Diffstat (limited to 'docs/docbook/projdoc/Samba-PDC-HOWTO.xml')
-rw-r--r-- docs/docbook/projdoc/Samba-PDC-HOWTO.xml 455
1 files changed, 216 insertions, 239 deletions
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml index 9bbcb134b4d..0189b59f2e9 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml @@ -14,7 +14,13 @@ <pubdate> (26 Apr 2001) </pubdate> </chapterinfo> -<title>Domain Control</title> +<title> +Samba as an NT4 or Win2k Primary Domain Controller +</title> + + +<sect1> +<title>Prerequisite Reading</title> <para> Before you continue reading in this chapter, please make sure 
@@ -24,60 +30,15 @@ encryption in Samba. Theses two topics are covered in the &smb.conf; manpage. </para> -<sect1> -<title> -Background -</title> - -<sect2> -<title>Domain Controller</title> - -<para> -Over the years public perceptions of what Domain Control really is has taken on an -almost mystical nature. Before we branch into a brief overview of what Domain Control -is the following types of controller are known: -</para> - -<sect3> -<title>Domain Controller Types</title> - -<simplelist> - <member>Primary Domain Controller</member> - <member>Backup Domain Controller</member> - <member>ADS Domain Controller</member> -</simplelist> -<para> -The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS -Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many -expect. The PDC seeds the Domain Control database (a part of the Windows registry) and -it plays a key part in synchronisation of the domain authentication database. -</para> +</sect1> -<para> -New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as -the NT4 style SAM (Security Account Manager) database (one of the registry files). -The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and -valid options include <emphasis> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</emphasis>. -The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix -Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux -system accounts, provided a uid range is defined from which SAM accounts can be created. -</para> -<para> -The <emphasis>Backup Domain Controller</emphasis> or BDC plays a key role in servicing network -authentication requests. The BDC is biased to answer logon requests so that on a network segment -that has a BDC and a PDC the BDC will be most likely to service network logon requests. 
The PDC will -answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to -a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is -automatically demoted to a BDC. -</para> -<para> -At this time Samba is NOT capable of acting as an <emphasis>ADS Domain Controller</emphasis>. -</para> -</sect3> -</sect2> +<sect1> +<title> +Background +</title> <para> This article outlines the steps necessary for configuring Samba as a PDC. @@ -179,19 +140,22 @@ steps. </orderedlist> <para> -There are other minor details such as user profiles, system policies, etc... -However, these are not necessarily specific to a Samba PDC as much as they are -related to Windows NT networking concepts. +There are other minor details such as user profiles, system +policies, etc... However, these are not necessarily specific +to a Samba PDC as much as they are related to Windows NT networking +concepts. </para> </sect1> + <sect1> -<title>Configuring Samba NT4 Style Domain Control</title> +<title>Configuring the Samba Domain Controller</title> <para> -The first step in creating a working Samba PDC is to understand the parameters necessary -in &smb.conf;. Here we attempt to explain the parameters that are covered in +The first step in creating a working Samba PDC is to +understand the parameters necessary in smb.conf. Here we +attempt to explain the parameters that are covered in the &smb.conf; man page. </para> 
@@ -200,53 +164,54 @@ Here is an example &smb.conf; for acting as a PDC: </para> <para><programlisting> - [global] - ; Basic server settings - <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable> - <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable> - - ; User and Machine Account Backends - ; Choices are: tdbsam, smbpasswd, ldapsam, mysqlsam, xmlsam, guest - <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest - - ; we should act as the domain and local master browser - <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64 - <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes - <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes - <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes - - ; security settings (must user security = user) - <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user - - ; encrypted passwords are a requirement for a PDC - <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes - - ; support domain logons - <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes - - ; where to store user profiles? - <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u - - ; where is a user's home directory and where should it be mounted at? 
- <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H: - <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u - - ; specify a generic logon script for all users - ; this is a relative **DOS** path to the [netlogon] share - <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd - - ; necessary share for domain controller - [netlogon] - <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon - <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes - <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> - - ; share for storing user profiles - [profiles] - <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile - <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no - <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 - <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 +[global] + ; Basic server settings + <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable> + <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable> + + ; User and Machine Account Backends + ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ... 
+ ; mysqlsam, xmlsam, guest + <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest + + ; we should act as the domain and local master browser + <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64 + <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes + <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes + <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes + + ; security settings (must user security = user) + <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user + + ; encrypted passwords are a requirement for a PDC + <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes + + ; support domain logons + <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes + + ; where to store user profiles? + <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u + + ; where is a user's home directory and where should it be mounted at? + <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H: + <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u + + ; specify a generic logon script for all users + ; this is a relative **DOS** path to the [netlogon] share + <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd + +; necessary share for domain controller +[netlogon] + <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes + <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> + +; share for storing user profiles +[profiles] + <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no + <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 + <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 </programlisting></para> <note><para> 
@@ -292,7 +257,10 @@ between Windows NT groups and Unix groups (this is really quite complicated to explain in a short space). </para> -<sect2> +</sect1> + + +<sect1> <title>Creating Machine Trust Accounts and Joining Clients to the Domain</title> <para> @@ -313,13 +281,8 @@ because it does not possess a machine trust account, and thus has no shared secret with the domain controller. </para> -<para>A Windows NT4 PDC stores each machine trust account in the Windows -Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, -the new repository for machine trust accounts. -</para> - -<para> -A Samba-3 PDC also has to store machine trust account information +<para>A Windows PDC stores each machine trust account in the Windows +Registry. A Samba-3 PDC also has to store machine trust account information in a suitable backend data store. With Samba-3 there can be multiple back-ends for this including: </para> @@ -334,6 +297,13 @@ for this including: </para></listitem> <listitem><para> + <emphasis>smbpasswd_nua</emphasis> - This file is independant of the + system wide user accounts. The use of this back-end option requires + specification of the "non unix account range" option also. It is called + smbpasswd and will be located in the <filename>private</filename> directory. + </para></listitem> + + <listitem><para> <emphasis>tdbsam</emphasis> - a binary database backend that will be stored in the <emphasis>private</emphasis> directory in a file called <emphasis>passwd.tdb</emphasis>. The key benefit of this binary format 
@@ -342,9 +312,22 @@ for this including: </para></listitem> <listitem><para> + <emphasis>tdbsam_nua</emphasis> like the smbpasswd_nua option above, this + file allows the creation of arbitrary user and machine accounts without + requiring that account to be added to the system (/etc/passwd) file. It + too requires the specification of the "non unix account range" option + in the [globals] section of the &smb.conf; file. + </para></listitem> + + <listitem><para> <emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com </para></listitem> + + <listitem><para> + <emphasis>ldapsam_nua</emphasis> - LDAP based back-end with no unix + account requirement, like smbpasswd_nua and tdbsam_nua above. + </para></listitem> </itemizedlist> <para>Read the chapter about the <link linkend="passdb">User Database</link> @@ -363,8 +346,9 @@ as follows: <itemizedlist> <listitem><para>A Samba account, stored in the same location as user - LanMan and NT password hashes (currently <filename>smbpasswd</filename>). - The Samba account possesses and uses only the NT password hash.</para></listitem> + LanMan and NT password hashes (currently + <filename>smbpasswd</filename>). The Samba account + possesses and uses only the NT password hash.</para></listitem> <listitem><para>A corresponding Unix account, typically stored in <filename>/etc/passwd</filename>. (Future releases will alleviate the need to @@ -389,7 +373,7 @@ There are two ways to create machine trust accounts: </itemizedlist> -<sect3> +<sect2> <title>Manual Creation of Machine Trust Accounts</title> <para> @@ -468,10 +452,10 @@ the corresponding Unix account. information to such clients. You have been warned! </para> </warning> -</sect3> +</sect2> -<sect3> +<sect2> <title>"On-the-Fly" Creation of Machine Trust Accounts</title> <para> 
@@ -498,10 +482,10 @@ be created manually. add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> -</sect3> +</sect2> -<sect3><title>Joining the Client to the Domain</title> +<sect2><title>Joining the Client to the Domain</title> <para> The procedure for joining a client to the domain varies with the 
@@ -551,17 +535,122 @@ version of Windows. </para></listitem> </itemizedlist> -</sect3> </sect2> </sect1> <sect1> -<title>Samba ADS Domain Control</title> +<title>Common Problems and Errors</title> + +<sect2> +<title>I cannot include a '$' in a machine name</title> +<para> +A 'machine name' in (typically) <filename>/etc/passwd</filename> +of the machine name with a '$' appended. FreeBSD (and other BSD +systems?) won't create a user with a '$' in their name. +</para> + +<para> +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the '$' using <command>vipw</command> to edit the entry, adding +the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! +</para> +</sect2> + +<sect2> +<title>I get told "You already have a connection to the Domain...." +or "Cannot join domain, the credentials supplied conflict with an +existing set.." when creating a machine trust account.</title> + +<para> +This happens if you try to create a machine trust account from the +machine itself and already have a connection (e.g. mapped drive) +to a share (or IPC$) on the Samba PDC. The following command +will remove all network drive connections: +</para> <para> -Not yet Freddie! +<prompt>C:\WINNT\></prompt> <command>net use * /d</command> </para> +<para> +Further, if the machine is already a 'member of a workgroup' that +is the same name as the domain you are joining (bad idea) you will +get this message. Change the workgroup name to something else, it +does not matter what, reboot, and try again. +</para> +</sect2> + +<sect2> +<title>The system can not log you on (C000019B)....</title> + +<para>I joined the domain successfully but after upgrading +to a newer version of the Samba code I get the message, "The system +can not log you on (C000019B), Please try again or consult your +system administrator" when attempting to logon. 
+</para> + +<para> +This occurs when the domain SID stored in the secrets.tdb database +is changed. The most common cause of a change in domain SID is when +the domain name and/or the server name (netbios name) is changed. +The only way to correct the problem is to restore the original domain +SID or remove the domain client from the domain and rejoin. The domain +SID may be reset using either the net or rpcclient utilities. +</para> + +<para> +The reset or change the domain SID you can use the net command as follows: + +<programlisting> + net getlocalsid 'OLDNAME' + net setlocalsid 'SID' +</programlisting> +</para> + +</sect2> + +<sect2> +<title>The machine trust account for this computer either does not +exist or is not accessible.</title> + +<para> +When I try to join the domain I get the message "The machine account +for this computer either does not exist or is not accessible". What's +wrong? +</para> + +<para> +This problem is caused by the PDC not having a suitable machine trust account. +If you are using the <parameter>add machine script</parameter> method to create +accounts then this would indicate that it has not worked. Ensure the domain +admin user system is working. +</para> + +<para> +Alternatively if you are creating account entries manually then they +have not been created correctly. Make sure that you have the entry +correct for the machine trust account in smbpasswd file on the Samba PDC. +If you added the account using an editor rather than using the smbpasswd +utility, make sure that the account name is the machine NetBIOS name +with a '$' appended to it ( i.e. computer_name$ ). There must be an entry +in both /etc/passwd and the smbpasswd file. Some people have reported +that inconsistent subnet masks between the Samba server and the NT +client have caused this problem. Make sure that these are consistent +for both client and server. 
+</para> +</sect2> + +<sect2> +<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation, +I get a message about my account being disabled.</title> + +<para> +At first be ensure to enable the useraccounts with <command>smbpasswd -e +%user%</command>, this is normally done, when you create an account. +</para> + +</sect2> + </sect1> <sect1> @@ -678,10 +767,11 @@ worthwhile to look at how a Windows 9x/ME client performs a logon: <sect2> -<title>Configuring Network Logon Capability</title> +<title>Configuration Instructions: Network Logons</title> <para> -The main difference between a PDC and a Windows 9x logon server configuration is that +The main difference between a PDC and a Windows 9x logon +server configuration is that </para> <itemizedlist> @@ -697,7 +787,8 @@ Windows 9x/ME clients do not possess machine trust accounts. </itemizedlist> <para> -Therefore, a Samba PDC will also act as a Windows 9x logon server. +Therefore, a Samba PDC will also act as a Windows 9x logon +server. </para> 
@@ -748,118 +839,4 @@ for its domain. </sect2> </sect1> - -<sect1> -<title>Common Problems and Errors</title> - -<sect2> -<title>I cannot include a '$' in a machine name</title> -<para> -A 'machine name' in (typically) <filename>/etc/passwd</filename> -of the machine name with a '$' appended. FreeBSD (and other BSD -systems?) won't create a user with a '$' in their name. -</para> - -<para> -The problem is only in the program used to make the entry. Once made, it works perfectly. -Create a user without the '$' using <command>vipw</command> to edit the entry, adding -the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! -</para> -</sect2> - -<sect2> -<title>I get told "You already have a connection to the Domain...." -or "Cannot join domain, the credentials supplied conflict with an -existing set.." when creating a machine trust account.</title> - -<para> -This happens if you try to create a machine trust account from the -machine itself and already have a connection (e.g. mapped drive) -to a share (or IPC$) on the Samba PDC. The following command -will remove all network drive connections: -</para> - -<para> -<prompt>C:\WINNT\></prompt> <command>net use * /d</command> -</para> - -<para> -Further, if the machine is already a 'member of a workgroup' that -is the same name as the domain you are joining (bad idea) you will -get this message. Change the workgroup name to something else, it -does not matter what, reboot, and try again. -</para> -</sect2> - -<sect2> -<title>The system can not log you on (C000019B)....</title> - -<para>I joined the domain successfully but after upgrading -to a newer version of the Samba code I get the message, "The system -can not log you on (C000019B), Please try again or consult your -system administrator" when attempting to logon. -</para> - -<para> -This occurs when the domain SID stored in the secrets.tdb database -is changed. 
The most common cause of a change in domain SID is when -the domain name and/or the server name (netbios name) is changed. -The only way to correct the problem is to restore the original domain -SID or remove the domain client from the domain and rejoin. The domain -SID may be reset using either the net or rpcclient utilities. -</para> - -<para> -The reset or change the domain SID you can use the net command as follows: - -<programlisting> - net getlocalsid 'OLDNAME' - net setlocalsid 'SID' -</programlisting> -</para> - -</sect2> - -<sect2> -<title>The machine trust account for this computer either does not -exist or is not accessible.</title> - -<para> -When I try to join the domain I get the message "The machine account -for this computer either does not exist or is not accessible". What's -wrong? -</para> - -<para> -This problem is caused by the PDC not having a suitable machine trust account. -If you are using the <parameter>add machine script</parameter> method to create -accounts then this would indicate that it has not worked. Ensure the domain -admin user system is working. -</para> - -<para> -Alternatively if you are creating account entries manually then they -have not been created correctly. Make sure that you have the entry -correct for the machine trust account in smbpasswd file on the Samba PDC. -If you added the account using an editor rather than using the smbpasswd -utility, make sure that the account name is the machine NetBIOS name -with a '$' appended to it ( i.e. computer_name$ ). There must be an entry -in both /etc/passwd and the smbpasswd file. Some people have reported -that inconsistent subnet masks between the Samba server and the NT -client have caused this problem. Make sure that these are consistent -for both client and server. 
-</para> -</sect2> - -<sect2> -<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation, -I get a message about my account being disabled.</title> - -<para> -At first be ensure to enable the useraccounts with <command>smbpasswd -e -%user%</command>, this is normally done, when you create an account. -</para> - -</sect2> -</sect1> </chapter> |
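Review bot: In the hunk at @@ -14,7 +14,13 @@ the new chapter title is split over three lines (`<title>`, text, `</title>`) while the `<title>Prerequisite Reading</title>` added a few lines later, and every other title in this file, sits on one line; the same three-line form is used again for "Background" in the next hunk. Pick one form, preferably the single-line one already used throughout the chapter.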
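Review bot: The hunk at @@ -24,60 +30,15 @@ deletes the only sentence in the chapter that says "At this time Samba is NOT capable of acting as an ADS Domain Controller", and the later hunk at @@ -551,17 +535,122 @@ removes the "Samba ADS Domain Control" placeholder section as well. After this patch nothing in the chapter states that ADS domain control is unsupported, while the new title advertises "NT4 or Win2k"; keep a one-sentence statement of that limitation, for example in the new "Prerequisite Reading" or "Background" section. Dropping the rest of the deleted paragraphs is fine: they referred to a "passwd backend" parameter that does not match the `passdb backend` used in the example configuration, and their `_nua` material reappears in the backend list later in the patch.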
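Review bot: In the hunk at @@ -179,19 +140,22 @@ the reflowed sentence now reads "understand the parameters necessary in smb.conf", replacing the `&smb.conf;` entity with plain text, while the very next clause still uses "the &smb.conf; man page". Keep the entity in both places so the file name renders consistently.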
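Review bot: The hunk at @@ -200,53 +164,54 @@ rewrites the whole `<programlisting>` block but carries two pre-existing defects into the new copy: the link anchor `smb.conf.5.html#PERFERREDMASTER` is misspelled (presumably `PREFERREDMASTER`, following the naming of the other anchors such as `DOMAINMASTER` and `LOCALMASTER`), and the comment "; security settings (must user security = user)" should read "must use". Since every line of the block is touched anyway, fix both here rather than in a follow-up.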
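Review bot: The hunk at @@ -313,13 +281,8 @@ broadens "A Windows NT4 PDC stores each machine trust account in the Windows Registry" to "A Windows PDC stores ...", but the sentence it deletes at the same time explicitly said that Windows 2000 moved machine trust accounts into Active Directory. The merged sentence is therefore less accurate than before; suggest "A Windows NT4 PDC stores each machine trust account in the Windows Registry. A Samba-3 PDC also has to store ...".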
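Review bot: In the new `smbpasswd_nua` list item in the hunk at @@ -334,6 +297,13 @@, "independant" should be "independent", and "non unix account range" is a configuration parameter, so it should use `<parameter>` markup the way `<parameter>add machine script</parameter>` does elsewhere in this chapter rather than plain quotes. The item also says the file "is called smbpasswd and will be located in the private directory", which is the same file name the plain `smbpasswd` backend uses; say explicitly whether the two backends share that file.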
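Review bot: In the hunk at @@ -342,9 +312,22 @@ the new `tdbsam_nua` item is missing the " - " separator that every other item in the list uses (`<emphasis>tdbsam_nua</emphasis> - like the smbpasswd_nua option above, ...`), and it refers to "the [globals] section of the &smb.conf; file" whereas the example configuration in this patch and the rest of the chapter use `[global]`. The `ldapsam_nua` item added in the same hunk has the same `<parameter>` markup question as the `smbpasswd_nua` item, as it too depends on "non unix account range".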
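Review bot: The "Common Problems and Errors" section moved in by the hunk at @@ -551,17 +535,122 @@ is copied verbatim, including wording that was already broken; since the whole block appears as new lines, this is the place to fix it: "A 'machine name' in (typically) /etc/passwd of the machine name with a '$' appended" has no verb (something like "A 'machine name' entry in /etc/passwd consists of the machine name with a '$' appended"); "The reset or change the domain SID" should be "To reset or change the domain SID"; "At first be ensure to enable the useraccounts" should be "First make sure the user accounts are enabled"; "can not" in the C000019B title and paragraph should be "cannot". The `<prompt>C:\WINNT\></prompt>` line also contains an unescaped `>` inside element content, which is worth checking against the DocBook build.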