+!==
+!== DOMAIN_CONTROL.txt for Samba release 2.0.0-beta1 13 Nov 1998
+!==
Initial Release: August 22, 1996
-Contributor: John H Terpstra <samba-bugs@samba.anu.edu.au>
+Contributor: John H Terpstra <samba-bugs@samba.org>
Copyright (C) 1996-1997 - John H Terpstra
-Updated: June 27, 1997
-Status: Current - New Content
+Updated: July 5, 1998
+Status: Current
Subject: Windows NT Domain Control & Samba
============================================================================
****NOTE:****
=============
+The term "Domain Controller" and those related to it refer to one specific
+method of authentication that can underly an SMB domain. Domain Controllers
+prior to Windows NT Server 3.1 were sold by various companies and based on
+private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
+Microsoft-specific ways of distributing the user authentication database.
+See DOMAIN.txt for examples of how Samba can participate in or create
+SMB domains based on shared authentication database schemes other than the
+Windows NT SAM.
+
Microsoft Windows NT Domain Control is an extremely complex protocol.
-We have received countless requests to implement Domain Control in Samba
-and have seriously investigated the potential to support this. The Samba
-Team have now concluded that since Domain Control is a completely
-undocumented protocol we ought NOT to implement our best guess of this
-technology. It is a Microsoft business policy NOT to release the information
-necessary to enable this to be implemented in a dependable manner.
+We have received countless requests to implement Domain Control in Samba.
+The 1.9.18 release of Samba contains experimental code to implement
+this. Please read the file docs/NTDOMAIN.txt for more information on this.
============================================================================
Windows NT Server can be installed as either a plain file and print server
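Review bot: "underly" in the added NOTE paragraph should be "underlie". The replacement text at the end of this hunk also says "The 1.9.18 release of Samba contains experimental code" while the new banner labels the file for release 2.0.0-beta1; state whether that still describes the code shipped in this release. Both trailing uses of "this" should be replaced with what they refer to, for example "...experimental code to implement Domain Control. See docs/NTDOMAIN.txt for details." The Copyright line still reads 1996-1997 although Updated moves to July 5, 1998.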
The same is true for OS/2 Warp Server, Digital Pathworks and other similar
products, all of which can participate in Domain Control along with Windows NT.
+However only those servers which have licenced Windows NT code in them can be
+a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
To many people these terms can be confusing, so let's try to clear the air.
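Review bot: the added sentence puts its full stop inside the parenthesis, "(eg Windows NT Server, Advanced Server for Unix.)", so the sentence itself is never terminated; move the stop outside and write "e.g.". "However" needs a comma after it, and "primary Domain Controller" should be capitalised consistently with the PDC abbreviation used later in the file, for example "Primary Domain Controller (PDC)".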
process authentication (ie: to ensure that the service action a user has
requested is permitted within the limits of that user's privileges).
+The Samba team have produced a utility that can dump the Windows NT SAM into
+smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
+/pub/samba/pwdump on your nearest Samba mirror for the utility. This
+facility is useful but cannot be easily used to implement SAM replication
+to Samba systems.
+
Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
can participate in a Domain security system that is controlled by Windows NT
servers that have been correctly configured. At most every domain will have
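Review bot: the added pwdump paragraph tells readers to dump the Windows NT SAM into smbpasswd format but says nothing about protecting the output, which holds the password hashes of every account in the SAM. Add a sentence saying the dump and the resulting smbpasswd file must be readable only by root, and refer to ENCRYPTION.txt, which the paragraph already names. "/pub/samba/pwdump on your nearest Samba mirror" would be easier to follow as a full path or URL, and "cannot be easily used to implement SAM replication" should say why, or the reader is left guessing whether a periodic dump is an acceptable substitute.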
The PDC and BDCs then participate in replication of the SAM database so that
each Domain Controlling participant will have an up to date SAM component
-within it's registry.
+within its registry.
Samba can NOT at this time function as a Domain Controller for any of these
security services, but like all other domain members can interact with the
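Review bot: the unchanged sentence directly after the it's/its fix, "Samba can NOT at this time function as a Domain Controller", now conflicts with the text added earlier in this patch, which says the 1.9.18 release contains experimental code to implement Domain Control. Qualify it, for example "outside the experimental code described in docs/NTDOMAIN.txt", so the file does not give two different answers to the same question.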
use Windows NT to act as your password server with full support for
Microsoft encrypted passwords.
+Note also, that since release of samba-1.9.18 we now support native encrypted
+passwords too. To enable encrypted password handling several things need to be
+done:
+ 1) In smb.conf [globals]:
+ encrypt passwords = yes
+ smbpasswd file = /path/smbpasswd
+the standard path is /usr/local/samba/private/smbpasswd but this may be
+platform specific.
+
+ 2) Use "smbpasswd -a" to add all users to the smbpasswd file.
+
+Above all read all the documentation for encrypted password support - you will
+need it!
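Review bot: step 1 names the section "[globals]", but the smb.conf section is [global]; settings copied under the heading as written would not be read as global parameters. The intro promises "several things need to be done" yet only two steps follow, and the path remark ("the standard path is /usr/local/samba/private/smbpasswd ...") sits at column 0 between steps 1 and 2 where it should be indented under step 1. Because the smbpasswd file stores password hashes, step 1 should also say that the file and its directory must be owned by root and not readable by other users. "Note also, that" does not need the comma.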