Rework Overview section
authored Aug 28, 2018 by Tim Beale
samba-functionality/overview.md
View page @ e3066fce
...
...
@@ -53,6 +53,9 @@ and Samba (specifically the `samba` binary) acts as server for each protocol.
The server responsibilties include:
*
_File Server_. The AD DC must always provide file server functionality.
Note that the file server always runs as a separate binary (
[
smbd
](
https://git.samba.org/?p=samba.git;a=tree;f=source3/smbd
)
).
*
_LDAP Server_. LDAP (Lightweight Directory Access Protocol) is one way
AD clients look up user information or to perform administration.
LDAP is the primary administrative
...
...
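Review bot: The new note in the _File Server_ bullet, "the file server always runs as a separate binary (smbd)", conflicts with the sentence visible in the hunk header, which says Samba "(specifically the `samba` binary) acts as server for each protocol". A reader cannot tell from these lines which process actually serves SMB. Suggest qualifying the earlier sentence so the file server is called out as the exception, or rewording the note to say which binary listens for file-server connections. Two smaller points while this list is being touched: "responsibilties" in the context line should be "responsibilities", and "one way AD clients look up user information or to perform administration" is not parallel ("look up ... or perform ...").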
@@ -100,19 +103,20 @@ replication support.
## [Domain member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)
A domain member is
a server or workstation joined
to an AD
or NT4
domain
which
uses that domain as the source of authentication and
A
_
domain member
_
is
essentially a machine that forwards authentication requests
to an AD
DC.
The
domain
member joins an AD domain and
uses that domain as the source of authentication and
authorization for connecting users. This allows transparent access to
the resources on that server without maintaining a distinct password list.
The primary use of a domain member server is as a file server, however
there are other interesting use cases:
the resources on that server, without the server maintaining a distinct password list.
*
[
source3/winbindd
](
https://git.samba.org/?p=samba.git;a=tree;f=source3/winbindd
)
The domain member is often used when Samba is run solely as a file server (rather than an AD DC).
The domain member plumbs the authentication required by the file server through to another AD DC in the network.
The domain member can also query domain information on the AD DC.
The domain member functionality uses
[
winbindd
](
https://git.samba.org/?p=samba.git;a=tree;f=source3/winbindd
)
.
### Kerberos
A linux-based workstation can also use the domain member functionality to authenticate itself (i.e. allow desktop login).
There is a similar mode for NT4.
A domain member holds a
k
erberos principal in the realm (domain) and
A domain member holds a
K
erberos principal in the realm (domain) and
so the
*machine account*
(the object in the domain that represents the
domain member) can be used to make or accept Kerberised network
requests.
...
...
...
...
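Review bot: In the reworked domain member paragraph, "plumbs the authentication required by the file server through to another AD DC in the network" implies the domain member is itself an AD DC, which contradicts the sentence just before it ("run solely as a file server (rather than an AD DC)"). Suggest "through to an AD DC in the network". The rewrite also drops "or NT4" from the definition and replaces it with "There is a similar mode for NT4", which no longer says what the mode is similar to or that an NT4 domain can be joined; one explicit sentence would keep the information the old text had. For consistency with the "kerberos" to "Kerberos" fix in the same hunk, "linux-based" should be "Linux-based".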