Changeset 272 for branches/samba-3.2.x/docs/htmldocs/Samba3-HOWTO/domain-member.html

Timestamp:

Jun 16, 2009, 5:52:30 PM (16 years ago)

Author:

Herwig Bauernfeind

Message:

Update 3.2 to 3.2.12

File:

• branches/samba-3.2.x/docs/htmldocs/Samba3-HOWTO/domain-member.html (modified) (58 diffs)

branches/samba-3.2.x/docs/htmldocs/Samba3-HOWTO/domain-member.html

@@ -1 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Domain Membership</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 6. Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="orgname">Samba Team</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="orgname">Samba Team</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">SuSE</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="domain-member.html#id2569104">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id2569791">Manual Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2570227">Managing Domain Machine Accounts using NT4 Server Manager</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2570508">On-the-Fly Creation of Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2570614">Making an MS Windows Workstation or Server a Domain Member</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#domain-member-server">Domain Member Server</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id2571079">Joining an NT4-type Domain with Samba-3</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2571815">Why Is This Better Than security = server?</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id2572097">Configure smb.conf</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2572288">Configure /etc/krb5.conf</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-server">Testing Server Setup</a></span></dt><dt><span class="sect2"><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2573382">Notes</a></span></dt></dl></dd><dt><span class="sect1"><a href="domain-member.html#id2573454">Sharing User ID Mappings between Samba Domain Members</a></span></dt><dt><span class="sect1"><a href="domain-member.html#id2573660">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="domain-member.html#id2573700">Cannot Add Machine Back to Domain</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2573776">Adding Machine to Domain Fails</a></span></dt><dt><span class="sect2"><a href="domain-member.html#id2574012">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id2569052"></a>
-<a class="indexterm" name="id2569058"></a>
-<a class="indexterm" name="id2569066"></a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Domain Membership</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="prev" href="samba-bdc.html" title="Chapter 5. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 7. Standalone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 6. Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="orgname">Samba Team</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="orgname">Samba Team</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">SuSE</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="domain-member.html#id25691">I Can't Join a Windows 2003 PDC</a></span></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id25690"></a>
+<a class="indexterm" name="id25690"></a>
+<a class="indexterm" name="id25690"></a>
 Domain membership is a subject of vital concern. Samba must be able to
 participate as a member server in a Microsoft domain security context, and
@@ -8 +8 @@
 otherwise it would not be able to offer a viable option for many users.
 </p><p>
-<a class="indexterm" name="id2569081"></a>
-<a class="indexterm" name="id2569088"></a>
+<a class="indexterm" name="id25690"></a>
+<a class="indexterm" name="id2569"></a>
 This chapter covers background information pertaining to domain membership,
 the Samba configuration for it, and MS Windows client procedures for joining a
@@ -17 +17 @@
 misinformation, incorrect understanding, and lack of knowledge. Hopefully
 this chapter will fill the voids.
-</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2569104"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id2569112"></a>
-<a class="indexterm" name="id2569119"></a>
-<a class="indexterm" name="id2569126"></a>
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id25691"></a>Features and Benefits</h2></div></div></div><p>
+<a class="indexterm" name="id25691"></a>
+<a class="indexterm" name="id25691"></a>
+<a class="indexterm" name="id25691"></a>
 MS Windows workstations and servers that want to participate in domain security need to
 be made domain members. Participating in domain security is often called 
@@ -28 +28 @@
 server) or a Samba server a member of an MS Windows domain security context.
 </p><p>
-<a class="indexterm" name="id2569158"></a>
-<a class="indexterm" name="id2569164"></a>
-<a class="indexterm" name="id2569171"></a>
-<a class="indexterm" name="id2569178"></a>
+<a class="indexterm" name="id25691"></a>
+<a class="indexterm" name="id25691"></a>
+<a class="indexterm" name="id25691"></a>
+<a class="indexterm" name="id25691"></a>
 Samba-3 can join an MS Windows NT4-style domain as a native member server, an 
 MS Windows Active Directory domain as a native member server, or a Samba domain
 control network. Domain membership has many advantages:
 </p><div class="itemizedlist"><ul type="disc"><li><p>
-        <a class="indexterm" name="id2569197"></a>
+        <a class="indexterm" name="id2569"></a>
         MS Windows workstation users get the benefit of SSO.
         </p></li><li><p>
-        <a class="indexterm" name="id2569209"></a>
-        <a class="indexterm" name="id2569216"></a>
-        <a class="indexterm" name="id2569223"></a>
-        <a class="indexterm" name="id2569230"></a>
+        <a class="indexterm" name="id25692"></a>
+        <a class="indexterm" name="id25692"></a>
+        <a class="indexterm" name="id25692"></a>
+        <a class="indexterm" name="id25692"></a>
         Domain user access rights and file ownership/access controls can be set
         from the single Domain Security Account Manager (SAM) database 
@@ -48 +48 @@
         that are domain members).
         </p></li><li><p>
-        <a class="indexterm" name="id2569245"></a>
-        <a class="indexterm" name="id2569252"></a>
+        <a class="indexterm" name="id25692"></a>
+        <a class="indexterm" name="id25692"></a>
         Only <span class="application">MS Windows NT4/200x/XP Professional</span>
         workstations that are domain members can use network logon facilities.
         </p></li><li><p>
-        <a class="indexterm" name="id2569271"></a>
-        <a class="indexterm" name="id2569278"></a>
-        <a class="indexterm" name="id2569285"></a>
-        <a class="indexterm" name="id2569292"></a>
+        <a class="indexterm" name="id25692"></a>
+        <a class="indexterm" name="id25692"></a>
+        <a class="indexterm" name="id2569"></a>
+        <a class="indexterm" name="id2569"></a>
         Domain member workstations can be better controlled through the use of
         policy files (<code class="filename">NTConfig.POL</code>) and desktop profiles.
         </p></li><li><p>
-        <a class="indexterm" name="id2569311"></a>
-        <a class="indexterm" name="id2569318"></a>
-        <a class="indexterm" name="id2569325"></a>
+        <a class="indexterm" name="id25693"></a>
+        <a class="indexterm" name="id25693"></a>
+        <a class="indexterm" name="id25693"></a>
         Through the use of logon scripts, users can be given transparent access to network
         applications that run off application servers.
         </p></li><li><p>
-        <a class="indexterm" name="id2569338"></a>
-        <a class="indexterm" name="id2569345"></a>
-        <a class="indexterm" name="id2569352"></a>
-        <a class="indexterm" name="id2569359"></a>
+        <a class="indexterm" name="id25693"></a>
+        <a class="indexterm" name="id25693"></a>
+        <a class="indexterm" name="id25693"></a>
+        <a class="indexterm" name="id25693"></a>
         Network administrators gain better application and user access management
         abilities because there is no need to maintain user accounts on any network
@@ -76 +76 @@
         LDAP directory, or via an Active Directory infrastructure).
         </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="machine-trust-accounts"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div></div><p>
-<a class="indexterm" name="id2569387"></a>
-<a class="indexterm" name="id2569394"></a>
-<a class="indexterm" name="id2569401"></a>
-<a class="indexterm" name="id2569408"></a>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id25694"></a>
+<a class="indexterm" name="id25694"></a>
 A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to
 the domain controller server. In Windows terminology, this is known as a &#8220;<span class="quote">computer account.</span>&#8221; The
@@ -85 +85 @@
 access to a domain member workstation.
 </p><p>
-<a class="indexterm" name="id2569427"></a>
-<a class="indexterm" name="id2569436"></a>
-<a class="indexterm" name="id2569443"></a>
-<a class="indexterm" name="id2569450"></a>
-<a class="indexterm" name="id2569458"></a>
+<a class="indexterm" name="id25694"></a>
+<a class="indexterm" name="id25694"></a>
+<a class="indexterm" name="id25694"></a>
+<a class="indexterm" name="id25694"></a>
+<a class="indexterm" name="id25694"></a>
 The password of a Machine Trust Account acts as the shared secret for secure communication with the domain
 controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from
@@ -97 +97 @@
 possess a Machine Trust Account, and, thus, has no shared secret with the domain controller.
 </p><p>
-<a class="indexterm" name="id2569478"></a>
-<a class="indexterm" name="id2569485"></a>
-<a class="indexterm" name="id2569492"></a>
-<a class="indexterm" name="id2569498"></a>
+<a class="indexterm" name="id25694"></a>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id2569"></a>
 A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry.
 The introduction of MS Windows 2000 saw the introduction of Active Directory,
@@ -108 +108 @@
 
 </p><div class="itemizedlist"><ul type="disc"><li><p>
-        <a class="indexterm" name="id2569516"></a>
-        <a class="indexterm" name="id2569523"></a>
-        <a class="indexterm" name="id2569530"></a>
+        <a class="indexterm" name="id25695"></a>
+        <a class="indexterm" name="id25695"></a>
+        <a class="indexterm" name="id25695"></a>
         A domain security account (stored in the <a class="link" href="smb.conf.5.html#PASSDBBACKEND" target="_top">passdb backend</a>) that has been configured in
         the <code class="filename">smb.conf</code> file. The precise nature of the account information that is stored depends on the type of
         backend database that has been chosen.
         </p><p>
-        <a class="indexterm" name="id2569561"></a>
-        <a class="indexterm" name="id2569568"></a>
-        <a class="indexterm" name="id2569575"></a>
-        <a class="indexterm" name="id2569582"></a>
-        <a class="indexterm" name="id2569588"></a>
-        <a class="indexterm" name="id2569596"></a>
+        <a class="indexterm" name="id25695"></a>
+        <a class="indexterm" name="id25695"></a>
+        <a class="indexterm" name="id25695"></a>
+        <a class="indexterm" name="id2569"></a>
+        <a class="indexterm" name="id2569"></a>
+        <a class="indexterm" name="id2569"></a>
         The older format of this data is the <code class="filename">smbpasswd</code> database
         that contains the UNIX login ID, the UNIX user identifier (UID), and the
@@ -126 +126 @@
         this file that we do not need to concern ourselves with here.
         </p><p>
-        <a class="indexterm" name="id2569618"></a>
-        <a class="indexterm" name="id2569624"></a>
-        <a class="indexterm" name="id2569631"></a>
-        <a class="indexterm" name="id2569638"></a>
+        <a class="indexterm" name="id25696"></a>
+        <a class="indexterm" name="id25696"></a>
+        <a class="indexterm" name="id25696"></a>
+        <a class="indexterm" name="id25696"></a>
         The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older
         <code class="filename">smbpasswd</code> file did. The extra information enables new user account controls to be
         implemented.
         </p></li><li><p>
-        <a class="indexterm" name="id2569658"></a>
-        <a class="indexterm" name="id2569665"></a>
+        <a class="indexterm" name="id25696"></a>
+        <a class="indexterm" name="id25696"></a>
         A corresponding UNIX account, typically stored in <code class="filename">/etc/passwd</code>. Work is in progress to
         allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature
@@ -141 +141 @@
         </p></li></ul></div><p>
 </p><p>
-<a class="indexterm" name="id2569691"></a>
+<a class="indexterm" name="id2569"></a>
 There are three ways to create Machine Trust Accounts:
 </p><div class="itemizedlist"><ul type="disc"><li><p>
-        <a class="indexterm" name="id2569708"></a>
+        <a class="indexterm" name="id25697"></a>
         Manual creation from the UNIX/Linux command line. Here, both the Samba and
         corresponding UNIX account are created by hand.
         </p></li><li><p>
-        <a class="indexterm" name="id2569721"></a>
-        <a class="indexterm" name="id2569728"></a>
+        <a class="indexterm" name="id25697"></a>
+        <a class="indexterm" name="id25697"></a>
         Using the MS Windows NT4 Server Manager, either from an NT4 domain member
         server or using the Nexus toolkit available from the Microsoft Web site.
@@ -155 +155 @@
         logged on as the administrator account.
         </p></li><li><p>
-        <a class="indexterm" name="id2569744"></a>
-        <a class="indexterm" name="id2569751"></a>
+        <a class="indexterm" name="id25697"></a>
+        <a class="indexterm" name="id25697"></a>
         &#8220;<span class="quote">On-the-fly</span>&#8221; creation. The Samba Machine Trust Account is automatically
         created by Samba at the time the client is joined to the domain.
@@ -162 +162 @@
         account may be created automatically or manually. 
         </p></li></ul></div><p>
-<a class="indexterm" name="id2569770"></a>
-<a class="indexterm" name="id2569777"></a>
+<a class="indexterm" name="id25697"></a>
+<a class="indexterm" name="id25697"></a>
 Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine
 trust account creation. This is a matter of the administrator's choice.
-</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2569791"></a>Manual Creation of Machine Trust Accounts</h3></div></div></div><p>
-<a class="indexterm" name="id2569799"></a>
-<a class="indexterm" name="id2569806"></a>
-<a class="indexterm" name="id2569811"></a>
-<a class="indexterm" name="id2569818"></a>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2569"></a>Manual Creation of Machine Trust Accounts</h3></div></div></div><p>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id25698"></a>
+<a class="indexterm" name="id25698"></a>
+<a class="indexterm" name="id25698"></a>
 The first step in manually creating a Machine Trust Account is to manually
 create the corresponding UNIX account in <code class="filename">/etc/passwd</code>. 
@@ -184 +184 @@
 </pre><p>
 </p><p>
-<a class="indexterm" name="id2569887"></a>
-<a class="indexterm" name="id2569894"></a>
-<a class="indexterm" name="id2569900"></a>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id2569"></a>
+<a class="indexterm" name="id25699"></a>
 In the example above there is an existing system group &#8220;<span class="quote">machines</span>&#8221; which is used
 as the primary group for all machine accounts. In the following examples the &#8220;<span class="quote">machines</span>&#8221; group
 numeric GID is 100.
 </p><p>
-<a class="indexterm" name="id2569920"></a>
-<a class="indexterm" name="id2569927"></a>
+<a class="indexterm" name="id25699"></a>
+<a class="indexterm" name="id25699"></a>
 On *BSD systems, this can be done using the <code class="literal">chpass</code> utility:
 </p><pre class="screen">
@@ -199 +199 @@
 </pre><p>
 </p><p>
-<a class="indexterm" name="id2569968"></a>
-<a class="indexterm" name="id2569975"></a>
-<a class="indexterm" name="id2569982"></a>
-<a class="indexterm" name="id2569988"></a>
+<a class="indexterm" name="id25699"></a>
+<a class="indexterm" name="id25699"></a>
+<a class="indexterm" name="id25"></a>
+<a class="indexterm" name="id25"></a>
 The <code class="filename">/etc/passwd</code> entry will list the machine name 
 with a &#8220;<span class="quote">$</span>&#8221; appended, and will not have a password, will have a null shell and no 
@@ -211 +211 @@
 </pre><p>
 </p><p>
-<a class="indexterm" name="id2570031"></a>
-<a class="indexterm" name="id2570038"></a>
-<a class="indexterm" name="id2570045"></a>
+<a class="indexterm" name="id25700"></a>
+<a class="indexterm" name="id25700"></a>
+<a class="indexterm" name="id25700"></a>
 in which <em class="replaceable"><code>machine_nickname</code></em> can be any
 descriptive name for the client, such as BasementComputer.
@@ -221 +221 @@
 this as a Machine Trust Account.
 </p><p>
-<a class="indexterm" name="id2570070"></a>
-<a class="indexterm" name="id2570077"></a>
-<a class="indexterm" name="id2570084"></a>
+<a class="indexterm" name="id25700"></a>
+<a class="indexterm" name="id25700"></a>
+<a class="indexterm" name="id2570"></a>
 Now that the corresponding UNIX account has been created, the next step is to create 
 the Samba account for the client containing the well-known initial 
@@ -233 +233 @@
 </pre><p>
 </p><p>
-<a class="indexterm" name="id2570126"></a>
-<a class="indexterm" name="id2570133"></a>
-<a class="indexterm" name="id2570140"></a>
-<a class="indexterm" name="id2570146"></a>
+<a class="indexterm" name="id25701"></a>
+<a class="indexterm" name="id25701"></a>
+<a class="indexterm" name="id25701"></a>
+<a class="indexterm" name="id25701"></a>
 where <em class="replaceable"><code>machine_name</code></em> is the machine's NetBIOS
 name. The RID of the new machine account is generated from the UID of 
 the corresponding UNIX account.
 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Join the client to the domain immediately</h3><p>
-<a class="indexterm" name="id2570168"></a>
-<a class="indexterm" name="id2570175"></a>
-<a class="indexterm" name="id2570182"></a>
-<a class="indexterm" name="id2570189"></a>
-<a class="indexterm" name="id2570196"></a>
+<a class="indexterm" name="id25701"></a>
+<a class="indexterm" name="id25701"></a>
+<a class="indexterm" name="id2570"></a>
+<a class="indexterm" name="id2570"></a>
+<a class="indexterm" name="id2570"></a>
 Manually creating a Machine Trust Account using this method is the 
 equivalent of creating a Machine Trust Account on a Windows NT PDC using 
-<a class="indexterm" name="id2570205"></a>
+<a class="indexterm" name="id25702"></a>
 the <span class="application">Server Manager</span>. From the time at which the 
 account is created to the time the client joins the domain and 
@@ -255 +255 @@
 trusts members of the domain and will serve out a large degree of user 
 information to such clients. You have been warned!
-</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570227"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div></div><p>
-<a class="indexterm" name="id2570236"></a>
-<a class="indexterm" name="id2570243"></a>
-<a class="indexterm" name="id2570250"></a>
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id25702"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div></div><p>
+<a class="indexterm" name="id25702"></a>
+<a class="indexterm" name="id25702"></a>
+<a class="indexterm" name="id25702"></a>
 A working <a class="link" href="smb.conf.5.html#ADDMACHINESCRIPT" target="_top">add machine script</a> is essential
 for machine trust accounts to be automatically created. This applies no matter whether
 you use automatic account creation or the NT4 Domain Server Manager.
 </p><p>
-<a class="indexterm" name="id2570276"></a>
-<a class="indexterm" name="id2570283"></a>
-<a class="indexterm" name="id2570289"></a>
-<a class="indexterm" name="id2570296"></a>
+<a class="indexterm" name="id25702"></a>
+<a class="indexterm" name="id2570"></a>
+<a class="indexterm" name="id2570"></a>
+<a class="indexterm" name="id2570"></a>
 If the machine from which you are trying to manage the domain is an 
 <span class="application">MS Windows NT4 workstation or MS Windows 200x/XP Professional</span>,
@@ -273 +273 @@
 and <code class="literal">UsrMgr.exe</code> (both are domain management tools for MS Windows NT4 workstation).
 </p><p>
-<a class="indexterm" name="id2570334"></a>
-<a class="indexterm" name="id2570341"></a>
+<a class="indexterm" name="id25703"></a>
+<a class="indexterm" name="id25703"></a>
 If your workstation is a <span class="application">Microsoft Windows 9x/Me</span> family product,
  you should download the <code class="literal">Nexus.exe</code> package from the Microsoft Web site.
@@ -284 +284 @@
 <a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540" target="_top">172540</a>
 </p><p>
-<a class="indexterm" name="id2570385"></a>
-<a class="indexterm" name="id2570392"></a>
+<a class="indexterm" name="id2570"></a>
+<a class="indexterm" name="id2570"></a>
 Launch the <code class="literal">srvmgr.exe</code> (Server Manager for Domains) and follow these steps:
-</p><div class="procedure"><a name="id2570407"></a><p class="title"><b>Procedure 6.1. Server Manager Account Machine Account Management</b></p><ol type="1"><li><p>
+</p><div class="procedure"><a name="id25704"></a><p class="title"><b>Procedure 6.1. Server Manager Account Machine Account Management</b></p><ol type="1"><li><p>
         From the menu select <span class="guimenu">Computer</span>.
         </p></li><li><p>
@@ -304 +304 @@
         enter the machine name in the field provided, and click the 
         <span class="guibutton">Add</span> button.
-        </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570508"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div></div><p>
-<a class="indexterm" name="id2570516"></a>
+        </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id25705"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div></div><p>
+<a class="indexterm" name="id25705"></a>
 The third (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to
 create them as needed when the client is joined to the domain.
 </p><p>
-<a class="indexterm" name="id2570532"></a>
-<a class="indexterm" name="id2570542"></a>
-<a class="indexterm" name="id2570548"></a>
+<a class="indexterm" name="id25705"></a>
+<a class="indexterm" name="id25705"></a>
+<a class="indexterm" name="id25705"></a>
 Since each Samba Machine Trust Account requires a corresponding UNIX account, a method
 for automatically creating the UNIX account is usually supplied; this requires configuration of the
@@ -317 +317 @@
 accounts may also be created manually.
 </p><p>
-<a class="indexterm" name="id2570570"></a>
-<a class="indexterm" name="id2570577"></a>
+<a class="indexterm" name="id25705"></a>
+<a class="indexterm" name="id25705"></a>
 Here is an example for a Red Hat Linux system:
-</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2570599"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</code></em></td></tr></table><p>
-</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570614"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div></div><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2570"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</code></em></td></tr></table><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id25706"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div></div><p>
 The procedure for making an MS Windows workstation or server a member of the domain varies
 with the version of Windows.
-</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2570625"></a>Windows 200x/XP Professional Client</h4></div></div></div><p>
-<a class="indexterm" name="id2570633"></a>
-<a class="indexterm" name="id2570640"></a>
-<a class="indexterm" name="id2570649"></a>
-<a class="indexterm" name="id2570656"></a>
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id25706"></a>Windows 200x/XP Professional Client</h4></div></div></div><p>
+<a class="indexterm" name="id25706"></a>
+<a class="indexterm" name="id25706"></a>
+<a class="indexterm" name="id25706"></a>
+<a class="indexterm" name="id25706"></a>
         When the user elects to make the client a domain member, Windows 200x prompts for
         an account and password that has privileges to create  machine accounts in the domain.