diff options
Diffstat (limited to 'docs/textdocs/DOMAIN_CONTROL.txt')
| -rw-r--r-- | docs/textdocs/DOMAIN_CONTROL.txt | 108 |
1 files changed, 0 insertions, 108 deletions
diff --git a/docs/textdocs/DOMAIN_CONTROL.txt b/docs/textdocs/DOMAIN_CONTROL.txt deleted file mode 100644 index 0b077320cdb..00000000000 --- a/docs/textdocs/DOMAIN_CONTROL.txt +++ /dev/null @@ -1,108 +0,0 @@ -Initial Release: August 22, 1996 -Contributor: John H Terpstra <samba-bugs@samba.anu.edu.au> - Copyright (C) 1996-1997 - John H Terpstra -Updated: August 25, 1997 -Status: Current - New Content - -Subject: Windows NT Domain Control & Samba -============================================================================ - -****NOTE:**** -============= -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM. - -Microsoft Windows NT Domain Control is an extremely complex protocol. -We have received countless requests to implement Domain Control in Samba -and have seriously investigated the potential to support this. The Samba -Team have now concluded that since Domain Control is a completely -undocumented protocol we ought NOT to implement our best guess of this -technology. It is a Microsoft business policy NOT to release the information -necessary to enable this to be implemented in a dependable manner. -============================================================================ - -Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstaion or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller). - -The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT. -However only those servers which have licenced Windows NT code in them can be -a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.) - -To many people these terms can be confusing, so let's try to clear the air. - -Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialisation information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system. - -The registry files can be located on any Windows NT machine by opening a -command prompt and typing: - dir %SystemRoot%\System32\config - -The environment variable %SystemRoot% value can be obtained by typing: - echo %SystemRoot% - -The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security. - -In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each. - -The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do. - -The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on. - -Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers. - -The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (ie: to ensure that the service action a user has -requested is permitted within the limits of that user's privileges). - -The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems. - -Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. At most every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC). - -The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry. - -Samba can NOT at this time function as a Domain Controller for any of these -security services, but like all other domain members can interact with the -Windows NT security system for all access authentication. - -When Samba is configured with the 'security = server' option and the -'password server = Your_Windows_NT_Server_Name' option, then it will -redirect all access authentication to that server. This way you can -use Windows NT to act as your password server with full support for -Microsoft encrypted passwords. - |