Diffstat (limited to 'docs/htmldocs/Samba-PDC-HOWTO.html')
-rw-r--r-- | docs/htmldocs/Samba-PDC-HOWTO.html | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html new file mode 100644 index 00000000000..6476cafce4e --- /dev/null +++ b/docs/htmldocs/Samba-PDC-HOWTO.html 
@@ -0,0 +1,239 @@ +<HTML +><HEAD +><TITLE +>How to Configure Samba 2.2.x as a Primary Domain Controller</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="ARTICLE" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="ARTICLE" +><DIV +CLASS="TITLEPAGE" +><H1 +CLASS="TITLE" +><A +NAME="AEN1" +>How to Configure Samba 2.2.x as a Primary Domain Controller</A +></H1 +><HR></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3" +>Background</A +></H1 +><P +>Version of Samba prior to release 2.2 had marginal capabilities to +act as a Windows NT 4.0 Primary Domain Controller (PDC). Please +note that Windows 9x clients are not true members of a domain +for reasons outlined in this article. Therefore the protocol for +support Windows 9x style domain logons is completely different +from NT4 domain logons and has been officially supported for some +time.</P +><P +>Beginning with Samba 2.2.0, we are proud to announce official +support for Windows NT 4.0 style domain logons from Windows NT +4.0 and Windows 2000 (including SP1) clients. This article +outlines the steps necessary for configuring Samba as a PDC. +Note that it is necessary to have a working Samba server +prior to implementing the PDC functionality. If you have not +followed the steps outlined in <A +HREF="UNIX_INSTALL.html" +TARGET="_top" +>UNIX_INSTALL.html</A +>, please make sure that your server +is configured correctly before proceeding. Another good +resource in the <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5) man +page</A +>.</P +><P +>Implementing a Samba PDC can basically be divided into 2 broad +steps.</P +><P +></P +><OL +TYPE="1" +><LI +><P +>Configuring the Samba Domain Controller + </P +></LI +><LI +><P +>Creating machine trust accounts + and joining clients to the domain</P +></LI +></OL +><P +>There are other minor details such as user profiles, system +policies, etc... 
However, these are not necessarily specific +to a Samba PDC as much as they are related to Windows NT networking +concepts. They will be mentioned only briefly here.</P +><P +>On a closing note, many people have asked regarding the status +of Samba, Kerberos, and Active Directory. Samba <I +CLASS="EMPHASIS" +>does +not</I +> implement a true Windows 2000 domain controller. +There are actually three pieces to this puzzle.</P +><P +></P +><UL +><LI +><P +>Kerberos</P +></LI +><LI +><P +>Samba</P +></LI +><LI +><P +>LDAP</P +></LI +></UL +><P +>We are working on exploring possibilities related to this, but +much work needs to be done.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN26" +>Configuring the Samba Domain Controller</A +></H1 +><P +>The first step in creating a working Samba PDC is to +understand the parameters necesary in smb.conf. I will not +attempt to re-explain the parameters here as they are more that +adequately covered in <A +HREF="smb.conf.5.html" +TARGET="_top" +> the smb.conf +man page</A +>. For convienience, the parameters have been +linked with the actual smb.conf description.</P +><P +>Here is an example smb.conf for acting as a PDC:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>[global] + ; Basic server settings + <A +HREF="smb.conf.5.html#NETBIOSNAME" +TARGET="_top" +>netbios name</A +> = <TT +CLASS="REPLACEABLE" +><I +>POGO</I +></TT +> + workgroup = <TT +CLASS="REPLACEABLE" +><I +>NARNIA</I +></TT +> + + ; we should act as the domain and local master browser + os level = 64 + preferred master = yes + domain master = yes + local master = yes + + ; security settings (must user security = user) + security = user + + ; encrypted passwords are a requirement for a PDC + encrypt passwords = yes + + ; support domain logons + domain logons = yes + + ; where to store user profiles? + logon path = \\%N\profiles\%u + + ; where is a user's home directory and where should it + ; be mounted at? 
+ logon drive = H: + logon home = \\homeserver\%u + + ; specify a generic logon script for all users + ; this is a relative path to the [netlogon] share + logon script = logon.cmd + +; necessary share for domain controller +[netlogon] + path = /usr/local/samba/lib/netlogon + writeable = no + write list = ntadmin + +; share for storing user profiles +[profiles] + path = /export/smb/ntprofile + writeable = yes + create mask = 0600 + directory mask = 0700</PRE +></P +><P +>There are a couple of points to emphasize in the above +configuration.</P +><P +></P +><UL +><LI +><P +>encrypted passwords must be enabled. + For more details on how to do this, refer to + <A +HREF="ENCRYPTION.html" +TARGET="_top" +>ENCRYPTION.html</A +>. + </P +></LI +><LI +><P +>The server must support domain logons + and a [netlogon] share</P +></LI +><LI +><P +>The server must be the domain master browser + in order for Windows client to locate the server as a DC.</P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN45" +>Creating Machine Trust Accounts and Joining Clients +to the Domain</A +></H1 +><P +></P +></DIV +></DIV +></BODY +></HTML +>
\ No newline at end of file |
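Review bot: The last SECT1 (anchor AEN45, "Creating Machine Trust Accounts and Joining Clients to the Domain") contains only an empty paragraph, although the Background section lists it as the second of the two steps, so the HOWTO as committed stops before any client can be joined; either fill the section in or state in the text that it is still to be written. In the example smb.conf, the comment "; security settings (must user security = user)" should read "must use security = user". The [profiles] share is "writeable = yes" with "logon path = \\%N\profiles\%u" pointing every user at it, but the text does not say how the per-user directories under /export/smb/ntprofile are created or owned; one sentence on that next to the "create mask = 0600" and "directory mask = 0700" lines would help an administrator check that users cannot read each other's profiles. Prose typos to fix before this lands: "Version of Samba prior" (Versions), "for support Windows 9x style" (supporting), "Another good resource in the" (is the), "necesary", "more that adequately" (than), "convienience".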