svn commit: samba-docs r557 - in trunk/Samba-HOWTO-Collection: .
jht at samba.org
Mon May 16 23:04:10 GMT 2005
Author: jht
Date: 2005-05-16 23:04:09 +0000 (Mon, 16 May 2005)
New Revision: 557
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=557
Log:
Another progress update.
Modified:
trunk/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml
Changeset:
Modified: trunk/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml
===================================================================
--- trunk/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml 2005-05-16 21:38:34 UTC (rev 556)
+++ trunk/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml 2005-05-16 23:04:09 UTC (rev 557)
@@ -661,6 +661,7 @@
</screen>
Next, the domain user <constant>jht</constant> is given the privileges needed for day to day
administration:
+<screen>
&rootprompt; net rpc rights grant "MIDEARTH\jht" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege \
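Review bot: the only change in this hunk is the added opening `<screen>` in front of the `&rootprompt; net rpc rights grant "MIDEARTH\jht" \` example, so the matching `</screen>` must already be present after the continuation lines, outside the shown context. Please confirm that it is there and that no second `</screen>` is left over, since an unbalanced `<screen>` pair will break DocBook validation of the whole chapter.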
@@ -712,26 +713,85 @@
<title>Managing Trust Relationships</title>
<para>
- Document how to set up trusts here!!!!!!!!!!!
+ There are essentially two types of trust relationships. The first between domain controllers and domain
+ member machines (network clients), the second trusts between domains (called inter-domain trusts). All
+ Samba servers that pasticipate in domain security require a domain membership trust account, as do like
+ Windows NT/2KX/XPP workstations.
</para>
<sect2>
<title>Machine Trust Accounts</title>
<para>
+ A Samba server domain trust account can be validated as shown in this example:
<screen>
&rootprompt; net rpc testjoin
Join to 'MIDEARTH' is OK
</screen>
+ Where there is no domain membership account, or when the account credentials are not valid the following
+ results will be observed:
+<screen>
+net rpc testjoin -S DOLPHIN
+Join to domain 'WORLDOCEAN' is not valid
+</screen>
</para>
+ <para>
+ The equivalent command for joining a Samba server to a Windows ADS domain is shown here:
+<screen>
+&rootprompt; net ads testjoin
+Using short domain name -- TAKEAWAY
+Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ'
+</screen>
+ In the event that the ADS trust was not established, or is broken for one reason or another, the following
+ error message may be obtained:
+<screen>
+&rootprompt; net ads testjoin -UAdministrator%secret
+Join to domain is not valid
+</screen>
+ </para>
+
+ <para>
+ The following demonstrates the process of creating a machine trust account in the target domain for the
+ Samba server from which the command is executed:
+<screen>
+&rootprompt; net rpc join -S FRODO -Uroot%not24get
+Joined domain MIDEARTH.
+</screen>
+ The joining of a Samba server to a Samba domain results in the creation of a machine account. An example
+ of this is shown here:
+<screen>
+&rootprompt; pdbedit -Lw merlin\$
+merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\
+176D8C554E99914BDF3407DEA2231D80:[S ]:LCT-42891919:
+</screen>
+ The equivalent command to join a Samba server to a Windows ADS domain is shown here:
+<screen>
+&rootprompt; net ads join -UAdministrator%not24get
+Using short domain name -- GDANSK
+Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
+</screen>
+ </para>
+
+ <para>
+ There is no specific option to remove a machine account from a domain. When a domain member that is a
+ Windows machine is withdrawn from the domain the domain membership account is not automatically removed
+ either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
+ machine account can be removed using the following <command>net</command> command:
+<screen>
+&rootprompt; net rpc user delete HERRING\$ -Uroot%not24get
+Deleted user account.
+</screen>
+ </para>
+
</sect2>
<sect2>
<title>Inter-Domain Trusts</title>
<para>
- Document how to set up trusts here!!!!!!!!!!!
+ Inter-domain trust relationships form the primary mechanism by which users from one domain can be granted
+ access rights and privileges in another domain.
</para>
</sect2>
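Review bot: the new introductory paragraph has a typo and a grammar slip: "pasticipate" should read "participate", and "as do like Windows NT/2KX/XPP workstations" needs rewording (drop "like" or rephrase the clause). The sentence "or when the account credentials are not valid the following results will be observed" is missing a comma after "valid", and the `net rpc testjoin -S DOLPHIN` screen is the only example without the `&rootprompt;` entity the rest of the section uses. The join and delete examples pass the administrator password on the command line (`-Uroot%not24get`, `-UAdministrator%secret`); consider adding a sentence that omitting the `%password` part makes `net` prompt for it, so the credential does not end up in shell history or process listings.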