Doing the NIS/NT Samba

By Jeremy Allison

Before I begin my discussion of the new NT domain features in Samba, I'd like to discuss some important differences between the NT and Unix security models.

Parts of the user-account model in the Windows NT security system are well designed. Every Windows NT machine, be it server, workstation, primary domain controller (PDC), or backup domain controller (BDC) has an account database called SAM, which stands for security account manager. This database is equivalent to a combination of the /etc/passwd and /etc/group databases on a Unix machine in that it contains only users and groups local to that machine.

A SAM on an NT primary domain controller is equivalent to the passwd and group maps on an NIS (network information service) master, in that users defined in these maps exist on all machines participating in the NIS domain (which can be thought of as equivalent to an NT domain). Backup domain controllers have no local account database of their own, as they are read-only mirrors of the SAM account database on the PDC and may be thought of as equivalent to NIS slave servers.

A big difference between NIS and the NT domain system is that the SAM databases on PDCs and BDCs are the only account databases present on these machines. NT BDCs cannot have local accounts as well as domain accounts as there is only one SAM database per machine. NIS slave servers, on the other hand, may have local accounts in their /etc/passwd and /etc/group files as well as being servers for the NIS domain accounts.

Acronyms used in this article

BDC Backup Domain Controller

NIS Network Information Service

PDC Primary Domain Controller

RID Relative ID

RPC Remote Procedure Call

SAM Security Account Manager

SID Security ID

SMB Server Message Blocks

A more important difference between the NIS and NT domain systems appears when logging on to a workstation or server that is a member of an NT domain (Unix makes no distinction between workstation and server, but NT does): the user can choose to log on either as a domain user or as a local user, so long as he knows the relevant password.
