- Timestamp:
- Nov 12, 2012, 7:37:04 PM (13 years ago)
- File:
-
- 1 edited
branches/samba-3.5.x/docs/htmldocs/Samba3-HOWTO/domain-member.html
r599 r739 1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Domain Membership</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 6. Domain Membership"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 6. 
Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div 
class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="domain-member.html#id33 9970">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id340608">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341023">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341289">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id341389">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id341842">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342539">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id342799">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342981">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a 
href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344013">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id344082">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id344280">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id344314">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344384">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id344604">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></div><p>2 <a class="indexterm" name="id33 9923"></a>3 <a class="indexterm" name="id33 9930"></a>4 <a class="indexterm" name="id33 9936"></a>1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Domain Membership</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. 
Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 6. Domain Membership"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 6. Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:tridge@samba.org">tridge@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code 
class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="domain-member.html#id338126">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id338765">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id339179">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id339445">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id339545">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id340000">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id340695">Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id340955">Configure <code class="filename">smb.conf</code></a></span></dt><dt><span 
class="sect2"><a href="domain-member.html#id341137">Configure <code class="filename">/etc/krb5.conf</code></a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with <span class="application">smbclient</span></a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342170">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id342239">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id342436">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id342470">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342540">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id342760">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></div><p> 2 <a class="indexterm" name="id338079"></a> 3 <a class="indexterm" name="id338086"></a> 4 <a class="indexterm" name="id338092"></a> 5 5 Domain membership is a subject of vital concern. Samba must be able to 6 6 participate as a member server in a Microsoft domain security context, and … … 8 8 otherwise it would not be able to offer a viable option for many users. 9 9 </p><p> 10 <a class="indexterm" name="id33 9952"></a>11 <a class="indexterm" name="id33 9958"></a>10 <a class="indexterm" name="id338108"></a> 11 <a class="indexterm" name="id338114"></a> 12 12 This chapter covers background information pertaining to domain membership, 13 13 the Samba configuration for it, and MS Windows client procedures for joining a … … 17 17 misinformation, incorrect understanding, and lack of knowledge. 
Hopefully 18 18 this chapter will fill the voids. 19 </p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id33 9970"></a>Features and Benefits</h2></div></div></div><p>20 <a class="indexterm" name="id33 9978"></a>21 <a class="indexterm" name="id33 9985"></a>22 <a class="indexterm" name="id33 9992"></a>19 </p><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id338126"></a>Features and Benefits</h2></div></div></div><p> 20 <a class="indexterm" name="id338134"></a> 21 <a class="indexterm" name="id338141"></a> 22 <a class="indexterm" name="id338148"></a> 23 23 MS Windows workstations and servers that want to participate in domain security need to 24 24 be made domain members. Participating in domain security is often called … … 28 28 server) or a Samba server a member of an MS Windows domain security context. 29 29 </p><p> 30 <a class="indexterm" name="id3 40020"></a>31 <a class="indexterm" name="id3 40027"></a>32 <a class="indexterm" name="id3 40033"></a>33 <a class="indexterm" name="id3 40040"></a>30 <a class="indexterm" name="id338176"></a> 31 <a class="indexterm" name="id338183"></a> 32 <a class="indexterm" name="id338189"></a> 33 <a class="indexterm" name="id338196"></a> 34 34 Samba-3 can join an MS Windows NT4-style domain as a native member server, an 35 35 MS Windows Active Directory domain as a native member server, or a Samba domain 36 36 control network. Domain membership has many advantages: 37 37 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> 38 <a class="indexterm" name="id3 40058"></a>38 <a class="indexterm" name="id338214"></a> 39 39 MS Windows workstation users get the benefit of SSO. 
40 40 </p></li><li class="listitem"><p> 41 <a class="indexterm" name="id3 40069"></a>42 <a class="indexterm" name="id3 40076"></a>43 <a class="indexterm" name="id3 40083"></a>44 <a class="indexterm" name="id3 40090"></a>41 <a class="indexterm" name="id338225"></a> 42 <a class="indexterm" name="id338232"></a> 43 <a class="indexterm" name="id338239"></a> 44 <a class="indexterm" name="id338246"></a> 45 45 Domain user access rights and file ownership/access controls can be set 46 46 from the single Domain Security Account Manager (SAM) database … … 48 48 that are domain members). 49 49 </p></li><li class="listitem"><p> 50 <a class="indexterm" name="id3 40103"></a>51 <a class="indexterm" name="id3 40109"></a>50 <a class="indexterm" name="id338259"></a> 51 <a class="indexterm" name="id338265"></a> 52 52 Only <span class="application">MS Windows NT4/200x/XP Professional</span> 53 53 workstations that are domain members can use network logon facilities. 54 54 </p></li><li class="listitem"><p> 55 <a class="indexterm" name="id3 40127"></a>56 <a class="indexterm" name="id3 40134"></a>57 <a class="indexterm" name="id3 40141"></a>58 <a class="indexterm" name="id3 40148"></a>55 <a class="indexterm" name="id338283"></a> 56 <a class="indexterm" name="id338290"></a> 57 <a class="indexterm" name="id338297"></a> 58 <a class="indexterm" name="id338304"></a> 59 59 Domain member workstations can be better controlled through the use of 60 60 policy files (<code class="filename">NTConfig.POL</code>) and desktop profiles. 61 61 </p></li><li class="listitem"><p> 62 <a class="indexterm" name="id3 40166"></a>63 <a class="indexterm" name="id3 40173"></a>64 <a class="indexterm" name="id3 40180"></a>62 <a class="indexterm" name="id338322"></a> 63 <a class="indexterm" name="id338329"></a> 64 <a class="indexterm" name="id338336"></a> 65 65 Through the use of logon scripts, users can be given transparent access to network 66 66 applications that run off application servers. 
67 67 </p></li><li class="listitem"><p> 68 <a class="indexterm" name="id3 40192"></a>69 <a class="indexterm" name="id3 40199"></a>70 <a class="indexterm" name="id3 40205"></a>71 <a class="indexterm" name="id3 40212"></a>68 <a class="indexterm" name="id338348"></a> 69 <a class="indexterm" name="id338355"></a> 70 <a class="indexterm" name="id338361"></a> 71 <a class="indexterm" name="id338368"></a> 72 72 Network administrators gain better application and user access management 73 73 abilities because there is no need to maintain user accounts on any network … … 76 76 LDAP directory, or via an Active Directory infrastructure). 77 77 </p></li></ul></div></div><div class="sect1" title="MS Windows Workstation/Server Machine Trust Accounts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="machine-trust-accounts"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div></div><p> 78 <a class="indexterm" name="id3 40236"></a>79 <a class="indexterm" name="id3 40243"></a>80 <a class="indexterm" name="id3 40249"></a>81 <a class="indexterm" name="id3 40256"></a>78 <a class="indexterm" name="id338392"></a> 79 <a class="indexterm" name="id338399"></a> 80 <a class="indexterm" name="id338405"></a> 81 <a class="indexterm" name="id338412"></a> 82 82 A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to 83 83 the domain controller server. In Windows terminology, this is known as a <span class="quote">“<span class="quote">computer account.</span>”</span> The … … 85 85 access to a domain member workstation. 
86 86 </p><p> 87 <a class="indexterm" name="id3 40273"></a>88 <a class="indexterm" name="id3 40282"></a>89 <a class="indexterm" name="id3 40289"></a>90 <a class="indexterm" name="id3 40296"></a>91 <a class="indexterm" name="id3 40302"></a>87 <a class="indexterm" name="id338429"></a> 88 <a class="indexterm" name="id338438"></a> 89 <a class="indexterm" name="id338445"></a> 90 <a class="indexterm" name="id338452"></a> 91 <a class="indexterm" name="id338458"></a> 92 92 The password of a Machine Trust Account acts as the shared secret for secure communication with the domain 93 93 controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from … … 97 97 possess a Machine Trust Account, and, thus, has no shared secret with the domain controller. 98 98 </p><p> 99 <a class="indexterm" name="id3 40318"></a>100 <a class="indexterm" name="id3 40325"></a>101 <a class="indexterm" name="id3 40331"></a>102 <a class="indexterm" name="id3 40338"></a>99 <a class="indexterm" name="id338474"></a> 100 <a class="indexterm" name="id338481"></a> 101 <a class="indexterm" name="id338487"></a> 102 <a class="indexterm" name="id338494"></a> 103 103 A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. 104 104 The introduction of MS Windows 2000 saw the introduction of Active Directory, … … 108 108 109 109 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> 110 <a class="indexterm" name="id3 40352"></a>111 <a class="indexterm" name="id3 40359"></a>112 <a class="indexterm" name="id3 40366"></a>110 <a class="indexterm" name="id338508"></a> 111 <a class="indexterm" name="id338515"></a> 112 <a class="indexterm" name="id338522"></a> 113 113 A domain security account (stored in the <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>) that has been configured in 114 114 the <code class="filename">smb.conf</code> file. 
The precise nature of the account information that is stored depends on the type of 115 115 backend database that has been chosen. 116 116 </p><p> 117 <a class="indexterm" name="id3 40395"></a>118 <a class="indexterm" name="id3 40402"></a>119 <a class="indexterm" name="id3 40408"></a>120 <a class="indexterm" name="id3 40415"></a>121 <a class="indexterm" name="id3 40422"></a>122 <a class="indexterm" name="id3 40429"></a>117 <a class="indexterm" name="id338551"></a> 118 <a class="indexterm" name="id338558"></a> 119 <a class="indexterm" name="id338564"></a> 120 <a class="indexterm" name="id338571"></a> 121 <a class="indexterm" name="id338578"></a> 122 <a class="indexterm" name="id338585"></a> 123 123 The older format of this data is the <code class="filename">smbpasswd</code> database 124 124 that contains the UNIX login ID, the UNIX user identifier (UID), and the … … 126 126 this file that we do not need to concern ourselves with here. 127 127 </p><p> 128 <a class="indexterm" name="id3 40449"></a>129 <a class="indexterm" name="id3 40455"></a>130 <a class="indexterm" name="id3 40462"></a>131 <a class="indexterm" name="id3 40468"></a>128 <a class="indexterm" name="id338605"></a> 129 <a class="indexterm" name="id338612"></a> 130 <a class="indexterm" name="id338618"></a> 131 <a class="indexterm" name="id338625"></a> 132 132 The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older 133 133 <code class="filename">smbpasswd</code> file did. The extra information enables new user account controls to be 134 134 implemented. 135 135 </p></li><li class="listitem"><p> 136 <a class="indexterm" name="id3 40487"></a>137 <a class="indexterm" name="id3 40494"></a>136 <a class="indexterm" name="id338644"></a> 137 <a class="indexterm" name="id338651"></a> 138 138 A corresponding UNIX account, typically stored in <code class="filename">/etc/passwd</code>. 
Work is in progress to 139 139 allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature … … 141 141 </p></li></ul></div><p> 142 142 </p><p> 143 <a class="indexterm" name="id3 40518"></a>143 <a class="indexterm" name="id338675"></a> 144 144 There are three ways to create Machine Trust Accounts: 145 145 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> 146 <a class="indexterm" name="id3 40533"></a>146 <a class="indexterm" name="id338690"></a> 147 147 Manual creation from the UNIX/Linux command line. Here, both the Samba and 148 148 corresponding UNIX account are created by hand. 149 149 </p></li><li class="listitem"><p> 150 <a class="indexterm" name="id3 40546"></a>151 <a class="indexterm" name="id3 40552"></a>150 <a class="indexterm" name="id338702"></a> 151 <a class="indexterm" name="id338709"></a> 152 152 Using the MS Windows NT4 Server Manager, either from an NT4 domain member 153 153 server or using the Nexus toolkit available from the Microsoft Web site. … … 155 155 logged on as the administrator account. 156 156 </p></li><li class="listitem"><p> 157 <a class="indexterm" name="id3 40566"></a>158 <a class="indexterm" name="id3 40573"></a>157 <a class="indexterm" name="id338723"></a> 158 <a class="indexterm" name="id338729"></a> 159 159 <span class="quote">“<span class="quote">On-the-fly</span>”</span> creation. The Samba Machine Trust Account is automatically 160 160 created by Samba at the time the client is joined to the domain. … … 162 162 account may be created automatically or manually. 163 163 </p></li></ul></div><p> 164 <a class="indexterm" name="id3 40589"></a>165 <a class="indexterm" name="id3 40596"></a>164 <a class="indexterm" name="id338746"></a> 165 <a class="indexterm" name="id338753"></a> 166 166 Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine 167 167 trust account creation. 
This is a matter of the administrator's choice. 168 </p><div class="sect2" title="Manual Creation of Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id3 40608"></a>Manual Creation of Machine Trust Accounts</h3></div></div></div><p>169 <a class="indexterm" name="id3 40616"></a>170 <a class="indexterm" name="id3 40623"></a>171 <a class="indexterm" name="id3 40628"></a>172 <a class="indexterm" name="id3 40635"></a>168 </p><div class="sect2" title="Manual Creation of Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id338765"></a>Manual Creation of Machine Trust Accounts</h3></div></div></div><p> 169 <a class="indexterm" name="id338773"></a> 170 <a class="indexterm" name="id338780"></a> 171 <a class="indexterm" name="id338785"></a> 172 <a class="indexterm" name="id338792"></a> 173 173 The first step in manually creating a Machine Trust Account is to manually 174 174 create the corresponding UNIX account in <code class="filename">/etc/passwd</code>. … … 184 184 </pre><p> 185 185 </p><p> 186 <a class="indexterm" name="id3 40700"></a>187 <a class="indexterm" name="id3 40707"></a>188 <a class="indexterm" name="id3 40714"></a>186 <a class="indexterm" name="id338857"></a> 187 <a class="indexterm" name="id338864"></a> 188 <a class="indexterm" name="id338871"></a> 189 189 In the example above there is an existing system group <span class="quote">“<span class="quote">machines</span>”</span> which is used 190 190 as the primary group for all machine accounts. In the following examples the <span class="quote">“<span class="quote">machines</span>”</span> group 191 191 numeric GID is 100. 
192 192 </p><p> 193 <a class="indexterm" name="id3 40733"></a>194 <a class="indexterm" name="id3 40740"></a>193 <a class="indexterm" name="id338890"></a> 194 <a class="indexterm" name="id338896"></a> 195 195 On *BSD systems, this can be done using the <code class="literal">chpass</code> utility: 196 196 </p><pre class="screen"> … … 199 199 </pre><p> 200 200 </p><p> 201 <a class="indexterm" name="id3 40779"></a>202 <a class="indexterm" name="id3 40786"></a>203 <a class="indexterm" name="id3 40793"></a>204 <a class="indexterm" name="id3 40800"></a>201 <a class="indexterm" name="id338936"></a> 202 <a class="indexterm" name="id338943"></a> 203 <a class="indexterm" name="id338950"></a> 204 <a class="indexterm" name="id338956"></a> 205 205 The <code class="filename">/etc/passwd</code> entry will list the machine name 206 206 with a <span class="quote">“<span class="quote">$</span>”</span> appended, and will not have a password, will have a null shell and no … … 211 211 </pre><p> 212 212 </p><p> 213 <a class="indexterm" name="id3 40840"></a>214 <a class="indexterm" name="id3 40846"></a>215 <a class="indexterm" name="id3 40853"></a>213 <a class="indexterm" name="id338996"></a> 214 <a class="indexterm" name="id339003"></a> 215 <a class="indexterm" name="id339010"></a> 216 216 in which <em class="replaceable"><code>machine_nickname</code></em> can be any 217 217 descriptive name for the client, such as BasementComputer. … … 221 221 this as a Machine Trust Account. 
222 222 </p><p> 223 <a class="indexterm" name="id3 40876"></a>224 <a class="indexterm" name="id3 40883"></a>225 <a class="indexterm" name="id3 40890"></a>223 <a class="indexterm" name="id339032"></a> 224 <a class="indexterm" name="id339039"></a> 225 <a class="indexterm" name="id339046"></a> 226 226 Now that the corresponding UNIX account has been created, the next step is to create 227 227 the Samba account for the client containing the well-known initial … … 233 233 </pre><p> 234 234 </p><p> 235 <a class="indexterm" name="id3 40928"></a>236 <a class="indexterm" name="id3 40935"></a>237 <a class="indexterm" name="id3 40942"></a>238 <a class="indexterm" name="id3 40948"></a>235 <a class="indexterm" name="id339084"></a> 236 <a class="indexterm" name="id339091"></a> 237 <a class="indexterm" name="id339098"></a> 238 <a class="indexterm" name="id339104"></a> 239 239 where <em class="replaceable"><code>machine_name</code></em> is the machine's NetBIOS 240 240 name. The RID of the new machine account is generated from the UID of 241 241 the corresponding UNIX account. 
242 242 </p><div class="warning" title="Join the client to the domain immediately" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Join the client to the domain immediately</h3><p> 243 <a class="indexterm" name="id3 40969"></a>244 <a class="indexterm" name="id3 40976"></a>245 <a class="indexterm" name="id3 40982"></a>246 <a class="indexterm" name="id3 40989"></a>247 <a class="indexterm" name="id3 40996"></a>243 <a class="indexterm" name="id339125"></a> 244 <a class="indexterm" name="id339132"></a> 245 <a class="indexterm" name="id339138"></a> 246 <a class="indexterm" name="id339145"></a> 247 <a class="indexterm" name="id339152"></a> 248 248 Manually creating a Machine Trust Account using this method is the 249 249 equivalent of creating a Machine Trust Account on a Windows NT PDC using 250 <a class="indexterm" name="id3 41004"></a>250 <a class="indexterm" name="id339160"></a> 251 251 the <span class="application">Server Manager</span>. From the time at which the 252 252 account is created to the time the client joins the domain and … … 255 255 trusts members of the domain and will serve out a large degree of user 256 256 information to such clients. You have been warned! 
257 </p></div></div><div class="sect2" title="Managing Domain Machine Accounts using NT4 Server Manager"><div class="titlepage"><div><div><h3 class="title"><a name="id3 41023"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div></div><p>258 <a class="indexterm" name="id3 41031"></a>259 <a class="indexterm" name="id3 41038"></a>260 <a class="indexterm" name="id3 41045"></a>257 </p></div></div><div class="sect2" title="Managing Domain Machine Accounts using NT4 Server Manager"><div class="titlepage"><div><div><h3 class="title"><a name="id339179"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div></div><p> 258 <a class="indexterm" name="id339187"></a> 259 <a class="indexterm" name="id339194"></a> 260 <a class="indexterm" name="id339201"></a> 261 261 A working <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> is essential 262 262 for machine trust accounts to be automatically created. This applies no matter whether 263 263 you use automatic account creation or the NT4 Domain Server Manager. 264 264 </p><p> 265 <a class="indexterm" name="id3 41068"></a>266 <a class="indexterm" name="id3 41075"></a>267 <a class="indexterm" name="id3 41082"></a>268 <a class="indexterm" name="id3 41088"></a>265 <a class="indexterm" name="id339224"></a> 266 <a class="indexterm" name="id339231"></a> 267 <a class="indexterm" name="id339238"></a> 268 <a class="indexterm" name="id339244"></a> 269 269 If the machine from which you are trying to manage the domain is an 270 270 <span class="application">MS Windows NT4 workstation or MS Windows 200x/XP Professional</span>, … … 273 273 and <code class="literal">UsrMgr.exe</code> (both are domain management tools for MS Windows NT4 workstation). 
274 274 </p><p> 275 <a class="indexterm" name="id3 41125"></a>276 <a class="indexterm" name="id3 41131"></a>275 <a class="indexterm" name="id339281"></a> 276 <a class="indexterm" name="id339287"></a> 277 277 If your workstation is a <span class="application">Microsoft Windows 9x/Me</span> family product, 278 278 you should download the <code class="literal">Nexus.exe</code> package from the Microsoft Web site. … … 284 284 <a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540" target="_top">172540</a> 285 285 </p><p> 286 <a class="indexterm" name="id3 41171"></a>287 <a class="indexterm" name="id3 41178"></a>286 <a class="indexterm" name="id339327"></a> 287 <a class="indexterm" name="id339334"></a> 288 288 Launch the <code class="literal">srvmgr.exe</code> (Server Manager for Domains) and follow these steps: 289 </p><div class="procedure" title="Procedure 6.1. Server Manager Account Machine Account Management"><a name="id3 41192"></a><p class="title"><b>Procedure 6.1. Server Manager Account Machine Account Management</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>289 </p><div class="procedure" title="Procedure 6.1. Server Manager Account Machine Account Management"><a name="id339348"></a><p class="title"><b>Procedure 6.1. Server Manager Account Machine Account Management</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 290 290 From the menu select <span class="guimenu">Computer</span>. 291 291 </p></li><li class="step" title="Step 2"><p> … … 304 304 enter the machine name in the field provided, and click the 305 305 <span class="guibutton">Add</span> button. 
306 </p></li></ol></div></div><div class="sect2" title="On-the-Fly Creation of Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id3 41289"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div></div><p>307 <a class="indexterm" name="id3 41297"></a>306 </p></li></ol></div></div><div class="sect2" title="On-the-Fly Creation of Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id339445"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div></div><p> 307 <a class="indexterm" name="id339453"></a> 308 308 The third (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to 309 309 create them as needed when the client is joined to the domain. 310 310 </p><p> 311 <a class="indexterm" name="id3 41311"></a>312 <a class="indexterm" name="id3 41321"></a>313 <a class="indexterm" name="id3 41327"></a>311 <a class="indexterm" name="id339467"></a> 312 <a class="indexterm" name="id339477"></a> 313 <a class="indexterm" name="id339483"></a> 314 314 Since each Samba Machine Trust Account requires a corresponding UNIX account, a method 315 315 for automatically creating the UNIX account is usually supplied; this requires configuration of the … … 317 317 accounts may also be created manually. 
318 318 </p><p> 319 <a class="indexterm" name="id3 41346"></a>320 <a class="indexterm" name="id3 41353"></a>319 <a class="indexterm" name="id339502"></a> 320 <a class="indexterm" name="id339509"></a> 321 321 Here is an example for a Red Hat Linux system: 322 </p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id3 41375"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</code></em></td></tr></table><p>323 </p></div><div class="sect2" title="Making an MS Windows Workstation or Server a Domain Member"><div class="titlepage"><div><div><h3 class="title"><a name="id3 41389"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div></div><p>322 </p><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id339531"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</code></em></td></tr></table><p> 323 </p></div><div class="sect2" title="Making an MS Windows Workstation or Server a Domain Member"><div class="titlepage"><div><div><h3 class="title"><a name="id339545"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div></div><p> 324 324 The procedure for making an MS Windows workstation or server a member of the domain varies 325 325 with the version of Windows. 
326 </p><div class="sect3" title="Windows 200x/XP Professional Client"><div class="titlepage"><div><div><h4 class="title"><a name="id3 41398"></a>Windows 200x/XP Professional Client</h4></div></div></div><p>327 <a class="indexterm" name="id3 41406"></a>328 <a class="indexterm" name="id3 41413"></a>329 <a class="indexterm" name="id3 41422"></a>330 <a class="indexterm" name="id3 41429"></a>326 </p><div class="sect3" title="Windows 200x/XP Professional Client"><div class="titlepage"><div><div><h4 class="title"><a name="id339554"></a>Windows 200x/XP Professional Client</h4></div></div></div><p> 327 <a class="indexterm" name="id339562"></a> 328 <a class="indexterm" name="id339569"></a> 329 <a class="indexterm" name="id339578"></a> 330 <a class="indexterm" name="id339585"></a> 331 331 When the user elects to make the client a domain member, Windows 200x prompts for 332 332 an account and password that has privileges to create machine accounts in the domain. … … 337 337 by granting the <code class="literal">SeMachineAccountPrivilege</code> privilege to the user account. 338 338 </p><p> 339 <a class="indexterm" name="id3 41464"></a>340 <a class="indexterm" name="id3 41471"></a>339 <a class="indexterm" name="id339620"></a> 340 <a class="indexterm" name="id339627"></a> 341 341 For security reasons, the password for this administrator account should be set 342 342 to a password that is other than that used for the root user in <code class="filename">/etc/passwd</code>. 
343 343 </p><p> 344 <a class="indexterm" name="id3 41488"></a>345 <a class="indexterm" name="id3 41495"></a>346 <a class="indexterm" name="id3 41501"></a>347 <a class="indexterm" name="id3 41508"></a>344 <a class="indexterm" name="id339644"></a> 345 <a class="indexterm" name="id339651"></a> 346 <a class="indexterm" name="id339657"></a> 347 <a class="indexterm" name="id339664"></a> 348 348 The name of the account that is used to create domain member machine trust accounts can be 349 349 anything the network administrator may choose. If it is other than <code class="constant">root</code>, … … 351 351 <a class="link" href="smb.conf.5.html#USERNAMEMAP" target="_top">username map = /etc/samba/smbusers</a>. 352 352 </p><p> 353 <a class="indexterm" name="id3 41546"></a>354 <a class="indexterm" name="id3 41552"></a>355 <a class="indexterm" name="id3 41559"></a>353 <a class="indexterm" name="id339702"></a> 354 <a class="indexterm" name="id339709"></a> 355 <a class="indexterm" name="id339715"></a> 356 356 The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust 357 357 account. The Machine Trust Account will be created on-the-fly, or updated if it already exists. 
358 </p></div><div class="sect3" title="Windows NT4 Client"><div class="titlepage"><div><div><h4 class="title"><a name="id3 41570"></a>Windows NT4 Client</h4></div></div></div><p>359 <a class="indexterm" name="id3 41577"></a>360 <a class="indexterm" name="id3 41584"></a>361 <a class="indexterm" name="id3 41590"></a>358 </p></div><div class="sect3" title="Windows NT4 Client"><div class="titlepage"><div><div><h4 class="title"><a name="id339726"></a>Windows NT4 Client</h4></div></div></div><p> 359 <a class="indexterm" name="id339734"></a> 360 <a class="indexterm" name="id339741"></a> 361 <a class="indexterm" name="id339748"></a> 362 362 If the Machine Trust Account was created manually, on the 363 363 Identification Changes menu enter the domain name, but do not … … 366 366 to the domain. 367 367 </p><p> 368 <a class="indexterm" name="id3 41609"></a>369 <a class="indexterm" name="id3 41615"></a>370 <a class="indexterm" name="id3 41622"></a>371 <a class="indexterm" name="id3 41629"></a>368 <a class="indexterm" name="id339766"></a> 369 <a class="indexterm" name="id339773"></a> 370 <a class="indexterm" name="id339780"></a> 371 <a class="indexterm" name="id339786"></a> 372 372 If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain 373 373 name and check the box <span class="guilabel">Create a Computer Account in the Domain</span>. In this case, joining 374 374 the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when 375 375 prompted). 
376 </p></div><div class="sect3" title="Samba Client"><div class="titlepage"><div><div><h4 class="title"><a name="id3 41646"></a>Samba Client</h4></div></div></div><p>377 <a class="indexterm" name="id3 41654"></a>376 </p></div><div class="sect3" title="Samba Client"><div class="titlepage"><div><div><h4 class="title"><a name="id339804"></a>Samba Client</h4></div></div></div><p> 377 <a class="indexterm" name="id339812"></a> 378 378 Joining a Samba client to a domain is documented in <a class="link" href="domain-member.html#domain-member-server" title="Domain Member Server">the next section</a>. 379 379 </p></div></div></div><div class="sect1" title="Domain Member Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domain-member-server"></a>Domain Member Server</h2></div></div></div><p> 380 <a class="indexterm" name="id3 41682"></a>381 <a class="indexterm" name="id3 41689"></a>382 <a class="indexterm" name="id3 41696"></a>383 <a class="indexterm" name="id3 41703"></a>380 <a class="indexterm" name="id339840"></a> 381 <a class="indexterm" name="id339847"></a> 382 <a class="indexterm" name="id339854"></a> 383 <a class="indexterm" name="id339861"></a> 384 384 This mode of server operation involves the Samba machine being made a member 385 385 of a domain security context. 
This means by definition that all user … … 390 390 </p><p> 391 391 <span class="emphasis"><em> 392 <a class="indexterm" name="id3 41722"></a>393 <a class="indexterm" name="id3 41731"></a>394 <a class="indexterm" name="id3 41738"></a>395 <a class="indexterm" name="id3 41744"></a>396 <a class="indexterm" name="id3 41751"></a>397 <a class="indexterm" name="id3 41758"></a>398 <a class="indexterm" name="id3 41765"></a>399 <a class="indexterm" name="id3 41771"></a>392 <a class="indexterm" name="id339879"></a> 393 <a class="indexterm" name="id339889"></a> 394 <a class="indexterm" name="id339895"></a> 395 <a class="indexterm" name="id339902"></a> 396 <a class="indexterm" name="id339909"></a> 397 <a class="indexterm" name="id339916"></a> 398 <a class="indexterm" name="id339922"></a> 399 <a class="indexterm" name="id339929"></a> 400 400 Of course it should be clear that the authentication backend itself could be 401 401 from any distributed directory architecture server that is supported by Samba. … … 404 404 </em></span> 405 405 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 406 <a class="indexterm" name="id3 41786"></a>407 <a class="indexterm" name="id3 41793"></a>408 <a class="indexterm" name="id3 41799"></a>406 <a class="indexterm" name="id339944"></a> 407 <a class="indexterm" name="id339950"></a> 408 <a class="indexterm" name="id339957"></a> 409 409 When Samba is configured to use an LDAP or other identity management and/or 410 410 directory service, it is Samba that continues to perform user and machine … … 412 412 authentication handling in place of what Samba is designed to do. 
413 413 </p></div><p> 414 <a class="indexterm" name="id3 41812"></a>415 <a class="indexterm" name="id3 41819"></a>416 <a class="indexterm" name="id3 41826"></a>414 <a class="indexterm" name="id339970"></a> 415 <a class="indexterm" name="id339977"></a> 416 <a class="indexterm" name="id339983"></a> 417 417 Please refer to <a class="link" href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>, for more information regarding 418 418 how to create a domain machine account for a domain member server as well as for 419 419 information on how to enable the Samba domain member machine to join the domain 420 420 and be fully trusted by it. 421 </p><div class="sect2" title="Joining an NT4-type Domain with Samba-3"><div class="titlepage"><div><div><h3 class="title"><a name="id34 1842"></a>Joining an NT4-type Domain with Samba-3</h3></div></div></div><p><a class="link" href="domain-member.html#assumptions" title="Table 6.1. Assumptions">Assumptions</a> lists names that are used in the remainder of this chapter.</p><div class="table"><a name="assumptions"></a><p class="title"><b>Table 6.1. 
Assumptions</b></p><div class="table-contents"><table summary="Assumptions" border="1"><colgroup><col align="right"><col align="left"></colgroup><tbody><tr><td align="right">Samba DMS NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="right">Windows 200x/NT domain name:</td><td align="left">MIDEARTH</td></tr><tr><td align="right">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="right">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div></div><br class="table-break"><p>422 <a class="indexterm" name="id34 1925"></a>421 </p><div class="sect2" title="Joining an NT4-type Domain with Samba-3"><div class="titlepage"><div><div><h3 class="title"><a name="id340000"></a>Joining an NT4-type Domain with Samba-3</h3></div></div></div><p><a class="link" href="domain-member.html#assumptions" title="Table 6.1. Assumptions">Assumptions</a> lists names that are used in the remainder of this chapter.</p><div class="table"><a name="assumptions"></a><p class="title"><b>Table 6.1. Assumptions</b></p><div class="table-contents"><table summary="Assumptions" border="1"><colgroup><col align="right"><col align="left"></colgroup><tbody><tr><td align="right">Samba DMS NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="right">Windows 200x/NT domain name:</td><td align="left">MIDEARTH</td></tr><tr><td align="right">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="right">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div></div><br class="table-break"><p> 422 <a class="indexterm" name="id340083"></a> 423 423 First, you must edit your <code class="filename">smb.conf</code> file to tell Samba it should now use domain security. 
424 424 </p><p> 425 <a class="indexterm" name="id34 1941"></a>426 <a class="indexterm" name="id34 1947"></a>427 <a class="indexterm" name="id34 1954"></a>428 <a class="indexterm" name="id34 1961"></a>425 <a class="indexterm" name="id340098"></a> 426 <a class="indexterm" name="id340105"></a> 427 <a class="indexterm" name="id340112"></a> 428 <a class="indexterm" name="id340118"></a> 429 429 Change (or add) your <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security</a> line in the [global] section 430 430 of your <code class="filename">smb.conf</code> to read: 431 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 1991"></a><em class="parameter"><code>security = domain</code></em></td></tr></table><p>431 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id340148"></a><em class="parameter"><code>security = domain</code></em></td></tr></table><p> 432 432 Note that if the parameter <em class="parameter"><code>security = user</code></em> is used, this machine would function as a 433 433 standalone server and not as a domain member server. Domain security mode causes Samba to work within the … … 436 436 Next change the <a class="link" href="smb.conf.5.html#WORKGROUP" target="_top">workgroup</a> line in the <em class="parameter"><code>[global]</code></em> 437 437 section to read: 438 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 2036"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr></table><p>438 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id340192"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr></table><p> 439 439 This is the name of the domain we are joining. 
440 440 </p><p> 441 <a class="indexterm" name="id34 2051"></a>442 <a class="indexterm" name="id34 2058"></a>441 <a class="indexterm" name="id340207"></a> 442 <a class="indexterm" name="id340214"></a> 443 443 You must also have the parameter <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords</a> 444 444 set to <code class="constant">yes</code> in order for your users to authenticate to the NT PDC. … … 446 446 parameter, but if it is specified in the <code class="filename">smb.conf</code> file, it must be set to <code class="constant">Yes</code>. 447 447 </p><p> 448 <a class="indexterm" name="id34 2094"></a>449 <a class="indexterm" name="id34 2101"></a>450 <a class="indexterm" name="id34 2108"></a>451 <a class="indexterm" name="id34 2114"></a>448 <a class="indexterm" name="id340250"></a> 449 <a class="indexterm" name="id340257"></a> 450 <a class="indexterm" name="id340264"></a> 451 <a class="indexterm" name="id340270"></a> 452 452 Finally, add (or modify) a <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a> line in the [global] 453 453 section to read: 454 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 2138"></a><em class="parameter"><code>password server = DOMPDC DOMBDC1 DOMBDC2</code></em></td></tr></table><p>454 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id340294"></a><em class="parameter"><code>password server = DOMPDC DOMBDC1 DOMBDC2</code></em></td></tr></table><p> 455 455 These are the PDC and BDCs Samba 456 456 will attempt to contact in order to authenticate users. Samba will … … 459 459 among Domain Controllers. 
460 460 </p><p> 461 <a class="indexterm" name="id34 2155"></a>462 <a class="indexterm" name="id34 2162"></a>463 <a class="indexterm" name="id34 2169"></a>464 <a class="indexterm" name="id34 2176"></a>461 <a class="indexterm" name="id340311"></a> 462 <a class="indexterm" name="id340318"></a> 463 <a class="indexterm" name="id340325"></a> 464 <a class="indexterm" name="id340332"></a> 465 465 Alternatively, if you want smbd to determine automatically the list of domain controllers to use for 466 466 authentication, you may set this line to be: 467 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 2189"></a><em class="parameter"><code>password server = *</code></em></td></tr></table><p>468 <a class="indexterm" name="id34 2201"></a>467 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id340345"></a><em class="parameter"><code>password server = *</code></em></td></tr></table><p> 468 <a class="indexterm" name="id340357"></a> 469 469 This method allows Samba to use exactly the same mechanism that NT does. 
The 470 470 method either uses broadcast-based name resolution, performs a WINS database … … 473 473 </p><p> 474 474 To join the domain, run this command: 475 <a class="indexterm" name="id34 2214"></a>475 <a class="indexterm" name="id340370"></a> 476 476 </p><pre class="screen"> 477 477 <code class="prompt">root# </code><strong class="userinput"><code>net rpc join -S DOMPDC -U<em class="replaceable"><code>Administrator%password</code></em></code></strong> 478 478 </pre><p> 479 479 </p><p> 480 <a class="indexterm" name="id34 2246"></a>481 <a class="indexterm" name="id34 2253"></a>482 <a class="indexterm" name="id34 2260"></a>483 <a class="indexterm" name="id34 2267"></a>480 <a class="indexterm" name="id340402"></a> 481 <a class="indexterm" name="id340409"></a> 482 <a class="indexterm" name="id340416"></a> 483 <a class="indexterm" name="id340423"></a> 484 484 If the <code class="option">-S DOMPDC</code> argument is not given, the domain name will be obtained from <code class="filename">smb.conf</code> and 485 485 the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name 486 486 look up. 
487 487 </p><p> 488 <a class="indexterm" name="id34 2288"></a>489 <a class="indexterm" name="id34 2295"></a>490 <a class="indexterm" name="id34 2301"></a>491 <a class="indexterm" name="id34 2308"></a>488 <a class="indexterm" name="id340444"></a> 489 <a class="indexterm" name="id340451"></a> 490 <a class="indexterm" name="id340457"></a> 491 <a class="indexterm" name="id340464"></a> 492 492 The machine is joining the domain DOM, and the PDC for that domain (the only machine 493 493 that has write access to the domain SAM database) is DOMPDC; therefore, use the <code class="option">-S</code> … … 500 500 </pre><p> 501 501 </p><p> 502 <a class="indexterm" name="id34 2340"></a>503 <a class="indexterm" name="id34 2352"></a>504 <a class="indexterm" name="id34 2358"></a>502 <a class="indexterm" name="id340496"></a> 503 <a class="indexterm" name="id340508"></a> 504 <a class="indexterm" name="id340514"></a> 505 505 Where Active Directory is used, the command used to join the ADS domain is: 506 506 </p><pre class="screen"> … … 515 515 administration</a> for further information. 516 516 </p><p> 517 <a class="indexterm" name="id34 2412"></a>518 <a class="indexterm" name="id34 2418"></a>519 <a class="indexterm" name="id34 2425"></a>517 <a class="indexterm" name="id340568"></a> 518 <a class="indexterm" name="id340574"></a> 519 <a class="indexterm" name="id340581"></a> 520 520 This process joins the server to the domain without separately having to create the machine 521 521 trust account on the PDC beforehand. 
522 522 </p><p> 523 <a class="indexterm" name="id34 2436"></a>524 <a class="indexterm" name="id34 2446"></a>525 <a class="indexterm" name="id34 2453"></a>526 <a class="indexterm" name="id34 2460"></a>523 <a class="indexterm" name="id340592"></a> 524 <a class="indexterm" name="id340602"></a> 525 <a class="indexterm" name="id340609"></a> 526 <a class="indexterm" name="id340616"></a> 527 527 This command goes through the machine account password change protocol, then writes the new (random) machine 528 528 account password for this Samba server into a file in the same directory in which a smbpasswd file would be … … 530 530 <code class="filename">/usr/local/samba/private/secrets.tdb</code> or <code class="filename">/etc/samba/secrets.tdb</code>. 531 531 </p><p> 532 <a class="indexterm" name="id34 2484"></a>533 <a class="indexterm" name="id34 2491"></a>532 <a class="indexterm" name="id340640"></a> 533 <a class="indexterm" name="id340647"></a> 534 534 This file is created and owned by root and is not readable by any other user. It is 535 535 the key to the domain-level security for your system and should be treated as carefully 536 536 as a shadow password file. 537 537 </p><p> 538 <a class="indexterm" name="id34 2503"></a>539 <a class="indexterm" name="id34 2510"></a>540 <a class="indexterm" name="id34 2516"></a>538 <a class="indexterm" name="id340659"></a> 539 <a class="indexterm" name="id340666"></a> 540 <a class="indexterm" name="id340672"></a> 541 541 Finally, restart your Samba daemons and get ready for clients to begin using domain 542 542 security. 
The way you can restart your Samba daemons depends on your distribution, … … 545 545 <code class="prompt">root# </code>/etc/init.d/samba restart 546 546 </pre><p> 547 </p></div><div class="sect2" title="Why Is This Better Than security = server?"><div class="titlepage"><div><div><h3 class="title"><a name="id34 2539"></a>Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</h3></div></div></div><p>548 <a class="indexterm" name="id34 2552"></a>549 <a class="indexterm" name="id34 2559"></a>550 <a class="indexterm" name="id34 2566"></a>547 </p></div><div class="sect2" title="Why Is This Better Than security = server?"><div class="titlepage"><div><div><h3 class="title"><a name="id340695"></a>Why Is This Better Than <em class="parameter"><code>security = server</code></em>?</h3></div></div></div><p> 548 <a class="indexterm" name="id340708"></a> 549 <a class="indexterm" name="id340715"></a> 550 <a class="indexterm" name="id340722"></a> 551 551 Currently, domain security in Samba does not free you from having to create local UNIX users to represent the 552 552 users attaching to your server. This means that if domain user <code class="constant">DOM\fred</code> attaches to your … … 555 555 NT server in the same way as a Windows 95 or Windows 98 server would. 556 556 </p><p> 557 <a class="indexterm" name="id34 2596"></a>558 <a class="indexterm" name="id34 2602"></a>559 <a class="indexterm" name="id34 2609"></a>557 <a class="indexterm" name="id340752"></a> 558 <a class="indexterm" name="id340758"></a> 559 <a class="indexterm" name="id340765"></a> 560 560 Please refer to <a class="link" href="winbind.html" title="Chapter 24. Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for information on a system 561 561 to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups. 
562 562 </p><p> 563 <a class="indexterm" name="id34 2627"></a>564 <a class="indexterm" name="id34 2633"></a>565 <a class="indexterm" name="id34 2640"></a>563 <a class="indexterm" name="id340783"></a> 564 <a class="indexterm" name="id340789"></a> 565 <a class="indexterm" name="id340796"></a> 566 566 The advantage of domain-level security is that the authentication in domain-level security is passed down the 567 567 authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now … … 570 570 domain PDC). 571 571 </p><p> 572 <a class="indexterm" name="id34 2654"></a>573 <a class="indexterm" name="id34 2661"></a>574 <a class="indexterm" name="id34 2667"></a>572 <a class="indexterm" name="id340810"></a> 573 <a class="indexterm" name="id340817"></a> 574 <a class="indexterm" name="id340823"></a> 575 575 In addition, with <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = server</a>, every Samba daemon on a server has to 576 576 keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the … … 580 580 connection resources. 581 581 </p><p> 582 <a class="indexterm" name="id34 2702"></a>583 <a class="indexterm" name="id34 2708"></a>584 <a class="indexterm" name="id34 2715"></a>585 <a class="indexterm" name="id34 2721"></a>582 <a class="indexterm" name="id340858"></a> 583 <a class="indexterm" name="id340864"></a> 584 <a class="indexterm" name="id340871"></a> 585 <a class="indexterm" name="id340878"></a> 586 586 Finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the 587 587 authentication reply, the Samba server gets the user identification information such as the user SID, the list … … 592 592 <span class="emphasis"><em>Doing the NIS/NT Samba</em></span>. 
593 593 </p></div></div></div><div class="sect1" title="Samba ADS Domain Membership"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ads-member"></a>Samba ADS Domain Membership</h2></div></div></div><p> 594 <a class="indexterm" name="id34 2768"></a>595 <a class="indexterm" name="id34 2774"></a>596 <a class="indexterm" name="id34 2783"></a>597 <a class="indexterm" name="id34 2790"></a>594 <a class="indexterm" name="id340923"></a> 595 <a class="indexterm" name="id340930"></a> 596 <a class="indexterm" name="id340938"></a> 597 <a class="indexterm" name="id340945"></a> 598 598 This is a rough guide to setting up Samba-3 with Kerberos authentication against a 599 599 Windows 200x KDC. A familiarity with Kerberos is assumed. 600 </p><div class="sect2" title="Configure smb.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id34 2799"></a>Configure <code class="filename">smb.conf</code></h3></div></div></div><p>600 </p><div class="sect2" title="Configure smb.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id340955"></a>Configure <code class="filename">smb.conf</code></h3></div></div></div><p> 601 601 You must use at least the following three options in <code class="filename">smb.conf</code>: 602 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 2824"></a><em class="parameter"><code>realm = your.kerberos.REALM</code></em></td></tr><tr><td><a class="indexterm" name="id342836"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td># The following parameter need only be specified if present.</td></tr><tr><td># The default setting if not present is Yes.</td></tr><tr><td><a class="indexterm" name="id342855"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr></table><p>603 <a class="indexterm" name="id34 2869"></a>604 <a class="indexterm" name="id34 2875"></a>605 <a class="indexterm" name="id34 2882"></a>606 <a 
class="indexterm" name="id34 2888"></a>607 <a class="indexterm" name="id34 2895"></a>602 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id340980"></a><em class="parameter"><code>realm = your.kerberos.REALM</code></em></td></tr><tr><td><a class="indexterm" name="id340991"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td># The following parameter need only be specified if present.</td></tr><tr><td># The default setting if not present is Yes.</td></tr><tr><td><a class="indexterm" name="id341010"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr></table><p> 603 <a class="indexterm" name="id341024"></a> 604 <a class="indexterm" name="id341031"></a> 605 <a class="indexterm" name="id341037"></a> 606 <a class="indexterm" name="id341044"></a> 607 <a class="indexterm" name="id341051"></a> 608 608 In case samba cannot correctly identify the appropriate ADS server using the realm name, use the 609 609 <a class="link" href="smb.conf.5.html#PASSWORDSERVER" target="_top">password server</a> option in <code class="filename">smb.conf</code>: 610 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 2926"></a><em class="parameter"><code>password server = your.kerberos.server</code></em></td></tr></table><p>610 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id341081"></a><em class="parameter"><code>password server = your.kerberos.server</code></em></td></tr></table><p> 611 611 The most common reason for which Samba may not be able to locate the ADS domain controller is a consequence of 612 612 sites maintaining some DNS servers on UNIX systems without regard for the DNS requirements of the ADS … … 614 614 server</code></em>. 
615 615 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 616 <a class="indexterm" name="id34 2950"></a>617 <a class="indexterm" name="id34 2957"></a>616 <a class="indexterm" name="id341105"></a> 617 <a class="indexterm" name="id341112"></a> 618 618 You do <span class="emphasis"><em>not</em></span> need an smbpasswd file, and older clients will be authenticated as 619 619 if <a class="link" href="smb.conf.5.html#SECURITY" target="_top">security = domain</a>, although it will not do any harm and 620 620 allows you to have local users not in the domain. 621 </p></div></div><div class="sect2" title="Configure /etc/krb5.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id34 2981"></a>Configure <code class="filename">/etc/krb5.conf</code></h3></div></div></div><p>622 <a class="indexterm" name="id34 2993"></a>623 <a class="indexterm" name="id34 3000"></a>624 <a class="indexterm" name="id34 3009"></a>625 <a class="indexterm" name="id34 3016"></a>621 </p></div></div><div class="sect2" title="Configure /etc/krb5.conf"><div class="titlepage"><div><div><h3 class="title"><a name="id341137"></a>Configure <code class="filename">/etc/krb5.conf</code></h3></div></div></div><p> 622 <a class="indexterm" name="id341149"></a> 623 <a class="indexterm" name="id341156"></a> 624 <a class="indexterm" name="id341165"></a> 625 <a class="indexterm" name="id341172"></a> 626 626 With both MIT and Heimdal Kerberos, it is unnecessary to configure the <code class="filename">/etc/krb5.conf</code>, 627 627 and it may be detrimental. 
628 628 </p><p> 629 <a class="indexterm" name="id34 3032"></a>630 <a class="indexterm" name="id34 3039"></a>631 <a class="indexterm" name="id34 3046"></a>632 <a class="indexterm" name="id34 3053"></a>633 <a class="indexterm" name="id34 3059"></a>629 <a class="indexterm" name="id341188"></a> 630 <a class="indexterm" name="id341194"></a> 631 <a class="indexterm" name="id341201"></a> 632 <a class="indexterm" name="id341208"></a> 633 <a class="indexterm" name="id341215"></a> 634 634 Microsoft ADS automatically create SRV records in the DNS zone 635 635 <em class="parameter"><code>_kerberos._tcp.REALM.NAME</code></em> for each KDC in the realm. This is part … … 638 638 active directory infrastructure. 639 639 </p><p> 640 <a class="indexterm" name="id34 3078"></a>641 <a class="indexterm" name="id34 3085"></a>642 <a class="indexterm" name="id34 3092"></a>643 <a class="indexterm" name="id34 3098"></a>644 <a class="indexterm" name="id34 3105"></a>645 <a class="indexterm" name="id34 3112"></a>640 <a class="indexterm" name="id341233"></a> 641 <a class="indexterm" name="id341240"></a> 642 <a class="indexterm" name="id341247"></a> 643 <a class="indexterm" name="id341254"></a> 644 <a class="indexterm" name="id341261"></a> 645 <a class="indexterm" name="id341267"></a> 646 646 UNIX systems can use kinit and the DES-CBC-MD5 or DES-CBC-CRC encryption types to authenticate to the Windows 647 647 2000 KDC. For further information regarding Windows 2000 ADS kerberos interoperability please refer to the … … 651 651 explains much of the magic behind the operation of Kerberos. 
652 652 </p><p> 653 <a class="indexterm" name="id34 3138"></a>654 <a class="indexterm" name="id34 3145"></a>655 <a class="indexterm" name="id34 3152"></a>656 <a class="indexterm" name="id34 3159"></a>657 <a class="indexterm" name="id34 3165"></a>658 <a class="indexterm" name="id34 3172"></a>653 <a class="indexterm" name="id341294"></a> 654 <a class="indexterm" name="id341300"></a> 655 <a class="indexterm" name="id341307"></a> 656 <a class="indexterm" name="id341314"></a> 657 <a class="indexterm" name="id341321"></a> 658 <a class="indexterm" name="id341328"></a> 659 659 MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will 660 660 automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> only allows specifying … … 662 662 libraries to use whichever KDCs are available. 663 663 </p><p> 664 <a class="indexterm" name="id34 3191"></a>664 <a class="indexterm" name="id341346"></a> 665 665 When manually configuring <code class="filename">krb5.conf</code>, the minimal configuration is: 666 666 </p><pre class="screen"> … … 677 677 </pre><p> 678 678 </p><p> 679 <a class="indexterm" name="id34 3214"></a>679 <a class="indexterm" name="id341370"></a> 680 680 When using Heimdal versions before 0.6, use the following configuration settings: 681 681 </p><pre class="screen"> … … 694 694 </pre><p> 695 695 </p><p> 696 <a class="indexterm" name="id34 3233"></a>697 <a class="indexterm" name="id34 3240"></a>696 <a class="indexterm" name="id341389"></a> 697 <a class="indexterm" name="id341395"></a> 698 698 Test your config by doing a <strong class="userinput"><code>kinit 699 699 <em class="replaceable"><code>USERNAME</code></em>@<em class="replaceable"><code>REALM</code></em></code></strong> and 700 700 making sure that your password is accepted by the Win2000 KDC. 
701 701 </p><p> 702 <a class="indexterm" name="id34 3262"></a>703 <a class="indexterm" name="id34 3269"></a>704 <a class="indexterm" name="id34 3276"></a>705 <a class="indexterm" name="id34 3282"></a>702 <a class="indexterm" name="id341418"></a> 703 <a class="indexterm" name="id341425"></a> 704 <a class="indexterm" name="id341431"></a> 705 <a class="indexterm" name="id341438"></a> 706 706 With Heimdal versions earlier than 0.6.x you can use only newly created accounts 707 707 in ADS or accounts that have had the password changed once after migration, or … … 711 711 in a state of flux. 712 712 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 713 <a class="indexterm" name="id34 3300"></a>714 <a class="indexterm" name="id34 3307"></a>715 <a class="indexterm" name="id34 3314"></a>713 <a class="indexterm" name="id341456"></a> 714 <a class="indexterm" name="id341462"></a> 715 <a class="indexterm" name="id341469"></a> 716 716 The realm must be in uppercase or you will get a <span class="quote">“<span class="quote"><span class="errorname">Cannot find KDC for 717 717 requested realm while getting initial credentials</span></span>”</span> error (Kerberos 718 718 is case-sensitive!). 719 719 </p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 720 <a class="indexterm" name="id34 3330"></a>721 <a class="indexterm" name="id34 3337"></a>722 <a class="indexterm" name="id34 3344"></a>723 <a class="indexterm" name="id34 3351"></a>720 <a class="indexterm" name="id341486"></a> 721 <a class="indexterm" name="id341493"></a> 722 <a class="indexterm" name="id341500"></a> 723 <a class="indexterm" name="id341506"></a> 724 724 Time between the two servers must be synchronized. 
You will get a <span class="quote">“<span class="quote"><span class="errorname">kinit(v5): Clock skew too 725 725 great while getting initial credentials</span></span>”</span> if the time difference (clock skew) is more than five minutes. 726 726 </p></div><p> 727 <a class="indexterm" name="id34 3367"></a>728 <a class="indexterm" name="id34 3374"></a>727 <a class="indexterm" name="id341523"></a> 728 <a class="indexterm" name="id341529"></a> 729 729 Clock skew limits are configurable in the Kerberos protocols. The default setting is five minutes. 730 730 </p><p> 731 <a class="indexterm" name="id34 3385"></a>732 <a class="indexterm" name="id34 3391"></a>733 <a class="indexterm" name="id34 3398"></a>734 <a class="indexterm" name="id34 3405"></a>731 <a class="indexterm" name="id341540"></a> 732 <a class="indexterm" name="id341547"></a> 733 <a class="indexterm" name="id341553"></a> 734 <a class="indexterm" name="id341560"></a> 735 735 You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that 736 736 this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain 737 737 attached) or it can be the NetBIOS name followed by the realm. 738 738 </p><p> 739 <a class="indexterm" name="id34 3417"></a>740 <a class="indexterm" name="id34 3424"></a>741 <a class="indexterm" name="id34 3430"></a>739 <a class="indexterm" name="id341573"></a> 740 <a class="indexterm" name="id341579"></a> 741 <a class="indexterm" name="id341586"></a> 742 742 The easiest way to ensure you get this right is to add a <code class="filename">/etc/hosts</code> entry mapping the IP 743 743 address of your KDC to its NetBIOS name. If you do not get this correct, then you will get a <span class="errorname">local 744 744 error</span> when you try to join the realm. 
745 745 </p><p> 746 <a class="indexterm" name="id34 3452"></a>747 <a class="indexterm" name="id34 3459"></a>748 <a class="indexterm" name="id34 3466"></a>749 <a class="indexterm" name="id34 3472"></a>746 <a class="indexterm" name="id341607"></a> 747 <a class="indexterm" name="id341614"></a> 748 <a class="indexterm" name="id341621"></a> 749 <a class="indexterm" name="id341628"></a> 750 750 If all you want is Kerberos support in <span class="application">smbclient</span>, then you can skip directly to <a class="link" href="domain-member.html#ads-test-smbclient" title="Testing with smbclient">Testing with <span class="application">smbclient</span></a> now. <a class="link" href="domain-member.html#ads-create-machine-account" title="Create the Computer Account">Create the Computer Account</a> and <a class="link" href="domain-member.html#ads-test-server" title="Testing Server Setup">Testing Server Setup</a> are needed only if you want Kerberos support for <span class="application">smbd</span> 751 751 and <span class="application">winbindd</span>. 752 752 </p></div><div class="sect2" title="Create the Computer Account"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the Computer Account</h3></div></div></div><p> 753 <a class="indexterm" name="id34 3538"></a>754 <a class="indexterm" name="id34 3544"></a>755 <a class="indexterm" name="id34 3551"></a>756 <a class="indexterm" name="id34 3558"></a>753 <a class="indexterm" name="id341694"></a> 754 <a class="indexterm" name="id341701"></a> 755 <a class="indexterm" name="id341708"></a> 756 <a class="indexterm" name="id341714"></a> 757 757 As a user who has write permission on the Samba private directory (usually root), run: 758 758 </p><pre class="screen"> … … 763 763 On the UNIX/Linux system, this command must be executed by an account that has UID=0 (root). 
764 764 </p><p> 765 <a class="indexterm" name="id34 3589"></a>766 <a class="indexterm" name="id34 3595"></a>767 <a class="indexterm" name="id34 3602"></a>768 <a class="indexterm" name="id34 3609"></a>769 <a class="indexterm" name="id34 3616"></a>770 <a class="indexterm" name="id34 3622"></a>765 <a class="indexterm" name="id341745"></a> 766 <a class="indexterm" name="id341752"></a> 767 <a class="indexterm" name="id341758"></a> 768 <a class="indexterm" name="id341765"></a> 769 <a class="indexterm" name="id341772"></a> 770 <a class="indexterm" name="id341779"></a> 771 771 When making a Windows client a member of an ADS domain within a complex organization, you 772 772 may want to create the machine trust account within a particular organizational unit. Samba-3 permits … … 778 778 Your ADS manager will be able to advise what should be specified for the "organizational_unit" parameter. 779 779 </p><p> 780 <a class="indexterm" name="id34 3669"></a>781 <a class="indexterm" name="id34 3676"></a>782 <a class="indexterm" name="id34 3682"></a>783 <a class="indexterm" name="id34 3689"></a>780 <a class="indexterm" name="id341825"></a> 781 <a class="indexterm" name="id341832"></a> 782 <a class="indexterm" name="id341839"></a> 783 <a class="indexterm" name="id341846"></a> 784 784 For example, you may want to create the machine trust account in a container called <span class="quote">“<span class="quote">Servers</span>”</span> 785 785 under the organizational directory <span class="quote">“<span class="quote">Computers/BusinessUnit/Department,</span>”</span> like this: … … 792 792 valid characters in an OU name and used as escapes for other characters. If you need a backslash in an OU 793 793 name, it may need to be quadrupled to pass through the shell escape and ldap escape. 
794 </p><div class="sect3" title="Possible Errors"><div class="titlepage"><div><div><h4 class="title"><a name="id34 3732"></a>Possible Errors</h4></div></div></div><p>794 </p><div class="sect3" title="Possible Errors"><div class="titlepage"><div><div><h4 class="title"><a name="id341889"></a>Possible Errors</h4></div></div></div><p> 795 795 </p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p> 796 <a class="indexterm" name="id34 3751"></a>797 <a class="indexterm" name="id34 3758"></a>798 <a class="indexterm" name="id34 3765"></a>796 <a class="indexterm" name="id341908"></a> 797 <a class="indexterm" name="id341914"></a> 798 <a class="indexterm" name="id341921"></a> 799 799 Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the 800 800 Kerberos libraries and headers files are installed. 801 801 </p></dd><dt><span class="term"><span class="errorname">net ads join prompts for user name</span></span></dt><dd><p> 802 <a class="indexterm" name="id34 3783"></a>803 <a class="indexterm" name="id34 3790"></a>802 <a class="indexterm" name="id341940"></a> 803 <a class="indexterm" name="id341946"></a> 804 804 You need to login to the domain using <strong class="userinput"><code>kinit 805 805 <em class="replaceable"><code>USERNAME</code></em>@<em class="replaceable"><code>REALM</code></em></code></strong>. 806 806 <em class="replaceable"><code>USERNAME</code></em> must be a user who has rights to add a machine to the domain. 
807 807 </p></dd><dt><span class="term">Unsupported encryption/or checksum types</span></dt><dd><p> 808 <a class="indexterm" name="id34 3822"></a>809 <a class="indexterm" name="id34 3829"></a>810 <a class="indexterm" name="id34 3836"></a>808 <a class="indexterm" name="id341978"></a> 809 <a class="indexterm" name="id341985"></a> 810 <a class="indexterm" name="id341992"></a> 811 811 Make sure that the <code class="filename">/etc/krb5.conf</code> is correctly configured 812 812 for the type and version of Kerberos installed on the system. 813 813 </p></dd></dl></div><p> 814 814 </p></div></div><div class="sect2" title="Testing Server Setup"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Testing Server Setup</h3></div></div></div><p> 815 <a class="indexterm" name="id34 3866"></a>816 <a class="indexterm" name="id34 3872"></a>817 <a class="indexterm" name="id34 3879"></a>815 <a class="indexterm" name="id342022"></a> 816 <a class="indexterm" name="id342029"></a> 817 <a class="indexterm" name="id342036"></a> 818 818 If the join was successful, you will see a new computer account with the 819 819 NetBIOS name of your Samba server in Active Directory (in the <span class="quote">“<span class="quote">Computers</span>”</span> 820 820 folder under Users and Computers. 821 821 </p><p> 822 <a class="indexterm" name="id34 3894"></a>823 <a class="indexterm" name="id34 3901"></a>824 <a class="indexterm" name="id34 3910"></a>822 <a class="indexterm" name="id342050"></a> 823 <a class="indexterm" name="id342057"></a> 824 <a class="indexterm" name="id342066"></a> 825 825 On a Windows 2000 client, try <strong class="userinput"><code>net use * \\server\share</code></strong>. It should be possible 826 826 to login with Kerberos without needing to know a password. If this fails, then run … … 828 828 an encryption type of DES-CBC-MD5? 
829 829 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 830 <a class="indexterm" name="id34 3935"></a>831 <a class="indexterm" name="id34 3942"></a>832 <a class="indexterm" name="id34 3948"></a>830 <a class="indexterm" name="id342091"></a> 831 <a class="indexterm" name="id342098"></a> 832 <a class="indexterm" name="id342105"></a> 833 833 Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding. 834 834 </p></div></div><div class="sect2" title="Testing with smbclient"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-smbclient"></a>Testing with <span class="application">smbclient</span></h3></div></div></div><p> 835 <a class="indexterm" name="id34 3974"></a>836 <a class="indexterm" name="id34 3980"></a>837 <a class="indexterm" name="id34 3987"></a>835 <a class="indexterm" name="id342130"></a> 836 <a class="indexterm" name="id342137"></a> 837 <a class="indexterm" name="id342144"></a> 838 838 On your Samba server try to login to a Windows 2000 server or your Samba 839 839 server using <span class="application">smbclient</span> and Kerberos. Use <span class="application">smbclient</span> as usual, but 840 840 specify the <code class="option">-k</code> option to choose Kerberos authentication. 
841 </p></div><div class="sect2" title="Notes"><div class="titlepage"><div><div><h3 class="title"><a name="id34 4013"></a>Notes</h3></div></div></div><p>842 <a class="indexterm" name="id34 4021"></a>843 <a class="indexterm" name="id34 4028"></a>844 <a class="indexterm" name="id34 4035"></a>841 </p></div><div class="sect2" title="Notes"><div class="titlepage"><div><div><h3 class="title"><a name="id342170"></a>Notes</h3></div></div></div><p> 842 <a class="indexterm" name="id342177"></a> 843 <a class="indexterm" name="id342184"></a> 844 <a class="indexterm" name="id342191"></a> 845 845 You must change the administrator password at least once after installing a domain controller, 846 846 to create the right encryption types. 847 847 </p><p> 848 <a class="indexterm" name="id34 4046"></a>849 <a class="indexterm" name="id34 4053"></a>850 <a class="indexterm" name="id34 4059"></a>848 <a class="indexterm" name="id342202"></a> 849 <a class="indexterm" name="id342209"></a> 850 <a class="indexterm" name="id342216"></a> 851 851 Windows 200x does not seem to create the <em class="parameter"><code>_kerberos._udp</code></em> and 852 852 <em class="parameter"><code>_ldap._tcp</code></em> in the default DNS setup. Perhaps this will be fixed later in service packs. 
853 </p></div></div><div class="sect1" title="Sharing User ID Mappings between Samba Domain Members"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id34 4082"></a>Sharing User ID Mappings between Samba Domain Members</h2></div></div></div><p>854 <a class="indexterm" name="id34 4090"></a>855 <a class="indexterm" name="id34 4097"></a>856 <a class="indexterm" name="id34 4104"></a>857 <a class="indexterm" name="id34 4110"></a>853 </p></div></div><div class="sect1" title="Sharing User ID Mappings between Samba Domain Members"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id342239"></a>Sharing User ID Mappings between Samba Domain Members</h2></div></div></div><p> 854 <a class="indexterm" name="id342247"></a> 855 <a class="indexterm" name="id342254"></a> 856 <a class="indexterm" name="id342260"></a> 857 <a class="indexterm" name="id342267"></a> 858 858 Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs). 859 859 These mappings are done by the <em class="parameter"><code>idmap</code></em> subsystem of Samba. 860 860 </p><p> 861 <a class="indexterm" name="id34 4128"></a>862 <a class="indexterm" name="id34 4134"></a>863 <a class="indexterm" name="id34 4141"></a>861 <a class="indexterm" name="id342284"></a> 862 <a class="indexterm" name="id342291"></a> 863 <a class="indexterm" name="id342298"></a> 864 864 In some cases it is useful to share these mappings between Samba domain members, 865 865 so <span class="emphasis"><em>name->id</em></span> mapping is identical on all machines. 866 866 This may be needed in particular when sharing files over both CIFS and NFS. 
867 867 </p><p> 868 <a class="indexterm" name="id34 4157"></a>869 <a class="indexterm" name="id34 4163"></a>868 <a class="indexterm" name="id342313"></a> 869 <a class="indexterm" name="id342320"></a> 870 870 To use the <span class="emphasis"><em>LDAP</em></span> <em class="parameter"><code>ldap idmap suffix</code></em>, set: 871 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id34 4186"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr></table><p>871 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id342343"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr></table><p> 872 872 See the <code class="filename">smb.conf</code> man page entry for the <a class="link" href="smb.conf.5.html#LDAPIDMAPSUFFIX" target="_top">ldap idmap suffix</a> 873 873 parameter for further information. 874 874 </p><p> 875 <a class="indexterm" name="id34 4222"></a>876 <a class="indexterm" name="id34 4228"></a>877 <a class="indexterm" name="id34 4235"></a>875 <a class="indexterm" name="id342378"></a> 876 <a class="indexterm" name="id342384"></a> 877 <a class="indexterm" name="id342391"></a> 878 878 Do not forget to specify also the <a class="link" href="smb.conf.5.html#LDAPADMINDN" target="_top">ldap admin dn</a> 879 879 and to make certain to set the LDAP administrative password into the <code class="filename">secrets.tdb</code> using: … … 883 883 In place of <code class="literal">ldap-admin-password</code>, substitute the LDAP administration password for your 884 884 system. 
885 </p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id34 4280"></a>Common Errors</h2></div></div></div><p>886 <a class="indexterm" name="id34 4287"></a>887 <a class="indexterm" name="id34 4294"></a>885 </p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id342436"></a>Common Errors</h2></div></div></div><p> 886 <a class="indexterm" name="id342444"></a> 887 <a class="indexterm" name="id342450"></a> 888 888 In the process of adding/deleting/re-adding domain member machine trust accounts, there are 889 889 many traps for the unwary player and many <span class="quote">“<span class="quote">little</span>”</span> things that can go wrong. … … 893 893 of problem. The real solution is often quite simple, and with an understanding of how MS Windows 894 894 networking functions, it is easy to overcome. 895 </p><div class="sect2" title="Cannot Add Machine Back to Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id34 4314"></a>Cannot Add Machine Back to Domain</h3></div></div></div><p>896 <a class="indexterm" name="id34 4322"></a>897 <a class="indexterm" name="id34 4329"></a>895 </p><div class="sect2" title="Cannot Add Machine Back to Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id342470"></a>Cannot Add Machine Back to Domain</h3></div></div></div><p> 896 <a class="indexterm" name="id342478"></a> 897 <a class="indexterm" name="id342485"></a> 898 898 <span class="quote">“<span class="quote">A Windows workstation was reinstalled. The original domain machine trust 899 899 account was deleted and added immediately. The workstation will not join the domain if I use … … 901 901 exists on the network I know it does not. 
Why is this failing?</span>”</span> 902 902 </p><p> 903 <a class="indexterm" name="id34 4348"></a>904 <a class="indexterm" name="id34 4354"></a>903 <a class="indexterm" name="id342505"></a> 904 <a class="indexterm" name="id342511"></a> 905 905 The original name is still in the NetBIOS name cache and must expire after machine account 906 906 deletion before adding that same name as a domain member again. The best advice is to delete … … 910 910 <code class="prompt">C:\> </code> nbtstat -R 911 911 </pre><p> 912 </p></div><div class="sect2" title="Adding Machine to Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id34 4384"></a>Adding Machine to Domain Fails</h3></div></div></div><p>913 <a class="indexterm" name="id34 4391"></a>914 <a class="indexterm" name="id34 4398"></a>912 </p></div><div class="sect2" title="Adding Machine to Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id342540"></a>Adding Machine to Domain Fails</h3></div></div></div><p> 913 <a class="indexterm" name="id342548"></a> 914 <a class="indexterm" name="id342554"></a> 915 915 <span class="quote">“<span class="quote">Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a 916 916 message that says, <span class="errorname">"The machine could not be added at this time, there is a network problem. 917 917 Please try again later."</span> Why?</span>”</span> 918 918 </p><p> 919 <a class="indexterm" name="id34 4417"></a>919 <a class="indexterm" name="id342573"></a> 920 920 You should check that there is an <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> in your <code class="filename">smb.conf</code> 921 921 file. If there is not, please add one that is appropriate for your OS platform. 
If a script … … 926 926 Possible causes include: 927 927 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> 928 <a class="indexterm" name="id34 4470"></a>929 <a class="indexterm" name="id34 4477"></a>928 <a class="indexterm" name="id342626"></a> 929 <a class="indexterm" name="id342633"></a> 930 930 The script does not actually exist, or could not be located in the path specified. 931 931 </p><p> 932 <a class="indexterm" name="id34 4487"></a>933 <a class="indexterm" name="id34 4493"></a>932 <a class="indexterm" name="id342643"></a> 933 <a class="indexterm" name="id342650"></a> 934 934 <span class="emphasis"><em>Corrective action:</em></span> Fix it. Make sure when run manually 935 935 that the script will add both the UNIX system account and the Samba SAM account. 936 936 </p></li><li class="listitem"><p> 937 <a class="indexterm" name="id34 4509"></a>938 <a class="indexterm" name="id34 4516"></a>937 <a class="indexterm" name="id342666"></a> 938 <a class="indexterm" name="id342672"></a> 939 939 The machine could not be added to the UNIX system accounts file <code class="filename">/etc/passwd</code>. 940 940 </p><p> 941 <a class="indexterm" name="id34 4532"></a>942 <a class="indexterm" name="id34 4539"></a>941 <a class="indexterm" name="id342689"></a> 942 <a class="indexterm" name="id342696"></a> 943 943 <span class="emphasis"><em>Corrective action:</em></span> Check that the machine name is a legal UNIX 944 944 system account name. If the UNIX utility <code class="literal">useradd</code> is called, … … 947 947 nor will it allow spaces in the name. 
948 948 </p></li></ul></div><p> 949 <a class="indexterm" name="id34 4568"></a>950 <a class="indexterm" name="id34 4575"></a>951 <a class="indexterm" name="id34 4582"></a>949 <a class="indexterm" name="id342724"></a> 950 <a class="indexterm" name="id342731"></a> 951 <a class="indexterm" name="id342738"></a> 952 952 The <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> does not create the 953 953 machine account in the Samba backend database; it is there only to create a UNIX system 954 954 account to which the Samba backend database account can be mapped. 955 </p></div><div class="sect2" title="I Can't Join a Windows 2003 PDC"><div class="titlepage"><div><div><h3 class="title"><a name="id34 4604"></a>I Can't Join a Windows 2003 PDC</h3></div></div></div><p>956 <a class="indexterm" name="id34 4612"></a>957 <a class="indexterm" name="id34 4618"></a>958 <a class="indexterm" name="id34 4625"></a>959 <a class="indexterm" name="id34 4631"></a>955 </p></div><div class="sect2" title="I Can't Join a Windows 2003 PDC"><div class="titlepage"><div><div><h3 class="title"><a name="id342760"></a>I Can't Join a Windows 2003 PDC</h3></div></div></div><p> 956 <a class="indexterm" name="id342768"></a> 957 <a class="indexterm" name="id342774"></a> 958 <a class="indexterm" name="id342781"></a> 959 <a class="indexterm" name="id342788"></a> 960 960 Windows 2003 requires SMB signing. Client-side SMB signing has been implemented in Samba-3.0. 961 961 Set <a class="link" href="smb.conf.5.html#CLIENTUSESPNEGO" target="_top">client use spnego = yes</a> when communicating
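Review bot: the only substantive change across this whole hunk is the renumbering of auto-generated DocBook anchor ids (for example the `Configure /etc/krb5.conf` heading moving from `id342981` to `id341137`, and every `<a class="indexterm" name="id...">` entry following suit), while the HOWTO text itself is unchanged; these generated names are exactly what a bookmark or external link such as `domain-member.html#id342981` resolves to, so regenerating them silently breaks those links. If stable deep links to these subsections matter, give the headings explicit ids in the DocBook source, as `ads-create-machine-account`, `ads-test-server` and `ads-test-smbclient` already have (those three survive this change untouched), and consider whether regenerated HTML whose only delta is id churn should be committed to the branch at all rather than produced at build time. Also confirm against the raw diff that the old-side values rendered with an embedded space, such as `name="id34 2950"`, are an artifact of the changeset viewer's character highlighting and not a real whitespace change in the attribute, since an anchor name containing a space would never have been linkable in the first place.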