1 2 3 4 5 6 7<html><head><title>Joining an NT Domain with Samba 2.0</title> 8 9<link rev="made" href="mailto:samba@samba.org"> 10</head> 11<body> 12 13<hr> 14 15<h1>Joining an NT Domain with Samba 2.0</h1> 16<h2>Jeremy Allison, Samba Team</h2> 17<h2>7th October 1999</h2> 18 19<h1>Table of Contents </h1><p></p> 20 21<p><hr><p><br> 22<p><center>Joining an NT Domain with Samba 2.0 </center> 23<center>----------------------------------- </center> 24<p>In order for a Samba-2 server to join an NT domain, you must first add 25the NetBIOS name of the Samba server to the NT domain on the PDC using 26Server Manager for Domains. This creates the machine account in the 27domain (PDC) SAM. Note that you should add the Samba server as a "Windows 28NT Workstation or Server", <em>NOT</em> as a Primary or backup domain controller. 29<p>Assume you have a Samba-2 server with a NetBIOS name of <code>SERV1</code> and are 30joining an NT domain called <code>DOM</code>, which has a PDC with a NetBIOS name 31of <code>DOMPDC</code> and two backup domain controllers with NetBIOS names <code>DOMBDC1</code> 32and <code>DOMBDC2</code>. 33<p>In order to join the domain, first stop all Samba daemons and run the 34command 35<p><code>smbpasswd -j DOM -r DOMPDC</code> 36<p>as we are joining the domain DOM and the PDC for that domain (the only 37machine that has write access to the domain SAM database) is DOMPDC. If this is 38successful you will see the message: 39<p><code>smbpasswd: Joined domain DOM.</code> 40<p>in your terminal window. See the <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> 41man page for more details. 42<p>This command goes through the machine account password change 43protocol, then writes the new (random) machine account password for 44this Samba server into a file in the same directory in which an 45smbpasswd file would be stored - normally : 46<p><code>/usr/local/samba/private</code> 47<p>The filename looks like this: 48<p><code><NT DOMAIN NAME>.<Samba Server Name>.mac</code> 49<p>The <code>.mac</code> suffix stands for machine account password file. So in 50our example above, the file would be called: 51<p><code>DOM.SERV1.mac</code> 52<p>This file is created and owned by root and is not readable by any 53other user. It is the key to the domain-level security for your 54system, and should be treated as carefully as a shadow password file. 55<p>Now, before restarting the Samba daemons you must edit your 56<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file to tell Samba it should now 57use domain security. 58<p>Change (or add) your 59<p><a href="smb.conf.5.html#security"><strong>"security ="</strong></a> 60<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section of your 61<a href="smb.conf.5.html"><strong>smb.conf</strong></a> to read: 62<p><code>security = domain</code> 63<p>Next change the 64<p><a href="smb.conf.5.html#workgroup"><strong>"workgroup ="</strong></a> 65<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read: 66<p><code>workgroup = DOM</code> 67<p>as this is the name of the domain we are joining. 68<p>You must also have the parameter <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt passwords"</strong></a> 69set to <code>"yes"</code> in order for your users to authenticate to the 70NT PDC. 71<p>Finally, add (or modify) a: 72<p><a href="smb.conf.5.html#passwordserver"><strong>"password server ="</strong></a> 73<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read: 74<p><code>password server = DOMPDC DOMBDC1 DOMBDC2</code> 75<p>These are the primary and backup domain controllers Samba will attempt 76to contact in order to authenticate users. Samba will try to contact 77each of these servers in order, so you may want to rearrange this list 78in order to spread out the authentication load among domain 79controllers. 80<p>Alternatively, if you want smbd to automatically determine the 81list of Domain controllers to use for authentication, you may set this line to be : 82<p><code>password server = *</code> 83<p>This method, which is new in Samba 2.0.6 and above, allows Samba 84to use exactly the same mechanism that NT does. This method either broadcasts or 85uses a WINS database in order to find domain controllers to 86authenticate against. 87<p>Finally, restart your Samba daemons and get ready for clients to begin 88using domain security! 89<p><center>Why is this better than security = server? </center> 90<center>------------------------------------------ </center> 91<p>Currently, domain security in Samba doesn't free you from having to 92create local Unix users to represent the users attaching to your 93server. This means that if domain user <code>DOM\fred</code> attaches to your 94domain security Samba server, there needs to be a local Unix user fred 95to represent that user in the Unix filesystem. This is very similar to 96the older Samba security mode <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a>, where Samba would pass 97through the authentication request to a Windows NT server in the same 98way as a Windows 95 or Windows 98 server would. 99<p>The advantage to domain-level security is that the authentication in 100domain-level security is passed down the authenticated RPC channel in 101exactly the same way that an NT server would do it. This means Samba 102servers now participate in domain trust relationships in exactly the 103same way NT servers do (i.e., you can add Samba servers into a 104resource domain and have the authentication passed on from a resource 105domain PDC to an account domain PDC. 106<p>In addition, with <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> every Samba daemon on a 107server has to keep a connection open to the authenticating server for 108as long as that daemon lasts. This can drain the connection resources 109on a Microsoft NT server and cause it to run out of available 110connections. With <a href="smb.conf.5.html#securityequaldomain"><strong>"security =domain"</strong></a>, however, the Samba 111daemons connect to the PDC/BDC only for as long as is necessary to 112authenticate the user, and then drop the connection, thus conserving 113PDC connection resources. 114<p>And finally, acting in the same manner as an NT server authenticating 115to a PDC means that as part of the authentication reply, the Samba 116server gets the user identification information such as the user SID, 117the list of NT groups the user belongs to, etc. All this information 118will allow Samba to be extended in the future into a mode the 119developers currently call appliance mode. In this mode, no local Unix 120users will be necessary, and Samba will generate Unix uids and gids 121from the information passed back from the PDC when a user is 122authenticated, making a Samba server truly plug and play in an NT 123domain environment. Watch for this code soon. 124<p><em>NOTE:</em> Much of the text of this document was first published in the 125Web magazine <a href="http://www.linuxworld.com"><strong>"LinuxWorld"</strong></a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"><strong>"Doing the NIS/NT Samba"</strong></a>. 126</body> 127</html> 128