1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

ading new files from 3.0

(This used to be commit 99feae7b5b)
This commit is contained in:
Gerald Carter 2003-07-16 05:42:34 +00:00
parent 4a090ba06a
commit 1caa6b23e4
112 changed files with 21094 additions and 0 deletions

View File

@ -0,0 +1 @@
attributions.xml

797
docs/docbook/devdoc/vfs.xml Normal file
View File

@ -0,0 +1,797 @@
<chapter id="vfs">
<chapterinfo>
<author>
<firstname>Alexander</firstname><surname>Bokovoy</surname>
<affiliation>
<address><email>ab@samba.org</email></address>
</affiliation>
</author>
<author>
<firstname>Stefan</firstname><surname>Metzmacher</surname>
<affiliation>
<address><email>metze@metzemix.de</email></address>
</affiliation>
</author>
<pubdate> 27 May 2003 </pubdate>
</chapterinfo>
<title>VFS Modules</title>
<sect1>
<title>The Samba (Posix) VFS layer</title>
<sect2>
<title>The general interface</title>
<para>
Each VFS operation has a vfs_op_type, a function pointer and a handle pointer in the
struct vfs_ops and tree macros to make it easier to call the operations.
(Take a look at <filename>include/vfs.h</filename> and <filename>include/vfs_macros.h</filename>.)
</para>
<para><programlisting>
typedef enum _vfs_op_type {
SMB_VFS_OP_NOOP = -1,
...
/* File operations */
SMB_VFS_OP_OPEN,
SMB_VFS_OP_CLOSE,
SMB_VFS_OP_READ,
SMB_VFS_OP_WRITE,
SMB_VFS_OP_LSEEK,
SMB_VFS_OP_SENDFILE,
...
SMB_VFS_OP_LAST
} vfs_op_type;
</programlisting></para>
<para>This struct contains the function and handle pointers for all operations.<programlisting>
struct vfs_ops {
struct vfs_fn_pointers {
...
/* File operations */
int (*open)(struct vfs_handle_struct *handle,
struct connection_struct *conn,
const char *fname, int flags, mode_t mode);
int (*close)(struct vfs_handle_struct *handle,
struct files_struct *fsp, int fd);
ssize_t (*read)(struct vfs_handle_struct *handle,
struct files_struct *fsp, int fd, void *data, size_t n);
ssize_t (*write)(struct vfs_handle_struct *handle,
struct files_struct *fsp, int fd,
const void *data, size_t n);
SMB_OFF_T (*lseek)(struct vfs_handle_struct *handle,
struct files_struct *fsp, int fd,
SMB_OFF_T offset, int whence);
ssize_t (*sendfile)(struct vfs_handle_struct *handle,
int tofd, files_struct *fsp, int fromfd,
const DATA_BLOB *header, SMB_OFF_T offset, size_t count);
...
} ops;
struct vfs_handles_pointers {
...
/* File operations */
struct vfs_handle_struct *open;
struct vfs_handle_struct *close;
struct vfs_handle_struct *read;
struct vfs_handle_struct *write;
struct vfs_handle_struct *lseek;
struct vfs_handle_struct *sendfile;
...
} handles;
};
</programlisting></para>
<para>
This macros SHOULD be used to call any vfs operation.
DO NOT ACCESS conn-&gt;vfs.ops.* directly !!!
<programlisting>
...
/* File operations */
#define SMB_VFS_OPEN(conn, fname, flags, mode) \
((conn)-&gt;vfs.ops.open((conn)-&gt;vfs.handles.open,\
(conn), (fname), (flags), (mode)))
#define SMB_VFS_CLOSE(fsp, fd) \
((fsp)-&gt;conn-&gt;vfs.ops.close(\
(fsp)-&gt;conn-&gt;vfs.handles.close, (fsp), (fd)))
#define SMB_VFS_READ(fsp, fd, data, n) \
((fsp)-&gt;conn-&gt;vfs.ops.read(\
(fsp)-&gt;conn-&gt;vfs.handles.read,\
(fsp), (fd), (data), (n)))
#define SMB_VFS_WRITE(fsp, fd, data, n) \
((fsp)-&gt;conn-&gt;vfs.ops.write(\
(fsp)-&gt;conn-&gt;vfs.handles.write,\
(fsp), (fd), (data), (n)))
#define SMB_VFS_LSEEK(fsp, fd, offset, whence) \
((fsp)-&gt;conn-&gt;vfs.ops.lseek(\
(fsp)-&gt;conn-&gt;vfs.handles.lseek,\
(fsp), (fd), (offset), (whence)))
#define SMB_VFS_SENDFILE(tofd, fsp, fromfd, header, offset, count) \
((fsp)-&gt;conn-&gt;vfs.ops.sendfile(\
(fsp)-&gt;conn-&gt;vfs.handles.sendfile,\
(tofd), (fsp), (fromfd), (header), (offset), (count)))
...
</programlisting></para>
</sect2>
<sect2>
<title>Possible VFS operation layers</title>
<para>
These values are used by the VFS subsystem when building the conn-&gt;vfs
and conn-&gt;vfs_opaque structs for a connection with multiple VFS modules.
Internally, Samba differentiates only opaque and transparent layers at this process.
Other types are used for providing better diagnosing facilities.
</para>
<para>
Most modules will provide transparent layers. Opaque layer is for modules
which implement actual file system calls (like DB-based VFS). For example,
default POSIX VFS which is built in into Samba is an opaque VFS module.
</para>
<para>
Other layer types (logger, splitter, scanner) were designed to provide different
degree of transparency and for diagnosing VFS module behaviour.
</para>
<para>
Each module can implement several layers at the same time provided that only
one layer is used per each operation.
</para>
<para><programlisting>
typedef enum _vfs_op_layer {
SMB_VFS_LAYER_NOOP = -1, /* - For using in VFS module to indicate end of array */
/* of operations description */
SMB_VFS_LAYER_OPAQUE = 0, /* - Final level, does not call anything beyond itself */
SMB_VFS_LAYER_TRANSPARENT, /* - Normal operation, calls underlying layer after */
/* possibly changing passed data */
SMB_VFS_LAYER_LOGGER, /* - Logs data, calls underlying layer, logging may not */
/* use Samba VFS */
SMB_VFS_LAYER_SPLITTER, /* - Splits operation, calls underlying layer _and_ own facility, */
/* then combines result */
SMB_VFS_LAYER_SCANNER /* - Checks data and possibly initiates additional */
/* file activity like logging to files _inside_ samba VFS */
} vfs_op_layer;
</programlisting></para>
</sect2>
</sect1>
<sect1>
<title>The Interaction between the Samba VFS subsystem and the modules</title>
<sect2>
<title>Initialization and registration</title>
<para>
As each Samba module a VFS module should have a
<programlisting>NTSTATUS vfs_example_init(void);</programlisting> function if it's staticly linked to samba or
<programlisting>NTSTATUS init_module(void);</programlisting> function if it's a shared module.
</para>
<para>
This should be the only non static function inside the module.
Global variables should also be static!
</para>
<para>
The module should register its functions via the
<programlisting>
NTSTATUS smb_register_vfs(int version, const char *name, vfs_op_tuple *vfs_op_tuples);
</programlisting> function.
</para>
<variablelist>
<varlistentry><term>version</term>
<listitem><para>should be filled with SMB_VFS_INTERFACE_VERSION</para></listitem>
</varlistentry>
<varlistentry><term>name</term>
<listitem><para>this is the name witch can be listed in the
<command>vfs objects</command> parameter to use this module.</para></listitem>
</varlistentry>
<varlistentry><term>vfs_op_tuples</term>
<listitem><para>
this is an array of vfs_op_tuple's.
(vfs_op_tuples is descripted in details below.)
</para></listitem>
</varlistentry>
</variablelist>
<para>
For each operation the module wants to provide it has a entry in the
vfs_op_tuple array.
</para>
<programlisting>
typedef struct _vfs_op_tuple {
void* op;
vfs_op_type type;
vfs_op_layer layer;
} vfs_op_tuple;
</programlisting>
<variablelist>
<varlistentry><term>op</term>
<listitem><para>the function pointer to the specified function.</para></listitem>
</varlistentry>
<varlistentry><term>type</term>
<listitem><para>the vfs_op_type of the function to specified witch operation the function provides.</para></listitem>
</varlistentry>
<varlistentry><term>layer</term>
<listitem><para>the vfs_op_layer in whitch the function operates.</para></listitem>
</varlistentry>
</variablelist>
<para>A simple example:</para>
<programlisting>
static vfs_op_tuple example_op_tuples[] = {
{SMB_VFS_OP(example_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(example_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(example_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_OPAQUE},
/* This indicates the end of the array */
{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};
NTSTATUS init_module(void)
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, &quot;example&quot;, example_op_tuples);
}
</programlisting>
</sect2>
<sect2>
<title>How the Modules handle per connection data</title>
<para>Each VFS function has as first parameter a pointer to the modules vfs_handle_struct.
</para>
<programlisting>
typedef struct vfs_handle_struct {
struct vfs_handle_struct *next, *prev;
const char *param;
struct vfs_ops vfs_next;
struct connection_struct *conn;
void *data;
void (*free_data)(void **data);
} vfs_handle_struct;
</programlisting>
<variablelist>
<varlistentry><term>param</term>
<listitem><para>this is the module parameter specified in the <command>vfs objects</command> parameter.</para>
<para>e.g. for 'vfs objects = example:test' param would be &quot;test&quot;.</para></listitem>
</varlistentry>
<varlistentry><term>vfs_next</term>
<listitem><para>This vfs_ops struct contains the information for calling the next module operations.
Use the SMB_VFS_NEXT_* macros to call a next module operations and
don't access handle-&gt;vfs_next.ops.* directly!</para></listitem>
</varlistentry>
<varlistentry><term>conn</term>
<listitem><para>This is a pointer back to the connection_struct to witch the handle belongs.</para></listitem>
</varlistentry>
<varlistentry><term>data</term>
<listitem><para>This is a pointer for holding module private data.
You can alloc data with connection life time on the handle-&gt;conn-&gt;mem_ctx TALLOC_CTX.
But you can also manage the memory allocation yourself.</para></listitem>
</varlistentry>
<varlistentry><term>free_data</term>
<listitem><para>This is a function pointer to a function that free's the module private data.
If you talloc your private data on the TALLOC_CTX handle-&gt;conn-&gt;mem_ctx,
you can set this function pointer to NULL.</para></listitem>
</varlistentry>
</variablelist>
<para>Some useful MACROS for handle private data.
</para>
<programlisting>
#define SMB_VFS_HANDLE_GET_DATA(handle, datap, type, ret) { \
if (!(handle)||((datap=(type *)(handle)-&gt;data)==NULL)) { \
DEBUG(0,(&quot;%s() failed to get vfs_handle-&gt;data!\n&quot;,FUNCTION_MACRO)); \
ret; \
} \
}
#define SMB_VFS_HANDLE_SET_DATA(handle, datap, free_fn, type, ret) { \
if (!(handle)) { \
DEBUG(0,(&quot;%s() failed to set handle-&gt;data!\n&quot;,FUNCTION_MACRO)); \
ret; \
} else { \
if ((handle)-&gt;free_data) { \
(handle)-&gt;free_data(&amp;(handle)-&gt;data); \
} \
(handle)-&gt;data = (void *)datap; \
(handle)-&gt;free_data = free_fn; \
} \
}
#define SMB_VFS_HANDLE_FREE_DATA(handle) { \
if ((handle) &amp;&amp; (handle)-&gt;free_data) { \
(handle)-&gt;free_data(&amp;(handle)-&gt;data); \
} \
}
</programlisting>
<para>How SMB_VFS_LAYER_TRANSPARENT functions can call the SMB_VFS_LAYER_OPAQUE functions.</para>
<para>The easiest way to do this is to use the SMB_VFS_OPAQUE_* macros.
</para>
<programlisting>
...
/* File operations */
#define SMB_VFS_OPAQUE_OPEN(conn, fname, flags, mode) \
((conn)-&gt;vfs_opaque.ops.open(\
(conn)-&gt;vfs_opaque.handles.open,\
(conn), (fname), (flags), (mode)))
#define SMB_VFS_OPAQUE_CLOSE(fsp, fd) \
((fsp)-&gt;conn-&gt;vfs_opaque.ops.close(\
(fsp)-&gt;conn-&gt;vfs_opaque.handles.close,\
(fsp), (fd)))
#define SMB_VFS_OPAQUE_READ(fsp, fd, data, n) \
((fsp)-&gt;conn-&gt;vfs_opaque.ops.read(\
(fsp)-&gt;conn-&gt;vfs_opaque.handles.read,\
(fsp), (fd), (data), (n)))
#define SMB_VFS_OPAQUE_WRITE(fsp, fd, data, n) \
((fsp)-&gt;conn-&gt;vfs_opaque.ops.write(\
(fsp)-&gt;conn-&gt;vfs_opaque.handles.write,\
(fsp), (fd), (data), (n)))
#define SMB_VFS_OPAQUE_LSEEK(fsp, fd, offset, whence) \
((fsp)-&gt;conn-&gt;vfs_opaque.ops.lseek(\
(fsp)-&gt;conn-&gt;vfs_opaque.handles.lseek,\
(fsp), (fd), (offset), (whence)))
#define SMB_VFS_OPAQUE_SENDFILE(tofd, fsp, fromfd, header, offset, count) \
((fsp)-&gt;conn-&gt;vfs_opaque.ops.sendfile(\
(fsp)-&gt;conn-&gt;vfs_opaque.handles.sendfile,\
(tofd), (fsp), (fromfd), (header), (offset), (count)))
...
</programlisting>
<para>How SMB_VFS_LAYER_TRANSPARENT functions can call the next modules functions.</para>
<para>The easiest way to do this is to use the SMB_VFS_NEXT_* macros.
</para>
<programlisting>
...
/* File operations */
#define SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode) \
((handle)-&gt;vfs_next.ops.open(\
(handle)-&gt;vfs_next.handles.open,\
(conn), (fname), (flags), (mode)))
#define SMB_VFS_NEXT_CLOSE(handle, fsp, fd) \
((handle)-&gt;vfs_next.ops.close(\
(handle)-&gt;vfs_next.handles.close,\
(fsp), (fd)))
#define SMB_VFS_NEXT_READ(handle, fsp, fd, data, n) \
((handle)-&gt;vfs_next.ops.read(\
(handle)-&gt;vfs_next.handles.read,\
(fsp), (fd), (data), (n)))
#define SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n) \
((handle)-&gt;vfs_next.ops.write(\
(handle)-&gt;vfs_next.handles.write,\
(fsp), (fd), (data), (n)))
#define SMB_VFS_NEXT_LSEEK(handle, fsp, fd, offset, whence) \
((handle)-&gt;vfs_next.ops.lseek(\
(handle)-&gt;vfs_next.handles.lseek,\
(fsp), (fd), (offset), (whence)))
#define SMB_VFS_NEXT_SENDFILE(handle, tofd, fsp, fromfd, header, offset, count) \
((handle)-&gt;vfs_next.ops.sendfile(\
(handle)-&gt;vfs_next.handles.sendfile,\
(tofd), (fsp), (fromfd), (header), (offset), (count)))
...
</programlisting>
</sect2>
</sect1>
<sect1>
<title>Upgrading to the New VFS Interface</title>
<sect2>
<title>Upgrading from 2.2.* and 3.0aplha modules</title>
<orderedlist>
<listitem><para>
Add &quot;vfs_handle_struct *handle, &quot; as first parameter to all vfs operation functions.
e.g. example_connect(connection_struct *conn, const char *service, const char *user);
-&gt; example_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user);
</para></listitem>
<listitem><para>
Replace &quot;default_vfs_ops.&quot; with &quot;smb_vfs_next_&quot;.
e.g. default_vfs_ops.connect(conn, service, user);
-&gt; smb_vfs_next_connect(conn, service, user);
</para></listitem>
<listitem><para>
Uppercase all &quot;smb_vfs_next_*&quot; functions.
e.g. smb_vfs_next_connect(conn, service, user);
-&gt; SMB_VFS_NEXT_CONNECT(conn, service, user);
</para></listitem>
<listitem><para>
Add &quot;handle, &quot; as first parameter to all SMB_VFS_NEXT_*() calls.
e.g. SMB_VFS_NEXT_CONNECT(conn, service, user);
-&gt; SMB_VFS_NEXT_CONNECT(handle, conn, service, user);
</para></listitem>
<listitem><para>
(Only for 2.2.* modules)
Convert the old struct vfs_ops example_ops to
a vfs_op_tuple example_op_tuples[] array.
e.g.
<programlisting>
struct vfs_ops example_ops = {
/* Disk operations */
example_connect, /* connect */
example_disconnect, /* disconnect */
NULL, /* disk free *
/* Directory operations */
NULL, /* opendir */
NULL, /* readdir */
NULL, /* mkdir */
NULL, /* rmdir */
NULL, /* closedir */
/* File operations */
NULL, /* open */
NULL, /* close */
NULL, /* read */
NULL, /* write */
NULL, /* lseek */
NULL, /* sendfile */
NULL, /* rename */
NULL, /* fsync */
example_stat, /* stat */
example_fstat, /* fstat */
example_lstat, /* lstat */
NULL, /* unlink */
NULL, /* chmod */
NULL, /* fchmod */
NULL, /* chown */
NULL, /* fchown */
NULL, /* chdir */
NULL, /* getwd */
NULL, /* utime */
NULL, /* ftruncate */
NULL, /* lock */
NULL, /* symlink */
NULL, /* readlink */
NULL, /* link */
NULL, /* mknod */
NULL, /* realpath */
NULL, /* fget_nt_acl */
NULL, /* get_nt_acl */
NULL, /* fset_nt_acl */
NULL, /* set_nt_acl */
NULL, /* chmod_acl */
NULL, /* fchmod_acl */
NULL, /* sys_acl_get_entry */
NULL, /* sys_acl_get_tag_type */
NULL, /* sys_acl_get_permset */
NULL, /* sys_acl_get_qualifier */
NULL, /* sys_acl_get_file */
NULL, /* sys_acl_get_fd */
NULL, /* sys_acl_clear_perms */
NULL, /* sys_acl_add_perm */
NULL, /* sys_acl_to_text */
NULL, /* sys_acl_init */
NULL, /* sys_acl_create_entry */
NULL, /* sys_acl_set_tag_type */
NULL, /* sys_acl_set_qualifier */
NULL, /* sys_acl_set_permset */
NULL, /* sys_acl_valid */
NULL, /* sys_acl_set_file */
NULL, /* sys_acl_set_fd */
NULL, /* sys_acl_delete_def_file */
NULL, /* sys_acl_get_perm */
NULL, /* sys_acl_free_text */
NULL, /* sys_acl_free_acl */
NULL /* sys_acl_free_qualifier */
};
</programlisting>
-&gt;
<programlisting>
static vfs_op_tuple example_op_tuples[] = {
{SMB_VFS_OP(example_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(example_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(example_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(example_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(example_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};
</programlisting>
</para></listitem>
<listitem><para>
Move the example_op_tuples[] array to the end of the file.
</para></listitem>
<listitem><para>
Add the init_module() function at the end of the file.
e.g.
<programlisting>
NTSTATUS init_module(void)
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION,&quot;example&quot;,example_op_tuples);
}
</programlisting>
</para></listitem>
<listitem><para>
Check if your vfs_init() function does more then just prepare the vfs_ops structs or
remember the struct smb_vfs_handle_struct.
<simplelist>
<member>If NOT you can remove the vfs_init() function.</member>
<member>If YES decide if you want to move the code to the example_connect() operation or to the init_module(). And then remove vfs_init().
e.g. a debug class registration should go into init_module() and the allocation of private data should go to example_connect().</member>
</simplelist>
</para></listitem>
<listitem><para>
(Only for 3.0alpha* modules)
Check if your vfs_done() function contains needed code.
<simplelist>
<member>If NOT you can remove the vfs_done() function.</member>
<member>If YES decide if you can move the code to the example_disconnect() operation. Otherwise register a SMB_EXIT_EVENT with smb_register_exit_event(); (Described in the <link linkend="modules">modules section</link>) And then remove vfs_done(). e.g. the freeing of private data should go to example_disconnect().
</member>
</simplelist>
</para></listitem>
<listitem><para>
Check if you have any global variables left.
Decide if it wouldn't be better to have this data on a connection basis.
<simplelist>
<member>If NOT leave them as they are. (e.g. this could be the variable for the private debug class.)</member>
<member>If YES pack all this data into a struct. You can use handle-&gt;data to point to such a struct on a per connection basis.</member>
</simplelist>
e.g. if you have such a struct:
<programlisting>
struct example_privates {
char *some_string;
int db_connection;
};
</programlisting>
first way of doing it:
<programlisting>
static int example_connect(vfs_handle_struct *handle,
connection_struct *conn, const char *service,
const char* user)
{
struct example_privates *data = NULL;
/* alloc our private data */
data = (struct example_privates *)talloc_zero(conn-&gt;mem_ctx, sizeof(struct example_privates));
if (!data) {
DEBUG(0,(&quot;talloc_zero() failed\n&quot;));
return -1;
}
/* init out private data */
data-&gt;some_string = talloc_strdup(conn-&gt;mem_ctx,&quot;test&quot;);
if (!data-&gt;some_string) {
DEBUG(0,(&quot;talloc_strdup() failed\n&quot;));
return -1;
}
data-&gt;db_connection = open_db_conn();
/* and now store the private data pointer in handle-&gt;data
* we don't need to specify a free_function here because
* we use the connection TALLOC context.
* (return -1 if something failed.)
*/
VFS_HANDLE_SET_DATA(handle, data, NULL, struct example_privates, return -1);
return SMB_VFS_NEXT_CONNECT(handle,conn,service,user);
}
static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
struct example_privates *data = NULL;
/* get the pointer to our private data
* return -1 if something failed
*/
SMB_VFS_HANDLE_GET_DATA(handle, data, struct example_privates, return -1);
/* do something here...*/
DEBUG(0,(&quot;some_string: %s\n&quot;,data-&gt;some_string));
return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
}
</programlisting>
second way of doing it:
<programlisting>
static void free_example_privates(void **datap)
{
struct example_privates *data = (struct example_privates *)*datap;
SAFE_FREE(data-&gt;some_string);
SAFE_FREE(data);
*datap = NULL;
return;
}
static int example_connect(vfs_handle_struct *handle,
connection_struct *conn, const char *service,
const char* user)
{
struct example_privates *data = NULL;
/* alloc our private data */
data = (struct example_privates *)malloc(sizeof(struct example_privates));
if (!data) {
DEBUG(0,(&quot;malloc() failed\n&quot;));
return -1;
}
/* init out private data */
data-&gt;some_string = strdup(&quot;test&quot;);
if (!data-&gt;some_string) {
DEBUG(0,(&quot;strdup() failed\n&quot;));
return -1;
}
data-&gt;db_connection = open_db_conn();
/* and now store the private data pointer in handle-&gt;data
* we need to specify a free_function because we used malloc() and strdup().
* (return -1 if something failed.)
*/
SMB_VFS_HANDLE_SET_DATA(handle, data, free_example_privates, struct example_privates, return -1);
return SMB_VFS_NEXT_CONNECT(handle,conn,service,user);
}
static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
struct example_privates *data = NULL;
/* get the pointer to our private data
* return -1 if something failed
*/
SMB_VFS_HANDLE_GET_DATA(handle, data, struct example_privates, return -1);
/* do something here...*/
DEBUG(0,(&quot;some_string: %s\n&quot;,data-&gt;some_string));
return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
}
</programlisting>
</para></listitem>
<listitem><para>
To make it easy to build 3rd party modules it would be usefull to provide
configure.in, (configure), install.sh and Makefile.in with the module.
(Take a look at the example in <filename>examples/VFS</filename>.)
</para>
<para>
The configure script accepts <option>--with-samba-source</option> to specify
the path to the samba source tree.
It also accept <option>--enable-developer</option> which lets the compiler
give you more warnings.
</para>
<para>
The idea is that you can extend this
<filename>configure.in</filename> and <filename>Makefile.in</filename> scripts
for your module.
</para></listitem>
<listitem><para>
Compiling &amp; Testing...
<simplelist>
<member><userinput>./configure <option>--enable-developer</option></userinput> ...</member>
<member><userinput>make</userinput></member>
<member>Try to fix all compiler warnings</member>
<member><userinput>make</userinput></member>
<member>Testing, Testing, Testing ...</member>
</simplelist>
</para></listitem>
</orderedlist>
</sect2>
</sect1>
<sect1>
<title>Some Notes</title>
<sect2>
<title>Implement TRANSPARENT functions</title>
<para>
Avoid writing functions like this:
<programlisting>
static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
}
</programlisting>
Overload only the functions you really need to!
</para>
</sect2>
<sect2>
<title>Implement OPAQUE functions</title>
<para>
If you want to just implement a better version of a
default samba opaque function
(e.g. like a disk_free() function for a special filesystem)
it's ok to just overload that specific function.
</para>
<para>
If you want to implement a database filesystem or
something different from a posix filesystem.
Make sure that you overload every vfs operation!!!
</para>
<para>
Functions your FS does not support should be overloaded by something like this:
e.g. for a readonly filesystem.
</para>
<programlisting>
static int example_rename(vfs_handle_struct *handle, connection_struct *conn,
char *oldname, char *newname)
{
DEBUG(10,(&quot;function rename() not allowed on vfs 'example'\n&quot;));
errno = ENOSYS;
return -1;
}
</programlisting>
</sect2>
</sect1>
</chapter>

View File

@ -0,0 +1,19 @@
<chapter id="windows-debug">
<chapterinfo>
&author.jelmer;
&author.tridge;
</chapterinfo>
<title>Finding useful information on windows</title>
<sect1><title>Netlogon debugging output</title>
<procedure>
<step><para>stop netlogon service on PDC</para></step>
<step><para>rename original netlogon.dll to netlogon.dll.original</para></step>
<step><para>copy checked version of netlogon.dll to system32 directory</para></step>
<step><para>set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag to 0x20000004</para></step>
<step><para>start netlogon service on PDC</para></step>
</procedure>
</sect1>
</chapter>

View File

@ -0,0 +1,86 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
<!ENTITY % globalentities SYSTEM '../global.ent'> %globalentities;
]>
<refentry id="profiles.1">
<refmeta>
<refentrytitle>profiles</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>profiles</refname>
<refpurpose>A utility to report and change SIDs in registry files
</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>profiles</command>
<arg choice="opt">-v</arg>
<arg choice="opt">-c SID</arg>
<arg choice="opt">-n SID</arg>
<arg choice="req">file</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This tool is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para><command>profiles</command> is a utility that
reports and changes SIDs in windows registry files. It currently only
supports NT.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>file</term>
<listitem><para>Registry file to view or edit. </para></listitem>
</varlistentry>
<varlistentry>
<term>-v,--verbose</term>
<listitem><para>Increases verbosity of messages.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-c SID1 -n SID2</term>
<listitem><para>Change all occurences of SID1 in <filename>file</filename> by SID2.
</para></listitem>
</varlistentry>
&stdarg.help;
</variablelist>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is correct for version 3.0 of the Samba
suite.</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para>The profiles man page was written by Jelmer Vernooij. </para>
</refsect1>
</refentry>

View File

@ -0,0 +1 @@
attributions.xml

View File

@ -0,0 +1,36 @@
<chapter id="Backup">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>Samba Backup Techniques</title>
<sect1>
<title>Note</title>
<para>
This chapter did not make it into this release.
It is planned for the published release of this document.
If you have something to contribute for this section please email it to
<link url="mail://jht@samba.org">jht@samba.org</link>/
</para>
</sect1>
<sect1>
<title>Features and Benefits</title>
<para>
We need feedback from people who are backing up samba servers.
We would like to know what software tools you are using to backup
your samba server/s.
</para>
<para>
In particular, if you have any success and / or failure stories you could
share with other users this would be appreciated.
</para>
</sect1>
</chapter>

View File

@ -0,0 +1,17 @@
<chapter id="DNSDHCP">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>DNS and DHCP Configuration Guide</title>
<sect1>
<title>Note</title>
<para>
This chapter did not make it into this release.
It is planned for the published release of this document.
</para>
</sect1>
</chapter>

View File

@ -0,0 +1,17 @@
<chapter id="FastStart">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>Fast Start for the Impatient</title>
<sect1>
<title>Note</title>
<para>
This chapter did not make it into this release.
It is planned for the published release of this document.
</para>
</sect1>
</chapter>

View File

@ -0,0 +1,17 @@
<chapter id="SambaHA">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>High Availability Options</title>
<sect1>
<title>Note</title>
<para>
This chapter did not make it into this release.
It is planned for the published release of this document.
</para>
</sect1>
</chapter>

View File

@ -0,0 +1,17 @@
<chapter id="ClientConfig">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>MS Windows Network Configuration Guide</title>
<sect1>
<title>Note</title>
<para>
This chapter did not make it into this release.
It is planned for the published release of this document.
</para>
</sect1>
</chapter>

View File

@ -0,0 +1,18 @@
<samba:parameter name="-valid"
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
<para> This parameter indicates whether a share is
valid and thus can be used. When this parameter is set to false,
the share will be in no way visible nor accessible.
</para>
<para>
This option should not be
used by regular users but might be of help to developers.
Samba uses this option internally to mark shares as deleted.
</para>
<para>Default: <emphasis>True</emphasis></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,22 @@
<samba:parameter name="total print jobs"
context="G"
print="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter accepts an integer value which defines
a limit on the maximum number of print jobs that will be accepted
system wide at any given time. If a print job is submitted
by a client which will exceed this number, then <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will return an
error indicating that no space is available on the server. The
default value of 0 means that no such limit exists. This parameter
can be used to prevent a server from exceeding its capacity and is
designed as a printing throttle. See also <link linkend="MAXPRINTJOBS">
<parameter moreinfo="none">max print jobs</parameter></link>.
</para>
<para>Default: <command moreinfo="none">total print jobs = 0</command></para>
<para>Example: <command moreinfo="none">total print jobs = 5000</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,13 @@
<samba:parameter name="client use spnego"
context="G"
developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para> This variable controls controls whether samba clients will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
WindowsXP and Windows2000 servers to agree upon an authentication mechanism.
</para>
<para>Default: <emphasis>client use spnego = yes</emphasis></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,17 @@
<samba:parameter name="map acl inherit"
context="S"
advanced="1" wizard="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to map the 'inherit' and 'protected'
access control entry flags stored in Windows ACLs into an extended attribute
called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
on a platform that supports extended attributes (Linux and IRIX so far) and
allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
POSIX ACL mapping code.
</para>
<para>Default: <command moreinfo="none">map acl inherit = no</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,33 @@
<samba:parameter name="profile acls"
context="S"
advanced="1" wizard="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>
This boolean parameter was added to fix the problems that people have been
having with storing user profiles on Samba shares from Windows 2000 or
Windows XP clients. New versions of Windows 2000 or Windows XP service
packs do security ACL checking on the owner and ability to write of the
profile directory stored on a local workstation when copied from a Samba
share. When not in domain mode with winbindd then the security info copied
onto the local workstation has no meaning to the logged in user (SID) on
that workstation so the profile storing fails. Adding this parameter
onto a share used for profile storage changes two things about the
returned Windows ACL. Firstly it changes the owner and group owner
of all reported files and directories to be BUILTIN\\Administrators,
BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
every returned ACL. This will allow any Windows 2000 or XP workstation
user to access the profile. Note that if you have multiple users logging
on to a workstation then in order to prevent them from being able to access
each others profiles you must remove the "Bypass traverse checking" advanced
user right. This will prevent access to other users profile directories as
the top level profile directory (named after the user) is created by the
workstation profile code and has an ACL restricting entry to the directory
tree to the owning user.
</para>
<para>Default: <command moreinfo="none">profile acls = no</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,28 @@
<samba:parameter name="client lanman auth"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> and other samba client
tools will attempt to authenticate itself to servers using the
weaker LANMAN password hash. If disabled, only server which support NT
password hashes (e.g. Windows NT/2000, Samba, etc... but not
Windows 95/98) will be able to be connected from the Samba client.</para>
<para>The LANMAN encrypted response is easily broken, due to it's
case-insensitive nature, and the choice of algorithm. Clients
without Windows 95/98 servers are advised to disable
this option. </para>
<para>Disabling this option will also disable the <command
moreinfo="none">client plaintext auth</command> option</para>
<para>Likewise, if the <command moreinfo="none">client ntlmv2
auth</command> parameter is enabled, then only NTLMv2 logins will be
attempted. Not all servers support NTLMv2, and most will require
special configuration to us it.</para>
<para>Default : <command moreinfo="none">client lanman auth = yes</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,26 @@
<samba:parameter name="client ntlmv2 auth"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to
authenticate itself to servers using the NTLMv2 encrypted password
response.</para>
<para>If enabled, only an NTLMv2 and LMv2 response (both much more
secure than earlier versions) will be sent. Many servers
(including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
NTLMv2. </para>
<para>If disabled, an NTLM response (and possibly a LANMAN response)
will be sent by the client, depending on the value of <command
moreinfo="none">client lanman auth</command>. </para>
<para>Note that some sites (particularly
those following 'best practice' security polices) only allow NTLMv2
responses, and not the weaker LM or NTLM.</para>
<para>Default : <command moreinfo="none">client ntlmv2 auth = no</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,14 @@
<samba:parameter name="vfs objects"
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter specifies the backend names which
are used for Samba VFS I/O operations. By default, normal
disk I/O operations are used but these can be overloaded
with one or more VFS objects. </para>
<para>Default: <emphasis>no value</emphasis></para>
<para>Example: <command moreinfo="none">vfs objects = extd_audit recycle</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,17 @@
<samba:parameter name="enable rid algorithm"
context="G"
advanced="1" developer="1" hide="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This option is used to control whether or not smbd in Samba 3.0 should fallback
to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm
development goal is to remove the algorithmic mappings of RIDs altogether, but
this has proved to be difficult. This parameter is mainly provided so that
developers can turn the algorithm on and off and see what breaks. This parameter
should not be disabled by non-developers because certain features in Samba will fail
to work without it.
</para>
<para>Default: <command moreinfo="none">enable rid algorithm = &lt;yes&gt;</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,18 @@
<samba:parameter name="idmap gid"
context="G"
advanced="1" developer="1" hide="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>The idmap gid parameter specifies the range of group ids that are allocated for
the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
existing local or NIS groups within it as strange conflicts can occur otherwise.</para>
<para>The availability of an idmap gid range is essential for correct operation of
all group mapping.</para>
<para>Default: <command moreinfo="none">idmap gid = &lt;empty string&gt;</command></para>
<para>Example: <command moreinfo="none">idmap gid = 10000-20000</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,14 @@
<samba:parameter name="idmap uid"
context="G"
advanced="1" developer="1" hide="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>The idmap uid parameter specifies the range of user ids that are allocated for use
in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
or NIS users within it as strange conflicts can occur otherwise.</para>
<para>Default: <command moreinfo="none">idmap uid = &lt;empty string&gt;</command></para>
<para>Example: <command moreinfo="none">idmap uid = 10000-20000</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,14 @@
<samba:parameter name="template primary group"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This option defines the default primary group for
each user created by <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>'s local account management
functions (similar to the 'add user script').
</para>
<para>Default: <command moreinfo="none">template primary group = nobody</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,16 @@
<samba:parameter name="winbind enable local accounts"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter controls whether or not winbindd
will act as a stand in replacement for the various account
management hooks in smb.conf (e.g. 'add user script').
If enabled, winbindd will support the creation of local
users and groups as another source of UNIX account information
available via getpwnam() or getgrgid(), etc...
</para>
<para>Default: <command moreinfo="none">winbind enable local accounts = yes</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,16 @@
<samba:parameter name="winbind trusted domains only"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter is designed to allow Samba servers that
are members of a Samba controlled domain to use UNIX accounts
distributed vi NIS, rsync, or LDAP as the uid's for winbindd users
in the hosts primary domain. Therefore, the user 'SAMBA\user1' would
be mapped to the account 'user1' in /etc/passwd instead of allocating
a new uid for him or her.
</para>
<para>Default: <command moreinfo="none">winbind trusted domains only = &lt;no&gt;</command></para>
</listitem>
</samba:parameter>

View File

@ -0,0 +1,67 @@
<?xml version='1.0'?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:exsl="http://exslt.org/common"
xmlns:samba="http://samba.org/common"
version="1.1"
extension-element-prefixes="exsl">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<!-- Remove all character data -->
<xsl:template match="@*|node()">
<xsl:apply-templates select="@*|node()"/>
</xsl:template>
<xsl:template match="book">
<xsl:element name="variablelist">
<xsl:apply-templates/>
</xsl:element>
</xsl:template>
<xsl:template match="chapter">
<xsl:element name="varlistentry">
<xsl:element name="term">
<xsl:element name="link">
<xsl:attribute name="linkend"><xsl:value-of select="@id"/></xsl:attribute>
<xsl:value-of select="title"/>
</xsl:element>
</xsl:element>
<xsl:element name="listitem">
<xsl:element name="para">
<xsl:element name="itemizedlist">
<xsl:apply-templates/>
</xsl:element>
</xsl:element>
</xsl:element>
</xsl:element>
</xsl:template>
<xsl:template match="author">
<xsl:element name="listitem">
<xsl:element name="para">
<xsl:value-of select="firstname"/><xsl:text> </xsl:text><xsl:value-of select="surname"/>
<xsl:choose>
<xsl:when test="affiliation/address/email != ''">
<xsl:text> &lt;</xsl:text>
<xsl:element name="ulink">
<xsl:attribute name="url">
<xsl:text>mailto:</xsl:text>
<xsl:value-of select="affiliation/address/email"/>
</xsl:attribute>
<xsl:value-of select="affiliation/address/email"/>
</xsl:element>
<xsl:text>&gt;</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="contrib != ''">
<xsl:text> (</xsl:text>
<xsl:value-of select="contrib"/>
<xsl:text>) </xsl:text>
</xsl:when>
</xsl:choose>
</xsl:element>
</xsl:element>
</xsl:template>
</xsl:stylesheet>

View File

@ -0,0 +1,660 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2920271">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920308">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920326">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2920583">Managing Directories</a></dt><dt><a href="AccessControls.html#id2920678">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2920894">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2922074">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2922346">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2922591">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922807">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922879">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923178">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923186">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923224">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923303">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923425">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923653">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923805">Interaction with the standard Samba create mask
parameters</a></dt><dt><a href="AccessControls.html#id2924134">Interaction with the standard Samba file attribute
mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924210">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924224">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924604">I have set force user and Samba still makes root the owner of all the files
I touch!</a></dt></dl></dd></dl></div><p>
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
resources shared via Samba do not behave in the manner they might expect. MS Windows network
administrators are often confused regarding network access controls and what is the best way to
provide users with the type of access they need while protecting resources from the consequences
of untoward access capabilities.
</p><p>
Unix administrators frequently are not familiar with the MS Windows environment and in particular
have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
and directory access permissions.
</p><p>
The problem lies in the differences in how file and directory permissions and controls work
between the two environments. This difference is one that Samba can not completely hide, even
though it does try to make the chasm transparent.
</p><p>
POSIX Access Control List technology has been available (along with Extended Attributes)
for Unix for many years, yet there is little evidence today of any significant use. This
explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
administrators are astounded at this given that ACLs were a foundational capability of the now
decade old MS Windows NT operating system.
</p><p>
The purpose of this chapter is to present each of the points of control that are possible with
Samba-3 in the hope that this will help the network administrator to find the optimum method
for delivering the best environment for MS Windows desktop users.
</p><p>
This is an opportune point to mention that it should be borne in mind that Samba was created to
provide a means of interoperability and interchange of data between two operating environments
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
What is available today extends well beyond early plans and expectations, yet the gap continues to
shrink.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920271"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba offers a lot of flexibility in file system access management. These are the key access control
facilities present in Samba today:
</p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
<span class="emphasis"><em>Unix File and Directory Permissions</em></span>
</p><p>
Samba honours and implements Unix file system access controls. Users
who access a Samba server will do so as a particular MS Windows user.
This information is passed to the Samba server as part of the logon or
connection setup process. Samba uses this user identity to validate
whether or not the user should be given access to file system resources
(files and directories). This chapter provides an overview for those
to whom the Unix permissions and controls are a little strange or unknown.
</p></li><li><p>
<span class="emphasis"><em>Samba Share Definitions</em></span>
</p><p>
In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file
the network administrator can exercise over-rides to native file
system permissions and behaviours. This can be handy and convenient
to affect behaviour that is more like what MS Windows NT users expect
but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
The basic options and techniques are described herein.
</p></li><li><p>
<span class="emphasis"><em>Samba Share ACLs</em></span>
</p><p>
Just like it is possible in MS Windows NT to set ACLs on shares
themselves, so it is possible to do this in Samba.
Very few people make use of this facility, yet it remains on of the
easiest ways to affect access controls (restrictions) and can often
do so with minimum invasiveness compared with other methods.
</p></li><li><p>
<span class="emphasis"><em>MS Windows ACLs through Unix POSIX ACLs</em></span>
</p><p>
The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying
operating system supports them. If not, then this option will not be
available to you. Current Unix technology platforms have native support
for POSIX ACLs. There are patches for the Linux kernel that provide
this also. Sadly, few Linux platforms ship today with native ACLs and
Extended Attributes enabled. This chapter has pertinent information
for users of platforms that support them.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920308"></a>File System Access Controls</h2></div></div><div></div></div><p>
Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP
implement a totally divergent file system technology from what is provided in the Unix operating system
environment. Firstly we should consider what the most significant differences are, then we shall look
at how Samba helps to bridge the differences.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920326"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p>
Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions
and permissions. It also means that if the MS Windows networking environment requires file system
behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating
that in a transparent and consistent manner.
</p><p>
It is good news that Samba does this to a very large extent and on top of that provides a high degree
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
to depths of control ability should review the <tt class="filename">smb.conf</tt> man page.
</p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p>
MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
may be 1023 characters long. In MS Windows file extensions indicate particular file types,
in Unix this is not so rigorously observed as all names are considered arbitrary.
</p><p>
What MS Windows calls a Folder, Unix calls a directory,
</p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name
and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case
Insensitive.
</p><p>
Unix file and directory names are Case Sensitive and Case Preserving. Samba implements the
MS Windows file name behaviour, but it does so as a user application. The Unix file system
provides no mechanism to perform case insensitive file name lookups. MS Windows does this
by default. This means that Samba has to carry the processing overhead to provide features
that are NOT native to the Unix operating system environment.
</p><p>
Consider the following, all are unique Unix names but one single MS Windows file name:
<tt class="computeroutput">
MYFILE.TXT
MyFile.txt
myfile.txt
</tt>
So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix
they can. So what should Samba do if all three are present? Answer, the one that is lexically
first will be accessible to MS Windows users, the others are invisible and unaccessible - any
other solution would be suicidal.
</p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/'
as it's directory delimiter. This is transparently handled by Samba.
</p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent
disk partitions. Unix has NO concept if separate identifiers for file partitions since each
such file system is <tt class="filename">mounted</tt> to become part of the over-all directory tree.
The Unix directory tree begins at '/', just like the root of a DOS drive is specified like
<b class="command">C:\</b>.
</p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
MS Windows generally never experiences file names that begin with a '.', while in Unix these
are commonly found in a user's home directory. Files that begin with a '.' are typically
either start up files for various Unix applications, or they may be files that contain
start-up configuration data.
</p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
MS Windows make use of &quot;links and Short-Cuts&quot; that are actually special types of files that will
redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory
links, but they are entirely different from what MS Windows users are used to.
</p><p>
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
one physical file to be known simultaneously by more than one file name.
</p></dd></dl></div><p>
There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the
purpose of Unix/Linux training/education.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920583"></a>Managing Directories</h3></div></div><div></div></div><p>
There are three basic operations for managing directories, <b class="command">create, delete, rename</b>.
</p><div class="table"><a name="id2920603"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920678"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
The network administrator is strongly advised to read foundational training manuals and reference materials
regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
Attributes (EAs).
</p><p>
Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
A Unix file listing looks as follows:-
</p><pre class="screen">
<tt class="prompt">jht@frodo:~/stuff&gt; </tt><b class="userinput"><tt>ls -la</tt></b>
total 632
drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 ..
d--------- 2 jht users 48 2003-05-12 22:29 muchado00
d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01
dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02
drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03
drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04
d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05
dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06
drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07
drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08
---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst
---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst
--w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst
--wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst
-r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst
-r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst
-rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
-rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
<tt class="prompt">jht@frodo:~/stuff&gt;</tt>
</pre><p>
</p><p>
The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
</p><p>
The permissions field is made up of:
</p><pre class="programlisting">
<i><span class="comment"> JRV: Put this into a diagram of some sort</span></i>
[ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
[ d | l ] [ r w x ] [ r w x ] [ r w x ]
| | | | | | | | | | |
| | | | | | | | | | |-----&gt; Can Execute, List files
| | | | | | | | | |-------&gt; Can Write, Create files
| | | | | | | | |---------&gt; Can Read, Read files
| | | | | | | |---------------&gt; Can Execute, List files
| | | | | | |-----------------&gt; Can Write, Create files
| | | | | |-------------------&gt; Can Read, Read files
| | | | |-------------------------&gt; Can Execute, List files
| | | |---------------------------&gt; Can Write, Create files
| | |-----------------------------&gt; Can Read, Read files
| |-----------------------------------&gt; Is a symbolic Link
|---------------------------------------&gt; Is a directory
</pre><p>
</p><p>
Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
</p><div class="example"><a name="id2920816"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
-rwxr-x--- Means: The owner (user) can read, write, execute
the group can read and execute
everyone else can NOT do anything with it
</pre></div><p>
</p><p>
Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</p><p>
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</p><p>
When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
directories, such as /tmp, that are world-writable.
</p><p>
When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that
all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
to be exclusively owned by a user who's primary group is not the group that all such users belong to.
</p><p>
When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because
the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
group members will be able to write to (or delete) them.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920894"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
The following parameters in the <tt class="filename">smb.conf</tt> file sections that define a share control or affect access controls.
Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922074"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
file system operations as if a single user is doing this, the use of the <i class="parameter"><tt>force user</tt></i> and
<i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to affect a
paranoia level of control to ensure that only particular authorised persons will be able to access a share or
it's contents, here the use of the <i class="parameter"><tt>valid users</tt></i> or the <i class="parameter"><tt>invalid users</tt></i> may
be most useful.
</p><p>
As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
if that person finds too great a mess, or if they do not understand what you have done then there is risk of
Samba being removed and an alternative solution being adopted.
</p><div class="table"><a name="id2922134"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p>
List of users who will be granted administrative privileges on the share.
They will do all file operations as the super-user (root).
Any user in this list will be able to do anything they like on the share,
irrespective of file permissions.
</p></td></tr><tr><td>force group</td><td><p>
Specifies a UNIX group name that will be assigned as the default primary group
for all users connecting to this service.
</p></td></tr><tr><td>force user</td><td><p>
Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
This is useful for sharing files. Incorrect use can cause security problems.
</p></td></tr><tr><td>guest ok</td><td><p>
If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
those of the guest account.
</p></td></tr><tr><td>invalid users</td><td><p>
List of users that should not be allowed to login to this service.
</p></td></tr><tr><td>only user</td><td><p>
Controls whether connections with usernames not in the user list will be allowed.
</p></td></tr><tr><td>read list</td><td><p>
List of users that are given read-only access to a service. Users in this list
will not be given write access, no matter what the read only option is set to.
</p></td></tr><tr><td>username</td><td><p>
Refer to the <tt class="filename">smb.conf</tt> man page for more information - this is a complex and potentially misused parameter.
</p></td></tr><tr><td>valid users</td><td><p>
List of users that should be allowed to login to this service.
</p></td></tr><tr><td>write list</td><td><p>
List of users that are given read-write access to a service.
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922346"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
The following file and directory permission based controls, if misused, can result in considerable difficulty to
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
re-introduce them in a controlled fashion.
</p><div class="table"><a name="id2922367"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p>
Refer to the <tt class="filename">smb.conf</tt> man page.
</p></td></tr><tr><td>directory mask</td><td><p>
The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
See also: directory security mask.
</p></td></tr><tr><td>dos filemode</td><td><p>
Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
</p></td></tr><tr><td>force create mode</td><td><p>
This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
</p></td></tr><tr><td>force directory mode</td><td><p>
This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
</p></td></tr><tr><td>force directory security mode</td><td><p>
Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory
</p></td></tr><tr><td>force security mode</td><td><p>
Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
</p></td></tr><tr><td>hide unreadable</td><td><p>
Prevents clients from seeing the existence of files that cannot be read.
</p></td></tr><tr><td>hide unwriteable files</td><td><p>
Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
</p></td></tr><tr><td>nt acl support</td><td><p>
This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
</p></td></tr><tr><td>security mask</td><td><p>
Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922591"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
The following are documented because of the prevalence of administrators creating inadvertant barriers to file
access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings.
</p><div class="table"><a name="id2922614"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p>
This means that all file name lookup will be done in a case sensitive manner.
Files will be created with the precise filename Samba received from the MS Windows client.
</p></td></tr><tr><td>csc policy</td><td><p>
Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
</p></td></tr><tr><td>dont descend</td><td><p>
Allows to specify a comma-delimited list of directories that the server should always show as empty.
</p></td></tr><tr><td>dos filetime resolution</td><td><p>
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
</p></td></tr><tr><td>dos filetimes</td><td><p>
DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this.
This options allows DOS and Windows behaviour.
</p></td></tr><tr><td>fake oplocks</td><td><p>
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
</p></td></tr><tr><td>hide dot files, hide files, veto files</td><td><p>
Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
</p></td></tr><tr><td>read only</td><td><p>
If this parameter is yes, then users of a service may not create or modify files in the service's directory.
</p></td></tr><tr><td>veto files</td><td><p>
List of files and directories that are neither visible nor accessible.
</p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922807"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
This section deals with how to configure Samba per share access control restrictions.
By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read).
</p><p>
At this time Samba does NOT provide a tool for configuring access control setting on the Share
itself. Samba does have the capacity to store and act on access control settings, but the only
way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
Computer Management.
</p><p>
Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
The location of this file on your system will depend on how samba was compiled. The default location
for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
utility has been compiled and installed on your system, then you can examine the contents of this file
by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922879"></a>Share Permissions Management</h3></div></div><div></div></div><p>
The best tool for the task is platform dependant. Choose the best tool for your environment.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922892"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
</p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p>
Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer, then from the menu
select <span class="guimenu">Computer</span>, then click on the <span class="guimenuitem">Shared Directories</span> entry.
</p></li><li><p>
Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on
the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922975"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
Windows NT4/200x permission allows <span class="emphasis"><em>Everyone</em></span> Full Control on the Share.
</p><p>
MS Windows 200x and later all comes with a tool called the <span class="application">Computer Management</span> snap-in for the
Microsoft Management Console (MMC). This tool is located by clicking on <tt class="filename">Control Panel -&gt;
Administrative Tools -&gt; Computer Management</tt>.
</p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p>
After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>,
select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilege this step is not offered.
</p></li><li><p>
If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target
Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to
<span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the
left panel.
</p></li><li><p>
Now in the right panel, double-click on the share you wish to set access control permissions on.
Then click on the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
wish to assign for each entry.
</p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user
then effectively no user will be able to access the share. This is a result of what is known as
ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group
<tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access.
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923178"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923186"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings
dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise
the security of the UNIX host Samba is running on, and
still obeys all the file permission rules that a Samba
administrator can set.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
All access to Unix/Linux system file via Samba is controlled at
the operating system file access control level. When trying to
figure out file access problems it is vitally important to identify
the identity of the Windows user as it is presented by Samba at
the point of file access. This can best be determined from the
Samba log files.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923224"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <span class="guilabel">Properties</span> entry at the bottom of
the menu. This brings up the file properties dialog
box. Click on the tab <span class="guilabel">Security</span> and you
will see three buttons, <span class="guibutton">Permissions</span>,
<span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>.
The <span class="guibutton">Auditing</span> button will cause either
an error message <span class="errorname">A requested privilege is not held
by the client</span> to appear if the user is not the
NT Administrator, or a dialog which is intended to allow an
Administrator to add auditing requirements to a file if the
user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only
useful button, the <span class="guibutton">Add</span> button will not currently
allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923303"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button
brings up a dialog box telling you who owns the given file. The
owner name will be of the form :</p><p><b class="command">&quot;SERVER\user (Long name)&quot;</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database). Click on the
<span class="guibutton">Close </span> button to remove this dialog.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
is set to <tt class="constant">false</tt> then the file owner will
be shown as the NT user <tt class="constant">&quot;Everyone&quot;</tt>.</p><p>The <span class="guibutton">Take Ownership</span> button will not allow
you to change the ownership of this file to yourself (clicking on
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
for this is that changing the ownership of a file is a privileged
operation in UNIX, available only to the <span class="emphasis"><em>root</em></span>
user. As clicking on this button causes NT to attempt to change
the ownership of a file to the current user logged into the NT
client this will not work with Samba at this time.</p><p>There is an NT chown command that will work with Samba
and allow a user with Administrator privilege connected
to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <span class="application">Seclib
</span> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923425"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span>
button. Clicking on this brings up a dialog box that shows both
the permissions and the UNIX owner of the file or directory.
The owner is displayed in the form :</p><p><b class="command">&quot;<i class="replaceable"><tt>SERVER</tt></i>\
<i class="replaceable"><tt>user</tt></i>
<i class="replaceable"><tt>(Long name)</tt></i>&quot;</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database).</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
is set to <tt class="constant">false</tt> then the file owner will
be shown as the NT user <tt class="constant">&quot;Everyone&quot;</tt> and the
permissions will be shown as NT &quot;Full Control&quot;.</p><p>The permissions field is displayed differently for files
and directories, so I'll describe the way file permissions
are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923516"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and
the corresponding &quot;read&quot;, &quot;write&quot;, &quot;execute&quot; permissions
triplets are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <tt class="constant">Everyone</tt>, followed
by the list of permissions allowed for UNIX world. The UNIX
owner and group permissions are displayed as an NT
<span class="guiicon">user</span> icon and an NT <span class="guiicon">local
group</span> icon respectively followed by the list
of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common
NT names such as <tt class="constant">read</tt>, <tt class="constant">
&quot;change&quot;</tt> or <tt class="constant">full control</tt> then
usually the permissions will be prefixed by the words <tt class="constant">
&quot;Special Access&quot;</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed
for a particular UNIX user group or world component ? In order
to allow &quot;no permissions&quot; to be seen and modified then Samba
overloads the NT <b class="command">&quot;Take Ownership&quot;</b> ACL attribute
(which has no meaning in UNIX) and reports a component with
no permissions as having the NT <b class="command">&quot;O&quot;</b> bit set.
This was chosen of course to make it look like a zero, meaning
zero permissions. More details on the decision behind this will
be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923608"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
different sets of permissions. The first set of permissions
is the ACL set on the directory itself, this is usually displayed
in the first set of parentheses in the normal <tt class="constant">&quot;RW&quot;</tt>
NT style. This first set of permissions is created by Samba in
exactly the same way as normal file permissions are, described
above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning
in the UNIX permissions world and represents the <tt class="constant">
inherited</tt> permissions that any file created within
this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by
returning as an NT ACL the UNIX permission mode that a new file
created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923653"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
as changing the displayed permissions in the dialog box, and
clicking the <span class="guibutton">OK</span> button. However, there are
limitations that a user needs to be aware of, and also interactions
with the standard Samba permission masks and mapping of DOS
attributes that need to also be taken into account.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
is set to <tt class="constant">false</tt> then any attempt to set
security permissions will fail with an <span class="errorname">&quot;Access Denied&quot;
</span> message.</p><p>The first thing to note is that the <span class="guibutton">&quot;Add&quot;</span>
button will not return a list of users in Samba (it will give
an error message of <span class="errorname">The remote procedure call failed
and did not execute</span>). This means that you can only
manipulate the current user/group/world permissions listed in
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <span class="guibutton">OK</span> button is pressed it will
be applied as &quot;no permissions&quot; on the UNIX side. If you then
view the permissions again the &quot;no permissions&quot; entry will appear
as the NT <b class="command">&quot;O&quot;</b> flag, as described above. This
allows you to add permissions back to a file or directory once
you have removed them from a triplet component.</p><p>As UNIX supports only the &quot;r&quot;, &quot;w&quot; and &quot;x&quot; bits of
an NT ACL then if other NT security attributes such as &quot;Delete
access&quot; are selected then they will be ignored when applied on
the Samba server.</p><p>When setting permissions on a directory the second
set of permissions (in the second set of parentheses) is
by default applied to all files within that directory. If this
is not what you want you must uncheck the <span class="guilabel">Replace
permissions on existing files</span> checkbox in the NT
dialog before clicking <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a
user/group/world component then you may either highlight the
component and click the <span class="guibutton">Remove</span> button,
or set the component to only have the special <tt class="constant">Take
Ownership</tt> permission (displayed as <b class="command">&quot;O&quot;
</b>) highlighted.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923805"></a>Interaction with the standard Samba create mask
parameters</h3></div></div><div></div></div><p>There are four parameters
to control interaction with the standard Samba create mask parameters.
These are :
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><p>
</p><p>Once a user clicks <span class="guibutton">OK</span> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triplet set, and then will check the changed permissions for a
file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top">
<i class="parameter"><tt>security mask</tt></i></a> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
in the file permissions.</p><p>Essentially, zero bits in the <i class="parameter"><tt>security mask</tt></i>
mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
allowed to change, and one bits are those the user is allowed to change.
</p><p>If not set explicitly this parameter is set to the same value as
the <a href="smb.conf.5.html#CREATEMASK" target="_top"><i class="parameter"><tt>create mask
</tt></i></a> parameter. To allow a user to modify all the
user/group/world permissions on a file, set this parameter
to 0777.</p><p>Next Samba checks the changed permissions for a file against
the bits set in the <a href="smb.conf.5.html#FORCESECURITYMODE" target="_top">
<i class="parameter"><tt>force security mode</tt></i></a> parameter. Any bits
that were changed that correspond to bits set to '1' in this parameter
are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode
</tt></i> parameter may be treated as a set of bits that, when
modifying security on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to the same value
as the <a href="smb.conf.5.html#FORCECREATEMODE" target="_top"><i class="parameter"><tt>force
create mode</tt></i></a> parameter.
To allow a user to modify all the user/group/world permissions on a file
with no restrictions set this parameter to 000.</p><p>The <i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force
security mode</tt></i> parameters are applied to the change
request in that order.</p><p>For a directory Samba will perform the same operations as
described above for a file except using the parameter <i class="parameter"><tt>
directory security mask</tt></i> instead of <i class="parameter"><tt>security
mask</tt></i>, and <i class="parameter"><tt>force directory security mode
</tt></i> parameter instead of <i class="parameter"><tt>force security mode
</tt></i>.</p><p>The <i class="parameter"><tt>directory security mask</tt></i> parameter
by default is set to the same value as the <i class="parameter"><tt>directory mask
</tt></i> parameter and the <i class="parameter"><tt>force directory security
mode</tt></i> parameter by default is set to the same value as
the <i class="parameter"><tt>force directory mode</tt></i> parameter. </p><p>In this way Samba enforces the permission restrictions that
an administrator can set on a Samba share, whilst still allowing users
to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control
in modifying the permission bits on their files and directories and
doesn't force any particular bits to be set 'on', then set the following
parameters in the <tt class="filename">smb.conf</tt> file in that share specific section :
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924134"></a>Interaction with the standard Samba file attribute
mapping</h3></div></div><div></div></div><p>Samba maps some of the DOS attribute bits (such as &quot;read
only&quot;) into the UNIX permissions of a file. This means there can
be a conflict between the permission bits set via the security
dialog and the permission bits set by the file attribute mapping.
</p><p>One way this can show up is if a file has no UNIX read access
for the owner it will show up as &quot;read only&quot; in the standard
file attributes tabbed dialog. Unfortunately this dialog is
the same one that contains the security info in another tab.</p><p>What this can mean is that if the owner changes the permissions
to allow themselves read access using the security dialog, clicks
<span class="guibutton">OK</span> to get back to the standard attributes tab
dialog, and then clicks <span class="guibutton">OK</span> on that dialog, then
NT will set the file permissions back to read-only (as that is what
the attributes still say in the dialog). This means that after setting
permissions and clicking <span class="guibutton">OK</span> to get back to the
attributes dialog you should always hit <span class="guibutton">Cancel</span>
rather than <span class="guibutton">OK</span> to ensure that your changes
are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924210"></a>Common Errors</h2></div></div><div></div></div><p>
File, Directory and Share access problems are very common on the mailing list. The following
are examples taken from the mailing list in recent times.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924224"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
and there's a public share, on which everyone needs to have permission to create / modify files, but only
root can change the file, no one else can. We need to constantly go to server to
<b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file.
</span>&#8221;
</p><p>
There are many ways to solve this problem, here are a few hints:
</p><div class="procedure"><p class="title"><b>Procedure 13.3. Example Solution:</b></p><ol type="1"><li><p>
Go to the top of the directory that is shared
</p></li><li><p>
Set the ownership to what ever public owner and group you want
</p><pre class="programlisting">
find 'directory_name' -type d -exec chown user.group {}\;
find 'directory_name' -type d -exec chmod 6775 'directory_name'
find 'directory_name' -type f -exec chmod 0775 {} \;
find 'directory_name' -type f -exec chown user.group {}\;
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above will set the 'sticky bit' on all directories. Read your
Unix/Linux man page on what that does. It causes the OS to assign
to all files created in the directories the ownership of the
directory.
</p></div></li><li><p>
Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</p><p>This is the same as doing:</p><p>
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
</pre><p>
</p></div></li><li><p>Now do:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
</pre><p>
</p><p>You should see:
</p><pre class="screen">
drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
</pre><p>
</p></li><li><p>Now do:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
</pre><p>
</p><p>
You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
and permissions of Jack, as follows:
</p><pre class="screen">
-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
</pre><p>
</p></li><li><p>
Now in your <tt class="filename">smb.conf</tt> for the share add:
</p><pre class="programlisting">
force create mode = 0775
force directory mode = 6775
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group
you have used. ie: Within the OS do not have write permission on the directory.
</p></div><p>
An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
</p><pre class="programlisting">
force user = jack
force group = engr
</pre><p>
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924604"></a>I have set force user and Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files
I touch!</h3></div></div><div></div></div><p>
When you have a user in 'admin users', Samba will always do file operations for
this user as <span class="emphasis"><em>root</em></span>, even if <i class="parameter"><tt>force user</tt></i> has been set.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Mapping MS Windows and Unix Groups </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html>

View File

@ -0,0 +1,224 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2984570">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984759">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984858">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984876">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985087">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2985283">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985316">Common Errors</a></dt></dl></div><p>
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984570"></a>Features and Benefits</h2></div></div><div></div></div><p>
Often the difference between a working network environment and a well appreciated one can
best be measured by the <span class="emphasis"><em>little things</em></span> that makes everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, to remotely access the Samba server, to provide customised
logon scripts, as well as other house keeping activities that help to sustain more reliable
network operations.
</p><p>
This chapter presents information on each of these area. They are placed here, and not in
other chapters, for ease of reference.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984759"></a>Remote Server Administration</h2></div></div><div></div></div><p>
<span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span>
</p><p>
Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains',
the 'Server Manager'?
</p><p>
Microsoft distributes a version of these tools called nexus for installation
on <span class="application">Windows 9x / Me</span> systems. The tools set includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Server Manager</td></tr><tr><td>User Manager for Domains</td></tr><tr><td>Event Viewer</td></tr></table><p>
Click here to download the archived file <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</a>
</p><p>
The <span class="application">Windows NT 4.0</span> version of the 'User Manager for
Domains' and 'Server Manager' are available from Microsoft via ftp
from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984858"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solutions is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2984876"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
It is presented in slightly edited form (with author details omitted for privacy reasons).
The entire answer is reproduced below with some comments removed.
</p><p>
</p><pre class="screen">
&gt; I have a wonderful linux/samba server running as PDC for a network.
&gt; Now I would like to add remote desktop capabilities so that
&gt; users outside could login to the system and get their desktop up from
&gt; home or another country..
&gt;
&gt; Is there a way to accomplish this? Do I need a windows terminal server?
&gt; Do I need to configure it so that it is a member of the domain or a
&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
&gt; even if the computer is in a domain?
&gt;
&gt; Any ideas/experience would be appreciated :)
</pre><p>
</p><p>
Answer provided: Check out the new offer from NoMachine, &quot;NX&quot; software:
<a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>.
</p><p>
It implements a very easy-to-use interface to the remote X protocol as
well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
performance much better than anything you may have ever seen...
</p><p>
Remote X is not new at all -- but what they did achieve successfully is
a new way of compression and caching technologies which makes the thing
fast enough to run even over slow modem/ISDN connections.
</p><p>
I could test drive their (public) RedHat machine in Italy, over a loaded
internet connection, with enabled thumbnail previews in KDE konqueror
which popped up immediately on &quot;mouse-over&quot;. From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
To test the performance, I played Pinball. I am proud to announce here
that my score was 631750 points at first try...
</p><p>
NX performs better on my local LAN than any of the other &quot;pure&quot;
connection methods I am using from time to time: TightVNC, rdesktop or
remote X. It is even faster than a direct crosslink connection between
two nodes.
</p><p>
I even got sound playing from the remote X app to my local boxes, and
had a working &quot;copy'n'paste&quot; from an NX window (running a KDE session
in Italy) to my Mozilla mailing agent... These guys are certainly doing
something right!
</p><p>
I recommend to test drive NX to anybody with a only a remote interest
in remote computing
<a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>.
</p><p>
Just download the free of charge client software (available for RedHat,
SuSE, Debian and Windows) and be up and running within 5 minutes (they
need to send you your account data, though, because you are assigned
a real Unix account on their testdrive.nomachine.com box...
</p><p>
They plan to get to the point were you can have NX application servers
running as a cluster of nodes, and users simply start an NX session locally,
and can select applications to run transparently (apps may even run on
another NX node, but pretend to be on the same as used for initial login,
because it displays in the same window.... well, you also can run it
fullscreen, and after a short time you forget that it is a remote session
at all).
</p><p>
Now the best thing at the end: all the core compression and caching
technologies are released under the GPL and available as source code
to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running....)
</p><p>
To answer your questions:
</p><div class="itemizedlist"><ul type="disc"><li><p>
You don't need to install a terminal server; XP has RDP support built in.
</p></li><li><p>
NX is much cheaper than Citrix -- and comparable in performance, probably faster
</p></li><li><p>
You don't need to hack XP -- it just works
</p></li><li><p>
You log into the XP box from remote transparently (and I think there is no
need to change anything to get a connection, even if authentication is against a domain)
</p></li><li><p>
The NX core technologies are all Open Source and released under the GPL --
you can today use a (very inconvenient) commandline to use it at no cost,
but you can buy a comfortable (proprietary) NX GUI frontend for money
</p></li><li><p>
NoMachine are encouraging and offering help to OSS/Free Software implementations
for such a frontend too, even if it means competition to them (they have written
to this effect even to the LTSP, KDE and GNOME developer mailing lists)
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985087"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
This section needs work. Volunteer contributions most welcome. Please send your patches or updates
to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>.
</p><p>
There are several opportunities for creating a custom network startup configuration environment.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</td></tr><tr><td>User of a tool such as KixStart</td></tr></table><p>
The Samba source code tree includes two logon script generation/execution tools.
See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and
<tt class="filename">ntlogon</tt> subdirectories.
</p><p>
The following listings are from the genlogon directory.
</p><p>
This is the <tt class="filename">genlogon.pl</tt> file:
</p><pre class="programlisting">
#!/usr/bin/perl
#
# genlogon.pl
#
# Perl script to generate user logon scripts on the fly, when users
# connect from a Windows client. This script should be called from smb.conf
# with the %U, %G and %L parameters. I.e:
#
# root preexec = genlogon.pl %U %G %L
#
# The script generated will perform
# the following:
#
# 1. Log the user connection to /var/log/samba/netlogon.log
# 2. Set the PC's time to the Linux server time (which is maintained
# daily to the National Institute of Standard's Atomic clock on the
# internet.
# 3. Connect the user's home drive to H: (H for Home).
# 4. Connect common drives that everyone uses.
# 5. Connect group-specific drives for certain user groups.
# 6. Connect user-specific drives for certain users.
# 7. Connect network printers.
# Log client connection
#($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
open LOG, &quot;&gt;&gt;/var/log/samba/netlogon.log&quot;;
print LOG &quot;$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n&quot;;
close LOG;
# Start generating logon script
open LOGON, &quot;&gt;/shared/netlogon/$ARGV[0].bat&quot;;
print LOGON &quot;\@ECHO OFF\r\n&quot;;
# Connect shares just use by Software Development group
if ($ARGV[1] eq &quot;SOFTDEV&quot; || $ARGV[0] eq &quot;softdev&quot;)
{
print LOGON &quot;NET USE M: \\\\$ARGV[2]\\SOURCE\r\n&quot;;
}
# Connect shares just use by Technical Support staff
if ($ARGV[1] eq &quot;SUPPORT&quot; || $ARGV[0] eq &quot;support&quot;)
{
print LOGON &quot;NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n&quot;;
}
# Connect shares just used by Administration staff
If ($ARGV[1] eq &quot;ADMIN&quot; || $ARGV[0] eq &quot;admin&quot;)
{
print LOGON &quot;NET USE L: \\\\$ARGV[2]\\ADMIN\r\n&quot;;
print LOGON &quot;NET USE K: \\\\$ARGV[2]\\MKTING\r\n&quot;;
}
# Now connect Printers. We handle just two or three users a little
# differently, because they are the exceptions that have desktop
# printers on LPT1: - all other user's go to the LaserJet on the
# server.
if ($ARGV[0] eq 'jim'
|| $ARGV[0] eq 'yvonne')
{
print LOGON &quot;NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n&quot;;
print LOGON &quot;NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n&quot;;
}
else
{
print LOGON &quot;NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n&quot;;
print LOGON &quot;NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n&quot;;
}
# All done! Close the output file.
close LOGON;
</pre><p>
</p><p>
Those wishing to use more elaborate or capable logon processing system should check out the following sites:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2985283"></a>Adding printers without user intervention</h3></div></div><div></div></div><p>
Printers may be added automatically during logon script processing through the use of:
</p><pre class="programlisting">
rundll32 printui.dll,PrintUIEntry /?
</pre><p>
See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985316"></a>Common Errors</h2></div></div><div></div></div><p>
The information provided in this chapter has been reproduced from postings on the samba@samba.org
mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
their own evaluation of alternatives and are encouraged to draw their own conclusions.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Integrated Logon Support using Winbind </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. System and Account Policies</td></tr></table></div></body></html>

View File

@ -0,0 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. <a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html>

13
docs/htmldocs/Backup.html Normal file
View File

@ -0,0 +1,13 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id3001533">Note</a></dt><dt><a href="Backup.html#id3001557">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001533"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
If you have something to contribute for this section please email it to
<a href="">jht@samba.org</a>/
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001557"></a>Features and Benefits</h2></div></div><div></div></div><p>
We need feedback from people who are backing up samba servers.
We would like to know what software tools you are using to backup
your samba server/s.
</p><p>
In particular, if you have any success and / or failure stories you could
share with other users this would be appreciated.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. High Availability Options</td></tr></table></div></body></html>

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901966"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-Alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>

View File

@ -0,0 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018605"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html>

View File

@ -0,0 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886744"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>

View File

@ -0,0 +1,100 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018765"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top">
<span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by &quot;Hobbit&quot;</a>
</p></li><li><p>
<a href="http://afr.com/it/2002/10/01/FFXDF43AP6D.html" target="_top">
<span class="emphasis"><em>Doing the Samba on Windows</em></span> by Financial Review
</a>
</p></li><li><p>
<a href="http://ubiqx.org/cifs/" target="_top">
<span class="emphasis"><em>Implementing CIFS</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://samba.anu.edu.au/cifs/docs/what-is-smb.html" target="_top">
<span class="emphasis"><em>Just What Is SMB?</em></span> by Richard Sharpe
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/1999-05/samba_01.html" target="_top">
<span class="emphasis"><em>Opening Windows Everywhere</em></span> by Mike Warfield
</a>
</p></li><li><p>
<a href="http://www.tldp.org/HOWTO/SMB-HOWTO.html" target="_top">
<span class="emphasis"><em>SMB HOWTO</em></span> by David Wood
</a>
</p></li><li><p>
<a href="http://www.phrack.org/phrack/60/p60-0x0b.txt" target="_top">
<span class="emphasis"><em>SMB/CIFS by The Root</em></span> by &quot;ledin&quot;
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/1999-09/samba_01.html" target="_top">
<span class="emphasis"><em>The Story of Samba</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://hr.uoregon.edu/davidrl/samba/" target="_top">
<span class="emphasis"><em>The Unofficial Samba HOWTO</em></span> by David Lechnyr
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2002-02/samba_01.html" target="_top">
<span class="emphasis"><em>Using Samba as a PDC</em></span> by Andrew Bartlett
</a>
</p></li><li><p>
<a href="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf" target="_top">
<span class="emphasis"><em>PDF version of the Troubleshooting Techniques chapter</em></span>
from the second edition of Sam's Teach Yourself Samba in 24 Hours
(publishing date of Dec. 12, 2001)</a>
</p></li><li><p>
<a href="http://ru.samba.org/samba/ftp/slides/" target="_top">
<span class="emphasis"><em>Slide presentations</em></span> by Samba Team members
</a>
</p></li><li><p>
<a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top">
<span class="emphasis"><em>Introduction to Samba 3.0</em></span> by Motonobu Takahashi
(written in Japanese). </a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span>, by team member
Chris Hertel. This article appeared in the May 2001 issue of
Linux Magazine.
</a>
</p></li><li><p>
<a href="ftp://ftp.stratus.com/pub/vos/customers/samba/" target="_top">
<span class="emphasis"><em>Samba 2.0.x Troubleshooting guide</em></span> from Paul Green
</a>
</p></li><li><p>
<a href="http://samba.org/samba/docs/10years.html" target="_top">
<span class="emphasis"><em>Ten Years of Samba</em></span>
</a>
</p></li><li><p>
<a href="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html" target="_top">
<span class="emphasis"><em>Samba Authenticated Gateway HOWTO</em></span>
</a>
</p></li><li><p>
<a href="http://samba.org/samba/docs/SambaIntro.html" target="_top">
<span class="emphasis"><em>An Introduction to Samba</em></span>
</a>
</p></li><li><p>
<a href="http://www.samba.org/cifs/" target="_top">
<span class="emphasis"><em>What is CIFS?</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager
Security</em></span> at Microsoft Knowledge Base
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020416"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows '95 File Sharing Updates</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span>
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020431"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>

View File

@ -0,0 +1,175 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2933376">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2933404">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2933488">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933501">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2933586">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933622">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933649">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2933790">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933922">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933937">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p>
Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
adopt Active Directory or an LDAP based authentication back end. This section explains
some background information regarding trust relationships and how to create them. It is now
possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933376"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
trust relationships. This imparts to Samba similar scalability as is possible with
MS Windows NT4.
</p><p>
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts simply because by the very nature of how this works it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933404"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
The limitations of this architecture as it affects the scalability of MS Windows networking
in large organisations is well known. Additionally, the flat-name space that results from
this design significantly impacts the delegation of administrative responsibilities in
large and diverse organisations.
</p><p>
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
of circumventing the limitations of the older technologies. Not every organisation is ready
or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
is quite adequate, there thus remains an entrenched user base for whom there is no direct
desire to go through a disruptive change to adopt ADS.
</p><p>
Microsoft introduced with MS Windows NT the ability to allow differing security domains
to affect a mechanism so that users from one domain may be given access rights and privileges
in another domain. The language that describes this capability is couched in terms of
<span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
from another domain. The domain from which users are available to another security domain is
said to be a trusted domain. The domain in which those users have assigned rights and privileges
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
thus if users in both domains are to have privileges and rights in each others' domain, then it is
necessary to establish two (2) relationships, one in each direction.
</p><p>
In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
transitive.
</p><p>
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
style Interdomain trusts and interoperates with MS Windows 200x ADS
security domains in similar manner to MS Windows NT4 style domains.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933488"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
There are two steps to creating an interdomain trust relationship.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933501"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p>
For MS Windows NT4, all domain trust relationships are configured using the
<span class="application">Domain User Manager</span>. To affect a two way trust relationship it is
necessary for each domain administrator to make available (for use by an external domain) it's
security resources. This is done from the Domain User Manager Policies entry on the menu bar.
From the <span class="guimenu">Policy</span> menu, select <span class="guimenuitem">Trust Relationships</span>, then
next to the lower box that is labelled <span class="guilabel">Permitted to Trust this Domain</span> are two
buttons, <span class="guibutton">Add</span> and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span>
button will open a panel in which needs to be entered the remote domain that will be able to assign
user rights to your domain. In addition it is necessary to enter a password
that is specific to this trust relationship. The password needs to be
typed twice (for standard confirmation).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933586"></a>NT4 as the Trusted Domain (ie. creating trusted account's password)</h3></div></div><div></div></div><p>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
<span class="guibutton">Add</span> button that is next to the box that is labelled
<span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote
domain as well as the password assigned to that trust.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933622"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
This description is meant to be a fairly short introduction about how to set up a Samba server so
that it could participate in interdomain trust relationships. Trust relationship support in Samba
is in its early stage, so lot of things don't work yet.
</p><p>
Each of the procedures described below is treated as they were performed with Windows NT4 Server on
one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
reading this document, that combining Samba-specific parts of what's written below leads to trust
between domains in purely Samba environment.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933649"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p>
In order to set the Samba PDC to be the trusted party of the relationship first you need
to create special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
</pre><p>
where <tt class="option">-a</tt> means to add a new account into the
passdb database and <tt class="option">-i</tt> means: ''create this
account with the InterDomain trust flag''
</p><p>
The account name will be 'rumba$' (the name of the remote domain)
</p><p>
After issuing this command you'll be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the standard way depending on your configuration) and see that account's name is
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</p><p>
Open <span class="application">User Manager for Domains</span> and from menu
<span class="guimenu">Policies</span> select <span class="guimenuitem">Trust Relationships...</span>.
Right beside <span class="guilabel">Trusted domains</span> list box press the
<span class="guimenu">Add...</span> button. You will be prompted for
the trusted domain name and the relationship password. Type in SAMBA, as this is
your domain name, and the password used at the time of account creation.
Press OK and, if everything went without incident, you will see
<tt class="computeroutput">Trusted domain relationship successfully
established</tt> message.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933790"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p>
This time activities are somewhat reversed. Again, we'll assume that your domain
controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
</p><p>
The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.
</p><p>
Launch the <span class="application">Domain User Manager</span>, then from the menu select
<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
Now, next to <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span>
button, and type in the name of the trusted domain (SAMBA) and password securing
the relationship.
</p><p>
The password can be arbitrarily chosen. It is easy to change the password
from the Samba server whenever you want. After confirming the password your account is
ready for use. Now it's Samba's turn.
</p><p>
Using your favourite shell while being logged in as root, issue this command:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b>
</p><p>
You will be prompted for the password you just typed on your Windows NT4 Server box.
Do not worry if you see an error message that mentions a returned code of
<span class="errorname">NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</span>. It means the
password you gave is correct and the NT4 Server says the account is
ready for interdomain connection and not for ordinary
connection. After that, be patient it can take a while (especially
in large networks), you should see the <tt class="computeroutput">Success</tt> message.
Congratulations! Your trust relationship has just been established.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Note that you have to run this command as root because you must have write access to
the <tt class="filename">secrets.tdb</tt> file.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933922"></a>Common Errors</h2></div></div><div></div></div><p>
Interdomain trust relationships should NOT be attempted on networks that are unstable
or that suffer regular outages. Network stability and integrity are key concerns with
distributed trusted domains.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933937"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p>
Like many, I administer multiple LANs connected together using NT trust
relationships. This was implemented about 4 years ago. I now have the
occasion to consider performing this same task again, but this time, I
would like to implement it solely through samba - no Microsoft PDCs
anywhere.
</p><p>
I have read documentation on samba.org regarding NT-style trust
relationships and am now wondering, can I do what I want to? I already
have successfully implemented 2 samba servers, but they are not PDCs.
They merely act as file servers. I seem to remember, and it appears to
be true (according to samba.org) that trust relationships are a
challenge.
</p><p>
Please provide any helpful feedback that you may have.
</p><p>
These are almost complete in Samba 3.0 snapshots. The main catch
is getting winbindd to be able to allocate UID/GIDs for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html>

174
docs/htmldocs/IntroSMB.html Normal file
View File

@ -0,0 +1,174 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></div><p>&#8220;<span class="quote">
&quot;If you understand what you're doing, you're not learning anything.&quot;
-- Anonymous
</span>&#8221;</p><p>
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying
transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big
strengths is that you can use it to blend your mix of Windows and Linux machines together
without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885613"></a>Background</h2></div></div><div></div></div><p>
Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
ran over UDP. When there was a need to run it over TCP so that it would be compatible
with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became
known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to
license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the
concept continued in the form of SMB (Server Message Block, or the &quot;what&quot;) using the
NetBIOS (Network Basic Input/Output System, or the &quot;how&quot;) compatibility layer. You can
run SMB (i.e., transport) over several different protocols; many different implementations
arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT
(NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form
of implementation until the advance of &quot;Direct-Hosted TCP&quot; -- the Microsoft marketing
term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445
only. As of yet, direct-hosted TCP has yet to catch on.
</p><p>
Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS:
Common Insecurities Fail Scrutiny:
</p><p><span class="emphasis"><em>
Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba
stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have
been dutifully waded through during the information-gathering stages of this project, and there
are *still* many missing pieces... While often tedious, at least the way has been generously
littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
thinking?
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885824"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
SMB: Acronym for &quot;Server Message Block&quot;. This is Microsoft's file and printer sharing protocol.
</p></li><li><p>
CIFS: Acronym for &quot;Common Internet File System&quot;. Around 1996, Microsoft apparently
decided that SMB needed the word &quot;Internet&quot; in it, so they changed it to CIFS.
</p></li><li><p>
Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp
only using DNS for name resolution instead of WINS.
</p></li><li><p>
IPC: Acronym for &quot;Inter-Process Communication&quot;. A method to communicate specific
information between programs.
</p></li><li><p>
Marshalling: - A method of serializing (i.e., sequential ordering of) variable data
suitable for transmission via a network connection or storing in a file. The source
data can be re-created using a similar process called unmarshalling.
</p></li><li><p>
NetBIOS: Acronym for &quot;Network Basic Input/Output System&quot;. This is not a protocol;
it is a method of communication across an existing protocol. This is a standard which
was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit,
it can help to think of this in comparison your computer's BIOS -- it controls the
essential functions of your input/output hardware -- whereas NetBIOS controls the
essential functions of your input/output traffic via the network. Again, this is a bit
of an exaggeration but it should help that paradigm shift. What is important to realize
is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically
brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second
thought; this will cause no end (and no doubt) of confusion.
</p></li><li><p>
NetBEUI: Acronym for the &quot;NetBIOS Extended User Interface&quot;. Unlike NetBIOS, NetBEUI
is a protocol, not a standard. It is also not routable, so traffic on one side of a
router will be unable to communicate with the other side. Understanding NetBEUI is
not essential to deciphering SMB; however it helps to point out that it is not the
same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally
referred to by Microsoft as &quot;NBF&quot;, or &quot;The Windows NT NetBEUI Frame protocol driver&quot;.
It is not often heard from these days.
</p></li><li><p>
NBT: Acronym for &quot;NetBIOS over TCP&quot;; also known as &quot;NetBT&quot;. Allows the continued use
of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made
to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports.
This is how file and printer sharing are accomplished in Windows 95/98/ME. They
traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137,
NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service
(nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts,
and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002
(Detailed specifications).
</p></li><li><p>
W2K: Acronym for Windows 2000 Professional or Server
</p></li><li><p>
W3K: Acronym for Windows 2003 Server
</p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885978"></a>Related Projects</h2></div></div><div></div></div><p>
There are currently two network filesystem client projects for Linux that are directly
related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
</p><div class="itemizedlist"><ul type="disc"><li><p>
SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol
that Microsoft Windows and OS/2 Lan Manager use to share files and printers
over local networks) and access them just like any other Unix directory. This is useful
if you just want to mount such filesystems without being a SMBFS server.
</p></li><li><p>
CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
is being actively developed for the upcoming version of the Linux kernel. The intent of this module
is to provide advanced network file system functionality including support for dfs (hierarchical
name space), secure per-user session establishment, safe distributed caching (oplock),
optional packet signing, Unicode and other internationalization improvements, and optional
Winbind (nsswitch) integration.
</p></li></ul></div><p>
Again, it's important to note that these are implementations for client filesystems, and have
nothing to do with acting as a file and print server for SMB/CIFS clients.
</p><p>
There are other Open Source CIFS client implementations, such as the
<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a>
which provides an SMB client toolkit written in Java.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886047"></a>SMB Methodology</h2></div></div><div></div></div><p>
Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
session service, or netbios-ssn). Anyone looking at their network with a good
packet sniffer will be amazed at the amount of traffic generated by just opening
up a single file. In general, SMB sessions are established in the following order:
</p><div class="itemizedlist"><ul type="disc"><li><p>
&quot;TCP Connection&quot; - establish 3-way handshake (connection) to port 139/tcp
or 445/tcp.
</p></li><li><p>
&quot;NetBIOS Session Request&quot; - using the following &quot;Calling Names&quot;: The local
machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS
name plus the 16th character 0x20
</p></li><li><p>
&quot;SMB Negotiate Protocol&quot; - determine the protocol dialect to use, which will
be one of the following: PC Network Program 1.0 (Core) - share level security
mode only; Microsoft Networks 1.03 (Core Plus) - share level security
mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response
Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response
Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response
Authentication
</p></li><li><p>
SMB Session Startup. Passwords are encrypted (or not) according to one of
the following methods: Null (no encryption); Cleartext (no encryption); LM
and NTLM; NTLM; NTLMv2
</p></li><li><p>
SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect
to a service type (e.g., IPC$ named pipe)
</p></li></ul></div><p>
A good way to examine this process in depth is to try out
<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>.
It allows you to walk through the establishment of a SMB/CIFS session step by step.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886135"></a>Epilogue</h2></div></div><div></div></div><p>&#8220;<span class="quote">
What's fundamentally wrong is that nobody ever had any taste when they
did it. Microsoft has been very much into making the user interface look good,
but internally it's just a complete mess. And even people who program for Microsoft
and who have had years of experience, just don't know how it works internally.
Worse, nobody dares change it. Nobody dares to fix bugs because it's such a
mess that fixing one bug might just break a hundred programs that depend on
that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested
in making money. They don't have anybody who takes pride in Windows 95 as an
operating system.
</span>&#8221;</p><p>&#8220;<span class="quote">
People inside Microsoft know it's a bad operating system and they still
continue obviously working on it because they want to get the next version out
because they want to have all these new features to sell more copies of the
system.
</span>&#8221;</p><p>&#8220;<span class="quote">
The problem with that is that over time, when you have this kind of approach,
and because nobody understands it, because nobody REALLY fixes bugs (other than
when they're really obvious), the end result is really messy. You can't trust
it because under certain circumstances it just spontaneously reboots or just
halts in the middle of something that shouldn't be strange. Normally it works
fine and then once in a blue moon for some completely unknown reason, it's dead,
and nobody knows why. Not Microsoft, not the experienced user and certainly
not the completely clueless user who probably sits there shivering thinking
&quot;What did I do wrong?&quot; when they didn't do anything wrong at all.
</span>&#8221;</p><p>&#8220;<span class="quote">
That's what's really irritating to me.&quot;
</span>&#8221;</p><p>--
<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886209"></a>Miscellaneous</h2></div></div><div></div></div><p>
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
Permission is granted to copy, distribute and/or modify this document under the terms
of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>

View File

@ -0,0 +1,202 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></div><p>
This is a rough guide to assist those wishing to migrate from NT4 domain control to
Samba-3 based domain control.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001339"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
In the IT world there is often a saying that all problems are encountered because of
poor planning. The corollary to this saying is that not all problems can be anticipated
and planned for. Then again, good planning will anticipate most show stopper type situations.
</p><p>
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
environment would do well to develop a detailed migration plan. So here are a few pointers to
help migration get under way.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001368"></a>Objectives</h3></div></div><div></div></div><p>
The key objective for most organisations will be to make the migration from MS Windows NT4
to Samba-3 domain control as painless as possible. One of the challenges you may experience
in your migration process may well be one of convincing management that the new environment
should remain in place. Many who have introduced open source technologies have experienced
pressure to return to a Microsoft based platform solution at the first sign of trouble.
</p><p>
It is strongly advised that before attempting a migration to a Samba-3 controlled network
that every possible effort be made to gain all-round commitment to the change. Firstly, you
should know precisely <span class="emphasis"><em>why</em></span> the change is important for the organisation.
Possible motivations to make a change include:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Improve network manageability</td></tr><tr><td>Obtain better user level functionality</td></tr><tr><td>Reduce network operating costs</td></tr><tr><td>Reduce exposure caused by Microsoft withdrawal of NT4 support</td></tr><tr><td>Avoid MS License 6 implications</td></tr><tr><td>Reduce organisation's dependency on Microsoft</td></tr></table><p>
It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
an alternative solution that is both different from MS Windows NT4 and that offers some
advantages compared with it. It should also be recognised that Samba-3 lacks many of the
features that Microsoft has promoted as core values in migration from MS Windows NT4 to
MS Windows 2000 and beyond (with or without Active Directory services).
</p><p>
What are the features that Samba-3 can NOT provide?
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Directory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directory</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p>
The features that Samba-3 DOES provide and that may be of compelling interest to your site
includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-sign-on architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p>
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
considered. Users should be educated about changes they may experience so that the change will be a
welcome one and not become an obstacle to the work they need to do. The following are some of the
factors that will go into a successful migration:
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002882"></a>Domain Layout</h4></div></div><div></div></div><p>
Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
a secondary controller), a domain member, or as a stand-alone server. The Windows network security
domain context should be sized and scoped before implementation. Particular attention needs to be
paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
chooses to use an LDAP authentication backend then the same database can be used by several different
domains. This means that in a complex organisation there can be a single LDAP database, that itself
can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
</p><p>
It is recommended that from a design perspective, the number of users per server, as well as the number
of servers, per domain should be scaled according to needs and should also consider server capacity
and network bandwidth.
</p><p>
A physical network segment may house several domains, each of which may span multiple network segments.
Where domains span routed network segments it is most advisable to consider and test the performance
implications of the design and layout of a network. A Centrally located domain controller that is being
designed to serve multiple routed network segments may result in severe performance problems if the
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
the local authentication and access control server.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002935"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
There are few cardinal rules to effective network design that can be broken with impunity.
The most important rule of effective network management is that simplicity is king in every
well controlled network. Every part of the infrastructure must be managed, the more complex
it is, the greater will be the demand of keeping systems secure and functional.
</p><p>
The nature of the data that must be stored needs to be born in mind when deciding how many
shares must be created. The physical disk space layout should also be taken into account
when designing where share points will be created. Keep in mind that all data needs to be
backed up, thus the simpler the disk layout the easier it will be to keep track of what must
be backed up to tape or other off-line storage medium. Always plan and implement for minimum
maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
</p><p>
Users should be grouped according to data access control needs. File and directory access
is best controlled via group permissions and the use of the &quot;sticky bit&quot; on group controlled
directories may substantially avoid file access complaints from samba share users.
</p><p>
Many network administrators who are new to the game will attempt to use elaborate techniques
to set access controls, on files, directories, shares, as well as in share definitions.
There is the ever present danger that that administrator's successor will not understand the
complex mess that has been inherited. Remember, apparent job security through complex design
and implementation may ultimately cause loss of operations and downtime to users as the new
administrator learns to untangle your web. Keep access controls simple and effective and
make sure that users will never be interrupted by the stupidity of complexity.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002997"></a>Logon Scripts</h4></div></div><div></div></div><p>
Please refer to the section of this document on Advanced Network Administration for information
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
all users gain share and printer connections they need.
</p><p>
Logon scripts can be created on-the-fly so that all commands executed are specific to the
rights and privileges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logon script using
the <i class="parameter"><tt>root preexec</tt></i> parameters to the <tt class="filename">NETLOGON</tt> share.
</p><p>
Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
user environment. In any case you may wish to do a google search for logon script process controls.
In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
deals with how to add printers without user intervention via the logon script process.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3003055"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
Management.
</p><p>
Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
to be changed to the SID of the Samba-3 domain.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3004018"></a>User and Group Accounts</h4></div></div><div></div></div><p>
It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to connect these to
suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
should migrate painlessly.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004043"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
The approximate migration process is described below.
</p><div class="itemizedlist"><ul type="disc"><li><p>
You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
</p></li><li><p>
Samba-3 set up as a DC with netlogon share, profile share, etc.
</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been migrated</p></li></ol></li></ol></div><p>
Now it is time to migrate all the profiles, then migrate all policy files.
More later.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3004381"></a>Migration Options</h2></div></div><div></div></div><p>
Based on feedback from many sites as well as from actual installation and maintenance
experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba
based solution fit into three basic categories.
</p><div class="table"><a name="id3004398"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>&lt; 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>&gt; 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004462"></a>Planning for Success</h3></div></div><div></div></div><p>
There are three basic choices for sites that intend to migrate from MS Windows NT4
to Samba-3.
</p><div class="itemizedlist"><ul type="disc"><li><p>
Simple Conversion (total replacement)
</p></li><li><p>
Upgraded Conversion (could be one of integration)
</p></li><li><p>
Complete Redesign (completely new solution)
</p></li></ul></div><p>
No matter what choice you make, the following rules will minimise down-stream problems:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Take sufficient time
</p></li><li><p>
Avoid Panic
</p></li><li><p>
Test ALL assumptions
</p></li><li><p>
Test full roll-out program, including workstation deployment
</p></li></ul></div><div class="table"><a name="id3004535"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004704"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting">
Authentication database back end
Winbind (external Samba or NT4/200x server)
Can use pam_mkhomedir.so to auto-create home dirs
External server could use Active Directory or NT4 Domain
Database type
smbpasswd, tdbsam, ldapsam, mysqlsam
Access Control Points
On the Share itself (Use NT4 Server Manager)
On the file system
Unix permissions on files and directories
Enable Posix ACLs in file system?
Through Samba share parameters
Not recommended - except as only resort
Policies (migrate or create new ones)
Group Policy Editor (NT4)
Watch out for Tattoo effect
User and Group Profiles
Platform specific so use platform tool to change from a Local
to a Roaming profile Can use new profiles tool to change SIDs
(NTUser.DAT)
Logon Scripts (Know how they work)
User and Group mapping to Unix/Linux
username map facility may be needed
Use 'net groupmap' to connect NT4 groups to Unix groups
Use pdbedit to set/change user configuration
NOTE:
If migrating to LDAP back end it may be easier to dump initial LDAP database
to LDIF, then edit, then reload into LDAP
OS specific scripts / programs may be needed
Add / delete Users
Note OS limits on size of name (Linux 8 chars)
NT4 up to 254 chars
Add / delete machines
Applied only to domain members (note up to 16 chars)
Add / delete Groups
Note OS limits on size and nature
Linux limit is 16 char,
no spaces and no upper case chars (groupadd)
Migration Tools
Domain Control (NT4 Style)
Profiles, Policies, Access Controls, Security
Migration Tools
Samba: net, rpcclient, smbpasswd, pdbedit, profiles
Windows: NT4 Domain User Manager, Server Manager (NEXUS)
Authentication
New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)
</pre><p>
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html>

View File

@ -0,0 +1,957 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2903558">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2903637">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2903747">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903764">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2903926">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2904058">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2904194">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2904320">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2904541">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2904811">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2904967">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2904984">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2905013">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2905122">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905183">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905341">Setting up a WINS server</a></dt><dt><a href="NetworkBrowsing.html#id2905540">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2905565">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905650">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905663">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2905730">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905867">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905914">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2906021">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2906100">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906720">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906735">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2906764">My client reports &quot;This server is not configured to list shared resources&quot;</a></dt></dl></dd></dl></div><p>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and / or across workgroups (or domains).
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows 2000 and later can be configured to operate with NO NetBIOS
over TCP/IP. Samba-3 and later also supports this mode of operation.
When the use of NetBIOS over TCP/IP has been disabled then the primary
means for resolution of MS Windows machine names is via DNS and Active Directory.
The following information assumes that your site is running NetBIOS over TCP/IP.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903558"></a>Features and Benefits</h2></div></div><div></div></div><p>
Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times,
they were the best of times. The more we look back, them more we long for what was and
hope it never returns!</em></span>.
</p><p>
For many MS Windows network administrators, that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
nature was just par for the course. For those who never quite managed to tame its
lusty features, NetBIOS is like Paterson's Curse.
</p><p>
For those not familiar with botanical problems in Australia: Paterson's curse,
Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth
century. Since then it has spread rapidly. The high seed production, with densities of
thousands of seeds per square metre, a seed longevity of more than seven years, and an
ability to germinate at any time of year, given the right conditions, are some of the
features which make it such a persistent weed.
</p><p>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
</p><p>
Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
and implements extensions to Microsoft's implementation of WINS. These extensions
help Samba to affect stable WINS operations beyond the normal scope of MS WINS.
</p><p>
Please note that WINS is exclusively a service that applies only to those systems
that run NetBIOS over TCP/IP. MS Windows 200x / XP have the capacity to turn off
support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports this also.
</p><p>
For those networks on which NetBIOS has been disabled (ie: WINS is NOT required)
the use of DNS is necessary for host name resolution.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903637"></a>What is Browsing?</h2></div></div><div></div></div><p>
To most people browsing means that they can see the MS Windows and Samba servers
in the Network Neighborhood, and when the computer icon for a particular server is
clicked, it opens up and shows the shares and printers available on the target server.
</p><p>
What seems so simple is in fact a very complex interaction of different technologies.
The technologies (or methods) employed in making all of this work includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>MS Windows machines register their presence to the network</td></tr><tr><td>Machines announce themselves to other machines on the network</td></tr><tr><td>One or more machine on the network collates the local announcements</td></tr><tr><td>The client machine finds the machine that has the collated list of machines</td></tr><tr><td>The client machine is able to resolve the machine names to IP addresses</td></tr><tr><td>The client machine is able to connect to a target machine</td></tr></table><p>
The Samba application that controls browse list management and name resolution is
called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
</p><pre class="programlisting">
Browsing options:
-----------------
* os level
lm announce
lm interval
* preferred master
* local master
* domain master
browse list
enhanced browsing
Name Resolution Method:
-----------------------
* name resolve order
WINS options:
-------------
dns proxy
wins proxy
* wins server
* wins support
wins hook
</pre><p>
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
parameters is set <tt class="filename">nmbd</tt> will still do it's job.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903747"></a>Discussion</h2></div></div><div></div></div><p>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903764"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</p><p>
Normally, only unicast UDP messaging can be forwarded by routers. The
<b class="command">remote announce</b> parameter to smb.conf helps to project browse announcements
to remote network segments via unicast UDP. Similarly, the
<b class="command">remote browse sync</b> parameter of <tt class="filename">smb.conf</tt>
implements browse list collation using unicast UDP.
</p><p>
Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
get cross segment browsing to work is by using the
<b class="command">remote announce</b> and the <b class="command">remote browse sync</b>
parameters to your <tt class="filename">smb.conf</tt> file.
</p><p>
If only one WINS server is used for an entire multi-segment network then
the use of the <b class="command">remote announce</b> and the
<b class="command">remote browse sync</b> parameters should NOT be necessary.
</p><p>
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
of one of the Samba-3 release series.
</p><p>
Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
<b class="command">remote browse sync</b> and <b class="command">remote announce</b>
to affect browse list collation across all segments. Note that this means clients
will only resolve local names, and must be configured to use DNS to resolve names
on other subnets in order to resolve the IP addresses of the servers they can see
on other subnets. This setup is not recommended, but is mentioned as a practical
consideration (ie: an 'if all else fails' scenario).
</p><p>
Lastly, take note that browse lists are a collection of unreliable broadcast
messages that are repeated at intervals of not more than 15 minutes. This means
that it will take time to establish a browse list and it can take up to 45
minutes to stabilise, particularly across network segments.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903926"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
All TCP/IP using systems use various forms of host name resolution. The primary
methods for TCP/IP hostname resolutions involves either a static file (<tt class="filename">/etc/hosts
</tt>) or DNS (the Domain Name System). DNS is the technology that makes
the Internet usable. DNS based host name resolution is supported by nearly all TCP/IP
enabled systems. Only a few embedded TCP/IP systems do not support DNS.
</p><p>
When an MS Windows 200x / XP system attempts to resolve a host name to an IP address
it follows a defined path:
</p><div class="orderedlist"><ol type="1"><li><p>
Checks the <tt class="filename">hosts</tt> file. It is located in
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
</p></li><li><p>
Does a DNS lookup
</p></li><li><p>
Checks the NetBIOS name cache
</p></li><li><p>
Queries the WINS server
</p></li><li><p>
Does a broadcast name lookup over UDP
</p></li><li><p>
Looks up entries in LMHOSTS. It is located in
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
</p></li></ol></div><p>
Windows 200x / XP can register it's host name with a Dynamic DNS server. You can
force register with a Dynamic DNS server in Windows 200x / XP using:
<b class="command">ipconfig /registerdns</b>
</p><p>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other,
consequently network services will be severely impaired.
</p><p>
The use of Dynamic DNS is highly recommended with Active Directory, in which case
the use of BIND9 is preferred for it's ability to adequately support the SRV (service)
records that are needed for Active Directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904058"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic
DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
to use BIND version 8 or 9, but it will almost certainly be necessary to create service records
so that MS Active Directory clients can resolve host names to locate essential network services.
The following are some of the default service records that Active Directory requires:
</p><div class="itemizedlist"><ul type="disc"><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
This provides the address of the Windows NT PDC for the Domain.
</p></li><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Resolves the addresses of Global Catalog servers in the domain.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
Provides list of domain controllers based on sites.
</p></li><li><p>_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
Enumerates list of domain controllers that have the writable
copies of the Active Directory data store.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Entry used by MS Windows clients to locate machines using the
Global Unique Identifier.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Used by MS Windows clients to locate site configuration dependent
Global Catalog server.
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904194"></a>How Browsing Functions</h2></div></div><div></div></div><p>
MS Windows machines register their NetBIOS names
(ie: the machine name for each service type in operation) on start
up. The exact method by which this name registration
takes place is determined by whether or not the MS Windows client/server
has been given a WINS server address, whether or not LMHOSTS lookup
is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
</p><p>
In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<b class="command">remote announce</b> parameter).
</p><p>
Where a WINS server is used, the MS Windows client will use UDP
unicast to register with the WINS server. Such packets can be routed
and thus WINS allows name resolution to function across routed networks.
</p><p>
During the startup process an election will take place to create a
local master browser if one does not already exist. On each NetBIOS network
one machine will be elected to function as the domain master browser. This
domain browsing has nothing to do with MS security domain control.
Instead, the domain master browser serves the role of contacting each local
master browser (found by asking WINS or from LMHOSTS) and exchanging browse
list contents. This way every master browser will eventually obtain a complete
list of all machines that are on the network. Every 11-15 minutes an election
is held to determine which machine will be the master browser. By the nature of
the election criteria used, the machine with the highest uptime, or the
most senior protocol version, or other criteria, will win the election
as domain master browser.
</p><p>
Clients wishing to browse the network make use of this list, but also depend
on the availability of correct name resolution to the respective IP
address/addresses.
</p><p>
Any configuration that breaks name resolution and/or browsing intrinsics
will annoy users because they will have to put up with protracted
inability to use the network services.
</p><p>
Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <b class="command">remote
browse sync</b> parameter in the <tt class="filename">smb.conf</tt> file.
This causes Samba to contact the local master browser on a remote network and
to request browse list synchronisation. This effectively bridges
two networks that are separated by routers. The two remote
networks may use either broadcast based name resolution or WINS
based name resolution, but it should be noted that the <b class="command">remote
browse sync</b> parameter provides browse list synchronisation - and
that is distinct from name to address resolution, in other
words, for cross subnet browsing to function correctly it is
essential that a name to address resolution mechanism be provided.
This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>,
and so on.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904320"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
To set up cross subnet browsing on a network containing machines
in up to be in a WORKGROUP, not an NT Domain you need to set up one
Samba server to be the Domain Master Browser (note that this is *NOT*
the same as a Primary Domain Controller, although in an NT Domain the
same machine plays both roles). The role of a Domain master browser is
to collate the browse lists from local master browsers on all the
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
subnet. It is the presence of a domain master browser that makes
cross subnet browsing possible for a workgroup.
</p><p>
In an WORKGROUP environment the domain master browser must be a
Samba server, and there must only be one domain master browser per
workgroup name. To set up a Samba server as a domain master browser,
set the following option in the <i class="parameter"><tt>[global]</tt></i> section
of the <tt class="filename">smb.conf</tt> file :
</p><p>
</p><pre class="programlisting">
domain master = yes
</pre><p>
</p><p>
The domain master browser should also preferrably be the local master
browser for its own subnet. In order to achieve this set the following
options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file :
</p><p>
</p><pre class="programlisting">
domain master = yes
local master = yes
preferred master = yes
os level = 65
</pre><p>
</p><p>
The domain master browser may be the same machine as the WINS
server, if you require.
</p><p>
Next, you should ensure that each of the subnets contains a
machine that can act as a local master browser for the
workgroup. Any MS Windows NT/2K/XP/2003 machine should be
able to do this, as will Windows 9x machines (although these
tend to get rebooted more often, so it's not such a good idea
to use these). To make a Samba server a local master browser
set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
<tt class="filename">smb.conf</tt> file :
</p><p>
</p><pre class="programlisting">
domain master = no
local master = yes
preferred master = yes
os level = 65
</pre><p>
</p><p>
Do not do this for more than one Samba server on each subnet,
or they will war with each other over which is to be the local
master browser.
</p><p>
The <i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a
local master browser. The <i class="parameter"><tt>preferred master</tt></i> causes nmbd
to force a browser election on startup and the <i class="parameter"><tt>os level</tt></i>
parameter sets Samba high enough so that it should win any browser elections.
</p><p>
If you have an NT machine on the subnet that you wish to
be the local master browser then you can disable Samba from
becoming a local master browser by setting the following
options in the <i class="parameter"><tt>[global]</tt></i> section of the
<tt class="filename">smb.conf</tt> file :
</p><p>
</p><pre class="programlisting">
domain master = no
local master = no
preferred master = no
os level = 0
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904541"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a domain
is also the Domain master browser for that domain, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i>&lt;1B&gt;)
with WINS instead of the PDC.
</p><p>
For subnets other than the one containing the Windows NT PDC
you may set up Samba servers as local master browsers as
described. To make a Samba server a local master browser set
the following options in the <b class="command">[global]</b> section
of the <tt class="filename">smb.conf</tt> file :
</p><p>
</p><pre class="programlisting">
domain master = no
local master = yes
preferred master = yes
os level = 65
</pre><p>
</p><p>
If you wish to have a Samba server fight the election with machines
on the same subnet you may set the <i class="parameter"><tt>os level</tt></i> parameter
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to be the master">
Forcing Samba to be the master browser</a>
below.
</p><p>
If you have Windows NT machines that are members of the domain
on all subnets, and you are sure they will always be running then
you can disable Samba from taking part in browser elections and
ever becoming a local master browser by setting following options
in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
file :
</p><p>
</p><pre class="programlisting">
domain master = no
local master = no
preferred master = no
os level = 0
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p>
Who becomes the <i class="parameter"><tt>master browser</tt></i> is determined by an election
process using broadcasts. Each election packet contains a number of parameters
which determine what precedence (bias) a host should have in the
election. By default Samba uses a very low precedence and thus loses
elections to just about anyone else.
</p><p>
If you want Samba to win elections then just set the <i class="parameter"><tt>os level</tt></i> global
option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to 0. Using 34
would make it win all elections over every other system (except other
samba systems!)
</p><p>
A <i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows
NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
</p><p>The maximum os level is 255</p><p>
If you want Samba to force an election on startup, then set the
<i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are Windows 95 or NT or
Samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to
<tt class="constant">yes</tt>, then periodically and continually they will force an election
in order to become the local master browser.
</p><p>
If you want Samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is
recommended that you also set <i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
Samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
</p><p>
It is possible to configure two Samba servers to attempt to become
the domain master browser for a domain. The first server that comes
up will be the domain master browser. All other Samba servers will
attempt to become the domain master browser every 5 minutes. They
will find that another Samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904811"></a>Making Samba the domain master</h3></div></div><div></div></div><p>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
make Samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i>
in <tt class="filename">smb.conf</tt>. By default it will not be a domain master.
</p><p>
Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a
workgroup that has the same name as an NT Domain.
</p><p>
When Samba is the domain master and the master browser, it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.
</p><p>
If you want Samba to be the domain master then I suggest you also set
the <i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set
<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on
startup.
</p><p>
Note that all your servers (including Samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:
</p><div class="orderedlist"><ol type="1"><li><p>
your local master browsers will be unable to find a domain master
browser, as it will only be looking on the local subnet.
</p></li><li><p>
if a client happens to get hold of a domain-wide browse list, and
a user attempts to access a host in that list, it will be unable to
resolve the NetBIOS name of that host.
</p></li></ol></div><p>
If, however, both Samba and your clients are using a WINS server, then:
</p><div class="orderedlist"><ol type="1"><li><p>
your local master browsers will contact the WINS server and, as long as
Samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive Samba's IP address
as its domain master browser.
</p></li><li><p>
when a client receives a domain-wide browse list, and a user attempts
to access a host in that list, it will contact the WINS server to
resolve the NetBIOS name of that host. as long as that host has
registered its NetBIOS name with the same WINS server, the user will
be able to see that host.
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904967"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
If your network uses a &quot;0&quot; based broadcast address (for example if it
ends in a 0) then you will strike problems. Windows for Workgroups
does not seem to support a 0's broadcast and you will probably find
that browsing and name lookups won't work.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904984"></a>Multiple interfaces</h3></div></div><div></div></div><p>
Samba now supports machines with multiple network interfaces. If you
have multiple interfaces then you will need to use the <b class="command">interfaces</b>
option in <tt class="filename">smb.conf</tt> to configure them.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905013"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>remote announce</tt></i> parameter of
<tt class="filename">smb.conf</tt> can be used to forcibly ensure
that all the NetBIOS names on a network get announced to a remote network.
The syntax of the <i class="parameter"><tt>remote announce</tt></i> parameter is:
</p><pre class="programlisting">
remote announce = a.b.c.d [e.f.g.h] ...
</pre><p>
<span class="emphasis"><em>or</em></span>
</p><pre class="programlisting">
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
</pre><p>
where:
</p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
<i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>is either the LMB (Local Master Browser) IP address
or the broadcast address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
address of the remote network, every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup
or that of the remote network. If you use the
workgroup name of the remote network then our
NetBIOS machine names will end up looking like
they belong to that workgroup, this may cause
name resolution problems and should be avoided.
</p></dd></dl></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905122"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>remote browse sync</tt></i> parameter of
<tt class="filename">smb.conf</tt> is used to announce to
another LMB that it must synchronise its NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
simultaneously the LMB on its network segment.
</p><p>
The syntax of the <i class="parameter"><tt>remote browse sync</tt></i> parameter is:
</p><pre class="programlisting">
remote browse sync = <i class="replaceable"><tt>a.b.c.d</tt></i>
</pre><p>
where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
remote LMB or else is the network broadcast address of the remote segment.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905183"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers its name together with a
name_type value for each of several types of service it has available.
eg: It registers its name directly as a unique (the type 0x03) name.
It also registers its name if it is running the LanManager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.
</p><p>
All NetBIOS names are up to 15 characters in length. The name_type variable
is added to the end of the name - thus creating a 16 character name. Any
name that is shorter than 15 characters is padded with spaces to the 15th
character. ie: All NetBIOS names are 16 characters long (including the
name_type information).
</p><p>
WINS can store these 16 character names as they get registered. A client
that wants to log onto the network can ask the WINS server for a list
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured
<tt class="filename">lmhosts</tt> files that must reside on all clients in the
absence of WINS.
</p><p>
WINS also serves the purpose of forcing browse list synchronisation by all
LMB's. LMB's must synchronise their browse list with the DMB (domain master
browser) and WINS helps the LMB to identify it's DMB. By definition this
will work only within a single workgroup. Note that the domain master browser
has NOTHING to do with what is referred to as an MS Windows NT Domain. The
later is a reference to a security environment while the DMB refers to the
master controller for browse list information only.
</p><p>
Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
has been configured to use the WINS server/s. Any client that has not been
configured to use the WINS server will continue to use only broadcast based
name registration so that WINS may NEVER get to know about it. In any case,
machines that have not registered with a WINS server will fail name to address
lookup attempts by other clients and will therefore cause workstation access
errors.
</p><p>
To configure Samba as a WINS server just add
<i class="parameter"><tt>wins support = yes</tt></i> to the <tt class="filename">smb.conf</tt>
file [globals] section.
</p><p>
To configure Samba to register with a WINS server just add
<i class="parameter"><tt>wins server = a.b.c.d</tt></i> to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[globals]</tt></i> section.
</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
Never use both <i class="parameter"><tt>wins support = yes</tt></i> together
with <i class="parameter"><tt>wins server = a.b.c.d</tt></i>
particularly not using it's own IP address.
Specifying both will cause <span class="application">nmbd</span> to refuse to start!
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905341"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
Either a Samba machine or a Windows NT Server machine may be set up
as a WINS server. To set a Samba machine to be a WINS server you must
add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine :
in the <i class="parameter"><tt>[globals]</tt></i> section add the line
</p><p>
</p><pre class="programlisting">
wins support = yes
</pre><p>
</p><p>
Versions of Samba prior to 1.9.17 had this parameter default to
yes. If you have any older versions of Samba on your network it is
strongly suggested you upgrade to a recent version, or at the very
least set the parameter to 'no' on all these machines.
</p><p>
Machines with <i class="parameter"><tt>wins support = yes</tt></i> will keep a list of
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
</p><p>
You should set up only ONE WINS server. Do NOT set the
<i class="parameter"><tt>wins support = yes</tt></i> option on more than one Samba
server.
</p><p>
To set up a Windows NT Server as a WINS server you need to set up
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
refuses to document these replication protocols, Samba cannot currently
participate in these replications. It is possible in the future that
a Samba-&gt;Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
but currently only one Samba server should have the
<i class="parameter"><tt>wins support = yes</tt></i> parameter set.
</p><p>
After the WINS server has been configured you must ensure that all
machines participating on the network are configured with the address
of this WINS server. If your WINS server is a Samba machine, fill in
the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of
the <span class="guilabel">Control Panel-&gt;Network-&gt;Protocols-&gt;TCP-&gt;WINS Server</span> dialogs
in Windows 95 or Windows NT. To tell a Samba server the IP address
of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
all <tt class="filename">smb.conf</tt> files :
</p><p>
</p><pre class="programlisting">
wins server = &lt;name or IP address&gt;
</pre><p>
</p><p>
where &lt;name or IP address&gt; is either the DNS name of the WINS server
machine or its IP address.
</p><p>
Note that this line MUST NOT BE SET in the <tt class="filename">smb.conf</tt> file of the Samba
server acting as the WINS server itself. If you set both the
<i class="parameter"><tt>wins support = yes</tt></i> option and the
<i class="parameter"><tt>wins server = &lt;name&gt;</tt></i> option then
nmbd will fail to start.
</p><p>
There are two possible scenarios for setting up cross subnet browsing.
The first details setting up cross subnet browsing on a network containing
Windows 95, Samba and Windows NT machines that are not configured as
part of a Windows NT Domain. The second details setting up cross subnet
browsing on networks that contain NT Domains.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905540"></a>WINS Replication</h3></div></div><div></div></div><p>
Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
This tool is not currently capable of being used as it is still in active development.
As soon as this tool becomes moderately functional we will prepare man pages and enhance this
section of the documentation to provide usage and technical details.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905565"></a>Static WINS Entries</h3></div></div><div></div></div><p>
Adding static entries to your Samba-3 WINS server is actually fairly easy.
All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
located in <tt class="filename">/usr/local/samba/var/locks</tt>.
</p><p>
Entries in <tt class="filename">wins.dat</tt> take the form of
</p><pre class="programlisting">
&quot;NAME#TYPE&quot; TTL ADDRESS+ FLAGS
</pre><p>
where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
time-to-live as an absolute time in seconds, ADDRESS+ is one or more
addresses corresponding to the registration and FLAGS are the NetBIOS
flags for the registration.
</p><p>
A typical dynamic entry looks like:
</p><pre class="programlisting">
&quot;MADMAN#03&quot; 1055298378 192.168.1.2 66R
</pre><p>
To make it static, all that has to be done is set the TTL to 0:
</p><pre class="programlisting">
&quot;MADMAN#03&quot; 0 192.168.1.2 66R
</pre><p>
</p><p>
Though this method works with early Samba-3 versions, there's a
possibility that it may change in future versions if WINS replication
is added.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905650"></a>Helpful Hints</h2></div></div><div></div></div><p>
The following hints should be carefully considered as they are stumbling points
for many new network administrators.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905663"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Do NOT use more than one (1) protocol on MS Windows machines
</p></div><p>
A very common cause of browsing problems results from installing more than
one protocol on an MS Windows machine.
</p><p>
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precedence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.
</p><p>
The election process is &quot;fought out&quot; so to speak over every NetBIOS network
interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
installed and has NetBIOS enabled over both protocols the election will be
decided over both protocols. As often happens, if the Windows 9x machine is
the only one with both protocols then the LMB may be won on the NetBIOS
interface over the IPX protocol. Samba will then lose the LMB role as Windows
9x will insist it knows who the LMB is. Samba will then cease to function
as an LMB and thus browse list operation on all TCP/IP only machines will
fail.
</p><p><span class="emphasis"><em>
Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
referred to as the WinNT family, but it should be recognised that 2000 and
XP/2003 introduce new protocol extensions that cause them to behave
differently from MS Windows NT4. Generally, where a server does NOT support
the newer or extended protocol, these will fall back to the NT4 protocols.
</em></span></p><p>
The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905730"></a>Name Resolution Order</h3></div></div><div></div></div><p>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
are:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p>
Alternative means of name resolution includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><p>
Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is
of great help here. The syntax of the <i class="parameter"><tt>name resolve order</tt></i>
parameter is:
</p><pre class="programlisting">
name resolve order = wins lmhosts bcast host
</pre><p>
<span class="emphasis"><em>or</em></span>
</p><pre class="programlisting">
name resolve order = wins lmhosts (eliminates bcast and host)
</pre><p>
The default is:
</p><pre class="programlisting">
name resolve order = host lmhost wins bcast
</pre><p>
where &quot;host&quot; refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905867"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
SMB networking provides a mechanism by which clients can access a list
of machines in a network, a so-called <i class="parameter"><tt>browse list</tt></i>. This list
contains machines that are ready to offer file and/or print services
to other machines within the network. Thus it does not include
machines which aren't currently able to do server tasks. The browse
list is heavily used by all SMB clients. Configuration of SMB
browsing has been problematic for some Samba users, hence this
document.
</p><p>
MS Windows 2000 and later, as with Samba 3 and later, can be
configured to not use NetBIOS over TCP/IP. When configured this way,
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
configured and operative. Browsing will NOT work if name resolution
from SMB machine names to IP addresses does not function correctly.
</p><p>
Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
WINS allows remote segment clients to obtain NetBIOS name_type information
that can NOT be provided by any other means of name resolution.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905914"></a>Browsing support in Samba</h3></div></div><div></div></div><p>
Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
Samba can act as a local browse master for a workgroup and the ability
to support domain logons and scripts is now available.
</p><p>
Samba can also act as a domain master browser for a workgroup. This
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
both Samba and your clients use a WINS server.
</p><p>
Note that you should NOT set Samba to be the domain master for a
workgroup that has the same name as an NT Domain: on each wide area
network, you must only ever have one domain master browser per workgroup,
regardless of whether it is NT, Samba or any other type of domain master
that is providing this service.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Nmbd can be configured as a WINS server, but it is not
necessary to specifically use Samba as your WINS server. MS Windows
NT4, Server or Advanced Server 2000 or 2003 can be configured as
your WINS server. In a mixed NT/2000/2003 server and Samba environment on
a Wide Area Network, it is recommended that you use the Microsoft
WINS server capabilities. In a Samba-only environment, it is
recommended that you use one and only one Samba server as your WINS server.
</p></div><p>
To get browsing to work you need to run nmbd as usual, but will need
to use the <i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt>
to control what workgroup Samba becomes a part of.
</p><p>
Samba also has a useful option for a Samba server to offer itself for
browsing on another subnet. It is recommended that this option is only
used for 'unusual' purposes: announcements over the internet, for
example. See <i class="parameter"><tt>remote announce</tt></i> in the
<tt class="filename">smb.conf</tt> man page.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906021"></a>Problem resolution</h3></div></div><div></div></div><p>
If something doesn't work then hopefully the log.nmbd file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called <tt class="filename">browse.dat</tt>.
</p><p>
Note that if it doesn't work for you, then you should still be able to
type the server name as <tt class="filename">\\SERVER</tt> in filemanager then
hit enter and filemanager should display the list of available shares.
</p><p>
Some people find browsing fails because they don't have the global
<i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the
IPC$ connection that lists the shares is done as guest, and thus you must
have a valid guest account.
</p><p><span class="emphasis"><em>
MS Windows 2000 and upwards (as with Samba) can be configured to disallow
anonymous (ie: Guest account) access to the IPC$ share. In that case, the
MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
name of the currently logged in user to query the IPC$ share. MS Windows
9X clients are not able to do this and thus will NOT be able to browse
server resources.
</em></span></p><p>
The other big problem people have is that their broadcast address,
netmask or IP address is wrong (specified with the &quot;interfaces&quot; option
in <tt class="filename">smb.conf</tt>)
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906100"></a>Browsing across subnets</h3></div></div><div></div></div><p>
Since the release of Samba 1.9.17(alpha1), Samba has supported the
replication of browse lists across subnet boundaries. This section
describes how to set this feature up in different settings.
</p><p>
To see browse lists that span TCP/IP subnets (ie. networks separated
by routers that don't pass broadcast traffic), you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
port 137 to the WINS server machine. The reason for a WINS server is
that by default, all NetBIOS name to IP address translation is done
by broadcasts from the querying machine. This means that machines
on one subnet will not be able to resolve the names of machines on
another subnet without using a WINS server.
</p><p>
Remember, for browsing across subnets to work correctly, all machines,
be they Windows 95, Windows NT, or Samba servers must have the IP address
of a WINS server given to them by a DHCP server, or by manual configuration
(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
settings) for Samba this is in the <tt class="filename">smb.conf</tt> file.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906150"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
Cross subnet browsing is a complicated dance, containing multiple
moving parts. It has taken Microsoft several years to get the code
that achieves this correct, and Samba lags behind in some areas.
Samba is capable of cross subnet browsing when configured correctly.
</p><p>
Consider a network set up as follows :
</p><p>
</p><pre class="programlisting">
(DMB)
N1_A N1_B N1_C N1_D N1_E
| | | | |
-------------------------------------------------------
| subnet 1 |
+---+ +---+
|R1 | Router 1 Router 2 |R2 |
+---+ +---+
| |
| subnet 2 subnet 3 |
-------------------------- ------------------------------------
| | | | | | | |
N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
(WINS)
</pre><p>
</p><p>
Consisting of 3 subnets (1, 2, 3) connected by two routers
(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
for the moment that all these machines are configured to be in the
same workgroup (for simplicity's sake). Machine N1_C on subnet 1
is configured as Domain Master Browser (ie. it will collate the
browse lists for the workgroup). Machine N2_D is configured as
WINS server and all the other machines are configured to register
their NetBIOS names with it.
</p><p>
As all these machines are booted up, elections for master browsers
will take place on each of the three subnets. Assume that machine
N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
subnet 3 - these machines are known as local master browsers for
their particular subnet. N1_C has an advantage in winning as the
local master browser on subnet 1 as it is set up as Domain Master
Browser.
</p><p>
On each of the three networks, machines that are configured to
offer sharing services will broadcast that they are offering
these services. The local master browser on each subnet will
receive these broadcasts and keep a record of the fact that
the machine is offering a service. This list of records is
the basis of the browse list. For this case, assume that
all the machines are configured to offer services so all machines
will be on the browse list.
</p><p>
For each network, the local master browser on that network is
considered 'authoritative' for all the names it receives via
local broadcast. This is because a machine seen by the local
master browser via a local broadcast must be on the same
network as the local master browser and thus is a 'trusted'
and 'verifiable' resource. Machines on other networks that
the local master browsers learn about when collating their
browse lists have not been directly seen - these records are
called 'non-authoritative'.
</p><p>
At this point the browse lists look as follows (these are
the machines you would see in your network neighborhood if
you looked in it on a particular network right now).
</p><p>
</p><div class="table"><a name="id2906267"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
</p><p>
Note that at this point all the subnets are separate, no
machine is seen across any of the subnets.
</p><p>
Now examine subnet 2. As soon as N2_B has become the local
master browser it looks for a Domain master browser to synchronize
its browse list with. It does this by querying the WINS server
(N2_D) for the IP address associated with the NetBIOS name
WORKGROUP&lt;1B&gt;. This name was registered by the Domain master
browser (N1_C) with the WINS server as soon as it was booted.
</p><p>
Once N2_B knows the address of the Domain master browser it
tells it that is the local master browser for subnet 2 by
sending a MasterAnnouncement packet as a UDP port 138 packet.
It then synchronizes with it by doing a NetServerEnum2 call. This
tells the Domain Master Browser to send it all the server
names it knows about. Once the domain master browser receives
the MasterAnnouncement packet it schedules a synchronization
request to the sender of that packet. After both synchronizations
are done the browse lists look like :
</p><p>
</p><div class="table"><a name="id2906382"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
Servers with a (*) after them are non-authoritative names.
</p><p>
At this point users looking in their network neighborhood on
subnets 1 or 2 will see all the servers on both, users on
subnet 3 will still only see the servers on their own subnet.
</p><p>
The same sequence of events that occured for N2_B now occurs
for the local master browser on subnet 3 (N3_D). When it
synchronizes browse lists with the domain master browser (N1_A)
it gets both the server entries on subnet 1, and those on
subnet 2. After N3_D has synchronized with N1_C and vica-versa
the browse lists look like.
</p><p>
</p><div class="table"><a name="id2906481"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
Servers with a (*) after them are non-authoritative names.
</p><p>
At this point users looking in their network neighborhood on
subnets 1 or 3 will see all the servers on all subnets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
</p><p>
Finally, the local master browser for subnet 2 (N2_B) will sync again
with the domain master browser (N1_C) and will receive the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :
</p><p>
</p><div class="table"><a name="id2906581"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
Servers with a (*) after them are non-authoritative names.
</p><p>
Synchronizations between the domain master browser and local
master browsers will continue to occur, but this should be a
steady state situation.
</p><p>
If either router R1 or R2 fails the following will occur:
</p><div class="orderedlist"><ol type="1"><li><p>
Names of computers on each side of the inaccessible network fragments
will be maintained for as long as 36 minutes, in the network neighbourhood
lists.
</p></li><li><p>
Attempts to connect to these inaccessible computers will fail, but the
names will not be removed from the network neighbourhood lists.
</p></li><li><p>
If one of the fragments is cut off from the WINS server, it will only
be able to access servers on its local subnet, by using subnet-isolated
broadcast NetBIOS name resolution. The effects are similar to that of
losing access to a DNS server.
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906720"></a>Common Errors</h2></div></div><div></div></div><p>
Many questions are asked on the mailing lists regarding browsing. The majority of browsing
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
particular note.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906735"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p>
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
in the browse list. When nmbd is taken out of service another machine on the network will
become the browse master. This new list may still have the rogue entry in it. If you really
want to clear a rogue machine from the list then every machine on the network will need to be
shut down and restarted at after all machines are down. Failing a complete restart, the only
other thing you can do is wait until the entry times out and is then flushed from the list.
This may take a long time on some networks (months).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906764"></a>My client reports &quot;This server is not configured to list shared resources&quot;</h3></div></div><div></div></div><p>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
</p><p>See also <i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html>

View File

@ -0,0 +1,186 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015663"></a>Macintosh clients?</h2></div></div><div></div></div><p>
Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
</p><p>
They test it against Windows 95, Windows NT and samba for
compatibility issues. At the time of writing, DAVE was at version
1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
the Thursby web site (the speed of finder copies has been greatly
enhanced, and there are bug-fixes included).
</p><p>
Alternatives - There are two free implementations of AppleTalk for
several kinds of UNIX machines, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
the Macintosh. The two free implementations are
<a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and
<a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>.
What Samba offers MS
Windows users, these packages offer to Macs. For more info on these
packages, Samba, and Linux (and other UNIX-based systems) see
<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017016"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017023"></a>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</h3></div></div><div></div></div><p>A more complete answer to this question can be
found on <a href="http://carol.wins.uva.nl/~leeuw/samba/warp.html" target="_top">
http://carol.wins.uva.nl/~leeuw/samba/warp.html</a>.</p><p>Basically, you need three components:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The File and Print Client ('IBM Peer')</td></tr><tr><td>TCP/IP ('Internet support') </td></tr><tr><td>The &quot;NetBIOS over TCP/IP&quot; driver ('TCPBEUI')</td></tr></table><p>Installing the first two together with the base operating
system on a blank system is explained in the Warp manual. If Warp
has already been installed, but you now want to install the
networking support, use the &quot;Selective Install for Networking&quot;
object in the &quot;System Setup&quot; folder.</p><p>Adding the &quot;NetBIOS over TCP/IP&quot; driver is not described
in the manual and just barely in the online documentation. Start
MPTS.EXE, click on OK, click on &quot;Configure LAPS&quot; and click
on &quot;IBM OS/2 NETBIOS OVER TCP/IP&quot; in 'Protocols'. This line
is then moved to 'Current Configuration'. Select that line,
click on &quot;Change number&quot; and increase it from 0 to 1. Save this
configuration.</p><p>If the Samba server(s) is not on your local subnet, you
can optionally add IP names and addresses of these servers
to the &quot;Names List&quot;, or specify a WINS server ('NetBIOS
Nameserver' in IBM and RFC terminology). For Warp Connect you
may need to download an update for 'IBM Peer' to bring it on
the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017102"></a>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client
for OS/2 from
<a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>.
See <a href="http://carol.wins.uva.nl/~leeuw/lanman.html" target="_top">
http://carol.wins.uva.nl/~leeuw/lanman.html</a> for
more information on how to install and use this client. In
a nutshell, edit the file \OS2VER in the root directory of
the OS/2 boot partition and add the lines:</p><pre class="programlisting">
20=setup.exe
20=netwksta.sys
20=netvdd.sys
</pre><p>before you install the client. Also, don't use the
included NE2000 driver because it is buggy. Try the NE2000
or NS2000 driver from
<a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017164"></a>How do I get printer driver download working
for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
world-readable. Copy your OS/2 driver files there. Note
that the .EA_ files must still be separate, so you will need
to use the original install files, and not copy an installed
driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then,
add to your <tt class="filename">smb.conf</tt> a parameter, <i class="parameter"><tt>os2 driver map =
<i class="replaceable"><tt>filename</tt></i></tt></i>. Then, in the file
specified by <i class="replaceable"><tt>filename</tt></i>, map the
name of the NT driver name to the OS/2 driver name as
follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.:</p><p><i class="parameter"><tt>
HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
device name, the first attempt to download the driver will
actually download the files, but the OS/2 client will tell
you the driver is not available. On the second attempt, it
will work. This is fixed simply by adding the device name
to the mapping, after which it will work on the first attempt.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017260"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017268"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
for Workgroups.
</p><p>The early TCP/IP stacks had lots of bugs.</p><p>
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
VxD drivers. The latest release can be found on their ftp site at
ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>.
There is an update.txt file there that describes the problems that were
fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
<tt class="filename">TELNET.EXE</tt>,
<tt class="filename">WSOCK.386</tt>,
<tt class="filename">VNBT.386</tt>,
<tt class="filename">WSTCP.386</tt>,
<tt class="filename">TRACERT.EXE</tt>,
<tt class="filename">NETSTAT.EXE</tt>, and
<tt class="filename">NBTSTAT.EXE</tt>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017357"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
WfWg does a lousy job with passwords. I find that if I change my
password on either the unix box or the PC the safest thing to do is to
delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
</p><p>
If you don't do this you may find that WfWg remembers and uses the old
password, even if you told it a new one.
</p><p>
Often WfWg will totally ignore a password you give it in a dialog box.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017388"></a>Configure WfW password handling</h3></div></div><div></div></div><p>
There is a program call admincfg.exe
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
Then add an icon
for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
This program allows you to control how WFW handles passwords. ie disable Password Caching etc
for use with <i class="parameter"><tt>security = user</tt></i>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017433"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017464"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
that you have to use TCP/IP as the default protocol under
WfWg. For some reason if you leave NetBEUI as the default
it may break the print queue reporting on some systems.
It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017481"></a>Speed improvement</h3></div></div><div></div></div><p>
Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
<tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a
big improvement. I don't know why.
</p><p>
My own experience with DefaultRcvWindow is that I get much better
performance with a large value (16384 or larger). Other people have
reported that anything over 3072 slows things down enormously. One
person even reported a speed drop of a factor of 30 when he went from
3072 to 8192. I don't know why.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017528"></a>Windows '95/'98</h2></div></div><div></div></div><p>
When using Windows 95 OEM SR2 the following updates are recommended where Samba
is being used. Please NOTE that the above change will affect you once these
updates have been installed.
</p><p>
There are more updates than the ones mentioned here. You are referred to the
Microsoft Web site for all currently available updates to your specific version
of Windows 95.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
Also, if using <span class="application">MS Outlook</span> it is desirable to
install the <b class="command">OLEUPD.EXE</b> fix. This
fix may stop your machine from hanging for an extended period when exiting
Outlook and you may also notice a significant speedup when accessing network
neighborhood services.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017601"></a>Speed improvement</h3></div></div><div></div></div><p>
Configure the win95 TCPIP registry settings to give better
performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the
net. There are various other utilities of this type freely available.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017625"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
There are several annoyances with Windows 2000 SP2. One of which
only appears when using a Samba server to host user profiles
to Windows 2000 SP2 clients in a Windows domain. This assumes
that Samba is a member of the domain, but the problem will
likely occur if it is not.
</p><p>
In order to serve profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have
<i class="parameter"><tt>nt acl support = no</tt></i>
added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc...). See the
<a href="smb.conf.5.html" target="_top">smb.conf(5)</a> man page
for more details on this option. Also note that the
<i class="parameter"><tt>nt acl support</tt></i> parameter was formally a global parameter in
releases prior to Samba 2.2.2.
</p><p>
The following is a minimal profile share:
</p><pre class="programlisting">
[profile]
path = /export/profile
create mask = 0600
directory mask = 0700
nt acl support = no
read only = no
</pre><p>
The reason for this bug is that the Win2k SP2 client copies
the security descriptor for the profile which contains
the Samba server's SID, and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different that the one assigned to DOMAIN\user. Hence the reason
for the <span class="errorname">access denied</span> message.
</p><p>
By disabling the <i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes
</p><p><span class="emphasis"><em>DOMAIN\user &quot;Full Control&quot;</em></span>&gt;</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017736"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q103765" target="_top">this Microsoft Knowledge Base article</a>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html>

View File

@ -0,0 +1,260 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2984380">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2984435">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986217">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2986312">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2986445">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986697">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986798">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2986819">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2986839">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986883">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2987030">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2987044">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
This chapter summarises the current state of knowledge derived from personal
practice and knowledge from samba mailing list subscribers. Before reproduction
of posted information effort has been made to validate the information provided.
Where additional information was uncovered through this validation it is provided
also.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984380"></a>Features and Benefits</h2></div></div><div></div></div><p>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of &quot;booboos&quot;
(or mistakes) administrators made and then requested help to resolve.
</p><p>
By the time that MS Windows 2000 and Active Directory was released, administrators
got the message: Group Policies are a good thing! They can help reduce administrative
costs and actually can help to create happier users. But adoption of the true
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
and machines were picked up on rather slowly. This was very obvious from the samba
mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
how to replicate them in a Samba environment.
</p><p>
Judging by the traffic volume since mid 2002, GPOs have become a standard part of
the deployment in many sites. This chapter reviews techniques and methods that can
be used to exploit opportunities for automation of control over user desktops and
network client workstations.
</p><p>
A tool new to Samba-3 may become an important part of the future Samba Administrators'
arsenal. The <b class="command">editreg</b> tool is described in this document.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984435"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
Under MS Windows platforms, particularly those following the release of MS Windows
NT4 and MS Windows 95) it is possible to create a type of file that would be placed
in the NETLOGON share of a domain controller. As the client logs onto the network
this file is read and the contents initiate changes to the registry of the client
machine. This file allows changes to be made to those parts of the registry that
affect users, groups of users, or machines.
</p><p>
For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may
be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
comments from MS Windows network administrators it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</p><p>
MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span>
under the <tt class="filename">Start -&gt; Programs -&gt; Administrative Tools</tt> menu item.
For MS Windows NT4 and later clients this file must be called <tt class="filename">NTConfig.POL</tt>.
</p><p>
New with the introduction of MS Windows 2000 was the Microsoft Management Console
or MMC. This tool is the new wave in the ever changing landscape of Microsoft
methods for management of network access and security. Every new Microsoft product
or technology seems to obsolete the old rules and to introduce newer and more
complex tools and methods. To Microsoft's credit though, the MMC does appear to
be a step forward, but improved functionality comes at a great price.
</p><p>
Before embarking on the configuration of network and system policies it is highly
advisable to read the documentation available from Microsoft's web site regarding
<a href="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" target="_top">
Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</a> available from Microsoft.
There are a large number of documents in addition to this old one that should also
be read and understood. Try searching on the Microsoft web site for &quot;Group Policies&quot;.
</p><p>
What follows is a very brief discussion with some helpful notes. The information provided
here is incomplete - you are warned.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986217"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
It can be found on the Original full product Win98 installation CD under
<tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the
Add/Remove Programs facility and then click on the 'Have Disk' tab.
</p><p>
Use the Group Policy Editor to create a policy file that specifies the location of
user profiles and/or the <tt class="filename">My Documents</tt> etc. Then save these
settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the
root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Win98 is configured to log onto
the Samba Domain, it will automatically read this file and update the Win9x/Me registry
of the machine as it logs on.
</p><p>
Further details are covered in the Win98 Resource Kit documentation.
</p><p>
If you do not take the right steps, then every so often Win9x/Me will check the
integrity of the registry and will restore it's settings from the back-up
copy of the registry it stores on each Win9x/Me machine. Hence, you will
occasionally notice things changing back to the original settings.
</p><p>
Install the group policy handler for Win9x to pick up group policies. Look on the
Win98 CD in <tt class="filename">\tools\reskit\netadmin\poledit</tt>.
Install group policies on a Win9x client by double-clicking
<tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
if Win98 picks up group policies. Unfortunately this needs to be done on every
Win9x/Me machine that uses group policies.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986312"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server
but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4
Workstation but it is not suitable for creating <span class="emphasis"><em>Domain Policies</em></span>.
Further, although the Windows 95 Policy Editor can be installed on an NT4
Workstation/Server, it will not work with NT clients. However, the files from
the NT Server will run happily enough on an NT4 Workstation.
</p><p>
You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>.
It is convenient to put the two *.adm files in the <tt class="filename">c:\winnt\inf</tt>
directory which is where the binary will look for them unless told otherwise. Note also that that
directory is normally 'hidden'.
</p><p>
The Windows NT policy editor is also included with the Service Pack 3 (and
later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>,
i.e. that's <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The policy editor,
<b class="command">poledit.exe</b> and the associated template files (*.adm) should
be extracted as well. It is also possible to downloaded the policy template
files for Office97 and get a copy of the policy editor. Another possible
location is with the Zero Administration Kit available for download from Microsoft.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986421"></a>Registry Spoiling</h4></div></div><div></div></div><p>
With NT4 style registry based policy changes, a large number of settings are not
automatically reversed as the user logs off. Since the settings that were in the
NTConfig.POL file were applied to the client machine registry and that apply to the
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
as tattooing. It can have serious consequences down-stream and the administrator must
be extremely careful not to lock out the ability to manage the machine at a later date.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986445"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
Windows NT4 System policies allows setting of registry parameters specific to
users, groups and computers (client workstations) that are members of the NT4
style domain. Such policy file will work with MS Windows 2000 / XP clients also.
</p><p>
New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
a superset of capabilities compared with NT4 style policies. Obviously, the tool used
to create them is different, and the mechanism for implementing them is much changed.
</p><p>
The older NT4 style registry based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
users' desktop (including: the location of <tt class="filename">My Documents</tt> files (directory), as
well as intrinsics of where menu items will appear in the Start menu). An additional new
feature is the ability to make available particular software Windows applications to particular
users and/or groups.
</p><p>
Remember: NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
and selects the domain name to which the logon will attempt to take place. During the logon
process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
server, modifies the local registry values according to the settings in this file.
</p><p>
Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
Directory domain controllers. The part that is stored in the Active Directory itself is called the
group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
known as the group policy template (GPT).
</p><p>
With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network the user specific part
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
exists with NT4 style policy files.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986546"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
<span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
Go to the Windows 200x / XP menu <span class="guimenu">Start-&gt;Programs-&gt;Administrative Tools</span>
and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
</p></li><li><p>
Select the domain or organizational unit (OU) that you wish to manage, then right click
to open the context menu for that object, select the properties item.
</p></li><li><p>
Now left click on the <span class="guilabel">Group Policy</span> tab, then left click on the New tab. Type a name
for the new policy you will create.
</p></li><li><p>
Now left click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
</p></li></ol></div><p>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The later introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files, for that
the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
use this powerful tool. Please refer to the resource kit manuals for specific usage information.
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986697"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
Policies can define a specific user's settings or the settings for a group of users. The resulting
policy file contains the registry settings for all users, groups, and computers that will be using
the policy file. Separate policy files for each user, group, or computer are not not necessary.
</p><p>
If you create a policy that will be automatically downloaded from validating domain controllers,
you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
policy file and, by modifying the Windows NT-based workstation, directing the computer to update
the policy from a manual path. You can do this by either manually changing the registry or by using
the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
but if a change is necessary to all machines, this change must be made individually to each workstation.
</p><p>
When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
applied to the user's part of the registry.
</p><p>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
</p><p>
In addition to user access controls that may be imposed or applied via system and/or group policies
in a manner that works in conjunction with user profiles, the user management environment under
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
Common restrictions that are frequently used includes:
</p><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986798"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
Describe in detail the benefits of <b class="command">editreg</b> and how to use it.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986819"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
&quot;snap-ins&quot;, the registry editor, and potentially also the NT4 System and Group Policy Editor.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986839"></a>Samba PDC</h3></div></div><div></div></div><p>
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
<b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
The administrator should read the
man pages for these tools and become familiar with their use.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986883"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
The following attempts to document the order of processing of system and user policies following a system
reboot and as part of the user logon:
</p><div class="orderedlist"><ol type="1"><li><p>
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
Convention Provider (MUP) start
</p></li><li><p>
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
and applied. The list may include GPOs that:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><p>
No desktop user interface is presented until the above have been processed.
</p></li><li><p>
Execution of start-up scripts (hidden and synchronous by default).
</p></li><li><p>
A keyboard action to affect start of logon (Ctrl-Alt-Del).
</p></li><li><p>
User credentials are validated, User profile is loaded (depends on policy settings).
</p></li><li><p>
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><p>
</p></li><li><p>
User Policies are applied from Active Directory. Note: There are several types.
</p></li><li><p>
Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
window.
</p></li><li><p>
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2987030"></a>Common Errors</h2></div></div><div></div></div><p>
Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
collection demonstrates only basic issues.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2987044"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
Question: We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
work any longer since we upgraded to Win XP Pro. Any hints?
</p><p>
<span class="emphasis"><em>ANSWER:</em></span> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
platforms. You need to use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so that
it is in the correct format for your MS Windows XP Pro clients.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>

View File

@ -0,0 +1,128 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
platforms provide is not always compatible. This chapter contains
platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013478"></a>HPUX</h2></div></div><div></div></div><p>
HP's implementation of supplementary groups is, er, non-standard (for
hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
initgroups() reads the latter. Most system admins who know the ropes
symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt>
(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
groups you're in in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid
ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think)
60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt>
GIDs.
</p><p>
If you encounter this problem, make sure that the programs that are failing
to initgroups() be run as users not in any groups with GIDs outside the
allowed range.
</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
</p><p>
On HPUX you must use gcc or the HP ANSI compiler. The free compiler
that comes with HP-UX is not ANSI compliant and cannot compile
Samba.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016009"></a>SCO Unix</h2></div></div><div></div></div><p>
If you run an old version of SCO Unix then you may need to get important
TCP/IP patches for Samba to work correctly. Without the patch, you may
encounter corrupt data transfers using samba.
</p><p>
The patch you need is UOD385 Connection Drivers SLS. It is available from
SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
files uod385a.Z and uod385a.ltr.Z).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016039"></a>DNIX</h2></div></div><div></div></div><p>
DNIX has a problem with seteuid() and setegid(). These routines are
needed for Samba to work correctly, but they were left out of the DNIX
C library for some reason.
</p><p>
For this reason Samba by default defines the macro NO_EID in the DNIX
section of includes.h. This works around the problem in a limited way,
but it is far from ideal, some things still won't work right.
</p><p>
To fix the problem properly you need to assemble the following two
functions and then either add them to your C library or link them into
Samba.
</p><p>
put this in the file <tt class="filename">setegid.s</tt>:
</p><pre class="programlisting">
.globl _setegid
_setegid:
moveq #47,d0
movl #100,a0
moveq #1,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts
</pre><p>
put this in the file <tt class="filename">seteuid.s</tt>:
</p><pre class="programlisting">
.globl _seteuid
_seteuid:
moveq #47,d0
movl #100,a0
moveq #0,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts
</pre><p>
after creating the above files you then assemble them using
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b>
</pre><p>
that should produce the files <tt class="filename">seteuid.o</tt> and
<tt class="filename">setegid.o</tt>
</p><p>
then you need to add these to the LIBSM line in the DNIX section of
the Samba Makefile. Your LIBSM line will then look something like this:
</p><pre class="programlisting">
LIBSM = setegid.o seteuid.o -ln
</pre><p>
You should then remove the line:
</p><pre class="programlisting">
#define NO_EID
</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016210"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><p>
By default RedHat Rembrandt-II during installation adds an
entry to <tt class="filename">/etc/hosts</tt> as follows:
</p><pre class="programlisting">
127.0.0.1 loopback &quot;hostname&quot;.&quot;domainname&quot;
</pre><p>
</p><p>
This causes Samba to loop back onto the loopback interface.
The result is that Samba fails to communicate correctly with
the world and therefor may fail to correctly negotiate who
is the master browse list holder and who is the master browser.
</p><p>
Corrective Action: Delete the entry after the word loopback
in the line starting 127.0.0.1
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016254"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016261"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
Samba performance significantly.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016287"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016294"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
when running Samba on Solaris. The built in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would
be stuck if F_SETLKW64 loops.
</p><p>
Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7
has not been released yet.
</p><p>
The patch revision for 2.6 is 105181-34
for 8 is 108528-19 and for 9 is 112233-04
</p><p>
After the install of these patches it is recommended to reconfigure
and rebuild samba.
</p><p>Thanks to Joe Meslovich for reporting</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p>
Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior
is fixed by Sun in patch 113476-05 which as of March 2003 is not in any
roll-up packages.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. How to compile SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. Samba and other CIFS clients</td></tr></table></div></body></html>

View File

@ -0,0 +1,680 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2988251">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2988285">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988326">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988731">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989902">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989967">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990232">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990290">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990336">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990356">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990504">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991058">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991562">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991575">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991638">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991859">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2988251"></a>Features and Benefits</h2></div></div><div></div></div><p>
Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
some administrators.
</p><p>
Roaming Profiles allow an administrator to make available a consistent user desktop
as the user moves from one machine to another. This chapter provides much information
regarding how to configure and manage Roaming Profiles.
</p><p>
While Roaming Profiles might sound like nirvana to some, they are a real and tangible
problem to others. In particular, users of mobile computing tools, where often there may not
be a sustained network connection, are often better served by purely Local Profiles.
This chapter provides information to help the Samba administrator to deal with those
situations also.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2988285"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
</p></div><p>
Before discussing how to configure roaming profiles, it is useful to see how
Windows 9x / Me and Windows NT4/200x clients implement these features.
</p><p>
Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
profiles location. However, the response does not have room for a separate
profiles location field, only the user's home share. This means that Win9X/Me
profiles are restricted to being stored in the user's home directory.
</p><p>
Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
including a separate field for the location of the user's profiles.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988326"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
This section documents how to configure Samba for MS Windows client profile support.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988340"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
To support Windows NT4/200x clients, in the [global] section of smb.conf set the
following (for example):
</p><p>
</p><pre class="programlisting">
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
</pre><p>
This is typically implemented like:
</p><pre class="programlisting">
logon path = \\%L\Profiles\%u
</pre><p>
where %L translates to the name of the Samba server and %u translates to the user name
</p><p>
The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
namely <tt class="filename">\\sambaserver\username\profile</tt>.
The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
a samba server for the profiles, you _must_ make the share specified in the logon path
browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
semantics of %L and %N, as well as %U and %u.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows NT/2K clients at times do not disconnect a connection to a server
between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
meta-service name as part of the profile share path.
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988432"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
To support Windows 9x / Me clients, you must use the <i class="parameter"><tt>logon home</tt></i> parameter. Samba has
now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
on the <b class="command">logon home</b> parameter.
</p><p>
By using the logon home parameter, you are restricted to putting Win9x / Me
profiles in the user's home directory. But wait! There is a trick you
can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
</p><pre class="programlisting">
logon home = \\%L\%U\.profiles
</pre><p>
then your Windows 9x / Me clients will dutifully put their clients in a subdirectory
of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden).
</p><p>
Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in
Windows 9x / Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified <tt class="filename">\\%L\%U</tt> for <i class="parameter"><tt>logon home</tt></i>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988541"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
You can support profiles for both Win9X and WinNT clients by setting both the
<i class="parameter"><tt>logon home</tt></i> and <i class="parameter"><tt>logon path</tt></i> parameters. For example:
</p><pre class="programlisting">
logon home = \\%L\%u\.profiles
logon path = \\%L\profiles\%u
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988580"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
A question often asked is &#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221; or
&#8220;<span class="quote">How do I disable Roaming Profiles?</span>&#8221;
</p><p>
There are three ways of doing this:
</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p>
Affect the following settings and ALL clients
will be forced to use a local profile:
</p><pre class="programlisting">
logon home =
logon path =
</pre><p>
</p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p>
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
</p><pre class="programlisting">
Local Computer Policy\
Computer Configuration\
Administrative Templates\
System\
User Profiles\
Disable: Only Allow Local User Profiles
Disable: Prevent Roaming Profile Change from Propagating to the Server
</pre><p>
</p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
From the start menu right click on the
My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
</p></dd></dl></div><p>
Consult the MS Windows registry guide for your particular MS Windows version for more
information about which registry keys to change to enforce use of only local user
profiles.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
to a local one vary according to the version of MS Windows you are running. Consult the
Microsoft MS Windows Resource Kit for your version of Windows for specific information.
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988731"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988739"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
When a user first logs in on Windows 9X, the file user.DAT is created,
as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
These directories and their contents will be merged with the local
versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins,
taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i>
options <i class="parameter"><tt>preserve case = yes</tt></i>, <i class="parameter"><tt>short preserve case = yes</tt></i> and
<i class="parameter"><tt>case sensitive = no</tt></i> in order to maintain capital letters in shortcuts
in any of the profile folders.
</p><p>
The user.DAT file contains all the user's preferences. If you wish to
enforce a set of preferences, rename their user.DAT file to user.MAN,
and deny them write access to this file.
</p><div class="orderedlist"><ol type="1"><li><p>
On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Passwords</span> and
select the <span class="guilabel">User Profiles</span> tab. Select the required level of
roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer
to reboot.
</p></li><li><p>
On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Network</span> -&gt;
<span class="guimenuitem">Client for Microsoft Networks</span> -&gt; <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to
NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for
Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer
to reboot.
</p></li></ol></div><p>
Under Windows 9x / Me Profiles are downloaded from the Primary Logon.
If you have the Primary Logon as 'Client for Novell Networks', then
the profiles and logon script will be downloaded from your Novell
Server. If you have the Primary Logon as 'Windows Logon', then the
profiles will be loaded from the local machine - a bit against the
concept of roaming profiles, it would seem!
</p><p>
You will now find that the Microsoft Networks Login box contains
[user, password, domain] instead of just [user, password]. Type in
the samba server's domain name (or any other domain known to exist,
but bear in mind that the user will be authenticated against this
domain and profiles downloaded from it, if that domain logon server
supports it), user name and user's password.
</p><p>
Once the user has been successfully validated, the Windows 9x / Me machine
will inform you that <tt class="computeroutput">The user has not logged on before' and asks you
if you wish to save the user's preferences?</tt> Select <span class="guibutton">yes</span>.
</p><p>
Once the Windows 9x / Me client comes up with the desktop, you should be able
to examine the contents of the directory specified in the <i class="parameter"><tt>logon path</tt></i>
on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created.
</p><p>
These folders will be cached locally on the client, and updated when
the user logs off (if you haven't made them read-only by then).
You will find that if the user creates further folders or short-cuts,
that the client will merge the profile contents downloaded with the
contents of the profile directory already on the local client, taking
the newest folders and short-cuts from each set.
</p><p>
If you have made the folders / files read-only on the samba server,
then you will get errors from the Windows 9x / Me machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
you have any errors reported by the Windows 9x / Me machine, check the Unix file
permissions and ownership rights on the profile directory contents,
on the samba server.
</p><p>
If you have problems creating user profiles, you can reset the user's
local desktop cache, as shown below. When this user then next logs in,
they will be told that they are logging in &quot;for the first time&quot;.
</p><div class="orderedlist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Before deleting the contents of the
directory listed in the ProfilePath (this is likely to be
<tt class="filename">c:\windows\profiles\username)</tt>, ask them if they
have any important files stored on their desktop or in their start menu.
Delete the contents of the directory ProfilePath (making a backup if any
of the files are needed).
</p><p>
This will have the effect of removing the local (read-only hidden
system file) user.DAT in their profile directory, as well as the
local &quot;desktop&quot;, &quot;nethood&quot;, &quot;start menu&quot; and &quot;programs&quot; folders.
</p></div><ol type="1"><li><p>
instead of logging in under the [user, password, domain] dialog,
press <span class="guibutton">escape</span>.
</p></li><li><p>
run the <b class="command">regedit.exe</b> program, and look in:
</p><p>
<tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
</p><p>
you will find an entry, for each user, of ProfilePath. Note the
contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>),
then delete the key ProfilePath for the required user.
</p><p>[Exit the registry editor].</p></li><li><p>
search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt>
directory, and delete it.
</p></li><li><p>
log off the windows 9x / Me client.
</p></li><li><p>
check the contents of the profile path (see <i class="parameter"><tt>logon path</tt></i> described
above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user,
making a backup if required.
</p></li></ol></div><p>
If all else fails, increase samba's debug log levels to between 3 and 10,
and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and
look for error messages.
</p><p>
If you have access to an Windows NT4/200x server, then first set up roaming profiles
and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
the example packet traces provided with Windows NT4/200x server, and see what the
differences are with the equivalent samba trace.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989233"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
When a user first logs in to a Windows NT Workstation, the profile
NTuser.DAT is created. The profile location can be now specified
through the <i class="parameter"><tt>logon path</tt></i> parameter.
</p><p>
There is a parameter that is now available for use with NT Profiles:
<i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and
should be used in conjunction with the new &quot;logon home&quot; parameter.
</p><p>
The entry for the NT4 profile is a _directory_ not a file. The NT
help on profiles mentions that a directory is also created with a .PDS
extension. The user, while logging in, must have write permission to
create the full profile path (and the folder with the .PDS extension
for those situations where it might be created.)
</p><p>
In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>,
<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file
<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and
its purpose is currently unknown.
</p><p>
You can use the <span class="application">System Control Panel</span> to copy a local profile onto
a samba server (see NT Help on profiles: it is also capable of firing
up the correct location in the <span class="application">System Control Panel</span> for you). The
NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt>
turns a profile into a mandatory one.
</p><p>
The case of the profile is significant. The file must be called
<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989391"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
You must first convert the profile from a local profile to a domain
profile on the MS Windows workstation as follows:
</p><div class="procedure"><ol type="1"><li><p>
Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator.
</p></li><li><p>
Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span>
</p></li><li><p>
Click on the <span class="guilabel">User Profiles</span> tab
</p></li><li><p>
Select the profile you wish to convert (click on it once)
</p></li><li><p>
Click on the button <span class="guibutton">Copy To</span>
</p></li><li><p>
In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button.
</p></li><li><p>
Click on the 'Look in&quot; area that lists the machine name, when you click
here it will open up a selection box. Click on the domain to which the
profile must be accessible.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect
as: <i class="replaceable"><tt>MIDEARTH</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p>
To make the profile capable of being used by anyone select 'Everyone'
</p></li><li><p>
Click <span class="guibutton">OK</span>. The Selection box will close.
</p></li><li><p>
Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
nominated.
</p></li></ol></div><p>
Done. You now have a profile that can be edited using the samba-3.0.0
<b class="command">profiles</b> tool.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Under NT/2K the use of mandatory profiles forces the use of MS Exchange
storage of mail data. That keeps desktop profiles usable.
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><div class="procedure"><ol type="1"><li><p>
This is a security check new to Windows XP (or maybe only
Windows XP service pack 1). It can be disabled via a group policy in
Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User
Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>.
Does the new version of samba have an Active Directory analogue? If so,
then you may be able to set the policy through this.
</p><p>
If you cannot set group policies in samba, then you may be able to set
the policy locally on each machine. If you want to try this, then do
the following (N.B. I don't know for sure that this will work in the
same way as a domain group policy):
</p></li><li><p>
On the XP workstation log in with an Administrator account.
</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the &quot;Console Root&quot; window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
<span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
refers to the console settings rather than the policies you have
changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989902"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
Sharing of desktop profiles between Windows versions is NOT recommended.
Desktop profiles are an evolving phenomenon and profiles for later versions
of MS Windows clients add features that may interfere with earlier versions
of MS Windows clients. Probably the more salient reason to NOT mix profiles
is that when logging off an earlier version of MS Windows the older format
of profile contents may overwrite information that belongs to the newer
version resulting in loss of profile information content when that user logs
on again with the newer version of MS Windows.
</p><p>
If you then want to share the same Start Menu / Desktop with W9x/Me, you will
need to specify a common location for the profiles. The smb.conf parameters
that need to be common are <i class="parameter"><tt>logon path</tt></i> and
<i class="parameter"><tt>logon home</tt></i>.
</p><p>
If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
<tt class="filename">NTuser.DAT</tt> files in the same profile directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989967"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
There is nothing to stop you specifying any path that you like for the
location of users' profiles. Therefore, you could specify that the
profile be stored on a samba server, or any other SMB server, as long as
that SMB server supports encrypted passwords.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989984"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
Unfortunately, the Resource Kit information is specific to the version of MS Windows
NT4/200x. The correct resource kit is required for each platform.
</p><p>
Here is a quick guide:
</p><div class="procedure"><ol type="1"><li><p>
On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then
select the tab labelled <span class="guilabel">User Profiles</span>.
</p></li><li><p>
Select a user profile you want to migrate and click on it.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term &quot;migrate&quot; loosely. You can copy a profile to
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your samba
domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
<tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
Follow the above for every profile you need to migrate.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990153"></a>Side bar Notes</h4></div></div><div></div></div><p>
You should obtain the SID of your NT4 domain. You can use smbpasswd to do
this. Read the man page.</p><p>
With Samba-3.0.0 alpha code you can import all you NT4 domain accounts
using the net samsync method. This way you can retain your profile
settings as well as all your users.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990175"></a>moveuser.exe</h4></div></div><div></div></div><p>
The W2K professional resource kit has moveuser.exe. moveuser.exe changes
the security of a profile from one user to another. This allows the account
domain to change, and/or the user name to change.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990191"></a>Get SID</h4></div></div><div></div></div><p>
You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
Resource Kit.
</p><p>
Windows NT 4.0 stores the local profile information in the registry under
the following key:
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt>
</p><p>
Under the ProfileList key, there will be subkeys named with the SIDs of the
users who have logged on to this computer. (To find the profile information
for the user whose locally cached profile you want to move, find the SID for
the user with the GetSID.exe utility.) Inside of the appropriate user's
subkey, you will see a string value named ProfileImagePath.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990232"></a>Mandatory profiles</h2></div></div><div></div></div><p>
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
During the user's session it may be possible to change the desktop environment, but
as the user logs out all changes made will be lost. If it is desired to NOT allow the
user any ability to change the desktop environment then this must be done through
policy settings. See previous chapter.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Under NO circumstances should the profile directory (or it's contents) be made read-only
as this may render the profile un-usable.
</p></div><p>
For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
file in the copied profile and rename it to NTUser.MAN.
</p><p>
For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to
affect a mandatory profile.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990290"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
Most organisations are arranged into departments. There is a nice benefit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
a template (example) user. Then using the profile migration tool (see above) the
profile is assigned access rights for the user group that needs to be given access
to the group profile.
</p><p>
The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile
to users (ie: Using User Manager) on a &quot;per user&quot; basis, the group itself is assigned
the now modified profile.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Be careful with group profiles, if the user who is a member of a group also
has a personal profile, then the result will be a fusion (merge) of the two.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990336"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
a profile does not already exist. Armed with a knowledge of where the default profile
is located on the Windows workstation, and knowing which registry keys affect the path
from which the default profile is created, it is possible to modify the default profile
to one that has been optimised for the site. This has significant administrative
advantages.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990356"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
Policy Editor</span> or change the registry directly.
</p><p>
To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then
select <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Open Registry</span>, then click on the
<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes.
</p><p>
To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive
<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name
&quot;User Profiles&quot;, to enable user profiles set the value to 1, to disable user profiles set it to 0.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990454"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
When a user logs on to a Windows 9x / Me machine, the local profile path,
<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
for an existing entry for that user:
</p><p>
If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
version of the user profile. Windows 9x / Me also checks the user's home directory (or other
specified directory if the location has been modified) on the server for the User Profile.
If a profile exists in both locations, the newer of the two is used. If the User Profile exists
on the server, but does not exist on the local machine, the profile on the server is downloaded
and used. If the User Profile only exists on the local machine, that copy is used.
</p><p>
If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
machine is used and is copied to a newly created folder for the logged on user. At log off, any
changes that the user made are written to the user's local profile. If the user has a roaming
profile, the changes are written to the user's profile on the server.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990504"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
On MS Windows NT4 the default user profile is obtained from the location
<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>.
</p><p>
The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
system users. The <tt class="filename">Default User</tt> directory contains menu entries that are
customisable per user depending on the profile settings chosen/created.
</p><p>
When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>All Users settings</td></tr><tr><td>Default User settings (contains the default NTUser.DAT file)</td></tr></table><p>
When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
the following steps are followed in respect of profile handling:
</p><div class="procedure"><ol type="1"><li><p>
The users' account information which is obtained during the logon process contains
the location of the users' desktop profile. The profile path may be local to the
machine or it may be located on a network share. If there exists a profile at the location
of the path from the user account, then this profile is copied to the location
<tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the
settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
location.
</p></li><li><p>
If the user account has a profile path, but at it's location a profile does not exist,
then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
directory from reading the <tt class="filename">Default User</tt> profile.
</p></li><li><p>
If the NETLOGON share on the authenticating server (logon server) contains a policy file
(<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt>
which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry.
</p></li><li><p>
When the user logs out, if the profile is set to be a roaming profile it will be written
out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>.
</p></li></ol></div><p>
MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
also remain stored in the same way, unless the following registry key is created:
</p><p>
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
&quot;DeleteRoamingCache&quot;=dword:00000001
</pre><p>
In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
deleted on logout.
</p><p>
Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>
may be redirected to a network share by modifying the following registry keys. These changes may be affected
via use of the System Policy Editor (to do so may require that you create your owns template extension
for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first
creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.
</p><p>
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
are controlled by entries on Windows NT4 is:
</p><p>
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
</p><p>
The above hive key contains a list of automatically managed folders. The default entries are:
</p><p>
</p><div class="table"><a name="id2990854"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
</p><p>
The registry key that contains the location of the default profile settings is:
</p><p>
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
</p><p>
The default entries are:
</p><div class="table"><a name="id2990998"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991058"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows XP Home Edition does use default per user profiles, but can not participate
in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
only from itself. While there are benefits in doing this the beauty of those MS Windows
clients that CAN participate in domain logon processes allows the administrator to create
a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
</p></div><p>
When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change
the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
workstation.
</p><p>
When MS Windows 200x/XP participate in a domain security context, and if the default user
profile is not found, then the client will search for a default profile in the NETLOGON share
of the authenticating server. ie: In MS Windows parlance:
<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this
to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows
login name of the user.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory
should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>.
</p></div><p>
If a default profile does not exist in this location then MS Windows 200x/XP will use the local
default profile.
</p><p>
On logging out, the users' desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
</p><p>
Those wishing to modify the default behaviour can do so through three methods:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Modify the registry keys on the local machine manually and place the new default profile in the
NETLOGON share root - NOT recommended as it is maintenance intensive.
</p></li><li><p>
Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
in the root of the NETLOGON share along with the new default profile.
</p></li><li><p>
Create a GPO that enforces this through Active Directory, and place the new default profile
in the NETLOGON share.
</p></li></ul></div><p>
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
are controlled by entries on Windows 200x/XP is:
</p><p>
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
</p><p>
The above hive key contains a list of automatically managed folders. The default entries are:
</p><p>
</p><div class="table"><a name="id2991253"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p>
</p><p>
There is also an entry called &quot;Default&quot; that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
</p><p>
It makes a huge difference to the speed of handling roaming user profiles if all the folders are
stored on a dedicated location on a network server. This means that it will NOT be necessary to
write the Outlook PST file over the network for every login and logout.
</p><p>
To set this to a network location you could use the following examples:
</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p>
This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt>
You could also use:
</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows
user as seen by the Linux/Unix file system.
</p><p>
Please note that once you have created a default profile share, you MUST migrate a user's profile
(default or custom) to it.
</p><p>
MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
A roaming profile will be cached locally unless the following registry key is created:
</p><p><tt class="filename">HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\&quot;DeleteRoamingCache&quot;=dword:00000001</tt></p><p>
In which case, the local cache copy will be deleted on logout.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991562"></a>Common Errors</h2></div></div><div></div></div><p>
The following are some typical errors/problems/questions that have been asked.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991575"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p>
With samba-2.2.x the choice you have is to enable or disable roaming
profiles support. It is a global only setting. The default is to have
roaming profiles and the default path will locate them in the user's home
directory.
</p><p>
If disabled globally then no-one will have roaming profile ability.
If enabled and you want it to apply only to certain machines, then on
those machines on which roaming profile support is NOT wanted it is then
necessary to disable roaming profile handling in the registry of each such
machine.
</p><p>
With samba-3.0.0 (soon to be released) you can have a global profile
setting in smb.conf _AND_ you can over-ride this by per-user settings
using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
</p><p>
In any case, you can configure only one profile per user. That profile can
be either:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991638"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
I dont want Roaming profile to be implemented, I just want to give users
local profiles only.
...
Please help me I am totally lost with this error from past two days I tried
everything and googled around quite a bit but of no help. Please help me.
</span>&#8221;</p><p>
Your choices are:
</p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p>
I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
</p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><p>
Your choices are:
</p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
- should be preserved on a central server
- workstations 'cache' (store) a local copy
- used in case the profile can not be downloaded
at next logon
</p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a central place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
- can be personal or group
- can NOT be changed (except by an administrator
</p></dd></dl></div><p>
</p></dd></dl></div><p>
</p><p>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
size. On average (in a well controlled environment) roaming profile size of
2MB is a good rule of thumb to use for planning purposes. In an
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it take an hour to log onto a workstation but they harvest
the fruits of folly (and ignorance).
</p><p>
The point of all the above is to show that roaming profiles and good
controls of how they can be changed as well as good discipline make up for
a problem free site.
</p><p>
Microsoft's answer to the PST problem is to store all email in an MS
Exchange Server back-end. But this is another story ...!
</p><p>
So, having LOCAL profiles means:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><p>
On the other hand, having roaming profiles means:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><p>
</p><p>
I have managed and installed MANY NT/2K networks and have NEVER found one
where users who move from machine to machine are happy with local
profiles. In the long run local profiles bite them.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991859"></a>Changing the default profile</h3></div></div><div></div></div><p>&#8220;<span class="quote">
When the client tries to logon to the PDC it looks for a profile to download
where do I put this default profile.
</span>&#8221;</p><p>
Firstly, your samba server need to be configured as a domain controller.
</p><pre class="programlisting">
server = user
os level = 32 (or more)
domain logons = Yes
</pre><p>
Plus you need to have a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable.
It is a good idea to add a logon script to pre-set printer and
drive connections. There is also a facility for automatically
synchronizing the workstation time clock with that of the logon
server (another good thing to do).
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
To invoke auto-deletion of roaming profile from the local
workstation cache (disk storage) you need to use the <span class="application">Group Policy Editor</span>
to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This
file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p>
Oh, of course the windows clients need to be members of the domain.
Workgroup machines do NOT do network logons - so they never see domain
profiles.
</p><p>
Secondly, for roaming profiles you need:
logon path = \\%N\profiles\%U (with some such path)
logon drive = H: (Z: is the default)
Plus you need a PROFILES share that is world writable.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html>

200
docs/htmldocs/SWAT.html Normal file
View File

@ -0,0 +1,200 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></div><p>
There are many and varied opinions regarding the usefulness or otherwise of SWAT.
No matter how hard one tries to produce the perfect configuration tool it remains
an object of personal taste. SWAT is a tool that will allow web based configuration
of samba. It has a wizard that may help to get samba configured quickly, it has context
sensitive help on each smb.conf parameter, it provides for monitoring of current state
of connection information, and it allows network wide MS Windows network password
management.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003929"></a>Features and Benefits</h2></div></div><div></div></div><p>
There are network administrators who believe that it is a good idea to write systems
documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT
does not store the configuration file in any intermediate form, rather, it stores only the
parameter settings, so when SWAT writes the smb.conf file to disk it will write only
those parameters that are at other than the default settings. The result is that all comments
will be lost from the <tt class="filename">smb.conf</tt> file. Additionally, the parameters will be written back in
internal ordering.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
So before using SWAT please be warned - SWAT will completely replace your smb.conf with
a fully optimised file that has been stripped of all comments you might have placed there
and only non-default settings will be written to the file.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003963"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
SWAT should be installed to run via the network super daemon. Depending on which system
your Unix/Linux system has you will have either an <b class="command">inetd</b> or
<b class="command">xinetd</b> based system.
</p><p>
The nature and location of the network super-daemon varies with the operating system
implementation. The control file (or files) can be located in the file
<tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet.d</tt>
or similar.
</p><p>
The control entry for the older style file might be:
</p><pre class="programlisting">
# swat is the Samba Web Administration Tool
swat stream tcp nowait.400 root /usr/sbin/swat swat
</pre><p>
A control file for the newer style xinetd could be:
</p><p>
</p><pre class="programlisting">
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
# to configure your Samba server. To use SWAT, \
# connect to port 901 with your favorite web browser.
service swat
{
port = 901
socket_type = stream
wait = no
only_from = localhost
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = yes
}
</pre><p>
</p><p>
Both the above examples assume that the <b class="command">swat</b> binary has been
located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above
SWAT will use a directory access point from which it will load it's help files
as well as other control information. The default location for this on most Linux
systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default
location using samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>.
</p><p>
Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
the only permission allowed is to view certain aspects of configuration as well as
access to the password change facility. The buttons that will be exposed to the non-root
user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>,
<span class="guibutton">PASSWORD</span>. The only page that allows
change capability in this case is <span class="guibutton">PASSWORD</span>.
</p><p>
So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span> you should obtain
full change and commit ability. The buttons that will be exposed includes:
<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006322"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
Lots of people have asked about how to setup SWAT with SSL to allow for secure remote
administration of Samba. Here is a method that works, courtesy of Markus Krieger
</p><p>
Modifications to the swat setup are as following:
</p><div class="procedure"><ol type="1"><li><p>
install OpenSSL
</p></li><li><p>
generate certificate and private key
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
</pre></li><li><p>
remove swat-entry from [x]inetd
</p></li><li><p>
start stunnel
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat </tt></b>
</pre></li></ol></div><p>
afterwords simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
and the SSL connection is up.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006435"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
The SWAT title page provides access to the latest Samba documentation. The manual page for
each samba component is accessible from this page as are the Samba-HOWTO-Collection (this
document) as well as the O'Reilly book &quot;Using Samba&quot;.
</p><p>
Administrators who wish to validate their samba configuration may obtain useful information
from the man pages for the diagnostic utilities. These are available from the SWAT home page
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
useful is <b class="command">ethereal</b>, available from <a href="http://www.ethereal.com" target="_top">
http://www.ethereal.com</a>.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
changes to smb.conf as well as general operation with root privileges. The option that
creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any
production environment.</em></span>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006499"></a>Global Settings</h3></div></div><div></div></div><p>
The Globals button will expose a page that allows configuration of the global parameters
in smb.conf. There are three levels of exposure of the parameters:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<span class="emphasis"><em>Basic</em></span> - exposes common configuration options.
</p></li><li><p>
<span class="emphasis"><em>Advanced</em></span> - exposes configuration options needed in more
complex environments.
</p></li><li><p>
<span class="emphasis"><em>Developer</em></span> - exposes configuration options that only the brave
will want to tamper with.
</p></li></ul></div><p>
To switch to other than <span class="emphasis"><em>Basic</em></span> editing ability click on either the
<span class="emphasis"><em>Advanced</em></span> or the <span class="emphasis"><em>Developer</em></span> dial, then click the
<span class="guibutton">Commit Changes</span> button.
</p><p>
After making any changes to configuration parameters make sure that you click on the
<span class="guibutton">Commit Changes</span> button before moving to another area otherwise
your changes will be immediately lost.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
SWAT has context sensitive help. To find out what each parameter is for simply click the
<span class="guibutton">Help</span> link to the left of the configuration parameter.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006604"></a>Share Settings</h3></div></div><div></div></div><p>
To affect a currently configured share, simply click on the pull down button between the
<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
select the share you wish to operate on, then to edit the settings click on the
<span class="guibutton">Choose Share</span> button, to delete the share simply press the
<span class="guibutton">Delete Share</span> button.
</p><p>
To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter
into the text field the name of the share to be created, then click on the
<span class="guibutton">Create Share</span> button.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006669"></a>Printers Settings</h3></div></div><div></div></div><p>
To affect a currently configured printer, simply click on the pull down button between the
<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<span class="guibutton">Choose Printer</span> button, to delete the share simply press the
<span class="guibutton">Delete Printer</span> button.
</p><p>
To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter
into the text field the name of the share to be created, then click on the
<span class="guibutton">Create Printer</span> button.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006733"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
to configure Samba with a minimum of effort.
</p><p>
The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
This will also happen if you press the commit button. The two differ in the the rewrite button
ignores any changes that may have been made, while the Commit button causes all changes to be
affected.
</p><p>
The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working Samba server.
</p><p>
Finally, there are a limited set of options that will determine what type of server Samba
will be configured for, whether it will be a WINS server, participate as a WINS client, or
operate with no WINS support. By clicking on one button you can elect to expose (or not) user
home directories.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006781"></a>The Status Page</h3></div></div><div></div></div><p>
The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
</p><p>
The daemons may be controlled individually or as a total group. Additionally, you may set
an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes
will be continually spawned. The auto-refresh facility will allow you to track the changing
conditions with minimal effort.
</p><p>
Lastly, the Status page may be used to terminate specific smbd client connections in order to
free files that may be locked.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006833"></a>The View Page</h3></div></div><div></div></div><p>
This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are
particularly masochistic, will permit you also to see all possible global configuration
parameters and their settings.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006856"></a>The Password Change Page</h3></div></div><div></div></div><p>
The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation
and reactivation of MS Windows networking users on the local machine. Alternatively, you can use
this tool to change a local password for a user account.
</p><p>
When logged in as a non-root account the user will have to provide the old password as well as
the new password (twice). When logged in as <span class="emphasis"><em>root</em></span> only the new password is
required.
</p><p>
One popular use for this tool is to change user passwords across a range of remote MS Windows
servers.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html>

View File

@ -0,0 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. High Availability Options</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="Backup.html" title="Chapter 28. Samba Backup Techniques"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. High Availability Options</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SambaHA.html#id3003099">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003099"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. Samba Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html>

View File

@ -0,0 +1,343 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 5. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba a SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p>
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what, within a Samba context, terms familiar to MS Windows
administrator mean. This means that it is essential also to define how critical security
modes function BEFORE we get into the details of how to configure the server itself.
</p><p>
The chapter provides an overview of the security modes of which Samba is capable
and how these relate to MS Windows servers and clients.
</p><p>
Firstly we should recognise the question so often asked, &quot;Why would I want to use Samba?&quot;
So, in those chapters where the answer may be important you will see a section that highlights
features and benefits. These may be for or against Samba.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888767"></a>Features and Benefits</h2></div></div><div></div></div><p>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
can turn that into a precious gem and some day it will make a princess very happy!
</p><p>
The moral of this tale: Two men, two very different perspectives regarding the same stone.
Like it or not, Samba is like that stone. Treat it the right way and it can bring great
pleasure, but if you are forced upon it and have no time for its secrets then it can be
a source of discomfort.
</p><p>
Samba started out as a project that sought to provide interoperability for MS Windows 3.x
clients with a Unix server. It has grown up a lot since its humble beginnings and now provides
features and functionality fit for large scale deployment. It also has some warts. In sections
like this one we will tell of both.
</p><p>
So now, what are the benefits of features mentioned in this chapter?
</p><div class="itemizedlist"><ul type="disc"><li><p>
Samba-3 can replace an MS Windows NT4 Domain Controller
</p></li><li><p>
Samba-3 offers excellent interoperability with MS Windows NT4
style domains as well as natively with Microsoft Active
Directory domains.
</p></li><li><p>
Samba-3 permits full NT4 style Interdomain Trusts
</p></li><li><p>
Samba has security modes that permit more flexible
authentication than is possible with MS Windows NT4 Domain Controllers.
</p></li><li><p>
Samba-3 permits use of multiple account database backends
</p></li><li><p>
The account (password) database backends can be distributed
and replicated using multiple methods. This gives Samba-3
greater flexibility than MS Windows NT4 and in many cases a
significantly higher utility than Active Directory domains
with MS Windows 200x.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888862"></a>Server Types</h2></div></div><div></div></div><p>Administrators of Microsoft networks often refer to three
different type of servers:</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Primary Domain Controller</td></tr><tr><td>Backup Domain Controller</td></tr><tr><td>ADS Domain Controller</td></tr></table></li><li><p>Domain Member Server</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Member Server</td></tr><tr><td>NT4 Style Domain Member Server</td></tr></table></li><li><p>Stand Alone Server</p></li></ul></div><p>
The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
pertinent information regarding Samba-3 configuration for each of these server roles.
The reader is strongly encouraged to become intimately familiar with the information
presented.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888947"></a>Samba Security Modes</h2></div></div><div></div></div><p>
In this section the function and purpose of Samba's <i class="parameter"><tt>security</tt></i>
modes are described. An accurate understanding of how Samba implements each security
mode as well as how to configure MS Windows clients for each mode will significantly
reduce user complaints and administrator heartache.
</p><p>
In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>USER Level</em></span>
and <span class="emphasis"><em>SHARE Level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>. In implementing these two <span class="emphasis"><em>security levels</em></span> Samba provides flexibilities
that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of five (5)
ways that allow the security levels to be implemented. In actual fact, Samba implements
<span class="emphasis"><em>SHARE Level</em></span> security only one way, but has four ways of implementing
<span class="emphasis"><em>USER Level</em></span> security. Collectively, we call the Samba implementations
<span class="emphasis"><em>Security Modes</em></span>. These are: <span class="emphasis"><em>SHARE</em></span>, <span class="emphasis"><em>USER</em></span>, <span class="emphasis"><em>DOMAIN</em></span>,
<span class="emphasis"><em>ADS</em></span>, and <span class="emphasis"><em>SERVER</em></span>
modes. They are documented in this chapter.
</p><p>
A SMB server tells the client at startup what <i class="parameter"><tt>security level</tt></i>
it is running. There are two options: <span class="emphasis"><em>share level</em></span> and
<span class="emphasis"><em>user level</em></span>. Which of these two the client receives affects
the way the client then tries to authenticate itself. It does not directly affect
(to any great extent) the way the Samba server does security. This may sound strange,
but it fits in with the client/server approach of SMB. In SMB everything is initiated
and controlled by the client, and the server can only tell the client what is
available and whether an action is allowed.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889062"></a>User Level Security</h3></div></div><div></div></div><p>
We will describe <i class="parameter"><tt>user level</tt></i> security first, as it's simpler.
In <span class="emphasis"><em>user level</em></span> security, the client will send a
<span class="emphasis"><em>session setup</em></span> command directly after the protocol negotiation.
This contains a username and password. The server can either accept or reject that
username/password combination. Note that at this stage the server has no idea what
share the client will eventually try to connect to, so it can't base the
<span class="emphasis"><em>accept/reject</em></span> on anything other than:
</p><div class="orderedlist"><ol type="1"><li><p>The username/password</p></li><li><p>The name of the client machine</p></li></ol></div><p>
If the server accepts the username/password then the client expects to be able to
mount shares (using a <span class="emphasis"><em>tree connection</em></span>) without specifying a
password. It expects that all access rights will be as the username/password
specified in the <span class="emphasis"><em>session setup</em></span>.
</p><p>
It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span>
requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use
as an authentication tag for that username/password. The client can maintain multiple
authentication contexts in this way (WinDD is an example of an application that does this).
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889156"></a>Example Configuration</h4></div></div><div></div></div><p>
The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>User Level Security</em></span> is:
</p><pre class="programlisting">
security = user
</pre><p>
This is the default setting since samba-2.2.x.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889195"></a>Share Level Security</h3></div></div><div></div></div><p>
Ok, now for share level security. In share level security, the client authenticates
itself separately for each share. It will send a password along with each
<span class="emphasis"><em>tree connection</em></span> (share mount). It does not explicitly send a
username with this operation. The client expects a password to be associated
with each share, independent of the user. This means that Samba has to work out what
username the client probably wants to use. It is never explicitly sent the username.
Some commercial SMB servers such as NT actually associate passwords directly with
shares in share level security, but Samba always uses the unix authentication scheme
where it is a username/password pair that is authenticated, not a share/password pair.
</p><p>
To gain understanding of the MS Windows networking parallels to this, one should think
in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only
or full access, with or without a password.
</p><p>
Many clients send a <span class="emphasis"><em>session setup</em></span> even if the server is in share
level security. They normally send a valid username but no password. Samba records
this username in a list of <span class="emphasis"><em>possible usernames</em></span>. When the client
then does a <span class="emphasis"><em>tree connection</em></span> it also adds to this list the name
of the share they try to connect to (useful for home directories) and any users
listed in the <i class="parameter"><tt>user =</tt></i> <tt class="filename">smb.conf</tt> line. The password is then checked
in turn against these <span class="emphasis"><em>possible usernames</em></span>. If a match is found
then the client is authenticated as that user.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889275"></a>Example Configuration</h4></div></div><div></div></div><p>
The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>Share Level Security</em></span> is:
</p><pre class="programlisting">
security = share
</pre><p>
Please note that there are reports that recent MS Windows clients do not like to work
with share mode security servers. You are strongly discouraged from using share level security.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889317"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p>
When Samba is operating in <i class="parameter"><tt>security = domain</tt></i> mode,
the Samba server has a domain security trust account (a machine account) and will cause
all authentication requests to be passed through to the domain controllers.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889339"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
Samba as a Domain Member Server
</em></span></p><p>
This method involves addition of the following parameters in the <tt class="filename">smb.conf</tt> file:
</p><pre class="programlisting">
security = domain
workgroup = &quot;name_of_NT_domain&quot;
</pre><p>
In order for this method to work, the Samba server needs to join the MS Windows NT
security domain. This is done as follows:
</p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT domain controller, using
the Server Manager, add a machine account for the Samba server.
</p></li><li><p>Next, on the Unix/Linux system execute:</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j DOMAIN_NAME -r PDC_NAME</tt></b> (samba-2.x)</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>net join -U administrator%password</tt></b> (samba-3)</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just
by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j <i class="replaceable"><tt>DOMAIN_NAME</tt></i> -r <i class="replaceable"><tt>PDC_NAME</tt></i> -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
</pre><p>
As of Samba-3 the same can be done by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net join -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
</pre><p>
It is not necessary with Samba-3 to specify the <i class="replaceable"><tt>DOMAIN_NAME</tt></i> or the <i class="replaceable"><tt>PDC_NAME</tt></i> as it
figures this out from the <tt class="filename">smb.conf</tt> file settings.
</p></div><p>
Use of this mode of authentication does require there to be a standard Unix account
for each user in order to assign a uid once the account has been authenticated by
the remote Windows DC. This account can be blocked to prevent logons by clients other than
MS Windows through things such as setting an invalid shell in the
<tt class="filename">/etc/passwd</tt> entry.
</p><p>
An alternative to assigning UIDs to Windows users on a Samba member server is
presented in the <a href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind">Winbind Overview</a> chapter
in this HOWTO collection.
</p><p>
For more information of being a domain member, see the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain
Member</a> section of this Howto.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889568"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p>
Both Samba 2.2 and 3.0 can join an Active Directory domain. This is
possible even if the domain is run in native mode. Active Directory in
native mode perfectly allows NT4-style domain members, contrary to
popular belief. The only thing that Active Directory in native mode
prohibits is Backup Domain Controllers running NT4.
</p><p>
If you are running Active Directory starting with Samba 3.0 you can
however join as a native AD member. Why would you want to do that?
Your security policy might prohibit the use of NT-compatible
authentication protocols. All your machines are running Windows 2000
and above and all use full Kerberos. In this case Samba as a NT4-style
domain would still require NT-compatible authentication data. Samba in
AD-member mode can accept Kerberos.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889598"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting">
realm = your.kerberos.REALM
security = ADS
</pre><p>
The following parameter may be required:
</p><pre class="programlisting">
ads server = your.kerberos.server
</pre><p>
Please refer to the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Membership</a> and <a href="domain-member.html#ads-member" title="Samba ADS Domain Membership">Active Directory
Membership</a> sections for more information regarding this configuration option.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889655"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p>
Server security mode is a left over from the time when Samba was not capable of acting
as a domain member server. It is highly recommended NOT to use this feature. Server
security mode has many draw backs. The draw backs include:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Potential Account Lockout on MS Windows NT4/200x password servers</td></tr><tr><td>Lack of assurance that the password server is the one specified</td></tr><tr><td>Does not work with Winbind, particularly needed when storing profiles remotely</td></tr><tr><td>This mode may open connections to the password server, and keep them open for extended periods.</td></tr><tr><td>Security on the Samba server breaks badly when the remote password server suddenly shuts down</td></tr><tr><td>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</td></tr></table><p>
In server security mode the Samba server reports to the client that it is in user level
security. The client then does a <span class="emphasis"><em>session setup</em></span> as described earlier.
The Samba server takes the username/password that the client sends and attempts to login to the
<i class="parameter"><tt>password server</tt></i> by sending exactly the same username/password that
it got from the client. If that server is in user level security and accepts the password,
then Samba accepts the clients connection. This allows the Samba server to use another SMB
server as the <i class="parameter"><tt>password server</tt></i>.
</p><p>
You should also note that at the very start of all this, where the server tells the client
what security level it is in, it also tells the client if it supports encryption. If it
does then it supplies the client with a random cryptkey. The client will then send all
passwords in encrypted form. Samba supports this type of encryption by default.
</p><p>
The parameter <i class="parameter"><tt>security = server</tt></i> means that Samba reports to clients that
it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication
requests to another <span class="emphasis"><em>user mode</em></span> server. This requires an additional
parameter <i class="parameter"><tt>password server</tt></i> that points to the real authentication server.
That real authentication server can be another Samba server or can be a Windows NT server,
the later natively capable of encrypted password support.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
When Samba is running in <span class="emphasis"><em>server security mode</em></span> it is essential that
the parameter <span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine
name of the target authentication server. Samba can NOT determine this from NetBIOS name
lookups because the choice of the target authentication server is arbitrary and can not
be determined from a domain name. In essence, a Samba server that is in
<span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as
workgroup mode.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889811"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
Using MS Windows NT as an authentication server
</em></span></p><p>
This method involves the additions of the following parameters in the <tt class="filename">smb.conf</tt> file:
</p><pre class="programlisting">
encrypt passwords = Yes
security = server
password server = &quot;NetBIOS_name_of_a_DC&quot;
</pre><p>
There are two ways of identifying whether or not a username and password pair was valid
or not. One uses the reply information provided as part of the authentication messaging
process, the other uses just an error code.
</p><p>
The down-side of this mode of configuration is the fact that for security reasons Samba
will send the password server a bogus username and a bogus password and if the remote
server fails to reject the username and password pair then an alternative mode of
identification of validation is used. Where a site uses password lock out after a
certain number of failed authentication attempts this will result in user lockouts.
</p><p>
Use of this mode of authentication does require there to be a standard Unix account
for the user, though this account can be blocked to prevent logons by non-SMB/CIFS clients.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889880"></a>Seamless Windows Network Integration</h2></div></div><div></div></div><p>
MS Windows clients may use encrypted passwords as part of a challenge/response
authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear text strings for simple
password based authentication. It should be realized that with the SMB protocol,
the password is passed over the network either in plain text or encrypted, but
not both in the same authentication request.
</p><p>
When encrypted passwords are used, a password that has been entered by the user
is encrypted in two ways:
</p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the UNICODE of the password
string. This is known as the NT hash.
</p></li><li><p>The password is converted to upper case,
and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56 bit DES keys to encrypt a &quot;magic&quot; 8 byte value.
The resulting 16 bytes form the LanMan hash.
</p></li></ul></div><p>
MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
pre-service pack 3 will use either mode of password authentication. All
versions of MS Windows that follow these versions no longer support plain
text passwords by default.
</p><p>
MS Windows clients have a habit of dropping network mappings that have been idle
for 10 minutes or longer. When the user attempts to use the mapped drive
connection that has been dropped, the client re-establishes the connection using
a cached copy of the password.
</p><p>
When Microsoft changed the default password mode, support was dropped for caching
of the plain text password. This means that when the registry parameter is changed
to re-enable use of plain text passwords it appears to work, but when a dropped
service connection mapping attempts to revalidate it will fail if the remote
authentication server does not support encrypted passwords. This means that it
is definitely not a good idea to re-enable plain text password support in such clients.
</p><p>
The following parameters can be used to work around the issue of Windows 9x clients
upper casing usernames and password before transmitting them to the SMB server
when using clear text authentication.
</p><pre class="programlisting">
<a href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> = <i class="replaceable"><tt>integer</tt></i>
<a href="smb.conf.5.html#USERNAMELEVEL" target="_top">username level</a> = <i class="replaceable"><tt>integer</tt></i>
</pre><p>
By default Samba will lower case the username before attempting to lookup the user
in the database of local system accounts. Because UNIX usernames conventionally
only contain lower case character, the <i class="parameter"><tt>username level</tt></i> parameter
is rarely needed.
</p><p>
However, passwords on UNIX systems often make use of mixed case characters.
This means that in order for a user on a Windows 9x client to connect to a Samba
server using clear text authentication, the <i class="parameter"><tt>password level</tt></i>
must be set to the maximum number of upper case letter which <span class="emphasis"><em>could</em></span>
appear is a password. Note that the server OS uses the traditional DES version
of crypt(), a <i class="parameter"><tt>password level</tt></i> of 8 will result in case
insensitive passwords as seen from Windows users. This will also result in longer
login times as Samba has to compute the permutations of the password string and
try them one by one until a match is located (or all combinations fail).
</p><p>
The best option to adopt is to enable support for encrypted passwords where ever
Samba is used. Most attempts to apply the registry change to re-enable plain text
passwords will eventually lead to user complaints and unhappiness.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890056"></a>Common Errors</h2></div></div><div></div></div><p>
We all make mistakes. It is Ok to make mistakes, so long as they are made in the right places
and at the right time. A mistake that causes lost productivity is seldom tolerated. A mistake
made in a developmental test lab is expected.
</p><p>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting
a Samba implementation. Some are the result of misunderstanding of the English language. The
English language has many turns of phrase that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890084"></a>What makes Samba a SERVER?</h3></div></div><div></div></div><p>
To some the nature of the Samba <span class="emphasis"><em>security</em></span> mode is very obvious, but entirely
wrong all the same. It is assumed that <i class="parameter"><tt>security = server</tt></i> means that Samba
will act as a server. Not so! See above - this setting means that Samba will <span class="emphasis"><em>try</em></span>
to use another SMB server as its source of user authentication alone.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890117"></a>What makes Samba a Domain Controller?</h3></div></div><div></div></div><p>
The <tt class="filename">smb.conf</tt> parameter <i class="parameter"><tt>security = domain</tt></i> does NOT really make Samba behave
as a Domain Controller! This setting means we want Samba to be a domain member!
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890146"></a>What makes Samba a Domain Member?</h3></div></div><div></div></div><p>
Guess! So many others do. But whatever you do, do NOT think that <i class="parameter"><tt>security = user</tt></i>
makes Samba act as a domain member. Read the manufacturers manual before the warranty expires! See
the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Member</a> section of this Howto for more information.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890179"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p>
Why does server_validate() simply give up rather than re-establishing its connection to the
password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
process passes along to its client workstation the session key it receives from the password
server, which means the password hashes submitted by the client would not work on a subsequent
connection, whose session key would be different. So server_validate() must give up.
</p><p>
Indeed. That's why security = server is at best a nasty hack. Please use security = domain.
<i class="parameter"><tt>security = server</tt></i> mode is also known as pass-through authentication.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Server Configuration Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Domain Control</td></tr></table></div></body></html>

View File

@ -0,0 +1,143 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Stand-Alone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="domain-member.html" title="Chapter 7. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Stand-Alone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. Stand-Alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></div><p>
Stand-Alone servers are independent of Domain Controllers on the network.
They are NOT domain members and function more like workgroup servers. In many
cases a stand-alone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902304"></a>Features and Benefits</h2></div></div><div></div></div><p>
Stand-Alone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
Domain security they remain a very common installation.
</p><p>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to affect a complex installation.
For example: A drafting office needs to store old drawings and reference
standards. No-one can write files to the server as it is legislatively
important that all documents remain unaltered. A share mode read-only stand-alone
server is an ideal solution.
</p><p>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to affect any access controls and no files will
be served from the print server. Again a share mode stand-alone server makes
a great solution.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902501"></a>Background</h2></div></div><div></div></div><p>
The term <span class="emphasis"><em>stand-alone server</em></span> means that the server
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
local user database. In more technical terms, it means that resources
on the machine will be made available in either SHARE mode or in
USER mode.
</p><p>
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services. This means that machines that
use this server do NOT perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is however
necessary to accommodate any network user so that the logon name they use will
be translated (mapped) locally on the stand-alone server to a locally known
user name. There are several ways this can be done.
</p><p>
Samba tends to blur the distinction a little in respect of what is
a stand-alone server. This is because the authentication database may be
local or on a remote server, even if from the Samba protocol perspective
the Samba server is NOT a member of a domain security context.
</p><p>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the Samba server may use the local Unix/Linux system password database
(<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>), may use a
local smbpasswd file, or may use
an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
for authentication.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902573"></a>Example Configuration</h2></div></div><div></div></div><p>
The following examples are designed to inspire simplicity. It is too easy to
attempt a high level of creativity and to introduce too much complexity in
server and network design.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902588"></a>Reference Documentation Server</h3></div></div><div></div></div><p>
Configuration of a read-only data server that EVERYONE can access is very simple.
Here is the smb.conf file that will do this. Assume that all the reference documents
are stored in the directory /export, that the documents are owned by a user other than
nobody. No home directories are shared, that are no users in the <tt class="filename">/etc/passwd</tt>
Unix system database. This is a very simple system to administer.
</p><pre class="programlisting">
# Global parameters
[global]
workgroup = MYGROUP
netbios name = REFDOCS
security = SHARE
passdb backend = guest
wins server = 192.168.1.1
[data]
comment = Data
path = /export
guest only = Yes
</pre><p>
In the above example the machine name is set to REFDOCS, the workgroup is set to the name
of the local workgroup so that the machine will appear in with systems users are familiar
with. The only password backend required is the &quot;guest&quot; backend so as to allow default
unprivileged account names to be used. Given that there is a WINS server on this network
we do use it.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902638"></a>Central Print Serving</h3></div></div><div></div></div><p>
Configuration of a simple print server is very simple if you have all the right tools
on your system.
</p><div class="orderedlist"><p class="title"><b> Assumptions:</b></p><ol type="1"><li><p>
The print server must require no administration
</p></li><li><p>
The print spooling and processing system on our print server will be CUPS.
(Please refer to the <a href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing</a> chapter for more information).
</p></li><li><p>
All printers that the print server will service will be network
printers. They will be correctly configured, by the administrator,
in the CUPS environment.
</p></li><li><p>
All workstations will be installed using postscript drivers. The printer
of choice is the Apple Color LaserWriter.
</p></li></ol></div><p>
In this example our print server will spool all incoming print jobs to
<tt class="filename">/var/spool/samba</tt> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
</p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p>
The Unix/Linux system must have a <b class="command">guest</b> account.
The default for this is usually the account <b class="command">nobody</b>.
To find the correct name to use for your version of Samba do the
following:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>testparm -s -v | grep &quot;guest account&quot;</tt></b>
</pre><p>
Then make sure that this account exists in your system password
database (<tt class="filename">/etc/passwd</tt>).
</p></li><li><p>
The directory into which Samba will spool the file must have write
access for the guest account. The following commands will ensure that
this directory is available for use:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>mkdir /var/spool/samba</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>chown nobody.nobody /var/spool/samba</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>chmod a+rwt /var/spool/samba</tt></b>
</pre><p>
</p></li></ul></div><p>
</p><pre class="programlisting">
# Global parameters
[global]
workgroup = MYGROUP
netbios name = PTRSVR1
security = SHARE
passdb backend = guest
wins server = 192.168.1.1
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root
guest ok = Yes
printable = Yes
printing = cups
use client driver = Yes
browseable = No
</pre><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902852"></a>Common Errors</h2></div></div><div></div></div><p>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. MS Windows Network Configuration Guide</td></tr></table></div></body></html>

105
docs/htmldocs/VFS.html Normal file
View File

@ -0,0 +1,105 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"><link rel="next" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="VFS.html#id2978211">Features and Benefits</a></dt><dt><a href="VFS.html#id2978229">Discussion</a></dt><dt><a href="VFS.html#id2978320">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2978327">audit</a></dt><dt><a href="VFS.html#id2978365">extd_audit</a></dt><dt><a href="VFS.html#id2978489">fake_perms</a></dt><dt><a href="VFS.html#id2978508">recycle</a></dt><dt><a href="VFS.html#id2978645">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2978690">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2978712">DatabaseFS</a></dt><dt><a href="VFS.html#id2978768">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2978797">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978211"></a>Features and Benefits</h2></div></div><div></div></div><p>
Since Samba-3, there is support for stackable VFS(Virtual File System) modules.
Samba passes each request to access the unix file system thru the loaded VFS modules.
This chapter covers all the modules that come with the samba source and references to
some external modules.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978229"></a>Discussion</h2></div></div><div></div></div><p>
If not supplied with your platform distribution binary Samba package you may have problems
to compile these modules, as shared libraries are compiled and linked in different ways
on different systems. They currently have been tested against GNU/Linux and IRIX.
</p><p>
To use the VFS modules, create a share similar to the one below. The
important parameter is the <b class="command">vfs objects</b> parameter where
you can list one or more VFS modules by name. For example, to log all access
to files and put deleted files in a recycle bin:
</p><pre class="programlisting">
[audit]
comment = Audited /data directory
path = /data
vfs objects = audit recycle
writeable = yes
browseable = yes
</pre><p>
</p><p>
The modules are used in the order in which they are specified.
</p><p>
Samba will attempt to load modules from the <span class="emphasis"><em>lib</em></span>
directory in the root directory of the samba installation (usually
<tt class="filename">/usr/lib/samba/vfs</tt> or <tt class="filename">/usr/local/samba/lib/vfs
</tt>).
</p><p>
Some modules can be used twice for the same share.
This can be done using a configuration similar to the one below.
</p><pre class="programlisting">
[test]
comment = VFS TEST
path = /data
writeable = yes
browseable = yes
vfs objects = example:example1 example example:test
example1: parameter = 1
example: parameter = 5
test: parameter = 7
</pre><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978320"></a>Included modules</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978327"></a>audit</h3></div></div><div></div></div><p>
A simple module to audit file access to the syslog
facility. The following operations are logged:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>share</td></tr><tr><td>connect/disconnect</td></tr><tr><td>directory opens/create/remove</td></tr><tr><td>file open/close/rename/unlink/chmod</td></tr></table><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978365"></a>extd_audit</h3></div></div><div></div></div><p>
This module is identical with the <span class="emphasis"><em>audit</em></span> module above except
that it sends audit logs to both syslog as well as the smbd log file/s. The
loglevel for this module is set in the smb.conf file.
</p><p>
The logging information that will be written to the smbd log file is controlled by
the <i class="parameter"><tt>log level</tt></i> parameter in <tt class="filename">smb.conf</tt>. The
following information will be recorded:
</p><div class="table"><a name="id2978406"></a><p class="title"><b>Table 20.1. Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978489"></a>fake_perms</h3></div></div><div></div></div><p>
This module was created to allow Roaming Profile files and directories to be set (on the Samba server
under Unix) as read only. This module will if installed on the Profiles share will report to the client
that the Profile files and directories are writable. This satisfies the client even though the files
will never be overwritten as the client logs out or shuts down.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978508"></a>recycle</h3></div></div><div></div></div><p>
A recycle-bin like module. When used any unlink call
will be intercepted and files moved to the recycle
directory instead of being deleted.
</p><p>Supported options:
</p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>FIXME</p></dd></dl></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978645"></a>netatalk</h3></div></div><div></div></div><p>
A netatalk module, that will ease co-existence of samba and
netatalk file sharing services.
</p><p>Advantages compared to the old netatalk module:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</td></tr><tr><td>if a share in <tt class="filename">smb.conf</tt> doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</td></tr></table><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978690"></a>VFS modules available elsewhere</h2></div></div><div></div></div><p>
This section contains a listing of various other VFS modules that
have been posted but don't currently reside in the Samba CVS
tree for one reason or another (e.g. it is easy for the maintainer
to have his or her own CVS tree).
</p><p>
No statements about the stability or functionality of any module
should be implied due to its presence here.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978712"></a>DatabaseFS</h3></div></div><div></div></div><p>
URL: <a href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</a>
</p><p>By <a href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer</a>.</p><p>
I have created a VFS module which implements a fairly complete read-only
filesystem. It presents information from a database as a filesystem in
a modular and generic way to allow different databases to be used
(originally designed for organizing MP3s under directories such as
&quot;Artists,&quot; &quot;Song Keywords,&quot; etc... I have since applied it to a student
roster database very easily). The directory structure is stored in the
database itself and the module makes no assumptions about the database
structure beyond the table it requires to run.
</p><p>
Any feedback would be appreciated: comments, suggestions, patches,
etc... If nothing else, hopefully it might prove useful for someone
else who wishes to create a virtual filesystem.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978768"></a>vscan</h3></div></div><div></div></div><p>URL: <a href="http://www.openantivirus.org/" target="_top">http://www.openantivirus.org/</a></p><p>
samba-vscan is a proof-of-concept module for Samba, which
uses the VFS (virtual file system) features of Samba 2.2.x/3.0
alphaX. Of course, Samba has to be compiled with VFS support.
samba-vscan supports various virus scanners and is maintained
by Rainer Link.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978797"></a>Common Errors</h2></div></div><div></div></div><p>
There must be some gotchas we should record here! Jelmer???
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. CUPS Printing Support in Samba 3.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Integrated Logon Support using Winbind</td></tr></table></div></body></html>

76
docs/htmldocs/index.html Executable file

File diff suppressed because one or more lines are too long

1
docs/htmldocs/ix01.html Normal file
View File

@ -0,0 +1 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id3018533"></a>Index</h2></div></div><div></div></div><div class="index"></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. Further Resources </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>

656
docs/htmldocs/locking.html Normal file
View File

@ -0,0 +1,656 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 15. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="locking.html#id2928216">Features and Benefits</a></dt><dt><a href="locking.html#id2928272">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2928403">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2929049">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2929159">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2929419">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2929649">Workstation Service Entries</a></dt><dt><a href="locking.html#id2929676">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2929755">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2929785">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2929859">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2929890">Additional Reading</a></dt></dl></div><p>
One area which causes trouble for many network administrators is locking.
The extent of the problem is readily evident from searches over the internet.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928216"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba provides all the same locking semantics that MS Windows clients expect
and that MS Windows NT4 / 200x servers provide also.
</p><p>
The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers
a range of functions that are all categorized under this one term.
</p><p>
Opportunistic locking is a desirable feature when it can enhance the
perceived performance of applications on a networked client. However, the
opportunistic locking protocol is not robust, and therefore can
encounter problems when invoked beyond a simplistic configuration, or
on extended, slow, or faulty networks. In these cases, operating
system management of opportunistic locking and/or recovering from
repetitive errors can offset the perceived performance advantage that
it is intended to provide.
</p><p>
The MS Windows network administrator needs to be aware that file and record
locking semantics (behaviour) can be controlled either in Samba or by way of registry
settings on the MS Windows client.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Sometimes it is necessary to disable locking control settings BOTH on the Samba
server as well as on each MS Windows client!
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928272"></a>Discussion</h2></div></div><div></div></div><p>
There are two types of locking which need to be performed by a SMB server.
The first is <span class="emphasis"><em>record locking</em></span> which allows a client to lock
a range of bytes in a open file. The second is the <span class="emphasis"><em>deny modes</em></span>
that are specified when a file is open.
</p><p>
Record locking semantics under Unix is very different from record locking under
Windows. Versions of Samba before 2.2 have tried to use the native fcntl() unix
system call to implement proper record locking between different Samba clients.
This can not be fully correct due to several reasons. The simplest is the fact
that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
depending on the client OS. The unix locking only supports byte ranges up to 2^31.
So it is not possible to correctly satisfy a lock request above 2^31. There are
many more differences, too many to be listed here.
</p><p>
Samba 2.2 and above implements record locking completely independent of the
underlying unix system. If a byte range lock that the client requests happens
to fall into the range 0-2^31, Samba hands this request down to the Unix system.
All other locks can not be seen by unix anyway.
</p><p>
Strictly a SMB server should check for locks before every read and write call on
a file. Unfortunately with the way fcntl() works this can be slow and may overstress
the <b class="command">rpc.lockd</b>. It is also almost always unnecessary as clients are supposed to
independently make locking calls before reads and writes anyway if locking is
important to them. By default Samba only makes locking calls when explicitly asked
to by a client, but if you set <i class="parameter"><tt>strict locking = yes</tt></i> then it
will make lock checking calls on every read and write.
</p><p>
You can also disable by range locking completely using <i class="parameter"><tt>locking = no</tt></i>.
This is useful for those shares that don't support locking or don't need it
(such as cdroms). In this case Samba fakes the return codes of locking calls to
tell clients that everything is OK.
</p><p>
The second class of locking is the <i class="parameter"><tt>deny modes</tt></i>. These
are set by an application when it opens a file to determine what types of
access should be allowed simultaneously with its open. A client may ask for
<tt class="constant">DENY_NONE</tt>, <tt class="constant">DENY_READ</tt>,
<tt class="constant">DENY_WRITE</tt> or <tt class="constant">DENY_ALL</tt>. There are also special compatibility
modes called <tt class="constant">DENY_FCB</tt> and <tt class="constant">DENY_DOS</tt>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928403"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p>
Opportunistic locking (Oplocks) is invoked by the Windows file system
(as opposed to an API) via registry entries (on the server AND client)
for the purpose of enhancing network performance when accessing a file
residing on a server. Performance is enhanced by caching the file
locally on the client which allows:
</p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p>
The client reads the local copy of the file, eliminating network latency
</p></dd><dt><span class="term">Write caching:</span></dt><dd><p>
The client writes to the local copy of the file, eliminating network latency
</p></dd><dt><span class="term">Lock caching:</span></dt><dd><p>
The client caches application locks locally, eliminating network latency
</p></dd></dl></div><p>
The performance enhancement of oplocks is due to the opportunity of
exclusive access to the file - even if it is opened with deny-none -
because Windows monitors the file's status for concurrent access from
other processes.
</p><div class="variablelist"><p class="title"><b>Windows defines 4 kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock:</span></dt><dd><p>
The redirector sees that the file was opened with deny
none (allowing concurrent access), verifies that no
other process is accessing the file, checks that
oplocks are enabled, then grants deny-all/read-write/exclusive
access to the file. The client now performs
operations on the cached local file.
</p><p>
If a second process attempts to open the file, the open
is deferred while the redirector &quot;breaks&quot; the original
oplock. The oplock break signals the caching client to
write the local file back to the server, flush the
local locks, and discard read-ahead data. The break is
then complete, the deferred open is granted, and the
multiple processes can enjoy concurrent file access as
dictated by mandatory or byte-range locking options.
However, if the original opening process opened the
file with a share mode other than deny-none, then the
second process is granted limited or no access, despite
the oplock break.
</p></dd><dt><span class="term">Level2 Oplock:</span></dt><dd><p>
Performs like a level1 oplock, except caching is only
operative for reads. All other operations are performed
on the server disk copy of the file.
</p></dd><dt><span class="term">Filter Oplock:</span></dt><dd><p>
Does not allow write or delete file access
</p></dd><dt><span class="term">Batch Oplock:</span></dt><dd><p>
Manipulates file openings and closings - allows caching
of file attributes
</p></dd></dl></div><p>
An important detail is that oplocks are invoked by the file system, not
an application API. Therefore, an application can close an oplocked
file, but the file system does not relinquish the oplock. When the
oplock break is issued, the file system then simply closes the file in
preparation for the subsequent open by the second process.
</p><p>
<span class="emphasis"><em>Opportunistic Locking</em></span> is actually an improper name for this feature.
The true benefit of this feature is client-side data caching, and
oplocks is merely a notification mechanism for writing data back to the
networked storage disk. The limitation of opportunistic locking is the
reliability of the mechanism to process an oplock break (notification)
between the server and the caching client. If this exchange is faulty
(usually due to timing out for any number of reasons) then the
client-side caching benefit is negated.
</p><p>
The actual decision that a user or administrator should consider is
whether it is sensible to share amongst multiple users data that will
be cached locally on a client. In many cases the answer is no.
Deciding when to cache or not cache data is the real question, and thus
&quot;opportunistic locking&quot; should be treated as a toggle for client-side
caching. Turn it &quot;ON&quot; when client-side caching is desirable and
reliable. Turn it &quot;OFF&quot; when client-side caching is redundant,
unreliable, or counter-productive.
</p><p>
Opportunistic locking is by default set to &quot;on&quot; by Samba on all
configured shares, so careful attention should be given to each case to
determine if the potential benefit is worth the potential for delays.
The following recommendations will help to characterize the environment
where opportunistic locking may be effectively configured.
</p><p>
Windows Opportunistic Locking is a lightweight performance-enhancing
feature. It is not a robust and reliable protocol. Every
implementation of Opportunistic Locking should be evaluated as a
tradeoff between perceived performance and reliability. Reliability
decreases as each successive rule above is not enforced. Consider a
share with oplocks enabled, over a wide area network, to a client on a
South Pacific atoll, on a high-availability server, serving a
mission-critical multi-user corporate database, during a tropical
storm. This configuration will likely encounter problems with oplocks.
</p><p>
Oplocks can be beneficial to perceived client performance when treated
as a configuration toggle for client-side data caching. If the data
caching is likely to be interrupted, then oplock usage should be
reviewed. Samba enables opportunistic locking by default on all
shares. Careful attention should be given to the client usage of
shared data on the server, the server network reliability, and the
opportunistic locking configuration of each share.
n mission critical high availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
failover replacement will be available immediately to provide
continuous data availability.
</p><p>
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependant upon an
established TCP transport connection. If the connection is interrupted
- as in a file server failover - a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore most applications
will experience some sort of interruption - at worst, abort and
require restarting.
</p><p>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
application restarts, or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client. In this case, the
work from the prior session is lost. Observing this scenario with
oplocks disabled, and the client was writing data to the file server
real-time, then the failover will provide the data on disk as it
existed at the time of the disconnect.
</p><p>
In mission critical high availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928695"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p>
Opportunistic locking is most effective when it is confined to shares
that are exclusively accessed by a single user, or by only one user at
a time. Because the true value of opportunistic locking is the local
client caching of data, any operation that interrupts the caching
mechanism will cause a delay.
</p><p>
Home directories are the most obvious examples of where the performance
benefit of opportunistic locking can be safely realized.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928719"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p>
As each additional user accesses a file in a share with opportunistic
locking enabled, the potential for delays and resulting perceived poor
performance increases. When multiple users are accessing a file on a
share that has oplocks enabled, the management impact of sending and
receiving oplock breaks, and the resulting latency while other clients
wait for the caching client to flush data, offset the performance gains
of the caching user.
</p><p>
As each additional client attempts to access a file with oplocks set,
the potential performance improvement is negated and eventually results
in a performance bottleneck.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928748"></a>Unix or NFS Client Accessed Files</h4></div></div><div></div></div><p>
Local Unix and NFS clients access files without a mandatory
file locking mechanism. Thus, these client platforms are incapable of
initiating an oplock break request from the server to a Windows client
that has a file cached. Local Unix or NFS file access can therefore
write to a file that has been cached by a Windows client, which
exposes the file to likely data corruption.
</p><p>
If files are shared between Windows clients, and either local Unix
or NFS users, then turn opportunistic locking off.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928775"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p>
The biggest potential performance improvement for opportunistic locking
occurs when the client-side caching of reads and writes delivers the
most differential over sending those reads and writes over the wire.
This is most likely to occur when the network is extremely slow,
congested, or distributed (as in a WAN). However, network latency also
has a very high impact on the reliability of the oplock break
mechanism, and thus increases the likelihood of encountering oplock
problems that more than offset the potential perceived performance
gain. Of course, if an oplock break never has to be sent, then this is
the most advantageous scenario to utilize opportunistic locking.
</p><p>
If the network is slow, unreliable, or a WAN, then do not configure
opportunistic locking if there is any chance of multiple users
regularly opening the same file.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928808"></a>Multi-User Databases</h4></div></div><div></div></div><p>
Multi-user databases clearly pose a risk due to their very nature -
they are typically heavily accessed by numerous users at random
intervals. Placing a multi-user database on a share with opportunistic
locking enabled will likely result in a locking management bottleneck
on the Samba server. Whether the database application is developed
in-house or a commercially available product, ensure that the share
has opportunistic locking disabled.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928829"></a>PDM Data Shares</h4></div></div><div></div></div><p>
Process Data Management (PDM) applications such as IMAN, Enovia, and
Clearcase, are increasing in usage with Windows client platforms, and
therefore SMB data stores. PDM applications manage multi-user
environments for critical data security and access. The typical PDM
environment is usually associated with sophisticated client design
applications that will load data locally as demanded. In addition, the
PDM application will usually monitor the data-state of each client.
In this case, client-side data caching is best left to the local
application and PDM server to negotiate and maintain. It is
appropriate to eliminate the client OS from any caching tasks, and the
server from any oplock management, by disabling opportunistic locking on
the share.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928870"></a>Beware of Force User</h4></div></div><div></div></div><p>
Samba includes an <tt class="filename">smb.conf</tt> parameter called <i class="parameter"><tt>force user</tt></i> that changes
the user accessing a share from the incoming user to whatever user is
defined by the smb.conf variable. If opportunistic locking is enabled
on a share, the change in user access causes an oplock break to be sent
to the client, even if the user has not explicitly loaded a file. In
cases where the network is slow or unreliable, an oplock break can
become lost without the user even accessing a file. This can cause
apparent performance degradation as the client continually reconnects
to overcome the lost oplock break.
</p><p>
Avoid the combination of the following:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<i class="parameter"><tt>force user</tt></i> in the <tt class="filename">smb.conf</tt> share configuration.
</p></li><li><p>
Slow or unreliable networks
</p></li><li><p>
Opportunistic Locking Enabled
</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928948"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p>
Samba provides opportunistic locking parameters that allow the
administrator to adjust various properties of the oplock mechanism to
account for timing and usage levels. These parameters provide good
versatility for implementing oplocks in environments where they would
likely cause problems. The parameters are:
<i class="parameter"><tt>oplock break wait time</tt></i>,
<i class="parameter"><tt>oplock contention limit</tt></i>.
</p><p>
For most users, administrators, and environments, if these parameters
are required, then the better option is to simply turn oplocks off.
The samba SWAT help text for both parameters reads &quot;DO NOT CHANGE THIS
PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.&quot;
This is good advice.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928991"></a>Mission Critical High Availability</h4></div></div><div></div></div><p>
In mission critical high availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
failover replacement will be available immediately to provide
continuous data availability.
</p><p>
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependant upon an
established TCP transport connection. If the connection is interrupted
- as in a file server failover - a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore most applications
will experience some sort of interruption - at worst, abort and
require restarting.
</p><p>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
application restarts, or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client. In this case, the
work from the prior session is lost. Observing this scenario with
oplocks disabled, and the client was writing data to the file server
real-time, then the failover will provide the data on disk as it
existed at the time of the disconnect.
</p><p>
In mission critical high availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929049"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p>
Opportunistic Locking is a unique Windows file locking feature. It is
not really file locking, but is included in most discussions of Windows
file locking, so is considered a defacto locking feature.
Opportunistic Locking is actually part of the Windows client file
caching mechanism. It is not a particularly robust or reliable feature
when implemented on the variety of customized networks that exist in
enterprise computing.
</p><p>
Like Windows, Samba implements Opportunistic Locking as a server-side
component of the client caching mechanism. Because of the lightweight
nature of the Windows feature design, effective configuration of
Opportunistic Locking requires a good understanding of its limitations,
and then applying that understanding when configuring data access for
each particular customized network and client usage state.
</p><p>
Opportunistic locking essentially means that the client is allowed to download and cache
a file on their hard drive while making changes; if a second client wants to access the
file, the first client receives a break and must synchronise the file back to the server.
This can give significant performance gains in some cases; some programs insist on
synchronising the contents of the entire file back to the server for a single change.
</p><p>
Level1 Oplocks (aka just plain &quot;oplocks&quot;) is another term for opportunistic locking.
</p><p>
Level2 Oplocks provides opportunistic locking for a file that will be treated as
<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or
on files that the client has no initial intention to write to at time of opening the file.
</p><p>
Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with
Samba's oplocked files, although this has provided better integration of MS Windows network
file locking with the under lying OS, SGI IRIX and Linux are the only two OS's that are
oplock aware at this time.
</p><p>
Unless your system supports kernel oplocks, you should disable oplocks if you are
accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronisation of
the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
disable oplocks and tune your system from that point.
</p><p>
If client-side caching is desirable and reliable on your network, you will benefit from
turning on oplocks. If your network is slow and/or unreliable, or you are sharing your
files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people
will be accessing the same files frequently, you probably will not benefit from the overhead
of your client sending oplock breaks and will instead want to disable oplocks for the share.
</p><p>
Another factor to consider is the perceived performance of file access. If oplocks provide no
measurable speed benefit on your network, it might not be worth the hassle of dealing with them.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929159"></a>Example Configuration</h3></div></div><div></div></div><p>
In the following we examine two distinct aspects of Samba locking controls.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929172"></a>Disabling Oplocks</h4></div></div><div></div></div><p>
You can disable oplocks on a per-share basis with the following:
</p><p>
</p><pre class="programlisting">
[acctdata]
oplocks = False
level2 oplocks = False
</pre><p>
</p><p>
The default oplock type is Level1. Level2 Oplocks are enabled on a per-share basis
in the <tt class="filename">smb.conf</tt> file.
</p><p>
Alternately, you could disable oplocks on a per-file basis within the share:
</p><p>
</p><pre class="programlisting">
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
</pre><p>
</p><p>
If you are experiencing problems with oplocks as apparent from Samba's log entries,
you may want to play it safe and disable oplocks and level2 oplocks.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929235"></a>Disabling Kernel OpLocks</h4></div></div><div></div></div><p>
Kernel OpLocks is an <tt class="filename">smb.conf</tt> parameter that notifies Samba (if
the UNIX kernel has the capability to send a Windows client an oplock
break) when a UNIX process is attempting to open the file that is
cached. This parameter addresses sharing files between UNIX and
Windows with Oplocks enabled on the Samba server: the UNIX process
can open the file that is Oplocked (cached) by the Windows client and
the smbd process will not send an oplock break, which exposes the file
to the risk of data corruption. If the UNIX kernel has the ability to
send an oplock break, then the kernel oplocks parameter enables Samba
to send the oplock break. Kernel oplocks are enabled on a per-server
basis in the <tt class="filename">smb.conf</tt> file.
</p><p>
</p><pre class="programlisting">
[global]
kernel oplocks = yes
</pre><p>
The default is &quot;no&quot;.
</p><p>
Veto OpLocks is an <tt class="filename">smb.conf</tt> parameter that identifies specific files for
which Oplocks are disabled. When a Windows client opens a file that
has been configured for veto oplocks, the client will not be granted
the oplock, and all operations will be executed on the original file on
disk instead of a client-cached file copy. By explicitly identifying
files that are shared with UNIX processes, and disabling oplocks for
those files, the server-wide Oplock configuration can be enabled to
allow Windows clients to utilize the performance benefit of file
caching without the risk of data corruption. Veto Oplocks can be
enabled on a per-share basis, or globally for the entire server, in the
<tt class="filename">smb.conf</tt> file:
</p><p>
</p><pre class="programlisting"><font color="red">&lt;title&gt;Example Veto OpLock Settings&lt;/title&gt;</font>
[global]
veto oplock files = /filename.htm/*.txt/
[share_name]
veto oplock files = /*.exe/filename.ext/
</pre><p>
</p><p>
<span class="emphasis"><em>Oplock break wait time</em></span> is an <tt class="filename">smb.conf</tt> parameter that adjusts the time
interval for Samba to reply to an oplock break request. Samba
recommends &quot;DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
UNDERSTOOD THE SAMBA OPLOCK CODE.&quot; Oplock Break Wait Time can only be
configured globally in the <tt class="filename">smb.conf</tt> file:
</p><p>
</p><pre class="programlisting">
[global]
oplock break wait time = 0 (default)
</pre><p>
</p><p>
<span class="emphasis"><em>Oplock break contention limit</em></span> is an <tt class="filename">smb.conf</tt> parameter that limits the
response of the Samba server to grant an oplock if the configured
number of contending clients reaches the limit specified by the
parameter. Samba recommends &quot;DO NOT CHANGE THIS PARAMETER UNLESS YOU
HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.&quot; Oplock Break
Contention Limit can be enable on a per-share basis, or globally for
the entire server, in the <tt class="filename">smb.conf</tt> file:
</p><p>
</p><pre class="programlisting">
[global]
oplock break contention limit = 2 (default)
[share_name]
oplock break contention limit = 2 (default)
</pre><p>
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929419"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p>
There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
workstation computer that can affect any application attempting to access shared database files
across a network. This is a result of a default setting configured in the Windows 2000/XP
operating system known as <span class="emphasis"><em>Opportunistic Locking</em></span>. When a workstation
attempts to access shared data files located on another Windows 2000/XP computer,
the Windows 2000/XP operating system will attempt to increase performance by locking the
files and caching information locally. When this occurs, the application is unable to
properly function, which results in an <span class="errorname">Access Denied</span>
error message being displayed during network operations.
</p><p>
All Windows operating systems in the NT family that act as database servers for data files
(meaning that data files are stored there and accessed by other Windows PCs) may need to
have opportunistic locking disabled in order to minimize the risk of data file corruption.
This includes Windows 9x/Me, Windows NT, Windows 200x and Windows XP.
</p><p>
If you are using a Windows NT family workstation in place of a server, you must also
disable opportunistic locking (oplocks) on that workstation. For example, if you use a
PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
have data files located on it that are accessed from other Windows PCs, you may need to
disable oplocks on that system.
</p><p>
The major difference is the location in the Windows registry where the values for disabling
oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location
may be used.
</p><p>
You can verify (or change or add, if necessary) this Registry value using the Windows
Registry Editor. When you change this registry value, you will have to reboot the PC
to ensure that the new setting goes into effect.
</p><p>
The location of the client registry entry for opportunistic locking has changed in
Windows 2000 from the earlier location in Microsoft Windows NT.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks
in earlier versions of Windows.
</p></div><p>
You can also deny the granting of opportunistic locks by changing the following registry entries:
</p><p>
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\MRXSmb\Parameters\
OplocksDisabled REG_DWORD 0 or 1
Default: 0 (not disabled)
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The OplocksDisabled registry value configures Windows clients to either request or not
request opportunistic locks on a remote file. To disable oplocks, the value of
OplocksDisabled must be set to 1.
</p></div><p>
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanServer\Parameters
EnableOplocks REG_DWORD 0 or 1
Default: 1 (Enabled by Default)
EnableOpLockForceClose REG_DWORD 0 or 1
Default: 0 (Disabled by Default)
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The EnableOplocks value configures Windows-based servers (including Workstations sharing
files) to allow or deny opportunistic locks on local files.
</p></div><p>
To force closure of open oplocks on close or program exit EnableOpLockForceClose must be set to 1.
</p><p>
An illustration of how level II oplocks work:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Station 1 opens the file, requesting oplock.
</p></li><li><p>
Since no other station has the file open, the server grants station 1 exclusive oplock.
</p></li><li><p>
Station 2 opens the file, requesting oplock.
</p></li><li><p>
Since station 1 has not yet written to the file, the server asks station 1 to Break
to Level II Oplock.
</p></li><li><p>
Station 1 complies by flushing locally buffered lock information to the server.
</p></li><li><p>
Station 1 informs the server that it has Broken to Level II Oplock (alternatively,
station 1 could have closed the file).
</p></li><li><p>
The server responds to station 2's open request, granting it level II oplock.
Other stations can likewise open the file and obtain level II oplock.
</p></li><li><p>
Station 2 (or any station that has the file open) sends a write request SMB.
The server returns the write response.
</p></li><li><p>
The server asks all stations that have the file open to Break to None, meaning no
station holds any oplock on the file. Because the workstations can have no cached
writes or locks at this point, they need not respond to the break-to-none advisory;
all they need do is invalidate locally cashed read-ahead data.
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929649"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting">
\HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanWorkstation\Parameters
UseOpportunisticLocking REG_DWORD 0 or 1
Default: 1 (true)
</pre><p>
Indicates whether the redirector should use opportunistic-locking (oplock) performance
enhancement. This parameter should be disabled only to isolate problems.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929676"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting">
\HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanServer\Parameters
EnableOplocks REG_DWORD 0 or 1
Default: 1 (true)
</pre><p>
Specifies whether the server allows clients to use oplocks on files. Oplocks are a
significant performance enhancement, but have the potential to cause lost cached
data on some networks, particularly wide-area networks.
</p><pre class="programlisting">
MinLinkThroughput REG_DWORD 0 to infinite bytes per second
Default: 0
</pre><p>
Specifies the minimum link throughput allowed by the server before it disables
raw and opportunistic locks for this connection.
</p><pre class="programlisting">
MaxLinkDelay REG_DWORD 0 to 100,000 seconds
Default: 60
</pre><p>
Specifies the maximum time allowed for a link delay. If delays exceed this number,
the server disables raw I/O and opportunistic locking for this connection.
</p><pre class="programlisting">
OplockBreakWait REG_DWORD 10 to 180 seconds
Default: 35
</pre><p>
Specifies the time that the server waits for a client to respond to an oplock break
request. Smaller values can allow detection of crashed clients more quickly but can
potentially cause loss of cached data.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929755"></a>Persistent Data Corruption</h2></div></div><div></div></div><p>
If you have applied all of the settings discussed in this paper but data corruption problems
and other symptoms persist, here are some additional things to check out:
</p><p>
We have credible reports from developers that faulty network hardware, such as a single
faulty network card, can cause symptoms similar to read caching and data corruption.
If you see persistent data corruption even after repeated reindexing, you may have to
rebuild the data files in question. This involves creating a new data file with the
same definition as the file to be rebuilt and transferring the data from the old file
to the new one. There are several known methods for doing this that can be found in
our Knowledge Base.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929785"></a>Common Errors</h2></div></div><div></div></div><p>
In some sites locking problems surface as soon as a server is installed, in other sites
locking problems may not surface for a long time. Almost without exception, when a locking
problem does surface it will cause embarrassment and potential data corruption.
</p><p>
Over the past few years there have been a number of complaints on the samba mailing lists
that have claimed that samba caused data corruption. Three causes have been identified
so far:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Incorrect configuration of opportunistic locking (incompatible with the application
being used. This is a VERY common problem even where MS Windows NT4 or MS Windows 200x
based servers were in use. It is imperative that the software application vendors'
instructions for configuration of file locking should be followed. If in doubt,
disable oplocks on both the server and the client. Disabling of all forms of file
caching on the MS Windows client may be necessary also.
</p></li><li><p>
Defective network cards, cables, or HUBs / Switched. This is generally a more
prevalent factor with low cost networking hardware, though occasionally there
have been problems with incompatibilities in more up market hardware also.
</p></li><li><p>
There have been some random reports of samba log files being written over data
files. This has been reported by very few sites (about 5 in the past 3 years)
and all attempts to reproduce the problem have failed. The Samba-Team has been
unable to catch this happening and thus has NOT been able to isolate any particular
cause. Considering the millions of systems that use samba, for the sites that have
been affected by this as well as for the Samba-Team this is a frustrating and
a vexing challenge. If you see this type of thing happening please create a bug
report on https://bugzilla.samba.org without delay. Make sure that you give as much
information as you possibly can to help isolate the cause and to allow reproduction
of the problem (an essential step in problem isolation and correction).
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929859"></a>locking.tdb error messages</h3></div></div><div></div></div><p>
</p><pre class="screen">
&gt; We are seeing lots of errors in the samba logs like:
&gt;
&gt; tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
&gt; 0x4d6f4b61 at offset=36116
&gt;
&gt; What do these mean?
</pre><p>
</p><p>
Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929890"></a>Additional Reading</h2></div></div><div></div></div><p>
You may want to check for an updated version of this white paper on our Web site from
time to time. Many of our white papers are updated as information changes. For those papers,
the Last Edited date is always at the top of the paper.
</p><p>
Section of the Microsoft MSDN Library on opportunistic locking:
</p><p>
Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development &gt;
Windows Base Services &gt; Files and I/O &gt; SDK Documentation &gt; File Storage &gt; File Systems
&gt; About File Systems &gt; Opportunistic Locks, Microsoft Corporation.
<a href="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp" target="_top">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</a>
</p><p>
Microsoft Knowledge Base Article Q224992 &quot;Maintaining Transactional Integrity with OPLOCKS&quot;,
Microsoft Corporation, April 1999, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</a>.
</p><p>
Microsoft Knowledge Base Article Q296264 &quot;Configuring Opportunistic Locking in Windows 2000&quot;,
Microsoft Corporation, April 2001, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</a>.
</p><p>
Microsoft Knowledge Base Article Q129202 &quot;PC Ext: Explanation of Opportunistic Locking on Windows NT&quot;,
Microsoft Corporation, April 1995, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</a>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. File, Directory and Share Access Controls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. Securing Samba</td></tr></table></div></body></html>

View File

@ -0,0 +1 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SambaHA.html" title="Chapter 29. High Availability Options"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></dd><dt>31. <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. High Availability Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</td></tr></table></div></body></html>

View File

@ -0,0 +1,35 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>tdbbackup</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="tdbbackup.8"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>tdbbackup &#8212; tool for backing up and for validating the integrity of samba .tdb files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">tdbbackup</tt> [-s suffix] [-v] [-h]</p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>This tool is part of the <a href="Samba.1.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(1)</span></a> suite.</p><p><b class="command">tdbbackup</b> is a tool that may be used to backup samba .tdb
files. This tool may also be used to verify the integrity of the .tdb files prior
to samba startup, in which case, if it find file damage and it finds a prior backup
it will restore the backup file.
</p></div><div class="refsect1" lang="en"><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p>
Get help information.
</p></dd><dt><span class="term">-s suffix</span></dt><dd><p>
The <b class="command">-s</b> option allows the adminisistrator to specify a file
backup extension. This way it is possible to keep a history of tdb backup
files by using a new suffix for each backup.
</p></dd><dt><span class="term">-v</span></dt><dd><p>
The <b class="command">-v</b> will check the database for damages (currupt data)
which if detected causes the backup to be restored.
</p></dd></dl></div></div><div class="refsect1" lang="en"><h2>COMMANDS</h2><p><span class="emphasis"><em>GENERAL INFORMATION</em></span></p><p>
The <b class="command">tdbbackup</b> utility should be run as soon as samba has shut down.
Do NOT run this command on a live database. Typical usage for the command will be:
</p><p>tdbbackup [-s suffix] *.tdb</p><p>
Before restarting samba the following command may be run to validate .tdb files:
</p><p>tdbbackup -v [-s suffix] *.tdb</p><p>
Samba .tdb files are stored in various locations, be sure to run backup all
.tdb file on the system. Imporatant files includes:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<b class="command">secrets.tdb</b> - usual location is in the /usr/local/samba/private
directory, or on some systems in /etc/samba.
</p></li><li><p>
<b class="command">passdb.tdb</b> - usual location is in the /usr/local/samba/private
directory, or on some systems in /etc/samba.
</p></li><li><p>
<b class="command">*.tdb</b> located in the /usr/local/samba/var directory or on some
systems in the /var/cache or /var/lib/samba directories.
</p></li></ul></div></div><div class="refsect1" lang="en"><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><h2>AUTHOR</h2><p>
The original Samba software and related utilities were created by Andrew Tridgell.
Samba is now developed by the Samba Team as an Open Source project similar to the way
the Linux kernel is developed.
</p><p>The tdbbackup man page was written by John H Terpstra.</p></div></div></body></html>

View File

@ -0,0 +1 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 33. The Samba checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="diagnosis.html">The Samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></dd><dt>34. <a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. SWAT - The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. The Samba checklist</td></tr></table></div></body></html>

View File

@ -0,0 +1,19 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 October 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001684"></a>Charsets</h2></div></div><div></div></div><p>You might experience problems with special characters
when communicating with old DOS clients. Codepage
support has changed in samba 3.0. Read the chapter
<a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001709"></a>Obsolete configuration options</h2></div></div><div></div></div><p>
In 3.0, the following configuration options have been removed.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>printer driver (replaced by new driver procedures) </td></tr><tr><td>printer driver file (replaced by new driver procedures)</td></tr><tr><td>printer driver location (replaced by new driver procedures)</td></tr><tr><td>use rhosts</td></tr><tr><td>postscript</td></tr><tr><td>client code page (replaced by dos charset)</td></tr><tr><td>vfs path</td></tr><tr><td>vfs options</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003319"></a>Password Backend</h2></div></div><div></div></div><p>
Effective with the release of samba-3 it is now imperative that the password backend
be correctly defined in smb.conf.
</p><p>
Those migrating from samba-2.x with plaintext password support need the following:
<span class="emphasis"><em>passdb backend = guest</em></span>.
</p><p>
Those migrating from samba-2.x with encrypted password support should add to smb.conf
<span class="emphasis"><em>passdb backend = smbpasswd, guest</em></span>.
</p><p>
LDAP using Samba-2.x systems can continue to operate with the following entry
<span class="emphasis"><em>passdb backend = ldapsam_compat, guest</em></span>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>

221
docs/manpages/Samba.7 Normal file
View File

@ -0,0 +1,221 @@
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "SAMBA" 7 "" "" ""
.SH NAME
Samba \- A Windows SMB/CIFS fileserver for UNIX
.SH "SYNOPSIS"
.nf
\fBSamba\fR
.fi
.SH "DESCRIPTION"
.PP
The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems\&. This protocol is sometimes also referred to as the Common Internet File System (CIFS)\&. For a more thorough description, see http://www\&.ubiqx\&.org/cifs/\&. Samba also implements the NetBIOS protocol in nmbd\&.
.TP
\fBsmbd\fR(8)
The \fBsmbd\fR daemon provides the file and print services to SMB clients, such as Windows 95/98, Windows NT, Windows for Workgroups or LanManager\&. The configuration file for this daemon is described in \fBsmb.conf\fR(5)
.TP
\fBnmbd\fR(8)
The \fBnmbd\fR daemon provides NetBIOS nameservice and browsing support\&. The configuration file for this daemon is described in \fBsmb.conf\fR(5)
.TP
\fBsmbclient\fR(1)
The \fBsmbclient\fR program implements a simple ftp-like client\&. This is useful for accessing SMB shares on other compatible servers (such as Windows NT), and can also be used to allow a UNIX box to print to a printer attached to any SMB server (such as a PC running Windows NT)\&.
.TP
\fBtestparm\fR(1)
The \fBtestparm\fR utility is a simple syntax checker for Samba's \fBsmb.conf\fR(5) configuration file\&.
.TP
\fBtestprns\fR(1)
The \fBtestprns\fR utility supports testing printer names defined in your \fIprintcap\fR file used by Samba\&.
.TP
\fBsmbstatus\fR(1)
The \fBsmbstatus\fR tool provides access to information about the current connections to \fBsmbd\fR\&.
.TP
\fBnmblookup\fR(1)
The \fBnmblookup\fR tools allows NetBIOS name queries to be made from a UNIX host\&.
.TP
\fBsmbgroupedit\fR(8)
The \fBsmbgroupedit\fR tool allows for mapping unix groups to NT Builtin, Domain, or Local groups\&. Also it allows setting priviledges for that group, such as saAddUser, etc\&.
.TP
\fBsmbpasswd\fR(8)
The \fBsmbpasswd\fR command is a tool for changing LanMan and Windows NT password hashes on Samba and Windows NT servers\&.
.TP
\fBsmbcacls\fR(1)
The \fBsmbcacls\fR command is a tool to set ACL's on remote CIFS servers\&.
.TP
\fBsmbsh\fR(1)
The \fBsmbsh\fR command is a program that allows you to run a unix shell with with an overloaded VFS\&.
.TP
\fBsmbtree\fR(1)
The \fBsmbtree\fR command is a text-based network neighborhood tool\&.
.TP
\fBsmbtar\fR(1)
The \fBsmbtar\fR can make backups of data on CIFS/SMB servers\&.
.TP
\fBsmbspool\fR(8)
\fBsmbspool\fR is a helper utility for printing on printers connected to CIFS servers\&.
.TP
\fBsmbcontrol\fR(1)
\fBsmbcontrol\fR is a utility that can change the behaviour of running samba daemons\&.
.TP
\fBrpcclient\fR(1)
\fBrpcclient\fR is a utility that can be used to execute RPC commands on remote CIFS servers\&.
.TP
\fBpdbedit\fR(8)
The \fBpdbedit\fR command can be used to maintain the local user database on a samba server\&.
.TP
\fBfindsmb\fR(1)
The \fBfindsmb\fR command can be used to find SMB servers on the local network\&.
.TP
\fBnet\fR(8)
The \fBnet\fR command is supposed to work similar to the DOS/Windows NET\&.EXE command\&.
.TP
\fBswat\fR(8)
\fBswat\fR is a web-based interface to configuring \fIsmb\&.conf\fR\&.
.TP
\fBwinbindd\fR(8)
\fBwinbindd\fR is a daemon that is used for integrating authentication and the user database into unix\&.
.TP
\fBwbinfo\fR(1)
\fBwbinfo\fR is a utility that retrieves and stores information related to winbind\&.
.TP
\fBeditreg\fR(1)
\fBeditreg\fR is a command-line utility that can edit windows registry files\&.
.TP
\fBprofiles\fR(1)
\fBprofiles\fR is a command-line utility that can be used to replace all occurences of a certain SID with another SID\&.
.TP
\fBvfstest\fR(1)
\fBvfstest\fR is a utility that can be used to test vfs modules\&.
.TP
\fBntlm_auth\fR(1)
\fBntlm_auth\fR is a helper-utility for external programs wanting to do NTLM-authentication\&.
.TP
\fBsmbmount\fR(8), \fBsmbumount\fR(8), \fBsmbmount\fR(8)
\fBsmbmount\fR,\fBsmbmnt\fR and \fBsmbmnt\fR are commands that can be used to mount CIFS/SMB shares on Linux\&.
.TP
\fBsmbcquotas\fR(1)
\fBsmbcquotas\fR is a tool that can set remote QUOTA's on server with NTFS 5\&.
.SH "COMPONENTS"
.PP
The Samba suite is made up of several components\&. Each component is described in a separate manual page\&. It is strongly recommended that you read the documentation that comes with Samba and the manual pages of those components that you use\&. If the manual pages and documents aren't clear enough then please visithttp://devel\&.samba\&.org for information on how to file a bug report or submit a patch\&.
.PP
If you require help, visit the Samba webpage athttp://www\&.samba\&.org/ and explore the many option available to you\&.
.SH "AVAILABILITY"
.PP
The Samba software suite is licensed under the GNU Public License(GPL)\&. A copy of that license should have come with the package in the file COPYING\&. You are encouraged to distribute copies of the Samba suite, but please obey the terms of this license\&.
.PP
The latest version of the Samba suite can be obtained via anonymous ftp from samba\&.org in the directory pub/samba/\&. It is also available on several mirror sites worldwide\&.
.PP
You may also find useful information about Samba on the newsgroup comp\&.protocol\&.smb and the Samba mailing list\&. Details on how to join the mailing list are given in the README file that comes with Samba\&.
.PP
If you have access to a WWW viewer (such as Mozilla or Konqueror) then you will also find lots of useful information, including back issues of the Samba mailing list, athttp://lists\&.samba\&.org\&.
.SH "VERSION"
.PP
This man page is correct for version 3\&.0 of the Samba suite\&.
.SH "CONTRIBUTIONS"
.PP
If you wish to contribute to the Samba project, then I suggest you join the Samba mailing list athttp://lists\&.samba\&.org\&.
.PP
If you have patches to submit, visithttp://devel\&.samba\&.org/ for information on how to do it properly\&. We prefer patches in \fBdiff -u\fR format\&.
.SH "CONTRIBUTORS"
.PP
Contributors to the project are now too numerous to mention here but all deserve the thanks of all Samba users\&. To see a full list, look at the\fIchange-log\fR in the source package for the pre-CVS changes and at http://cvs\&.samba\&.org/ for the contributors to Samba post-CVS\&. CVS is the Open Source source code control system used by the Samba Team to develop Samba\&. The project would have been unmanageable without it\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.

100
docs/manpages/tdbbackup.8 Normal file
View File

@ -0,0 +1,100 @@
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "TDBBACKUP" 8 "" "" ""
.SH NAME
tdbbackup \- tool for backing up and for validating the integrity of samba .tdb files
.SH "SYNOPSIS"
.nf
\fBtdbbackup\fR [-s suffix] [-v] [-h]
.fi
.SH "DESCRIPTION"
.PP
This tool is part of the \fBSamba\fR(1) suite\&.
.PP
\fBtdbbackup\fR is a tool that may be used to backup samba \&.tdb files\&. This tool may also be used to verify the integrity of the \&.tdb files prior to samba startup, in which case, if it find file damage and it finds a prior backup it will restore the backup file\&.
.SH "OPTIONS"
.TP
-h
Get help information\&.
.TP
-s suffix
The \fB-s\fR option allows the adminisistrator to specify a file backup extension\&. This way it is possible to keep a history of tdb backup files by using a new suffix for each backup\&.
.TP
-v
The \fB-v\fR will check the database for damages (currupt data) which if detected causes the backup to be restored\&.
.SH "COMMANDS"
.PP
\fBGENERAL INFORMATION\fR
.PP
The \fBtdbbackup\fR utility should be run as soon as samba has shut down\&. Do NOT run this command on a live database\&. Typical usage for the command will be:
.PP
tdbbackup [-s suffix] *\&.tdb
.PP
Before restarting samba the following command may be run to validate \&.tdb files:
.PP
tdbbackup -v [-s suffix] *\&.tdb
.PP
Samba \&.tdb files are stored in various locations, be sure to run backup all \&.tdb file on the system\&. Imporatant files includes:
.TP 3
\(bu
\fBsecrets.tdb\fR - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba\&.
.TP
\(bu
\fBpassdb.tdb\fR - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba\&.
.TP
\(bu
\fB*.tdb\fR located in the /usr/local/samba/var directory or on some systems in the /var/cache or /var/lib/samba directories\&.
.LP
.SH "VERSION"
.PP
This man page is correct for version 3\&.0 of the Samba suite\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
The tdbbackup man page was written by John H Terpstra\&.

149
docs/textdocs/README.jis Normal file
View File

@ -0,0 +1,149 @@
$B!|(B samba $BF|K\8lBP1~$K$D$$$F(B
1. $BL\E*(B
$BF|K\8lBP1~$O!"(B
(1) MS-Windows $B>e$G!"4A;z%U%!%$%kL>$r$I$&$7$F$b07$&I,MW$N$"$k%"%W%j%1!<%7%g%s$,$A$c(B
$B$s$HF0:n$9$k!#Nc$($P!"(BMS-WORD 5 $B$J$I$O!"%$%s%9%H!<%k;~$K4A;z$N%U%!%$%kL>$r>!<j(B
$B$K$D$1$F$7$^$$$^$9!#$3$&$$$C$?>l9g$K$A$c$s$HBP1~$G$-$k$h$&$K$9$k!#(B
(2) UNIX $B$O!":G6a$G$O$[$H$s$I$N$b$N$,(B 8 bits $B$N%U%!%$%kL>$r%5%]!<%H$7$F$$$^$9$,!"(B
$BCf$K$O!"$3$l$r%5%]!<%H$7$F$$$J$$$b$N$b$"$j$^$9!#$3$N$h$&$J>l9g$G$b!"(B(1)$B$NL\E*(B
$B$,K~B-$G$-$k$h$&$K$9$k!#(B
$B$rL\E*$H$7$F$$$^$9!#$=$N$?$a!"F|K\8lBP1~$O!"I,MW:G>.8B$7$+9T$J$C$F$*$j$^$;$s!#(B
$BF|K\8lBP1~$7$?(B samba $B$rMxMQ$9$k$?$a$K$O!"%3%s%Q%$%k$9$k;~$K!"I,$:!"(BKANJI $B$NDj5A$rDI(B
$B2C$7$F$/$@$5$$!#$3$N%*%W%7%g%s$r;XDj$7$F$$$J$$>l9g$O!"F|K\8l$N%U%!%$%kL>$r@5$7$/07(B
$B$&$3$H$O$G$-$^$;$s!#!J%3%s%Q%$%k$K$D$$$F$O!"2<5-(B 3. $B$r;2>H$7$F2<$5$$!K(B
2. $BMxMQJ}K!(B
(1) $BDI2C$7$?%Q%i%a!<%?(B
smb.conf $B%U%!%$%k$N(B global $B%;%/%7%g%s$K0J2<$N%Q%i%a!<%?$r@_Dj$G$-$k$h$&$K$7$^$7$?!#(B
[global]
....
coding system = <$B%3!<%I7O(B>
$B$3$3$G;XDj$5$l$?%3!<%I7O$,(B UNIX $B>e$N%U%!%$%k%7%9%F%`$N%U%!%$%kL>$N%3!<%I$K$J$j$^$9!#(B
$B@_Dj$G$-$k$b$N$O!"<!$N$h$&$K$J$C$F$$$^$9!#(B
sjis: SHIFT JIS (MS $B4A;z%3!<%I(B)
euc: EUC $B%3!<%I(B
hex: 7 bits $B$N(B ASCII $B%3!<%I0J30$N%3!<%I$r0J2<$N7A<0$GI=$9J}<0$G$9!#Nc$($P!"(B
'$B%*%U%#%9(B' $B$H$$$&L>A0$O!"(B':83:49:83:74:83:42:83:58' $B$N$h$&$K!"(B':' $B$N8e$K#27e(B
$B$N(B16$B?J?t$rB3$1$k7A<0$K$J$j$^$9!#(B
$B$3$3$G!"(B':' $B$rB>$NJ8;z$KJQ99$7$?$$>l9g$O!"(Bhex $B$N8e$m$K$=$NJ8;z$r;XDj$7$^$9!#(B
$BNc$($P!"(B@$B$rJQ$o$j$K;H$$$?$$>l9g$O!"(B'hex@'$B$N$h$&$K;XDj$7$^$9!#(B
cap: 7 bits $B$N(B ASCII $B%3!<%I0J30$N%3!<%I$r0J2<$N7A<0$GI=$9J}<0$H$$$&E@$G$O(B
hex$B$HF1MM$G$9$,!"(BCAP (The Columbia AppleTalk Package)$B$H8_49@-$r;}$DJQ49(B
$BJ}<0$H$J$C$F$$$^$9!#(Bhex$B$H$N0c$$$O(B0x80$B0J>e$N%3!<%I$N$_(B':80'$B$N$h$&$KJQ49(B
$B$5$l!"$=$NB>$O(BASCII$B%3!<%I$G8=$5$l$^$9!#(B
$BNc$($P!"(B'$B%*%U%#%9(B'$B$H$$$&L>A0$O!"(B':83I:83t:83B:83X'$B$H$J$j$^$9!#(B
JIS $B%3!<%I$K$D$$$F$O!"0J2<$NI=$r;2>H$7$F2<$5$$!#(B
$B(#(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(!(!(!(!(!($(B
$B(";XDj(B $B("4A;z3+;O("4A;z=*N;("%+%J3+;O("%+%J=*N;("1Q?t3+;O("Hw9M(B $B("(B
$B('(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(!(!(!(!(!()(B
$B("(Bjis7 $B("(B\E$B $B("(B\E(J $B("(B0x0e $B("(B0x0f $B("(B\E(J $B("(Bjis 7$BC10LId9f(B $B("(B
$B("(Bjunet $B("(B\E$B $B("(B\E(J $B("(B\E(I $B("(B\E(J $B("(B\E(J $B("(B7bits $B%3!<%I(B $B("(B
$B("(Bjis8 $B("(B\E$B $B("(B\E(J $B("(B-- $B("(B-- $B("(B\E(J $B("(Bjis 8$BC10LId9f(B $B("(B
$B("(Bj7bb $B("(B\E$B $B("(B\E(B $B("(B0x0e $B("(B0x0f $B("(B\E(B $B("(B $B("(B
$B("(Bj7bj $B("(B\E$B $B("(B\E(J $B("(B0x0e $B("(B0x0f $B("(B\E(J $B("(Bjis7$B$HF1$8(B $B("(B
$B("(Bj7bh $B("(B\E$B $B("(B\E(H $B("(B0x0e $B("(B0x0f $B("(B\E(H $B("(B $B("(B
$B("(Bj7@b $B("(B\E$@ $B("(B\E(B $B("(B0x0e $B("(B0x0f $B("(B\E(B $B("(B $B("(B
$B("(Bj7@j $B("(B\E$@ $B("(B\E(J $B("(B0x0e $B("(B0x0f $B("(B\E(J $B("(B $B("(B
$B("(Bj7@h $B("(B\E$@ $B("(B\E(H $B("(B0x0e $B("(B0x0f $B("(B\E(H $B("(B $B("(B
$B("(Bj8bb $B("(B\E$B $B("(B\E(B $B("(B-- $B("(B-- $B("(B\E(B $B("(B $B("(B
$B("(Bj8bj $B("(B\E$B $B("(B\E(J $B("(B-- $B("(B-- $B("(B\E(J $B("(Bjis8$B$HF1$8(B $B("(B
$B("(Bj8bh $B("(B\E$B $B("(B\E(H $B("(B-- $B("(B-- $B("(B\E(H $B("(B $B("(B
$B("(Bj8@b $B("(B\E@@ $B("(B\E(B $B("(B-- $B("(B-- $B("(B\E(B $B("(B $B("(B
$B("(Bj8@j $B("(B\E$@ $B("(B\E(J $B("(B-- $B("(B-- $B("(B\E(J $B("(B $B("(B
$B("(Bj8@h $B("(B\E$@ $B("(B\E(H $B("(B-- $B("(B-- $B("(B\E(H $B("(B $B("(B
$B("(Bjubb $B("(B\E$B $B("(B\E(B $B("(B\E(I $B("(B\E(B $B("(B\E(B $B("(B $B("(B
$B("(Bjubj $B("(B\E$B $B("(B\E(J $B("(B\E(I $B("(B\E(J $B("(B\E(J $B("(Bjunet$B$HF1$8(B $B("(B
$B("(Bjubh $B("(B\E$B $B("(B\E(H $B("(B\E(I $B("(B\E(H $B("(B\E(H $B("(B $B("(B
$B("(Bju@b $B("(B\E$@ $B("(B\E(B $B("(B\E(I $B("(B\E(B $B("(B\E(B $B("(B $B("(B
$B("(Bju@j $B("(B\E$@ $B("(B\E(J $B("(B\E(I $B("(B\E(J $B("(B\E(J $B("(B $B("(B
$B("(Bju@h $B("(B\E$@ $B("(B\E(H $B("(B\E(I $B("(B\E(H $B("(B\E(H $B("(B $B("(B
$B(&(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(!(!(!(!(!(%(B
$B$$$:$l$N>l9g$b!"$9$G$KB8:_$7$F$$$kL>A0$KBP$7$F$O!"4A;z$N3+;O=*N;%7!<%1%s%9$O!"0J2<(B
$B$N$b$N$rG'<1$7$^$9!#(B
$B4A;z$N;O$^$j(B: \E$B $B$+(B \E$@
$B4A;z$N=*$j(B: \E(J $B$+(B \E(B $B$+(B \E(H
(2) smbclient $B$N%*%W%7%g%s(B
$B%/%i%$%"%s%H%W%m%0%i%`$G$b!"4A;z$d2>L>$r4^$s$@%U%!%$%k$r07$($k$h$&$K!"<!$N%*%W%7%g%s(B
$B$rDI2C$7$^$7$?!#(B
-t <$B%?!<%_%J%k%3!<%I7O(B>
$B$3$3$G!"(B<$B%?!<%_%J%k%3!<%I7O(B>$B$K;XDj$G$-$k$b$N$O!">e$N(B<$B%3!<%I7O(B>$B$HF1$8$b$N$G$9!#(B
(3) $B%G%U%)%k%H(B
$B%G%U%)%k%H$N%3!<%I7O$O!"%3%s%Q%$%k;~$K7h$^$j$^$9!#(B
3. $B%3%s%Q%$%k;~$N@_Dj(B
Makefile $B$K@_Dj$9$k9`L\$r0J2<$K<($7$^$9!#(B
(1) KANJI $B%U%i%0(B
$B%3%s%Q%$%k%*%W%7%g%s$K(B -DKANJI=\"$B%3!<%I7O(B\" $B$r;XDj$7$^$9!#$3$N%3!<%I7O$O(B 2. $B$G;X(B
$BDj$9$k$b$N$HF1$8$G$9!#Nc$($P!"(B-DKANJI=\"euc\" $B$r(BFLAGSM $B$K@_Dj$9$k$H(B UNIX $B>e$N%U%!(B
$B%$%kL>$O!"(BEUC $B%3!<%I$K$J$j$^$9!#$3$3$G;XDj$7$?%3!<%I7O$O!"%5!<%P5Z$S%/%i%$%"%s%H(B
$B%W%m%0%i%`$N%G%U%)%k%H$KCM$J$j$^$9!#(B
$B>0!"%*%W%7%g%sCf$N(B \ $B$d(B " $B$bK:$l$:$K;XDj$7$F2<$5$$!#(B
3. $B@)8B;v9`(B
(1) $B4A;z%3!<%I(B
smbd $B$rF0:n$5$;$k%[%9%H$N(B UNIX $B$,%5%]!<%H$7$F$$$J$$4A;z%3!<%I$O!"MxMQ$G$-$J$$$3$H$,(B
$B$"$j$^$9!#JQ$JF0:n$r$9$k$h$&$J$i(B hex $B$N;XDj$r$9$k$N$,NI$$$G$7$g$&!#(B
(2) smbclient $B%3%^%s%I(B
$B%7%U%H%3!<%I$J$I$N4X78$G!"4A;z$d2>L>$r4^$s$@%U%!%$%kL>$N(B ls $B$NI=<($,Mp$l$k$3$H$,$"$j(B
$B$^$9!#(B
(3) $B%o%$%k%I%+!<%I$K$D$$$F(B
$B$A$c$s$H$7$?%9%Z%C%/$,$h$/$o$+$i$J$+$C$?$N$G$9$,!"0l1~!"(BDOS/V $B$NF0:n$HF1$8F0:n$r9T$J(B
$B$&$h$&$K$J$C$F$$$^$9!#(B
(4) $B%m%s%0%U%!%$%kL>$K$D$$$F(B
Windows NT/95 $B$G$O!"%m%s%0%U%!%$%kL>$,07$($^$9!#%m%s%0%U%!%$%kL>$r(B 8.3 $B%U%)!<%^%C%H(B
$B$G07$&$?$a$K!"(Bmangling $B$7$F$$$^$9$,!"$3$NJ}K!$O!"(BNT $B$d(B 95 $B$,9T$J$C$F$$$k(B mangling $B$H(B
$B$O0[$J$j$^$9$N$GCm0U$7$F2<$5$$!#(B
4. $B>c32Ey$N%l%]!<%H$K$D$$$F(B
$BF|K\8l$N%U%!%$%kL>$K4X$7$F!"J8;z2=$1Ey$N>c32$,$"$l$P!";d$K%l%]!<%H$7$FD:$1$l$P9,$$$G(B
$B$9!#$?$@$7!"%*%j%8%J%k$+$i$NLdBjE@$d<ALd$K$D$$$F$O!"%*%j%8%J%k$N:n<T$XD>@\Ld$$9g$o$;$k(B
$B$+!"$b$7$/$O%a!<%j%s%0%j%9%H$J$I$X%l%]!<%H$9$k$h$&$K$7$F2<$5$$!#(B
$B%l%]!<%H$5$l$k>l9g!"MxMQ$5$l$F$$$k4D6-(B(UNIX $B5Z$S(B PC $BB&$N(BOS$B$J$I(B)$B$H$G$-$^$7$?$i@_Dj%U%!(B
$B%$%k$d%m%0$J$I$rE:IU$7$FD:$1$k$H9,$$$G$9!#(B
5. $B$=$NB>(B
$B%3!<%IJQ49$O0J2<$NJ}!9$,:n$i$l$?%W%m%0%i%`$rMxMQ$7$F$$$^$9!#(B
hex $B7A<0(B $BBgLZ!wBgDM!&C^GH(B <ohki@gssm.otsuka.tsukuba.ac.jp>$B;a(B
cap $B7A<0(B $BI%ED(B $BF;O:(B (michiro@po.iijnet.or.jp)(michiro@dms.toppan.co.jp)$B;a(B
$B$=$NB>!"$?$/$5$s$NJ}!9$+$i$$$m$$$m$H8f65<($$$?$@$-$"$j$,$H$&$4$6$$$^$7$?!#:#8e$H$b$h(B
$B$m$7$/$*4j$$CW$7$^$9!#(B
1994$BG/(B10$B7n(B28$BF|(B $BBh#1HG(B
1995$BG/(B 8$B7n(B16$BF|(B $BBh#2HG(B
1995$BG/(B11$B7n(B24$BF|(B $BBh#3HG(B
1996$BG/(B 5$B7n(B13$BF|(B $BBh#4HG(B
$BF#ED(B $B?r(B fujita@ainix.isac.co.jp

View File

@ -0,0 +1,64 @@
#!/usr/bin/perl
##
## Example script to export ldap entries into an smbpasswd file format
## using the Mozilla PerLDAP module.
##
## writen by jerry@samba.org
##
## ported to Net::LDAP by dkrovich@slackworks.com
use Net::LDAP;
######################################################
## Set these values to whatever you need for your site
##
$DN="dc=samba,dc=my-domain,dc=com";
$ROOTDN="cn=Manager,dc=my-domain,dc=com";
$rootpw = "secret";
$LDAPSERVER="localhost";
##
## end local site variables
######################################################
$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
print "##\n";
print "## Autogenerated smbpasswd file via ldapsearch\n";
print "## from $LDAPSERVER ($DN)\n";
print "##\n";
## scheck for the existence of the posixAccount first
$result = $ldap->search ( base => "$DN",
scope => "sub",
filter => "(objectclass=sambaAccount)"
);
## loop over the entries we found
while ( $entry = $result->shift_entry() ) {
@uid = $entry->get_value("uid");
@uidNumber = $entry->get_value("uidNumber");
@lm_pw = $entry->get_value("lmpassword");
@nt_pw = $entry->get_value("ntpassword");
@acct = $entry->get_value("acctFlags");
@pwdLastSet = $entry->get_value("pwdLastSet");
if (($#uid+1) && ($#uidNumber+1)) {
$lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
$nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
$acct[0] = "[DU ]" if (! ($#acct+1));
$pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
}
}
$ldap->unbind();
exit 0;

View File

@ -0,0 +1,119 @@
#!/usr/bin/perl
##
## Example script of how you could import a smbpasswd file into an LDAP
## directory using the Mozilla PerLDAP module.
##
## writen by jerry@samba.org
##
## ported to Net::LDAP by dkrovich@slackworks.com
use Net::LDAP;
#################################################
## set these to a value appropriate for your site
##
$DN="ou=people,dc=plainjoe,dc=org";
$ROOTDN="cn=Manager,dc=plainjoe,dc=org";
# If you use perl special character in your
# rootpw, escape them:
# $rootpw = "secr\@t" instead of $rootpw = "secr@t"
$rootpw = "n0pass";
$LDAPSERVER="scooby";
##
## end local site variables
#################################################
$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
## Bind as $ROOTDN so you can do updates
$mesg = $ldap->bind($ROOTDN, password => $rootpw);
$mesg->error() if $mesg->code();
while ( $string = <STDIN> ) {
chomp ($string);
## Get the account info from the smbpasswd file
@smbentry = split (/:/, $string);
## Check for the existence of a system account
@getpwinfo = getpwnam($smbentry[0]);
if (! @getpwinfo ) {
print STDERR "**$smbentry[0] does not have a system account... \n";
next;
}
## Calculate RID = uid*2 +1000
$rid=@getpwinfo[2]*2+1000;
## check and see if account info already exists in LDAP.
$result = $ldap->search ( base => "$DN",
scope => "sub",
filter => "(uid=$smbentry[0])"
);
## If no LDAP entry exists, create one.
if ( $result->count == 0 ) {
$new_entry = Net::LDAP::Entry->new();
$new_entry->add( dn => "uid=$smbentry[0],$DN",
uid => $smbentry[0],
rid => $rid,
lmPassword => $smbentry[2],
ntPassword => $smbentry[3],
acctFlags => $smbentry[4],
cn => $smbentry[0],
pwdLastSet => hex(substr($smbentry[5],4)),
objectclass => 'sambaAccount' );
$result = $ldap->add( $new_entry );
$result->error() if $result->code();
print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n";
## Otherwise, supplement/update the existing entry.
}
elsif ($result->count == 1)
{
# Put the search results into an entry object
$entry = $result->entry(0);
print "Updating [" . $entry->dn . "]\n";
## Add the objectclass: sambaAccount attribute if it's not there
@values = $entry->get_value( "objectclass" );
$flag = 1;
foreach $item (@values) {
print "$item\n";
if ( "$item" eq "sambaAccount" ) {
$flag = 0;
}
}
if ( $flag ) {
## Adding sambaAccount objectclass requires adding at least rid:
## uid attribute already exists we know since we searched on it
$entry->add(objectclass => "sambaAccount",
rid => $rid );
}
## Set the other attribute values
$entry->replace(rid => $rid,
lmPassword => $smbentry[2],
ntPassword => $smbentry[3],
acctFlags => $smbentry[4],
pwdLastSet => hex(substr($smbentry[5],4)));
## Apply changes to the LDAP server
$updatemesg = $entry->update($ldap);
$updatemesg->error() if $updatemesg->code();
## If we get here, the LDAP search returned more than one value
## which shouldn't happen under normal circumstances.
} else {
print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n";
next;
}
}
$ldap->unbind();
exit 0;

43
examples/VFS/Makefile.in Normal file
View File

@ -0,0 +1,43 @@
CC = @CC@
CFLAGS = @CFLAGS@
CPPFLAGS = @CPPFLAGS@
LDFLAGS = @LDFLAGS@
LDSHFLAGS = @LDSHFLAGS@
INSTALLCMD = @INSTALL@
SAMBA_SOURCE = @SAMBA_SOURCE@
SHLIBEXT = @SHLIBEXT@
OBJEXT = @OBJEXT@
FLAGS = $(CFLAGS) -Iinclude -I$(SAMBA_SOURCE)/include -I$(SAMBA_SOURCE)/ubiqx -I$(SAMBA_SOURCE)/smbwrapper -I. $(CPPFLAGS) -I$(SAMBA_SOURCE)
prefix = @prefix@
libdir = @libdir@
VFS_LIBDIR = $(libdir)/vfs
# Auto target
default: $(patsubst %.c,%.$(SHLIBEXT),$(wildcard *.c))
# Pattern rules
%.$(SHLIBEXT): %.$(OBJEXT)
@echo "Linking $@"
@$(CC) $(LDSHFLAGS) $(LDFLAGS) -o $@ $<
%.$(OBJEXT): %.c
@echo "Compiling $<"
@$(CC) $(FLAGS) -c $<
install: default
$(INSTALLCMD) -d $(VFS_LIBDIR)
$(INSTALLCMD) -m 755 *.$(SHLIBEXT) $(VFS_LIBDIR)
# Misc targets
clean:
rm -rf .libs
rm -f core *~ *% *.bak *.o *.$(SHLIBEXT)
distclean: clean
rm config.* Makefile

60
examples/VFS/autogen.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/sh
# Run this script to build samba from CVS.
## insert all possible names (only works with
## autoconf 2.x
#TESTAUTOHEADER="autoheader autoheader-2.53"
TESTAUTOCONF="autoconf autoconf-2.53"
#AUTOHEADERFOUND="0"
AUTOCONFFOUND="0"
##
## Look for autoheader
##
#for i in $TESTAUTOHEADER; do
# if which $i > /dev/null 2>&1; then
# if [ `$i --version | head -n 1 | cut -d. -f 2` -ge 53 ]; then
# AUTOHEADER=$i
# AUTOHEADERFOUND="1"
# break
# fi
# fi
#done
##
## Look for autoconf
##
for i in $TESTAUTOCONF; do
if which $i > /dev/null 2>&1; then
if [ `$i --version | head -n 1 | cut -d. -f 2` -ge 53 ]; then
AUTOCONF=$i
AUTOCONFFOUND="1"
break
fi
fi
done
##
## do we have it?
##
if [ "$AUTOCONFFOUND" = "0" -o "$AUTOHEADERFOUND" = "0" ]; then
echo "$0: need autoconf 2.53 or later to build samba from CVS" >&2
exit 1
fi
#echo "$0: running $AUTOHEADER"
#$AUTOHEADER || exit 1
echo "$0: running $AUTOCONF"
$AUTOCONF || exit 1
echo "Now run ./configure and then make."
exit 0

353
examples/VFS/configure.in Normal file
View File

@ -0,0 +1,353 @@
dnl -*- mode: m4-mode -*-
dnl Process this file with autoconf to produce a configure script.
dnl We must use autotools 2.53 or above
AC_PREREQ(2.53)
AC_INIT(Makefile.in)
#dnl Uncomment this if you want to use your own define's too
#AC_CONFIG_HEADER(module_config.h)
#dnl To make sure that didn't get #define PACKAGE_* in modules_config.h
#echo "" > confdefs.h
dnl Checks for programs.
AC_PROG_CC
AC_PROG_INSTALL
#################################################
# Directory handling stuff to support both the
# legacy SAMBA directories and FHS compliant
# ones...
AC_PREFIX_DEFAULT(/usr/local/samba)
AC_ARG_WITH(fhs,
[ --with-fhs Use FHS-compliant paths (default=no)],
libdir="\${prefix}/lib/samba",
libdir="\${prefix}/lib")
AC_SUBST(libdir)
SAMBA_SOURCE="../../source"
####################################################
# set the location location of the samba source tree
AC_ARG_WITH(samba-source,
[ --with-samba-source=DIR Where is the samba source tree (../../source)],
[ case "$withval" in
yes|no)
#
# Just in case anybody calls it without argument
#
AC_MSG_WARN([--with-samba-source called without argument - will use default])
;;
* )
SAMBA_SOURCE="$withval"
;;
esac])
AC_SUBST(SAMBA_SOURCE)
dnl Unique-to-Samba variables we'll be playing with.
AC_SUBST(CC)
AC_SUBST(SHELL)
AC_SUBST(LDSHFLAGS)
AC_SUBST(SONAMEFLAG)
AC_SUBST(SHLD)
AC_SUBST(HOST_OS)
AC_SUBST(PICFLAG)
AC_SUBST(PICSUFFIX)
AC_SUBST(POBAD_CC)
AC_SUBST(SHLIBEXT)
AC_SUBST(INSTALLCLIENTCMD_SH)
AC_SUBST(INSTALLCLIENTCMD_A)
AC_SUBST(SHLIB_PROGS)
AC_SUBST(EXTRA_BIN_PROGS)
AC_SUBST(EXTRA_SBIN_PROGS)
AC_SUBST(EXTRA_ALL_TARGETS)
AC_ARG_ENABLE(debug,
[ --enable-debug Turn on compiler debugging information (default=no)],
[if eval "test x$enable_debug = xyes"; then
CFLAGS="${CFLAGS} -g"
fi])
AC_ARG_ENABLE(developer, [ --enable-developer Turn on developer warnings and debugging (default=no)],
[if eval "test x$enable_developer = xyes"; then
developer=yes
CFLAGS="${CFLAGS} -g -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -DDEBUG_PASSWORD -DDEVELOPER"
fi])
# compile with optimization and without debugging by default, but
# allow people to set their own preference.
if test "x$CFLAGS" = x
then
CFLAGS="-O ${CFLAGS}"
fi
#################################################
# check for krb5-config from recent MIT and Heimdal kerberos 5
AC_PATH_PROG(KRB5_CONFIG, krb5-config)
AC_MSG_CHECKING(for working krb5-config)
if test -x "$KRB5_CONFIG"; then
CFLAGS="$CFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
CPPFLAGS="$CPPFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
FOUND_KRB5=yes
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
fi
if test x$FOUND_KRB5 = x"no"; then
#################################################
# check for location of Kerberos 5 install
AC_MSG_CHECKING(for kerberos 5 install path)
AC_ARG_WITH(krb5,
[ --with-krb5=base-dir Locate Kerberos 5 support (default=/usr)],
[ case "$withval" in
no)
AC_MSG_RESULT(no)
;;
*)
AC_MSG_RESULT(yes)
CFLAGS="$CFLAGS -I$withval/include"
CPPFLAGS="$CPPFLAGS -I$withval/include"
FOUND_KRB5=yes
;;
esac ],
AC_MSG_RESULT(no)
)
fi
if test x$FOUND_KRB5 = x"no"; then
#################################################
# see if this box has the SuSE location for the heimdal kerberos implementation
AC_MSG_CHECKING(for /usr/include/heimdal)
if test -d /usr/include/heimdal; then
if test -f /usr/lib/heimdal/lib/libkrb5.a; then
CFLAGS="$CFLAGS -I/usr/include/heimdal"
CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
AC_MSG_RESULT(yes)
else
CFLAGS="$CFLAGS -I/usr/include/heimdal"
CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
AC_MSG_RESULT(yes)
fi
else
AC_MSG_RESULT(no)
fi
fi
if test x$FOUND_KRB5 = x"no"; then
#################################################
# see if this box has the RedHat location for kerberos
AC_MSG_CHECKING(for /usr/kerberos)
if test -d /usr/kerberos -a -f /usr/kerberos/lib/libkrb5.a; then
LDFLAGS="$LDFLAGS -L/usr/kerberos/lib"
CFLAGS="$CFLAGS -I/usr/kerberos/include"
CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
fi
# now check for krb5.h. Some systems have the libraries without the headers!
# note that this check is done here to allow for different kerberos
# include paths
AC_CHECK_HEADERS(krb5.h)
# now check for gssapi headers. This is also done here to allow for
# different kerberos include paths
AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
#dnl Check if we use GNU ld
#LD=ld
#AC_PROG_LD_GNU
#dnl look for executable suffix
#AC_EXEEXT
builddir=`pwd`
AC_SUBST(builddir)
# Assume non-shared by default and override below
BLDSHARED="false"
# these are the defaults, good for lots of systems
HOST_OS="$host_os"
LDSHFLAGS="-shared"
SONAMEFLAG="#"
SHLD="\${CC}"
PICFLAG=""
PICSUFFIX="po"
POBAD_CC="#"
SHLIBEXT="so"
if test "$enable_shared" = "yes"; then
# this bit needs to be modified for each OS that is suported by
# smbwrapper. You need to specify how to created a shared library and
# how to compile C code to produce PIC object files
AC_MSG_CHECKING([ability to build shared libraries])
# and these are for particular systems
case "$host_os" in
*linux*)
BLDSHARED="true"
LDSHFLAGS="-shared"
DYNEXP="-Wl,--export-dynamic"
PICFLAG="-fPIC"
SONAMEFLAG="-Wl,-soname="
;;
*solaris*)
BLDSHARED="true"
LDSHFLAGS="-G"
SONAMEFLAG="-h "
if test "${GCC}" = "yes"; then
PICFLAG="-fPIC"
if test "${ac_cv_prog_gnu_ld}" = "yes"; then
DYNEXP="-Wl,-E"
fi
else
PICFLAG="-KPIC"
## ${CFLAGS} added for building 64-bit shared
## libs using Sun's Compiler
LDSHFLAGS="-G \${CFLAGS}"
POBAD_CC=""
PICSUFFIX="po.o"
fi
;;
*sunos*)
BLDSHARED="true"
LDSHFLAGS="-G"
SONAMEFLAG="-Wl,-h,"
PICFLAG="-KPIC" # Is this correct for SunOS
;;
*netbsd* | *freebsd*) BLDSHARED="true"
LDSHFLAGS="-shared"
DYNEXP="-Wl,--export-dynamic"
SONAMEFLAG="-Wl,-soname,"
PICFLAG="-fPIC -DPIC"
;;
*openbsd*) BLDSHARED="true"
LDSHFLAGS="-shared"
DYNEXP="-Wl,-Bdynamic"
SONAMEFLAG="-Wl,-soname,"
PICFLAG="-fPIC"
;;
*irix*)
case "$host_os" in
*irix6*)
;;
esac
ATTEMPT_WRAP32_BUILD=yes
BLDSHARED="true"
LDSHFLAGS="-set_version sgi1.0 -shared"
SONAMEFLAG="-soname "
SHLD="\${LD}"
if test "${GCC}" = "yes"; then
PICFLAG="-fPIC"
else
PICFLAG="-KPIC"
fi
;;
*aix*)
BLDSHARED="true"
LDSHFLAGS="-Wl,-bexpall,-bM:SRE,-bnoentry,-berok"
DYNEXP="-Wl,-brtl,-bexpall"
PICFLAG="-O2"
if test "${GCC}" != "yes"; then
## for funky AIX compiler using strncpy()
CFLAGS="$CFLAGS -D_LINUX_SOURCE_COMPAT -qmaxmem=32000"
fi
;;
*hpux*)
SHLIBEXT="sl"
# Use special PIC flags for the native HP-UX compiler.
if test $ac_cv_prog_cc_Ae = yes; then
BLDSHARED="true"
SHLD="/usr/bin/ld"
LDSHFLAGS="-B symbolic -b -z"
SONAMEFLAG="+h "
PICFLAG="+z"
fi
DYNEXP="-Wl,-E"
;;
*qnx*)
;;
*osf*)
BLDSHARED="true"
LDSHFLAGS="-shared"
SONAMEFLAG="-Wl,-soname,"
PICFLAG="-fPIC"
;;
*sco*)
;;
*unixware*)
BLDSHARED="true"
LDSHFLAGS="-shared"
SONAMEFLAG="-Wl,-soname,"
PICFLAG="-KPIC"
;;
*next2*)
;;
*dgux*) AC_CHECK_PROG( ROFF, groff, [groff -etpsR -Tascii -man])
;;
*sysv4*)
case "$host" in
*-univel-*)
LDSHFLAGS="-G"
DYNEXP="-Bexport"
;;
*mips-sni-sysv4*)
;;
esac
;;
*sysv5*)
LDSHFLAGS="-G"
;;
*vos*)
BLDSHARED="false"
LDSHFLAGS=""
;;
*)
;;
esac
AC_SUBST(DYNEXP)
AC_MSG_RESULT($BLDSHARED)
AC_MSG_CHECKING([linker flags for shared libraries])
AC_MSG_RESULT([$LDSHFLAGS])
AC_MSG_CHECKING([compiler flags for position-independent code])
AC_MSG_RESULT([$PICFLAGS])
fi
#######################################################
# test whether building a shared library actually works
if test $BLDSHARED = true; then
AC_CACHE_CHECK([whether building shared libraries actually works],
[ac_cv_shlib_works],[
ac_cv_shlib_works=no
# try building a trivial shared library
if test "$PICSUFFIX" = "po"; then
$CC $CPPFLAGS $CFLAGS $PICFLAG -c -o shlib.po ${srcdir-.}/tests/shlib.c &&
$CC $CPPFLAGS $CFLAGS `eval echo $LDSHFLAGS` -o "shlib.$SHLIBEXT" shlib.po &&
ac_cv_shlib_works=yes
else
$CC $CPPFLAGS $CFLAGS $PICFLAG -c -o shlib.$PICSUFFIX ${srcdir-.}/tests/shlib.c &&
mv shlib.$PICSUFFIX shlib.po &&
$CC $CPPFLAGS $CFLAGS `eval echo $LDSHFLAGS` -o "shlib.$SHLIBEXT" shlib.po &&
ac_cv_shlib_works=yes
fi
rm -f "shlib.$SHLIBEXT" shlib.po
])
if test $ac_cv_shlib_works = no; then
BLDSHARED=false
fi
fi
AC_OUTPUT(Makefile)

238
examples/VFS/install-sh Normal file
View File

@ -0,0 +1,238 @@
#! /bin/sh
#
# install - install a program, script, or datafile
# This comes from X11R5.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
#
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"
# put in absolute paths if you don't have them in your path; or use env. vars.
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"
transformbasename=""
transform_arg=""
instcmd="$mvprog"
chmodcmd="$chmodprog 0755"
chowncmd=""
chgrpcmd=""
stripcmd=""
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=""
dst=""
dir_arg=""
while [ x"$1" != x ]; do
case $1 in
-c) instcmd="$cpprog"
shift
continue;;
-d) dir_arg=true
shift
continue;;
-m) chmodcmd="$chmodprog $2"
shift
shift
continue;;
-o) chowncmd="$chownprog $2"
shift
shift
continue;;
-g) chgrpcmd="$chgrpprog $2"
shift
shift
continue;;
-s) stripcmd="$stripprog"
shift
continue;;
-t=*) transformarg=`echo $1 | sed 's/-t=//'`
shift
continue;;
-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
shift
continue;;
*) if [ x"$src" = x ]
then
src=$1
else
# this colon is to work around a 386BSD /bin/sh bug
:
dst=$1
fi
shift
continue;;
esac
done
if [ x"$src" = x ]
then
echo "install: no input file specified"
exit 1
else
true
fi
if [ x"$dir_arg" != x ]; then
dst=$src
src=""
if [ -d $dst ]; then
instcmd=:
else
instcmd=mkdir
fi
else
# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if [ -f $src -o -d $src ]
then
true
else
echo "install: $src does not exist"
exit 1
fi
if [ x"$dst" = x ]
then
echo "install: no destination specified"
exit 1
else
true
fi
# If destination is a directory, append the input filename; if your system
# does not like double slashes in filenames, you may need to add some logic
if [ -d $dst ]
then
dst="$dst"/`basename $src`
else
true
fi
fi
## this sed command emulates the dirname command
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
# Make sure that the destination directory exists.
# this part is taken from Noah Friedman's mkinstalldirs script
# Skip lots of stat calls in the usual case.
if [ ! -d "$dstdir" ]; then
defaultIFS='
'
IFS="${IFS-${defaultIFS}}"
oIFS="${IFS}"
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
IFS="${oIFS}"
pathcomp=''
while [ $# -ne 0 ] ; do
pathcomp="${pathcomp}${1}"
shift
if [ ! -d "${pathcomp}" ] ;
then
$mkdirprog "${pathcomp}"
else
true
fi
pathcomp="${pathcomp}/"
done
fi
if [ x"$dir_arg" != x ]
then
$doit $instcmd $dst &&
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
else
# If we're going to rename the final executable, determine the name now.
if [ x"$transformarg" = x ]
then
dstfile=`basename $dst`
else
dstfile=`basename $dst $transformbasename |
sed $transformarg`$transformbasename
fi
# don't allow the sed command to completely eliminate the filename
if [ x"$dstfile" = x ]
then
dstfile=`basename $dst`
else
true
fi
# Make a temp file name in the proper directory.
dsttmp=$dstdir/#inst.$$#
# Move or copy the file name to the temp name
$doit $instcmd $src $dsttmp &&
trap "rm -f ${dsttmp}" 0 &&
# and set any options; do chmod last to preserve setuid bits
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $instcmd $src $dsttmp" command.
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
# Now rename the file to the real destination.
$doit $rmcmd -f $dstdir/$dstfile &&
$doit $mvcmd $dsttmp $dstdir/$dstfile
fi &&
exit 0

563
examples/VFS/skel_opaque.c Normal file
View File

@ -0,0 +1,563 @@
/*
* Skeleton VFS module. Implements passthrough operation of all VFS
* calls to disk functions.
*
* Copyright (C) Tim Potter, 1999-2000
* Copyright (C) Alexander Bokovoy, 2002
* Copyright (C) Stefan (metze) Metzmacher, 2003
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/* PLEASE,PLEASE READ THE VFS MODULES CHAPTER OF THE
SAMBA DEVELOPERS GUIDE!!!!!!
*/
/* If you take this file as template for your module
* please make sure that you remove all vfswrap_* functions and
* implement your own function!!
*
* for functions you didn't want to provide implement dummy functions
* witch return ERROR and errno = ENOSYS; !
*
* --metze
*/
static int skel_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user)
{
return 0;
}
static void skel_disconnect(vfs_handle_struct *handle, connection_struct *conn)
{
return;
}
static SMB_BIG_UINT skel_disk_free(vfs_handle_struct *handle, connection_struct *conn, const char *path,
BOOL small_query, SMB_BIG_UINT *bsize,
SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize)
{
return vfswrap_disk_free(NULL, conn, path, small_query, bsize,
dfree, dsize);
}
static int skel_get_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
{
return vfswrap_get_quota(NULL, conn, qtype, id, dq);
}
static int skel_set_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
{
return vfswrap_set_quota(NULL, conn, qtype, id, dq);
}
static DIR *skel_opendir(vfs_handle_struct *handle, connection_struct *conn, const char *fname)
{
return vfswrap_opendir(NULL, conn, fname);
}
static struct dirent *skel_readdir(vfs_handle_struct *handle, connection_struct *conn, DIR *dirp)
{
return vfswrap_readdir(NULL, conn, dirp);
}
static int skel_mkdir(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
{
return vfswrap_mkdir(NULL, conn, path, mode);
}
static int skel_rmdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return vfswrap_rmdir(NULL, conn, path);
}
static int skel_closedir(vfs_handle_struct *handle, connection_struct *conn, DIR *dir)
{
return vfswrap_closedir(NULL, conn, dir);
}
static int skel_open(vfs_handle_struct *handle, connection_struct *conn, const char *fname, int flags, mode_t mode)
{
return vfswrap_open(NULL, conn, fname, flags, mode);
}
static int skel_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
return vfswrap_close(NULL, fsp, fd);
}
static ssize_t skel_read(vfs_handle_struct *handle, files_struct *fsp, int fd, void *data, size_t n)
{
return vfswrap_read(NULL, fsp, fd, data, n);
}
static ssize_t skel_write(vfs_handle_struct *handle, files_struct *fsp, int fd, const void *data, size_t n)
{
return vfswrap_write(NULL, fsp, fd, data, n);
}
static SMB_OFF_T skel_lseek(vfs_handle_struct *handle, files_struct *fsp, int filedes, SMB_OFF_T offset, int whence)
{
return vfswrap_lseek(NULL, fsp, filedes, offset, whence);
}
static int skel_rename(vfs_handle_struct *handle, connection_struct *conn, const char *old, const char *new)
{
return vfswrap_rename(NULL, conn, old, new);
}
static int skel_fsync(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
return vfswrap_fsync(NULL, fsp, fd);
}
static int skel_stat(vfs_handle_struct *handle, connection_struct *conn, const char *fname, SMB_STRUCT_STAT *sbuf)
{
return vfswrap_stat(NULL, conn, fname, sbuf);
}
static int skel_fstat(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_STRUCT_STAT *sbuf)
{
return vfswrap_fstat(NULL, fsp, fd, sbuf);
}
static int skel_lstat(vfs_handle_struct *handle, connection_struct *conn, const char *path, SMB_STRUCT_STAT *sbuf)
{
return vfswrap_lstat(NULL, conn, path, sbuf);
}
static int skel_unlink(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return vfswrap_unlink(NULL, conn, path);
}
static int skel_chmod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
{
return vfswrap_chmod(NULL, conn, path, mode);
}
static int skel_fchmod(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
{
return vfswrap_fchmod(NULL, fsp, fd, mode);
}
static int skel_chown(vfs_handle_struct *handle, connection_struct *conn, const char *path, uid_t uid, gid_t gid)
{
return vfswrap_chown(NULL, conn, path, uid, gid);
}
static int skel_fchown(vfs_handle_struct *handle, files_struct *fsp, int fd, uid_t uid, gid_t gid)
{
return vfswrap_fchown(NULL, fsp, fd, uid, gid);
}
static int skel_chdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return vfswrap_chdir(NULL, conn, path);
}
static char *skel_getwd(vfs_handle_struct *handle, connection_struct *conn, char *buf)
{
return vfswrap_getwd(NULL, conn, buf);
}
static int skel_utime(vfs_handle_struct *handle, connection_struct *conn, const char *path, struct utimbuf *times)
{
return vfswrap_utime(NULL, conn, path, times);
}
static int skel_ftruncate(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_OFF_T offset)
{
return vfswrap_ftruncate(NULL, fsp, fd, offset);
}
static BOOL skel_lock(vfs_handle_struct *handle, files_struct *fsp, int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)
{
return vfswrap_lock(NULL, fsp, fd, op, offset, count, type);
}
static BOOL skel_symlink(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
{
return vfswrap_symlink(NULL, conn, oldpath, newpath);
}
static BOOL skel_readlink(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *buf, size_t bufsiz)
{
return vfswrap_readlink(NULL, conn, path, buf, bufsiz);
}
static int skel_link(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
{
return vfswrap_link(NULL, conn, oldpath, newpath);
}
static int skel_mknod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode, SMB_DEV_T dev)
{
return vfswrap_mknod(NULL, conn, path, mode, dev);
}
static char *skel_realpath(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *resolved_path)
{
return vfswrap_realpath(NULL, conn, path, resolved_path);
}
static size_t skel_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info, struct security_descriptor_info **ppdesc)
{
errno = ENOSYS;
return 0;
}
static size_t skel_get_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info, struct security_descriptor_info **ppdesc)
{
errno = ENOSYS;
return 0;
}
static BOOL skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info_sent, struct security_descriptor_info *psd)
{
errno = ENOSYS;
return False;
}
static BOOL skel_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info_sent, struct security_descriptor_info *psd)
{
errno = ENOSYS;
return False;
}
static int skel_chmod_acl(vfs_handle_struct *handle, connection_struct *conn, const char *name, mode_t mode)
{
errno = ENOSYS;
return -1;
}
static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_get_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_get_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_get_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
{
errno = ENOSYS;
return -1;
}
static void *skel_sys_acl_get_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d)
{
errno = ENOSYS;
return NULL;
}
static SMB_ACL_T skel_sys_acl_get_file(vfs_handle_struct *handle, connection_struct *conn, const char *path_p, SMB_ACL_TYPE_T type)
{
errno = ENOSYS;
return NULL;
}
static SMB_ACL_T skel_sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
errno = ENOSYS;
return NULL;
}
static int skel_sys_acl_clear_perms(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_add_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
errno = ENOSYS;
return -1;
}
static char *skel_sys_acl_to_text(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, ssize_t *plen)
{
errno = ENOSYS;
return NULL;
}
static SMB_ACL_T skel_sys_acl_init(vfs_handle_struct *handle, connection_struct *conn, int count)
{
errno = ENOSYS;
return NULL;
}
static int skel_sys_acl_create_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_set_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_set_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, void *qual)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_set_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_valid(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl )
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_set_file(vfs_handle_struct *handle, connection_struct *conn, const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_ACL_T theacl)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_delete_def_file(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_get_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_free_text(vfs_handle_struct *handle, connection_struct *conn, char *text)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_free_acl(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T posix_acl)
{
errno = ENOSYS;
return -1;
}
static int skel_sys_acl_free_qualifier(vfs_handle_struct *handle, connection_struct *conn, void *qualifier, SMB_ACL_TAG_T tagtype)
{
errno = ENOSYS;
return -1;
}
static ssize_t skel_getxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t size)
{
errno = ENOSYS;
return -1;
}
static ssize_t skel_lgetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t
size)
{
errno = ENOSYS;
return -1;
}
static ssize_t skel_fgetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, void *value, size_t size)
{
errno = ENOSYS;
return -1;
}
static ssize_t skel_listxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
{
errno = ENOSYS;
return -1;
}
static ssize_t skel_llistxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
{
errno = ENOSYS;
return -1;
}
static ssize_t skel_flistxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, char *list, size_t size)
{
errno = ENOSYS;
return -1;
}
static int skel_removexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
{
errno = ENOSYS;
return -1;
}
static int skel_lremovexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
{
errno = ENOSYS;
return -1;
}
static int skel_fremovexattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name)
{
errno = ENOSYS;
return -1;
}
static int skel_setxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
{
errno = ENOSYS;
return -1;
}
static int skel_lsetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
{
errno = ENOSYS;
return -1;
}
static int skel_fsetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, const void *value, size_t size, int flags)
{
errno = ENOSYS;
return -1;
}
/* VFS operations structure */
static vfs_op_tuple skel_op_tuples[] = {
/* Disk operations */
{SMB_VFS_OP(skel_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_disk_free), SMB_VFS_OP_DISK_FREE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_get_quota), SMB_VFS_OP_GET_QUOTA, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_set_quota), SMB_VFS_OP_SET_QUOTA, SMB_VFS_LAYER_OPAQUE},
/* Directory operations */
{SMB_VFS_OP(skel_opendir), SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_readdir), SMB_VFS_OP_READDIR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_mkdir), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_rmdir), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_closedir), SMB_VFS_OP_CLOSEDIR, SMB_VFS_LAYER_OPAQUE},
/* File operations */
{SMB_VFS_OP(skel_open), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_close), SMB_VFS_OP_CLOSE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_read), SMB_VFS_OP_READ, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_write), SMB_VFS_OP_WRITE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_lseek), SMB_VFS_OP_LSEEK, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fsync), SMB_VFS_OP_FSYNC, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_chmod), SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fchmod), SMB_VFS_OP_FCHMOD, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_chown), SMB_VFS_OP_CHOWN, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fchown), SMB_VFS_OP_FCHOWN, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_chdir), SMB_VFS_OP_CHDIR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_getwd), SMB_VFS_OP_GETWD, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_utime), SMB_VFS_OP_UTIME, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_ftruncate), SMB_VFS_OP_FTRUNCATE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_lock), SMB_VFS_OP_LOCK, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_symlink), SMB_VFS_OP_SYMLINK, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_readlink), SMB_VFS_OP_READLINK, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_link), SMB_VFS_OP_LINK, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_mknod), SMB_VFS_OP_MKNOD, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_realpath), SMB_VFS_OP_REALPATH, SMB_VFS_LAYER_OPAQUE},
/* NT File ACL operations */
{SMB_VFS_OP(skel_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_set_nt_acl), SMB_VFS_OP_SET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
/* POSIX ACL operations */
{SMB_VFS_OP(skel_chmod_acl), SMB_VFS_OP_CHMOD_ACL, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fchmod_acl), SMB_VFS_OP_FCHMOD_ACL, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_entry), SMB_VFS_OP_SYS_ACL_GET_ENTRY, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_tag_type), SMB_VFS_OP_SYS_ACL_GET_TAG_TYPE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_permset), SMB_VFS_OP_SYS_ACL_GET_PERMSET, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_qualifier), SMB_VFS_OP_SYS_ACL_GET_QUALIFIER, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_file), SMB_VFS_OP_SYS_ACL_GET_FILE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_fd), SMB_VFS_OP_SYS_ACL_GET_FD, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_clear_perms), SMB_VFS_OP_SYS_ACL_CLEAR_PERMS, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_add_perm), SMB_VFS_OP_SYS_ACL_ADD_PERM, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_to_text), SMB_VFS_OP_SYS_ACL_TO_TEXT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_init), SMB_VFS_OP_SYS_ACL_INIT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_create_entry), SMB_VFS_OP_SYS_ACL_CREATE_ENTRY, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_set_tag_type), SMB_VFS_OP_SYS_ACL_SET_TAG_TYPE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_set_qualifier), SMB_VFS_OP_SYS_ACL_SET_QUALIFIER, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_set_permset), SMB_VFS_OP_SYS_ACL_SET_PERMSET, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_valid), SMB_VFS_OP_SYS_ACL_VALID, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_set_file), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_set_fd), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_delete_def_file), SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_get_perm), SMB_VFS_OP_SYS_ACL_GET_PERM, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_free_text), SMB_VFS_OP_SYS_ACL_FREE_TEXT, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_free_acl), SMB_VFS_OP_SYS_ACL_FREE_ACL, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_sys_acl_free_qualifier), SMB_VFS_OP_SYS_ACL_FREE_QUALIFIER, SMB_VFS_LAYER_OPAQUE},
/* EA operations. */
{SMB_VFS_OP(skel_getxattr), SMB_VFS_OP_GETXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_lgetxattr), SMB_VFS_OP_LGETXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fgetxattr), SMB_VFS_OP_FGETXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_listxattr), SMB_VFS_OP_LISTXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_llistxattr), SMB_VFS_OP_LLISTXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_flistxattr), SMB_VFS_OP_FLISTXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_removexattr), SMB_VFS_OP_REMOVEXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_lremovexattr), SMB_VFS_OP_LREMOVEXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fremovexattr), SMB_VFS_OP_FREMOVEXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_setxattr), SMB_VFS_OP_SETXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_lsetxattr), SMB_VFS_OP_LSETXATTR, SMB_VFS_LAYER_OPAQUE},
{SMB_VFS_OP(skel_fsetxattr), SMB_VFS_OP_FSETXATTR, SMB_VFS_LAYER_OPAQUE},
{NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};
NTSTATUS init_module(void)
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "skel_opaque", skel_op_tuples);
}

View File

@ -0,0 +1,532 @@
/*
* Skeleton VFS module. Implements passthrough operation of all VFS
* calls to disk functions.
*
* Copyright (C) Tim Potter, 1999-2000
* Copyright (C) Alexander Bokovoy, 2002
* Copyright (C) Stefan (metze) Metzmacher, 2003
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/* PLEASE,PLEASE READ THE VFS MODULES CHAPTER OF THE
SAMBA DEVELOPERS GUIDE!!!!!!
*/
/* If you take this file as template for your module
* please make sure that you remove all functions you didn't
* want to implement!!
*
* This passthrough operations are useless in reall vfs modules!
*
* --metze
*/
static int skel_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user)
{
return SMB_VFS_NEXT_CONNECT(handle, conn, service, user);
}
static void skel_disconnect(vfs_handle_struct *handle, connection_struct *conn)
{
SMB_VFS_NEXT_DISCONNECT(handle, conn);
}
static SMB_BIG_UINT skel_disk_free(vfs_handle_struct *handle, connection_struct *conn, const char *path,
BOOL small_query, SMB_BIG_UINT *bsize,
SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize)
{
return SMB_VFS_NEXT_DISK_FREE(handle, conn, path, small_query, bsize,
dfree, dsize);
}
static int skel_get_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
{
return SMB_VFS_NEXT_GET_QUOTA(handle, conn, qtype, id, dq);
}
static int skel_set_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
{
return SMB_VFS_NEXT_SET_QUOTA(handle, conn, qtype, id, dq);
}
static DIR *skel_opendir(vfs_handle_struct *handle, connection_struct *conn, const char *fname)
{
return SMB_VFS_NEXT_OPENDIR(handle, conn, fname);
}
static struct dirent *skel_readdir(vfs_handle_struct *handle, connection_struct *conn, DIR *dirp)
{
return SMB_VFS_NEXT_READDIR(handle, conn, dirp);
}
static int skel_mkdir(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
{
return SMB_VFS_NEXT_MKDIR(handle, conn, path, mode);
}
static int skel_rmdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return SMB_VFS_NEXT_RMDIR(handle, conn, path);
}
static int skel_closedir(vfs_handle_struct *handle, connection_struct *conn, DIR *dir)
{
return SMB_VFS_NEXT_CLOSEDIR(handle, conn, dir);
}
static int skel_open(vfs_handle_struct *handle, connection_struct *conn, const char *fname, int flags, mode_t mode)
{
return SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode);
}
static int skel_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
}
static ssize_t skel_read(vfs_handle_struct *handle, files_struct *fsp, int fd, void *data, size_t n)
{
return SMB_VFS_NEXT_READ(handle, fsp, fd, data, n);
}
static ssize_t skel_write(vfs_handle_struct *handle, files_struct *fsp, int fd, const void *data, size_t n)
{
return SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n);
}
static SMB_OFF_T skel_lseek(vfs_handle_struct *handle, files_struct *fsp, int filedes, SMB_OFF_T offset, int whence)
{
return SMB_VFS_NEXT_LSEEK(handle, fsp, filedes, offset, whence);
}
static int skel_rename(vfs_handle_struct *handle, connection_struct *conn, const char *old, const char *new)
{
return SMB_VFS_NEXT_RENAME(handle, conn, old, new);
}
static int skel_fsync(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
return SMB_VFS_NEXT_FSYNC(handle, fsp, fd);
}
static int skel_stat(vfs_handle_struct *handle, connection_struct *conn, const char *fname, SMB_STRUCT_STAT *sbuf)
{
return SMB_VFS_NEXT_STAT(handle, conn, fname, sbuf);
}
static int skel_fstat(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_STRUCT_STAT *sbuf)
{
return SMB_VFS_NEXT_FSTAT(handle, fsp, fd, sbuf);
}
static int skel_lstat(vfs_handle_struct *handle, connection_struct *conn, const char *path, SMB_STRUCT_STAT *sbuf)
{
return SMB_VFS_NEXT_LSTAT(handle, conn, path, sbuf);
}
static int skel_unlink(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return SMB_VFS_NEXT_UNLINK(handle, conn, path);
}
static int skel_chmod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
{
return SMB_VFS_NEXT_CHMOD(handle, conn, path, mode);
}
static int skel_fchmod(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
{
return SMB_VFS_NEXT_FCHMOD(handle, fsp, fd, mode);
}
static int skel_chown(vfs_handle_struct *handle, connection_struct *conn, const char *path, uid_t uid, gid_t gid)
{
return SMB_VFS_NEXT_CHOWN(handle, conn, path, uid, gid);
}
static int skel_fchown(vfs_handle_struct *handle, files_struct *fsp, int fd, uid_t uid, gid_t gid)
{
return SMB_VFS_NEXT_FCHOWN(handle, fsp, fd, uid, gid);
}
static int skel_chdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return SMB_VFS_NEXT_CHDIR(handle, conn, path);
}
static char *skel_getwd(vfs_handle_struct *handle, connection_struct *conn, char *buf)
{
return SMB_VFS_NEXT_GETWD(handle, conn, buf);
}
static int skel_utime(vfs_handle_struct *handle, connection_struct *conn, const char *path, struct utimbuf *times)
{
return SMB_VFS_NEXT_UTIME(handle, conn, path, times);
}
static int skel_ftruncate(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_OFF_T offset)
{
return SMB_VFS_NEXT_FTRUNCATE(handle, fsp, fd, offset);
}
static BOOL skel_lock(vfs_handle_struct *handle, files_struct *fsp, int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)
{
return SMB_VFS_NEXT_LOCK(handle, fsp, fd, op, offset, count, type);
}
static BOOL skel_symlink(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
{
return SMB_VFS_NEXT_SYMLINK(handle, conn, oldpath, newpath);
}
static BOOL skel_readlink(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *buf, size_t bufsiz)
{
return SMB_VFS_NEXT_READLINK(handle, conn, path, buf, bufsiz);
}
static int skel_link(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
{
return SMB_VFS_NEXT_LINK(handle, conn, oldpath, newpath);
}
static int skel_mknod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode, SMB_DEV_T dev)
{
return SMB_VFS_NEXT_MKNOD(handle, conn, path, mode, dev);
}
static char *skel_realpath(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *resolved_path)
{
return SMB_VFS_NEXT_REALPATH(handle, conn, path, resolved_path);
}
static size_t skel_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info, struct security_descriptor_info **ppdesc)
{
return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, fd, security_info, ppdesc);
}
static size_t skel_get_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info, struct security_descriptor_info **ppdesc)
{
return SMB_VFS_NEXT_GET_NT_ACL(handle, fsp, name, security_info, ppdesc);
}
static BOOL skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info_sent, struct security_descriptor_info *psd)
{
return SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, fd, security_info_sent, psd);
}
static BOOL skel_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info_sent, struct security_descriptor_info *psd)
{
return SMB_VFS_NEXT_SET_NT_ACL(handle, fsp, name, security_info_sent, psd);
}
static int skel_chmod_acl(vfs_handle_struct *handle, connection_struct *conn, const char *name, mode_t mode)
{
/* If the underlying VFS doesn't have ACL support... */
if (!handle->vfs_next.ops.chmod_acl) {
errno = ENOSYS;
return -1;
}
return SMB_VFS_NEXT_CHMOD_ACL(handle, conn, name, mode);
}
static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
{
/* If the underlying VFS doesn't have ACL support... */
if (!handle->vfs_next.ops.fchmod_acl) {
errno = ENOSYS;
return -1;
}
return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, fd, mode);
}
static int skel_sys_acl_get_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
{
return SMB_VFS_NEXT_SYS_ACL_GET_ENTRY(handle, conn, theacl, entry_id, entry_p);
}
static int skel_sys_acl_get_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
{
return SMB_VFS_NEXT_SYS_ACL_GET_TAG_TYPE(handle, conn, entry_d, tag_type_p);
}
static int skel_sys_acl_get_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
{
return SMB_VFS_NEXT_SYS_ACL_GET_PERMSET(handle, conn, entry_d, permset_p);
}
static void *skel_sys_acl_get_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d)
{
return SMB_VFS_NEXT_SYS_ACL_GET_QUALIFIER(handle, conn, entry_d);
}
static SMB_ACL_T skel_sys_acl_get_file(vfs_handle_struct *handle, connection_struct *conn, const char *path_p, SMB_ACL_TYPE_T type)
{
return SMB_VFS_NEXT_SYS_ACL_GET_FILE(handle, conn, path_p, type);
}
static SMB_ACL_T skel_sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp, int fd)
{
return SMB_VFS_NEXT_SYS_ACL_GET_FD(handle, fsp, fd);
}
static int skel_sys_acl_clear_perms(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset)
{
return SMB_VFS_NEXT_SYS_ACL_CLEAR_PERMS(handle, conn, permset);
}
static int skel_sys_acl_add_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
return SMB_VFS_NEXT_SYS_ACL_ADD_PERM(handle, conn, permset, perm);
}
static char *skel_sys_acl_to_text(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, ssize_t *plen)
{
return SMB_VFS_NEXT_SYS_ACL_TO_TEXT(handle, conn, theacl, plen);
}
static SMB_ACL_T skel_sys_acl_init(vfs_handle_struct *handle, connection_struct *conn, int count)
{
return SMB_VFS_NEXT_SYS_ACL_INIT(handle, conn, count);
}
static int skel_sys_acl_create_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
{
return SMB_VFS_NEXT_SYS_ACL_CREATE_ENTRY(handle, conn, pacl, pentry);
}
static int skel_sys_acl_set_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
{
return SMB_VFS_NEXT_SYS_ACL_SET_TAG_TYPE(handle, conn, entry, tagtype);
}
static int skel_sys_acl_set_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, void *qual)
{
return SMB_VFS_NEXT_SYS_ACL_SET_QUALIFIER(handle, conn, entry, qual);
}
static int skel_sys_acl_set_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
{
return SMB_VFS_NEXT_SYS_ACL_SET_PERMSET(handle, conn, entry, permset);
}
static int skel_sys_acl_valid(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl )
{
return SMB_VFS_NEXT_SYS_ACL_VALID(handle, conn, theacl);
}
static int skel_sys_acl_set_file(vfs_handle_struct *handle, connection_struct *conn, const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
{
return SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle, conn, name, acltype, theacl);
}
static int skel_sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_ACL_T theacl)
{
return SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, fsp, fd, theacl);
}
static int skel_sys_acl_delete_def_file(vfs_handle_struct *handle, connection_struct *conn, const char *path)
{
return SMB_VFS_NEXT_SYS_ACL_DELETE_DEF_FILE(handle, conn, path);
}
static int skel_sys_acl_get_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
return SMB_VFS_NEXT_SYS_ACL_GET_PERM(handle, conn, permset, perm);
}
static int skel_sys_acl_free_text(vfs_handle_struct *handle, connection_struct *conn, char *text)
{
return SMB_VFS_NEXT_SYS_ACL_FREE_TEXT(handle, conn, text);
}
static int skel_sys_acl_free_acl(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T posix_acl)
{
return SMB_VFS_NEXT_SYS_ACL_FREE_ACL(handle, conn, posix_acl);
}
static int skel_sys_acl_free_qualifier(vfs_handle_struct *handle, connection_struct *conn, void *qualifier, SMB_ACL_TAG_T tagtype)
{
return SMB_VFS_NEXT_SYS_ACL_FREE_QUALIFIER(handle, conn, qualifier, tagtype);
}
static ssize_t skel_getxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t size)
{
return SMB_VFS_NEXT_GETXATTR(handle, conn, path, name, value, size);
}
static ssize_t skel_lgetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t
size)
{
return SMB_VFS_NEXT_LGETXATTR(handle, conn, path, name, value, size);
}
static ssize_t skel_fgetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, void *value, size_t size)
{
return SMB_VFS_NEXT_FGETXATTR(handle, fsp, fd, name, value, size);
}
static ssize_t skel_listxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
{
return SMB_VFS_NEXT_LISTXATTR(handle, conn, path, list, size);
}
static ssize_t skel_llistxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
{
return SMB_VFS_NEXT_LLISTXATTR(handle, conn, path, list, size);
}
static ssize_t skel_flistxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, char *list, size_t size)
{
return SMB_VFS_NEXT_FLISTXATTR(handle, fsp, fd, list, size);
}
static int skel_removexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
{
return SMB_VFS_NEXT_REMOVEXATTR(handle, conn, path, name);
}
static int skel_lremovexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
{
return SMB_VFS_NEXT_LREMOVEXATTR(handle, conn, path, name);
}
static int skel_fremovexattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name)
{
return SMB_VFS_NEXT_FREMOVEXATTR(handle, fsp, fd, name);
}
static int skel_setxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
{
return SMB_VFS_NEXT_SETXATTR(handle, conn, path, name, value, size, flags);
}
static int skel_lsetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
{
return SMB_VFS_NEXT_LSETXATTR(handle, conn, path, name, value, size, flags);
}
static int skel_fsetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, const void *value, size_t size, int flags)
{
return SMB_VFS_NEXT_FSETXATTR(handle, fsp, fd, name, value, size, flags);
}
/* VFS operations structure */
static vfs_op_tuple skel_op_tuples[] = {
/* Disk operations */
{SMB_VFS_OP(skel_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_disk_free), SMB_VFS_OP_DISK_FREE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_get_quota), SMB_VFS_OP_GET_QUOTA, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_set_quota), SMB_VFS_OP_SET_QUOTA, SMB_VFS_LAYER_TRANSPARENT},
/* Directory operations */
{SMB_VFS_OP(skel_opendir), SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_readdir), SMB_VFS_OP_READDIR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_mkdir), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_rmdir), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_closedir), SMB_VFS_OP_CLOSEDIR, SMB_VFS_LAYER_TRANSPARENT},
/* File operations */
{SMB_VFS_OP(skel_open), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_close), SMB_VFS_OP_CLOSE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_read), SMB_VFS_OP_READ, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_write), SMB_VFS_OP_WRITE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_lseek), SMB_VFS_OP_LSEEK, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fsync), SMB_VFS_OP_FSYNC, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_chmod), SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fchmod), SMB_VFS_OP_FCHMOD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_chown), SMB_VFS_OP_CHOWN, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fchown), SMB_VFS_OP_FCHOWN, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_chdir), SMB_VFS_OP_CHDIR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_getwd), SMB_VFS_OP_GETWD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_utime), SMB_VFS_OP_UTIME, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_ftruncate), SMB_VFS_OP_FTRUNCATE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_lock), SMB_VFS_OP_LOCK, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_symlink), SMB_VFS_OP_SYMLINK, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_readlink), SMB_VFS_OP_READLINK, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_link), SMB_VFS_OP_LINK, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_mknod), SMB_VFS_OP_MKNOD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_realpath), SMB_VFS_OP_REALPATH, SMB_VFS_LAYER_TRANSPARENT},
/* NT File ACL operations */
{SMB_VFS_OP(skel_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_set_nt_acl), SMB_VFS_OP_SET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
/* POSIX ACL operations */
{SMB_VFS_OP(skel_chmod_acl), SMB_VFS_OP_CHMOD_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fchmod_acl), SMB_VFS_OP_FCHMOD_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_entry), SMB_VFS_OP_SYS_ACL_GET_ENTRY, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_tag_type), SMB_VFS_OP_SYS_ACL_GET_TAG_TYPE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_permset), SMB_VFS_OP_SYS_ACL_GET_PERMSET, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_qualifier), SMB_VFS_OP_SYS_ACL_GET_QUALIFIER, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_file), SMB_VFS_OP_SYS_ACL_GET_FILE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_fd), SMB_VFS_OP_SYS_ACL_GET_FD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_clear_perms), SMB_VFS_OP_SYS_ACL_CLEAR_PERMS, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_add_perm), SMB_VFS_OP_SYS_ACL_ADD_PERM, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_to_text), SMB_VFS_OP_SYS_ACL_TO_TEXT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_init), SMB_VFS_OP_SYS_ACL_INIT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_create_entry), SMB_VFS_OP_SYS_ACL_CREATE_ENTRY, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_set_tag_type), SMB_VFS_OP_SYS_ACL_SET_TAG_TYPE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_set_qualifier), SMB_VFS_OP_SYS_ACL_SET_QUALIFIER, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_set_permset), SMB_VFS_OP_SYS_ACL_SET_PERMSET, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_valid), SMB_VFS_OP_SYS_ACL_VALID, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_set_file), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_set_fd), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_delete_def_file), SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_get_perm), SMB_VFS_OP_SYS_ACL_GET_PERM, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_free_text), SMB_VFS_OP_SYS_ACL_FREE_TEXT, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_free_acl), SMB_VFS_OP_SYS_ACL_FREE_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_sys_acl_free_qualifier), SMB_VFS_OP_SYS_ACL_FREE_QUALIFIER, SMB_VFS_LAYER_TRANSPARENT},
/* EA operations. */
{SMB_VFS_OP(skel_getxattr), SMB_VFS_OP_GETXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_lgetxattr), SMB_VFS_OP_LGETXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fgetxattr), SMB_VFS_OP_FGETXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_listxattr), SMB_VFS_OP_LISTXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_llistxattr), SMB_VFS_OP_LLISTXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_flistxattr), SMB_VFS_OP_FLISTXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_removexattr), SMB_VFS_OP_REMOVEXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_lremovexattr), SMB_VFS_OP_LREMOVEXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fremovexattr), SMB_VFS_OP_FREMOVEXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_setxattr), SMB_VFS_OP_SETXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_lsetxattr), SMB_VFS_OP_LSETXATTR, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(skel_fsetxattr), SMB_VFS_OP_FSETXATTR, SMB_VFS_LAYER_TRANSPARENT},
{NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};
NTSTATUS init_module(void)
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "skel_transparent", skel_op_tuples);
}

46
examples/pdb/sambapdb.dtd Normal file
View File

@ -0,0 +1,46 @@
<!ELEMENT samba:crypt (#PCDATA)* >
<!ATTLIST samba:crypt type CDATA #REQUIRED >
<!ELEMENT samba:password (samba:crypt*) >
<!ATTLIST samba:password last_set CDATA #IMPLIED
must_change CDATA #IMPLIED
can_change CDATA #IMPLIED>
<!ELEMENT samba:group (#PCDATA)* >
<!ATTLIST samba:group sid CDATA #REQUIRED
gid CDATA #IMPLIED >
<!ELEMENT samba:domain (#PCDATA)* >
<!ELEMENT samba:fullname (#PCDATA)* >
<!ELEMENT samba:nt_username (#PCDATA)* >
<!ELEMENT samba:logon_script (#PCDATA)* >
<!ELEMENT samba:profile_path (#PCDATA)* >
<!ELEMENT samba:logon_time (#PCDATA)* >
<!ELEMENT samba:logoff_time (#PCDATA)* >
<!ELEMENT samba:kickoff_time (#PCDATA)* >
<!ELEMENT samba:logon_divs (#PCDATA)* >
<!ELEMENT samba:hours_len (#PCDATA)* >
<!ELEMENT samba:unknown_3 (#PCDATA)* >
<!ELEMENT samba:unknown_5 (#PCDATA)* >
<!ELEMENT samba:unknown_6 (#PCDATA)* >
<!ELEMENT samba:homedir (#PCDATA)* >
<!ELEMENT samba:unknown_str (#PCDATA)* >
<!ELEMENT samba:dir_drive (#PCDATA)* >
<!ELEMENT samba:munged_dial (#PCDATA)* >
<!ELEMENT samba:acct_desc (#PCDATA)* >
<!ELEMENT samba:acct_ctrl (#PCDATA)* >
<!ELEMENT samba:workstations (#PCDATA)* >
<!ELEMENT samba:user ( samba:group?, samba:domain?, samba:nt_username?, samba:fullname?, samba:homedir?, samba:dir_drive?, samba:logon_script?, samba:profile_path?, samba:password?, samba:acct_ctrl?,samba:unknown_3?, samba:logon_divs?, samba:hours_len?, samba:logon_time?, samba:logoff_time?, samba:kickoff_time?, samba:unknown_5?, samba:unknown_6?, samba:unknown_str?, samba:munged_dial?, samba:acct_desc?, samba:workstations? ) >
<!ATTLIST samba:user sid CDATA #REQUIRED
uid CDATA #IMPLIED
name CDATA #REQUIRED>
<!ELEMENT samba:users (samba:user*) >
<!ELEMENT samba (samba:users?) >
<!ATTLIST samba
xmlns CDATA #FIXED 'http://samba.org/~jelmer/sambapdb.dtd'>

View File

@ -0,0 +1,685 @@
--- samba_3_0/source/Makefile.in.orig 2003-07-15 12:26:55.000000000 -0400
+++ samba_3_0/source/Makefile.in 2003-07-15 12:26:57.000000000 -0400
@@ -32,7 +32,6 @@
ACLLIBS=@ACLLIBS@
PASSDBLIBS=@PASSDBLIBS@
IDMAP_LIBS=@IDMAP_LIBS@
-ADSLIBS=@ADSLIBS@
KRB5LIBS=@KRB5_LIBS@
LDAPLIBS=@LDAP_LIBS@
@@ -735,12 +734,12 @@
bin/smbd@EXEEXT@: $(SMBD_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBD_OBJ) $(ADSLIBS) $(LDFLAGS) $(DYNEXP) $(PRINTLIBS) \
+ @$(CC) $(FLAGS) -o $@ $(SMBD_OBJ) $(KRB5LIBS) $(LDAPLIBS) $(LDFLAGS) $(DYNEXP) $(PRINTLIBS) \
$(AUTHLIBS) $(ACLLIBS) $(PASSDBLIBS) $(LIBS) @POPTLIBS@
bin/nmbd@EXEEXT@: $(NMBD_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(NMBD_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(ADSLIBS)
+ @$(CC) $(FLAGS) -o $@ $(NMBD_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
bin/wrepld@EXEEXT@: $(WREPL_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
@@ -749,19 +748,19 @@
bin/swat@EXEEXT@: $(SWAT_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
@$(CC) $(FLAGS) -o $@ $(SWAT_OBJ) $(LDFLAGS) $(DYNEXP) $(PRINTLIBS) \
- $(AUTHLIBS) $(LIBS) $(PASSDBLIBS) @POPTLIBS@ $(KRB5LIBS)
+ $(AUTHLIBS) $(LIBS) $(PASSDBLIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
bin/rpcclient@EXEEXT@: $(RPCCLIENT_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(PASSDBLIBS) $(RPCCLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(ADSLIBS)
+ @$(CC) $(FLAGS) -o $@ $(PASSDBLIBS) $(RPCCLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
bin/smbclient@EXEEXT@: $(CLIENT_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(CLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(ADSLIBS)
+ @$(CC) $(FLAGS) -o $@ $(CLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
bin/net@EXEEXT@: $(NET_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(NET_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@ $(ADSLIBS) $(PASSDBLIBS)
+ @$(CC) $(FLAGS) -o $@ $(NET_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS) $(PASSDBLIBS)
bin/profiles@EXEEXT@: $(PROFILES_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
@@ -809,7 +808,7 @@
bin/smbpasswd@EXEEXT@: $(SMBPASSWD_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(PASSDBLIBS) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS)
+ @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(PASSDBLIBS) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
@@ -881,7 +880,7 @@
bin/smbw_sample@EXEEXT@: $(SMBW_OBJ) utils/smbw_sample.o bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBW_OBJ) utils/smbw_sample.o $(LDFLAGS) $(LIBS) $(KRB5LIBS)
+ @$(CC) $(FLAGS) -o $@ $(SMBW_OBJ) utils/smbw_sample.o $(LDFLAGS) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
bin/smbsh@EXEEXT@: $(SMBSH_OBJ) bin/.dummy
@echo Linking $@
@@ -890,12 +889,14 @@
bin/smbwrapper.@SHLIBEXT@: $(PICOBJS) bin/.dummy
@echo Linking shared library $@
@$(SHLD) $(LDSHFLAGS) -o $@ $(PICOBJS) $(LIBS) \
- @SONAMEFLAG@`basename $@` $(KRB5LIBS)
+ $(KRB5LIBS) $(LDAPLIBS) \
+ @SONAMEFLAG@`basename $@`
bin/libsmbclient.@SHLIBEXT@: $(LIBSMBCLIENT_PICOBJS)
@echo Linking libsmbclient shared library $@
@$(SHLD) $(LDSHFLAGS) -o $@ $(LIBSMBCLIENT_PICOBJS) $(LDFLAGS) $(LIBS) \
- $(KRB5LIBS) @SONAMEFLAG@`basename $@`.$(LIBSMBCLIENT_MAJOR)
+ $(KRB5LIBS) $(LDAPLIBS) \
+ @SONAMEFLAG@`basename $@`.$(LIBSMBCLIENT_MAJOR)
bin/libsmbclient.a: $(LIBSMBCLIENT_PICOBJS)
@echo Linking libsmbclient non-shared library $@
@@ -905,7 +906,8 @@
bin/libbigballofmud.@SHLIBEXT@: $(LIBBIGBALLOFMUD_PICOBJS)
@echo Linking bigballofmud shared library $@
@$(SHLD) $(LDSHFLAGS) -o $@ $(LIBBIGBALLOFMUD_PICOBJS) $(LIBS) \
- @SONAMEFLAG@`basename $@`.$(LIBBIGBALLOFMUD_MAJOR) $(PASSDBLIBS) $(IDMAP_LIBS) $(ADSLIBS)
+ $(PASSDBLIBS) $(IDMAP_LIBS) $(KRB5LIBS) $(LDAPLIBS) \
+ @SONAMEFLAG@`basename $@`.$(LIBBIGBALLOFMUD_MAJOR)
ln -snf libbigballofmud.so bin/libbigballofmud.so.0
# It would be nice to build a static bigballofmud too, but when I try
diff -uNr samba-3.0.0beta2.orig/source/aclocal.m4 samba-3.0.0beta2/source/aclocal.m4
--- samba-3.0.0beta2.orig/source/aclocal.m4 2003-07-01 15:44:25.000000000 -0500
+++ samba-3.0.0beta2/source/aclocal.m4 2003-07-05 16:22:30.000000000 -0500
@@ -111,6 +111,113 @@
esac
])
+# AC_CHECK_LIB_EXT(LIBRARY, [EXT_LIBS], [FUNCTION],
+# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND],
+# [ADD-ACTION-IF-FOUND],[OTHER-LIBRARIES])
+# ------------------------------------------------------
+#
+# Use a cache variable name containing both the library and function name,
+# because the test really is for library $1 defining function $3, not
+# just for library $1. Separate tests with the same $1 and different $3s
+# may have different results.
+#
+# Note that using directly AS_VAR_PUSHDEF([ac_Lib], [ac_cv_lib_$1_$3])
+# is asking for troubles, since AC_CHECK_LIB($lib, fun) would give
+# ac_cv_lib_$lib_fun, which is definitely not what was meant. Hence
+# the AS_LITERAL_IF indirection.
+#
+# FIXME: This macro is extremely suspicious. It DEFINEs unconditionnally,
+# whatever the FUNCTION, in addition to not being a *S macro. Note
+# that the cache does depend upon the function we are looking for.
+#
+# It is on purpose we used `ac_check_lib_ext_save_LIBS' and not just
+# `ac_save_LIBS': there are many macros which don't want to see `LIBS'
+# changed but still want to use AC_CHECK_LIB_EXT, so they save `LIBS'.
+# And ``ac_save_LIBS' is too tempting a name, so let's leave them some
+# freedom.
+AC_DEFUN([AC_CHECK_LIB_EXT],
+[
+AH_CHECK_LIB_EXT([$1])
+ac_check_lib_ext_save_LIBS=$LIBS
+LIBS="-l$1 $$2 $7 $LIBS"
+AS_LITERAL_IF([$1],
+ [AS_VAR_PUSHDEF([ac_Lib_ext], [ac_cv_lib_ext_$1])],
+ [AS_VAR_PUSHDEF([ac_Lib_ext], [ac_cv_lib_ext_$1''])])dnl
+
+m4_ifval([$3],
+ [
+ AH_CHECK_FUNC_EXT([$3])
+ AS_LITERAL_IF([$1],
+ [AS_VAR_PUSHDEF([ac_Lib_func], [ac_cv_lib_ext_$1_$3])],
+ [AS_VAR_PUSHDEF([ac_Lib_func], [ac_cv_lib_ext_$1''_$3])])dnl
+ AC_CACHE_CHECK([for $3 in -l$1], ac_Lib_func,
+ [AC_TRY_LINK_FUNC($3,
+ [AS_VAR_SET(ac_Lib_func, yes);
+ AS_VAR_SET(ac_Lib_ext, yes)],
+ [AS_VAR_SET(ac_Lib_func, no);
+ AS_VAR_SET(ac_Lib_ext, no)])
+ ])
+ AS_IF([test AS_VAR_GET(ac_Lib_func) = yes],
+ [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_$3))])dnl
+ AS_VAR_POPDEF([ac_Lib_func])dnl
+ ],[
+ AC_CACHE_CHECK([for -l$1], ac_Lib_ext,
+ [AC_TRY_LINK_FUNC([main],
+ [AS_VAR_SET(ac_Lib_ext, yes)],
+ [AS_VAR_SET(ac_Lib_ext, no)])
+ ])
+ ])
+LIBS=$ac_check_lib_ext_save_LIBS
+
+AS_IF([test AS_VAR_GET(ac_Lib_ext) = yes],
+ [m4_default([$4],
+ [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_LIB$1))
+ case "$$2" in
+ *-l$1*)
+ ;;
+ *)
+ $2="$$2 -l$1"
+ ;;
+ esac])
+ [$6]
+ ],
+ [$5])dnl
+AS_VAR_POPDEF([ac_Lib_ext])dnl
+])# AC_CHECK_LIB_EXT
+
+# AH_CHECK_LIB_EXT(LIBNAME)
+# ---------------------
+m4_define([AH_CHECK_LIB_EXT],
+[AH_TEMPLATE(AS_TR_CPP(HAVE_LIB$1),
+ [Define to 1 if you have the `]$1[' library (-l]$1[).])])
+
+# AC_CHECK_FUNCS_EXT(FUNCTION, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+# -----------------------------------------------------------------
+dnl check for a function in a $LIBS and $OTHER_LIBS libraries variable.
+dnl AC_CHECK_FUNC_EXT(func,OTHER_LIBS,IF-TRUE,IF-FALSE)
+AC_DEFUN([AC_CHECK_FUNC_EXT],
+[
+ AH_CHECK_FUNC_EXT($1)
+ ac_check_func_ext_save_LIBS=$LIBS
+ LIBS="$2 $LIBS"
+ AS_VAR_PUSHDEF([ac_var], [ac_cv_func_ext_$1])dnl
+ AC_CACHE_CHECK([for $1], ac_var,
+ [AC_LINK_IFELSE([AC_LANG_FUNC_LINK_TRY([$1])],
+ [AS_VAR_SET(ac_var, yes)],
+ [AS_VAR_SET(ac_var, no)])])
+ LIBS=$ac_check_func_ext_save_LIBS
+ AS_IF([test AS_VAR_GET(ac_var) = yes],
+ [AC_DEFINE_UNQUOTED(AS_TR_CPP([HAVE_$1])) $3],
+ [$4])dnl
+AS_VAR_POPDEF([ac_var])dnl
+])# AC_CHECK_FUNC
+
+# AH_CHECK_FUNC_EXT(FUNCNAME)
+# ---------------------
+m4_define([AH_CHECK_FUNC_EXT],
+[AH_TEMPLATE(AS_TR_CPP(HAVE_$1),
+ [Define to 1 if you have the `]$1[' function.])])
+
dnl Define an AC_DEFINE with ifndef guard.
dnl AC_N_DEFINE(VARIABLE [, VALUE])
define(AC_N_DEFINE,
diff -uNr samba-3.0.0beta2.orig/source/configure.in samba-3.0.0beta2/source/configure.in
--- samba-3.0.0beta2.orig/source/configure.in 2003-07-05 16:22:00.000000000 -0500
+++ samba-3.0.0beta2/source/configure.in 2003-07-05 16:23:53.000000000 -0500
@@ -162,12 +162,10 @@
AC_SUBST(PRINTLIBS)
AC_SUBST(AUTHLIBS)
AC_SUBST(ACLLIBS)
-AC_SUBST(ADSLIBS)
AC_SUBST(PASSDBLIBS)
AC_SUBST(IDMAP_LIBS)
AC_SUBST(KRB5_LIBS)
AC_SUBST(LDAP_LIBS)
-AC_SUBST(LDAP_OBJ)
AC_SUBST(SHLIB_PROGS)
AC_SUBST(SMBWRAPPER)
AC_SUBST(EXTRA_BIN_PROGS)
@@ -2105,14 +2103,107 @@
AC_MSG_RESULT(no)
)
+########################################################
+# Compile with LDAP support?
+
+with_ldap_support=auto
+AC_MSG_CHECKING([for LDAP support])
+
+AC_ARG_WITH(ldap,
+[ --with-ldap LDAP support (default yes)],
+[ case "$withval" in
+ yes|no)
+ with_ldap_support=$withval
+ ;;
+ esac ])
+
+AC_MSG_RESULT($with_ldap_support)
+
+SMBLDAP=""
+SMBLDAP_PROTO=""
+AC_SUBST(SMBLDAP)
+AC_SUBST(SMBLDAP_PROTO)
+if test x"$with_ldap_support" != x"no"; then
+
+ ##################################################################
+ # first test for ldap.h and lber.h
+ # (ldap.h is required for this test)
+ AC_CHECK_HEADERS(ldap.h lber.h)
+
+ if test x"$ac_cv_header_ldap_h" != x"yes"; then
+ if test x"$with_ldap_support" = x"yes"; then
+ AC_MSG_ERROR(ldap.h is needed for LDAP support)
+ else
+ AC_MSG_WARN(ldap.h is needed for LDAP support)
+ fi
+
+ with_ldap_support=no
+ fi
+fi
+
+if test x"$with_ldap_support" != x"no"; then
+ ac_save_LIBS=$LIBS
+
+ ##################################################################
+ # we might need the lber lib on some systems. To avoid link errors
+ # this test must be before the libldap test
+ AC_CHECK_LIB_EXT(lber, LDAP_LIBS, ber_scanf)
+
+ ########################################################
+ # now see if we can find the ldap libs in standard paths
+ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
+
+ AC_CHECK_FUNC_EXT(ldap_domain2hostlist,$LDAP_LIBS)
+
+ ########################################################
+ # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
+ # Check found in pam_ldap 145.
+ AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
+
+ LIBS="$LIBS $LDAP_LIBS"
+ AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, smb_ldap_cv_ldap_set_rebind_proc, [
+ AC_TRY_COMPILE([
+ #include <lber.h>
+ #include <ldap.h>],
+ [ldap_set_rebind_proc(0, 0, 0);],
+ [smb_ldap_cv_ldap_set_rebind_proc=3],
+ [smb_ldap_cv_ldap_set_rebind_proc=2]
+ )
+ ])
+
+ AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $smb_ldap_cv_ldap_set_rebind_proc, [Number of arguments to ldap_set_rebind_proc])
+
+ AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)
+
+ if test x"$ac_cv_lib_ext_ldap_ldap_init" = x"yes" -a x"$ac_cv_func_ext_ldap_domain2hostlist" = x"yes"; then
+ AC_DEFINE(HAVE_LDAP,1,[Whether ldap is available])
+ default_static_modules="$default_static_modules pdb_ldap idmap_ldap";
+ SMBLDAP="lib/smbldap.o"
+ with_ldap_support=yes
+ AC_MSG_CHECKING(whether LDAP support is used)
+ AC_MSG_RESULT(yes)
+ else
+ if test x"$with_ldap_support" = x"yes"; then
+ AC_MSG_ERROR(libldap is needed for LDAP support)
+ else
+ AC_MSG_WARN(libldap is needed for LDAP support)
+ fi
+
+ LDAP_LIBS=""
+ with_ldap_support=no
+ fi
+ LIBS=$ac_save_LIBS
+fi
+
+
#################################################
# active directory support
with_ads_support=auto
-AC_MSG_CHECKING([whether to use Active Directory])
+AC_MSG_CHECKING([for Active Directory and krb5 support])
AC_ARG_WITH(ads,
-[ --with-ads Active Directory support (default yes)],
+[ --with-ads Active Directory support (default auto)],
[ case "$withval" in
yes|no)
with_ads_support="$withval"
@@ -2124,22 +2215,28 @@
FOUND_KRB5=no
KRB5_LIBS=""
+if test x"$with_ldap_support" != x"yes"; then
+ if test x"$with_ads_support" = x"yes"; then
+ AC_MSG_ERROR(Active Directory Support requires LDAP support)
+ elif test x"$with_ads_support" != x"no"; then
+ AC_MSG_WARN(Active Directory Support requires LDAP support)
+ fi
+ with_ads_support=no
+fi
+
if test x"$with_ads_support" != x"no"; then
# Do no harm to the values of CFLAGS and LIBS while testing for
# Kerberos support.
- ac_save_CFLAGS="$CFLAGS"
- ac_save_LIBS="$LIBS"
-
#################################################
# check for krb5-config from recent MIT and Heimdal kerberos 5
AC_PATH_PROG(KRB5_CONFIG, krb5-config)
AC_MSG_CHECKING(for working krb5-config)
if test -x "$KRB5_CONFIG"; then
- LIBS="$LIBS `$KRB5_CONFIG --libs`"
- CFLAGS="$CFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
- CPPFLAGS="$CPPFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ KRB5_LIBS="`CFLAGS='' $KRB5_CONFIG --libs gssapi`"
+ KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
FOUND_KRB5=yes
AC_MSG_RESULT(yes)
else
@@ -2154,18 +2251,23 @@
[ --with-krb5=base-dir Locate Kerberos 5 support (default=/usr)],
[ case "$withval" in
no)
- AC_MSG_RESULT(no)
+ AC_MSG_RESULT(no krb5-path given)
+ ;;
+ yes)
+ AC_MSG_RESULT(/usr)
+ KRB5_LIBS="-lkrb5"
+ FOUND_KRB5=yes
;;
*)
- AC_MSG_RESULT(yes)
- LIBS="$LIBS -lkrb5"
- CFLAGS="$CFLAGS -I$withval/include"
- CPPFLAGS="$CPPFLAGS -I$withval/include"
- LDFLAGS="$LDFLAGS -L$withval/lib"
+ AC_MSG_RESULT($withval)
+ KRB5_LIBS="-lkrb5"
+ KRB5_CFLAGS="-I$withval/include"
+ KRB5_CPPFLAGS="-I$withval/include"
+ KRB5_LDFLAGS="-L$withval/lib"
FOUND_KRB5=yes
;;
esac ],
- AC_MSG_RESULT(no)
+ AC_MSG_RESULT(no krb5-path given)
)
fi
@@ -2175,15 +2277,15 @@
AC_MSG_CHECKING(for /usr/include/heimdal)
if test -d /usr/include/heimdal; then
if test -f /usr/lib/heimdal/lib/libkrb5.a; then
- LIBS="$LIBS -lkrb5"
- CFLAGS="$CFLAGS -I/usr/include/heimdal"
- CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
- LDFLAGS="$LDFLAGS -L/usr/lib/heimdal/lib"
+ KRB5_LIBS="-lkrb5"
+ KRB5_CFLAGS="-I/usr/include/heimdal"
+ KRB5_CPPFLAGS="-I/usr/include/heimdal"
+ KRB5_LDFLAGS="-L/usr/lib/heimdal/lib"
AC_MSG_RESULT(yes)
else
- LIBS="$LIBS -lkrb5"
- CFLAGS="$CFLAGS -I/usr/include/heimdal"
- CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
+ KRB5_LIBS="-lkrb5"
+ KRB5_CFLAGS="-I/usr/include/heimdal"
+ KRB5_CPPFLAGS="-I/usr/include/heimdal"
AC_MSG_RESULT(yes)
fi
else
@@ -2196,16 +2298,26 @@
# see if this box has the RedHat location for kerberos
AC_MSG_CHECKING(for /usr/kerberos)
if test -d /usr/kerberos -a -f /usr/kerberos/lib/libkrb5.a; then
- LIBS="$LIBS -lkrb5"
- LDFLAGS="$LDFLAGS -L/usr/kerberos/lib"
- CFLAGS="$CFLAGS -I/usr/kerberos/include"
- CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
+ KRB5_LIBS="-lkrb5"
+ KRB5_LDFLAGS="-L/usr/kerberos/lib"
+ KRB5_CFLAGS="-I/usr/kerberos/include"
+ KRB5_CPPFLAGS="-I/usr/kerberos/include"
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
fi
+ ac_save_CFLAGS=$CFLAGS
+ ac_save_CPPFLAGS=$CPPFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+
+ CFLAGS="$CFLAGS $KRB5_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+
+ KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
+
# now check for krb5.h. Some systems have the libraries without the headers!
# note that this check is done here to allow for different kerberos
# include paths
@@ -2225,24 +2337,17 @@
# Turn off AD support and restore CFLAGS and LIBS variables
with_ads_support="no"
-
- CFLAGS="$ac_save_CFLAGS"
- LIBS="$ac_save_LIBS"
-
- else
-
- # Get rid of case where $with_ads_support=auto
-
- with_ads_support="yes"
-
+
+ CFLAGS=$ac_save_CFLAGS
+ CPPFLAGS=$ac_save_CPPFLAGS
+ LDFLAGS=$ac_save_LDFLAGS
fi
fi
# Now we have determined whether we really want ADS support
-if test x"$with_ads_support" = x"yes"; then
-
- AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
+if test x"$with_ads_support" != x"no"; then
+ ac_save_LIBS=$LIBS
# now check for gssapi headers. This is also done here to allow for
# different kerberos include paths
@@ -2250,62 +2355,45 @@
##################################################################
# we might need the k5crypto and com_err libraries on some systems
- AC_CHECK_LIB(com_err, _et_list)
- AC_CHECK_LIB(k5crypto, krb5_encrypt_data)
+ AC_CHECK_LIB_EXT(com_err, KRB5_LIBS, _et_list)
+ AC_CHECK_LIB_EXT(k5crypto, KRB5_LIBS, krb5_encrypt_data)
# Heimdal checks.
- AC_CHECK_LIB(crypto, des_set_key)
- AC_CHECK_LIB(asn1, copy_Authenticator)
- AC_CHECK_LIB(roken, roken_getaddrinfo_hostspec)
+ AC_CHECK_LIB_EXT(crypto, KRB5_LIBS, des_set_key)
+ AC_CHECK_LIB_EXT(asn1, KRB5_LIBS, copy_Authenticator)
+ AC_CHECK_LIB_EXT(roken, KRB5_LIBS, roken_getaddrinfo_hostspec)
# Heimdal checks. On static Heimdal gssapi must be linked before krb5.
- AC_CHECK_LIB(gssapi, gss_display_status, [LIBS="$LIBS -lgssapi -lkrb5";
- AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])
+ AC_CHECK_LIB_EXT(gssapi, KRB5_LIBS, gss_display_status, [KRB5_LIBS="$KRB5_LIBS -lgssapi -lkrb5";
+ AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])
+
+ ########################################################
+ # now see if we can find the krb5 libs in standard paths
+ # or as specified above
+ AC_CHECK_LIB_EXT(krb5, KRB5_LIBS, krb5_mk_req_extended)
+
+ ########################################################
+ # now see if we can find the gssapi libs in standard paths
+ AC_CHECK_LIB_EXT(gssapi_krb5, KRB5_LIBS,gss_display_status,[],[],
+ AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available]))
- AC_CHECK_LIB(krb5, krb5_set_real_time,
- [AC_DEFINE(HAVE_KRB5_SET_REAL_TIME,1,
- [Whether krb5_set_real_time is available])])
- AC_CHECK_LIB(krb5, krb5_set_default_in_tkt_etypes,
- [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES,1,
- [Whether krb5_set_default_in_tkt_etypes, is available])])
- AC_CHECK_LIB(krb5, krb5_set_default_tgs_ktypes,
- [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES,1,
- [Whether krb5_set_default_tgs_ktypes is available])])
-
- AC_CHECK_LIB(krb5, krb5_principal2salt,
- [AC_DEFINE(HAVE_KRB5_PRINCIPAL2SALT,1,
- [Whether krb5_principal2salt is available])])
- AC_CHECK_LIB(krb5, krb5_use_enctype,
- [AC_DEFINE(HAVE_KRB5_USE_ENCTYPE,1,
- [Whether krb5_use_enctype is available])])
- AC_CHECK_LIB(krb5, krb5_string_to_key,
- [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY,1,
- [Whether krb5_string_to_key is available])])
- AC_CHECK_LIB(krb5, krb5_get_pw_salt,
- [AC_DEFINE(HAVE_KRB5_GET_PW_SALT,1,
- [Whether krb5_get_pw_salt is available])])
- AC_CHECK_LIB(krb5, krb5_string_to_key_salt,
- [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY_SALT,1,
- [Whether krb5_string_to_key_salt is available])])
- AC_CHECK_LIB(krb5, krb5_auth_con_setkey,
- [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETKEY,1,
- [Whether krb5_auth_con_setkey is available])])
- AC_CHECK_LIB(krb5, krb5_auth_con_setuseruserkey,
- [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY,1,
- [Whether krb5_auth_con_setuseruserkey is available])])
- AC_CHECK_LIB(krb5, krb5_locate_kdc,
- [AC_DEFINE(HAVE_KRB5_LOCATE_KDC,1,
- [Whether krb5_locate_kdc is available])])
- AC_CHECK_LIB(krb5, krb5_get_permitted_enctypes,
- [AC_DEFINE(HAVE_KRB5_GET_PERMITTED_ENCTYPES,1,
- [Whether krb5_get_permitted_enctypes is available])])
- AC_CHECK_LIB(krb5, krb5_get_default_in_tkt_etypes,
- [AC_DEFINE(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES,1,
- [Whether krb5_get_default_in_tkt_etypes is available])])
- AC_CHECK_LIB(krb5, krb5_free_ktypes,
- [AC_DEFINE(HAVE_KRB5_FREE_KTYPES,1,
- [Whether krb5_free_ktypes is available])])
+ AC_CHECK_FUNC_EXT(krb5_set_real_time, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_set_default_in_tkt_etypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_set_default_tgs_ktypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_principal2salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_use_enctype, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_string_to_key, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_pw_salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_string_to_key_salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setkey, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setuseruserkey, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_ktypes, $KRB5_LIBS)
+ LIBS="$LIBS $KRB5_LIBS"
+
AC_CACHE_CHECK([for addrtype in krb5_address],
samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
AC_TRY_COMPILE([#include <krb5.h>],
@@ -2365,87 +2453,21 @@
[Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available])
fi
- ########################################################
- # now see if we can find the krb5 libs in standard paths
- # or as specified above
- AC_CHECK_LIB(krb5, krb5_mk_req_extended, [KRB5_LIBS="$LIBS -lkrb5";
- KRB5_CFLAGS="$CFLAGS";
- AC_DEFINE(HAVE_KRB5,1,[Whether KRB5 is available])])
-
- ########################################################
- # now see if we can find the gssapi libs in standard paths
- AC_CHECK_LIB(gssapi_krb5, gss_display_status,
- [KRB5_LIBS="$KRB5_LIBS -lgssapi_krb5";
- AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])
-
- CFLAGS="$ac_save_CFLAGS"
- LIBS="$ac_save_LIBS"
-fi
-
-########################################################
-# Compile with LDAP support?
-
-LDAP_OBJ=""
-with_ldap_support=yes
-AC_MSG_CHECKING([whether to use LDAP])
-
-AC_ARG_WITH(ldap,
-[ --with-ldap LDAP support (default yes)],
-[ case "$withval" in
- no)
- with_ldap_support=no
- ;;
- esac ])
-
-AC_MSG_RESULT($with_ldap_support)
-
-SMBLDAP=""
-if test x"$with_ldap_support" = x"yes"; then
- ac_save_LIBS="$LIBS"
- LIBS=""
-
- ##################################################################
- # we might need the lber lib on some systems. To avoid link errors
- # this test must be before the libldap test
- AC_CHECK_LIB(lber, ber_scanf)
-
- ########################################################
- # now see if we can find the ldap libs in standard paths
- if test x$have_ldap != xyes; then
- AC_CHECK_LIB(ldap, ldap_init, [
- LIBS="$LIBS -lldap";
- AC_CHECK_LIB(ldap, ldap_domain2hostlist, [
- AC_DEFINE(HAVE_LDAP,1,[Whether ldap is available])
- AC_CHECK_HEADERS([ldap.h lber.h],
- [default_static_modules="$default_static_modules pdb_ldap idmap_ldap";
- SMBLDAP="lib/smbldap.o"])
- ])
- ])
-
- ########################################################
- # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
- # Check found in pam_ldap 145.
- AC_CHECK_FUNCS(ldap_set_rebind_proc)
- AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, pam_ldap_cv_ldap_set_rebind_proc, [
- AC_TRY_COMPILE([
- #include <lber.h>
- #include <ldap.h>], [ldap_set_rebind_proc(0, 0, 0);], [pam_ldap_cv_ldap_set_rebind_proc=3], [pam_ldap_cv_ldap_set_rebind_proc=2]) ])
- AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $pam_ldap_cv_ldap_set_rebind_proc, [Number of arguments to ldap_set_rebind_proc])
- AC_CHECK_FUNCS(ldap_initialize)
- fi
-
- AC_SUBST(SMBLDAP)
- LDAP_LIBS="$LIBS";
- LIBS="$ac_save_LIBS";
-else
- # Can't have ADS support without LDAP
+ if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
+ AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
+ AC_MSG_CHECKING(whether Active Directory and krb5 support is used)
+ AC_MSG_RESULT(yes)
+ else
if test x"$with_ads_support" = x"yes"; then
- AC_MSG_ERROR(Active directory support requires LDAP)
+ AC_MSG_ERROR(libkrb5 is needed for Active Directory support)
+ else
+ AC_MSG_WARN(libkrb5 is needed for Active Directory support)
fi
-fi
-
-if test x"$with_ads_support" = x"yes"; then
- ADSLIBS="$LDAP_LIBS $KRB5_LIBS"
+ KRB5_LIBS=""
+ with_ads_support=no
+ fi
+ LIBS="$ac_save_LIBS"
fi
########################################################

View File

@ -0,0 +1,24 @@
diff -uNr samba-3.0.0beta2.orig/source/Makefile.in samba-3.0.0beta2/source/Makefile.in
--- samba-3.0.0beta2.orig/source/Makefile.in 2003-07-05 16:24:34.000000000 -0500
+++ samba-3.0.0beta2/source/Makefile.in 2003-07-05 16:24:54.000000000 -0500
@@ -579,8 +579,8 @@
PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
pam_smbpass/pam_smb_acct.o pam_smbpass/support.o \
libsmb/smbencrypt.o libsmb/smbdes.o libsmb/nterr.o \
- $(PARAM_OBJ) $(LIB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
- $(SECRETS_OBJ) $(UBIQX_OBJ)
+ $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(PASSDB_OBJ) \
+ $(GROUPDB_OBJ) $(SECRETS_OBJ) $(UBIQX_OBJ) $(SMBLDAP_OBJ)
PAM_SMBPASS_PICOOBJ = $(PAM_SMBPASS_OBJ_0:.o=.po)
@@ -1076,7 +1076,8 @@
bin/pam_smbpass.@SHLIBEXT@: $(PAM_SMBPASS_PICOOBJ)
@echo "Linking shared library $@"
- @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_PICOOBJ) -lpam $(DYNEXP) $(LIBS) -lc
+ @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_PICOOBJ) -lpam $(DYNEXP) \
+ $(PASSDBLIBS) $(LIBS) -lc
bin/libmsrpc.a: $(LIBMSRPC_PICOBJ)
@-$(AR) -rc $@ $(LIBMSRPC_PICOBJ)

View File

@ -0,0 +1,43 @@
diff -uNr samba-3.0.0beta2.orig/source/client/client.c samba-3.0.0beta2/source/client/client.c
--- samba-3.0.0beta2.orig/source/client/client.c 2003-07-01 22:36:24.000000000 -0500
+++ samba-3.0.0beta2/source/client/client.c 2003-07-06 15:17:36.000000000 -0500
@@ -2731,6 +2731,7 @@
int opt;
pstring query_host;
BOOL message = False;
+ char* tar_args = NULL;
extern char tar_type;
pstring term_code;
static const char *new_name_resolve_order = NULL;
@@ -2816,7 +2817,7 @@
max_protocol = interpret_protocol(poptGetOptArg(pc), max_protocol);
break;
case 'T':
- if (!tar_parseargs(argc, argv, poptGetOptArg(pc), optind)) {
+ if (!(tar_args = poptGetOptArg(pc))) {
poptPrintUsage(pc, stderr, 0);
exit(1);
}
@@ -2848,6 +2849,22 @@
pstrcpy(cmdline_auth_info.password,poptGetArg(pc));
}
+ /* The tar command may take a number of string options; pass
+ everything we have left to tar_parseargs(). */
+ if (tar_args) {
+ const char **argv2 = poptGetArgs(pc);
+ int argc2 = 0;
+
+ if (argv2) {
+ while (argv2[argc2]) argc2++;
+ }
+
+ if (!tar_parseargs(argc2, argv2, tar_args, 0)) {
+ poptPrintUsage(pc, stderr, 0);
+ exit(1);
+ }
+ }
+
init_names();
if(new_name_resolve_order)

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,440 @@
Summary: Samba SMB client and server
Name: samba
Version: PVERSION
Release: PRELEASE
License: GNU GPL version 2
Group: Networking
Source: http://download.samba.org/samba/ftp/samba-%{version}.tar.bz2
Packager: Gerald Carter [Samba-Team] <jerry@samba.org>
Requires: pam >= 0.72 kernel >= 2.2.1 glibc >= 2.1.2
Prereq: chkconfig fileutils
Provides: samba = %{version}
Obsoletes: samba-common, samba-client, samba-swat
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Prefix: /usr
%description
Samba provides an SMB/CIFS server which can be used to provide
network file and print services to SMB/CIFS clients, including
various versions of MS Windows, OS/2, and other Linux machines.
Samba also provides some SMB clients, which complement the
built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP
(NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS
frame) protocol.
Samba 3.0 also introduces UNICODE support and kerberos/ldap
integration as a member server in a Windows 2000 domain.
Please refer to the WHATSNEW.txt document for fixup information.
docs directory for implementation details.
%changelog
* Mon Nov 18 2002 Gerald Carter <jerry@samba.org>
- removed change log entries since history
is being maintained in CVS
%prep
%setup
%build
## Build main Samba source
cd source
%ifarch ia64
libtoolize --copy --force # get it to recognize IA-64
autoheader
autoconf
EXTRA="-D_LARGEFILE64_SOURCE"
%endif
NUMCPU=`grep processor /proc/cpuinfo | wc -l`
if [ ! -f "configure" ]; then
./autogen.sh
fi
CFLAGS="$RPM_OPT_FLAGS $EXTRA" ./configure \
--prefix=%{prefix} \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--with-fhs \
--with-quotas \
--with-smbmount \
--with-pam \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=%{prefix}/share/swat/using_samba \
--with-swatdir=%{prefix}/share/swat \
--with-libsmbclient
make -j${NUMCPU} proto
make -j${NUMCPU} all nsswitch/libnss_wins.so modules
make -j${NUMCPU} debug2html
make -j${NUMCPU} bin/smbspool
# Remove some permission bits to avoid to many dependencies
find examples docs -type f | xargs -r chmod -x
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/sbin
mkdir -p $RPM_BUILD_ROOT/etc/samba
mkdir -p $RPM_BUILD_ROOT/etc/{logrotate.d,pam.d,samba}
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
mkdir -p $RPM_BUILD_ROOT%{prefix}/{bin,sbin}
mkdir -p $RPM_BUILD_ROOT%{prefix}/share/swat/{images,help,include,using_samba}
mkdir -p $RPM_BUILD_ROOT%{prefix}/share/swat/using_samba/{figs,gifs}
mkdir -p $RPM_BUILD_ROOTMANDIR_MACRO
mkdir -p $RPM_BUILD_ROOT/var/cache/samba
mkdir -p $RPM_BUILD_ROOT/var/{log,run}/samba
mkdir -p $RPM_BUILD_ROOT/var/spool/samba
mkdir -p $RPM_BUILD_ROOT/lib/security
mkdir -p $RPM_BUILD_ROOT%{prefix}/lib/samba/vfs
mkdir -p $RPM_BUILD_ROOT%{prefix}/{lib,include}
# Install standard binary files
for i in nmblookup smbclient smbpasswd smbstatus testparm testprns \
rpcclient smbspool smbcacls smbcontrol wbinfo smbmnt net \
smbcacls pdbedit tdbbackup smbtree
do
install -m755 source/bin/$i $RPM_BUILD_ROOT%{prefix}/bin
done
for i in mksmbpasswd.sh smbtar findsmb
do
install -m755 source/script/$i $RPM_BUILD_ROOT%{prefix}/bin
done
# Install secure binary files
for i in smbd nmbd swat smbmount smbumount debug2html winbindd
do
install -m755 source/bin/$i $RPM_BUILD_ROOT%{prefix}/sbin
done
# we need a symlink for mount to recognise the smb and smbfs filesystem types
ln -sf %{prefix}/sbin/smbmount $RPM_BUILD_ROOT/sbin/mount.smbfs
ln -sf %{prefix}/sbin/smbmount $RPM_BUILD_ROOT/sbin/mount.smb
# This allows us to get away without duplicating code that
# sombody else can maintain for us.
cd source
make DESTDIR=$RPM_BUILD_ROOT \
BASEDIR=/usr \
CONFIGDIR=/etc/samba \
LIBDIR=%{prefix}/lib/samba \
VARDIR=/var \
SBINDIR=%{prefix}/sbin \
BINDIR=$%{prefix}/bin \
MANDIR=MANDIR_MACRO \
SWATDIR=%{prefix}/share/swat \
SAMBABOOK=%{prefix}/share/swat/using_samba \
installman installswat installdat installmodules
cd ..
# Install the nsswitch wins library
install -m755 source/nsswitch/libnss_wins.so $RPM_BUILD_ROOT/lib
( cd $RPM_BUILD_ROOT/lib; ln -sf libnss_wins.so libnss_wins.so.2; )
# Install winbind shared libraries
install -m755 source/nsswitch/libnss_winbind.so $RPM_BUILD_ROOT/lib
( cd $RPM_BUILD_ROOT/lib; ln -sf libnss_winbind.so libnss_winbind.so.2; )
install -m755 source/nsswitch/pam_winbind.so $RPM_BUILD_ROOT/lib/security
# Install pam_smbpass.so
install -m755 source/bin/pam_smbpass.so $RPM_BUILD_ROOT/lib/security
# libsmbclient
install -m 755 source/bin/libsmbclient.so $RPM_BUILD_ROOT%{prefix}/lib/
install -m 755 source/bin/libsmbclient.a $RPM_BUILD_ROOT%{prefix}/lib/
install -m 644 source/include/libsmbclient.h $RPM_BUILD_ROOT%{prefix}/include/
# Install SWAT helper files
#for i in swat/help/*.html docs/htmldocs/*.html
#do
# install -m644 $i $RPM_BUILD_ROOT%{prefix}/share/swat/help
#done
#for i in swat/images/*.gif
#do
# install -m644 $i $RPM_BUILD_ROOT%{prefix}/share/swat/images
#done
#for i in swat/include/*.html
#do
# install -m644 $i $RPM_BUILD_ROOT%{prefix}/share/swat/include
#done
# Install the miscellany
install -m755 swat/README $RPM_BUILD_ROOT%{prefix}/share/swat/README
install -m755 packaging/RedHat/smbprint $RPM_BUILD_ROOT%{prefix}/bin
install -m755 packaging/RedHat/smb.init $RPM_BUILD_ROOT/etc/rc.d/init.d/smb
install -m755 packaging/RedHat/winbind.init $RPM_BUILD_ROOT/etc/rc.d/init.d/winbind
install -m755 packaging/RedHat/smb.init $RPM_BUILD_ROOT%{prefix}/sbin/samba
install -m644 packaging/RedHat/samba.log $RPM_BUILD_ROOT/etc/logrotate.d/samba
install -m644 packaging/RedHat/smb.conf $RPM_BUILD_ROOT/etc/samba/smb.conf
install -m644 packaging/RedHat/smbusers $RPM_BUILD_ROOT/etc/samba/smbusers
install -m644 packaging/RedHat/samba.pamd $RPM_BUILD_ROOT/etc/pam.d/samba
install -m644 packaging/RedHat/samba.pamd.stack $RPM_BUILD_ROOT/etc/samba/samba.stack
install -m644 packaging/RedHat/samba.xinetd $RPM_BUILD_ROOT/etc/samba/samba.xinetd
echo 127.0.0.1 localhost > $RPM_BUILD_ROOT/etc/samba/lmhosts
# Remove "*.old" files
find $RPM_BUILD_ROOT -name "*.old" -exec rm -f {} \;
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ "$1" -eq "1" ]; then
/sbin/chkconfig --add smb
/sbin/chkconfig --add winbind
/sbin/chkconfig smb off
/sbin/chkconfig winbind off
fi
echo "Looking for old /etc/smb.conf..."
if [ -f /etc/smb.conf -a ! -f /etc/samba/smb.conf ]; then
echo "Moving old /etc/smb.conf to /etc/samba/smb.conf"
mv /etc/smb.conf /etc/samba/smb.conf
fi
echo "Looking for old /etc/smbusers..."
if [ -f /etc/smbusers -a ! -f /etc/samba/smbusers ]; then
echo "Moving old /etc/smbusers to /etc/samba/smbusers"
mv /etc/smbusers /etc/samba/smbusers
fi
echo "Looking for old /etc/lmhosts..."
if [ -f /etc/lmhosts -a ! -f /etc/samba/lmhosts ]; then
echo "Moving old /etc/lmhosts to /etc/samba/lmhosts"
mv /etc/lmhosts /etc/samba/lmhosts
fi
echo "Looking for old /etc/MACHINE.SID..."
if [ -f /etc/MACHINE.SID -a ! -f /etc/samba/MACHINE.SID ]; then
echo "Moving old /etc/MACHINE.SID to /etc/samba/MACHINE.SID"
mv /etc/MACHINE.SID /etc/samba/MACHINE.SID
fi
echo "Looking for old /etc/smbpasswd..."
if [ -f /etc/smbpasswd -a ! -f /etc/samba/smbpasswd ]; then
echo "Moving old /etc/smbpasswd to /etc/samba/smbpasswd"
mv /etc/smbpasswd /etc/samba/smbpasswd
fi
#
# For 2.2.1 we move the tdb files from /var/lock/samba to /var/cache/samba
# to preserve across reboots.
#
echo "Moving tdb files in /var/lock/samba/*.tdb to /var/cache/samba/*.tdb"
for i in /var/lock/samba/*.tdb
do
if [ -f $i ]; then
newname=`echo $i | sed -e's|var\/lock\/samba|var\/cache\/samba|'`
echo "Moving $i to $newname"
mv $i $newname
fi
done
# Remove the transient tdb files.
if [ -e /var/cache/samba/brlock.tdb ]; then
rm -f /var/cache/samba/brlock.tdb
fi
if [ -e /var/cache/samba/unexpected.tdb ]; then
rm -f /var/cache/samba/unexpected.tdb
fi
if [ -e /var/cache/samba/connections.tdb ]; then
rm -f /var/cache/samba/connections.tdb
fi
if [ -e /var/cache/samba/locking.tdb ]; then
rm -f /var/cache/samba/locking.tdb
fi
if [ -e /var/cache/samba/messages.tdb ]; then
rm -f /var/cache/samba/messages.tdb
fi
if [ -d /var/lock/samba ]; then
rm -rf /var/lock/samba
fi
# Add swat entry to /etc/services if not already there.
if !( grep ^[:space:]*swat /etc/services > /dev/null ) then
echo 'swat 901/tcp # Add swat service used via inetd' >> /etc/services
fi
# Add swat entry to /etc/inetd.conf if needed.
if [ -f /etc/inetd.conf ]; then
if !( grep ^[:space:]*swat /etc/inetd.conf > /dev/null ) then
echo 'swat stream tcp nowait.400 root %{prefix}/sbin/swat swat' >> /etc/inetd.conf
killall -1 inetd || :
fi
fi
# Add swat entry to xinetd.d if needed.
if [ -d $RPM_BUILD_ROOT/etc/xinetd.d -a ! -f /etc/xinetd.d/swat ]; then
mv /etc/samba/samba.xinetd /etc/xinetd.d/swat
else
rm -f /etc/samba/samba.xinetd
fi
# Install the correct version of the samba pam file, depending on pam version.
if [ -f /lib/security/pam_stack.so ]; then
echo "Installing stack version of /etc/pam.d/samba..."
mv /etc/samba/samba.stack /etc/pam.d/samba
else
echo "Installing non-stack version of /etc/pam.d/samba..."
rm -f /etc/samba/samba.stack
fi
# Create winbind nss client symlink
if [ -e /lib/libnss_winbind.so ]; then
ln -sf /lib/libnss_winbind.so /lib/libnss_winbind.so.2
fi
%preun
if [ $1 = 0 ] ; then
/sbin/chkconfig --del smb
# We want to remove the browse.dat and wins.dat files so they can not interfer with a new version of samba!
if [ -e /var/cache/samba/browse.dat ]; then
rm -f /var/cache/samba/browse.dat
fi
if [ -e /var/cache/samba/wins.dat ]; then
rm -f /var/cache/samba/wins.dat
fi
# Remove the transient tdb files.
if [ -e /var/cache/samba/brlock.tdb ]; then
rm -f /var/cache/samba/brlock.tdb
fi
if [ -e /var/cache/samba/unexpected.tdb ]; then
rm -f /var/cache/samba/unexpected.tdb
fi
if [ -e /var/cache/samba/connections.tdb ]; then
rm -f /var/cache/samba/connections.tdb
fi
if [ -e /var/cache/samba/locking.tdb ]; then
rm -f /var/cache/samba/locking.tdb
fi
if [ -e /var/cache/samba/messages.tdb ]; then
rm -f /var/cache/samba/messages.tdb
fi
# Remove winbind nss client symlink
if [ -L /lib/libnss_winbind.so.2 ]; then
rm -f /lib/libnss_winbind.so.2
fi
fi
%postun
# Only delete remnants of samba if this is the final deletion.
if [ $1 = 0 ] ; then
if [ -x /etc/pam.d/samba ]; then
rm -f /etc/pam.d/samba
fi
if [ -e /var/log/samba ]; then
rm -rf /var/log/samba
fi
if [ -e /var/cache/samba ]; then
rm -rf /var/cache/samba
fi
# Remove swat entries from /etc/inetd.conf and /etc/services
cd /etc
tmpfile=/etc/tmp.$$
if [ -f /etc/inetd.conf ]; then
# preserve inetd.conf permissions.
cp -p /etc/inetd.conf $tmpfile
sed -e '/^[:space:]*swat.*$/d' /etc/inetd.conf > $tmpfile
mv $tmpfile inetd.conf
fi
# preserve services permissions.
cp -p /etc/services $tmpfile
sed -e '/^[:space:]*swat.*$/d' /etc/services > $tmpfile
mv $tmpfile /etc/services
# Remove swat entry from /etc/xinetd.d
if [ -f /etc/xinetd.d/swat ]; then
rm -r /etc/xinetd.d/swat
fi
fi
%files
%defattr(-,root,root)
%doc README COPYING Manifest Read-Manifest-Now
%doc WHATSNEW.txt Roadmap
%doc docs
%doc swat/README
%doc examples
%{prefix}/sbin/smbd
%{prefix}/sbin/nmbd
%{prefix}/sbin/swat
%{prefix}/bin/smbmnt
%{prefix}/sbin/smbmount
%{prefix}/sbin/smbumount
%{prefix}/sbin/winbindd
%{prefix}/sbin/samba
%{prefix}/sbin/debug2html
/sbin/mount.smbfs
/sbin/mount.smb
%{prefix}/bin/mksmbpasswd.sh
%{prefix}/bin/smbclient
%{prefix}/bin/smbspool
%{prefix}/bin/rpcclient
%{prefix}/bin/testparm
%{prefix}/bin/testprns
%{prefix}/bin/findsmb
%{prefix}/bin/smbstatus
%{prefix}/bin/nmblookup
%{prefix}/bin/smbpasswd
%{prefix}/bin/smbtar
%{prefix}/bin/smbprint
%{prefix}/bin/smbcontrol
%{prefix}/bin/wbinfo
%{prefix}/bin/net
%{prefix}/bin/smbcacls
%{prefix}/bin/pdbedit
%{prefix}/bin/tdbbackup
%{prefix}/bin/smbtree
%attr(755,root,root) /lib/libnss_wins.s*
%attr(755,root,root) %{prefix}/lib/samba/vfs/*.so
#%attr(755,root,root) %{prefix}/lib/samba/pdb/*.so
%attr(755,root,root) %{prefix}/lib/samba/*.dat
%{prefix}/include/libsmbclient.h
%{prefix}/lib/libsmbclient.a
%{prefix}/lib/libsmbclient.so
%{prefix}/share/swat/help/*
%{prefix}/share/swat/images/*
%{prefix}/share/swat/include/*.html
%{prefix}/share/swat/lang/*/help/*
%{prefix}/share/swat/lang/*/images/*
%{prefix}/share/swat/lang/*/include/*.html
%{prefix}/share/swat/using_samba/*
%{prefix}/share/swat/README
%config(noreplace) /etc/samba/lmhosts
%config(noreplace) /etc/samba/smb.conf
%config(noreplace) /etc/samba/smbusers
/etc/samba/samba.stack
/etc/samba/samba.xinetd
/etc/rc.d/init.d/smb
/etc/rc.d/init.d/winbind
/etc/logrotate.d/samba
%config(noreplace) /etc/pam.d/samba
MANDIR_MACRO/man1/*
MANDIR_MACRO/man5/*
MANDIR_MACRO/man7/*
MANDIR_MACRO/man8/*
%attr(755,root,root) %dir /var/cache/samba
%dir /var/log/samba
%dir /var/run/samba
%attr(1777,root,root) %dir /var/spool/samba
%attr(-,root,root) /lib/libnss_winbind.so
%attr(-,root,root) /lib/security/pam_winbind.so
%attr(-,root,root) /lib/security/pam_smbpass.so

View File

@ -0,0 +1,4 @@
inetd.conf
pkginfo
prototype
samba.server

18
packaging/SuSE/README Normal file
View File

@ -0,0 +1,18 @@
Date: March 29, 2003
Note: The current packaging files are NOT officially supported files.
---------------------------------------------------------------------
While the SPEC file shows who the original author was, these files imply no warranty of
fitness what so ever. These files are NOT official SuSE files and are NOT supported by
them. If you have ANY problems with the use of these files then please email jht@samba.org
and NOT SuSE support.
These files may be used to build Samba-3.0 packages for SuSE Linux 8.1 and/or for
UnitedLinux 1.0 systems.
Note2: You most likely will need to update to heimdal-0.5.1 or later if you intend to
use any Kerberos functionality.
- John T.

View File

@ -0,0 +1,97 @@
--- source/param/loadparm.c Wed Oct 9 21:17:05 2002
+++ source/param/loadparm.c Mon Oct 14 16:33:08 2002
@@ -386,6 +386,8 @@
BOOL bInheritPerms;
BOOL bInheritACLS;
BOOL bMSDfsRoot;
+ BOOL bMSDfsProxy;
+ char *bMSDfsLinkName;
BOOL bUseClientDriver;
BOOL bDefaultDevmode;
BOOL bNTAclSupport;
@@ -508,6 +510,8 @@
False, /* bInheritPerms */
False, /* bInheritACLS */
False, /* bMSDfsRoot */
+ False, /* bMSDfsProxy */
+ NULL, /* bMSDfsLinkName */
False, /* bUseClientDriver */
False, /* bDefaultDevmode */
True, /* bNTAclSupport */
@@ -1079,6 +1083,8 @@
{"msdfs root", P_BOOL, P_LOCAL, &sDefault.bMSDfsRoot, NULL, NULL, FLAG_SHARE},
+ {"msdfs proxy", P_BOOL, P_LOCAL, &sDefault.bMSDfsProxy, NULL, NULL, FLAG_SHARE},
+ {"msdfs link name", P_STRING, P_LOCAL, &sDefault.bMSDfsLinkName, NULL, NULL, FLAG_SHARE},
{"host msdfs", P_BOOL, P_GLOBAL, &Globals.bHostMSDfs, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"Winbind options", P_SEP, P_SEPARATOR},
@@ -1730,6 +1736,8 @@
FN_LOCAL_STRING(lp_veto_oplocks, szVetoOplockFiles)
FN_LOCAL_STRING(lp_driverlocation, szPrinterDriverLocation)
FN_LOCAL_BOOL(lp_msdfs_root, bMSDfsRoot)
+FN_LOCAL_BOOL(lp_msdfs_proxy, bMSDfsProxy)
+FN_LOCAL_STRING(lp_msdfs_link_name, bMSDfsLinkName)
FN_LOCAL_BOOL(lp_autoloaded, autoloaded)
FN_LOCAL_BOOL(lp_preexec_close, bPreexecClose)
FN_LOCAL_BOOL(lp_rootpreexec_close, bRootpreexecClose)
--- source/msdfs/msdfs.c Tue Jul 2 08:34:24 2002
+++ source/msdfs/msdfs.c Mon Oct 14 16:49:57 2002
@@ -600,12 +600,38 @@
int reply_size = 0;
char *pathnamep = pathname;
+ struct connection_struct conns;
+ struct connection_struct* conn = &conns;
+ int snum;
+ pstring conn_path;
+ struct dfs_path dpi;
+
+ struct junction_map junction2;
+ parse_dfs_path(pathname, &dpi);
+ pstrcpy(junction2.service_name, dpi.servicename);
+ snum = lp_servicenumber(junction2.service_name);
+ create_conn_struct(conn, snum, conn_path);
+
+
ZERO_STRUCT(junction);
/* get the junction entry */
if (!pathnamep)
return -1;
+ if (lp_msdfs_proxy(SNUM(conn))) {
+ DEBUG(10,("running in proxy mode\n"));
+ pstrcpy(pathnamep, "\\");
+ pstrcat(pathnamep, dpi.hostname);
+ pstrcat(pathnamep, "\\");
+ pstrcat(pathnamep, dpi.servicename);
+ pstrcat(pathnamep, "\\");
+ pstrcat(pathnamep, (char *) lp_msdfs_link_name(SNUM(conn)));
+ } else {
+ DEBUG(10,("running in normal mode\n"));
+ }
+
+
/* Trim pathname sent by client so it begins with only one backslash.
Two backslashes confuse some dfs clients
*/
@@ -631,6 +657,17 @@
}
}
+ if ( lp_msdfs_proxy(SNUM(conn)) ) {
+ DEBUG(10,("running in proxy mode\n"));
+ pstrcpy ( pathnamep, "\\" );
+ pstrcat ( pathnamep, dpi.hostname);
+ pstrcat ( pathnamep, "\\" );
+ pstrcat ( pathnamep, dpi.servicename);
+ } else {
+ DEBUG(10,("running in normal mode\n"));
+ }
+
+
/* create the referral depeding on version */
DEBUG(10,("max_referral_level :%d\n",max_referral_level));
if(max_referral_level<2 || max_referral_level>3)

View File

@ -0,0 +1,140 @@
diff -Nur source/utils/net.c source/utils/net.c
--- source/utils/net.c Fri Sep 27 09:42:34 2002
+++ source/utils/net.c Tue Oct 1 12:22:00 2002
@@ -68,6 +68,7 @@
int opt_port = 0;
int opt_maxusers = -1;
char *opt_comment = "";
+char *opt_container = "cn=Users";
int opt_flags = -1;
int opt_jobid = 0;
int opt_timeout = 0;
@@ -459,6 +460,7 @@
{"myname", 'n', POPT_ARG_STRING, &opt_requester_name},
{"conf", 's', POPT_ARG_STRING, &servicesf},
{"server", 'S', POPT_ARG_STRING, &opt_host},
+ {"container", 'c', POPT_ARG_STRING, &opt_container},
{"comment", 'C', POPT_ARG_STRING, &opt_comment},
{"maxusers", 'M', POPT_ARG_INT, &opt_maxusers},
{"flags", 'F', POPT_ARG_INT, &opt_flags},
diff -Nur source/utils/net.h source/utils/net.h
--- source/utils/net.h Tue Jun 25 04:29:09 2002
+++ source/utils/net.h Tue Oct 1 12:19:51 2002
@@ -38,10 +38,8 @@
extern int opt_maxusers;
extern char *opt_comment;
+extern char *opt_container;
extern int opt_flags;
-
-extern char *opt_comment;
-
extern char *opt_target_workgroup;
extern int opt_long_list_entries;
extern int opt_reboot;
diff -Nur source/utils/net_ads.c source/utils/net_ads.c
--- source/utils/net_ads.c Tue Sep 17 14:15:52 2002
+++ source/utils/net_ads.c Tue Oct 1 12:33:44 2002
@@ -255,7 +255,7 @@
goto done;
}
- status = ads_add_user_acct(ads, argv[0], opt_comment);
+ status = ads_add_user_acct(ads, argv[0], opt_container, opt_comment);
if (!ADS_ERR_OK(status)) {
d_printf("Could not add user %s: %s\n", argv[0],
@@ -431,7 +431,7 @@
goto done;
}
- status = ads_add_group_acct(ads, argv[0], opt_comment);
+ status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment);
if (ADS_ERR_OK(status)) {
d_printf("Group %s added\n", argv[0]);
diff -Nur source/utils/net_help.c source/utils/net_help.c
--- source/utils/net_help.c Tue Sep 24 20:10:30 2002
+++ source/utils/net_help.c Tue Oct 1 13:01:50 2002
@@ -69,14 +69,14 @@
"\n\tDelete specified user\n");
d_printf("\nnet [<method>] user INFO <name> [misc. options] [targets]"\
"\n\tList the domain groups of the specified user\n");
- d_printf("\nnet [<method>] user ADD <name> [password] "\
+ d_printf("\nnet [<method>] user ADD <name> [password] [-c container] "\
"[-F user flags] [misc. options]"\
" [targets]\n\tAdd specified user\n");
net_common_methods_usage(argc, argv);
net_common_flags_usage(argc, argv);
- d_printf(
- "\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
+ d_printf("\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
+ d_printf("\t-c or --container=<container>\tLDAP container, defaults to cn=Users (for add in ADS only)\n");
return -1;
}
@@ -85,12 +85,12 @@
"\n\tList user groups\n\n");
d_printf("net [<method>] group DELETE <name> [misc. options] [targets]"\
"\n\tDelete specified group\n");
- d_printf("\nnet [<method>] group ADD <name> [-C comment]"\
+ d_printf("\nnet [<method>] group ADD <name> [-C comment] [-c container]"\
" [misc. options] [targets]\n\tCreate specified group\n");
net_common_methods_usage(argc, argv);
net_common_flags_usage(argc, argv);
- d_printf(
- "\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
+ d_printf("\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
+ d_printf("\t-c or --container=<container>\tLDAP container, defaults to cn=Users (for add in ADS only)\n");
return -1;
}
diff -Nur source/libads/ldap_user.c source/libads/ldap_user.c
--- source/libads/ldap_user.c Wed Aug 7 12:33:22 2002
+++ source/libads/ldap_user.c Tue Oct 1 12:46:08 2002
@@ -38,7 +38,7 @@
}
ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
- const char *fullname)
+ const char *container, const char *fullname)
{
TALLOC_CTX *ctx;
ADS_MODLIST mods;
@@ -57,7 +60,7 @@
if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm)))
goto done;
- if (!(new_dn = talloc_asprintf(ctx, "cn=%s,cn=Users,%s", name,
+ if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name, container,
ads->config.bind_path)))
goto done;
if (!(controlstr = talloc_asprintf(ctx, "%u", UF_NORMAL_ACCOUNT)))
@@ -80,7 +83,7 @@
}
ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
- const char *comment)
+ const char *container, const char *comment)
{
TALLOC_CTX *ctx;
ADS_MODLIST mods;
@@ -93,7 +96,7 @@
status = ADS_ERROR(LDAP_NO_MEMORY);
- if (!(new_dn = talloc_asprintf(ctx, "cn=%s,cn=Users,%s", group,
+ if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", group, container,
ads->config.bind_path)))
goto done;
if (!(mods = ads_init_mods(ctx)))
@@ -102,7 +105,7 @@
ads_mod_str(ctx, &mods, "cn", group);
ads_mod_strlist(ctx, &mods, "objectClass",objectClass);
ads_mod_str(ctx, &mods, "name", group);
- if (comment)
+ if (comment && *comment)
ads_mod_str(ctx, &mods, "description", comment);
ads_mod_str(ctx, &mods, "sAMAccountName", group);
status = ads_gen_add(ads, new_dn, mods);

View File

@ -0,0 +1,11 @@
--- examples/pdb/Makefile Thu Sep 5 02:11:41 2002
+++ examples/pdb/Makefile Thu Sep 5 02:11:59 2002
@@ -8,7 +8,7 @@
SAMBA_INCL = ../../source/include
UBIQX_SRC = ../../source/ubiqx
SMBWR_SRC = ../../source/smbwrapper
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -Wall -g
+CFLAGS = -I/usr/include/heimdal -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -Wall -g
PDB_OBJS = pdb_test.so
# Default target

View File

@ -0,0 +1,44 @@
--- source/python/py_common.c 2002-12-22 03:07:40.000000000 +0100
+++ source/python/py_common.c 2002-11-29 11:50:22.000000000 +0100
@@ -45,9 +45,6 @@
void py_samba_init(void)
{
- extern pstring global_myname;
- char *p;
-
if (initialised)
return;
@@ -59,11 +56,7 @@
/* Misc other stuff */
load_interfaces();
-
- fstrcpy(global_myname, myhostname());
- p = strchr(global_myname, '.');
- if (p)
- *p = 0;
+ init_names();
initialised = True;
}
--- source/python/py_smb.c 2002-11-27 03:54:20.000000000 +0100
+++ source/python/py_smb.c 2002-11-29 11:50:22.000000000 +0100
@@ -61,7 +61,6 @@
static char *kwlist[] = { "called", "calling", NULL };
char *calling_name = NULL, *called_name;
struct nmb_name calling, called;
- extern pstring global_myname;
BOOL result;
if (!PyArg_ParseTupleAndKeywords(args, kw, "s|s", kwlist, &called_name,
@@ -69,7 +68,7 @@
return NULL;
if (!calling_name)
- calling_name = global_myname;
+ calling_name = global_myname();
make_nmb_name(&calling, calling_name, 0x00);
make_nmb_name(&called, called_name, 0x20);

View File

@ -0,0 +1,80 @@
--- examples/VFS/samba-vscan-0.3.1/fprot/Makefile 2002-11-26 15:20:17.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/fprot/Makefile 2002-12-19 13:26:19.000000000 +0100
@@ -14,7 +14,7 @@
SMBWR_SRC = ../../../../source/smbwrapper
SMBVS_INCL = ../include
SMBVS_GLB = ../global
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
VFS_OBJS = vscan-fprotd.so
SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-fprotd.c vscan-fprotd_core.c vscan-fprotd.h vscan-fprotd_core.h
OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-fprotd.lo vscan-fprotd_core.lo
--- examples/VFS/samba-vscan-0.3.1/include/vscan-global.h 2002-11-25 16:48:10.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/include/vscan-global.h 2002-12-19 13:26:34.000000000 +0100
@@ -93,7 +93,7 @@
*/
#ifndef SAMBA_VERSION_MAJOR
-# define SAMBA_VERSION_MAJOR 2
+# define SAMBA_VERSION_MAJOR 3
#endif
#ifndef SAMBA_VERSION_MINOR
--- examples/VFS/samba-vscan-0.3.1/kaspersky/Makefile 2002-11-28 17:40:35.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/kaspersky/Makefile 2002-12-19 13:27:23.000000000 +0100
@@ -23,9 +23,9 @@
VFS_OBJS = vscan-kavp.so
ifdef USE_DEBUG
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
else
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
endif
ifndef USE_KAVPSHAREDLIB
--- examples/VFS/samba-vscan-0.3.1/mks/Makefile 2002-11-26 16:29:55.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/mks/Makefile 2002-12-19 13:27:53.000000000 +0100
@@ -13,7 +13,7 @@
SMBWR_SRC = ../../../../source/smbwrapper
SMBVS_INCL = ../include
SMBVS_GLB = ../global
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
VFS_OBJS = vscan-mksd.so
SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-mksd.c vscan-mksd_core.c vscan-mksd.h vscan-mksd_core.h mks.h mks_c.c
OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-mksd.lo vscan-mksd_core.lo mks_c.lo
--- examples/VFS/samba-vscan-0.3.1/openantivirus/Makefile 2002-11-27 19:24:03.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/openantivirus/Makefile 2002-12-19 13:28:10.000000000 +0100
@@ -15,7 +15,7 @@
SMBWR_SRC = ../../../../source/smbwrapper
SMBVS_INCL = ../include
SMBVS_GLB = ../global
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
VFS_OBJS = vscan-oav.so
SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-oav.c vscan-oav_core.c vscan-oav.h vscan-oav_core.h
OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-oav.lo vscan-oav_core.lo
--- examples/VFS/samba-vscan-0.3.1/sophos/Makefile 2002-11-27 19:24:03.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/sophos/Makefile 2002-12-19 13:29:20.000000000 +0100
@@ -15,7 +15,7 @@
SMBWR_SRC = ../../../../source/smbwrapper
SMBVS_INCL = ../include
SMBVS_GLB = ../global
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
VFS_OBJS = vscan-sophos.so
SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-sophos.c vscan-sophos_core.c vscan-sophos.h vscan-sophos_core.h
OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-sophos.lo vscan-sophos_core.lo
--- examples/VFS/samba-vscan-0.3.1/trend/Makefile 2002-11-27 19:24:03.000000000 +0100
+++ examples/VFS/samba-vscan-0.3.1/trend/Makefile 2002-12-19 13:29:31.000000000 +0100
@@ -15,7 +15,7 @@
SMBWR_SRC = ../../../../source/smbwrapper
SMBVS_INCL = ../include
SMBVS_GLB = ../global
-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
VFS_OBJS = vscan-trend.so
SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-trend.c vscan-trend_core.c vscan-trend.h vscan-trend_core.h
OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-trend.lo vscan-trend_core.lo

Binary file not shown.

Binary file not shown.

764
packaging/SuSE/samba3.spec Normal file
View File

@ -0,0 +1,764 @@
#
# spec file for package samba (Version HEAD) CVS
#
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# packaged by Guenther Deschner <gd@suse.de> - work is not finished yet !
# neededforbuild acl acl-devel attr attr-devel autoconf automake heimdal-devel heimdal-lib libxml2 libxml2-devel mysql-devel mysql-shared openldap2 openldap2-client openldap2-devel openssl openssl-devel popt popt-devel python python-devel readline readline-devel
# usedforbuild aaa_base aaa_version acl attr bash bind9-utils bison cpio cpp cyrus-sasl db devs diffutils e2fsprogs file filesystem fileutils fillup findutils flex gawk gdbm-devel glibc glibc-devel glibc-locale gpm grep groff gzip kbd less libgcc libstdc++ libxcrypt m4 make man mktemp modutils ncurses ncurses-devel net-tools netcfg pam pam-devel pam-modules patch permissions ps rcs readline sed sendmail sh-utils shadow strace syslogd sysvinit tar texinfo textutils timezone unzip util-linux vim zlib-devel acl-devel attr-devel autoconf automake binutils bzip2 cracklib gcc gdbm gettext heimdal-devel heimdal-lib libtool libxml2 libxml2-devel mysql-devel mysql-shared openldap2 openldap2-client openldap2-devel openssl openssl-devel perl popt popt-devel python python-devel readline-devel rpm zlib
Vendor: SuSE Linux AG, GS Berlin, Germany
Distribution: SuSE Linux 8.1 (i386)
Name: samba
Packager: gd@suse.de
License: GPL
Group: Productivity/Networking/Samba
Url: http://www.samba.org
Provides: samba smbfs
Obsoletes: samba-classic samba-ldap
Autoreqprov: on
%define smbwrap 0
%define mit_kerberos 0
%define heimdal_kerberos 1
%define devel 0
%define head 0
%define python 1
%define netatalk 0
%define newsam 0
%define samba_ver 3.0.0
Requires: samba-client = %{samba_ver}
Version: 3.0.0
Release: %(date +%%j)
Summary: An SMB file server for Unix
Source: %{name}-%{version}.tar.bz2
Source10: %{name}-%{version}.files.tar.bz2
Source50: http://prdownloads.sourceforge.net/openantivirus/samba-vscan-%{vscan_ver}.tar.bz2
Patch1: %{name}-%{version}-pdb.diff
Patch10: %{name}-%{version}-net_ads.diff
Patch22: %{name}-%{version}-msdfs.diff
Patch30: %{name}-%{version}-python.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
%define DOCDIR %{_defaultdocdir}/%{name}
%define SWATDIR %{_datadir}/samba/swat
%define vscan_ver 0.3.1
%define vscan_modules fprot kaspersky mks openantivirus sophos trend
Patch51: %{name}-%{version}-vscan.diff
%package client
Summary: Samba client utilities
Autoreqprov: on
Requires: cups-libs
Obsoletes: smbclnt samba-classic-client samba-ldap-client
Group: Productivity/Networking/Samba
%package winbind
Requires: samba-client samba
Summary: Samba Winbind-package
Autoreqprov: on
Group: Productivity/Networking/Samba
%package utils
Summary: Samba Testing Utilities
Autoreqprov: on
Group: Productivity/Networking/Samba
%package doc
Summary: Samba Documentation
Autoreqprov: on
Group: Productivity/Networking/Samba
%package pdb
Summary: Samba PDB-Modules
Autoreqprov: on
Group: Productivity/Networking/Samba
%package vfs
Summary: Samba VFS-Modules
Autoreqprov: on
Group: Productivity/Networking/Samba
%if %{newsam} > 0
%package sam
Summary: Samba SAM-Modules
Autoreqprov: on
Group: Productivity/Networking/Samba
%endif
%package vscan
Summary: Samba VFS-Modules for Virusscanners
Autoreqprov: on
Group: Productivity/Networking/Samba
Version: 0.3.1
%package python
Summary: Samba Python-Modules
Autoreqprov: on
Group: Productivity/Networking/Samba
%changelog
* Sat Nov 3 2001 - gd@suse.de
- start
%prep
[ $RPM_BUILD_ROOT = "/" ] && (echo "your buildroot is /" && exit 0) || rm -rf $RPM_BUILD_ROOT
mkdir $RPM_BUILD_ROOT
%setup -n %{name}-%{samba_ver}
%setup -T -D -a 50
cp -ar samba-vscan-%{vscan_ver} examples/VFS/
# untar my configs
%setup -T -D -a 10
%if %{heimdal_kerberos} > 0
%patch1
%patch51
%endif
#%patch10
#%patch22
#%patch30
find . -name CVS -print | xargs rm -rf
find . -name ".cvsignore" -print | xargs rm -rf
find . -name "'*.gd'" -print | xargs rm -rvf
find . -name "'*.orig'" -print | xargs rm -rvf
%build %{name}-%{samba_ver}
%{?suse_update_config:%{suse_update_config -f}}
cd source
./autogen.sh
libtoolize --force --copy
autoconf
export CFLAGS="$RPM_OPT_FLAGS -Wall -O -D_GNU_SOURCE -D_LARGEFILE64_SOURCE"
%ifarch ppc64
export CFLAGS="$CFLAGS -mminimal-toc"
%endif
CONF_OPTS_BASIC="\
--prefix=/usr \
--libdir=/etc/samba \
--localstatedir=/var/lib/samba \
--mandir=%{_mandir} \
--sbindir=/usr/sbin \
--with-privatedir=/etc/samba \
--with-piddir=/var/run/samba \
--with-codepagedir=/usr/share/samba/codepages \
--with-swatdir=/usr/share/samba/swat \
--with-smbmount \
--with-automount \
--enable-cups \
--with-msdfs \
--with-vfs \
--with-pam \
--with-pam_smbpass \
--with-utmp \
--with-winbind \
--with-tdbsam \
--with-ldapsam \
%if %{smbwrap}
--with-smbwrapper \
%endif
--with-quotas \
--with-acl-support \
--with-python=python2.2 \
--with-syslog \
"
CONF_OPTS_HEAD="\
--with-sam \
"
CONF_OPTS_HEIMDAL_KERBEROS="\
--with-krb5impl=heimdal \
"
CONF_OPTS_HEIMDAL_51_KERBEROS="\
--with-krb5impl=heimdal \
--with-krb5includes=/opt/heimdal-0.5.1/include \
--with-krb5libs=/opt/heimdal-0.5.1/lib \
"
CONF_OPTS_MIT_KERBEROS="\
--with-krb5impl=mit \
--with-krb5includes=/usr/kerberos/include \
--with-krb5libs=/usr/kerberos/lib \
"
CONF_OPTS_DEVEL="\
--enable-developer \
--enable-krb5developer \
--with-profiling-data \
"
CONF_OPTS="$CONF_OPTS_BASIC"
%if %{head} > 0
CONF_OPTS="$CONF_OPTS $CONF_OPTS_HEAD"
%endif
%if %{heimdal_kerberos} > 0
CONF_OPTS="$CONF_OPTS $CONF_OPTS_HEIMDAL_KERBEROS"
%endif
%if %{mit_kerberos} > 0
CONF_OPTS="$CONF_OPTS $CONF_OPTS_MIT_KERBEROS"
%endif
%if %{devel} > 0
CONF_OPTS="$CONF_OPTS $CONF_OPTS_DEVEL"
%endif
./configure $CONF_OPTS
### --with-ldapsam is now standard!
### --with-sendfile-support ---default now
# --with-nisplussam \
# --with-nisplus_home \
# with the new passdb-code we can finaly compile several passdb-backends
# and make our choice at runtime.
# HEAD and thus alpha21 no longer need this
#make proto
make \
LOCKDIR=/var/lib/samba \
LOGFILEBASE=/var/log/samba \
SBINDIR=/usr/sbin \
all \
torture \
nsswitch/libnss_wins.so \
debug2html \
libsmbclient \
bin/profiles \
everything
# everything = nsswitch smbwrapper smbtorture debug2html smbfilter nsswitch/libnss_wins.so
%if %{newsam} > 0
make bin/samtest
%endif
make modules
make -C tdb tdbdump tdbtest tdbtool tdbtorture
# tdbbackup is now in main Makefile
make talloctort
# VFS,PDB and SAM
EXAMPLEDIRS="pdb"
for i in $EXAMPLEDIRS; do make -C ../examples/$i; done
export USE_KAVPSHAREDLIB=0
for module in %{vscan_modules}; do
make -C ../examples/VFS/%{name}-vscan-%{vscan_ver}/${module};
done
# tim potters python
%if %{python} > 0
make python_ext
%endif
%install
mkdir -p \
$RPM_BUILD_ROOT/usr/{bin,sbin} \
$RPM_BUILD_ROOT/usr/share/{man,samba/{scripts,swat}} \
$RPM_BUILD_ROOT/usr/lib/samba/{vfs,pdb,sam,vscan} \
$RPM_BUILD_ROOT/usr/lib/python2.2/lib-dynload \
$RPM_BUILD_ROOT/usr/include \
$RPM_BUILD_ROOT/etc/{pam.d,init.d,samba} \
$RPM_BUILD_ROOT/var/adm \
$RPM_BUILD_ROOT/sbin \
$RPM_BUILD_ROOT/lib/security \
$RPM_BUILD_ROOT/%{DOCDIR} \
$RPM_BUILD_ROOT/%{DOCDIR}-vscan \
$RPM_BUILD_ROOT/var/spool/samba \
$RPM_BUILD_ROOT/var/log/samba \
$RPM_BUILD_ROOT/var/run/samba \
$RPM_BUILD_ROOT/var/lib/samba/{netlogon,drivers/{W32X86,WIN40,W32ALPHA,W32MIPS,W32PPC},profiles}
cd source/
make install \
LIBDIR=$RPM_BUILD_ROOT/etc/samba \
LOGFILEBASE=$RPM_BUILD_ROOT/var/log/samba \
CONFIGFILE=$RPM_BUILD_ROOT/etc/samba/smb.conf \
LMHOSTSFILE=$RPM_BUILD_ROOT/etc/samba/lmhosts \
SWATDIR=$RPM_BUILD_ROOT/usr/share/samba/swat \
SBINDIR=$RPM_BUILD_ROOT/usr/sbin \
LOCKDIR=$RPM_BUILD_ROOT/var/lock/samba \
CODEPAGEDIR=$RPM_BUILD_ROOT/usr/share/samba/codepages \
DRIVERFILE=$RPM_BUILD_ROOT/etc/samba/printers.def \
BINDIR=$RPM_BUILD_ROOT/usr/bin \
SMB_PASSWD_FILE=$RPM_BUILD_ROOT/etc/samba/smbpasswd \
TDB_PASSWD_FILE=$RPM_BUILD_ROOT/etc/samba/smbpasswd.tdb \
MANDIR=$RPM_BUILD_ROOT/usr/share/man
cd ..
# utility scripts
%if %{head} > 0
scripts="creategroup cvslog.pl scancvslog.pl"
%else
scripts="scancvslog.pl"
%endif
for i in $scripts; do
cp -a source/script/$i $RPM_BUILD_ROOT/usr/share/samba/scripts/
done
# move the man-pages (ugly lang thing, fixed in alpha16)
#mv $RPM_BUILD_ROOT/usr/share/man/lang/* $RPM_BUILD_ROOT/usr/share/man/
# configuration files
install -m 644 smb.conf* $RPM_BUILD_ROOT/etc/samba/
install -m 644 shares.conf $RPM_BUILD_ROOT/etc/samba/
install -m 644 lmhosts $RPM_BUILD_ROOT/etc/samba/
install -m 600 smbpasswd -o root -g root $RPM_BUILD_ROOT/etc/samba/
# pam
install -m 644 samba.pamd $RPM_BUILD_ROOT/etc/pam.d/samba
# sambamount
ln -sf /usr/bin/smbmount $RPM_BUILD_ROOT/sbin/mount.smbfs
# start scripts
install rc.smb $RPM_BUILD_ROOT/etc/init.d/smb
ln -sf ../../etc/init.d/smb $RPM_BUILD_ROOT/usr/sbin/rcsmb
install rc.smbfs $RPM_BUILD_ROOT/etc/init.d/smbfs
ln -sf ../../etc/init.d/smbfs $RPM_BUILD_ROOT/usr/sbin/rcsmbfs
install rc.winbind $RPM_BUILD_ROOT/etc/init.d/winbind
ln -sf ../../etc/init.d/winbind $RPM_BUILD_ROOT/usr/sbin/rcwinbind
install rc.wrepl $RPM_BUILD_ROOT/etc/init.d/wrepl
ln -sf ../../etc/init.d/wrepl $RPM_BUILD_ROOT/usr/sbin/rcwrepl
#### disabled for 8.0
### rc.config fragment
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
cp rc.config.samba $RPM_BUILD_ROOT/var/adm/fillup-templates
cp rc.config.winbind $RPM_BUILD_ROOT/var/adm/fillup-templates
cp rc.config.wrepl $RPM_BUILD_ROOT/var/adm/fillup-templates
# libnss_wins.so
cp source/nsswitch/libnss_wins.so $RPM_BUILD_ROOT/lib/libnss_wins.so
ln -sf /lib/libnss_wins.so $RPM_BUILD_ROOT/lib/libnss_wins.so.2
# winbind stuff
cp -a source/nsswitch/pam_winbind.so $RPM_BUILD_ROOT/lib/security/
cp -a source/nsswitch/libnss_winbind.so $RPM_BUILD_ROOT/lib/
cp -a source/bin/winbindd $RPM_BUILD_ROOT/usr/sbin/
ln -sf /lib/libnss_winbind.so $RPM_BUILD_ROOT/lib/libnss_winbind.so.2
# pam_smbpass
cp -a source/bin/pam_smbpass.so $RPM_BUILD_ROOT/lib/security/
# smbfilter
cp -a source/bin/smbfilter $RPM_BUILD_ROOT/usr/bin/
%{?suse_check}
## install libsmbclient
install -m0755 source/bin/{libsmbclient.so,libsmbclient.a} $RPM_BUILD_ROOT/%{_libdir}
ln -s /usr/lib/libsmbclient.so $RPM_BUILD_ROOT/%{_libdir}/libsmbclient.so.0
install -m0644 source/include/libsmbclient.h $RPM_BUILD_ROOT/%{_includedir}
# install smbtorture and other test-programs
install -m0755 source/bin/smbtorture $RPM_BUILD_ROOT/usr/bin/
install -m0755 source/bin/talloctort $RPM_BUILD_ROOT/usr/bin/
install -m0755 source/bin/{msgtest,masktest,locktest*} $RPM_BUILD_ROOT/usr/bin/
install -m0755 source/bin/{vfstest,nsstest} $RPM_BUILD_ROOT/usr/bin/
%if %{head} > 0
%if %{newsam} > 0
install -m0755 source/bin/samtest $RPM_BUILD_ROOT/usr/bin/
%endif
%endif
# install tdb tools
install -m0755 source/tdb/{tdbdump,tdbtest,tdbtool,tdbtorture} $RPM_BUILD_ROOT/usr/bin/
# install VFS-modules
%if %{head} > 0
install -m0755 source/bin/developer.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
#install -m0755 examples/VFS/block/block.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
#install -m0755 examples/VFS/skel.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
%else
#install -m0755 examples/VFS/block/block.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
#install -m0755 examples/VFS/skel.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
%endif
install -m0755 source/bin/vfs_audit.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
install -m0755 source/bin/vfs_extd_audit.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
install -m0755 source/bin/vfs_recycle.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
%if %{netatalk}
install -m0755 source/bin/vfs_netatalk.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
%endif
# install PDB-modules
%if %{head} > 0
install -m0755 source/bin/xml.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
install -m0755 source/bin/mysql.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
%else
install -m0755 source/bin/pdb_xml.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
install -m0755 source/bin/pdb_mysql.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
%endif
install -m0755 examples/pdb/pdb_test.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
# install SAM-modules
%if %{head} > 0
%if %{newsam} > 0
install -m0755 examples/sam/sam_skel.so $RPM_BUILD_ROOT/%{_libdir}/samba/sam/
%endif
%endif
# install VSCAN-vfs-modules
install -m0755 examples/VFS/%{name}-vscan-%{vscan_ver}/*/*.so $RPM_BUILD_ROOT/%{_libdir}/samba/vscan/
# make examples clean
VFS="$RPM_BUILD_DIR/%{name}-%{samba_ver}/examples/VFS"
VSCAN="$VFS/%{name}-vscan-%{vscan_ver}"
PDB="$RPM_BUILD_DIR/%{name}-%{samba_ver}/examples/pdb"
%if %{head} > 0
%if %{newsam} > 0
SAM="$RPM_BUILD_DIR/%{name}-%{samba_ver}/examples/sam"
%endif
%endif
dirs="$PDB $SAM"
(for i in $dirs; do make -C $i clean; done)
(for i in %{vscan_modules}; do make -C $VSCAN/$i clean; done)
%if %{python} > 0
# install python
cp -a source/build/lib.*/samba $RPM_BUILD_ROOT/usr/lib/python2.2/lib-dynload/
%endif
# whats this ?
install -m0755 source/bin/debug2html $RPM_BUILD_ROOT/usr/bin/
%if %{smbwrap}
# install smbwrapper
install -m0755 source/bin/smbwrapper.so $RPM_BUILD_ROOT/%{_libdir}/samba/
install -m0755 source/bin/smbsh $RPM_BUILD_ROOT/usr/bin/
%endif
# finally obsolete with alpha17 makefile
# install unicode-codepages
#install -m0755 source/codepages/{lowcase,upcase,valid}.dat $RPM_BUILD_ROOT/etc/samba/
# cleanup docs
rm -rf docs/*.[0-9]
chmod 644 `find docs examples -type f`
chmod 755 `find docs examples -type d`
mv COPYING Manifest README Read-Manifest-Now Roadmap WHATSNEW.txt $RPM_BUILD_ROOT/%{DOCDIR}/
cp source/msdfs/README $RPM_BUILD_ROOT/%{DOCDIR}/README.msdfs
#cp source/nsswitch/README $RPM_BUILD_ROOT/%{DOCDIR}/README.nsswitch
cp source/smbwrapper/README $RPM_BUILD_ROOT/%{DOCDIR}/README.smbwrapper
cp -a docs/* $RPM_BUILD_ROOT/%{DOCDIR}
cp -a examples/ $RPM_BUILD_ROOT/%{DOCDIR}
# save space...
rm -r \
$RPM_BUILD_ROOT/%{SWATDIR}/using_samba
ln -s %{DOCDIR}/htmldocs/using_samba $RPM_BUILD_ROOT/%{SWATDIR}
%post
###### disabled for 8.1
###echo "Updating etc/rc.config..."
##if [ -x bin/fillup ] ; then
## bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.samba
## bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.winbind
##else
## echo "ERROR: fillup not found. This should not happen. Please compare"
## echo "etc/rc.config and var/adm/fillup-templates/rc.config.samba and"
## echo "var/adm/fillup-templates/rc.config.winbind and update by hand."
##fi
mkdir -p $RPM_BUILD_ROOT/var/adm/notify/messages
cat << EOF > var/adm/notify/messages/samba-notify
Achtung!
This is %{name}-%{samba_ver}. Please do not run on production systems.
You have been warned.
EOF
# Initialize runlevel links
#
%{fillup_and_insserv smb}
#sbin/insserv /etc/init.d/smb
%post client
#sbin/insserv /etc/init.d/smbfs
%{fillup_and_insserv -fpy smbfs}
%{fillup_only -ans samba client}
%postun
%{insserv_cleanup}
#sbin/insserv /etc/init.d/
%postun client
%{insserv_cleanup}
#sbin/insserv /etc/init.d/
%post winbind
%{fillup_and_insserv winbind}
#sbin/insserv /etc/init.d/winbind
%postun winbind
%{insserv_cleanup}
#sbin/insserv /etc/init.d/
%clean
#make -C source realclean
%files
%config(noreplace) /etc/samba/smbpasswd
%config /etc/pam.d/samba
%config /etc/init.d/smb
%config /etc/init.d/wrepl
#/usr/bin/make_printerdef
/usr/bin/addtosmbpass
/usr/bin/convert_smbpasswd
/usr/bin/ntlm_auth
/usr/bin/profiles
/usr/bin/smbfilter
/usr/bin/smbpasswd
/usr/bin/smbstatus
/usr/bin/testparm
/usr/bin/testprns
#%doc %{_mandir}/man1/smbrun.1.gz
%doc %{_mandir}/man1/smbsh.1.gz
%doc %{_mandir}/man1/smbstatus.1.gz
%doc %{_mandir}/man1/testparm.1.gz
%doc %{_mandir}/man1/testprns.1.gz
%doc %{_mandir}/man5/smbpasswd.5.gz
%doc %{_mandir}/man7/samba.7.gz
%doc %{_mandir}/man8/nmbd.8.gz
%doc %{_mandir}/man8/smbd.8.gz
%doc %{_mandir}/man8/smbpasswd.8.gz
%doc %{_mandir}/man8/swat.8.gz
/usr/sbin/nmbd
/usr/sbin/smbd
/usr/sbin/swat
/usr/sbin/wrepld
/usr/sbin/rcsmb
/usr/sbin/rcwrepl
#/var/adm/fillup-templates/rc.config.samba
/var/log/samba
/var/spool/samba
/var/run/samba
/var/lib/samba
/usr/share/samba
/lib/security/pam_smbpass.so
%files client
%config(noreplace) /etc/samba/smb.conf
%config(noreplace) /etc/samba/lmhosts
/etc/samba/lowcase.dat
/etc/samba/upcase.dat
/etc/samba/valid.dat
%config /etc/init.d/smbfs
/usr/sbin/rcsmbfs
/sbin/mount.smbfs
/usr/bin/findsmb
/usr/bin/net
/usr/bin/nmblookup
/usr/bin/pdbedit
/usr/bin/rpcclient
/usr/bin/smbcacls
/usr/bin/smbcontrol
/usr/bin/smbclient
/usr/bin/smbmnt
/usr/bin/smbmount
%if %{smbwrap}
/usr/bin/smbsh
%endif
/usr/bin/smbumount
/usr/bin/smbspool
/usr/bin/smbtar
/usr/bin/smbtree
%doc %{_mandir}/man1/nmblookup.1.gz
%doc %{_mandir}/man1/rpcclient.1.gz
%doc %{_mandir}/man1/smbclient.1.gz
%doc %{_mandir}/man1/smbcacls.1.gz
%doc %{_mandir}/man1/smbcontrol.1.gz
%doc %{_mandir}/man1/smbtar.1.gz
%doc %{_mandir}/man5/lmhosts.5.gz
%doc %{_mandir}/man5/smb.conf.5.gz
%doc %{_mandir}/man8/net.8.gz
%doc %{_mandir}/man8/pdbedit.8.gz
%doc %{_mandir}/man8/smbmnt.8.gz
%doc %{_mandir}/man8/smbmount.8.gz
%doc %{_mandir}/man8/smbspool.8.gz
%doc %{_mandir}/man8/smbumount.8.gz
/usr/include/libsmbclient.h
%if %{smbwrap}
/usr/lib/samba/smbwrapper.so
%endif
/usr/lib/libsmbclient.a
/usr/lib/libsmbclient.so
/usr/lib/libsmbclient.so.0
%files winbind
%config(noreplace) /etc/samba/smb.conf.winbind
%config /etc/init.d/winbind
%doc %{_mandir}/man1/wbinfo.1.gz
%doc %{_mandir}/man8/winbindd.8.gz
/usr/bin/wbinfo
%if %{head} > 0
/usr/bin/ntlm_auth
%endif
/usr/sbin/winbindd
/usr/sbin/rcwinbind
#/var/adm/fillup-templates/rc.config.winbind
/lib/security/pam_winbind.so
/lib/libnss_winbind.so
/lib/libnss_winbind.so.2
/lib/libnss_wins.so
/lib/libnss_wins.so.2
%files utils
/usr/bin/smbtorture
/usr/bin/msgtest
/usr/bin/masktest
/usr/bin/locktest
/usr/bin/locktest2
/usr/bin/debug2html
/usr/bin/talloctort
/usr/bin/tdbbackup
/usr/bin/tdbdump
/usr/bin/tdbtest
/usr/bin/tdbtool
/usr/bin/tdbtorture
/usr/bin/vfstest
/usr/bin/nsstest
%if %{head} > 0
%if %{newsam} > 0
/usr/bin/samtest
%endif
/usr/bin/profiles
/usr/bin/editreg
%endif
%doc %{_mandir}/man1/vfstest.1.gz
%files doc
%docdir %{DOCDIR}
%{DOCDIR}
%files pdb
/usr/lib/samba/pdb
%doc examples/pdb/*
%files vfs
/usr/lib/samba/vfs
%doc examples/VFS/README*
%doc examples/VFS/Makefile*
#doc examples/VFS/audit*
#%doc examples/VFS/block*
#doc examples/VFS/netatalk*
#doc examples/VFS/recycle*
%doc examples/VFS/skel*
%if %{newsam} > 0
%files sam
/usr/lib/samba/sam
%if %{head} > 0
%doc examples/sam/*
%endif
%endif
%files vscan
/usr/lib/samba/vscan
%doc %{name}-vscan-%{vscan_ver}/{AUTHORS,COPYING,ChangeLog,FAQ,NEWS,README,TODO}
%files python
%doc source/python/README
%if %{python} > 0
/usr/lib/python2.2/lib-dynload/samba
%doc source/python/examples
%doc source/python/gprinterdata
%doc source/python/gtdbtool
%doc source/python/gtkdictbrowser.py
%if %{head} > 0
%doc source/python/gtkdictbrowser.pyc
%doc source/python/printerdata.pyc
%endif
%endif
%description
Samba is a suite of programs which work together to allow clients to
access Unix filespace and printers via the SMB protocol (Server Message
Block).
In practice, this means that you can redirect disks and printers to
Unix disks and printers from LAN Manager clients, Windows for
Workgroups 3.11 clients, Windows'95 clients, Windows NT clients
and OS/2 clients. There is
also a Unix client program supplied as part of the suite which allows
Unix users to use an ftp-like interface to access filespace and
printers on any other SMB server.
Samba includes the following programs (in summary):
* smbd, the SMB server. This handles actual connections from clients.
* nmbd, the Netbios name server, which helps clients locate servers.
* smbclient, the Unix-hosted client program.
* smbrun, a little 'glue' program to help the server run external
programs.
* testprns, a program to test server access to printers.
* testparm, a program to test the Samba configuration file for correctness.
* smb.conf, the Samba configuration file.
* smbprint, a sample script to allow a Unix host to use smbclient
to print to an SMB server.
The suite is supplied with full source and is GPLed.
This package expects its config file under /etc/smb.conf .
Authors:
--------
Andrew Tridgell <Andrew.Tridgell@anu.edu.au>
Karl Auer <Karl.Auer@anu.edu.au>
Jeremy Allison <jeremy@netcom.com>
SuSE series: n
%description client
This package contains all programs, that are needed to act as a samba
client. This includes also smbmount, of course.
Authors:
--------
Andrew Tridgell <Andrew.Tridgell@anu.edu.au>
Karl Auer <Karl.Auer@anu.edu.au>
Jeremy Allison <jeremy@netcom.com>
SuSE series: n
%description winbind
This is the winbind-daemon and the wbinfo-tool.
%description utils
Some of the debug-tools for developpers.
Contains:
- debug2html
- locktest
- locktest2
- masktest
- msgtest
- smbtorture
- talloctort
- several tdb-tools
%description doc
The Samba Documentation.
%description vfs
The Samba VFS-Modules.
%description pdb
The Samba PDB-Modules.
%if %{newsam} > 0
%description sam
The Samba SAM-Modules.
%endif
%description vscan
The Samba VFS-Modules for Virusscanners.
%description python
The Samba python-Modules.

36
source3/build-me Executable file
View File

@ -0,0 +1,36 @@
#!/bin/sh
umask 022
## Build options
CONFIGUREOPT="--enable-debug --enable-developer --with-pam --with-libsmbclient=no --with-static-modules"
export CONFIGUREOPT
./autogen.sh
case "$1" in
dmalloc)
env CFLAGS="-Wall" ./configure \
--enable-dmalloc \
$CONFIGUREOPT
;;
insure)
env CFLAGS="-g" CC="insure" ./configure \
$CONFIGUREOPT
;;
ccache)
env CFLAGS="-Wall" CC="ccache gcc" ./configure \
$CONFIGUREOPT
;;
*)
env CFLAGS="-Wall" ./configure \
$CONFIGUREOPT
;;
esac
## disable optimization
sed 's/-O //g' Makefile | sed 's/-O2 //g' > Makefile.new; /bin/mv -f Makefile.new Makefile
## build
make proto
make all modules

142
source3/include/smbldap.h Normal file
View File

@ -0,0 +1,142 @@
/*
Unix SMB/CIFS mplementation.
LDAP protocol helper functions for SAMBA
Copyright (C) Gerald Carter 2001-2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#ifndef _SMBLDAP_H
#define _SMBLDAP_H
#ifdef HAVE_LDAP
/* specify schema versions between 2.2. and 3.0 */
#define SCHEMAVER_SAMBAACCOUNT 1
#define SCHEMAVER_SAMBASAMACCOUNT 2
/* objectclass names */
#define LDAP_OBJ_SAMBASAMACCOUNT "sambaSamAccount"
#define LDAP_OBJ_SAMBAACCOUNT "sambaAccount"
#define LDAP_OBJ_GROUPMAP "sambaGroupMapping"
#define LDAP_OBJ_DOMINFO "sambaDomain"
#define LDAP_OBJ_IDPOOL "sambaUnixIdPool"
#define LDAP_OBJ_IDMAP_ENTRY "sambaIdmapEntry"
#define LDAP_OBJ_SID_ENTRY "sambaSidEntry"
#define LDAP_OBJ_ACCOUNT "account"
#define LDAP_OBJ_POSIXACCOUNT "posixAccount"
#define LDAP_OBJ_POSIXGROUP "posixGroup"
#define LDAP_OBJ_OU "organizationalUnit"
/* some generic attributes that get reused a lot */
#define LDAP_ATTRIBUTE_SID "sambaSID"
#define LDAP_ATTRIBUTE_UIDNUMBER "uidNumber"
#define LDAP_ATTRIBUTE_GIDNUMBER "gidNumber"
/* attribute map table indexes */
#define LDAP_ATTR_LIST_END 0
#define LDAP_ATTR_UID 1
#define LDAP_ATTR_UIDNUMBER 2
#define LDAP_ATTR_GIDNUMBER 3
#define LDAP_ATTR_UNIX_HOME 4
#define LDAP_ATTR_PWD_LAST_SET 5
#define LDAP_ATTR_PWD_CAN_CHANGE 6
#define LDAP_ATTR_PWD_MUST_CHANGE 7
#define LDAP_ATTR_LOGON_TIME 8
#define LDAP_ATTR_LOGOFF_TIME 9
#define LDAP_ATTR_KICKOFF_TIME 10
#define LDAP_ATTR_CN 11
#define LDAP_ATTR_DISPLAY_NAME 12
#define LDAP_ATTR_HOME_PATH 13
#define LDAP_ATTR_LOGON_SCRIPT 14
#define LDAP_ATTR_PROFILE_PATH 15
#define LDAP_ATTR_DESC 16
#define LDAP_ATTR_USER_WKS 17
#define LDAP_ATTR_USER_SID 18
#define LDAP_ATTR_USER_RID 18
#define LDAP_ATTR_PRIMARY_GROUP_SID 19
#define LDAP_ATTR_PRIMARY_GROUP_RID 20
#define LDAP_ATTR_LMPW 21
#define LDAP_ATTR_NTPW 22
#define LDAP_ATTR_DOMAIN 23
#define LDAP_ATTR_OBJCLASS 24
#define LDAP_ATTR_ACB_INFO 25
#define LDAP_ATTR_NEXT_USERRID 26
#define LDAP_ATTR_NEXT_GROUPRID 27
#define LDAP_ATTR_DOM_SID 28
#define LDAP_ATTR_HOME_DRIVE 29
#define LDAP_ATTR_GROUP_SID 30
#define LDAP_ATTR_GROUP_TYPE 31
#define LDAP_ATTR_SID 32
#define LDAP_ATTR_ALGORITHMIC_RID_BASE 33
#define LDAP_ATTR_NEXT_RID 34
typedef struct _attrib_map_entry {
int attrib;
const char *name;
} ATTRIB_MAP_ENTRY;
/* structures */
extern ATTRIB_MAP_ENTRY attrib_map_v22[];
extern ATTRIB_MAP_ENTRY attrib_map_v30[];
extern ATTRIB_MAP_ENTRY dominfo_attr_list[];
extern ATTRIB_MAP_ENTRY groupmap_attr_list[];
extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[];
extern ATTRIB_MAP_ENTRY idpool_attr_list[];
extern ATTRIB_MAP_ENTRY sidmap_attr_list[];
/* Function declarations -- not included in proto.h so we don't
have to worry about LDAP structure types */
const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key );
char** get_attr_list( ATTRIB_MAP_ENTRY table[] );
void free_attr_list( char **list );
void smbldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value);
void smbldap_make_mod(LDAP *ldap_struct, LDAPMessage *existing,
LDAPMod ***mods,
const char *attribute, const char *newval);
BOOL smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
const char *attribute, pstring value);
/**
* Struct to keep the state for all the ldap stuff
*
*/
struct smbldap_state {
LDAP *ldap_struct;
time_t last_ping;
/* retrive-once info */
const char *uri;
char *bind_dn;
char *bind_secret;
unsigned int num_failures;
};
#endif /* HAVE_LDAP */
struct smbldap_state;
#endif /* _SMBLDAP_H */

204
source3/include/sysquotas.h Normal file
View File

@ -0,0 +1,204 @@
/*
Unix SMB/CIFS implementation.
SYS QUOTA code constants
Copyright (C) Stefan (metze) Metzmacher 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#ifndef _SYSQUOTAS_H
#define _SYSQUOTAS_H
#ifdef HAVE_SYS_QUOTAS
/* Sometimes we need this on linux for linux/quota.h */
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_ASM_TYPES_H
#include <asm/types.h>
#endif
/*
* This shouldn't be neccessary - it should be /usr/include/sys/quota.h
* Unfortunately, RH7.1 ships with a different quota system using struct mem_dqblk
* rather than the struct dqblk defined in /usr/include/sys/quota.h.
* This means we must include linux/quota.h to have a hope of working on
* RH7.1 systems. And it also means this breaks if the kernel is upgraded
* to a Linus 2.4.x (where x > the minor number shipped with RH7.1) until
* Linus synchronises with the AC patches. Sometimes I *hate* Linux :-). JRA.
*/
#ifdef HAVE_LINUX_QUOTA_H
#include <linux/quota.h>
#elif defined(HAVE_SYS_QUOTA_H)
#include <sys/quota.h>
#endif
#if defined(HAVE_STRUCT_IF_DQBLK)
# define SYS_DQBLK if_dqblk
# define dqb_curblocks dqb_curspace/bsize
#elif defined(HAVE_STRUCT_MEM_DQBLK)
# define SYS_DQBLK mem_dqblk
# define dqb_curblocks dqb_curspace/bsize
#else /* STRUCT_DQBLK */
# define SYS_DQBLK dqblk
#endif
#ifndef Q_SETQLIM
#define Q_SETQLIM Q_SETQUOTA
#endif
/*********************************************
check for XFS QUOTA MANAGER
*********************************************/
/* on linux */
#ifdef HAVE_LINUX_XQM_H
# include <linux/xqm.h>
# define HAVE_XFS_QUOTA
#else
# ifdef HAVE_XFS_XQM_H
# include <xfs/xqm.h>
# define HAVE_XFS_QUOTA
# else
# ifdef HAVE_LINUX_DQBLK_XFS_H
# include <linux/dqblk_xfs.h>
# define HAVE_XFS_QUOTA
# endif
# endif
#endif
/* on IRIX */
#ifdef Q_XGETQUOTA
# ifndef HAVE_XFS_QUOTA
# define HAVE_XFS_QUOTA
# ifndef Q_XQUOTAON
# define Q_XQUOTAON Q_QUOTAON
# endif /* Q_XQUOTAON */
# ifndef Q_XQUOTAOFF
# define Q_XQUOTAOFF Q_QUOTAOFF
# endif /* Q_XQUOTAOFF */
# ifndef Q_XGETQSTAT
# define Q_XGETQSTAT Q_GETQSTAT
# endif /* Q_XGETQSTAT */
# endif /* HAVE_XFS_QUOTA */
#endif /* Q_XGETQUOTA */
#ifdef HAVE_XFS_QUOTA
/* Linux has BBSIZE in <linux/xfs_fs.h>
* or <xfs/xfs_fs.h>
* IRIX has BBSIZE in <sys/param.h>
*/
#ifdef HAVE_LINUX_XFS_FS_H
#include <linux/xfs_fs.h>
#elif defined(HAVE_XFS_XFS_FS_H)
#include <xfs/xfs_fs.h>
#endif /* *_XFS_FS_H */
#ifndef BBSHIFT
#define BBSHIFT 9
#endif /* BBSHIFT */
#ifndef BBSIZE
#define BBSIZE (1<<BBSHIFT)
#endif /* BBSIZE */
#endif /* HAVE_XFS_QUOTA */
#ifdef LINUX
# ifndef QUOTABLOCK_SIZE
# define QUOTABLOCK_SIZE 1024
# endif
/* end LINUX */
#elif defined(IRIX6)
# ifndef QUOTABLOCK_SIZE
# define QUOTABLOCK_SIZE BBSIZE
# endif
/* end IRIX6 */
#else /* HPUP,... */
# ifndef QUOTABLOCK_SIZE
# define QUOTABLOCK_SIZE DEV_BSIZE
# endif
#endif /* HPUP,... */
#if !defined(QUOTAFILENAME) && defined(QFILENAME)
#define QUOTAFILENAME QFILENAME
#endif
#ifdef INITQFNAMES
#define USERQUOTAFILE_EXTENSION ".user"
#else
#define USERQUOTAFILE_EXTENSION ""
#endif
/* this check should be before the QCMD fake! */
#if defined(QCMD)&&defined(GRPQUOTA)
#define HAVE_GROUP_QUOTA
#endif
/* on some systems we have to fake this up ...*/
#ifndef QCMD
#define QCMD(cmd,type) (cmd)
#endif /* QCMD */
#ifdef HAVE_DQB_FSOFTLIMIT
#define dqb_isoftlimit dqb_fsoftlimit
#define dqb_ihardlimit dqb_fhardlimit
#define dqb_curinodes dqb_curfiles
#endif
/* maybe we can add a configure test for HAVE_CADDR_T,
* but it's not needed
*/
#ifdef HAVE_CADDR_T
#define CADDR_T caddr_t
#else /* CADDR_T */
#define CADDR_T void*
#endif /* CADDR_T */
#if defined(HAVE_MNTENT_H)&&defined(HAVE_SETMNTENT)&&defined(HAVE_GETMNTENT)&&defined(HAVE_ENDMNTENT)
#include <mntent.h>
#define HAVE_MNTENT 1
/*#endif defined(HAVE_MNTENT_H)&&defined(HAVE_SETMNTENT)&&defined(HAVE_GETMNTENT)&&defined(HAVE_ENDMNTENT) */
#elif defined(HAVE_DEVNM_H)&&defined(HAVE_DEVNM)
#include <devnm.h>
#endif /* defined(HAVE_DEVNM_H)&&defined(HAVE_DEVNM) */
#endif /* HAVE_SYS_QUOTAS */
#ifndef QUOTABLOCK_SIZE
#define QUOTABLOCK_SIZE 1024
#endif
/**************************************************
Some stuff for the sys_quota api.
**************************************************/
#define SMB_QUOTAS_NO_LIMIT ((SMB_BIG_UINT)(0))
#define SMB_QUOTAS_NO_SPACE ((SMB_BIG_UINT)(1))
typedef struct _SMB_DISK_QUOTA {
enum SMB_QUOTA_TYPE qtype;
SMB_BIG_UINT bsize;
SMB_BIG_UINT hardlimit; /* In bsize units. */
SMB_BIG_UINT softlimit; /* In bsize units. */
SMB_BIG_UINT curblocks; /* In bsize units. */
SMB_BIG_UINT ihardlimit; /* inode hard limit. */
SMB_BIG_UINT isoftlimit; /* inode soft limit. */
SMB_BIG_UINT curinodes; /* Current used inodes. */
uint32 qflags;
} SMB_DISK_QUOTA;
#endif /*_SYSQUOTAS_H */

View File

@ -0,0 +1,309 @@
/*
Unix SMB/CIFS implementation.
VFS wrapper macros
Copyright (C) Stefan (metze) Metzmacher 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#ifndef _VFS_MACROS_H
#define _VFS_MACROS_H
/*******************************************************************
Don't access conn->vfs.ops.* directly!!!
Use this macros!
(Fixes should go also into the vfs_opaque_* and vfs_next_* macros!)
********************************************************************/
/* Disk operations */
#define SMB_VFS_CONNECT(conn, service, user) ((conn)->vfs.ops.connect((conn)->vfs.handles.connect, (conn), (service), (user)))
#define SMB_VFS_DISCONNECT(conn) ((conn)->vfs.ops.disconnect((conn)->vfs.handles.disconnect, (conn)))
#define SMB_VFS_DISK_FREE(conn, path, small_query, bsize, dfree ,dsize) ((conn)->vfs.ops.disk_free((conn)->vfs.handles.disk_free, (conn), (path), (small_query), (bsize), (dfree), (dsize)))
#define SMB_VFS_GET_QUOTA(conn, qtype, id, qt) ((conn)->vfs.ops.get_quota((conn)->vfs.handles.get_quota, (conn), (qtype), (id), (qt)))
#define SMB_VFS_SET_QUOTA(conn, qtype, id, qt) ((conn)->vfs.ops.set_quota((conn)->vfs.handles.set_quota, (conn), (qtype), (id), (qt)))
/* Directory operations */
#define SMB_VFS_OPENDIR(conn, fname) ((conn)->vfs.ops.opendir((conn)->vfs.handles.opendir, (conn), (fname)))
#define SMB_VFS_READDIR(conn, dirp) ((conn)->vfs.ops.readdir((conn)->vfs.handles.readdir, (conn), (dirp)))
#define SMB_VFS_MKDIR(conn, path, mode) ((conn)->vfs.ops.mkdir((conn)->vfs.handles.mkdir,(conn), (path), (mode)))
#define SMB_VFS_RMDIR(conn, path) ((conn)->vfs.ops.rmdir((conn)->vfs.handles.rmdir, (conn), (path)))
#define SMB_VFS_CLOSEDIR(conn, dir) ((conn)->vfs.ops.closedir((conn)->vfs.handles.closedir, (conn), dir))
/* File operations */
#define SMB_VFS_OPEN(conn, fname, flags, mode) ((conn)->vfs.ops.open((conn)->vfs.handles.open, (conn), (fname), (flags), (mode)))
#define SMB_VFS_CLOSE(fsp, fd) ((fsp)->conn->vfs.ops.close((fsp)->conn->vfs.handles.close, (fsp), (fd)))
#define SMB_VFS_READ(fsp, fd, data, n) ((fsp)->conn->vfs.ops.read((fsp)->conn->vfs.handles.read, (fsp), (fd), (data), (n)))
#define SMB_VFS_WRITE(fsp, fd, data, n) ((fsp)->conn->vfs.ops.write((fsp)->conn->vfs.handles.write, (fsp), (fd), (data), (n)))
#define SMB_VFS_LSEEK(fsp, fd, offset, whence) ((fsp)->conn->vfs.ops.lseek((fsp)->conn->vfs.handles.lseek, (fsp), (fd), (offset), (whence)))
#define SMB_VFS_SENDFILE(tofd, fsp, fromfd, header, offset, count) ((fsp)->conn->vfs.ops.sendfile((fsp)->conn->vfs.handles.sendfile, (tofd), (fsp), (fromfd), (header), (offset), (count)))
#define SMB_VFS_RENAME(conn, old, new) ((conn)->vfs.ops.rename((conn)->vfs.handles.rename, (conn), (old), (new)))
#define SMB_VFS_FSYNC(fsp, fd) ((fsp)->conn->vfs.ops.fsync((fsp)->conn->vfs.handles.fsync, (fsp), (fd)))
#define SMB_VFS_STAT(conn, fname, sbuf) ((conn)->vfs.ops.stat((conn)->vfs.handles.stat, (conn), (fname), (sbuf)))
#define SMB_VFS_FSTAT(fsp, fd, sbuf) ((fsp)->conn->vfs.ops.fstat((fsp)->conn->vfs.handles.fstat, (fsp) ,(fd) ,(sbuf)))
#define SMB_VFS_LSTAT(conn, path, sbuf) ((conn)->vfs.ops.lstat((conn)->vfs.handles.lstat, (conn), (path), (sbuf)))
#define SMB_VFS_UNLINK(conn, path) ((conn)->vfs.ops.unlink((conn)->vfs.handles.unlink, (conn), (path)))
#define SMB_VFS_CHMOD(conn, path, mode) ((conn)->vfs.ops.chmod((conn)->vfs.handles.chmod, (conn), (path), (mode)))
#define SMB_VFS_FCHMOD(fsp, fd, mode) ((fsp)->conn->vfs.ops.fchmod((fsp)->conn->vfs.handles.fchmod, (fsp), (fd), (mode)))
#define SMB_VFS_CHOWN(conn, path, uid, gid) ((conn)->vfs.ops.chown((conn)->vfs.handles.chown, (conn), (path), (uid), (gid)))
#define SMB_VFS_FCHOWN(fsp, fd, uid, gid) ((fsp)->conn->vfs.ops.fchown((fsp)->conn->vfs.handles.fchown, (fsp), (fd), (uid), (gid)))
#define SMB_VFS_CHDIR(conn, path) ((conn)->vfs.ops.chdir((conn)->vfs.handles.chdir, (conn), (path)))
#define SMB_VFS_GETWD(conn, buf) ((conn)->vfs.ops.getwd((conn)->vfs.handles.getwd, (conn), (buf)))
#define SMB_VFS_UTIME(conn, path, times) ((conn)->vfs.ops.utime((conn)->vfs.handles.utime, (conn), (path), (times)))
#define SMB_VFS_FTRUNCATE(fsp, fd, offset) ((fsp)->conn->vfs.ops.ftruncate((fsp)->conn->vfs.handles.ftruncate, (fsp), (fd), (offset)))
#define SMB_VFS_LOCK(fsp, fd, op, offset, count, type) ((fsp)->conn->vfs.ops.lock((fsp)->conn->vfs.handles.lock, (fsp), (fd) ,(op), (offset), (count), (type)))
#define SMB_VFS_SYMLINK(conn, oldpath, newpath) ((conn)->vfs.ops.symlink((conn)->vfs.handles.symlink, (conn), (oldpath), (newpath)))
#define SMB_VFS_READLINK(conn, path, buf, bufsiz) ((conn)->vfs.ops.readlink((conn)->vfs.handles.readlink, (conn), (path), (buf), (bufsiz)))
#define SMB_VFS_LINK(conn, oldpath, newpath) ((conn)->vfs.ops.link((conn)->vfs.handles.link, (conn), (oldpath), (newpath)))
#define SMB_VFS_MKNOD(conn, path, mode, dev) ((conn)->vfs.ops.mknod((conn)->vfs.handles.mknod, (conn), (path), (mode), (dev)))
#define SMB_VFS_REALPATH(conn, path, resolved_path) ((conn)->vfs.ops.realpath((conn)->vfs.handles.realpath, (conn), (path), (resolved_path)))
/* NT ACL operations. */
#define SMB_VFS_FGET_NT_ACL(fsp, fd, security_info, ppdesc) ((fsp)->conn->vfs.ops.fget_nt_acl((fsp)->conn->vfs.handles.fget_nt_acl, (fsp), (fd), (security_info), (ppdesc)))
#define SMB_VFS_GET_NT_ACL(fsp, name, security_info, ppdesc) ((fsp)->conn->vfs.ops.get_nt_acl((fsp)->conn->vfs.handles.get_nt_acl, (fsp), (name), (security_info), (ppdesc)))
#define SMB_VFS_FSET_NT_ACL(fsp, fd, security_info_sent, psd) ((fsp)->conn->vfs.ops.fset_nt_acl((fsp)->conn->vfs.handles.fset_nt_acl, (fsp), (fd), (security_info_sent), (psd)))
#define SMB_VFS_SET_NT_ACL(fsp, name, security_info_sent, psd) ((fsp)->conn->vfs.ops.set_nt_acl((fsp)->conn->vfs.handles.set_nt_acl, (fsp), (name), (security_info_sent), (psd)))
/* POSIX ACL operations. */
#define SMB_VFS_CHMOD_ACL(conn, name, mode) ((conn)->vfs.ops.chmod_acl((conn)->vfs.handles.chmod_acl, (conn), (name), (mode)))
#define SMB_VFS_FCHMOD_ACL(fsp, fd, mode) ((fsp)->conn->vfs.ops.fchmod_acl((fsp)->conn->vfs.handles.chmod_acl, (fsp), (fd), (mode)))
#define SMB_VFS_SYS_ACL_GET_ENTRY(conn, theacl, entry_id, entry_p) ((conn)->vfs.ops.sys_acl_get_entry((conn)->vfs.handles.sys_acl_get_entry, (conn), (theacl), (entry_id), (entry_p)))
#define SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry_d, tag_type_p) ((conn)->vfs.ops.sys_acl_get_tag_type((conn)->vfs.handles.sys_acl_get_tag_type, (conn), (entry_d), (tag_type_p)))
#define SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry_d, permset_p) ((conn)->vfs.ops.sys_acl_get_permset((conn)->vfs.handles.sys_acl_get_permset, (conn), (entry_d), (permset_p)))
#define SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry_d) ((conn)->vfs.ops.sys_acl_get_qualifier((conn)->vfs.handles.sys_acl_get_qualifier, (conn), (entry_d)))
#define SMB_VFS_SYS_ACL_GET_FILE(conn, path_p, type) ((conn)->vfs.ops.sys_acl_get_file((conn)->vfs.handles.sys_acl_get_file, (conn), (path_p), (type)))
#define SMB_VFS_SYS_ACL_GET_FD(fsp, fd) ((fsp)->conn->vfs.ops.sys_acl_get_fd((fsp)->conn->vfs.handles.sys_acl_get_fd, (fsp), (fd)))
#define SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, permset) ((conn)->vfs.ops.sys_acl_clear_perms((conn)->vfs.handles.sys_acl_clear_perms, (conn), (permset)))
#define SMB_VFS_SYS_ACL_ADD_PERM(conn, permset, perm) ((conn)->vfs.ops.sys_acl_add_perm((conn)->vfs.handles.sys_acl_add_perm, (conn), (permset), (perm)))
#define SMB_VFS_SYS_ACL_TO_TEXT(conn, theacl, plen) ((conn)->vfs.ops.sys_acl_to_text((conn)->vfs.handles.sys_acl_to_text, (conn), (theacl), (plen)))
#define SMB_VFS_SYS_ACL_INIT(conn, count) ((conn)->vfs.ops.sys_acl_init((conn)->vfs.handles.sys_acl_init, (conn), (count)))
#define SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, pacl, pentry) ((conn)->vfs.ops.sys_acl_create_entry((conn)->vfs.handles.sys_acl_create_entry, (conn), (pacl), (pentry)))
#define SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, entry, tagtype) ((conn)->vfs.ops.sys_acl_set_tag_type((conn)->vfs.handles.sys_acl_set_tag_type, (conn), (entry), (tagtype)))
#define SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, entry, qual) ((conn)->vfs.ops.sys_acl_set_qualifier((conn)->vfs.handles.sys_acl_set_qualifier, (conn), (entry), (qual)))
#define SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) ((conn)->vfs.ops.sys_acl_set_permset((conn)->vfs.handles.sys_acl_set_permset, (conn), (entry), (permset)))
#define SMB_VFS_SYS_ACL_VALID(conn, theacl) ((conn)->vfs.ops.sys_acl_valid((conn)->vfs.handles.sys_acl_valid, (conn), (theacl)))
#define SMB_VFS_SYS_ACL_SET_FILE(conn, name, acltype, theacl) ((conn)->vfs.ops.sys_acl_set_file((conn)->vfs.handles.sys_acl_set_file, (conn), (name), (acltype), (theacl)))
#define SMB_VFS_SYS_ACL_SET_FD(fsp, fd, theacl) ((fsp)->conn->vfs.ops.sys_acl_set_fd((fsp)->conn->vfs.handles.sys_acl_set_fd, (fsp), (fd), (theacl)))
#define SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, path) ((conn)->vfs.ops.sys_acl_delete_def_file((conn)->vfs.handles.sys_acl_delete_def_file, (conn), (path)))
#define SMB_VFS_SYS_ACL_GET_PERM(conn, permset, perm) ((conn)->vfs.ops.sys_acl_get_perm((conn)->vfs.handles.sys_acl_get_perm, (conn), (permset), (perm)))
#define SMB_VFS_SYS_ACL_FREE_TEXT(conn, text) ((conn)->vfs.ops.sys_acl_free_text((conn)->vfs.handles.sys_acl_free_text, (conn), (text)))
#define SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl) ((conn)->vfs.ops.sys_acl_free_acl((conn)->vfs.handles.sys_acl_free_acl, (conn), (posix_acl)))
#define SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, qualifier, tagtype) ((conn)->vfs.ops.sys_acl_free_qualifier((conn)->vfs.handles.sys_acl_free_qualifier, (conn), (qualifier), (tagtype)))
/* EA operations. */
#define SMB_VFS_GETXATTR(conn,path,name,value,size) ((conn)->vfs.ops.getxattr((conn)->vfs.handles.getxattr,(conn),(path),(name),(value),(size)))
#define SMB_VFS_LGETXATTR(conn,path,name,value,size) ((conn)->vfs.ops.lgetxattr((conn)->vfs.handles.lgetxattr,(conn),(path),(name),(value),(size)))
#define SMB_VFS_FGETXATTR(fsp,fd,name,value,size) ((fsp)->conn->vfs.ops.fgetxattr((fsp)->conn->vfs.handles.fgetxattr,(fsp),(fd),(name),(value),(size)))
#define SMB_VFS_LISTXATTR(conn,path,list,size) ((conn)->vfs.ops.listxattr((conn)->vfs.handles.listxattr,(conn),(path),(list),(size)))
#define SMB_VFS_LLISTXATTR(conn,path,list,size) ((conn)->vfs.ops.llistxattr((conn)->vfs.handles.llistxattr,(conn),(path),(list),(size)))
#define SMB_VFS_FLISTXATTR(fsp,fd,list,size) ((fsp)->conn->vfs.ops.flistxattr((fsp)->conn->vfs.handles.flistxattr,(fsp),(fd),(list),(size)))
#define SMB_VFS_REMOVEXATTR(conn,path,name) ((conn)->vfs.ops.removexattr((conn)->vfs.handles.removexattr,(conn),(path),(name)))
#define SMB_VFS_LREMOVEXATTR(conn,path,name) ((conn)->vfs.ops.lremovexattr((conn)->vfs.handles.lremovexattr,(conn),(path),(name)))
#define SMB_VFS_FREMOVEXATTR(fsp,fd,name) ((fsp)->conn->vfs.ops.fremovexattr((fsp)->conn->vfs.handles.fremovexattr,(fsp),(fd),(name)))
#define SMB_VFS_SETXATTR(conn,path,name,value,size,flags) ((conn)->vfs.ops.setxattr((conn)->vfs.handles.setxattr,(conn),(path),(name),(value),(size),(flags)))
#define SMB_VFS_LSETXATTR(conn,path,name,value,size,flags) ((conn)->vfs.ops.lsetxattr((conn)->vfs.handles.lsetxattr,(conn),(path),(name),(value),(size),(flags)))
#define SMB_VFS_FSETXATTR(fsp,fd,name,value,size,flags) ((fsp)->conn->vfs.ops.fsetxattr((fsp)->conn->vfs.handles.fsetxattr,(fsp),(fd),(name),(value),(size),(flags)))
/*******************************************************************
Don't access conn->vfs_opaque.ops directly!!!
Use this macros!
(Fixes should also go into the vfs_* and vfs_next_* macros!)
********************************************************************/
/* Disk operations */
#define SMB_VFS_OPAQUE_CONNECT(conn, service, user) ((conn)->vfs_opaque.ops.connect((conn)->vfs_opaque.handles.connect, (conn), (service), (user)))
#define SMB_VFS_OPAQUE_DISCONNECT(conn) ((conn)->vfs_opaque.ops.disconnect((conn)->vfs_opaque.handles.disconnect, (conn)))
#define SMB_VFS_OPAQUE_DISK_FREE(conn, path, small_query, bsize, dfree ,dsize) ((conn)->vfs_opaque.ops.disk_free((conn)->vfs_opaque.handles.disk_free, (conn), (path), (small_query), (bsize), (dfree), (dsize)))
#define SMB_VFS_OPAQUE_GET_QUOTA(conn, qtype, id, qt) ((conn)->vfs_opaque.ops.get_quota((conn)->vfs_opaque.handles.get_quota, (conn), (qtype), (id), (qt)))
#define SMB_VFS_OPAQUE_SET_QUOTA(conn, qtype, id, qt) ((conn)->vfs_opaque.ops.set_quota((conn)->vfs_opaque.handles.set_quota, (conn), (qtype), (id), (qt)))
/* Directory operations */
#define SMB_VFS_OPAQUE_OPENDIR(conn, fname) ((conn)->vfs_opaque.ops.opendir((conn)->vfs_opaque.handles.opendir, (conn), (fname)))
#define SMB_VFS_OPAQUE_READDIR(conn, dirp) ((conn)->vfs_opaque.ops.readdir((conn)->vfs_opaque.handles.readdir, (conn), (dirp)))
#define SMB_VFS_OPAQUE_MKDIR(conn, path, mode) ((conn)->vfs_opaque.ops.mkdir((conn)->vfs_opaque.handles.mkdir,(conn), (path), (mode)))
#define SMB_VFS_OPAQUE_RMDIR(conn, path) ((conn)->vfs_opaque.ops.rmdir((conn)->vfs_opaque.handles.rmdir, (conn), (path)))
#define SMB_VFS_OPAQUE_CLOSEDIR(conn, dir) ((conn)->vfs_opaque.ops.closedir((conn)->vfs_opaque.handles.closedir, (conn), dir))
/* File operations */
#define SMB_VFS_OPAQUE_OPEN(conn, fname, flags, mode) ((conn)->vfs_opaque.ops.open((conn)->vfs_opaque.handles.open, (conn), (fname), (flags), (mode)))
#define SMB_VFS_OPAQUE_CLOSE(fsp, fd) ((fsp)->conn->vfs_opaque.ops.close((fsp)->conn->vfs_opaque.handles.close, (fsp), (fd)))
#define SMB_VFS_OPAQUE_READ(fsp, fd, data, n) ((fsp)->conn->vfs_opaque.ops.read((fsp)->conn->vfs_opaque.handles.read, (fsp), (fd), (data), (n)))
#define SMB_VFS_OPAQUE_WRITE(fsp, fd, data, n) ((fsp)->conn->vfs_opaque.ops.write((fsp)->conn->vfs_opaque.handles.write, (fsp), (fd), (data), (n)))
#define SMB_VFS_OPAQUE_LSEEK(fsp, fd, offset, whence) ((fsp)->conn->vfs_opaque.ops.lseek((fsp)->conn->vfs_opaque.handles.lseek, (fsp), (fd), (offset), (whence)))
#define SMB_VFS_OPAQUE_SENDFILE(tofd, fsp, fromfd, header, offset, count) ((fsp)->conn->vfs_opaque.ops.sendfile((fsp)->conn->vfs_opaque.handles.sendfile, (tofd), (fsp), (fromfd), (header), (offset), (count)))
#define SMB_VFS_OPAQUE_RENAME(conn, old, new) ((conn)->vfs_opaque.ops.rename((conn)->vfs_opaque.handles.rename, (conn), (old), (new)))
#define SMB_VFS_OPAQUE_FSYNC(fsp, fd) ((fsp)->conn->vfs_opaque.ops.fsync((fsp)->conn->vfs_opaque.handles.fsync, (fsp), (fd)))
#define SMB_VFS_OPAQUE_STAT(conn, fname, sbuf) ((conn)->vfs_opaque.ops.stat((conn)->vfs_opaque.handles.stat, (conn), (fname), (sbuf)))
#define SMB_VFS_OPAQUE_FSTAT(fsp, fd, sbuf) ((fsp)->conn->vfs_opaque.ops.fstat((fsp)->conn->vfs_opaque.handles.fstat, (fsp) ,(fd) ,(sbuf)))
#define SMB_VFS_OPAQUE_LSTAT(conn, path, sbuf) ((conn)->vfs_opaque.ops.lstat((conn)->vfs_opaque.handles.lstat, (conn), (path), (sbuf)))
#define SMB_VFS_OPAQUE_UNLINK(conn, path) ((conn)->vfs_opaque.ops.unlink((conn)->vfs_opaque.handles.unlink, (conn), (path)))
#define SMB_VFS_OPAQUE_CHMOD(conn, path, mode) ((conn)->vfs_opaque.ops.chmod((conn)->vfs_opaque.handles.chmod, (conn), (path), (mode)))
#define SMB_VFS_OPAQUE_FCHMOD(fsp, fd, mode) ((fsp)->conn->vfs_opaque.ops.fchmod((fsp)->conn->vfs_opaque.handles.fchmod, (fsp), (fd), (mode)))
#define SMB_VFS_OPAQUE_CHOWN(conn, path, uid, gid) ((conn)->vfs_opaque.ops.chown((conn)->vfs_opaque.handles.chown, (conn), (path), (uid), (gid)))
#define SMB_VFS_OPAQUE_FCHOWN(fsp, fd, uid, gid) ((fsp)->conn->vfs_opaque.ops.fchown((fsp)->conn->vfs_opaque.handles.fchown, (fsp), (fd), (uid), (gid)))
#define SMB_VFS_OPAQUE_CHDIR(conn, path) ((conn)->vfs_opaque.ops.chdir((conn)->vfs_opaque.handles.chdir, (conn), (path)))
#define SMB_VFS_OPAQUE_GETWD(conn, buf) ((conn)->vfs_opaque.ops.getwd((conn)->vfs_opaque.handles.getwd, (conn), (buf)))
#define SMB_VFS_OPAQUE_UTIME(conn, path, times) ((conn)->vfs_opaque.ops.utime((conn)->vfs_opaque.handles.utime, (conn), (path), (times)))
#define SMB_VFS_OPAQUE_FTRUNCATE(fsp, fd, offset) ((fsp)->conn->vfs_opaque.ops.ftruncate((fsp)->conn->vfs_opaque.handles.ftruncate, (fsp), (fd), (offset)))
#define SMB_VFS_OPAQUE_LOCK(fsp, fd, op, offset, count, type) ((fsp)->conn->vfs_opaque.ops.lock((fsp)->conn->vfs_opaque.handles.lock, (fsp), (fd) ,(op), (offset), (count), (type)))
#define SMB_VFS_OPAQUE_SYMLINK(conn, oldpath, newpath) ((conn)->vfs_opaque.ops.symlink((conn)->vfs_opaque.handles.symlink, (conn), (oldpath), (newpath)))
#define SMB_VFS_OPAQUE_READLINK(conn, path, buf, bufsiz) ((conn)->vfs_opaque.ops.readlink((conn)->vfs_opaque.handles.readlink, (conn), (path), (buf), (bufsiz)))
#define SMB_VFS_OPAQUE_LINK(conn, oldpath, newpath) ((conn)->vfs_opaque.ops.link((conn)->vfs_opaque.handles.link, (conn), (oldpath), (newpath)))
#define SMB_VFS_OPAQUE_MKNOD(conn, path, mode, dev) ((conn)->vfs_opaque.ops.mknod((conn)->vfs_opaque.handles.mknod, (conn), (path), (mode), (dev)))
#define SMB_VFS_OPAQUE_REALPATH(conn, path, resolved_path) ((conn)->vfs_opaque.ops.realpath((conn)->vfs_opaque.handles.realpath, (conn), (path), (resolved_path)))
/* NT ACL operations. */
#define SMB_VFS_OPAQUE_FGET_NT_ACL(fsp, fd, security_info, ppdesc) ((fsp)->conn->vfs_opaque.ops.fget_nt_acl((fsp)->conn->vfs_opaque.handles.fget_nt_acl, (fsp), (fd), (security_info), (ppdesc)))
#define SMB_VFS_OPAQUE_GET_NT_ACL(fsp, name, security_info, ppdesc) ((fsp)->conn->vfs_opaque.ops.get_nt_acl((fsp)->conn->vfs_opaque.handles.get_nt_acl, (fsp), (name), (security_info), (ppdesc)))
#define SMB_VFS_OPAQUE_FSET_NT_ACL(fsp, fd, security_info_sent, psd) ((fsp)->conn->vfs_opaque.ops.fset_nt_acl((fsp)->conn->vfs_opaque.handles.fset_nt_acl, (fsp), (fd), (security_info_sent), (psd)))
#define SMB_VFS_OPAQUE_SET_NT_ACL(fsp, name, security_info_sent, psd) ((fsp)->conn->vfs_opaque.ops.set_nt_acl((fsp)->conn->vfs_opaque.handles.set_nt_acl, (fsp), (name), (security_info_sent), (psd)))
/* POSIX ACL operations. */
#define SMB_VFS_OPAQUE_CHMOD_ACL(conn, name, mode) ((conn)->vfs_opaque.ops.chmod_acl((conn)->vfs_opaque.handles.chmod_acl, (conn), (name), (mode)))
#define SMB_VFS_OPAQUE_FCHMOD_ACL(fsp, fd, mode) ((fsp)->conn->vfs_opaque.ops.fchmod_acl((fsp)->conn->vfs_opaque.handles.chmod_acl, (fsp), (fd), (mode)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_ENTRY(conn, theacl, entry_id, entry_p) ((conn)->vfs_opaque.ops.sys_acl_get_entry((conn)->vfs_opaque.handles.sys_acl_get_entry, (conn), (theacl), (entry_id), (entry_p)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_TAG_TYPE(conn, entry_d, tag_type_p) ((conn)->vfs_opaque.ops.sys_acl_get_tag_type((conn)->vfs_opaque.handles.sys_acl_get_tag_type, (conn), (entry_d), (tag_type_p)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_PERMSET(conn, entry_d, permset_p) ((conn)->vfs_opaque.ops.sys_acl_get_permset((conn)->vfs_opaque.handles.sys_acl_get_permset, (conn), (entry_d), (permset_p)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_QUALIFIER(conn, entry_d) ((conn)->vfs_opaque.ops.sys_acl_get_qualifier((conn)->vfs_opaque.handles.sys_acl_get_qualifier, (conn), (entry_d)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_FILE(conn, path_p, type) ((conn)->vfs_opaque.ops.sys_acl_get_file((conn)->vfs_opaque.handles.sys_acl_get_file, (conn), (path_p), (type)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_FD(fsp, fd) ((fsp)->conn->vfs_opaque.ops.sys_acl_get_fd((fsp)->conn->vfs_opaque.handles.sys_acl_get_fd, (fsp), (fd)))
#define SMB_VFS_OPAQUE_SYS_ACL_CLEAR_PERMS(conn, permset) ((conn)->vfs_opaque.ops.sys_acl_clear_perms((conn)->vfs_opaque.handles.sys_acl_clear_perms, (conn), (permset)))
#define SMB_VFS_OPAQUE_SYS_ACL_ADD_PERM(conn, permset, perm) ((conn)->vfs_opaque.ops.sys_acl_add_perm((conn)->vfs_opaque.handles.sys_acl_add_perm, (conn), (permset), (perm)))
#define SMB_VFS_OPAQUE_SYS_ACL_TO_TEXT(conn, theacl, plen) ((conn)->vfs_opaque.ops.sys_acl_to_text((conn)->vfs_opaque.handles.sys_acl_to_text, (conn), (theacl), (plen)))
#define SMB_VFS_OPAQUE_SYS_ACL_INIT(conn, count) ((conn)->vfs_opaque.ops.sys_acl_init((conn)->vfs_opaque.handles.sys_acl_init, (conn), (count)))
#define SMB_VFS_OPAQUE_SYS_ACL_CREATE_ENTRY(conn, pacl, pentry) ((conn)->vfs_opaque.ops.sys_acl_create_entry((conn)->vfs_opaque.handles.sys_acl_create_entry, (conn), (pacl), (pentry)))
#define SMB_VFS_OPAQUE_SYS_ACL_SET_TAG_TYPE(conn, entry, tagtype) ((conn)->vfs_opaque.ops.sys_acl_set_tag_type((conn)->vfs_opaque.handles.sys_acl_set_tag_type, (conn), (entry), (tagtype)))
#define SMB_VFS_OPAQUE_SYS_ACL_SET_QUALIFIER(conn, entry, qual) ((conn)->vfs_opaque.ops.sys_acl_set_qualifier((conn)->vfs_opaque.handles.sys_acl_set_qualifier, (conn), (entry), (qual)))
#define SMB_VFS_OPAQUE_SYS_ACL_SET_PERMSET(conn, entry, permset) ((conn)->vfs_opaque.ops.sys_acl_set_permset((conn)->vfs_opaque.handles.sys_acl_set_permset, (conn), (entry), (permset)))
#define SMB_VFS_OPAQUE_SYS_ACL_VALID(conn, theacl) ((conn)->vfs_opaque.ops.sys_acl_valid((conn)->vfs_opaque.handles.sys_acl_valid, (conn), (theacl)))
#define SMB_VFS_OPAQUE_SYS_ACL_SET_FILE(conn, name, acltype, theacl) ((conn)->vfs_opaque.ops.sys_acl_set_file((conn)->vfs_opaque.handles.sys_acl_set_file, (conn), (name), (acltype), (theacl)))
#define SMB_VFS_OPAQUE_SYS_ACL_SET_FD(fsp, fd, theacl) ((fsp)->conn->vfs_opaque.ops.sys_acl_set_fd((fsp)->conn->vfs_opaque.handles.sys_acl_set_fd, (fsp), (fd), (theacl)))
#define SMB_VFS_OPAQUE_SYS_ACL_DELETE_DEF_FILE(conn, path) ((conn)->vfs_opaque.ops.sys_acl_delete_def_file((conn)->vfs_opaque.handles.sys_acl_delete_def_file, (conn), (path)))
#define SMB_VFS_OPAQUE_SYS_ACL_GET_PERM(conn, permset, perm) ((conn)->vfs_opaque.ops.sys_acl_get_perm((conn)->vfs_opaque.handles.sys_acl_get_perm, (conn), (permset), (perm)))
#define SMB_VFS_OPAQUE_SYS_ACL_FREE_TEXT(conn, text) ((conn)->vfs_opaque.ops.sys_acl_free_text((conn)->vfs_opaque.handles.sys_acl_free_text, (conn), (text)))
#define SMB_VFS_OPAQUE_SYS_ACL_FREE_ACL(conn, posix_acl) ((conn)->vfs_opaque.ops.sys_acl_free_acl((conn)->vfs_opaque.handles.sys_acl_free_acl, (conn), (posix_acl)))
#define SMB_VFS_OPAQUE_SYS_ACL_FREE_QUALIFIER(conn, qualifier, tagtype) ((conn)->vfs_opaque.ops.sys_acl_free_qualifier((conn)->vfs_opaque.handles.sys_acl_free_qualifier, (conn), (qualifier), (tagtype)))
/* EA operations. */
#define SMB_VFS_OPAQUE_GETXATTR(conn,path,name,value,size) ((conn)->vfs_opaque.ops.getxattr((conn)->vfs_opaque.handles.getxattr,(conn),(path),(name),(value),(size)))
#define SMB_VFS_OPAQUE_LGETXATTR(conn,path,name,value,size) ((conn)->vfs_opaque.ops.lgetxattr((conn)->vfs_opaque.handles.lgetxattr,(conn),(path),(name),(value),(size)))
#define SMB_VFS_OPAQUE_FGETXATTR(fsp,fd,name,value,size) ((fsp)->conn->vfs_opaque.ops.fgetxattr((fsp)->conn->vfs_opaque.handles.fgetxattr,(fsp),(fd),(name),(value),(size)))
#define SMB_VFS_OPAQUE_LISTXATTR(conn,path,list,size) ((conn)->vfs_opaque.ops.listxattr((conn)->vfs_opaque.handles.listxattr,(conn),(path),(list),(size)))
#define SMB_VFS_OPAQUE_LLISTXATTR(conn,path,list,size) ((conn)->vfs_opaque.ops.llistxattr((conn)->vfs_opaque.handles.llistxattr,(conn),(path),(list),(size)))
#define SMB_VFS_OPAQUE_FLISTXATTR(fsp,fd,list,size) ((fsp)->conn->vfs_opaque.ops.flistxattr((fsp)->conn->vfs_opaque.handles.flistxattr,(fsp),(fd),(list),(size)))
#define SMB_VFS_OPAQUE_REMOVEXATTR(conn,path,name) ((conn)->vfs_opaque.ops.removexattr((conn)->vfs_opaque.handles.removexattr,(conn),(path),(name)))
#define SMB_VFS_OPAQUE_LREMOVEXATTR(conn,path,name) ((conn)->vfs_opaque.ops.lremovexattr((conn)->vfs_opaque.handles.lremovexattr,(conn),(path),(name)))
#define SMB_VFS_OPAQUE_FREMOVEXATTR(fsp,fd,name) ((fsp)->conn->vfs_opaque.ops.fremovexattr((fsp)->conn->vfs_opaque.handles.fremovexattr,(fsp),(fd),(name)))
#define SMB_VFS_OPAQUE_SETXATTR(conn,path,name,value,size,flags) ((conn)->vfs_opaque.ops.setxattr((conn)->vfs_opaque.handles.setxattr,(conn),(path),(name),(value),(size),(flags)))
#define SMB_VFS_OPAQUE_LSETXATTR(conn,path,name,value,size,flags) ((conn)->vfs_opaque.ops.lsetxattr((conn)->vfs_opaque.handles.lsetxattr,(conn),(path),(name),(value),(size),(flags)))
#define SMB_VFS_OPAQUE_FSETXATTR(fsp,fd,name,value,size,flags) ((fsp)->conn->vfs_opaque.ops.fsetxattr((fsp)->conn->vfs_opaque.handles.fsetxattr,(fsp),(fd),(name),(value),(size),(flags)))
/*******************************************************************
Don't access handle->vfs_next.ops.* directly!!!
Use this macros!
(Fixes should go also into the vfs_* and vfs_opaque_* macros!)
********************************************************************/
/* Disk operations */
#define SMB_VFS_NEXT_CONNECT(handle, conn, service, user) ((handle)->vfs_next.ops.connect((handle)->vfs_next.handles.connect, (conn), (service), (user)))
#define SMB_VFS_NEXT_DISCONNECT(handle, conn) ((handle)->vfs_next.ops.disconnect((handle)->vfs_next.handles.disconnect, (conn)))
#define SMB_VFS_NEXT_DISK_FREE(handle, conn, path, small_query, bsize, dfree ,dsize) ((handle)->vfs_next.ops.disk_free((handle)->vfs_next.handles.disk_free, (conn), (path), (small_query), (bsize), (dfree), (dsize)))
#define SMB_VFS_NEXT_GET_QUOTA(handle, conn, qtype, id, qt) ((handle)->vfs_next.ops.get_quota((handle)->vfs_next.handles.get_quota, (conn), (qtype), (id), (qt)))
#define SMB_VFS_NEXT_SET_QUOTA(handle, conn, qtype, id, qt) ((handle)->vfs_next.ops.set_quota((handle)->vfs_next.handles.set_quota, (conn), (qtype), (id), (qt)))
/* Directory operations */
#define SMB_VFS_NEXT_OPENDIR(handle, conn, fname) ((handle)->vfs_next.ops.opendir((handle)->vfs_next.handles.opendir, (conn), (fname)))
#define SMB_VFS_NEXT_READDIR(handle, conn, dirp) ((handle)->vfs_next.ops.readdir((handle)->vfs_next.handles.readdir, (conn), (dirp)))
#define SMB_VFS_NEXT_MKDIR(handle, conn, path, mode) ((handle)->vfs_next.ops.mkdir((handle)->vfs_next.handles.mkdir,(conn), (path), (mode)))
#define SMB_VFS_NEXT_RMDIR(handle, conn, path) ((handle)->vfs_next.ops.rmdir((handle)->vfs_next.handles.rmdir, (conn), (path)))
#define SMB_VFS_NEXT_CLOSEDIR(handle, conn, dir) ((handle)->vfs_next.ops.closedir((handle)->vfs_next.handles.closedir, (conn), dir))
/* File operations */
#define SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode) ((handle)->vfs_next.ops.open((handle)->vfs_next.handles.open, (conn), (fname), (flags), (mode)))
#define SMB_VFS_NEXT_CLOSE(handle, fsp, fd) ((handle)->vfs_next.ops.close((handle)->vfs_next.handles.close, (fsp), (fd)))
#define SMB_VFS_NEXT_READ(handle, fsp, fd, data, n) ((handle)->vfs_next.ops.read((handle)->vfs_next.handles.read, (fsp), (fd), (data), (n)))
#define SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n) ((handle)->vfs_next.ops.write((handle)->vfs_next.handles.write, (fsp), (fd), (data), (n)))
#define SMB_VFS_NEXT_LSEEK(handle, fsp, fd, offset, whence) ((handle)->vfs_next.ops.lseek((handle)->vfs_next.handles.lseek, (fsp), (fd), (offset), (whence)))
#define SMB_VFS_NEXT_SENDFILE(handle, tofd, fsp, fromfd, header, offset, count) ((handle)->vfs_next.ops.sendfile((handle)->vfs_next.handles.sendfile, (tofd), (fsp), (fromfd), (header), (offset), (count)))
#define SMB_VFS_NEXT_RENAME(handle, conn, old, new) ((handle)->vfs_next.ops.rename((handle)->vfs_next.handles.rename, (conn), (old), (new)))
#define SMB_VFS_NEXT_FSYNC(handle, fsp, fd) ((handle)->vfs_next.ops.fsync((handle)->vfs_next.handles.fsync, (fsp), (fd)))
#define SMB_VFS_NEXT_STAT(handle, conn, fname, sbuf) ((handle)->vfs_next.ops.stat((handle)->vfs_next.handles.stat, (conn), (fname), (sbuf)))
#define SMB_VFS_NEXT_FSTAT(handle, fsp, fd, sbuf) ((handle)->vfs_next.ops.fstat((handle)->vfs_next.handles.fstat, (fsp) ,(fd) ,(sbuf)))
#define SMB_VFS_NEXT_LSTAT(handle, conn, path, sbuf) ((handle)->vfs_next.ops.lstat((handle)->vfs_next.handles.lstat, (conn), (path), (sbuf)))
#define SMB_VFS_NEXT_UNLINK(handle, conn, path) ((handle)->vfs_next.ops.unlink((handle)->vfs_next.handles.unlink, (conn), (path)))
#define SMB_VFS_NEXT_CHMOD(handle, conn, path, mode) ((handle)->vfs_next.ops.chmod((handle)->vfs_next.handles.chmod, (conn), (path), (mode)))
#define SMB_VFS_NEXT_FCHMOD(handle, fsp, fd, mode) ((handle)->vfs_next.ops.fchmod((handle)->vfs_next.handles.fchmod, (fsp), (fd), (mode)))
#define SMB_VFS_NEXT_CHOWN(handle, conn, path, uid, gid) ((handle)->vfs_next.ops.chown((handle)->vfs_next.handles.chown, (conn), (path), (uid), (gid)))
#define SMB_VFS_NEXT_FCHOWN(handle, fsp, fd, uid, gid) ((handle)->vfs_next.ops.fchown((handle)->vfs_next.handles.fchown, (fsp), (fd), (uid), (gid)))
#define SMB_VFS_NEXT_CHDIR(handle, conn, path) ((handle)->vfs_next.ops.chdir((handle)->vfs_next.handles.chdir, (conn), (path)))
#define SMB_VFS_NEXT_GETWD(handle, conn, buf) ((handle)->vfs_next.ops.getwd((handle)->vfs_next.handles.getwd, (conn), (buf)))
#define SMB_VFS_NEXT_UTIME(handle, conn, path, times) ((handle)->vfs_next.ops.utime((handle)->vfs_next.handles.utime, (conn), (path), (times)))
#define SMB_VFS_NEXT_FTRUNCATE(handle, fsp, fd, offset) ((handle)->vfs_next.ops.ftruncate((handle)->vfs_next.handles.ftruncate, (fsp), (fd), (offset)))
#define SMB_VFS_NEXT_LOCK(handle, fsp, fd, op, offset, count, type) ((handle)->vfs_next.ops.lock((handle)->vfs_next.handles.lock, (fsp), (fd) ,(op), (offset), (count), (type)))
#define SMB_VFS_NEXT_SYMLINK(handle, conn, oldpath, newpath) ((handle)->vfs_next.ops.symlink((handle)->vfs_next.handles.symlink, (conn), (oldpath), (newpath)))
#define SMB_VFS_NEXT_READLINK(handle, conn, path, buf, bufsiz) ((handle)->vfs_next.ops.readlink((handle)->vfs_next.handles.readlink, (conn), (path), (buf), (bufsiz)))
#define SMB_VFS_NEXT_LINK(handle, conn, oldpath, newpath) ((handle)->vfs_next.ops.link((handle)->vfs_next.handles.link, (conn), (oldpath), (newpath)))
#define SMB_VFS_NEXT_MKNOD(handle, conn, path, mode, dev) ((handle)->vfs_next.ops.mknod((handle)->vfs_next.handles.mknod, (conn), (path), (mode), (dev)))
#define SMB_VFS_NEXT_REALPATH(handle, conn, path, resolved_path) ((handle)->vfs_next.ops.realpath((handle)->vfs_next.handles.realpath, (conn), (path), (resolved_path)))
/* NT ACL operations. */
#define SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, fd, security_info, ppdesc) ((handle)->vfs_next.ops.fget_nt_acl((handle)->vfs_next.handles.fget_nt_acl, (fsp), (fd), (security_info), (ppdesc)))
#define SMB_VFS_NEXT_GET_NT_ACL(handle, fsp, name, security_info, ppdesc) ((handle)->vfs_next.ops.get_nt_acl((handle)->vfs_next.handles.get_nt_acl, (fsp), (name), (security_info), (ppdesc)))
#define SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, fd, security_info_sent, psd) ((handle)->vfs_next.ops.fset_nt_acl((handle)->vfs_next.handles.fset_nt_acl, (fsp), (fd), (security_info_sent), (psd)))
#define SMB_VFS_NEXT_SET_NT_ACL(handle, fsp, name, security_info_sent, psd) ((handle)->vfs_next.ops.set_nt_acl((handle)->vfs_next.handles.set_nt_acl, (fsp), (name), (security_info_sent), (psd)))
/* POSIX ACL operations. */
#define SMB_VFS_NEXT_CHMOD_ACL(handle, conn, name, mode) ((handle)->vfs_next.ops.chmod_acl((handle)->vfs_next.handles.chmod_acl, (conn), (name), (mode)))
#define SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, fd, mode) ((handle)->vfs_next.ops.fchmod_acl((handle)->vfs_next.handles.chmod_acl, (fsp), (fd), (mode)))
#define SMB_VFS_NEXT_SYS_ACL_GET_ENTRY(handle, conn, theacl, entry_id, entry_p) ((handle)->vfs_next.ops.sys_acl_get_entry((handle)->vfs_next.handles.sys_acl_get_entry, (conn), (theacl), (entry_id), (entry_p)))
#define SMB_VFS_NEXT_SYS_ACL_GET_TAG_TYPE(handle, conn, entry_d, tag_type_p) ((handle)->vfs_next.ops.sys_acl_get_tag_type((handle)->vfs_next.handles.sys_acl_get_tag_type, (conn), (entry_d), (tag_type_p)))
#define SMB_VFS_NEXT_SYS_ACL_GET_PERMSET(handle, conn, entry_d, permset_p) ((handle)->vfs_next.ops.sys_acl_get_permset((handle)->vfs_next.handles.sys_acl_get_permset, (conn), (entry_d), (permset_p)))
#define SMB_VFS_NEXT_SYS_ACL_GET_QUALIFIER(handle, conn, entry_d) ((handle)->vfs_next.ops.sys_acl_get_qualifier((handle)->vfs_next.handles.sys_acl_get_qualifier, (conn), (entry_d)))
#define SMB_VFS_NEXT_SYS_ACL_GET_FILE(handle, conn, path_p, type) ((handle)->vfs_next.ops.sys_acl_get_file((handle)->vfs_next.handles.sys_acl_get_file, (conn), (path_p), (type)))
#define SMB_VFS_NEXT_SYS_ACL_GET_FD(handle, fsp, fd) ((handle)->vfs_next.ops.sys_acl_get_fd((handle)->vfs_next.handles.sys_acl_get_fd, (fsp), (fd)))
#define SMB_VFS_NEXT_SYS_ACL_CLEAR_PERMS(handle, conn, permset) ((handle)->vfs_next.ops.sys_acl_clear_perms((handle)->vfs_next.handles.sys_acl_clear_perms, (conn), (permset)))
#define SMB_VFS_NEXT_SYS_ACL_ADD_PERM(handle, conn, permset, perm) ((handle)->vfs_next.ops.sys_acl_add_perm((handle)->vfs_next.handles.sys_acl_add_perm, (conn), (permset), (perm)))
#define SMB_VFS_NEXT_SYS_ACL_TO_TEXT(handle, conn, theacl, plen) ((handle)->vfs_next.ops.sys_acl_to_text((handle)->vfs_next.handles.sys_acl_to_text, (conn), (theacl), (plen)))
#define SMB_VFS_NEXT_SYS_ACL_INIT(handle, conn, count) ((handle)->vfs_next.ops.sys_acl_init((handle)->vfs_next.handles.sys_acl_init, (conn), (count)))
#define SMB_VFS_NEXT_SYS_ACL_CREATE_ENTRY(handle, conn, pacl, pentry) ((handle)->vfs_next.ops.sys_acl_create_entry((handle)->vfs_next.handles.sys_acl_create_entry, (conn), (pacl), (pentry)))
#define SMB_VFS_NEXT_SYS_ACL_SET_TAG_TYPE(handle, conn, entry, tagtype) ((handle)->vfs_next.ops.sys_acl_set_tag_type((handle)->vfs_next.handles.sys_acl_set_tag_type, (conn), (entry), (tagtype)))
#define SMB_VFS_NEXT_SYS_ACL_SET_QUALIFIER(handle, conn, entry, qual) ((handle)->vfs_next.ops.sys_acl_set_qualifier((handle)->vfs_next.handles.sys_acl_set_qualifier, (conn), (entry), (qual)))
#define SMB_VFS_NEXT_SYS_ACL_SET_PERMSET(handle, conn, entry, permset) ((handle)->vfs_next.ops.sys_acl_set_permset((handle)->vfs_next.handles.sys_acl_set_permset, (conn), (entry), (permset)))
#define SMB_VFS_NEXT_SYS_ACL_VALID(handle, conn, theacl) ((handle)->vfs_next.ops.sys_acl_valid((handle)->vfs_next.handles.sys_acl_valid, (conn), (theacl)))
#define SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle, conn, name, acltype, theacl) ((handle)->vfs_next.ops.sys_acl_set_file((handle)->vfs_next.handles.sys_acl_set_file, (conn), (name), (acltype), (theacl)))
#define SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, fsp, fd, theacl) ((handle)->vfs_next.ops.sys_acl_set_fd((handle)->vfs_next.handles.sys_acl_set_fd, (fsp), (fd), (theacl)))
#define SMB_VFS_NEXT_SYS_ACL_DELETE_DEF_FILE(handle, conn, path) ((handle)->vfs_next.ops.sys_acl_delete_def_file((handle)->vfs_next.handles.sys_acl_delete_def_file, (conn), (path)))
#define SMB_VFS_NEXT_SYS_ACL_GET_PERM(handle, conn, permset, perm) ((handle)->vfs_next.ops.sys_acl_get_perm((handle)->vfs_next.handles.sys_acl_get_perm, (conn), (permset), (perm)))
#define SMB_VFS_NEXT_SYS_ACL_FREE_TEXT(handle, conn, text) ((handle)->vfs_next.ops.sys_acl_free_text((handle)->vfs_next.handles.sys_acl_free_text, (conn), (text)))
#define SMB_VFS_NEXT_SYS_ACL_FREE_ACL(handle, conn, posix_acl) ((handle)->vfs_next.ops.sys_acl_free_acl((handle)->vfs_next.handles.sys_acl_free_acl, (conn), (posix_acl)))
#define SMB_VFS_NEXT_SYS_ACL_FREE_QUALIFIER(handle, conn, qualifier, tagtype) ((handle)->vfs_next.ops.sys_acl_free_qualifier((handle)->vfs_next.handles.sys_acl_free_qualifier, (conn), (qualifier), (tagtype)))
/* EA operations. */
#define SMB_VFS_NEXT_GETXATTR(handle,conn,path,name,value,size) ((handle)->vfs_next.ops.getxattr((handle)->vfs_next.handles.getxattr,(conn),(path),(name),(value),(size)))
#define SMB_VFS_NEXT_LGETXATTR(handle,conn,path,name,value,size) ((handle)->vfs_next.ops.lgetxattr((handle)->vfs_next.handles.lgetxattr,(conn),(path),(name),(value),(size)))
#define SMB_VFS_NEXT_FGETXATTR(handle,fsp,fd,name,value,size) ((handle)->vfs_next.ops.fgetxattr((handle)->vfs_next.handles.fgetxattr,(fsp),(fd),(name),(value),(size)))
#define SMB_VFS_NEXT_LISTXATTR(handle,conn,path,list,size) ((handle)->vfs_next.ops.listxattr((handle)->vfs_next.handles.listxattr,(conn),(path),(list),(size)))
#define SMB_VFS_NEXT_LLISTXATTR(handle,conn,path,list,size) ((handle)->vfs_next.ops.llistxattr((handle)->vfs_next.handles.llistxattr,(conn),(path),(list),(size)))
#define SMB_VFS_NEXT_FLISTXATTR(handle,fsp,fd,list,size) ((handle)->vfs_next.ops.flistxattr((handle)->vfs_next.handles.flistxattr,(fsp),(fd),(list),(size)))
#define SMB_VFS_NEXT_REMOVEXATTR(handle,conn,path,name) ((handle)->vfs_next.ops.removexattr((handle)->vfs_next.handles.removexattr,(conn),(path),(name)))
#define SMB_VFS_NEXT_LREMOVEXATTR(handle,conn,path,name) ((handle)->vfs_next.ops.lremovexattr((handle)->vfs_next.handles.lremovexattr,(conn),(path),(name)))
#define SMB_VFS_NEXT_FREMOVEXATTR(handle,fsp,fd,name) ((handle)->vfs_next.ops.fremovexattr((handle)->vfs_next.handles.fremovexattr,(fsp),(fd),(name)))
#define SMB_VFS_NEXT_SETXATTR(handle,conn,path,name,value,size,flags) ((handle)->vfs_next.ops.setxattr((handle)->vfs_next.handles.setxattr,(conn),(path),(name),(value),(size),(flags)))
#define SMB_VFS_NEXT_LSETXATTR(handle,conn,path,name,value,size,flags) ((handle)->vfs_next.ops.lsetxattr((handle)->vfs_next.handles.lsetxattr,(conn),(path),(name),(value),(size),(flags)))
#define SMB_VFS_NEXT_FSETXATTR(handle,fsp,fd,name,value,size,flags) ((handle)->vfs_next.ops.fsetxattr((handle)->vfs_next.handles.fsetxattr,(fsp),(fd),(name),(value),(size),(flags)))
#endif /* _VFS_MACROS_H */

View File

1262
source3/lib/smbldap.c Normal file

File diff suppressed because it is too large Load Diff

963
source3/lib/sysquotas.c Normal file
View File

@ -0,0 +1,963 @@
/*
Unix SMB/CIFS implementation.
System QUOTA function wrappers
Copyright (C) Stefan (metze) Metzmacher 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#ifndef AUTOCONF_TEST
#include "includes.h"
#ifdef HAVE_SYS_QUOTAS
#if defined(HAVE_QUOTACTL_4A)
/* long quotactl(int cmd, char *special, qid_t id, caddr_t addr) */
/* this is used by: linux,HPUX,IRIX */
/****************************************************************************
Abstract out the old and new Linux quota get calls.
****************************************************************************/
static int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
uint32 qflags = 0;
struct SYS_DQBLK D;
SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
if (!path||!bdev||!dp)
smb_panic("sys_get_vfs_quota: called with NULL pointer");
ZERO_STRUCT(D);
ZERO_STRUCT(*dp);
dp->qtype = qtype;
switch (qtype) {
case SMB_USER_QUOTA_TYPE:
/* we use id.uid == 0 for default quotas */
if (id.uid == 0) {
ret = 0;
break;
}
if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (CADDR_T)&D))) {
return ret;
}
if ((D.dqb_curblocks==0)&&
(D.dqb_bsoftlimit==0)&&
(D.dqb_bhardlimit==0)) {
/* the upper layer functions don't want empty quota records...*/
return -1;
}
break;
#ifdef HAVE_GROUP_QUOTA
case SMB_GROUP_QUOTA_TYPE:
if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), bdev, id.gid, (CADDR_T)&D))) {
return ret;
}
if ((D.dqb_curblocks==0)&&
(D.dqb_bsoftlimit==0)&&
(D.dqb_bhardlimit==0)) {
/* the upper layer functions don't want empty quota records...*/
return -1;
}
break;
#endif /* HAVE_GROUP_QUOTA */
case SMB_USER_FS_QUOTA_TYPE:
id.uid = getuid();
if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (CADDR_T)&D))==0) {
qflags |= QUOTAS_DENY_DISK;
}
/* get the default quotas stored in the root's (uid =0) record */
if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, 0, (CADDR_T)&D))) {
return ret;
}
ret = 0;
break;
default:
errno = ENOSYS;
return -1;
}
dp->bsize = bsize;
dp->softlimit = (SMB_BIG_UINT)D.dqb_bsoftlimit;
dp->hardlimit = (SMB_BIG_UINT)D.dqb_bhardlimit;
dp->ihardlimit = (SMB_BIG_UINT)D.dqb_ihardlimit;
dp->isoftlimit = (SMB_BIG_UINT)D.dqb_isoftlimit;
dp->curinodes = (SMB_BIG_UINT)D.dqb_curinodes;
dp->curblocks = (SMB_BIG_UINT)D.dqb_curblocks;
dp->qflags = qflags;
return ret;
}
/****************************************************************************
Abstract out the old and new Linux quota set calls.
****************************************************************************/
static int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
uint32 qflags = 0;
struct SYS_DQBLK D;
SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
if (!path||!bdev||!dp)
smb_panic("sys_set_vfs_quota: called with NULL pointer");
ZERO_STRUCT(D);
if (bsize == dp->bsize) {
D.dqb_bsoftlimit = dp->softlimit;
D.dqb_bhardlimit = dp->hardlimit;
D.dqb_ihardlimit = dp->ihardlimit;
D.dqb_isoftlimit = dp->isoftlimit;
} else {
D.dqb_bsoftlimit = (dp->softlimit*dp->bsize)/bsize;
D.dqb_bhardlimit = (dp->hardlimit*dp->bsize)/bsize;
D.dqb_ihardlimit = (dp->ihardlimit*dp->bsize)/bsize;
D.dqb_isoftlimit = (dp->isoftlimit*dp->bsize)/bsize;
}
qflags = dp->qflags;
switch (qtype) {
case SMB_USER_QUOTA_TYPE:
/* we use id.uid == 0 for default quotas */
if (id.uid>0) {
ret = quotactl(QCMD(Q_SETQLIM,USRQUOTA), bdev, id.uid, (CADDR_T)&D);
}
break;
#ifdef HAVE_GROUP_QUOTA
case SMB_GROUP_QUOTA_TYPE:
ret = quotactl(QCMD(Q_SETQLIM,GRPQUOTA), bdev, id.gid, (CADDR_T)&D);
break;
#endif /* HAVE_GROUP_QUOTA */
case SMB_USER_FS_QUOTA_TYPE:
/* this stuff didn't work as it should:
* switching on/off quota via quotactl()
* didn't work!
* So we only set the default limits
* --metze
*
* On HPUX we didn't have the mount path,
* we need to fix sys_path_to_bdev()
*
*/
#if 0
uid = getuid();
ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, uid, (CADDR_T)&D);
if ((qflags&QUOTAS_DENY_DISK)||(qflags&QUOTAS_ENABLED)) {
if (ret == 0) {
char *quota_file = NULL;
asprintf(&quota_file,"/%s/%s%s",path, QUOTAFILENAME,USERQUOTAFILE_EXTENSION);
if (quota_file == NULL) {
DEBUG(0,("asprintf() failed!\n"));
errno = ENOMEM;
return -1;
}
ret = quotactl(QCMD(Q_QUOTAON,USRQUOTA), bdev, -1,(CADDR_T)quota_file);
} else {
ret = 0;
}
} else {
if (ret != 0) {
/* turn off */
ret = quotactl(QCMD(Q_QUOTAOFF,USRQUOTA), bdev, -1, (CADDR_T)0);
} else {
ret = 0;
}
}
DEBUG(0,("vfs_fs_quota: ret(%d) errno(%d)[%s] uid(%d) bdev[%s]\n",
ret,errno,strerror(errno),uid,bdev));
#endif
/* we use uid == 0 for default quotas */
ret = quotactl(QCMD(Q_SETQLIM,USRQUOTA), bdev, 0, (CADDR_T)&D);
break;
default:
errno = ENOSYS;
return -1;
}
return ret;
}
/*#endif HAVE_QUOTACTL_4A */
#elif defined(HAVE_QUOTACTL_4B)
#error HAVE_QUOTACTL_4B not implemeted
/*#endif HAVE_QUOTACTL_4B */
#elif defined(HAVE_QUOTACTL_3)
#error HAVE_QUOTACTL_3 not implemented
/* #endif HAVE_QUOTACTL_3 */
#else /* NO_QUOTACTL_USED */
static int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
if (!path||!bdev||!dp)
smb_panic("sys_get_vfs_quota: called with NULL pointer");
errno = ENOSYS;
return ret;
}
static int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
if (!path||!bdev||!dp)
smb_panic("sys_set_vfs_quota: called with NULL pointer");
errno = ENOSYS;
return ret;
}
#endif /* NO_QUOTACTL_USED */
#ifdef HAVE_MNTENT
static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
{
int ret = -1;
SMB_STRUCT_STAT S;
FILE *fp;
struct mntent *mnt;
SMB_DEV_T devno;
/* find the block device file */
if (!path||!mntpath||!bdev||!fs)
smb_panic("sys_path_to_bdev: called with NULL pointer");
(*mntpath) = NULL;
(*bdev) = NULL;
(*fs) = NULL;
if ( sys_stat(path, &S) == -1 )
return (-1);
devno = S.st_dev ;
fp = setmntent(MOUNTED,"r");
while ((mnt = getmntent(fp))) {
if ( sys_stat(mnt->mnt_dir,&S) == -1 )
continue ;
if (S.st_dev == devno) {
(*mntpath) = strdup(mnt->mnt_dir);
(*bdev) = strdup(mnt->mnt_fsname);
(*fs) = strdup(mnt->mnt_type);
if ((*mntpath)&&(*bdev)&&(*fs)) {
ret = 0;
} else {
SAFE_FREE(*mntpath);
SAFE_FREE(*bdev);
SAFE_FREE(*fs);
ret = -1;
}
break;
}
}
endmntent(fp) ;
return ret;
}
/* #endif HAVE_MNTENT */
#elif defined(HAVE_DEVNM)
/* we have this on HPUX, ... */
static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
{
int ret = -1;
char dev_disk[256];
SMB_STRUCT_STAT S;
if (!path||!mntpath||!bdev||!fs)
smb_panic("sys_path_to_bdev: called with NULL pointer");
(*mntpath) = NULL;
(*bdev) = NULL;
(*fs) = NULL;
/* find the block device file */
if ((ret=sys_stat(path, &S))!=0) {
return ret;
}
if ((ret=devnm(S_IFBLK, S.st_dev, dev_disk, 256, 1))!=0) {
return ret;
}
/* we should get the mntpath right...
* but I don't know how
* --metze
*/
(*mntpath) = strdup(path);
(*bdev) = strdup(dev_disk);
if ((*mntpath)&&(*bdev)) {
ret = 0;
} else {
SAFE_FREE(*mntpath);
SAFE_FREE(*bdev);
ret = -1;
}
return ret;
}
/* #endif HAVE_DEVNM */
#else
/* we should fake this up...*/
static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
{
int ret = -1;
if (!path||!mntpath||!bdev||!fs)
smb_panic("sys_path_to_bdev: called with NULL pointer");
(*mntpath) = NULL;
(*bdev) = NULL;
(*fs) = NULL;
(*mntpath) = strdup(path);
if (*mntpath) {
ret = 0;
} else {
SAFE_FREE(*mntpath);
ret = -1;
}
return ret;
}
#endif
/*********************************************************
if we have XFS QUOTAS we should use them
*********************************************************/
#ifdef HAVE_XFS_QUOTA
/****************************************************************************
Abstract out the XFS Quota Manager quota get call.
****************************************************************************/
static int sys_get_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret;
uint32 qflags = 0;
SMB_BIG_UINT bsize = (SMB_BIG_UINT)BBSIZE;
struct fs_disk_quota D;
struct fs_quota_stat F;
ZERO_STRUCT(D);
ZERO_STRUCT(F);
if (!bdev||!dp)
smb_panic("sys_get_xfs_quota: called with NULL pointer");
ZERO_STRUCT(*dp);
dp->qtype = qtype;
switch (qtype) {
case SMB_USER_QUOTA_TYPE:
/* we use id.uid == 0 for default quotas */
if (id.uid == 0) {
ret = 0;
break;
}
if ((ret=quotactl(QCMD(Q_XGETQUOTA,USRQUOTA), bdev, id.uid, (CADDR_T)&D)))
return ret;
break;
#ifdef HAVE_GROUP_QUOTA
case SMB_GROUP_QUOTA_TYPE:
if ((ret=quotactl(QCMD(Q_XGETQUOTA,GRPQUOTA), bdev, id.gid, (CADDR_T)&D)))
return ret;
break;
#endif /* HAVE_GROUP_QUOTA */
case SMB_USER_FS_QUOTA_TYPE:
/* TODO: get quota status from quotactl() ... */
if ((ret = quotactl(QCMD(Q_XGETQSTAT,USRQUOTA), bdev, -1, (CADDR_T)&F)))
return ret;
if (F.qs_flags & XFS_QUOTA_UDQ_ENFD) {
qflags |= QUOTAS_DENY_DISK;
}
else if (F.qs_flags & XFS_QUOTA_UDQ_ACCT) {
qflags |= QUOTAS_ENABLED;
}
/* we use uid == 0 for default quotas */
if ((ret=quotactl(QCMD(Q_XGETQUOTA,USRQUOTA), bdev, 0, (CADDR_T)&D)))
return ret;
break;
default:
errno = ENOSYS;
return -1;
}
dp->bsize = bsize;
dp->softlimit = (SMB_BIG_UINT)D.d_blk_softlimit;
dp->hardlimit = (SMB_BIG_UINT)D.d_blk_hardlimit;
dp->ihardlimit = (SMB_BIG_UINT)D.d_ino_hardlimit;
dp->isoftlimit = (SMB_BIG_UINT)D.d_ino_softlimit;
dp->curinodes = (SMB_BIG_UINT)D.d_icount;
dp->curblocks = (SMB_BIG_UINT)D.d_bcount;
dp->qflags = qflags;
return ret;
}
/****************************************************************************
Abstract out the XFS Quota Manager quota set call.
****************************************************************************/
static int sys_set_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
uint32 qflags = 0;
SMB_BIG_UINT bsize = (SMB_BIG_UINT)BBSIZE;
struct fs_disk_quota D;
struct fs_quota_stat F;
int q_on = 0;
int q_off = 0;
ZERO_STRUCT(D);
ZERO_STRUCT(F);
if (!bdev||!dp)
smb_panic("sys_set_xfs_quota: called with NULL pointer");
if (bsize == dp->bsize) {
D.d_blk_softlimit = dp->softlimit;
D.d_blk_hardlimit = dp->hardlimit;
D.d_ino_hardlimit = dp->ihardlimit;
D.d_ino_softlimit = dp->isoftlimit;
} else {
D.d_blk_softlimit = (dp->softlimit*dp->bsize)/bsize;
D.d_blk_hardlimit = (dp->hardlimit*dp->bsize)/bsize;
D.d_ino_hardlimit = (dp->ihardlimit*dp->bsize)/bsize;
D.d_ino_softlimit = (dp->isoftlimit*dp->bsize)/bsize;
}
qflags = dp->qflags;
switch (qtype) {
case SMB_USER_QUOTA_TYPE:
/* we use uid == 0 for default quotas */
if (id.uid>0) {
D.d_fieldmask |= FS_DQ_LIMIT_MASK;
ret = quotactl(QCMD(Q_XSETQLIM,USRQUOTA), bdev, id.uid, (CADDR_T)&D);
}
break;
#ifdef HAVE_GROUP_QUOTA
case SMB_GROUP_QUOTA_TYPE:
D.d_fieldmask |= FS_DQ_LIMIT_MASK;
ret = quotactl(QCMD(Q_XSETQLIM,GRPQUOTA), bdev, id.gid, (CADDR_T)&D);
break;
#endif /* HAVE_GROUP_QUOTA */
case SMB_USER_FS_QUOTA_TYPE:
/* TODO */
quotactl(QCMD(Q_XGETQSTAT,USRQUOTA), bdev, -1, (CADDR_T)&F);
if (qflags & QUOTAS_DENY_DISK) {
if (!(F.qs_flags & XFS_QUOTA_UDQ_ENFD))
q_on |= XFS_QUOTA_UDQ_ENFD;
if (!(F.qs_flags & XFS_QUOTA_UDQ_ACCT))
q_on |= XFS_QUOTA_UDQ_ACCT;
if (q_on != 0) {
ret = quotactl(QCMD(Q_XQUOTAON,USRQUOTA),bdev, -1, (CADDR_T)&q_on);
}
} else if (qflags & QUOTAS_ENABLED) {
if (F.qs_flags & XFS_QUOTA_UDQ_ENFD)
q_off |= XFS_QUOTA_UDQ_ENFD;
if (q_off != 0) {
ret = quotactl(QCMD(Q_XQUOTAOFF,USRQUOTA),bdev, -1, (CADDR_T)&q_off);
}
if (!(F.qs_flags & XFS_QUOTA_UDQ_ACCT))
q_on |= XFS_QUOTA_UDQ_ACCT;
if (q_on != 0) {
ret = quotactl(QCMD(Q_XQUOTAON,USRQUOTA),bdev, -1, (CADDR_T)&q_on);
}
} else {
#if 0
/* Switch on XFS_QUOTA_UDQ_ACCT didn't work!
* only swittching off XFS_QUOTA_UDQ_ACCT work
*/
if (F.qs_flags & XFS_QUOTA_UDQ_ENFD)
q_off |= XFS_QUOTA_UDQ_ENFD;
if (F.qs_flags & XFS_QUOTA_UDQ_ACCT)
q_off |= XFS_QUOTA_UDQ_ACCT;
if (q_off !=0) {
ret = quotactl(QCMD(Q_XQUOTAOFF,USRQUOTA),bdev, -1, (CADDR_T)&q_off);
}
#endif
}
/* we use uid == 0 for default quotas */
D.d_fieldmask |= FS_DQ_LIMIT_MASK;
ret = quotactl(QCMD(Q_XSETQLIM,USRQUOTA), bdev, 0, (CADDR_T)&D);
break;
default:
errno = ENOSYS;
return -1;
}
return ret;
}
#endif /* HAVE_XFS_QUOTA */
/*********************************************************************
Now the list of all filesystem specific quota systems we have found
**********************************************************************/
static struct {
const char *name;
int (*get_quota)(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
int (*set_quota)(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
} sys_quota_backends[] = {
#ifdef HAVE_XFS_QUOTA
{"xfs", sys_get_xfs_quota, sys_set_xfs_quota},
#endif /* HAVE_XFS_QUOTA */
{NULL, NULL, NULL}
};
static int command_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
const char *get_quota_command;
get_quota_command = lp_get_quota_command();
if (get_quota_command && *get_quota_command) {
const char *p;
char *p2;
char **lines;
pstring syscmd;
int _id = -1;
switch(qtype) {
case SMB_USER_QUOTA_TYPE:
case SMB_USER_FS_QUOTA_TYPE:
_id = id.uid;
break;
case SMB_GROUP_QUOTA_TYPE:
case SMB_GROUP_FS_QUOTA_TYPE:
_id = id.gid;
break;
default:
DEBUG(0,("invalid quota type.\n"));
return -1;
}
slprintf(syscmd, sizeof(syscmd)-1,
"%s \"%s\" %d %d",
get_quota_command, path, qtype, _id);
DEBUG (3, ("get_quota: Running command %s\n", syscmd));
lines = file_lines_pload(syscmd, NULL);
if (lines) {
char *line = lines[0];
DEBUG (3, ("Read output from get_quota, \"r%s\"\n", line));
/* we need to deal with long long unsigned here, if supported */
dp->qflags = (enum SMB_QUOTA_TYPE)strtoul(line, &p2, 10);
p = p2;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->curblocks = STR_TO_SMB_BIG_UINT(p, &p);
else
goto invalid_param;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->softlimit = STR_TO_SMB_BIG_UINT(p, &p);
else
goto invalid_param;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->hardlimit = STR_TO_SMB_BIG_UINT(p, &p);
else
goto invalid_param;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->curinodes = STR_TO_SMB_BIG_UINT(p, &p);
else
goto invalid_param;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->isoftlimit = STR_TO_SMB_BIG_UINT(p, &p);
else
goto invalid_param;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->ihardlimit = STR_TO_SMB_BIG_UINT(p, &p);
else
goto invalid_param;
while (p && *p && isspace(*p))
p++;
if (p && *p)
dp->bsize = STR_TO_SMB_BIG_UINT(p, NULL);
else
dp->bsize = 1024;
file_lines_free(lines);
DEBUG (3, ("Parsed output of get_quota, ...\n"));
#ifdef LARGE_SMB_OFF_T
DEBUGADD (5,(
"qflags:%u curblocks:%llu softlimit:%llu hardlimit:%llu\n"
"curinodes:%llu isoftlimit:%llu ihardlimit:%llu bsize:%llu\n",
dp->qflags,(long long unsigned)dp->curblocks,
(long long unsigned)dp->softlimit,(long long unsigned)dp->hardlimit,
(long long unsigned)dp->curinodes,
(long long unsigned)dp->isoftlimit,(long long unsigned)dp->ihardlimit,
(long long unsigned)dp->bsize));
#else /* LARGE_SMB_OFF_T */
DEBUGADD (5,(
"qflags:%u curblocks:%lu softlimit:%lu hardlimit:%lu\n"
"curinodes:%lu isoftlimit:%lu ihardlimit:%lu bsize:%lu\n",
dp->qflags,(long unsigned)dp->curblocks,
(long unsigned)dp->softlimit,(long unsigned)dp->hardlimit,
(long unsigned)dp->curinodes,
(long unsigned)dp->isoftlimit,(long unsigned)dp->ihardlimit,
(long unsigned)dp->bsize));
#endif /* LARGE_SMB_OFF_T */
return 0;
}
DEBUG (0, ("get_quota_command failed!\n"));
return -1;
}
errno = ENOSYS;
return -1;
invalid_param:
DEBUG(0,("The output of get_quota_command is invalid!\n"));
return -1;
}
static int command_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
const char *set_quota_command;
set_quota_command = lp_set_quota_command();
if (set_quota_command && *set_quota_command) {
char **lines;
pstring syscmd;
int _id = -1;
switch(qtype) {
case SMB_USER_QUOTA_TYPE:
case SMB_USER_FS_QUOTA_TYPE:
_id = id.uid;
break;
case SMB_GROUP_QUOTA_TYPE:
case SMB_GROUP_FS_QUOTA_TYPE:
_id = id.gid;
break;
default:
return -1;
}
#ifdef LARGE_SMB_OFF_T
slprintf(syscmd, sizeof(syscmd)-1,
"%s \"%s\" %d %d "
"%u %llu %llu "
"%llu %llu %llu ",
set_quota_command, path, qtype, _id, dp->qflags,
(long long unsigned)dp->softlimit,(long long unsigned)dp->hardlimit,
(long long unsigned)dp->isoftlimit,(long long unsigned)dp->ihardlimit,
(long long unsigned)dp->bsize);
#else /* LARGE_SMB_OFF_T */
slprintf(syscmd, sizeof(syscmd)-1,
"%s \"%s\" %d %d "
"%u %lu %lu "
"%lu %lu %lu ",
set_quota_command, path, qtype, _id, dp->qflags,
(long unsigned)dp->softlimit,(long unsigned)dp->hardlimit,
(long unsigned)dp->isoftlimit,(long unsigned)dp->ihardlimit,
(long unsigned)dp->bsize);
#endif /* LARGE_SMB_OFF_T */
DEBUG (3, ("get_quota: Running command %s\n", syscmd));
lines = file_lines_pload(syscmd, NULL);
if (lines) {
char *line = lines[0];
DEBUG (3, ("Read output from set_quota, \"%s\"\n", line));
file_lines_free(lines);
return 0;
}
DEBUG (0, ("set_quota_command failed!\n"));
return -1;
}
errno = ENOSYS;
return -1;
}
int sys_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
int i;
BOOL ready = False;
char *mntpath = NULL;
char *bdev = NULL;
char *fs = NULL;
if (!path||!dp)
smb_panic("sys_get_quota: called with NULL pointer");
if (command_get_quota(path, qtype, id, dp)==0) {
return 0;
} else if (errno != ENOSYS) {
return -1;
}
if ((ret=sys_path_to_bdev(path,&mntpath,&bdev,&fs))!=0) {
return ret;
}
for (i=0;(fs && sys_quota_backends[i].name && sys_quota_backends[i].get_quota);i++) {
if (strcmp(fs,sys_quota_backends[i].name)==0) {
ret = sys_quota_backends[i].get_quota(mntpath, bdev, qtype, id, dp);
ready = True;
break;
}
}
if (!ready) {
/* use the default vfs quota functions */
ret = sys_get_vfs_quota(mntpath, bdev, qtype, id, dp);
}
SAFE_FREE(mntpath);
SAFE_FREE(bdev);
SAFE_FREE(fs);
if ((ret!=0)&& (errno == EDQUOT)) {
return 0;
}
return ret;
}
int sys_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
{
int ret = -1;
int i;
BOOL ready = False;
char *mntpath = NULL;
char *bdev = NULL;
char *fs = NULL;
/* find the block device file */
if (!path||!dp)
smb_panic("get_smb_quota: called with NULL pointer");
if (command_set_quota(path, qtype, id, dp)==0) {
return 0;
} else if (errno != ENOSYS) {
return -1;
}
if ((ret=sys_path_to_bdev(path,&mntpath,&bdev,&fs))!=0) {
return ret;
}
for (i=0;(fs && sys_quota_backends[i].name && sys_quota_backends[i].set_quota);i++) {
if (strcmp(fs,sys_quota_backends[i].name)==0) {
ret = sys_quota_backends[i].set_quota(mntpath, bdev, qtype, id, dp);
ready = True;
break;
}
}
if (!ready) {
/* use the default vfs quota functions */
ret=sys_set_vfs_quota(mntpath, bdev, qtype, id, dp);
}
SAFE_FREE(mntpath);
SAFE_FREE(bdev);
SAFE_FREE(fs);
if ((ret!=0)&& (errno == EDQUOT)) {
return 0;
}
return ret;
}
#else /* HAVE_SYS_QUOTAS */
void dummy_sysquotas_c(void)
{
return;
}
#endif /* HAVE_SYS_QUOTAS */
#else /* ! AUTOCONF_TEST */
/* this is the autoconf driver to test witch quota system we should use */
#if defined(HAVE_QUOTACTL_4A)
/* long quotactl(int cmd, char *special, qid_t id, caddr_t addr) */
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_ASM_TYPES_H
#include <asm/types.h>
#endif
#if defined(HAVE_LINUX_QUOTA_H)
# include <linux/quota.h>
# if defined(HAVE_STRUCT_IF_DQBLK)
# define SYS_DQBLK if_dqblk
# elif defined(HAVE_STRUCT_MEM_DQBLK)
# define SYS_DQBLK mem_dqblk
# endif
#elif defined(HAVE_SYS_QUOTA_H)
# include <sys/quota.h>
#endif
#ifndef SYS_DQBLK
#define SYS_DQBLK dqblk
#endif
int autoconf_quota(void)
{
int ret = -1;
struct SYS_DQBLK D;
ret = quotactl(Q_GETQUOTA,"/dev/hda1",0,(void *)&D);
return ret;
}
#elif defined(HAVE_QUOTACTL_4B)
/* int quotactl(const char *path, int cmd, int id, char *addr); */
#ifdef HAVE_SYS_QUOTA_H
#include <sys/quota.h>
#else /* *BSD */
#include <sys/types.h>
#include <ufs/ufs/quota.h>
#include <machine/param.h>
#endif
int autoconf_quota(void)
{
int ret = -1;
struct dqblk D;
ret = quotactl("/",Q_GETQUOTA,0,(char *) &D);
return ret;
}
#elif defined(HAVE_QUOTACTL_3)
/* int quotactl (char *spec, int request, char *arg); */
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_QUOTA_H
#include <sys/quota.h>
#endif
int autoconf_quota(void)
{
int ret = -1;
struct q_request request;
ret = quotactl("/", Q_GETQUOTA, &request);
return ret;
}
#elif defined(HAVE_QUOTACTL_2)
#error HAVE_QUOTACTL_2 not implemented
#else
#error Unknow QUOTACTL prototype
#endif
int main(void)
{
autoconf_quota();
return 0;
}
#endif /* AUTOCONF_TEST */

158
source3/libsmb/conncache.c Normal file
View File

@ -0,0 +1,158 @@
/*
Unix SMB/CIFS implementation.
Winbind daemon connection manager
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett 2002
Copyright (C) Gerald (Jerry) Carter 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#define FAILED_CONNECTION_CACHE_TIMEOUT 30 /* Seconds between attempts */
#define CONNCACHE_ADDR 1
#define CONNCACHE_NAME 2
/* cache entry contains either a server name **or** and IP address as
the key. This means that a server could have two entries (one for each key) */
struct failed_connection_cache {
fstring domain_name;
fstring controller;
time_t lookup_time;
NTSTATUS nt_status;
struct failed_connection_cache *prev, *next;
};
static struct failed_connection_cache *failed_connection_cache;
/**********************************************************************
Check for a previously failed connection
**********************************************************************/
NTSTATUS check_negative_conn_cache( const char *domain, const char *server )
{
struct failed_connection_cache *fcc;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
/* can't check if we don't have strings */
if ( !domain || !server )
return NT_STATUS_OK;
for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
if ( !(strequal(domain, fcc->domain_name) && strequal(server, fcc->controller)) )
continue; /* no match; check the next entry */
/* we have a match so see if it is still current */
if ((time(NULL) - fcc->lookup_time) > FAILED_CONNECTION_CACHE_TIMEOUT)
{
/* Cache entry has expired, delete it */
DEBUG(10, ("check_negative_conn_cache: cache entry expired for %s, %s\n",
domain, server ));
DLIST_REMOVE(failed_connection_cache, fcc);
SAFE_FREE(fcc);
return NT_STATUS_OK;
}
/* The timeout hasn't expired yet so return false */
DEBUG(10, ("check_negative_conn_cache: returning negative entry for %s, %s\n",
domain, server ));
result = fcc->nt_status;
return result;
}
/* end of function means no cache entry */
return NT_STATUS_OK;
}
/**********************************************************************
Add an entry to the failed conneciton cache (aither a name of dotted
decimal IP
**********************************************************************/
void add_failed_connection_entry(const char *domain, const char *server, NTSTATUS result)
{
struct failed_connection_cache *fcc;
SMB_ASSERT(!NT_STATUS_IS_OK(result));
/* Check we already aren't in the cache. We always have to have
a domain, but maybe not a specific DC name. */
for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
if ( strequal(fcc->domain_name, domain) && strequal(fcc->controller, server) )
{
DEBUG(10, ("add_failed_connection_entry: domain %s (%s) already tried and failed\n",
domain, server ));
return;
}
}
/* Create negative lookup cache entry for this domain and controller */
if ( !(fcc = (struct failed_connection_cache *)malloc(sizeof(struct failed_connection_cache))) )
{
DEBUG(0, ("malloc failed in add_failed_connection_entry!\n"));
return;
}
ZERO_STRUCTP(fcc);
fstrcpy( fcc->domain_name, domain );
fstrcpy( fcc->controller, server );
fcc->lookup_time = time(NULL);
fcc->nt_status = result;
DEBUG(10,("add_failed_connection_entry: added domain %s (%s) to failed conn cache\n",
domain, server ));
DLIST_ADD(failed_connection_cache, fcc);
}
/****************************************************************************
****************************************************************************/
void flush_negative_conn_cache( void )
{
struct failed_connection_cache *fcc;
fcc = failed_connection_cache;
while (fcc) {
struct failed_connection_cache *fcc_next;
fcc_next = fcc->next;
DLIST_REMOVE(failed_connection_cache, fcc);
free(fcc);
fcc = fcc_next;
}
}

View File

@ -0,0 +1,238 @@
/*
Unix SMB/CIFS implementation.
Net_sam_logon info3 helpers
Copyright (C) Alexander Bokovoy 2002.
Copyright (C) Andrew Bartlett 2002.
Copyright (C) Gerald Carter 2003.
Copyright (C) Tim Potter 2003.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#define NETSAMLOGON_TDB "netsamlogon_cache.tdb"
static TDB_CONTEXT *netsamlogon_tdb = NULL;
/***********************************************************************
open the tdb
***********************************************************************/
BOOL netsamlogon_cache_init(void)
{
if (!netsamlogon_tdb) {
netsamlogon_tdb = tdb_open_log(lock_path(NETSAMLOGON_TDB), 0,
TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
}
return (netsamlogon_tdb != NULL);
}
/***********************************************************************
Shutdown samlogon_cache database
***********************************************************************/
BOOL netsamlogon_cache_shutdown(void)
{
if(netsamlogon_tdb)
return (tdb_close(netsamlogon_tdb) == 0);
return True;
}
/***********************************************************************
Clear cache getpwnam and getgroups entries from the winbindd cache
***********************************************************************/
void netsamlogon_clear_cached_user(TDB_CONTEXT *tdb, NET_USER_INFO_3 *user)
{
fstring domain;
TDB_DATA key;
BOOL got_tdb = False;
/* We may need to call this function from smbd which will not have
winbindd_cache.tdb open. Open the tdb if a NULL is passed. */
if (!tdb) {
tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), 5000,
TDB_DEFAULT, O_RDWR, 0600);
if (!tdb) {
DEBUG(5, ("netsamlogon_clear_cached_user: failed to open cache\n"));
return;
}
got_tdb = True;
}
unistr2_to_ascii(domain, &user->uni_logon_dom, sizeof(domain) - 1);
/* Clear U/DOMAIN/RID cache entry */
asprintf(&key.dptr, "U/%s/%d", domain, user->user_rid);
key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */
DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr));
tdb_delete(tdb, key);
SAFE_FREE(key.dptr);
/* Clear UG/DOMAIN/RID cache entry */
asprintf(&key.dptr, "UG/%s/%d", domain, user->user_rid);
key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */
DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr));
tdb_delete(tdb, key);
SAFE_FREE(key.dptr);
if (got_tdb)
tdb_close(tdb);
}
/***********************************************************************
Store a NET_USER_INFO_3 structure in a tdb for later user
***********************************************************************/
BOOL netsamlogon_cache_store(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
{
TDB_DATA data;
fstring keystr;
prs_struct ps;
BOOL result = False;
DOM_SID user_sid;
time_t t = time(NULL);
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB));
return False;
}
sid_copy( &user_sid, &user->dom_sid.sid );
sid_append_rid( &user_sid, user->user_rid );
/* Prepare key as DOMAIN-SID/USER-RID string */
slprintf(keystr, sizeof(keystr), "%s", sid_string_static(&user_sid));
DEBUG(10,("netsamlogon_cache_store: SID [%s]\n", keystr));
/* Prepare data */
prs_init( &ps,MAX_PDU_FRAG_LEN , mem_ctx, MARSHALL);
if ( !prs_uint32( "timestamp", &ps, 0, (uint32*)&t ) )
return False;
if ( net_io_user_info3("", user, &ps, 0, 3) )
{
data.dsize = prs_offset( &ps );
data.dptr = prs_data_p( &ps );
if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) != -1)
result = True;
prs_mem_free( &ps );
}
return result;
}
/***********************************************************************
Retrieves a NET_USER_INFO_3 structure from a tdb. Caller must
free the user_info struct (malloc()'d memory)
***********************************************************************/
NET_USER_INFO_3* netsamlogon_cache_get( TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
{
NET_USER_INFO_3 *user = NULL;
TDB_DATA data, key;
prs_struct ps;
fstring keystr;
uint32 t;
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB));
return False;
}
/* Prepare key as DOMAIN-SID/USER-RID string */
slprintf(keystr, sizeof(keystr), "%s", sid_string_static(user_sid));
DEBUG(10,("netsamlogon_cache_get: SID [%s]\n", keystr));
key.dptr = keystr;
key.dsize = strlen(keystr)+1;
data = tdb_fetch( netsamlogon_tdb, key );
if ( data.dptr ) {
if ( (user = (NET_USER_INFO_3*)malloc(sizeof(NET_USER_INFO_3))) == NULL )
return NULL;
prs_init( &ps, 0, mem_ctx, UNMARSHALL );
prs_give_memory( &ps, data.dptr, data.dsize, True );
if ( !prs_uint32( "timestamp", &ps, 0, &t ) ) {
prs_mem_free( &ps );
return False;
}
if ( !net_io_user_info3("", user, &ps, 0, 3) ) {
SAFE_FREE( user );
}
prs_mem_free( &ps );
#if 0 /* The netsamlogon cache needs to hang around. Something about
this feels wrong, but it is the only way we can get all of the
groups. The old universal groups cache didn't expire either.
--jerry */
{
time_t now = time(NULL);
uint32 time_diff;
/* is the entry expired? */
time_diff = now - t;
if ( (time_diff < 0 ) || (time_diff > lp_winbind_cache_time()) ) {
DEBUG(10,("netsamlogon_cache_get: cache entry expired \n"));
tdb_delete( netsamlogon_tdb, key );
SAFE_FREE( user );
}
#endif
}
return user;
}
BOOL netsamlogon_cache_have(DOM_SID *user_sid)
{
TALLOC_CTX *mem_ctx = talloc_init("netsamlogon_cache_have");
NET_USER_INFO_3 *user = NULL;
BOOL result;
if (!mem_ctx)
return False;
user = netsamlogon_cache_get(mem_ctx, user_sid);
result = (user != NULL);
talloc_destroy(mem_ctx);
SAFE_FREE(user);
return result;
}

7
source3/mainpage.dox Normal file
View File

@ -0,0 +1,7 @@
/**
@mainpage
@li \ref CodingSuggestions
**/

131
source3/modules/weird.c Normal file
View File

@ -0,0 +1,131 @@
/*
Unix SMB/CIFS implementation.
Samba module with developer tools
Copyright (C) Andrew Tridgell 2001
Copyright (C) Jelmer Vernooij 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
static struct {
char from;
char *to;
int len;
} weird_table[] = {
{'q', "^q^", 3},
{'Q', "^Q^", 3},
{0, NULL}
};
static size_t weird_pull(void *cd, char **inbuf, size_t *inbytesleft,
char **outbuf, size_t *outbytesleft)
{
while (*inbytesleft >= 1 && *outbytesleft >= 2) {
int i;
int done = 0;
for (i=0;weird_table[i].from;i++) {
if (strncmp((*inbuf),
weird_table[i].to,
weird_table[i].len) == 0) {
if (*inbytesleft < weird_table[i].len) {
DEBUG(0,("ERROR: truncated weird string\n"));
/* smb_panic("weird_pull"); */
} else {
(*outbuf)[0] = weird_table[i].from;
(*outbuf)[1] = 0;
(*inbytesleft) -= weird_table[i].len;
(*outbytesleft) -= 2;
(*inbuf) += weird_table[i].len;
(*outbuf) += 2;
done = 1;
break;
}
}
}
if (done) continue;
(*outbuf)[0] = (*inbuf)[0];
(*outbuf)[1] = 0;
(*inbytesleft) -= 1;
(*outbytesleft) -= 2;
(*inbuf) += 1;
(*outbuf) += 2;
}
if (*inbytesleft > 0) {
errno = E2BIG;
return -1;
}
return 0;
}
static size_t weird_push(void *cd, char **inbuf, size_t *inbytesleft,
char **outbuf, size_t *outbytesleft)
{
int ir_count=0;
while (*inbytesleft >= 2 && *outbytesleft >= 1) {
int i;
int done=0;
for (i=0;weird_table[i].from;i++) {
if ((*inbuf)[0] == weird_table[i].from &&
(*inbuf)[1] == 0) {
if (*outbytesleft < weird_table[i].len) {
DEBUG(0,("No room for weird character\n"));
/* smb_panic("weird_push"); */
} else {
memcpy(*outbuf, weird_table[i].to,
weird_table[i].len);
(*inbytesleft) -= 2;
(*outbytesleft) -= weird_table[i].len;
(*inbuf) += 2;
(*outbuf) += weird_table[i].len;
done = 1;
break;
}
}
}
if (done) continue;
(*outbuf)[0] = (*inbuf)[0];
if ((*inbuf)[1]) ir_count++;
(*inbytesleft) -= 2;
(*outbytesleft) -= 1;
(*inbuf) += 2;
(*outbuf) += 1;
}
if (*inbytesleft == 1) {
errno = EINVAL;
return -1;
}
if (*inbytesleft > 1) {
errno = E2BIG;
return -1;
}
return ir_count;
}
struct charset_functions weird_functions = {"WEIRD", weird_pull, weird_push};
NTSTATUS charset_weird_init(void)
{
return smb_register_charset(&weird_functions);
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1 @@
*.po

View File

@ -0,0 +1,78 @@
/*
Unix SMB/CIFS implementation.
Loadable passdb module interface.
Copyright (C) Jelmer Vernooij 2002
Copyright (C) Andrew Bartlett 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
NTSTATUS pdb_init_plugin(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
void * dl_handle;
char *plugin_location, *plugin_name, *p;
pdb_init_function plugin_init;
int (*plugin_version)(void);
if (location == NULL) {
DEBUG(0, ("The plugin module needs an argument!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
plugin_name = smb_xstrdup(location);
p = strchr(plugin_name, ':');
if (p) {
*p = 0;
plugin_location = p+1;
trim_string(plugin_location, " ", " ");
} else plugin_location = NULL;
trim_string(plugin_name, " ", " ");
DEBUG(5, ("Trying to load sam plugin %s\n", plugin_name));
dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
if (!dl_handle) {
DEBUG(0, ("Failed to load sam plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror()));
return NT_STATUS_UNSUCCESSFUL;
}
plugin_version = sys_dlsym(dl_handle, "pdb_version");
if (!plugin_version) {
sys_dlclose(dl_handle);
DEBUG(0, ("Failed to find function 'pdb_version' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror()));
return NT_STATUS_UNSUCCESSFUL;
}
if (plugin_version() != PASSDB_INTERFACE_VERSION) {
sys_dlclose(dl_handle);
DEBUG(0, ("Wrong PASSDB_INTERFACE_VERSION! sam plugin has version %d and version %d is needed! Please update!\n",
plugin_version(),PASSDB_INTERFACE_VERSION));
return NT_STATUS_UNSUCCESSFUL;
}
plugin_init = sys_dlsym(dl_handle, "pdb_init");
if (!plugin_init) {
sys_dlclose(dl_handle);
DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror()));
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(5, ("Starting sam plugin %s with location %s\n", plugin_name, plugin_location));
return plugin_init(pdb_context, pdb_method, plugin_location);
}

View File

@ -0,0 +1,262 @@
BEGIN {
print "/* ";
print " Unix SMB/CIFS implementation.";
print " Build Options for Samba Suite";
print " Copyright (C) Vance Lankhaar <vlankhaar@linux.ca> 2003";
print " Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001";
print " ";
print " This program is free software; you can redistribute it and/or modify";
print " it under the terms of the GNU General Public License as published by";
print " the Free Software Foundation; either version 2 of the License, or";
print " (at your option) any later version.";
print " ";
print " This program is distributed in the hope that it will be useful,";
print " but WITHOUT ANY WARRANTY; without even the implied warranty of";
print " MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the";
print " GNU General Public License for more details.";
print " ";
print " You should have received a copy of the GNU General Public License";
print " along with this program; if not, write to the Free Software";
print " Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.";
print "*/";
print "";
print "#include \"includes.h\"";
print "#include \"build_env.h\"";
print "#include \"dynconfig.h\"";
print "";
print "static void output(BOOL screen, const char *format, ...) PRINTF_ATTRIBUTE(2,3);";
print "";
print "";
print "/****************************************************************************";
print "helper function for build_options";
print "****************************************************************************/";
print "static void output(BOOL screen, const char *format, ...)";
print "{";
print " char *ptr;";
print " va_list ap;";
print " ";
print " va_start(ap, format);";
print " vasprintf(&ptr,format,ap);";
print " va_end(ap);";
print "";
print " if (screen) {";
print " d_printf(\"%s\", ptr);";
print " } else {";
print " DEBUG(4,(\"%s\", ptr));";
print " }";
print " ";
print " SAFE_FREE(ptr);";
print "}";
print "";
print "/****************************************************************************";
print "options set at build time for the samba suite";
print "****************************************************************************/";
print "void build_options(BOOL screen)";
print "{";
print " if ((DEBUGLEVEL < 4) && (!screen)) {";
print " return;";
print " }";
print "";
print "#ifdef _BUILD_ENV_H";
print " /* Output information about the build environment */";
print " output(screen,\"Build environment:\\n\");";
print " output(screen,\" Built by: %s@%s\\n\",BUILD_ENV_USER,BUILD_ENV_HOST);";
print " output(screen,\" Built on: %s\\n\",BUILD_ENV_DATE);";
print "";
print " output(screen,\" Built using: %s\\n\",BUILD_ENV_COMPILER);";
print " output(screen,\" Build host: %s\\n\",BUILD_ENV_UNAME);";
print " output(screen,\" SRCDIR: %s\\n\",BUILD_ENV_SRCDIR);";
print " output(screen,\" BUILDDIR: %s\\n\",BUILD_ENV_BUILDDIR);";
print "";
print " ";
print "#endif";
print "";
print " /* Output various paths to files and directories */";
print " output(screen,\"\\nPaths:\\n\");";
print " output(screen,\" SBINDIR: %s\\n\", dyn_SBINDIR);";
print " output(screen,\" BINDIR: %s\\n\", dyn_BINDIR);";
print " output(screen,\" SWATDIR: %s\\n\", dyn_SWATDIR);";
print " output(screen,\" CONFIGFILE: %s\\n\", dyn_CONFIGFILE);";
print " output(screen,\" LOGFILEBASE: %s\\n\", dyn_LOGFILEBASE);";
print " output(screen,\" LMHOSTSFILE: %s\\n\",dyn_LMHOSTSFILE);";
print " output(screen,\" LIBDIR: %s\\n\",dyn_LIBDIR);";
print " output(screen,\" SHLIBEXT: %s\\n\",dyn_SHLIBEXT);";
print " output(screen,\" LOCKDIR: %s\\n\",dyn_LOCKDIR);";
print " output(screen,\" PIDDIR: %s\\n\", dyn_PIDDIR);";
print " output(screen,\" SMB_PASSWD_FILE: %s\\n\",dyn_SMB_PASSWD_FILE);";
print " output(screen,\" PRIVATE_DIR: %s\\n\",dyn_PRIVATE_DIR);";
print "";
##################################################
# predefine first element of *_ary
# predefine *_i (num of elements in *_ary)
with_ary[0]="";
with_i=0;
have_ary[0]="";
have_i=0;
utmp_ary[0]="";
utmp_i=0;
misc_ary[0]="";
misc_i=0;
sys_ary[0]="";
sys_i=0;
headers_ary[0]="";
headers_i=0;
in_comment = 0;
}
# capture single line comments
/^\/\* (.*?)\*\// {
last_comment = $0;
next;
}
# end capture multi-line comments
/(.*?)\*\// {
last_comment = last_comment $0;
in_comment = 0;
next;
}
# capture middle lines of multi-line comments
in_comment {
last_comment = last_comment $0;
next;
}
# begin capture multi-line comments
/^\/\* (.*?)/ {
last_comment = $0;
in_comment = 1;
next
}
##################################################
# if we have an #undef and a last_comment, store it
/^\#undef/ {
split($0,a);
comments_ary[a[2]] = last_comment;
last_comment = "";
}
##################################################
# for each line, sort into appropriate section
# then move on
/^\#undef WITH/ {
with_ary[with_i++] = a[2];
# we want (I think) to allow --with to show up in more than one place, so no next
}
/^\#undef HAVE_UT_UT_/ || /^\#undef .*UTMP/ {
utmp_ary[utmp_i++] = a[2];
next;
}
/^\#undef HAVE_SYS_.*?_H$/ {
sys_ary[sys_i++] = a[2];
next;
}
/^\#undef HAVE_.*?_H$/ {
headers_ary[headers_i++] = a[2];
next;
}
/^\#undef HAVE_/ {
have_ary[have_i++] = a[2];
next;
}
/^\#undef/ {
misc_ary[misc_i++] = a[2];
next;
}
##################################################
# simple sort function
function sort(ARRAY, ELEMENTS) {
for (i = 1; i <= ELEMENTS; ++i) {
for (j = i; (j-1) in ARRAY && (j) in ARRAY && ARRAY[j-1] > ARRAY[j]; --j) {
temp = ARRAY[j];
ARRAY[j] = ARRAY[j-1];
ARRAY[j-1] = temp;
}
}
return;
}
##################################################
# output code from list of defined
# expects: ARRAY an array of things defined
# ELEMENTS number of elements in ARRAY
# TITLE title for section
# returns: nothing
function output(ARRAY, ELEMENTS, TITLE) {
# add section header
print "\n\t/* Show " TITLE " */";
print "\toutput(screen, \"\\n " TITLE ":\\n\");\n";
# sort element using bubble sort (slow, but easy)
sort(ARRAY, ELEMENTS);
# loop through array of defines, outputting code
for (i = 0; i < ELEMENTS; i++) {
print "#ifdef " ARRAY[i];
# I don't know which one to use....
print "\toutput(screen, \" " ARRAY[i] "\\n\");";
#printf "\toutput(screen, \" %s\\n %s\\n\\n\");\n", comments_ary[ARRAY[i]], ARRAY[i];
#printf "\toutput(screen, \" %-35s %s\\n\");\n", ARRAY[i], comments_ary[ARRAY[i]];
print "#endif";
}
return;
}
END {
##################################################
# add code to show various options
print "/* Output various other options (as gleaned from include/config.h.in) */";
output(sys_ary, sys_i, "System Headers");
output(headers_ary, headers_i, "Headers");
output(utmp_ary, utmp_i, "UTMP Options");
output(have_ary, have_i, "HAVE_* Defines");
output(with_ary, with_i, "--with Options");
output(misc_ary, misc_i, "Build Options");
##################################################
# add code to display the various type sizes
print " /* Output the sizes of the various types */";
print " output(screen, \"\\nType sizes:\\n\");";
print " output(screen, \" sizeof(char): %u\\n\",sizeof(char));";
print " output(screen, \" sizeof(int): %u\\n\",sizeof(int));";
print " output(screen, \" sizeof(long): %u\\n\",sizeof(long));";
print " output(screen, \" sizeof(uint8): %u\\n\",sizeof(uint8));";
print " output(screen, \" sizeof(uint16): %u\\n\",sizeof(uint16));";
print " output(screen, \" sizeof(uint32): %u\\n\",sizeof(uint32));";
print " output(screen, \" sizeof(short): %u\\n\",sizeof(short));";
print " output(screen, \" sizeof(void*): %u\\n\",sizeof(void*));";
##################################################
# add code to give information about modules
print " output(screen, \"\\nBuiltin modules:\\n\");";
print " output(screen, \" %s\\n\", STRING_STATIC_MODULES);";
print "}";
}

166
source3/smbd/fake_file.c Normal file
View File

@ -0,0 +1,166 @@
/*
Unix SMB/CIFS implementation.
FAKE FILE suppport, for faking up special files windows want access to
Copyright (C) Stefan (metze) Metzmacher 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/****************************************************************************
Open a file with a share mode.
****************************************************************************/
files_struct *open_fake_file_shared1(enum FAKE_FILE_TYPE fake_file_type, connection_struct *conn,char *fname,
SMB_STRUCT_STAT *psbuf,
uint32 desired_access,
int share_mode,int ofun, mode_t mode,int oplock_request,
int *Access,int *action)
{
extern struct current_user current_user;
int flags=0;
files_struct *fsp = NULL;
if (fake_file_type == 0) {
return open_file_shared1(conn,fname,psbuf,desired_access,
share_mode,ofun,mode,
oplock_request,Access,action);
}
/* access check */
if (conn->admin_user != True) {
DEBUG(1,("access_denied to service[%s] file[%s] user[%s]\n",
lp_servicename(SNUM(conn)),fname,conn->user));
errno = EACCES;
return NULL;
}
fsp = file_new(conn);
if(!fsp)
return NULL;
DEBUG(5,("open_fake_file_shared1: fname = %s, FID = %d, share_mode = %x, ofun = %x, mode = %o, oplock request = %d\n",
fname, fsp->fnum, share_mode, ofun, (int)mode, oplock_request ));
if (!check_name(fname,conn)) {
file_free(fsp);
return NULL;
}
fsp->fd = -1;
fsp->mode = psbuf->st_mode;
fsp->inode = psbuf->st_ino;
fsp->dev = psbuf->st_dev;
fsp->vuid = current_user.vuid;
fsp->size = psbuf->st_size;
fsp->pos = -1;
fsp->can_lock = True;
fsp->can_read = ((flags & O_WRONLY)==0);
fsp->can_write = ((flags & (O_WRONLY|O_RDWR))!=0);
fsp->share_mode = 0;
fsp->desired_access = desired_access;
fsp->print_file = False;
fsp->modified = False;
fsp->oplock_type = NO_OPLOCK;
fsp->sent_oplock_break = NO_BREAK_SENT;
fsp->is_directory = False;
fsp->is_stat = False;
fsp->directory_delete_on_close = False;
fsp->conn = conn;
string_set(&fsp->fsp_name,fname);
fsp->wcp = NULL; /* Write cache pointer. */
fsp->fake_file_handle = init_fake_file_handle(fake_file_type);
if (fsp->fake_file_handle==NULL) {
file_free(fsp);
return NULL;
}
conn->num_files_open++;
return fsp;
}
static FAKE_FILE fake_files[] = {
#ifdef WITH_QUOTAS
{FAKE_FILE_NAME_QUOTA, FAKE_FILE_TYPE_QUOTA, init_quota_handle, destroy_quota_handle},
#endif /* WITH_QUOTAS */
{NULL, FAKE_FILE_TYPE_NONE, NULL, NULL }
};
int is_fake_file(char *fname)
{
int i;
if (!fname)
return 0;
for (i=0;fake_files[i].name!=NULL;i++) {
if (strncmp(fname,fake_files[i].name,strlen(fake_files[i].name))==0) {
DEBUG(5,("is_fake_file: [%s] is a fake file\n",fname));
return fake_files[i].type;
}
}
return FAKE_FILE_TYPE_NONE;
}
struct _FAKE_FILE_HANDLE *init_fake_file_handle(enum FAKE_FILE_TYPE type)
{
TALLOC_CTX *mem_ctx = NULL;
FAKE_FILE_HANDLE *fh = NULL;
int i;
for (i=0;fake_files[i].name!=NULL;i++) {
if (fake_files[i].type==type) {
DEBUG(5,("init_fake_file_handle: for [%s]\n",fake_files[i].name));
if ((mem_ctx=talloc_init("fake_file_handle"))==NULL) {
DEBUG(0,("talloc_init(fake_file_handle) failed.\n"));
return NULL;
}
if ((fh =(FAKE_FILE_HANDLE *)talloc_zero(mem_ctx, sizeof(FAKE_FILE_HANDLE)))==NULL) {
DEBUG(0,("talloc_zero() failed.\n"));
talloc_destroy(mem_ctx);
return NULL;
}
fh->type = type;
fh->mem_ctx = mem_ctx;
if (fake_files[i].init_pd)
fh->pd = fake_files[i].init_pd(fh->mem_ctx);
fh->free_pd = fake_files[i].free_pd;
return fh;
}
}
return NULL;
}
void destroy_fake_file_handle(FAKE_FILE_HANDLE **fh)
{
if (!fh||!(*fh))
return ;
if ((*fh)->free_pd)
(*fh)->free_pd(&(*fh)->pd);
talloc_destroy((*fh)->mem_ctx);
(*fh) = NULL;
}

259
source3/smbd/ntquotas.c Normal file
View File

@ -0,0 +1,259 @@
/*
Unix SMB/CIFS implementation.
NT QUOTA suppport
Copyright (C) Stefan (metze) Metzmacher 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
static SMB_BIG_UINT limit_nt2unix(SMB_BIG_UINT in, SMB_BIG_UINT bsize)
{
SMB_BIG_UINT ret = (SMB_BIG_UINT)0;
ret = (SMB_BIG_UINT)(in/bsize);
if (in>0 && ret==0) {
/* we have to make sure that a overflow didn't set NO_LIMIT */
ret = (SMB_BIG_UINT)1;
}
if (in == SMB_NTQUOTAS_NO_LIMIT)
ret = SMB_QUOTAS_NO_LIMIT;
else if (in == SMB_NTQUOTAS_NO_SPACE)
ret = SMB_QUOTAS_NO_SPACE;
else if (in == SMB_NTQUOTAS_NO_ENTRY)
ret = SMB_QUOTAS_NO_LIMIT;
return ret;
}
static SMB_BIG_UINT limit_unix2nt(SMB_BIG_UINT in, SMB_BIG_UINT bsize)
{
SMB_BIG_UINT ret = (SMB_BIG_UINT)0;
ret = (SMB_BIG_UINT)(in*bsize);
if (ret < in) {
/* we overflow */
ret = SMB_NTQUOTAS_NO_LIMIT;
}
if (in == SMB_QUOTAS_NO_LIMIT)
ret = SMB_NTQUOTAS_NO_LIMIT;
return ret;
}
static SMB_BIG_UINT limit_blk2inodes(SMB_BIG_UINT in)
{
SMB_BIG_UINT ret = (SMB_BIG_UINT)0;
ret = (SMB_BIG_UINT)(in/2);
if (ret == 0 && in != 0)
ret = (SMB_BIG_UINT)1;
return ret;
}
int vfs_get_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid, SMB_NTQUOTA_STRUCT *qt)
{
int ret;
SMB_DISK_QUOTA D;
unid_t id;
ZERO_STRUCT(D);
if (!fsp||!fsp->conn||!qt)
return (-1);
ZERO_STRUCT(*qt);
id.uid = -1;
if (psid && !NT_STATUS_IS_OK(sid_to_uid(psid, &id.uid))) {
DEBUG(0,("sid_to_uid: failed, SID[%s]\n",
sid_string_static(psid)));
}
ret = SMB_VFS_GET_QUOTA(fsp->conn, qtype, id, &D);
if (psid)
qt->sid = *psid;
if (ret!=0) {
return ret;
}
qt->usedspace = (SMB_BIG_UINT)D.curblocks*D.bsize;
qt->softlim = limit_unix2nt(D.softlimit, D.bsize);
qt->hardlim = limit_unix2nt(D.hardlimit, D.bsize);
qt->qflags = D.qflags;
return 0;
}
int vfs_set_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid, SMB_NTQUOTA_STRUCT *qt)
{
int ret;
SMB_DISK_QUOTA D;
unid_t id;
ZERO_STRUCT(D);
if (!fsp||!fsp->conn||!qt)
return (-1);
id.uid = -1;
D.bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
D.softlimit = limit_nt2unix(qt->softlim,D.bsize);
D.hardlimit = limit_nt2unix(qt->hardlim,D.bsize);
D.qflags = qt->qflags;
D.isoftlimit = limit_blk2inodes(D.softlimit);
D.ihardlimit = limit_blk2inodes(D.hardlimit);
if (psid && !NT_STATUS_IS_OK(sid_to_uid(psid, &id.uid))) {
DEBUG(0,("sid_to_uid: failed, SID[%s]\n",
sid_string_static(psid)));
}
ret = SMB_VFS_SET_QUOTA(fsp->conn, qtype, id, &D);
return ret;
}
static BOOL allready_in_quota_list(SMB_NTQUOTA_LIST *qt_list, uid_t uid)
{
SMB_NTQUOTA_LIST *tmp_list = NULL;
if (!qt_list)
return False;
for (tmp_list=qt_list;tmp_list!=NULL;tmp_list=tmp_list->next) {
if (tmp_list->uid == uid) {
return True;
}
}
return False;
}
int vfs_get_user_ntquota_list(files_struct *fsp, SMB_NTQUOTA_LIST **qt_list)
{
struct passwd *usr;
TALLOC_CTX *mem_ctx = NULL;
if (!fsp||!fsp->conn||!qt_list)
return (-1);
*qt_list = NULL;
if ((mem_ctx=talloc_init("SMB_USER_QUOTA_LIST"))==NULL) {
DEBUG(0,("talloc_init() failed\n"));
return (-1);
}
sys_setpwent();
while ((usr = sys_getpwent()) != NULL) {
SMB_NTQUOTA_STRUCT tmp_qt;
SMB_NTQUOTA_LIST *tmp_list_ent;
DOM_SID sid;
ZERO_STRUCT(tmp_qt);
if (allready_in_quota_list((*qt_list),usr->pw_uid)) {
DEBUG(5,("record for uid[%ld] allready in the list\n",(long)usr->pw_uid));
continue;
}
if (!NT_STATUS_IS_OK(uid_to_sid(&sid, usr->pw_uid))) {
DEBUG(0,("uid_to_sid failed for %ld\n",(long)usr->pw_uid));
continue;
}
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &tmp_qt)!=0) {
DEBUG(1,("no quota entry for sid[%s] path[%s]\n",
sid_string_static(&sid),fsp->conn->connectpath));
continue;
}
DEBUG(15,("quota entry for id[%s] path[%s]\n",
sid_string_static(&sid),fsp->conn->connectpath));
if ((tmp_list_ent=(SMB_NTQUOTA_LIST *)talloc_zero(mem_ctx,sizeof(SMB_NTQUOTA_LIST)))==NULL) {
DEBUG(0,("talloc_zero() failed\n"));
*qt_list = NULL;
talloc_destroy(mem_ctx);
return (-1);
}
if ((tmp_list_ent->quotas=(SMB_NTQUOTA_STRUCT *)talloc_zero(mem_ctx,sizeof(SMB_NTQUOTA_STRUCT)))==NULL) {
DEBUG(0,("talloc_zero() failed\n"));
*qt_list = NULL;
talloc_destroy(mem_ctx);
return (-1);
}
tmp_list_ent->uid = usr->pw_uid;
memcpy(tmp_list_ent->quotas,&tmp_qt,sizeof(tmp_qt));
tmp_list_ent->mem_ctx = mem_ctx;
DLIST_ADD((*qt_list),tmp_list_ent);
}
sys_endpwent();
return 0;
}
void *init_quota_handle(TALLOC_CTX *mem_ctx)
{
SMB_NTQUOTA_HANDLE *qt_handle;
if (!mem_ctx)
return False;
qt_handle = (SMB_NTQUOTA_HANDLE *)talloc_zero(mem_ctx,sizeof(SMB_NTQUOTA_HANDLE));
if (qt_handle==NULL) {
DEBUG(0,("talloc_zero() failed\n"));
return NULL;
}
return (void *)qt_handle;
}
void destroy_quota_handle(void **pqt_handle)
{
SMB_NTQUOTA_HANDLE *qt_handle = NULL;
if (!pqt_handle||!(*pqt_handle))
return;
qt_handle = (*pqt_handle);
if (qt_handle->quota_list)
free_ntquota_list(&qt_handle->quota_list);
qt_handle->quota_list = NULL;
qt_handle->tmp_list = NULL;
qt_handle = NULL;
return;
}

Some files were not shown because too many files have changed in this diff Show More