<para>
There are many who approach MS Windows networking with incredible misconceptions.
That's OK, because it give the rest of us plenty of opportunity to help someone.
-Those who really want help would be well advised to not make too big a fool
-of themselves by not being informed when are where the information needed is in
-fact available.
+Those who really want help would be well advised to be informed of information that
+is in fact already available.
</para>
</formalpara>
<para>
-The reader is well advised NOT to tackle this section until having first understood
+The reader is well advised NOT to tackle this section without having first understood
and mastered some basics. MS Windows networking is not particularly forgiving of
misconfiguration. Users of MS Windows networking are likely to complain bitterly
of persistent niggles that may be caused by broken network or system configuration.
</itemizedlist>
<para>
-Now, do not be put off too much, on the surface of it MS Windows networking seems so simple
+Do not be put off too much, on the surface of it MS Windows networking seems so simple
that any fool can do it. In fact, only a fool would set up an MS Windows network with
inadequate training and preparation. So let's get our first indelible principle out of the
way: <emphasis>It is perfectly OK to make mistakes!</emphasis> In the right place and at
</para>
<para>
-So where is the right place to make mistakes? Only out of harms' way! If you are going to
+Where is the right place to make mistakes? Only out of harms' way! If you are going to
make mistakes, then please do this on a test network, away from users and in such a way as
to not inflict pain on others. Do your learning on a test network.
</para>
<sect1>
-<title>Background</title>
+<title><Features and Benefits</title
-<sect2>
-<title>Domain Controller</title>
+<para>
+The following functionalities are new to the Samba-3 release:
+</para>
+
+<itemizedlist>
+ <listitem><para>
+ Windows NT4 domain trusts
+ </para></listitem>
+
+ <listitem><para>
+ Adding users via the User Manager for Domains
+ </para></listitem>
+</itemizedlist>
+
+<para>
+The following functionalities are NOT provided by Samba 3.0:
+</para>
+
+<itemizedlist>
+ <listitem><para>
+ SAM replication with Windows NT4 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa)
+ </para></listitem>
+
+ <listitem><para>
+ Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
+ Active Directory)
+ </para></listitem>
+</itemizedlist>
+
+<para>
+Please note that Windows 9x / Me / XP Home clients are not true members of a domain
+for reasons outlined in this article. Therefore the protocol for
+support of Windows 9x-style domain logons is completely different
+from NT4 / Win2k type domain logons and has been officially supported for some
+time.
+</para>
+
+<para><emphasis>
+MS Windows XP Home edition is NOT able to join a domain and does not permit
+the use of domain logons.</emphasis>
+</para>
+
+<para>
+Samba-3 offers a complete implementation of group mapping between Windows NT groups
+and Unix groups (this is really quite complicated to explain in a short space).
+</para>
+
+<para>
+A Samba-3 PDC also has to store machine trust account information
+in a suitable backend data store. With Samba-3 there can be multiple back-ends
+for this including:
+</para>
+
+<itemizedlist>
+ <listitem><para>
+ <emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
+ earlier versions of Samba. This file configuration option requires
+ a Unix/Linux system account for EVERY entry (ie: both for user and for
+ machine accounts). This file will be located in the <emphasis>private</emphasis>
+ directory (default is /usr/local/samba/lib/private or on linux /etc/samba).
+ </para></listitem>
+
+ <listitem><para>
+ <emphasis>tdbsam</emphasis> - a binary database backend that will be
+ stored in the <emphasis>private</emphasis> directory in a file called
+ <emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
+ file is that it can store binary objects that can not be accomodated
+ in the traditional plain text smbpasswd file.
+ </para></listitem>
+
+ <listitem><para>
+ <emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the
+ LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com
+ </para></listitem>
+</itemizedlist>
+
+<para>Read the chapter about the <link linkend="passdb">User Database</link>
+for details.</para>
+
+<note><para>
+The new tdbsam and ldapsam account backends store vastly more information than
+smbpasswd is capable of. The new backend database includes capacity to specify
+per user settings for many parameters, over-riding global settings given in the
+<filename>smb.conf</filename> file. eg: logon drive, logon home, logon path, etc.
+</para></note>
+
+</sect1>
+
+<sect1>
+<title>Basics of Domain Control</title>
<para>
Over the years public perceptions of what Domain Control really is has taken on an
there are three basic types of domain controllers:
</para>
-<sect3>
+<sect2>
<title>Domain Controller Types</title>
<itemizedlist>
<para>
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS
Windows NT4 and Windows 200x Domain Control architecture, but not in the manner that so many
-expect.
+expect. There is a form of folk lore that dictates that because of it's role in the MS Windows
+network that the PDC should be the most powerful and most capable machine in the network.
+As corny as it may seem to say this here, where good over all network performance is desired
+the entire infrastructure needs to be balanced. It may be more advisable to invest more in
+the Backup Domain Controllers and Stand-Alone (or Domain Member) servers than in the PDC.
</para>
<para>
</para>
<para>
-New to Samba-3 is the ability to use a back-end file that holds the same type of data as
+New to Samba-3 is the ability to use a back-end database that holds the same type of data as
the NT4 style SAM (Security Account Manager) database (one of the registry files).
-The samba-3 SAM can be specified via the smb.conf file parameter "passwd backend" and
-valid options include <emphasis> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</emphasis>.
-The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix
-Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux
-system accounts, provided a uid range is defined from which SAM accounts can be created.
+The samba-3 SAM can be specified via the smb.conf file parameter
+<emphasis>passwd backend</emphasis> and valid options include
+<emphasis>smbpasswd, tdbsam, ldapsam, nisplussam, xmlsam, mysqlsam, plugin, guest</emphasis>.
</para>
<para>
The <emphasis>Backup Domain Controller</emphasis> or BDC plays a key role in servicing network
-authentication requests. The BDC is biased to answer logon requests so that on a network segment
-that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will
-answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to
-a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is
-automatically demoted to a BDC.
+authentication requests. The BDC is biased to answer logon requests in preference to the PDC.
+On a network segment that has a BDC and a PDC the BDC will be most likely to service network
+logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
+A BDC can be promoted to a PDC. If the PDC is on line at the time that the BDC is promoted to
+PDC the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
+operation, the PDB and BDC must be manually configured and changes need to be made likewise.
</para>
<para>
Active Directory domain.
</para>
+<para>
+New to Samba-3 is the ability to function fully as an MS Windows NT4 style Domain Controller,
+excluding the SAM replication components. However, please be aware that Samba-3 support the
+MS Windows 200x domain control protcols also.
+</para>
+
<para>
At this time Samba-3 is capable of acting as an <emphasis>ADS Domain Controller</emphasis> but
in only a limited and experimental manner. This functionality should not be depended upon
until the samba-team offers formal support for it. At such a time, the documentation will
be revised to duely reflect all configuration and management requirements.
</para>
-</sect3>
+
</sect2>
+<sect2>
+<title>Preparing for Domain Control<title>
+
<para>
-This article outlines the steps necessary for configuring Samba-3 as an MS Windows NT4 style PDC.
+The following outlines the steps necessary for configuring Samba-3 as an MS Windows NT4 style PDC.
It is necessary to have a working Samba server prior to implementing the PDC functionality.
</para>
</note>
<para>
-The following functionalities are new to the Samba-3 release:
-</para>
-
-<itemizedlist>
- <listitem><para>
- Windows NT4 domain trusts
- </para></listitem>
-
- <listitem><para>
- Adding users via the User Manager for Domains
- </para></listitem>
-</itemizedlist>
-
-<para>
-The following functionalities are NOT provided by Samba 3.0:
+Implementing a Samba PDC can basically be divided into 4 broad
+steps.
</para>
-<itemizedlist>
- <listitem><para>
- SAM replication with Windows NT4 Domain Controllers
- (i.e. a Samba PDC and a Windows NT BDC or vice versa)
- </para></listitem>
-
+<orderedlist numeration="arabic">
<listitem><para>
- Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
- Active Directory)
+ Configuration of basic MS Windows Networking
</para></listitem>
-</itemizedlist>
-
-<para>
-Please note that Windows 9x / Me / XP Home clients are not true members of a domain
-for reasons outlined in this article. Therefore the protocol for
-support of Windows 9x-style domain logons is completely different
-from NT4 / Win2k type domain logons and has been officially supported for some
-time.
-</para>
-
-<para><emphasis>
-MS Windows XP Home edition is NOT able to join a domain and does not permit
-the use of domain logons.</emphasis>
-</para>
-
-
-<para>
-Implementing a Samba PDC can basically be divided into 3 broad
-steps.
-</para>
-<orderedlist numeration="arabic">
<listitem><para>
Configuring the Samba PDC
</para></listitem>
<listitem><para>
- Creating machine trust accounts and joining clients to the domain
+ Creating machine trust accounts and joining machines to the domain
</para></listitem>
<listitem><para>
</orderedlist>
<para>
-There are other minor details such as user profiles, system policies, etc...
+There are other details such as user profiles, system policies, etc.
However, these are not necessarily specific to a Samba PDC as much as they are
related to Windows NT networking concepts.
</para>
+</sect2>
</sect1>
<sect1>
-<title>Configuring Samba NT4 Style Domain Control</title>
+<title>Domain Control - Example Configuration</title>
<para>
The first step in creating a working Samba PDC is to understand the parameters necessary
</para></listitem>
</itemizedlist>
-<para>
-Samba 3.0 offers a complete implementation of group mapping
-between Windows NT groups and Unix groups (this is really quite
-complicated to explain in a short space).
-</para>
-
<sect2>
-<title>Creating Machine Trust Accounts and Joining Clients to the Domain</title>
+<title>Machine Trust Accounts and Domain Membership</title>
<para>
-A machine trust account is a Samba account that is used to
-authenticate a client machine (rather than a user) to the Samba
-server. In Windows terminology, this is known as a "Computer
-Account."</para>
+A machine trust account is an account that is used to authenticate a client machine
+(rather than a user) to the Domain Controller server. In Windows terminology,
+this is known as a "Computer Account."</para>
<para>
The password of a machine trust account acts as the shared secret for
the new repository for machine trust accounts.
</para>
-<para>
-A Samba-3 PDC also has to store machine trust account information
-in a suitable backend data store. With Samba-3 there can be multiple back-ends
-for this including:
-</para>
-
-<itemizedlist>
- <listitem><para>
- <emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
- earlier versions of Samba. This file configuration option requires
- a Unix/Linux system account for EVERY entry (ie: both for user and for
- machine accounts). This file will be located in the <emphasis>private</emphasis>
- directory (default is /usr/local/samba/lib/private or on linux /etc/samba).
- </para></listitem>
-
- <listitem><para>
- <emphasis>tdbsam</emphasis> - a binary database backend that will be
- stored in the <emphasis>private</emphasis> directory in a file called
- <emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
- file is that it can store binary objects that can not be accomodated
- in the traditional plain text smbpasswd file.
- </para></listitem>
-
- <listitem><para>
- <emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the
- LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com
- </para></listitem>
-</itemizedlist>
-
-<para>Read the chapter about the <link linkend="passdb">User Database</link>
-for details.</para>
-
-<note><para>
-The new tdbsam and ldapsam account backends store vastly more information than
-smbpasswd is capable of. The new backend database includes capacity to specify
-per user settings for many parameters, over-riding global settings given in the
-<filename>smb.conf</filename> file. eg: logon drive, logon home, logon path, etc.
-</para></note>
-
<para>
A Samba PDC, however, stores each machine trust account in two parts,
as follows:
this as a machine trust account.
</para>
-
<para>
Now that the corresponding Unix account has been created, the next step is to create
the Samba account for the client containing the well-known initial
</para>
-<para>Below is an example for a RedHat 6.2 Linux system.
+<para>
+Below is an example for a RedHat Linux system.
</para>
<para><programlisting>
<sect3><title>Joining the Client to the Domain</title>
<para>
-The procedure for joining a client to the domain varies with the
-version of Windows.
+The procedure for joining a client to the domain varies with the version of Windows.
</para>
<itemizedlist>
git.samba.org / sfrench / samba-autobuild / .git / blobdiff