source: branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/samba-pdc.html@ 342

Last change on this file since 342 was 274, checked in by Herwig Bauernfeind, 17 years ago

Update 3.3 branch to 3.3.5

File size: 78.4 KB
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Domain Control</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="ServerType.html" title="Chapter 3. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 4. 
Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="orgname">Samba Team</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">SuSE</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="samba-pdc.html#id2561262">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id2561896">Single Sign-On and Domain Security</a></span></dt><dt><span class="sect1"><a 
href="samba-pdc.html#id2562485">Basics of Domain Control</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id2562505">Domain Controller Types</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2563009">Preparing for Domain Control</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id2563520">Domain Control: Example Configuration</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id2564263">Samba ADS Domain Control</a></span></dt><dt><span class="sect1"><a href="samba-pdc.html#id2564316">Domain and Network Logon Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id2564335">Domain Network Logon Service</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2564926">Security Mode and Master Browsers</a></span></dt></dl></dd><dt><span class="sect1"><a href="samba-pdc.html#id2565206">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="samba-pdc.html#id2565212">$ Cannot Be Included in Machine Name</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2565312">Joining Domain Fails Because of Existing Machine Account</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2565377">The System Cannot Log You On (C000019B)</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2565454">The Machine Trust Account Is Not Accessible</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2565573">Account Disabled</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2565600">Domain Controller Unavailable</a></span></dt><dt><span class="sect2"><a href="samba-pdc.html#id2565619">Cannot Log onto Domain Member Workstation After Joining Domain</a></span></dt></dl></dd></dl></div><p>
There are many who approach MS Windows networking with incredible misconceptions.
That's okay, because it gives the rest of us plenty of opportunity to be of assistance.
Those who really want help are well advised to become familiar with information
that is already available.
</p><p>
<a class="indexterm" name="id2561124"></a>
You are advised not to tackle this section without having first understood
and mastered some basics. MS Windows networking is not particularly forgiving of
misconfiguration. Users of MS Windows networking are likely to complain
of persistent niggles that may be caused by a broken network configuration.
To a great many people, however, MS Windows networking starts with a domain controller
that in some magical way is expected to solve all network operational ills.
</p><p>
<a class="link" href="samba-pdc.html#domain-example" title="Figure 4.1. An Example Domain.">The Example Domain Illustration</a> shows a typical MS Windows domain security
network environment. Workstations A, B, and C are representative of many physical MS Windows
network clients.
</p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 4.1. An Example Domain.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/domain.png" width="216" alt="An Example Domain."></div></div></div><br class="figure-break"><p>
From the Samba mailing list we can readily identify many common networking issues.
If you are not clear on the following subjects, then it will do much good to read the
sections of this HOWTO that deal with them. These are the most common causes of MS Windows
networking problems:
</p><div class="itemizedlist"><ul type="disc"><li><p>Basic TCP/IP configuration.</p></li><li><p>NetBIOS name resolution.</p></li><li><p>Authentication configuration.</p></li><li><p>User and group configuration.</p></li><li><p>Basic file and directory permission control in UNIX/Linux.</p></li><li><p>Understanding how MS Windows clients interoperate in a network environment.</p></li></ul></div><p>
Do not be put off; on the surface of it MS Windows networking seems so simple that anyone
can do it. In fact, it is not a good idea to set up an MS Windows network with
inadequate training and preparation. But let's get our first indelible principle out of the
way: <span class="emphasis"><em>It is perfectly okay to make mistakes!</em></span> In the right place and at
the right time, mistakes are the essence of learning. It is very much not okay to make
mistakes that cause loss of productivity and impose an avoidable financial burden on an
organization.
</p><p>
Where is the right place to make mistakes? Only out of harm's way. If you are going to
make mistakes, then please do it on a test network, away from users, and in such a way as
to not inflict pain on others. Do your learning on a test network.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2561262"></a>Features and Benefits</h2></div></div></div><p>
<a class="indexterm" name="id2561270"></a>
<span class="emphasis"><em>What is the key benefit of Microsoft Domain Security?</em></span>
</p><p>
<a class="indexterm" name="id2561284"></a>
<a class="indexterm" name="id2561294"></a>
<a class="indexterm" name="id2561300"></a>
<a class="indexterm" name="id2561307"></a>
In a word, <span class="emphasis"><em>single sign-on</em></span>, or SSO for short. To many, this is the Holy Grail of MS
Windows NT (and later) networking. SSO allows users in a well-designed network to log onto any workstation that
is a member of the domain that contains their user account (or of a domain that has an appropriate trust
relationship with the domain they are visiting) and to access network
resources (shares, files, and printers) as if they were sitting at their home (personal) workstation. This is a
feature of the domain security protocols.
</p><p>
<a class="indexterm" name="id2561335"></a>
<a class="indexterm" name="id2561342"></a>
<a class="indexterm" name="id2561349"></a>
<a class="indexterm" name="id2561358"></a>
<a class="indexterm" name="id2561367"></a>
The benefits of domain security are available to those sites that deploy a Samba PDC. A domain provides a
unique network security identifier (SID). Domain user and group security identifiers consist of the
domain SID plus a relative identifier (RID) that is unique to the account. User and group SIDs (the domain
SID plus the RID) can be used to create access control lists (ACLs) attached to network resources to provide
organizational access control. UNIX systems have no notion of SIDs; they recognize only their local numeric
user and group identifiers (UIDs and GIDs), so a Samba server must map between the two.
</p><p>
<a class="indexterm" name="id2561386"></a>
A SID represents a security context. For example, every Windows machine has local accounts within the security
context of the local machine, which has its own unique SID. Every domain (NT4, ADS, Samba) contains accounts that
exist within the domain security context, which is defined by the domain SID.
</p><p>
<a class="indexterm" name="id2561401"></a>
<a class="indexterm" name="id2561407"></a>
A domain member server has a SID of its own that differs from the domain SID. The domain member server can be
configured to regard all domain users as local users. It can also be configured to recognize domain users and
groups as non-local. SIDs are persistent. A typical domain SID looks like this:
</p><pre class="screen">
S-1-5-21-726309263-4128913605-1168186429
</pre><p>
Every account (user, group, machine, trust, etc.) is assigned a RID. This is done automatically as an account
is created. Samba produces the RID algorithmically. The UNIX operating system uses separate name spaces for
user and group identifiers (the UID and GID), but Windows allocates RIDs from a single name space: a Windows
user and a Windows group cannot have the same RID. Just as the UNIX user <code class="literal">root</code> has
UID=0, the Windows Administrator has the well-known RID=500. The RID is appended to the domain SID,
so the Administrator account for a domain that has the above SID will have the user SID
</p><pre class="screen">
S-1-5-21-726309263-4128913605-1168186429-500
</pre><p>
The result is that every account in the Windows networking world has a globally unique security identifier.
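As an added illustration (not code from the Samba project or from this HOWTO), the Python below parses SIDs in the textual form used above, splits an account SID into its domain SID and RID, names the well-known RIDs, and converts between the textual form and the binary layout in which SIDs travel in ACLs and in the objectSid attribute of Active Directory (Samba's own LDAP schema stores sambaSID as text). The domain SID is the one quoted above. The well-known RID table and the classic Samba 3 mapping of UID/GID to RID (2*uid + base for users, 2*gid + base + 1 for groups, with base taken from the smb.conf parameter <code class="literal">algorithmic rid base</code>, default 1000) are written from memory as assumptions; check them against your own server before relying on them.

```python
"""SID arithmetic: domain SID + RID -> account SID (added example, not Samba code).

Constructed input: the domain SID quoted in the HOWTO text above.
Assumptions: WELL_KNOWN_RIDS is a subset of the documented NT/AD values and
ALGORITHMIC_RID_BASE is the default of Samba 3's 'algorithmic rid base'.
"""
import struct

DOMAIN_SID = "S-1-5-21-726309263-4128913605-1168186429"  # from the HOWTO text

# Subset of well-known RIDs (assumed from the NT4/AD account model).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
}

ALGORITHMIC_RID_BASE = 1000  # Samba 3 default for 'algorithmic rid base' (assumed)


def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>-...' into (revision, authority, subauths).

    Accepts only revision-1 SIDs with a 48-bit authority and at most 15
    32-bit sub-authorities, which is what Windows and Samba will accept.
    """
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subauths) > 15:
        raise ValueError("malformed SID: %r" % text)
    if any(not 0 <= s <= 0xFFFFFFFF for s in subauths):
        raise ValueError("sub-authority out of range: %r" % text)
    return revision, authority, subauths


def format_sid(revision, authority, subauths):
    """Inverse of parse_sid."""
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def split_domain_and_rid(text):
    """Return (domain_sid, rid) for a SID in the S-1-5-21-X-Y-Z[-RID] name space.

    A bare domain SID yields rid=None. SIDs outside S-1-5-21 (for example
    S-1-5-32-544, the BUILTIN Administrators alias) are rejected because
    they carry no domain SID to split off.
    """
    revision, authority, subauths = parse_sid(text)
    if authority != 5 or len(subauths) < 4 or subauths[0] != 21:
        raise ValueError("not a domain-relative SID: %r" % text)
    if len(subauths) == 4:
        return text, None
    if len(subauths) != 5:
        raise ValueError("too many sub-authorities for an account SID: %r" % text)
    return format_sid(revision, authority, subauths[:4]), subauths[4]


def account_sid(domain_sid, rid):
    """Append a RID to a domain SID, exactly as the text describes."""
    domain, existing = split_domain_and_rid(domain_sid)
    if existing is not None:
        raise ValueError("domain SID already carries a RID: %r" % domain_sid)
    return "%s-%d" % (domain, rid)


def describe(text):
    """Well-known RIDs are named; any other RID is reported numerically."""
    domain, rid = split_domain_and_rid(text)
    if rid is None:
        return "domain SID %s" % domain
    return "%s (RID %d) in domain %s" % (WELL_KNOWN_RIDS.get(rid, "account"), rid, domain)


def sid_to_bytes(text):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority big-endian, then each sub-authority as a
    little-endian uint32."""
    revision, authority, subauths = parse_sid(text)
    head = struct.pack("<BB", revision, len(subauths)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subauths)


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; the length check catches a truncated blob."""
    if len(data) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack("<BB", data[:2])
    if len(data) != 8 + 4 * count:
        raise ValueError("SID blob length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subauths = list(struct.unpack("<%dI" % count, data[8:]))
    return format_sid(revision, authority, subauths)


def algorithmic_rid(unix_id, is_group=False, base=ALGORITHMIC_RID_BASE):
    """Classic Samba 3 UID/GID -> RID mapping (assumed): users get 2*uid + base,
    groups 2*gid + base + 1, so the two separate UNIX name spaces land on
    disjoint even/odd RIDs in the single Windows RID name space."""
    return 2 * unix_id + base + (1 if is_group else 0)


if __name__ == "__main__":
    admin = account_sid(DOMAIN_SID, 500)
    print(admin, "->", describe(admin))
    print(sid_to_bytes(admin).hex())
    assert sid_from_bytes(sid_to_bytes(admin)) == admin
    print("uid 1000 -> RID", algorithmic_rid(1000), "; gid 1000 -> RID", algorithmic_rid(1000, True))
```

The binary round trip is what matters when you pull SIDs out of a directory dump or a packet capture rather than from <code class="literal">net</code> output: a blob whose length disagrees with its sub-authority count is corrupt or truncated and must be rejected, not silently parsed.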
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2561454"></a>
<a class="indexterm" name="id2561464"></a>
<a class="indexterm" name="id2561470"></a>
Network clients of an MS Windows domain security environment must be domain members to be able to gain access
to the advanced features provided. Domain membership involves more than just setting the workgroup name to the
domain name. It requires the creation of a domain trust account for the workstation (called a machine
account). Refer to <a class="link" href="domain-member.html" title="Chapter 6. Domain Membership">Domain Membership</a> for more information.
</p></div><p>
The following functionalities are new to the Samba-3 release:
</p><div class="itemizedlist"><ul type="disc"><li><p>
 <a class="indexterm" name="id2561504"></a>
 Samba-3 supports a choice of backends in which user, group, and machine
 accounts may be stored. Early Samba-3 releases allowed several passdb backends to be combined, either as
 additive backend data sets or as fail-over data sets; since Samba 3.0.23 the
 <em class="parameter"><code>passdb backend</code></em> parameter accepts a single backend only.
 </p><p>
 <a class="indexterm" name="id2561521"></a>
 <a class="indexterm" name="id2561528"></a>
 <a class="indexterm" name="id2561534"></a>
 <a class="indexterm" name="id2561541"></a>
 <a class="indexterm" name="id2561548"></a>
 An LDAP passdb backend confers the benefit that the account backend can be distributed and replicated,
 which is of great value because it provides scalability and a high degree of reliability.
 </p></li><li><p>
 <a class="indexterm" name="id2561563"></a>