Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next

Domain Security Mode (User-Level Security)

Domain security provides a mechanism for storing all user and group accounts in a central, shared, account repository. The centralized account repository is shared between domain (security) controllers. Servers that act as domain controllers provide authentication and validation services to all machines that participate in the security context for the domain. A primary domain controller (PDC) is a server that is responsible for maintaining the integrity of the security account database. Backup domain controllers (BDCs) provide only domain logon and authentication services. Usually, BDCs will answer network logon requests more responsively than will a PDC.

When Samba is operating in security = domain mode, the Samba server has a domain security trust account (a machine account) and causes all authentication requests to be passed through to the domain controllers. In other words, this configuration makes the Samba server a domain member server, even when it is in fact acting as a domain controller. All machines that participate in domain security must have a machine account in the security database.

Within the domain security environment, the underlying security architecture uses user-level security. Even machines that are domain members must authenticate on startup. The machine account consists of an account entry in the accounts database, the name of which is the NetBIOS name of the machine and of which the password is randomly generated and known to both the domain controllers and the member machine. If the machine account cannot be validated during startup, users will not be able to log on to the domain using this machine because it cannot be trusted. The machine account is referred to as a machine trust account.

There are three possible domain member configurations:

  1. Primary domain controller (PDC) - of which there is one per domain.

  2. Backup domain controller (BDC) - of which there can be any number per domain.

  3. Domain member server (DMS) - of which there can be any number per domain.

We will discuss each of these in separate chapters. For now, we are most interested in basic DMS configuration.

Example Configuration

Samba as a Domain Member Server

This method involves addition of the following parameters in the smb.conf file:

security = domain
workgroup = MIDEARTH

In order for this method to work, the Samba server needs to join the MS Windows NT security domain. This is done as follows:

  1. On the MS Windows NT domain controller, using the Server Manager, add a machine account for the Samba server.

  2. On the UNIX/Linux system execute:

    net rpc join -U administrator%password
Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire