path: root/docs/htmldocs/Samba3-ByExample/unixclients.html
Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/unixclients.html')
-rw-r--r--docs/htmldocs/Samba3-ByExample/unixclients.html592
1 files changed, 296 insertions, 296 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/unixclients.html b/docs/htmldocs/Samba3-ByExample/unixclients.html
index 2dd1a1b35e..3772a0ff81 100644
--- a/docs/htmldocs/Samba3-ByExample/unixclients.html
+++ b/docs/htmldocs/Samba3-ByExample/unixclients.html
@@ -1,26 +1,26 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. 
Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id360510">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360558">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id360587">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id360610">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id361198">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id361279">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367212">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id367699">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id367744">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id360421"></a><a class="indexterm" name="id360429"></a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Adding Domain Member Servers and Clients</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.73.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="next" href="upgrades.html" title="Chapter 8. Updating Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Adding Domain Member Servers and Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unixclients"></a>Chapter 7. 
Adding Domain Member Servers and Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="unixclients.html#id2611372">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2611426">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2611461">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#id2611489">Technical Issues</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2612138">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2612239">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="unixclients.html#sdcsdmldap">Samba Domain with Samba Domain Member Server Using NSS LDAP</a></span></dt><dt><span class="sect2"><a href="unixclients.html#wdcsdm">NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</a></span></dt><dt><span class="sect2"><a href="unixclients.html#dcwonss">NT4/Samba Domain with Samba Domain Member Server without NSS Support</a></span></dt><dt><span class="sect2"><a href="unixclients.html#adssdm">Active Directory Domain with Samba Domain Member Server</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2618444">UNIX/Linux Client Domain Member</a></span></dt><dt><span class="sect2"><a href="unixclients.html#id2619019">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="unixclients.html#id2619073">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2611274"></a><a class="indexterm" name="id2611281"></a>
The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing.
It is well known that Samba is a file and print server. A recent survey conducted by <span class="emphasis"><em>Open Magazine</em></span> found
that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the
- <a href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a>
+ <a class="ulink" href="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba" target="_top">Open-Mag</a>
Web site for current information. The survey results as found on January 14, 2004, are shown in
- <a href="unixclients.html#ch09openmag" title="Figure 7.1. Open Magazine Samba Survey">???</a>.
+ <a class="link" href="unixclients.html#ch09openmag" title="Figure 7.1. Open Magazine Samba Survey">&#8220;Open Magazine Samba Survey&#8221;</a>.
</p><div class="figure"><a name="ch09openmag"></a><p class="title"><b>Figure 7.1. Open Magazine Samba Survey</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/openmag.png" width="324" alt="Open Magazine Samba Survey"></div></div></div><br class="figure-break"><p>
While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter
function that Samba provides. Yet this book may give the appearance of having focused too much on more
exciting aspects of Samba deployment. This chapter directs your attention to provide important information on
the addition of Samba servers into your present Windows network whatever the controlling technology
may be. So let's get back to our good friends at Abmas.
- </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id360510"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id360516"></a><a class="indexterm" name="id360524"></a>
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611372"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2611379"></a><a class="indexterm" name="id2611386"></a>
Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward
with not too many distractions or problems. Your team is doing well, but a number of employees
are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's
get on with this; Christine and Stan are ready to go.
- </p><p><a class="indexterm" name="id360542"></a>
+ </p><p><a class="indexterm" name="id2611407"></a>
Stan is firmly in control of the department of the future, while Christine is enjoying a stable and
predictable network environment. It is time to add more servers and to add Linux desktops. It is
time to meet the demands of future growth and endure trial by fire.
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360558"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id360565"></a>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2611426"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2611432"></a>
You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003
Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him
out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use
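Review bot: The stylesheet href changes from `samba.css` to `../samba.css` while every other relative href in the same head (`index.html`, `DMSMig.html`, `upgrades.html`) still points into the chapter directory; confirm that `docs/htmldocs/samba.css` actually exists one level above `Samba3-ByExample/` and that the sibling chapters were regenerated with the same path, otherwise this chapter renders unstyled. The rest of the hunk is generator churn: moving from DocBook XSL V1.72.0 to V1.73.1 renumbers every auto-generated anchor (`id360510` becomes `id2611372`, and so on for the whole table of contents), so any external deep link into those anchors breaks on each regeneration; only the hand-named anchors such as `unixclients` and `sdcsdmldap` are stable. It would help reviewers if the commit message named the stylesheet version that produced this output so the renumbering is reproducible and can be ignored on future diffs.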
@@ -30,8 +30,8 @@
these systems to make sure that Abmas is not building islands of technology. You ask Christine to
do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make
the right decision, don't you?
- </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id360587"></a>Dissection and Discussion</h2></div></div></div><p>
- <a class="indexterm" name="id360594"></a>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611461"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id2611469"></a>
Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble
at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning
an inability to achieve identical user and group IDs between Windows and UNIX environments.
@@ -39,28 +39,28 @@
You provide step-by-step implementations of the various tools that can be used for identity
resolution. You also provide working examples of solutions for integrated authentication for
both UNIX/Linux and Windows environments.
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id360610"></a>Technical Issues</h3></div></div></div><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2611489"></a>Technical Issues</h3></div></div></div><p>
One of the great challenges we face when people ask us, &#8220;<span class="quote">What is the best way to solve
this problem?</span>&#8221; is to get beyond the facts so we not only can clearly comprehend
the immediate technical problem, but also can understand how needs may change.
</p><p>
- <a class="indexterm" name="id360627"></a>
+ <a class="indexterm" name="id2611508"></a>
There are a few facts we should note when dealing with the question of how best to
integrate UNIX/Linux clients and servers into a Windows networking environment:
</p><div class="itemizedlist"><ul type="disc"><li><p>
- <a class="indexterm" name="id360642"></a>
- <a class="indexterm" name="id360649"></a>
- <a class="indexterm" name="id360655"></a>
- <a class="indexterm" name="id360665"></a>
- <a class="indexterm" name="id360671"></a>
+ <a class="indexterm" name="id2611524"></a>
+ <a class="indexterm" name="id2611531"></a>
+ <a class="indexterm" name="id2611538"></a>
+ <a class="indexterm" name="id2611548"></a>
+ <a class="indexterm" name="id2611554"></a>
A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
to the same values that the PDC resolved them to.
</p></li><li><p>
- <a class="indexterm" name="id360684"></a>
- <a class="indexterm" name="id360691"></a>
- <a class="indexterm" name="id360702"></a>
- <a class="indexterm" name="id360709"></a>
+ <a class="indexterm" name="id2611569"></a>
+ <a class="indexterm" name="id2611576"></a>
+ <a class="indexterm" name="id2611588"></a>
+ <a class="indexterm" name="id2611595"></a>
A domain member can be authoritative for local accounts, but is never authoritative for
domain accounts. If a user is accessing a domain member server and that user's account
is not known locally, the domain member server must resolve the identity of that user
@@ -70,26 +70,26 @@
Samba, when running on a domain member server, can resolve user identities from a
number of sources:
</p><div class="itemizedlist"><ul type="circle"><li><p>
- <a class="indexterm" name="id360737"></a>
- <a class="indexterm" name="id360744"></a>
- <a class="indexterm" name="id360751"></a>
- <a class="indexterm" name="id360758"></a>
- <a class="indexterm" name="id360764"></a>
+ <a class="indexterm" name="id2611627"></a>
+ <a class="indexterm" name="id2611634"></a>
+ <a class="indexterm" name="id2611641"></a>
+ <a class="indexterm" name="id2611648"></a>
+ <a class="indexterm" name="id2611654"></a>
By executing a system <code class="literal">getpwnam()</code> or <code class="literal">getgrnam()</code> call.
On systems that support it, this utilizes the name service switch (NSS) facility to
resolve names according to the configuration of the <code class="filename">/etc/nsswitch.conf</code>
file. NSS can be configured to use LDAP, winbind, NIS, or local files.
</p></li><li><p>
- <a class="indexterm" name="id360795"></a>
- <a class="indexterm" name="id360802"></a>
- <a class="indexterm" name="id360809"></a>
+ <a class="indexterm" name="id2611687"></a>
+ <a class="indexterm" name="id2611694"></a>
+ <a class="indexterm" name="id2611701"></a>
Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured).
This requires the use of the PADL nss_ldap tool (or equivalent).
</p></li><li><p>
- <a class="indexterm" name="id360822"></a>
- <a class="indexterm" name="id360828"></a>
- <a class="indexterm" name="id360835"></a>
- <a class="indexterm" name="id360842"></a>
+ <a class="indexterm" name="id2611715"></a>
+ <a class="indexterm" name="id2611722"></a>
+ <a class="indexterm" name="id2611729"></a>
+ <a class="indexterm" name="id2611736"></a>
Directly by querying <code class="literal">winbindd</code>. The <code class="literal">winbindd</code>
contacts a domain controller to attempt to resolve the identity of the user or group. It
receives the Windows networking security identifier (SID) for that appropriate
@@ -97,9 +97,9 @@
creates an entry in its <code class="filename">winbindd_idmap.tdb</code> and
<code class="filename">winbindd_cache.tdb</code> files.
</p><p>
- <a class="indexterm" name="id360878"></a>
- <a class="indexterm" name="id360885"></a>
- If the parameter <a class="indexterm" name="id360892"></a>idmap backend = ldap:ldap://myserver.domain
+ <a class="indexterm" name="id2611775"></a>
+ <a class="indexterm" name="id2611782"></a>
+ If the parameter <a class="link" href="smb.conf.5.html#IDMAPBACKEND">idmap backend = ldap:ldap://myserver.domain</a>
was specified and the LDAP server has been configured with a container in which it may
store the IDMAP entries, all domain members may share a common mapping.
</p></li></ul></div><p>
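Review bot: The new `<a class="link" href="smb.conf.5.html#IDMAPBACKEND">` is a relative href into the chapter's own directory, but this same commit moved the stylesheet to the parent directory, which suggests the generated tree places shared files outside `Samba3-ByExample/`; verify that `smb.conf.5.html` is emitted beside this chapter (or adjust the href to wherever the manpage HTML lands), since a broken in-page link fails silently in the rendered book. The linked example value itself, `idmap backend = ldap:ldap://myserver.domain`, is unchanged by this hunk; note for a follow-up that it shows a plaintext `ldap://` URI, and the text around it does not say whether the IDMAP container is reachable only over a trusted network.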
@@ -111,48 +111,48 @@
in the <code class="filename">smb.conf</code> file. Some of the configuration options are rather less than obvious to the
casual user.
</p></li><li><p>
- <a class="indexterm" name="id360940"></a>
- <a class="indexterm" name="id360946"></a>
- <a class="indexterm" name="id360956"></a>
+ <a class="indexterm" name="id2611847"></a>
+ <a class="indexterm" name="id2611854"></a>
+ <a class="indexterm" name="id2611863"></a>
If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
of being resolved using) the NSS facility, it is possible to use the
- <a class="indexterm" name="id360964"></a>winbind trusted domains only = Yes
+ <a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY">winbind trusted domains only = Yes</a>
in the <code class="filename">smb.conf</code> file. This parameter specifically applies to domain controllers,
and to domain member servers.
</p></li></ul></div><p>
- <a class="indexterm" name="id360982"></a>
- <a class="indexterm" name="id360989"></a>
- <a class="indexterm" name="id360996"></a>
+ <a class="indexterm" name="id2611899"></a>
+ <a class="indexterm" name="id2611906"></a>
+ <a class="indexterm" name="id2611913"></a>
For many administrators, it should be plain that the use of an LDAP-based repository for all network
accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
controllable facility. You eventually appreciate the decision to use LDAP.
</p><p>
- <a class="indexterm" name="id361008"></a>
- <a class="indexterm" name="id361015"></a>
- <a class="indexterm" name="id361022"></a>
+ <a class="indexterm" name="id2611928"></a>
+ <a class="indexterm" name="id2611935"></a>
+ <a class="indexterm" name="id2611941"></a>
If your network account information resides in an LDAP repository, you should use it ahead of any
alternative method. This means that if it is humanly possible to use the <code class="literal">nss_ldap</code>
tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
a more readily controllable method for asserting the exact same user and group identifiers
throughout the network.
</p><p>
- <a class="indexterm" name="id361041"></a>
- <a class="indexterm" name="id361051"></a>
- <a class="indexterm" name="id361058"></a>
- <a class="indexterm" name="id361064"></a>
- <a class="indexterm" name="id361071"></a>
- <a class="indexterm" name="id361078"></a>
+ <a class="indexterm" name="id2611964"></a>
+ <a class="indexterm" name="id2611973"></a>
+ <a class="indexterm" name="id2611981"></a>
+ <a class="indexterm" name="id2611987"></a>
+ <a class="indexterm" name="id2611994"></a>
+ <a class="indexterm" name="id2612001"></a>
In the situation where UNIX accounts are held on the domain member server itself, the only effective
way to use them involves the <code class="filename">smb.conf</code> entry
- <a class="indexterm" name="id361092"></a>winbind trusted domains only = Yes. This forces
+ <a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY">winbind trusted domains only = Yes</a>. This forces
Samba (<code class="literal">smbd</code>) to perform a <code class="literal">getpwnam()</code> system call that can
then be controlled via <code class="filename">/etc/nsswitch.conf</code> file settings. The use of this parameter
disables the use of Samba with trusted domains (i.e., external domains).
</p><p>
- <a class="indexterm" name="id361122"></a>
- <a class="indexterm" name="id361129"></a>
- <a class="indexterm" name="id361138"></a>
- <a class="indexterm" name="id361145"></a>
+ <a class="indexterm" name="id2612052"></a>
+ <a class="indexterm" name="id2612059"></a>
+ <a class="indexterm" name="id2612069"></a>
+ <a class="indexterm" name="id2612075"></a>
Winbind can be used to create an appliance mode domain member server. In this capacity, <code class="literal">winbindd</code>
is configured to automatically allocate UIDs/GIDs from numeric ranges set in the <code class="filename">smb.conf</code> file. The allocation
is made for all accounts that connect to that domain member server, whether within its own domain or from
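Review bot: Both occurrences of `winbind trusted domains only = Yes` are now wrapped in `<a class="link" href="smb.conf.5.html#WINBINDTRUSTEDDOMAINSONLY">`, and the second one correctly keeps the sentence's full stop outside the anchor (`...= Yes</a>. This forces`). The fragment follows the same uppercased, space-stripped scheme as `#IDMAPBACKEND` in the previous hunk; make sure the generated `smb.conf.5.html` uses that exact naming, because the anchor text looks like a link whether or not the target exists. The surrounding prose about this parameter disabling trusted-domain support is unchanged and still accurate, so no further doc change is needed in this hunk.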
@@ -161,16 +161,16 @@
same UID/GID on both servers however, this is transparent to the Windows network user. This data
is stored in the <code class="filename">winbindd_idmap.tdb</code> and <code class="filename">winbindd_cache.tdb</code> files.
</p><p>
- <a class="indexterm" name="id361186"></a>
+ <a class="indexterm" name="id2612123"></a>
The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
servers so configured. This solves one of the major headaches for network administrators who need to copy
files between or across network file servers.
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id361198"></a>Political Issues</h3></div></div></div><p>
- <a class="indexterm" name="id361206"></a>
- <a class="indexterm" name="id361213"></a>
- <a class="indexterm" name="id361220"></a>
- <a class="indexterm" name="id361228"></a>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2612138"></a>Political Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id2612146"></a>
+ <a class="indexterm" name="id2612153"></a>
+ <a class="indexterm" name="id2612159"></a>
+ <a class="indexterm" name="id2612168"></a>
One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
is different and requires a new approach to the need for a better identity management solution. The more
@@ -182,23 +182,23 @@
you can't use Windows Active Directory in a heterogenous environment it can be done, it just requires
commercial integration products. But it's not what Active Directory was designed for.
</p><p>
- <a class="indexterm" name="id361259"></a>
- <a class="indexterm" name="id361265"></a>
+ <a class="indexterm" name="id2612207"></a>
+ <a class="indexterm" name="id2612213"></a>
A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
is the first application group to almost force network administrators to use LDAP. It should be pointed
out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total
organizational directory needs.
- </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id361279"></a>Implementation</h2></div></div></div><p>
- <a class="indexterm" name="id361287"></a>
- <a class="indexterm" name="id361296"></a>
- <a class="indexterm" name="id361305"></a>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2612239"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id2612246"></a>
+ <a class="indexterm" name="id2612256"></a>
+ <a class="indexterm" name="id2612265"></a>
The domain member server and the domain member client are at the center of focus in this chapter.
Configuration of Samba-3 domain controller is covered in earlier chapters, so if your
interest is in domain controller configuration, you will not find that here. You will find good
oil that helps you to add domain member servers and clients.
</p><p>
- <a class="indexterm" name="id361318"></a>
+ <a class="indexterm" name="id2612281"></a>
In practice, domain member servers and domain member workstations are very different entities, but in
terms of technology they share similar core infrastructure. A technologist would argue that servers
and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
@@ -206,15 +206,15 @@
are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item,
but a server is viewed as a core component of the business.
</p><p>
- <a class="indexterm" name="id361335"></a>
+ <a class="indexterm" name="id2612304"></a>
We can look at this another way. If a workstation breaks down, one user is affected, but if a
server breaks down, hundreds of users may not be able to work. The services that a workstation
must provide are document- and file-production oriented; a server provides information storage
and is distribution oriented.
</p><p>
- <a class="indexterm" name="id361351"></a>
- <a class="indexterm" name="id361358"></a>
- <a class="indexterm" name="id361364"></a>
+ <a class="indexterm" name="id2612319"></a>
+ <a class="indexterm" name="id2612326"></a>
+ <a class="indexterm" name="id2612333"></a>
<span class="emphasis"><em>Why is this important?</em></span> For starters, we must identify what
components of the operating system and its environment must be configured. Also, it is necessary
to recognize where the interdependencies between the various services to be used are.
@@ -226,12 +226,12 @@
So, in this chapter we demonstrate how to implement the technology. It is done within a context of
what type of service need must be fulfilled.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sdcsdmldap"></a>Samba Domain with Samba Domain Member Server Using NSS LDAP</h3></div></div></div><p>
- <a class="indexterm" name="id361399"></a>
- <a class="indexterm" name="id361406"></a>
- <a class="indexterm" name="id361412"></a>
- <a class="indexterm" name="id361419"></a>
- <a class="indexterm" name="id361428"></a>
- <a class="indexterm" name="id361435"></a>
+ <a class="indexterm" name="id2612374"></a>
+ <a class="indexterm" name="id2612381"></a>
+ <a class="indexterm" name="id2612388"></a>
+ <a class="indexterm" name="id2612395"></a>
+ <a class="indexterm" name="id2612404"></a>
+ <a class="indexterm" name="id2612411"></a>
In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
containers for use by the IDMAP facility. This makes it possible to have globally consistent
@@ -247,9 +247,9 @@
<em class="parameter"><code>idmap gid</code></em> ranges. Where LDAP is used, the mappings can be stored in LDAP
so that all domain member servers can use a consistent mapping.
</p><p>
- <a class="indexterm" name="id361490"></a>
- <a class="indexterm" name="id361497"></a>
- <a class="indexterm" name="id361504"></a>
+ <a class="indexterm" name="id2612475"></a>
+ <a class="indexterm" name="id2612481"></a>
+ <a class="indexterm" name="id2612488"></a>
If your installation is accessed only from clients that are members of your own domain, and all
user accounts are present in a local passdb backend then it is not necessary to run
<code class="literal">winbindd</code>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
@@ -259,19 +259,19 @@
<code class="literal">getpwnam()</code> system call. On NSS-enabled systems, the actual POSIX account
source can be provided from
</p><div class="itemizedlist"><ul type="disc"><li><p>
- <a class="indexterm" name="id361536"></a>
- <a class="indexterm" name="id361543"></a>
+ <a class="indexterm" name="id2612525"></a>
+ <a class="indexterm" name="id2612532"></a>
Accounts in <code class="filename">/etc/passwd</code> or in <code class="filename">/etc/group</code>.
</p></li><li><p>
- <a class="indexterm" name="id361566"></a>
- <a class="indexterm" name="id361573"></a>
- <a class="indexterm" name="id361580"></a>
- <a class="indexterm" name="id361587"></a>
- <a class="indexterm" name="id361593"></a>
- <a class="indexterm" name="id361600"></a>
- <a class="indexterm" name="id361607"></a>
- <a class="indexterm" name="id361614"></a>
- <a class="indexterm" name="id361621"></a>
+ <a class="indexterm" name="id2612556"></a>
+ <a class="indexterm" name="id2612562"></a>
+ <a class="indexterm" name="id2612569"></a>
+ <a class="indexterm" name="id2612576"></a>
+ <a class="indexterm" name="id2612583"></a>
+ <a class="indexterm" name="id2612589"></a>
+ <a class="indexterm" name="id2612596"></a>
+ <a class="indexterm" name="id2612603"></a>
+ <a class="indexterm" name="id2612610"></a>
Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs
via multiple methods. The methods typically include <code class="literal">files</code>,
<code class="literal">compat</code>, <code class="literal">db</code>, <code class="literal">ldap</code>,
@@ -283,13 +283,13 @@
the user account backend is not shared by any other Samba server instead, it is
used only locally on the Samba domain member server under discussion.
</p></div><p>
- <a class="indexterm" name="id361695"></a>
- The diagram in <a href="unixclients.html#ch9-sambadc" title="Figure 7.2. Samba Domain: Samba Member Server">???</a> demonstrates the relationship of Samba and system
+ <a class="indexterm" name="id2612689"></a>
+ The diagram in <a class="link" href="unixclients.html#ch9-sambadc" title="Figure 7.2. Samba Domain: Samba Member Server">&#8220;Samba Domain: Samba Member Server&#8221;</a> demonstrates the relationship of Samba and system
components that are involved in the identity resolution process where Samba is used as a domain
member server within a Samba domain control network.
</p><div class="figure"><a name="ch9-sambadc"></a><p class="title"><b>Figure 7.2. Samba Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-SambaDC.png" width="324" alt="Samba Domain: Samba Member Server"></div></div></div><br class="figure-break"><p>
- <a class="indexterm" name="id361755"></a>
- <a class="indexterm" name="id361761"></a>
+ <a class="indexterm" name="id2612751"></a>
+ <a class="indexterm" name="id2612758"></a>
In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
backend so that it can be shared by all domain member servers so that every user will have a
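Review bot: The literal `???` that the old stylesheet rendered for the unresolved `<xref>` is now replaced by the figure's title in typographic quotes (`&#8220;Samba Domain: Samba Member Server&#8221;`), which is the actual bug fix in this file; the rest of the hunk is anchor renumbering. Since the link text is the title rather than "Figure 7.2", the sentence "The diagram in ... demonstrates" still reads correctly here, but check that `a.link` is styled in `../samba.css` so readers can tell the quoted title is clickable.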
@@ -297,14 +297,14 @@
(i.e., not having the same SID as the domain it is a member of) domains. The configuration of
NSS will ensure that all UNIX processes will obtain a consistent UID/GID.
</p><p>
- The instructions given here apply to the Samba environment shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> and <a href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">???</a>.
- If the network does not have an LDAP slave server (i.e., <a href="happy.html" title="Chapter 5. Making Happy Users">???</a> configuration),
+ The instructions given here apply to the Samba environment shown in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a> and <a class="link" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network">&#8220;A Distributed 2000-User Network&#8221;</a>.
+ If the network does not have an LDAP slave server (i.e., <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a> configuration),
change the target LDAP server from <code class="constant">lapdc</code> to <code class="constant">massive.</code>
- </p><div class="procedure"><a name="id361803"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p>
- Create the <code class="filename">smb.conf</code> file as shown in <a href="unixclients.html#ch9-sdmsdc" title="Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File">???</a>. Locate
+ </p><div class="procedure"><a name="id2612806"></a><p class="title"><b>Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution</b></p><ol type="1"><li><p>
+ Create the <code class="filename">smb.conf</code> file as shown in <a class="link" href="unixclients.html#ch9-sdmsdc" title="Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File">&#8220;Samba Domain Member in Samba Domain Using LDAP smb.conf File&#8221;</a>. Locate
this file in the directory <code class="filename">/etc/samba</code>.
</p></li><li><p>
- <a class="indexterm" name="id361840"></a>
+ <a class="indexterm" name="id2612844"></a>
Configure the file that will be used by <code class="constant">nss_ldap</code> to
locate and communicate with the LDAP server. This file is called <code class="filename">ldap.conf</code>.
If your implementation of <code class="constant">nss_ldap</code> is consistent with
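Review bot: the trailing period in '<code class="constant">massive.</code>' (the unchanged line directly after the repaired links) is inside the constant markup, so the host name renders as "massive." with the dot attached; move the period outside the element while this paragraph is being regenerated. The repaired cross-references themselves look right: the '???' placeholders become the chapter titles and the href targets are unchanged.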
@@ -316,7 +316,7 @@
the resolution of user and group IDs via NSS.
</p><p>
Change the parameters inside the file that is located on your OS so it matches
- <a href="unixclients.html#ch9-sdmlcnf" title="Example 7.3. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a>. To find the correct location of this file, you
+ <a class="link" href="unixclients.html#ch9-sdmlcnf" title="Example 7.3. Configuration File for NSS LDAP Support /etc/ldap.conf">&#8220;Configuration File for NSS LDAP Support /etc/ldap.conf&#8221;</a>. To find the correct location of this file, you
can obtain this from the library that will be used by executing the following:
</p><pre class="screen">
<code class="prompt">root# </code> strings /lib/libnss_ldap* | grep ldap.conf
@@ -324,10 +324,10 @@
</pre><p>
</p></li><li><p>
Configure the NSS control file so it matches the one shown in
- <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>.
+ <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">&#8220;NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf&#8221;</a>.
</p></li><li><p>
- <a class="indexterm" name="id361920"></a>
- <a class="indexterm" name="id361927"></a>
+ <a class="indexterm" name="id2612932"></a>
+ <a class="indexterm" name="id2612939"></a>
Before proceeding to configure Samba, validate the operation of the NSS identity
resolution via LDAP by executing:
</p><pre class="screen">
@@ -362,9 +362,9 @@ Finances:x:1001:
PIOps:x:1002:
sammy:x:4321:
</pre><p>
- <a class="indexterm" name="id361968"></a>
- <a class="indexterm" name="id361975"></a>
- <a class="indexterm" name="id361982"></a>
+ <a class="indexterm" name="id2613003"></a>
+ <a class="indexterm" name="id2613010"></a>
+ <a class="indexterm" name="id2613017"></a>
This shows that all is working as it should be. Notice that in the LDAP database
the users' primary and secondary group memberships are identical. It is not
necessary to add secondary group memberships (in the group database) if the
@@ -374,7 +374,7 @@ sammy:x:4321:
conditions. It is intended that these limitations with winbind will be resolved soon
after Samba-3.0.20 has been released.
</p></li><li><p>
- <a class="indexterm" name="id362001"></a>
+ <a class="indexterm" name="id2613040"></a>
The LDAP directory must have a container object for IDMAP data. There are several ways you can
check that your LDAP database is able to receive IDMAP information. One of the simplest is to
execute:
@@ -383,9 +383,9 @@ sammy:x:4321:
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
</pre><p>
- <a class="indexterm" name="id362021"></a>
+ <a class="indexterm" name="id2613063"></a>
If the execution of this command does not return IDMAP entries, you need to create an LDIF
- template file (see <a href="unixclients.html#ch9-ldifadd" title="Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using
+ template file (see <a class="link" href="unixclients.html#ch9-ldifadd" title="Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">&#8220;LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF&#8221;</a>). You can add the required entries using
the following command:
</p><pre class="screen">
<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
@@ -399,8 +399,8 @@ ou: idmap
<code class="prompt">root# </code> smbpasswd -w not24get
</pre><p>
</p></li><li><p>
- <a class="indexterm" name="id362080"></a>
- <a class="indexterm" name="id362092"></a>
+ <a class="indexterm" name="id2613128"></a>
+ <a class="indexterm" name="id2613139"></a>
The system is ready to join the domain. Execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -U root%not24get
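Review bot: the context lines 'smbpasswd -w not24get' and 'net rpc join -U root%not24get' pass the LDAP admin password and the domain root password on the command line, where they end up in shell history and are visible to other local users in the process list while the command runs. The hunk only renumbers ids, so this is pre-existing, but a sentence recommending that the '%password' part be omitted so that the tool prompts for it would be a cheap improvement to make at the DocBook source.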
@@ -418,10 +418,10 @@ Joined domain MEGANET2.
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -S 'pdc-name' -U administrator%password -d 5
</pre><p>
- <a class="indexterm" name="id362158"></a>
- <a class="indexterm" name="id362165"></a>
- <a class="indexterm" name="id362172"></a>
- <a class="indexterm" name="id362179"></a>
+ <a class="indexterm" name="id2613211"></a>
+ <a class="indexterm" name="id2613218"></a>
+ <a class="indexterm" name="id2613224"></a>
+ <a class="indexterm" name="id2613231"></a>
Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that
says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
@@ -449,7 +449,7 @@ NT_STATUS_ACCESS_DENIED
Join to 'MEGANET2' failed.
</pre><p>
</p></li><li><p>
- <a class="indexterm" name="id362231"></a>
+ <a class="indexterm" name="id2613293"></a>
Just joining the domain is not quite enough; you must now provide a privileged set
of credentials through which <code class="literal">winbindd</code> can interact with the
domain servers. Execute the following to implant the necessary credentials:
@@ -460,7 +460,7 @@ Join to 'MEGANET2' failed.
</p></li><li><p>
You may now start Samba in the usual manner, and your Samba domain member server
is ready for use. Just add shares as required.
- </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id362304"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id362316"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id362329"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id362341"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id362354"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id362366"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id362379"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id362392"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id362404"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id362417"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id362429"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id362442"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id362455"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a 
class="indexterm" name="id362467"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id362480"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id362493"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id362505"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id362518"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id362531"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id362544"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id362556"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id362569"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id362581"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id362594"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id362615"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id362628"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id362641"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id362653"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em 
class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id362675"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id362687"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id362700"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id362712"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id362725"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id362746"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id362759"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id362772"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id362784"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
+ </p></li></ol></div><div class="example"><a name="ch9-sdmsdc"></a><p class="title"><b>Example 7.1. Samba Domain Member in Samba Domain Using LDAP <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2613370"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2613382"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2613394"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2613406"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2613418"></a><em class="parameter"><code>log level = 10</code></em></td></tr><tr><td><a class="indexterm" name="id2613429"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2613441"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2613453"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2613464"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2613476"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2613488"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2613500"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2613512"></a><em class="parameter"><code>ldap suffix = 
dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2613524"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2613536"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2613548"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2613560"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2613572"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2613584"></a><em class="parameter"><code>idmap backend = ldap:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2613596"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2613608"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2613619"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2613632"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2613643"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2613664"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2613676"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2613687"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2613699"></a><em class="parameter"><code>browseable = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2613719"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2613731"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2613743"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2613754"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2613766"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2613787"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2613798"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2613810"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2613822"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch9-ldifadd"></a><p class="title"><b>Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: idmap
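Review bot: Example 7.1 sets 'log level = 10' with 'max log size = 50', whereas the otherwise parallel Example 7.5 further down uses 'log level = 1'; level 10 is a full-debug setting that fills '/var/log/samba/%m' quickly and records protocol detail that does not belong in a production log, so unless this example is deliberately a troubleshooting configuration it should be brought in line with Example 7.5. Only the generated ids change in this hunk, so the fix belongs in the DocBook source rather than in the generated HTML.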
@@ -507,18 +507,18 @@ aliases: files
</p></li><li><p>
The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
</p></li></ul></div><p>
- <a class="indexterm" name="id362905"></a>
- <a class="indexterm" name="id362912"></a>
- <a class="indexterm" name="id362918"></a>
+ <a class="indexterm" name="id2613954"></a>
+ <a class="indexterm" name="id2613960"></a>
+ <a class="indexterm" name="id2613967"></a>
Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
domain and/or does not use LDAP.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- <a class="indexterm" name="id362932"></a>
+ <a class="indexterm" name="id2613982"></a>
If you use <code class="literal">winbind</code> for identity resolution, make sure that there are no
duplicate accounts.
</p><p>
- <a class="indexterm" name="id362948"></a>
+ <a class="indexterm" name="id2614000"></a>
For example, do not have more than one account that has UID=0 in the password database. If there
is an account called <code class="constant">root</code> in the <code class="filename">/etc/passwd</code> database,
it is okay to have an account called <code class="constant">root</code> in the LDAP ldapsam or in the
@@ -526,32 +526,32 @@ aliases: files
break. This means that the <code class="constant">Administrator</code> account must be called
<code class="constant">root</code>.
</p><p>
- <a class="indexterm" name="id362982"></a>
- <a class="indexterm" name="id362989"></a>
- <a class="indexterm" name="id362996"></a>
+ <a class="indexterm" name="id2614037"></a>
+ <a class="indexterm" name="id2614043"></a>
+ <a class="indexterm" name="id2614050"></a>
Winbind will break if there is an account in <code class="filename">/etc/passwd</code> that has
the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
</p></div><p>
- <a class="indexterm" name="id363013"></a>
- <a class="indexterm" name="id363020"></a>
- <a class="indexterm" name="id363026"></a>
- <a class="indexterm" name="id363033"></a>
- <a class="indexterm" name="id363042"></a>
+ <a class="indexterm" name="id2614069"></a>
+ <a class="indexterm" name="id2614076"></a>
+ <a class="indexterm" name="id2614082"></a>
+ <a class="indexterm" name="id2614089"></a>
+ <a class="indexterm" name="id2614098"></a>
The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
The winbind information is locally cached in the <code class="filename">winbindd_cache.tdb winbindd_idmap.tdb</code>
files. This provides considerable performance benefits compared with the LDAP solution, particularly
where the LDAP lookups must traverse WAN links. You may examine the contents of these
files using the tool <code class="literal">tdbdump</code>, though you may have to build this from the Samba
source code if it has not been supplied as part of a binary package distribution that you may be using.
- </p><div class="procedure"><a name="id363067"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p>
+ </p><div class="procedure"><a name="id2614128"></a><p class="title"><b>Procedure 7.2. Configuration of Winbind-Based Identity Resolution</b></p><ol type="1"><li><p>
Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
- shown in <a href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">???</a>.
+ shown in <a class="link" href="unixclients.html#ch0-NT4DSDM" title="Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain">&#8220;Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain&#8221;</a>.
</p></li><li><p>
- <a class="indexterm" name="id363098"></a>
+ <a class="indexterm" name="id2614160"></a>
Edit the <code class="filename">/etc/nsswitch.conf</code> so it has the entries shown in
- <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>.
+ <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">&#8220;NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf&#8221;</a>.
</p></li><li><p>
- <a class="indexterm" name="id363123"></a>
+ <a class="indexterm" name="id2614186"></a>
The system is ready to join the domain. Execute the following:
</p><pre class="screen">
net rpc join -U root%not2g4et
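Review bot: the context line 'net rpc join -U root%not2g4et' uses a password that differs from the 'not24get' used for the same root account in Procedure 7.1; this reads as a typo in the source and, since this paragraph is being regenerated anyway, should be corrected at the DocBook source so that both procedures agree. The cross-reference repairs in this hunk (Examples 7.4 and 7.5) are consistent with the earlier hunks.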
@@ -560,8 +560,8 @@ Joined domain MEGANET2.
This indicates that the domain join succeed.
</p></li><li><p>
- <a class="indexterm" name="id363148"></a>
- <a class="indexterm" name="id363155"></a>
+ <a class="indexterm" name="id2614213"></a>
+ <a class="indexterm" name="id2614220"></a>
Validate operation of <code class="literal">winbind</code> using the <code class="literal">wbinfo</code>
tool as follows:
</p><pre class="screen">
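Review bot: the context line "This indicates that the domain join succeed." needs "succeeded"; the generated HTML inherits the error from the DocBook source, so the fix belongs there rather than in this file.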
@@ -588,9 +588,9 @@ MEGANET2+PIOps
</pre><p>
This shows that domain groups have been correctly obtained also.
</p></li><li><p>
- <a class="indexterm" name="id363207"></a>
- <a class="indexterm" name="id363213"></a>
- <a class="indexterm" name="id363220"></a>
+ <a class="indexterm" name="id2614276"></a>
+ <a class="indexterm" name="id2614282"></a>
+ <a class="indexterm" name="id2614289"></a>
The next step verifies that NSS is able to obtain this information
correctly from <code class="literal">winbind</code> also.
</p><pre class="screen">
@@ -631,7 +631,7 @@ MEGANET2+PIOps:x:10005:
</pre><p>
</p></li><li><p>
The Samba member server of a Windows NT4 domain is ready for use.
- </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id363316"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id363329"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id363341"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id363354"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id363366"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id363379"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id363392"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id363404"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id363417"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id363429"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id363442"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id363454"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id363467"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a 
class="indexterm" name="id363480"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id363492"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id363505"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id363518"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id363530"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id363543"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id363555"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id363577"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id363590"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id363602"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id363615"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id363636"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id363649"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id363661"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id363674"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a 
class="indexterm" name="id363686"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id363708"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id363720"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id363733"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id363746"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
+ </p></li></ol></div><div class="example"><a name="ch0-NT4DSDM"></a><p class="title"><b>Example 7.5. Samba Domain Member Server Using Winbind <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2614400"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2614412"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2614424"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2614435"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2614447"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2614459"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2614470"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2614482"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2614494"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2614505"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2614518"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2614529"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2614541"></a><em class="parameter"><code>idmap uid = 
10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2614553"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2614565"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2614577"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2614589"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2614601"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2614612"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2614624"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2614645"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2614657"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2614668"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2614680"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2614700"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2614712"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2614724"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2614736"></a><em 
class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2614747"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2614768"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2614779"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2614791"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2614803"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="dcwonss"></a>NT4/Samba Domain with Samba Domain Member Server without NSS Support</h3></div></div></div><p>
No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating
system that does not have NSS and PAM support to be outdated, the fact is there
are still many such systems in use today. Samba can be used without NSS support, but this
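Review bot: Anchor-name churn is the only difference between the removed and re-added Example 7.5 (the old id36xxxx series becomes id2614400, id2614412, and so on), which is what turns a stylesheet regeneration into a 296-line rewrite of this file and also breaks any external bookmark to the old anchors. Give the index terms stable ids in the DocBook source (the example itself already has one, ch0-NT4DSDM) or stop committing the generated HTML, so that a diff of this file shows content changes only. The context sentence that follows, 'believe that a UNIX operating system that does not have NSS and PAM support to be outdated', does not parse; it should read 'consider ... to be outdated' or 'believe ... is outdated', fixed in the XML source rather than in this output.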
@@ -642,10 +642,10 @@ MEGANET2+PIOps:x:10005:
to the Samba server will cause the look-up of the incoming username. If the account
is found, it is used. If the account is not found, one will be automatically created
on the local machine so that it can then be used for all access controls.
- </p><div class="procedure"><a name="id363783"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p>
+ </p><div class="procedure"><a name="id2614847"></a><p class="title"><b>Procedure 7.3. Configuration Using Local Accounts Only</b></p><ol type="1"><li><p>
Using your favorite text editor, create the <code class="filename">smb.conf</code> file so it has the contents
- shown in <a href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">???</a>.
- </p></li><li><p><a class="indexterm" name="id363814"></a>
+ shown in <a class="link" href="unixclients.html#ch0-NT4DSCM" title="Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain">&#8220;Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain&#8221;</a>.
+ </p></li><li><p><a class="indexterm" name="id2614879"></a>
The system is ready to join the domain. Execute the following:
</p><pre class="screen">
net rpc join -U root%not24get
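Review bot: The join command in this hunk, 'net rpc join -U root%not24get', places the domain administrator password on the command line, where it is visible in the process list to every local user and is kept in the shell history. The step should show 'net rpc join -U root' and let the tool prompt for the password, or at least state that the %password form is for illustration only and must not be used on a shared machine.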
@@ -656,10 +656,10 @@ Joined domain MEGANET2.
Be sure to run all three Samba daemons: <code class="literal">smbd</code>, <code class="literal">nmbd</code>, <code class="literal">winbindd</code>.
</p></li><li><p>
The Samba member server of a Windows NT4 domain is ready for use.
- </p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id363899"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id363912"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id363924"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id363937"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id363950"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id363962"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id363975"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id363987"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id364000"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id364013"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id364026"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id364038"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id364051"></a><em 
class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id364063"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id364076"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id364089"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id364101"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id364114"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id364127"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id364148"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id364161"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id364173"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id364186"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id364207"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id364220"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id364232"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id364245"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id364258"></a><em 
class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id364279"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id364292"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id364304"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id364317"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
- <a class="indexterm" name="id364343"></a>
- <a class="indexterm" name="id364352"></a>
- <a class="indexterm" name="id364359"></a>
+ </p></li></ol></div><div class="example"><a name="ch0-NT4DSCM"></a><p class="title"><b>Example 7.6. Samba Domain Member Server Using Local Accounts <code class="filename">smb.conf</code> File for NT4 Domain</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2614967"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2614979"></a><em class="parameter"><code>workgroup = MEGANET3</code></em></td></tr><tr><td><a class="indexterm" name="id2614991"></a><em class="parameter"><code>netbios name = BSDBOX</code></em></td></tr><tr><td><a class="indexterm" name="id2615003"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2615014"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2615026"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2615038"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2615050"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2615062"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -M '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2615074"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2615086"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2615098"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2615110"></a><em 
class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2615121"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2615133"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2615145"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2615157"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2615169"></a><em class="parameter"><code>hosts allow = 192.168.2., 192.168.3., 127.</code></em></td></tr><tr><td><a class="indexterm" name="id2615181"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2615201"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2615213"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2615225"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2615236"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2615257"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2615269"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2615280"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2615292"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2615304"></a><em 
class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2615324"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2615336"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2615348"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2615360"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adssdm"></a>Active Directory Domain with Samba Domain Member Server</h3></div></div></div><p>
+ <a class="indexterm" name="id2615385"></a>
+ <a class="indexterm" name="id2615394"></a>
+ <a class="indexterm" name="id2615401"></a>
One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
domain using Kerberos protocols. This makes it possible to operate an entire Windows network
without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An
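Review bot: In the re-added Example 7.6, 'add machine script = /usr/sbin/useradd -M '%u'' creates machine trust accounts with the system's default login shell and primary group, and 'add user script = /usr/sbin/useradd -m '%u'' does the same for every domain user on first access; since the surrounding text says these local accounts are then used 'for all access controls', the example should pass -s /bin/false (and a dedicated group) for machine accounts so they can never be used for interactive login, or the text should explain why the defaults are acceptable. Apart from that, the removed and re-added copies of the example are identical except for the generated id values.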
@@ -667,11 +667,11 @@ Joined domain MEGANET2.
later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate
in. For now, we simply focus on how a Samba-3 server can be made a domain member server.
</p><p>
- <a class="indexterm" name="id364376"></a>
- <a class="indexterm" name="id364383"></a>
- <a class="indexterm" name="id364390"></a>
- <a class="indexterm" name="id364396"></a>
- The diagram in <a href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">???</a> demonstrates how Samba-3 interfaces with
+ <a class="indexterm" name="id2615423"></a>
+ <a class="indexterm" name="id2615430"></a>
+ <a class="indexterm" name="id2615437"></a>
+ <a class="indexterm" name="id2615444"></a>
+ The diagram in <a class="link" href="unixclients.html#ch9-adsdc" title="Figure 7.3. Active Directory Domain: Samba Member Server">&#8220;Active Directory Domain: Samba Member Server&#8221;</a> demonstrates how Samba-3 interfaces with
Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP
for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend.
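Review bot: Both '???' replacements so far (Example 7.6 above, Figure 7.3 here) show that the previous build had unresolved cross-references, so before merging, grep the regenerated output for any remaining '???' and for link hrefs whose target anchors no longer exist after the id renumbering; a reference from another chapter to one of the old id36xxxx anchors would be broken silently by this change, with no build error to flag it.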
@@ -694,8 +694,8 @@ Joined domain MEGANET2.
name of the server is <code class="constant">W2K3S</code>. In ADS realm terms, the domain controller
is known as <code class="constant">w2k3s.london.abmas.biz</code>. In NetBIOS nomenclature, the
domain name is <code class="constant">LONDON</code> and the server name is <code class="constant">W2K3S</code>.
- </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id364496"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p>
- <a class="indexterm" name="id364507"></a>
+ </p><div class="figure"><a name="ch9-adsdc"></a><p class="title"><b>Figure 7.3. Active Directory Domain: Samba Member Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap9-ADSDC.png" width="324" alt="Active Directory Domain: Samba Member Server"></div></div></div><br class="figure-break"><div class="procedure"><a name="id2615557"></a><p class="title"><b>Procedure 7.4. Joining a Samba Server as an ADS Domain Member</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2615569"></a>
Before you try to use Samba-3, you want to know for certain that your executables have
support for Kerberos and for LDAP. Execute the following to identify whether or
not this build is perhaps suitable for use:
@@ -762,15 +762,15 @@ massive:/usr/sbin # smbd -b | grep LDAP
This does look promising; <code class="literal">smbd</code> has been built with Kerberos and LDAP
support. You are relieved to know that it is safe to progress.
</p></li><li><p>
- <a class="indexterm" name="id364589"></a>
- <a class="indexterm" name="id364598"></a>
- <a class="indexterm" name="id364605"></a>
- <a class="indexterm" name="id364612"></a>
- <a class="indexterm" name="id364621"></a>
- <a class="indexterm" name="id364630"></a>
- <a class="indexterm" name="id364637"></a>
- <a class="indexterm" name="id364644"></a>
- <a class="indexterm" name="id364651"></a>
+ <a class="indexterm" name="id2615668"></a>
+ <a class="indexterm" name="id2615677"></a>
+ <a class="indexterm" name="id2615684"></a>
+ <a class="indexterm" name="id2615691"></a>
+ <a class="indexterm" name="id2615700"></a>
+ <a class="indexterm" name="id2615710"></a>
+ <a class="indexterm" name="id2615716"></a>
+ <a class="indexterm" name="id2615723"></a>
+ <a class="indexterm" name="id2615730"></a>
The next step is to identify which version of the Kerberos libraries have been used.
In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is
essential that it has been linked with either MIT Kerberos version 1.3.1 or later,
@@ -786,7 +786,7 @@ massive:/usr/sbin # smbd -b | grep LDAP
</pre><p>
Please note that the RPMs provided by the Samba-Team are known to be working and have
been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE
- Linux RPMs may be obtained from <a href="ftp://ftp.sernet.de" target="_top">Sernet</a> in
+ Linux RPMs may be obtained from <a class="ulink" href="ftp://ftp.sernet.de" target="_top">Sernet</a> in
Germany.
</p><p>
From this point on, you are certain that the Samba-3 build you are using has the
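Review bot: The Sernet link in this hunk sends readers to an FTP download of binary RPMs without a word about verifying them; FTP provides no integrity or origin guarantee, so the sentence should tell readers to check the package signature (rpm --checksig against the vendor's published key) before installing, particularly for a package that will end up holding the domain trust secret. The class="ulink" change itself is plain stylesheet output and needs no action.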
@@ -794,11 +794,11 @@ massive:/usr/sbin # smbd -b | grep LDAP
</p></li><li><p>
Using you favorite editor, configure the <code class="filename">smb.conf</code> file that is located in the
<code class="filename">/etc/samba</code> directory so that it has the contents shown
- in <a href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">???</a>.
+ in <a class="link" href="unixclients.html#ch9-adssdm" title="Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership">&#8220;Samba Domain Member smb.conf File for Active Directory Membership&#8221;</a>.
</p></li><li><p>
- Edit or create the NSS control file so it has the contents shown in <a href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">???</a>.
+ Edit or create the NSS control file so it has the contents shown in <a class="link" href="unixclients.html#ch9-sdmnss" title="Example 7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf">&#8220;NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf&#8221;</a>.
</p></li><li><p>
- <a class="indexterm" name="id364743"></a>
+ <a class="indexterm" name="id2615832"></a>
Delete the file <code class="filename">/etc/samba/secrets.tdb</code> if it exists. Of course, you
do keep a backup, don't you?
</p></li><li><p>
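Review bot: The context line 'Using you favorite editor' should read 'Using your favorite editor'; fix it in the DocBook source so the next regeneration does not reintroduce it. In the same hunk, the step that deletes /etc/samba/secrets.tdb asks the reader to keep a backup without saying what the file holds: the machine trust account password and, on LDAP-backed servers, the LDAP administrative credential. The backup must keep the same root-only 0600 permissions as the original, otherwise it becomes the easiest place on the host to read the domain secret.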
@@ -809,7 +809,7 @@ massive:/usr/sbin # smbd -b | grep LDAP
<code class="prompt">root# </code> rm /var/lib/samba/*tdb
</pre><p>
</p></li><li><p>
- <a class="indexterm" name="id364783"></a>
+ <a class="indexterm" name="id2615876"></a>
Validate your <code class="filename">smb.conf</code> file using <code class="literal">testparm</code> (as you have
done previously). Correct all errors reported before proceeding. The command you
execute is:
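Review bot: 'rm /var/lib/samba/*tdb' in this hunk removes every tdb in the directory, including winbindd_idmap.tdb when that directory is the build's lock directory, which discards all existing SID-to-UID/GID allocations. That is harmless on the freshly installed member server the procedure assumes, but the text should say so explicitly, so that nobody runs the step on a server that already holds files owned by mapped domain users.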
@@ -819,8 +819,8 @@ massive:/usr/sbin # smbd -b | grep LDAP
Now that you are satisfied that your Samba server is ready to join the Windows
ADS domain, let's move on.
</p></li><li><p>
- <a class="indexterm" name="id364822"></a>
- <a class="indexterm" name="id364833"></a>
+ <a class="indexterm" name="id2615917"></a>
+ <a class="indexterm" name="id2615928"></a>
This is a good time to double-check everything and then execute the following
command when everything you have done has checked out okay:
</p><pre class="screen">
@@ -831,17 +831,17 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
You have successfully made your Samba-3 server a member of the ADS domain
using Kerberos protocols.
</p><p>
- <a class="indexterm" name="id364858"></a>
- <a class="indexterm" name="id364864"></a>
+ <a class="indexterm" name="id2615956"></a>
+ <a class="indexterm" name="id2615963"></a>
In the event that you receive no output messages, a silent return means that the
domain join failed. You should use <code class="literal">ethereal</code> to identify what
may be failing. Common causes of a failed join include:
</p><div class="itemizedlist"><ul type="disc"><li><p>
- <a class="indexterm" name="id364884"></a>
+ <a class="indexterm" name="id2615984"></a>
Defective or misconfigured DNS name resolution.
</p></li><li><p>
- <a class="indexterm" name="id364898"></a>
+ <a class="indexterm" name="id2615999"></a>
Restrictive security settings on the Windows 200x ADS domain controller
preventing needed communications protocols. You can check this by searching
the Windows Server 200x Event Viewer.
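Review bot: 'a silent return means that the domain join failed' (context lines at the top of this hunk) is a weak success criterion; the text should have the reader check the command's exit status and then run 'net ads testjoin', which reports whether the machine trust account actually works, before reaching for a packet capture. The capture tool named here, ethereal, has since been renamed Wireshark, so the source should be updated at the same time.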
@@ -853,16 +853,16 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
functionality.
</p></li></ul></div><p>
- <a class="indexterm" name="id364926"></a>
- <a class="indexterm" name="id364937"></a>
- <a class="indexterm" name="id364943"></a>
+ <a class="indexterm" name="id2616030"></a>
+ <a class="indexterm" name="id2616041"></a>
+ <a class="indexterm" name="id2616048"></a>
In any case, never execute the <code class="literal">net rpc join</code> command in an attempt
to join the Samba server to the domain, unless you wish not to use the Kerberos
security protocols. Use of the older RPC-based domain join facility requires that
Windows Server 200x ADS has been configured appropriately for mixed mode operation.
</p></li><li><p>
- <a class="indexterm" name="id364965"></a>
- <a class="indexterm" name="id364972"></a>
+ <a class="indexterm" name="id2616073"></a>
+ <a class="indexterm" name="id2616080"></a>
If the <code class="literal">tdbdump</code> is installed on your system (not essential),
you can look inside the <code class="filename">/etc/samba/secrets.tdb</code> file. If
you wish to do this, execute:
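Review bot: 'If the tdbdump is installed' should read 'If tdbdump is installed' (source fix). More importantly, this step has the reader dump /etc/samba/secrets.tdb, whose records include the machine trust account password; the text should warn that the dump is as sensitive as the file itself and must not be pasted into tickets, chat transcripts or the book's own examples beyond a truncated excerpt. The advice not to use 'net rpc join' against ADS is worth keeping as written: it would quietly downgrade the join to the NT4-style RPC path instead of Kerberos.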
@@ -893,7 +893,7 @@ data = "E\89\F6?"
It is now time to start Samba in the usual way (as has been done many time before
in this book).
</p></li><li><p>
- <a class="indexterm" name="id365022"></a>
+ <a class="indexterm" name="id2616137"></a>
This is a good time to verify that everything is working. First, check that
winbind is able to obtain the list of users and groups from the ADS domain controller.
Execute the following:
@@ -919,7 +919,7 @@ LONDON+Group Policy Creator Owners
LONDON+DnsUpdateProxy
</pre><p>
Excellent. That worked also, as expected.
- </p></li><li><p><a class="indexterm" name="id365063"></a>
+ </p></li><li><p><a class="indexterm" name="id2616183"></a>
Now repeat this via NSS to validate that full identity resolution is
functional as required. Execute:
</p><pre class="screen">
@@ -952,9 +952,9 @@ LONDON+DnsUpdateProxy:x:10008:
</pre><p>
This is very pleasing. Everything works as expected.
</p></li><li><p>
- <a class="indexterm" name="id365111"></a>
- <a class="indexterm" name="id365122"></a>
- <a class="indexterm" name="id365131"></a>
+ <a class="indexterm" name="id2616240"></a>
+ <a class="indexterm" name="id2616252"></a>
+ <a class="indexterm" name="id2616261"></a>
You may now perform final verification that communications between Samba-3 winbind and
the Active Directory server is using Kerberos protocols. Execute the following:
</p><pre class="screen">
@@ -972,7 +972,7 @@ Server time offset: 2
keep all server time clocks synchronized using the network time protocol (NTP).
In any case, the output we obtained confirms that all systems are operational.
</p></li><li><p>
- <a class="indexterm" name="id365161"></a>
+ <a class="indexterm" name="id2616297"></a>
There is one more action you elect to take, just because you are paranoid and disbelieving,
so you execute the following command:
</p><pre class="programlisting">
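Review bot: The NTP recommendation in this hunk's context lines should also give the reason: Kerberos rejects tickets when client and KDC clocks differ by more than the permitted skew (five minutes by default in both MIT and Heimdal), so an unsynchronized member server fails 'net ads join' and winbind authentication outright rather than merely reporting an offset; the 'Server time offset: 2' shown in the hunk header is comfortably inside that window.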
@@ -1142,21 +1142,21 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
</pre><p>
Now all is revealed. Your curiosity, as well as that of your team, has been put at ease.
May this server serve well all who happen upon it.
- </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id365315"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id365328"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id365340"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id365353"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id365366"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id365378"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id365391"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id365403"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id365416"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id365428"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id365441"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id365454"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id365466"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" 
name="id365479"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id365491"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id365504"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id365516"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id365529"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id365550"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id365563"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id365576"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id365588"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id365610"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id365622"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id365635"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365647"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id365660"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id365681"></a><em class="parameter"><code>comment = Printer 
Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id365694"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id365707"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id365719"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id365733"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
- <a class="indexterm" name="id365741"></a>
- <a class="indexterm" name="id365748"></a>
- <a class="indexterm" name="id365754"></a>
- <a class="indexterm" name="id365761"></a>
+ </p><div class="example"><a name="ch9-adssdm"></a><p class="title"><b>Example 7.7. Samba Domain Member <code class="filename">smb.conf</code> File for Active Directory Membership</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2616518"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2616530"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id2616541"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2616553"></a><em class="parameter"><code>server string = Samba 3.0.20</code></em></td></tr><tr><td><a class="indexterm" name="id2616565"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2616577"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2616589"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2616600"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2616612"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2616624"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2616635"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2616647"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2616659"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" 
name="id2616671"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2616682"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2616695"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2616706"></a><em class="parameter"><code>winbind separator = +</code></em></td></tr><tr><td><a class="indexterm" name="id2616718"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2616739"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2616751"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2616762"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2616774"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2616794"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2616806"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2616818"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2616829"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2616841"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2616862"></a><em class="parameter"><code>comment 
= Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2616873"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2616885"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2616897"></a><em class="parameter"><code>write list = root</code></em></td></tr></table></div></div><br class="example-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2616910"></a>IDMAP_RID with Winbind</h4></div></div></div><p>
+ <a class="indexterm" name="id2616918"></a>
+ <a class="indexterm" name="id2616924"></a>
+ <a class="indexterm" name="id2616931"></a>
+ <a class="indexterm" name="id2616938"></a>
The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a
predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
in a central place. The downside is that it can be used only within a single ADS domain and
is not compatible with trusted domain implementations.
</p><p>
- <a class="indexterm" name="id365780"></a>
- <a class="indexterm" name="id365787"></a>
- <a class="indexterm" name="id365794"></a>
- <a class="indexterm" name="id365800"></a>
+ <a class="indexterm" name="id2616961"></a>
+ <a class="indexterm" name="id2616968"></a>
+ <a class="indexterm" name="id2616975"></a>
+ <a class="indexterm" name="id2616982"></a>
This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid
plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
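Review bot: this hunk is pure anchor renumbering (`<a class="indexterm" name="id365780">` becoming `name="id2616961">` and so on) with no reader-visible change, which makes regenerated-HTML commits like this one hard to review; the smb.conf example and the idmap_rid prose around the renumbered anchors are untouched context. Consider committing regenerated output only when the DocBook source has changed, or giving index terms and section headings stable ids in the source, so that the few real fixes in this diff are not buried under thousands of renamed anchors.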
@@ -1164,18 +1164,18 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and
<em class="parameter"><code>idmap gid</code></em> ranges must be specified.
</p><p>
- <a class="indexterm" name="id365830"></a>
- <a class="indexterm" name="id365836"></a>
+ <a class="indexterm" name="id2617014"></a>
+ <a class="indexterm" name="id2617021"></a>
The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory.
To use this with an NT4 domain, the <em class="parameter"><code>realm</code></em> is not used. Additionally the
method used to join the domain uses the <code class="constant">net rpc join</code> process.
</p><p>
- An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">???</a>.
- </p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id365908"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id365921"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id365933"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id365946"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id365958"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id365971"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id365984"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id365996"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id366009"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id366022"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id366034"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id366047"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id366060"></a><em class="parameter"><code>winbind enum groups = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id366072"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id366085"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id366101"></a>
- <a class="indexterm" name="id366108"></a>
- <a class="indexterm" name="id366115"></a>
- <a class="indexterm" name="id366121"></a>
+ An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a class="link" href="unixclients.html#sbe-idmapridex" title="Example 7.8. Example smb.conf File Using idmap_rid">&#8220;Example smb.conf File Using idmap_rid&#8221;</a>.
+ </p><div class="example"><a name="sbe-idmapridex"></a><p class="title"><b>Example 7.8. Example <code class="filename">smb.conf</code> File Using <code class="constant">idmap_rid</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2617095"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2617107"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2617119"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2617131"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2617143"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2617154"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2617166"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2617178"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2617190"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2617202"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2617214"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2617226"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2617238"></a><em class="parameter"><code>winbind enum 
groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2617250"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2617262"></a><em class="parameter"><code>printer admin = "KPAK\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id2617277"></a>
+ <a class="indexterm" name="id2617284"></a>
+ <a class="indexterm" name="id2617291"></a>
+ <a class="indexterm" name="id2617298"></a>
In a large domain with many users, it is imperative to disable enumeration of users and groups.
For example, at a site that has 22,000 users in Active Directory the winbind-based user and
group resolution is unavailable for nearly 12 minutes following first start-up of
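Review bot: the one user-visible fix in this hunk is the cross-reference `An example <code class="filename">smb.conf</code> file for an ADS domain environment is shown in <a href="unixclients.html#sbe-idmapridex" ...>???</a>.`, which the old stylesheet left as the unresolved `???` placeholder and the new build renders as the example title; the commit message should say so, because the surrounding id renumbering (`id365908` to `id2617095` and friends) hides it. The example itself is unchanged: it still sets `idmap backend = idmap_rid:KPAK=500-100000000` with matching `idmap uid`/`idmap gid` ranges and `allow trusted domains = No`, which is consistent with the prose stating that idmap_rid works only within a single domain and is incompatible with trusted domains.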
@@ -1185,8 +1185,8 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
commands. It will be possible to perform the lookup for individual users, as shown in the procedure
below.
</p><p>
- <a class="indexterm" name="id366154"></a>
- <a class="indexterm" name="id366161"></a>
+ <a class="indexterm" name="id2617336"></a>
+ <a class="indexterm" name="id2617343"></a>
The use of this tool requires configuration of NSS as per the native use of winbind. Edit the
<code class="filename">/etc/nsswitch.conf</code> so it has the following parameters:
</p><pre class="screen">
@@ -1212,7 +1212,7 @@ Using short domain name -- KPAK
Joined 'BIGJOE' to realm 'CORP.KPAK.COM'
</pre><p>
</p><p>
- <a class="indexterm" name="id366236"></a>
+ <a class="indexterm" name="id2617424"></a>
An invalid or failed join can be detected by executing:
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
@@ -1228,30 +1228,30 @@ Join to domain is not valid
Start the <code class="literal">nmbd</code>, <code class="literal">winbind,</code> and <code class="literal">smbd</code> daemons in the order shown.
</p></li><li><p>
Validate the operation of this configuration by executing:
- <a class="indexterm" name="id366298"></a>
+ <a class="indexterm" name="id2617492"></a>
</p><pre class="screen">
<code class="prompt">root# </code> getent passwd administrator
administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</pre><p>
- </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366318"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
- <a class="indexterm" name="id366326"></a>
- <a class="indexterm" name="id366333"></a>
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2617513"></a>IDMAP Storage in LDAP using Winbind</h4></div></div></div><p>
+ <a class="indexterm" name="id2617522"></a>
+ <a class="indexterm" name="id2617528"></a>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as
with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant
LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
</p><p>
- The example in <a href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">???</a> is for an ADS-style domain.
- </p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id366387"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id366400"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id366412"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id366425"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id366437"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id366450"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id366463"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id366476"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id366488"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id366501"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id366514"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id366526"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id366539"></a><em class="parameter"><code>template shell = 
/bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id366552"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id366568"></a>
+ The example in <a class="link" href="unixclients.html#sbeunxa" title="Example 7.9. Typical ADS Style Domain smb.conf File">&#8220;Typical ADS Style Domain smb.conf File&#8221;</a> is for an ADS-style domain.
+ </p><div class="example"><a name="sbeunxa"></a><p class="title"><b>Example 7.9. Typical ADS Style Domain <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2617588"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2617600"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2617612"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2617623"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2617635"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2617647"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2617659"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2617671"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2617683"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2617695"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2617707"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2617719"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2617731"></a><em 
class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2617743"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id2617758"></a>
In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the
command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates
advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in
&#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide, Second Edition</span>&#8221; (TOSHARG2).
</p><p>
- <a class="indexterm" name="id366596"></a>
- <a class="indexterm" name="id366603"></a>
- <a class="indexterm" name="id366610"></a>
+ <a class="indexterm" name="id2617789"></a>
+ <a class="indexterm" name="id2617796"></a>
+ <a class="indexterm" name="id2617803"></a>
Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code>
file so it has the following contents:
</p><pre class="screen">
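Review bot: the context line `Start the <code class="literal">nmbd</code>, <code class="literal">winbind,</code> and <code class="literal">smbd</code> daemons` has the comma inside the `<code>` element for winbind; the same sentence in a later hunk of this diff (`<code class="literal">winbind</code>, and`) has it right, so the DocBook source for this step should be corrected in a follow-up rather than waiting for the next regeneration. The regenerated text also resolves the former `???` placeholder to the title of Example 7.9; that example keeps `log level = 1 ads:10 auth:10 sam:10 rpc:10`, which the prose after it presents as an error-reporting technique, and a sentence stating that these debug levels are for diagnosing the join and should be lowered again afterwards would make the example safer to copy as-is.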
@@ -1306,9 +1306,9 @@ hosts: files wins
...
</pre><p>
</p><p>
- <a class="indexterm" name="id366682"></a>
- <a class="indexterm" name="id366689"></a>
- You will need the <a href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
+ <a class="indexterm" name="id2617887"></a>
+ <a class="indexterm" name="id2617894"></a>
+ You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code>
tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has
the information needed. The following is an example of a working file:
</p><pre class="screen">
@@ -1370,20 +1370,20 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</p></li><li><p>
Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown.
</p></li></ol></div><p>
- <a class="indexterm" name="id366872"></a>
+ <a class="indexterm" name="id2618094"></a>
Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join.
In many cases a failure is indicated by a silent return to the command prompt with no indication of the
reason for failure.
- </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id366884"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
- <a class="indexterm" name="id366892"></a>
- <a class="indexterm" name="id366898"></a>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2618108"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h4></div></div></div><p>
+ <a class="indexterm" name="id2618116"></a>
+ <a class="indexterm" name="id2618123"></a>
The use of this method is messy. The information provided in this section is for guidance only
and is very definitely not complete. This method does work; it is used in a number of large sites
and has an acceptable level of performance.
</p><p>
- An example <code class="filename">smb.conf</code> file is shown in <a href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">???</a>.
- </p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id366957"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id366970"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id366982"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id366995"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id367008"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id367020"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id367033"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id367046"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id367058"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id367071"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id367084"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
- <a class="indexterm" name="id367100"></a>
+ An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="unixclients.html#sbewinbindex" title="Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File">&#8220;ADS Membership Using RFC2307bis Identity Resolution smb.conf File&#8221;</a>.
+ </p><div class="example"><a name="sbewinbindex"></a><p class="title"><b>Example 7.10. ADS Membership Using RFC2307bis Identity Resolution <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2618186"></a><em class="parameter"><code>workgroup = BUBBAH</code></em></td></tr><tr><td><a class="indexterm" name="id2618198"></a><em class="parameter"><code>netbios name = MADMAX</code></em></td></tr><tr><td><a class="indexterm" name="id2618210"></a><em class="parameter"><code>realm = BUBBAH.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2618221"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2618233"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2618245"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2618257"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2618268"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2618280"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2618292"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2618305"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>
+ <a class="indexterm" name="id2618320"></a>
The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the
following:
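Review bot: the `???` placeholder before Example 7.10 is now rendered as the example title, which is the only reader-visible change in this hunk. The example itself still contains no `idmap backend` parameter at all (only `idmap uid`, `idmap gid`, `template shell`, `winbind use default domain`, `winbind trusted domains only` and `winbind nested groups`), even though the prose above it concedes the section is for guidance only and not complete; since this regeneration touches the example's anchors anyway, a follow-up to the DocBook source should either state which idmap backend this RFC2307bis method expects or say explicitly that the parameter is intentionally left out.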
@@ -1392,7 +1392,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
make install
</pre><p>
</p><p>
- <a class="indexterm" name="id367118"></a>
+ <a class="indexterm" name="id2618340"></a>
The following <code class="filename">/etc/nsswitch.conf</code> file contents are required:
</p><pre class="screen">
...
@@ -1404,30 +1404,30 @@ hosts: files wins
...
</pre><p>
</p><p>
- <a class="indexterm" name="id367141"></a>
- <a class="indexterm" name="id367147"></a>
+ <a class="indexterm" name="id2618365"></a>
+ <a class="indexterm" name="id2618372"></a>
The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation
and source code for nss_ldap instructions.
</p><p>
The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
part of this chapter.
- </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id367167"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
- <a class="indexterm" name="id367175"></a>
+ </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2618394"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h5></div></div></div><p>
+ <a class="indexterm" name="id2618402"></a>
The Microsoft Windows Service for UNIX version 3.5 is available for free
- <a href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
+ <a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a>
from the Microsoft Web site. You will need to download this tool and install it following
Microsoft instructions.
- </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id367192"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
+ </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2618422"></a>IDMAP, Active Directory, and AD4UNIX</h5></div></div></div><p>
Instructions for obtaining and installing the AD4UNIX tool set can be found from the
- <a href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
+ <a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top">
Geekcomix</a> Web site.
- </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367212"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id367219"></a>
+ </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2618444"></a>UNIX/Linux Client Domain Member</h3></div></div></div><p><a class="indexterm" name="id2618451"></a>
So far this chapter has been mainly concerned with the provision of file and print
services for domain member servers. However, an increasing number of UNIX/Linux
workstations are being installed that do not act as file or print servers to anyone
other than a single desktop user. The key demand for desktop systems is to be able
to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
- </p><p><a class="indexterm" name="id367234"></a>
+ </p><p><a class="indexterm" name="id2618470"></a>
The ability to use a common set of user credential across a variety of network systems
is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a
large number of vendors and include a range of technologies such as:
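Review bot: the section anchor `<a name="id367212"></a>UNIX/Linux Client Domain Member` is renamed to `name="id2618444"`, so any bookmark or external link to `unixclients.html#id367212` now lands at the top of the page; the neighbouring sect2 headings already carry stable hand-assigned names (`#wdcsdm` and `#adssdm` are used as link targets later in this diff), and this heading should get one in the DocBook source as well. Separately, the context line `The ability to use a common set of user credential across a variety of network systems` should read `user credentials`.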
@@ -1439,18 +1439,18 @@ hosts: files wins
Metadirectory server solutions
</p></li><li><p>
Replacement authentication systems
- </p></li></ul></div><p><a class="indexterm" name="id367272"></a>
+ </p></li></ul></div><p><a class="indexterm" name="id2618512"></a>
There are really four solutions that provide integrated authentication and
user identity management facilities:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now
provides a greater level of scalability in large ADS environments.
</p></li><li><p>
- <a href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free).
+ <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> PAM and LDAP tools (free).
</p></li><li><p>
- <a href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial).
+ <a class="ulink" href="http://www.vintela.com" target="_top">Vintela</a> Authentication Services (commercial).
</p></li><li><p>
- <a href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial).
+ <a class="ulink" href="http://www.centrify.com" target="_top">Centrify</a> DirectControl (commercial).
Centrify's commercial product allows UNIX and Linux systems to use Active Directory
security, directory and policy services. Enhancements include a centralized ID mapping that
allows Samba, DirectControl and Active Directory to seamlessly work together.
@@ -1464,26 +1464,26 @@ hosts: files wins
provides logon services for UNIX/Linux users, while Windows users obtain their sign-on
support via Samba-3.
</p><p>
- <a class="indexterm" name="id367339"></a>
+ <a class="indexterm" name="id2618591"></a>
On the other hand, if the authentication and identity resolution backend must be provided by
a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft
Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these
situations now follows.
</p><p>
- <a class="indexterm" name="id367354"></a>
- <a class="indexterm" name="id367361"></a>
- <a class="indexterm" name="id367368"></a>
+ <a class="indexterm" name="id2618608"></a>
+ <a class="indexterm" name="id2618615"></a>
+ <a class="indexterm" name="id2618622"></a>
To permit users to log on to a Linux system using Windows network credentials, you need to
configure identity resolution (NSS) and PAM. This means that the basic steps include those
outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
usually do not need to provide file and print services to a group of users, the configuration
of shares and printers is generally less important. Often this allows the share specifications
to be entirely removed from the <code class="filename">smb.conf</code> file. That is obviously an administrator decision.
- </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id367386"></a>NT4 Domain Member</h4></div></div></div><p>
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2618645"></a>NT4 Domain Member</h4></div></div></div><p>
The following steps provide a Linux system that users can log onto using
Windows NT4 (or Samba-3) domain network credentials:
</p><div class="procedure"><ol type="1"><li><p>
- Follow the steps outlined in <a href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">???</a> and ensure that
+ Follow the steps outlined in <a class="link" href="unixclients.html#wdcsdm" title="NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind">&#8220;NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind&#8221;</a> and ensure that
all validation tests function as shown.
</p></li><li><p>
Identify what services users must log on to. On Red Hat Linux, if it is
@@ -1499,7 +1499,7 @@ hosts: files wins
<code class="filename">/etc/pam.d</code> should be backed up to a safe location.
</p></li><li><p>
If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
- so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">???</a>.
+ so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">&#8220;SUSE: PAM login Module Using Winbind&#8221;</a>.
</p></li><li><p>
To provide the ability to log onto the graphical desktop interface, you must edit
the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
@@ -1507,17 +1507,17 @@ hosts: files wins
</p></li><li><p>
Edit only one file at a time. Carefully validate its operation before attempting
to reboot the machine.
- </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id367498"></a>ADS Domain Member</h4></div></div></div><p>
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2618767"></a>ADS Domain Member</h4></div></div></div><p>
This procedure should be followed to permit a Linux network client (workstation/desktop)
to permit users to log on using Microsoft Active Directory-based user credentials.
</p><div class="procedure"><ol type="1"><li><p>
- Follow the steps outlined in <a href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">???</a> and ensure that
+ Follow the steps outlined in <a class="link" href="unixclients.html#adssdm" title="Active Directory Domain with Samba Domain Member Server">&#8220;Active Directory Domain with Samba Domain Member Server&#8221;</a> and ensure that
all validation tests function as shown.
</p></li><li><p>
Identify what services users must log on to. On Red Hat Linux, if it is
intended that the user shall be given access to all services, it may be
most expeditious to simply configure the file
- <code class="filename">/etc/pam.d/system-auth</code> as shown in <a href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">???</a>.
+ <code class="filename">/etc/pam.d/system-auth</code> as shown in <a class="link" href="unixclients.html#ch9-rhsysauth" title="Example 7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind">&#8220;Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind&#8221;</a>.
</p></li><li><p>
Carefully make a backup copy of all PAM configuration files before you
begin making changes. If you break the PAM configuration, please note
@@ -1527,7 +1527,7 @@ hosts: files wins
<code class="filename">/etc/pam.d</code> should be backed up to a safe location.
</p></li><li><p>
If you require only console login support, edit the <code class="filename">/etc/pam.d/login</code>
- so it matches <a href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">???</a>.
+ so it matches <a class="link" href="unixclients.html#ch9-pamwnbdlogin" title="Example 7.11. SUSE: PAM login Module Using Winbind">&#8220;SUSE: PAM login Module Using Winbind&#8221;</a>.
</p></li><li><p>
To provide the ability to log onto the graphical desktop interface, you must edit
the files <code class="filename">gdm</code> and <code class="filename">xdm</code> in the
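Review bot: The "ADS Domain Member" heading anchor changes from `name="id367498"` to `name="id2618767"` in this hunk, and the same happens to every auto-generated id in this file; each stylesheet run will invalidate any bookmark or external deep link into these subsections. The sect2 targets referenced from the same hunk (`#adssdm`, `#wdcsdm`) show the pattern to follow: give the sect3 and the Q&A entries explicit ids in the DocBook source so regenerated HTML keeps stable fragment names. While here, the unchanged context line "to permit a Linux network client (workstation/desktop) to permit users to log on" repeats "to permit" and could be reworded in the source.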
@@ -1587,7 +1587,7 @@ password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session sufficient /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
-</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id367699"></a>Key Points Learned</h3></div></div></div><p>
+</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2619019"></a>Key Points Learned</h3></div></div></div><p>
The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
learned how to integrate such servers so that the UID/GID mappings they use can be consistent
across all domain member servers. You also discovered how to implement the ability to use Samba
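Review bot: In the unchanged PAM context lines of this hunk, `session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass` carries `use_first_pass`, which is an auth/password option and has no effect on a `session` line; and because the preceding `session sufficient ... pam_unix.so` already returns success for a winbind user, the winbind session hook on the next line is reached only when pam_unix fails. If the winbind session module is expected to run, the two lines should be `required` or `optional` rather than `sufficient`, and the stray option dropped. This is inherited from the DocBook source, not introduced here, but the regenerated example would be a good moment to correct it.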
@@ -1607,54 +1607,54 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
</p></li><li><p>
On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management
and PAM is responsible for authentication of logon credentials (username and password).
- </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id367744"></a>Questions and Answers</h2></div></div></div><p>
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619073"></a>Questions and Answers</h2></div></div></div><p>
The following questions were obtained from the mailing list and also from private discussions
with Windows network administrators.
- </p><div class="qandaset"><dl><dt> <a href="unixclients.html#id367761">
+ </p><div class="qandaset"><dl><dt> <a href="unixclients.html#id2619091">
We use NIS for all UNIX accounts. Why do we need winbind?
- </a></dt><dt> <a href="unixclients.html#id367868">
+ </a></dt><dt> <a href="unixclients.html#id2619206">
Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
Which is better?
- </a></dt><dt> <a href="unixclients.html#id367942">
+ </a></dt><dt> <a href="unixclients.html#id2619290">
We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
to use NIS in place of LDAP?
- </a></dt><dt> <a href="unixclients.html#id368049">
+ </a></dt><dt> <a href="unixclients.html#id2619401">
Are you suggesting that users should not log on to a domain member server? If so, why?
- </a></dt><dt> <a href="unixclients.html#id368158">
+ </a></dt><dt> <a href="unixclients.html#id2619529">
We want to ensure that only users from our own domain plus from trusted domains can use our
Samba servers. In the smb.conf file on all servers, we have enabled the winbind
trusted domains only parameter. We now find that users from trusted domains
cannot access our servers, and users from Windows clients that are not domain members
can also access our servers. Is this a Samba bug?
- </a></dt><dt> <a href="unixclients.html#id368322">
+ </a></dt><dt> <a href="unixclients.html#id2619704">
What are the benefits of using LDAP for my domain member servers?
- </a></dt><dt> <a href="unixclients.html#id368497">
+ </a></dt><dt> <a href="unixclients.html#id2619887">
Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
my DNS configuration?
- </a></dt><dt> <a href="unixclients.html#id368645">
+ </a></dt><dt> <a href="unixclients.html#id2620045">
Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
use Samba-3 with that configuration?
- </a></dt><dt> <a href="unixclients.html#id368662">
+ </a></dt><dt> <a href="unixclients.html#id2620064">
When I tried to execute net ads join, I got no output. It did not work, so
I think that it failed. I then executed net rpc join and that worked fine.
That is okay, isn't it?
- </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id367761"></a><a name="id367763"></a></td><td align="left" valign="top"><p>
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2619091"></a><a name="id2619093"></a></td><td align="left" valign="top"><p>
We use NIS for all UNIX accounts. Why do we need winbind?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- <a class="indexterm" name="id367774"></a>
- <a class="indexterm" name="id367781"></a>
- <a class="indexterm" name="id367787"></a>
- <a class="indexterm" name="id367794"></a>
- <a class="indexterm" name="id367801"></a>
- <a class="indexterm" name="id367808"></a>
+ <a class="indexterm" name="id2619105"></a>
+ <a class="indexterm" name="id2619112"></a>
+ <a class="indexterm" name="id2619119"></a>
+ <a class="indexterm" name="id2619125"></a>
+ <a class="indexterm" name="id2619132"></a>
+ <a class="indexterm" name="id2619139"></a>
You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted
passwords that need to be stored in one of the acceptable passdb backends.
Your choice of backend is limited to <em class="parameter"><code>smbpasswd</code></em> or
<em class="parameter"><code>tdbsam</code></em>. Winbind is needed to handle the resolution of
SIDs from trusted domains to local UID/GID values.
</p><p>
- <a class="indexterm" name="id367832"></a>
- <a class="indexterm" name="id367839"></a>
+ <a class="indexterm" name="id2619166"></a>
+ <a class="indexterm" name="id2619173"></a>
On a domain member server, you effectively map Windows domain users to local users
that are in your NIS database by specifying the <em class="parameter"><code>winbind trusted domains
only</code></em>. This causes user and group account lookups to be routed via
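Review bot: Inconsistent anchor markup within this hunk: the cross-reference links elsewhere in the patch gained `class="link"`, but the question-list entries here (`<dt> <a href="unixclients.html#id2619091">` and the following `<dt>` lines) are emitted without it, so whatever rule samba.css applies to `.link` will not reach the Q&A index. The fragment ids in these `href`s do match their `<a name=...>` targets later in the same hunk, so the list itself is internally consistent; only the styling differs.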
@@ -1662,17 +1662,17 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
this pushes the resolution of users and groups out through NIS.
</p><p>
As a general rule, it is always a good idea to run winbind on all Samba servers.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367868"></a><a name="id367870"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2619206"></a><a name="id2619208"></a></td><td align="left" valign="top"><p>
Our IT management people do not like LDAP but are looking at Microsoft Active Directory.
- Which is better?<a class="indexterm" name="id367876"></a>
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367890"></a><a class="indexterm" name="id367901"></a><a class="indexterm" name="id367909"></a>
+ Which is better?<a class="indexterm" name="id2619214"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2619229"></a><a class="indexterm" name="id2619240"></a><a class="indexterm" name="id2619248"></a>
Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos
infrastructure. Most IT managers who object to LDAP do so because
an LDAP server is most often supplied as a raw tool that needs to be configured and
for which the administrator must create the schema, create the administration tools, and
devise the backup and recovery facilities in a site-dependent manner. LDAP servers
in general are seen as a high-energy, high-risk facility.
- </p><p><a class="indexterm" name="id367924"></a>
+ </p><p><a class="indexterm" name="id2619267"></a>
Microsoft Active Directory by comparison is easy to install and configure and
is supplied with all tools necessary to implement and manage the directory. For sites
that lack a lot of technical competence, Active Directory is a good choice. For sites
@@ -1681,28 +1681,28 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
the site want? If management wants a choice to use an alternative, they may want to
consider the options. On the other hand, if management just wants a solution that works,
Microsoft Active Directory is a good solution.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id367942"></a><a name="id367944"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2619290"></a><a name="id2619292"></a></td><td align="left" valign="top"><p>
We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
to use NIS in place of LDAP?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id367955"></a><a class="indexterm" name="id367962"></a><a class="indexterm" name="id367970"></a><a class="indexterm" name="id367978"></a><a class="indexterm" name="id367986"></a><a class="indexterm" name="id367994"></a><a class="indexterm" name="id368001"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2619304"></a><a class="indexterm" name="id2619312"></a><a class="indexterm" name="id2619320"></a><a class="indexterm" name="id2619328"></a><a class="indexterm" name="id2619336"></a><a class="indexterm" name="id2619344"></a><a class="indexterm" name="id2619351"></a>
Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping
the Windows (SMB) encrypted passwords database correctly synchronized across the entire
network. Workstations (Windows client machines) periodically change their domain
membership secure account password. How can you keep changes that are on remote BDCs
synchronized on the PDC?
- </p><p><a class="indexterm" name="id368019"></a><a class="indexterm" name="id368026"></a><a class="indexterm" name="id368034"></a>
+ </p><p><a class="indexterm" name="id2619369"></a><a class="indexterm" name="id2619377"></a><a class="indexterm" name="id2619384"></a>
LDAP is a more elegant solution because it permits centralized storage and management
of all network identities (user, group, and machine accounts) together with all information
Samba needs to provide to network clients and their users.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368049"></a><a name="id368051"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2619401"></a><a name="id2619403"></a></td><td align="left" valign="top"><p>
Are you suggesting that users should not log on to a domain member server? If so, why?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368061"></a><a class="indexterm" name="id368069"></a><a class="indexterm" name="id368080"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2619414"></a><a class="indexterm" name="id2619422"></a><a class="indexterm" name="id2619434"></a>
Many UNIX administrators mock the model that the personal computer industry has adopted
as normative since the early days of Novell NetWare. The old
perception of the necessity to keep users off file and print servers was a result of
fears concerning the security and integrity of data. It was a simple and generally
effective measure to keep users away from servers, except through mapped drives.
- </p><p><a class="indexterm" name="id368095"></a><a class="indexterm" name="id368103"></a><a class="indexterm" name="id368111"></a><a class="indexterm" name="id368119"></a><a class="indexterm" name="id368127"></a>
+ </p><p><a class="indexterm" name="id2619459"></a><a class="indexterm" name="id2619467"></a><a class="indexterm" name="id2619474"></a><a class="indexterm" name="id2619482"></a><a class="indexterm" name="id2619490"></a>
UNIX administrators are fully correct in asserting that UNIX servers and workstations
are identical in terms of the software that is installed. They correctly assert that
in a well-secured environment it is safe to store files on a system that has hundreds
@@ -1711,17 +1711,17 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
server the risk to operations through simple user errors.
Only then can one begin to appraise the best strategy and adopt a site-specific
policy that best protects the needs of users and of the organization alike.
- </p><p><a class="indexterm" name="id368143"></a>
+ </p><p><a class="indexterm" name="id2619512"></a>
From experience, it is my recommendation to keep general system-level logins to a
practical minimum and to eliminate them if possible. This should not be taken as a
hard rule, though. The better question is, what works best for the site?
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368158"></a><a name="id368160"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368163"></a><a class="indexterm" name="id368171"></a><a class="indexterm" name="id368182"></a><a class="indexterm" name="id368190"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2619529"></a><a name="id2619531"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2619534"></a><a class="indexterm" name="id2619542"></a><a class="indexterm" name="id2619554"></a><a class="indexterm" name="id2619562"></a>
We want to ensure that only users from our own domain plus from trusted domains can use our
Samba servers. In the <code class="filename">smb.conf</code> file on all servers, we have enabled the <em class="parameter"><code>winbind
trusted domains only</code></em> parameter. We now find that users from trusted domains
cannot access our servers, and users from Windows clients that are not domain members
can also access our servers. Is this a Samba bug?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368219"></a><a class="indexterm" name="id368227"></a><a class="indexterm" name="id368235"></a><a class="indexterm" name="id368243"></a><a class="indexterm" name="id368250"></a><a class="indexterm" name="id368258"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2619594"></a><a class="indexterm" name="id2619602"></a><a class="indexterm" name="id2619610"></a><a class="indexterm" name="id2619618"></a><a class="indexterm" name="id2619626"></a><a class="indexterm" name="id2619634"></a>
The manual page for this <em class="parameter"><code>winbind trusted domains only</code></em> parameter says,
&#8220;<span class="quote">This parameter is designed to allow Samba servers that are members of a Samba-controlled
domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users
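Review bot: The unchanged context line quoting the manual page reads "distributed vi NIS, rsync, or LDAP", which should be "via NIS". Since this file is generated output, the correction belongs in the DocBook source (and in the smb.conf man page text it quotes, if the typo originates there) so it does not reappear on the next regeneration.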
@@ -1729,7 +1729,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
mapped to the account <code class="constant">user1</code> in <code class="filename">/etc/passwd</code> instead
of allocating a new UID for him or her.</span>&#8221; This clearly suggests that you are trying
to use this parameter inappropriately.
- </p><p><a class="indexterm" name="id368296"></a>
+ </p><p><a class="indexterm" name="id2619675"></a>
A far better solution is to use the <em class="parameter"><code>valid users</code></em> by specifying
precisely the domain users and groups that should be permitted access to the shares. You could,
for example, set the following parameters:
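Review bot: The context line "A far better solution is to use the `valid users` by specifying precisely the domain users and groups" is missing the noun after the parameter name; it should read "to use the `valid users` parameter by specifying ...". Not introduced by this change, but worth fixing in the source alongside the cross-reference cleanup.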
@@ -1738,24 +1738,24 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
path = /export/demodata
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
</pre><p>
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368322"></a><a name="id368324"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2619704"></a><a name="id2619706"></a></td><td align="left" valign="top"><p>
What are the benefits of using LDAP for my domain member servers?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368334"></a><a class="indexterm" name="id368342"></a><a class="indexterm" name="id368350"></a><a class="indexterm" name="id368358"></a><a class="indexterm" name="id368365"></a><a class="indexterm" name="id368373"></a><a class="indexterm" name="id368381"></a><a class="indexterm" name="id368389"></a><a class="indexterm" name="id368397"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2619717"></a><a class="indexterm" name="id2619725"></a><a class="indexterm" name="id2619733"></a><a class="indexterm" name="id2619740"></a><a class="indexterm" name="id2619748"></a><a class="indexterm" name="id2619756"></a><a class="indexterm" name="id2619764"></a><a class="indexterm" name="id2619772"></a><a class="indexterm" name="id2619780"></a>
The key benefit of using LDAP is that the UID of all users and the GID of all groups
are globally consistent on domain controllers as well as on domain member servers.
This means that it is possible to copy/replicate files across servers without
loss of identity.
- </p><p><a class="indexterm" name="id368410"></a><a class="indexterm" name="id368418"></a><a class="indexterm" name="id368426"></a><a class="indexterm" name="id368434"></a><a class="indexterm" name="id368442"></a><a class="indexterm" name="id368450"></a><a class="indexterm" name="id368461"></a><a class="indexterm" name="id368469"></a>
+ </p><p><a class="indexterm" name="id2619796"></a><a class="indexterm" name="id2619804"></a><a class="indexterm" name="id2619812"></a><a class="indexterm" name="id2619820"></a><a class="indexterm" name="id2619827"></a><a class="indexterm" name="id2619835"></a><a class="indexterm" name="id2619847"></a><a class="indexterm" name="id2619855"></a>
When use is made of account identity resolution via winbind, even when an IDMAP backend
is stored in LDAP, the UID/GID on domain member servers is consistent, but differs
from the ID that the user/group has on domain controllers. The winbind allocated UID/GID
that is stored in LDAP (or locally) will be in the numeric range specified in the <em class="parameter"><code>
idmap uid/gid</code></em> in the <code class="filename">smb.conf</code> file. On domain controllers, the UID/GID is
that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368497"></a><a name="id368499"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2619887"></a><a name="id2619890"></a></td><td align="left" valign="top"><p>
Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
my DNS configuration?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368510"></a><a class="indexterm" name="id368521"></a><a class="indexterm" name="id368532"></a><a class="indexterm" name="id368540"></a><a class="indexterm" name="id368548"></a><a class="indexterm" name="id368555"></a><a class="indexterm" name="id368563"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2619901"></a><a class="indexterm" name="id2619912"></a><a class="indexterm" name="id2619923"></a><a class="indexterm" name="id2619931"></a><a class="indexterm" name="id2619939"></a><a class="indexterm" name="id2619947"></a><a class="indexterm" name="id2619955"></a>
Samba depends on correctly functioning resolution of hostnames to their IP address. Samba
makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the
<code class="literal">getXXXbyXXX()</code> function calls. The configuration of the <code class="constant">hosts</code>
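Review bot: The generated markup in this hunk ends the `valid users` example with `</pre><p>` immediately followed by `</p></td></tr>`, that is, an empty paragraph element between the listing and the next question. It is harmless in browsers but is a stylesheet artifact (likely the `<para>` wrapping the `<programlisting>` in the source); moving the listing out of the paragraph in the DocBook source would remove it from every regeneration.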
@@ -1768,23 +1768,23 @@ hosts: files dns wins
this means that a hostname lookup first tries the <code class="filename">/etc/hosts</code>.
If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a
WINS lookup.
- </p><p><a class="indexterm" name="id368613"></a><a class="indexterm" name="id368621"></a><a class="indexterm" name="id368629"></a>
+ </p><p><a class="indexterm" name="id2620010"></a><a class="indexterm" name="id2620017"></a><a class="indexterm" name="id2620025"></a>
The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has
been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS
is the preferred name resolution technology. This usually makes most sense when Samba
is a client of an Active Directory domain, where NetBIOS use has been disabled. In this
case, the Windows 200x autoregisters all locator records it needs with its own DNS
server or servers.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368645"></a><a name="id368647"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2620045"></a><a name="id2620048"></a></td><td align="left" valign="top"><p>
Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we
use Samba-3 with that configuration?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Yes.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id368662"></a><a name="id368664"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id368668"></a><a class="indexterm" name="id368682"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2620064"></a><a name="id2620066"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2620069"></a><a class="indexterm" name="id2620084"></a>
When I tried to execute net ads join, I got no output. It did not work, so
I think that it failed. I then executed net rpc join and that worked fine.
That is okay, isn't it?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id368704"></a><a class="indexterm" name="id368712"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2620107"></a><a class="indexterm" name="id2620115"></a>
No. This is not okay. It means that your Samba-3 client has joined the ADS domain as
a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.
</p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DMSMig.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrades.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Domain Members, Updating Samba and Migration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Updating Samba-3</td></tr></table></div></body></html>
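Review bot: The final answer in this hunk states that a silent `net ads join` followed by a successful `net rpc join` means the machine joined as an NT4-style client without Kerberos, but gives the reader no way to confirm which join is in effect. Since this regeneration touches the answer's anchors anyway, consider adding a sentence pointing to `net ads testjoin` as the check, so an administrator can verify the ADS join and the Kerberos path rather than infer it from missing output.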