This probably applies to Ken's setup:
#----------------------------------------------------------
Domain Security Mode (User-Level Security)
Domain security provides a mechanism for storing all user and group
accounts in a central, shared, account repository. The centralized
account repository is shared between domain (security) controllers.
Servers that act as domain controllers provide authentication and
validation services to all machines that participate in the security
context for the domain. A primary domain controller (PDC) is a server
that is responsible for maintaining the integrity of the security
account database. Backup domain controllers (BDCs) provide only domain
logon and authentication services. Usually, BDCs will answer network
logon requests more responsively than will a PDC.
When Samba is operating in security = domain mode, the Samba server has
a domain security trust account (a machine account) and causes all
authentication requests to be passed through to the domain controllers.
In other words, this configuration makes the Samba server a domain
member server, even when it is in fact acting as a domain controller.
All machines that participate in domain security must have a machine
account in the security database.
Within the domain security environment, the underlying security
architecture uses user-level security. Even machines that are domain
members must authenticate on startup. The machine account consists of an
account entry in the accounts database, the name of which is the NetBIOS
name of the machine and of which the password is randomly generated and
known to both the domain controllers and the member machine. If the
machine account cannot be validated during startup, users will not be
able to log on to the domain using this machine because it cannot be
trusted. The machine account is referred to as a machine trust account.
There are three possible domain member configurations:

  - Primary domain controller (PDC) - of which there is one per domain.
  - Backup domain controller (BDC) - of which there can be any number per
    domain.
  - Domain member server (DMS) - of which there can be any number per domain.
We will discuss each of these in separate chapters. For now, we are most
interested in basic DMS configuration.
Example Configuration
Samba as a Domain Member Server
This method involves addition of the following parameters in the
smb.conf file:

    security = domain
    workgroup = MIDEARTH
In order for this method to work, the Samba server needs to join the MS
Windows NT security domain. This is done as follows:
  1. On the MS Windows NT domain controller, using the Server Manager, add a
     machine account for the Samba server.
  2. On the UNIX/Linux system execute:

         root# net rpc join -U administrator%password
Note: Samba-2.2.4 and later Samba 2.2.x series releases can autojoin a
Windows NT4-style domain just by executing:

    root# smbpasswd -j DOMAIN_NAME -r PDC_NAME \
          -U Administrator%password

Samba-3 can do the same by executing:

    root# net rpc join -U Administrator%password

It is not necessary with Samba-3 to specify the DOMAIN_NAME or the
PDC_NAME, as it figures this out from the smb.conf file settings.
Use of this mode of authentication requires there to be a standard UNIX
account for each user in order to assign a UID once the account has been
authenticated by the Windows domain controller. This account can be
blocked to prevent logons by clients other than MS Windows through means
such as setting an invalid shell in the /etc/passwd entry. The best way
to allocate an invalid shell to a user account is to set the shell to
the file /bin/false.
Domain controllers can be located anywhere that is convenient. The best
advice is to have a BDC on every physical network segment, and if the
PDC is on a remote network segment the use of WINS (see Network Browsing
for more information) is almost essential.
An alternative to assigning UIDs to Windows users on a Samba member
server is presented in Winbind, Winbind: Use of Domain Accounts.
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html
#-------------------------------------------------------
Regards,
LelandJ
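As an added example (not part of the quoted Samba HOWTO or of either message), the script below checks a member server for the two points the excerpt makes: that [global] carries security = domain with a workgroup, and that the UNIX accounts created only to give domain users a UID have been given a non-login shell such as /bin/false. The smb.conf and passwd contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the Samba HOWTO: audit a member server for
# (1) security = domain plus a workgroup in [global] and (2) a non-login
# shell on the UNIX accounts that only map domain users to UIDs.

# Print KEY's value from the [global] section of an smb.conf. Names are
# case-insensitive, blanks are ignored, other sections are skipped.
smbconf_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && !/^[[:space:]]*[#;]/ && index($0, "=") {
            k = tolower($0); sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Succeed only when smb.conf describes a domain member server.
is_domain_member() {
    [ "$(smbconf_global "$1" security | tr 'A-Z' 'a-z')" = "domain" ] &&
    [ -n "$(smbconf_global "$1" workgroup)" ]
}

# List regular accounts (UID >= 1000) whose shell still allows a local
# logon, i.e. anything other than /bin/false or /sbin/nologin.
login_shell_accounts() {
    awk -F: '$3 >= 1000 && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# Constructed sample files so the checks run offline.
SMBCONF=$(mktemp); PASSWD=$(mktemp)
trap 'rm -f "$SMBCONF" "$PASSWD"' EXIT
cat >"$SMBCONF" <<'EOF'
[global]
   Workgroup = MIDEARTH
   security = DOMAIN
[homes]
   security = share
EOF
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
frodo:x:1001:1001::/home/frodo:/bin/false
sam:x:1002:1002::/home/sam:/bin/bash
EOF

is_domain_member "$SMBCONF" && echo "domain member of $(smbconf_global "$SMBCONF" workgroup)"
echo "accounts that still have a login shell:"; login_shell_accounts "$PASSWD"
```

Run against the real /etc/samba/smb.conf and /etc/passwd, the last list is the set of accounts a domain-only user could still use for a local logon.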
On 03/11/2014 03:30 PM, Ken Dibble wrote:
I assume Windows Server doesn't have Windows NT Services for
Macintosh anymore?
It's not a Windows server. It's a SAMBA 3 domain, which emulates (to
some extent) a Windows NT domain.
Thanks.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.