First Release of the DocBook 'source'.

[ira/wip.git] / docs / docbook / samba-pdc-howto.sgml

        
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<book id="samba-pdc-howto">

<title>The Samba 2.2 PDC HowTo </title>

<!--  ========================================================

  To produce html from this file

         jade -E10 -t sgml -d html.dsl ntdom.sgml

    This assumes that html.dsl is present in the current dir, it includes
    a couple of defines and then refers to the DSSSL html stylesheet.
 
    =========================================================== -->


<bookinfo>
    <author><firstname>David</><surname>Bannon</>
        <affiliation><orgname>La Trobe University</orgname></affiliation>
    </author>
    <pubdate>November 2000</pubdate>
</bookinfo>

<dedication><title></title>

    <para>Comments, corrections and additions to <email>D.Bannon@latrobe.edu.au</email></para>

    <para>
        This document explains how to setup Samba as a Primary Domain Controller and 
        applies to version 2.2.0. 
        Before
        using these functions make sure you understand what the controller can and cannot do.
        Please read the sections below in the Introduction. 
        As 2.2.0 is incrementally updated
        this document will change or become out of date very quickly, make sure you are
        reading the most current version.
    </para>

    <para>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1, 
    Samba 2.0.7, TNG nor HEAD branch.</para>

    <para>It does apply to the current (post November 27th) cvs.</para>

    <para>
        Also available is an updated version of Jerry Carter's NTDom <ulink url="samba-pdc-faq.html">
    FAQ</> that will answer lots of 
        the special 'tuning' questions that are not covered here. Over the next couple of weeks
        some of the items here will be moved to the FAQ.
    </para>


</dedication>

<toc>     </toc>

<!-- ================ I N T R O D U C T I O N  ==================== -->

<chapter><title>Introduction</title>

<para>
This document will show you one way of making Version 2.2.0  
of Samba perform some of the tasks of a 
NT Primary Domain Controller. The facilities described are built into Samba as a result of 
development work done over a number of years by a large number of people. These facilities 
are only just beginning to be officially supported and although they do appear to work reliably, 
if you use them then you take the risks upon your self.  This document does not cover the
developmental versions of Samba, particularly 
<ulink url="http://www.samba-tng.org/"><citetitle>Samba-TNG</citetitle></ulink>


</para>


<para>Note that <ulink url="http://bioserve.latrobe.edu.au/samba">Samba 2.0.7</>
    supports significently less of the NT Domain facilities compared with 2.2.0
    </para>

<para>
        This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
        John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
        more detail and an insight to the development
        cycle and should be considered 'further reading'.

</para>


<sect1><title>What can we do ?</title>
<itemizedlist>
    <listitem><para>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central 
        password database. WRT W2K, please see the section about adding machine 
        accounts and the Intro in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></listitem>
    <listitem><para>Grant Administrator privileges to particular domain users on an 
        NT or W2K workstation.</para></listitem> 
    <listitem><para>Apply policies from a domain policy file to NT and W2K (?) 
        workstation.</para></listitem> 
    <listitem><para>Run the appropriate logon script when a user logs on to the domain
        .</para></listitem>
    <listitem><para>Maintain a user's local profile on the server.</para></listitem>
    <listitem><para>Validate a user using another system via smb (such as smb_pam) and 
        soon winbind (?).</para></listitem> 
</itemizedlist>
</sect1>


<sect1><title>What can't we do ?</title>
<itemizedlist>
    <listitem><para> Become or work with a Backup Domain Controller (a BDC).</para></listitem>
    <listitem><para> Participate in any sort of trust relationship (with either Samba or NT 
        Servers).</para></listitem>
    <listitem><para> Offer a list of domain users to User Manager for Domains 
        on the Security Tab etc).</para></listitem>
    <listitem><para>Be a W2K type of Domain Controller. Samba PDC will behave like
        an NT PDC, W2K workstations connect in legacy mode.</para></listitem>
</itemizedlist>
</sect1>

</chapter>


<!-- ================== I N S T A L L I N G  ===================== -->

<chapter><title>Installing</title> 

        <para>Installing consists of the usual download, configure, make and make 
        install process. These steps are well documented elsewhere.
        The <ulink url="samba-pdc-faq.html">FAQ</> discusses getting pre-release versions via CVS. 
        Then you need to configure the server.</para>

<sect1><title>Start Up Script</title>
        <para>Skip this section if you have a working Samba already. 
        Everyone has their own favourite startup script. Here is mine, offered with no warrantee
        at all !</para>

<programlisting> 

        #!/bin/sh
        # Script to control Samba server, David Bannon, 14-6-96
        #
        #
        PATH=/bin:/usr/sbin:/usr/bin
        export PATH
        case "$1" in
        'start')
                if [ -f /usr/local/samba/bin/smbd ]
                then
                        /usr/local/samba/bin/smbd -D
                        /usr/local/samba/bin/nmbd -D
                        echo "Starting Samba Server"
                fi
                ;;
        'conf')
                if [ -f /usr/local/samba/lib/smb.conf ]
                then
                        vi /usr/local/samba/lib/smb.conf
                fi
                ;;
        'pw')
                if [ -f /usr/local/samba/private/smbpasswd ]
                then
                        vi /usr/local/samba/private/smbpasswd
                fi
                ;;
        'who')
                /usr/local/samba/bin/smbstatus -b
                ;;
        'restart')
                psline=`/bin/ps  x | grep smbd | grep -v grep`

                if [ "$psline" != "" ]
                then
                        while [ "$psline" != "" ]
                        do
                                psline=`/bin/ps x | fgrep smbd | grep -v grep`
                                if [ "$psline" ]
                                then
                                        set -- $psline
                                        pid=$1
                                        /bin/kill -HUP $pid
                                        echo "Stopped $pid line = $psline"
                                        sleep 2
                                fi
                        done
                fi
                echo "Stopped Samba servers"
                ;;
        'stop')
                psline=`/bin/ps  x | grep smbd | grep -v grep`

                if [ "$psline" != "" ]
                then
                        while [ "$psline" != "" ]
                        do
                                psline=`/bin/ps x | fgrep smbd | grep -v grep`
                                if [ "$psline" ]
                                then
                                        set -- $psline
                                        pid=$1
                                        /bin/kill -9 $pid
                                        echo "Stopped $pid line = $psline"
                                        sleep 2
                                fi
                        done
                fi
                echo "Stopped Samba servers"
                psline=`/bin/ps x | grep nmbd | grep -v grep`
                if [ "$psline" ]
                then
                        set -- $psline
                        pid=$1
                        /bin/kill -9 $pid
                        echo "Stopped Name Server "
                fi
                echo "Stopped Name Servers"
                ;;
        *)
                echo "usage: samba {start | restart |stop | conf | pw | who}"
                ;;
        esac
    
</programlisting>

<para>  Use this script, or some other one, you will need to ensure its used while the machine
        is booting. (This typically involves <filename>/etc/rc.d</filename>, we'll be 
        assuming that there is a script called
        samba in <filename>/etc/rc.d/init.d</filename> further down in this document.)
</para>
</sect1>

<sect1><title>Config File</title>

<sect2><title id=configfile>A sample conf file</title>
        <para>Here is a fairly minimal config file to do PDC. It will also make the server 
        become the browse master for the
        specified domain (not necessary but usually desirable). You will need to change only 
        two parameters to make this
        file work, <filename>wins server</filename> and <filename>workgroup</filename>, plus
    you will need to put your own name (not mine!) in the <filename>domain admin users</> fields. 
        Some of the parameters are discussed further down this document.</para>

        <para>Assuming you have used the default install directories, this file should appear as 
        <filename>/usr/local/samba/lib/smb.conf</filename>. It should not be 
        writable by anyone except root.</para>

        <note><para>The 'add user script' parameter is a work-around, watch for changes !</></>

    <programlisting> 

        [global]  
        security = user 
        status = yes 
        workgroup = { Your domain name here }
        wins server = { ip of a wins server if you have one } 
        encrypt passwords = yes 
        domain logons =yes 
        logon script = scripts\%U.bat 
        domain admin users = root dbannon andrew 
        add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$    
        guest account = ftp 
        share modes=no 
        os level=65 
        [homes] 
        guest ok = no 
        read only = no 
        create mask = 0700 
        directory mask = 0700 
        oplocks = false 
        locking = no 
        [netlogon] 
        path = /usr/local/samba/netlogon 
        writeable = no 
        guest ok = no 
   
</programlisting>

</sect2>

<sect2><title>PDC Config Parameters</title>


<variablelist><title>There are a huge range of parameters that may appear in a smb.conf file. Some 
        that may be of interest to a PDC are :</title>

<varlistentry><term>add user script</term>
        <listitem><para>This parameter specifies a script (or program) that will be run
        to add a user to the system. Here it is being used to add a machine, not a user.
        This is probably not very nice and may change. But it does work !</para>

    <para>For this example, I have a group called 'machines', entries can be added to
    <filename>/etc/passwd</> using a programme called <filename>/usr/adduser</> and 
    the other parameters are chosen as suitable for a machine account. Works for
    RH Linux, your system may require changes.</para>
        </listitem>
</varlistentry>

<varlistentry><term>domain admin users = user1 users2</term>
        <listitem><para>This parameter specifies a unix user who will be granted admin privileges 
        on a NT workstation when
        logged onto that workstation. See the section called <link linkend=domainadmin>
    Domain Admin</> Accounts.</para>
        </listitem>
</varlistentry>

<varlistentry><term>encrypt passwords = yes</term>
        <listitem><para>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
        turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
        should) you must use encrypted passwords.</para>
        </listitem>
</varlistentry>

<varlistentry><term>logon script = scripts\%U.bat</term>
        <listitem><para>This will make samba look for a logon script named after the user 
        (eg joeblow.bat). 
         See the section further on called <link linkend=logonscript>Logon Scripts</></para>
        <note><para>Note that the slash is like this '\', not like this '/'. 
        NT is happy with both, win95 is not !</para></note>
        </listitem>
</varlistentry>

<varlistentry><term>logon path</term>
        <listitem><para>Lets you specify where you would like users profiles kept. The default, that is in the users
        home directory, does encourage a bit of fiddling.</para>
        </listitem>
</varlistentry>


</variablelist>


</sect2>
</sect1>

<sect1><title>Special directories</title>
        <para>You need to create a couple of special files and directories. Its nice 
        to have some of the binaries handy too, so I create links to them. Assuming 
        you have used the default samba location and have not
        changed the locations mentioned in the sample config file, do the following :</para>

    <programlisting> 

        mkdir /usr/local/samba/netlogon 
        mkdir /usr/local/samba/netlogon/scripts
        mkdir /usr/local/samba/private
        touch /usr/local/samba/private/smbpasswd
        chmod go-rwx /usr/local/samba/private/smbpasswd
        cd /usr/local/sbin
        ln -s /usr/local/samba/bin/smbpasswd
        ln -s /usr/local/samba/bin/smbclient
        ln -s /etc/rc.d/init.d/samba
</programlisting>

        <para>Make sure permissions are appropriate !</para> 

        <para>OK, if you have used the scripts above and have a path to where the links are do this to start up 
        the Samba Server :</para>

        <para><command>samba start</command></para>

        <para>Instead, you might like to reboot the machine to make sure that you 
        got the init stuff right. Any way, a quick look in the logs 
        <filename>/usr/local/samba/var/log.smbd</filename> and <filename>
        /usr/local/samba/var/log/nmbd</filename>
        will give you an idea of what's happening. Assuming all is well, lets create 
        some accounts...</para> 
</sect1>
</chapter>

        <!-- ================== U S E R  and M A C H I N E   A C C O U N  T S ================ -->

<chapter><title>User and Machine Accounts</title>
<sect1><title>Logon Accounts</title>

        <para><emphasis role=bold>This section is very nearly out of date already !</emphasis>  It 
        appears that while you are reading it, Jean Francois Micou is making it 
        redundant ! Jean Francois is adding facilities to add users
        (via User Manager) and machines (when joining the domain) and it looks like these facilities will
        make it into the official release of 2.2.</para>


        <para>Every user and NTws (and other samba servers) that will be on the domain 
        must have its own passwd entry in both <filename>/etc/passwd</filename> and 
        <filename>/usr/local/samba/private/smbpasswd</filename> . 
        The <filename>/etc/passwd</filename> entry is really 
        only to reserve a user ID. The NT encrypted password is stored in 
        <filename>/usr/local/samba/private/smbpasswd</filename>. 
        (Note that win95/98 machines don't need an account as they don't do 
        any security aware things.)</para>

        <para>Samba 2.2 will now create these entries for us. Carefull set up is required
        and there may well be some changes to this system before its released. 
        </para>
</sect1>

<sect1 id=machineaccount><title>Machine Accounts</title>

        <note><para>There is an entry in the ntdom <ulink url="samba-pdc-faq.html">FAQ</> explaining how to create
        machine entries manually.</para></note>


<variablelist><title><emphasis>At present</> to have the machine accounts created when a machine joins 
        the domain a number of conditions must be met :</title>

<varlistentry><term>Only root can do it !</term>
        <listitem><para>There must be an entry in <filename>/usr/local/samba/private/smbpasswd</filename>
        for root and root must be mentioned in <filename>domain admins</filename>. This may
        be fixed some time in the future so any 'domain admin' can do it. If you don't 
        like having root as a windows logon account, make the machine
        entries manually (both of them).</para>
        </listitem>
</varlistentry>

<varlistentry><term>Use the <filename>add user script</></term>
        <listitem><para>Again, this looks a bit like a 'work around'. Use a suitable
        command line to add a machine account <link linkend=configfile>see above</link>,
        and pass it %m$, that is %m to get machine name plus the '$'. Now, this
        means you cannot use the <filename>add user script</> to really add users .... </para>
        </listitem>
</varlistentry>

<varlistentry><term>Only for W2K</term>
    <listitem><para>This automatic creation of machine accounts does not work for
    NT4ws at present. Watch this space.</para></listitem></varlistentry>
</variablelist>

</sect1>

<sect1><title>Joining the Domain</title>

        <para>You must have either added the machine account entries manually (NT4 ws)
        or set up the automatic system (W2K), <link linkend=machineaccount>see Machine Accounts</link>
        before proceeding.</para>

<variablelist>
<varlistentry><term><command>Windows NT</></term><listitem>
<itemizedlist>
    <listitem><para> (<emphasis>this step may not be necessary some time in the near future</>).
        On the samba server that is the PDC, add a machine account manually
        as per the instructions in the <ulink url="samba-pdc-faq.html">FAQ</> 
        Then give the command <command>smbpasswd -a -m {machine}</> substituting in the 
        client machine name.</para></listitem>
    <listitem><para> Logon to the NTws in question as a local admin, go to the 
        <command>Control Panel, Network IdentificationTag</command>.</para></listitem> 
    <listitem><para> Press the <command>Change</> button.</para></listitem> 
    <listitem><para> Enter the Domain name (from the 'Workgroup' parameter, smb.conf) 
        in the Domain Field.</para></listitem> 
<!--    <listitem><para> Now enter a user name
        and password for a Domain Admin <emphasis>(Who must be root 
        until a pre-release bug is fixed)</emphasis> and press
        'OK'.</para></listitem> -->
    <listitem><para> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'. 
        Allow to reboot.</para></listitem>
</itemizedlist>
</listitem></varlistentry>

<varlistentry><term><command>Windows 2000</></term><listitem>
<itemizedlist>
    <listitem><para>Logon to the W2k machine as Administrator, go to the Control 
        Panel and double click on <command>Network and Dialup Connections</>. 
        </para></listitem>
    <listitem><para>Pull down the <command>Advanced</> menu and choose 
        <command>Network Identification</>. Press <command>Properties
        </>. </para></listitem> 
    <listitem><para>Choose <command>Domain</> and enter the domain name. Press 'OK'.</para></listitem> 
    <listitem><para>Now enter a user name and password for a Domain Admin 
        <emphasis>(Who must be root until a pre-release bug is fixed)</emphasis> and press
        'OK'.</para></listitem> 
    <listitem><para>Wait for the confirmation, reboot when prompted.</para></listitem>
</itemizedlist>
    <para>To remove a W2K machine from the domain, follow the first two steps then 
    choose <command>Workgroup</>, enter a work group name (or just WORKGROUP) and follow 
    the prompts.</para>
</listitem></varlistentry>


</variablelist>
        
</sect1>

<sect1><title id=useraccount>User Accounts</title>

        <para><emphasis>Again, doing it manually (cos' the auto way is not working pre-release).
        </emphasis>
        In our simple case every domain user should have an account on the PDC. The 
        account may have a null shell if they are not allowed to log on to the unix 
        prompt. Again they need an entry in both the <filename>/etc/passwd</filename> and
        <filename>/usr/local/samba/private/smbpasswd</filename>. Again a password is 
        not necessary in <filename>/etc/passwd</filename> but the location 
        of the home directory is honoured. 
        To make an entry for a user called Joe Blow you would typically do the following :</para>

    <para><command>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</command></para>

    <para><command>smbpasswd -a joeblow</command></para>

        <para>And you will prompted to enter a password for Joe. Ideally he will be 
        hovering over your shoulder and will, when asked, type in a password of 
        his choice. There are a number of scripts and systems to ease the migration of users
        from somewhere to samba. Better start looking !</para>
</sect1>

<sect1><title id=domainadmin>Domain Admin Accounts</title>

        <para>Certain operations demand that the logged on user has Administrator 
        privileges, typically installing software and
        doing maintenance tasks. It is very simple to appoint some users as Domain Admins, 
        most likely yourself. Make
        sure you trust the appointee !</para> 

        <para>Samba 2.2 recognizes particular users as being
        domain admins and tells the NTws when it thinks that it has got one logged on. 
        In the smb.conf file we declare
        that the <filename>Domain Admin users = user1 user2</filename>. 
        Any user mentioned here will be treated as a Domain Admin by a NTws when 
        logged onto the Domain. They will have full Administrator rights 
        including the rights to change permissions on files and run the system 
        utilities such as Disk Administrator.</para> 

        <para>Further, and this is very new, they will be allowed to create a 
        new machine account when first connecting a new NT or W2K machine to 
        the domain. <emphasis>At present, ie pre-release, only a Domain Admin who
        also happens to be root can do so. </emphasis></para>
</sect1>
</chapter>


<!-- ======== P R O F I L E S   P O L I C I E S  and  L O G O N   S C R I P T S ======= -->

<chapter><title>Profiles, Policies and Logon Scripts</title>

<sect1><title>Profiles</title> 

        <para>NT Profiles should work if you have followed the setup so far. 
        A user's profile contains a whole lot of their personal settings, 
        the contents of their desktop, personal 'My Documents' and so on. 
        When they log off, all of the profile is copied to their directory 
        on the server and is downloaded again when they logon on again, possibly 
        on another client machine.</para> 

        <para>Sounds great but can be a bit of a bug bear sometimes. Users let 
        their profiles get too big and then complain about how long it takes 
        to log on each time. This sample setup only supports NT profiles, 
        rumor has it that it is also possible to do the same on Win95, my 
        users don't know and I'm not telling them.</para>

    <note><para>There is more info about Profiles (including for W95/98) 
        in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></note>
</sect1>

<sect1><title>Policies</title> 

        <para>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
        file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
        Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
        maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
        on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
        that comes with NTws.</para> 

    <note><para>See the <ulink url="samba-pdc-faq.html">FAQ</> for pointers on how to get a suitable Policy Editor.</para></note>

        <para>The Policy Editor (and associated files) will create a 
        <filename>ntconfig.pol</filename> file using the 
        parameters Microsoft thought of and parameters you specify by making your own 
        template file.</para>

        <para>In our example configuration here, Samba will expect to find 
        the <filename>ntconfig.pol</filename> file in 
        <filename>/usr/local/samba/netlogon</filename>. Needless to say (I hope !), 
        it is vitally important that ordinary users don't have 
        write permission to the Policy files.</para>
</sect1>

<sect1><title id=logonscript>Logon Scripts</title>

        <para>In the sample config file above there is a line 
        <filename>logon script = scripts\%U.bat</filename></para>

        <note><para>Note that the slash is like this '\' not like this '/'. 
        NT is happy with both, win95 is not !</para></note>

        <para>This allows you to run a dos batch file every time someone logs on. The batch 
        file is located on the server, in the sample install mentioned here, 
        its in <filename>/usr/local/samba/netlogon/scripts</filename> and 
        is named after the user with <filename>.bat</filename> appended, eg Joe
        Blow's script is called <filename>/usr/local/samba/netlogon/scripts/joeblow.bat</filename>.</para>

    <note><para>There is a suggestion that user names longer than 8 characters may cause
        problems with some systems being unable to run logon scripts. This is confirmed in earlier
    versions when connecting using W95, comments about other combinations ??</para></note>

    <para>You could use a line like this <filename>logon script = default.bat</> and samba
    will supply <filename>/usr/local/samba/netlogon/default.bat</> for any client and every
    user. Maybe you could use %m and get a client machine dependant logon script.
    You get the idea...</para>

        <para>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client 
        computer with the logon user's permissions. It must be a dos file with each line ending with 
        the dos cr/lf not a nice clean newline. Generally,
        its best to create the initial file on a DOS system and copy it across.</para>

        <para>There is lots of very clever uses of the Samba replaceable variables such 
        ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to 
        give you control over which script runs when a particular person logs
        on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</para>

        <para>Again, it is vitally important that ordinary users don't have write 
        permission to other peoples, or even probably their own, logon script files.</para>

        <para>A typical logon script is reproduced below. Note that it runs separate 
        commands for win95 and NT, that's because NT has slightly different behaviour 
        when using the <filename>net use ..</filename> command. Its useful for lots of 
        other situations too. I don't know what syntax to use for win98, I don't use it 
        here.</para>

<programlisting> 

                rem Default logon script, create links to this file.

                net time \\bioserve /set /yes
                @echo off
                if %OS%.==Windows_NT. goto WinNT

                :Win95
                net use k: \\trillion\bio_prog
                net use p: \\bcfile\homes
                goto end
                :WinNT
                net use k: \\trillion\bio_prog /persistent:no
                net use p: \\bcfile\homes /persistent:no

                :end
        
</programlisting>
</sect1>
</chapter>

<chapter><title>Passwords and Authentication</title>

        <para>So far our configuration assumes that ordinary users don't have unix logon access. A change
        to the <link linkend=useraccount><filename>adduser</></> line above would allow unix logon 
        but it would be with passwords that may 
        be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
        that they need to change their passwords in two seperate places is not fun. 
        Further, even if they cannot do a unix logon there are other processes that 
        might require authentication. We have a nice securely encrypted password in 
        <filename>/usr/local/samba/private/smbpasswd</filename>, why not use it ?</para>

<sect1><title></>
<sect2><title>Syncing Passwords</title>

        <para>Yes, its possible and seems the easiest  way (initially anyway). 
    The <ulink url="samba-pdc-faq.html">FAQ</> details how to 
    do so in the sections <emphasis>What is password sync and should I use it ?</> and <emphasis>
    How do I get remote password (unix and SMB) changing working ?</></para>

</sect2>

<sect2><title>Using PAM</title>
        <para>Pam enabled systems have a much better solution available. The Samba 
        PDC server will offer to authenticate domain users to other processes 
        (either on this server or on the domain). With a suitable pam stack 
        such as <ulink url="http://www.csn.ul.ie/~airlied/pam_smb/"> Pam_smb</ulink> 
        you can get any pam aware application looking to the samba password and 
        can leave the password field in <filename>/etc/shadow</filename>
        or <filename>/etc/passwd</filename> invalid.</para>
</sect2>

<sect2><title>Authenticating other Samba Servers</title>
        <para>In a domain that has a number of servers you only need one password database. 
        The machines that don't have their own ask the PDC  to check for them.
    This will work fine for a domain controlled by either a Samba or NT machine.</para>

    <para>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
    See the section in the NTDom <ulink url="samba-pdc-faq.html">FAQ</> called <emphasis>How do I get my samba server to 
    become a member ( not PDC ) of an NT domain?</></para>
 

</sect2>
</sect1>
</chapter>


<chapter><title>Background</title>

<sect1><title></title>
<sect2><title>History</title>

        <para>It might help you understand the limitations of the PDC in Samba if you
        read something of its history. Well, the history as I understand it anyway.</para>

        <para>For many years the Samba team have been developing Samba, some time ago 
        a number of people, possibly lead by Luke Leighton started contributing NT 
        PDC stuff. This was added to the 'head' stream (that would eventually
        become the next version) and later to a seperate stream (NTDom). They did so 
        much that eventually this development stream was so mutated that it could not 
        be merged back into the main stream and was abandoned towards the end of 1999. 
        And that was very sad because many users, myself include had become heavily
        dependant on the NTController facilities it offered. Oh well...</para>

        <para>The NTDom team continued on with their new found knowledge however and 
        built the TNG stream. Intended to be carefully controlled so that it can be 
        merged back into the main stream and benefiting from what they learnt, it is 
        a very different product to the origional NTDom product. However, for a 
    number of reasons, the merge did not take place and now TNG is being developed 
    at <ulink url="http://www.samba-tng.org">http://www.samba-tng.org</>.</para>

        <para>Now, the NTDom things that the main strean 2.0.x version does is based more 
        on the old (initial version) abandoned code than on the TNG ideas. It appears 
        that version 2.2.0 will also include an improved version of the 2.0.7 domain 
        controller charactistics, not the TNG ways. The developers have indicated 
        that 2.2.0 will be further developed incrementally and the ideas from TNG 
        incorporated into it.</para>

        <para>One more little wriggle is worth mentioning. At one stage the NTDom 
        stream was called Samba 2.1.0-prealpha and similar names. This is most 
        unfortunate because at least one book published advises people who want to 
        use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon 
        be called 2.2.0  and NOT officially supporting NTDom Controlling functions, 
        the potential for confusion is certainly there.</para>
</sect2>

<sect2><title>The Future</title> 

        <para>There is a document on the Samba mirrors called <emphasis>'Development'
        </emphasis>. It offers the 'best guess' of what is planned for future releases 
        of Samba.</para>

        <para>The future of Samba as a Primary Domain Controller appears rosie, however 
        be aware that its the future, not the present. The developers are strongly committed 
        to building a full featured PDC into Samba but it will  take time. If this 
        version does not meet your requirements then you should consider (in no particular 
        order) :</para>

    <itemizedlist>
        <listitem><para> Wait. No, we don't know how long. Repeated asking won't help.</para></listitem>
        <listitem><para>Investigate the development versions, TNG perhaps or HEAD where new code is being added
        all the time. Realise that development code is often unstable, poorly documented and subject to change.
        You will need to use cvs to download development versions.</para></listitem>
        <listitem><para>Join one of the Samba mailing lists so that you can find out 
        what is happening on the 'bleeding edge'.</para></listitem>
    </itemizedlist>
</sect2>

<sect2><title>Getting further help</title>

        <para>This document cannot possibly answer all your questions. Please understand that its very
        likely that someone has been confrounted by the same problem that you have. The 
    <ulink url="samba-pdc-faq.html">FAQ</>
    discusses a number of possible paths to take to get further help :</para>


    <itemizedlist>
            <listitem><para>Documents on the Samba Sites.</para></listitem>
            <listitem><para>Other web sites.</para></listitem>
            <listitem><para>Mailing list.</para></listitem>
    </itemizedlist>

        <para>There is some discussion about guide lines for using the Mailing Lists on the 
    accompanying <ulink url="samba-pdc-faq.html">FAQ</>,
    please read them before posting.</para>

</sect2>
</sect1>
</chapter>

</book>