Build an NT domain without an NT Server

Source: Internet
Author: Yang Peng
  
In China, a great many small and medium-sized networks run Windows NT as their network operating system (NOS) for basic services such as user management and file sharing. If your work requires the Windows NT domain model, but you would rather do without NT's complex administration, expensive licensing and modest efficiency, consider the free Samba world. Samba is free, open-source software. Starting from SMB (Server Message Block), the protocol underlying Windows networking, its author Andrew Tridgell and the Samba team built a suite that integrates Unix systems fully into Windows networks. The name Samba was chosen simply as a word containing the letters S, M and B.
  
Samba and Windows Network
  
Windows systems give convenient access to network resources through Network Neighborhood. Behind it is the Windows Browser service (not to be confused with web browsing on the Internet). The browser service is built on NetBIOS names: each Windows host announces itself on the network, and the browse master keeps a list of the hosts it has heard from. That is why Network Neighborhood shows the NetBIOS names of all machines. Because the list is only refreshed periodically, machines that have already been shut down can remain visible for a while.
  
Before domains, Windows networks were organised as workgroups. Each host kept its own usernames and passwords and authenticated access to its own shares itself, which made both security and performance hard to manage; a user also had to supply a password for every resource on every machine, which is tedious and inefficient. To meet business users' demands for security and efficiency, Windows commercial networking introduced the domain. In a domain, the Primary Domain Controller (PDC) automatically becomes the domain master browser, responsible for building and maintaining the browse list, and other Windows NT machines can be elected as backup browsers to assist it. The domain provides a single security boundary: all user authentication and resource authorisation are controlled by the PDC, so one logon gives access throughout the domain.
  
Samba is free, open-source software. Although it could not obtain the necessary technical information openly (the SMB protocol was proprietary and undocumented at the time), it has kept growing. Samba is no longer merely a bridge between Unix/Linux and Windows: it lets a Unix system manage an entire Windows network in place of an NT Primary Domain Controller. In this way we can build a genuine Windows domain without a genuine NT server.
  
Samba can imitate an NT PDC: it takes part in the browser elections as the PDC and lets Windows clients log on to the domain, exactly as an NT PDC does. On startup it tells the other Windows machines, in effect, "I am the Primary Domain Controller and I provide logon authentication." No other NT Server may be declared PDC of the same domain at that point; otherwise the two compete for the role and domain logons break. Samba must also provide domain logons, so that Windows users can enter a username, password and domain name at startup and log on to the domain. Note that the security level must be user here: server- and domain-level security hand authentication off to another server, but a domain has only one PDC and it is itself the authority. Passwords are therefore checked against Samba's local password file, and encrypted passwords must be used for security: Windows NT 4.0 (from Service Pack 3) and Windows 2000 refuse plaintext SMB passwords by default, and a plaintext password would otherwise cross the wire in the clear.
  
Server Configuration
  
The following is the basic configuration of the Samba server serving as the PDC in Linux:
  
  
[global]
   ...... other global parameters ......

   workgroup = Samba.net
   netbios name = PDC

   security = user
   domain logons = true
   encrypt passwords = true
   domain master = true
   preferred master = true
   local master = true
   ......
  
  
  
domain logons = true means Samba accepts domain logons from clients; encrypt passwords = true means it uses NT-style encrypted (hashed) passwords instead of plaintext; domain master = true makes Samba announce itself as the domain master browser, the role the PDC plays; preferred master = true makes it call a browser election when it starts so that it wins the role promptly; local master = true lets it win the local master browser election as well, so it provides browsing for its own subnet in addition to the domain.
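The five settings above are the ones that decide whether Samba can act as the PDC at all, and a typo in any of them (the original configuration even misspelled security) silently turns the server into an ordinary file server. The following script is an added example, not part of the article or of Samba: it extracts the [global] section of an smb.conf and checks it for the PDC role, flagging the weak settings (security = share, encrypt passwords = no) a practitioner should never see on a domain controller. The two sample configurations are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): lint an smb.conf for the [global]
# settings the PDC role above requires. Parameter names and boolean spellings
# follow Samba's smb.conf(5) conventions; the sample files are constructed here.

# smb_global_params FILE: print "name=value" for every parameter in [global],
# names and values lowercased and trimmed, comments and other sections skipped.
smb_global_params() {
    awk '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/  { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect == "global" && index($0, "=") {
            n = $0; sub(/=.*/, "", n)
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", n)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print tolower(n) "=" tolower(v)
        }' "$1"
}

# smb_get FILE NAME: print the normalised value of NAME, or nothing if unset.
smb_get() {
    smb_global_params "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# smb_bool VALUE: fold Samba's boolean spellings to yes/no.
smb_bool() {
    case "$1" in
        yes|true|1) echo yes ;;
        no|false|0) echo no ;;
        *) echo "$1" ;;
    esac
}

# check_pdc_conf FILE: return 0 if FILE can serve as the domain's PDC,
# otherwise print each problem and return 1.
check_pdc_conf() {
    conf=$1 rc=0
    [ -n "$(smb_get "$conf" workgroup)" ] || { echo "workgroup: unset (this is the domain name)"; rc=1; }
    sec=$(smb_get "$conf" security)
    # The PDC is itself the password authority: "server" and "domain" would
    # forward authentication to another server, "share" has no per-user logon.
    case "$sec" in
        user) ;;
        '')   echo "security: unset, must be 'user'"; rc=1 ;;
        *)    echo "security = $sec: a PDC needs 'security = user'"; rc=1 ;;
    esac
    for p in "domain logons" "encrypt passwords" "domain master"; do
        v=$(smb_bool "$(smb_get "$conf" "$p")")
        [ "$v" = yes ] || { echo "$p: must be yes (found '${v:-unset}')"; rc=1; }
    done
    for p in "preferred master" "local master"; do
        v=$(smb_bool "$(smb_get "$conf" "$p")")
        [ "$v" = yes ] || echo "note: $p is not yes; browse list elections may be slower"
    done
    return $rc
}

# Constructed sample inputs: the article's configuration, and a weakened one
# that is syntactically valid but sends passwords in the clear and cannot
# tell users apart.
tmp=${TMPDIR:-/tmp}/smbpdc.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pdc.conf" <<'EOF'
[Global]
   workgroup = Samba.net
   netbios name = PDC
   security = user
   domain logons = true
   encrypt passwords = true
   domain master = true
   preferred master = true
   local master = true

[netlogon]
   path = /home/netlogon
EOF
cat > "$tmp/weak.conf" <<'EOF'
[global]
   workgroup = Samba.net
   security = share
   domain logons = yes
   encrypt passwords = no
   domain master = yes
EOF

for f in "$tmp/pdc.conf" "$tmp/weak.conf"; do
    if check_pdc_conf "$f"; then echo "$f: suitable as PDC"; else echo "$f: NOT suitable as PDC"; fi
done
```

Run it after testparm: testparm catches unknown parameter names, but it will happily accept security = share on a would-be domain controller, which is exactly what this check is for.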
  
With this configuration in place, you create the domain's users, much as you would in NT's User Manager for Domains. This is simple:
  
First, create a local Unix account:
  
  
useradd -r myaccount
  
  
  
This creates a Unix user named myaccount. (On Red Hat-style systems -r creates a system account with no home directory, which suits users who only ever log on from Windows; drop it for users who also need a Unix home.)
  
Then create a Samba user on top of it. smbadduser maps the Unix account (left of the colon) to an NT username (right of the colon) and prompts for the Samba password:
  
  
smbadduser myaccount:mysmbact
  
  
  
Or, to keep the same name on both sides:


smbpasswd -a myaccount
  
  
  
Client settings
  
A plain Windows 9x (95/98/ME) client needs no special setup: it can log on to the Samba.net domain as it is. It has no way of knowing that the domain controller has changed from an NT Server to a Samba server, and logon scripts, system policies, user profiles and the other tasks it would perform against an NT Server continue to work.
  
An NT 4.0 or Windows 2000 client is more work, because NT domain authentication relies on a machine trust account, so one must be created on the Samba server for each client. The following uses a computer named w2000 as the example (NT and 2000 hardly differ here, so both are called NT below):
  
  
useradd -d /dev/null -r -s /bin/false 'w2000$'
  
  
  
This creates a Unix account named w2000$ (the trailing $ is what marks it as a machine account; quoting it keeps the shell from treating it as a variable). For security the account must never be able to log on to Linux, so its home directory is /dev/null and its shell is /bin/false.
  
Then, we can use smbpasswd to create the corresponding Samba Machine Account:
  
  
smbpasswd -a -m w2000
  
  
  
Here -a adds an entry and -m marks it as a machine trust account; smbpasswd appends the $ itself, so the name is given as w2000, not w2000$. This creates the domain's machine trust account for w2000 on top of the Unix account w2000$.
  
If the machine is joined to the Samba domain during NT installation, the join tries to create the computer account on the domain controller on the fly. It is better not to rely on this: Samba can only do it if an add user script is configured on the Linux side to create the matching Unix account, which is troublesome for beginners and easy to get wrong. Create the accounts in advance as shown above instead.
  
If you join an already installed NT Workstation to the domain, you are asked for a username and password that are allowed to add machines to the domain, just as you would give the Administrator account on an ordinary NT Server. On the Samba server this operation is performed by root. If you have not already done so, create a Samba account for root:
  
  
smbadduser root:root
  
  
  
Enter the password twice. Give this account a strong password: authenticating to Samba as root carries the same authority as root on the Linux box itself.
  
That completes the Samba side. On the NT client, change the domain membership (on Windows 2000, the Network Identification) and enter a username that exists in the Samba password file, the domain name and the password; the machine joins the Samba domain. When asked for an account permitted to add machines to the domain, use the root account created above.
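The account steps above (a Unix account, then the Samba entry on top of it; for machines, a locked-down w2000$ account followed by smbpasswd -a -m without the $) are easy to get wrong by hand, most often by letting the shell eat the trailing $ or by passing it to smbpasswd as well. The following script is an added example, not from the article or from Samba, that wraps both procedures with the checks they need. It assumes Samba 2.x-era smbpasswd flags as used above; the NetBIOS-name validation and the lowercasing of the machine account name are this example's own choices, matching the lowercase names the article uses. With SAMBA_DRY_RUN=1 it only prints the commands, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example (not from the article): provision the accounts the steps above
# describe, for an ordinary user and for an NT/2000 machine trust account,
# with the checks the article leaves implicit. Assumes Samba 2.x-era
# smbpasswd (-a adds, -m marks a machine account). Set SAMBA_DRY_RUN=1 to
# print the commands instead of running them; without it you must be root.

# run CMD...: execute CMD, or print it when SAMBA_DRY_RUN is set.
run() {
    if [ -n "${SAMBA_DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# trust_account_name HOST: print the Unix account name for HOST's trust
# account (NetBIOS name, lowercased, plus a trailing '$'), accepting HOST with
# or without the '$'. Returns 1 for anything that is not a plausible NetBIOS
# name: 1 to 15 characters from letters, digits, '-' and '_' (this example's
# own validation rule).
trust_account_name() {
    host=${1%\$}
    case "$host" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#host}" -le 15 ] || return 1
    printf '%s$\n' "$host" | tr 'A-Z' 'a-z'
}

# add_domain_user NAME: Unix account (skipped if it already exists) plus the
# Samba password entry. smbpasswd -a prompts for the password unless dry-running.
add_domain_user() {
    name=$1
    case "$name" in ''|*[!a-z0-9_-]*) echo "bad user name: '$name'" >&2; return 1 ;; esac
    if ! getent passwd "$name" >/dev/null 2>&1; then
        run useradd -m "$name" || return 1
    fi
    run smbpasswd -a "$name"
}

# add_trust_account HOST: locked-down Unix account (system account, no home,
# no shell) and the matching Samba machine account. The '$' must reach
# useradd literally, so the name is always passed quoted; smbpasswd wants the
# name WITHOUT the '$' and appends it itself.
add_trust_account() {
    acct=$(trust_account_name "$1") || { echo "invalid NetBIOS name: '$1'" >&2; return 1; }
    host=${acct%\$}
    if ! getent passwd "$acct" >/dev/null 2>&1; then
        run useradd -d /dev/null -r -s /bin/false "$acct" || return 1
    fi
    run smbpasswd -a -m "$host"
}

# Demonstration in dry-run mode with constructed names; nothing is changed.
SAMBA_DRY_RUN=1
add_domain_user myaccount
add_trust_account W2000
add_trust_account 'w2000$'
add_trust_account 'bad name' || echo "rejected, as intended"
```

Unset SAMBA_DRY_RUN and run it as root to create the accounts for real; smbpasswd -a will then prompt for the user's password, while -a -m needs none because the client sets the machine password when it joins.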
  
Conclusion
  
With a Samba PDC, all Windows network administration moves into Linux, where its flexible configuration and management tools make file sharing, authentication, printer sharing and the other everyday functions easy to implement.
  
Because the Samba team could not obtain the protocol details (the SMB protocol was undocumented), the Samba PDC at the time of writing does not fully support complex domain structures.
  
For example, it does not support other Windows NT servers as Backup Domain Controllers (BDCs), so the domain has exactly one domain controller. On a large network the volume of authentication traffic may then strain that single server.
  
It may also have problems when file shares are managed from the client, it does not support structures with more than one domain, and it cannot establish trust relationships between two domains. These limitations describe the Samba releases current when this article was written; we expect them to be resolved one by one.
  