sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-25 17:57:42 +03:00
Code

merge from 2.2

Browse Source
This commit is contained in:
Gerald Carter -
parent 05adb30eab
commit 2137c71634
13 changed files with 397 additions and 1018 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
docs/docbook/manpages/nmbd.8.sgml
View File

@ -232,7 +232,9 @@
<listitem><para>If the server is to be run by the
<command>inetd</command> meta-daemon, this file
must contain suitable startup information for the
meta-daemon. See the section INSTALLATION below.
meta-daemon. See the <ulink
url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink> document
for details.
</para></listitem>
</varlistentry>
@ -243,8 +245,9 @@
<para>If running the server as a daemon at startup,
this file will need to contain an appropriate startup
sequence for the server. See the section INSTALLATION
below.</para></listitem>
sequence for the server. See the <ulink
url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink> document
for details.</para></listitem>
</varlistentry>
<varlistentry>
@ -253,7 +256,8 @@
meta-daemon <command>inetd</command>, this file
must contain a mapping of service name (e.g., netbios-ssn)
to service port (e.g., 139) and protocol type (e.g., tcp).
See the section INSTALLATION below.</para></listitem>
See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
document for details.</para></listitem>
</varlistentry>
<varlistentry>
@ -265,18 +269,18 @@
and <filename>/etc/smb.conf</filename>.</para>
<para>When run as a WINS server (see the
<ulink url="smb.conf.5.html#winssupport">wins support</ulink>
parameter in the <ulink url="smb.conf.5.html"><filename>
smb.conf(5)</filename></ulink> man page), <command>nmbd</command>
<ulink url="smb.conf.5.html#WINSSUPPORT">wins support</ulink>
parameter in the <filename>smb.conf(5)</filename> man page),
<command>nmbd</command>
will store the WINS database in the file <filename>wins.dat</filename>
in the <filename>var/locks</filename> directory configured under
wherever Samba was configured to install itself.</para>
<para>If <command>nmbd</command> is acting as a <emphasis>
browse master</emphasis> (see the <ulink
url="smb.conf.5.html#localmaster">local master</ulink>
parameter in the <ulink url="smb.conf.5.html"><filename>
smb.conf(5)</filename></ulink> man page), <command>nmbd</command>
url="smb.conf.5.html#LOCALMASTER">local master</ulink>
parameter in the <filename>smb.conf(5)</filename> man page,
<command>nmbd</command>
will store the browsing database in the file <filename>browse.dat
</filename> in the <filename>var/locks</filename> directory
configured under wherever Samba was configured to install itself.

2
docs/docbook/manpages/smb.conf.5.sgml
View File

@ -4951,6 +4951,7 @@
<para>NOTE: These userids never appear on the system and Samba will never
'become' these users. They are used only to ensure that the algorithmic
RID mapping does not conflict with normal users.
</para>
<para>Default: <command>non unix account range = &lt;empty string&gt;
</command></para>
@ -8236,7 +8237,6 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
<varlistentry>
<term>winbind use default domain</term>
<varlistentry>
<term><anchor id="WINBINDUSEDEFAULTDOMAIN">winbind use default domain</term>
<listitem><para>This parameter specifies whether the <ulink url="winbindd.8.html">
winbindd(8)</ulink>

210
docs/docbook/manpages/smbd.8.sgml
View File

@ -240,7 +240,8 @@
<listitem><para>If the server is to be run by the
<command>inetd</command> meta-daemon, this file
must contain suitable startup information for the
meta-daemon. See the section INSTALLATION below.
meta-daemon. See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
document for details.
</para></listitem>
</varlistentry>
@ -251,8 +252,8 @@
<para>If running the server as a daemon at startup,
this file will need to contain an appropriate startup
sequence for the server. See the section INSTALLATION
below.</para></listitem>
sequence for the server. See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
document for details.</para></listitem>
</varlistentry>
<varlistentry>
@ -261,7 +262,8 @@
meta-daemon <command>inetd</command>, this file
must contain a mapping of service name (e.g., netbios-ssn)
to service port (e.g., 139) and protocol type (e.g., tcp).
See the section INSTALLATION below.</para></listitem>
See the <ulink url="UNIX_INSTALL.html">UNIX_INSTALL.html</ulink>
document for details.</para></listitem>
</varlistentry>
<varlistentry>
@ -306,184 +308,6 @@
</variablelist>
</refsect1>
<refsect1>
<title>INSTALLATION</title>
<para>The location of the server and its support files
is a matter for individual system administrators. The following
are thus suggestions only.</para>
<para>It is recommended that the server software be installed
under the <filename>/usr/local/samba/</filename> hierarchy,
in a directory readable by all, writeable only by root. The server
program itself should be executable by all, as users may wish to
run the server themselves (in which case it will of course run
with their privileges). The server should NOT be setuid. On some
systems it may be worthwhile to make <command>smbd</command> setgid to an empty group.
This is because some systems may have a security hole where daemon
processes that become a user can be attached to with a debugger.
Making the <command>smbd</command> file setgid to an empty group may prevent
this hole from being exploited. This security hole and the suggested
fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
at the time this was written. It is possible that this hole only
exists in Linux, as testing on other systems has thus far shown them
to be immune.</para>
<para>The server log files should be put in a directory readable and
writeable only by root, as the log files may contain sensitive
information.</para>
<para>The configuration file should be placed in a directory
readable and writeable only by root, as the configuration file
controls security for the services offered by the server. The
configuration file can be made readable by all if desired, but
this is not necessary for correct operation of the server and is
not recommended. A sample configuration file <filename>smb.conf.sample
</filename> is supplied with the source to the server - this may
be renamed to <filename>smb.conf</filename> and modified to suit
your needs.</para>
<para>The remaining notes will assume the following:</para>
<itemizedlist>
<listitem><para><command>smbd</command> (the server program)
installed in <filename>/usr/local/samba/bin</filename></para>
</listitem>
<listitem><para><filename>smb.conf</filename> (the configuration
file) installed in <filename>/usr/local/samba/lib</filename></para>
</listitem>
<listitem><para>log files stored in <filename>/var/adm/smblogs
</filename></para></listitem>
</itemizedlist>
<para>The server may be run either as a daemon by users
or at startup, or it may be run from a meta-daemon such as
<command>inetd</command> upon request. If run as a daemon,
the server will always be ready, so starting sessions will be
faster. If run from a meta-daemon some memory will be saved and
utilities such as the tcpd TCP-wrapper may be used for extra
security. For serious use as file server it is recommended
that <command>smbd</command> be run as a daemon.</para>
<para>When you've decided, continue with either</para>
<itemizedlist>
<listitem><para>RUNNING THE SERVER AS A DAEMON or</para></listitem>
<listitem><para>RUNNING THE SERVER ON REQUEST.</para></listitem>
</itemizedlist>
</refsect1>
<refsect1>
<title>RUNNING THE SERVER AS A DAEMON</title>
<para>To run the server as a daemon from the command
line, simply put the <emphasis>-D</emphasis> option on the
command line. There is no need to place an ampersand at
the end of the command line - the <emphasis>-D</emphasis>
option causes the server to detach itself from the tty
anyway.</para>
<para>Any user can run the server as a daemon (execute
permissions permitting, of course). This is useful for
testing purposes, and may even be useful as a temporary
substitute for something like ftp. When run this way, however,
the server will only have the privileges of the user who ran
it.</para>
<para>To ensure that the server is run as a daemon whenever
the machine is started, and to ensure that it runs as root
so that it can serve multiple clients, you will need to modify
the system startup files. Wherever appropriate (for example, in
<filename>/etc/rc</filename>), insert the following line,
substituting port number, log file location, configuration file
location and debug level as desired:</para>
<para><command>/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log
-s /usr/local/samba/lib/smb.conf</command></para>
<para>(The above should appear in your initialization script
as a single line. Depending on your terminal characteristics,
it may not appear that way in this man page. If the above appears
as more than one line, please treat any newlines or indentation
as a single space or TAB character.)</para>
<para>If the options used at compile time are appropriate for
your system, all parameters except <emphasis>-D</emphasis> may
be omitted. See the section OPTIONS above.</para>
</refsect1>
<refsect1>
<title>RUNNING THE SERVER ON REQUEST</title>
<para>If your system uses a meta-daemon such as <command>inetd
</command>, you can arrange to have the <command>smbd</command> server started
whenever a process attempts to connect to it. This requires several
changes to the startup files on the host machine. If you are
experimenting as an ordinary user rather than as root, you will
need the assistance of your system administrator to modify the
system files.</para>
<para>You will probably want to set up the NetBIOS name server
<ulink url="nmbd.8.html"><command>nmbd</command></ulink> at
the same time as <command>smbd</command>. To do this refer to the
man page for <ulink url="nmbd.8.html"><command>nmbd(8)</command>
</ulink>.</para>
<para>First, ensure that a port is configured in the file
<filename>/etc/services</filename>. The well-known port 139
should be used if possible, though any port may be used.</para>
<para>Ensure that a line similar to the following is in
<filename>/etc/services</filename>:</para>
<para><command>netbios-ssn 139/tcp</command></para>
<para>Note for NIS/YP users - you may need to rebuild the
NIS service maps rather than alter your local <filename>/etc/services
</filename> file.</para>
<para>Next, put a suitable line in the file <filename>/etc/inetd.conf
</filename> (in the unlikely event that you are using a meta-daemon
other than inetd, you are on your own). Note that the first item
in this line matches the service name in <filename>/etc/services
</filename>. Substitute appropriate values for your system
in this line (see <command>inetd(8)</command>):</para>
<para><command>netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd
-d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf</command></para>
<para>(The above should appear in <filename>/etc/inetd.conf</filename>
as a single line. Depending on your terminal characteristics, it may
not appear that way in this man page. If the above appears as more
than one line, please treat any newlines or indentation as a single
space or TAB character.)</para>
<para>Note that there is no need to specify a port number here,
even if you are using a non-standard port number.</para>
<para>Lastly, edit the configuration file to provide suitable
services. To start with, the following two services should be
all you need:</para>
<screen>
<computeroutput>
[homes]
writeable = yes
[printers]
writeable = no
printable = yes
path = /tmp
public = yes
</computeroutput>
</screen>
<para>This will allow you to connect to your home directory
and print to any printer supported by the host (user privileges
permitting).</para>
</refsect1>
<refsect1>
<title>PAM INTERACTION</title>
@ -511,28 +335,6 @@
</itemizedlist>
</refsect1>
<refsect1>
<title>TESTING THE INSTALLATION</title>
<para>If running the server as a daemon, execute it before
proceeding. If using a meta-daemon, either restart the system
or kill and restart the meta-daemon. Some versions of
<command>inetd</command> will reread their configuration
tables if they receive a HUP signal.</para>
<para>If your machine's name is <replaceable>fred</replaceable> and your
name is <replaceable>mary</replaceable>, you should now be able to connect
to the service <filename>\\fred\mary</filename>.
</para>
<para>To properly test and experiment with the server, we
recommend using the <command>smbclient</command> program (see
<ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>)
and also going through the steps outlined in the file
<filename>DIAGNOSIS.txt</filename> in the <filename>docs/</filename>
directory of your Samba installation.</para>
</refsect1>
<refsect1>
<title>VERSION</title>

60
docs/htmldocs/nmbd.8.html
View File

@ -399,7 +399,12 @@ CLASS="COMMAND"
>inetd</B
> meta-daemon, this file
must contain suitable startup information for the
meta-daemon. See the section INSTALLATION below.
meta-daemon. See the <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
> document
for details.
</P
></DD
><DT
@ -414,8 +419,12 @@ CLASS="FILENAME"
><P
>If running the server as a daemon at startup,
this file will need to contain an appropriate startup
sequence for the server. See the section INSTALLATION
below.</P
sequence for the server. See the <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
> document
for details.</P
></DD
><DT
><TT
@ -431,7 +440,12 @@ CLASS="COMMAND"
>, this file
must contain a mapping of service name (e.g., netbios-ssn)
to service port (e.g., 139) and protocol type (e.g., tcp).
See the section INSTALLATION below.</P
See the <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
>
document for details.</P
></DD
><DT
><TT
@ -461,21 +475,18 @@ CLASS="FILENAME"
><P
>When run as a WINS server (see the
<A
HREF="smb.conf.5.html#winssupport"
HREF="smb.conf.5.html#WINSSUPPORT"
TARGET="_top"
>wins support</A
>
parameter in the <A
HREF="smb.conf.5.html"
TARGET="_top"
><TT
parameter in the <TT
CLASS="FILENAME"
> smb.conf(5)</TT
></A
> man page), <B
>smb.conf(5)</TT
> man page),
<B
CLASS="COMMAND"
>nmbd</B
>
>
will store the WINS database in the file <TT
CLASS="FILENAME"
>wins.dat</TT
@ -492,21 +503,18 @@ CLASS="COMMAND"
> is acting as a <EM
> browse master</EM
> (see the <A
HREF="smb.conf.5.html#localmaster"
HREF="smb.conf.5.html#LOCALMASTER"
TARGET="_top"
>local master</A
>
parameter in the <A
HREF="smb.conf.5.html"
TARGET="_top"
><TT
parameter in the <TT
CLASS="FILENAME"
> smb.conf(5)</TT
></A
> man page), <B
>smb.conf(5)</TT
> man page,
<B
CLASS="COMMAND"
>nmbd</B
>
>
will store the browsing database in the file <TT
CLASS="FILENAME"
>browse.dat
@ -524,7 +532,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN176"
NAME="AEN177"
></A
><H2
>SIGNALS</H2
@ -585,7 +593,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN192"
NAME="AEN193"
></A
><H2
>VERSION</H2
@ -596,7 +604,7 @@ NAME="AEN192"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN195"
NAME="AEN196"
></A
><H2
>SEE ALSO</H2
@ -661,7 +669,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN212"
NAME="AEN213"
></A
><H2
>AUTHOR</H2

212
docs/htmldocs/smb.conf.5.html
View File

@ -957,6 +957,18 @@ CLASS="PARAMETER"
><LI
><P
><A
HREF="#AUTHMETHODS"
><TT
CLASS="PARAMETER"
><I
>auth methods</I
></TT
></A
></P
></LI
><LI
><P
><A
HREF="#AUTOSERVICES"
><TT
CLASS="PARAMETER"
@ -1953,11 +1965,11 @@ CLASS="PARAMETER"
><LI
><P
><A
HREF="#NTPIPESUPPORT"
HREF="#NONUNIXACCOUNTRANGE"
><TT
CLASS="PARAMETER"
><I
>nt pipe support</I
>non unix account range</I
></TT
></A
></P
@ -1965,11 +1977,11 @@ CLASS="PARAMETER"
><LI
><P
><A
HREF="#NTSMBSUPPORT"
HREF="#NTPIPESUPPORT"
><TT
CLASS="PARAMETER"
><I
>nt smb support</I
>nt pipe support</I
></TT
></A
></P
@ -2061,6 +2073,18 @@ CLASS="PARAMETER"
><LI
><P
><A
HREF="#PASSDBBACKEND"
><TT
CLASS="PARAMETER"
><I
>passdb backend</I
></TT
></A
></P
></LI
><LI
><P
><A
HREF="#PASSWDCHAT"
><TT
CLASS="PARAMETER"
@ -2925,6 +2949,18 @@ CLASS="PARAMETER"
><LI
><P
><A
HREF="#WINBINDUSEDEFAULTDOMAIN"
><TT
CLASS="PARAMETER"
><I
>winbind use default domain</I
></TT
></A
></P
></LI
><LI
><P
><A
HREF="#WINSHOOK"
><TT
CLASS="PARAMETER"
@ -2999,7 +3035,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN970"
NAME="AEN982"
></A
><H2
>COMPLETE LIST OF SERVICE PARAMETERS</H2
@ -4430,7 +4466,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1446"
NAME="AEN1458"
></A
><H2
>EXPLANATION OF EACH PARAMETER</H2
@ -5127,6 +5163,43 @@ CLASS="PARAMETER"
></DD
><DT
><A
NAME="AUTHMETHODS"
></A
>auth methods (G)</DT
><DD
><P
>This option allows the administrator to chose what
authentication methods <B
CLASS="COMMAND"
>smbd</B
> will use when authenticating
a user. This option defaults to sensible values based on <A
HREF="#SECURITY"
><TT
CLASS="PARAMETER"
><I
> security</I
></TT
></A
>.
Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
</P
><P
>Default: <B
CLASS="COMMAND"
>auth methods = &#60;empty string&#62;</B
></P
><P
>Example: <B
CLASS="COMMAND"
>auth methods = guest sam ntdomain</B
></P
></DD
><DT
><A
NAME="AVAILABLE"
></A
>available (S)</DT
@ -7925,7 +7998,7 @@ CLASS="COMMAND"
> program for information on how to set up
and maintain this file), or set the <A
HREF="#SECURITY"
>security = [server|domain]</A
>security = [server|domain|ads]</A
> parameter which
causes <B
CLASS="COMMAND"
@ -12576,6 +12649,37 @@ CLASS="COMMAND"
></DD
><DT
><A
NAME="NONUNIXACCOUNTRANGE"
></A
>non unix account range (G)</DT
><DD
><P
>The non unix account range parameter specifies
the range of 'user ids' that are allocated by the various 'non unix
account' passdb backends. These backends allow
the storage of passwords for users who don't exist in /etc/passwd.
This is most often used for machine account creation.
This range of ids should have no existing local or NIS users within
it as strange conflicts can occur otherwise.</P
><P
>NOTE: These userids never appear on the system and Samba will never
'become' these users. They are used only to ensure that the algorithmic
RID mapping does not conflict with normal users.
</P
><P
>Default: <B
CLASS="COMMAND"
>non unix account range = &#60;empty string&#62;
</B
></P
><P
>Example: <B
CLASS="COMMAND"
>non unix account range = 10000-20000</B
></P
></DD
><DT
><A
NAME="NTACLSUPPORT"
></A
>nt acl support (S)</DT
@ -12623,40 +12727,6 @@ CLASS="COMMAND"
></DD
><DT
><A
NAME="NTSMBSUPPORT"
></A
>nt smb support (G)</DT
><DD
><P
>This boolean parameter controls whether <A
HREF="smbd.8.html"
TARGET="_top"
>smbd(8)</A
> will negotiate NT specific SMB
support with Windows NT clients. Although this is a developer
debugging option and should be left alone, benchmarking has discovered
that Windows NT clients give faster performance with this option
set to <TT
CLASS="CONSTANT"
>no</TT
>. This is still being investigated.
If this option is set to <TT
CLASS="CONSTANT"
>no</TT
> then Samba offers
exactly the same SMB calls that versions prior to Samba 2.0 offered.
This information may be of use if any users are having problems
with NT SMB support.</P
><P
>You should not need to ever disable this parameter.</P
><P
>Default: <B
CLASS="COMMAND"
>nt smb support = yes</B
></P
></DD
><DT
><A
NAME="NULLPASSWORDS"
></A
>null passwords (G)</DT
@ -13077,6 +13147,30 @@ CLASS="COMMAND"
></DD
><DT
><A
NAME="PASSDBBACKEND"
></A
>passdb backend (G)</DT
><DD
><P
>This option allows the administrator to chose what
backend in which to store passwords. This allows (for example) both
smbpasswd and tdbsam to be used without a recompile. Only one can
be used at a time however, and experimental backends must still be selected
(eg --with-tdbsam) at configure time.
</P
><P
>Default: <B
CLASS="COMMAND"
>passdb backend = smbpasswd</B
></P
><P
>Example: <B
CLASS="COMMAND"
>passdb backend = tdbsam</B
></P
></DD
><DT
><A
NAME="PASSWDCHAT"
></A
>passwd chat (G)</DT
@ -18825,6 +18919,34 @@ CLASS="COMMAND"
></P
></DD
><DT
>winbind use default domain, <A
NAME="WINBINDUSEDEFAULTDOMAIN"
></A
>winbind use default domain</DT
><DD
><P
>This parameter specifies whether the <A
HREF="winbindd.8.html"
TARGET="_top"
> winbindd(8)</A
>
daemon should operate on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd server's
own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
function in a way much closer to the way they would in a native unix system.</P
><P
>Default: <B
CLASS="COMMAND"
>winbind use default domain = &#60;falseg&#62;
</B
></P
><P
>Example: <B
CLASS="COMMAND"
>winbind use default domain = true</B
></P
></DD
><DT
><A
NAME="WINSHOOK"
></A
@ -19193,7 +19315,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6054"
NAME="AEN6097"
></A
><H2
>WARNINGS</H2
@ -19223,7 +19345,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6060"
NAME="AEN6103"
></A
><H2
>VERSION</H2
@ -19234,7 +19356,7 @@ NAME="AEN6060"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6063"
NAME="AEN6106"
></A
><H2
>SEE ALSO</H2
@ -19313,7 +19435,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6083"
NAME="AEN6126"
></A
><H2
>AUTHOR</H2

409
docs/htmldocs/smbd.8.html
View File

@ -376,7 +376,12 @@ CLASS="COMMAND"
>inetd</B
> meta-daemon, this file
must contain suitable startup information for the
meta-daemon. See the section INSTALLATION below.
meta-daemon. See the <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
>
document for details.
</P
></DD
><DT
@ -391,8 +396,12 @@ CLASS="FILENAME"
><P
>If running the server as a daemon at startup,
this file will need to contain an appropriate startup
sequence for the server. See the section INSTALLATION
below.</P
sequence for the server. See the <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
>
document for details.</P
></DD
><DT
><TT
@ -408,7 +417,12 @@ CLASS="COMMAND"
>, this file
must contain a mapping of service name (e.g., netbios-ssn)
to service port (e.g., 139) and protocol type (e.g., tcp).
See the section INSTALLATION below.</P
See the <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
>
document for details.</P
></DD
><DT
><TT
@ -452,7 +466,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN153"
NAME="AEN156"
></A
><H2
>LIMITATIONS</H2
@ -471,7 +485,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN157"
NAME="AEN160"
></A
><H2
>ENVIRONMENT VARIABLES</H2
@ -502,320 +516,7 @@ CLASS="CONSTANT"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN166"
></A
><H2
>INSTALLATION</H2
><P
>The location of the server and its support files
is a matter for individual system administrators. The following
are thus suggestions only.</P
><P
>It is recommended that the server software be installed
under the <TT
CLASS="FILENAME"
>/usr/local/samba/</TT
> hierarchy,
in a directory readable by all, writeable only by root. The server
program itself should be executable by all, as users may wish to
run the server themselves (in which case it will of course run
with their privileges). The server should NOT be setuid. On some
systems it may be worthwhile to make <B
CLASS="COMMAND"
>smbd</B
> setgid to an empty group.
This is because some systems may have a security hole where daemon
processes that become a user can be attached to with a debugger.
Making the <B
CLASS="COMMAND"
>smbd</B
> file setgid to an empty group may prevent
this hole from being exploited. This security hole and the suggested
fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
at the time this was written. It is possible that this hole only
exists in Linux, as testing on other systems has thus far shown them
to be immune.</P
><P
>The server log files should be put in a directory readable and
writeable only by root, as the log files may contain sensitive
information.</P
><P
>The configuration file should be placed in a directory
readable and writeable only by root, as the configuration file
controls security for the services offered by the server. The
configuration file can be made readable by all if desired, but
this is not necessary for correct operation of the server and is
not recommended. A sample configuration file <TT
CLASS="FILENAME"
>smb.conf.sample
</TT
> is supplied with the source to the server - this may
be renamed to <TT
CLASS="FILENAME"
>smb.conf</TT
> and modified to suit
your needs.</P
><P
>The remaining notes will assume the following:</P
><P
></P
><UL
><LI
><P
><B
CLASS="COMMAND"
>smbd</B
> (the server program)
installed in <TT
CLASS="FILENAME"
>/usr/local/samba/bin</TT
></P
></LI
><LI
><P
><TT
CLASS="FILENAME"
>smb.conf</TT
> (the configuration
file) installed in <TT
CLASS="FILENAME"
>/usr/local/samba/lib</TT
></P
></LI
><LI
><P
>log files stored in <TT
CLASS="FILENAME"
>/var/adm/smblogs
</TT
></P
></LI
></UL
><P
>The server may be run either as a daemon by users
or at startup, or it may be run from a meta-daemon such as
<B
CLASS="COMMAND"
>inetd</B
> upon request. If run as a daemon,
the server will always be ready, so starting sessions will be
faster. If run from a meta-daemon some memory will be saved and
utilities such as the tcpd TCP-wrapper may be used for extra
security. For serious use as file server it is recommended
that <B
CLASS="COMMAND"
>smbd</B
> be run as a daemon.</P
><P
>When you've decided, continue with either</P
><P
></P
><UL
><LI
><P
>RUNNING THE SERVER AS A DAEMON or</P
></LI
><LI
><P
>RUNNING THE SERVER ON REQUEST.</P
></LI
></UL
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN199"
></A
><H2
>RUNNING THE SERVER AS A DAEMON</H2
><P
>To run the server as a daemon from the command
line, simply put the <EM
>-D</EM
> option on the
command line. There is no need to place an ampersand at
the end of the command line - the <EM
>-D</EM
>
option causes the server to detach itself from the tty
anyway.</P
><P
>Any user can run the server as a daemon (execute
permissions permitting, of course). This is useful for
testing purposes, and may even be useful as a temporary
substitute for something like ftp. When run this way, however,
the server will only have the privileges of the user who ran
it.</P
><P
>To ensure that the server is run as a daemon whenever
the machine is started, and to ensure that it runs as root
so that it can serve multiple clients, you will need to modify
the system startup files. Wherever appropriate (for example, in
<TT
CLASS="FILENAME"
>/etc/rc</TT
>), insert the following line,
substituting port number, log file location, configuration file
location and debug level as desired:</P
><P
><B
CLASS="COMMAND"
>/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log
-s /usr/local/samba/lib/smb.conf</B
></P
><P
>(The above should appear in your initialization script
as a single line. Depending on your terminal characteristics,
it may not appear that way in this man page. If the above appears
as more than one line, please treat any newlines or indentation
as a single space or TAB character.)</P
><P
>If the options used at compile time are appropriate for
your system, all parameters except <EM
>-D</EM
> may
be omitted. See the section OPTIONS above.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN212"
></A
><H2
>RUNNING THE SERVER ON REQUEST</H2
><P
>If your system uses a meta-daemon such as <B
CLASS="COMMAND"
>inetd
</B
>, you can arrange to have the <B
CLASS="COMMAND"
>smbd</B
> server started
whenever a process attempts to connect to it. This requires several
changes to the startup files on the host machine. If you are
experimenting as an ordinary user rather than as root, you will
need the assistance of your system administrator to modify the
system files.</P
><P
>You will probably want to set up the NetBIOS name server
<A
HREF="nmbd.8.html"
TARGET="_top"
><B
CLASS="COMMAND"
>nmbd</B
></A
> at
the same time as <B
CLASS="COMMAND"
>smbd</B
>. To do this refer to the
man page for <A
HREF="nmbd.8.html"
TARGET="_top"
><B
CLASS="COMMAND"
>nmbd(8)</B
>
</A
>.</P
><P
>First, ensure that a port is configured in the file
<TT
CLASS="FILENAME"
>/etc/services</TT
>. The well-known port 139
should be used if possible, though any port may be used.</P
><P
>Ensure that a line similar to the following is in
<TT
CLASS="FILENAME"
>/etc/services</TT
>:</P
><P
><B
CLASS="COMMAND"
>netbios-ssn 139/tcp</B
></P
><P
>Note for NIS/YP users - you may need to rebuild the
NIS service maps rather than alter your local <TT
CLASS="FILENAME"
>/etc/services
</TT
> file.</P
><P
>Next, put a suitable line in the file <TT
CLASS="FILENAME"
>/etc/inetd.conf
</TT
> (in the unlikely event that you are using a meta-daemon
other than inetd, you are on your own). Note that the first item
in this line matches the service name in <TT
CLASS="FILENAME"
>/etc/services
</TT
>. Substitute appropriate values for your system
in this line (see <B
CLASS="COMMAND"
>inetd(8)</B
>):</P
><P
><B
CLASS="COMMAND"
>netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd
-d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf</B
></P
><P
>(The above should appear in <TT
CLASS="FILENAME"
>/etc/inetd.conf</TT
>
as a single line. Depending on your terminal characteristics, it may
not appear that way in this man page. If the above appears as more
than one line, please treat any newlines or indentation as a single
space or TAB character.)</P
><P
>Note that there is no need to specify a port number here,
even if you are using a non-standard port number.</P
><P
>Lastly, edit the configuration file to provide suitable
services. To start with, the following two services should be
all you need:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
> <TT
CLASS="COMPUTEROUTPUT"
> [homes]
writeable = yes
[printers]
writeable = no
printable = yes
path = /tmp
public = yes
</TT
>
</PRE
></TD
></TR
></TABLE
><P
>This will allow you to connect to your home directory
and print to any printer supported by the host (user privileges
permitting).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN244"
NAME="AEN169"
></A
><H2
>PAM INTERACTION</H2
@ -860,65 +561,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN255"
></A
><H2
>TESTING THE INSTALLATION</H2
><P
>If running the server as a daemon, execute it before
proceeding. If using a meta-daemon, either restart the system
or kill and restart the meta-daemon. Some versions of
<B
CLASS="COMMAND"
>inetd</B
> will reread their configuration
tables if they receive a HUP signal.</P
><P
>If your machine's name is <TT
CLASS="REPLACEABLE"
><I
>fred</I
></TT
> and your
name is <TT
CLASS="REPLACEABLE"
><I
>mary</I
></TT
>, you should now be able to connect
to the service <TT
CLASS="FILENAME"
>\\fred\mary</TT
>.
</P
><P
>To properly test and experiment with the server, we
recommend using the <B
CLASS="COMMAND"
>smbclient</B
> program (see
<A
HREF="smbclient.1.html"
TARGET="_top"
><B
CLASS="COMMAND"
>smbclient(1)</B
></A
>)
and also going through the steps outlined in the file
<TT
CLASS="FILENAME"
>DIAGNOSIS.txt</TT
> in the <TT
CLASS="FILENAME"
>docs/</TT
>
directory of your Samba installation.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN269"
NAME="AEN180"
></A
><H2
>VERSION</H2
@ -929,7 +572,7 @@ NAME="AEN269"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN272"
NAME="AEN183"
></A
><H2
>DIAGNOSTICS</H2
@ -952,7 +595,7 @@ NAME="AEN272"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN277"
NAME="AEN188"
></A
><H2
>SIGNALS</H2
@ -1017,7 +660,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN294"
NAME="AEN205"
></A
><H2
>SEE ALSO</H2
@ -1083,7 +726,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN311"
NAME="AEN222"
></A
><H2
>AUTHOR</H2

93
docs/htmldocs/smbpasswd.8.html
View File

@ -128,12 +128,13 @@ CLASS="VARIABLELIST"
new password typed (type &#60;Enter&#62; for the old password). This
option is ignored if the username following already exists in
the smbpasswd file and it is treated like a regular change
password command. Note that the user to be added must already exist
in the system password file (usually <TT
password command. Note that the default passdb backends require
the user to already exist in the system password file (usually
<TT
CLASS="FILENAME"
>/etc/passwd</TT
>)
else the request to add the user will fail. </P
>), else the request to add the
user will fail. </P
><P
>This option is only available when running smbpasswd
as root. </P
@ -168,8 +169,7 @@ CLASS="CONSTANT"
><P
>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the user's password entry to write
this information and so the user is disabled by writing 'X' characters
into the password space in the smbpasswd file. See <B
this information and the command will FAIL. See <B
CLASS="COMMAND"
>smbpasswd(5)
</B
@ -195,15 +195,8 @@ CLASS="CONSTANT"
>If the smbpasswd file is in the 'old' format, then <B
CLASS="COMMAND"
> smbpasswd</B
> will prompt for a new password for this user,
otherwise the account will be enabled by removing the <TT
CLASS="CONSTANT"
>'D'
</TT
> flag from account control space in the <TT
CLASS="FILENAME"
> smbpasswd</TT
> file. See <B
> will FAIL to enable the account.
See <B
CLASS="COMMAND"
>smbpasswd (5)</B
> for
@ -410,66 +403,6 @@ CLASS="FILENAME"
</P
></DD
><DT
>-j DOMAIN</DT
><DD
><P
>This option is used to add a Samba server
into a Windows NT Domain, as a Domain member capable of authenticating
user accounts to any Domain Controller in the same way as a Windows
NT Server. See the <B
CLASS="COMMAND"
>security = domain</B
> option in
the <TT
CLASS="FILENAME"
>smb.conf(5)</TT
> man page. </P
><P
>In order to be used in this way, the Administrator for
the Windows NT Domain must have used the program "Server Manager
for Domains" to add the primary NetBIOS name of the Samba server
as a member of the Domain. </P
><P
>After this has been done, to join the Domain invoke <B
CLASS="COMMAND"
> smbpasswd</B
> with this parameter. smbpasswd will then
look up the Primary Domain Controller for the Domain (found in
the <TT
CLASS="FILENAME"
>smb.conf</TT
> file in the parameter
<TT
CLASS="PARAMETER"
><I
>password server</I
></TT
> and change the machine account
password used to create the secure Domain communication. This
password is then stored by smbpasswd in a TDB, writeable only by root,
called <TT
CLASS="FILENAME"
>secrets.tdb</TT
> </P
><P
>Once this operation has been performed the <TT
CLASS="FILENAME"
> smb.conf</TT
> file may be updated to set the <B
CLASS="COMMAND"
> security = domain</B
> option and all future logins
to the Samba server will be authenticated to the Windows NT
PDC. </P
><P
>Note that even though the authentication is being
done to the PDC all users accessing the Samba server must still
have a valid UNIX account on that machine. </P
><P
>This option is only available when running smbpasswd as root.
</P
></DD
><DT
>-U username</DT
><DD
><P
@ -570,7 +503,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN182"
NAME="AEN163"
></A
><H2
>NOTES</H2
@ -613,18 +546,18 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN192"
NAME="AEN173"
></A
><H2
>VERSION</H2
><P
>This man page is correct for version 2.2 of
>This man page is correct for version 3.0 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN195"
NAME="AEN176"
></A
><H2
>SEE ALSO</H2
@ -647,7 +580,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN201"
NAME="AEN182"
></A
><H2
>AUTHOR</H2

38
docs/htmldocs/winbindd.8.html
View File

@ -502,13 +502,37 @@ CLASS="COMMAND"
>
</P
></DD
><DT
>winbind use default domain</DT
><DD
><P
>This parameter specifies whether the <B
CLASS="COMMAND"
>winbindd</B
>
daemon should operate on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd server's
own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
function in a way much closer to the way they would in a native unix system.</P
><P
>Default: <B
CLASS="COMMAND"
>winbind use default domain = &#60;falseg&#62;
</B
></P
><P
>Example: <B
CLASS="COMMAND"
>winbind use default domain = true</B
></P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN149"
NAME="AEN158"
></A
><H2
>EXAMPLE SETUP</H2
@ -686,7 +710,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN188"
NAME="AEN197"
></A
><H2
>NOTES</H2
@ -744,7 +768,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN204"
NAME="AEN213"
></A
><H2
>SIGNALS</H2
@ -795,7 +819,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN221"
NAME="AEN230"
></A
><H2
>FILES</H2
@ -871,7 +895,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN250"
NAME="AEN259"
></A
><H2
>VERSION</H2
@ -882,7 +906,7 @@ NAME="AEN250"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN253"
NAME="AEN262"
></A
><H2
>SEE ALSO</H2
@ -910,7 +934,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN260"
NAME="AEN269"
></A
><H2
>AUTHOR</H2

18
docs/manpages/nmbd.8
View File

@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "NMBD" "8" "04 January 2002" "" ""
.TH "NMBD" "8" "24 January 2002" "" ""
.SH NAME
nmbd \- NetBIOS name server to provide NetBIOS over IP naming services to clients
.SH SYNOPSIS
@ -161,7 +161,8 @@ required by the server. See
If the server is to be run by the
\fBinetd\fR meta-daemon, this file
must contain suitable startup information for the
meta-daemon. See the section INSTALLATION below.
meta-daemon. See the UNIX_INSTALL.htmldocument
for details.
.TP
\fB\fI/etc/rc\fB\fR
or whatever initialization script your
@ -169,15 +170,16 @@ system uses).
If running the server as a daemon at startup,
this file will need to contain an appropriate startup
sequence for the server. See the section INSTALLATION
below.
sequence for the server. See the UNIX_INSTALL.htmldocument
for details.
.TP
\fB\fI/etc/services\fB\fR
If running the server via the
meta-daemon \fBinetd\fR, this file
must contain a mapping of service name (e.g., netbios-ssn)
to service port (e.g., 139) and protocol type (e.g., tcp).
See the section INSTALLATION below.
See the UNIX_INSTALL.html
document for details.
.TP
\fB\fI/usr/local/samba/lib/smb.conf\fB\fR
This is the default location of the
@ -188,13 +190,15 @@ and \fI/etc/smb.conf\fR.
When run as a WINS server (see the
wins support
parameter in the \fI smb.conf(5)\fRman page), \fBnmbd\fR
parameter in the \fIsmb.conf(5)\fR man page),
\fBnmbd\fR
will store the WINS database in the file \fIwins.dat\fR
in the \fIvar/locks\fR directory configured under
wherever Samba was configured to install itself.
If \fBnmbd\fR is acting as a \fB browse master\fR (see the local master
parameter in the \fI smb.conf(5)\fRman page), \fBnmbd\fR
parameter in the \fIsmb.conf(5)\fR man page,
\fBnmbd\fR
will store the browsing database in the file \fIbrowse.dat
\fRin the \fIvar/locks\fR directory
configured under wherever Samba was configured to install itself.

85
docs/manpages/smb.conf.5
View File

@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMB.CONF" "5" "04 January 2002" "" ""
.TH "SMB.CONF" "5" "24 January 2002" "" ""
.SH NAME
smb.conf \- The configuration file for the Samba suite
.SH "SYNOPSIS"
@ -527,6 +527,9 @@ each parameter for details. Note that some are synonyms.
\fIannounce version\fR
.TP 0.2i
\(bu
\fIauth methods\fR
.TP 0.2i
\(bu
\fIauto services\fR
.TP 0.2i
\(bu
@ -776,10 +779,10 @@ each parameter for details. Note that some are synonyms.
\fInis homedir\fR
.TP 0.2i
\(bu
\fInt pipe support\fR
\fInon unix account range\fR
.TP 0.2i
\(bu
\fInt smb support\fR
\fInt pipe support\fR
.TP 0.2i
\(bu
\fInull passwords\fR
@ -803,6 +806,9 @@ each parameter for details. Note that some are synonyms.
\fIpanic action\fR
.TP 0.2i
\(bu
\fIpassdb backend\fR
.TP 0.2i
\(bu
\fIpasswd chat\fR
.TP 0.2i
\(bu
@ -1019,6 +1025,9 @@ each parameter for details. Note that some are synonyms.
\fIwinbind uid\fR
.TP 0.2i
\(bu
\fIwinbind use default domain\fR
.TP 0.2i
\(bu
\fIwins hook\fR
.TP 0.2i
\(bu
@ -1639,6 +1648,18 @@ Example: \fBannounce version = 2.0\fR
\fBauto services (G)\fR
This is a synonym for the \fIpreload\fR.
.TP
\fBauth methods (G)\fR
This option allows the administrator to chose what
authentication methods \fBsmbd\fR will use when authenticating
a user. This option defaults to sensible values based on \fI security\fR.
Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
Default: \fBauth methods = <empty string>\fR
Example: \fBauth methods = guest sam ntdomain\fR
.TP
\fBavailable (S)\fR
This parameter lets you "turn off" a service. If
\fIavailable = no\fR, then \fBALL\fR
@ -2678,7 +2699,7 @@ In order for encrypted passwords to work correctly
\fBsmbd(8)\fRmust either
have access to a local \fIsmbpasswd(5)
\fRprogram for information on how to set up
and maintain this file), or set the security = [server|domain] parameter which
and maintain this file), or set the security = [server|domain|ads] parameter which
causes \fBsmbd\fR to authenticate against another
server.
@ -4596,6 +4617,23 @@ be a logon server.
Default: \fBnis homedir = no\fR
.TP
\fBnon unix account range (G)\fR
The non unix account range parameter specifies
the range of 'user ids' that are allocated by the various 'non unix
account' passdb backends. These backends allow
the storage of passwords for users who don't exist in /etc/passwd.
This is most often used for machine account creation.
This range of ids should have no existing local or NIS users within
it as strange conflicts can occur otherwise.
NOTE: These userids never appear on the system and Samba will never
\&'become' these users. They are used only to ensure that the algorithmic
RID mapping does not conflict with normal users.
Default: \fBnon unix account range = <empty string>
\fR
Example: \fBnon unix account range = 10000-20000\fR
.TP
\fBnt acl support (S)\fR
This boolean parameter controls whether
smbd(8)will attempt to map
@ -4614,21 +4652,6 @@ alone.
Default: \fBnt pipe support = yes\fR
.TP
\fBnt smb support (G)\fR
This boolean parameter controls whether smbd(8)will negotiate NT specific SMB
support with Windows NT clients. Although this is a developer
debugging option and should be left alone, benchmarking has discovered
that Windows NT clients give faster performance with this option
set to no. This is still being investigated.
If this option is set to no then Samba offers
exactly the same SMB calls that versions prior to Samba 2.0 offered.
This information may be of use if any users are having problems
with NT SMB support.
You should not need to ever disable this parameter.
Default: \fBnt smb support = yes\fR
.TP
\fBnull passwords (G)\fR
Allow or disallow client access to accounts
that have null passwords.
@ -4788,6 +4811,17 @@ Default: \fBpanic action = <empty string>\fR
Example: \fBpanic action = "/bin/sleep 90000"\fR
.TP
\fBpassdb backend (G)\fR
This option allows the administrator to chose what
backend in which to store passwords. This allows (for example) both
smbpasswd and tdbsam to be used without a recompile. Only one can
be used at a time however, and experimental backends must still be selected
(eg --with-tdbsam) at configure time.
Default: \fBpassdb backend = smbpasswd\fR
Example: \fBpassdb backend = tdbsam\fR
.TP
\fBpasswd chat (G)\fR
This string controls the \fB"chat"\fR
conversation that takes places between smbdand the local password changing
@ -7165,6 +7199,19 @@ Default: \fBwinbind uid = <empty string>
\fR
Example: \fBwinbind uid = 10000-20000\fR
.TP
\fBwinbind use default domain\fR
.TP
\fBwinbind use default domain\fR
This parameter specifies whether the winbindd(8)
daemon should operate on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd server's
own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
function in a way much closer to the way they would in a native unix system.
Default: \fBwinbind use default domain = <falseg>
\fR
Example: \fBwinbind use default domain = true\fR
.TP
\fBwins hook (G)\fR
When Samba is running as a WINS server this
allows you to call an external program for all changes to the

202
docs/manpages/smbd.8
View File

@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMBD" "8" "04 January 2002" "" ""
.TH "SMBD" "8" "24 January 2002" "" ""
.SH NAME
smbd \- server to provide SMB/CIFS services to clients
.SH SYNOPSIS
@ -172,7 +172,8 @@ compile time.
If the server is to be run by the
\fBinetd\fR meta-daemon, this file
must contain suitable startup information for the
meta-daemon. See the section INSTALLATION below.
meta-daemon. See the UNIX_INSTALL.html
document for details.
.TP
\fB\fI/etc/rc\fB\fR
or whatever initialization script your
@ -180,15 +181,16 @@ system uses).
If running the server as a daemon at startup,
this file will need to contain an appropriate startup
sequence for the server. See the section INSTALLATION
below.
sequence for the server. See the UNIX_INSTALL.html
document for details.
.TP
\fB\fI/etc/services\fB\fR
If running the server via the
meta-daemon \fBinetd\fR, this file
must contain a mapping of service name (e.g., netbios-ssn)
to service port (e.g., 139) and protocol type (e.g., tcp).
See the section INSTALLATION below.
See the UNIX_INSTALL.html
document for details.
.TP
\fB\fI/usr/local/samba/lib/smb.conf\fB\fR
This is the default location of the
@ -216,178 +218,6 @@ printable services, most systems will use the value of
this variable (or lp if this variable is
not defined) as the name of the printer to use. This
is not specific to the server, however.
.SH "INSTALLATION"
.PP
The location of the server and its support files
is a matter for individual system administrators. The following
are thus suggestions only.
.PP
It is recommended that the server software be installed
under the \fI/usr/local/samba/\fR hierarchy,
in a directory readable by all, writeable only by root. The server
program itself should be executable by all, as users may wish to
run the server themselves (in which case it will of course run
with their privileges). The server should NOT be setuid. On some
systems it may be worthwhile to make \fBsmbd\fR setgid to an empty group.
This is because some systems may have a security hole where daemon
processes that become a user can be attached to with a debugger.
Making the \fBsmbd\fR file setgid to an empty group may prevent
this hole from being exploited. This security hole and the suggested
fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
at the time this was written. It is possible that this hole only
exists in Linux, as testing on other systems has thus far shown them
to be immune.
.PP
The server log files should be put in a directory readable and
writeable only by root, as the log files may contain sensitive
information.
.PP
The configuration file should be placed in a directory
readable and writeable only by root, as the configuration file
controls security for the services offered by the server. The
configuration file can be made readable by all if desired, but
this is not necessary for correct operation of the server and is
not recommended. A sample configuration file \fIsmb.conf.sample
\fRis supplied with the source to the server - this may
be renamed to \fIsmb.conf\fR and modified to suit
your needs.
.PP
The remaining notes will assume the following:
.TP 0.2i
\(bu
\fBsmbd\fR (the server program)
installed in \fI/usr/local/samba/bin\fR
.TP 0.2i
\(bu
\fIsmb.conf\fR (the configuration
file) installed in \fI/usr/local/samba/lib\fR
.TP 0.2i
\(bu
log files stored in \fI/var/adm/smblogs
\fR.PP
The server may be run either as a daemon by users
or at startup, or it may be run from a meta-daemon such as
\fBinetd\fR upon request. If run as a daemon,
the server will always be ready, so starting sessions will be
faster. If run from a meta-daemon some memory will be saved and
utilities such as the tcpd TCP-wrapper may be used for extra
security. For serious use as file server it is recommended
that \fBsmbd\fR be run as a daemon.
.PP
.PP
When you've decided, continue with either
.PP
.TP 0.2i
\(bu
RUNNING THE SERVER AS A DAEMON or
.TP 0.2i
\(bu
RUNNING THE SERVER ON REQUEST.
.SH "RUNNING THE SERVER AS A DAEMON"
.PP
To run the server as a daemon from the command
line, simply put the \fB-D\fR option on the
command line. There is no need to place an ampersand at
the end of the command line - the \fB-D\fR
option causes the server to detach itself from the tty
anyway.
.PP
Any user can run the server as a daemon (execute
permissions permitting, of course). This is useful for
testing purposes, and may even be useful as a temporary
substitute for something like ftp. When run this way, however,
the server will only have the privileges of the user who ran
it.
.PP
To ensure that the server is run as a daemon whenever
the machine is started, and to ensure that it runs as root
so that it can serve multiple clients, you will need to modify
the system startup files. Wherever appropriate (for example, in
\fI/etc/rc\fR), insert the following line,
substituting port number, log file location, configuration file
location and debug level as desired:
.PP
\fB/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log
-s /usr/local/samba/lib/smb.conf\fR
.PP
(The above should appear in your initialization script
as a single line. Depending on your terminal characteristics,
it may not appear that way in this man page. If the above appears
as more than one line, please treat any newlines or indentation
as a single space or TAB character.)
.PP
If the options used at compile time are appropriate for
your system, all parameters except \fB-D\fR may
be omitted. See the section OPTIONS above.
.SH "RUNNING THE SERVER ON REQUEST"
.PP
If your system uses a meta-daemon such as \fBinetd
\fR, you can arrange to have the \fBsmbd\fR server started
whenever a process attempts to connect to it. This requires several
changes to the startup files on the host machine. If you are
experimenting as an ordinary user rather than as root, you will
need the assistance of your system administrator to modify the
system files.
.PP
You will probably want to set up the NetBIOS name server
\fBnmbd\fRat
the same time as \fBsmbd\fR. To do this refer to the
man page for \fBnmbd(8)\fR
.
.PP
First, ensure that a port is configured in the file
\fI/etc/services\fR. The well-known port 139
should be used if possible, though any port may be used.
.PP
Ensure that a line similar to the following is in
\fI/etc/services\fR:
.PP
\fBnetbios-ssn 139/tcp\fR
.PP
Note for NIS/YP users - you may need to rebuild the
NIS service maps rather than alter your local \fI/etc/services
\fRfile.
.PP
Next, put a suitable line in the file \fI/etc/inetd.conf
\fR(in the unlikely event that you are using a meta-daemon
other than inetd, you are on your own). Note that the first item
in this line matches the service name in \fI/etc/services
\fR\&. Substitute appropriate values for your system
in this line (see \fBinetd(8)\fR):
.PP
\fBnetbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd
-d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf\fR
.PP
(The above should appear in \fI/etc/inetd.conf\fR
as a single line. Depending on your terminal characteristics, it may
not appear that way in this man page. If the above appears as more
than one line, please treat any newlines or indentation as a single
space or TAB character.)
.PP
Note that there is no need to specify a port number here,
even if you are using a non-standard port number.
.PP
Lastly, edit the configuration file to provide suitable
services. To start with, the following two services should be
all you need:
.sp
.nf
[homes]
writeable = yes
[printers]
writeable = no
printable = yes
path = /tmp
public = yes
.sp
.fi
.PP
This will allow you to connect to your home directory
and print to any printer supported by the host (user privileges
permitting).
.SH "PAM INTERACTION"
.PP
Samba uses PAM for authentication (when presented with a plaintext
@ -409,24 +239,6 @@ level secuirty, users must pass PAM's session checks before access
is granted. Note however, that this is bypassed in share level secuirty.
Note also that some older pam configuration files may need a line
added for session support.
.SH "TESTING THE INSTALLATION"
.PP
If running the server as a daemon, execute it before
proceeding. If using a meta-daemon, either restart the system
or kill and restart the meta-daemon. Some versions of
\fBinetd\fR will reread their configuration
tables if they receive a HUP signal.
.PP
If your machine's name is \fIfred\fR and your
name is \fImary\fR, you should now be able to connect
to the service \fI\\\\fred\\mary\fR.
.PP
To properly test and experiment with the server, we
recommend using the \fBsmbclient\fR program (see
\fBsmbclient(1)\fR)
and also going through the steps outlined in the file
\fIDIAGNOSIS.txt\fR in the \fIdocs/\fR
directory of your Samba installation.
.SH "VERSION"
.PP
This man page is correct for version 2.2 of

49
docs/manpages/smbpasswd.8
View File

@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMBPASSWD" "8" "04 January 2002" "" ""
.TH "SMBPASSWD" "8" "24 January 2002" "" ""
.SH NAME
smbpasswd \- change a user's SMB password
.SH SYNOPSIS
@ -56,9 +56,10 @@ following should be added to the local smbpasswd file, with the
new password typed (type <Enter> for the old password). This
option is ignored if the username following already exists in
the smbpasswd file and it is treated like a regular change
password command. Note that the user to be added must already exist
in the system password file (usually \fI/etc/passwd\fR)
else the request to add the user will fail.
password command. Note that the default passdb backends require
the user to already exist in the system password file (usually
\fI/etc/passwd\fR), else the request to add the
user will fail.
This option is only available when running smbpasswd
as root.
@ -80,8 +81,7 @@ will fail.
If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the user's password entry to write
this information and so the user is disabled by writing 'X' characters
into the password space in the smbpasswd file. See \fBsmbpasswd(5)
this information and the command will FAIL. See \fBsmbpasswd(5)
\fRfor details on the 'old' and new password file formats.
This option is only available when running smbpasswd as
@ -94,9 +94,8 @@ if the account was previously disabled. If the account was not
disabled this option has no effect. Once the account is enabled then
the user will be able to authenticate via SMB once again.
If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user,
otherwise the account will be enabled by removing the 'D'
flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for
If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will FAIL to enable the account.
See \fBsmbpasswd (5)\fR for
details on the 'old' and new password file formats.
This option is only available when running smbpasswd as root.
@ -208,36 +207,6 @@ This option tells smbpasswd that the account
being changed is a MACHINE account. Currently this is used
when Samba is being used as an NT Primary Domain Controller.
This option is only available when running smbpasswd as root.
.TP
\fB-j DOMAIN\fR
This option is used to add a Samba server
into a Windows NT Domain, as a Domain member capable of authenticating
user accounts to any Domain Controller in the same way as a Windows
NT Server. See the \fBsecurity = domain\fR option in
the \fIsmb.conf(5)\fR man page.
In order to be used in this way, the Administrator for
the Windows NT Domain must have used the program "Server Manager
for Domains" to add the primary NetBIOS name of the Samba server
as a member of the Domain.
After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then
look up the Primary Domain Controller for the Domain (found in
the \fIsmb.conf\fR file in the parameter
\fIpassword server\fR and change the machine account
password used to create the secure Domain communication. This
password is then stored by smbpasswd in a TDB, writeable only by root,
called \fIsecrets.tdb\fR
Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins
to the Samba server will be authenticated to the Windows NT
PDC.
Note that even though the authentication is being
done to the PDC all users accessing the Samba server must still
have a valid UNIX account on that machine.
This option is only available when running smbpasswd as root.
.TP
\fB-U username\fR
@ -292,7 +261,7 @@ has been set up to use encrypted passwords. See the file
on how to do this.
.SH "VERSION"
.PP
This man page is correct for version 2.2 of
This man page is correct for version 3.0 of
the Samba suite.
.SH "SEE ALSO"
.PP

13
docs/manpages/winbindd.8
View File

@ -3,7 +3,7 @@
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "WINBINDD" "8" "04 January 2002" "" ""
.TH "WINBINDD" "8" "24 January 2002" "" ""
.SH NAME
winbindd \- Name Service Switch daemon for resolving names from NT servers
.SH SYNOPSIS
@ -205,6 +205,17 @@ a Windows NT user, the \fBwinbindd\fR daemon
uses this parameter to fill in the shell for that user.
Default: \fBtemplate shell = /bin/false \fR
.TP
\fBwinbind use default domain\fR
This parameter specifies whether the \fBwinbindd\fR
daemon should operate on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd server's
own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
function in a way much closer to the way they would in a native unix system.
Default: \fBwinbind use default domain = <falseg>
\fR
Example: \fBwinbind use default domain = true\fR
.SH "EXAMPLE SETUP"
.PP
To setup winbindd for user and group lookups plus