2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
3 <book id="samba-pdc-howto">
5 <title>The Samba 2.2 PDC HowTo </title>
7 <!-- ========================================================
9 To produce html from this file
11 jade -E10 -t sgml -d html.dsl ntdom.sgml
13 This assumes that html.dsl is present in the current dir, it includes
14 a couple of defines and then refers to the DSSSL html stylesheet.
16 =========================================================== -->
20 <author><firstname>David</><surname>Bannon</>
21 <affiliation><orgname>La Trobe University</orgname></affiliation>
23 <pubdate>November 2000</pubdate>
26 <dedication><title></title>
28 <para>Comments, corrections and additions to <email>D.Bannon@latrobe.edu.au</email></para>
31 This document explains how to setup Samba as a Primary Domain Controller and
32 applies to version 2.2.0.
34 using these functions make sure you understand what the controller can and cannot do.
35 Please read the sections below in the Introduction.
36 As 2.2.0 is incrementally updated
37 this document will change or become out of date very quickly, make sure you are
38 reading the most current version.
41 <para>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1,
42 Samba 2.0.7, TNG nor HEAD branch.</para>
44 <para>It does apply to the current (post November 27th) cvs.</para>
47 Also available is an updated version of Jerry Carter's NTDom <ulink url="samba-pdc-faq.html">
48 FAQ</> that will answer lots of
49 the special 'tuning' questions that are not covered here. Over the next couple of weeks
50 some of the items here will be moved to the FAQ.
58 <!-- ================ I N T R O D U C T I O N ==================== -->
60 <chapter><title>Introduction</title>
63 This document will show you one way of making Version 2.2.0
64 of Samba perform some of the tasks of a
65 NT Primary Domain Controller. The facilities described are built into Samba as a result of
66 development work done over a number of years by a large number of people. These facilities
67 are only just beginning to be officially supported and although they do appear to work reliably,
68 if you use them then you take the risks upon your self. This document does not cover the
69 developmental versions of Samba, particularly
70 <ulink url="http://www.samba-tng.org/"><citetitle>Samba-TNG</citetitle></ulink>
76 <para>Note that <ulink url="http://bioserve.latrobe.edu.au/samba">Samba 2.0.7</>
77 supports significently less of the NT Domain facilities compared with 2.2.0
81 This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
82 John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
83 more detail and an insight to the development
84 cycle and should be considered 'further reading'.
89 <sect1><title>What can we do ?</title>
91 <listitem><para>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central
92 password database. WRT W2K, please see the section about adding machine
93 accounts and the Intro in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></listitem>
94 <listitem><para>Grant Administrator privileges to particular domain users on an
95 NT or W2K workstation.</para></listitem>
96 <listitem><para>Apply policies from a domain policy file to NT and W2K (?)
97 workstation.</para></listitem>
98 <listitem><para>Run the appropriate logon script when a user logs on to the domain
100 <listitem><para>Maintain a user's local profile on the server.</para></listitem>
101 <listitem><para>Validate a user using another system via smb (such as smb_pam) and
102 soon winbind (?).</para></listitem>
107 <sect1><title>What can't we do ?</title>
109 <listitem><para> Become or work with a Backup Domain Controller (a BDC).</para></listitem>
110 <listitem><para> Participate in any sort of trust relationship (with either Samba or NT
111 Servers).</para></listitem>
112 <listitem><para> Offer a list of domain users to User Manager for Domains
113 on the Security Tab etc).</para></listitem>
114 <listitem><para>Be a W2K type of Domain Controller. Samba PDC will behave like
115 an NT PDC, W2K workstations connect in legacy mode.</para></listitem>
122 <!-- ================== I N S T A L L I N G ===================== -->
124 <chapter><title>Installing</title>
126 <para>Installing consists of the usual download, configure, make and make
127 install process. These steps are well documented elsewhere.
128 The <ulink url="samba-pdc-faq.html">FAQ</> discusses getting pre-release versions via CVS.
129 Then you need to configure the server.</para>
131 <sect1><title>Start Up Script</title>
132 <para>Skip this section if you have a working Samba already.
133 Everyone has their own favourite startup script. Here is mine, offered with no warrantee
139 # Script to control Samba server, David Bannon, 14-6-96
142 PATH=/bin:/usr/sbin:/usr/bin
146 if [ -f /usr/local/samba/bin/smbd ]
148 /usr/local/samba/bin/smbd -D
149 /usr/local/samba/bin/nmbd -D
150 echo "Starting Samba Server"
154 if [ -f /usr/local/samba/lib/smb.conf ]
156 vi /usr/local/samba/lib/smb.conf
160 if [ -f /usr/local/samba/private/smbpasswd ]
162 vi /usr/local/samba/private/smbpasswd
166 /usr/local/samba/bin/smbstatus -b
169 psline=`/bin/ps x | grep smbd | grep -v grep`
171 if [ "$psline" != "" ]
173 while [ "$psline" != "" ]
175 psline=`/bin/ps x | fgrep smbd | grep -v grep`
181 echo "Stopped $pid line = $psline"
186 echo "Stopped Samba servers"
189 psline=`/bin/ps x | grep smbd | grep -v grep`
191 if [ "$psline" != "" ]
193 while [ "$psline" != "" ]
195 psline=`/bin/ps x | fgrep smbd | grep -v grep`
201 echo "Stopped $pid line = $psline"
206 echo "Stopped Samba servers"
207 psline=`/bin/ps x | grep nmbd | grep -v grep`
213 echo "Stopped Name Server "
215 echo "Stopped Name Servers"
218 echo "usage: samba {start | restart |stop | conf | pw | who}"
224 <para> Use this script, or some other one, you will need to ensure its used while the machine
225 is booting. (This typically involves <filename>/etc/rc.d</filename>, we'll be
226 assuming that there is a script called
227 samba in <filename>/etc/rc.d/init.d</filename> further down in this document.)
231 <sect1><title>Config File</title>
233 <sect2><title id=configfile>A sample conf file</title>
234 <para>Here is a fairly minimal config file to do PDC. It will also make the server
235 become the browse master for the
236 specified domain (not necessary but usually desirable). You will need to change only
237 two parameters to make this
238 file work, <filename>wins server</filename> and <filename>workgroup</filename>, plus
239 you will need to put your own name (not mine!) in the <filename>domain admin users</> fields.
240 Some of the parameters are discussed further down this document.</para>
242 <para>Assuming you have used the default install directories, this file should appear as
243 <filename>/usr/local/samba/lib/smb.conf</filename>. It should not be
244 writable by anyone except root.</para>
246 <note><para>The 'add user script' parameter is a work-around, watch for changes !</></>
253 workgroup = { Your domain name here }
254 wins server = { ip of a wins server if you have one }
255 encrypt passwords = yes
257 logon script = scripts\%U.bat
258 domain admin users = root dbannon andrew
259 add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
267 directory mask = 0700
271 path = /usr/local/samba/netlogon
279 <sect2><title>PDC Config Parameters</title>
282 <variablelist><title>There are a huge range of parameters that may appear in a smb.conf file. Some
283 that may be of interest to a PDC are :</title>
285 <varlistentry><term>add user script</term>
286 <listitem><para>This parameter specifies a script (or program) that will be run
287 to add a user to the system. Here it is being used to add a machine, not a user.
288 This is probably not very nice and may change. But it does work !</para>
290 <para>For this example, I have a group called 'machines', entries can be added to
291 <filename>/etc/passwd</> using a programme called <filename>/usr/adduser</> and
292 the other parameters are chosen as suitable for a machine account. Works for
293 RH Linux, your system may require changes.</para>
297 <varlistentry><term>domain admin users = user1 users2</term>
298 <listitem><para>This parameter specifies a unix user who will be granted admin privileges
299 on a NT workstation when
300 logged onto that workstation. See the section called <link linkend=domainadmin>
301 Domain Admin</> Accounts.</para>
305 <varlistentry><term>encrypt passwords = yes</term>
306 <listitem><para>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
307 turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
308 should) you must use encrypted passwords.</para>
312 <varlistentry><term>logon script = scripts\%U.bat</term>
313 <listitem><para>This will make samba look for a logon script named after the user
315 See the section further on called <link linkend=logonscript>Logon Scripts</></para>
316 <note><para>Note that the slash is like this '\', not like this '/'.
317 NT is happy with both, win95 is not !</para></note>
321 <varlistentry><term>logon path</term>
322 <listitem><para>Lets you specify where you would like users profiles kept. The default, that is in the users
323 home directory, does encourage a bit of fiddling.</para>
334 <sect1><title>Special directories</title>
335 <para>You need to create a couple of special files and directories. Its nice
336 to have some of the binaries handy too, so I create links to them. Assuming
337 you have used the default samba location and have not
338 changed the locations mentioned in the sample config file, do the following :</para>
342 mkdir /usr/local/samba/netlogon
343 mkdir /usr/local/samba/netlogon/scripts
344 mkdir /usr/local/samba/private
345 touch /usr/local/samba/private/smbpasswd
346 chmod go-rwx /usr/local/samba/private/smbpasswd
348 ln -s /usr/local/samba/bin/smbpasswd
349 ln -s /usr/local/samba/bin/smbclient
350 ln -s /etc/rc.d/init.d/samba
353 <para>Make sure permissions are appropriate !</para>
355 <para>OK, if you have used the scripts above and have a path to where the links are do this to start up
356 the Samba Server :</para>
358 <para><command>samba start</command></para>
360 <para>Instead, you might like to reboot the machine to make sure that you
361 got the init stuff right. Any way, a quick look in the logs
362 <filename>/usr/local/samba/var/log.smbd</filename> and <filename>
363 /usr/local/samba/var/log/nmbd</filename>
364 will give you an idea of what's happening. Assuming all is well, lets create
365 some accounts...</para>
369 <!-- ================== U S E R and M A C H I N E A C C O U N T S ================ -->
371 <chapter><title>User and Machine Accounts</title>
372 <sect1><title>Logon Accounts</title>
374 <para><emphasis role=bold>This section is very nearly out of date already !</emphasis> It
375 appears that while you are reading it, Jean Francois Micou is making it
376 redundant ! Jean Francois is adding facilities to add users
377 (via User Manager) and machines (when joining the domain) and it looks like these facilities will
378 make it into the official release of 2.2.</para>
381 <para>Every user and NTws (and other samba servers) that will be on the domain
382 must have its own passwd entry in both <filename>/etc/passwd</filename> and
383 <filename>/usr/local/samba/private/smbpasswd</filename> .
384 The <filename>/etc/passwd</filename> entry is really
385 only to reserve a user ID. The NT encrypted password is stored in
386 <filename>/usr/local/samba/private/smbpasswd</filename>.
387 (Note that win95/98 machines don't need an account as they don't do
388 any security aware things.)</para>
390 <para>Samba 2.2 will now create these entries for us. Carefull set up is required
391 and there may well be some changes to this system before its released.
395 <sect1 id=machineaccount><title>Machine Accounts</title>
397 <note><para>There is an entry in the ntdom <ulink url="samba-pdc-faq.html">FAQ</> explaining how to create
398 machine entries manually.</para></note>
401 <variablelist><title><emphasis>At present</> to have the machine accounts created when a machine joins
402 the domain a number of conditions must be met :</title>
404 <varlistentry><term>Only root can do it !</term>
405 <listitem><para>There must be an entry in <filename>/usr/local/samba/private/smbpasswd</filename>
406 for root and root must be mentioned in <filename>domain admins</filename>. This may
407 be fixed some time in the future so any 'domain admin' can do it. If you don't
408 like having root as a windows logon account, make the machine
409 entries manually (both of them).</para>
413 <varlistentry><term>Use the <filename>add user script</></term>
414 <listitem><para>Again, this looks a bit like a 'work around'. Use a suitable
415 command line to add a machine account <link linkend=configfile>see above</link>,
416 and pass it %m$, that is %m to get machine name plus the '$'. Now, this
417 means you cannot use the <filename>add user script</> to really add users .... </para>
421 <varlistentry><term>Only for W2K</term>
422 <listitem><para>This automatic creation of machine accounts does not work for
423 NT4ws at present. Watch this space.</para></listitem></varlistentry>
428 <sect1><title>Joining the Domain</title>
430 <para>You must have either added the machine account entries manually (NT4 ws)
431 or set up the automatic system (W2K), <link linkend=machineaccount>see Machine Accounts</link>
432 before proceeding.</para>
435 <varlistentry><term><command>Windows NT</></term><listitem>
437 <listitem><para> (<emphasis>this step may not be necessary some time in the near future</>).
438 On the samba server that is the PDC, add a machine account manually
439 as per the instructions in the <ulink url="samba-pdc-faq.html">FAQ</>
440 Then give the command <command>smbpasswd -a -m {machine}</> substituting in the
441 client machine name.</para></listitem>
442 <listitem><para> Logon to the NTws in question as a local admin, go to the
443 <command>Control Panel, Network IdentificationTag</command>.</para></listitem>
444 <listitem><para> Press the <command>Change</> button.</para></listitem>
445 <listitem><para> Enter the Domain name (from the 'Workgroup' parameter, smb.conf)
446 in the Domain Field.</para></listitem>
447 <!-- <listitem><para> Now enter a user name
448 and password for a Domain Admin <emphasis>(Who must be root
449 until a pre-release bug is fixed)</emphasis> and press
450 'OK'.</para></listitem> -->
451 <listitem><para> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'.
452 Allow to reboot.</para></listitem>
454 </listitem></varlistentry>
456 <varlistentry><term><command>Windows 2000</></term><listitem>
458 <listitem><para>Logon to the W2k machine as Administrator, go to the Control
459 Panel and double click on <command>Network and Dialup Connections</>.
461 <listitem><para>Pull down the <command>Advanced</> menu and choose
462 <command>Network Identification</>. Press <command>Properties
463 </>. </para></listitem>
464 <listitem><para>Choose <command>Domain</> and enter the domain name. Press 'OK'.</para></listitem>
465 <listitem><para>Now enter a user name and password for a Domain Admin
466 <emphasis>(Who must be root until a pre-release bug is fixed)</emphasis> and press
467 'OK'.</para></listitem>
468 <listitem><para>Wait for the confirmation, reboot when prompted.</para></listitem>
470 <para>To remove a W2K machine from the domain, follow the first two steps then
471 choose <command>Workgroup</>, enter a work group name (or just WORKGROUP) and follow
473 </listitem></varlistentry>
480 <sect1><title id=useraccount>User Accounts</title>
482 <para><emphasis>Again, doing it manually (cos' the auto way is not working pre-release).
484 In our simple case every domain user should have an account on the PDC. The
485 account may have a null shell if they are not allowed to log on to the unix
486 prompt. Again they need an entry in both the <filename>/etc/passwd</filename> and
487 <filename>/usr/local/samba/private/smbpasswd</filename>. Again a password is
488 not necessary in <filename>/etc/passwd</filename> but the location
489 of the home directory is honoured.
490 To make an entry for a user called Joe Blow you would typically do the following :</para>
492 <para><command>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</command></para>
494 <para><command>smbpasswd -a joeblow</command></para>
496 <para>And you will prompted to enter a password for Joe. Ideally he will be
497 hovering over your shoulder and will, when asked, type in a password of
498 his choice. There are a number of scripts and systems to ease the migration of users
499 from somewhere to samba. Better start looking !</para>
502 <sect1><title id=domainadmin>Domain Admin Accounts</title>
504 <para>Certain operations demand that the logged on user has Administrator
505 privileges, typically installing software and
506 doing maintenance tasks. It is very simple to appoint some users as Domain Admins,
507 most likely yourself. Make
508 sure you trust the appointee !</para>
510 <para>Samba 2.2 recognizes particular users as being
511 domain admins and tells the NTws when it thinks that it has got one logged on.
512 In the smb.conf file we declare
513 that the <filename>Domain Admin users = user1 user2</filename>.
514 Any user mentioned here will be treated as a Domain Admin by a NTws when
515 logged onto the Domain. They will have full Administrator rights
516 including the rights to change permissions on files and run the system
517 utilities such as Disk Administrator.</para>
519 <para>Further, and this is very new, they will be allowed to create a
520 new machine account when first connecting a new NT or W2K machine to
521 the domain. <emphasis>At present, ie pre-release, only a Domain Admin who
522 also happens to be root can do so. </emphasis></para>
527 <!-- ======== P R O F I L E S P O L I C I E S and L O G O N S C R I P T S ======= -->
529 <chapter><title>Profiles, Policies and Logon Scripts</title>
531 <sect1><title>Profiles</title>
533 <para>NT Profiles should work if you have followed the setup so far.
534 A user's profile contains a whole lot of their personal settings,
535 the contents of their desktop, personal 'My Documents' and so on.
536 When they log off, all of the profile is copied to their directory
537 on the server and is downloaded again when they logon on again, possibly
538 on another client machine.</para>
540 <para>Sounds great but can be a bit of a bug bear sometimes. Users let
541 their profiles get too big and then complain about how long it takes
542 to log on each time. This sample setup only supports NT profiles,
543 rumor has it that it is also possible to do the same on Win95, my
544 users don't know and I'm not telling them.</para>
546 <note><para>There is more info about Profiles (including for W95/98)
547 in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></note>
550 <sect1><title>Policies</title>
552 <para>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
553 file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
554 Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
555 maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
556 on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
557 that comes with NTws.</para>
559 <note><para>See the <ulink url="samba-pdc-faq.html">FAQ</> for pointers on how to get a suitable Policy Editor.</para></note>
561 <para>The Policy Editor (and associated files) will create a
562 <filename>ntconfig.pol</filename> file using the
563 parameters Microsoft thought of and parameters you specify by making your own
564 template file.</para>
566 <para>In our example configuration here, Samba will expect to find
567 the <filename>ntconfig.pol</filename> file in
568 <filename>/usr/local/samba/netlogon</filename>. Needless to say (I hope !),
569 it is vitally important that ordinary users don't have
570 write permission to the Policy files.</para>
573 <sect1><title id=logonscript>Logon Scripts</title>
575 <para>In the sample config file above there is a line
576 <filename>logon script = scripts\%U.bat</filename></para>
578 <note><para>Note that the slash is like this '\' not like this '/'.
579 NT is happy with both, win95 is not !</para></note>
581 <para>This allows you to run a dos batch file every time someone logs on. The batch
582 file is located on the server, in the sample install mentioned here,
583 its in <filename>/usr/local/samba/netlogon/scripts</filename> and
584 is named after the user with <filename>.bat</filename> appended, eg Joe
585 Blow's script is called <filename>/usr/local/samba/netlogon/scripts/joeblow.bat</filename>.</para>
587 <note><para>There is a suggestion that user names longer than 8 characters may cause
588 problems with some systems being unable to run logon scripts. This is confirmed in earlier
589 versions when connecting using W95, comments about other combinations ??</para></note>
591 <para>You could use a line like this <filename>logon script = default.bat</> and samba
592 will supply <filename>/usr/local/samba/netlogon/default.bat</> for any client and every
593 user. Maybe you could use %m and get a client machine dependant logon script.
594 You get the idea...</para>
596 <para>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client
597 computer with the logon user's permissions. It must be a dos file with each line ending with
598 the dos cr/lf not a nice clean newline. Generally,
599 its best to create the initial file on a DOS system and copy it across.</para>
601 <para>There is lots of very clever uses of the Samba replaceable variables such
602 ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to
603 give you control over which script runs when a particular person logs
604 on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</para>
606 <para>Again, it is vitally important that ordinary users don't have write
607 permission to other peoples, or even probably their own, logon script files.</para>
609 <para>A typical logon script is reproduced below. Note that it runs separate
610 commands for win95 and NT, that's because NT has slightly different behaviour
611 when using the <filename>net use ..</filename> command. Its useful for lots of
612 other situations too. I don't know what syntax to use for win98, I don't use it
617 rem Default logon script, create links to this file.
619 net time \\bioserve /set /yes
621 if %OS%.==Windows_NT. goto WinNT
624 net use k: \\trillion\bio_prog
625 net use p: \\bcfile\homes
628 net use k: \\trillion\bio_prog /persistent:no
629 net use p: \\bcfile\homes /persistent:no
637 <chapter><title>Passwords and Authentication</title>
639 <para>So far our configuration assumes that ordinary users don't have unix logon access. A change
640 to the <link linkend=useraccount><filename>adduser</></> line above would allow unix logon
641 but it would be with passwords that may
642 be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
643 that they need to change their passwords in two seperate places is not fun.
644 Further, even if they cannot do a unix logon there are other processes that
645 might require authentication. We have a nice securely encrypted password in
646 <filename>/usr/local/samba/private/smbpasswd</filename>, why not use it ?</para>
649 <sect2><title>Syncing Passwords</title>
651 <para>Yes, its possible and seems the easiest way (initially anyway).
652 The <ulink url="samba-pdc-faq.html">FAQ</> details how to
653 do so in the sections <emphasis>What is password sync and should I use it ?</> and <emphasis>
654 How do I get remote password (unix and SMB) changing working ?</></para>
658 <sect2><title>Using PAM</title>
659 <para>Pam enabled systems have a much better solution available. The Samba
660 PDC server will offer to authenticate domain users to other processes
661 (either on this server or on the domain). With a suitable pam stack
662 such as <ulink url="http://www.csn.ul.ie/~airlied/pam_smb/"> Pam_smb</ulink>
663 you can get any pam aware application looking to the samba password and
664 can leave the password field in <filename>/etc/shadow</filename>
665 or <filename>/etc/passwd</filename> invalid.</para>
668 <sect2><title>Authenticating other Samba Servers</title>
669 <para>In a domain that has a number of servers you only need one password database.
670 The machines that don't have their own ask the PDC to check for them.
671 This will work fine for a domain controlled by either a Samba or NT machine.</para>
673 <para>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
674 See the section in the NTDom <ulink url="samba-pdc-faq.html">FAQ</> called <emphasis>How do I get my samba server to
675 become a member ( not PDC ) of an NT domain?</></para>
683 <chapter><title>Background</title>
685 <sect1><title></title>
686 <sect2><title>History</title>
688 <para>It might help you understand the limitations of the PDC in Samba if you
689 read something of its history. Well, the history as I understand it anyway.</para>
691 <para>For many years the Samba team have been developing Samba, some time ago
692 a number of people, possibly lead by Luke Leighton started contributing NT
693 PDC stuff. This was added to the 'head' stream (that would eventually
694 become the next version) and later to a seperate stream (NTDom). They did so
695 much that eventually this development stream was so mutated that it could not
696 be merged back into the main stream and was abandoned towards the end of 1999.
697 And that was very sad because many users, myself include had become heavily
698 dependant on the NTController facilities it offered. Oh well...</para>
700 <para>The NTDom team continued on with their new found knowledge however and
701 built the TNG stream. Intended to be carefully controlled so that it can be
702 merged back into the main stream and benefiting from what they learnt, it is
703 a very different product to the origional NTDom product. However, for a
704 number of reasons, the merge did not take place and now TNG is being developed
705 at <ulink url="http://www.samba-tng.org">http://www.samba-tng.org</>.</para>
707 <para>Now, the NTDom things that the main strean 2.0.x version does is based more
708 on the old (initial version) abandoned code than on the TNG ideas. It appears
709 that version 2.2.0 will also include an improved version of the 2.0.7 domain
710 controller charactistics, not the TNG ways. The developers have indicated
711 that 2.2.0 will be further developed incrementally and the ideas from TNG
712 incorporated into it.</para>
714 <para>One more little wriggle is worth mentioning. At one stage the NTDom
715 stream was called Samba 2.1.0-prealpha and similar names. This is most
716 unfortunate because at least one book published advises people who want to
717 use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon
718 be called 2.2.0 and NOT officially supporting NTDom Controlling functions,
719 the potential for confusion is certainly there.</para>
722 <sect2><title>The Future</title>
724 <para>There is a document on the Samba mirrors called <emphasis>'Development'
725 </emphasis>. It offers the 'best guess' of what is planned for future releases
728 <para>The future of Samba as a Primary Domain Controller appears rosie, however
729 be aware that its the future, not the present. The developers are strongly committed
730 to building a full featured PDC into Samba but it will take time. If this
731 version does not meet your requirements then you should consider (in no particular
735 <listitem><para> Wait. No, we don't know how long. Repeated asking won't help.</para></listitem>
736 <listitem><para>Investigate the development versions, TNG perhaps or HEAD where new code is being added
737 all the time. Realise that development code is often unstable, poorly documented and subject to change.
738 You will need to use cvs to download development versions.</para></listitem>
739 <listitem><para>Join one of the Samba mailing lists so that you can find out
740 what is happening on the 'bleeding edge'.</para></listitem>
744 <sect2><title>Getting further help</title>
746 <para>This document cannot possibly answer all your questions. Please understand that its very
747 likely that someone has been confrounted by the same problem that you have. The
748 <ulink url="samba-pdc-faq.html">FAQ</>
749 discusses a number of possible paths to take to get further help :</para>
753 <listitem><para>Documents on the Samba Sites.</para></listitem>
754 <listitem><para>Other web sites.</para></listitem>
755 <listitem><para>Mailing list.</para></listitem>
758 <para>There is some discussion about guide lines for using the Mailing Lists on the
759 accompanying <ulink url="samba-pdc-faq.html">FAQ</>,
760 please read them before posting.</para>