diff options
Diffstat (limited to 'docs/docbook/projdoc/ServerType.sgml')
| -rw-r--r-- | docs/docbook/projdoc/ServerType.sgml | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml new file mode 100644 index 00000000000..41b1c0ed2f7 --- /dev/null +++ b/docs/docbook/projdoc/ServerType.sgml @@ -0,0 +1,141 @@ +<chapter id="ServerType"> +<chapterinfo> + <author> + <firstname>John H</firstname><surname>Terpstra</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address><email>jht@samba.org</email></address> + </affiliation> + </author> +</chapterinfo> + +<title>Nomenclature of Server Types</title> + +<para>Adminstrators of Microsoft networks often refer to there being three +different type of servers:</para> + +<itemizedlist> + <listitem><para>Stand Alone Server</para></listitem> + <listitem><para>Domain Member Server</para></listitem> + <listitem><para>Domain Controller</para> + <itemizedlist> + <listitem><para>Primary Domain Controller</para></listitem> + <listitem><para>Backup Domain Controller</para></listitem> + <listitem><para>ADS Domain Controller</para></listitem> + </itemizedlist> + </listitem> +</itemizedlist> + +<para>A network administrator who is familiar with these terms and who +wishes to migrate to or use Samba will want to know what these terms mean +within a Samba context.</para> + +<sect1> +<title>Stand Alone Server</title> + +<para> +The term <emphasis>stand alone server</emphasis> means that the server +will provide local authentication and access control for all resources +that are available from it. In general this means that there will be a +local user database. In more technical terms, it means that resources +on the machine will either be made available in either SHARE mode or in +USER mode. SHARE mode and USER mode security are documented under +discussions regarding "security mode". The smb.conf configuration parameters +that control security mode are: "security = user" and "security = share". +</para> + +<para> +Samba tends to blur the distinction a little in respect of what is +a stand alone server. This is because the authentication database may be +local or on a remote server, even if from the samba protocol perspective +the samba server is NOT a member of a domain security context. +</para> + +<para> +Through the use of PAM (Pluggable Authentication Modules) and nsswitch +(the name service switcher) the source of authentication may reside on +another server. We would be inclined to call this the authentication server. +This means that the samba server may use the local Unix/Linux system +password database (/etc/passwd or /etc/shadow), may use a local smbpasswd +file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or +may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB +server for authentication. +</para> + +</sect1> + +<sect1> +<title>Domain Member Server</title> + +<para> +This mode of server operation involves the samba machine being made a member +of a domain security context. This means by definition that all user authentication +will be done from a centrally defined authentication regime. The authentication +regime may come from an NT3/4 style (old domain technology) server, or it may be +provided from an Active Directory server (ADS) running on MS Windows 2000 or later. +>/para> + +<para><emphasis> +Of course it should be clear that the authentication back end itself could be from any +distributed directory architecture server that is supported by Samba. This can be +LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. +</emphasis></para> + +<para> +Please refer to the section on Howto configure Samba as a Primary Domain Controller +and for more information regarding how to create a domain machine account for a +domain member server as well as for information regading how to enable the samba +domain member machine to join the domain and to be fully trusted by it. +</para> + +</sect1> + +<sect1> +<title>Domain Controller</title> + +<para> +Over the years public perceptions of what Domain Control really is has taken on an +almost mystical nature. Before we branch into a brief overview of what Domain Control +is the following types of controller are known: +</para> + +<sect2> +<title>Domain Controller Types</title> + +<simplelist> + <member>Primary Domain Controller</member> + <member>Backup Domain Controller</member> + <member>ADS Domain Controller</member> +</simplelist> + +<para> +The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS +Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many +expect. The PDC seeds the Domain Control database (a part of the Windows registry) and +it plays a key part in synchronisation of the domain authentication database. +</para> + +<para> +New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as +the NT4 style SAM (Security Account Manager) database (one of the registry files). +The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and +valid options include <emphasis> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</emphasis>. +The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix +Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux +system accounts, provided a uid range is defined from which SAM accounts can be created. +</para> + +<para> +The <emphasis>Backup Domain Controller</emphasis> or BDC plays a key role in servicing network +authentication requests. The BDC is biased to answer logon requests so that on a network segment +that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will +answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to +a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is +automatically demoted to a BDC. +</para> + +<para> +At this time Samba is NOT capable of acting as an <emphasis>ADS Domain Controller</emphasis>. + +</sect2> +</sect1> |