mirror of https://github.com/samba-team/samba.git synced 2025-02-04 17:47:26 +03:00

regenerate docs

(This used to be commit cc02d3bc170fe5c8c4474156edb6c83720a47aa0)
Jelmer Vernooij 2003-07-01 22:58:52 +00:00
parent b32d48533f
commit 3878085eca
86 changed files with 3968 additions and 16177 deletions

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Specific client application problems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-Config.html" title="Chapter 3. Configuration problems"><link rel="next" href="FAQ-errors.html" title="Chapter 5. Common errors"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Specific client application problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-Config.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-errors.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="FAQ-ClientApp"></a>Chapter 4. Specific client application problems</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-ClientApp.html#id2808466">MS Office Setup reports &quot;Cannot change properties of '\\MSOFFICE\\SETUP.INI'&quot;</a></dt><dt><a href="FAQ-ClientApp.html#id2808495">How to use a Samba share as an administrative share for MS Office, etc.</a></dt><dt><a href="FAQ-ClientApp.html#id2808433">Microsoft Access database opening errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808466"></a>MS Office Setup reports &quot;Cannot change properties of '\\MSOFFICE\\SETUP.INI'&quot;</h2></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Specific client application problems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-Install.html" title="Chapter 2. Compiling and installing Samba on a Unix host"><link rel="next" href="FAQ-errors.html" title="Chapter 4. Common errors"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Specific client application problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-Install.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-errors.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FAQ-ClientApp"></a>Chapter 3. Specific client application problems</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-ClientApp.html#id2815105">MS Office Setup reports &quot;Cannot change properties of '\\MSOFFICE\\SETUP.INI'&quot;</a></dt><dt><a href="FAQ-ClientApp.html#id2815137">How to use a Samba share as an administrative share for MS Office, etc.</a></dt><dt><a href="FAQ-ClientApp.html#id2882001">Microsoft Access database opening errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2815105"></a>MS Office Setup reports &quot;Cannot change properties of '\\MSOFFICE\\SETUP.INI'&quot;</h2></div></div><div></div></div><p>
When installing MS Office on a Samba drive for which you have admin
user permissions, ie. admin users = username, you will find the
setup program unable to complete the installation.
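Review bot: The regenerated header no longer starts with the DOCTYPE declaration: the hunk counts go from 5 old lines to 4 new ones and the new file begins directly at <html>, so browsers will render these pages in quirks mode. If that comes from the stylesheet upgrade (generator V1.59.1 to V1.60.1), restore the doctype in the stylesheet configuration. The section anchors also change (id2808466 becomes id2815105), which breaks existing deep links into the FAQ; explicit ids on the sections in the DocBook source would keep them stable across regenerations.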
@ -11,14 +10,14 @@ rdonly by trying to open it for writing.
Admin users can always open a file for writing, as they run as root.
You just have to install as a non-admin user and then use &quot;chown -R&quot;
to fix the owner.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808495"></a>How to use a Samba share as an administrative share for MS Office, etc.</h2></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2815137"></a>How to use a Samba share as an administrative share for MS Office, etc.</h2></div></div><div></div></div><p>
Microsoft Office products can be installed as an administrative installation
from which the application can either be run off the administratively installed
product that resides on a shared resource, or from which that product can be
installed onto workstation clients.
</p><p>
The general mechanism for implementing an adminstrative installation involves
running <b>X:\setup /A</b>, where X is the drive letter of either CDROM or floppy.
running <b class="command">X:\setup /A</b>, where X is the drive letter of either CDROM or floppy.
</p><p>
This installation process will NOT install the product for use per se, but
rather results in unpacking of the compressed distribution files into a target
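Review bot: "adminstrative" in the unchanged line "The general mechanism for implementing an adminstrative installation involves" is misspelled and survives the regeneration, so the typo lives in the DocBook source. Fix it there ("administrative") rather than in this generated file, otherwise the next regeneration brings it back.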
@ -45,8 +44,8 @@ set the following parameters on the share containing it:
browseable = yes
public = yes
</pre></li><li><p>Now you are ready to run the setup program from the Microsoft Windows
workstation as follows: <b>\\&quot;Server_Name&quot;\MSOP95\msoffice\setup</b>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808433"></a>Microsoft Access database opening errors</h2></div></div><p>
workstation as follows: <b class="command">\\&quot;Server_Name&quot;\MSOP95\msoffice\setup</b>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2882001"></a>Microsoft Access database opening errors</h2></div></div><div></div></div><p>
Here are some notes on running MS-Access on a Samba drive from <a href="stefank@esi.com.au" target="_top">Stefan Kjellberg</a>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Opening a database in 'exclusive' mode does NOT work. Samba ignores r/w/share modes on file open.</td></tr><tr><td>Make sure that you open the database as 'shared' and to 'lock modified records'</td></tr><tr><td>Of course locking must be enabled for the particular share (smb.conf)</td></tr></table><p>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-Config.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-errors.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Configuration problems </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Common errors</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-Install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-errors.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Compiling and installing Samba on a Unix host </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. Common errors</td></tr></table></div></body></html>
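Review bot: In the Microsoft Access section the link <a href="stefank@esi.com.au" target="_top"> has no mailto: scheme, so it resolves as a relative URL under the FAQ directory instead of opening a mail client. The line is unchanged context here, which means the source markup needs the fix (a proper e-mail element or a mailto: URL). The navigation footer change from FAQ-Config.html to FAQ-Install.html also implies the "Configuration problems" chapter is gone from the FAQ; say so in the commit message if that is intended.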

@ -1,55 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Compiling and installing Samba on a Unix host</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-general.html" title="Chapter 1. General Information"><link rel="next" href="FAQ-Config.html" title="Chapter 3. Configuration problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Compiling and installing Samba on a Unix host</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-general.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-Config.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="FAQ-Install"></a>Chapter 2. 
Compiling and installing Samba on a Unix host</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-Install.html#id2808542">I can't see the Samba server in any browse lists!</a></dt><dt><a href="FAQ-Install.html#id2811456">Some files that I KNOW are on the server don't show up when I view the files from my client!</a></dt><dt><a href="FAQ-Install.html#id2811470">Some files on the server show up with really wierd filenames when I view the files from my client!</a></dt><dt><a href="FAQ-Install.html#id2860743">My client reports &quot;cannot locate specified computer&quot; or similar</a></dt><dt><a href="FAQ-Install.html#id2860797">My client reports &quot;cannot locate specified share name&quot; or similar</a></dt><dt><a href="FAQ-Install.html#id2806029">Printing doesn't work</a></dt><dt><a href="FAQ-Install.html#id2807904">My client reports &quot;This server is not configured to list shared resources&quot;</a></dt><dt><a href="FAQ-Install.html#id2807925">Log message &quot;you appear to have a trapdoor uid system&quot; </a></dt><dt><a href="FAQ-Install.html#id2807990">Why are my file's timestamps off by an hour, or by a few hours?</a></dt><dt><a href="FAQ-Install.html#id2811127">How do I set the printer driver name correctly?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808542"></a>I can't see the Samba server in any browse lists!</h2></div></div><p>
See Browsing.html in the docs directory of the samba source
for more information on browsing.
</p><p>
If your GUI client does not permit you to select non-browsable
servers, you may need to do so on the command line. For example, under
Lan Manager you might connect to the above service as disk drive M:
thusly:
</p><pre class="programlisting">
net use M: \\mary\fred
</pre><p>
The details of how to do this and the specific syntax varies from
client to client - check your client's documentation.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811456"></a>Some files that I KNOW are on the server don't show up when I view the files from my client!</h2></div></div><p>See the next question.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811470"></a>Some files on the server show up with really wierd filenames when I view the files from my client!</h2></div></div><p>
If you check what files are not showing up, you will note that they
are files which contain upper case letters or which are otherwise not
DOS-compatible (ie, they are not legal DOS filenames for some reason).
</p><p>
The Samba server can be configured either to ignore such files
completely, or to present them to the client in &quot;mangled&quot; form. If you
are not seeing the files at all, the Samba server has most likely been
configured to ignore them. Consult the man page smb.conf(5) for
details of how to change this - the parameter you need to set is
&quot;mangled names = yes&quot;.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2860743"></a>My client reports &quot;cannot locate specified computer&quot; or similar</h2></div></div><p>
This indicates one of three things: You supplied an incorrect server
name, the underlying TCP/IP layer is not working correctly, or the
name you specified cannot be resolved.
</p><p>
After carefully checking that the name you typed is the name you
should have typed, try doing things like pinging a host or telnetting
to somewhere on your network to see if TCP/IP is functioning OK. If it
is, the problem is most likely name resolution.
</p><p>
If your client has a facility to do so, hardcode a mapping between the
hosts IP and the name you want to use. For example, with Lan Manager
or Windows for Workgroups you would put a suitable entry in the file
LMHOSTS. If this works, the problem is in the communication between
your client and the netbios name server. If it does not work, then
there is something fundamental wrong with your naming and the solution
is beyond the scope of this document.
</p><p>
If you do not have any server on your subnet supplying netbios name
resolution, hardcoded mappings are your only option. If you DO have a
netbios name server running (such as the Samba suite's nmbd program),
the problem probably lies in the way it is set up. Refer to Section
Two of this FAQ for more ideas.
</p><p>
By the way, remember to REMOVE the hardcoded mapping before further
tests :-)
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2860797"></a>My client reports &quot;cannot locate specified share name&quot; or similar</h2></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Compiling and installing Samba on a Unix host</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-general.html" title="Chapter 1. General Information"><link rel="next" href="FAQ-ClientApp.html" title="Chapter 3. Specific client application problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Compiling and installing Samba on a Unix host</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-general.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-ClientApp.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FAQ-Install"></a>Chapter 2. Compiling and installing Samba on a Unix host</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-Install.html#id2816137">My client reports &quot;cannot locate specified share name&quot; or similar</a></dt><dt><a href="FAQ-Install.html#id2816189">Why are my file's timestamps off by an hour, or by a few hours?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2816137"></a>My client reports &quot;cannot locate specified share name&quot; or similar</h2></div></div><div></div></div><p>
This message indicates that your client CAN locate the specified
server, which is a good start, but that it cannot find a service of
the name you gave.
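Review bot: The table of contents for this chapter shrinks from ten entries to two, and the sections on browse lists, missing or oddly named files and "cannot locate specified computer" disappear from the body, but the commit message says only "regenerate docs". Name the source change that removed them, or confirm they were moved elsewhere (the "next" link now skips FAQ-Config.html), so that the loss of this troubleshooting text can be told apart from a build problem.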
@ -58,68 +7,7 @@ The first step is to check the exact name of the service you are
trying to connect to (consult your system administrator). Assuming it
exists and you specified it correctly (read your client's docs on how
to specify a service name correctly), read on:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Many clients cannot accept or use service names longer than eight characters.</td></tr><tr><td>Many clients cannot accept or use service names containing spaces.</td></tr><tr><td>Some servers (not Samba though) are case sensitive with service names.</td></tr><tr><td>Some clients force service names into upper case.</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2806029"></a>Printing doesn't work</h2></div></div><p>
Make sure that the specified print command for the service you are
connecting to is correct and that it has a fully-qualified path (eg.,
use &quot;/usr/bin/lpr&quot; rather than just &quot;lpr&quot;).
</p><p>
Make sure that the spool directory specified for the service is
writable by the user connected to the service. In particular the user
&quot;nobody&quot; often has problems with printing, even if it worked with an
earlier version of Samba. Try creating another guest user other than
&quot;nobody&quot;.
</p><p>
Make sure that the user specified in the service is permitted to use
the printer.
</p><p>
Check the debug log produced by smbd. Search for the printer name and
see if the log turns up any clues. Note that error messages to do with
a service ipc$ are meaningless - they relate to the way the client
attempts to retrieve status information when using the LANMAN1
protocol.
</p><p>
If using WfWg then you need to set the default protocol to TCP/IP, not
Netbeui. This is a WfWg bug.
</p><p>
If using the Lanman1 protocol (the default) then try switching to
coreplus. Also not that print status error messages don't mean
printing won't work. The print status is received by a different
mechanism.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2807904"></a>My client reports &quot;This server is not configured to list shared resources&quot;</h2></div></div><p>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
</p><p>See also 'guest account' in smb.conf man page.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2807925"></a>Log message &quot;you appear to have a trapdoor uid system&quot; </h2></div></div><p>
This can have several causes. It might be because you are using a uid
or gid of 65535 or -1. This is a VERY bad idea, and is a big security
hole. Check carefully in your /etc/passwd file and make sure that no
user has uid 65535 or -1. Especially check the &quot;nobody&quot; user, as many
broken systems are shipped with nobody setup with a uid of 65535.
</p><p>It might also mean that your OS has a trapdoor uid/gid system :-)</p><p>
This means that once a process changes effective uid from root to
another user it can't go back to root. Unfortunately Samba relies on
being able to change effective uid from root to non-root and back
again to implement its security policy. If your OS has a trapdoor uid
system this won't work, and several things in Samba may break. Less
things will break if you use user or server level security instead of
the default share level security, but you may still strike
problems.
</p><p>
The problems don't give rise to any security holes, so don't panic,
but it does mean some of Samba's capabilities will be unavailable.
In particular you will not be able to connect to the Samba server as
two different uids at once. This may happen if you try to print as a
&quot;guest&quot; while accessing a share as a normal user. It may also affect
your ability to list the available shares as this is normally done as
the guest user.
</p><p>
Complain to your OS vendor and ask them to fix their system.
</p><p>
Note: the reason why 65535 is a VERY bad choice of uid and gid is that
it casts to -1 as a uid, and the setreuid() system call ignores (with
no error) uid changes to -1. This means any daemon attempting to run
as uid 65535 will actually run as root. This is not good!
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2807990"></a>Why are my file's timestamps off by an hour, or by a few hours?</h2></div></div><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Many clients cannot accept or use service names longer than eight characters.</td></tr><tr><td>Many clients cannot accept or use service names containing spaces.</td></tr><tr><td>Some servers (not Samba though) are case sensitive with service names.</td></tr><tr><td>Some clients force service names into upper case.</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2816189"></a>Why are my file's timestamps off by an hour, or by a few hours?</h2></div></div><div></div></div><p>
This is from Paul Eggert eggert@twinsun.com.
</p><p>
Most likely it's a problem with your time zone settings.
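Review bot: The removed "trapdoor uid system" section is the one place in this hunk that documents a security hazard: a uid or gid of 65535 casts to -1, setreuid() ignores a change to -1 with no error, and a daemon configured for that uid actually runs as root. Dropping it together with the printing and guest-account sections loses the advice to check /etc/passwd (especially the "nobody" user) for uid 65535 or -1. Keep that note somewhere in the regenerated documentation, or point to where it now lives.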
@ -173,22 +61,4 @@ time zone is also set appropriately. [[I don't know how to do this.]]
Samba traditionally has had many problems dealing with time zones, due
to the bizarre ways that Microsoft network protocols handle time
zones.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811127"></a>How do I set the printer driver name correctly?</h2></div></div><p>Question:
&#8220; On NT, I opened &quot;Printer Manager&quot; and &quot;Connect to Printer&quot;.
Enter [&quot;\\ptdi270\ps1&quot;] in the box of printer. I got the
following error message
&#8221;</p><p>
</p><pre class="programlisting">
You do not have sufficient access to your machine
to connect to the selected printer, since a driver
needs to be installed locally.
</pre><p>
</p><p>Answer:</p><p>In the more recent versions of Samba you can now set the &quot;printer
driver&quot; in smb.conf. This tells the client what driver to use. For
example:</p><pre class="programlisting">
printer driver = HP LaserJet 4L
</pre><p>With this, NT knows to use the right driver. You have to get this string
exactly right.</p><p>To find the exact string to use, you need to get to the dialog box in
your client where you select which printer driver to install. The
correct strings for all the different printers are shown in a listbox
in that dialog box.</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-general.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-Config.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. General Information </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Configuration problems</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-general.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-ClientApp.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. General Information </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Specific client application problems</td></tr></table></div></body></html>
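Review bot: The hunk header context still shows the author placeholder "[[I don't know how to do this.]]" in the published timestamp answer; since the docs are being regenerated anyway, resolve or remove it in the source. The printer driver section is also removed here with no pointer to a replacement, which leaves the "You do not have sufficient access to your machine to connect to the selected printer" error without an answer in the FAQ.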

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Common errors</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-ClientApp.html" title="Chapter 4. Specific client application problems"><link rel="next" href="FAQ-features.html" title="Chapter 6. Features"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Common errors</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-ClientApp.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-features.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="FAQ-errors"></a>Chapter 5. Common errors</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-errors.html#id2811288">Not listening for calling name</a></dt><dt><a href="FAQ-errors.html#id2811329">System Error 1240</a></dt><dt><a href="FAQ-errors.html#id2811215">smbclient ignores -N !</a></dt><dt><a href="FAQ-errors.html#id2811270">The data on the CD-Drive I've shared seems to be corrupted!</a></dt><dt><a href="FAQ-errors.html#id2874350">Why can users access home directories of other users?</a></dt><dt><a href="FAQ-errors.html#id2874436">Until a few minutes after samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</a></dt><dt><a href="FAQ-errors.html#id2874451">I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. 
Error was Cannot assign requested&quot; in the logs</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811288"></a>Not listening for calling name</h2></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Common errors</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-ClientApp.html" title="Chapter 3. Specific client application problems"><link rel="next" href="FAQ-features.html" title="Chapter 5. Features"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Common errors</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-ClientApp.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-features.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FAQ-errors"></a>Chapter 4. Common errors</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-errors.html#id2816075">Not listening for calling name</a></dt><dt><a href="FAQ-errors.html#id2815985">System Error 1240</a></dt><dt><a href="FAQ-errors.html#id2816025">smbclient ignores -N !</a></dt><dt><a href="FAQ-errors.html#id2814553">The data on the CD-Drive I've shared seems to be corrupted!</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2816075"></a>Not listening for calling name</h2></div></div><div></div></div><p>
</p><pre class="programlisting">
Session request failed (131,129) with myname=HOBBES destname=CALVIN
Not listening for calling name
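Review bot: The new table of contents lists four questions where the old one listed seven: "Why can users access home directories of other users?", the "Domain Controller Unavailable" entry and the open_oplock_ipc entry are gone. The first of these is an access-control question, so confirm its answer was moved into another document rather than lost, and mention the move in the commit message.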
@ -15,85 +14,39 @@ global section of smb.conf.
It can also be a problem with reverse DNS lookups not functioning
correctly, leading to the remote host identity not being able to
be confirmed, but that is less likely.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811329"></a>System Error 1240</h2></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2815985"></a>System Error 1240</h2></div></div><div></div></div><p>
System error 1240 means that the client is refusing to talk
to a non-encrypting server. Microsoft changed WinNT in service
pack 3 to refuse to connect to servers that do not support
SMB password encryption.
</p><p>There are two main solutions:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>enable SMB password encryption in Samba. See the encryption part of
the samba HOWTO Collection</td></tr><tr><td>disable this new behaviour in NT. See the section about
the samba HOWTO Collection</td></tr><tr><td>disable this behaviour in NT. See the section about
Windows NT in the chapter &quot;Portability&quot; of the samba HOWTO collection
</td></tr></table><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811215"></a>smbclient ignores -N !</h2></div></div><p>
&#8220;When getting the list of shares available on a host using the command
<b>smbclient -N -L</b>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2816025"></a>smbclient ignores -N !</h2></div></div><div></div></div><p>
&#8220;<span class="quote">When getting the list of shares available on a host using the command
<b class="command">smbclient -N -L</b>
the program always prompts for the password if the server is a Samba server.
It also ignores the &quot;-N&quot; argument when querying some (but not all) of our
NT servers.
&#8221;
</span>&#8221;
</p><p>
No, it does not ignore -N, it is just that your server rejected the
null password in the connection, so smbclient prompts for a password
to try again.
</p><p>
To get the behaviour that you probably want use <b>smbclient -L host -U%</b>
To get the behaviour that you probably want use <b class="command">smbclient -L host -U%</b>
</p><p>
This will set both the username and password to null, which is
an anonymous login for SMB. Using -N would only set the password
to null, and this is not accepted as an anonymous login for most
SMB servers.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2811270"></a>The data on the CD-Drive I've shared seems to be corrupted!</h2></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2814553"></a>The data on the CD-Drive I've shared seems to be corrupted!</h2></div></div><div></div></div><p>
Some OSes (notably Linux) default to auto detection of file type on
cdroms and do cr/lf translation. This is a very bad idea when use with
Samba. It causes all sorts of stuff ups.
</p><p>
To overcome this problem use conv=binary when mounting the cdrom
before exporting it with Samba.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874350"></a>Why can users access home directories of other users?</h2></div></div><p>
&#8220;
We are unable to keep individual users from mapping to any other user's
home directory once they have supplied a valid password! They only need
to enter their own password. I have not found *any* method that I can
use to configure samba to enforce that only a user may map their own
home directory.
&#8221;
</p><p>&#8220;
User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* elses home directory!
&#8221;</p><p>
This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
as they would if they were logged onto the UNIX box, except
that it only allows such views onto the file system as are
allowed by the defined shares.
</p><p>
This means that if your UNIX home directories are set up
such that one user can happily cd into another users
directory and do an ls, the UNIX security solution is to
change the UNIX file permissions on the users home directories
such that the cd and ls would be denied.
</p><p>
Samba tries very hard not to second guess the UNIX administrators
security policies, and trusts the UNIX admin to set
the policies and permissions he or she desires.
</p><p>
Samba does allow the setup you require when you have set the
&quot;only user = yes&quot; option on the share, is that you have not set the
valid users list for the share.
</p><p>
Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :
</p><pre class="programlisting">
users = %S
</pre><p>
this is equivalent to:
</p><pre class="programlisting">
valid users = %S
</pre><p>
to the definition of the [homes] share, as recommended in
the smb.conf man page.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874436"></a>Until a few minutes after samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</h2></div></div><p>
A domain controller has to announce on the network who it is. This usually takes a while.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874451"></a>I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</h2></div></div><p>Your loopback device isn't working correctly. Make sure it's running.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-ClientApp.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-features.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Specific client application problems </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Features</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-ClientApp.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-features.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Specific client application problems </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Features</td></tr></table></div></body></html>
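Review bot: The three sections between the CD-Drive entry and the navigation footer ("Why can users access home directories of other users?", the "Domain Controller Unavailable" entry and the open_oplock_ipc entry) have no counterpart in the new id scheme and appear to be dropped by this regeneration. The home-directory entry is the only place in this chapter that tells admins to put "valid users = %S" on [homes] and to tighten the UNIX permissions on home directories, so please confirm it was removed from the DocBook source on purpose and not as a side effect of the chapter renumbering (the footer now reads "Chapter 3" and "Chapter 5"). If the entry survives anywhere, the sentence beginning "Samba does allow the setup you require when you have set the "only user = yes" option" is garbled and should be rewritten in the source.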

View File

@ -1,47 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Features</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-errors.html" title="Chapter 5. Common errors"><link rel="next" href="FAQ-Printing.html" title="Chapter 7. Printing problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Features</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-errors.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-Printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="FAQ-features"></a>Chapter 6. 
Features</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-features.html#id2874269">How can I prevent my samba server from being used to distribute the Nimda worm?</a></dt><dt><a href="FAQ-features.html#id2874209">How can I use samba as a fax server?</a></dt><dd><dl><dt><a href="FAQ-features.html#id2874628">Tools for printing faxes</a></dt><dt><a href="FAQ-features.html#id2874681">Making the fax-server</a></dt><dt><a href="FAQ-features.html#id2874774">Installing the client drivers</a></dt><dt><a href="FAQ-features.html#id2874858">Example smb.conf</a></dt></dl></dd><dt><a href="FAQ-features.html#id2874883">Samba doesn't work well together with DHCP!</a></dt><dt><a href="FAQ-features.html#id2874531">How can I assign NetBIOS names to clients with DHCP?</a></dt><dt><a href="FAQ-features.html#id2874581">How do I convert between unix and dos text formats?</a></dt><dt><a href="FAQ-features.html#id2874612">Does samba have wins replication support?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874269"></a>How can I prevent my samba server from being used to distribute the Nimda worm?</h2></div></div><p>Author: HASEGAWA Yosuke (translated by <a href="monyo@samba.gr.jp" target="_top">TAKAHASHI Motonobu</a>)</p><p>
Nimba Worm is infected through shared disks on a network, as well as through
Microsoft IIS, Internet Explorer and mailer of Outlook series.
</p><p>
At this time, the worm copies itself by the name *.nws and *.eml on
the shared disk, moreover, by the name of Riched20.dll in the folder
where *.doc file is included.
</p><p>
To prevent infection through the shared disk offered by Samba, set
up as follows:
</p><p>
</p><pre class="programlisting">
[global]
...
# This can break Administration installations of Office2k.
# in that case, don't veto the riched20.dll
veto files = /*.eml/*.nws/riched20.dll/
</pre><p>
</p><p>
By setting the &quot;veto files&quot; parameter, matched files on the Samba
server are completely hidden from the clients and making it impossible
to access them at all.
</p><p>
In addition to it, the following setting is also pointed out by the
samba-jp:09448 thread: when the
&quot;readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}&quot; file exists on
a Samba server, it is visible only as &quot;readme.txt&quot; and dangerous
code may be executed if this file is double-clicked.
</p><p>
Setting the following,
</p><pre class="programlisting">
veto files = /*.{*}/
</pre><p>
any files having CLSID in its file extension will be inaccessible from any
clients.
</p><p>
This technical article is created based on the discussion of
samba-jp:09448 and samba-jp:10900 threads.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874209"></a>How can I use samba as a fax server?</h2></div></div><p>Contributor: <a href="mailto:zuber@berlin.snafu.de" target="_top">Gerhard Zuber</a></p><p>Requirements:
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Features</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="FAQ-errors.html" title="Chapter 4. Common errors"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Features</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FAQ-errors.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FAQ-features"></a>Chapter 5. Features</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-features.html#id2814838">How can I use samba as a fax server?</a></dt><dd><dl><dt><a href="FAQ-features.html#id2814785">Tools for printing faxes</a></dt><dt><a href="FAQ-features.html#id2882696">Making the fax-server</a></dt><dt><a href="FAQ-features.html#id2882789">Installing the client drivers</a></dt><dt><a href="FAQ-features.html#id2882874">Example smb.conf</a></dt></dl></dd><dt><a href="FAQ-features.html#id2882898">Samba doesn't work well together with DHCP!</a></dt><dt><a href="FAQ-features.html#id2883025">How can I assign NetBIOS names to clients with DHCP?</a></dt><dt><a href="FAQ-features.html#id2883072">How do I convert between unix and dos text formats?</a></dt><dt><a href="FAQ-features.html#id2883101">Does samba have wins replication support?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2814838"></a>How can I use samba as a 
fax server?</h2></div></div><div></div></div><p>Contributor: <a href="mailto:zuber@berlin.snafu.de" target="_top">Gerhard Zuber</a></p><p>Requirements:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>UNIX box (Linux preferred) with SAMBA and a faxmodem</td></tr><tr><td>ghostscript package</td></tr><tr><td>mgetty+sendfax package</td></tr><tr><td>pbm package (portable bitmap tools)</td></tr></table><p>
</p><p>First, install and configure the required packages. Be sure to read the mgetty+sendfax
manual carefully.</p><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2874628"></a>Tools for printing faxes</h3></div></div><p>Your incomed faxes are in:
<tt>/var/spool/fax/incoming</tt>. Print it with:</p><pre class="programlisting">
manual carefully.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2814785"></a>Tools for printing faxes</h3></div></div><div></div></div><p>Your incomed faxes are in:
<tt class="filename">/var/spool/fax/incoming</tt>. Print it with:</p><pre class="programlisting">
for i in *
do
g3cat $i | g3tolj | lpr -P hp
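Review bot: The regenerated table of contents on the "Chapter 5. Features" line no longer lists "How can I prevent my samba server from being used to distribute the Nimda worm?", and the section carrying the "veto files = /*.eml/*.nws/riched20.dll/" and "veto files = /*.{*}/" settings has no new-format counterpart. A commit titled "regenerate docs" should not lose a mitigation recipe without saying so; confirm the entry was removed from the source deliberately and record that in the commit message. Separately, the retained line still reads "Your incomed faxes are in", which should be corrected in the DocBook source rather than in the generated HTML.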
@ -52,9 +13,9 @@ g3cat is in the tools-section, g3tolj is in the contrib-section
for printing to HP lasers.
</p><p>
If you want to produce files for displaying and printing with Windows, use
some tools from the pbm-package like the following command: <b>g3cat $i | g3topbm - | ppmtopcx - &gt;$i.pcx</b>
some tools from the pbm-package like the following command: <b class="command">g3cat $i | g3topbm - | ppmtopcx - &gt;$i.pcx</b>
and view it with your favourite Windows tool (maybe paintbrush)
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2874681"></a>Making the fax-server</h3></div></div><p>fetch the file <tt>mgetty+sendfax/frontends/winword/faxfilter</tt> and place it in <tt>/usr/local/etc/mgetty+sendfax/</tt>(replace /usr/local/ with whatever place you installed mgetty+sendfax)</p><p>prepare your faxspool file as mentioned in this file
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2882696"></a>Making the fax-server</h3></div></div><div></div></div><p>fetch the file <tt class="filename">mgetty+sendfax/frontends/winword/faxfilter</tt> and place it in <tt class="filename">/usr/local/etc/mgetty+sendfax/</tt>(replace /usr/local/ with whatever place you installed mgetty+sendfax)</p><p>prepare your faxspool file as mentioned in this file
edit fax/faxspool.in and reinstall or change the final
/usr/local/bin/faxspool too.
</p><pre class="programlisting">
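Review bot: Every heading anchor in this hunk changes value (id2874681 becomes id2882696 for "Making the fax-server"), so any deep link into the FAQ breaks each time the docs are regenerated. Give the sections explicit id attributes in the DocBook source so the stylesheet emits stable anchors. In the changed "fetch the file" line there is also no space between the closing tt element and "(replace /usr/local/ ...", and the next sentence, "prepare your faxspool file as mentioned in this file edit fax/faxspool.in and reinstall", runs two steps together.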
@ -63,7 +24,7 @@ if [ &quot;$user&quot; = &quot;root&quot; -o &quot;$user&quot; = &quot;fax&quot;
</pre><p>find the first line and change it to the second.</p><p>
make sure you have pbmtext (from the pbm-package). This is
needed for creating the small header line on each page.
</p><p>Prepare your faxheader <tt>/usr/local/etc/mgetty+sendfax/faxheader</tt></p><p>
</p><p>Prepare your faxheader <tt class="filename">/usr/local/etc/mgetty+sendfax/faxheader</tt></p><p>
Edit your /etc/printcap file:
</p><pre class="programlisting">
# FAX
@ -72,7 +33,7 @@ lp3|fax:\
:sd=/usr/spool/lp3:\
:if=/usr/local/etc/mgetty+sendfax/faxfilter:sh:sf:mx#0:\
:lf=/usr/spool/lp3/fax-log:
</pre><p>Now, edit your <tt>smb.conf</tt> so you have a smb based printer named &quot;fax&quot;</p></div><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2874774"></a>Installing the client drivers</h3></div></div><p>
</pre><p>Now, edit your <tt class="filename">smb.conf</tt> so you have a smb based printer named &quot;fax&quot;</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2882789"></a>Installing the client drivers</h3></div></div><div></div></div><p>
Now you have a printer called &quot;fax&quot; which can be used via
TCP/IP-printing (lpd-system) or via SAMBA (windows printing).
</p><p>
@ -111,7 +72,7 @@ uses the found number as the fax-destination-number.
Now print your fax through the fax-printer and it will be
queued for later transmission. Use faxrunq for sending the
queue out.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2874858"></a>Example smb.conf</h3></div></div><pre class="programlisting">
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2882874"></a>Example smb.conf</h3></div></div><div></div></div><pre class="programlisting">
[global]
printcap name = /etc/printcap
print command = /usr/bin/lpr -r -P %p %s
@ -127,7 +88,7 @@ queue out.
create mode = 0700
browseable = yes
guest ok = no
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874883"></a>Samba doesn't work well together with DHCP!</h2></div></div><p>
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2882898"></a>Samba doesn't work well together with DHCP!</h2></div></div><div></div></div><p>
We wish to help those folks who wish to use the ISC DHCP Server and provide
sample configuration settings. Most operating systems today come ship with
the ISC DHCP Server. ISC DHCP is available from:
@ -180,14 +141,14 @@ applied to the resulting DHCP offered settings UNLESS the DHCP server also sets
a NetBIOS Scope. It may therefore be prudent to forcibly apply a NULL NetBIOS
Scope from your DHCP server. The can be done in the dhcpd.conf file with the
parameter:
<b>option netbios-scope &quot;&quot;;</b>
<b class="command">option netbios-scope &quot;&quot;;</b>
</p><p>
While it is true that the Microsoft DHCP server that comes with Windows NT
Server provides only a sub-set of rfc1533 functionality this is hardly an issue
in those sites that already have a large investment and commitment to Unix
systems and technologies. The current state of the art of the DHCP Server
specification in covered in rfc2132.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874531"></a>How can I assign NetBIOS names to clients with DHCP?</h2></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2883025"></a>How can I assign NetBIOS names to clients with DHCP?</h2></div></div><div></div></div><p>
SMB network clients need to be configured so that all standard TCP/IP name to
address resolution works correctly. Once this has been achieved the SMB
environment provides additional tools and services that act as helper agents in
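Review bot: The changed line wraps "option netbios-scope "";" in b class="command", but it is a dhcpd.conf parameter and not a command; mark it up as an option or literal in the source so it renders like the other configuration text. The context lines around it also carry typos worth fixing at the source: "The can be done in the dhcpd.conf file" and "specification in covered in rfc2132".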
@ -202,13 +163,13 @@ This can be done, but needs a few NT registry hacks and you need to be able to
speak UNICODE, which is of course no problem for a True Wizzard(tm) :)
Instructions on how to do this (including a small util for less capable
Wizzards) can be found at
</p><p><a href="http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html" target="_top">http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html</a></p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874581"></a>How do I convert between unix and dos text formats?</h2></div></div><p>
</p><p><a href="http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html" target="_top">http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html</a></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2883072"></a>How do I convert between unix and dos text formats?</h2></div></div><div></div></div><p>
Jim barry has written an <a href="ftp://samba.org/pub/samba/contributed/fixcrlf.zip" target="_top">
excellent drag-and-drop cr/lf converter for
windows</a>. Just drag your file onto the icon and it converts the file.
</p><p>
The utilities unix2dos and dos2unix(in the mtools package) should do
the job under unix.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2874612"></a>Does samba have wins replication support?</h2></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2883101"></a>Does samba have wins replication support?</h2></div></div><div></div></div><p>
At the time of writing there is currently being worked on a wins replication implementation(wrepld).
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-errors.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-Printing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Common errors </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Printing problems</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FAQ-errors.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Common errors </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
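Review bot: The new navigation footer has empty cells where the old one linked Next to FAQ-Printing.html ("Chapter 7. Printing problems"), which makes Features the last chapter. Check that FAQ-Printing.html is deleted in this same commit and that nothing else in the FAQ still links to it; otherwise a stale page stays in the tree with no route to it from the navigation.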

View File

@ -1,7 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. General Information</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="samba-faq.html" title="Samba FAQ"><link rel="next" href="FAQ-Install.html" title="Chapter 2. Compiling and installing Samba on a Unix host"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. General Information</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-faq.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-Install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="FAQ-general"></a>Chapter 1. General Information</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-general.html#id2808041">Where can I get it?</a></dt><dt><a href="FAQ-general.html#id2808063">What do the version numbers mean?</a></dt><dt><a href="FAQ-general.html#id2808152">What platforms are supported?</a></dt><dt><a href="FAQ-general.html#id2808341">How do I subscribe to the Samba Mailing Lists?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808041"></a>Where can I get it?</h2></div></div><p>
The Samba suite is available at the <a href="http://samba.org/" target="_top">samba website</a>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808063"></a>What do the version numbers mean?</h2></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. General Information</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="up" href="samba-faq.html" title="Samba FAQ"><link rel="previous" href="samba-faq.html" title="Samba FAQ"><link rel="next" href="FAQ-Install.html" title="Chapter 2. Compiling and installing Samba on a Unix host"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. General Information</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-faq.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-Install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FAQ-general"></a>Chapter 1. General Information</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FAQ-general.html#id2868051">What do the version numbers mean?</a></dt><dt><a href="FAQ-general.html#id2867958">What platforms are supported?</a></dt><dt><a href="FAQ-general.html#id2816450">How do I subscribe to the Samba Mailing Lists?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2868051"></a>What do the version numbers mean?</h2></div></div><div></div></div><p>
It is not recommended that you run a version of Samba with the word
&quot;alpha&quot; in its name unless you know what you are doing and are willing
to do some debugging. Many, many people just get the latest
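Review bot: The new table of contents for Chapter 1 starts at "What do the version numbers mean?"; the "Where can I get it?" entry and its link to the samba website are gone. If the source change behind this is intentional, reference it here, because the diff alone does not show whether the entry was moved or lost.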
@ -40,11 +37,11 @@ The above system means that whenever someone looks at the samba ftp
site they will be able to grab the highest numbered release without an
alpha in the name and be sure of getting the current recommended
version.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808152"></a>What platforms are supported?</h2></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867958"></a>What platforms are supported?</h2></div></div><div></div></div><p>
Many different platforms have run Samba successfully. The platforms
most widely used and thus best tested are Linux and SunOS.</p><p>
At time of writing, there is support (or has been support for in earlier
versions):
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A/UX 3.0</td></tr><tr><td>AIX</td></tr><tr><td>Altos Series 386/1000</td></tr><tr><td>Amiga</td></tr><tr><td>Apollo Domain/OS sr10.3</td></tr><tr><td>BSDI </td></tr><tr><td>B.O.S. (Bull Operating System)</td></tr><tr><td>Cray, Unicos 8.0</td></tr><tr><td>Convex</td></tr><tr><td>DGUX. </td></tr><tr><td>DNIX.</td></tr><tr><td>FreeBSD</td></tr><tr><td>HP-UX</td></tr><tr><td>Intergraph. </td></tr><tr><td>Linux with/without shadow passwords and quota</td></tr><tr><td>LYNX 2.3.0</td></tr><tr><td>MachTen (a unix like system for Macintoshes)</td></tr><tr><td>Motorola 88xxx/9xx range of machines</td></tr><tr><td>NetBSD</td></tr><tr><td>NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach).</td></tr><tr><td>OS/2 using EMX 0.9b</td></tr><tr><td>OSF1</td></tr><tr><td>QNX 4.22</td></tr><tr><td>RiscIX. </td></tr><tr><td>RISCOs 5.0B</td></tr><tr><td>SEQUENT. </td></tr><tr><td>SCO (including: 3.2v2, European dist., OpenServer 5)</td></tr><tr><td>SGI.</td></tr><tr><td>SMP_DC.OSx v1.1-94c079 on Pyramid S series</td></tr><tr><td>SONY NEWS, NEWS-OS (4.2.x and 6.1.x)</td></tr><tr><td>SUNOS 4</td></tr><tr><td>SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later')</td></tr><tr><td>Sunsoft ISC SVR3V4</td></tr><tr><td>SVR4</td></tr><tr><td>System V with some berkely extensions (Motorola 88k R32V3.2).</td></tr><tr><td>ULTRIX.</td></tr><tr><td>UNIXWARE</td></tr><tr><td>UXP/DS</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2808341"></a>How do I subscribe to the Samba Mailing Lists?</h2></div></div><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A/UX 3.0</td></tr><tr><td>AIX</td></tr><tr><td>Altos Series 386/1000</td></tr><tr><td>Amiga</td></tr><tr><td>Apollo Domain/OS sr10.3</td></tr><tr><td>BSDI </td></tr><tr><td>B.O.S. (Bull Operating System)</td></tr><tr><td>Cray, Unicos 8.0</td></tr><tr><td>Convex</td></tr><tr><td>DGUX. </td></tr><tr><td>DNIX.</td></tr><tr><td>FreeBSD</td></tr><tr><td>HP-UX</td></tr><tr><td>Intergraph. </td></tr><tr><td>Linux with/without shadow passwords and quota</td></tr><tr><td>LYNX 2.3.0</td></tr><tr><td>MachTen (a unix like system for Macintoshes)</td></tr><tr><td>Motorola 88xxx/9xx range of machines</td></tr><tr><td>NetBSD</td></tr><tr><td>NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach).</td></tr><tr><td>OS/2 using EMX 0.9b</td></tr><tr><td>OSF1</td></tr><tr><td>QNX 4.22</td></tr><tr><td>RiscIX. </td></tr><tr><td>RISCOs 5.0B</td></tr><tr><td>SEQUENT. </td></tr><tr><td>SCO (including: 3.2v2, European dist., OpenServer 5)</td></tr><tr><td>SGI.</td></tr><tr><td>SMP_DC.OSx v1.1-94c079 on Pyramid S series</td></tr><tr><td>SONY NEWS, NEWS-OS (4.2.x and 6.1.x)</td></tr><tr><td>SUNOS 4</td></tr><tr><td>SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later')</td></tr><tr><td>Sunsoft ISC SVR3V4</td></tr><tr><td>SVR4</td></tr><tr><td>System V with some berkely extensions (Motorola 88k R32V3.2).</td></tr><tr><td>ULTRIX.</td></tr><tr><td>UNIXWARE</td></tr><tr><td>UXP/DS</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2816450"></a>How do I subscribe to the Samba Mailing Lists?</h2></div></div><div></div></div><p>
Look at <a href="http://samba.org/samba/archives.html" target="_top">the samba mailing list page</a>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-faq.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="samba-faq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FAQ-Install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Samba FAQ </td><td width="20%" align="center"><a accesskey="h" href="samba-faq.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Compiling and installing Samba on a Unix host</td></tr></table></div></body></html>

View File

@ -1,250 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Specific client application problems</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="Samba FAQ"
HREF="samba-faq.html"><LINK
REL="PREVIOUS"
TITLE="Configuration problems"
HREF="config.html"><LINK
REL="NEXT"
TITLE="Common errors"
HREF="errors.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Samba FAQ</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="config.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="errors.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="CLIENTAPP">Chapter 4. Specific client application problems</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN174">4.1. MS Office Setup reports "Cannot change properties of '\MSOFFICE\SETUP.INI'"</H1
><P
>When installing MS Office on a Samba drive for which you have admin
user permissions, ie. admin users = username, you will find the
setup program unable to complete the installation.</P
><P
>To get around this problem, do the installation without admin user
permissions The problem is that MS Office Setup checks that a file is
rdonly by trying to open it for writing.</P
><P
>Admin users can always open a file for writing, as they run as root.
You just have to install as a non-admin user and then use "chown -R"
to fix the owner.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN179">4.2. How to use a Samba share as an administrative share for MS Office, etc.</H1
><P
>Microsoft Office products can be installed as an administrative installation
from which the application can either be run off the administratively installed
product that resides on a shared resource, or from which that product can be
installed onto workstation clients.</P
><P
>The general mechanism for implementing an adminstrative installation involves
running <B
CLASS="COMMAND"
>X:\setup /A</B
>, where X is the drive letter of either CDROM or floppy.</P
><P
>This installation process will NOT install the product for use per se, but
rather results in unpacking of the compressed distribution files into a target
shared folder. For this process you need write privilidge to the share and it
is desirable to enable file locking and share mode operation during this
process.</P
><P
>Subsequent installation of MS Office from this share will FAIL unless certain
precautions are taken. This failure will be caused by share mode operation
which will prevent the MS Office installation process from re-opening various
dynamic link library files and will cause sporadic file not found problems.</P
><P
></P
><UL
><LI
><P
>As soon as the administrative installation (unpacking) has completed
set the following parameters on the share containing it:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> [MSOP95]
path = /where_you_put_it
comment = Your comment
volume = "The_CD_ROM_Label"
read only = yes
available = yes
share modes = no
locking = no
browseable = yes
public = yes</PRE
></P
></LI
><LI
><P
>Now you are ready to run the setup program from the Microsoft Windows
workstation as follows: <B
CLASS="COMMAND"
>\\"Server_Name"\MSOP95\msoffice\setup</B
></P
></LI
></UL
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN194">4.3. Microsoft Access database opening errors</H1
><P
>Here are some notes on running MS-Access on a Samba drive from <A
HREF="stefank@esi.com.au"
TARGET="_top"
>Stefan Kjellberg</A
></P
><P
><P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>Opening a database in 'exclusive' mode does NOT work. Samba ignores r/w/share modes on file open.</TD
></TR
><TR
><TD
>Make sure that you open the database as 'shared' and to 'lock modified records'</TD
></TR
><TR
><TD
>Of course locking must be enabled for the particular share (smb.conf)</TD
></TR
></TBODY
></TABLE
><P
></P
></P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="config.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-faq.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="errors.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configuration problems</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Common errors</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
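Review bot: The `[MSOP95]` listing in section 4.2 sets `public = yes` alongside `share modes = no` and `locking = no`, but the surrounding text only motivates the locking settings. `public = yes` opens the unpacked Office distribution to guest connections, and the text gives no reason for that. If the DocBook source behind this page carries the same listing, mark guest access as optional there or drop the line. Separately, in section 4.3 `HREF="stefank@esi.com.au"` has no `mailto:` scheme, so it resolves as a relative link.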

View File

@ -1,314 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Common errors</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="Samba FAQ"
HREF="samba-faq.html"><LINK
REL="PREVIOUS"
TITLE="Specific client application problems"
HREF="clientapp.html"><LINK
REL="NEXT"
TITLE="Features"
HREF="features.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Samba FAQ</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="clientapp.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="features.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ERRORS">Chapter 5. Common errors</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN205">5.1. Not listening for calling name</H1
><P
><PRE
CLASS="PROGRAMLISTING"
>Session request failed (131,129) with myname=HOBBES destname=CALVIN
Not listening for calling name</PRE
></P
><P
>If you get this when talking to a Samba box then it means that your
global "hosts allow" or "hosts deny" settings are causing the Samba
server to refuse the connection. </P
><P
>Look carefully at your "hosts allow" and "hosts deny" lines in the
global section of smb.conf. </P
><P
>It can also be a problem with reverse DNS lookups not functioning
correctly, leading to the remote host identity not being able to
be confirmed, but that is less likely.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN212">5.2. System Error 1240</H1
><P
>System error 1240 means that the client is refusing to talk
to a non-encrypting server. Microsoft changed WinNT in service
pack 3 to refuse to connect to servers that do not support
SMB password encryption.</P
><P
>There are two main solutions:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>enable SMB password encryption in Samba. See the encryption part of
the samba HOWTO Collection</TD
></TR
><TR
><TD
>disable this new behaviour in NT. See the section about
Windows NT in the chapter "Portability" of the samba HOWTO collection</TD
></TR
></TBODY
></TABLE
><P
></P
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN219">5.3. smbclient ignores -N !</H1
><P
><SPAN
CLASS="QUOTE"
>"When getting the list of shares available on a host using the command
<B
CLASS="COMMAND"
>smbclient -N -L</B
>
the program always prompts for the password if the server is a Samba server.
It also ignores the "-N" argument when querying some (but not all) of our
NT servers."</SPAN
></P
><P
>No, it does not ignore -N, it is just that your server rejected the
null password in the connection, so smbclient prompts for a password
to try again.</P
><P
>To get the behaviour that you probably want use <B
CLASS="COMMAND"
>smbclient -L host -U%</B
></P
><P
>This will set both the username and password to null, which is
an anonymous login for SMB. Using -N would only set the password
to null, and this is not accepted as an anonymous login for most
SMB servers.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN228">5.4. The data on the CD-Drive I've shared seems to be corrupted!</H1
><P
>Some OSes (notably Linux) default to auto detection of file type on
cdroms and do cr/lf translation. This is a very bad idea when use with
Samba. It causes all sorts of stuff ups.</P
><P
>To overcome this problem use conv=binary when mounting the cdrom
before exporting it with Samba.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN232">5.5. Why can users access home directories of other users?</H1
><P
><SPAN
CLASS="QUOTE"
>"We are unable to keep individual users from mapping to any other user's
home directory once they have supplied a valid password! They only need
to enter their own password. I have not found *any* method that I can
use to configure samba to enforce that only a user may map their own
home directory."</SPAN
></P
><P
><SPAN
CLASS="QUOTE"
>"User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* elses home directory!"</SPAN
></P
><P
>This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
as they would if they were logged onto the UNIX box, except
that it only allows such views onto the file system as are
allowed by the defined shares.</P
><P
>This means that if your UNIX home directories are set up
such that one user can happily cd into another users
directory and do an ls, the UNIX security solution is to
change the UNIX file permissions on the users home directories
such that the cd and ls would be denied.</P
><P
>Samba tries very hard not to second guess the UNIX administrators
security policies, and trusts the UNIX admin to set
the policies and permissions he or she desires.</P
><P
>Samba does allow the setup you require when you have set the
"only user = yes" option on the share, is that you have not set the
valid users list for the share.</P
><P
>Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :
<PRE
CLASS="PROGRAMLISTING"
>users = %S</PRE
>
this is equivalent to:
<PRE
CLASS="PROGRAMLISTING"
>valid users = %S</PRE
>
to the definition of the [homes] share, as recommended in
the smb.conf man page.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN245">5.6. Until a few minutes after samba has started, clients get the error "Domain Controller Unavailable"</H1
><P
>A domain controller has to announce on the network who it is. This usually takes a while.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN248">5.7. I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs</H1
><P
>Your loopback device isn't working correctly. Make sure it's running.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="clientapp.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-faq.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="features.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Specific client application problems</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Features</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
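Review bot: Section 5.5 ("Why can users access home directories of other users?") goes away with this file, and the table of contents in the samba-faq.html hunk lists only four entries under Common errors, ending at the CD-Drive question. Please confirm whether 5.5 to 5.7 were dropped from the source on purpose; 5.5 is the only place in these pages that tells admins to add `valid users = %S` to `[homes]`. If the section is kept, the source sentence beginning "Samba does allow the setup you require when you have set the "only user = yes" option" needs rewording, and "to the definition of the [homes] share" has ended up after the second listing instead of after "add the line".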

View File

@ -1,439 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>General Information</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="Samba FAQ"
HREF="samba-faq.html"><LINK
REL="PREVIOUS"
TITLE="Samba FAQ"
HREF="samba-faq.html"><LINK
REL="NEXT"
TITLE="Compiling and installing Samba on a Unix host"
HREF="install.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Samba FAQ</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="samba-faq.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="install.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="GENERAL">Chapter 1. General Information</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN12">1.1. Where can I get it?</H1
><P
>The Samba suite is available at the <A
HREF="http://samba.org/"
TARGET="_top"
>samba website</A
>.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN16">1.2. What do the version numbers mean?</H1
><P
>It is not recommended that you run a version of Samba with the word
"alpha" in its name unless you know what you are doing and are willing
to do some debugging. Many, many people just get the latest
recommended stable release version and are happy. If you are brave, by
all means take the plunge and help with the testing and development -
but don't install it on your departmental server. Samba is typically
very stable and safe, and this is mostly due to the policy of many
public releases.</P
><P
>How the scheme works:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>When major changes are made the version number is increased. For
example, the transition from 1.9.15 to 1.9.16. However, this version
number will not appear immediately and people should continue to use
1.9.15 for production systems (see next point.)</TD
></TR
><TR
><TD
>Just after major changes are made the software is considered
unstable, and a series of alpha releases are distributed, for example
1.9.16alpha1. These are for testing by those who know what they are
doing. The "alpha" in the filename will hopefully scare off those who
are just looking for the latest version to install.</TD
></TR
><TR
><TD
>When Andrew thinks that the alphas have stabilised to the point
where he would recommend new users install it, he renames it to the
same version number without the alpha, for example 1.9.16.</TD
></TR
><TR
><TD
>Inevitably bugs are found in the "stable" releases and minor patch
levels are released which give us the pXX series, for example 1.9.16p2.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>So the progression goes:
<PRE
CLASS="PROGRAMLISTING"
>1.9.15p7 (production)
1.9.15p8 (production)
1.9.16alpha1 (test sites only)
:
1.9.16alpha20 (test sites only)
1.9.16 (production)
1.9.16p1 (production)</PRE
></P
><P
>The above system means that whenever someone looks at the samba ftp
site they will be able to grab the highest numbered release without an
alpha in the name and be sure of getting the current recommended
version.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN28">1.3. What platforms are supported?</H1
><P
>Many different platforms have run Samba successfully. The platforms
most widely used and thus best tested are Linux and SunOS.</P
><P
>At time of writing, there is support (or has been support for in earlier
versions):</P
><P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>A/UX 3.0</TD
></TR
><TR
><TD
>AIX</TD
></TR
><TR
><TD
>Altos Series 386/1000</TD
></TR
><TR
><TD
>Amiga</TD
></TR
><TR
><TD
>Apollo Domain/OS sr10.3</TD
></TR
><TR
><TD
>BSDI </TD
></TR
><TR
><TD
>B.O.S. (Bull Operating System)</TD
></TR
><TR
><TD
>Cray, Unicos 8.0</TD
></TR
><TR
><TD
>Convex</TD
></TR
><TR
><TD
>DGUX. </TD
></TR
><TR
><TD
>DNIX.</TD
></TR
><TR
><TD
>FreeBSD</TD
></TR
><TR
><TD
>HP-UX</TD
></TR
><TR
><TD
>Intergraph. </TD
></TR
><TR
><TD
>Linux with/without shadow passwords and quota</TD
></TR
><TR
><TD
>LYNX 2.3.0</TD
></TR
><TR
><TD
>MachTen (a unix like system for Macintoshes)</TD
></TR
><TR
><TD
>Motorola 88xxx/9xx range of machines</TD
></TR
><TR
><TD
>NetBSD</TD
></TR
><TR
><TD
>NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach).</TD
></TR
><TR
><TD
>OS/2 using EMX 0.9b</TD
></TR
><TR
><TD
>OSF1</TD
></TR
><TR
><TD
>QNX 4.22</TD
></TR
><TR
><TD
>RiscIX. </TD
></TR
><TR
><TD
>RISCOs 5.0B</TD
></TR
><TR
><TD
>SEQUENT. </TD
></TR
><TR
><TD
>SCO (including: 3.2v2, European dist., OpenServer 5)</TD
></TR
><TR
><TD
>SGI.</TD
></TR
><TR
><TD
>SMP_DC.OSx v1.1-94c079 on Pyramid S series</TD
></TR
><TR
><TD
>SONY NEWS, NEWS-OS (4.2.x and 6.1.x)</TD
></TR
><TR
><TD
>SUNOS 4</TD
></TR
><TR
><TD
>SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later')</TD
></TR
><TR
><TD
>Sunsoft ISC SVR3V4</TD
></TR
><TR
><TD
>SVR4</TD
></TR
><TR
><TD
>System V with some berkely extensions (Motorola 88k R32V3.2).</TD
></TR
><TR
><TD
>ULTRIX.</TD
></TR
><TR
><TD
>UNIXWARE</TD
></TR
><TR
><TD
>UXP/DS</TD
></TR
></TBODY
></TABLE
><P
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN71">1.4. How do I subscribe to the Samba Mailing Lists?</H1
><P
>Look at <A
HREF="http://samba.org/samba/archives.html"
TARGET="_top"
>the samba mailing list page</A
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN75">1.5. Pizza supply details</H1
><P
>Those who have registered in the Samba survey as "Pizza Factory" will
already know this, but the rest may need some help. Andrew doesn't ask
for payment, but he does appreciate it when people give him
pizza. This calls for a little organisation when the pizza donor is
twenty thousand kilometres away, but it has been done.</P
><P
>Method 1: Ring up your local branch of an international pizza chain
and see if they honour their vouchers internationally. Pizza Hut do,
which is how the entire Canberra Linux Users Group got to eat pizza
one night, courtesy of someone in the US.</P
><P
>Method 2: Ring up a local pizza shop in Canberra and quote a credit
card number for a certain amount, and tell them that Andrew will be
collecting it (don't forget to tell him.) One kind soul from Germany
did this.</P
><P
>Method 3: Purchase a pizza voucher from your local pizza shop that has
no international affiliations and send it to Andrew. It is completely
useless but he can hang it on the wall next to the one he already has
from Germany :-)</P
><P
>Method 4: Air freight him a pizza with your favourite regional
flavours. It will probably get stuck in customs or torn apart by
hungry sniffer dogs but it will have been a noble gesture.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="samba-faq.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-faq.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="install.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Samba FAQ</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Compiling and installing Samba on a Unix host</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
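Review bot: Every link in this removed page targets the old file names (`install.html`, `samba-faq.html`) and `AEN` anchors such as `AEN16`, while the regenerated table of contents points at `FAQ-general.html`, `FAQ-Install.html` and generated anchors such as `id2868226`. Bookmarks and cross-references into the old names will break, so the commit message should say more than "regenerate docs" and name the rename. That table of contents also lists four entries under General Information, so section 1.5 is no longer present; confirm that is intended.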

View File

@ -1,502 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Compiling and installing Samba on a Unix host</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="Samba FAQ"
HREF="samba-faq.html"><LINK
REL="PREVIOUS"
TITLE="General Information"
HREF="general.html"><LINK
REL="NEXT"
TITLE="Configuration problems"
HREF="config.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Samba FAQ</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="general.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="config.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="INSTALL">Chapter 2. Compiling and installing Samba on a Unix host</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN84">2.1. I can't see the Samba server in any browse lists!</H1
><P
>See Browsing.html in the docs directory of the samba source
for more information on browsing.</P
><P
>If your GUI client does not permit you to select non-browsable
servers, you may need to do so on the command line. For example, under
Lan Manager you might connect to the above service as disk drive M:
thusly:
<PRE
CLASS="PROGRAMLISTING"
> net use M: \\mary\fred</PRE
>
The details of how to do this and the specific syntax varies from
client to client - check your client's documentation.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN89">2.2. Some files that I KNOW are on the server doesn't show up when I view the files from my client!</H1
><P
>See the next question.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN92">2.3. Some files on the server show up with really wierd filenames when I view the files from my client!</H1
><P
>If you check what files are not showing up, you will note that they
are files which contain upper case letters or which are otherwise not
DOS-compatible (ie, they are not legal DOS filenames for some reason).</P
><P
>The Samba server can be configured either to ignore such files
completely, or to present them to the client in "mangled" form. If you
are not seeing the files at all, the Samba server has most likely been
configured to ignore them. Consult the man page smb.conf(5) for
details of how to change this - the parameter you need to set is
"mangled names = yes".</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN96">2.4. My client reports "cannot locate specified computer" or similar</H1
><P
>This indicates one of three things: You supplied an incorrect server
name, the underlying TCP/IP layer is not working correctly, or the
name you specified cannot be resolved.</P
><P
>After carefully checking that the name you typed is the name you
should have typed, try doing things like pinging a host or telnetting
to somewhere on your network to see if TCP/IP is functioning OK. If it
is, the problem is most likely name resolution.</P
><P
>If your client has a facility to do so, hardcode a mapping between the
hosts IP and the name you want to use. For example, with Lan Manager
or Windows for Workgroups you would put a suitable entry in the file
LMHOSTS. If this works, the problem is in the communication between
your client and the netbios name server. If it does not work, then
there is something fundamental wrong with your naming and the solution
is beyond the scope of this document.</P
><P
>If you do not have any server on your subnet supplying netbios name
resolution, hardcoded mappings are your only option. If you DO have a
netbios name server running (such as the Samba suite's nmbd program),
the problem probably lies in the way it is set up. Refer to Section
Two of this FAQ for more ideas.</P
><P
>By the way, remember to REMOVE the hardcoded mapping before further
tests :-)</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN103">2.5. My client reports "cannot locate specified share name" or similar</H1
><P
>This message indicates that your client CAN locate the specified
server, which is a good start, but that it cannot find a service of
the name you gave.</P
><P
>The first step is to check the exact name of the service you are
trying to connect to (consult your system administrator). Assuming it
exists and you specified it correctly (read your client's docs on how
to specify a service name correctly), read on:</P
><P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>Many clients cannot accept or use service names longer than eight characters.</TD
></TR
><TR
><TD
>Many clients cannot accept or use service names containing spaces.</TD
></TR
><TR
><TD
>Some servers (not Samba though) are case sensitive with service names.</TD
></TR
><TR
><TD
>Some clients force service names into upper case.</TD
></TR
></TBODY
></TABLE
><P
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN112">2.6. Printing doesn't work</H1
><P
>Make sure that the specified print command for the service you are
connecting to is correct and that it has a fully-qualified path (eg.,
use "/usr/bin/lpr" rather than just "lpr").</P
><P
>Make sure that the spool directory specified for the service is
writable by the user connected to the service. In particular the user
"nobody" often has problems with printing, even if it worked with an
earlier version of Samba. Try creating another guest user other than
"nobody".</P
><P
>Make sure that the user specified in the service is permitted to use
the printer.</P
><P
>Check the debug log produced by smbd. Search for the printer name and
see if the log turns up any clues. Note that error messages to do with
a service ipc$ are meaningless - they relate to the way the client
attempts to retrieve status information when using the LANMAN1
protocol.</P
><P
>If using WfWg then you need to set the default protocol to TCP/IP, not
Netbeui. This is a WfWg bug.</P
><P
>If using the Lanman1 protocol (the default) then try switching to
coreplus. Also not that print status error messages don't mean
printing won't work. The print status is received by a different
mechanism.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN120">2.7. My client reports "This server is not configured to list shared resources"</H1
><P
>Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.</P
><P
>See also 'guest account' in smb.conf man page.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN124">2.8. Log message "you appear to have a trapdoor uid system"</H1
><P
>This can have several causes. It might be because you are using a uid
or gid of 65535 or -1. This is a VERY bad idea, and is a big security
hole. Check carefully in your /etc/passwd file and make sure that no
user has uid 65535 or -1. Especially check the "nobody" user, as many
broken systems are shipped with nobody setup with a uid of 65535.</P
><P
>It might also mean that your OS has a trapdoor uid/gid system :-)</P
><P
>This means that once a process changes effective uid from root to
another user it can't go back to root. Unfortunately Samba relies on
being able to change effective uid from root to non-root and back
again to implement its security policy. If your OS has a trapdoor uid
system this won't work, and several things in Samba may break. Less
things will break if you use user or server level security instead of
the default share level security, but you may still strike
problems.</P
><P
>The problems don't give rise to any security holes, so don't panic,
but it does mean some of Samba's capabilities will be unavailable.
In particular you will not be able to connect to the Samba server as
two different uids at once. This may happen if you try to print as a
"guest" while accessing a share as a normal user. It may also affect
your ability to list the available shares as this is normally done as
the guest user.</P
><P
>Complain to your OS vendor and ask them to fix their system.</P
><P
>Note: the reason why 65535 is a VERY bad choice of uid and gid is that
it casts to -1 as a uid, and the setreuid() system call ignores (with
no error) uid changes to -1. This means any daemon attempting to run
as uid 65535 will actually run as root. This is not good!</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN132">2.9. Why are my file's timestamps off by an hour, or by a few hours?</H1
><P
>This is from Paul Eggert eggert@twinsun.com.</P
><P
>Most likely it's a problem with your time zone settings.</P
><P
>Internally, Samba maintains time in traditional Unix format,
namely, the number of seconds since 1970-01-01 00:00:00 Universal Time
(or ``GMT''), not counting leap seconds.</P
><P
>On the server side, Samba uses the Unix TZ variable to convert
internal timestamps to and from local time. So on the server side, there are
two things to get right.
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>The Unix system clock must have the correct Universal time. Use the shell command "sh -c 'TZ=UTC0 date'" to check this.</TD
></TR
><TR
><TD
>The TZ environment variable must be set on the server before Samba is invoked. The details of this depend on the server OS, but typically you must edit a file whose name is /etc/TIMEZONE or /etc/default/init, or run the command `zic -l'.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>TZ must have the correct value.</P
><P
>If possible, use geographical time zone settings
(e.g. TZ='America/Los_Angeles' or perhaps
TZ=':US/Pacific'). These are supported by most
popular Unix OSes, are easier to get right, and are
more accurate for historical timestamps. If your
operating system has out-of-date tables, you should be
able to update them from the public domain time zone
tables at <A
HREF="ftp://elsie.nci.nih.gov/pub/"
TARGET="_top"
>ftp://elsie.nci.nih.gov/pub/</A
>.</P
><P
>If your system does not support geographical timezone
settings, you must use a Posix-style TZ strings, e.g.
TZ='PST8PDT,M4.1.0/2,M10.5.0/2' for US Pacific time.
Posix TZ strings can take the following form (with optional
items in brackets):
<PRE
CLASS="PROGRAMLISTING"
> StdOffset[Dst[Offset],Date/Time,Date/Time]</PRE
>
where:</P
><P
><P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>`Std' is the standard time designation (e.g. `PST').</TD
></TR
><TR
><TD
>`Offset' is the number of hours behind UTC (e.g. `8').
Prepend a `-' if you are ahead of UTC, and
append `:30' if you are at a half-hour offset.
Omit all the remaining items if you do not use
daylight-saving time.</TD
></TR
><TR
><TD
>`Dst' is the daylight-saving time designation
(e.g. `PDT').</TD
></TR
><TR
><TD
>The optional second `Offset' is the number of
hours that daylight-saving time is behind UTC.
The default is 1 hour ahead of standard time.</TD
></TR
><TR
><TD
>`Date/Time,Date/Time' specify when daylight-saving
time starts and ends. The format for a date is
`Mm.n.d', which specifies the dth day (0 is Sunday)
of the nth week of the mth month, where week 5 means
the last such day in the month. The format for a
time is [h]h[:mm[:ss]], using a 24-hour clock.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>Other Posix string formats are allowed but you don't want
to know about them.</P
><P
>On the client side, you must make sure that your client's clock and
time zone is also set appropriately. [[I don't know how to do this.]]
Samba traditionally has had many problems dealing with time zones, due
to the bizarre ways that Microsoft network protocols handle time
zones. </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN155">2.10. How do I set the printer driver name correctly?</H1
><P
>Question:
<SPAN
CLASS="QUOTE"
>" On NT, I opened "Printer Manager" and "Connect to Printer".
Enter ["\\ptdi270\ps1"] in the box of printer. I got the
following error message
"</SPAN
></P
><P
> <PRE
CLASS="PROGRAMLISTING"
> You do not have sufficient access to your machine
to connect to the selected printer, since a driver
needs to be installed locally.
</PRE
>
</P
><P
>Answer:</P
><P
>In the more recent versions of Samba you can now set the "printer
driver" in smb.conf. This tells the client what driver to use. For
example:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> printer driver = HP LaserJet 4L</PRE
></P
><P
>With this, NT knows to use the right driver. You have to get this string
exactly right.</P
><P
>To find the exact string to use, you need to get to the dialog box in
your client where you select which printer driver to install. The
correct strings for all the different printers are shown in a listbox
in that dialog box.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="general.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-faq.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="config.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>General Information</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Configuration problems</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
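Review bot: Section 2.8 carries a security warning (a uid or gid of 65535 casts to -1, `setreuid()` ignores the change, and the daemon runs as root), yet the table of contents in the samba-faq.html hunk lists only two entries for this chapter, the share name and timestamp questions. Please confirm that removing 2.8 along with 2.1 to 2.4, 2.6, 2.7 and 2.10 is intended, or restore them in the source. If the text survives there, two leftovers are worth fixing: the placeholder "[[I don't know how to do this.]]" in 2.9 and "Also not that" in 2.6.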

View File

@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Samba FAQ</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="next" href="FAQ-general.html" title="Chapter 1. General Information"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Samba FAQ</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-general.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-FAQ"></a>Samba FAQ</h1></div><div><div class="author"><h3 class="author"><span class="surname">Samba Team</span></h3></div></div><div><p class="pubdate">October 2002</p></div></div><div></div><hr></div><div class="dedication" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id2881798"></a>Dedication</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Samba FAQ</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-faq.html" title="Samba FAQ"><link rel="next" href="FAQ-general.html" title="Chapter 1. General Information"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Samba FAQ</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="FAQ-general.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-FAQ"></a>Samba FAQ</h1></div><div><div class="author"><h3 class="author"><span class="surname">Samba Team</span></h3></div></div><div><p class="pubdate">October 2002</p></div></div><div></div><hr></div><div class="dedication" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id2881182"></a>Dedication</h2></div></div><div></div></div><p>
This is the Frequently Asked Questions (FAQ) document for
Samba, the free and very popular SMB server product. An SMB server
allows file and printer connections from clients such as Windows,
@ -7,4 +7,4 @@ corrections to the samba documentation mailinglist at
<a href="mailto:samba-doc@samba.org" target="_top">samba-doc@samba.org</a>.
This FAQ was based on the old Samba FAQ by Dan Shearer and Paul Blackman,
and the old samba text documents which were mostly written by John Terpstra.
</p></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>1. <a href="FAQ-general.html">General Information</a></dt><dd><dl><dt><a href="FAQ-general.html#id2868206">Where can I get it?</a></dt><dt><a href="FAQ-general.html#id2868226">What do the version numbers mean?</a></dt><dt><a href="FAQ-general.html#id2812633">What platforms are supported?</a></dt><dt><a href="FAQ-general.html#id2816472">How do I subscribe to the Samba Mailing Lists?</a></dt></dl></dd><dt>2. <a href="FAQ-Install.html">Compiling and installing Samba on a Unix host</a></dt><dd><dl><dt><a href="FAQ-Install.html#id2814644">My client reports &quot;cannot locate specified share name&quot; or similar</a></dt><dt><a href="FAQ-Install.html#id2814696">Why are my file's timestamps off by an hour, or by a few hours?</a></dt></dl></dd><dt>3. <a href="FAQ-ClientApp.html">Specific client application problems</a></dt><dd><dl><dt><a href="FAQ-ClientApp.html#id2815240">MS Office Setup reports &quot;Cannot change properties of '\\MSOFFICE\\SETUP.INI'&quot;</a></dt><dt><a href="FAQ-ClientApp.html#id2814506">How to use a Samba share as an administrative share for MS Office, etc.</a></dt><dt><a href="FAQ-ClientApp.html#id2814601">Microsoft Access database opening errors</a></dt></dl></dd><dt>4. <a href="FAQ-errors.html">Common errors</a></dt><dd><dl><dt><a href="FAQ-errors.html#id2815193">Not listening for calling name</a></dt><dt><a href="FAQ-errors.html#id2815954">System Error 1240</a></dt><dt><a href="FAQ-errors.html#id2815994">smbclient ignores -N !</a></dt><dt><a href="FAQ-errors.html#id2816048">The data on the CD-Drive I've shared seems to be corrupted!</a></dt></dl></dd><dt>5. 
<a href="FAQ-features.html">Features</a></dt><dd><dl><dt><a href="FAQ-features.html#id2814469">How can I use samba as a fax server?</a></dt><dd><dl><dt><a href="FAQ-features.html#id2814427">Tools for printing faxes</a></dt><dt><a href="FAQ-features.html#id2882827">Making the fax-server</a></dt><dt><a href="FAQ-features.html#id2882919">Installing the client drivers</a></dt><dt><a href="FAQ-features.html#id2883004">Example smb.conf</a></dt></dl></dd><dt><a href="FAQ-features.html#id2883029">Samba doesn't work well together with DHCP!</a></dt><dt><a href="FAQ-features.html#id2883155">How can I assign NetBIOS names to clients with DHCP?</a></dt><dt><a href="FAQ-features.html#id2883203">How do I convert between unix and dos text formats?</a></dt><dt><a href="FAQ-features.html#id2883232">Does samba have wins replication support?</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="FAQ-general.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Chapter 1. General Information</td></tr></table></div></body></html>
</p></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>1. <a href="FAQ-general.html">General Information</a></dt><dd><dl><dt><a href="FAQ-general.html#id2868051">What do the version numbers mean?</a></dt><dt><a href="FAQ-general.html#id2867958">What platforms are supported?</a></dt><dt><a href="FAQ-general.html#id2816450">How do I subscribe to the Samba Mailing Lists?</a></dt></dl></dd><dt>2. <a href="FAQ-Install.html">Compiling and installing Samba on a Unix host</a></dt><dd><dl><dt><a href="FAQ-Install.html#id2816137">My client reports &quot;cannot locate specified share name&quot; or similar</a></dt><dt><a href="FAQ-Install.html#id2816189">Why are my file's timestamps off by an hour, or by a few hours?</a></dt></dl></dd><dt>3. <a href="FAQ-ClientApp.html">Specific client application problems</a></dt><dd><dl><dt><a href="FAQ-ClientApp.html#id2815105">MS Office Setup reports &quot;Cannot change properties of '\\MSOFFICE\\SETUP.INI'&quot;</a></dt><dt><a href="FAQ-ClientApp.html#id2815137">How to use a Samba share as an administrative share for MS Office, etc.</a></dt><dt><a href="FAQ-ClientApp.html#id2882001">Microsoft Access database opening errors</a></dt></dl></dd><dt>4. <a href="FAQ-errors.html">Common errors</a></dt><dd><dl><dt><a href="FAQ-errors.html#id2816075">Not listening for calling name</a></dt><dt><a href="FAQ-errors.html#id2815985">System Error 1240</a></dt><dt><a href="FAQ-errors.html#id2816025">smbclient ignores -N !</a></dt><dt><a href="FAQ-errors.html#id2814553">The data on the CD-Drive I've shared seems to be corrupted!</a></dt></dl></dd><dt>5. 
<a href="FAQ-features.html">Features</a></dt><dd><dl><dt><a href="FAQ-features.html#id2814838">How can I use samba as a fax server?</a></dt><dd><dl><dt><a href="FAQ-features.html#id2814785">Tools for printing faxes</a></dt><dt><a href="FAQ-features.html#id2882696">Making the fax-server</a></dt><dt><a href="FAQ-features.html#id2882789">Installing the client drivers</a></dt><dt><a href="FAQ-features.html#id2882874">Example smb.conf</a></dt></dl></dd><dt><a href="FAQ-features.html#id2882898">Samba doesn't work well together with DHCP!</a></dt><dt><a href="FAQ-features.html#id2883025">How can I assign NetBIOS names to clients with DHCP?</a></dt><dt><a href="FAQ-features.html#id2883072">How do I convert between unix and dos text formats?</a></dt><dt><a href="FAQ-features.html#id2883101">Does samba have wins replication support?</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="FAQ-general.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Chapter 1. General Information</td></tr></table></div></body></html>
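Review bot: The regenerated table of contents for chapter 1 no longer lists "Where can I get it?". The entry is present on the old line (FAQ-general.html#id2868206) and absent from the new one, which starts at "What do the version numbers mean?". A commit described as "regenerate docs" should not silently drop a FAQ entry, so please confirm the question was removed from the DocBook source on purpose; if it was, that removal belongs in its own commit with a message that says so.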

View File

@ -1,11 +1,10 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. 
File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2919879">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920005">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920023">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2916939">Managing Directories</a></dt><dt><a href="AccessControls.html#id2917034">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2917441">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2917469">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2917741">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2917987">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922570">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922641">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2922940">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2922948">Managing UNIX 
permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2922986">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923065">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923187">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923415">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923567">Interaction with the standard Samba create mask
parameters</a></dt><dt><a href="AccessControls.html#id2923897">Interaction with the standard Samba file attribute
mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2923972">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2923986">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924365">I have set force user and samba still makes root the owner of all the files
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. 
File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2920271">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920308">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920326">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2920583">Managing Directories</a></dt><dt><a href="AccessControls.html#id2920678">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2920894">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2922074">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2922346">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2922591">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922807">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922879">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923178">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923186">Managing UNIX 
permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923224">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923303">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923425">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923653">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923805">Interaction with the standard Samba create mask
parameters</a></dt><dt><a href="AccessControls.html#id2924134">Interaction with the standard Samba file attribute
mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924210">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924224">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924604">I have set force user and Samba still makes root the owner of all the files
I touch!</a></dt></dl></dd></dl></div><p>
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
resources shared via Samba do not behave in the manner they might expect. MS Windows network
adminstrators are often confused regarding network access controls and what is the best way to
administrators are often confused regarding network access controls and what is the best way to
provide users with the type of access they need while protecting resources from the consequences
of untoward access capabilities.
</p><p>
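Review bot: Every anchor in the table of contents is renumbered in this hunk (for example AccessControls.html#id2919879 becomes #id2920271 for "Features and Benefits") although the section titles are unchanged, so any external link to a section breaks on each regeneration and the two real text fixes here ("administrators", "Samba") are buried in id churn. Giving the sections explicit ids in the DocBook source would keep the anchors stable. Separately, the DOCTYPE line appears only once while the <html> line appears twice, and the header counts one line fewer on the new side (-1,11 +1,10), which suggests the regenerated page no longer emits a DOCTYPE; worth confirming that is intended.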
@ -31,9 +30,9 @@ This is an opportune point to mention that it should be borne in mind that Samba
provide a means of interoperability and interchange of data between two operating environments
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
What is available today extends well beyond early plans and expections, yet the gap continues to
What is available today extends well beyond early plans and expectations, yet the gap continues to
shrink.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2919879"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920271"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba offers a lot of flexibility in file system access management. These are the key access control
facilities present in Samba today:
</p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
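Review bot: One line above the corrected "expectations", the unchanged sentence still reads "the purpose was an is to provide", which should be "was and is". Because this file is generated, the fix belongs in the DocBook source so that it survives the next regeneration.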
@ -70,15 +69,15 @@ shrink.
operating system supports them. If not, then this option will not be
available to you. Current Unix technology platforms have native support
for POSIX ACLs. There are patches for the Linux kernel that provide
this also. Sadly, few Linux paltforms ship today with native ACLs and
this also. Sadly, few Linux platforms ship today with native ACLs and
Extended Attributes enabled. This chapter has pertinent information
for users of platforms that support them.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920005"></a>File System Access Controls</h2></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920308"></a>File System Access Controls</h2></div></div><div></div></div><p>
Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP
implement a totally divergent file system technology from what is provided in the Unix operating system
environment. Firstly we should consider what the most significant differences are, then we shall look
at how Samba helps to bridge the differences.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920023"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920326"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p>
Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions
and permissions. It also means that if the MS Windows networking environment requires file system
behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating
@ -86,7 +85,7 @@ at how Samba helps to bridge the differences.
</p><p>
It is good news that Samba does this to a very large extent and on top of that provides a high degree
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
but for the greater part we will stay withing the bounds of default behaviour. Those wishing to explore
but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
to depths of control ability should review the <tt class="filename">smb.conf</tt> man page.
</p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p>
MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
@ -137,24 +136,24 @@ at how Samba helps to bridge the differences.
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
one physical file to be known simulataneously by more than one file name.
one physical file to be known simultaneously by more than one file name.
</p></dd></dl></div><p>
There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the
purpose of Unix/Linux training/education.
</p></div><div xmlns:ns29="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916939"></a>Managing Directories</h3></div></div><div></div></div><ns29:p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920583"></a>Managing Directories</h3></div></div><div></div></div><p>
There are three basic operations for managing directories, <b class="command">create, delete, rename</b>.
</ns29:p><div class="table"><a name="id2916957"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><ns29:p>
</ns29:p></div><div xmlns:ns30="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917034"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
</p><div class="table"><a name="id2920603"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920678"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
The network administrator is strongly advised to read foundational training manuals and reference materials
regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
Attributes (EAs).
</p><ns30:p>
Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set.
</p><p>
Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
A Unix file listing looks as follows:-
</ns30:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">jht@frodo:~/stuff&gt; </tt><b class="userinput"><tt>ls -la</tt></b>
total 632
drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
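Review bot: Replacing the stray <ns29:p> and <ns30:p> elements with <p> is right, but the paragraph that follows Table 13.1 is still empty: <p> opens after </table></div> and closes on the next line with nothing in between. Drop the empty para from the source rather than carrying it through each regeneration. In the same region, "access permissions involves setting" should read "involve setting".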
@ -177,13 +176,13 @@ at how Samba helps to bridge the differences.
-rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
-rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
<tt class="prompt">jht@frodo:~/stuff&gt;</tt>
</pre><ns30:p>
</ns30:p><p>
</pre><p>
</p><p>
The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
</p><ns30:p>
</p><p>
The permissions field is made up of:
</ns30:p><pre class="programlisting">
</p><pre class="programlisting">
<i><span class="comment"> JRV: Put this into a diagram of some sort</span></i>
[ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
[ d | l ] [ r w x ] [ r w x ] [ r w x ]
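Review bot: The unchanged legend under the listing mislabels two columns of ls -la output. The second column (the 13 in "drwxr-xr-x 13 jht users") is the hard link count, not "no blocks used", and the date and time that ls shows by default are the last modification time, not "access date, access time". Readers rely on this legend to interpret ownership and permissions, so it should be corrected in the source. The editorial comment "JRV: Put this into a diagram of some sort" is also still rendered into the published page and should be resolved or removed.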
@ -199,20 +198,20 @@ at how Samba helps to bridge the differences.
| | |-----------------------------&gt; Can Read, Read files
| |-----------------------------------&gt; Is a symbolic Link
|---------------------------------------&gt; Is a directory
</pre><ns30:p>
</ns30:p><ns30:p>
</pre><p>
</p><p>
Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
</ns30:p><div class="example"><a name="id2917362"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
</p><div class="example"><a name="id2920816"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
-rwxr-x--- Means: The owner (user) can read, write, execute
the group can read and execute
everyone else can NOT do anything with it
</pre></div><ns30:p>
</pre></div><p>
</ns30:p><p>
Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</p><p>
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</p><p>
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</p><p>
@ -229,10 +228,10 @@ at how Samba helps to bridge the differences.
the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
group members will be able to write to (or delete) them.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917441"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920894"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
The following parameters in the <tt class="filename">smb.conf</tt> file sections that define a share control or affect access controls.
Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917469"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922074"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
file system operations as if a single user is doing this, the use of the <i class="parameter"><tt>force user</tt></i> and
<i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to affect a
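Review bot: The opening sentence of "Share Definition Access Controls" has no main verb as written: "The following parameters in the smb.conf file sections that define a share control or affect access controls." A wording such as "The following parameters, set in the smb.conf sections that define a share, control or affect access" would parse. This is the sentence that introduces the access control tables, so it is worth fixing in the source while the surrounding ids are being regenerated anyway.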
@ -244,7 +243,7 @@ Before using any of the following options please refer to the man page for <tt c
controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
if that person finds too great a mess, or if they do not understand what you have done then there is risk of
Samba being removed and an alternative solution being adopted.
</p><div class="table"><a name="id2917528"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p>
</p><div class="table"><a name="id2922134"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p>
List of users who will be granted administrative privileges on the share.
They will do all file operations as the super-user (root).
Any user in this list will be able to do anything they like on the share,
@ -271,12 +270,12 @@ Before using any of the following options please refer to the man page for <tt c
List of users that should be allowed to login to this service.
</p></td></tr><tr><td>write list</td><td><p>
List of users that are given read-write access to a service.
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917741"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922346"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
The following file and directory permission based controls, if misused, can result in considerable difficulty to
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
re-instroduce them in a controlled fashion.
</p><div class="table"><a name="id2917761"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p>
re-introduce them in a controlled fashion.
</p><div class="table"><a name="id2922367"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p>
Refer to the <tt class="filename">smb.conf</tt> man page.
</p></td></tr><tr><td>directory mask</td><td><p>
The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
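Review bot: In Table 13.3 the create mask row says only "Refer to the smb.conf man page", while the directory mask row directly below it gives a one-line description. Since the paragraph above the table warns that these controls are hard to diagnose when misused, the first row should carry a matching one-line description instead of a bare pointer.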
@ -292,17 +291,17 @@ Before using any of the following options please refer to the man page for <tt c
</p></td></tr><tr><td>force security mode</td><td><p>
Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
</p></td></tr><tr><td>hide unreadable</td><td><p>
Prevents clients from seeing the existance of files that cannot be read.
Prevents clients from seeing the existence of files that cannot be read.
</p></td></tr><tr><td>hide unwriteable files</td><td><p>
Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual.
Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
</p></td></tr><tr><td>nt acl support</td><td><p>
This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
</p></td></tr><tr><td>security mask</td><td><p>
Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917987"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922591"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
The following are documented because of the prevalence of administrators creating inadvertant barriers to file
access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings.
</p><div class="table"><a name="id2918008"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p>
</p><div class="table"><a name="id2922614"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p>
This means that all file name lookup will be done in a case sensitive manner.
Files will be created with the precise filename Samba received from the MS Windows client.
</p></td></tr><tr><td>csc policy</td><td><p>
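Review bot: the spelling pass in this hunk fixes "existance" in both hide rows but leaves "inadvertant barriers" in the Miscellaneous Controls intro paragraph; correct it to "inadvertent" in the DocBook source so the next regeneration picks it up. In the same table, the row labelled "case sensitive, default case, short preserve case" carries a description that only covers case sensitive lookups, so either split the row or describe the other two parameters.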
@ -323,9 +322,9 @@ Before using any of the following options please refer to the man page for <tt c
If this parameter is yes, then users of a service may not create or modify files in the service's directory.
</p></td></tr><tr><td>veto files</td><td><p>
List of files and directories that are neither visible nor accessible.
</p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922570"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
</p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922807"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
This section deals with how to configure Samba per share access control restrictions.
By default samba sets no restrictions on the share itself. Restrictions on the share itself
By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read).
@ -337,12 +336,12 @@ Before using any of the following options please refer to the man page for <tt c
</p><p>
Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
The location of this file on your system will depend on how samba was compiled. The default location
for samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
utility has been compiled and installed on your system then you can examine the contents of this file
for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
utility has been compiled and installed on your system, then you can examine the contents of this file
by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922641"></a>Share Permissions Management</h3></div></div><div></div></div><p>
The best tool for the task is platform dependant. Choose the best tool for your environmemt.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922654"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922879"></a>Share Permissions Management</h3></div></div><div></div></div><p>
The best tool for the task is platform dependant. Choose the best tool for your environment.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922892"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
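Review bot: "platform dependant" is still misspelled on the new Share Permissions Management line that fixes "environmemt"; it should read "platform dependent". The capitalisation change to "Samba's tdb files" is also incomplete, because the preceding unchanged sentence still says "how samba was compiled".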
@ -352,7 +351,7 @@ Before using any of the following options please refer to the man page for <tt c
</p></li><li><p>
Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on
the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922737"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922975"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
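Review bot: the anchor on the Windows 200x/XP heading goes from id2922737 to id2922975 with no change to the content, and the same renumbering recurs on every heading in this file. These ids are generated per build, so each regeneration breaks inbound links and inflates the diff; give the sections explicit ids in the DocBook source so the anchors stay stable.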
@ -365,7 +364,7 @@ Before using any of the following options please refer to the man page for <tt c
After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>,
select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilidge this step is not offered.
If you where already logged in with administrative privilege this step is not offered.
</p></li><li><p>
If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target
Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to
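Review bot: the replacement line fixes "privilidge" but keeps "If you where already logged in", which should be "If you were already logged in". Worth correcting in the same pass, since the sentence is already being touched.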
@ -381,7 +380,7 @@ Before using any of the following options please refer to the man page for <tt c
then effectively no user will be able to access the share. This is a result of what is known as
ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group
<tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access.
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922940"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922948"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923178"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923186"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings
dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise
the security of the UNIX host Samba is running on, and
still obeys all the file permission rules that a Samba
@ -392,7 +391,7 @@ Before using any of the following options please refer to the man page for <tt c
the identity of the Windows user as it is presented by Samba at
the point of file access. This can best be determined from the
Samba log files.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922986"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923224"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <span class="guilabel">Properties</span> entry at the bottom of
@ -408,7 +407,7 @@ Before using any of the following options please refer to the man page for <tt c
user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only
useful button, the <span class="guibutton">Add</span> button will not currently
allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923065"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button
allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923303"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button
brings up a dialog box telling you who owns the given file. The
owner name will be of the form :</p><p><b class="command">&quot;SERVER\user (Long name)&quot;</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
@ -431,7 +430,7 @@ Before using any of the following options please refer to the man page for <tt c
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <span class="application">Seclib
</span> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923187"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span>
the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923425"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span>
button. Clicking on this brings up a dialog box that shows both
the permissions and the UNIX owner of the file or directory.
The owner is displayed in the form :</p><p><b class="command">&quot;<i class="replaceable"><tt>SERVER</tt></i>\
@ -445,9 +444,9 @@ Before using any of the following options please refer to the man page for <tt c
be shown as the NT user <tt class="constant">&quot;Everyone&quot;</tt> and the
permissions will be shown as NT &quot;Full Control&quot;.</p><p>The permissions field is displayed differently for files
and directories, so I'll describe the way file permissions
are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923278"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triple and
are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923516"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and
the corresponding &quot;read&quot;, &quot;write&quot;, &quot;execute&quot; permissions
triples are mapped by Samba into a three element NT ACL
triplets are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <tt class="constant">Everyone</tt>, followed
@ -467,7 +466,7 @@ Before using any of the following options please refer to the man page for <tt c
no permissions as having the NT <b class="command">&quot;O&quot;</b> bit set.
This was chosen of course to make it look like a zero, meaning
zero permissions. More details on the decision behind this will
be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923370"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923608"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
different sets of permissions. The first set of permissions
is the ACL set on the directory itself, this is usually displayed
in the first set of parentheses in the normal <tt class="constant">&quot;RW&quot;</tt>
@ -478,7 +477,7 @@ Before using any of the following options please refer to the man page for <tt c
inherited</tt> permissions that any file created within
this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by
returning as an NT ACL the UNIX permission mode that a new file
created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923415"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923653"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
as changing the displayed permissions in the dialog box, and
clicking the <span class="guibutton">OK</span> button. However, there are
limitations that a user needs to be aware of, and also interactions
@ -492,14 +491,14 @@ Before using any of the following options please refer to the man page for <tt c
and did not execute</span>). This means that you can only
manipulate the current user/group/world permissions listed in
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</p><p>If a permission triple (either user, group, or world)
only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <span class="guibutton">OK</span> button is pressed it will
be applied as &quot;no permissions&quot; on the UNIX side. If you then
view the permissions again the &quot;no permissions&quot; entry will appear
as the NT <b class="command">&quot;O&quot;</b> flag, as described above. This
allows you to add permissions back to a file or directory once
you have removed them from a triple component.</p><p>As UNIX supports only the &quot;r&quot;, &quot;w&quot; and &quot;x&quot; bits of
you have removed them from a triplet component.</p><p>As UNIX supports only the &quot;r&quot;, &quot;w&quot; and &quot;x&quot; bits of
an NT ACL then if other NT security attributes such as &quot;Delete
access&quot; are selected then they will be ignored when applied on
the Samba server.</p><p>When setting permissions on a directory the second
@ -512,16 +511,16 @@ Before using any of the following options please refer to the man page for <tt c
component and click the <span class="guibutton">Remove</span> button,
or set the component to only have the special <tt class="constant">Take
Ownership</tt> permission (displayed as <b class="command">&quot;O&quot;
</b>) highlighted.</p></div><div xmlns:ns31="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923567"></a>Interaction with the standard Samba create mask
parameters</h3></div></div><div></div></div><ns31:p>There are four parameters
</b>) highlighted.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923805"></a>Interaction with the standard Samba create mask
parameters</h3></div></div><div></div></div><p>There are four parameters
to control interaction with the standard Samba create mask parameters.
These are :
</ns31:p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><ns31:p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><p>
</ns31:p><p>Once a user clicks <span class="guibutton">OK</span> to apply the
</p><p>Once a user clicks <span class="guibutton">OK</span> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triple set, and then will check the changed permissions for a
r/w/x triplet set, and then will check the changed permissions for a
file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top">
<i class="parameter"><tt>security mask</tt></i></a> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
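Review bot: dropping the ns31 prefix fixes the invalid element names, but the output still has an empty paragraph after the simplelist: the table line ends with an opening "<p>" and the next line starts with "</p><p>Once a user clicks". That suggests the source wraps the simplelist inside a para; moving the list out of the para would remove the stray element. The intro sentence ("There are four parameters to control interaction with the standard Samba create mask parameters. These are :") is also circular and has a space before the colon.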
@ -559,7 +558,7 @@ Before using any of the following options please refer to the man page for <tt c
in modifying the permission bits on their files and directories and
doesn't force any particular bits to be set 'on', then set the following
parameters in the <tt class="filename">smb.conf</tt> file in that share specific section :
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923897"></a>Interaction with the standard Samba file attribute
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924134"></a>Interaction with the standard Samba file attribute
mapping</h3></div></div><div></div></div><p>Samba maps some of the DOS attribute bits (such as &quot;read
only&quot;) into the UNIX permissions of a file. This means there can
be a conflict between the permission bits set via the security
@ -576,13 +575,13 @@ Before using any of the following options please refer to the man page for <tt c
permissions and clicking <span class="guibutton">OK</span> to get back to the
attributes dialog you should always hit <span class="guibutton">Cancel</span>
rather than <span class="guibutton">OK</span> to ensure that your changes
are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923972"></a>Common Errors</h2></div></div><div></div></div><p>
are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924210"></a>Common Errors</h2></div></div><div></div></div><p>
File, Directory and Share access problems are very common on the mailing list. The following
are examples taken from the mailing list in recent times.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923986"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924224"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
and theres a public share, on which everyone needs to have permission to create / modify files, but only
and there's a public share, on which everyone needs to have permission to create / modify files, but only
root can change the file, no one else can. We need to constantly go to server to
<b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file.
</span>&#8221;
@ -590,72 +589,72 @@ are examples taken from the mailing list in recent times.
There are many ways to solve this problem, here are a few hints:
</p><div class="procedure"><p class="title"><b>Procedure 13.3. Example Solution:</b></p><ol type="1"><li><p>
Go to the top of the directory that is shared
</p></li><li xmlns:ns32=""><ns32:p>
</p></li><li><p>
Set the ownership to what ever public owner and group you want
</ns32:p><pre class="programlisting">
</p><pre class="programlisting">
find 'directory_name' -type d -exec chown user.group {}\;
find 'directory_name' -type d -exec chmod 6775 'directory_name'
find 'directory_name' -type f -exec chmod 0775 {} \;
find 'directory_name' -type f -exec chown user.group {}\;
</pre><ns32:p>
</ns32:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above will set the 'sticky bit' on all directories. Read your
Unix/Linux man page on what that does. It causes the OS to assign
to all files created in the directories the ownership of the
directory.
</p></div></li><li xmlns:ns33=""><ns33:p>
</p></div></li><li><p>
Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
</ns33:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
</pre><ns33:p>
</ns33:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><ns33:p>
</ns33:p><p>This is the same as doing:</p><ns33:p>
</ns33:p><pre class="screen">
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</p><p>This is the same as doing:</p><p>
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
</pre><ns33:p>
</ns33:p></div></li><li xmlns:ns34=""><ns34:p>Now do:
</pre><p>
</p></div></li><li><p>Now do:
</ns34:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
</pre><ns34:p>
</pre><p>
</ns34:p><ns34:p>You should see:
</ns34:p><pre class="screen">
</p><p>You should see:
</p><pre class="screen">
drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
</pre><ns34:p>
</ns34:p></li><li xmlns:ns35=""><ns35:p>Now do:
</ns35:p><pre class="screen">
</pre><p>
</p></li><li><p>Now do:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
</pre><ns35:p>
</ns35:p><ns35:p>
</pre><p>
</p><p>
You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
and permissions of Jack, as follows:
</ns35:p><pre class="screen">
</p><pre class="screen">
-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
</pre><ns35:p>
</ns35:p></li><li xmlns:ns36=""><ns36:p>
</pre><p>
</p></li><li><p>
Now in your <tt class="filename">smb.conf</tt> for the share add:
</ns36:p><pre class="programlisting">
</p><pre class="programlisting">
force create mode = 0775
force direcrtory mode = 6775
</pre><ns36:p>
</ns36:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
force directory mode = 6775
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group
you have used. ie: Within the OS do not have write permission on the directory.
</p></div><ns36:p>
</p></div><p>
An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
</ns36:p><pre class="programlisting">
</p><pre class="programlisting">
force user = jack
force group = engr
</pre><ns36:p>
</ns36:p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924365"></a>I have set force user and samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files
</pre><p>
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924604"></a>I have set force user and Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files
I touch!</h3></div></div><div></div></div><p>
When you have a user in 'admin users', samba will always do file operations for
When you have a user in 'admin users', Samba will always do file operations for
this user as <span class="emphasis"><em>root</em></span>, even if <i class="parameter"><tt>force user</tt></i> has been set.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Mapping MS Windows and Unix Groups </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html>
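Review bot: the find commands in step 2 of Procedure 13.3 are carried over unchanged and will not run as written. The two chown lines end in "{}\;" with no space before "\;", so find never receives its terminator, and the "chmod 6775" line has neither "{}" nor "\;" and names 'directory_name' instead of the path find matched. Since the hunk already corrects "force direcrtory mode", fix these too, for example "-exec chown user.group {} \;" and "-exec chmod 6775 {} \;". The Note below them calls 6775 the 'sticky bit', but the listing in the later step shows "drwsrwsr-x", which is setuid plus setgid (sticky would show "t"); the Note should name the bits correctly and say on which systems a setuid directory passes its owner to new files, because the "Afile" example depends on that. Separately, "chmod 0775" on every regular file and "force create mode = 0775" mark all files on a public share executable; 0664 looks like what is intended unless execute is needed.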

View File

@ -1,9 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Manangement</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Manangement</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. 
Advanced Network Manangement</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2982176">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2982207">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2980888">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2980905">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2981105">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2981300">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2981333">Common Errors</a></dt></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. 
Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2984570">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984759">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984858">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984876">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985087">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2985283">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985316">Common Errors</a></dt></dl></div><p>
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982176"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984570"></a>Features and Benefits</h2></div></div><div></div></div><p>
Often the difference between a working network environment and a well appreciated one can
best be measured by the <span class="emphasis"><em>little things</em></span> that makes everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
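Review bot: the "Features and Benefits" anchor changes from id2982176 to id2984570 in this hunk, so any existing link to the old fragment stops resolving after the regeneration. These look like generated ids; giving the sections explicit ids in the DocBook source would keep the anchors stable across rebuilds and shrink future "regenerate docs" diffs.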
@ -13,7 +12,7 @@ network operations.
</p><p>
This chapter presents information on each of these area. They are placed here, and not in
other chapters, for ease of reference.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982207"></a>Remote Server Administration</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984759"></a>Remote Server Administration</h2></div></div><div></div></div><p>
<span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span>
</p><p>
Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains',
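Review bot: the context line "This chapter presents information on each of these area." still reads "area" where "areas" is meant. Since the output is regenerated, the fix belongs in the DocBook source alongside the other spelling corrections in this commit.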
@ -27,30 +26,30 @@ Click here to download the archived file <a href="ftp://ftp.microsoft.com/Softli
The <span class="application">Windows NT 4.0</span> version of the 'User Manager for
Domains' and 'Server Manager' are available from Microsoft via ftp
from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2980888"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984858"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solutions is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
</p><div xmlns:ns77="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980905"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2984876"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
It is presented in slightly edited form (with author details omitted for privacy reasons).
The entire answer is reproduced below with some comments removed.
</p><ns77:p>
</ns77:p><pre class="screen">
&gt; I have a wounderfull linux/samba server running as pdc for a network.
&gt; Now I would like to add remote desktop capabilites so that
</p><p>
</p><pre class="screen">
&gt; I have a wonderful linux/samba server running as PDC for a network.
&gt; Now I would like to add remote desktop capabilities so that
&gt; users outside could login to the system and get their desktop up from
&gt; home or another country..
&gt;
&gt; Is there a way to acomplish this? Do I need a windows terminal server?
&gt; Is there a way to accomplish this? Do I need a windows terminal server?
&gt; Do I need to configure it so that it is a member of the domain or a
&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
&gt; even if the computer is in a domain?
&gt;
&gt; Any ideas/experience would be appreciated :)
</pre><ns77:p>
</ns77:p><p>
</pre><p>
</p><p>
Answer provided: Check out the new offer from NoMachine, &quot;NX&quot; software:
<a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>.
</p><p>
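Review bot: the unchanged text at the top of this hunk still sends administrators to ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE, an executable fetched over plain FTP, and says nothing about checking the file before running it. Consider adding a sentence telling readers to verify the download (against a vendor-published checksum or signature, if one is available) before installing it on an administrative workstation. Separately, replacing the ns77:p elements with p leaves empty paragraphs before and after the pre block.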
@ -62,7 +61,7 @@ is the best tool in your network environment.
a new way of compression and caching technologies which makes the thing
fast enough to run even over slow modem/ISDN connections.
</p><p>
I could testdrive their (public) RedHat machine in Italy, over a loaded
I could test drive their (public) RedHat machine in Italy, over a loaded
internet connection, with enabled thumbnail previews in KDE konqueror
which popped up immediately on &quot;mouse-over&quot;. From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
@ -79,7 +78,7 @@ is the best tool in your network environment.
in Italy) to my Mozilla mailing agent... These guys are certainly doing
something right!
</p><p>
I recommend to testdrive NX to anybody with a only a remote interest
I recommend to test drive NX to anybody with a only a remote interest
in remote computing
<a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>.
</p><p>
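Review bot: the corrected line "I recommend to test drive NX to anybody with a only a remote interest" still carries the doubled article "with a only a". The spelling pass that changed "testdrive" should also make this "with only a remote interest".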
@ -98,7 +97,7 @@ is the best tool in your network environment.
</p><p>
Now the best thing at the end: all the core compression and caching
technologies are released under the GPL and available as source code
to anybody who wants to build on it! These technolgies are working,
to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running....)
</p><p>
@ -120,22 +119,22 @@ is the best tool in your network environment.
NoMachine are encouraging and offering help to OSS/Free Software implementations
for such a frontend too, even if it means competition to them (they have written
to this effect even to the LTSP, KDE and GNOME developer mailing lists)
</p></li></ul></div></div></div><div xmlns:ns78="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981105"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985087"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
This section needs work. Volunteer contributions most welcome. Please send your patches or updates
to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>.
</p><p>
There are several opportunities for creating a custom network startup configuration environment.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attirbutes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</td></tr><tr><td>User of a tool such as KixStart</td></tr></table><p>
The Samba source code tree includes two logon script generation/execution tools.
See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and
<tt class="filename">ntlogon</tt> subdirectories.
</p><p>
The following listings are from the genlogon directory.
</p><ns78:p>
</p><p>
This is the <tt class="filename">genlogon.pl</tt> file:
</ns78:p><pre class="programlisting">
</p><pre class="programlisting">
#!/usr/bin/perl
#
# genlogon.pl
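Review bot: the simplelist fixes "attirbutes" but leaves its last entry as "User of a tool such as KixStart", which should read "Use of a tool such as ...". The product name also does not match the site this chapter links to (www.kixtart.org), so both should be corrected in the source in the same pass.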
@ -207,18 +206,18 @@ This is the <tt class="filename">genlogon.pl</tt> file:
# All done! Close the output file.
close LOGON;
</pre><ns78:p>
</ns78:p><p>
</pre><p>
</p><p>
Those wishing to use more elaborate or capable logon processing system should check out the following sites:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981300"></a>Adding printers without user intervention</h3></div></div><div></div></div><ns78:p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2985283"></a>Adding printers without user intervention</h3></div></div><div></div></div><p>
Printers may be added automatically during logon script processing through the use of:
</ns78:p><pre class="programlisting">
</p><pre class="programlisting">
rundll32 printui.dll,PrintUIEntry /?
</pre><ns78:p>
</pre><p>
See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>.
</ns78:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981333"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985316"></a>Common Errors</h2></div></div><div></div></div><p>
The information provided in this chapter has been reproduced from postings on the samba@samba.org
mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
their own evaluation of alternatives and are encouraged to draw their own conclusions.
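Review bot: in the "Adding printers without user intervention" listing, "rundll32 printui.dll,PrintUIEntry /?" only displays the option help, yet the sentence before it says printers may be added automatically "through the use of" this command. State that /? lists the available options, and show an actual install invocation such as "rundll32 printui.dll,PrintUIEntry /in /n\\server\printer" (server and printer being placeholders) so a logon script author has something to start from.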


@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. 
<a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3007789">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3007797">Introduction</a></dt><dt><a href="compiling.html#id3007826">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3009294">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3009342">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3009477">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3009615">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3010510">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3010602">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3010805">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3010900">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3012180">HPUX</a></dt><dt><a href="Portability.html#id3012265">SCO Unix</a></dt><dt><a href="Portability.html#id3012293">DNIX</a></dt><dt><a href="Portability.html#id3012463">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3012506">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3012513">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3012539">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3012546">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013323">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3013394">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013401">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3013017">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3013077">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013174">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3012636">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3012726">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3012756">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3012802">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3012831">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3012849">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3012895">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013925">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013949">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3014059">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3014177">Comparisons</a></dt><dt><a href="speed.html#id3014222">Socket options</a></dt><dt><a href="speed.html#id3014295">Read size</a></dt><dt><a href="speed.html#id3014339">Max xmit</a></dt><dt><a href="speed.html#id3014392">Log level</a></dt><dt><a href="speed.html#id3014415">Read raw</a></dt><dt><a href="speed.html#id3015357">Write raw</a></dt><dt><a href="speed.html#id3015399">Slow Logins</a></dt><dt><a href="speed.html#id3015420">LDAP</a></dt><dt><a href="speed.html#id3015445">Client tuning</a></dt><dt><a href="speed.html#id3015468">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3015501">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3016219">Note</a></dt></dl></dd><dt>41. 
<a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3015638">Websites</a></dt><dt><a href="Further-Resources.html#id3016020">Related updates from microsoft</a></dt><dt><a href="Further-Resources.html#id3016088">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. 
<a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></dd><dt>41. 
<a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html>
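Review bot: in the Chapter 39 "Samba Performance Tuning" entries, the old table of contents lists "LDAP" between "Slow Logins" and "Client tuning", and the new one drops it. That is a content change rather than an id renumbering, so the commit message "regenerate docs" should mention that the section was removed from the source, or the section should be restored if the removal was unintended.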


@ -1,10 +1,9 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id2999523">Note</a></dt><dt><a href="Backup.html#id2999544">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999523"></a>Note</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id3001533">Note</a></dt><dt><a href="Backup.html#id3001557">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001533"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
If you have something to contribute for this section please email it to
<a href="">jht@samba.org</a>/
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999544"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001557"></a>Features and Benefits</h2></div></div><div></div></div><p>
We need feedback from people who are backing up samba servers.
We would like to know what software tools you are using to backup
your samba server/s.
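Review bot: the contact link in the "Note" section is emitted as an anchor with an empty href around jht@samba.org, followed by a stray "/", so the address is not clickable and the sentence ends in a slash. The source should use a mailto:jht@samba.org link, as the author block at the top of the same page does, and end the sentence with a full stop.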

File diff suppressed because it is too large


@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901115">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901115"></a>Note</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901966"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-Alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>
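Review bot: The only difference between the old and new `<html>` line in this hunk is the generated anchor, `id2901115` becoming `id2901966`, in both the table of contents link and the `<a name>`; the section text is unchanged. Generated ids that move when nothing else does make every regeneration produce diffs like this one and break any saved link to `ClientConfig.html#id2901115`. Giving the section an explicit id in the DocBook source would keep the anchor stable, as the chapter-level `ClientConfig` anchor already is.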

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3016219">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016219"></a>Note</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018605"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html>
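Review bot: The body of Chapter 40 is still only the two placeholder sentences ("This chapter did not make it into this release"), yet the page is regenerated as a full chapter with Prev/Next links to Chapter 39 and Chapter 41. Consider leaving stub chapters out of the generated set until they have content, so readers following the navigation do not land on an empty page.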

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. FastStart for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. FastStart for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. FastStart for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886367">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886367"></a>Note</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886744"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
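Review bot: The chapter title changes from "FastStart" to "Fast Start" in `<title>`, the navigation header and the `<h2>`, so check that the pages which repeat this title in their own `<link rel>` and navigation footer text were regenerated in the same commit; otherwise both spellings will coexist. The file name and the `FastStart` anchor keep the old spelling, which is fine for link stability.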

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. 
Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3015638">Websites</a></dt><dt><a href="Further-Resources.html#id3016020">Related updates from microsoft</a></dt><dt><a href="Further-Resources.html#id3016088">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015638"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. 
Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018765"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top">
<span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by &quot;Hobbit&quot;</a>
</p></li><li><p>
@ -86,7 +85,7 @@
<span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager
Security</em></span> at Microsoft Knowledge Base
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016020"></a>Related updates from microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020416"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span>
</a>
@ -98,4 +97,4 @@
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span>
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016088"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020431"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
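Review bot: The "Books" section at the end of this hunk is empty: the `<h2>` for `id3020431` is followed directly by the closing `</div>` tags, while the table of contents in the first hunk of this file links to it. Either add the book list or remove the section from the source so the table of contents does not point at a blank heading.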

View File

@ -1,11 +1,10 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. 
Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2929145">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2929173">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2929256">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2929268">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2931243">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2931281">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2931308">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2931434">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2928812">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2928827">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. 
Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2933376">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2933404">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2933488">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933501">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2933586">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933622">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933649">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2933790">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933922">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933937">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p>
Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
adopt Active Directory or an LDAP based authentication back end. This section explains
some background information regarding trust relationships and how to create them. It is now
possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929145"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933376"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
trust relationships. This imparts to Samba similar scalability as is possible with
MS Windows NT4.
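Review bot: The unchanged introduction in this hunk still reads "This is feature that many sites will want to use if they migrate to Samba-3 from and NT4 style domain", and its last sentence mixes "Samba-3" with "Samba3". Since this commit only regenerates output, these need fixing in the DocBook source: "This is a feature", "from an NT4 style domain", "Samba-3 to Samba-3 trusts".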
@ -13,9 +12,9 @@ MS Windows NT4.
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts simplt because by the very nature of how this works it is fragile.
That was after all a key reason for the development and adoption of Microsoft Active Directory.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929173"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
Interdomain trusts simply because by the very nature of how this works it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933404"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
The limitations of this architecture as it affects the scalability of MS Windows networking
in large organisations is well known. Additionally, the flat-name space that results from
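Review bot: The regenerated paragraph fixes "simplt" but the context line above it still has "given it's ability to run in Primary as well as Backup Domain control modes", which should be "its ability". In the section that follows, "The limitations of this architecture ... is well known" needs "are".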
@ -50,9 +49,9 @@ domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
style Interdomain trusts and interoperates with MS Windows 200x ADS
security domains in similar manner to MS Windows NT4 style domains.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929256"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933488"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
There are two steps to creating an interdomain trust relationship.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929268"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933501"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p>
For MS Windows NT4, all domain trust relationships are configured using the
<span class="application">Domain User Manager</span>. To affect a two way trust relationship it is
necessary for each domain administrator to make available (for use by an external domain) it's
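Review bot: In the NT4 trusting-domain paragraph, "To affect a two way trust relationship" should be "To effect", and the last visible line ends with "it's" where the possessive "its" is meant. Both are in unchanged context, so they have to be corrected in the source rather than in the generated HTML.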
@ -64,14 +63,14 @@ button will open a panel in which needs to be entered the remote domain that wil
user rights to your domain. In addition it is necessary to enter a password
that is specific to this trust relationship. The password needs to be
typed twice (for standard confirmation).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931243"></a>NT4 as the Trusted Domain (ie. creating trusted account's password)</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933586"></a>NT4 as the Trusted Domain (ie. creating trusted account's password)</h3></div></div><div></div></div><p>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consumate the trust relationship the administrator will launch the
with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
<span class="guibutton">Add</span> button that is next to the box that is labelled
<span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote
domain as well as the password assigned to that trust.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931281"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933622"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
This description is meant to be a fairly short introduction about how to set up a Samba server so
that it could participate in interdomain trust relationships. Trust relationship support in Samba
is in its early stage, so lot of things don't work yet.
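Review bot: The last context line says trust support "is in its early stage, so lot of things don't work yet" without naming what does not work. For a feature that extends authentication across domains, the text should list the known limitations or point to where they are tracked; the wording also needs "so a lot of things".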
@ -80,32 +79,32 @@ Each of the procedures described below is treated as they were performed with Wi
one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
reading this document, that combining Samba-specific parts of what's written below leads to trust
between domains in purely Samba environment.
</p><div xmlns:ns43="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931308"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933649"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p>
In order to set the Samba PDC to be the trusted party of the relationship first you need
to create special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
similiar to creating a trusted machine account. Suppose, your domain is
similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</p><ns43:p>
</ns43:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
</pre><ns43:p>
</pre><p>
where <tt class="option">-a</tt> means to add a new account into the
passdb database and <tt class="option">-i</tt> means: ''create this
account with the InterDomain trust flag''
</ns43:p><p>
</p><p>
The account name will be 'rumba$' (the name of the remote domain)
</p><p>
After issuing this command you'll be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the stardard way depending on your configuration) and see that account's name is
(in the standard way depending on your configuration) and see that account's name is
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</p><p>
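Review bot: The unchanged sentence "You can use any password you want", which follows the `smbpasswd -a -i rumba` example, undersells what this password protects: it is the secret for the interdomain trust account `rumba$`, and the same paragraph says Windows NT will not change it until 7 days after account creation. Since the paragraph is already being edited for "stardard", consider rewording it to recommend a long random password. The empty `</p><p>` pair that replaces the `ns43:p` wrapper before `<pre class="screen">` is also worth removing at the source rather than regenerating it each time.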
@ -118,7 +117,7 @@ your domain name, and the password used at the time of account creation.
Press OK and, if everything went without incident, you will see
<tt class="computeroutput">Trusted domain relationship successfully
established</tt> message.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931434"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933790"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p>
This time activities are somewhat reversed. Again, we'll assume that your domain
controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
</p><p>
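Review bot: The only change in this hunk is the generated anchor on the "Samba-3 as the Trusted Domain" heading, `id2931434` to `id2933790`. These auto-numbered names shift whenever the docs are regenerated, which breaks any deep link into the section and is the sole content of several hunks in this commit. Giving the section an explicit id in the DocBook source would keep the anchor stable and shrink future regeneration diffs.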
@ -149,11 +148,11 @@ Congratulations! Your trust relationship has just been established.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Note that you have to run this command as root because you must have write access to
the <tt class="filename">secrets.tdb</tt> file.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928812"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933922"></a>Common Errors</h2></div></div><div></div></div><p>
Interdomain trust relationships should NOT be attempted on networks that are unstable
or that suffer regular outages. Network stability and integrity are key concerns with
distributed trusted domains.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928827"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933937"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p>
Like many, I administer multiple LANs connected together using NT trust
relationships. This was implemented about 4 years ago. I now have the
occasion to consider performing this same task again, but this time, I
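Review bot: The "Tell me about Trust Relationships using Samba" entry under Common Errors is a question pasted in the first person ("Like many, I administer multiple LANs ...") and does not describe an error. Consider restating it in the document's own voice as the problem being addressed, or moving it out of Common Errors; only its anchor id changes here, so the regeneration is carrying it forward unchanged.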
@ -170,7 +169,7 @@ distributed trusted domains.
Please provide any helpful feedback that you may have.
</p><p>
These are almost complete in Samba 3.0 snapshots. The main catch
is getting winbindd to be able to allocate uid/gid's for trusted
is getting winbindd to be able to allocate UID/GIDs for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html>
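Review bot: The answer paragraph still says trusts "are almost complete in Samba 3.0 snapshots" and refers the reader to "the updated Samba HOWTO collection", although the footer (Chapter 15, Chapter 17, Home) suggests this page is itself a chapter of such a collection. Only the "uid/gid's" spelling is corrected here. The paragraph should name the chapter that covers winbindd UID/GID allocation for trusted users and state what works in the release being documented, rather than describe snapshot status.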

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. 
Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885255">Background</a></dt><dt><a href="IntroSMB.html#id2885309">Terminology</a></dt><dt><a href="IntroSMB.html#id2884034">Related Projects</a></dt><dt><a href="IntroSMB.html#id2884102">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2884189">Epilogue</a></dt><dt><a href="IntroSMB.html#id2884263">Miscellaneous</a></dt></dl></div><p>&#8220;<span class="quote">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. 
Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></div><p>&#8220;<span class="quote">
&quot;If you understand what you're doing, you're not learning anything.&quot;
-- Anonymous
</span>&#8221;</p><p>
@ -8,7 +7,7 @@ transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of
strengths is that you can use it to blend your mix of Windows and Linux machines together
without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885255"></a>Background</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885613"></a>Background</h2></div></div><div></div></div><p>
Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
@ -34,7 +33,7 @@ been dutifully waded through during the information-gathering stages of this pro
are *still* many missing pieces... While often tedious, at least the way has been generously
littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
thinking?
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885309"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885824"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
SMB: Acronym for &quot;Server Message Block&quot;. This is Microsoft's file and printer sharing protocol.
</p></li><li><p>
CIFS: Acronym for &quot;Common Internet File System&quot;. Around 1996, Microsoft apparently
@ -84,7 +83,7 @@ thinking?
W3K: Acronym for Windows 2003 Server
</p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884034"></a>Related Projects</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885978"></a>Related Projects</h2></div></div><div></div></div><p>
There are currently two network filesystem client projects for Linux that are directly
related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
</p><div class="itemizedlist"><ul type="disc"><li><p>
@ -95,7 +94,7 @@ related to Samba: SMBFS and CIFS VFS. These are both available in the Linux ker
</p></li><li><p>
CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
is being actively developed for the upcoming version of the Linux kernel. The intent of this module
is to provide advanced network file system functionality including support for dfs (heirarchical
is to provide advanced network file system functionality including support for dfs (hierarchical
name space), secure per-user session establishment, safe distributed caching (oplock),
optional packet signing, Unicode and other internationalization improvements, and optional
Winbind (nsswitch) integration.
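Review bot: In the CIFS VFS item, "dfs" is left in lower case on the same line that is corrected for "heirarchical", while the other names in the item are capitalised (SMBFS, CIFS VFS, Unicode, Winbind); make it "DFS" in the same edit. "The upcoming version of the Linux kernel" in that item will also date quickly, so naming the kernel version would be better.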
@ -106,7 +105,7 @@ nothing to do with acting as a file and print server for SMB/CIFS clients.
There are other Open Source CIFS client implementations, such as the
<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a>
which provides an SMB client toolkit written in Java.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884102"></a>SMB Methodology</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886047"></a>SMB Methodology</h2></div></div><div></div></div><p>
Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
session service, or netbios-ssn). Anyone looking at their network with a good
@ -138,7 +137,7 @@ up a single file. In general, SMB sessions are established in the following orde
A good way to examine this process in depth is to try out
<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>.
It allows you to walk through the establishment of a SMB/CIFS session step by step.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884189"></a>Epilogue</h2></div></div><div></div></div><p>&#8220;<span class="quote">
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886135"></a>Epilogue</h2></div></div><div></div></div><p>&#8220;<span class="quote">
What's fundamentally wrong is that nobody ever had any taste when they
did it. Microsoft has been very much into making the user interface look good,
but internally it's just a complete mess. And even people who program for Microsoft
@ -167,7 +166,7 @@ not the completely clueless user who probably sits there shivering thinking
That's what's really irritating to me.&quot;
</span>&#8221;</p><p>--
<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884263"></a>Miscellaneous</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886209"></a>Miscellaneous</h2></div></div><div></div></div><p>
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
Permission is granted to copy, distribute and/or modify this document under the terms
of the GNU Free Documentation License, Version 1.2 or any later version published by the Free

View File

@ -1,16 +1,15 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. 
Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3000009">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3000033">Objectives</a></dt><dt><a href="NT4Migration.html#id2998961">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3001178">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001259">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3001500">Samba Implementation Choices</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. 
Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></div><p>
This is a rough guide to assist those wishing to migrate from NT4 domain control to
Samba-3 based domain control.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000009"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001339"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
In the IT world there is often a saying that all problems are encountered because of
poor planning. The corrollary to this saying is that not all problems can be anticpated
and planned for. Then again, good planning will anticpate most show stopper type situations.
poor planning. The corollary to this saying is that not all problems can be anticipated
and planned for. Then again, good planning will anticipate most show stopper type situations.
</p><p>
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
environment would do well to develop a detailed migration plan. So here are a few pointers to
help migration get under way.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000033"></a>Objectives</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001368"></a>Objectives</h3></div></div><div></div></div><p>
The key objective for most organisations will be to make the migration from MS Windows NT4
to Samba-3 domain control as painless as possible. One of the challenges you may experience
in your migration process may well be one of convincing management that the new environment
@ -29,15 +28,15 @@ features that Microsoft has promoted as core values in migration from MS Windows
MS Windows 2000 and beyond (with or without Active Directory services).
</p><p>
What are the features that Samba-3 can NOT provide?
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Direcrtory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directorty</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Directory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directory</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p>
The features that Samba-3 DOES provide and that may be of compelling interest to your site
includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-signon architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-sign-on architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p>
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
considered. Users should be educated about changes they may experience so that the change will be a
welcome one and not become an obstacle to the work they need to do. The following are some of the
factors that will go into a successful migration:
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2998734"></a>Domain Layout</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002882"></a>Domain Layout</h4></div></div><div></div></div><p>
Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
a secondary controller), a domain member, or as a stand-alone server. The Windows network security
domain context should be sized and scoped before implementation. Particular attention needs to be
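Review bot: Two defects remain next to the spelling fixes in this hunk. The rewritten list line still contains "Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)", which should read "i.e. can run", and the sentence introducing that list, "The features that Samba-3 DOES provide ... includes:", needs "include". Both are worth fixing in the source in the same pass as "Direcrtory" and "single-signon".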
@ -54,11 +53,11 @@ and network bandwidth.
A physical network segment may house several domains, each of which may span multiple network segments.
Where domains span routed network segments it is most advisable to consider and test the performance
implications of the design and layout of a network. A Centrally located domain controller that is being
designed to serve mulitple routed network segments may result in severe performance problems if the
designed to serve multiple routed network segments may result in severe performance problems if the
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
the local authentication and access control server.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2998787"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002935"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
There are few cardinal rules to effective network design that can be broken with impunity.
The most important rule of effective network management is that simplicity is king in every
well controlled network. Every part of the infrastructure must be managed, the more complex
@ -83,48 +82,48 @@ complex mess that has been inherited. Remember, apparent job security through co
and implementation may ultimately cause loss of operations and downtime to users as the new
administrator learns to untangle your web. Keep access controls simple and effective and
make sure that users will never be interrupted by the stupidity of complexity.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2998849"></a>Logon Scripts</h4></div></div><div></div></div><p>
Please refer to the section of this document on Advanced Network Adminsitration for information
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002997"></a>Logon Scripts</h4></div></div><div></div></div><p>
Please refer to the section of this document on Advanced Network Administration for information
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
all users gain share and printer connections they need.
</p><p>
Logon scripts can be created on-the-fly so that all commands executed are specific to the
rights and privilidges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logong script using
rights and privileges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logon script using
the <i class="parameter"><tt>root preexec</tt></i> parameters to the <tt class="filename">NETLOGON</tt> share.
</p><p>
Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
user environment. In any case you may wish to do a google search for logon script process controls.
In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
deals with how to add printers without user intervention via the logon script process.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2998906"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3003055"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
Management.
</p><p>
Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
to be changed to the SID of the Samba-3 domain.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2998936"></a>User and Group Accounts</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3004018"></a>User and Group Accounts</h4></div></div><div></div></div><p>
It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to connect these to
suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
should migrate painlessly.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2998961"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004043"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
The approximate migration process is described below.
</p><div class="itemizedlist"><ul type="disc"><li><p>
You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
</p></li><li><p>
Samba-3 set up as a DC with netlogon share, profile share, etc.
</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc campire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been 
migrated</p></li></ol></li></ol></div><p>
</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been 
migrated</p></li></ol></li></ol></div><p>
Now it is time to migrate all the profiles, then migrate all policy files.
More later.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001178"></a>Migration Options</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3004381"></a>Migration Options</h2></div></div><div></div></div><p>
Based on feedback from many sites as well as from actual installation and maintenance
experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba
based solution fit into three basic categories.
</p><div class="table"><a name="id3001193"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>&lt; 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>&gt; 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001259"></a>Planning for Success</h3></div></div><div></div></div><p>
There are three basic choices for sites that intend to migrate from MS Windwows NT4
</p><div class="table"><a name="id3004398"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>&lt; 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>&gt; 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004462"></a>Planning for Success</h3></div></div><div></div></div><p>
There are three basic choices for sites that intend to migrate from MS Windows NT4
to Samba-3.
</p><div class="itemizedlist"><ul type="disc"><li><p>
Simple Conversion (total replacement)
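Review bot: Procedure 31.1 puts the domain administrator password on the command line in every rpcclient and net step (`-U Administrator%passwd`), where it ends up in shell history and is visible in the process list while the command runs. Suggest documenting `-U Administrator` and letting the tools prompt for the password. Two smaller points in the same procedure: `net rpc vampire` now appears twice (before `initGrps.sh` and again after `net groupmap list`) with no explanation of why the second run is needed, and the account is spelled `Administrator` in some steps and `administrator` in others.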
@ -142,20 +141,20 @@ No matter what choice you make, the following rules will minimise down-stream pr
Test ALL assumptions
</p></li><li><p>
Test full roll-out program, including workstation deployment
</p></li></ul></div><div class="table"><a name="id3001329"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div xmlns:ns94="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001500"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting">
</p></li></ul></div><div class="table"><a name="id3004535"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004704"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting">
Authentication database back end
Winbind (external Samba or NT4/200x server)
Can use pam_mkhomedir.so to auto-create home dirs
External server could use Active Directory or NT4 Domain
Database type
smbpasswd, tdbsam, ldapsam, MySQLsam
smbpasswd, tdbsam, ldapsam, mysqlsam
Access Control Points
On the Share itself (Use NT4 Server Manager)
On the file system
Unix permissions on files and directories
Posix ACLs enablement in file system?
Enable Posix ACLs in file system?
Through Samba share parameters
Not recommended - except as only resort
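Review bot: The reworded line "Enable Posix ACLs in file system?" still spells the standard as "Posix"; it should be "POSIX". While this listing is being touched, the unchanged line "Not recommended - except as only resort" under "Through Samba share parameters" would read better as "except as a last resort", and it should say in a few words why share-parameter access control is discouraged, since this is the only guidance the page gives on choosing an access control point.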
@ -199,5 +198,5 @@ Migration Tools
Authentication
New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)
</pre><ns94:p>
</ns94:p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html>
</pre><p>
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html>
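Review bot: Replacing `<ns94:p>` with `<p>` after the `</pre>` removes the stray namespace prefix but still leaves an empty paragraph containing only a newline in the generated page. That comes from an empty para in the DocBook source, so the fix belongs there rather than in the regenerated HTML.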

View File

@ -1,8 +1,7 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. 
Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2901232">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2901310">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2901493">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901509">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2900816">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2900944">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901080">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2902385">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2902592">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2902857">Making samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2906252">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2906270">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2906299">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2906403">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906464">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906615">Setting up a WINS 
server</a></dt><dt><a href="NetworkBrowsing.html#id2906810">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2906835">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906866">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906879">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2906946">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2907067">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2907113">Browsing support in samba</a></dt><dt><a href="NetworkBrowsing.html#id2907220">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2907300">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2907917">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2907932">How can one flush the Samba NetBIOS name cache without restarting samba?</a></dt><dt><a href="NetworkBrowsing.html#id2907960">My client reports &quot;This server is not configured to list shared resources&quot;</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. 
Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2903558">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2903637">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2903747">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903764">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2903926">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2904058">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2904194">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2904320">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2904541">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2904811">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2904967">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2904984">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2905013">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2905122">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905183">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905341">Setting up a WINS 
server</a></dt><dt><a href="NetworkBrowsing.html#id2905540">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2905565">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905650">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905663">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2905730">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905867">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905914">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2906021">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2906100">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906720">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906735">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2906764">My client reports &quot;This server is not configured to list shared resources&quot;</a></dt></dl></dd></dl></div><p>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and / or across workgroups (or domains).
WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows 2000 and later can be configured to operate with NO NetBIOS
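Review bot: Every generated section anchor in the table of contents changes in this regeneration (for example `NetworkBrowsing.html#id2901232` becomes `#id2903558` for "Features and Benefits"), so any external deep link into this chapter breaks each time the docs are rebuilt. The one entry that survives is `#browse-force-master`, which has an explicit id. Suggest giving the other sections explicit ids in the DocBook source so the anchors stay stable across regenerations.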
@ -10,15 +9,15 @@ over TCP/IP. Samba-3 and later also supports this mode of operation.
When the use of NetBIOS over TCP/IP has been disabled then the primary
means for resolution of MS Windows machine names is via DNS and Active Directory.
The following information assumes that your site is running NetBIOS over TCP/IP.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901232"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903558"></a>Features and Benefits</h2></div></div><div></div></div><p>
Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times,
they were the best of times. The more we look back, them more we long for what was and
hope it never returns!</em></span>.
</p><p>
For many MS Windows network administrators that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking it's fickle
nature was just par for the course. For those who never quite managed to tame it's
lusty features NetBIOS is like Paterson's Curse.
For many MS Windows network administrators, that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
nature was just par for the course. For those who never quite managed to tame its
lusty features, NetBIOS is like Paterson's Curse.
</p><p>
For those not familiar with botanical problems in Australia: Paterson's curse,
Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth
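Review bot: The hunk fixes "it's" to "its" in the second paragraph but leaves the typo in the quotation just above it, "The more we look back, them more we long for what was"; "them" should be "the". The closing `</em></span>.` also leaves a full stop after the exclamation mark.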
@ -28,7 +27,7 @@ ability to germinate at any time of year, given the right conditions, are some o
features which make it such a persistent weed.
</p><p>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
a particular focus on SMB as implmented through running NetBIOS (Network Basic
a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
@ -43,7 +42,7 @@ support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports thi
</p><p>
For those networks on which NetBIOS has been disabled (ie: WINS is NOT required)
the use of DNS is necessary for host name resolution.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901310"></a>What is Browsing?</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903637"></a>What is Browsing?</h2></div></div><div></div></div><p>
To most people browsing means that they can see the MS Windows and Samba servers
in the Network Neighborhood, and when the computer icon for a particular server is
clicked, it opens up and shows the shares and printers available on the target server.
@ -51,7 +50,7 @@ clicked, it opens up and shows the shares and printers available on the target s
What seems so simple is in fact a very complex interaction of different technologies.
The technologies (or methods) employed in making all of this work includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>MS Windows machines register their presence to the network</td></tr><tr><td>Machines announce themselves to other machines on the network</td></tr><tr><td>One or more machine on the network collates the local announcements</td></tr><tr><td>The client machine finds the machine that has the collated list of machines</td></tr><tr><td>The client machine is able to resolve the machine names to IP addresses</td></tr><tr><td>The client machine is able to connect to a target machine</td></tr></table><p>
The samba application that controls/manages browse list management and name resolution is
The Samba application that controls browse list management and name resolution is
called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
</p><pre class="programlisting">
@ -78,18 +77,18 @@ called <tt class="filename">nmbd</tt>. The configuration parameters involved in
* wins support
wins hook
</pre><p>
For Samba the WINS Server and WINS Support are mutually exclusive options. Those marked with
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
parameters is set nmbd will still do it's job.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901493"></a>Discussion</h2></div></div><div></div></div><p>
parameters is set <tt class="filename">nmbd</tt> will still do it's job.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903747"></a>Discussion</h2></div></div><div></div></div><p>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
NetBIOS over TCP/IP for backwards compatibility. Microsoft are intent on phasing out NetBIOS
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901509"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903764"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
affect browse list management. When running NetBIOS over TCP/IP this uses UDP based messaging.
affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</p><p>
Normally, only unicast UDP messaging can be forwarded by routers. The
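Review bot: The added line "parameters is set <tt class="filename">nmbd</tt> will still do it's job." keeps the possessive misspelled as "it's", although this same commit corrects that error in the Features and Benefits section; it should be "its job". In the NetBIOS over TCP/IP paragraph, "uses broadcast messaging to affect browse list management" should be "effect" on both the old and new lines, since the meaning is to carry out browse list management, not to influence it.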
@ -98,7 +97,7 @@ to remote network segments via unicast UDP. Similarly, the
<b class="command">remote browse sync</b> parameter of <tt class="filename">smb.conf</tt>
implements browse list collation using unicast UDP.
</p><p>
Secondly, in those networks where Samba is the only SMB server technology
Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
@ -113,9 +112,9 @@ the use of the <b class="command">remote announce</b> and the
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
of one of the samba-3 release series.
of one of the Samba-3 release series.
</p><p>
Right now samba WINS does not support MS-WINS replication. This means that
Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
@ -130,7 +129,7 @@ Lastly, take note that browse lists are a collection of unreliable broadcast
messages that are repeated at intervals of not more than 15 minutes. This means
that it will take time to establish a browse list and it can take up to 45
minutes to stabilise, particularly across network segments.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900816"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903926"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
All TCP/IP using systems use various forms of host name resolution. The primary
methods for TCP/IP hostname resolutions involves either a static file (<tt class="filename">/etc/hosts
</tt>) or DNS (the Domain Name System). DNS is the technology that makes
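Review bot: In the context lines under "TCP/IP - without NetBIOS", the filename element is split across a line break (`<tt class="filename">/etc/hosts` followed by `</tt>` on the next line), which renders as a trailing space inside the filename before the closing parenthesis. The source markup should close the element on the same line. The same sentence also has an agreement error: "The primary methods for TCP/IP hostname resolutions involves" should be "The primary methods for TCP/IP hostname resolution involve".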
@ -159,14 +158,14 @@ force register with a Dynamic DNS server in Windows 200x / XP using:
<b class="command">ipconfig /registerdns</b>
</p><p>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
essential. In the absence of a working DNS server that has been correctly configured
essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other,
consequently network services will be severely impaired.
</p><p>
The use of Dynamic DNS is highly recommended with Active Directory, in which case
the use of BIND9 is preferred for it's ability to adequately support the SRV (service)
records that are needed for Active Directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900944"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904058"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic
DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
@ -186,9 +185,9 @@ The following are some of the default service records that Active Directory requ
Entry used by MS Windows clients to locate machines using the
Global Unique Identifier.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Used by MS Windows clients to locate site configuration dependant
Used by MS Windows clients to locate site configuration dependent
Global Catalog server.
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901080"></a>How Browsing Functions</h2></div></div><div></div></div><p>
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904194"></a>How Browsing Functions</h2></div></div><div></div></div><p>
MS Windows machines register their NetBIOS names
(ie: the machine name for each service type in operation) on start
up. The exact method by which this name registration
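Review bot: The service record shown in this hunk, `_ldap._tcp.Site.gc.ms-dcs.DomainTree`, is not the name Active Directory registers: the label is `_msdcs`, with a leading underscore and no hyphen, so a reader who copies this into a zone file will create a record that clients never query. The hunk only corrects "dependant" to "dependent" in the description; the record name itself should be corrected in the source, and the other SRV entries in this list checked for the same spelling.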
@ -196,11 +195,11 @@ takes place is determined by whether or not the MS Windows client/server
has been given a WINS server address, whether or not LMHOSTS lookup
is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
</p><p>
In the case where there is no WINS server all name registrations as
In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
which the samba server name may be forcibly injected into the browse
which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<b class="command">remote announce</b> parameter).
</p><p>
@ -229,7 +228,7 @@ Any configuration that breaks name resolution and/or browsing intrinsics
will annoy users because they will have to put up with protracted
inability to use the network services.
</p><p>
Samba supports a feature that allows forced synchonisation
Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <b class="command">remote
browse sync</b> parameter in the <tt class="filename">smb.conf</tt> file.
This causes Samba to contact the local master browser on a remote network and
@ -243,7 +242,7 @@ words, for cross subnet browsing to function correctly it is
essential that a name to address resolution mechanism be provided.
This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>,
and so on.
</p><div xmlns:ns14="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902385"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904320"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
To set up cross subnet browsing on a network containing machines
in up to be in a WORKGROUP, not an NT Domain you need to set up one
Samba server to be the Domain Master Browser (note that this is *NOT*
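Review bot: the unchanged opening sentence of "Setting up WORKGROUP Browsing" still reads "machines in up to be in a WORKGROUP, not an NT Domain you need to set up one", which is garbled and has no comma before "you". Because this commit only regenerates the HTML, the wording has to be fixed in the DocBook source and the page regenerated; the hunk as it stands carries the broken sentence forward under a new anchor id.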
@ -253,7 +252,7 @@ to collate the browse lists from local master browsers on all the
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
subnet. It is the presense of a domain master browser that makes
subnet. It is the presence of a domain master browser that makes
cross subnet browsing possible for a workgroup.
</p><p>
In an WORKGROUP environment the domain master browser must be a
@ -261,22 +260,22 @@ Samba server, and there must only be one domain master browser per
workgroup name. To set up a Samba server as a domain master browser,
set the following option in the <i class="parameter"><tt>[global]</tt></i> section
of the <tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
domain master = yes
</pre><ns14:p>
</ns14:p><p>
</pre><p>
</p><p>
The domain master browser should also preferrably be the local master
browser for its own subnet. In order to achieve this set the following
options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
domain master = yes
local master = yes
preferred master = yes
os level = 65
</pre><ns14:p>
</ns14:p><p>
</pre><p>
</p><p>
The domain master browser may be the same machine as the WINS
server, if you require.
</p><p>
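Review bot: replacing the "ns14:p" elements with plain "p" around each programlisting in this hunk leaves an empty paragraph before and after every listing (a "p" opened and closed with only a newline inside), which renders as stray vertical space. The source should keep the programlisting outside the para, or the stylesheet should drop empty paras, rather than emitting them. The context line "should also preferrably be the local master browser" also keeps the misspelling "preferrably".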
@ -288,14 +287,14 @@ tend to get rebooted more often, so it's not such a good idea
to use these). To make a Samba server a local master browser
set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
<tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
domain master = no
local master = yes
preferred master = yes
os level = 65
</pre><ns14:p>
</ns14:p><p>
</pre><p>
</p><p>
Do not do this for more than one Samba server on each subnet,
or they will war with each other over which is to be the local
master browser.
@ -310,18 +309,18 @@ be the local master browser then you can disable Samba from
becoming a local master browser by setting the following
options in the <i class="parameter"><tt>[global]</tt></i> section of the
<tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
domain master = no
local master = no
preferred master = no
os level = 0
</pre><ns14:p>
</ns14:p></div><div xmlns:ns15="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902592"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904541"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a Domain
name is also the Domain master browser for that name, and many
By default, a Windows NT Primary Domain Controller for a domain
is also the Domain master browser for that domain, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i>&lt;1B&gt;)
with WINS instead of the PDC.
@ -331,20 +330,20 @@ you may set up Samba servers as local master browsers as
described. To make a Samba server a local master browser set
the following options in the <b class="command">[global]</b> section
of the <tt class="filename">smb.conf</tt> file :
</p><ns15:p>
</ns15:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
domain master = no
local master = yes
preferred master = yes
os level = 65
</pre><ns15:p>
</ns15:p><p>
</pre><p>
</p><p>
If you wish to have a Samba server fight the election with machines
on the same subnet you may set the <i class="parameter"><tt>os level</tt></i> parameter
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing samba to be the master">
Forcing samba to be the master browser</a>
more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to be the master">
Forcing Samba to be the master browser</a>
below.
</p><p>
If you have Windows NT machines that are members of the domain
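Review bot: in the cross-reference near the end of this hunk, the link title is "Forcing Samba to be the master" while the link text is "Forcing Samba to be the master browser". Pick one form and use it for the section title as well, so the reference text matches the heading it points to.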
@ -353,14 +352,14 @@ you can disable Samba from taking part in browser elections and
ever becoming a local master browser by setting following options
in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
file :
</p><ns15:p>
</ns15:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
domain master = no
local master = no
preferred master = no
os level = 0
</pre><ns15:p>
</ns15:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing samba to be the master</h3></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p>
Who becomes the <i class="parameter"><tt>master browser</tt></i> is determined by an election
process using broadcasts. Each election packet contains a number of parameters
which determine what precedence (bias) a host should have in the
@ -375,48 +374,48 @@ samba systems!)
A <i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows
NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
</p><p>The maximum os level is 255</p><p>
If you want samba to force an election on startup, then set the
If you want Samba to force an election on startup, then set the
<i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are windows 95 or NT or
samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to
care, as if you have two hosts (whether they are Windows 95 or NT or
Samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to
<tt class="constant">yes</tt>, then periodically and continually they will force an election
in order to become the local master browser.
</p><p>
If you want samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is
If you want Samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is
recommended that you also set <i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
samba will not become a domain master browser for the whole of your
Samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
</p><p>
It is possible to configure two samba servers to attempt to become
It is possible to configure two Samba servers to attempt to become
the domain master browser for a domain. The first server that comes
up will be the domain master browser. All other samba servers will
up will be the domain master browser. All other Samba servers will
attempt to become the domain master browser every 5 minutes. They
will find that another samba server is already the domain master
will find that another Samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902857"></a>Making samba the domain master</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904811"></a>Making Samba the domain master</h3></div></div><div></div></div><p>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
make samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i>
make Samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i>
in <tt class="filename">smb.conf</tt>. By default it will not be a domain master.
</p><p>
Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a
workgroup that has the same name as an NT Domain.
</p><p>
When samba is the domain master and the master browser it will listen
When Samba is the domain master and the master browser, it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.
</p><p>
If you want samba to be the domain master then I suggest you also set
If you want Samba to be the domain master then I suggest you also set
the <i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set
<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get samba to force an election on
<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on
startup.
</p><p>
Note that all your servers (including samba) and clients should be
Note that all your servers (including Samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:
</p><div class="orderedlist"><ol type="1"><li><p>
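Review bot: the capitalisation pass in this hunk leaves several defects in the surrounding context untouched: "A os level of 2" should be "An os level of 2", "The maximum os level is 255" has no closing full stop, and "then I suggest you also set the os level high enough" is first person in what is otherwise reference text. These are worth fixing in the source in the same pass, since the paragraph on two hosts both set to preferred master = yes is the one administrators will read when diagnosing repeated elections.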
@ -427,11 +426,11 @@ using broadcasting to resolve NetBIOS names, then two things will occur:
a user attempts to access a host in that list, it will be unable to
resolve the NetBIOS name of that host.
</p></li></ol></div><p>
If, however, both samba and your clients are using a WINS server, then:
If, however, both Samba and your clients are using a WINS server, then:
</p><div class="orderedlist"><ol type="1"><li><p>
your local master browsers will contact the WINS server and, as long as
samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive samba's ip address
Samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive Samba's IP address
as its domain master browser.
</p></li><li><p>
when a client receives a domain-wide browse list, and a user attempts
@ -439,37 +438,37 @@ If, however, both samba and your clients are using a WINS server, then:
resolve the NetBIOS name of that host. as long as that host has
registered its NetBIOS name with the same WINS server, the user will
be able to see that host.
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906252"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904967"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
If your network uses a &quot;0&quot; based broadcast address (for example if it
ends in a 0) then you will strike problems. Windows for Workgroups
does not seem to support a 0's broadcast and you will probably find
that browsing and name lookups won't work.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906270"></a>Multiple interfaces</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904984"></a>Multiple interfaces</h3></div></div><div></div></div><p>
Samba now supports machines with multiple network interfaces. If you
have multiple interfaces then you will need to use the <b class="command">interfaces</b>
option in <tt class="filename">smb.conf</tt> to configure them.
</p></div><div xmlns:ns16="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906299"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><ns16:p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905013"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>remote announce</tt></i> parameter of
<tt class="filename">smb.conf</tt> can be used to forcibly ensure
that all the NetBIOS names on a network get announced to a remote network.
The syntax of the <i class="parameter"><tt>remote announce</tt></i> parameter is:
</ns16:p><pre class="programlisting">
</p><pre class="programlisting">
remote announce = a.b.c.d [e.f.g.h] ...
</pre><ns16:p>
_or_
</ns16:p><pre class="programlisting">
</pre><p>
<span class="emphasis"><em>or</em></span>
</p><pre class="programlisting">
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
</pre><ns16:p>
</pre><p>
where:
</ns16:p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
</p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
<i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>is either the LMB (Local Master Browser) IP address
or the broadcst address of the remote network.
or the broadcast address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
address of the remote network every host will receive
address of the remote network, every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup
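Review bot: the first context line of this hunk reads "resolve the NetBIOS name of that host. as long as that host has", with a lowercase sentence start after the full stop. It is left unchanged while the rest of the hunk fixes "broadcst" and adds a comma, so it should be corrected in the source too. In the remote announce description, "ie: the LMB is at 192.168.1.10" would read better as "for example", since the addresses are illustrations and not a restatement.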
@ -478,28 +477,28 @@ workgroup name of the remote network then our
NetBIOS machine names will end up looking like
they belong to that workgroup, this may cause
name resolution problems and should be avoided.
</p></dd></dl></div><ns16:p>
</ns16:p></div><div xmlns:ns17="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906403"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
</p></dd></dl></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905122"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>remote browse sync</tt></i> parameter of
<tt class="filename">smb.conf</tt> is used to announce to
another LMB that it must synchronise it's NetBIOS name list with our
another LMB that it must synchronise its NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
simultaneously the LMB on it's network segment.
</p><ns17:p>
simultaneously the LMB on its network segment.
</p><p>
The syntax of the <i class="parameter"><tt>remote browse sync</tt></i> parameter is:
</ns17:p><pre class="programlisting">
</p><pre class="programlisting">
remote browse sync = <i class="replaceable"><tt>a.b.c.d</tt></i>
</pre><ns17:p>
</pre><p>
where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
remote LMB or else is the network broadcast address of the remote segment.
</ns17:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906464"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905183"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers its name together with a
name_type value for each of of several types of service it has available.
name_type value for each of several types of service it has available.
eg: It registers its name directly as a unique (the type 0x03) name.
It also registers its name if it is running the lanmanager compatible
It also registers its name if it is running the LanManager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.
</p><p>
@ -514,7 +513,7 @@ that wants to log onto the network can ask the WINS server for a list
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
information can only be provided via WINS _or_ via statically configured
information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured
<tt class="filename">lmhosts</tt> files that must reside on all clients in the
absence of WINS.
</p><p>
@ -545,16 +544,16 @@ Never use both <i class="parameter"><tt>wins support = yes</tt></i> together
with <i class="parameter"><tt>wins server = a.b.c.d</tt></i>
particularly not using it's own IP address.
Specifying both will cause <span class="application">nmbd</span> to refuse to start!
</p></div><div xmlns:ns18="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906615"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905341"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
Either a Samba machine or a Windows NT Server machine may be set up
as a WINS server. To set a Samba machine to be a WINS server you must
add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine :
in the <i class="parameter"><tt>[globals]</tt></i> section add the line
</p><ns18:p>
</ns18:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
wins support = yes
</pre><ns18:p>
</ns18:p><p>
</pre><p>
</p><p>
Versions of Samba prior to 1.9.17 had this parameter default to
yes. If you have any older versions of Samba on your network it is
strongly suggested you upgrade to a recent version, or at the very
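Review bot: the unchanged line "in the [globals] section add the line" names the section "[globals]", while every other reference in this chapter, and smb.conf itself, uses "[global]". A reader who copies the name literally puts wins support = yes in a section Samba does not treat as global, so the source should be corrected. The first context line also keeps "particularly not using it's own IP address", although the same commit fixes "it's" to "its" in the remote browse sync section.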
@ -563,7 +562,7 @@ least set the parameter to 'no' on all these machines.
Machines with <i class="parameter"><tt>wins support = yes</tt></i> will keep a list of
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
</p><p>
You should set up only ONE wins server. Do NOT set the
You should set up only ONE WINS server. Do NOT set the
<i class="parameter"><tt>wins support = yes</tt></i> option on more than one Samba
server.
</p><p>
@ -571,7 +570,7 @@ To set up a Windows NT Server as a WINS server you need to set up
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
refuse to document these replication protocols Samba cannot currently
refuses to document these replication protocols, Samba cannot currently
participate in these replications. It is possible in the future that
a Samba-&gt;Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
@ -586,11 +585,11 @@ the <span class="guilabel">Control Panel-&gt;Network-&gt;Protocols-&gt;TCP-&gt;W
in Windows 95 or Windows NT. To tell a Samba server the IP address
of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
all <tt class="filename">smb.conf</tt> files :
</p><ns18:p>
</ns18:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
wins server = &lt;name or IP address&gt;
</pre><ns18:p>
</ns18:p><p>
</pre><p>
</p><p>
where &lt;name or IP address&gt; is either the DNS name of the WINS server
machine or its IP address.
</p><p>
@ -605,22 +604,45 @@ The first details setting up cross subnet browsing on a network containing
Windows 95, Samba and Windows NT machines that are not configured as
part of a Windows NT Domain. The second details setting up cross subnet
browsing on networks that contain NT Domains.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906810"></a>WINS Replication</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905540"></a>WINS Replication</h3></div></div><div></div></div><p>
Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
This tool is not currently capable of being used as it is still in active development.
As soon as this tool becomes moderately functional we will prepare man pages and enhance this
section of the documentation to provide usage and technical details.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906835"></a>Static WINS Entries</h3></div></div><div></div></div><p>
New to Samba-3 is a tool called <b class="command">winsedit</b> that may be used to add
static WINS entries to the WINS database. This tool can be used also to modify entries
existing in the WINS database.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905565"></a>Static WINS Entries</h3></div></div><div></div></div><p>
Adding static entries to your Samba-3 WINS server is actually fairly easy.
All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
located in <tt class="filename">/usr/local/samba/var/locks</tt>.
</p><p>
The development of the winsedit tool was made necessary due to the migration
of the older style wins.dat file into a new tdb binary backend data store.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906866"></a>Helpful Hints</h2></div></div><div></div></div><p>
Entries in <tt class="filename">wins.dat</tt> take the form of
</p><pre class="programlisting">
&quot;NAME#TYPE&quot; TTL ADDRESS+ FLAGS
</pre><p>
where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
time-to-live as an absolute time in seconds, ADDRESS+ is one or more
addresses corresponding to the registration and FLAGS are the NetBIOS
flags for the registration.
</p><p>
A typical dynamic entry looks like:
</p><pre class="programlisting">
&quot;MADMAN#03&quot; 1055298378 192.168.1.2 66R
</pre><p>
To make it static, all that has to be done is set the TTL to 0:
</p><pre class="programlisting">
&quot;MADMAN#03&quot; 0 192.168.1.2 66R
</pre><p>
</p><p>
Though this method works with early Samba-3 versions, there's a
possibility that it may change in future versions if WINS replication
is added.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905650"></a>Helpful Hints</h2></div></div><div></div></div><p>
The following hints should be carefully considered as they are stumbling points
for many new network administrators.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906879"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905663"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Do NOT use more than one (1) protocol on MS Windows machines
</p></div><p>
A very common cause of browsing problems results from installing more than
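Review bot: the new "Static WINS Entries" text tells the reader to add a line to wins.dat by hand but does not say whether nmbd must be stopped first or restarted afterwards for the TTL 0 entry to be kept, and it never explains the FLAGS field beyond naming it (the "66R" in the example). Both should be documented, along with who is expected to have write access to the file, since an entry with TTL 0 pins a NetBIOS name to an address. This hunk also replaces the winsedit paragraphs outright, which is a content change and not a regeneration artefact, so the commit message "regenerate docs" should mention it or point to the source change.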
@ -628,7 +650,7 @@ one protocol on an MS Windows machine.
</p><p>
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precidence for winning this election process. A machine running Samba or
of precedence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.
</p><p>
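Review bot: the hunk corrects "precidence" but leaves "win and thus retain it's role" two lines below, where the possessive should be "its". The same error is fixed elsewhere in this commit (the remote browse sync section), so the source for this paragraph was missed.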
@ -650,29 +672,32 @@ differently from MS Windows NT4. Generally, where a server does NOT support
the newer or extended protocol, these will fall back to the NT4 protocols.
</em></span></p><p>
The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
</p></div><div xmlns:ns19="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906946"></a>Name Resolution Order</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905730"></a>Name Resolution Order</h3></div></div><div></div></div><p>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
are:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p>
Alternative means of name resolution includes:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><ns19:p>
are:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p>
Alternative means of name resolution includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><p>
Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The &quot;name resolve order&quot; parameter is of great help here.
The syntax of the &quot;name resolve order&quot; parameter is:
</ns19:p><pre class="programlisting">
resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is
of great help here. The syntax of the <i class="parameter"><tt>name resolve order</tt></i>
parameter is:
</p><pre class="programlisting">
name resolve order = wins lmhosts bcast host
</pre><ns19:p>
_or_
</ns19:p><pre class="programlisting">
</pre><p>
<span class="emphasis"><em>or</em></span>
</p><pre class="programlisting">
name resolve order = wins lmhosts (eliminates bcast and host)
</pre><ns19:p>
</pre><p>
The default is:
</ns19:p><pre class="programlisting">
name resolve order = host lmhost wins bcast
</pre><ns19:p>
</p><pre class="programlisting">
name resolve order = host lmhost wins bcast
</pre><p>
where &quot;host&quot; refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>.
</ns19:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907067"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905867"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
SMB networking provides a mechanism by which clients can access a list
of machines in a network, a so-called <i class="parameter"><tt>browse list</tt></i>. This list
contains machines that are ready to offer file and/or print services
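Review bot: the default shown as "name resolve order = host lmhost wins bcast" is only re-indented here and still uses "lmhost", while the two syntax examples above it use "lmhosts"; the listing should use the same keyword as the examples, and the stated default order should be checked against the smb.conf man page while the source is open. The second example also places the remark "(eliminates bcast and host)" inside the programlisting, where it will be copied as part of the parameter value; move it into the surrounding text. Remaining typos in the context lines: "to follow it this" and "refers the the native methods".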
@ -683,7 +708,7 @@ browsing has been problematic for some Samba users, hence this
document.
</p><p>
MS Windows 2000 and later, as with Samba 3 and later, can be
configured to not use NetBIOS over TCP/IP. When configured this way
configured to not use NetBIOS over TCP/IP. When configured this way,
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
configured and operative. Browsing will NOT work if name resolution
from SMB machine names to IP addresses does not function correctly.
@ -692,7 +717,7 @@ Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
WINS allows remote segment clients to obtain NetBIOS name_type information
that can NOT be provided by any other means of name resolution.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907113"></a>Browsing support in samba</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905914"></a>Browsing support in Samba</h3></div></div><div></div></div><p>
Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
Samba can act as a local browse master for a workgroup and the ability
@ -702,7 +727,7 @@ Samba can also act as a domain master browser for a workgroup. This
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
both samba and your clients use a WINS server.
both Samba and your clients use a WINS server.
</p><p>
Note that you should NOT set Samba to be the domain master for a
workgroup that has the same name as an NT Domain: on each wide area
@ -711,11 +736,11 @@ regardless of whether it is NT, Samba or any other type of domain master
that is providing this service.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Nmbd can be configured as a WINS server, but it is not
necessary to specifically use samba as your WINS server. MS Windows
necessary to specifically use Samba as your WINS server. MS Windows
NT4, Server or Advanced Server 2000 or 2003 can be configured as
your WINS server. In a mixed NT/2000/2003 server and samba environment on
your WINS server. In a mixed NT/2000/2003 server and Samba environment on
a Wide Area Network, it is recommended that you use the Microsoft
WINS server capabilities. In a samba-only environment, it is
WINS server capabilities. In a Samba-only environment, it is
recommended that you use one and only one Samba server as your WINS server.
</p></div><p>
To get browsing to work you need to run nmbd as usual, but will need
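Review bot: The note still opens with "Nmbd can be configured as a WINS server" while this hunk normalizes the product name to "Samba" on the lines below it. The daemon is written as nmbd in application markup in the "Browsing support in Samba" paragraph, so use the same lowercase, marked-up form here.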
@ -727,8 +752,8 @@ browsing on another subnet. It is recommended that this option is only
used for 'unusual' purposes: announcements over the internet, for
example. See <i class="parameter"><tt>remote announce</tt></i> in the
<tt class="filename">smb.conf</tt> man page.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907220"></a>Problem resolution</h3></div></div><div></div></div><p>
If something doesn't work then hopefully the log.nmb file will help
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906021"></a>Problem resolution</h3></div></div><div></div></div><p>
If something doesn't work then hopefully the log.nmbd file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called <tt class="filename">browse.dat</tt>.
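Review bot: The corrected file name "log.nmbd" is plain text, while browse.dat two lines further down carries filename markup. Mark up log.nmbd the same way in the source so both file names render consistently.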
@ -752,15 +777,13 @@ server resources.
The other big problem people have is that their broadcast address,
netmask or IP address is wrong (specified with the &quot;interfaces&quot; option
in <tt class="filename">smb.conf</tt>)
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907300"></a>Browsing across subnets</h3></div></div><div></div></div><p>
Since the release of Samba 1.9.17(alpha1) Samba has been
updated to enable it to support the replication of browse lists
across subnet boundaries. New code and options have been added to
achieve this. This section describes how to set this feature up
in different settings.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906100"></a>Browsing across subnets</h3></div></div><div></div></div><p>
Since the release of Samba 1.9.17(alpha1), Samba has supported the
replication of browse lists across subnet boundaries. This section
describes how to set this feature up in different settings.
</p><p>
To see browse lists that span TCP/IP subnets (ie. networks separated
by routers that don't pass broadcast traffic) you must set up at least
by routers that don't pass broadcast traffic), you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
@ -775,16 +798,16 @@ be they Windows 95, Windows NT, or Samba servers must have the IP address
of a WINS server given to them by a DHCP server, or by manual configuration
(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
settings) for Samba this is in the <tt class="filename">smb.conf</tt> file.
</p><div xmlns:ns20="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907350"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906150"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
Cross subnet browsing is a complicated dance, containing multiple
moving parts. It has taken Microsoft several years to get the code
that achieves this correct, and Samba lags behind in some areas.
Samba is capable of cross subnet browsing when configured correctly.
</p><p>
Consider a network set up as follows :
</p><ns20:p>
</p><p>
</ns20:p><pre class="programlisting">
</p><pre class="programlisting">
(DMB)
N1_A N1_B N1_C N1_D N1_E
| | | | |
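Review bot: Dropping the ns20 namespace still leaves an empty paragraph in the output: the new lines emit an opening p tag, immediately close it, and only then open the programlisting pre. This points to the listing being wrapped in a para in the DocBook source; moving it out of the para would remove the empty element instead of just renaming it. The heading "How does cross subnet browsing work ?" and "as follows :" also keep a space before the punctuation.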
@ -799,8 +822,8 @@ Consider a network set up as follows :
| | | | | | | |
N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
(WINS)
</pre><ns20:p>
</ns20:p><p>
</pre><p>
</p><p>
Consisting of 3 subnets (1, 2, 3) connected by two routers
(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
@ -841,9 +864,9 @@ called 'non-authoritative'.
At this point the browse lists look as follows (these are
the machines you would see in your network neighborhood if
you looked in it on a particular network right now).
</p><ns20:p>
</ns20:p><div class="table"><a name="id2907465"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><ns20:p>
</ns20:p><p>
</p><p>
</p><div class="table"><a name="id2906267"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
</p><p>
Note that at this point all the subnets are separate, no
machine is seen across any of the subnets.
</p><p>
@ -863,11 +886,11 @@ names it knows about. Once the domain master browser receives
the MasterAnnouncement packet it schedules a synchronization
request to the sender of that packet. After both synchronizations
are done the browse lists look like :
</p><ns20:p>
</ns20:p><div class="table"><a name="id2907576"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><ns20:p>
</p><p>
</p><div class="table"><a name="id2906382"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
Servers with a (*) after them are non-authoritative names.
</ns20:p><p>
</p><p>
At this point users looking in their network neighborhood on
subnets 1 or 2 will see all the servers on both, users on
subnet 3 will still only see the servers on their own subnet.
@ -878,24 +901,24 @@ synchronizes browse lists with the domain master browser (N1_A)
it gets both the server entries on subnet 1, and those on
subnet 2. After N3_D has synchronized with N1_C and vica-versa
the browse lists look like.
</p><ns20:p>
</ns20:p><div class="table"><a name="id2907675"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><ns20:p>
</p><p>
</p><div class="table"><a name="id2906481"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
Servers with a (*) after them are non-authoritative names.
</ns20:p><p>
</p><p>
At this point users looking in their network neighborhood on
subnets 1 or 3 will see all the servers on all sunbets, users on
subnets 1 or 3 will see all the servers on all subnets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
</p><p>
Finally, the local master browser for subnet 2 (N2_B) will sync again
with the domain master browser (N1_C) and will recieve the missing
with the domain master browser (N1_C) and will receive the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :
</p><ns20:p>
</ns20:p><div class="table"><a name="id2907775"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><ns20:p>
</p><p>
</p><div class="table"><a name="id2906581"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
Servers with a (*) after them are non-authoritative names.
</ns20:p><p>
</p><p>
Synchronizations between the domain master browser and local
master browsers will continue to occur, but this should be a
steady state situation.
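Review bot: The domain master browser is named inconsistently in this hunk: the context in the hunk header says "the domain master browser (N1_A)", while the corrected line says "the domain master browser (N1_C)" and the tables list N1_C as the browse master for Subnet1. Settle on one name in the source. The spelling fixes here also miss "vica-versa" in "After N3_D has synchronized with N1_C and vica-versa".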
@ -913,13 +936,13 @@ If either router R1 or R2 fails the following will occur:
be able to access servers on its local subnet, by using subnet-isolated
broadcast NetBIOS name resolution. The effects are similar to that of
losing access to a DNS server.
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907917"></a>Common Errors</h2></div></div><div></div></div><p>
Many questions are sked on the mailing lists regarding browsing. The majority of browsing
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906720"></a>Common Errors</h2></div></div><div></div></div><p>
Many questions are asked on the mailing lists regarding browsing. The majority of browsing
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
particular note.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907932"></a>How can one flush the Samba NetBIOS name cache without restarting samba?</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906735"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p>
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
safe to restart nmbd. This will effectively flush the samba NetBIOS name cache and cause it
safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
in the browse list. When nmbd is taken out of service another machine on the network will
become the browse master. This new list may still have the rogue entry in it. If you really
@ -927,7 +950,7 @@ want to clear a rogue machine from the list then every machine on the network wi
shut down and restarted at after all machines are down. Failing a complete restart, the only
other thing you can do is wait until the entry times out and is then flushed from the list.
This may take a long time on some networks (months).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907960"></a>My client reports &quot;This server is not configured to list shared resources&quot;</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906764"></a>My client reports &quot;This server is not configured to list shared resources&quot;</h3></div></div><div></div></div><p>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
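Review bot: The context line "shut down and restarted at after all machines are down" is garbled ("at after") and sits in the paragraph this hunk already touches for capitalization. Reword it in the source so the procedure for clearing a rogue browse entry reads unambiguously.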

View File

@ -1,9 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. 
Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3013323">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3013394">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013401">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3013017">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3013077">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013174">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3012636">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3012726">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3012756">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3012802">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3012831">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3012849">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3012895">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013925">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013949">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3014059">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013323"></a>Macintosh clients?</h2></div></div><div></div></div><p>
Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now have a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. 
Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015663"></a>Macintosh clients?</h2></div></div><div></div></div><p>
Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
</p><p>
They test it against Windows 95, Windows NT and samba for
compatibility issues. At the time of writing, DAVE was at version
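Review bot: "They test it against Windows 95, Windows NT and samba" in the trailing context keeps the lowercase product name, directly below the line corrected to "Thursby now has". Capitalize it in the source so this chapter matches the "Samba" spelling applied elsewhere in this commit.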
@ -12,17 +11,17 @@ the Thursby web site (the speed of finder copies has been greatly
enhanced, and there are bug-fixes included).
</p><p>
Alternatives - There are two free implementations of AppleTalk for
several kinds of UNIX machnes, and several more commercial ones.
several kinds of UNIX machines, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
the Macintosh. The two free omplementations are
the Macintosh. The two free implementations are
<a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and
<a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>.
What Samba offers MS
Windows users, these packages offer to Macs. For more info on these
packages, Samba, and Linux (and other UNIX-based systems) see
<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013394"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013401"></a>How can I configure OS/2 Warp Connect or
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017016"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017023"></a>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</h3></div></div><div></div></div><p>A more complete answer to this question can be
found on <a href="http://carol.wins.uva.nl/~leeuw/samba/warp.html" target="_top">
http://carol.wins.uva.nl/~leeuw/samba/warp.html</a>.</p><p>Basically, you need three components:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The File and Print Client ('IBM Peer')</td></tr><tr><td>TCP/IP ('Internet support') </td></tr><tr><td>The &quot;NetBIOS over TCP/IP&quot; driver ('TCPBEUI')</td></tr></table><p>Installing the first two together with the base operating
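Review bot: The section title on the changed line is "OS2 Client" while the subsection title on the same line, and the table of contents entries, write "OS/2". Rename the section to "OS/2 Client" in the source while these headings are being regenerated.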
@ -40,7 +39,7 @@ packages, Samba, and Linux (and other UNIX-based systems) see
to the &quot;Names List&quot;, or specify a WINS server ('NetBIOS
Nameserver' in IBM and RFC terminology). For Warp Connect you
may need to download an update for 'IBM Peer' to bring it on
the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013017"></a>How can I configure OS/2 Warp 3 (not Connect),
the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017102"></a>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client
for OS/2 from
<a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
@ -58,7 +57,7 @@ packages, Samba, and Linux (and other UNIX-based systems) see
or NS2000 driver from
<a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013077"></a>How do I get printer driver download working
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017164"></a>How do I get printer driver download working
for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
world-readable. Copy your OS/2 driver files there. Note
that the .EA_ files must still be separate, so you will need
@ -75,8 +74,8 @@ packages, Samba, and Linux (and other UNIX-based systems) see
you the driver is not available. On the second attempt, it
will work. This is fixed simply by adding the device name
to the mapping, after which it will work on the first attempt.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013174"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012636"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from microsoft if you use Windows
for workgroups.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017260"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017268"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
for Workgroups.
</p><p>The early TCP/IP stacks had lots of bugs.</p><p>
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
VxD drivers. The latest release can be found on their ftp site at
@ -90,7 +89,7 @@ fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
<tt class="filename">TRACERT.EXE</tt>,
<tt class="filename">NETSTAT.EXE</tt>, and
<tt class="filename">NBTSTAT.EXE</tt>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012726"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017357"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
WfWg does a lousy job with passwords. I find that if I change my
password on either the unix box or the PC the safest thing to do is to
delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
@ -99,7 +98,7 @@ If you don't do this you may find that WfWg remembers and uses the old
password, even if you told it a new one.
</p><p>
Often WfWg will totally ignore a password you give it in a dialog box.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012756"></a>Configure WfW password handling</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017388"></a>Configure WfW password handling</h3></div></div><div></div></div><p>
There is a program call admincfg.exe
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
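Review bot: "There is a program call admincfg.exe" in the context should read "called", and the product abbreviation varies within a few lines: "WfW" in the heading, "WFW 3.11" in the body, and "WfWg" in the preceding section. Pick one form in the source. admincfg.exe is also plain text here while the EXPAND command next to it is marked up.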
@ -107,22 +106,22 @@ Then add an icon
for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
This program allows you to control how WFW handles passwords. ie disable Password Caching etc
for use with <i class="parameter"><tt>security = user</tt></i>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012802"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012831"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017433"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017464"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
that you have to use TCP/IP as the default protocol under
WfWg. For some reason if you leave Netbeui as the default
WfWg. For some reason if you leave NetBEUI as the default
it may break the print queue reporting on some systems.
It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012849"></a>Speed improvement</h3></div></div><div></div></div><p>
It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017481"></a>Speed improvement</h3></div></div><div></div></div><p>
Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
<tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a
big improvement. I don't know why.
</p><p>
My own experience wth DefaultRcvWindow is that I get much better
My own experience with DefaultRcvWindow is that I get much better
performance with a large value (16384 or larger). Other people have
reported that anything over 3072 slows things down enourmously. One
reported that anything over 3072 slows things down enormously. One
person even reported a speed drop of a factor of 30 when he went from
3072 to 8192. I don't know why.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012895"></a>Windows '95/'98</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017528"></a>Windows '95/'98</h2></div></div><div></div></div><p>
When using Windows 95 OEM SR2 the following updates are recommended where Samba
is being used. Please NOTE that the above change will affect you once these
updates have been installed.
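Review bot: In the Windows '95/'98 paragraph at the end of this hunk, "Please NOTE that the above change will affect you once these updates have been installed" refers to a change that the section never describes, so the reader cannot tell what is affected. Since these lines are being regenerated anyway, the DocBook source should either name the change or drop the sentence. The same applies to "ie disable Password Caching etc for use with security = user" a few lines up, which does not say which admincfg settings are meant.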
@ -131,16 +130,16 @@ There are more updates than the ones mentioned here. You are referred to the
Microsoft Web site for all currently available updates to your specific version
of Windows 95.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
Also, if using <span class="application">MS OutLook</span> it is desirable to
Also, if using <span class="application">MS Outlook</span> it is desirable to
install the <b class="command">OLEUPD.EXE</b> fix. This
fix may stop your machine from hanging for an extended period when exiting
OutLook and you may also notice a significant speedup when accessing network
Outlook and you may also notice a significant speedup when accessing network
neighborhood services.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013925"></a>Speed improvement</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017601"></a>Speed improvement</h3></div></div><div></div></div><p>
Configure the win95 TCPIP registry settings to give better
performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the
net. There are various other utilities of this type freely available.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013949"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017625"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
There are several annoyances with Windows 2000 SP2. One of which
only appears when using a Samba server to host user profiles
to Windows 2000 SP2 clients in a Windows domain. This assumes
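Review bot: The Windows '95/'98 "Speed improvement" paragraph still recommends "a program called MTUSPEED.exe which I got off the net" without naming a source or the TCP/IP registry settings it changes. A regenerated manual is a good moment to replace this in the source with the actual registry values to tune, or to remove it, rather than point administrators at an unattributed binary. The OutLook to Outlook spelling fix in the same hunk looks fine.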
@ -181,7 +180,7 @@ the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes
</p><p><span class="emphasis"><em>DOMAIN\user &quot;Full Control&quot;</em></span>&gt;</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014059"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017736"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q103765" target="_top">this Microsoft Knowledge Base article</a>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html>
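Review bot: The line showing the default ACL ends with a stray "&gt;" after the closing span (DOMAIN\user "Full Control" followed by a literal ">"), so the rendered page prints an extra ">" after the ACL entry. That looks like a leftover character in the DocBook source and should be fixed there, because regenerating the HTML will keep reproducing it.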

View File

@ -1,12 +1,11 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Manangement"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. 
System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2981730">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2981782">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2981893">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2981442">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2981575">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2983019">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2983120">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2983140">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2983161">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2983205">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2983352">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2983366">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. 
System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2984380">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2984435">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986217">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2986312">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2986445">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986697">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986798">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2986819">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2986839">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986883">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2987030">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2987044">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
This chapter summarises the current state of knowledge derived from personal
practice and knowledge from samba mailing list subscribers. Before reproduction
of posted information effort has been made to validate the information provided.
Where additional information was uncovered through this validation it is provided
also.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981730"></a>Features and Benefits</h2></div></div><div></div></div><p>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implmement
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984380"></a>Features and Benefits</h2></div></div><div></div></div><p>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of &quot;booboos&quot;
(or mistakes) administrators made and then requested help to resolve.
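Review bot: Every section anchor in the table of contents changes here (for example id2981730 becomes id2984380) only because the stylesheet auto-generates them, which breaks any external deep link into this chapter on each regeneration and accounts for much of the churn in this diff. Giving the sections explicit ids in the DocBook source, as the chapter itself already has with "PolicyMgmt", would keep the anchors stable. Separately, "Group Policies for users and group" in the trailing context should read "groups".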
@ -26,7 +25,7 @@ network client workstations.
</p><p>
A tool new to Samba-3 may become an important part of the future Samba Administrators'
arsenal. The <b class="command">editreg</b> tool is described in this document.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981782"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984435"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
Under MS Windows platforms, particularly those following the release of MS Windows
NT4 and MS Windows 95) it is possible to create a type of file that would be placed
in the NETLOGON share of a domain controller. As the client logs onto the network
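Review bot: In the first paragraph under "Creating and Managing System Policies", "particularly those following the release of MS Windows NT4 and MS Windows 95) it is possible" has a closing parenthesis with no opening one. The source should open the parenthesis before "particularly" or drop the stray ")". This hunk also says the editreg tool "is described in this document", which the document should then actually do.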
@ -37,7 +36,7 @@ affect users, groups of users, or machines.
For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may
be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
dissappeared again with the introduction of MS Windows Me (Millenium Edition). From
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
comments from MS Windows network administrators it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</p><p>
@ -61,7 +60,7 @@ be read and understood. Try searching on the Microsoft web site for &quot;Group
</p><p>
What follows is a very brief discussion with some helpful notes. The information provided
here is incomplete - you are warned.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981893"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986217"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
It can be found on the Original full product Win98 installation CD under
<tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the
@ -87,7 +86,7 @@ here is incomplete - you are warned.
<tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
if Win98 picks up group policies. Unfortunately this needs to be done on every
Win9x/Me machine that uses group policies.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981442"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986312"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server
but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4
@ -108,14 +107,14 @@ here is incomplete - you are warned.
be extracted as well. It is also possible to downloaded the policy template
files for Office97 and get a copy of the policy editor. Another possible
location is with the Zero Administration Kit available for download from Microsoft.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981551"></a>Registry Spoiling</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986421"></a>Registry Spoiling</h4></div></div><div></div></div><p>
With NT4 style registry based policy changes, a large number of settings are not
automatically reversed as the user logs off. Since the settings that were in the
NTConfig.POL file were applied to the client machine registry and that apply to the
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
as tattooing. It can have serious consequences down-stream and the administrator must
be extremely careful not to lock out the ability to manage the machine at a later date.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981575"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986445"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
Windows NT4 System policies allows setting of registry parameters specific to
users, groups and computers (client workstations) that are members of the NT4
style domain. Such policy file will work with MS Windows 2000 / XP clients also.
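Review bot: The "Registry Spoiling" paragraph contains a sentence that does not parse: "Since the settings that were in the NTConfig.POL file were applied to the client machine registry and that apply to the hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed." This is the one place the text warns about locking administrators out of a machine, so it should be stated cleanly, for example that settings from NTConfig.POL written under HKEY_LOCAL_MACHINE stay in the client registry until explicitly reversed. The heading says "Spoiling" while the body says "tattooing"; pick one term or introduce both. "It is also possible to downloaded" at the top of the hunk should be "download".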
@ -149,10 +148,10 @@ here is incomplete - you are warned.
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network the user specific part
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
exists with NT4 style policy files.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981675"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986546"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
<span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
@ -169,16 +168,16 @@ here is incomplete - you are warned.
</p></li></ol></div><p>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The later introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files, for that
the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
use this powerful tool. Please refer to the resource kit manuals for specific usage information.
</p></div></div></div></div><div xmlns:ns79="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983019"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986697"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
Policies can define a specific user's settings or the settings for a group of users. The resulting
policy file contains the registry settings for all users, groups, and computers that will be using
the policy file. Separate policy files for each user, group, or computer are not not necessary.
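Review bot: The spelling pass in this hunk fixes "interchangible" and "adminsitrator" but leaves two errors in the same paragraphs: "The later introduces many new features" should be "The latter", and the last context line reads "are not not necessary" with a doubled "not". Both should be corrected in the DocBook source so the next regeneration does not carry them forward.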
@ -197,48 +196,48 @@ applied to the user's part of the registry.
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
</p><p>
In addition to user access controls that may be imposed or applied via system and/or group policies
in a manner that works in conjunction with user profiles, the user management environment under
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
Common restrictions that are frequently used includes:
</p><ns79:p>
</ns79:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><ns79:p>
</ns79:p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983120"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
</p><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986798"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
Describe in detail the benefits of <b class="command">editreg</b> and how to use it.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983140"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986819"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
&quot;snap-ins&quot;, the registry editor, and potentially also the NT4 System and Group Policy Editor.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983161"></a>Samba PDC</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986839"></a>Samba PDC</h3></div></div><div></div></div><p>
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
<b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
The administrator should read the
man pages for these tools and become familiar with their use.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983205"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986883"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
The following attempts to document the order of processing of system and user policies following a system
reboot and as part of the user logon:
</p><div class="orderedlist"><ol type="1"><li><p>
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
Convention Provider (MUP) start
</p></li><li xmlns:ns80=""><ns80:p>
</p></li><li><p>
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
and applied. The list may include GPOs that:
</ns80:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><ns80:p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><p>
No desktop user interface is presented until the above have been processed.
</ns80:p></li><li><p>
Execution of start-up scripts (hidden and synchronous by defaut).
</p></li><li><p>
Execution of start-up scripts (hidden and synchronous by default).
</p></li><li><p>
A keyboard action to affect start of logon (Ctrl-Alt-Del).
</p></li><li><p>
User credentials are validated, User profile is loaded (depends on policy settings).
</p></li><li xmlns:ns81=""><ns81:p>
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
</p></li><li><p>
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
</ns81:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><ns81:p>
</ns81:p></li><li><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><p>
</p></li><li><p>
User Policies are applied from Active Directory. Note: There are several types.
</p></li><li><p>
Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
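Review bot: The "Samba Editreg Toolset" section consists only of the author's placeholder, "Describe in detail the benefits of editreg and how to use it.", which ships as body text in the published manual. Either write the section or remove it from the source until it exists. In the same hunk, "The key benefit of using AS GPOs" looks like a typo for the Active Directory GPOs the sentence is about, and replacing the ns79:p and ns80:p elements with plain p tags leaves empty paragraph pairs around the simplelist tables.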
@ -247,10 +246,10 @@ reboot and as part of the user logon:
</p></li><li><p>
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983352"></a>Common Errors</h2></div></div><div></div></div><p>
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2987030"></a>Common Errors</h2></div></div><div></div></div><p>
Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
collection demonstrates only basic issues.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983366"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2987044"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
Question: We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
work any longer since we upgraded to Win XP Pro. Any hints?
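Review bot: In the last step of the logon processing list, "In a Samba domain (like and NT4 Domain)" should read "like an NT4 Domain". The filename casing is also inconsistent around this hunk: the question uses "config.pol" while the earlier text uses "Config.POL", and since the answer turns on using the right policy file for the right client, the names should be spelled the same way throughout.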
@ -258,4 +257,4 @@ work any longer since we upgraded to Win XP Pro. Any hints?
<span class="emphasis"><em>ANSWER:</em></span> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
platforms. You need to use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so that
it is in the correct format for your MS Windows XP Pro clients.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Manangement </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>

View File

@ -1,7 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. 
Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3012180">HPUX</a></dt><dt><a href="Portability.html#id3012265">SCO Unix</a></dt><dt><a href="Portability.html#id3012293">DNIX</a></dt><dt><a href="Portability.html#id3012463">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3012506">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3012513">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3012539">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3012546">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. 
Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
platforms provide is not always compatible. This chapter contains
platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012180"></a>HPUX</h2></div></div><div></div></div><p>
platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013478"></a>HPUX</h2></div></div><div></div></div><p>
HP's implementation of supplementary groups is, er, non-standard (for
hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
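Review bot: every section anchor in the table of contents is renumbered by this regeneration ("Portability.html#id3012180" becomes "Portability.html#id3013478" for HPUX, and likewise for SCO Unix through Solaris), so any external link or bookmark to a section breaks each time the docs are rebuilt. Only "winbind-solaris9" and "Portability" survive, because they are explicit ids. Give the remaining sections explicit ids in the DocBook source so the generated anchors are stable and a regeneration diff shows only real text changes.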
@ -18,10 +17,10 @@ to initgroups() be run as users not in any groups with GIDs outside the
allowed range.
</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
</p><p>
On HPUX you must use gcc or the HP Ansi compiler. The free compiler
that comes with HP-UX is not Ansi compliant and cannot compile
On HPUX you must use gcc or the HP ANSI compiler. The free compiler
that comes with HP-UX is not ANSI compliant and cannot compile
Samba.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012265"></a>SCO Unix</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016009"></a>SCO Unix</h2></div></div><div></div></div><p>
If you run an old version of SCO Unix then you may need to get important
TCP/IP patches for Samba to work correctly. Without the patch, you may
encounter corrupt data transfers using samba.
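Review bot: the replaced compiler sentence fixes "Ansi" to "ANSI" but still spells the platform two ways in adjacent lines: "On HPUX you must use gcc" and "that comes with HP-UX". Use one form throughout, including the section heading. The SCO paragraph in the trailing context also keeps lower-case "using samba", while other hunks in this commit capitalize the product name.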
@ -29,7 +28,7 @@ encounter corrupt data transfers using samba.
The patch you need is UOD385 Connection Drivers SLS. It is available from
SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
files uod385a.Z and uod385a.ltr.Z).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012293"></a>DNIX</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016039"></a>DNIX</h2></div></div><div></div></div><p>
DNIX has a problem with seteuid() and setegid(). These routines are
needed for Samba to work correctly, but they were left out of the DNIX
C library for some reason.
@ -88,13 +87,13 @@ LIBSM = setegid.o seteuid.o -ln
You should then remove the line:
</p><pre class="programlisting">
#define NO_EID
</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div xmlns:ns101="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012463"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><ns101:p>
</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016210"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><p>
By default RedHat Rembrandt-II during installation adds an
entry to <tt class="filename">/etc/hosts</tt> as follows:
</ns101:p><pre class="programlisting">
</p><pre class="programlisting">
127.0.0.1 loopback &quot;hostname&quot;.&quot;domainname&quot;
</pre><ns101:p>
</ns101:p><p>
</pre><p>
</p><p>
This causes Samba to loop back onto the loopback interface.
The result is that Samba fails to communicate correctly with
the world and therefor may fail to correctly negotiate who
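Review bot: replacing the ns101:p elements with plain p leaves an empty paragraph after the /etc/hosts listing; the new lines read "</pre><p>" followed by "</p><p>", which renders as a blank block. Remove the empty para in the source instead of carrying it through the stylesheet. The unchanged sentence below still has "therefor" for "therefore", which belongs with the other spelling corrections in this commit.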
@ -102,13 +101,13 @@ is the master browse list holder and who is the master browser.
</p><p>
Corrective Action: Delete the entry after the word loopback
in the line starting 127.0.0.1
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012506"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012513"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016254"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016261"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
samba performance significally.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012539"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012546"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
when running samba on solaris. The built in file locking mechanism was
Samba performance significantly.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016287"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016294"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
when running Samba on Solaris. The built in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
get into loops of trying to lock a file. It woul try a lock, then fail,
get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would
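Review bot: in the AIX paragraph the corrected sentence still recommends "vmtune -r 0" with no scope: it does not say which AIX releases this applies to or under what load the improvement was seen. One sentence of context would make the advice usable. In the Solaris paragraph, "built in file locking mechanism" should be "built-in", and "The lock attempt was failing before the grant was occurring" is hard to parse; reword it while the typos around it are being fixed.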

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2983469">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2983502">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2983543">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988905">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989842">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989906">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990166">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990224">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990270">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990290">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990438">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2990991">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991496">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991508">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991571">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991790">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a name="id2983469"></a>Features and Benefits</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2988251">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2988285">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988326">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988731">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989902">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989967">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990232">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990290">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990336">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990356">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990504">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991058">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991562">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991575">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991638">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991859">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a name="id2988251"></a>Features and Benefits</h2></div></div><div></div></div><p>
Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
some administrators.
</p><p>
@ -12,7 +11,7 @@ problem to others. In particular, users of mobile computing tools, where often t
be a sustained network connection, are often better served by purely Local Profiles.
This chapter provides information to help the Samba administrator to deal with those
situations also.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983502"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2988285"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
</p></div><p>
Before discussing how to configure roaming profiles, it is useful to see how
@ -25,34 +24,34 @@ profiles are restricted to being stored in the user's home directory.
</p><p>
Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
including a separate field for the location of the user's profiles.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983543"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988326"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
This section documents how to configure Samba for MS Windows client profile support.
</p><div xmlns:ns82="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2983556"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
To support Windowns NT4/200x clients, in the [global] section of smb.conf set the
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988340"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
To support Windows NT4/200x clients, in the [global] section of smb.conf set the
following (for example):
</p><ns82:p>
</ns82:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
</pre><ns82:p>
</pre><p>
This is typically implemented like:
</ns82:p><pre class="programlisting">
</p><pre class="programlisting">
logon path = \\%L\Profiles\%u
</pre><ns82:p>
</pre><p>
where %L translates to the name of the Samba server and %u translates to the user name
</ns82:p><p>
</p><p>
The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
namely <tt class="filename">\\sambaserver\username\profile</tt>.
The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
a samba server for the profiles, you _must_ make the share specified in the logon path
browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
symantics of %L and %N, as well as %U and %u.
semantics of %L and %N, as well as %U and %u.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows NT/2K clients at times do not disconnect a connection to a server
between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
meta-service name as part of the profile share path.
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2983646"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988432"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
To support Windows 9x / Me clients, you must use the <i class="parameter"><tt>logon home</tt></i> parameter. Samba has
now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
on the <b class="command">logon home</b> parameter.
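Review bot: the context line "The \\N%\%U service is created automatically by the [homes] service" has the percent sign on the wrong side of N; the line above gives the default as \\%N\%U\profile, so this should read \\%N\%U. The hunk already corrects "Windowns" and "symantics" in the same section, so fix this with them. The ns82:p to p change also leaves an empty "<p>" / "</p>" pair in front of the first logon path listing.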
@ -70,28 +69,28 @@ Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also wor
Windows 9x / Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified <tt class="filename">\\%L\%U</tt> for <i class="parameter"><tt>logon home</tt></i>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988720"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988541"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
You can support profiles for both Win9X and WinNT clients by setting both the
<i class="parameter"><tt>logon home</tt></i> and <i class="parameter"><tt>logon path</tt></i> parameters. For example:
</p><pre class="programlisting">
logon home = \\%L\%u\.profiles
logon path = \\%L\profiles\%u
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988756"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988580"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
A question often asked is &#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221; or
&#8220;<span class="quote">How do I disable Roaming Profiles?</span>&#8221;
</p><p>
There are three ways of doing this:
</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd xmlns:ns83=""><ns83:p>
</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p>
Affect the following settings and ALL clients
will be forced to use a local profile:
</ns83:p><pre class="programlisting">
</p><pre class="programlisting">
logon home =
logon path =
</pre><ns83:p>
</ns83:p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd xmlns:ns84=""><ns84:p>
</pre><p>
</p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p>
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
</ns84:p><pre class="programlisting">
</p><pre class="programlisting">
Local Computer Policy\
Computer Configuration\
Administrative Templates\
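Review bot: "Affect the following settings and ALL clients will be forced to use a local profile" reads as though existing settings are being influenced, whereas the listing shows logon home and logon path both set to an empty value. Say that directly, for example "Set both parameters to an empty value", and state which section of smb.conf they go in, as the NT4/200x section does for logon path. The empty "<p>" / "</p>" pair after the listing is another leftover of the ns83 cleanup.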
@ -99,9 +98,9 @@ There are three ways of doing this:
User Profiles\
Disable: Only Allow Local User Profiles
Disable: Prevent Roaming Profile Change from Propogating to the Server
</pre><ns84:p>
</ns84:p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
Disable: Prevent Roaming Profile Change from Propagating to the Server
</pre><p>
</p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
From the start menu right click on the
My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
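Review bot: both policy lines in the gpedit.msc path carry a "Disable:" prefix ("Disable: Only Allow Local User Profiles", "Disable: Prevent Roaming Profile Change from Propagating to the Server"), which can be read as "set this policy to Disabled", the opposite of forcing a local profile as the paragraph describes. The spelling fix leaves that ambiguity in place; state the value each policy should be given.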
@ -113,7 +112,7 @@ profiles.
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
to a local one vary according to the version of MS Windows you are running. Consult the
Microsoft MS Windows Resource Kit for your version of Windows for specific information.
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988905"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988913"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988731"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988739"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
When a user first logs in on Windows 9X, the file user.DAT is created,
as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
@ -219,7 +218,7 @@ If you have access to an Windows NT4/200x server, then first set up roaming prof
and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
the example packet traces provided with Windows NT4/200x server, and see what the
differences are with the equivalent samba trace.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2985113"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989233"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
When a user first logs in to a Windows NT Workstation, the profile
NTuser.DAT is created. The profile location can be now specified
through the <i class="parameter"><tt>logon path</tt></i> parameter.
@ -248,7 +247,7 @@ turns a profile into a mandatory one.
</p><p>
The case of the profile is significant. The file must be called
<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2985271"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989391"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
You must first convert the profile from a local profile to a domain
profile on the MS Windows workstation as follows:
</p><div class="procedure"><ol type="1"><li><p>
@ -276,10 +275,10 @@ profile on the MS Windows workstation as follows:
Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
nominated.
</p></li></ol></div><p>
Done. You now have a profile that can be editted using the samba-3.0.0
Done. You now have a profile that can be edited using the samba-3.0.0
<b class="command">profiles</b> tool.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Under NT/2K the use of mandotory profiles forces the use of MS Exchange
Under NT/2K the use of mandatory profiles forces the use of MS Exchange
storage of mail data. That keeps desktop profiles usable.
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><div class="procedure"><ol type="1"><li><p>
This is a security check new to Windows XP (or maybe only
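Review bot: the second Note in this hunk wraps a procedure whose first list item is explanation rather than an action ("This is a security check new to Windows XP (or maybe only"). Move the explanation into a paragraph ahead of the ordered list so the numbered steps begin with something the reader does. The button label in the first context line is "Ok" while the following procedure uses "OK"; pick one.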
@ -298,7 +297,7 @@ On the XP workstation log in with an Administrator account.
</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the &quot;Console Root&quot; window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
<span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
refers to the console settings rather than the policies you have
changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989842"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989902"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
Sharing of desktop profiles between Windows versions is NOT recommended.
Desktop profiles are an evolving phenomenon and profiles for later versions
of MS Windows clients add features that may interfere with earlier versions
@ -315,12 +314,12 @@ that need to be common are <i class="parameter"><tt>logon path</tt></i> and
</p><p>
If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
<tt class="filename">NTuser.DAT</tt> files in the same profile directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989906"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989967"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
There is nothing to stop you specifying any path that you like for the
location of users' profiles. Therefore, you could specify that the
profile be stored on a samba server, or any other SMB server, as long as
that SMB server supports encrypted passwords.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989923"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989984"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
Unfortunately, the Resource Kit information is specific to the version of MS Windows
NT4/200x. The correct resource kit is required for each platform.
</p><p>
@ -330,24 +329,24 @@ On your NT4 Domain Controller, right click on <span class="guiicon">My Computer<
select the tab labelled <span class="guilabel">User Profiles</span>.
</p></li><li><p>
Select a user profile you want to migrate and click on it.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term &quot;migrate&quot; lossely. You can copy a profile to
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term &quot;migrate&quot; loosely. You can copy a profile to
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your samba
domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
<tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
Follow the above for every profile you need to migrate.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990086"></a>Side bar Notes</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990153"></a>Side bar Notes</h4></div></div><div></div></div><p>
You should obtain the SID of your NT4 domain. You can use smbpasswd to do
this. Read the man page.</p><p>
With Samba-3.0.0 alpha code you can import all you NT4 domain accounts
using the net samsync method. This way you can retain your profile
settings as well as all your users.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990108"></a>moveuser.exe</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990175"></a>moveuser.exe</h4></div></div><div></div></div><p>
The W2K professional resource kit has moveuser.exe. moveuser.exe changes
the security of a profile from one user to another. This allows the account
domain to change, and/or the user name to change.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990124"></a>Get SID</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990191"></a>Get SID</h4></div></div><div></div></div><p>
You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
Resource Kit.
</p><p>
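Review bot: The note under the "Select a user profile" step tells the reader to give 'Everyone' rights on the copied profile and says nothing about what to do afterwards, so the copy in c:\temp\foobar keeps that wide permission. Suggest adding a sentence that the 'Everyone' grant is only needed because there is no trust relationship with the NT4 PDC, and that access should be narrowed to the owning user once the profile is on the Samba server. In the Side bar Notes, "import all you NT4 domain accounts" still has "you" for "your"; as this is regenerated output, the fix belongs in the DocBook source.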
@ -360,7 +359,7 @@ users who have logged on to this computer. (To find the profile information
for the user whose locally cached profile you want to move, find the SID for
the user with the GetSID.exe utility.) Inside of the appropriate user's
subkey, you will see a string value named ProfileImagePath.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990166"></a>Mandatory profiles</h2></div></div><div></div></div><p>
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990232"></a>Mandatory profiles</h2></div></div><div></div></div><p>
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
During the user's session it may be possible to change the desktop environment, but
as the user logs out all changes made will be lost. If it is desired to NOT allow the
@ -376,8 +375,8 @@ file in the copied profile and rename it to NTUser.MAN.
</p><p>
For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to
affect a mandatory profile.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990224"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
Most organisations are arranged into departments. There is a nice benenfit in
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990290"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
Most organisations are arranged into departments. There is a nice benefit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
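Review bot: In the unchanged context above the Group Profiles heading, "renamed to User.MAN to affect a mandatory profile" should read "effect", since the rename is what creates the mandatory profile. The "benenfit" fix shows the source was proofread for this regeneration, so this one can go in the same pass.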
@ -391,14 +390,14 @@ the now modified profile.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Be careful with group profiles, if the user who is a member of a group also
has a personal profile, then the result will be a fusion (merge) of the two.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990270"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990336"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
a profile does not already exist. Armed with a knowledge of where the default profile
is located on the Windows workstation, and knowing which registry keys affect the path
from which the default profile is created, it is possible to modify the default profile
to one that has been optimised for the site. This has significant administrative
advantages.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990290"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990356"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
Policy Editor</span> or change the registry directly.
</p><p>
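Review bot: The first sentence of the MS Windows 9x/Me section reads "To enable default per use profiles", which should be "per user profiles" (the XP note later on the page uses "default per user profiles"). Only the anchor ids change in this hunk, so the typo needs fixing in the DocBook source before the next regeneration.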
@ -410,7 +409,7 @@ select <span class="guilabel">User Profiles</span>, click on the enable box. Do
To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive
<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name
&quot;User Profiles&quot;, to enable user profiles set the value to 1, to disable user profiles set it to 0.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990387"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990454"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
When a user logs on to a Windows 9x / Me machine, the local profile path,
<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
for an existing entry for that user:
@ -426,7 +425,7 @@ If a User Profile is not found in either location, the Default User Profile from
machine is used and is copied to a newly created folder for the logged on user. At log off, any
changes that the user made are written to the user's local profile. If the user has a roaming
profile, the changes are written to the user's profile on the server.
</p></div></div><div xmlns:ns85="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990438"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990504"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
On MS Windows NT4 the default user profile is obtained from the location
<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
@ -461,21 +460,21 @@ the following steps are followed in respect of profile handling:
out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
next logon, the effect of the provious <tt class="filename">NTConfig.POL</tt> will still be held
next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>.
</p></li></ol></div><p>
MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
also remain stored in the same way, unless the following registry key is created:
</p><ns85:p>
</ns85:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
&quot;DeleteRoamingCache&quot;=dword:00000001
</pre><ns85:p>
</pre><p>
In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
deleted on logout.
</ns85:p><p>
</p><p>
Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>
may be redirected to a network share by modifying the following registry keys. These changes may be affected
via use of the System Policy Editor (to do so may require that you create your owns template extension
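Review bot: The DeleteRoamingCache listing gives the key as HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\, and the SYSTEM\Software prefix looks wrong: the Winlogon key sits under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion. An administrator who creates the value at the path as printed gets no effect, and the locally cached copy of each roaming profile stays on the workstation after logout. Please correct the path in the DocBook source; "tatooing", "will stored" and the unclosed "(like My Documents" in this hunk also survived the regeneration.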
@ -488,17 +487,17 @@ are controlled by entries on Windows NT4 is:
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
</p><p>
The above hive key contains a list of automatically managed folders. The default entries are:
</p><ns85:p>
</ns85:p><div class="table"><a name="id2990785"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><ns85:p>
</ns85:p><p>
</p><p>
</p><div class="table"><a name="id2990854"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
</p><p>
The registry key that contains the location of the default profile settings is:
</p><p>
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
</p><ns85:p>
</p><p>
The default entries are:
</ns85:p><div class="table"><a name="id2990930"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</td></tr></tbody></table></div><ns85:p>
</ns85:p></div><div xmlns:ns86="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990991"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</p><div class="table"><a name="id2990998"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991058"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows XP Home Edition does use default per user profiles, but can not participate
in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
only from itself. While there are benefits in doing this the beauty of those MS Windows
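Review bot: Table 24.2 is emitted without a header row, while Table 24.1 in the same hunk has Name and Default Value columns; add the same header in the source so the two tables read alike. Replacing the ns85:p elements with plain p also leaves an empty paragraph before and after each table (a p that opens and closes with only a line break inside), which is better fixed in the stylesheet than shipped.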
@ -524,7 +523,7 @@ login name of the user.
If a default profile does not exist in this location then MS Windows 200x/XP will use the local
default profile.
</p><p>
On loging out, the users' desktop profile will be stored to the location specified in the registry
On logging out, the users' desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
@ -546,9 +545,9 @@ are controlled by entries on Windows 200x/XP is:
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
</p><p>
The above hive key contains a list of automatically managed folders. The default entries are:
</p><ns86:p>
</ns86:p><div class="table"><a name="id2991184"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><ns86:p>
</ns86:p><p>
</p><p>
</p><div class="table"><a name="id2991253"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p>
</p><p>
There is also an entry called &quot;Default&quot; that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
</p><p>
@ -572,9 +571,9 @@ MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span>
A roaming profile will be cached locally unless the following registry key is created:
</p><p><tt class="filename">HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\&quot;DeleteRoamingCache&quot;=dword:00000001</tt></p><p>
In which case, the local cache copy will be deleted on logout.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991496"></a>Common Errors</h2></div></div><div></div></div><p>
THe following are some typical errors/problems/questions that have been asked.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991508"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991562"></a>Common Errors</h2></div></div><div></div></div><p>
The following are some typical errors/problems/questions that have been asked.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991575"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p>
With samba-2.2.x the choice you have is to enable or disable roaming
profiles support. It is a global only setting. The default is to have
roaming profiles and the default path will locate them in the user's home
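Review bot: The 200x/XP paragraph packs key path, value name and data into a single filename element (winlogon\"DeleteRoamingCache"=dword:00000001), whereas the NT4 section presents the same setting as a program listing; use the listing form here as well so the value name is not read as part of the path. The key also starts with HKEY_LOCAL_MACHINE\SYSTEM\Software, which should be checked against the actual location of the Winlogon key before this text is republished.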
@ -592,43 +591,43 @@ using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
</p><p>
In any case, you can configure only one profile per user. That profile can
be either:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div xmlns:ns88="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991571"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991638"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
I dont want Roaming profile to be implemented, I just want to give users
local profiles only.
...
Please help me I am totally lost with this error from past two days I tried
everything and googled around quite a bit but of no help. Please help me.
</span>&#8221;</p><ns88:p>
</span>&#8221;</p><p>
Your choices are:
</ns88:p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p>
</p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p>
I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
</p></dd><dt><span class="term">Roaming profiles</span></dt><dd xmlns:ns87=""><ns87:p>
</ns87:p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><ns87:p>
</p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><p>
Your choices are:
</ns87:p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
</p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
- should be preserved on a central server
- workstations 'cache' (store) a local copy
- used in case the profile can not be downloaded
at next logon
</p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a cetral place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
</p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a central place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
- can be personal or group
- can NOT be changed (except by an administrator
</p></dd></dl></div><ns87:p>
</ns87:p></dd></dl></div><ns88:p>
</p></dd></dl></div><p>
</p></dd></dl></div><p>
</ns88:p><p>
</p><p>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
size. On average (in a well controlled environment) roaming profie size of
size. On average (in a well controlled environment) roaming profile size of
2MB is a good rule of thumb to use for planning purposes. In an
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it take an hour to log onto a workstation but they harvest
the fuits of folly (and ignorance).
the fruits of folly (and ignorance).
</p><p>
The point of all the above is to show that roaming profiles and good
controls of how they can be changed as well as good discipline make up for
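Review bot: In the Mandatory profiles entry, "(except by an administrator" never closes its parenthesis, and the nested list under Roaming profiles repeats the lead-in "Your choices are:" that already introduces the outer list, which makes the two levels hard to tell apart. Suggest closing the parenthesis and giving the inner list its own lead-in in the source. "unchangable" in the simple list and "when it take an hour" are still present in the regenerated text.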
@ -636,19 +635,19 @@ a problem free site.
</p><p>
Microsoft's answer to the PST problem is to store all email in an MS
Exchange Server back-end. But this is another story ...!
</p><ns88:p>
</p><p>
So, having LOCAL profiles means:
</ns88:p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><ns88:p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><p>
On the other hand, having roaming profiles means:
</ns88:p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><ns88:p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><p>
</ns88:p><p>
</p><p>
I have managed and installed MANY NT/2K networks and have NEVER found one
where users who move from machine to machine are happy with local
profiles. In the long run local profiles bite them.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991790"></a>Changing the default profile</h3></div></div><div></div></div><p>&#8220;<span class="quote">
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991859"></a>Changing the default profile</h3></div></div><div></div></div><p>&#8220;<span class="quote">
When the client tries to logon to the PDC it looks for a profile to download
where do I put this default profile.
</span>&#8221;</p><p>
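Review bot: The LOCAL profiles list still reads "If lots of users user each machine - lot's of local disk storage needed" and "has it's own profile"; these should be "use each machine", "lots of" and "its own profile". The hunk only swaps the ns88:p wrappers for p, so the wording has to be corrected in the DocBook source.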

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. 
SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3001807">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3001657">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3002547">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3002659">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3002723">Global Settings</a></dt><dt><a href="SWAT.html#id3002828">Share Settings</a></dt><dt><a href="SWAT.html#id3002893">Printers Settings</a></dt><dt><a href="SWAT.html#id3002957">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3003005">The Status Page</a></dt><dt><a href="SWAT.html#id3003057">The View Page</a></dt><dt><a href="SWAT.html#id3003080">The Password Change Page</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. 
SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></div><p>
There are many and varied opinions regarding the usefulness or otherwise of SWAT.
No matter how hard one tries to produce the perfect configuration tool it remains
an object of personal taste. SWAT is a tool that will allow web based configuration
@ -7,7 +6,7 @@ of samba. It has a wizard that may help to get samba configured quickly, it has
sensitive help on each smb.conf parameter, it provides for monitoring of current state
of connection information, and it allows network wide MS Windows network password
management.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001807"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003929"></a>Features and Benefits</h2></div></div><div></div></div><p>
There are network administrators who believe that it is a good idea to write systems
documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT
does not store the configuration file in any intermediate form, rather, it stores only the
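Review bot: the only change to the "Features and Benefits" heading is its generated anchor, id3001807 becoming id3003929, so any link that pointed at the old fragment now breaks even though the section itself is unchanged. Giving the section an explicit id in the DocBook source, as the chapter already has with name="SWAT", would keep the anchor stable across regenerations. The unchanged line "for them SWAT will aways be a nasty tool" still carries the typo "aways" and could be fixed in the source at the same time.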
@ -19,7 +18,7 @@ internal ordering.
So before using SWAT please be warned - SWAT will completely replace your smb.conf with
a fully optimised file that has been stripped of all comments you might have placed there
and only non-default settings will be written to the file.
</p></div><div xmlns:ns95="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001657"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003963"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
SWAT should be installed to run via the network super daemon. Depending on which system
your Unix/Linux system has you will have either an <b class="command">inetd</b> or
<b class="command">xinetd</b> based system.
@ -35,8 +34,8 @@ The control entry for the older style file might be:
swat stream tcp nowait.400 root /usr/sbin/swat swat
</pre><p>
A control file for the newer style xinetd could be:
</p><ns95:p>
</ns95:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
# to configure your Samba server. To use SWAT, \
@ -52,9 +51,9 @@ A control file for the newer style xinetd could be:
log_on_failure += USERID
disable = yes
}
</pre><ns95:p>
</pre><p>
</ns95:p><p>
</p><p>
Both the above examples assume that the <b class="command">swat</b> binary has been
located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above
SWAT will use a directory access point from which it will load it's help files
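Review bot: after the xinetd listing the replacement lines are "</pre><p>" followed directly by "</p><p>", so the output still contains an empty paragraph; the cleanup removed the ns95 prefix but not the stray element. It is worth checking whether the DocBook source wraps the programlisting in a para of its own and removing that wrapper. The trailing context line "from which it will load it's help files" should read "its help files".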
@ -73,48 +72,48 @@ So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></s
full change and commit ability. The buttons that will be exposed includes:
<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002547"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006322"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
Lots of people have asked about how to setup SWAT with SSL to allow for secure remote
administration of Samba. Here is a method that works, courtesy of Markus Krieger
</p><p>
Modifications to the swat setup are as following:
</p><div class="procedure"><ol type="1"><li><p>
install OpenSSL
</p></li><li xmlns:ns96=""><ns96:p>
</p></li><li><p>
generate certificate and private key
</ns96:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
</pre></li><li><p>
remove swat-entry from [x]inetd
</p></li><li xmlns:ns97=""><ns97:p>
</p></li><li><p>
start stunnel
</ns97:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat </tt></b>
</pre></li></ol></div><p>
afterwards simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
afterwords simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
and the SSL connection is up.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002659"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006435"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
The SWAT title page provides access to the latest Samba documentation. The manual page for
each samba component is accessible from this page as are the Samba-HOWTO-Collection (this
document) as well as the O'Reilly book &quot;Using Samba&quot;.
</p><p>
Administrators who wish to validate their samba configuration may obtain useful information
from the man pages for the diganostic utilities. These are available from the SWAT home page
from the man pages for the diagnostic utilities. These are available from the SWAT home page
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
useful is <b class="command">ethereal</b>, available from <a href="http://www.ethereal.com" target="_top">
http://www.ethereal.com</a>.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
changes to smb.conf as well as general operation with root privilidges. The option that
changes to smb.conf as well as general operation with root privileges. The option that
creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any
production environment.</em></span>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002723"></a>Global Settings</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006499"></a>Global Settings</h3></div></div><div></div></div><p>
The Globals button will expose a page that allows configuration of the global parameters
in smb.conf. There are three levels of exposure of the parameters:
</p><div class="itemizedlist"><ul type="disc"><li><p>
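Review bot: the new line after the stunnel step reads "afterwords simply contact to swat" where the line it replaces had "afterwards", so this regeneration introduces a misspelling in the same hunk that corrects "diganostic" and "privilidges"; the source should go back to "afterwards", and "connect to swat" would read better than "contact to swat". Separately, the openssl step passes -nodes and uses /etc/stunnel/stunnel.pem for both -out and -keyout, which leaves the private key unencrypted in the same file as the certificate; the procedure would benefit from a step that restricts that file to root-only read access.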
@ -135,9 +134,9 @@ After making any changes to configuration parameters make sure that you click on
your changes will be immediately lost.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
SWAT has context sensitive help. To find out what each parameter is for simply click the
<span class="guibutton">Help</span> link to the left of the configurartion parameter.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002828"></a>Share Settings</h3></div></div><div></div></div><p>
To affect a currenly configured share, simply click on the pull down button between the
<span class="guibutton">Help</span> link to the left of the configuration parameter.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006604"></a>Share Settings</h3></div></div><div></div></div><p>
To affect a currently configured share, simply click on the pull down button between the
<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
select the share you wish to operate on, then to edit the settings click on the
<span class="guibutton">Choose Share</span> button, to delete the share simply press the
@ -146,8 +145,8 @@ select the share you wish to operate on, then to edit the settings click on the
To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter
into the text field the name of the share to be created, then click on the
<span class="guibutton">Create Share</span> button.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002893"></a>Printers Settings</h3></div></div><div></div></div><p>
To affect a currenly configured printer, simply click on the pull down button between the
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006669"></a>Printers Settings</h3></div></div><div></div></div><p>
To affect a currently configured printer, simply click on the pull down button between the
<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<span class="guibutton">Choose Printer</span> button, to delete the share simply press the
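Review bot: in the Printers Settings text the trailing context line says "to delete the share simply press the", which looks carried over from the Share Settings section above; it should say "to delete the printer". The new line of this hunk corrects "currenly" in the same paragraph, so the source is being edited here anyway.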
@ -156,23 +155,23 @@ select the printer you wish to operate on, then to edit the settings click on th
To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter
into the text field the name of the share to be created, then click on the
<span class="guibutton">Create Printer</span> button.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002957"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
The purpose if the SWAT Wizard is to help the Microsoft knowledgable network administrator
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006733"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
to configure Samba with a minimum of effort.
</p><p>
The Wizard page provides a tool for rewiting the smb.conf file in fully optimised format.
The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
This will also happen if you press the commit button. The two differ in the the rewrite button
ignores any changes that may have been made, while the Commit button causes all changes to be
affected.
</p><p>
The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working samba server.
options that may be necessary to create a working Samba server.
</p><p>
Finally, there are a limited set of options that will determine what type of server samba
Finally, there are a limited set of options that will determine what type of server Samba
will be configured for, whether it will be a WINS server, participate as a WINS client, or
operate with no WINS support. By clicking on one button you can elect to epose (or not) user
operate with no WINS support. By clicking on one button you can elect to expose (or not) user
home directories.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003005"></a>The Status Page</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006781"></a>The Status Page</h3></div></div><div></div></div><p>
The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
</p><p>
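Review bot: the replaced opening sentence of the Wizard section fixes "knowledgable" but still reads "The purpose if the SWAT Wizard"; "if" should be "of". Two unchanged lines in this hunk also need a source fix: "The two differ in the the rewrite button" has a doubled "the", and the Create Printer paragraph says "the name of the share to be created" where it means the printer.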
@ -183,11 +182,11 @@ conditions with minimal effort.
</p><p>
Lastly, the Status page may be used to terminate specific smbd client connections in order to
free files that may be locked.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003057"></a>The View Page</h3></div></div><div></div></div><p>
This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and if you are
particularly massochistic will permit you also to see all possible global configuration
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006833"></a>The View Page</h3></div></div><div></div></div><p>
This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are
particularly masochistic, will permit you also to see all possible global configuration
parameters and their settings.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003080"></a>The Password Change Page</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006856"></a>The Password Change Page</h3></div></div><div></div></div><p>
The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation
and reactivation of MS Windows networking users on the local machine. Alternatively, you can use
this tool to change a local password for a user account.

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. High Availability Options</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="Backup.html" title="Chapter 28. Samba Backup Techniques"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. High Availability Options</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SambaHA.html#id2999354">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999354"></a>Note</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. High Availability Options</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="Backup.html" title="Chapter 28. Samba Backup Techniques"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. High Availability Options</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SambaHA.html#id3003099">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003099"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. Samba Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html>

View File

@ -1,9 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 5. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. 
Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ServerType.html#id2889441">Features and Benefits</a></dt><dt><a href="ServerType.html#id2889533">Server Types</a></dt><dt><a href="ServerType.html#id2889614">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2886042">User Level Security</a></dt><dt><a href="ServerType.html#id2886175">Share Level Security</a></dt><dt><a href="ServerType.html#id2887246">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2887488">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2887572">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2887797">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2887974">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2888002">What makes Samba 
a SERVER?</a></dt><dt><a href="ServerType.html#id2888035">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2888063">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2889975">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 5. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. 
Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba 
a SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p>
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what, within a Samba context, terms familiar to MS Windows
adminstrator mean. This means that it is essential also to define how critical security
administrator mean. This means that it is essential also to define how critical security
modes function BEFORE we get into the details of how to configure the server itself.
</p><p>
The chapter provides an overview of the security modes of which Samba is capable
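Review bot: the corrected line "administrator mean. This means that it is essential" fixes the spelling of "adminstrator", but the sentence it completes, "terms familiar to MS Windows administrator mean", is still ungrammatical. Suggest "what terms familiar to the MS Windows administrator mean within a Samba context" in the DocBook source.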
@ -12,9 +11,9 @@ and how these relate to MS Windows servers and clients.
Firstly we should recognise the question so often asked, &quot;Why would I want to use Samba?&quot;
So, in those chapters where the answer may be important you will see a section that highlights
features and benefits. These may be for or against Samba.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889441"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888767"></a>Features and Benefits</h2></div></div><div></div></div><p>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
hurt his toe and lodged in his sandle. He took the stone out and cursed it with a passion
hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
can turn that into a precious gem and some day it will make a princess very happy!
</p><p>
@ -48,13 +47,13 @@ So now, what are the benefits of features mentioned in this chapter?
greater flexibility than MS Windows NT4 and in many cases a
significantly higher utility than Active Directory domains
with MS Windows 200x.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889533"></a>Server Types</h2></div></div><div></div></div><p>Adminstrators of Microsoft networks often refer to three
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888862"></a>Server Types</h2></div></div><div></div></div><p>Administrators of Microsoft networks often refer to three
different type of servers:</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Primary Domain Controller</td></tr><tr><td>Backup Domain Controller</td></tr><tr><td>ADS Domain Controller</td></tr></table></li><li><p>Domain Member Server</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Member Server</td></tr><tr><td>NT4 Style Domain Member Server</td></tr></table></li><li><p>Stand Alone Server</p></li></ul></div><p>
The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
pertinent information regarding Samba-3 configuration for each of these server roles.
The reader is strongly encouraged to become intimately familiar with the information
presented.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889614"></a>Samba Security Modes</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888947"></a>Samba Security Modes</h2></div></div><div></div></div><p>
In this section the function and purpose of Samba's <i class="parameter"><tt>security</tt></i>
modes are described. An accurate understanding of how Samba implements each security
mode as well as how to configure MS Windows clients for each mode will significantly
@ -78,7 +77,7 @@ the way the client then tries to authenticate itself. It does not directly affec
but it fits in with the client/server approach of SMB. In SMB everything is initiated
and controlled by the client, and the server can only tell the client what is
available and whether an action is allowed.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886042"></a>User Level Security</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889062"></a>User Level Security</h3></div></div><div></div></div><p>
We will describe <i class="parameter"><tt>user level</tt></i> security first, as it's simpler.
In <span class="emphasis"><em>user level</em></span> security, the client will send a
<span class="emphasis"><em>session setup</em></span> command directly after the protocol negotiation.
@ -96,13 +95,13 @@ It is also possible for a client to send multiple <span class="emphasis"><em>ses
requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use
as an authentication tag for that username/password. The client can maintain multiple
authentication contexts in this way (WinDD is an example of an application that does this).
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2886136"></a>Example Configuration</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889156"></a>Example Configuration</h4></div></div><div></div></div><p>
The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>User Level Security</em></span> is:
</p><pre class="programlisting">
security = user
</pre><p>
This is the default setting since samba-2.2.x.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886175"></a>Share Level Security</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889195"></a>Share Level Security</h3></div></div><div></div></div><p>
Ok, now for share level security. In share level security, the client authenticates
itself separately for each share. It will send a password along with each
<span class="emphasis"><em>tree connection</em></span> (share mount). It does not explicitly send a
@ -125,18 +124,18 @@ of the share they try to connect to (useful for home directories) and any users
listed in the <i class="parameter"><tt>user =</tt></i> <tt class="filename">smb.conf</tt> line. The password is then checked
in turn against these <span class="emphasis"><em>possible usernames</em></span>. If a match is found
then the client is authenticated as that user.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2886255"></a>Example Configuration</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889275"></a>Example Configuration</h4></div></div><div></div></div><p>
The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>Share Level Security</em></span> is:
</p><pre class="programlisting">
security = share
</pre><p>
Please note that there are reports that recent MS Windows clients do not like to work
with share mode security servers. You are strongly discouraged from using share level security.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887246"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889317"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p>
When Samba is operating in <i class="parameter"><tt>security = domain</tt></i> mode,
the Samba server has a domain security trust account (a machine account) and will cause
all authentication requests to be passed through to the domain controllers.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2887268"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889339"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
Samba as a Domain Member Server
</em></span></p><p>
This method involves addition of the following parameters in the <tt class="filename">smb.conf</tt> file:
@ -148,20 +147,20 @@ In order for this method to work, the Samba server needs to join the MS Windows
security domain. This is done as follows:
</p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT domain controller, using
the Server Manager, add a machine account for the Samba server.
</p></li><li><p>Next, on the Unix/Linux system execute:</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j DOMAIN_NAME -r PDC_NAME</tt></b> (samba-2.x)</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>net join -U administrator%password</tt></b> (samba-3)</p></li></ol></div><div xmlns:ns4="" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><ns4:p>
</p></li><li><p>Next, on the Unix/Linux system execute:</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j DOMAIN_NAME -r PDC_NAME</tt></b> (samba-2.x)</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>net join -U administrator%password</tt></b> (samba-3)</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just
by executing:
</ns4:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j <i class="replaceable"><tt>DOMAIN_NAME</tt></i> -r <i class="replaceable"><tt>PDC_NAME</tt></i> -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
</pre><ns4:p>
</pre><p>
As of Samba-3 the same can be done by executing:
</ns4:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net join -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
</pre><ns4:p>
</pre><p>
It is not necessary with Samba-3 to specify the <i class="replaceable"><tt>DOMAIN_NAME</tt></i> or the <i class="replaceable"><tt>PDC_NAME</tt></i> as it
figures this out from the <tt class="filename">smb.conf</tt> file settings.
</ns4:p></div><p>
</p></div><p>
Use of this mode of authentication does require there to be a standard Unix account
for each user in order to assign a uid once the account has been authenticated by
the remote Windows DC. This account can be blocked to prevent logons by clients other than
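Review bot: both join commands in the Note, smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password and net join -U Administrator%password, put the domain administrator password on the command line, where it is saved in shell history and can be seen, at least briefly, in the process list. The regenerated markup is fine, but the DocBook source should show the net join -U Administrator form, which prompts for the password, and mention the user%password form only as an option for non-interactive use.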
@ -174,7 +173,7 @@ in this HOWTO collection.
</p><p>
For more information of being a domain member, see the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain
Member</a> section of this Howto.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887488"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889568"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p>
Both Samba 2.2 and 3.0 can join an Active Directory domain. This is
possible even if the domain is run in native mode. Active Directory in
native mode perfectly allows NT4-style domain members, contrary to
@ -188,7 +187,7 @@ authentication protocols. All your machines are running Windows 2000
and above and all use full Kerberos. In this case Samba as a NT4-style
domain would still require NT-compatible authentication data. Samba in
AD-member mode can accept Kerberos.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2887519"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting">
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889598"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting">
realm = your.kerberos.REALM
security = ADS
</pre><p>
@ -198,7 +197,7 @@ AD-member mode can accept Kerberos.
</pre><p>
Please refer to the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Membership</a> and <a href="domain-member.html#ads-member" title="Samba ADS Domain Membership">Active Directory
Membership</a> sections for more information regarding this configuration option.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887572"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889655"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p>
Server security mode is a left over from the time when Samba was not capable of acting
as a domain member server. It is highly recommended NOT to use this feature. Server
security mode has many draw backs. The draw backs include:
@ -230,7 +229,7 @@ lookups because the choice of the target authentication server is arbitrary and
be determined from a domain name. In essence, a Samba server that is in
<span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as
workgroup mode.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2887729"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889811"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
Using MS Windows NT as an authentication server
</em></span></p><p>
This method involves the additions of the following parameters in the <tt class="filename">smb.conf</tt> file:
@ -251,7 +250,7 @@ certain number of failed authentication attempts this will result in user lockou
</p><p>
Use of this mode of authentication does require there to be a standard Unix account
for the user, though this account can be blocked to prevent logons by non-SMB/CIFS clients.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887797"></a>Seamless Windows Network Integration</h2></div></div><div></div></div><p>
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889880"></a>Seamless Windows Network Integration</h2></div></div><div></div></div><p>
MS Windows clients may use encrypted passwords as part of a challenge/response
authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear text strings for simple
password based authentication. It should be realized that with the SMB protocol,
@ -263,7 +262,7 @@ is encrypted in two ways:
</p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the UNICODE of the password
string. This is known as the NT hash.
</p></li><li><p>The password is converted to upper case,
and then padded or trucated to 14 bytes. This string is
and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56 bit DES keys to encrypt a &quot;magic&quot; 8 byte value.
The resulting 16 bytes form the LanMan hash.
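Review bot: the spelling fix is right, but the sentence it touches still does not add up. A password padded or truncated to 14 bytes is already 112 bits, exactly two 56 bit DES keys, so "appended with 5 bytes of NULL characters" cannot come before the split (19 bytes do not divide into two 56 bit keys). The 5 NULL bytes belong to the challenge/response step, where the 16 byte hash is padded to 21 bytes and split into three keys; the DocBook source should drop that clause from the LanMan hash item or move it to the description of the response.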
@ -289,7 +288,7 @@ The following parameters can be used to work around the issue of Windows 9x clie
upper casing usernames and password before transmitting them to the SMB server
when using clear text authentication.
</p><pre class="programlisting">
<a href="smb.conf.5.html#PASSWORDLEVEL" target="_top">passsword level</a> = <i class="replaceable"><tt>integer</tt></i>
<a href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> = <i class="replaceable"><tt>integer</tt></i>
<a href="smb.conf.5.html#USERNAMELEVEL" target="_top">username level</a> = <i class="replaceable"><tt>integer</tt></i>
</pre><p>
By default Samba will lower case the username before attempting to lookup the user
@ -310,29 +309,29 @@ try them one by one until a match is located (or all combinations fail).
The best option to adopt is to enable support for encrypted passwords where ever
Samba is used. Most attempts to apply the registry change to re-enable plain text
passwords will eventually lead to user complaints and unhappiness.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887974"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890056"></a>Common Errors</h2></div></div><div></div></div><p>
We all make mistakes. It is Ok to make mistakes, so long as they are made in the right places
and at the right time. A mistake that causes lost productivity is seldom tolerated. A mistake
made in a developmental test lab is expected.
</p><p>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting
a Samba implementation. Some are the result of misundertanding of the English language. The
a Samba implementation. Some are the result of misunderstanding of the English language. The
English language has many turns of phrase that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888002"></a>What makes Samba a SERVER?</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890084"></a>What makes Samba a SERVER?</h3></div></div><div></div></div><p>
To some the nature of the Samba <span class="emphasis"><em>security</em></span> mode is very obvious, but entirely
wrong all the same. It is assumed that <i class="parameter"><tt>security = server</tt></i> means that Samba
will act as a server. Not so! See above - this setting means that Samba will <span class="emphasis"><em>try</em></span>
to use another SMB server as its source of user authentication alone.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888035"></a>What makes Samba a Domain Controller?</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890117"></a>What makes Samba a Domain Controller?</h3></div></div><div></div></div><p>
The <tt class="filename">smb.conf</tt> parameter <i class="parameter"><tt>security = domain</tt></i> does NOT really make Samba behave
as a Domain Controller! This setting means we want Samba to be a domain member!
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888063"></a>What makes Samba a Domain Member?</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890146"></a>What makes Samba a Domain Member?</h3></div></div><div></div></div><p>
Guess! So many others do. But whatever you do, do NOT think that <i class="parameter"><tt>security = user</tt></i>
makes Samba act as a domain member. Read the manufacturers manual before the warranty expires! See
the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Member</a> section of this Howto for more information.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889975"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890179"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p>
Why does server_validate() simply give up rather than re-establishing its connection to the
password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
process passes along to its client workstation the session key it receives from the password
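Review bot: the changed line fixes "misundertanding", but the unchanged line directly above it still reads "doing you homework", and the first line of the hunk still has "where ever". Fix both in the DocBook source in the same pass so the next regeneration picks them up, rather than leaving them for another full rebuild of 86 files.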

View File

@ -1,10 +1,9 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Stand-Alone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="domain-member.html" title="Chapter 7. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Stand-Alone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. 
Stand-Alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="StandAloneServer.html#id2901785">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2901823">Background</a></dt><dt><a href="StandAloneServer.html#id2901891">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2900494">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2900541">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2900747">Common Errors</a></dt></dl></div><p>
Stand-Alone servers are independant of Domain Controllers on the network.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Stand-Alone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="domain-member.html" title="Chapter 7. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Stand-Alone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. 
Stand-Alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></div><p>
Stand-Alone servers are independent of Domain Controllers on the network.
They are NOT domain members and function more like workgroup servers. In many
cases a stand-alone server is configured with a minimum of security control
with the intent that all data served will be readilly accessible to all users.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901785"></a>Features and Benefits</h2></div></div><div></div></div><p>
with the intent that all data served will be readily accessible to all users.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902304"></a>Features and Benefits</h2></div></div><div></div></div><p>
Stand-Alone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
Domain security they remain a very common installation.
@ -21,7 +20,7 @@ that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to affect any access controls and no files will
be served from the print server. Again a share mode stand-alone server makes
a great solution.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901823"></a>Background</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902501"></a>Background</h2></div></div><div></div></div><p>
The term <span class="emphasis"><em>stand-alone server</em></span> means that the server
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
@ -31,30 +30,30 @@ USER mode.
</p><p>
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services. This means that machines that
use this server do NOT perform a domain log onto it. Whatever logon facility
the workstations are subject to is independant of this machine. It is however
necessary to accomodate any network user so that the logon name they use will
use this server do NOT perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is however
necessary to accommodate any network user so that the logon name they use will
be translated (mapped) locally on the stand-alone server to a locally known
user name. There are several ways this cane be done.
user name. There are several ways this can be done.
</p><p>
Samba tends to blur the distinction a little in respect of what is
a stand-alone server. This is because the authentication database may be
local or on a remote server, even if from the samba protocol perspective
the samba server is NOT a member of a domain security context.
local or on a remote server, even if from the Samba protocol perspective
the Samba server is NOT a member of a domain security context.
</p><p>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the samba server may use the local Unix/Linux system password database
This means that the Samba server may use the local Unix/Linux system password database
(<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>), may use a
local smbpasswd file, or may use
an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
for authentication.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901891"></a>Example Configuration</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902573"></a>Example Configuration</h2></div></div><div></div></div><p>
The following examples are designed to inspire simplicity. It is too easy to
attempt a high level of creativity and to introduce too much complexity in
server and network design.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900494"></a>Reference Documentation Server</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902588"></a>Reference Documentation Server</h3></div></div><div></div></div><p>
Configuration of a read-only data server that EVERYONE can access is very simple.
Here is the smb.conf file that will do this. Assume that all the reference documents
are stored in the directory /export, that the documents are owned by a user other than
@ -77,18 +76,18 @@ Unix system database. This is a very simple system to administer.
In the above example the machine name is set to REFDOCS, the workgroup is set to the name
of the local workgroup so that the machine will appear in with systems users are familiar
with. The only password backend required is the &quot;guest&quot; backend so as to allow default
unprivilidged account names to be used. Given that there is a WINS server on this network
unprivileged account names to be used. Given that there is a WINS server on this network
we do use it.
</p></div><div xmlns:ns13="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900541"></a>Central Print Serving</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902638"></a>Central Print Serving</h3></div></div><div></div></div><p>
Configuration of a simple print server is very simple if you have all the right tools
on your system.
</p><div class="orderedlist"><p class="title"><b> Assumptions:</b></p><ol type="1"><li><p>
The print server must require no administration
</p></li><li><p>
The print spooling and processing system on our print server will be CUPS.
(Please refer to the chapter on printing for more information).
(Please refer to the <a href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing</a> chapter for more information).
</p></li><li><p>
All printers will that the print server will service will be network
All printers that the print server will service will be network
printers. They will be correctly configured, by the administrator,
in the CUPS environment.
</p></li><li><p>
@ -97,29 +96,29 @@ on your system.
</p></li></ol></div><p>
In this example our print server will spool all incoming print jobs to
<tt class="filename">/var/spool/samba</tt> until the job is ready to be submitted by
samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user two things will be required:
</p><div class="itemizedlist"><p class="title"><b>Enablement for Anonymous Printing</b></p><ul type="disc"><li xmlns:ns11=""><ns11:p>
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
</p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p>
The Unix/Linux system must have a <b class="command">guest</b> account.
The default for this is usually the account <b class="command">nobody</b>.
To find the correct name to use for your version of Samba do the
following:
</ns11:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>testparm -s -v | grep &quot;guest account&quot;</tt></b>
</pre><ns11:p>
</pre><p>
Then make sure that this account exists in your system password
database (<tt class="filename">/etc/passwd</tt>).
</ns11:p></li><li xmlns:ns12=""><ns12:p>
</p></li><li><p>
The directory into which Samba will spool the file must have write
access for the guest account. The following commands will ensure that
this directory is available for use:
</ns12:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>mkdir /var/spool/samba</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>chown nobody.nobody /var/spool/samba</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>chmod a+rwt /var/spool/samba</tt></b>
</pre><ns12:p>
</ns12:p></li></ul></div><ns13:p>
</ns13:p><pre class="programlisting">
</pre><p>
</p></li></ul></div><p>
</p><pre class="programlisting">
# Global parameters
[global]
workgroup = MYGROUP
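Review bot: the spool directory commands hardcode the account. chown nobody.nobody /var/spool/samba comes right after the text tells the reader to find the real guest account with testparm -s -v | grep "guest account", so on a system where that account is not nobody the ownership is wrong. The source should mark the account and group as replaceable, as the join commands elsewhere in this commit do for DOMAIN_NAME, and use the user:group colon form instead of the deprecated dot separator. It is also worth stating in the text that chmod a+rwt makes the directory writable by every local account, not only the guest account the paragraph says needs access. The empty paragraph pairs left after each pre block are stylesheet output and can be ignored here.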
@ -137,8 +136,8 @@ the anonymous (guest) user two things will be required:
printing = cups
use client driver = Yes
browseable = No
</pre><ns13:p>
</ns13:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2900747"></a>Common Errors</h2></div></div><div></div></div><p>
</pre><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902852"></a>Common Errors</h2></div></div><div></div></div><p>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. MS Windows Network Configuration Guide</td></tr></table></div></body></html>

View File

@ -1,61 +1,77 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"><link rel="next" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. 
Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="VFS.html#id2975746">Features and Benefits</a></dt><dt><a href="VFS.html#id2975763">Discussion</a></dt><dt><a href="VFS.html#id2975814">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2974410">audit</a></dt><dt><a href="VFS.html#id2974449">extd_audit</a></dt><dt><a href="VFS.html#id2974571">fake_perms</a></dt><dt><a href="VFS.html#id2974591">recycle</a></dt><dt><a href="VFS.html#id2974730">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2974775">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2974797">DatabaseFS</a></dt><dt><a href="VFS.html#id2974851">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2974880">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 
class="title" style="clear: both"><a name="id2975746"></a>Features and Benefits</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"><link rel="next" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. 
Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="VFS.html#id2978211">Features and Benefits</a></dt><dt><a href="VFS.html#id2978229">Discussion</a></dt><dt><a href="VFS.html#id2978320">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2978327">audit</a></dt><dt><a href="VFS.html#id2978365">extd_audit</a></dt><dt><a href="VFS.html#id2978489">fake_perms</a></dt><dt><a href="VFS.html#id2978508">recycle</a></dt><dt><a href="VFS.html#id2978645">netatalk</a></dt></dl></dd><dt><a 
href="VFS.html#id2978690">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2978712">DatabaseFS</a></dt><dt><a href="VFS.html#id2978768">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2978797">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978211"></a>Features and Benefits</h2></div></div><div></div></div><p>
Since Samba-3, there is support for stackable VFS(Virtual File System) modules.
Samba passes each request to access the unix file system thru the loaded VFS modules.
This chapter covers all the modules that come with the samba source and references to
some external modules.
</p></div><div xmlns:ns69="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975763"></a>Discussion</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978229"></a>Discussion</h2></div></div><div></div></div><p>
If not supplied with your platform distribution binary Samba package you may have problems
to compile these modules, as shared libraries are compiled and linked in different ways
on different systems. They currently have been tested against GNU/Linux and IRIX.
</p><ns69:p>
To use the VFS modules, create a share similar to the one below. The
important parameter is the <i class="parameter"><tt>vfs object</tt></i> parameter which must point to
the exact pathname of the shared library objects. For example, to log all access
to files and use a recycle bin:
</ns69:p><pre class="programlisting">
[audit]
comment = Audited /data directory
path = /data
vfs object = /path/to/audit.so /path/to/recycle.so
writeable = yes
browseable = yes
</pre><ns69:p>
</ns69:p><p>
The modules are used in the order they are specified.
</p><p>
Further documentation on writing VFS modules for Samba can be found in
the Samba Developers Guide.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975814"></a>Included modules</h2></div></div><div></div></div><div xmlns:ns70="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974410"></a>audit</h3></div></div><div></div></div><ns70:p>
To use the VFS modules, create a share similar to the one below. The
important parameter is the <b class="command">vfs objects</b> parameter where
you can list one or more VFS modules by name. For example, to log all access
to files and put deleted files in a recycle bin:
</p><pre class="programlisting">
[audit]
comment = Audited /data directory
path = /data
vfs objects = audit recycle
writeable = yes
browseable = yes
</pre><p>
</p><p>
The modules are used in the order in which they are specified.
</p><p>
Samba will attempt to load modules from the <span class="emphasis"><em>lib</em></span>
directory in the root directory of the samba installation (usually
<tt class="filename">/usr/lib/samba/vfs</tt> or <tt class="filename">/usr/local/samba/lib/vfs
</tt>).
</p><p>
Some modules can be used twice for the same share.
This can be done using a configuration similar to the one below.
</p><pre class="programlisting">
[test]
comment = VFS TEST
path = /data
writeable = yes
browseable = yes
vfs objects = example:example1 example example:test
example1: parameter = 1
example: parameter = 5
test: parameter = 7
</pre><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978320"></a>Included modules</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978327"></a>audit</h3></div></div><div></div></div><p>
A simple module to audit file access to the syslog
facility. The following operations are logged:
</ns70:p><table class="simplelist" border="0" summary="Simple list"><tr><td>share</td></tr><tr><td>connect/disconnect</td></tr><tr><td>directory opens/create/remove</td></tr><tr><td>file open/close/rename/unlink/chmod</td></tr></table><ns70:p>
</ns70:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974449"></a>extd_audit</h3></div></div><div></div></div><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>share</td></tr><tr><td>connect/disconnect</td></tr><tr><td>directory opens/create/remove</td></tr><tr><td>file open/close/rename/unlink/chmod</td></tr></table><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978365"></a>extd_audit</h3></div></div><div></div></div><p>
This module is identical with the <span class="emphasis"><em>audit</em></span> module above except
that it sends audit logs to both syslog as well as the smbd log file/s. The
loglevel for this module is set in the smb.conf file.
loglevel for this module is set in the smb.conf file.
</p><p>
The logging information that will be written to the smbd log file is controlled by
the <i class="parameter"><tt>log level</tt></i> parameter in <tt class="filename">smb.conf</tt>. The
following information will be recorded:
</p><div class="table"><a name="id2974488"></a><p class="title"><b>Table 20.1. Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974571"></a>fake_perms</h3></div></div><div></div></div><p>
</p><div class="table"><a name="id2978406"></a><p class="title"><b>Table 20.1. Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978489"></a>fake_perms</h3></div></div><div></div></div><p>
This module was created to allow Roaming Profile files and directories to be set (on the Samba server
under Unix) as read only. This module will if installed on the Profiles share will report to the client
that the Profile files and directories are writable. This satisfies the client even though the files
will never be overwritten as the client logs out or shuts down.
</p></div><div xmlns:ns71="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974591"></a>recycle</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978508"></a>recycle</h3></div></div><div></div></div><p>
A recycle-bin like module. When used any unlink call
will be intercepted and files moved to the recycle
directory instead of being deleted.
</p><ns71:p>Supported options:
</ns71:p><div class="variablelist"><dl><dt><span class="term">vfs_recycle_bin:repository</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:keeptree</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:versions</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:touch</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:maxsize</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:exclude</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:exclude_dir</span></dt><dd><p>FIXME</p></dd><dt><span class="term">vfs_recycle_bin:noversions</span></dt><dd><p>FIXME</p></dd></dl></div><ns71:p>
</ns71:p></div><div xmlns:ns72="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974730"></a>netatalk</h3></div></div><div></div></div><p>
</p><p>Supported options:
</p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>FIXME</p></dd></dl></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978645"></a>netatalk</h3></div></div><div></div></div><p>
A netatalk module, that will ease co-existence of samba and
netatalk file sharing services.
</p><ns72:p>Advantages compared to the old netatalk module:
</ns72:p><table class="simplelist" border="0" summary="Simple list"><tr><td>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</td></tr><tr><td>if a share in <tt class="filename">smb.conf</tt> doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</td></tr></table><ns72:p>
</ns72:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974775"></a>VFS modules available elsewhere</h2></div></div><div></div></div><p>
</p><p>Advantages compared to the old netatalk module:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</td></tr><tr><td>if a share in <tt class="filename">smb.conf</tt> doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</td></tr></table><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978690"></a>VFS modules available elsewhere</h2></div></div><div></div></div><p>
This section contains a listing of various other VFS modules that
have been posted but don't currently reside in the Samba CVS
tree for one reason or another (e.g. it is easy for the maintainer
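Review bot: in the recycle section of this hunk the option names change from vfs_recycle_bin:* to recycle:*, but all eight descriptions still read "FIXME", so the chapter documents a module that intercepts every unlink without saying where the repository lives or how maxsize, exclude and exclude_dir bound it. Fill these in at the DocBook source before regenerating. The same hunk switches the example from "vfs object = /path/to/audit.so /path/to/recycle.so" to "vfs objects = audit recycle"; a sentence telling readers that the old parameter name and full-path form are replaced would help anyone carrying an existing audited share forward.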
@ -63,7 +79,7 @@ to have his or her own CVS tree).
</p><p>
No statements about the stability or functionality of any module
should be implied due to its presence here.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974797"></a>DatabaseFS</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978712"></a>DatabaseFS</h3></div></div><div></div></div><p>
URL: <a href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</a>
</p><p>By <a href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer</a>.</p><p>
I have created a VFS module which implements a fairly complete read-only
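Review bot: the only change in this hunk is the generated anchor on the DatabaseFS heading moving from id2974797 to id2978712, and the same renumbering appears on every section heading of this file, so deep links into the chapter break on each regeneration. Give the sections explicit ids in the DocBook source so the anchors stay stable and content changes are not buried under id churn.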
@ -78,12 +94,12 @@ should be implied due to its presence here.
Any feedback would be appreciated: comments, suggestions, patches,
etc... If nothing else, hopefully it might prove useful for someone
else who wishes to create a virtual filesystem.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974851"></a>vscan</h3></div></div><div></div></div><p>URL: <a href="http://www.openantivirus.org/" target="_top">http://www.openantivirus.org/</a></p><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978768"></a>vscan</h3></div></div><div></div></div><p>URL: <a href="http://www.openantivirus.org/" target="_top">http://www.openantivirus.org/</a></p><p>
samba-vscan is a proof-of-concept module for Samba, which
uses the VFS (virtual file system) features of Samba 2.2.x/3.0
alphaX. Of couse, Samba has to be compiled with VFS support.
alphaX. Of course, Samba has to be compiled with VFS support.
samba-vscan supports various virus scanners and is maintained
by Rainer Link.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974880"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978797"></a>Common Errors</h2></div></div><div></div></div><p>
There must be some gotchas we should record here! Jelmer???
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. CUPS Printing Support in Samba 3.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Integrated Logon Support using Winbind</td></tr></table></div></body></html>
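Review bot: the Common Errors section at the end of this hunk still publishes the placeholder "There must be some gotchas we should record here! Jelmer???", with only its anchor id changed. Either write the section or drop it from the source before regenerating. The "couse" to "course" correction in the vscan paragraph is fine.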

View File

@ -1,411 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Samba as a ADS domain member</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Type of installation"
HREF="type.html"><LINK
REL="PREVIOUS"
TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
HREF="samba-bdc.html"><LINK
REL="NEXT"
TITLE="Samba as a NT4 domain member"
HREF="domain-security.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="samba-bdc.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="domain-security.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ADS">Chapter 8. Samba as a ADS domain member</H1
><P
>This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC. </P
><P
>Pieces you need before you begin:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>a Windows 2000 server.</TD
></TR
><TR
><TD
>samba 3.0 or higher.</TD
></TR
><TR
><TD
>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
></TR
><TR
><TD
>the OpenLDAP development libraries.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1187">8.1. Installing the required packages for Debian</H1
><P
>On Debian you need to install the following packages:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>libkrb5-dev</TD
></TR
><TR
><TD
>krb5-user</TD
></TR
></TBODY
></TABLE
><P
></P
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1193">8.2. Installing the required packages for RedHat</H1
><P
>On RedHat this means you should have at least:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>krb5-workstation (for kinit)</TD
></TR
><TR
><TD
>krb5-libs (for linking with)</TD
></TR
><TR
><TD
>krb5-devel (because you are compiling from source)</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>in addition to the standard development environment.</P
><P
>Note that these are not standard on a RedHat install, and you may need
to get them off CD2.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1202">8.3. Compile Samba</H1
><P
>If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR.</P
><P
>After you run configure make sure that include/config.h contains
lines like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#define HAVE_KRB5 1
#define HAVE_LDAP 1</PRE
></P
><P
>If it doesn't then configure did not find your krb5 libraries or
your ldap libraries. Look in config.log to figure out why and fix
it.</P
><P
>Then compile and install Samba as usual. You must use at least the
following 3 options in smb.conf:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> realm = YOUR.KERBEROS.REALM
security = ADS
encrypt passwords = yes</PRE
></P
><P
>In case samba can't figure out your ads server using your realm name, use the
<B
CLASS="COMMAND"
>ads server</B
> option in <TT
CLASS="FILENAME"
>smb.conf</TT
>:
<PRE
CLASS="PROGRAMLISTING"
> ads server = your.kerberos.server</PRE
></P
><P
>You do *not* need a smbpasswd file, although it won't do any harm
and if you have one then Samba will be able to fall back to normal
password security for older clients. I expect that the above
required options will change soon when we get better active
directory integration.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1217">8.4. Setup your /etc/krb5.conf</H1
><P
>The minimal configuration for krb5.conf is:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> [realms]
YOUR.KERBEROS.REALM = {
kdc = your.kerberos.server
}</PRE
></P
><P
>Test your config by doing a "kinit USERNAME@REALM" and making sure that
your password is accepted by the Win2000 KDC. </P
><P
>NOTE: The realm must be uppercase. </P
><P
>You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
followed by the realm. </P
><P
>The easiest way to ensure you get this right is to add a /etc/hosts
entry mapping the IP address of your KDC to its netbios name. If you
don't get this right then you will get a "local error" when you try
to join the realm.</P
><P
>If all you want is kerberos support in smbclient then you can skip
straight to step 5 now. Step 3 is only needed if you want kerberos
support in smbd.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1227">8.5. Create the computer account</H1
><P
>Do a "kinit" as a user that has authority to change arbitrary
passwords on the KDC ("Administrator" is a good choice). Then as a
user that has write permission on the Samba private directory
(usually root) run:
<B
CLASS="COMMAND"
>net ads join</B
></P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN1231">8.5.1. Possible errors</H2
><P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>"bash: kinit: command not found"</DT
><DD
><P
>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
></DD
><DT
>"ADS support not compiled in"</DT
><DD
><P
>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
></DD
></DL
></DIV
></P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1243">8.6. Test your server setup</H1
><P
>On a Windows 2000 client try <B
CLASS="COMMAND"
>net use * \\server\share</B
>. You should
be logged in with kerberos without needing to know a password. If
this fails then run <B
CLASS="COMMAND"
>klist tickets</B
>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ? </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1248">8.7. Testing with smbclient</H1
><P
>On your Samba server try to login to a Win2000 server or your Samba
server using smbclient and kerberos. Use smbclient as usual, but
specify the -k option to choose kerberos authentication.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1251">8.8. Notes</H1
><P
>You must change administrator password at least once after DC install,
to create the right encoding types</P
><P
>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="samba-bdc.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="domain-security.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Samba as a NT4 domain member</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
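Review bot: this hunk removes the entire "Samba as a ADS domain member" chapter (@ -1,411 +0,0), and the commit message says only "regenerate docs", so a reader cannot tell from the change whether the Kerberos setup procedure survives elsewhere. Name the regenerated file that replaces it in the commit message, and confirm that the operational requirements stated here are carried over: the uppercase realm in krb5.conf, the reverse DNS lookup for the KDC, and the error list under 8.5.1.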

View File

@ -1,390 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Appendixes</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="PREVIOUS"
TITLE="Samba performance issues"
HREF="speed.html"><LINK
REL="NEXT"
TITLE="Portability"
HREF="portability.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="speed.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="portability.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="PART"
><A
NAME="APPENDIXES"><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
>IV. Appendixes</H1
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>23. <A
HREF="portability.html"
>Portability</A
></DT
><DD
><DL
><DT
>23.1. <A
HREF="portability.html#AEN3139"
>HPUX</A
></DT
><DT
>23.2. <A
HREF="portability.html#AEN3145"
>SCO Unix</A
></DT
><DT
>23.3. <A
HREF="portability.html#AEN3149"
>DNIX</A
></DT
><DT
>23.4. <A
HREF="portability.html#AEN3178"
>RedHat Linux Rembrandt-II</A
></DT
></DL
></DD
><DT
>24. <A
HREF="other-clients.html"
>Samba and other CIFS clients</A
></DT
><DD
><DL
><DT
>24.1. <A
HREF="other-clients.html#AEN3199"
>Macintosh clients?</A
></DT
><DT
>24.2. <A
HREF="other-clients.html#AEN3208"
>OS2 Client</A
></DT
><DD
><DL
><DT
>24.2.1. <A
HREF="other-clients.html#AEN3210"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>24.2.2. <A
HREF="other-clients.html#AEN3225"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>24.2.3. <A
HREF="other-clients.html#AEN3234"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>24.2.4. <A
HREF="other-clients.html#AEN3238"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
></DL
></DD
><DT
>24.3. <A
HREF="other-clients.html#AEN3248"
>Windows for Workgroups</A
></DT
><DD
><DL
><DT
>24.3.1. <A
HREF="other-clients.html#AEN3250"
>Use latest TCP/IP stack from Microsoft</A
></DT
><DT
>24.3.2. <A
HREF="other-clients.html#AEN3255"
>Delete .pwl files after password change</A
></DT
><DT
>24.3.3. <A
HREF="other-clients.html#AEN3260"
>Configure WfW password handling</A
></DT
><DT
>24.3.4. <A
HREF="other-clients.html#AEN3264"
>Case handling of passwords</A
></DT
></DL
></DD
><DT
>24.4. <A
HREF="other-clients.html#AEN3269"
>Windows '95/'98</A
></DT
><DT
>24.5. <A
HREF="other-clients.html#AEN3285"
>Windows 2000 Service Pack 2</A
></DT
></DL
></DD
><DT
>25. <A
HREF="bugreport.html"
>Reporting Bugs</A
></DT
><DD
><DL
><DT
>25.1. <A
HREF="bugreport.html#AEN3309"
>Introduction</A
></DT
><DT
>25.2. <A
HREF="bugreport.html#AEN3319"
>General info</A
></DT
><DT
>25.3. <A
HREF="bugreport.html#AEN3325"
>Debug levels</A
></DT
><DT
>25.4. <A
HREF="bugreport.html#AEN3342"
>Internal errors</A
></DT
><DT
>25.5. <A
HREF="bugreport.html#AEN3352"
>Attaching to a running process</A
></DT
><DT
>25.6. <A
HREF="bugreport.html#AEN3355"
>Patches</A
></DT
></DL
></DD
><DT
>26. <A
HREF="diagnosis.html"
>Diagnosing your samba server</A
></DT
><DD
><DL
><DT
>26.1. <A
HREF="diagnosis.html#AEN3378"
>Introduction</A
></DT
><DT
>26.2. <A
HREF="diagnosis.html#AEN3383"
>Assumptions</A
></DT
><DT
>26.3. <A
HREF="diagnosis.html#AEN3393"
>Tests</A
></DT
><DD
><DL
><DT
>26.3.1. <A
HREF="diagnosis.html#AEN3395"
>Test 1</A
></DT
><DT
>26.3.2. <A
HREF="diagnosis.html#AEN3401"
>Test 2</A
></DT
><DT
>26.3.3. <A
HREF="diagnosis.html#AEN3407"
>Test 3</A
></DT
><DT
>26.3.4. <A
HREF="diagnosis.html#AEN3422"
>Test 4</A
></DT
><DT
>26.3.5. <A
HREF="diagnosis.html#AEN3427"
>Test 5</A
></DT
><DT
>26.3.6. <A
HREF="diagnosis.html#AEN3433"
>Test 6</A
></DT
><DT
>26.3.7. <A
HREF="diagnosis.html#AEN3441"
>Test 7</A
></DT
><DT
>26.3.8. <A
HREF="diagnosis.html#AEN3467"
>Test 8</A
></DT
><DT
>26.3.9. <A
HREF="diagnosis.html#AEN3484"
>Test 9</A
></DT
><DT
>26.3.10. <A
HREF="diagnosis.html#AEN3492"
>Test 10</A
></DT
><DT
>26.3.11. <A
HREF="diagnosis.html#AEN3498"
>Test 11</A
></DT
></DL
></DD
><DT
>26.4. <A
HREF="diagnosis.html#AEN3503"
>Still having troubles?</A
></DT
></DL
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="speed.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="portability.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Samba performance issues</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Portability</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

View File

@ -1,439 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="General installation"
HREF="introduction.html"><LINK
REL="PREVIOUS"
TITLE="Improved browsing in samba"
HREF="improved-browsing.html"><LINK
REL="NEXT"
TITLE="LanMan and NT Password Encryption in Samba"
HREF="pwencrypt.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="improved-browsing.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="pwencrypt.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="BROWSING-QUICK">Chapter 3. Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</H1
><P
>This document should be read in conjunction with Browsing and may
be taken as the fast track guide to implementing browsing across subnets
and / or across workgroups (or domains). WINS is the best tool for resolution
of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling
except by way of name to address mapping.</P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN377">3.1. Discussion</H1
><P
>Firstly, all MS Windows networking is based on SMB (Server Message
Block) based messaging. SMB messaging is implemented using NetBIOS. Samba
implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can
do likewise. NetBIOS based networking uses broadcast messaging to affect
browse list management. When running NetBIOS over TCP/IP this uses UDP
based messaging. UDP messages can be broadcast or unicast.</P
><P
>Normally, only unicast UDP messaging can be forwarded by routers. The
"remote announce" parameter to smb.conf helps to project browse announcements
to remote network segments via unicast UDP. Similarly, the "remote browse sync"
parameter of smb.conf implements browse list collation using unicast UDP.</P
><P
>Secondly, in those networks where Samba is the only SMB server technology
wherever possible nmbd should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
get cross segment browsing to work is by using the "remote announce" and
the "remote browse sync" parameters to your smb.conf file.</P
><P
>If only one WINS server is used then the use of the "remote announce" and the
"remote browse sync" parameters should NOT be necessary.</P
><P
>Samba WINS does not support MS-WINS replication. This means that when setting up
Samba as a WINS server there must only be one nmbd configured as a WINS server
on the network. Some sites have used multiple Samba WINS servers for redundancy
(one server per subnet) and then used "remote browse sync" and "remote announce"
to affect browse list collation across all segments. Note that this means
clients will only resolve local names, and must be configured to use DNS to
resolve names on other subnets in order to resolve the IP addresses of the
servers they can see on other subnets. This setup is not recommended, but is
mentioned as a practical consideration (ie: an 'if all else fails' scenario).</P
><P
>Lastly, take note that browse lists are a collection of unreliable broadcast
messages that are repeated at intervals of not more than 15 minutes. This means
that it will take time to establish a browse list and it can take up to 45
minutes to stabilise, particularly across network segments.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN385">3.2. Use of the "Remote Announce" parameter</H1
><P
>The "remote announce" parameter of smb.conf can be used to forcibly ensure
that all the NetBIOS names on a network get announced to a remote network.
The syntax of the "remote announce" parameter is:
<PRE
CLASS="PROGRAMLISTING"
> remote announce = a.b.c.d [e.f.g.h] ...</PRE
>
_or_
<PRE
CLASS="PROGRAMLISTING"
> remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...</PRE
>
where:
<P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>a.b.c.d and e.f.g.h</DT
><DD
><P
>is either the LMB (Local Master Browser) IP address
or the broadcst address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
address of the remote network every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</P
></DD
><DT
>WORKGROUP</DT
><DD
><P
>is optional and can be either our own workgroup
or that of the remote network. If you use the
workgroup name of the remote network then our
NetBIOS machine names will end up looking like
they belong to that workgroup, this may cause
name resolution problems and should be avoided.</P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN399">3.3. Use of the "Remote Browse Sync" parameter</H1
><P
>The "remote browse sync" parameter of smb.conf is used to announce to
another LMB that it must synchronise it's NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
simultaneously the LMB on it's network segment.</P
><P
>The syntax of the "remote browse sync" parameter is:
<PRE
CLASS="PROGRAMLISTING"
> remote browse sync = a.b.c.d</PRE
>
where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN404">3.4. Use of WINS</H1
><P
>Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers it's name together with a
name_type value for each of of several types of service it has available.
eg: It registers it's name directly as a unique (the type 0x03) name.
It also registers it's name if it is running the lanmanager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.</P
><P
>All NetBIOS names are up to 15 characters in length. The name_type variable
is added to the end of the name - thus creating a 16 character name. Any
name that is shorter than 15 characters is padded with spaces to the 15th
character. ie: All NetBIOS names are 16 characters long (including the
name_type information).</P
><P
>WINS can store these 16 character names as they get registered. A client
that wants to log onto the network can ask the WINS server for a list
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
information can only be provided via WINS _or_ via statically configured
"lmhosts" files that must reside on all clients in the absence of WINS.</P
><P
>WINS also serves the purpose of forcing browse list synchronisation by all
LMB's. LMB's must synchronise their browse list with the DMB (domain master
browser) and WINS helps the LMB to identify it's DMB. By definition this
will work only within a single workgroup. Note that the domain master browser
has NOTHING to do with what is referred to as an MS Windows NT Domain. The
later is a reference to a security environment while the DMB refers to the
master controller for browse list information only.</P
><P
>Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
has been configured to use the WINS server/s. Any client that has not been
configured to use the WINS server will continue to use only broadcast based
name registration so that WINS may NEVER get to know about it. In any case,
machines that have not registered with a WINS server will fail name to address
lookup attempts by other clients and will therefore cause workstation access
errors.</P
><P
>To configure Samba as a WINS server just add "wins support = yes" to the
smb.conf file [globals] section.</P
><P
>To configure Samba to register with a WINS server just add
"wins server = a.b.c.d" to your smb.conf file [globals] section.</P
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>DO NOT EVER</I
></SPAN
> use both "wins support = yes" together with "wins server = a.b.c.d"
particularly not using it's own IP address.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN415">3.5. Do NOT use more than one (1) protocol on MS Windows machines</H1
><P
>A very common cause of browsing problems results from installing more than
one protocol on an MS Windows machine.</P
><P
>Every NetBIOS machine take part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precidence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.</P
><P
>The election process is "fought out" so to speak over every NetBIOS network
interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
installed and has NetBIOS enabled over both protocols the election will be
decided over both protocols. As often happens, if the Windows 9x machine is
the only one with both protocols then the LMB may be won on the NetBIOS
interface over the IPX protocol. Samba will then lose the LMB role as Windows
9x will insist it knows who the LMB is. Samba will then cease to function
as an LMB and thus browse list operation on all TCP/IP only machines will
fail.</P
><P
>The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN421">3.6. Name Resolution Order</H1
><P
>Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
are:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>WINS: the best tool!</TD
></TR
><TR
><TD
>LMHOSTS: is static and hard to maintain.</TD
></TR
><TR
><TD
>Broadcast: uses UDP and can not resolve names across remote segments.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>Alternative means of name resolution includes:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>/etc/hosts: is static, hard to maintain, and lacks name_type info</TD
></TR
><TR
><TD
>DNS: is a good choice but lacks essential name_type info.</TD
></TR
></TBODY
></TABLE
><P
></P
></P
><P
>Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The "name resolve order" parameter is of great help here.
The syntax of the "name resolve order" parameter is:
<PRE
CLASS="PROGRAMLISTING"
> name resolve order = wins lmhosts bcast host</PRE
>
_or_
<PRE
CLASS="PROGRAMLISTING"
> name resolve order = wins lmhosts (eliminates bcast and host)</PRE
>
The default is:
<PRE
CLASS="PROGRAMLISTING"
> name resolve order = host lmhost wins bcast</PRE
>.
where "host" refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
controlled by <TT
CLASS="FILENAME"
>/etc/host.conf</TT
>, <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
> and <TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
>.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="improved-browsing.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="pwencrypt.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Improved browsing in samba</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="introduction.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>LanMan and NT Password Encryption in Samba</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 35. Reporting Bugs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="problems.html" title="Chapter 34. Analysing and solving samba problems"><link rel="next" href="Appendixes.html" title="Part VI. Appendixes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 35. Reporting Bugs</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="Appendixes.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="bugreport"></a>Chapter 35. 
Reporting Bugs</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="surname">Someone; Tridge or Karl Auer perhaps?</span></h3></div></div><div><p class="pubdate"> 27 June 1997 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="bugreport.html#id3009871">Introduction</a></dt><dt><a href="bugreport.html#id3009931">General info</a></dt><dt><a href="bugreport.html#id3009966">Debug levels</a></dt><dt><a href="bugreport.html#id3008063">Internal errors</a></dt><dt><a href="bugreport.html#id3008171">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3007672">Patches</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009871"></a>Introduction</h2></div></div><div></div></div><p>Please report bugs using
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 35. Reporting Bugs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="problems.html" title="Chapter 34. Analysing and solving samba problems"><link rel="next" href="Appendixes.html" title="Part VI. Appendixes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 35. Reporting Bugs</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="Appendixes.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="bugreport"></a>Chapter 35. 
Reporting Bugs</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="surname">Someone; Tridge or Karl Auer perhaps?</span></h3></div></div><div><p class="pubdate"> 27 June 1997 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012269"></a>Introduction</h2></div></div><div></div></div><p>Please report bugs using
<a href="https://bugzilla.samba.org/" target="_top">bugzilla</a>.</p><p>
Please take the time to read this file before you submit a bug
report. Also, please see if it has changed between releases, as we
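Review bot: every section anchor in this hunk is renumbered (id3009871 becomes id3012269 for Introduction, and likewise for each entry in the table of contents), so the generated ids are not stable from one regeneration to the next. Any outside link to bugreport.html#id... breaks, and each regeneration produces diff noise like this. Giving the sections explicit ids in the DocBook source would keep the anchors fixed. The DOCTYPE line also appears only once while the html line appears twice, which matches the -1,5 +1,4 header and means the regenerated page has lost its doctype declaration. Confirm that is intended, since browsers render a page without one in quirks mode.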
@ -21,23 +20,23 @@ that list that may be able to help you.
You may also like to look though the recent mailing list archives,
which are conveniently accessible on the Samba web pages
at <a href="http://samba.org/samba/" target="_top">http://samba.org/samba/</a>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009931"></a>General info</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012491"></a>General info</h2></div></div><div></div></div><p>
Before submitting a bug report check your config for silly
errors. Look in your log files for obvious messages that tell you that
you've misconfigured something and run testparm to test your config
file for correct syntax.
</p><p>
Have you run through the <a href="diagnosis.html" title="Chapter 33. The samba checklist">diagnosis</a>?
Have you run through the <a href="diagnosis.html" title="Chapter 33. The Samba checklist">diagnosis</a>?
This is very important.
</p><p>
If you include part of a log file with your bug report then be sure to
annotate it with exactly what you were doing on the client at the
time, and exactly what the results were.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009966"></a>Debug levels</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012528"></a>Debug levels</h2></div></div><div></div></div><p>
If the bug has anything to do with Samba behaving incorrectly as a
server (like refusing to open a file) then the log files will probably
be very useful. Depending on the problem a log level of between 3 and
10 showing the problem may be appropriate. A higher level givesmore
10 showing the problem may be appropriate. A higher level gives more
detail, but may use too much disk space.
</p><p>
To set the debug level use the <i class="parameter"><tt>log level</tt></i> in your
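Review bot: the paragraphs on attaching logs ("If you include part of a log file with your bug report ..." and the advice to use a log level of between 3 and 10) say nothing about what those logs expose. Logs at these levels record user names, client host names and addresses, and share and file paths, so the text should tell reporters to review and redact log excerpts before attaching them to a report. Separately, "look though the recent mailing list archives" in the first context line still needs "through"; this change fixes "givesmore" but not that one.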
@ -68,7 +67,7 @@ debugging operations you may not need a setting higher than
<tt class="constant">3</tt>. Nearly
all bugs can be tracked at a setting of <tt class="constant">10</tt>, but be
prepared for a VERY large volume of log data.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3008063"></a>Internal errors</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012670"></a>Internal errors</h2></div></div><div></div></div><p>
If you get a <span class="errorname">INTERNAL ERROR</span> message in your log files
it means that Samba got an unexpected signal while running. It is probably a
segmentation fault and almost certainly means a bug in Samba (unless
@ -99,9 +98,9 @@ If you know any assembly language then do a
where the problem occurred (if its in a library routine then
disassemble the routine that called it) and try to work out exactly
where the problem is by looking at the surrounding code. Even if you
don't know assembly then incuding this info in the bug report can be
don't know assembly, including this info in the bug report can be
useful.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3008171"></a>Attaching to a running process</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012778"></a>Attaching to a running process</h2></div></div><div></div></div><p>
Unfortunately some unixes (in particular some recent linux kernels)
refuse to dump a core file if the task has changed uid (which smbd
does often). To debug with this sort of system you could try to attach
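Review bot: "if its in a library routine" on the first line of this hunk should read "if it's"; the hunk corrects "incuding" a few lines later but leaves this one. Since these pages are generated, both corrections belong in the DocBook source so that they survive the next regeneration.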
@ -111,7 +110,7 @@ to the running process using
Then use <b class="command">c</b> to continue and try to cause the core dump
using the client. The debugger should catch the fault and tell you
where it occurred.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007672"></a>Patches</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012825"></a>Patches</h2></div></div><div></div></div><p>
The best sort of bug report is one that includes a fix! If you send us
patches please use <b class="userinput"><tt>diff -u</tt></b> format if your version of
diff supports it, otherwise use <b class="userinput"><tt>diff -c4</tt></b>. Make sure

View File

@ -1,9 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 36. How to compile SAMBA</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Appendixes.html" title="Part VI. Appendixes"><link rel="next" href="Portability.html" title="Chapter 37. Portability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 36. How to compile SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Appendixes.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="compiling"></a>Chapter 36. 
How to compile SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="surname">Someone; Jerry perhaps?</span></h3></div></div><div><p class="pubdate"> 22 May 2001 </p></div><div><p class="pubdate"> 18 March 2003 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="compiling.html#id3007789">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3007797">Introduction</a></dt><dt><a href="compiling.html#id3007826">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3009294">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3009342">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3009477">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3009615">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3010510">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3010602">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3010805">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3010900">Common Errors</a></dt></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 36. How to compile SAMBA</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Appendixes.html" title="Part VI. Appendixes"><link rel="next" href="Portability.html" title="Chapter 37. Portability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 36. How to compile SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Appendixes.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="compiling"></a>Chapter 36. 
How to compile SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="surname">Someone; Jerry perhaps?</span></h3></div></div><div><p class="pubdate"> 22 May 2001 </p></div><div><p class="pubdate"> 18 March 2003 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></div><p>
You can obtain the samba source from the
<a href="http://samba.org/" target="_top">samba website</a>. To obtain a development version,
you can download samba from CVS or using rsync.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007789"></a>Access Samba source code via CVS</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3007797"></a>Introduction</h3></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012145"></a>Access Samba source code via CVS</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012152"></a>Introduction</h3></div></div><div></div></div><p>
Samba is developed in an open environment. Developers use CVS
(Concurrent Versioning System) to &quot;checkin&quot; (also known as
&quot;commit&quot;) new source code. Samba's various CVS branches can
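Review bot: the author block in this header still renders the placeholder "Someone; Jerry perhaps?" as a second author, in both copies of the line. That is a note to self in the DocBook source, not an attribution; resolve it to a real name or drop the element before the page is published. The two pubdate entries (22 May 2001 and 18 March 2003) are also rendered side by side with nothing to say which one is the revision date.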
@ -12,12 +11,12 @@ detailed in this chapter.
</p><p>
This chapter is a modified version of the instructions found at
<a href="http://samba.org/samba/cvs.html" target="_top">http://samba.org/samba/cvs.html</a>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3007826"></a>CVS Access to samba.org</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012182"></a>CVS Access to samba.org</h3></div></div><div></div></div><p>
The machine samba.org runs a publicly accessible CVS
repository for access to the source code of several packages,
including samba, rsync, distcc, ccache and jitterbug. There are two main ways
of accessing the CVS server on this host.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3007841"></a>Access via CVSweb</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3012198"></a>Access via CVSweb</h4></div></div><div></div></div><p>
You can access the source code via your
favourite WWW browser. This allows you to access the contents of
individual files in the repository and also to look at the revision
@ -25,7 +24,7 @@ history and commit logs of individual files. You can also ask for a diff
listing between any two versions on the repository.
</p><p>
Use the URL : <a href="http://samba.org/cgi-bin/cvsweb" target="_top">http://samba.org/cgi-bin/cvsweb</a>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3007871"></a>Access via cvs</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3013511"></a>Access via cvs</h4></div></div><div></div></div><p>
You can also access the source code via a
normal cvs client. This gives you much more control over what you can
do with the repository and allows you to checkout whole source trees
@ -67,7 +66,7 @@ on this system just substitute the correct package name
<tt class="option">-r</tt> and defining a tag name. A list of branch tag names
can be found on the &quot;Development&quot; page of the samba web site. A common
request is to obtain the latest 3.0 release code. This could be done by
using the following userinput.
using the following command:
</p><p>
<b class="userinput"><tt>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_3_0 samba</tt></b>
</p></li><li><p>
@ -75,7 +74,7 @@ on this system just substitute the correct package name
the following command from within the samba directory:
</p><p>
<b class="userinput"><tt>cvs update -d -P</tt></b>
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009294"></a>Accessing the samba sources via rsync and ftp</h2></div></div><div></div></div><p>
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013701"></a>Accessing the samba sources via rsync and ftp</h2></div></div><div></div></div><p>
pserver.samba.org also exports unpacked copies of most parts of the CVS
tree at <a href="ftp://pserver.samba.org/pub/unpacked" target="_top">ftp://pserver.samba.org/pub/unpacked</a> and also via anonymous rsync at
<a href="rsync://pserver.samba.org/ftp/unpacked/" target="_top">rsync://pserver.samba.org/ftp/unpacked/</a>. I recommend using rsync rather than ftp.
@ -84,7 +83,7 @@ on this system just substitute the correct package name
The disadvantage of the unpacked trees is that they do not support automatic
merging of local changes like CVS does. rsync access is most convenient
for an initial install.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009342"></a>Verifying Samba's PGP signature</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013750"></a>Verifying Samba's PGP signature</h2></div></div><div></div></div><p>
In these days of insecurity, it's strongly recommended that you verify the PGP
signature for any source file before installing it. Even if you're not
downloading from a mirror site, verifying PGP signatures should be a
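Review bot: the PGP section that opens at the end of this hunk recommends verifying the signature "for any source file before installing it", yet the paragraph just above it calls rsync access "most convenient for an initial install" of an unpacked tree, and the preceding hunks offer that tree over anonymous rsync and ftp and the sources over an anonymous pserver checkout. The text should say whether a signature exists for those trees or state plainly that the check applies only to signed release files, so that readers know what they are installing has not been verified.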
@ -111,7 +110,7 @@ then all is well. The warnings about trust relationships can be ignored. An
example of what you would not want to see would be:
</p><tt class="computeroutput">
gpg: BAD signature from &quot;Samba Distribution Verification Key&quot;
</tt></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009477"></a>Building the Binaries</h2></div></div><div></div></div><p>To do this, first run the program <b class="userinput"><tt>./configure
</tt></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013886"></a>Building the Binaries</h2></div></div><div></div></div><p>To do this, first run the program <b class="userinput"><tt>./configure
</tt></b> in the source directory. This should automatically
configure Samba for your operating system. If you have unusual
needs then you may wish to run</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>./configure --help
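Review bot: the context carried in this hunk's header reads "The warnings about trust relationships can be ignored." With that advice, a good-signature result only shows that the file matches whichever key the reader imported, not that the key belongs to the Samba team. The section should tell readers to compare the key's fingerprint against a value the project publishes through a separate channel, and explain the warning rather than dismiss it. Minor: the example runs ./configure --help from a root# prompt; configuring and building do not need root.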
@ -124,10 +123,10 @@ example of what you would not want to see would be:
of Samba you might like to know that the old versions of
the binaries will be renamed with a &quot;.old&quot; extension. You
can go back to the previous version with</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>make revert
</tt></b></p><p>if you find this version a disaster!</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3009615"></a>Compiling samba with Active Directory support</h3></div></div><div></div></div><p>In order to compile samba with ADS support, you need to have installed
</tt></b></p><p>if you find this version a disaster!</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3014023"></a>Compiling samba with Active Directory support</h3></div></div><div></div></div><p>In order to compile samba with ADS support, you need to have installed
on your system:</p><div class="itemizedlist"><ul type="disc"><li><p>the MIT kerberos development libraries
(either install from the sources or use a package). The
heimdal libraries will not work.</p></li><li><p>the OpenLDAP development libraries.</p></li></ul></div><p>If your kerberos libraries are in a non-standard location then
Heimdal libraries will not work.</p></li><li><p>the OpenLDAP development libraries.</p></li></ul></div><p>If your kerberos libraries are in a non-standard location then
remember to add the configure option
<tt class="option">--with-krb5=<i class="replaceable"><tt>DIR</tt></i></tt>.</p><p>After you run configure make sure that
<tt class="filename">include/config.h</tt> it generates contains lines like
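Review bot: Capitalising "Heimdal" in the list item is right, but the neighbouring lines still read "MIT kerberos development libraries", "your kerberos libraries" and "Compiling samba with Active Directory support". Fix "Kerberos" and "Samba" in the DocBook source in the same pass so the section spells the names one way.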
@ -136,13 +135,13 @@ example of what you would not want to see would be:
#define HAVE_LDAP 1
</pre><p>If it doesn't then configure did not find your krb5 libraries or
your ldap libraries. Look in <tt class="filename">config.log</tt> to figure
out why and fix it.</p><div xmlns:ns99="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3010424"></a>Installing the required packages for Debian</h4></div></div><div></div></div><p>On Debian you need to install the following packages:</p><ns99:p>
</ns99:p><table class="simplelist" border="0" summary="Simple list"><tr><td>libkrb5-dev</td></tr><tr><td>krb5-user</td></tr></table><ns99:p>
</ns99:p></div><div xmlns:ns100="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3010457"></a>Installing the required packages for RedHat</h4></div></div><div></div></div><p>On RedHat this means you should have at least: </p><ns100:p>
</ns100:p><table class="simplelist" border="0" summary="Simple list"><tr><td>krb5-workstation (for kinit)</td></tr><tr><td>krb5-libs (for linking with)</td></tr><tr><td>krb5-devel (because you are compiling from source)</td></tr></table><ns100:p>
</ns100:p><p>in addition to the standard development environment.</p><p>Note that these are not standard on a RedHat install, and you may need
to get them off CD2.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3010510"></a>Starting the <span class="application">smbd</span> and <span class="application">nmbd</span></h2></div></div><div></div></div><p>You must choose to start <span class="application">smbd</span> and <span class="application">nmbd</span> either
as daemons or from <span class="application">inetd</span>Don't try
out why and fix it.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3014104"></a>Installing the required packages for Debian</h4></div></div><div></div></div><p>On Debian you need to install the following packages:</p><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>libkrb5-dev</td></tr><tr><td>krb5-user</td></tr></table><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3014136"></a>Installing the required packages for RedHat</h4></div></div><div></div></div><p>On RedHat this means you should have at least: </p><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>krb5-workstation (for kinit)</td></tr><tr><td>krb5-libs (for linking with)</td></tr><tr><td>krb5-devel (because you are compiling from source)</td></tr></table><p>
</p><p>in addition to the standard development environment.</p><p>Note that these are not standard on a RedHat install, and you may need
to get them off CD2.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014188"></a>Starting the <span class="application">smbd</span> and <span class="application">nmbd</span></h2></div></div><div></div></div><p>You must choose to start <span class="application">smbd</span> and <span class="application">nmbd</span> either
as daemons or from <span class="application">inetd</span>. Don't try
to do both! Either you can put them in <tt class="filename">
inetd.conf</tt> and have them started on demand
by <span class="application">inetd</span>, or you can start them as
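Review bot: The Debian and RedHat package lists in this hunk name only Kerberos packages, yet the text directly above them checks for `#define HAVE_LDAP 1` and blames missing "ldap libraries" when it is absent. Add the distribution's OpenLDAP development package to each list, or state that it must be installed separately. The empty `<p>` / `</p>` pairs that replaced the `ns99:p` and `ns100:p` elements around each simplelist are also still emitted and could be dropped in the stylesheet.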
@ -153,7 +152,7 @@ example of what you would not want to see would be:
Samba. In many cases you must be root.</p><p>The main advantage of starting <span class="application">smbd</span>
and <span class="application">nmbd</span> using the recommended daemon method
is that they will respond slightly more quickly to an initial connection
request.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3010602"></a>Starting from inetd.conf</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The following will be different if
request.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3014280"></a>Starting from inetd.conf</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The following will be different if
you use NIS, NIS+ or LDAP to distribute services maps.</p></div><p>Look at your <tt class="filename">/etc/services</tt>.
What is defined at port 139/tcp. If nothing is defined
then add a line like this:</p><pre class="programlisting">netbios-ssn 139/tcp</pre><p>similarly for 137/udp you should have an entry like:</p><pre class="programlisting">netbios-ns 137/udp</pre><p>Next edit your <tt class="filename">/etc/inetd.conf</tt>
@ -179,7 +178,7 @@ example of what you would not want to see would be:
arguments, or you should use a script, and start the script
from <b class="command">inetd</b>.</p></div><p>Restart <span class="application">inetd</span>, perhaps just send
it a HUP. If you have installed an earlier version of <span class="application">nmbd</span> then
you may need to kill <span class="application">nmbd</span> as well.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3010805"></a>Alternative: starting it as a daemon</h3></div></div><div></div></div><p>To start the server as a daemon you should create
you may need to kill <span class="application">nmbd</span> as well.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3014484"></a>Alternative: starting it as a daemon</h3></div></div><div></div></div><p>To start the server as a daemon you should create
a script something like this one, perhaps calling
it <tt class="filename">startsmb</tt>.</p><pre class="programlisting">
#!/bin/sh
@ -191,7 +190,7 @@ example of what you would not want to see would be:
</p><p>To kill it send a kill signal to the processes
<span class="application">nmbd</span> and <span class="application">smbd</span>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you use the SVR4 style init system then
you may like to look at the <tt class="filename">examples/svr4-startup</tt>
script to make Samba fit into that system.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3010900"></a>Common Errors</h2></div></div><div></div></div><p>&#8220;<span class="quote">
script to make Samba fit into that system.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014579"></a>Common Errors</h2></div></div><div></div></div><p>&#8220;<span class="quote">
I'm using gcc 3 and I've compiled Samba-3 from the CVS and the
binaries are very large files (40 Mb and 20 Mb). I've the same result with
<tt class="option">--enable-shared</tt> ?

View File

@ -1,298 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>HOWTO Access Samba source code via CVS</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Optional configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Storing Samba's User/Machine Account information in an LDAP Directory"
HREF="samba-ldap-howto.html"><LINK
REL="NEXT"
TITLE="Group mapping HOWTO"
HREF="groupmapping.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="samba-ldap-howto.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="groupmapping.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="CVS-ACCESS">Chapter 20. HOWTO Access Samba source code via CVS</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2964">20.1. Introduction</H1
><P
>Samba is developed in an open environment. Developers use CVS
(Concurrent Versioning System) to "checkin" (also known as
"commit") new source code. Samba's various CVS branches can
be accessed via anonymous CVS using the instructions
detailed in this chapter.</P
><P
>This document is a modified version of the instructions found at
<A
HREF="http://samba.org/samba/cvs.html"
TARGET="_top"
>http://samba.org/samba/cvs.html</A
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2969">20.2. CVS Access to samba.org</H1
><P
>The machine samba.org runs a publicly accessible CVS
repository for access to the source code of several packages,
including samba, rsync and jitterbug. There are two main ways of
accessing the CVS server on this host.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2972">20.2.1. Access via CVSweb</H2
><P
>You can access the source code via your
favourite WWW browser. This allows you to access the contents of
individual files in the repository and also to look at the revision
history and commit logs of individual files. You can also ask for a diff
listing between any two versions on the repository.</P
><P
>Use the URL : <A
HREF="http://samba.org/cgi-bin/cvsweb"
TARGET="_top"
>http://samba.org/cgi-bin/cvsweb</A
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2977">20.2.2. Access via cvs</H2
><P
>You can also access the source code via a
normal cvs client. This gives you much more control over you can
do with the repository and allows you to checkout whole source trees
and keep them up to date via normal cvs commands. This is the
preferred method of access if you are a developer and not
just a casual browser.</P
><P
>To download the latest cvs source code, point your
browser at the URL : <A
HREF="http://www.cyclic.com/"
TARGET="_top"
>http://www.cyclic.com/</A
>.
and click on the 'How to get cvs' link. CVS is free software under
the GNU GPL (as is Samba). Note that there are several graphical CVS clients
which provide a graphical interface to the sometimes mundane CVS commands.
Links to theses clients are also available from http://www.cyclic.com.</P
><P
>To gain access via anonymous cvs use the following steps.
For this example it is assumed that you want a copy of the
samba source code. For the other source code repositories
on this system just substitute the correct package name</P
><P
></P
><OL
TYPE="1"
><LI
><P
> Install a recent copy of cvs. All you really need is a
copy of the cvs client binary.
</P
></LI
><LI
><P
> Run the command
</P
><P
> <B
CLASS="COMMAND"
>cvs -d :pserver:cvs@samba.org:/cvsroot login</B
>
</P
><P
> When it asks you for a password type <TT
CLASS="USERINPUT"
><B
>cvs</B
></TT
>.
</P
></LI
><LI
><P
> Run the command
</P
><P
> <B
CLASS="COMMAND"
>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B
>
</P
><P
> This will create a directory called samba containing the
latest samba source code (i.e. the HEAD tagged cvs branch). This
currently corresponds to the 3.0 development tree.
</P
><P
> CVS branches other HEAD can be obtained by using the <TT
CLASS="PARAMETER"
><I
>-r</I
></TT
>
and defining a tag name. A list of branch tag names can be found on the
"Development" page of the samba web site. A common request is to obtain the
latest 2.2 release code. This could be done by using the following command.
</P
><P
> <B
CLASS="COMMAND"
>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B
>
</P
></LI
><LI
><P
> Whenever you want to merge in the latest code changes use
the following command from within the samba directory:
</P
><P
> <B
CLASS="COMMAND"
>cvs update -d -P</B
>
</P
></LI
></OL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="samba-ldap-howto.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="groupmapping.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Storing Samba's User/Machine Account information in an LDAP Directory</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Group mapping HOWTO</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
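Review bot: Deleting this file outright removes the standalone Chapter 20 page, so please confirm two things before merging: that the anonymous CVS steps it carried (the `:pserver:cvs@samba.org:/cvsroot` login, the `co -r SAMBA_2_2 samba` branch checkout and `cvs update -d -P`) still appear in a regenerated page, and that samba-ldap-howto.html and groupmapping.html, which this page named as its Prev and Next neighbours, do not still link back to it. If the content has moved, the commit message should say where.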

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 33. The samba checklist</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="next" href="problems.html" title="Chapter 34. Analysing and solving samba problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 33. The samba checklist</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="diagnosis"></a>Chapter 33. 
The samba checklist</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">Wed Jan 15</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="diagnosis.html#id3003201">Introduction</a></dt><dt><a href="diagnosis.html#id3003235">Assumptions</a></dt><dt><a href="diagnosis.html#id3003407">The tests</a></dt><dt><a href="diagnosis.html#id3006959">Still having troubles?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003201"></a>Introduction</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 33. The Samba checklist</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="next" href="problems.html" title="Chapter 34. Analysing and solving samba problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 33. The Samba checklist</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="diagnosis"></a>Chapter 33. 
The Samba checklist</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">Wed Jan 15</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3006072"></a>Introduction</h2></div></div><div></div></div><p>
This file contains a list of tests you can perform to validate your
Samba server. It also tells you what the likely cause of the problem
is if it fails any one of these steps. If it passes all these tests
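Review bot: The title becomes "The Samba checklist" in the `<title>`, the navigation header and the `<h2>`, but the `next` link on the same line still carries title="Chapter 34. Analysing and solving samba problems". Capitalise "Samba" in that chapter's source title as well so the product name is spelled one way across the generated pages.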
@ -14,7 +13,7 @@ to solve a problem.
If you send one of the samba mailing lists an email saying &quot;it doesn't work&quot;
and you have not followed this test procedure then you should not be surprised
if your email is ignored.
</p></div><div xmlns:ns98="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003235"></a>Assumptions</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007931"></a>Assumptions</h2></div></div><div></div></div><p>
In all of the tests it is assumed you have a Samba server called
BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP.
</p><p>
@ -31,8 +30,8 @@ following to <tt class="filename">smb.conf</tt>:
path = /tmp
read only = yes
</pre><ns98:p>
</ns98:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
These tests assume version 3.0 or later of the samba suite.
Some commands shown did not exist in earlier versions.
</p></div><p>
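Review bot: The test share kept as context in this hunk exports `path = /tmp` with `read only = yes`, which makes whatever other users and daemons leave readable in /tmp visible to any client that can connect to the share. Suggest pointing the example at a dedicated empty directory and adding a line that tells the reader to remove the share once the checklist is finished. The note's "samba suite" could also become "Samba suite" to match the retitled chapter.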
@ -55,7 +54,7 @@ depending on how or if you specified logging in your <tt class="filename">smb.co
</p><p>
If you make changes to your <tt class="filename">smb.conf</tt> file while going through these test,
don't forget to restart <span class="application">smbd</span> and <span class="application">nmbd</span>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003407"></a>The tests</h2></div></div><div></div></div><div class="procedure"><p class="title"><b>Procedure 33.1. Diagnosing your samba server</b></p><ol type="1"><li><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3008108"></a>The tests</h2></div></div><div></div></div><div class="procedure"><p class="title"><b>Procedure 33.1. Diagnosing your samba server</b></p><ol type="1"><li><p>
In the directory in which you store your <tt class="filename">smb.conf</tt> file, run the command
<b class="userinput"><tt>testparm smb.conf</tt></b>. If it reports any errors then your <tt class="filename">smb.conf</tt>
configuration file is faulty.
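Review bot: "while going through these test," in the context paragraph should read "these tests". This regeneration picks up other spelling fixes in the chapter (for example "passords" to "passwords"), so it is worth correcting in the source at the same time.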
@ -123,7 +122,7 @@ the following <tt class="filename">smb.conf</tt> file entries:
bind interfaces only = Yes
</pre><p>
In the above, no allowance has been made for any session requests that
will automatically translate to the loopback adaptor address 127.0.0.1.
will automatically translate to the loopback adapter address 127.0.0.1.
To solve this problem change these lines to:
</p><pre class="programlisting">
hosts deny = ALL
@ -146,7 +145,7 @@ to start <span class="application">smbd</span> as a daemon, it can avoid a lot o
And yet another possible cause for failure of this test is when the subnet mask
and / or broadcast address settings are incorrect. Please check that the
network interface IP Address / Broadcast Address / Subnet Mask settings are
correct and that Samba has correctly noted these in the <tt class="filename">log.nmb</tt> file.
correct and that Samba has correctly noted these in the <tt class="filename">log.nmbd</tt> file.
</p></li><li><p>
Run the command <b class="userinput"><tt>nmblookup -B BIGSERVER __SAMBA__</tt></b>. You should get the
IP address of your Samba server back.
@ -171,7 +170,7 @@ Run the command <b class="userinput"><tt>nmblookup -d 2 '*'</tt></b>
</p><p>
This time we are trying the same as the previous test but are trying
it via a broadcast to the default broadcast address. A number of
Netbios/TCPIP hosts on the network should respond, although Samba may
NetBIOS / TCP/IP hosts on the network should respond, although Samba may
not catch all of the responses in the short time it listens. You
should see <span class="errorname">got a positive name query response</span>
messages from several hosts.
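Review bot: The replacement "NetBIOS / TCP/IP hosts" fixes the casing, but the two slashes side by side are hard to parse. If the sentence means hosts speaking NetBIOS over TCP/IP, write "NetBIOS over TCP/IP hosts" instead.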
@ -206,7 +205,7 @@ name</span> then the service <span class="emphasis"><em>&quot;tmp&quot;</em></sp
</p><p>
If it says <span class="errorname">bad password</span> then the likely causes are:
</p><div class="orderedlist"><ol type="1"><li><p>
you have shadow passords (or some other password system) but didn't
you have shadow passwords (or some other password system) but didn't
compile in support for them in <span class="application">smbd</span>
</p></li><li><p>
your <b class="command">valid users</b> configuration is incorrect
@ -236,10 +235,10 @@ to choose one of them):
fixup the <span class="application">nmbd</span> installation
</p></li><li><p>
add the IP address of BIGSERVER to the <b class="command">wins server</b> box in the
advanced tcp/ip setup on the PC.
advanced TCP/IP setup on the PC.
</p></li><li><p>
enable windows name resolution via DNS in the advanced section of
the tcp/ip setup
the TCP/IP setup
</p></li><li><p>
add BIGSERVER to your lmhosts file on the PC.
</p></li></ol></div><p>
@ -298,6 +297,6 @@ capability and is in user level security mode. In this case either set
<i class="parameter"><tt>password server = Windows_NT_Machine</tt></i> in your
<tt class="filename">smb.conf</tt> file, or make sure <i class="parameter"><tt>encrypted passwords</tt></i> is
set to &quot;yes&quot;.
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3006959"></a>Still having troubles?</h2></div></div><div></div></div><p>Read the chapter on
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3009283"></a>Still having troubles?</h2></div></div><div></div></div><p>Read the chapter on
<a href="problems.html" title="Chapter 34. Analysing and solving samba problems">Analysing and Solving Problems</a>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part V. Troubleshooting </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 34. Analysing and solving samba problems</td></tr></table></div></body></html>

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Domain Membership</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 7. 
Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="domain-member.html#id2895146">Features and Benefits</a></dt><dt><a href="domain-member.html#id2894718">MS Windows Workstation/Server Machine Trust 
Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2894878">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2896660">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="domain-member.html#id2896857">&quot;On-the-Fly&quot; Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2896912">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#id2897057">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2897105">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2899703">Why is this better than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2899841">Setup your smb.conf</a></dt><dt><a href="domain-member.html#id2899924">Setup your /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the computer account</a></dt><dt><a href="domain-member.html#ads-test-server">Test your server setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2900266">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2900288">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2900310">Can Not Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2900342">Adding Machine to Domain Fails</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Domain Membership</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 7. 
Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="domain-member.html#id2897897">Features and Benefits</a></dt><dt><a href="domain-member.html#id2898012">MS Windows Workstation/Server Machine Trust 
Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2898188">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898440">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="domain-member.html#id2898636">&quot;On-the-Fly&quot; Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898699">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2898901">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2899283">Why is this better than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2899424">Setup your smb.conf</a></dt><dt><a href="domain-member.html#id2899508">Setup your /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the computer account</a></dt><dt><a href="domain-member.html#ads-test-server">Test your server setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2899872">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2899892">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2899919">Can Not Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2899951">Adding Machine to Domain Fails</a></dt></dl></dd></dl></div><p>
Domain Membership is a subject of vital concern, Samba must be able to
participate as a member server in a Microsoft Domain security context, and
Samba must be capable of providing Domain machine member trust accounts,
@ -12,7 +11,7 @@ within the current MS Windows networking world and particularly in the
Unix/Linux networking and administration world, a considerable level of
mis-information, incorrect understanding, and a lack of knowledge. Hopefully
this chapter will fill the voids.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2895146"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2897897"></a>Features and Benefits</h2></div></div><div></div></div><p>
MS Windows workstations and servers that want to participate in domain
security need to
be made Domain members. Participating in Domain security is often called
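Review bot: the anchor on the "Features and Benefits" heading changes from `id2895146` to `id2897897` only because the docs were regenerated, so any external link or bookmark to the old fragment breaks on every rebuild. Give the section an explicit id in the DocBook source so the stylesheet emits a stable name, as already happens for anchors such as `ads-member`.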
@ -30,7 +29,7 @@ Domain membership has many advantages:
MS Windows workstation users get the benefit of SSO
</p></li><li><p>
Domain user access rights and file ownership / access controls can be set
from the single Domain SAM (Security Accounts Management) database
from the single Domain SAM (Security Account Manager) database
(works with Domain member servers as well as with MS Windows workstations
that are domain members)
</p></li><li><p>
@ -41,7 +40,7 @@ Domain membership has many advantages:
Domain Member workstations can be better controlled through the use of
Policy files (<tt class="filename">NTConfig.POL</tt>) and Desktop Profiles.
</p></li><li><p>
Through the use of logon scripts users can be given transparent access to network
Through the use of logon scripts, users can be given transparent access to network
applications that run off application servers
</p></li><li><p>
Network administrators gain better application and user access management
@ -49,7 +48,7 @@ Domain membership has many advantages:
client or server, other than the central Domain database
(either NT4/Samba SAM style Domain, NT4 Domain that is back ended with an
LDAP directory, or via an Active Directory infrastructure)
</p></li></ul></div></div><div xmlns:ns7="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894718"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2898012"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div><div></div></div><p>
A machine trust account is an account that is used to authenticate a client
machine
(rather than a user) to the Domain Controller server. In Windows terminology,
@ -68,11 +67,11 @@ shared secret with the domain controller.
A Windows NT4 PDC stores each machine trust account in the Windows Registry.
The introduction of MS Windows 2000 saw the introduction of Active Directory,
the new repository for machine trust accounts.
</p><ns7:p>
</p><p>
A Samba PDC, however, stores each machine trust account in two parts,
as follows:
</ns7:p><div class="itemizedlist"><ul type="disc"><li><p>
</p><div class="itemizedlist"><ul type="disc"><li><p>
A Domain Security Account (stored in the
<i class="parameter"><tt>passdb backend</tt></i> that has been configured in the
<tt class="filename">smb.conf</tt> file. The precise nature of the account information that is
@ -92,8 +91,8 @@ as follows:
<tt class="filename">/etc/passwd</tt>. Work is in progress to allow a
simplified mode of operation that does not require Unix user accounts, but
this may not be a feature of the early releases of Samba-3.
</p></li></ul></div><ns7:p>
</ns7:p><p>
</p></li></ul></div><p>
</p><p>
There are three ways to create machine trust accounts:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Manual creation from the Unix/Linux command line. Here, both the Samba and
@ -108,7 +107,7 @@ There are three ways to create machine trust accounts:
created by Samba at the time the client is joined to the domain.
(For security, this is the recommended method.) The corresponding Unix
account may be created automatically or manually.
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894878"></a>Manual Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898188"></a>Manual Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
The first step in manually creating a machine trust account is to manually
create the corresponding Unix account in <tt class="filename">/etc/passwd</tt>.
This can be done using <b class="command">vipw</b> or another 'add user' command
@ -140,11 +139,11 @@ Now that the corresponding Unix account has been created, the next step is to cr
the Samba account for the client containing the well-known initial
machine trust account password. This can be done using the <a href="smbpasswd.8.html" target="_top"><b class="command">smbpasswd(8)</b></a> command
as shown here:
</p><ns7:p>
</ns7:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -a -m <i class="replaceable"><tt>machine_name</tt></i></tt></b>
</pre><ns7:p>&gt;
</ns7:p><p>
</pre><p>
</p><p>
where <i class="replaceable"><tt>machine_name</tt></i> is the machine's NetBIOS
name. The RID of the new machine account is generated from the UID of
the corresponding Unix account.
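Review bot: the stray `&gt;` after `</pre>` is gone, but the `<pre class="screen">` block holding the smbpasswd command is still surrounded by two empty `<p>` / `</p>` pairs, which render as blank paragraphs. If the source wraps the screen element in a para, lifting it out should stop the generator emitting them; the same pattern recurs in the later hunks that replace `ns8:p` and `ns9:p`.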
@ -157,7 +156,7 @@ the corresponding Unix account.
your domain using a machine with the same NetBIOS name. A PDC inherently
trusts members of the domain and will serve out a large degree of user
information to such clients. You have been warned!
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896660"></a>Using NT4 Server Manager to Add Machine Accounts to the Domain</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898440"></a>Using NT4 Server Manager to Add Machine Accounts to the Domain</h3></div></div><div></div></div><p>
If the machine from which you are trying to manage the domain is an
<span class="application">MS Windows NT4 workstation</span>
then the tool of choice is the package called <b class="command">SRVTOOLS.EXE</b>.
@ -188,7 +187,7 @@ Launch the <b class="command">srvmgr.exe</b> (Server Manager for Domains) and fo
<span class="guilabel">Add NT Workstation of Server</span>, then
enter the machine name in the field provided, then click the
<span class="guibutton">Add</span> button.
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896857"></a>&quot;On-the-Fly&quot; Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898636"></a>&quot;On-the-Fly&quot; Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
The second (and recommended) way of creating machine trust accounts is
simply to allow the Samba server to create them as needed when the client
is joined to the domain.
@ -203,10 +202,10 @@ Below is an example for a RedHat Linux system.
[global]
# &lt;...remainder of parameters...&gt;
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896912"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div><div></div></div><p>
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898699"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div><div></div></div><p>
The procedure for making an MS Windows workstation of server a member of the domain varies
with the version of Windows:
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2896925"></a>Windows 200x XP Professional</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2898711"></a>Windows 200x XP Professional</h4></div></div><div></div></div><p>
When the user elects to make the client a domain member, Windows 200x prompts for
an account and password that has privileges to create machine accounts in the domain.
A Samba administrative account (i.e., a Samba account that has root privileges on the
@ -226,7 +225,7 @@ with the version of Windows:
encryption key for setting the password of the machine trust
account. The machine trust account will be created on-the-fly, or
updated if it already exists.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2896993"></a>Windows NT4</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2898779"></a>Windows NT4</h4></div></div><div></div></div><p>
If the machine trust account was created manually, on the
Identification Changes menu enter the domain name, but do not
check the box <span class="guilabel">Create a Computer Account in the Domain</span>.
@ -239,10 +238,10 @@ with the version of Windows:
Domain</span>. In this case, joining the domain proceeds as above
for Windows 2000 (i.e., you must supply a Samba administrative account when
prompted).
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2897034"></a>Samba</h4></div></div><div></div></div><p>Joining a samba client to a domain is documented in
the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Member</a> chapter.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2897057"></a>Domain Member Server</h2></div></div><div></div></div><p>
This mode of server operation involves the samba machine being made a member
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2898820"></a>Samba</h4></div></div><div></div></div><p>Joining a Samba client to a domain is documented in
the <a href="domain-member.html#domain-member-server" title="Domain Member Server">Domain Member Server</a> section of this chapter chapter.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domain-member-server"></a>Domain Member Server</h2></div></div><div></div></div><p>
This mode of server operation involves the Samba machine being made a member
of a domain security context. This means by definition that all user
authentication will be done from a centrally defined authentication regime.
The authentication regime may come from an NT3/4 style (old domain technology)
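Review bot: the new cross-reference sentence in the Samba subsection ends with a doubled word, "section of this chapter chapter." Drop the second "chapter" in the DocBook source and regenerate. Retargeting the link from `domain-member.html` to `#domain-member-server` is right, since the old link pointed the chapter at itself.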
@ -259,30 +258,30 @@ Server, etc.
Please refer to the <a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control chapter</a>
for more information regarding how to create a domain
machine account for a domain member server as well as for information
regarding how to enable the samba domain member machine to join the domain and
regarding how to enable the Samba domain member machine to join the domain and
to be fully trusted by it.
</p><div xmlns:ns8="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2897105"></a>Joining an NT4 type Domain with Samba-3</h3></div></div><div></div></div><ns8:p>
</ns8:p><div class="table"><a name="id2897115"></a><p class="title"><b>Table 7.1. Assumptions</b></p><table summary="Assumptions" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left">NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="left">Win2K/NT domain name:</td><td align="left">DOM</td></tr><tr><td align="left">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="left">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div><ns8:p>
</ns8:p><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2898901"></a>Joining an NT4 type Domain with Samba-3</h3></div></div><div></div></div><p>
</p><div class="table"><a name="id2898912"></a><p class="title"><b>Table 7.1. Assumptions</b></p><table summary="Assumptions" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left">NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="left">Win2K/NT domain name:</td><td align="left">DOM</td></tr><tr><td align="left">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="left">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div><p>
</p><p>
First, you must edit your <tt class="filename">smb.conf</tt> file to tell Samba it should
now use domain security.
</p><p>
Change (or add) your <a href="smb.conf.5.html#SECURITY" target="_top">
<i class="parameter"><tt>security</tt></i></a> line in the [global] section
of your <tt class="filename">smb.conf</tt> to read:
</p><ns8:p>
</ns8:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
security = domain
</pre><ns8:p>
</ns8:p><p>
</pre><p>
</p><p>
Next change the <a href="smb.conf.5.html#WORKGROUP" target="_top"><i class="parameter"><tt>
workgroup</tt></i></a> line in the <i class="parameter"><tt>[global]</tt></i>
section to read:
</p><ns8:p>
</ns8:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
workgroup = DOM
</pre><ns8:p>
</ns8:p><p>
</pre><p>
</p><p>
as this is the name of the domain we are joining.
</p><p>
You must also have the parameter <a href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">
@ -292,11 +291,11 @@ You must also have the parameter <a href="smb.conf.5.html#ENCRYPTPASSWORDS" targ
Finally, add (or modify) a <a href="smb.conf.5.html#PASSWORDSERVER" target="_top">
<i class="parameter"><tt>password server</tt></i></a> line in the [global]
section to read:
</p><ns8:p>
</ns8:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
password server = DOMPDC DOMBDC1 DOMBDC2
</pre><ns8:p>
</ns8:p><p>
</pre><p>
</p><p>
These are the primary and backup domain controllers Samba
will attempt to contact in order to authenticate users. Samba will
try to contact each of these servers in order, so you may want to
@ -306,27 +305,28 @@ among domain controllers.
Alternatively, if you want smbd to automatically determine
the list of Domain controllers to use for authentication, you may
set this line to be:
</p><ns8:p>
</ns8:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
password server = *
</pre><ns8:p>
</ns8:p><p>
This method, allows Samba to use exactly the same mechanism that NT does. This
</pre><p>
</p><p>
This method allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.
</p><p>
In order to actually join the domain, you must run this command:
</p><ns8:p>
</ns8:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net join -S DOMPDC -U<i class="replaceable"><tt>Administrator%password</tt></i></tt></b>
</pre><ns8:p>
</ns8:p><p>
</pre><p>
</p><p>
If the <tt class="option">-S DOMPDC</tt> argument is not given then
the domain name will be obtained from <tt class="filename">smb.conf</tt>.
</p><p>
As we are joining the domain DOM and the PDC for that domain
(the only machine that has write access to the domain SAM database)
is DOMPDC. The <i class="replaceable"><tt>Administrator%password</tt></i> is
is DOMPDC, we use it for the <tt class="option">-S</tt> option.
The <i class="replaceable"><tt>Administrator%password</tt></i> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:
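Review bot: the join example `net join -S DOMPDC -UAdministrator%password` puts the administrator password on the command line, where it lands in shell history and is visible in the process list to other local users while the command runs. Suggest showing `-U Administrator` alone so that net prompts for the password, and mentioning the `%password` form only as an option. Separately, "If the -S DOMPDC argument is not given then the domain name will be obtained from smb.conf" reads oddly next to the new text that describes -S as naming the PDC; say what is looked up when -S is omitted.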
@ -343,7 +343,7 @@ trust account on the PDC beforehand.
This command goes through the machine account password
change protocol, then writes the new (random) machine account
password for this Samba server into a file in the same directory
in which an smbpasswd file would be stored - normally :
in which an smbpasswd file would be stored - normally:
</p><p>
<tt class="filename">/usr/local/samba/private/secrets.tdb</tt>
</p><p>
@ -354,7 +354,7 @@ as a shadow password file.
</p><p>
Finally, restart your Samba daemons and get ready for
clients to begin using domain security!
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899703"></a>Why is this better than security = server?</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899283"></a>Why is this better than security = server?</h3></div></div><div></div></div><p>
Currently, domain security in Samba doesn't free you from
having to create local Unix users to represent the users attaching
to your server. This means that if domain user <tt class="constant">DOM\fred
@ -365,8 +365,8 @@ filesystem. This is very similar to the older Samba security mode
where Samba would pass through the authentication request to a Windows
NT server in the same way as a Windows 95 or Windows 98 server would.
</p><p>
Please refer to the <a href="winbind.html" target="_top">Winbind
paper</a> for information on a system to automatically
Please refer to the <a href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind">Winbind</a> chapter
for information on a system to automatically
assign UNIX uids and gids to Windows NT Domain users and groups.
</p><p>
The advantage to domain-level security is that the
@ -396,27 +396,27 @@ was first published in the Web magazine
<a href="http://www.linuxworld.com" target="_top">LinuxWorld</a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" target="_top">Doing
the NIS/NT Samba</a>.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ads-member"></a>Samba ADS Domain Membership</h2></div></div><div></div></div><p>
This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC.
</p><div xmlns:ns9="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899841"></a>Setup your <tt class="filename">smb.conf</tt></h3></div></div><div></div></div><p>
This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a
Windows2000 KDC. A familiarity with Kerberos is assumed.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899424"></a>Setup your <tt class="filename">smb.conf</tt></h3></div></div><div></div></div><p>
You must use at least the following 3 options in <tt class="filename">smb.conf</tt>:
</p><pre class="programlisting">
realm = your.kerberos.REALM
security = ADS
encrypt passwords = yes
</pre><ns9:p>
</pre><p>
In case samba can't figure out your ads server using your realm name, use the
<i class="parameter"><tt>ads server</tt></i> option in <tt class="filename">smb.conf</tt>:
</ns9:p><pre class="programlisting">
</p><pre class="programlisting">
ads server = your.kerberos.server
</pre><ns9:p>
</ns9:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
You do <span class="emphasis"><em>not</em></span> need a smbpasswd file, and older clients will be authenticated as
if <i class="parameter"><tt>security = domain</tt></i>, although it won't do any harm and
allows you to have local users not in the domain. It is expected that the above
required options will change soon when active directory integration will get
better.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899924"></a>Setup your <tt class="filename">/etc/krb5.conf</tt></h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899508"></a>Setup your <tt class="filename">/etc/krb5.conf</tt></h3></div></div><div></div></div><p>
The minimal configuration for <tt class="filename">krb5.conf</tt> is:
</p><pre class="programlisting">
[realms]
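Review bot: capitalisation is only partly normalised in this hunk: the intro now reads "Kerberos", but a few lines further down it still has "In case samba can't figure out your ads server", while other hunks in this commit change "samba" to "Samba". Suggest "Samba" and "ADS server" there, and "Windows 2000" for "Windows2000" in the intro. The empty `<p>` / `</p>` pair left in front of the Note box could go as well.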
@ -429,7 +429,7 @@ Test your config by doing a <b class="userinput"><tt>kinit
making sure that your password is accepted by the Win2000 KDC.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The realm must be uppercase or you will get <span class="errorname">Cannot find KDC for
requested realm while getting initial credentials</span> error
requested realm while getting initial credentials</span> error.
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Time between the two servers must be synchronized. You will get a
<span class="errorname">kinit(v5): Clock skew too great while getting initial credentials</span>
@ -437,70 +437,70 @@ if the time difference is more than five minutes.
</p></div><p>
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
must either be the NetBIOS name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the NetBIOS name
followed by the realm.
</p><p>
The easiest way to ensure you get this right is to add a
<tt class="filename">/etc/hosts</tt> entry mapping the IP address of your KDC to
its netbios name. If you don't get this right then you will get a
its NetBIOS name. If you don't get this right then you will get a
<span class="errorname">local error</span> when you try to join the realm.
</p><p>
If all you want is kerberos support in <span class="application">smbclient</span> then you can skip
If all you want is Kerberos support in <span class="application">smbclient</span> then you can skip
straight to <a href="domain-member.html#ads-test-smbclient" title="Testing with smbclient">Test with <span class="application">smbclient</span></a> now.
<a href="domain-member.html#ads-create-machine-account" title="Create the computer account">Creating a computer account</a>
and <a href="domain-member.html#ads-test-server" title="Test your server setup">testing your servers</a>
is only needed if you want kerberos support for <span class="application">smbd</span> and <span class="application">winbindd</span>.
</p></div><div xmlns:ns10="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the computer account</h3></div></div><div></div></div><ns10:p>
is only needed if you want Kerberos support for <span class="application">smbd</span> and <span class="application">winbindd</span>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the computer account</h3></div></div><div></div></div><p>
As a user that has write permission on the Samba private directory
(usually root) run:
</ns10:p><pre class="programlisting">
<b class="userinput"><tt>net join -U Administrator%password</tt></b>
</pre><ns10:p>
</ns10:p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2900115"></a>Possible errors</h4></div></div><div></div></div><ns10:p>
</ns10:p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p>Samba must be reconfigured (remove config.cache) and recompiled
(make clean all install) after the kerberos libs and headers are installed.
</p><pre class="programlisting">
<tt class="prompt">root# </tt><b class="userinput"><tt>net join -U Administrator%password</tt></b>
</pre><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2899718"></a>Possible errors</h4></div></div><div></div></div><p>
</p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p>Samba must be reconfigured (remove config.cache) and recompiled
(make clean all install) after the Kerberos libs and headers are installed.
</p></dd><dt><span class="term"><span class="errorname">net join prompts for user name</span></span></dt><dd><p>You need to login to the domain using <b class="userinput"><tt>kinit
<i class="replaceable"><tt>USERNAME</tt></i>@<i class="replaceable"><tt>REALM</tt></i></tt></b>.
<i class="replaceable"><tt>USERNAME</tt></i> must be a user who has rights to add a machine
to the domain. </p></dd></dl></div><ns10:p>
</ns10:p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Test your server setup</h3></div></div><div></div></div><p>
to the domain. </p></dd></dl></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Test your server setup</h3></div></div><div></div></div><p>
If the join was successful, you will see a new computer account with the
NetBIOS name of your Samba server in Active Directory (in the &quot;Computers&quot;
folder under Users and Computers.
</p><p>
On a Windows 2000 client try <b class="userinput"><tt>net use * \\server\share</tt></b>. You should
be logged in with kerberos without needing to know a password. If
be logged in with Kerberos without needing to know a password. If
this fails then run <b class="userinput"><tt>klist tickets</tt></b>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ?
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-smbclient"></a>Testing with <span class="application">smbclient</span></h3></div></div><div></div></div><p>
On your Samba server try to login to a Win2000 server or your Samba
server using <span class="application">smbclient</span> and kerberos. Use <span class="application">smbclient</span> as usual, but
specify the <i class="parameter"><tt>-k</tt></i> option to choose kerberos authentication.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900266"></a>Notes</h3></div></div><div></div></div><p>
server using <span class="application">smbclient</span> and Kerberos. Use <span class="application">smbclient</span> as usual, but
specify the <i class="parameter"><tt>-k</tt></i> option to choose Kerberos authentication.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899872"></a>Notes</h3></div></div><div></div></div><p>
You must change administrator password at least once after DC
install, to create the right encoding types
</p><p>
W2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2900288"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2899892"></a>Common Errors</h2></div></div><div></div></div><p>
In the process of adding / deleting / re-adding domain member machine accounts there are
many traps for the unwary player and there are many &quot;little&quot; things that can go wrong.
many traps for the unwary player and there are many &#8220;<span class="quote">little</span>&#8221; things that can go wrong.
It is particularly interesting how often subscribers on the samba mailing list have concluded
after repeated failed attempts to add a machine account that it is necessary to &quot;re-install&quot;
MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type
of problem. The real solution is often very simple, and with understanding of how MS Windows
networking functions. easily overcome.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900310"></a>Can Not Add Machine Back to Domain</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899919"></a>Can Not Add Machine Back to Domain</h3></div></div><div></div></div><p>
<span class="emphasis"><em>Problem:</em></span> A Windows workstation was reinstalled. The original domain machine
account was deleted and added immediately. The workstation will not join the domain if I use
the same machine name. Attempts to add the machine fail with a message that the machine already
exists on the network - I know it doen't. Why is this failing?
exists on the network - I know it doesn't. Why is this failing?
</p><p>
The original name is still in the NetBIOS name cache and must expire after machine account
deletion BEFORE adding that same name as a domain member again. The best advice is to delete
the old account and then to add the machine with a new name.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900342"></a>Adding Machine to Domain Fails</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2899951"></a>Adding Machine to Domain Fails</h3></div></div><div></div></div><p>
Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
message that, <span class="errorname">The machine could not be added at this time, there is a network problem.
Please try again later.</span> Why?
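Review bot: the Common Errors paragraph in this hunk still reads "MS Windows on t he machine" and "networking functions. easily overcome." on the unchanged lines directly after the quote-markup change, and "re-install" keeps the plain &quot; form while "little" was switched to the span.quote form. This hunk already corrects "doen't" and the Kerberos capitalisation, so fix these in the same pass (in the source the HTML is generated from) so the paragraph is consistent.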

View File

@ -1,482 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Samba as a NT4 domain member</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Type of installation"
HREF="type.html"><LINK
REL="PREVIOUS"
TITLE="Samba as a ADS domain member"
HREF="ads.html"><LINK
REL="NEXT"
TITLE="Optional configuration"
HREF="optional.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="ads.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="optional.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="DOMAIN-SECURITY">Chapter 9. Samba as a NT4 domain member</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1273">9.1. Joining an NT Domain with Samba 2.2</H1
><P
>Assume you have a Samba 2.x server with a NetBIOS name of
<TT
CLASS="CONSTANT"
>SERV1</TT
> and are joining an NT domain called
<TT
CLASS="CONSTANT"
>DOM</TT
>, which has a PDC with a NetBIOS name
of <TT
CLASS="CONSTANT"
>DOMPDC</TT
> and two backup domain controllers
with NetBIOS names <TT
CLASS="CONSTANT"
>DOMBDC1</TT
> and <TT
CLASS="CONSTANT"
>DOMBDC2
</TT
>.</P
><P
>In order to join the domain, first stop all Samba daemons
and run the command:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
><TT
CLASS="USERINPUT"
><B
>smbpasswd -j DOM -r DOMPDC
-U<TT
CLASS="REPLACEABLE"
><I
>Administrator%password</I
></TT
></B
></TT
></P
><P
>as we are joining the domain DOM and the PDC for that domain
(the only machine that has write access to the domain SAM database)
is DOMPDC. The <TT
CLASS="REPLACEABLE"
><I
>Administrator%password</I
></TT
> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:</P
><P
><TT
CLASS="COMPUTEROUTPUT"
>smbpasswd: Joined domain DOM.</TT
>
</P
><P
>in your terminal window. See the <A
HREF="smbpasswd.8.html"
TARGET="_top"
> smbpasswd(8)</A
> man page for more details.</P
><P
>There is existing development code to join a domain
without having to create the machine trust account on the PDC
beforehand. This code will hopefully be available soon
in release branches as well.</P
><P
>This command goes through the machine account password
change protocol, then writes the new (random) machine account
password for this Samba server into a file in the same directory
in which an smbpasswd file would be stored - normally :</P
><P
><TT
CLASS="FILENAME"
>/usr/local/samba/private</TT
></P
><P
>In Samba 2.0.x, the filename looks like this:</P
><P
><TT
CLASS="FILENAME"
><TT
CLASS="REPLACEABLE"
><I
>&lt;NT DOMAIN NAME&gt;</I
></TT
>.<TT
CLASS="REPLACEABLE"
><I
>&lt;Samba
Server Name&gt;</I
></TT
>.mac</TT
></P
><P
>The <TT
CLASS="FILENAME"
>.mac</TT
> suffix stands for machine account
password file. So in our example above, the file would be called:</P
><P
><TT
CLASS="FILENAME"
>DOM.SERV1.mac</TT
></P
><P
>In Samba 2.2, this file has been replaced with a TDB
(Trivial Database) file named <TT
CLASS="FILENAME"
>secrets.tdb</TT
>.
</P
><P
>This file is created and owned by root and is not
readable by any other user. It is the key to the domain-level
security for your system, and should be treated as carefully
as a shadow password file.</P
><P
>Now, before restarting the Samba daemons you must
edit your <A
HREF="smb.conf.5.html"
TARGET="_top"
><TT
CLASS="FILENAME"
>smb.conf(5)</TT
>
</A
> file to tell Samba it should now use domain security.</P
><P
>Change (or add) your <A
HREF="smb.conf.5.html#SECURITY"
TARGET="_top"
> <TT
CLASS="PARAMETER"
><I
>security =</I
></TT
></A
> line in the [global] section
of your smb.conf to read:</P
><P
><B
CLASS="COMMAND"
>security = domain</B
></P
><P
>Next change the <A
HREF="smb.conf.5.html#WORKGROUP"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
> workgroup =</I
></TT
></A
> line in the [global] section to read: </P
><P
><B
CLASS="COMMAND"
>workgroup = DOM</B
></P
><P
>as this is the name of the domain we are joining. </P
><P
>You must also have the parameter <A
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
TARGET="_top"
> <TT
CLASS="PARAMETER"
><I
>encrypt passwords</I
></TT
></A
> set to <TT
CLASS="CONSTANT"
>yes
</TT
> in order for your users to authenticate to the NT PDC.</P
><P
>Finally, add (or modify) a <A
HREF="smb.conf.5.html#PASSWORDSERVER"
TARGET="_top"
> <TT
CLASS="PARAMETER"
><I
>password server =</I
></TT
></A
> line in the [global]
section to read: </P
><P
><B
CLASS="COMMAND"
>password server = DOMPDC DOMBDC1 DOMBDC2</B
></P
><P
>These are the primary and backup domain controllers Samba
will attempt to contact in order to authenticate users. Samba will
try to contact each of these servers in order, so you may want to
rearrange this list in order to spread out the authentication load
among domain controllers.</P
><P
>Alternatively, if you want smbd to automatically determine
the list of Domain controllers to use for authentication, you may
set this line to be :</P
><P
><B
CLASS="COMMAND"
>password server = *</B
></P
><P
>This method, which was introduced in Samba 2.0.6,
allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.</P
><P
>Finally, restart your Samba daemons and get ready for
clients to begin using domain security!</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1337">9.2. Samba and Windows 2000 Domains</H1
><P
>Many people have asked regarding the state of Samba's ability to participate in
a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows
2000 domain operating in mixed or native mode.</P
><P
>There is much confusion between the circumstances that require a "mixed" mode
Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
Win2k domain controller is only needed if Windows NT BDCs must exist in the same
domain. By default, a Win2k DC in "native" mode will still support
NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
><P
>The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
Computers" MMC (Microsoft Management Console) plugin.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1342">9.3. Why is this better than security = server?</H1
><P
>Currently, domain security in Samba doesn't free you from
having to create local Unix users to represent the users attaching
to your server. This means that if domain user <TT
CLASS="CONSTANT"
>DOM\fred
</TT
> attaches to your domain security Samba server, there needs
to be a local Unix user fred to represent that user in the Unix
filesystem. This is very similar to the older Samba security mode
<A
HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
TARGET="_top"
>security = server</A
>,
where Samba would pass through the authentication request to a Windows
NT server in the same way as a Windows 95 or Windows 98 server would.
</P
><P
>Please refer to the <A
HREF="winbind.html"
TARGET="_top"
>Winbind
paper</A
> for information on a system to automatically
assign UNIX uids and gids to Windows NT Domain users and groups.
This code is available in development branches only at the moment,
but will be moved to release branches soon.</P
><P
>The advantage to domain-level security is that the
authentication in domain-level security is passed down the authenticated
RPC channel in exactly the same way that an NT server would do it. This
means Samba servers now participate in domain trust relationships in
exactly the same way NT servers do (i.e., you can add Samba servers into
a resource domain and have the authentication passed on from a resource
domain PDC to an account domain PDC.</P
><P
>In addition, with <B
CLASS="COMMAND"
>security = server</B
> every Samba
daemon on a server has to keep a connection open to the
authenticating server for as long as that daemon lasts. This can drain
the connection resources on a Microsoft NT server and cause it to run
out of available connections. With <B
CLASS="COMMAND"
>security = domain</B
>,
however, the Samba daemons connect to the PDC/BDC only for as long
as is necessary to authenticate the user, and then drop the connection,
thus conserving PDC connection resources.</P
><P
>And finally, acting in the same manner as an NT server
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
as the user SID, the list of NT groups the user belongs to, etc. All
this information will allow Samba to be extended in the future into
a mode the developers currently call appliance mode. In this mode,
no local Unix users will be necessary, and Samba will generate Unix
uids and gids from the information passed back from the PDC when a
user is authenticated, making a Samba server truly plug and play
in an NT domain environment. Watch for this code soon.</P
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>NOTE:</I
></SPAN
> Much of the text of this document
was first published in the Web magazine <A
HREF="http://www.linuxworld.com"
TARGET="_top"
>
LinuxWorld</A
> as the article <A
HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
TARGET="_top"
>Doing
the NIS/NT Samba</A
>.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="ads.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Samba as a ADS domain member</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Optional configuration</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
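Review bot: deleting this chapter outright (-1,482 +0,0) removes the statement that secrets.tdb is created and owned by root, is unreadable by other users, and "should be treated as carefully as a shadow password file", and the commit message ("regenerate docs") does not say where the domain-member text now lives. Please confirm the replacement page keeps that warning. If the join example is carried over, reconsider "smbpasswd -j DOM -r DOMPDC -UAdministrator%password": it places the administrator password on the command line, where it ends up in shell history and the process list.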

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and Unix Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and Unix Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Mapping MS Windows and Unix Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2916109">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2916209">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2916398">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2916463">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2916477">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2916544">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2916618">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2916633">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2916694">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and Unix Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and Unix Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Mapping MS Windows and Unix Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2921449">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2921551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2921742">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2921806">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2921820">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2921889">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2921981">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2921997">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2922057">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></div><p>
Starting with Samba-3, new group mapping functionality is available to create associations
between Windows group SIDs and UNIX groups. The <i class="parameter"><tt>groupmap</tt></i> subcommand
included with the <span class="application">net</span> tool can be used to manage these associations.
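Review bot: every generated anchor in the table of contents changes in this hunk (id2916109 becomes id2921449, id2916209 becomes id2921551, and so on) although the headings themselves are unchanged, so any link to groupmapping.html#id... breaks on each regeneration. Give the sections explicit ids in the source, as the chapter anchor "groupmapping" already has, so the generated names stay stable and later diffs show only real content changes.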
@ -9,12 +8,12 @@
be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership
in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations
(in default configurations).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916109"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921449"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
arbitrarily associate them with Unix/Linux group accounts.
</p><p>
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
so long as appropriate interface scripts have been provided to <tt class="filename">smb.conf</tt>
so long as appropriate interface scripts have been provided to <tt class="filename">smb.conf</tt>.
</p><p>
Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make
direct calls to the Unix/Linux system tools (eg: the shadow utilities, <b class="command">groupadd</b>,
@ -27,43 +26,43 @@
There are several possible work-arounds for the operating system tools limitation. One
method is to use a script that generates a name for the Unix/Linux system group that
fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
back to the calling samba interface. This will provide a dynamic work-around solution.
back to the calling Samba interface. This will provide a dynamic work-around solution.
</p><p>
Another work-around is to manually create a Unix/Linux group, then manually create the
MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b>
tool to connect the two to each other.
</p></div><div xmlns:ns26="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916209"></a>Discussion</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921551"></a>Discussion</h2></div></div><div></div></div><p>
When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation
program creates default users and groups. Notably the <tt class="constant">Administrators</tt> group,
and gives to that group privileges necessary privilidges to perform essential system tasks.
eg: Ability to change the date and time or to kill any process (or close too) running on the
program creates default users and groups, notably the <tt class="constant">Administrators</tt> group,
and gives that group privileges necessary privileges to perform essential system tasks.
eg: Ability to change the date and time or to kill (or close) any process running on the
local machine.
</p><p>
The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
'Administrators' group privileges. If a 'joe' user is created to be a member of the
'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
</p><p>
When an MS Windows NT4 / W200x is made a domain member, the &quot;Domain Adminis&quot; group of the
When an MS Windows NT4 / W200x is made a domain member, the &quot;Domain Admins&quot; group of the
PDC is added to the local 'Administrators' group of the workstation. Every member of the
'Domain Administrators' group inherits the rights of the local 'Administrators' group when
logging on the workstation.
</p><p>
The following steps describe how to make samba PDC users members of the 'Domain Admins' group?
The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
</p><div class="orderedlist"><ol type="1"><li><p>
create a unix group (usually in <tt class="filename">/etc/group</tt>), let's call it domadm
</p></li><li xmlns:ns24=""><p>add to this group the users that must be Administrators. For example
if you want joe,john and mary, your entry in <tt class="filename">/etc/group</tt> will
</p></li><li><p>add to this group the users that must be Administrators. For example
if you want joe, john and mary, your entry in <tt class="filename">/etc/group</tt> will
look like:
</p><pre class="programlisting">
domadm:x:502:joe,john,mary
</pre><ns24:p>
</ns24:p></li><li xmlns:ns25=""><p>
</pre><p>
</p></li><li><p>
Map this domadm group to the &quot;Domain Admins&quot; group by running the command:
</p><ns25:p>
</ns25:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup=&quot;Domain Admins&quot; unixgroup=domadm</tt></b>
</pre><ns25:p>
</ns25:p><p>
</pre><p>
</p><p>
The quotes around &quot;Domain Admins&quot; are necessary due to the space in the group name.
Also make sure to leave no whitespace surrounding the equal character (=).
</p></li></ol></div><p>
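Review bot: the reworded sentence in Discussion now reads "and gives that group privileges necessary privileges to perform essential system tasks", which duplicates "privileges"; it should be "gives that group the privileges necessary to perform". In the same hunk, "The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?" is a statement ending in a question mark, and the text alternates between 'Domain Admins' and 'Domain Administrators', and between the 'Administrators' and 'Administrator' group, for what the surrounding sentences treat as the same groups. Since these names decide who gets local administrator rights, use one spelling for each throughout.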
@ -73,36 +72,36 @@
making any UNIX group a Windows domain group. For example, if you wanted to include a
UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine,
you would flag that group as a domain group by running the following on the Samba PDC:
</p><ns26:p>
</ns26:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup=&quot;Accounting&quot; unixgroup=acct</tt></b>
</pre><ns26:p>
</ns26:p><p>
Be aware that the RID parmeter is a unsigned 32 bit integer that should
</pre><p>
</p><p>
Be aware that the RID parameter is a unsigned 32 bit integer that should
normally start at 1000. However, this rid must not overlap with any RID assigned
to a user. Verifying this is done differently depending on on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
but for now the burden is on you.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916398"></a>Example Configuration</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921742"></a>Example Configuration</h3></div></div><div></div></div><p>
You can list the various groups in the mapping database by executing
<b class="command">net groupmap list</b>. Here is an example:
</p><ns26:p>
</ns26:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b>
System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -&gt; sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -&gt; domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -&gt; domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -&gt; domguest
</pre><ns26:p>
</ns26:p><p>
</pre><p>
</p><p>
For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916463"></a>Configuration Scripts</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921806"></a>Configuration Scripts</h2></div></div><div></div></div><p>
Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
(ie: prepared by someone else for general use).
</p><div xmlns:ns27="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916477"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p>
A script to great complying group names for use by the samba group interfaces:
</p><ns27:p>
</ns27:p><div class="example"><a name="id2916499"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921820"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p>
A script to great complying group names for use by the Samba group interfaces:
</p><p>
</p><div class="example"><a name="id2921843"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
#!/bin/bash
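Review bot: typos survive on lines this hunk touches: "A script to great complying group names" should read "create", "depending on on the passdb backend" has a doubled "on", and "a unsigned 32 bit integer" wants "an". The RID paragraph also states that the RID must not overlap with a user RID and that "the burden is on you", but gives no hint of how to check for each passdb backend; a sentence or cross-reference there would keep readers from assigning rid=1000 blindly from the example.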
@ -112,22 +111,23 @@ groupadd smbtmpgrp00
thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d &quot;:&quot; -f3`
# Now change the name to what we want for the MS Windows networking end
cat /etc/group | sed s/smbtmpgrp00/$1/g &gt; /etc/group
cp /etc/group /etc/group.bak
cat /etc/group.bak | sed s/smbtmpgrp00/$1/g &gt; /etc/group
# Now return the GID as would normally happen.
echo $thegid
exit 0
</pre></div><ns27:p>
</ns27:p><ns27:p>
</pre></div><p>
</p><p>
The <tt class="filename">smb.conf</tt> entry for the above script would look like:
</ns27:p><pre class="programlisting">
</p><pre class="programlisting">
add group script = /path_to_tool/smbgrpadd.sh %g
</pre><ns27:p>
</ns27:p></div><div xmlns:ns28="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916544"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921889"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p>
In our example we have created a Unix/Linux group called <i class="parameter"><tt>ntadmin</tt></i>.
Our script will create the additional groups <i class="parameter"><tt>Engineers, Marketoids, Gnomes</tt></i>:
</p><ns28:p>
</ns28:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
#!/bin/bash
net groupmap modify ntgroup=&quot;Domain Admins&quot; unixgroup=ntadmin
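Review bot: the replacement line "cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group" still expands $1 unquoted inside the sed expression, and $1 is the %g value passed in by "add group script = /path_to_tool/smbgrpadd.sh %g". A group name containing a space or a slash (the Common Errors section further down names a space in the group name as the usual failure) splits or corrupts the sed command at the moment /etc/group is being rewritten. Quote the expression, reject names outside an allowed character set before using them, and write the result to a temporary file that is renamed into place instead of redirecting onto /etc/group: copying to /etc/group.bak avoids the old read-and-truncate of the same file, but the redirect still leaves a window in which /etc/group is empty or partial, and nothing checks that sed succeeded before "exit 0". The GID lookup "grep smbtmpgrp00" is also unanchored and will return more than one line if another entry contains that string.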
@ -150,21 +150,21 @@ net groupmap modify ntgroup=&quot;Power Users&quot; unixgroup=sys
#net groupmap add ntgroup=&quot;Engineers&quot; unixgroup=Engineers type=d
#net groupmap add ntgroup=&quot;Marketoids&quot; unixgroup=Marketoids type=d
#net groupmap add ntgroup=&quot;Gnomes&quot; unixgroup=Gnomes type=d
</pre><ns28:p>
</ns28:p><p>
Of course it is expected that the admininstrator will modify this to suit local needs.
</pre><p>
</p><p>
Of course it is expected that the administrator will modify this to suit local needs.
For information regarding the use of the <b class="command">net groupmap</b> tool please
refer to the man page.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916618"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921981"></a>Common Errors</h2></div></div><div></div></div><p>
At this time there are many little surprises for the unwary administrator. In a real sense
it is imperative that every step of automated control scripts must be carefully tested
manually before putting them into active service.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916633"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921997"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
This is a common problem when the <b class="command">groupadd</b> is called directly
by the samba interface script for the <i class="parameter"><tt>add group script</tt></i> in
by the Samba interface script for the <i class="parameter"><tt>add group script</tt></i> in
the <tt class="filename">smb.conf</tt> file.
</p><p>
The most common cause of failure is an attempt to add an MS Windows group acocunt
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
</p><p>
There are three possible work-arounds. Firstly, use only group names that comply
@ -173,6 +173,6 @@ manually before putting them into active service.
third option is to manually create a Unix/Linux group account that can substitute
for the MS Windows group name, then use the procedure listed above to map that group
to the MS Windows group.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916694"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922057"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><p>
Samba-3 does NOT support nested groups from the MS Windows control environment.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html>
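Review bot: the only change to the "Adding MS Windows Groups to MS Windows Groups Fails" section is its generated anchor, id2916694 becoming id2922057, so links to the old fragment break each time the docs are regenerated. Giving the section an explicit id in the DocBook source would make the stylesheet emit a stable anchor name. The section body is also a single sentence ("Samba-3 does NOT support nested groups from the MS Windows control environment.") with no symptom or work-around, unlike the "Adding Groups Fails" entry above it.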

View File

@ -1,830 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Improved browsing in samba</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="General installation"
HREF="introduction.html"><LINK
REL="PREVIOUS"
TITLE="How to Install and Test SAMBA"
HREF="install.html"><LINK
REL="NEXT"
TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
HREF="browsing-quick.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="install.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="browsing-quick.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="IMPROVED-BROWSING">Chapter 2. Improved browsing in samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN229">2.1. Overview of browsing</H1
><P
>SMB networking provides a mechanism by which clients can access a list
of machines in a network, a so-called "browse list". This list
contains machines that are ready to offer file and/or print services
to other machines within the network. Thus it does not include
machines which aren't currently able to do server tasks. The browse
list is heavily used by all SMB clients. Configuration of SMB
browsing has been problematic for some Samba users, hence this
document.</P
><P
>Browsing will NOT work if name resolution from NetBIOS names to IP
addresses does not function correctly. Use of a WINS server is highly
recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
WINS allows remote segment clients to obtain NetBIOS name_type information
that can NOT be provided by any other means of name resolution.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN233">2.2. Browsing support in samba</H1
><P
>Samba now fully supports browsing. The browsing is supported by nmbd
and is also controlled by options in the smb.conf file (see smb.conf(5)).</P
><P
>Samba can act as a local browse master for a workgroup and the ability
for samba to support domain logons and scripts is now available. See
DOMAIN.txt for more information on domain logons.</P
><P
>Samba can also act as a domain master browser for a workgroup. This
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
both samba and your clients use a WINS server.</P
><P
>Note that you should NOT set Samba to be the domain master for a
workgroup that has the same name as an NT Domain: on each wide area
network, you must only ever have one domain master browser per workgroup,
regardless of whether it is NT, Samba or any other type of domain master
that is providing this service.</P
><P
>[Note that nmbd can be configured as a WINS server, but it is not
necessary to specifically use samba as your WINS server. NTAS can
be configured as your WINS server. In a mixed NT server and
samba environment on a Wide Area Network, it is recommended that
you use the NT server's WINS server capabilities. In a samba-only
environment, it is recommended that you use one and only one nmbd
as your WINS server].</P
><P
>To get browsing to work you need to run nmbd as usual, but will need
to use the "workgroup" option in smb.conf to control what workgroup
Samba becomes a part of.</P
><P
>Samba also has a useful option for a Samba server to offer itself for
browsing on another subnet. It is recommended that this option is only
used for 'unusual' purposes: announcements over the internet, for
example. See "remote announce" in the smb.conf man page. </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN242">2.3. Problem resolution</H1
><P
>If something doesn't work then hopefully the log.nmb file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called browse.dat.</P
><P
>Note that if it doesn't work for you, then you should still be able to
type the server name as \\SERVER in filemanager then hit enter and
filemanager should display the list of available shares.</P
><P
>Some people find browsing fails because they don't have the global
"guest account" set to a valid account. Remember that the IPC$
connection that lists the shares is done as guest, and thus you must
have a valid guest account.</P
><P
>Also, a lot of people are getting bitten by the problem of too many
parameters on the command line of nmbd in inetd.conf. This trick is to
not use spaces between the option and the parameter (eg: -d2 instead
of -d 2), and to not use the -B and -N options. New versions of nmbd
are now far more likely to correctly find your broadcast and network
address, so in most cases these aren't needed.</P
><P
>The other big problem people have is that their broadcast address,
netmask or IP address is wrong (specified with the "interfaces" option
in smb.conf)</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN249">2.4. Browsing across subnets</H1
><P
>With the release of Samba 1.9.17(alpha1 and above) Samba has been
updated to enable it to support the replication of browse lists
across subnet boundaries. New code and options have been added to
achieve this. This section describes how to set this feature up
in different settings.</P
><P
>To see browse lists that span TCP/IP subnets (ie. networks separated
by routers that don't pass broadcast traffic) you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
port 137 to the WINS server machine. The reason for a WINS server is
that by default, all NetBIOS name to IP address translation is done
by broadcasts from the querying machine. This means that machines
on one subnet will not be able to resolve the names of machines on
another subnet without using a WINS server.</P
><P
>Remember, for browsing across subnets to work correctly, all machines,
be they Windows 95, Windows NT, or Samba servers must have the IP address
of a WINS server given to them by a DHCP server, or by manual configuration
(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
settings) for Samba this is in the smb.conf file.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN254">2.4.1. How does cross subnet browsing work ?</H2
><P
>Cross subnet browsing is a complicated dance, containing multiple
moving parts. It has taken Microsoft several years to get the code
that achieves this correct, and Samba lags behind in some areas.
However, with the 1.9.17 release, Samba is capable of cross subnet
browsing when configured correctly.</P
><P
>Consider a network set up as follows :</P
><P
><PRE
CLASS="PROGRAMLISTING"
> (DMB)
N1_A N1_B N1_C N1_D N1_E
| | | | |
-------------------------------------------------------
| subnet 1 |
+---+ +---+
|R1 | Router 1 Router 2 |R2 |
+---+ +---+
| |
| subnet 2 subnet 3 |
-------------------------- ------------------------------------
| | | | | | | |
N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
(WINS)</PRE
></P
><P
>Consisting of 3 subnets (1, 2, 3) connected by two routers
(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
for the moment that all these machines are configured to be in the
same workgroup (for simplicities sake). Machine N1_C on subnet 1
is configured as Domain Master Browser (ie. it will collate the
browse lists for the workgroup). Machine N2_D is configured as
WINS server and all the other machines are configured to register
their NetBIOS names with it.</P
><P
>As all these machines are booted up, elections for master browsers
will take place on each of the three subnets. Assume that machine
N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
subnet 3 - these machines are known as local master browsers for
their particular subnet. N1_C has an advantage in winning as the
local master browser on subnet 1 as it is set up as Domain Master
Browser.</P
><P
>On each of the three networks, machines that are configured to
offer sharing services will broadcast that they are offering
these services. The local master browser on each subnet will
receive these broadcasts and keep a record of the fact that
the machine is offering a service. This list of records is
the basis of the browse list. For this case, assume that
all the machines are configured to offer services so all machines
will be on the browse list.</P
><P
>For each network, the local master browser on that network is
considered 'authoritative' for all the names it receives via
local broadcast. This is because a machine seen by the local
master browser via a local broadcast must be on the same
network as the local master browser and thus is a 'trusted'
and 'verifiable' resource. Machines on other networks that
the local master browsers learn about when collating their
browse lists have not been directly seen - these records are
called 'non-authoritative'.</P
><P
>At this point the browse lists look as follows (these are
the machines you would see in your network neighborhood if
you looked in it on a particular network right now).</P
><P
><PRE
CLASS="PROGRAMLISTING"
>Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D</PRE
></P
><P
>Note that at this point all the subnets are separate, no
machine is seen across any of the subnets.</P
><P
>Now examine subnet 2. As soon as N2_B has become the local
master browser it looks for a Domain master browser to synchronize
its browse list with. It does this by querying the WINS server
(N2_D) for the IP address associated with the NetBIOS name
WORKGROUP&gt;1B&lt;. This name was registerd by the Domain master
browser (N1_C) with the WINS server as soon as it was booted.</P
><P
>Once N2_B knows the address of the Domain master browser it
tells it that is the local master browser for subnet 2 by
sending a MasterAnnouncement packet as a UDP port 138 packet.
It then synchronizes with it by doing a NetServerEnum2 call. This
tells the Domain Master Browser to send it all the server
names it knows about. Once the domain master browser receives
the MasterAnnouncement packet it schedules a synchronization
request to the sender of that packet. After both synchronizations
are done the browse lists look like :</P
><P
><PRE
CLASS="PROGRAMLISTING"
>Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
N2_A(*), N2_B(*), N2_C(*), N2_D(*)
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
Servers with a (*) after them are non-authoritative names.</PRE
></P
><P
>At this point users looking in their network neighborhood on
subnets 1 or 2 will see all the servers on both, users on
subnet 3 will still only see the servers on their own subnet.</P
><P
>The same sequence of events that occured for N2_B now occurs
for the local master browser on subnet 3 (N3_D). When it
synchronizes browse lists with the domain master browser (N1_A)
it gets both the server entries on subnet 1, and those on
subnet 2. After N3_D has synchronized with N1_C and vica-versa
the browse lists look like.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
N2_A(*), N2_B(*), N2_C(*), N2_D(*),
N3_A(*), N3_B(*), N3_C(*), N3_D(*)
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
N2_A(*), N2_B(*), N2_C(*), N2_D(*)
Servers with a (*) after them are non-authoritative names.</PRE
></P
><P
>At this point users looking in their network neighborhood on
subnets 1 or 3 will see all the servers on all sunbets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.</P
><P
>Finally, the local master browser for subnet 2 (N2_B) will sync again
with the domain master browser (N1_C) and will recieve the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :</P
><P
><PRE
CLASS="PROGRAMLISTING"
>Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
N2_A(*), N2_B(*), N2_C(*), N2_D(*),
N3_A(*), N3_B(*), N3_C(*), N3_D(*)
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
N3_A(*), N3_B(*), N3_C(*), N3_D(*)
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
N2_A(*), N2_B(*), N2_C(*), N2_D(*)
Servers with a (*) after them are non-authoritative names.</PRE
></P
><P
>Synchronizations between the domain master browser and local
master browsers will continue to occur, but this should be a
steady state situation.</P
><P
>If either router R1 or R2 fails the following will occur:</P
><P
></P
><OL
TYPE="1"
><LI
><P
> Names of computers on each side of the inaccessible network fragments
will be maintained for as long as 36 minutes, in the network neighbourhood
lists.
</P
></LI
><LI
><P
> Attempts to connect to these inaccessible computers will fail, but the
names will not be removed from the network neighbourhood lists.
</P
></LI
><LI
><P
> If one of the fragments is cut off from the WINS server, it will only
be able to access servers on its local subnet, by using subnet-isolated
broadcast NetBIOS name resolution. The effects are similar to that of
losing access to a DNS server.
</P
></LI
></OL
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN289">2.5. Setting up a WINS server</H1
><P
>Either a Samba machine or a Windows NT Server machine may be set up
as a WINS server. To set a Samba machine to be a WINS server you must
add the following option to the smb.conf file on the selected machine :
in the [globals] section add the line </P
><P
><B
CLASS="COMMAND"
> wins support = yes</B
></P
><P
>Versions of Samba previous to 1.9.17 had this parameter default to
yes. If you have any older versions of Samba on your network it is
strongly suggested you upgrade to 1.9.17 or above, or at the very
least set the parameter to 'no' on all these machines.</P
><P
>Machines with "<B
CLASS="COMMAND"
>wins support = yes</B
>" will keep a list of
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P
><P
>You should set up only ONE wins server. Do NOT set the
"<B
CLASS="COMMAND"
>wins support = yes</B
>" option on more than one Samba
server.</P
><P
>To set up a Windows NT Server as a WINS server you need to set up
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
refuse to document these replication protocols Samba cannot currently
participate in these replications. It is possible in the future that
a Samba-&#62;Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
but currently only one Samba server should have the "wins support = yes"
parameter set.</P
><P
>After the WINS server has been configured you must ensure that all
machines participating on the network are configured with the address
of this WINS server. If your WINS server is a Samba machine, fill in
the Samba machine IP address in the "Primary WINS Server" field of
the "Control Panel-&#62;Network-&#62;Protocols-&#62;TCP-&#62;WINS Server" dialogs
in Windows 95 or Windows NT. To tell a Samba server the IP address
of the WINS server add the following line to the [global] section of
all smb.conf files :</P
><P
><B
CLASS="COMMAND"
>wins server = &gt;name or IP address&lt;</B
></P
><P
>where &gt;name or IP address&lt; is either the DNS name of the WINS server
machine or its IP address.</P
><P
>Note that this line MUST NOT BE SET in the smb.conf file of the Samba
server acting as the WINS server itself. If you set both the
"<B
CLASS="COMMAND"
>wins support = yes</B
>" option and the
"<B
CLASS="COMMAND"
>wins server = &gt;name&lt;</B
>" option then
nmbd will fail to start.</P
><P
>There are two possible scenarios for setting up cross subnet browsing.
The first details setting up cross subnet browsing on a network containing
Windows 95, Samba and Windows NT machines that are not configured as
part of a Windows NT Domain. The second details setting up cross subnet
browsing on networks that contain NT Domains.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN308">2.6. Setting up Browsing in a WORKGROUP</H1
><P
>To set up cross subnet browsing on a network containing machines
in up to be in a WORKGROUP, not an NT Domain you need to set up one
Samba server to be the Domain Master Browser (note that this is *NOT*
the same as a Primary Domain Controller, although in an NT Domain the
same machine plays both roles). The role of a Domain master browser is
to collate the browse lists from local master browsers on all the
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
subnet. It is the presense of a domain master browser that makes
cross subnet browsing possible for a workgroup.</P
><P
>In an WORKGROUP environment the domain master browser must be a
Samba server, and there must only be one domain master browser per
workgroup name. To set up a Samba server as a domain master browser,
set the following option in the [global] section of the smb.conf file :</P
><P
><B
CLASS="COMMAND"
>domain master = yes</B
></P
><P
>The domain master browser should also preferrably be the local master
browser for its own subnet. In order to achieve this set the following
options in the [global] section of the smb.conf file :</P
><P
><PRE
CLASS="PROGRAMLISTING"
> domain master = yes
local master = yes
preferred master = yes
os level = 65</PRE
></P
><P
>The domain master browser may be the same machine as the WINS
server, if you require.</P
><P
>Next, you should ensure that each of the subnets contains a
machine that can act as a local master browser for the
workgroup. Any NT machine should be able to do this, as will
Windows 95 machines (although these tend to get rebooted more
often, so it's not such a good idea to use these). To make a
Samba server a local master browser set the following
options in the [global] section of the smb.conf file :</P
><P
><PRE
CLASS="PROGRAMLISTING"
> domain master = no
local master = yes
preferred master = yes
os level = 65</PRE
></P
><P
>Do not do this for more than one Samba server on each subnet,
or they will war with each other over which is to be the local
master browser.</P
><P
>The "local master" parameter allows Samba to act as a local master
browser. The "preferred master" causes nmbd to force a browser
election on startup and the "os level" parameter sets Samba high
enough so that it should win any browser elections.</P
><P
>If you have an NT machine on the subnet that you wish to
be the local master browser then you can disable Samba from
becoming a local master browser by setting the following
options in the [global] section of the smb.conf file :</P
><P
><PRE
CLASS="PROGRAMLISTING"
> domain master = no
local master = no
preferred master = no
os level = 0</PRE
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN326">2.7. Setting up Browsing in a DOMAIN</H1
><P
>If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a Domain
name is also the Domain master browser for that name, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (DOMAIN&gt;1B&lt;) with WINS instead of the PDC.</P
><P
>For subnets other than the one containing the Windows NT PDC
you may set up Samba servers as local master browsers as
described. To make a Samba server a local master browser set
the following options in the [global] section of the smb.conf
file :</P
><P
><PRE
CLASS="PROGRAMLISTING"
> domain master = no
local master = yes
preferred master = yes
os level = 65</PRE
></P
><P
>If you wish to have a Samba server fight the election with machines
on the same subnet you may set the "os level" parameter to lower
levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section "FORCING SAMBA TO BE THE MASTER"
below.</P
><P
>If you have Windows NT machines that are members of the domain
on all subnets, and you are sure they will always be running then
you can disable Samba from taking part in browser elections and
ever becoming a local master browser by setting following options
in the [global] section of the smb.conf file :</P
><P
><B
CLASS="COMMAND"
> domain master = no
local master = no
preferred master = no
os level = 0</B
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN336">2.8. Forcing samba to be the master</H1
><P
>Who becomes the "master browser" is determined by an election process
using broadcasts. Each election packet contains a number of parameters
which determine what precedence (bias) a host should have in the
election. By default Samba uses a very low precedence and thus loses
elections to just about anyone else.</P
><P
>If you want Samba to win elections then just set the "os level" global
option in smb.conf to a higher number. It defaults to 0. Using 34
would make it win all elections over every other system (except other
samba systems!)</P
><P
>A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A
NTAS domain controller uses level 32.</P
><P
>The maximum os level is 255</P
><P
>If you want samba to force an election on startup, then set the
"preferred master" global option in smb.conf to "yes". Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are windows 95 or NT or
samba) on the same local subnet both set with "preferred master" to
"yes", then periodically and continually they will force an election
in order to become the local master browser.</P
><P
>If you want samba to be a "domain master browser", then it is
recommended that you also set "preferred master" to "yes", because
samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.</P
><P
>It is possible to configure two samba servers to attempt to become
the domain master browser for a domain. The first server that comes
up will be the domain master browser. All other samba servers will
attempt to become the domain master browser every 5 minutes. They
will find that another samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN345">2.9. Making samba the domain master</H1
><P
>The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
make samba act as the domain master by setting "domain master = yes"
in smb.conf. By default it will not be a domain master.</P
><P
>Note that you should NOT set Samba to be the domain master for a
workgroup that has the same name as an NT Domain.</P
><P
>When samba is the domain master and the master browser it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.</P
><P
>If you want samba to be the domain master then I suggest you also set
the "os level" high enough to make sure it wins elections, and set
"preferred master" to "yes", to get samba to force an election on
startup.</P
><P
>Note that all your servers (including samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:</P
><P
></P
><OL
TYPE="1"
><LI
><P
> your local master browsers will be unable to find a domain master
browser, as it will only be looking on the local subnet.
</P
></LI
><LI
><P
> if a client happens to get hold of a domain-wide browse list, and
a user attempts to access a host in that list, it will be unable to
resolve the NetBIOS name of that host.
</P
></LI
></OL
><P
>If, however, both samba and your clients are using a WINS server, then:</P
><P
></P
><OL
TYPE="1"
><LI
><P
> your local master browsers will contact the WINS server and, as long as
samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive samba's ip address
as its domain master browser.
</P
></LI
><LI
><P
> when a client receives a domain-wide browse list, and a user attempts
to access a host in that list, it will contact the WINS server to
resolve the NetBIOS name of that host. as long as that host has
registered its NetBIOS name with the same WINS server, the user will
be able to see that host.
</P
></LI
></OL
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN363">2.10. Note about broadcast addresses</H1
><P
>If your network uses a "0" based broadcast address (for example if it
ends in a 0) then you will strike problems. Windows for Workgroups
does not seem to support a 0's broadcast and you will probably find
that browsing and name lookups won't work.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN366">2.11. Multiple interfaces</H1
><P
>Samba now supports machines with multiple network interfaces. If you
have multiple interfaces then you will need to use the "interfaces"
option in smb.conf to configure them. See smb.conf(5) for details.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="install.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="browsing-quick.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>How to Install and Test SAMBA</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="introduction.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
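Review bot: confirm that the operational rules in this deleted chapter are still published in whatever replaces it. The commit message says only "regenerate docs", yet the 830 removed lines carry guidance an administrator relies on: only one Samba server with "wins support = yes", never "wins support = yes" together with "wins server" (nmbd fails to start), and no Samba domain master for a workgroup that shares its name with an NT Domain. If the text is carried over, several errors visible here should not go with it. Section 2.5 says "[globals]" where every other section says "[global]". The placeholder is written with reversed brackets as "wins server = &gt;name or IP address&lt;", and likewise "WORKGROUP&gt;1B&lt;". The subnet 3 paragraph names the domain master browser as N1_A although the diagram and the rest of the walkthrough use N1_C. The examples set "os level = 65" while section 2.8 says 34 already wins every election against non-Samba systems.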

File diff suppressed because one or more lines are too long

View File

@ -1,7 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. How to Install and Test SAMBA</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="IntroSMB.html" title="Chapter 1. Introduction to Samba"><link rel="next" href="FastStart.html" title="Chapter 3. FastStart for the Impatient"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. How to Install and Test SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="install"></a>Chapter 2. 
How to Install and Test SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Karl</span> <span class="surname">Auer</span></h3></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="install.html#id2885029">Obtaining and installing samba</a></dt><dt><a href="install.html#id2885071">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2884644">Example Configuration</a></dt><dt><a href="install.html#id2884788">SWAT</a></dt></dl></dd><dt><a href="install.html#id2884832">Try listing the shares available on your
server</a></dt><dt><a href="install.html#id2884338">Try connecting with the unix client</a></dt><dt><a href="install.html#id2884440">Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</a></dt><dt><a href="install.html#id2884501">What If Things Don't Work?</a></dt><dt><a href="install.html#id2884530">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2884543">Why are so many smbd processes eating memory?</a></dt><dt><a href="install.html#id2885918">I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885029"></a>Obtaining and installing samba</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. How to Install and Test SAMBA</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="IntroSMB.html" title="Chapter 1. Introduction to Samba"><link rel="next" href="FastStart.html" title="Chapter 3. Fast Start for the Impatient"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. How to Install and Test SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="install"></a>Chapter 2. 
How to Install and Test SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Karl</span> <span class="surname">Auer</span></h3></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="install.html#id2886868">Obtaining and installing samba</a></dt><dt><a href="install.html#id2886909">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2886946">Example Configuration</a></dt><dt><a href="install.html#id2887096">SWAT</a></dt></dl></dd><dt><a href="install.html#id2887140">Try listing the shares available on your
server</a></dt><dt><a href="install.html#id2887191">Try connecting with the unix client</a></dt><dt><a href="install.html#id2887292">Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</a></dt><dt><a href="install.html#id2887355">What If Things Don't Work?</a></dt><dt><a href="install.html#id2887388">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2887401">Why are so many smbd processes eating memory?</a></dt><dt><a href="install.html#id2887617">I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886868"></a>Obtaining and installing samba</h2></div></div><div></div></div><p>
Binary packages of samba are included in almost any Linux or
Unix distribution. There are also some packages available at
<a href="http://samba.org/" target="_top">the samba homepage</a>.
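Review bot: every anchor in the table of contents and on the section headings gets a new generated id in this regeneration (for example id2885029 becomes id2886868 for "Obtaining and installing samba"), so any external deep link into install.html breaks each time the docs are rebuilt. Giving the sections explicit ids in the DocBook source would keep the anchors stable and would reduce future regeneration diffs to real content changes.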
@ -9,41 +8,41 @@
<a href="compiling.html" title="Chapter 36. How to compile SAMBA">appropriate appendix chapter</a>.</p><p>If you have already installed samba, or if your operating system
was pre-installed with samba, then you may not need to bother with this
chapter. On the other hand, you may want to read this chapter anyhow
for information about updating samba.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885071"></a>Configuring samba (smb.conf)</h2></div></div><div></div></div><p>
for information about updating samba.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886909"></a>Configuring samba (smb.conf)</h2></div></div><div></div></div><p>
Samba's configuration is stored in the <tt class="filename">smb.conf</tt> file,
that usually resides in <tt class="filename">/etc/samba/smb.conf</tt>
or <tt class="filename">/usr/local/samba/lib/smb.conf</tt>. You can either
edit this file yourself or do it using one of the many graphical
tools that are available, such as the web-based interface swat, that
is included with samba.
</p><div xmlns:ns2="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2884644"></a>Example Configuration</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886946"></a>Example Configuration</h3></div></div><div></div></div><p>
There are sample configuration files in the examples subdirectory in the
distribution. I suggest you read them carefully so you can see how the options
go together in practice. See the man page for all the options.
</p><p>
The simplest useful configuration file would be something like this:
</p><ns2:p>
</ns2:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[global]
workgroup = MYGROUP
[homes]
guest ok = no
read only = no
</pre><ns2:p>
</ns2:p><p>
</pre><p>
</p><p>
This will allow connections by anyone with an account on the server, using either
their login name or &quot;<i class="parameter"><tt>homes</tt></i>&quot; as the service name.
(Note that the workgroup that Samba must also be set.)
</p><p>
Make sure you put the <tt class="filename">smb.conf</tt> file in the same place
you specified in the<tt class="filename">Makefile</tt> (the default is to
you specified in the <tt class="filename">Makefile</tt> (the default is to
look for it in <tt class="filename">/usr/local/samba/lib/</tt>).
</p><p>
For more information about security settings for the
<i class="parameter"><tt>[homes]</tt></i> share please refer to the chapter
<a href="securing-samba.html" title="Chapter 15. Securing Samba">Securing Samba</a>.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2884735"></a>Test your config file with <b class="command">testparm</b></h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2887041"></a>Test your config file with <b class="command">testparm</b></h4></div></div><div></div></div><p>
It's important that you test the validity of your <tt class="filename">smb.conf</tt>
file using the <span class="application">testparm</span> program. If testparm runs OK
then it will list the loaded services. If not it will give an error message.
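Review bot: the unchanged sentence "(Note that the workgroup that Samba must also be set.)" after the [homes] example is still ungrammatical in the regenerated output and does not say clearly what has to be set; it needs rewording in the DocBook source. Replacing the stray <ns2:p> elements with plain <p> is right, but it leaves an empty <p></p> pair on each side of the <pre class="programlisting"> block, which the source or stylesheet could drop. The spacing fix in "you specified in the <tt" looks good.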
@ -51,7 +50,7 @@
Make sure it runs OK and that the services look reasonable before proceeding.
</p><p>
Always run testparm again when you change <tt class="filename">smb.conf</tt>!
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2884788"></a>SWAT</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887096"></a>SWAT</h3></div></div><div></div></div><p>
SWAT is a web-based interface that helps you configure samba.
SWAT might not be available in the samba package on your platform,
but in a separate package. Please read the swat manpage
@ -67,7 +66,7 @@
machine but connecting from a remote machine leaves your
connection open to password sniffing as passwords will be sent
in the clear over the wire.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884832"></a>Try listing the shares available on your
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887140"></a>Try listing the shares available on your
server</h2></div></div><div></div></div><p><tt class="prompt">$ </tt><b class="userinput"><tt>smbclient -L
<i class="replaceable"><tt>yourhostname</tt></i></tt></b></p><p>You should get back a list of shares available on
your server. If you don't then something is incorrectly setup.
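Review bot: the SWAT context paragraph at the top of this hunk warns that connecting from a remote machine sends passwords in the clear, but the visible text stops at the warning and gives the reader nothing to act on. Since the source is being touched anyway, one sentence naming a safe way to use SWAT (for example, only from a browser on the server itself) would make the warning usable. Separately, "something is incorrectly setup" in the last context line should read "set up".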
@ -77,7 +76,7 @@
See the <b class="command">smbclient</b> man page for details. (you
can force it to list the shares without a password by
adding the option -U% to the command line. This will not work
with non-Samba servers)</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884338"></a>Try connecting with the unix client</h2></div></div><div></div></div><p><tt class="prompt">$ </tt><b class="userinput"><tt>smbclient <i class="replaceable"><tt>
with non-Samba servers)</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887191"></a>Try connecting with the unix client</h2></div></div><div></div></div><p><tt class="prompt">$ </tt><b class="userinput"><tt>smbclient <i class="replaceable"><tt>
//yourhostname/aservice</tt></i></tt></b></p><p>Typically the <i class="replaceable"><tt>yourhostname</tt></i>
would be the name of the host where you installed <span class="application">smbd</span>.
The <i class="replaceable"><tt>aservice</tt></i> is
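Review bot: in the context lines before the changed heading, the option "-U%" appears as plain text while smbclient in the same paragraph is marked up with <b class="command">, and the parenthetical "(you can force it ..." starts in lower case and ends without a full stop. Marking the option up as a literal in the source and making the parenthetical a proper sentence would keep it from being misread, which matters here because the option is what allows listing shares without a password.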
@ -86,18 +85,18 @@
section
in <tt class="filename">smb.conf</tt>.</p><p>For example if your unix host is <i class="replaceable"><tt>bambi</tt></i>
and your login name is <i class="replaceable"><tt>fred</tt></i> you would type:</p><p><tt class="prompt">$ </tt><b class="userinput"><tt>smbclient //<i class="replaceable"><tt>bambi</tt></i>/<i class="replaceable"><tt>fred</tt></i>
</tt></b></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884440"></a>Try connecting from a DOS, WfWg, Win9x, WinNT,
</tt></b></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887292"></a>Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</h2></div></div><div></div></div><p>Try mounting disks. eg:</p><p><tt class="prompt">C:\WINDOWS\&gt; </tt><b class="userinput"><tt>net use d: \\servername\service
</tt></b></p><p>Try printing. eg:</p><p><tt class="prompt">C:\WINDOWS\&gt; </tt><b class="userinput"><tt>net use lpt1:
\\servername\spoolservice</tt></b></p><p><tt class="prompt">C:\WINDOWS\&gt; </tt><b class="userinput"><tt>print filename
</tt></b></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884501"></a>What If Things Don't Work?</h2></div></div><div></div></div><p>Then you might read the file chapter
<a href="diagnosis.html" title="Chapter 33. The samba checklist">Diagnosis</a> and the
</tt></b></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887355"></a>What If Things Don't Work?</h2></div></div><div></div></div><p>Then you might read the file chapter
<a href="diagnosis.html" title="Chapter 33. The Samba checklist">Diagnosis</a> and the
FAQ. If you are still stuck then try to follow
the <a href="problems.html" title="Chapter 34. Analysing and solving samba problems">Analysing and Solving Problems chapter</a>
Samba has been successfully installed at thousands of sites worldwide,
so maybe someone else has hit your problem and has overcome it. </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884530"></a>Common Errors</h2></div></div><div></div></div><p>
so maybe someone else has hit your problem and has overcome it. </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887388"></a>Common Errors</h2></div></div><div></div></div><p>
The following questions and issues get raised on the samba mailing list over and over again.
</p><div xmlns:ns3="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2884543"></a>Why are so many smbd processes eating memory?</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887401"></a>Why are so many smbd processes eating memory?</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
Site that is running Samba on an AIX box. They are sharing out about 2 terabytes using samba.
Samba was installed using smitty and the binaries. We seem to be experiencing a memory problem
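Review bot: the "What If Things Don't Work?" paragraph keeps two defects that this regeneration only carries forward: "Then you might read the file chapter" has a leftover word ("file"), and there is no full stop between the "Analysing and Solving Problems chapter" link and "Samba has been successfully installed", so two sentences run together. Both need fixing in the DocBook source. The capitalisation change to "The Samba checklist" and the removal of the empty xmlns:ns3 attribute are fine.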
@ -109,8 +108,8 @@ processes of smbd running:
Is samba suppose to start this many different smbd processes? Or does it run as one smbd process? Also
is it normal for it to be taking up this much memory?
</span>&#8221;
</p><ns3:p>
</ns3:p><pre class="screen">
</p><p>
</p><pre class="screen">
Inuse * 4096 = amount of memory being used by this process
Pid Command Inuse Pin Pgsp Virtual 64-bit Mthrd
@ -137,8 +136,8 @@ Inuse * 4096 = amount of memory being used by this process
19110 smbd 8404 1906 181 4862 N N
Total memory used: 841,592,832 bytes
</pre><ns3:p>
</ns3:p><p>
</pre><p>
</p><p>
Samba consists on three core programs:
<span class="application">nmbd</span>, <span class="application">smbd</span>, <span class="application">winbindd</span>. <span class="application">nmbd</span> is the name server message daemon,
<span class="application">smbd</span> is the server message daemon, <span class="application">winbindd</span> is the daemon that
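Review bot: the context line "Samba consists on three core programs:" should read "consists of"; it is unchanged by this hunk, so the typo is still in the source. As in the earlier hunks, swapping <ns3:p> for <p> leaves an empty paragraph before and after the <pre class="screen"> block.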
@ -153,4 +152,4 @@ connection made. That is why you are seeing so many of them, one (1) per client
</p><p>
<span class="application">winbindd</span> will run as one or two daemons, depending on whether or not it is being
run in &quot;split mode&quot; (in which case there will be two instances).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885918"></a>I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</h3></div></div><div></div></div><p>Your loopback device isn't working correctly. Make sure it's running. </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. Introduction to Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. FastStart for the Impatient</td></tr></table></div></body></html>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887617"></a>I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</h3></div></div><div></div></div><p>Your loopback device isn't working correctly. Make sure it's running. </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. Introduction to Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Fast Start for the Impatient</td></tr></table></div></body></html>
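Review bot: the heading of the open_oplock_ipc entry quotes the log message only as far as "Error was Cannot assign requested", which cuts the error text short, and this hunk changes nothing there except the anchor id. Quoting the log line in full in the source would let readers match it against their own logs, and the one-line answer ("Make sure it's running.") would help more if it said how to check the loopback interface. The footer title fix to "Fast Start for the Impatient" is good.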

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 26. Integrating MS Windows networks with Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"><link rel="next" href="unicode.html" title="Chapter 27. Unicode/Charsets"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 26. Integrating MS Windows networks with Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="integrate-ms-networks"></a>Chapter 26. 
Integrating MS Windows networks with Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate"> (Jan 01 2001) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="integrate-ms-networks.html#id2997481">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2997505">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2997550">Name Resolution in a pure Unix/Linux world</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2997602">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2997726">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id2995876">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id2995919">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2996007">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2996132">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id2996176">The LMHOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id2996290">HOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id2996322">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id2996347">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2996418">Common Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2996434">My Boomerang Won't Come Back</a></dt><dt><a href="integrate-ms-networks.html#id2996465">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id2996517">Samba server name change problem</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 26. Integrating MS Windows networks with Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"><link rel="next" href="unicode.html" title="Chapter 27. Unicode/Charsets"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 26. Integrating MS Windows networks with Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="integrate-ms-networks"></a>Chapter 26. 
Integrating MS Windows networks with Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate"> (Jan 01 2001) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="integrate-ms-networks.html#id2999705">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2999730">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2999775">Name Resolution in a pure Unix/Linux world</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2999831">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2999956">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id3000000">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id3000042">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id3000130">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id3000278">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id3000323">The LMHOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id3000567">HOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id3000600">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id3000624">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id3000695">Common Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id3000711">My Boomerang Won't Come Back</a></dt><dt><a href="integrate-ms-networks.html#id3000742">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id3000794">Samba server name change problem</a></dt></dl></dd></dl></div><p>
This section deals with NetBIOS over TCP/IP name to IP address resolution. If
your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this
section does not apply to your installation. If your installation involves use of
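Review bot: the DOCTYPE declaration on the first line of this hunk is listed once while the <html> line after it is listed twice and the header shrinks from 5 lines to 4, which indicates the regenerated file no longer starts with a DOCTYPE. Without it browsers fall back to quirks-mode rendering, so if the removal is not intentional the build should be configured to emit the declaration again. As in install.html, all table-of-contents anchors are renumbered (id2997481 becomes id2999705 and so on), which breaks existing deep links.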
@ -10,15 +9,15 @@ NetBIOS over TCP/IP then this section may help you to resolve networking problem
to NOT run NetBEUI at all. Note also that there is NO such thing as
NetBEUI over TCP/IP - the existence of such a protocol is a complete
and utter mis-apprehension.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2997481"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999705"></a>Features and Benefits</h2></div></div><div></div></div><p>
Many MS Windows network administrators have never been exposed to basic TCP/IP
networking as it is implemented in a Unix/Linux operating system. Likewise, many Unix and
Linux adminsitrators have not been exposed to the intricacies of MS Windows TCP/IP based
Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP based
networking (and may have no desire to be either).
</p><p>
This chapter gives a short introduction to the basics of how a name can be resolved to
it's IP address for each operating system environment.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2997505"></a>Background Information</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999730"></a>Background Information</h2></div></div><div></div></div><p>
Since the introduction of MS Windows 2000 it is possible to run MS Windows networking
without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
@ -34,9 +33,9 @@ disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS req
Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
Use of DHCP with ADS is recommended as a further means of maintaining central control
over client workstation network configuration.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2997550"></a>Name Resolution in a pure Unix/Linux world</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999775"></a>Name Resolution in a pure Unix/Linux world</h2></div></div><div></div></div><p>
The key configuration files covered in this section are:
</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/hosts</tt></p></li><li><p><tt class="filename">/etc/resolv.conf</tt></p></li><li><p><tt class="filename">/etc/host.conf</tt></p></li><li><p><tt class="filename">/etc/nsswitch.conf</tt></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2997602"></a><tt class="filename">/etc/hosts</tt></h3></div></div><div></div></div><p>
</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/hosts</tt></p></li><li><p><tt class="filename">/etc/resolv.conf</tt></p></li><li><p><tt class="filename">/etc/host.conf</tt></p></li><li><p><tt class="filename">/etc/nsswitch.conf</tt></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2999831"></a><tt class="filename">/etc/hosts</tt></h3></div></div><div></div></div><p>
Contains a static list of IP Addresses and names.
eg:
</p><pre class="screen">
@ -60,7 +59,7 @@ as two digit hexadecimal numbers separated by colons. eg:
Every network interface must have an MAC address. Associated with
a MAC address there may be one or more IP addresses. There is NO
relationship between an IP address and a MAC address, all such assignments
are arbitary or discretionary in nature. At the most basic level all
are arbitrary or discretionary in nature. At the most basic level all
network communications takes place using MAC addressing. Since MAC
addresses must be globally unique, and generally remains fixed for
any particular interface, the assignment of an IP address makes sense
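Review bot: only "arbitary" is corrected here, while the surrounding context sentences still read "must have an MAC address", "all network communications takes place" and "MAC addresses must be globally unique, and generally remains fixed". These should be "a MAC address", "take place" and "remain fixed" in the source.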
@ -87,13 +86,13 @@ contain the MAC address and the primary IP address for each
interface.
</p><p>
The <tt class="filename">/etc/hosts</tt> file is foundational to all
Unix/Linux TCP/IP installations and as a minumum will contain
Unix/Linux TCP/IP installations and as a minimum will contain
the localhost and local network interface IP addresses and the
primary names by which they are known within the local machine.
This file helps to prime the pump so that a basic level of name
resolution can exist before any other method of name resolution
becomes available.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2997726"></a><tt class="filename">/etc/resolv.conf</tt></h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2999956"></a><tt class="filename">/etc/resolv.conf</tt></h3></div></div><div></div></div><p>
This file tells the name resolution libraries:
</p><div class="itemizedlist"><ul type="disc"><li><p>The name of the domain to which the machine
belongs
@ -103,18 +102,18 @@ This file tells the name resolution libraries:
</p></li><li><p>The name or IP address of available Domain
Name Servers that may be asked to perform name to address
translation lookups
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2995876"></a><tt class="filename">/etc/host.conf</tt></h3></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000000"></a><tt class="filename">/etc/host.conf</tt></h3></div></div><div></div></div><p>
<tt class="filename">/etc/host.conf</tt> is the primary means by
which the setting in /etc/resolv.conf may be affected. It is a
critical configuration file. This file controls the order by
which name resolution may procede. The typical structure is:
which name resolution may proceed. The typical structure is:
</p><pre class="screen">
order hosts,bind
multi on
</pre><p>
then both addresses should be returned. Please refer to the
man page for host.conf for further details.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2995919"></a><tt class="filename">/etc/nsswitch.conf</tt></h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000042"></a><tt class="filename">/etc/nsswitch.conf</tt></h3></div></div><div></div></div><p>
This file controls the actual name resolution targets. The
file typically has resolver object specifications as follows:
</p><pre class="screen">
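Review bot: after the host.conf listing the paragraph begins mid-sentence with "then both addresses should be returned", so the condition that sentence depends on is missing from the output and the reader cannot tell what "multi on" is being said to do. The lost text needs restoring in the DocBook source. In the same section "/etc/resolv.conf" appears as plain text while every other file name uses <tt class="filename">.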
@ -131,7 +130,7 @@ file typically has resolver object specifications as follows:
hosts: files nis dns
# Alternative entries for host name resolution are:
# hosts: files dns nis nis+ hesoid db compat ldap wins
# hosts: files dns nis nis+ hesiod db compat ldap wins
networks: nis files dns
ethers: nis files
@ -158,7 +157,7 @@ the <tt class="filename">/etc/nsswitch.conf</tt> file. At this point it
will be possible to ping any MS Windows machine by it's NetBIOS
machine name, so long as that machine is within the workgroup to
which both the samba machine and the MS Windows machine belong.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996007"></a>Name resolution as used within MS Windows networking</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000130"></a>Name resolution as used within MS Windows networking</h2></div></div><div></div></div><p>
MS Windows networking is predicated about the name each machine
is given. This name is known variously (and inconsistently) as
the &quot;computer name&quot;, &quot;machine name&quot;, &quot;networking name&quot;, &quot;netbios name&quot;,
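Review bot: two wording problems sit in the context lines around the changed heading and are left as they were: "ping any MS Windows machine by it's NetBIOS machine name" should use "its", and "MS Windows networking is predicated about the name" should be "predicated on". Both belong in the source fix-up along with the spelling corrections made elsewhere in this commit.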
@ -229,7 +228,7 @@ NBT or NetBT, the NetBIOS over TCP/IP.
MS Windows machines use a complex array of name resolution mechanisms.
Since we are primarily concerned with TCP/IP this demonstration is
limited to this area.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996132"></a>The NetBIOS Name Cache</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000278"></a>The NetBIOS Name Cache</h3></div></div><div></div></div><p>
All MS Windows machines employ an in memory buffer in which is
stored the NetBIOS names and IP addresses for all external
machines that that machine has communicated with over the
@ -247,7 +246,7 @@ frustrating for users - but it is a characteristic of the protocol.
The MS Windows utility that allows examination of the NetBIOS
name cache is called &quot;nbtstat&quot;. The Samba equivalent of this
is called <b class="command">nmblookup</b>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996176"></a>The LMHOSTS file</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000323"></a>The LMHOSTS file</h3></div></div><div></div></div><p>
This file is usually located in MS Windows NT 4.0 or
2000 in <tt class="filename">C:\WINNT\SYSTEM32\DRIVERS\ETC</tt> and contains
the IP Address and the machine name in matched pairs. The
@ -264,7 +263,7 @@ It typically looks like:
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The &quot;#&quot; character
# is generally used to denote the start of a comment (see the exceptions
# below).
@ -296,7 +295,7 @@ It typically looks like:
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share &quot;public&quot; in the example below must be in the
# In addition the share &quot;public&quot; in the example below must be in the
# LanManServer list of &quot;NullSessionShares&quot; in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
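Review bot: the #INCLUDE comment in this hunk tells the reader that the "public" share must be listed under NullSessionShares so clients can read the central lmhosts file, and nothing in the visible text says that this makes the share readable over unauthenticated (null) sessions. Since the line is already being touched for the "addtion" typo, consider adding a sentence after the sample in the source saying that such a share should be read-only and hold nothing but the lmhosts file.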
@ -332,14 +331,14 @@ It typically looks like:
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996290"></a>HOSTS file</h3></div></div><div></div></div><p>
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000567"></a>HOSTS file</h3></div></div><div></div></div><p>
This file is usually located in MS Windows NT 4.0 or 2000 in
<tt class="filename">C:\WINNT\SYSTEM32\DRIVERS\ETC</tt> and contains
the IP Address and the IP hostname in matched pairs. It can be
used by the name resolution infrastructure in MS Windows, depending
on how the TCP/IP environment is configured. This file is in
every way the equivalent of the Unix/Linux <tt class="filename">/etc/hosts</tt> file.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996322"></a>DNS Lookup</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000600"></a>DNS Lookup</h3></div></div><div></div></div><p>
This capability is configured in the TCP/IP setup area in the network
configuration facility. If enabled an elaborate name resolution sequence
is followed the precise nature of which is dependant on what the NetBIOS
@ -350,8 +349,8 @@ cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
lookup is used.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996347"></a>WINS Lookup</h3></div></div><div></div></div><p>
A WINS (Windows Internet Name Server) service is the equivaent of the
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000624"></a>WINS Lookup</h3></div></div><div></div></div><p>
A WINS (Windows Internet Name Server) service is the equivalent of the
rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
the names and IP addresses that are registered by a Windows client
if the TCP/IP setup has been given at least one WINS Server IP Address.
@ -369,23 +368,23 @@ needed in the <tt class="filename">smb.conf</tt> file:
</pre><p>
where <i class="replaceable"><tt>xxx.xxx.xxx.xxx</tt></i> is the IP address
of the WINS server.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996418"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000695"></a>Common Errors</h2></div></div><div></div></div><p>
TCP/IP network configuration problems find every network administrator sooner or later.
The cause can be anything from keybaord mishaps, forgetfulness, simple mistakes, and
carelessness. Of course, noone is every deliberately careless!
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996434"></a>My Boomerang Won't Come Back</h3></div></div><div></div></div><p>
The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
carelessness. Of course, no one is every deliberately careless!
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000711"></a>My Boomerang Won't Come Back</h3></div></div><div></div></div><p>
Well, the real complaint said, &quot;I can ping my samba server from Windows, but I can
not ping my Windows machine from the samba server.&quot;
</p><p>
The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
Samba server (Linux) was at IP Address 192.168.1.130 with netmast 255.255.255.128.
Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
The machines were on a local network with no external connections.
</p><p>
Due to inconsistent netmasks, the Windows machine was on network 192.168.1.0/24, while
the Samba server was on network 192.168.1.128/25 - logically a different network.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996465"></a>Very Slow Network Connections</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000742"></a>Very Slow Network Connections</h3></div></div><div></div></div><p>
A common causes of slow network response includes:
</p><div class="itemizedlist"><ul type="disc"><li><p>Client is configured to use DNS and DNS server is down</p></li><li><p>Client is configured to use remote DNS server, but remote connection is down</p></li><li><p>Client is configured to use a WINS server, but there is no WINS server</p></li><li><p>Client is NOT configured to use a WINS server, but there is a WINS server</p></li><li><p>Firewall is filtering our DNS or WINS traffic</p></li></ul></div></div><div xmlns:ns93="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996517"></a>Samba server name change problem</h3></div></div><div></div></div><p>
</p><div class="itemizedlist"><ul type="disc"><li><p>Client is configured to use DNS and DNS server is down</p></li><li><p>Client is configured to use remote DNS server, but remote connection is down</p></li><li><p>Client is configured to use a WINS server, but there is no WINS server</p></li><li><p>Client is NOT configured to use a WINS server, but there is a WINS server</p></li><li><p>Firewall is filtering our DNS or WINS traffic</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000794"></a>Samba server name change problem</h3></div></div><div></div></div><p>
The name of the samba server was changed, samba was restarted, samba server can not be
pinged by new name from MS Windows NT4 Workstation, but it does still respond to ping using
the old name. Why?
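Review bot: the replacement line "carelessness. Of course, no one is every deliberately careless!" fixes "noone" but keeps "every" where "ever" is meant. The same hunk leaves "A common causes of slow network response includes:" and "Firewall is filtering our DNS or WINS traffic" (presumably "filtering out") unchanged. As this is generated HTML, the corrections belong in the DocBook source before the next regeneration.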
@ -394,8 +393,8 @@ carelessness. Of course, noone is every deliberately careless!
</p><div class="itemizedlist"><ul type="disc"><li><p>WINS is NOT in use, only broadcast based name resolution is used</p></li><li><p>The samba server was renamed and restarted within the last 10-15 minutes</p></li><li><p>The old samba server name is still in the NetBIOS name cache on the MS Windows NT4 Workstation</p></li></ul></div><p>
To find what names are present in the NetBIOS name cache on the MS Windows NT4 machine,
open a cmd shell, then:
</p><ns93:p>
</ns93:p><pre class="screen">
</p><p>
</p><pre class="screen">
C:\temp\&gt;nbtstat -n
NetBIOS Local Name Table
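Review bot: swapping the ns93:p pair for a plain p pair ahead of the pre class="screen" block removes the stray namespace prefix but still emits an empty paragraph containing only a newline, directly after the paragraph ending "open a cmd shell, then:". It would be cleaner to fix the nesting of the screen block in the source so that no empty element is generated.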
@ -403,7 +402,7 @@ carelessness. Of course, noone is every deliberately careless!
Name Type Status
------------------------------------------------
SLACK &lt;03&gt; UNIQUE Registered
ADMININSTRATOR &lt;03&gt; UNIQUE Registered
ADMINISTRATOR &lt;03&gt; UNIQUE Registered
SLACK &lt;00&gt; UNIQUE Registered
SARDON &lt;00&gt; GROUP Registered
SLACK &lt;20&gt; UNIQUE Registered
@ -419,8 +418,8 @@ carelessness. Of course, noone is every deliberately careless!
FRODO &lt;20&gt; UNIQUE 192.168.1.1 240
C:\Temp\&gt;
</pre><ns93:p>
</ns93:p><p>
</pre><p>
</p><p>
In the above example, FRODO is the Samba server and SLACK is the MS Windows NT4 Workstation.
The first listing shows the contents of the Local Name Table (ie: Identity information on
the MS Windows workstation), the second shows the NetBIOS name in the NetBIOS name cache.

View File

@ -1,6 +1,5 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. General Installation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="index.html" title="SAMBA Project Documentation"><link rel="next" href="IntroSMB.html" title="Chapter 1. Introduction to Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. General Installation</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="introduction"></a>General Installation</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2883915"></a>Preparing Samba for Configuration</h1></div></div><div></div></div><p>This section of the Samba-HOWTO-Collection contains general info on how to install samba
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. General Installation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="index.html" title="SAMBA Project Documentation"><link rel="next" href="IntroSMB.html" title="Chapter 1. Introduction to Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. General Installation</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="introduction"></a>General Installation</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2884330"></a>Preparing Samba for Configuration</h1></div></div><div></div></div><p>This section of the Samba-HOWTO-Collection contains general info on how to install samba
and how to configure the parts of samba you will most likely need.
PLEASE read this.</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>1. <a href="IntroSMB.html">Introduction to Samba</a></dt><dd><dl><dt><a href="IntroSMB.html#id2885255">Background</a></dt><dt><a href="IntroSMB.html#id2885309">Terminology</a></dt><dt><a href="IntroSMB.html#id2884034">Related Projects</a></dt><dt><a href="IntroSMB.html#id2884102">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2884189">Epilogue</a></dt><dt><a href="IntroSMB.html#id2884263">Miscellaneous</a></dt></dl></dd><dt>2. <a href="install.html">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="install.html#id2885029">Obtaining and installing samba</a></dt><dt><a href="install.html#id2885071">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2884644">Example Configuration</a></dt><dt><a href="install.html#id2884788">SWAT</a></dt></dl></dd><dt><a href="install.html#id2884832">Try listing the shares available on your
server</a></dt><dt><a href="install.html#id2884338">Try connecting with the unix client</a></dt><dt><a href="install.html#id2884440">Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</a></dt><dt><a href="install.html#id2884501">What If Things Don't Work?</a></dt><dt><a href="install.html#id2884530">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2884543">Why are so many smbd processes eating memory?</a></dt><dt><a href="install.html#id2885918">I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</a></dt></dl></dd></dl></dd><dt>3. <a href="FastStart.html">FastStart for the Impatient</a></dt><dd><dl><dt><a href="FastStart.html#id2886367">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">SAMBA Project Documentation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. Introduction to Samba</td></tr></table></div></body></html>
PLEASE read this.</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>1. <a href="IntroSMB.html">Introduction to Samba</a></dt><dd><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></dd><dt>2. <a href="install.html">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="install.html#id2886868">Obtaining and installing samba</a></dt><dt><a href="install.html#id2886909">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2886946">Example Configuration</a></dt><dt><a href="install.html#id2887096">SWAT</a></dt></dl></dd><dt><a href="install.html#id2887140">Try listing the shares available on your
server</a></dt><dt><a href="install.html#id2887191">Try connecting with the unix client</a></dt><dt><a href="install.html#id2887292">Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</a></dt><dt><a href="install.html#id2887355">What If Things Don't Work?</a></dt><dt><a href="install.html#id2887388">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2887401">Why are so many smbd processes eating memory?</a></dt><dt><a href="install.html#id2887617">I'm getting &quot;open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested&quot; in the logs</a></dt></dl></dd></dl></dd><dt>3. <a href="FastStart.html">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">SAMBA Project Documentation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. Introduction to Samba</td></tr></table></div></body></html>
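Review bot: the regenerated page no longer begins with the "<!DOCTYPE HTML PUBLIC ... 4.01 Transitional" declaration (the hunk goes from 6 lines to 5 and that line is the only one without a counterpart), so browsers will render it in quirks mode. If dropping it was not intended, restore the doctype output in the stylesheet customization before regenerating. The TOC entry also changes from "FastStart for the Impatient" to "Fast Start for the Impatient" while every anchor in the TOC is renumbered, which makes the one real text change hard to spot in review.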

View File

@ -1,2 +1 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id3016099"></a>Index</h2></div></div><div></div></div><div class="index"></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. Further Resources </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id3018533"></a>Index</h2></div></div><div></div></div><div class="index"></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. Further Resources </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
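Review bot: the Index page still ships with an empty index body (the inner div class="index" has no entries in either the old or the new line), so the regeneration only renumbers the heading anchor from id3016099 to id3018533 and drops the DOCTYPE line. If the source has no indexterm markup yet, consider leaving the index page out of the build until it does, rather than publishing a blank page linked from "Chapter 41. Further Resources".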

View File

@ -1,8 +1,7 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 15. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. 
File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="locking.html#id2926486">Features and Benefits</a></dt><dt><a href="locking.html#id2926542">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2926672">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2925047">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2925156">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2925415">MS Windows Opportunistic Locking and Caching 
Controls</a></dt><dd><dl><dt><a href="locking.html#id2927852">Workstation Service Entries</a></dt><dt><a href="locking.html#id2927879">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2927959">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2927989">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2928063">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2928093">Additional Reading</a></dt></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 15. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. 
File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="locking.html#id2928216">Features and Benefits</a></dt><dt><a href="locking.html#id2928272">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2928403">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2929049">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2929159">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2929419">MS Windows Opportunistic Locking and Caching 
Controls</a></dt><dd><dl><dt><a href="locking.html#id2929649">Workstation Service Entries</a></dt><dt><a href="locking.html#id2929676">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2929755">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2929785">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2929859">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2929890">Additional Reading</a></dt></dl></div><p>
One area which causes trouble for many network administrators is locking.
The extent of the problem is readily evident from searches over the internet.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2926486"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928216"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba provides all the same locking semantics that MS Windows clients expect
and that MS Windows NT4 / 200x servers provide also.
</p><p>
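Review bot: in the author block of this chapter, Eric Roseme's affiliation is rendered as "HP Oplocks Usage Recommendations Whitepaper" inside the orgname span, which is a document title rather than an organisation, and the other authors alternate between "Samba Team" and "The Samba Team". Both come from the source author entries and are worth normalising there, since the rest of this hunk only renumbers TOC anchors and drops the DOCTYPE line.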
@ -24,7 +23,7 @@ settings on the MS Windows client.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Sometimes it is necessary to disable locking control settings BOTH on the Samba
server as well as on each MS Windows client!
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2926542"></a>Discussion</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928272"></a>Discussion</h2></div></div><div></div></div><p>
There are two types of locking which need to be performed by a SMB server.
The first is <span class="emphasis"><em>record locking</em></span> which allows a client to lock
a range of bytes in a open file. The second is the <span class="emphasis"><em>deny modes</em></span>
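Review bot: the context lines under the renumbered "Discussion" heading still read "a SMB server" and "a range of bytes in a open file"; both should take "an". Worth fixing in the DocBook source alongside the other spelling corrections in this commit.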
@ -63,7 +62,7 @@ access should be allowed simultaneously with its open. A client may ask for
<tt class="constant">DENY_NONE</tt>, <tt class="constant">DENY_READ</tt>,
<tt class="constant">DENY_WRITE</tt> or <tt class="constant">DENY_ALL</tt>. There are also special compatibility
modes called <tt class="constant">DENY_FCB</tt> and <tt class="constant">DENY_DOS</tt>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2926672"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928403"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p>
Opportunistic locking (Oplocks) is invoked by the Windows file system
(as opposed to an API) via registry entries (on the server AND client)
for the purpose of enhancing network performance when accessing a file
@ -84,8 +83,8 @@ other processes.
The redirector sees that the file was opened with deny
none (allowing concurrent access), verifies that no
other process is accessing the file, checks that
oplocks are enabled, then grants deny-all/read-write/ex-
clusive access to the file. The client now performs
oplocks are enabled, then grants deny-all/read-write/exclusive
access to the file. The client now performs
operations on the cached local file.
</p><p>
If a second process attempts to open the file, the open
@ -186,7 +185,7 @@ In mission critical high availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924706"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928695"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p>
Opportunistic locking is most effective when it is confined to shares
that are exclusively accessed by a single user, or by only one user at
a time. Because the true value of opportunistic locking is the local
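Review bot: the generated anchor on the "Exclusively Accessed Shares" heading is not stable across rebuilds (id2924706 becomes id2928695 here), and the same renumbering is the only change in most hunks of this file. These ids are what the table of contents and any external deep links point at, so every regeneration breaks them and buries the real text fixes in noise. Giving the sections explicit ids in the DocBook source would keep the anchors fixed.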
@ -195,7 +194,7 @@ mechanism will cause a delay.
</p><p>
Home directories are the most obvious examples of where the performance
benefit of opportunistic locking can be safely realized.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924731"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928719"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p>
As each additional user accesses a file in a share with opportunistic
locking enabled, the potential for delays and resulting perceived poor
performance increases. When multiple users are accessing a file on a
@ -207,7 +206,7 @@ of the caching user.
As each additional client attempts to access a file with oplocks set,
the potential performance improvement is negated and eventually results
in a performance bottleneck.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924760"></a>Unix or NFS Client Accessed Files</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928748"></a>Unix or NFS Client Accessed Files</h4></div></div><div></div></div><p>
Local Unix and NFS clients access files without a mandatory
file locking mechanism. Thus, these client platforms are incapable of
initiating an oplock break request from the server to a Windows client
@ -215,9 +214,9 @@ that has a file cached. Local Unix or NFS file access can therefore
write to a file that has been cached by a Windows client, which
exposes the file to likely data corruption.
</p><p>
If files are shared between Windows clients, and either loca Unix
If files are shared between Windows clients, and either local Unix
or NFS users, then turn opportunistic locking off.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924786"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928775"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p>
The biggest potential performance improvement for opportunistic locking
occurs when the client-side caching of reads and writes delivers the
most differential over sending those reads and writes over the wire.
@ -232,7 +231,7 @@ the most advantageous scenario to utilize opportunistic locking.
If the network is slow, unreliable, or a WAN, then do not configure
opportunistic locking if there is any chance of multiple users
regularly opening the same file.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924820"></a>Multi-User Databases</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928808"></a>Multi-User Databases</h4></div></div><div></div></div><p>
Multi-user databases clearly pose a risk due to their very nature -
they are typically heavily accessed by numerous users at random
intervals. Placing a multi-user database on a share with opportunistic
@ -240,7 +239,7 @@ locking enabled will likely result in a locking management bottleneck
on the Samba server. Whether the database application is developed
in-house or a commercially available product, ensure that the share
has opportunistic locking disabled.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924841"></a>PDM Data Shares</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928829"></a>PDM Data Shares</h4></div></div><div></div></div><p>
Process Data Management (PDM) applications such as IMAN, Enovia, and
Clearcase, are increasing in usage with Windows client platforms, and
therefore SMB data stores. PDM applications manage multi-user
@ -253,7 +252,7 @@ application and PDM server to negotiate and maintain. It is
appropriate to eliminate the client OS from any caching tasks, and the
server from any oplock management, by disabling opportunistic locking on
the share.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924868"></a>Beware of Force User</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928870"></a>Beware of Force User</h4></div></div><div></div></div><p>
Samba includes an <tt class="filename">smb.conf</tt> parameter called <i class="parameter"><tt>force user</tt></i> that changes
the user accessing a share from the incoming user to whatever user is
defined by the smb.conf variable. If opportunistic locking is enabled
@ -271,7 +270,7 @@ Avoid the combination of the following:
Slow or unreliable networks
</p></li><li><p>
Opportunistic Locking Enabled
</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924945"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928948"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p>
Samba provides opportunistic locking parameters that allow the
administrator to adjust various properties of the oplock mechanism to
account for timing and usage levels. These parameters provide good
@ -285,7 +284,7 @@ are required, then the better option is to simply turn oplocks off.
The samba SWAT help text for both parameters reads &quot;DO NOT CHANGE THIS
PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.&quot;
This is good advice.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924988"></a>Mission Critical High Availability</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928991"></a>Mission Critical High Availability</h4></div></div><div></div></div><p>
In mission critical high availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
@ -315,7 +314,7 @@ In mission critical high availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925047"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p>
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929049"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p>
Opportunistic Locking is a unique Windows file locking feature. It is
not really file locking, but is included in most discussions of Windows
file locking, so is considered a defacto locking feature.
@ -339,7 +338,7 @@ synchronising the contents of the entire file back to the server for a single ch
</p><p>
Level1 Oplocks (aka just plain &quot;oplocks&quot;) is another term for opportunistic locking.
</p><p>
Level2 Oplocks provids opportunistic locking for a file that will be treated as
Level2 Oplocks provides opportunistic locking for a file that will be treated as
<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or
on files that the client has no initial intention to write to at time of opening the file.
</p><p>
@ -352,7 +351,7 @@ Unless your system supports kernel oplocks, you should disable oplocks if you ar
accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronisation of
the entire file (not just the single record), which will result in a noticable performance
the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
disable oplocks and tune your system from that point.
@ -365,29 +364,29 @@ of your client sending oplock breaks and will instead want to disable oplocks fo
</p><p>
Another factor to consider is the perceived performance of file access. If oplocks provide no
measurable speed benefit on your network, it might not be worth the hassle of dealing with them.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925156"></a>Example Configuration</h3></div></div><div></div></div><p>
In the following we examine two destinct aspects of samba locking controls.
</p><div xmlns:ns37="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2925169"></a>Disabling Oplocks</h4></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929159"></a>Example Configuration</h3></div></div><div></div></div><p>
In the following we examine two distinct aspects of Samba locking controls.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929172"></a>Disabling Oplocks</h4></div></div><div></div></div><p>
You can disable oplocks on a per-share basis with the following:
</p><ns37:p>
</ns37:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[acctdata]
oplocks = False
level2 oplocks = False
</pre><ns37:p>
</ns37:p><p>
</pre><p>
</p><p>
The default oplock type is Level1. Level2 Oplocks are enabled on a per-share basis
in the <tt class="filename">smb.conf</tt> file.
</p><p>
Alternately, you could disable oplocks on a per-file basis within the share:
</p><ns37:p>
</ns37:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
</pre><ns37:p>
</ns37:p><p>
</pre><p>
</p><p>
If you are experiencing problems with oplocks as apparent from Samba's log entries,
you may want to play it safe and disable oplocks and level2 oplocks.
</p></div><div xmlns:ns38="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2925232"></a>Disabling Kernel OpLocks</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929235"></a>Disabling Kernel OpLocks</h4></div></div><div></div></div><p>
Kernel OpLocks is an <tt class="filename">smb.conf</tt> parameter that notifies Samba (if
the UNIX kernel has the capability to send a Windows client an oplock
break) when a UNIX process is attempting to open the file that is
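Review bot: each programlisting in the "Disabling Oplocks" section is still surrounded by empty paragraphs after the ns37:p elements are replaced with plain p elements (a paragraph is opened and immediately closed before the pre, and again after it). The empty elements add stray vertical space and suggest the listings sit inside a paragraph in the source; moving each listing out of its paragraph there would let the regenerated HTML come out clean instead of just renaming the empty wrapper.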
@ -399,13 +398,13 @@ to the risk of data corruption. If the UNIX kernel has the ability to
send an oplock break, then the kernel oplocks parameter enables Samba
to send the oplock break. Kernel oplocks are enabled on a per-server
basis in the <tt class="filename">smb.conf</tt> file.
</p><ns38:p>
</ns38:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[global]
kernel oplocks = yes
</pre><ns38:p>
</pre><p>
The default is &quot;no&quot;.
</ns38:p><p>
</p><p>
Veto OpLocks is an <tt class="filename">smb.conf</tt> parameter that identifies specific files for
which Oplocks are disabled. When a Windows client opens a file that
has been configured for veto oplocks, the client will not be granted
@ -417,26 +416,26 @@ allow Windows clients to utilize the performance benefit of file
caching without the risk of data corruption. Veto Oplocks can be
enabled on a per-share basis, or globally for the entire server, in the
<tt class="filename">smb.conf</tt> file:
</p><ns38:p>
</ns38:p><pre class="programlisting"><font color="red">&lt;title&gt;Example Veto OpLock Settings&lt;/title&gt;</font>
</p><p>
</p><pre class="programlisting"><font color="red">&lt;title&gt;Example Veto OpLock Settings&lt;/title&gt;</font>
[global]
veto oplock files = /filename.htm/*.txt/
[share_name]
veto oplock files = /*.exe/filename.ext/
</pre><ns38:p>
</ns38:p><p>
</pre><p>
</p><p>
<span class="emphasis"><em>Oplock break wait time</em></span> is an <tt class="filename">smb.conf</tt> parameter that adjusts the time
interval for Samba to reply to an oplock break request. Samba
recommends &quot;DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
UNDERSTOOD THE SAMBA OPLOCK CODE.&quot; Oplock Break Wait Time can only be
configured globally in the <tt class="filename">smb.conf</tt> file:
</p><ns38:p>
</ns38:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[global]
oplock break wait time = 0 (default)
</pre><ns38:p>
</ns38:p><p>
</pre><p>
</p><p>
<span class="emphasis"><em>Oplock break contention limit</em></span> is an <tt class="filename">smb.conf</tt> parameter that limits the
response of the Samba server to grant an oplock if the configured
number of contending clients reaches the limit specified by the
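Review bot: the veto oplock listing still begins with a red-font line that prints the raw title markup for "Example Veto OpLock Settings", on both the old and the new side. That line reads as a stylesheet marker for a title it could not place inside a programlisting, and a reader copying the listing will pick it up along with the settings. Wrapping the listing in an example element that owns the title, or dropping the title, would remove it from the output.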
@ -444,15 +443,15 @@ parameter. Samba recommends &quot;DO NOT CHANGE THIS PARAMETER UNLESS YOU
HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.&quot; Oplock Break
Contention Limit can be enable on a per-share basis, or globally for
the entire server, in the <tt class="filename">smb.conf</tt> file:
</p><ns38:p>
</ns38:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[global]
oplock break contention limit = 2 (default)
[share_name]
oplock break contention limit = 2 (default)
</pre><ns38:p>
</ns38:p></div></div></div><div xmlns:ns39="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925415"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p>
</pre><p>
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929419"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p>
There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
workstation computer that can affect any application attempting to access shared database files
across a network. This is a result of a default setting configured in the Windows 2000/XP
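Review bot: the listing lines "oplock break contention limit = 2 (default)" put the annotation inside the value, so an administrator who pastes them into smb.conf supplies the string "2 (default)" for the parameter. Move "(default)" into the surrounding sentence or onto a comment line. The paragraph above the listing also still reads "can be enable on a per-share basis", where "enabled" is meant.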
@ -489,20 +488,20 @@ Windows 2000 will still respect the EnableOplocks registry value used to disable
in earlier versions of Windows.
</p></div><p>
You can also deny the granting of opportunistic locks by changing the following registry entries:
</p><ns39:p>
</ns39:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\MRXSmb\Parameters\
OplocksDisabled REG_DWORD 0 or 1
Default: 0 (not disabled)
</pre><ns39:p>
</ns39:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The OplocksDisabled registry value configures Windows clients to either request or not
request opportunistic locks on a remote file. To disable oplocks, the value of
OplocksDisabled must be set to 1.
</p></div><ns39:p>
</ns39:p><pre class="programlisting">
</p></div><p>
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanServer\Parameters
@ -511,8 +510,8 @@ request opportunistic locks on a remote file. To disable oplocks, the value of
EnableOpLockForceClose REG_DWORD 0 or 1
Default: 0 (Disabled by Default)
</pre><ns39:p>
</ns39:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</pre><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The EnableOplocks value configures Windows-based servers (including Workstations sharing
files) to allow or deny opportunistic locks on local files.
</p></div><p>
@ -544,7 +543,7 @@ An illustration of how level II oplocks work:
station holds any oplock on the file. Because the workstations can have no cached
writes or locks at this point, they need not respond to the break-to-none advisory;
all they need do is invalidate locally cashed read-ahead data.
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2927852"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting">
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929649"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting">
\HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanWorkstation\Parameters
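Review bot: "invalidate locally cashed read-ahead data" at the end of the level II oplock illustration should read "cached". The line is unchanged context here, so the typo survives a regeneration that corrects several others; it needs fixing in the source.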
@ -553,7 +552,7 @@ An illustration of how level II oplocks work:
</pre><p>
Indicates whether the redirector should use opportunistic-locking (oplock) performance
enhancement. This parameter should be disabled only to isolate problems.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2927879"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting">
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929676"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting">
\HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services\LanmanServer\Parameters
@ -582,7 +581,7 @@ the server disables raw I/O and opportunistic locking for this connection.
Specifies the time that the server waits for a client to respond to an oplock break
request. Smaller values can allow detection of crashed clients more quickly but can
potentially cause loss of cached data.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2927959"></a>Persistent Data Corruption</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929755"></a>Persistent Data Corruption</h2></div></div><div></div></div><p>
If you have applied all of the settings discussed in this paper but data corruption problems
and other symptoms persist, here are some additional things to check out:
</p><p>
@ -593,10 +592,10 @@ rebuild the data files in question. This involves creating a new data file with
same definition as the file to be rebuilt and transferring the data from the old file
to the new one. There are several known methods for doing this that can be found in
our Knowledge Base.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2927989"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929785"></a>Common Errors</h2></div></div><div></div></div><p>
In some sites locking problems surface as soon as a server is installed, in other sites
locking problems may not surface for a long time. Almost without exeception, when a locking
problem does surface it will cause embarassment and potential data corruption.
locking problems may not surface for a long time. Almost without exception, when a locking
problem does surface it will cause embarrassment and potential data corruption.
</p><p>
Over the past few years there have been a number of complaints on the samba mailing lists
that have claimed that samba caused data corruption. Three causes have been identified
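Review bot: "There are several known methods for doing this that can be found in our Knowledge Base" has no referent in the Samba documentation, so a reader told to rebuild corrupted data files is pointed at a resource that is never named or linked. Either link a specific Samba resource that describes the rebuild, or drop the sentence and keep the description of the procedure that precedes it.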
@ -623,18 +622,18 @@ so far:
report on https://bugzilla.samba.org without delay. Make sure that you give as much
information as you possibly can to help isolate the cause and to allow reproduction
of the problem (an essential step in problem isolation and correction).
</p></li></ul></div><div xmlns:ns40="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928063"></a>locking.tdb error messages</h3></div></div><div></div></div><ns40:p>
</ns40:p><pre class="screen">
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929859"></a>locking.tdb error messages</h3></div></div><div></div></div><p>
</p><pre class="screen">
&gt; We are seeing lots of errors in the samba logs like:
&gt;
&gt; tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
&gt; 0x4d6f4b61 at offset=36116
&gt;
&gt; What do these mean?
</pre><ns40:p>
</ns40:p><p>
Corrupted tdb. Stop all instancesd of smbd, delete locking.tdb, restart smbd.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928093"></a>Additional Reading</h2></div></div><div></div></div><p>
</pre><p>
</p><p>
Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929890"></a>Additional Reading</h2></div></div><div></div></div><p>
You may want to check for an updated version of this white paper on our Web site from
time to time. Many of our white papers are updated as information changes. For those papers,
the Last Edited date is always at the top of the paper.
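Review bot: the answer under "locking.tdb error messages" is a fragment ("Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.") that does not say where the file is or that the order of the steps matters. The quoted log line already shows the file under var/locks, so the text could name the lock directory and present the three steps as a short numbered list, making clear that every smbd process is stopped before the file is removed.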

View File

@ -1,2 +1 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SambaHA.html" title="Chapter 29. High Availability Options"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3000689">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3000712">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3000766">Password Backend</a></dt></dl></dd><dt>31. 
<a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3000009">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3000033">Objectives</a></dt><dt><a href="NT4Migration.html#id2998961">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3001178">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001259">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3001500">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3001807">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3001657">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3002547">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3002659">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3002723">Global Settings</a></dt><dt><a href="SWAT.html#id3002828">Share Settings</a></dt><dt><a href="SWAT.html#id3002893">Printers Settings</a></dt><dt><a href="SWAT.html#id3002957">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3003005">The Status Page</a></dt><dt><a href="SWAT.html#id3003057">The View Page</a></dt><dt><a href="SWAT.html#id3003080">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. High Availability Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SambaHA.html" title="Chapter 29. High Availability Options"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></dd><dt>31. 
<a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. High Availability Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</td></tr></table></div></body></html>
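Review bot: the DOCTYPE declaration is dropped from the top of this page: the hunk header reads -1,2 +1 and the only line without a counterpart is the HTML 4.01 Transitional DOCTYPE, so the regenerated file starts directly at the html element. The next file's header (-1,7 +1,6) shows the same one-line loss. If this is a side effect of the stylesheet setup used for the rebuild rather than an intended change, restore the declaration through the stylesheet's doctype output settings so the pages keep validating and do not fall back to quirks-mode rendering.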

View File

@ -1,7 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships"><link rel="next" href="printing.html" title="Chapter 18. Classical Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="msdfs"></a>Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Shirish</span> <span class="surname">Kalele</span></h3><div class="affiliation"><span class="orgname">Samba Team &amp; Veritas Software<br></span><div class="address"><p><br>
<tt class="email">&lt;<a href="mailto:samba@samba.org">samba@samba.org</a>&gt;</tt><br>
</p></div></div></div></div><div><p class="pubdate">12 Jul 2000</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="msdfs.html#id2928926">Features and Benefits</a></dt><dt><a href="msdfs.html#id2930336">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928926"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div></div></div></div><div><p class="pubdate">12 Jul 2000</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="msdfs.html#id2933279">Features and Benefits</a></dt><dt><a href="msdfs.html#id2934931">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933279"></a>Features and Benefits</h2></div></div><div></div></div><p>
The Distributed File System (or DFS) provides a means of separating the logical
view of files and directories that users see from the actual physical locations
of these resources on the network. It allows for higher availability, smoother
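Review bot: The only difference between the removed and added lines here is the generated anchor ids in the table of contents and the "Features and Benefits" heading (id2928926 becomes id2933279, id2930336 becomes id2934931), so every regeneration silently breaks deep links such as msdfs.html#id2928926. Give the sections explicit ids in the DocBook source, as the chapter already has with name="msdfs", so the anchors stay stable, or keep generated HTML out of the tree so this churn does not hide real content changes.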
@ -53,7 +52,7 @@
network shares you want, and start Samba.</p><p>Users on DFS-aware clients can now browse the DFS tree
on the Samba server at \\samba\dfs. Accessing
links linka or linkb (which appear as directories to the client)
takes users directly to the appropriate shares on the network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930336"></a>Common Errors</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Windows clients need to be rebooted
takes users directly to the appropriate shares on the network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934931"></a>Common Errors</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Windows clients need to be rebooted
if a previously mounted non-dfs share is made a dfs
root or vice versa. A better way is to introduce a
new share and make it the dfs root.</p></li><li><p>Currently there's a restriction that msdfs

View File

@ -1,208 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Oplocks</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="General installation"
HREF="introduction.html"><LINK
REL="PREVIOUS"
TITLE="Improved browsing in samba"
HREF="improved-browsing.html"><LINK
REL="NEXT"
TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
HREF="browsing-quick.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="improved-browsing.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="browsing-quick.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="OPLOCKS"
></A
>Chapter 3. Oplocks</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN378"
></A
>3.1. What are oplocks?</H1
><P
>When a client opens a file it can request an "oplock" or file
lease. This is (to simplify a bit) a guarentee that no one else
has the file open simultaneously. It allows the client to not
send any updates on the file to the server, thus reducing a
network file access to local access (once the file is in
client cache). An "oplock break" is when the server sends
a request to the client to flush all its changes back to
the server, so the file is in a consistent state for other
opens to succeed. If a client fails to respond to this
asynchronous request then the file can be corrupted. Hence
the "turn off oplocks" answer if people are having multi-user
file access problems.</P
><P
>Unless the kernel is "oplock aware" (SGI IRIX and Linux are
the only two UNIXes that are at the moment) then if a local
UNIX process accesses the file simultaneously then Samba
has no way of telling this is occuring, so the guarentee
to the client is broken. This can corrupt the file. Short
answer - it you have UNIX clients accessing the same file
as smbd locally or via NFS and you're not running Linux or
IRIX then turn off oplocks for that file or share.</P
><P
>"Share modes". These are modes of opening a file, that
guarentee an invarient - such as DENY_WRITE - which means
that if any other opens are requested with write access after
this current open has succeeded then they should be denied
with a "sharing violation" error message. Samba handles these
internally inside smbd. UNIX clients accessing the same file
ignore these invarients. Just proving that if you need simultaneous
file access from a Windows and UNIX client you *must* have an
application that is written to lock records correctly on both
sides. Few applications are written like this, and even fewer
are cross platform (UNIX and Windows) so in practice this isn't
much of a problem.</P
><P
>"Locking". This really means "byte range locking" - such as
lock 10 bytes at file offset 24 for write access. This is the
area in which well written UNIX and Windows apps will cooperate.
Windows locks (at least from NT or above) are 64-bit unsigned
offsets. UNIX locks are either 31 bit or 63 bit and are signed
(the top bit is used for the sign). Samba handles these by
first ensuring that all the Windows locks don't conflict (ie.
if other Windows clients have competing locks then just reject
immediately) - this allows us to support 64-bit Windows locks
on 32-bit filesystems. Secondly any locks that are valid are
then mapped onto UNIX fcntl byte range locks. These are the
locks that will be seen by UNIX processes. If there is a conflict
here the lock is rejected.</P
><P
>Note that if a client has an oplock then it "knows" that no
other client can have the file open so usually doesn't bother
to send to lock request to the server - this means once again
if you need to share files between UNIX and Windows processes
either use IRIX or Linux, or turn off oplocks for these
files/shares.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="improved-browsing.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="browsing-quick.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Improved browsing in samba</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="introduction.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
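Review bot: This deletion removes the data-integrity guidance in section 3.1, and nothing in the hunk shows where it goes: the advice to turn off oplocks for files or shares that local UNIX processes or NFS also access unless the kernel is oplock aware, and the description of how 64-bit Windows byte-range locks are mapped onto UNIX fcntl locks. Confirm the regenerated set still carries that text before dropping this file, and if it is carried over, fix the source typos visible here ("guarentee", "invarient", "occuring", "it you have").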

File diff suppressed because one or more lines are too long

View File

@ -1,566 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Samba and other CIFS clients</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Appendixes"
HREF="appendixes.html"><LINK
REL="PREVIOUS"
TITLE="Portability"
HREF="portability.html"><LINK
REL="NEXT"
TITLE="Reporting Bugs"
HREF="bugreport.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="portability.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="bugreport.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="OTHER-CLIENTS">Chapter 24. Samba and other CIFS clients</H1
><P
>This chapter contains client-specific information.</P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3199">24.1. Macintosh clients?</H1
><P
>Yes. <A
HREF="http://www.thursby.com/"
TARGET="_top"
>Thursby</A
> now have a CIFS Client / Server called DAVE - see</P
><P
>They test it against Windows 95, Windows NT and samba for
compatibility issues. At the time of writing, DAVE was at version
1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
the Thursby web site (the speed of finder copies has been greatly
enhanced, and there are bug-fixes included).</P
><P
>
Alternatives - There are two free implementations of AppleTalk for
several kinds of UNIX machnes, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
the Macintosh. The two free omplementations are
<A
HREF="http://www.umich.edu/~rsug/netatalk/"
TARGET="_top"
>Netatalk</A
>, and
<A
HREF="http://www.cs.mu.oz.au/appletalk/atalk.html"
TARGET="_top"
>CAP</A
>.
What Samba offers MS
Windows users, these packages offer to Macs. For more info on these
packages, Samba, and Linux (and other UNIX-based systems) see
<A
HREF="http://www.eats.com/linux_mac_win.html"
TARGET="_top"
>http://www.eats.com/linux_mac_win.html</A
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3208">24.2. OS2 Client</H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3210">24.2.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</H2
><P
>A more complete answer to this question can be
found on <A
HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html"
TARGET="_top"
> http://carol.wins.uva.nl/~leeuw/samba/warp.html</A
>.</P
><P
>Basically, you need three components:</P
><P
></P
><UL
><LI
><P
>The File and Print Client ('IBM Peer')
</P
></LI
><LI
><P
>TCP/IP ('Internet support')
</P
></LI
><LI
><P
>The "NetBIOS over TCP/IP" driver ('TCPBEUI')
</P
></LI
></UL
><P
>Installing the first two together with the base operating
system on a blank system is explained in the Warp manual. If Warp
has already been installed, but you now want to install the
networking support, use the "Selective Install for Networking"
object in the "System Setup" folder.</P
><P
>Adding the "NetBIOS over TCP/IP" driver is not described
in the manual and just barely in the online documentation. Start
MPTS.EXE, click on OK, click on "Configure LAPS" and click
on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
is then moved to 'Current Configuration'. Select that line,
click on "Change number" and increase it from 0 to 1. Save this
configuration.</P
><P
>If the Samba server(s) is not on your local subnet, you
can optionally add IP names and addresses of these servers
to the "Names List", or specify a WINS server ('NetBIOS
Nameserver' in IBM and RFC terminology). For Warp Connect you
may need to download an update for 'IBM Peer' to bring it on
the same level as Warp 4. See the webpage mentioned above.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3225">24.2.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</H2
><P
>You can use the free Microsoft LAN Manager 2.2c Client
for OS/2 from
<A
HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
TARGET="_top"
> ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A
>.
See <A
HREF="http://carol.wins.uva.nl/~leeuw/lanman.html"
TARGET="_top"
> http://carol.wins.uva.nl/~leeuw/lanman.html</A
> for
more information on how to install and use this client. In
a nutshell, edit the file \OS2VER in the root directory of
the OS/2 boot partition and add the lines:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> 20=setup.exe
20=netwksta.sys
20=netvdd.sys
</PRE
></P
><P
>before you install the client. Also, don't use the
included NE2000 driver because it is buggy. Try the NE2000
or NS2000 driver from
<A
HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/"
TARGET="_top"
> ftp://ftp.cdrom.com/pub/os2/network/ndis/</A
> instead.
</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3234">24.2.3. Are there any other issues when OS/2 (any version)
is used as a client?</H2
><P
>When you do a NET VIEW or use the "File and Print
Client Resource Browser", no Samba servers show up. This can
be fixed by a patch from <A
HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html"
TARGET="_top"
> http://carol.wins.uva.nl/~leeuw/samba/fix.html</A
>.
The patch will be included in a later version of Samba. It also
fixes a couple of other problems, such as preserving long
filenames when objects are dragged from the Workplace Shell
to the Samba server. </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3238">24.2.4. How do I get printer driver download working
for OS/2 clients?</H2
><P
>First, create a share called [PRINTDRV] that is
world-readable. Copy your OS/2 driver files there. Note
that the .EA_ files must still be separate, so you will need
to use the original install files, and not copy an installed
driver from an OS/2 system.</P
><P
>Install the NT driver first for that printer. Then,
add to your smb.conf a parameter, os2 driver map =
<TT
CLASS="REPLACEABLE"
><I
>filename</I
></TT
>". Then, in the file
specified by <TT
CLASS="REPLACEABLE"
><I
>filename</I
></TT
>, map the
name of the NT driver name to the OS/2 driver name as
follows:</P
><P
><B
CLASS="COMMAND"
>nt driver name = os2 "driver
name"."device name"</B
>, e.g.:
HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
><P
>You can have multiple drivers mapped in this file.</P
><P
>If you only specify the OS/2 driver name, and not the
device name, the first attempt to download the driver will
actually download the files, but the OS/2 client will tell
you the driver is not available. On the second attempt, it
will work. This is fixed simply by adding the device name
to the mapping, after which it will work on the first attempt.
</P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3248">24.3. Windows for Workgroups</H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3250">24.3.1. Use latest TCP/IP stack from Microsoft</H2
><P
>Use the latest TCP/IP stack from microsoft if you use Windows
for workgroups.</P
><P
>The early TCP/IP stacks had lots of bugs.</P
><P
>
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
VxD drivers. The latest release can be found on their ftp site at
ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe.
There is an update.txt file there that describes the problems that were
fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386,
WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3255">24.3.2. Delete .pwl files after password change</H2
><P
>WfWg does a lousy job with passwords. I find that if I change my
password on either the unix box or the PC the safest thing to do is to
delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.</P
><P
>
If you don't do this you may find that WfWg remembers and uses the old
password, even if you told it a new one.</P
><P
>
Often WfWg will totally ignore a password you give it in a dialog box.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3260">24.3.3. Configure WfW password handling</H2
><P
>There is a program call admincfg.exe
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon
for it via the "Progam Manager" "New" Menu. This program allows you
to control how WFW handles passwords. ie disable Password Caching etc
for use with <B
CLASS="COMMAND"
>security = user</B
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN3264">24.3.4. Case handling of passwords</H2
><P
>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <A
HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)</A
> information on <B
CLASS="COMMAND"
>password level</B
> to specify what characters samba should try to uppercase when checking.</P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3269">24.4. Windows '95/'98</H1
><P
>When using Windows 95 OEM SR2 the following updates are recommended where Samba
is being used. Please NOTE that the above change will affect you once these
updates have been installed.</P
><P
>
There are more updates than the ones mentioned here. You are referred to the
Microsoft Web site for all currently available updates to your specific version
of Windows 95.</P
><P
></P
><OL
TYPE="1"
><LI
><P
>Kernel Update: KRNLUPD.EXE</P
></LI
><LI
><P
>Ping Fix: PINGUPD.EXE</P
></LI
><LI
><P
>RPC Update: RPCRTUPD.EXE</P
></LI
><LI
><P
>TCP/IP Update: VIPUPD.EXE</P
></LI
><LI
><P
>Redirector Update: VRDRUPD.EXE</P
></LI
></OL
><P
>Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This
fix may stop your machine from hanging for an extended period when exiting
OutLook and you may also notice a significant speedup when accessing network
neighborhood services.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3285">24.5. Windows 2000 Service Pack 2</H1
><P
>
There are several annoyances with Windows 2000 SP2. One of which
only appears when using a Samba server to host user profiles
to Windows 2000 SP2 clients in a Windows domain. This assumes
that Samba is a member of the domain, but the problem will
likely occur if it is not.</P
><P
>
In order to server profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have
<B
CLASS="COMMAND"
>nt acl support = no</B
>
added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc...). See the
<A
HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)</A
> man page
for more details on this option. Also note that the
<B
CLASS="COMMAND"
>nt acl support</B
> parameter was formally a global parameter in
releases prior to Samba 2.2.2.</P
><P
>
The following is a minimal profile share:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> [profile]
path = /export/profile
create mask = 0600
directory mask = 0700
nt acl support = no
read only = no</PRE
></P
><P
>The reason for this bug is that the Win2k SP2 client copies
the security descriptor for the profile which contains
the Samba server's SID, and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different that the one assigned to DOMAIN\user. Hence the reason
for the "access denied" message.</P
><P
>By disabling the <B
CLASS="COMMAND"
>nt acl support</B
> parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes </P
><P
><B
CLASS="COMMAND"
>DOMAIN\user "Full Control"</B
></P
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>NOTE : This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</I
></SPAN
></P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="portability.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="bugreport.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Portability</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="appendixes.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Reporting Bugs</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
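Review bot: Section 24.5 of this deleted chapter documents the nt acl support = no workaround for the roaming-profile share together with its restrictive masks (create mask = 0600, directory mask = 0700) and the SID-mismatch explanation, and sections 24.3.2 to 24.3.4 hold the WfWg password caching and password level advice; check that both survive in the regenerated documentation, because without them an admin has no record of why NT ACL support is disabled on that share. If the text is carried over, the source also needs the fixes that show up here: the stray closing quote after os2 driver map = filename, "formally a global parameter" for "formerly", the dangling "see" at the end of the DAVE sentence, and the A NAME anchors in the headings that are never closed.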

View File

@ -1,917 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Optional configuration</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="PREVIOUS"
TITLE="Samba as a NT4 domain member"
HREF="domain-security.html"><LINK
REL="NEXT"
TITLE="Integrating MS Windows networks with Samba"
HREF="integrate-ms-networks.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="domain-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="integrate-ms-networks.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="PART"
><A
NAME="AEN1346"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
>III. Optional configuration</H1
><DIV
CLASS="PARTINTRO"
><A
NAME="AEN1348"
></A
><H1
>Introduction</H1
><P
>Samba has several features that you might want or might not want to use. The chapters in this
part each cover one specific feature.</P
></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>10. <A
HREF="integrate-ms-networks.html"
>Integrating MS Windows networks with Samba</A
></DT
><DD
><DL
><DT
>10.1. <A
HREF="integrate-ms-networks.html#AEN1362"
>Agenda</A
></DT
><DT
>10.2. <A
HREF="integrate-ms-networks.html#AEN1384"
>Name Resolution in a pure Unix/Linux world</A
></DT
><DD
><DL
><DT
>10.2.1. <A
HREF="integrate-ms-networks.html#AEN1400"
><TT
CLASS="FILENAME"
>/etc/hosts</TT
></A
></DT
><DT
>10.2.2. <A
HREF="integrate-ms-networks.html#AEN1416"
><TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
></A
></DT
><DT
>10.2.3. <A
HREF="integrate-ms-networks.html#AEN1427"
><TT
CLASS="FILENAME"
>/etc/host.conf</TT
></A
></DT
><DT
>10.2.4. <A
HREF="integrate-ms-networks.html#AEN1435"
><TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
></A
></DT
></DL
></DD
><DT
>10.3. <A
HREF="integrate-ms-networks.html#AEN1447"
>Name resolution as used within MS Windows networking</A
></DT
><DD
><DL
><DT
>10.3.1. <A
HREF="integrate-ms-networks.html#AEN1459"
>The NetBIOS Name Cache</A
></DT
><DT
>10.3.2. <A
HREF="integrate-ms-networks.html#AEN1464"
>The LMHOSTS file</A
></DT
><DT
>10.3.3. <A
HREF="integrate-ms-networks.html#AEN1472"
>HOSTS file</A
></DT
><DT
>10.3.4. <A
HREF="integrate-ms-networks.html#AEN1477"
>DNS Lookup</A
></DT
><DT
>10.3.5. <A
HREF="integrate-ms-networks.html#AEN1480"
>WINS Lookup</A
></DT
></DL
></DD
><DT
>10.4. <A
HREF="integrate-ms-networks.html#AEN1492"
>How browsing functions and how to deploy stable and
dependable browsing using Samba</A
></DT
><DT
>10.5. <A
HREF="integrate-ms-networks.html#AEN1502"
>MS Windows security options and how to configure
Samba for seemless integration</A
></DT
><DD
><DL
><DT
>10.5.1. <A
HREF="integrate-ms-networks.html#AEN1530"
>Use MS Windows NT as an authentication server</A
></DT
><DT
>10.5.2. <A
HREF="integrate-ms-networks.html#AEN1538"
>Make Samba a member of an MS Windows NT security domain</A
></DT
><DT
>10.5.3. <A
HREF="integrate-ms-networks.html#AEN1555"
>Configure Samba as an authentication server</A
></DT
></DL
></DD
><DT
>10.6. <A
HREF="integrate-ms-networks.html#AEN1572"
>Conclusions</A
></DT
></DL
></DD
><DT
>11. <A
HREF="unix-permissions.html"
>UNIX Permission Bits and Windows NT Access Control Lists</A
></DT
><DD
><DL
><DT
>11.1. <A
HREF="unix-permissions.html#AEN1593"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>11.2. <A
HREF="unix-permissions.html#AEN1602"
>How to view file security on a Samba share</A
></DT
><DT
>11.3. <A
HREF="unix-permissions.html#AEN1613"
>Viewing file ownership</A
></DT
><DT
>11.4. <A
HREF="unix-permissions.html#AEN1633"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>11.4.1. <A
HREF="unix-permissions.html#AEN1648"
>File Permissions</A
></DT
><DT
>11.4.2. <A
HREF="unix-permissions.html#AEN1662"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>11.5. <A
HREF="unix-permissions.html#AEN1669"
>Modifying file or directory permissions</A
></DT
><DT
>11.6. <A
HREF="unix-permissions.html#AEN1691"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>11.7. <A
HREF="unix-permissions.html#AEN1755"
>Interaction with the standard Samba file attribute
mapping</A
></DT
></DL
></DD
><DT
>12. <A
HREF="pam.html"
>Configuring PAM for distributed but centrally
managed authentication</A
></DT
><DD
><DL
><DT
>12.1. <A
HREF="pam.html#AEN1776"
>Samba and PAM</A
></DT
><DT
>12.2. <A
HREF="pam.html#AEN1820"
>Distributed Authentication</A
></DT
><DT
>12.3. <A
HREF="pam.html#AEN1827"
>PAM Configuration in smb.conf</A
></DT
></DL
></DD
><DT
>13. <A
HREF="msdfs.html"
>Hosting a Microsoft Distributed File System tree on Samba</A
></DT
><DD
><DL
><DT
>13.1. <A
HREF="msdfs.html#AEN1847"
>Instructions</A
></DT
><DD
><DL
><DT
>13.1.1. <A
HREF="msdfs.html#AEN1882"
>Notes</A
></DT
></DL
></DD
></DL
></DD
><DT
>14. <A
HREF="printing.html"
>Printing Support</A
></DT
><DD
><DL
><DT
>14.1. <A
HREF="printing.html#AEN1908"
>Introduction</A
></DT
><DT
>14.2. <A
HREF="printing.html#AEN1930"
>Configuration</A
></DT
><DD
><DL
><DT
>14.2.1. <A
HREF="printing.html#AEN1938"
>Creating [print$]</A
></DT
><DT
>14.2.2. <A
HREF="printing.html#AEN1973"
>Setting Drivers for Existing Printers</A
></DT
><DT
>14.2.3. <A
HREF="printing.html#AEN1989"
>Support a large number of printers</A
></DT
><DT
>14.2.4. <A
HREF="printing.html#AEN2000"
>Adding New Printers via the Windows NT APW</A
></DT
><DT
>14.2.5. <A
HREF="printing.html#AEN2030"
>Samba and Printer Ports</A
></DT
></DL
></DD
><DT
>14.3. <A
HREF="printing.html#AEN2038"
>The Imprints Toolset</A
></DT
><DD
><DL
><DT
>14.3.1. <A
HREF="printing.html#AEN2042"
>What is Imprints?</A
></DT
><DT
>14.3.2. <A
HREF="printing.html#AEN2052"
>Creating Printer Driver Packages</A
></DT
><DT
>14.3.3. <A
HREF="printing.html#AEN2055"
>The Imprints server</A
></DT
><DT
>14.3.4. <A
HREF="printing.html#AEN2059"
>The Installation Client</A
></DT
></DL
></DD
><DT
>14.4. <A
HREF="printing.html#AEN2081"
>Diagnosis</A
></DT
><DD
><DL
><DT
>14.4.1. <A
HREF="printing.html#AEN2083"
>Introduction</A
></DT
><DT
>14.4.2. <A
HREF="printing.html#AEN2099"
>Debugging printer problems</A
></DT
><DT
>14.4.3. <A
HREF="printing.html#AEN2108"
>What printers do I have?</A
></DT
><DT
>14.4.4. <A
HREF="printing.html#AEN2116"
>Setting up printcap and print servers</A
></DT
><DT
>14.4.5. <A
HREF="printing.html#AEN2144"
>Job sent, no output</A
></DT
><DT
>14.4.6. <A
HREF="printing.html#AEN2155"
>Job sent, strange output</A
></DT
><DT
>14.4.7. <A
HREF="printing.html#AEN2167"
>Raw PostScript printed</A
></DT
><DT
>14.4.8. <A
HREF="printing.html#AEN2170"
>Advanced Printing</A
></DT
><DT
>14.4.9. <A
HREF="printing.html#AEN2173"
>Real debugging</A
></DT
></DL
></DD
></DL
></DD
><DT
>15. <A
HREF="securitylevels.html"
>Security levels</A
></DT
><DD
><DL
><DT
>15.1. <A
HREF="securitylevels.html#AEN2186"
>Introduction</A
></DT
><DT
>15.2. <A
HREF="securitylevels.html#AEN2197"
>More complete description of security levels</A
></DT
></DL
></DD
><DT
>16. <A
HREF="winbind.html"
>Unified Logons between Windows NT and UNIX using Winbind</A
></DT
><DD
><DL
><DT
>16.1. <A
HREF="winbind.html#AEN2249"
>Abstract</A
></DT
><DT
>16.2. <A
HREF="winbind.html#AEN2253"
>Introduction</A
></DT
><DT
>16.3. <A
HREF="winbind.html#AEN2266"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>16.3.1. <A
HREF="winbind.html#AEN2273"
>Target Uses</A
></DT
></DL
></DD
><DT
>16.4. <A
HREF="winbind.html#AEN2277"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>16.4.1. <A
HREF="winbind.html#AEN2282"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>16.4.2. <A
HREF="winbind.html#AEN2286"
>Name Service Switch</A
></DT
><DT
>16.4.3. <A
HREF="winbind.html#AEN2302"
>Pluggable Authentication Modules</A
></DT
><DT
>16.4.4. <A
HREF="winbind.html#AEN2310"
>User and Group ID Allocation</A
></DT
><DT
>16.4.5. <A
HREF="winbind.html#AEN2314"
>Result Caching</A
></DT
></DL
></DD
><DT
>16.5. <A
HREF="winbind.html#AEN2317"
>Installation and Configuration</A
></DT
><DD
><DL
><DT
>16.5.1. <A
HREF="winbind.html#AEN2324"
>Introduction</A
></DT
><DT
>16.5.2. <A
HREF="winbind.html#AEN2337"
>Requirements</A
></DT
><DT
>16.5.3. <A
HREF="winbind.html#AEN2351"
>Testing Things Out</A
></DT
></DL
></DD
><DT
>16.6. <A
HREF="winbind.html#AEN2566"
>Limitations</A
></DT
><DT
>16.7. <A
HREF="winbind.html#AEN2576"
>Conclusion</A
></DT
></DL
></DD
><DT
>17. <A
HREF="pdb-mysql.html"
>Passdb MySQL plugin</A
></DT
><DD
><DL
><DT
>17.1. <A
HREF="pdb-mysql.html#AEN2590"
>Building</A
></DT
><DT
>17.2. <A
HREF="pdb-mysql.html#AEN2596"
>Configuring</A
></DT
><DT
>17.3. <A
HREF="pdb-mysql.html#AEN2611"
>Using plaintext passwords or encrypted password</A
></DT
><DT
>17.4. <A
HREF="pdb-mysql.html#AEN2616"
>Getting non-column data from the table</A
></DT
></DL
></DD
><DT
>18. <A
HREF="pdb-xml.html"
>Passdb XML plugin</A
></DT
><DD
><DL
><DT
>18.1. <A
HREF="pdb-xml.html#AEN2635"
>Building</A
></DT
><DT
>18.2. <A
HREF="pdb-xml.html#AEN2641"
>Usage</A
></DT
></DL
></DD
><DT
>19. <A
HREF="samba-ldap-howto.html"
>Storing Samba's User/Machine Account information in an LDAP Directory</A
></DT
><DD
><DL
><DT
>19.1. <A
HREF="samba-ldap-howto.html#AEN2664"
>Purpose</A
></DT
><DT
>19.2. <A
HREF="samba-ldap-howto.html#AEN2684"
>Introduction</A
></DT
><DT
>19.3. <A
HREF="samba-ldap-howto.html#AEN2713"
>Supported LDAP Servers</A
></DT
><DT
>19.4. <A
HREF="samba-ldap-howto.html#AEN2718"
>Schema and Relationship to the RFC 2307 posixAccount</A
></DT
><DT
>19.5. <A
HREF="samba-ldap-howto.html#AEN2730"
>Configuring Samba with LDAP</A
></DT
><DD
><DL
><DT
>19.5.1. <A
HREF="samba-ldap-howto.html#AEN2732"
>OpenLDAP configuration</A
></DT
><DT
>19.5.2. <A
HREF="samba-ldap-howto.html#AEN2749"
>Configuring Samba</A
></DT
></DL
></DD
><DT
>19.6. <A
HREF="samba-ldap-howto.html#AEN2777"
>Accounts and Groups management</A
></DT
><DT
>19.7. <A
HREF="samba-ldap-howto.html#AEN2782"
>Security and sambaAccount</A
></DT
><DT
>19.8. <A
HREF="samba-ldap-howto.html#AEN2802"
>LDAP specials attributes for sambaAccounts</A
></DT
><DT
>19.9. <A
HREF="samba-ldap-howto.html#AEN2872"
>Example LDIF Entries for a sambaAccount</A
></DT
><DT
>19.10. <A
HREF="samba-ldap-howto.html#AEN2880"
>Comments</A
></DT
></DL
></DD
><DT
>20. <A
HREF="cvs-access.html"
>HOWTO Access Samba source code via CVS</A
></DT
><DD
><DL
><DT
>20.1. <A
HREF="cvs-access.html#AEN2891"
>Introduction</A
></DT
><DT
>20.2. <A
HREF="cvs-access.html#AEN2896"
>CVS Access to samba.org</A
></DT
><DD
><DL
><DT
>20.2.1. <A
HREF="cvs-access.html#AEN2899"
>Access via CVSweb</A
></DT
><DT
>20.2.2. <A
HREF="cvs-access.html#AEN2904"
>Access via cvs</A
></DT
></DL
></DD
></DL
></DD
><DT
>21. <A
HREF="groupmapping.html"
>Group mapping HOWTO</A
></DT
><DT
>22. <A
HREF="speed.html"
>Samba performance issues</A
></DT
><DD
><DL
><DT
>22.1. <A
HREF="speed.html#AEN2982"
>Comparisons</A
></DT
><DT
>22.2. <A
HREF="speed.html#AEN2988"
>Oplocks</A
></DT
><DD
><DL
><DT
>22.2.1. <A
HREF="speed.html#AEN2990"
>Overview</A
></DT
><DT
>22.2.2. <A
HREF="speed.html#AEN2998"
>Level2 Oplocks</A
></DT
><DT
>22.2.3. <A
HREF="speed.html#AEN3004"
>Old 'fake oplocks' option - deprecated</A
></DT
></DL
></DD
><DT
>22.3. <A
HREF="speed.html#AEN3008"
>Socket options</A
></DT
><DT
>22.4. <A
HREF="speed.html#AEN3015"
>Read size</A
></DT
><DT
>22.5. <A
HREF="speed.html#AEN3020"
>Max xmit</A
></DT
><DT
>22.6. <A
HREF="speed.html#AEN3025"
>Locking</A
></DT
><DT
>22.7. <A
HREF="speed.html#AEN3029"
>Share modes</A
></DT
><DT
>22.8. <A
HREF="speed.html#AEN3034"
>Log level</A
></DT
><DT
>22.9. <A
HREF="speed.html#AEN3037"
>Wide lines</A
></DT
><DT
>22.10. <A
HREF="speed.html#AEN3040"
>Read raw</A
></DT
><DT
>22.11. <A
HREF="speed.html#AEN3045"
>Write raw</A
></DT
><DT
>22.12. <A
HREF="speed.html#AEN3049"
>Read prediction</A
></DT
><DT
>22.13. <A
HREF="speed.html#AEN3056"
>Memory mapping</A
></DT
><DT
>22.14. <A
HREF="speed.html#AEN3061"
>Slow Clients</A
></DT
><DT
>22.15. <A
HREF="speed.html#AEN3065"
>Slow Logins</A
></DT
><DT
>22.16. <A
HREF="speed.html#AEN3068"
>Client tuning</A
></DT
><DT
>22.17. <A
HREF="speed.html#AEN3100"
>My Results</A
></DT
></DL
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="domain-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="integrate-ms-networks.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Samba as a NT4 domain member</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Integrating MS Windows networks with Samba</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

View File

@ -1,438 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>General installation</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="PREVIOUS"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="NEXT"
TITLE="How to Install and Test SAMBA"
HREF="install.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="install.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="PART"
><A
NAME="AEN18"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
>I. General installation</H1
><DIV
CLASS="PARTINTRO"
><A
NAME="AEN20"
></A
><H1
>Introduction</H1
><P
>This part contains general info on how to install samba
and how to configure the parts of samba you will most likely need.
PLEASE read this.</P
></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="install.html"
>How to Install and Test SAMBA</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="install.html#AEN25"
>Read the man pages</A
></DT
><DT
>1.2. <A
HREF="install.html#AEN35"
>Building the Binaries</A
></DT
><DT
>1.3. <A
HREF="install.html#AEN63"
>The all important step</A
></DT
><DT
>1.4. <A
HREF="install.html#AEN67"
>Create the smb configuration file.</A
></DT
><DT
>1.5. <A
HREF="install.html#AEN81"
>Test your config file with
<B
CLASS="COMMAND"
>testparm</B
></A
></DT
><DT
>1.6. <A
HREF="install.html#AEN89"
>Starting the smbd and nmbd</A
></DT
><DD
><DL
><DT
>1.6.1. <A
HREF="install.html#AEN99"
>Starting from inetd.conf</A
></DT
><DT
>1.6.2. <A
HREF="install.html#AEN128"
>Alternative: starting it as a daemon</A
></DT
></DL
></DD
><DT
>1.7. <A
HREF="install.html#AEN144"
>Try listing the shares available on your
server</A
></DT
><DT
>1.8. <A
HREF="install.html#AEN153"
>Try connecting with the unix client</A
></DT
><DT
>1.9. <A
HREF="install.html#AEN169"
>Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></DT
><DT
>1.10. <A
HREF="install.html#AEN183"
>What If Things Don't Work?</A
></DT
><DD
><DL
><DT
>1.10.1. <A
HREF="install.html#AEN188"
>Diagnosing Problems</A
></DT
><DT
>1.10.2. <A
HREF="install.html#AEN192"
>Scope IDs</A
></DT
><DT
>1.10.3. <A
HREF="install.html#AEN195"
>Choosing the Protocol Level</A
></DT
><DT
>1.10.4. <A
HREF="install.html#AEN204"
>Printing from UNIX to a Client PC</A
></DT
><DT
>1.10.5. <A
HREF="install.html#AEN209"
>Locking</A
></DT
><DT
>1.10.6. <A
HREF="install.html#AEN218"
>Mapping Usernames</A
></DT
></DL
></DD
></DL
></DD
><DT
>2. <A
HREF="improved-browsing.html"
>Improved browsing in samba</A
></DT
><DD
><DL
><DT
>2.1. <A
HREF="improved-browsing.html#AEN228"
>Overview of browsing</A
></DT
><DT
>2.2. <A
HREF="improved-browsing.html#AEN232"
>Browsing support in samba</A
></DT
><DT
>2.3. <A
HREF="improved-browsing.html#AEN241"
>Problem resolution</A
></DT
><DT
>2.4. <A
HREF="improved-browsing.html#AEN248"
>Browsing across subnets</A
></DT
><DD
><DL
><DT
>2.4.1. <A
HREF="improved-browsing.html#AEN253"
>How does cross subnet browsing work ?</A
></DT
></DL
></DD
><DT
>2.5. <A
HREF="improved-browsing.html#AEN288"
>Setting up a WINS server</A
></DT
><DT
>2.6. <A
HREF="improved-browsing.html#AEN307"
>Setting up Browsing in a WORKGROUP</A
></DT
><DT
>2.7. <A
HREF="improved-browsing.html#AEN325"
>Setting up Browsing in a DOMAIN</A
></DT
><DT
>2.8. <A
HREF="improved-browsing.html#AEN335"
>Forcing samba to be the master</A
></DT
><DT
>2.9. <A
HREF="improved-browsing.html#AEN344"
>Making samba the domain master</A
></DT
><DT
>2.10. <A
HREF="improved-browsing.html#AEN362"
>Note about broadcast addresses</A
></DT
><DT
>2.11. <A
HREF="improved-browsing.html#AEN365"
>Multiple interfaces</A
></DT
></DL
></DD
><DT
>3. <A
HREF="oplocks.html"
>Oplocks</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="oplocks.html#AEN377"
>What are oplocks?</A
></DT
></DL
></DD
><DT
>4. <A
HREF="browsing-quick.html"
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="browsing-quick.html#AEN392"
>Discussion</A
></DT
><DT
>4.2. <A
HREF="browsing-quick.html#AEN400"
>Use of the "Remote Announce" parameter</A
></DT
><DT
>4.3. <A
HREF="browsing-quick.html#AEN414"
>Use of the "Remote Browse Sync" parameter</A
></DT
><DT
>4.4. <A
HREF="browsing-quick.html#AEN419"
>Use of WINS</A
></DT
><DT
>4.5. <A
HREF="browsing-quick.html#AEN430"
>Do NOT use more than one (1) protocol on MS Windows machines</A
></DT
><DT
>4.6. <A
HREF="browsing-quick.html#AEN436"
>Name Resolution Order</A
></DT
></DL
></DD
><DT
>5. <A
HREF="pwencrypt.html"
>LanMan and NT Password Encryption in Samba</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="pwencrypt.html#AEN472"
>Introduction</A
></DT
><DT
>5.2. <A
HREF="pwencrypt.html#AEN477"
>Important Notes About Security</A
></DT
><DD
><DL
><DT
>5.2.1. <A
HREF="pwencrypt.html#AEN496"
>Advantages of SMB Encryption</A
></DT
><DT
>5.2.2. <A
HREF="pwencrypt.html#AEN503"
>Advantages of non-encrypted passwords</A
></DT
></DL
></DD
><DT
>5.3. <A
HREF="pwencrypt.html#AEN512"
>The smbpasswd Command</A
></DT
></DL
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="install.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>SAMBA Project Documentation</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>How to Install and Test SAMBA</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

View File

@ -1,391 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Appendixes</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="PREVIOUS"
TITLE="Samba performance issues"
HREF="speed.html"><LINK
REL="NEXT"
TITLE="Portability"
HREF="portability.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="speed.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="portability.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="PART"
><A
NAME="AEN3106"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
>IV. Appendixes</H1
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>23. <A
HREF="portability.html"
>Portability</A
></DT
><DD
><DL
><DT
>23.1. <A
HREF="portability.html#AEN3115"
>HPUX</A
></DT
><DT
>23.2. <A
HREF="portability.html#AEN3121"
>SCO Unix</A
></DT
><DT
>23.3. <A
HREF="portability.html#AEN3125"
>DNIX</A
></DT
><DT
>23.4. <A
HREF="portability.html#AEN3154"
>RedHat Linux Rembrandt-II</A
></DT
></DL
></DD
><DT
>24. <A
HREF="other-clients.html"
>Samba and other CIFS clients</A
></DT
><DD
><DL
><DT
>24.1. <A
HREF="other-clients.html#AEN3175"
>Macintosh clients?</A
></DT
><DT
>24.2. <A
HREF="other-clients.html#AEN3184"
>OS2 Client</A
></DT
><DD
><DL
><DT
>24.2.1. <A
HREF="other-clients.html#AEN3186"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>24.2.2. <A
HREF="other-clients.html#AEN3201"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>24.2.3. <A
HREF="other-clients.html#AEN3210"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>24.2.4. <A
HREF="other-clients.html#AEN3214"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
></DL
></DD
><DT
>24.3. <A
HREF="other-clients.html#AEN3224"
>Windows for Workgroups</A
></DT
><DD
><DL
><DT
>24.3.1. <A
HREF="other-clients.html#AEN3226"
>Use latest TCP/IP stack from Microsoft</A
></DT
><DT
>24.3.2. <A
HREF="other-clients.html#AEN3231"
>Delete .pwl files after password change</A
></DT
><DT
>24.3.3. <A
HREF="other-clients.html#AEN3236"
>Configure WfW password handling</A
></DT
><DT
>24.3.4. <A
HREF="other-clients.html#AEN3240"
>Case handling of passwords</A
></DT
></DL
></DD
><DT
>24.4. <A
HREF="other-clients.html#AEN3245"
>Windows '95/'98</A
></DT
><DT
>24.5. <A
HREF="other-clients.html#AEN3261"
>Windows 2000 Service Pack 2</A
></DT
></DL
></DD
><DT
>25. <A
HREF="bugreport.html"
>Reporting Bugs</A
></DT
><DD
><DL
><DT
>25.1. <A
HREF="bugreport.html#AEN3285"
>Introduction</A
></DT
><DT
>25.2. <A
HREF="bugreport.html#AEN3295"
>General info</A
></DT
><DT
>25.3. <A
HREF="bugreport.html#AEN3301"
>Debug levels</A
></DT
><DT
>25.4. <A
HREF="bugreport.html#AEN3318"
>Internal errors</A
></DT
><DT
>25.5. <A
HREF="bugreport.html#AEN3328"
>Attaching to a running process</A
></DT
><DT
>25.6. <A
HREF="bugreport.html#AEN3331"
>Patches</A
></DT
></DL
></DD
><DT
>26. <A
HREF="diagnosis.html"
>Diagnosing your samba server</A
></DT
><DD
><DL
><DT
>26.1. <A
HREF="diagnosis.html#AEN3354"
>Introduction</A
></DT
><DT
>26.2. <A
HREF="diagnosis.html#AEN3359"
>Assumptions</A
></DT
><DT
>26.3. <A
HREF="diagnosis.html#AEN3369"
>Tests</A
></DT
><DD
><DL
><DT
>26.3.1. <A
HREF="diagnosis.html#AEN3371"
>Test 1</A
></DT
><DT
>26.3.2. <A
HREF="diagnosis.html#AEN3377"
>Test 2</A
></DT
><DT
>26.3.3. <A
HREF="diagnosis.html#AEN3383"
>Test 3</A
></DT
><DT
>26.3.4. <A
HREF="diagnosis.html#AEN3398"
>Test 4</A
></DT
><DT
>26.3.5. <A
HREF="diagnosis.html#AEN3403"
>Test 5</A
></DT
><DT
>26.3.6. <A
HREF="diagnosis.html#AEN3409"
>Test 6</A
></DT
><DT
>26.3.7. <A
HREF="diagnosis.html#AEN3417"
>Test 7</A
></DT
><DT
>26.3.8. <A
HREF="diagnosis.html#AEN3443"
>Test 8</A
></DT
><DT
>26.3.9. <A
HREF="diagnosis.html#AEN3460"
>Test 9</A
></DT
><DT
>26.3.10. <A
HREF="diagnosis.html#AEN3468"
>Test 10</A
></DT
><DT
>26.3.11. <A
HREF="diagnosis.html#AEN3474"
>Test 11</A
></DT
></DL
></DD
><DT
>26.4. <A
HREF="diagnosis.html#AEN3479"
>Still having troubles?</A
></DT
></DL
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="speed.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="portability.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Samba performance issues</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Portability</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

View File

@ -1,388 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Type of installation</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="PREVIOUS"
TITLE="LanMan and NT Password Encryption in Samba"
HREF="pwencrypt.html"><LINK
REL="NEXT"
TITLE="How to Configure Samba as a NT4 Primary Domain Controller"
HREF="samba-pdc.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="pwencrypt.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="samba-pdc.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="PART"
><A
NAME="AEN544"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
>II. Type of installation</H1
><DIV
CLASS="PARTINTRO"
><A
NAME="AEN546"
></A
><H1
>Introduction</H1
><P
>This part contains information on using samba in a (NT 4 or ADS) domain.
If you wish to run samba as a domain member or DC, read the appropriate chapter in
this part.</P
></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>6. <A
HREF="samba-pdc.html"
>How to Configure Samba as a NT4 Primary Domain Controller</A
></DT
><DD
><DL
><DT
>6.1. <A
HREF="samba-pdc.html#AEN566"
>Prerequisite Reading</A
></DT
><DT
>6.2. <A
HREF="samba-pdc.html#AEN572"
>Background</A
></DT
><DT
>6.3. <A
HREF="samba-pdc.html#AEN611"
>Configuring the Samba Domain Controller</A
></DT
><DT
>6.4. <A
HREF="samba-pdc.html#AEN654"
>Creating Machine Trust Accounts and Joining Clients to the
Domain</A
></DT
><DD
><DL
><DT
>6.4.1. <A
HREF="samba-pdc.html#AEN673"
>Manual Creation of Machine Trust Accounts</A
></DT
><DT
>6.4.2. <A
HREF="samba-pdc.html#AEN714"
>"On-the-Fly" Creation of Machine Trust Accounts</A
></DT
><DT
>6.4.3. <A
HREF="samba-pdc.html#AEN723"
>Joining the Client to the Domain</A
></DT
></DL
></DD
><DT
>6.5. <A
HREF="samba-pdc.html#AEN738"
>Common Problems and Errors</A
></DT
><DT
>6.6. <A
HREF="samba-pdc.html#AEN786"
>System Policies and Profiles</A
></DT
><DT
>6.7. <A
HREF="samba-pdc.html#AEN830"
>What other help can I get?</A
></DT
><DT
>6.8. <A
HREF="samba-pdc.html#AEN944"
>Domain Control for Windows 9x/ME</A
></DT
><DD
><DL
><DT
>6.8.1. <A
HREF="samba-pdc.html#AEN970"
>Configuration Instructions: Network Logons</A
></DT
><DT
>6.8.2. <A
HREF="samba-pdc.html#AEN989"
>Configuration Instructions: Setting up Roaming User Profiles</A
></DT
></DL
></DD
><DT
>6.9. <A
HREF="samba-pdc.html#AEN1082"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>7. <A
HREF="samba-bdc.html"
>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
></DT
><DD
><DL
><DT
>7.1. <A
HREF="samba-bdc.html#AEN1118"
>Prerequisite Reading</A
></DT
><DT
>7.2. <A
HREF="samba-bdc.html#AEN1122"
>Background</A
></DT
><DT
>7.3. <A
HREF="samba-bdc.html#AEN1130"
>What qualifies a Domain Controller on the network?</A
></DT
><DD
><DL
><DT
>7.3.1. <A
HREF="samba-bdc.html#AEN1133"
>How does a Workstation find its domain controller?</A
></DT
><DT
>7.3.2. <A
HREF="samba-bdc.html#AEN1136"
>When is the PDC needed?</A
></DT
></DL
></DD
><DT
>7.4. <A
HREF="samba-bdc.html#AEN1139"
>Can Samba be a Backup Domain Controller?</A
></DT
><DT
>7.5. <A
HREF="samba-bdc.html#AEN1143"
>How do I set up a Samba BDC?</A
></DT
><DD
><DL
><DT
>7.5.1. <A
HREF="samba-bdc.html#AEN1160"
>How do I replicate the smbpasswd file?</A
></DT
></DL
></DD
></DL
></DD
><DT
>8. <A
HREF="ads.html"
>Samba as a ADS domain member</A
></DT
><DD
><DL
><DT
>8.1. <A
HREF="ads.html#AEN1178"
>Installing the required packages for Debian</A
></DT
><DT
>8.2. <A
HREF="ads.html#AEN1184"
>Installing the required packages for RedHat</A
></DT
><DT
>8.3. <A
HREF="ads.html#AEN1193"
>Compile Samba</A
></DT
><DT
>8.4. <A
HREF="ads.html#AEN1205"
>Setup your /etc/krb5.conf</A
></DT
><DT
>8.5. <A
HREF="ads.html#AEN1215"
>Create the computer account</A
></DT
><DD
><DL
><DT
>8.5.1. <A
HREF="ads.html#AEN1219"
>Possible errors</A
></DT
></DL
></DD
><DT
>8.6. <A
HREF="ads.html#AEN1231"
>Test your server setup</A
></DT
><DT
>8.7. <A
HREF="ads.html#AEN1236"
>Testing with smbclient</A
></DT
><DT
>8.8. <A
HREF="ads.html#AEN1239"
>Notes</A
></DT
></DL
></DD
><DT
>9. <A
HREF="domain-security.html"
>Samba as a NT4 domain member</A
></DT
><DD
><DL
><DT
>9.1. <A
HREF="domain-security.html#AEN1261"
>Joining an NT Domain with Samba 2.2</A
></DT
><DT
>9.2. <A
HREF="domain-security.html#AEN1325"
>Samba and Windows 2000 Domains</A
></DT
><DT
>9.3. <A
HREF="domain-security.html#AEN1330"
>Why is this better than security = server?</A
></DT
></DL
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="pwencrypt.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="samba-pdc.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>LanMan and NT Password Encryption in Samba</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>How to Configure Samba as a NT4 Primary Domain Controller</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

View File

@ -1,16 +1,15 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. PAM based Distributed Authentication</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. PAM based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 25. 
PAM based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="pam.html#id2993246">Features and Benefits</a></dt><dt><a href="pam.html#id2992101">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2992118">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2992783">Example System Configurations</a></dt><dt><a href="pam.html#id2995216">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2995273">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="pam.html#id2995357">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2995723">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2995737">pam_winbind problem</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. PAM based Distributed Authentication</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. PAM based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 25. 
PAM based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="pam.html#id2995804">Features and Benefits</a></dt><dt><a href="pam.html#id2996071">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2996089">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2996760">Example System Configurations</a></dt><dt><a href="pam.html#id2997062">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2997119">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="pam.html#id2997203">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2997570">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2997583">pam_winbind problem</a></dt></dl></dd></dl></div><p>
This chapter you should help you to deploy winbind based authentication on any PAM enabled
Unix/Linux system. Winbind can be used to enable user level application access authentication
from any MS Windows NT Domain, MS Windows 200x Active Directory based domain, or any Samba
based domain environment. It will also help you to configure PAM based local host access
controls that are appropriate to your Samba configuration.
</p><p>
In addition to knowing how to configure winbind into PAM, you will learn generic PAM managment
possibilities and in particular how to deploy tools like pam_smbpass.so to your adavantage.
In addition to knowing how to configure winbind into PAM, you will learn generic PAM management
possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The use of Winbind require more than PAM configuration alone. Please refer to <a href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind">the Winbind chapter</a>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2993246"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2995804"></a>Features and Benefits</h2></div></div><div></div></div><p>
A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux,
now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the introduction of PAM, a decision
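Review bot: The typo fixes in this hunk stop short of two unchanged lines in the same passage: the opening sentence still reads "This chapter you should help you to deploy winbind based authentication", and the note still says "The use of Winbind require more than PAM configuration alone". Since this file is regenerated output, correct both in the DocBook source ("This chapter should help you to deploy", "requires") and regenerate, so the next regeneration does not carry them forward.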
@ -68,12 +67,12 @@ of distributed samba domain controllers that can provide wide are network bandwi
efficient authentication services for PAM capable systems. In effect, this allows the
deployment of centrally managed and maintained distributed authentication from a single
user account database.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2992101"></a>Technical Discussion</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996071"></a>Technical Discussion</h2></div></div><div></div></div><p>
PAM is designed to provide the system administrator with a great deal of flexibility in
configuration of the privilege granting applications of their system. The local
configuration of system security controlled by PAM is contained in one of two places:
either the single system file, /etc/pam.conf; or the /etc/pam.d/ directory.
</p><div xmlns:ns89="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2992118"></a>PAM Configuration Syntax</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996089"></a>PAM Configuration Syntax</h3></div></div><div></div></div><p>
In this section we discuss the correct syntax of and generic options respected by entries to these files.
PAM specific tokens in the configuration file are case insensitive. The module paths, however, are case
sensitive since they indicate a file's name and reflect the case dependence of typical file-systems.
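Review bot: The two heading lines change only in their generated anchors (id2992101 to id2996071, id2992118 to id2996089), and the table of contents in the first hunk had to be renumbered to match. Every regeneration therefore produces diff noise, and any link that targets an old pam.html anchor stops resolving. Give these sections explicit ids in the DocBook source so the anchors stay stable across runs. Dropping the empty xmlns:ns89 attribute is fine. The hunk header context also shows "wide are network bandwidth", which looks like a typo for "wide area network" that is still in the source.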
@ -87,22 +86,22 @@ If the PAM authentication module (loadable link library file) is located in the
default location then it is not necessary to specify the path. In the case of
Linux, the default location is <tt class="filename">/lib/security</tt>. If the module
is located outside the default then the path must be specified as:
</p><ns89:p>
</ns89:p><pre class="screen">
</p><p>
</p><pre class="screen">
auth required /other_path/pam_strange_module.so
</pre><ns89:p>
</ns89:p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2992174"></a>Anatomy of <tt class="filename">/etc/pam.d</tt> Entries</h4></div></div><div></div></div><p>
</pre><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2996146"></a>Anatomy of <tt class="filename">/etc/pam.d</tt> Entries</h4></div></div><div></div></div><p>
The remaining information in this subsection was taken from the documentation of the Linux-PAM
project. For more information on PAM, see
<a href="http://ftp.kernel.org/pub/linux/libs/pam/" target="_top">
http://ftp.kernel.org/pub/linux/libs/pam</a> The Official Linux-PAM home page.
</p><p>
A general configuration line of the /etc/pam.conf file has the following form:
</p><ns89:p>
</ns89:p><pre class="screen">
</p><p>
</p><pre class="screen">
service-name module-type control-flag module-path args
</pre><ns89:p>
</ns89:p><p>
</pre><p>
</p><p>
Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
way of configuring Linux-PAM is via the contents of the <tt class="filename">/etc/pam.d/</tt> directory.
Once we have explained the meaning of the above tokens, we will describe this method.
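Review bot: Replacing the ns89:p elements with plain p elements around each pre class="screen" block leaves an empty paragraph before and after the block (a p opened and closed with nothing but a line break inside), so the output still carries four content-free paragraphs in this hunk. The likely cause, which is an assumption since the source is not in this diff, is a screen element nested inside a para in the DocBook source. Moving the screen out of the para there would stop the stylesheet from emitting the empty pairs.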
@ -128,8 +127,8 @@ Once we have explained the meaning of the above tokens, we will describe this me
user `root' login only on the console.
</p></li><li><p>
<span class="emphasis"><em>session:</em></span> primarily, this module is associated with doing things that need
to be done for the user before/after they can be given service. Such things include the loggin
of information concerning the opening/closing of some data exchange with a user, mountin
to be done for the user before/after they can be given service. Such things include the logging
of information concerning the opening/closing of some data exchange with a user, mounting
directories, etc.
</p></li><li><p>
<span class="emphasis"><em>password:</em></span> this last module type is required for updating the authentication
@ -177,19 +176,19 @@ Once we have explained the meaning of the above tokens, we will describe this me
this latter case, is when the other modules return something like PAM_IGNORE.
</p></li></ul></div><p>
The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
over how the user is authenticated. This form of the control flag is delimeted with square brackets and
over how the user is authenticated. This form of the control flag is delimited with square brackets and
consists of a series of value=action tokens:
</p><pre class="screen">
[value1=action1 value2=action2 ...]
</pre><p>
Here, valueI is one of the following return values: success; open_err; symbol_err; service_err;
Here, value1 is one of the following return values: success; open_err; symbol_err; service_err;
system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries;
new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
authtok_err; authtok_recover_err; authtok_lock_busy; authtok_disable_aging; try_again; ignore; abort;
authtok_expired; module_unknown; bad_item; and default. The last of these (default) can be used to set
the action for those return values that are not explicitly defined.
</p><p>
The actionI can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
The action1 can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
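Review bot: the rename of valueI to value1 and actionI to action1 changes what these two sentences say. In the [value1=action1 value2=action2 ...] template the trailing I was an index standing for any pair, in the same way the next sentence uses J for an arbitrary positive integer; after the change the text reads as if only the first pair is restricted to the listed return values and action tokens. Suggest valueN and actionN (or restoring the I) so the sentences cover every pair, and making the correction in the DocBook source rather than in the generated HTML.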
@ -219,8 +218,8 @@ Once we have explained the meaning of the above tokens, we will describe this me
</p></li></ul></div><p>
Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in
terms of the [...] syntax. They are as follows:
</p><ns89:p>
</ns89:p><div class="itemizedlist"><ul type="disc"><li><p>
</p><p>
</p><div class="itemizedlist"><ul type="disc"><li><p>
required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
</p></li><li><p>
requisite is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=die]
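Review bot: replacing the ns89:p wrapper with a plain p leaves an empty paragraph between "They are as follows:" and the itemizedlist, which renders as extra vertical space and carries no content. The source appears to have an empty para around the list; dropping it there would remove the empty element from the output instead of only renaming it.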
@ -228,8 +227,8 @@ Once we have explained the meaning of the above tokens, we will describe this me
sufficient is equivalent to [success=done new_authtok_reqd=done default=ignore]
</p></li><li><p>
optional is equivalent to [success=ok new_authtok_reqd=ok default=ignore]
</p></li></ul></div><ns89:p>
</ns89:p><p>
</p></li></ul></div><p>
</p><p>
Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
machine-machine authentication using the transport protocol inherent to the client/server application. With the
@ -261,13 +260,13 @@ squid auth required pam_mysql.so user=passwd_query passwd=mada \
Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the
side of caution) to make the authentication process fail. A corresponding error is written to the system log files
with a call to syslog(3).
</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2992783"></a>Example System Configurations</h3></div></div><div></div></div><p>
</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2996760"></a>Example System Configurations</h3></div></div><div></div></div><p>
The following is an example <tt class="filename">/etc/pam.d/login</tt> configuration file.
This example had all options been uncommented is probably not usable
as it stacks many conditions before allowing successful completion
of the login process. Essentially all conditions can be disabled
by commenting them out except the calls to <tt class="filename">pam_pwdb.so</tt>.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2992814"></a>PAM: original login config</h4></div></div><div></div></div><pre class="screen">
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2996790"></a>PAM: original login config</h4></div></div><div></div></div><pre class="screen">
#%PAM-1.0
# The PAM configuration file for the `login' service
#
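Review bot: the heading anchors in this hunk change only because they are stylesheet-generated (id2992783 becomes id2996760, id2992814 becomes id2996790), so every regeneration invalidates existing deep links into "Example System Configurations" and "PAM: original login config". Assigning explicit ids to these sections in the DocBook source would keep the anchors stable and shrink future regeneration diffs to real content changes.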
@ -282,10 +281,10 @@ session required pam_pwdb.so
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5
</pre></div><div xmlns:ns90="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2992841"></a>PAM: login using pam_smbpass</h4></div></div><div></div></div><p>
PAM allows use of replacable modules. Those available on a sample system include:
</p><ns90:p><tt class="prompt">$</tt><b class="userinput"><tt>/bin/ls /lib/security</tt></b>
</ns90:p><pre class="screen">
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2996817"></a>PAM: login using pam_smbpass</h4></div></div><div></div></div><p>
PAM allows use of replaceable modules. Those available on a sample system include:
</p><p><tt class="prompt">$</tt><b class="userinput"><tt>/bin/ls /lib/security</tt></b>
</p><pre class="screen">
pam_access.so pam_ftp.so pam_limits.so
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so
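Review bot: in the regenerated command line the prompt and the command are adjacent with nothing between them (the closing tt of the "$" prompt is followed directly by the userinput element), so the page shows "$/bin/ls /lib/security". The spelling fix to "replaceable" and the removal of the empty xmlns:ns90 attribute are fine; a space after the prompt in the source would make the example copyable as written.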
@ -354,14 +353,14 @@ password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
capabilities of PAM in this environment. Some Linux implmentations also
capabilities of PAM in this environment. Some Linux implementations also
provide the <tt class="filename">pam_stack.so</tt> module that allows all
authentication to be configured in a single central file. The
<tt class="filename">pam_stack.so</tt> method has some very devoted followers
on the basis that it allows for easier administration. As with all issues in
life though, every decision makes trade-offs, so you may want examine the
PAM documentation for further helpful information.
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2995216"></a>smb.conf PAM Configuration</h3></div></div><div></div></div><p>
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2997062"></a>smb.conf PAM Configuration</h3></div></div><div></div></div><p>
There is an option in smb.conf called <a href="smb.conf.5.html#OBEYPAMRESTRICTIONS" target="_top">obey pam restrictions</a>.
The following is from the on-line help for this option in SWAT;
</p><p>
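Review bot: the spelling pass fixes "implmentations" but leaves "so you may want examine the PAM documentation" a few lines further down in the same paragraph, which is missing "to". Worth correcting in the same source edit so the paragraph does not need another regeneration.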
@ -376,8 +375,8 @@ ignores PAM for authentication in the case of
The reason is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB
password encryption.
</p><p>Default: <i class="parameter"><tt>obey pam restrictions = no</tt></i></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2995273"></a>Remote CIFS Authentication using winbindd.so</h3></div></div><div></div></div><p>
All operating systems depend on the provision of users credentials accecptable to the platform.
</p><p>Default: <i class="parameter"><tt>obey pam restrictions = no</tt></i></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2997119"></a>Remote CIFS Authentication using winbindd.so</h3></div></div><div></div></div><p>
All operating systems depend on the provision of users credentials acceptable to the platform.
Unix requires the provision of a user identifier (UID) as well as a group identifier (GID).
These are both simple integer type numbers that are obtained from a password backend such
as <tt class="filename">/etc/passwd</tt>.
@ -402,7 +401,7 @@ Microsoft Active Directory Service (ADS) in so far as reduction of wide area net
The rid to unix id database is the only location where the user and group mappings are
stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd
to determine which user and group ids correspond to Windows NT user and group rids.
</p></div></div><div xmlns:ns91="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2995357"></a>Password Synchronization using pam_smbpass.so</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2997203"></a>Password Synchronization using pam_smbpass.so</h3></div></div><div></div></div><p>
pam_smbpass is a PAM module which can be used on conforming systems to
keep the smbpasswd (Samba password) database in sync with the unix
password file. PAM (Pluggable Authentication Modules) is an API supported
@ -413,21 +412,21 @@ This module authenticates a local smbpasswd user database. If you require
support for authenticating against a remote SMB server, or if you're
concerned about the presence of suid root binaries on your system, it is
recommended that you use pam_winbind instead.
</p><ns91:p>
</p><p>
Options recognized by this module are as follows:
</ns91:p><div class="table"><a name="id2995388"></a><p class="title"><b>Table 25.1. Options recognized by pam_smbpass</b></p><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left">debug</td><td align="left">log more debugging info</td></tr><tr><td align="left">audit</td><td align="left">like debug, but also logs unknown usernames</td></tr><tr><td align="left">use_first_pass</td><td align="left">don't prompt the user for passwords; take them from PAM_ items instead</td></tr><tr><td align="left">try_first_pass</td><td align="left">try to get the password from a previous PAM module, fall back to prompting the user</td></tr><tr><td align="left">use_authtok</td><td align="left">like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)</td></tr><tr><td align="left">not_set_pass</td><td align="left">don't make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="left">don't insert ~1 second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="left">null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="left">null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="left">only meaningful in an &quot;auth&quot; context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<i class="replaceable"><tt>file</tt></i></td><td align="left">specify an alternate path to the <tt class="filename">smb.conf</tt> file.</td></tr></tbody></table></div><ns91:p>
</ns91:p><ns91:p>
</p><div class="table"><a name="id2997236"></a><p class="title"><b>Table 25.1. Options recognized by pam_smbpass</b></p><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left">debug</td><td align="left">log more debugging info</td></tr><tr><td align="left">audit</td><td align="left">like debug, but also logs unknown usernames</td></tr><tr><td align="left">use_first_pass</td><td align="left">don't prompt the user for passwords; take them from PAM_ items instead</td></tr><tr><td align="left">try_first_pass</td><td align="left">try to get the password from a previous PAM module, fall back to prompting the user</td></tr><tr><td align="left">use_authtok</td><td align="left">like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)</td></tr><tr><td align="left">not_set_pass</td><td align="left">don't make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="left">don't insert ~1 second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="left">null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="left">null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="left">only meaningful in an &quot;auth&quot; context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<i class="replaceable"><tt>file</tt></i></td><td align="left">specify an alternate path to the <tt class="filename">smb.conf</tt> file.</td></tr></tbody></table></div><p>
</p><p>
Thanks go to the following people:
</ns91:p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="mailto:morgan@transmeta.com" target="_top">Andrew Morgan</a>, for providing the Linux-PAM
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="mailto:morgan@transmeta.com" target="_top">Andrew Morgan</a>, for providing the Linux-PAM
framework, without which none of this would have happened</td></tr><tr><td><a href="gafton@redhat.com" target="_top">Christian Gafton</a> and Andrew Morgan again, for the
pam_pwdb module upon which pam_smbpass was originally based</td></tr><tr><td><a href="lkcl@switchboard.net" target="_top">Luke Leighton</a> for being receptive to the idea,
and for the occasional good-natured complaint about the project's status
that keep me working on it :)</td></tr></table><ns91:p>.
</ns91:p><p>
that keep me working on it :)</td></tr></table><p>.
</p><p>
The following are examples of the use of pam_smbpass.so in the format of Linux
<tt class="filename">/etc/pam.d/</tt> files structure. Those wishing to implement this
tool on other platforms will need to adapt this appropriately.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2995589"></a>Password Synchronisation Configuration</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2997436"></a>Password Synchronisation Configuration</h4></div></div><div></div></div><p>
A sample PAM configuration that shows the use of pam_smbpass to make
sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow)
is changed. Useful when an expired password might be changed by an
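Review bot: two links in the "Thanks go to the following people" list lack the mailto: scheme. href="gafton@redhat.com" and href="lkcl@switchboard.net" resolve as relative page links, unlike the Andrew Morgan entry directly above them, and the regenerated lines carry the same values forward. The paragraph that follows the list still contains only a "." as well. Both should be fixed in the source before the next regeneration.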
@ -443,7 +442,7 @@ password requisite pam_cracklib.so retry=3
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password required pam_smbpass.so nullok use_authtok try_first_pass
session required pam_unix.so
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2995621"></a>Password Migration Configuration</h4></div></div><div></div></div><p>
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2997469"></a>Password Migration Configuration</h4></div></div><div></div></div><p>
A sample PAM configuration that shows the use of pam_smbpass to migrate
from plaintext to encrypted passwords for Samba. Unlike other methods,
this can be used for users who have never connected to Samba shares:
@ -462,7 +461,7 @@ password requisite pam_cracklib.so retry=3
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password optional pam_smbpass.so nullok use_authtok try_first_pass
session required pam_unix.so
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2995657"></a>Mature Password Configuration</h4></div></div><div></div></div><p>
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2997504"></a>Mature Password Configuration</h4></div></div><div></div></div><p>
A sample PAM configuration for a 'mature' smbpasswd installation.
private/smbpasswd is fully populated, and we consider it an error if
the smbpasswd doesn't exist or doesn't match the Unix password.
@ -477,7 +476,7 @@ password requisite pam_cracklib.so retry=3
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password required pam_smbpass.so use_authtok use_first_pass
session required pam_unix.so
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2995689"></a>Kerberos Password Integration Configuration</h4></div></div><div></div></div><p>
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2997536"></a>Kerberos Password Integration Configuration</h4></div></div><div></div></div><p>
A sample PAM configuration that shows pam_smbpass used together with
pam_krb5. This could be useful on a Samba PDC that is also a member of
a Kerberos realm.
@ -493,13 +492,13 @@ password requisite pam_cracklib.so retry=3
password optional pam_smbpass.so nullok use_authtok try_first_pass
password required pam_krb5.so use_authtok try_first_pass
session required pam_krb5.so
</pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2995723"></a>Common Errors</h2></div></div><div></div></div><p>
</pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2997570"></a>Common Errors</h2></div></div><div></div></div><p>
PAM can be a very fickle and sensitive to configuration glitches. Here we look at a few cases from
the Samba mailing list.
</p><div xmlns:ns92="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2995737"></a>pam_winbind problem</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2997583"></a>pam_winbind problem</h3></div></div><div></div></div><p>
I have the following PAM configuration:
</p><ns92:p>
</ns92:p><pre class="screen">
</p><p>
</p><pre class="screen">
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass nullok
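Review bot: the opening sentence of "Common Errors" still reads "PAM can be a very fickle and sensitive to configuration glitches", with a stray "a" before "very fickle". The hunk only touches the anchor ids and the ns92 wrappers around it; the sentence should be corrected in the source, for example "PAM can be very fickle and sensitive to configuration glitches".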
@ -508,8 +507,8 @@ auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
</pre><ns92:p>
</ns92:p><p>
</pre><p>
</p><p>
When I open a new console with [ctrl][alt][F1], then I cant log in with my user &quot;pitie&quot;.
I've tried with user &quot;scienceu+pitie&quot; also.
</p><p>

View File

@ -1,23 +1,22 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide"><link rel="next" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. 
Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="passdb.html#id2908055">Features and Benefits</a></dt><dt><a 
href="passdb.html#id2908379">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2908443">Important Notes About Security</a></dt><dt><a href="passdb.html#id2908686">Mapping User Identifiers between MS Windows and Unix</a></dt></dl></dd><dt><a href="passdb.html#id2908741">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2908773">The smbpasswd Command</a></dt><dt><a href="passdb.html#id2909038">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2909172">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2913386">Plain Text</a></dt><dt><a href="passdb.html#id2913426">smbpasswd - Encrypted Password Database</a></dt><dt><a href="passdb.html#id2913533">tdbsam</a></dt><dt><a href="passdb.html#id2913560">ldapsam</a></dt><dt><a href="passdb.html#id2915051">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2915854">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2915861">Users can not logon - Users not in Samba SAM</a></dt><dt><a href="passdb.html#id2915876">Users are being added to the wrong backend database</a></dt><dt><a href="passdb.html#id2915936">auth methods does not work</a></dt></dl></dd></dl></div><p>
Samba-3 implements a new capability to work concurrently with mulitple account backends.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide"><link rel="next" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. 
Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="passdb.html#id2910308">Features and Benefits</a></dt><dt><a 
href="passdb.html#id2910636">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2910700">Important Notes About Security</a></dt><dt><a href="passdb.html#id2910954">Mapping User Identifiers between MS Windows and Unix</a></dt></dl></dd><dt><a href="passdb.html#id2911009">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2911041">The smbpasswd Command</a></dt><dt><a href="passdb.html#id2911306">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2911458">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2911494">Plain Text</a></dt><dt><a href="passdb.html#id2911534">smbpasswd - Encrypted Password Database</a></dt><dt><a href="passdb.html#id2911641">tdbsam</a></dt><dt><a href="passdb.html#id2911668">ldapsam</a></dt><dt><a href="passdb.html#id2913185">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2913989">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2913997">Users can not logon - Users not in Samba SAM</a></dt><dt><a href="passdb.html#id2914012">Users are being added to the wrong backend database</a></dt><dt><a href="passdb.html#id2914072">auth methods does not work</a></dt></dl></dd></dl></div><p>
Samba-3 implements a new capability to work concurrently with multiple account backends.
The possible new combinations of password backends allows Samba-3 a degree of flexibility
and scalability that previously could be achieved only with MS Windows Active Directory.
This chapter describes the new functionality and how to get the most out of it.
</p><p>
In the course of development of Samba-3 a number of requests were received to provide the
In the course of development of Samba-3, a number of requests were received to provide the
ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide
matching Unix/Linux accounts. We called this the <span class="emphasis"><em>Non Unix Accounts (NUA)</em></span>
capability. The intent was that an administrator could decide to use the <span class="emphasis"><em>tdbsam</em></span>
backend and by simply specifying <span class="emphasis"><em>&quot;passdb backend = tdbsam_nua, guest&quot;</em></span>
this would allow Samba-3 to implement a solution that did not use Unix accounts per se. Late
in the development cycle the team doing this work hit upon some obstacles that prevents this
in the development cycle, the team doing this work hit upon some obstacles that prevents this
solution from being used. Given the delays with Samba-3 release a decision was made to NOT
deliver this functionality until a better method of recognising NT Group SIDs from NT User
SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Samba-3.0.0 does NOT support Non-Unix Account (NUA) operation.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2908055"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910308"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba-3 provides for complete backwards compatibility with Samba-2.2.x functionality
as follows:
</p><div class="variablelist"><p class="title"><b>Backwards Compatibility Backends</b></p><dl><dt><span class="term">Plain Text:</span></dt><dd><p>
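Review bot: the line that gains a comma after "in the development cycle" still says "hit upon some obstacles that prevents this solution from being used", where the verb should agree with "obstacles" ("prevent" or "prevented"). The "mulitple" fix in the chapter's first sentence is correct; the agreement error is in the same paragraph and can be fixed in the same source edit.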
@ -37,7 +36,7 @@ as follows:
</p><p>
This backend should be used only for backwards compatibility with older
versions of Samba. It may be deprecated in future releases.
</p></dd><dt><span class="term">ldapsam_compat (Samba-2.2 LDAP Compatibilty):</span></dt><dd><p>
</p></dd><dt><span class="term">ldapsam_compat (Samba-2.2 LDAP Compatibility):</span></dt><dd><p>
There is a password backend option that allows continued operation with
a existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension.
This option is provided primarily as a migration tool, although there is
@ -67,11 +66,11 @@ Samba-3 introduces the following new password backend capabilities:
for sites that have fewer than 250 users. For larger sites or implementations
the use of OpenLDAP or of Active Directory integration is strongly recommended.
</p></dd><dt><span class="term">ldapsam:</span></dt><dd><p>
This provides a rich directory backend for distributed account installation
This provides a rich directory backend for distributed account installation.
</p><p>
Samba-3 has a new and extended LDAP implementation that requires configuration
of OpenLDAP with a new format samba schema. The new format schema file is
included in the <tt class="filename">~samba/examples/LDAP</tt> directory.
included in the <tt class="filename">examples/LDAP</tt> directory of the Samba distribution.
</p><p>
The new LDAP implementation significantly expands the control abilities that
were possible with prior versions of Samba. It is now possible to specify
@ -94,7 +93,7 @@ Samba-3 introduces the following new password backend capabilities:
</p></dd><dt><span class="term">nisplussam:</span></dt><dd><p>
The NIS+ based passdb backend. Takes name NIS domain as an
optional argument. Only works with Sun NIS+ servers.
</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2908379"></a>Technical Information</h2></div></div><div></div></div><p>
</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910636"></a>Technical Information</h2></div></div><div></div></div><p>
Old windows clients send plain text passwords over the wire. Samba can check these
passwords by crypting them and comparing them to the hash stored in the unix user database.
</p><p>
@ -102,7 +101,7 @@ Samba-3 introduces the following new password backend capabilities:
the wire, instead of plain text passwords. The newest clients will send only encrypted
passwords and refuse to send plain text passwords, unless their registry is tweaked.
</p><p>
These passwords can't be converted to unix style encrypted passwords. Because of that
These passwords can't be converted to unix style encrypted passwords. Because of that,
you can't use the standard unix user database, and you have to store the Lanman and NT
hashes somewhere else.
</p><p>
@ -112,7 +111,7 @@ Samba-3 introduces the following new password backend capabilities:
information using a <i class="parameter"><tt>passdb backend</tt></i>. Commonly available backends are LDAP, plain text
file, MySQL and nisplus. For more information, see the man page for <tt class="filename">smb.conf</tt> regarding the
<i class="parameter"><tt>passdb backend</tt></i> parameter.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908443"></a>Important Notes About Security</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910700"></a>Important Notes About Security</h3></div></div><div></div></div><p>
The unix and SMB password encryption techniques seem similar on the surface. This
similarity is, however, only skin deep. The unix scheme typically sends clear text
passwords over the network when logging in. This is bad. The SMB encryption scheme
@ -154,7 +153,7 @@ Samba-3 introduces the following new password backend capabilities:
(broken) only the cached (encrypted) password will be sent to the resource server to
affect a auto-reconnect. If the resource server does not support encrypted passwords the
auto-reconnect will fail. <span class="emphasis"><em>USE OF ENCRYPTED PASSWORDS IS STRONGLY ADVISED.</em></span>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2908595"></a>Advantages of Encrypted Passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plain text passwords are not passed across
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2910863"></a>Advantages of Encrypted Passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plain text passwords are not passed across
the network. Someone using a network sniffer cannot just
record passwords going to the SMB server.</p></li><li><p>Plain text passwords are not stored anywhere in
memory or on disk.</p></li><li><p>WinNT doesn't like talking to a server
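Review bot: The context line "affect a auto-reconnect" went through regeneration untouched; it should read "effect an auto-reconnect". Since this file is generated, the fix belongs in the DocBook source for this paragraph, not in the HTML.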
@ -165,38 +164,38 @@ Samba-3 introduces the following new password backend capabilities:
only things you can do to stop this is to use SMB encryption.
</p></li><li><p>Encrypted password support allows automatic share
(resource) reconnects.</p></li><li><p>Encrypted passwords are essential for PDC/BDC
operation.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2908649"></a>Advantages of non-encrypted passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plain text passwords are not kept
operation.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2910917"></a>Advantages of non-encrypted passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plain text passwords are not kept
on disk, and are NOT cached in memory. </p></li><li><p>Uses same password file as other unix
services such as login and ftp</p></li><li><p>Use of other services (such as telnet and ftp) which
send plain text passwords over the net, so sending them for SMB
isn't such a big deal.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908686"></a>Mapping User Identifiers between MS Windows and Unix</h3></div></div><div></div></div><p>
isn't such a big deal.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910954"></a>Mapping User Identifiers between MS Windows and Unix</h3></div></div><div></div></div><p>
Every operation in Unix/Linux requires a user identifier (UID), just as in
MS Windows NT4 / 200x this requires a Security Identifier (SID). Samba provides
two means for mapping an MS Windows user to a Unix/Linux UID.
</p><p>
Firstly, all Samba SAM (Security Account Management database) accounts require
Firstly, all Samba SAM (Security Account Manager database) accounts require
a Unix/Linux UID that the account will map to. As users are added to the account
information database samba-3 will call the <i class="parameter"><tt>add user script</tt></i>
interface to add the account to the Samba host OS. In essence all accounts in
information database, Samba-3 will call the <i class="parameter"><tt>add user script</tt></i>
interface to add the account to the Samba host OS. In essence, all accounts in
the local SAM require a local user account.
</p><p>
The second way to affect Windows SID to Unix UID mapping is via the
<span class="emphasis"><em>idmap uid, idmap gid</em></span> parameters in <tt class="filename">smb.conf</tt>.
Please refer to the man page for information about these parameters.
These parameters are essential when mapping users from a remote SAM server.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2908741"></a>Account Management Tools</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911009"></a>Account Management Tools</h2></div></div><div></div></div><p>
Samba-3 provides two (2) tools for management of User and machine accounts. These tools are
called <tt class="filename">smbpasswd</tt> and <b class="command">pdbedit</b>. A third tool is under
called <b class="command">smbpasswd</b> and <b class="command">pdbedit</b>. A third tool is under
development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will
be announced in time for samba-3.0.1 release timing.
</p><div xmlns:ns21="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908773"></a>The <span class="emphasis"><em>smbpasswd</em></span> Command</h3></div></div><div></div></div><p>
be announced in time for the Samba-3.0.1 release.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911041"></a>The <span class="emphasis"><em>smbpasswd</em></span> Command</h3></div></div><div></div></div><p>
The smbpasswd utility is a utility similar to the <b class="command">passwd</b>
or <b class="command">yppasswd</b> programs. It maintains the two 32 byte password
fields in the passdb backend.
</p><p>
<b class="command">smbpasswd</b> works in a client-server mode where it contacts the
local smbd to change the user's password on its behalf.This has enormous benefits
local smbd to change the user's password on its behalf. This has enormous benefits
as follows:
</p><p>
<b class="command">smbpasswd</b> has the capability to change passwords on Windows NT
@ -206,18 +205,18 @@ be announced in time for samba-3.0.1 release timing.
<b class="command">smbpasswd</b> can be used to:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><span class="emphasis"><em>add</em></span> user or machine accounts</td></tr><tr><td><span class="emphasis"><em>delete</em></span> user or machine accounts</td></tr><tr><td><span class="emphasis"><em>enable</em></span> user or machine accounts</td></tr><tr><td><span class="emphasis"><em>disable</em></span> user or machine accounts</td></tr><tr><td><span class="emphasis"><em>set to NULL</em></span> user passwords</td></tr><tr><td><span class="emphasis"><em>manage interdomain trust accounts</em></span></td></tr></table><p>
To run smbpasswd as a normal user just type:
</p><ns21:p>
</ns21:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>smbpasswd</tt></b>
<tt class="prompt">Old SMB password: </tt><b class="userinput"><tt><i class="replaceable"><tt>secret</tt></i></tt></b>
</pre><ns21:p>
</pre><p>
For <i class="replaceable"><tt>secret</tt></i> type old value here - or hit return if
there was no old password
</ns21:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">New SMB Password: </tt><b class="userinput"><tt><i class="replaceable"><tt>new secret</tt></i></tt></b>
<tt class="prompt">Repeat New SMB Password: </tt><b class="userinput"><tt><i class="replaceable"><tt>new secret</tt></i></tt></b>
</pre><ns21:p>
</ns21:p><p>
</pre><p>
</p><p>
If the old value does not match the current value stored for that user, or the two
new values do not match each other, then the password will not be changed.
</p><p>
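Review bot: Replacing the bogus ns21:p elements with plain p still leaves an empty paragraph pair before the first pre class="screen" block and another after the last one in the smbpasswd example. Those empty elements only add stray vertical space around the screen output. Check how the source wraps the screen blocks so that the generator stops emitting a paragraph with nothing in it.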
@ -236,7 +235,7 @@ be announced in time for samba-3.0.1 release timing.
</p><p>
For more details on using <b class="command">smbpasswd</b> refer to the man page (the
definitive reference).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909038"></a>The <span class="emphasis"><em>pdbedit</em></span> Command</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911306"></a>The <span class="emphasis"><em>pdbedit</em></span> Command</h3></div></div><div></div></div><p>
<b class="command">pdbedit</b> is a tool that can be used only by root. It is used to
manage the passdb backend. <b class="command">pdbedit</b> can be used to:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>add, remove or modify user accounts</td></tr><tr><td>listing user accounts</td></tr><tr><td>migrate user accounts</td></tr></table><p>
@ -272,29 +271,29 @@ be announced in time for samba-3.0.1 release timing.
Password last set: Sat, 14 Dec 2002 14:37:03 GMT
Password can change: Sat, 14 Dec 2002 14:37:03 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
</pre></div></div><div xmlns:ns22="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2909172"></a>Password Backends</h2></div></div><div></div></div><p>
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911458"></a>Password Backends</h2></div></div><div></div></div><p>
Samba-3 offers the greatest flexibility in backend account database design of any SMB/CIFS server
technology available today. The flexibility is immediately obvious as one begins to explore this
capability.
</p><p>
It is possible to specify not only multiple different password backends, but even multiple
backends of the same type. For example, to use two different tdbsam databases:
</p><ns22:p>
</ns22:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[globals]
passdb backend = tdbsam:/etc/samba/passdb.tdb, \
tdbsam:/etc/samba/old-passdb.tdb, guest
</pre><ns22:p>
</ns22:p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913386"></a>Plain Text</h3></div></div><div></div></div><p>
Older versions of samba retrieved user information from the unix user database
</pre><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911494"></a>Plain Text</h3></div></div><div></div></div><p>
Older versions of Samba retrieved user information from the unix user database
and eventually some other fields from the file <tt class="filename">/etc/samba/smbpasswd</tt>
or <tt class="filename">/etc/smbpasswd</tt>. When password encryption is disabled, no
SMB specific data is stored at all. Instead all operations are conduected via the way
that the samba host OS will access it's <tt class="filename">/etc/passwd</tt> database.
SMB specific data is stored at all. Instead all operations are conducted via the way
that the Samba host OS will access its <tt class="filename">/etc/passwd</tt> database.
eg: On Linux systems that is done via PAM.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913426"></a>smbpasswd - Encrypted Password Database</h3></div></div><div></div></div><p>
Traditionally, when configuring <a href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">&quot;encrypt
passwords = yes&quot;</a> in Samba's <tt class="filename">smb.conf</tt> file, user account
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911534"></a>smbpasswd - Encrypted Password Database</h3></div></div><div></div></div><p>
Traditionally, when configuring <a href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt
passwords = yes</a> in Samba's <tt class="filename">smb.conf</tt> file, user account
information such as username, LM/NT password hashes, password change times, and account
flags have been stored in the <tt class="filename">smbpasswd(5)</tt> file. There are several
disadvantages to this approach for sites with very large numbers of users (counted
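Review bot: The two-tdbsam example in this hunk still opens with [globals], while the sample smb.conf further down this file uses [global]. smb.conf treats any other section name as a share definition, so a reader who pastes the example as written gets a share called "globals" and the passdb backend line does not take effect as a global setting. Change the header to [global] in the source.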
@ -323,15 +322,15 @@ backends of the same type. For example, to use two different tdbsam databases:
Samba-3 provides an enhanced set of passdb backends that overcome the deficiencies
of the smbpasswd plain text database. These are tdbsam, ldapsam, and xmlsam.
Of these ldapsam will be of most interest to large corporate or enterprise sites.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913533"></a>tdbsam</h3></div></div><div></div></div><p>Samba can store user and machine account data in a &quot;TDB&quot; (Trivial Database).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911641"></a>tdbsam</h3></div></div><div></div></div><p>Samba can store user and machine account data in a &quot;TDB&quot; (Trivial Database).
Using this backend doesn't require any additional configuration. This backend is
recommended for new installations that do not require LDAP.
</p><p>
As a general guide the Samba-Team do NOT recommend using the tdbsam backend for sites
As a general guide the Samba-Team does NOT recommend using the tdbsam backend for sites
that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
in sites that require PDB/BDC implmentations that requires replication of the account
database. Clearly, for reason of scalability the use of ldapsam should be encouraged.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913560"></a>ldapsam</h3></div></div><div></div></div><p>
in sites that require PDB/BDC implementations that requires replication of the account
database. Clearly, for reason of scalability, the use of ldapsam should be encouraged.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911668"></a>ldapsam</h3></div></div><div></div></div><p>
There are a few points to stress that the ldapsam does not provide. The LDAP
support referred to in the this documentation does not include:
</p><div class="itemizedlist"><ul type="disc"><li><p>A means of retrieving user account information from
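Review bot: The corrected tdbsam sentence still reads "PDB/BDC implementations that requires replication". The list of encrypted-password advantages earlier in this file says "PDC/BDC operation", so "PDB" looks like a typo for "PDC", and "that requires" should be "that require". The ldapsam context line "referred to in the this documentation" also has a doubled article.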
@ -344,7 +343,10 @@ backends of the same type. For example, to use two different tdbsam databases:
Refer to <a href="http://safari.oreilly.com/?XmlId=1-56592-491-6" target="_top">
http://safari.oreilly.com/?XmlId=1-56592-491-6</a> for those who might wish to know
more about configuration and administration of an OpenLDAP server.
</p><p>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This section is outdated for Samba-3 schema. Samba-3 introduces a new schema
that has not been documented at the time of this publication.
</p></div><p>
This document describes how to use an LDAP directory for storing Samba user
account information traditionally stored in the smbpasswd(5) file. It is
assumed that the reader already has a basic understanding of LDAP concepts
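Review bot: The added note says the new Samba-3 schema "has not been documented at the time of this publication", but the opening of this chapter tells the reader that the new format schema file is included in the examples/LDAP directory of the Samba distribution. The note should say which parts of the ldapsam section are outdated (object class name, attribute names, or both) and point to that schema file as the authoritative reference, otherwise a reader cannot tell which of the following examples to trust.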
@ -356,25 +358,25 @@ backends of the same type. For example, to use two different tdbsam databases:
</p><div class="itemizedlist"><ul type="disc"><li><p>The <a href="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html" target="_top">Samba-PDC-LDAP-HOWTO</a>
maintained by Ignacio Coupeau.</p></li><li><p>The NT migration scripts from <a href="http://samba.idealx.org/" target="_top">IDEALX</a> that are
geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913698"></a>Supported LDAP Servers</h4></div></div><div></div></div><p>
</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2911821"></a>Supported LDAP Servers</h4></div></div><div></div></div><p>
The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
client libraries. The same code should work with Netscape's Directory Server and client SDK.
However, there are bound to be compile errors and bugs. These should not be hard to fix.
Please submit fixes via <a href="bugreport.html" title="Chapter 35. Reporting Bugs">Bug reporting facility</a>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913724"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2911847"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div><div></div></div><p>
Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
<tt class="filename">examples/LDAP/samba.schema</tt>. The sambaAccount objectclass is given here:
</p><ns22:p>
</ns22:p><pre class="programlisting">
objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
DESC 'Samba Auxilary Account'
<tt class="filename">examples/LDAP/samba.schema</tt>. The sambaSamAccount objectclass is given here:
</p><p>
</p><pre class="programlisting">
objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba Auxiliary Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
description $ userWorkstations $ primaryGroupID $ domain ))
</pre><ns22:p>
</ns22:p><p>
</pre><p>
</p><p>
The <tt class="filename">samba.schema</tt> file has been formatted for OpenLDAP 2.0/2.1.
The OID's are owned by the Samba Team and as such is legal to be openly published.
If you translate the schema to be used with Netscape DS, please
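Review bot: The objectclass listing is renamed to sambaSamAccount, but its OID and its MUST/MAY attribute list (uid, rid, lmPassword, ntPassword, primaryGroupID, domain) are unchanged, while the index example later in this file refers to sambaSID, sambaPrimaryGroupSID and sambaDomainName. A definition that only swaps the NAME is unlikely to match samba.schema as shipped; paste the definition from examples/LDAP/samba.schema instead of editing the old one by hand. The context line "The OID's are owned by the Samba Team and as such is legal" also needs its grammar fixed.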
@ -382,55 +384,55 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>.
</p><p>
Just as the smbpasswd file is meant to store information which supplements a
user's <tt class="filename">/etc/passwd</tt> entry, so is the sambaAccount object
meant to supplement the UNIX user account information. A sambaAccount is a
user's <tt class="filename">/etc/passwd</tt> entry, so is the sambaSamAccount object
meant to supplement the UNIX user account information. A sambaSamAccount is a
<tt class="constant">STRUCTURAL</tt> objectclass so it can be stored individually
in the directory. However, there are several fields (e.g. uid) which overlap
with the posixAccount objectclass outlined in RFC2307. This is by design.
</p><p>
In order to store all user account information (UNIX and Samba) in the directory,
it is necessary to use the sambaAccount and posixAccount objectclasses in
it is necessary to use the sambaSamAccount and posixAccount objectclasses in
combination. However, smbd will still obtain the user's UNIX account
information via the standard C library calls (e.g. getpwnam(), et. al.).
This means that the Samba server must also have the LDAP NSS library installed
and functioning correctly. This division of information makes it possible to
store all Samba account information in LDAP, but still maintain UNIX account
information in NIS while the network is transitioning to a full LDAP infrastructure.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913832"></a>OpenLDAP configuration</h4></div></div><div></div></div><p>
To include support for the sambaAccount object in an OpenLDAP directory
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2911953"></a>OpenLDAP configuration</h4></div></div><div></div></div><p>
To include support for the sambaSamAccount object in an OpenLDAP directory
server, first copy the samba.schema file to slapd's configuration directory.
The samba.schema file can be found in the directory <tt class="filename">examples/LDAP</tt>
in the samba source distribution.
</p><ns22:p>
</ns22:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>cp samba.schema /etc/openldap/schema/</tt></b>
</pre><ns22:p>
</ns22:p><p>
</pre><p>
</p><p>
Next, include the <tt class="filename">samba.schema</tt> file in <tt class="filename">slapd.conf</tt>.
The sambaAccount object contains two attributes which depend upon other schema
The sambaSamAccount object contains two attributes which depend upon other schema
files. The 'uid' attribute is defined in <tt class="filename">cosine.schema</tt> and
the 'displayName' attribute is defined in the <tt class="filename">inetorgperson.schema</tt>
file. Both of these must be included before the <tt class="filename">samba.schema</tt> file.
</p><ns22:p>
</ns22:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
## /etc/openldap/slapd.conf
## schema files (core.schema is required by default)
include /etc/openldap/schema/core.schema
## needed for sambaAccount
## needed for sambaSamAccount
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/nis.schema
....
</pre><ns22:p>
</ns22:p><p>
It is recommended that you maintain some indices on some of the most usefull attributes,
like in the following example, to speed up searches made on sambaAccount objectclasses
</pre><p>
</p><p>
It is recommended that you maintain some indices on some of the most useful attributes,
like in the following example, to speed up searches made on sambaSamAccount objectclasses
(and possibly posixAccount and posixGroup as well).
</p><ns22:p>
</ns22:p><pre class="screen">
</p><p>
</p><pre class="screen">
# Indices to maintain
## required by OpenLDAP
index objectclass eq
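Review bot: The renamed sentence "A sambaSamAccount is a STRUCTURAL objectclass so it can be stored individually in the directory" contradicts the definition printed earlier in this file, which declares the class as SUP top AUXILIARY. The difference matters for the next paragraph, because an auxiliary class has to be combined with a structural one such as the account entry carrying posixAccount. Make the prose agree with whatever the schema file actually declares.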
@ -452,25 +454,25 @@ index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
</pre><ns22:p>
</ns22:p><p>
</pre><p>
</p><p>
Create the new index by executing:
</p><ns22:p>
</ns22:p><pre class="screen">
</p><p>
</p><pre class="screen">
./sbin/slapindex -f slapd.conf
</pre><ns22:p>
</ns22:p><p>
</pre><p>
</p><p>
Remember to restart slapd after making these changes:
</p><ns22:p>
</ns22:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/etc/init.d/slapd restart</tt></b>
</pre><ns22:p>
</ns22:p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914019"></a>Initialise the LDAP database</h4></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2912141"></a>Initialise the LDAP database</h4></div></div><div></div></div><p>
Before you can add accounts to the LDAP database you must create the account containers
that they will be stored in. The following LDIF file should be modified to match your
needs (ie: Your DNS entries, etc.).
</p><ns22:p>
</ns22:p><pre class="screen">
</p><p>
</p><pre class="screen">
# Organization for Samba Base
dn: dc=plainjoe,dc=org
objectclass: dcObject
@ -498,26 +500,26 @@ objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
</pre><ns22:p>
</ns22:p><p>
</pre><p>
</p><p>
The userPassword shown above should be generated using <b class="command">slappasswd</b>.
</p><p>
The following command will then load the contents of the LDIF file into the LDAP
database.
</p><ns22:p>
</ns22:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>slapadd -v -l initldap.dif</tt></b>
</pre><ns22:p>
</ns22:p><p>
</pre><p>
</p><p>
Do not forget to secure your LDAP server with an adequate access control list,
as well as an admin password.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><ns22:p>
Before Samba can access the LDAP server you need to stoe the LDAP admin password
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Before Samba can access the LDAP server you need to store the LDAP admin password
into the Samba-3 <tt class="filename">secrets.tdb</tt> database by:
</ns22:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -w <i class="replaceable"><tt>secret</tt></i></tt></b>
</pre><ns22:p>
</ns22:p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914149"></a>Configuring Samba</h4></div></div><div></div></div><p>
</pre><p>
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2912270"></a>Configuring Samba</h4></div></div><div></div></div><p>
The following parameters are available in smb.conf only if your
version of samba was built with LDAP support. Samba automatically builds with LDAP support if the
LDAP libraries are found.
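Review bot: The note in this hunk tells the reader to run smbpasswd -w secret, which puts the LDAP admin password on the command line where it is visible in the process list while the command runs and can be saved in the shell history. The text should say so and tell the reader to run it from a root shell with history disabled or to clear the entry afterwards. It is also worth stating that the {SSHA} userPassword value in the LDIF above is a sample to be replaced with slappasswd output, not a value to load as is.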
@ -525,8 +527,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
These are described in the <tt class="filename">smb.conf</tt> man
page and so will not be repeated here. However, a sample smb.conf file for
use with an LDAP directory could appear as
</p><ns22:p>
</ns22:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
## /usr/local/samba/lib/smb.conf
[global]
security = user
@ -555,7 +557,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
ldap delete dn = no
# the machine and user suffix added to the base suffix
# wrote WITHOUT quotes. NULL siffixes by default
# wrote WITHOUT quotes. NULL suffixes by default
ldap user suffix = ou=People
ldap machine suffix = ou=Systems
@ -567,27 +569,27 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
ldap suffix = &quot;ou=people,dc=samba,dc=org&quot;
# generally the default ldap search filter is ok
# ldap filter = &quot;(&amp;(uid=%u)(objectclass=sambaAccount))&quot;
</pre><ns22:p>
</ns22:p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914327"></a>Accounts and Groups management</h4></div></div><div></div></div><p>
As users accounts are managed thru the sambaAccount objectclass, you should
modify your existing administration tools to deal with sambaAccount attributes.
# ldap filter = &quot;(&amp;(uid=%u)(objectclass=sambaSamAccount))&quot;
</pre><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2912468"></a>Accounts and Groups management</h4></div></div><div></div></div><p>
As users accounts are managed through the sambaSamAccount objectclass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</p><p>
Machines accounts are managed with the sambaAccount objectclass, just
like users accounts. However, it's up to you to store thoses accounts
Machines accounts are managed with the sambaSamAccount objectclass, just
like users accounts. However, it's up to you to store those accounts
in a different tree of your LDAP namespace: you should use
&quot;ou=Groups,dc=plainjoe,dc=org&quot; to store groups and
&quot;ou=People,dc=plainjoe,dc=org&quot; to store users. Just configure your
NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
file).
</p><p>
In Samba release 3.0, the group management system is based on posix
groups. This means that Samba makes usage of the posixGroup objectclass.
In Samba release 3.0, the group management system is based on POSIX
groups. This means that Samba makes use of the posixGroup objectclass.
For now, there is no NT-like group system management (global and local
groups).
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914363"></a>Security and sambaAccount</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2912505"></a>Security and sambaSamAccount</h4></div></div><div></div></div><p>
There are two important points to remember when discussing the security
of sambaAccount entries in the directory.
of sambaSamAccount entries in the directory.
</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Never</em></span> retrieve the lmPassword or
ntPassword attribute values over an unencrypted LDAP session.</p></li><li><p><span class="emphasis"><em>Never</em></span> allow non-admin users to
view the lmPassword or ntPassword attribute values.</p></li></ul></div><p>
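Review bot: The machine accounts paragraph says to store those accounts in a different tree, but the containers it then names are ou=Groups for groups and ou=People for users, with no container for machines. The sample smb.conf above sets ldap machine suffix = ou=Systems, so the paragraph should name that container. The sample also mixes base DNs, using dc=samba,dc=org in ldap suffix and dc=plainjoe,dc=org in the LDIF and in this paragraph; pick one.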
@ -596,7 +598,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
on the details of LM/NT password hashes, refer to the
<a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Database</a> section of this chapter.
</p><p>
To remedy the first security issue, the &quot;ldap ssl&quot; smb.conf parameter defaults
To remedy the first security issue, the <i class="parameter"><tt>ldap ssl</tt></i> <tt class="filename">smb.conf</tt> parameter defaults
to require an encrypted session (<i class="parameter"><tt>ldap ssl = on</tt></i>) using
the default port of <tt class="constant">636</tt>
when contacting the directory server. When using an OpenLDAP server, it
@ -611,19 +613,19 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
The second security precaution is to prevent non-administrative users from
harvesting password hashes from the directory. This can be done using the
following ACL in <tt class="filename">slapd.conf</tt>:
</p><ns22:p>
</ns22:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
## allow the &quot;ldap admin dn&quot; access, but deny everyone else
access to attrs=lmPassword,ntPassword
by dn=&quot;cn=Samba Admin,ou=people,dc=plainjoe,dc=org&quot; write
by * none
</pre><ns22:p>
</ns22:p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914485"></a>LDAP special attributes for sambaAccounts</h4></div></div><div></div></div><p>
The sambaAccount objectclass is composed of the following attributes:
</p><ns22:p>
</ns22:p><div class="table"><a name="id2914501"></a><p class="title"><b>Table 11.1. Attributes in the sambaAccount objectclass (LDAP)</b></p><table summary="Attributes in the sambaAccount objectclass (LDAP)" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left"><tt class="constant">lmPassword</tt></td><td align="left">the LANMAN password 16-byte hash stored as a character
representation of a hexidecimal string.</td></tr><tr><td align="left"><tt class="constant">ntPassword</tt></td><td align="left">the NT password hash 16-byte stored as a character
representation of a hexidecimal string.</td></tr><tr><td align="left"><tt class="constant">pwdLastSet</tt></td><td align="left">The integer time in seconds since 1970 when the
</pre><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2912642"></a>LDAP special attributes for sambaSamAccounts</h4></div></div><div></div></div><p>
The sambaSamAccount objectclass is composed of the following attributes:
</p><p>
</p><div class="table"><a name="id2912659"></a><p class="title"><b>Table 11.1. Attributes in the sambaSamAccount objectclass (LDAP)</b></p><table summary="Attributes in the sambaSamAccount objectclass (LDAP)" border="1"><colgroup><col><col></colgroup><tbody><tr><td align="left"><tt class="constant">lmPassword</tt></td><td align="left">the LANMAN password 16-byte hash stored as a character
representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">ntPassword</tt></td><td align="left">the NT password hash 16-byte stored as a character
representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">pwdLastSet</tt></td><td align="left">The integer time in seconds since 1970 when the
<tt class="constant">lmPassword</tt> and <tt class="constant">ntPassword</tt> attributes were last set.
</td></tr><tr><td align="left"><tt class="constant">acctFlags</tt></td><td align="left">string of 11 characters surrounded by square brackets []
representing account flags such as U (user), W(workstation), X(no password expiration),
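Review bot: The ntPassword row still reads "the NT password hash 16-byte stored as a character", with the words out of order compared with the lmPassword row ("the LANMAN password 16-byte hash stored ..."). The regeneration picked up the "hexidecimal" to "hexadecimal" fix, so correct this wording in the DocBook source in the same pass.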
@ -644,14 +646,14 @@ access to attrs=lmPassword,ntPassword
</td></tr><tr><td align="left"><tt class="constant">userWorkstation</tt></td><td align="left">character string value currently unused.
</td></tr><tr><td align="left"><tt class="constant">rid</tt></td><td align="left">the integer representation of the user's relative identifier
(RID).</td></tr><tr><td align="left"><tt class="constant">primaryGroupID</tt></td><td align="left">the relative identifier (RID) of the primary group
of the user.</td></tr><tr><td align="left"><tt class="constant">domain</tt></td><td align="left">domain the user is part of.</td></tr></tbody></table></div><ns22:p>
</ns22:p><p>
of the user.</td></tr><tr><td align="left"><tt class="constant">domain</tt></td><td align="left">domain the user is part of.</td></tr></tbody></table></div><p>
</p><p>
The majority of these parameters are only used when Samba is acting as a PDC of
a domain (refer to the <a href="samba-pdc.html" title="Chapter 5. Domain Control">Samba as a primary domain controller</a> chapter for details on
how to configure Samba as a Primary Domain Controller). The following four attributes
are only stored with the sambaAccount entry if the values are non-default values:
are only stored with the sambaSamAccount entry if the values are non-default values:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>smbHome</td></tr><tr><td>scriptPath</td></tr><tr><td>logonPath</td></tr><tr><td>homeDrive</td></tr></table><p>
These attributes are only stored with the sambaAccount entry if
These attributes are only stored with the sambaSamAccount entry if
the values are non-default values. For example, assume TASHTEGO has now been
configured as a PDC and that <i class="parameter"><tt>logon home = \\%L\%u</tt></i> was defined in
its <tt class="filename">smb.conf</tt> file. When a user named &quot;becky&quot; logons to the domain,
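Review bot: The statement about non-default values now appears twice around the attribute list, first as "The following four attributes are only stored with the sambaSamAccount entry if the values are non-default values:" and again as "These attributes are only stored with the sambaSamAccount entry if the values are non-default values." The rename was applied to both copies; drop the second in the DocBook source and let that paragraph start at "For example, assume TASHTEGO ...". In the unchanged context, "logons to the domain" should read "logs on to the domain".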
@ -661,10 +663,10 @@ access to attrs=lmPassword,ntPassword
of the <i class="parameter"><tt>logon home</tt></i> parameter is used in its place. Samba
will only write the attribute value to the directory entry if the value is
something other than the default (e.g. <tt class="filename">\\MOBY\becky</tt>).
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914848"></a>Example LDIF Entries for a sambaAccount</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913008"></a>Example LDIF Entries for a sambaSamAccount</h4></div></div><div></div></div><p>
The following is a working LDIF with the inclusion of the posixAccount objectclass:
</p><ns22:p>
</ns22:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
dn: uid=guest2, ou=people,dc=plainjoe,dc=org
ntPassword: 878D8014606CDA29677A44EFA1353FC7
pwdMustChange: 2147483647
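Review bot: The heading anchor changes from id2914848 to id2913008 only because the stylesheet regenerates ids, so any existing link to #id2914848 breaks with this commit, and the same happens to every other idNNNNNNN anchor in the file. Give these sections an explicit id in the DocBook source, as the XML section already has with name="XMLpassdb", so the anchors survive regeneration.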
@ -672,26 +674,26 @@ access to attrs=lmPassword,ntPassword
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
pwdLastSet: 1010179124
logonTime: 0
objectClass: sambaAccount
objectClass: sambaSamAccount
uid: guest2
kickoffTime: 2147483647
acctFlags: [UX ]
logoffTime: 2147483647
rid: 19006
pwdCanChange: 0
</pre><ns22:p>
</ns22:p><p>
The following is an LDIF entry for using both the sambaAccount and
</pre><p>
</p><p>
The following is an LDIF entry for using both the sambaSamAccount and
posixAccount objectclasses:
</p><ns22:p>
</ns22:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
logonTime: 0
displayName: Gerald Carter
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
primaryGroupID: 1201
objectClass: posixAccount
objectClass: sambaAccount
objectClass: sambaSamAccount
acctFlags: [UX ]
userPassword: {crypt}BpM2ej8Rkzogo
uid: gcarter
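Review bot: The first example entry (uid=guest2) lists only "objectClass: sambaSamAccount" in the visible lines, yet the sentence introducing it in the preceding hunk says it is "a working LDIF with the inclusion of the posixAccount objectclass", while the second entry (uid=gcarter) is the one introduced as using both classes and actually carrying "objectClass: posixAccount". One of the two introductions is wrong; the first most likely should say "without". Fix it in the source while the objectclass name is being updated here.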
@ -707,56 +709,53 @@ access to attrs=lmPassword,ntPassword
pwdCanChange: 0
pwdMustChange: 2147483647
ntPassword: 878D8014606CDA29677A44EFA1353FC7
</pre><ns22:p>
</ns22:p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914909"></a>Password synchronisation</h4></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913071"></a>Password synchronisation</h4></div></div><div></div></div><p>
Since version 3.0 samba can update the non-samba (LDAP) password stored with an account. When
using pam_ldap, this allows changing both unix and windows passwords at once.
</p><p>The <i class="parameter"><tt>ldap passwd sync</tt></i> options can have the following values:</p><div class="variablelist"><dl><dt><span class="term">yes</span></dt><dd><p>When the user changes his password, update
<tt class="constant">ntPassword</tt>, <tt class="constant">lmPassword</tt>
and the <tt class="constant">password</tt> fields.</p></dd><dt><span class="term">no</span></dt><dd><p>Only update <tt class="constant">ntPassword</tt> and <tt class="constant">lmPassword</tt>.</p></dd><dt><span class="term">only</span></dt><dd><p>Only update the LDAP password and let the LDAP server worry
about the other fields. This option is only available when
the LDAP library supports LDAP_EXOP_X_MODIFY_PASSWD. </p></dd></dl></div><p>More information can be found in the <a href="smb.conf.5.html#LDAPPASSWDSYNC" target="_top">smb.conf</a> manpage.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2915021"></a>ldap trust ids</h4></div></div><div></div></div><p>
LDAP Performance can be improved by using the <b class="command">ldap trust ids</b> parameter.
See the <a href="smb.conf.5.html#LDAPTRUSTIDS" target="_top">smb.conf</a> manpage for details.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915051"></a>MySQL</h3></div></div><div></div></div><p>
about the other fields. This option is only available when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD. </p></dd></dl></div><p>More information can be found in the <a href="smb.conf.5.html#LDAPPASSWDSYNC" target="_top">smb.conf</a> manpage.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913185"></a>MySQL</h3></div></div><div></div></div><p>
Every so often someone will come along with a great new idea. Storing of user accounts in an
SQL backend is one of them. Those who want to do this are in the best position to know what the
specific benefits are to them. This may sound like a cop-out, but in truth we can not attempt
to document every nitty little detail why certain things of marginal utility to the bulk of
Samba users might make sense to the rest. In any case, the following instructions should help
the determined SQL user to implement a working system.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2915072"></a>Creating the database</h4></div></div><div></div></div><ns22:p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913204"></a>Creating the database</h4></div></div><div></div></div><p>
You either can set up your own table and specify the field names to pdb_mysql (see below
for the column names) or use the default table. The file <tt class="filename">examples/pdb/mysql/mysql.dump</tt>
contains the correct queries to create the required tables. Use the command :
</ns22:p><pre class="screen"><tt class="prompt">$ </tt><b class="userinput"><tt>mysql -u<i class="replaceable"><tt>username</tt></i> -h<i class="replaceable"><tt>hostname</tt></i> -p<i class="replaceable"><tt>password</tt></i> <i class="replaceable"><tt>databasename</tt></i> &gt; <tt class="filename">/path/to/samba/examples/pdb/mysql/mysql.dump</tt></tt></b></pre><ns22:p>
</ns22:p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2915136"></a>Configuring</h4></div></div><div></div></div><p>This plugin lacks some good documentation, but here is some short info:</p><ns22:p>Add a the following to the <i class="parameter"><tt>passdb backend</tt></i> variable in your <tt class="filename">smb.conf</tt>:
</ns22:p><pre class="programlisting">
</p><pre class="screen"><tt class="prompt">$ </tt><b class="userinput"><tt>mysql -u<i class="replaceable"><tt>username</tt></i> -h<i class="replaceable"><tt>hostname</tt></i> -p<i class="replaceable"><tt>password</tt></i> \
<i class="replaceable"><tt>databasename</tt></i> &lt; <tt class="filename">/path/to/samba/examples/pdb/mysql/mysql.dump</tt></tt></b></pre><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913268"></a>Configuring</h4></div></div><div></div></div><p>This plugin lacks some good documentation, but here is some short info:</p><p>Add a the following to the <i class="parameter"><tt>passdb backend</tt></i> variable in your <tt class="filename">smb.conf</tt>:
</p><pre class="programlisting">
passdb backend = [other-plugins] mysql:identifier [other-plugins]
</pre><ns22:p>
</ns22:p><p>The identifier can be any string you like, as long as it doesn't collide with
</pre><p>
</p><p>The identifier can be any string you like, as long as it doesn't collide with
the identifiers of other plugins or other instances of pdb_mysql. If you
specify multiple pdb_mysql.so entries in <i class="parameter"><tt>passdb backend</tt></i>, you also need to
use different identifiers!
</p><p>
Additional options can be given thru the <tt class="filename">smb.conf</tt> file in the <i class="parameter"><tt>[global]</tt></i> section.
</p><ns22:p>
</ns22:p><div class="table"><a name="id2915212"></a><p class="title"><b>Table 11.2. Basic smb.conf options for MySQL passdb backend</b></p><table summary="Basic smb.conf options for MySQL passdb backend" border="1"><colgroup><col><col></colgroup><thead><tr><th align="left">Field</th><th align="left">Contents</th></tr></thead><tbody><tr><td align="left">identifier:mysql host</td><td align="left">host name, defaults to 'localhost'</td></tr><tr><td align="left">identifier:mysql password</td><td align="left"> </td></tr><tr><td align="left">identifier:mysql user</td><td align="left">defaults to 'samba'</td></tr><tr><td align="left">identifier:mysql database</td><td align="left">defaults to 'samba'</td></tr><tr><td align="left">identifier:mysql port</td><td align="left">defaults to 3306</td></tr><tr><td align="left">identifier:table</td><td align="left">Name of the table containing users</td></tr></tbody></table></div><ns22:p>
</ns22:p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Since the password for the mysql user is stored in the
Additional options can be given through the <tt class="filename">smb.conf</tt> file in the <i class="parameter"><tt>[global]</tt></i> section.
</p><p>
</p><div class="table"><a name="id2913346"></a><p class="title"><b>Table 11.2. Basic smb.conf options for MySQL passdb backend</b></p><table summary="Basic smb.conf options for MySQL passdb backend" border="1"><colgroup><col><col></colgroup><thead><tr><th align="left">Field</th><th align="left">Contents</th></tr></thead><tbody><tr><td align="left">identifier:mysql host</td><td align="left">host name, defaults to 'localhost'</td></tr><tr><td align="left">identifier:mysql password</td><td align="left"> </td></tr><tr><td align="left">identifier:mysql user</td><td align="left">defaults to 'samba'</td></tr><tr><td align="left">identifier:mysql database</td><td align="left">defaults to 'samba'</td></tr><tr><td align="left">identifier:mysql port</td><td align="left">defaults to 3306</td></tr><tr><td align="left">identifier:table</td><td align="left">Name of the table containing users</td></tr></tbody></table></div><p>
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Since the password for the MySQL user is stored in the
<tt class="filename">smb.conf</tt> file, you should make the the <tt class="filename">smb.conf</tt> file
readable only to the user that runs samba. This is considered a security
readable only to the user that runs Samba This is considered a security
bug and will be fixed soon.
</p></div><p>Names of the columns in this table(I've added column types those columns should have first):</p><ns22:p>
</ns22:p><div class="table"><a name="id2915337"></a><p class="title"><b>Table 11.3. MySQL field names for MySQL passdb backend</b></p><table summary="MySQL field names for MySQL passdb backend" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Field</th><th align="left">Type</th><th align="left">Contents</th></tr></thead><tbody><tr><td align="left">identifier:logon time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:logoff time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:kickoff time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:pass last set time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:pass can change time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:pass must change time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:username column</td><td align="left">varchar(255)</td><td align="left">unix username</td></tr><tr><td align="left">identifier:domain column</td><td align="left">varchar(255)</td><td align="left">NT domain user is part of</td></tr><tr><td align="left">identifier:nt username column</td><td align="left">varchar(255)</td><td align="left">NT username</td></tr><tr><td align="left">identifier:fullname column</td><td align="left">varchar(255)</td><td align="left">Full name of user</td></tr><tr><td align="left">identifier:home dir column</td><td align="left">varchar(255)</td><td align="left">Unix homedir path</td></tr><tr><td align="left">identifier:dir drive column</td><td align="left">varchar(2)</td><td align="left">Directory drive path (eg: 'H:')</td></tr><tr><td align="left">identifier:logon script column</td><td align="left">varchar(255)</td><td align="left">Batch file to run on client side when logging 
on</td></tr><tr><td align="left">identifier:profile path column</td><td align="left">varchar(255)</td><td align="left">Path of profile</td></tr><tr><td align="left">identifier:acct desc column</td><td align="left">varchar(255)</td><td align="left">Some ASCII NT user data</td></tr><tr><td align="left">identifier:workstations column</td><td align="left">varchar(255)</td><td align="left">Workstations user can logon to (or NULL for all)</td></tr><tr><td align="left">identifier:unknown string column</td><td align="left">varchar(255)</td><td align="left">unknown string</td></tr><tr><td align="left">identifier:munged dial column</td><td align="left">varchar(255)</td><td align="left">?</td></tr><tr><td align="left">identifier:user sid column</td><td align="left">varchar(255)</td><td align="left">NT user SID</td></tr><tr><td align="left">identifier:group sid column</td><td align="left">varchar(255)</td><td align="left">NT group ID</td></tr><tr><td align="left">identifier:lanman pass column</td><td align="left">varchar(255)</td><td align="left">encrypted lanman password</td></tr><tr><td align="left">identifier:nt pass column</td><td align="left">varchar(255)</td><td align="left">encrypted nt passwd</td></tr><tr><td align="left">identifier:plain pass column</td><td align="left">varchar(255)</td><td align="left">plaintext password</td></tr><tr><td align="left">identifier:acct control column</td><td align="left">int(9)</td><td align="left">nt user data</td></tr><tr><td align="left">identifier:unknown 3 column</td><td align="left">int(9)</td><td align="left">unknown</td></tr><tr><td align="left">identifier:logon divs column</td><td align="left">int(9)</td><td align="left">?</td></tr><tr><td align="left">identifier:hours len column</td><td align="left">int(9)</td><td align="left">?</td></tr><tr><td align="left">identifier:unknown 5 column</td><td align="left">int(9)</td><td align="left">unknown</td></tr><tr><td align="left">identifier:unknown 6 column</td><td 
align="left">int(9)</td><td align="left">unknown</td></tr></tbody></table></div><ns22:p>
</ns22:p><p>
</p></div><p>Names of the columns in this table (I've added column types those columns should have first):</p><p>
</p><div class="table"><a name="id2913471"></a><p class="title"><b>Table 11.3. MySQL field names for MySQL passdb backend</b></p><table summary="MySQL field names for MySQL passdb backend" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Field</th><th align="left">Type</th><th align="left">Contents</th></tr></thead><tbody><tr><td align="left">identifier:logon time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:logoff time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:kickoff time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:pass last set time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:pass can change time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:pass must change time column</td><td align="left">int(9)</td><td align="left"> </td></tr><tr><td align="left">identifier:username column</td><td align="left">varchar(255)</td><td align="left">unix username</td></tr><tr><td align="left">identifier:domain column</td><td align="left">varchar(255)</td><td align="left">NT domain user is part of</td></tr><tr><td align="left">identifier:nt username column</td><td align="left">varchar(255)</td><td align="left">NT username</td></tr><tr><td align="left">identifier:fullname column</td><td align="left">varchar(255)</td><td align="left">Full name of user</td></tr><tr><td align="left">identifier:home dir column</td><td align="left">varchar(255)</td><td align="left">Unix homedir path</td></tr><tr><td align="left">identifier:dir drive column</td><td align="left">varchar(2)</td><td align="left">Directory drive path (eg: 'H:')</td></tr><tr><td align="left">identifier:logon script column</td><td align="left">varchar(255)</td><td align="left">Batch file to run on client side when logging 
on</td></tr><tr><td align="left">identifier:profile path column</td><td align="left">varchar(255)</td><td align="left">Path of profile</td></tr><tr><td align="left">identifier:acct desc column</td><td align="left">varchar(255)</td><td align="left">Some ASCII NT user data</td></tr><tr><td align="left">identifier:workstations column</td><td align="left">varchar(255)</td><td align="left">Workstations user can logon to (or NULL for all)</td></tr><tr><td align="left">identifier:unknown string column</td><td align="left">varchar(255)</td><td align="left">unknown string</td></tr><tr><td align="left">identifier:munged dial column</td><td align="left">varchar(255)</td><td align="left">?</td></tr><tr><td align="left">identifier:user sid column</td><td align="left">varchar(255)</td><td align="left">NT user SID</td></tr><tr><td align="left">identifier:group sid column</td><td align="left">varchar(255)</td><td align="left">NT group ID</td></tr><tr><td align="left">identifier:lanman pass column</td><td align="left">varchar(255)</td><td align="left">encrypted lanman password</td></tr><tr><td align="left">identifier:nt pass column</td><td align="left">varchar(255)</td><td align="left">encrypted nt passwd</td></tr><tr><td align="left">identifier:plain pass column</td><td align="left">varchar(255)</td><td align="left">plaintext password</td></tr><tr><td align="left">identifier:acct control column</td><td align="left">int(9)</td><td align="left">nt user data</td></tr><tr><td align="left">identifier:unknown 3 column</td><td align="left">int(9)</td><td align="left">unknown</td></tr><tr><td align="left">identifier:logon divs column</td><td align="left">int(9)</td><td align="left">?</td></tr><tr><td align="left">identifier:hours len column</td><td align="left">int(9)</td><td align="left">?</td></tr><tr><td align="left">identifier:unknown 5 column</td><td align="left">int(9)</td><td align="left">unknown</td></tr><tr><td align="left">identifier:unknown 6 column</td><td 
align="left">int(9)</td><td align="left">unknown</td></tr></tbody></table></div><p>
</p><p>
Eventually, you can put a colon (:) after the name of each column, which
should specify the column to update when updating the table. You can also
specify nothing behind the colon - then the data from the field will not be
updated.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2915718"></a>Using plaintext passwords or encrypted password</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913850"></a>Using plaintext passwords or encrypted password</h4></div></div><div></div></div><p>
I strongly discourage the use of plaintext passwords, however, you can use them:
</p><p>
If you would like to use plaintext passwords, set
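Review bot: In the Warning block the new line "readable only to the user that runs Samba This is considered a security" has lost the full stop after "Samba" that the old line had, so two sentences now run together in the one paragraph that tells the reader how to protect the MySQL password in smb.conf. While fixing that in the DocBook source, also remove the doubled words in "make the the smb.conf file" and "Add a the following", both carried over unchanged. Separately, this hunk drops the "ldap trust ids" subsection with no replacement text; if the parameter still exists, keep the pointer to the smb.conf manpage.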
@ -766,7 +765,7 @@ access to attrs=lmPassword,ntPassword
</p><p>
If you use encrypted passwords, set the 'identifier:plain pass
column' to 'NULL' (without the quotes). This is the default.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2915749"></a>Getting non-column data from the table</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913881"></a>Getting non-column data from the table</h4></div></div><div></div></div><p>
It is possible to have not all data in the database and making some 'constant'.
</p><p>
For example, you can set 'identifier:fullname column' to :
@ -775,36 +774,36 @@ access to attrs=lmPassword,ntPassword
Or, set 'identifier:workstations column' to :
<b class="command">NULL</b></p><p>See the MySQL documentation for more language constructs.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="XMLpassdb"></a>XML</h3></div></div><div></div></div><p>This module requires libxml2 to be installed.</p><p>The usage of pdb_xml is pretty straightforward. To export data, use:
</p><p>
<tt class="prompt">$ </tt><b class="userinput"><tt>pdbedit -e xml:filename</tt></b>
<tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -e xml:filename</tt></b>
</p><p>
(where filename is the name of the file to put the data in)
</p><p>
To import data, use:
<tt class="prompt">$ </tt><b class="userinput"><tt>pdbedit -i xml:filename</tt></b>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2915854"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915861"></a>Users can not logon - Users not in Samba SAM</h3></div></div><div></div></div><p>
People forget to put their users in their backend and then complain samba won't authorize them.
</p></div><div xmlns:ns23="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915876"></a>Users are being added to the wrong backend database</h3></div></div><div></div></div><p>
A few complaints have been recieved from users that just moved to samba-3. The following
<tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -i xml:filename</tt></b>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2913989"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913997"></a>Users can not logon - Users not in Samba SAM</h3></div></div><div></div></div><p>
People forget to put their users in their backend and then complain Samba won't authorize them.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914012"></a>Users are being added to the wrong backend database</h3></div></div><div></div></div><p>
A few complaints have been received from users that just moved to Samba-3. The following
<tt class="filename">smb.conf</tt> file entries were causing problems, new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</p><ns23:p>
</ns23:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[globals]
...
passdb backend = smbpasswd, tdbsam, guest
...
</pre><ns23:p>
</ns23:p><p>
</pre><p>
</p><p>
Samba will add new accounts to the first entry in the <span class="emphasis"><em>passdb backend</em></span>
parameter entry. If you want to update to the tdbsam, then change the entry to:
</p><ns23:p>
</ns23:p><pre class="programlisting">
</p><p>
</p><pre class="programlisting">
[globals]
...
passdb backend = tdbsam, smbpasswd, guest
...
</pre><ns23:p>
</ns23:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915936"></a>auth methods does not work</h3></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914072"></a>auth methods does not work</h3></div></div><div></div></div><p>
If you explicitly set an 'auth methods' parameter, guest must be specified as the first
entry on the line. Eg: <i class="parameter"><tt>auth methods = guest sam</tt></i>.
</p><p>
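Review bot: Both smb.conf listings under "Users are being added to the wrong backend database" open with "[globals]", but the section is named "[global]", as the MySQL part of this same page says ("in the [global] section"). Copied as shown, the block is read as an ordinary share definition named "globals", so the "passdb backend" order the text recommends would not take effect. Change both listings to "[global]" in the source. The pdbedit export line and the second import line also gain a stray space between the prompt and the command.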

View File

@ -1,288 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Passdb MySQL plugin</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Optional configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Unified Logons between Windows NT and UNIX using Winbind"
HREF="winbind.html"><LINK
REL="NEXT"
TITLE="Passdb XML plugin"
HREF="pdb-xml.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="winbind.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="pdb-xml.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="PDB-MYSQL">Chapter 16. Passdb MySQL plugin</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2566">16.1. Building</H1
><P
>To build the plugin, run <B
CLASS="COMMAND"
>make bin/pdb_mysql.so</B
>
in the <TT
CLASS="FILENAME"
>source/</TT
> directory of samba distribution. </P
><P
>Next, copy pdb_mysql.so to any location you want. I
strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2572">16.2. Configuring</H1
><P
>This plugin lacks some good documentation, but here is some short info:</P
><P
>Add a the following to the <B
CLASS="COMMAND"
>passdb backend</B
> variable in your <TT
CLASS="FILENAME"
>smb.conf</TT
>:
<PRE
CLASS="PROGRAMLISTING"
>passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]</PRE
></P
><P
>The identifier can be any string you like, as long as it doesn't collide with
the identifiers of other plugins or other instances of pdb_mysql. If you
specify multiple pdb_mysql.so entries in 'passdb backend', you also need to
use different identifiers!</P
><P
>Additional options can be given thru the smb.conf file in the [global] section.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>identifier:mysql host - host name, defaults to 'localhost'
identifier:mysql password
identifier:mysql user - defaults to 'samba'
identifier:mysql database - defaults to 'samba'
identifier:mysql port - defaults to 3306
identifier:table - Name of the table containing users</PRE
></P
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>WARNING: since the password for the mysql user is stored in the
smb.conf file, you should make the the smb.conf file
readable only to the user that runs samba. This is considered a security
bug and will be fixed soon.</I
></SPAN
></P
><P
>Names of the columns in this table(I've added column types those columns should have first):</P
><P
><PRE
CLASS="PROGRAMLISTING"
>identifier:logon time column - int(9)
identifier:logoff time column - int(9)
identifier:kickoff time column - int(9)
identifier:pass last set time column - int(9)
identifier:pass can change time column - int(9)
identifier:pass must change time column - int(9)
identifier:username column - varchar(255) - unix username
identifier:domain column - varchar(255) - NT domain user is part of
identifier:nt username column - varchar(255) - NT username
identifier:fullname column - varchar(255) - Full name of user
identifier:home dir column - varchar(255) - Unix homedir path
identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:')
identifier:logon script column - varchar(255) - Batch file to run on client side when logging on
identifier:profile path column - varchar(255) - Path of profile
identifier:acct desc column - varchar(255) - Some ASCII NT user data
identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all)
identifier:unknown string column - varchar(255) - unknown string
identifier:munged dial column - varchar(255) - ?
identifier:uid column - int(9) - Unix user ID (uid)
identifier:gid column - int(9) - Unix user group (gid)
identifier:user sid column - varchar(255) - NT user SID
identifier:group sid column - varchar(255) - NT group ID
identifier:lanman pass column - varchar(255) - encrypted lanman password
identifier:nt pass column - varchar(255) - encrypted nt passwd
identifier:plain pass column - varchar(255) - plaintext password
identifier:acct control column - int(9) - nt user data
identifier:unknown 3 column - int(9) - unknown
identifier:logon divs column - int(9) - ?
identifier:hours len column - int(9) - ?
identifier:unknown 5 column - int(9) - unknown
identifier:unknown 6 column - int(9) - unknown</PRE
></P
><P
>Eventually, you can put a colon (:) after the name of each column, which
should specify the column to update when updating the table. You can also
specify nothing behind the colon - then the data from the field will not be
updated. </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2589">16.3. Using plaintext passwords or encrypted password</H1
><P
>I strongly discourage the use of plaintext passwords, however, you can use them:</P
><P
>If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. </P
><P
>If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2594">16.4. Getting non-column data from the table</H1
><P
>It is possible to have not all data in the database and making some 'constant'.</P
><P
>For example, you can set 'identifier:fullname column' to :
<B
CLASS="COMMAND"
>CONCAT(First_name,' ',Sur_name)</B
></P
><P
>Or, set 'identifier:workstations column' to :
<B
CLASS="COMMAND"
>NULL</B
></P
><P
>See the MySQL documentation for more language constructs.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="winbind.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="pdb-xml.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Unified Logons between Windows NT and UNIX using Winbind</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Passdb XML plugin</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
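Review bot: section 16.3 explains how to switch to plaintext storage (set 'identifier:lanman pass column' and 'identifier:nt pass column' to NULL and point 'identifier:plain pass column' at a column) but never says who should be able to read that table, which per the column list also holds the encrypted lanman and nt passwords. The DocBook source should gain a sentence on restricting database access to the account Samba connects with. In the same list, 'munged dial', 'logon divs' and 'hours len' are described only as "?" and 'group sid' as "NT group ID" next to "NT user SID"; describe them or mark them "unknown" like their neighbours.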

View File

@ -1,184 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Passdb XML plugin</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Optional configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Passdb MySQL plugin"
HREF="pdb-mysql.html"><LINK
REL="NEXT"
TITLE="Stackable VFS modules"
HREF="vfs.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="pdb-mysql.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="vfs.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="PDB-XML">Chapter 17. Passdb XML plugin</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2613">17.1. Building</H1
><P
>This module requires libxml2 to be installed.</P
><P
>To build pdb_xml, run: <B
CLASS="COMMAND"
>make bin/pdb_xml.so</B
> in
the directory <TT
CLASS="FILENAME"
>source/</TT
>. </P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2619">17.2. Usage</H1
><P
>The usage of pdb_xml is pretty straightforward. To export data, use:
<B
CLASS="COMMAND"
>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</B
>
(where filename is the name of the file to put the data in)</P
><P
>To import data, use:
<B
CLASS="COMMAND"
>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</B
>
Where filename is the name to read the data from and current-pdb to put it in.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="pdb-mysql.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="vfs.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Passdb MySQL plugin</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Stackable VFS modules</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
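Review bot: in section 17.2 the import example combines -i and -e ("pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb"), and the explanation after it is a sentence fragment that never says what "current-pdb" should be replaced with. Both examples also hard-code /usr/lib/samba/pdb_xml.so, while section 17.1 builds the module as bin/pdb_xml.so under source/, so the reader is not told how the file gets to the path used. As the hunk takes the file from 184 lines to none, these fixes belong in the DocBook source if the chapter is regenerated under another name.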

View File

@ -12,7 +12,7 @@ sorce:500:Simo Sorce
samba:45:Test User
</pre></dd><dt><span class="term">-v</span></dt><dd><p>This option enables the verbose listing format.
It causes pdbedit to list the users in the database, printing
out the account fields in a descriptive format.</p><p>Example: <b class="command">pdbedit -l -v</b></p><pre class="screen">
out the account fields in a descriptive format.</p><p>Example: <b class="command">pdbedit -L -v</b></p><pre class="screen">
---------------
username: sorce
user ID/Group: 500/500
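Review bot: the example for -v changes from "pdbedit -l -v" to "pdbedit -L -v", but the context just above it still ends the previous option's sample output ("sorce:500:Simo Sorce", "samba:45:Test User"), and the command and term entry for that option sit outside the hunk. Check that they use the same -L spelling; otherwise the page documents the listing flag in two different cases.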

View File

@ -1,316 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Portability</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Appendixes"
HREF="appendixes.html"><LINK
REL="PREVIOUS"
TITLE="Appendixes"
HREF="appendixes.html"><LINK
REL="NEXT"
TITLE="Samba and other CIFS clients"
HREF="other-clients.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="appendixes.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="other-clients.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="PORTABILITY">Chapter 23. Portability</H1
><P
>Samba works on a wide range of platforms but the interface all the
platforms provide is not always compatible. This chapter contains
platform-specific information about compiling and using samba.</P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3139">23.1. HPUX</H1
><P
>HP's implementation of supplementary groups is, er, non-standard (for
hysterical reasons). There are two group files, /etc/group and
/etc/logingroup; the system maps UIDs to numbers using the former, but
initgroups() reads the latter. Most system admins who know the ropes
symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons
too stupid to go into here). initgroups() will complain if one of the
groups you're in in /etc/logingroup has what it considers to be an invalid
ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think)
60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody'
GIDs.</P
><P
>If you encounter this problem, make sure that the programs that are failing
to initgroups() be run as users not in any groups with GIDs outside the
allowed range.</P
><P
>This is documented in the HP manual pages under setgroups(2) and passwd(4).</P
><P
>On HPUX you must use gcc or the HP Ansi compiler. The free compiler
that comes with HP-UX is not Ansi compliant and cannot compile
Samba.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3145">23.2. SCO Unix</H1
><P
>
If you run an old version of SCO Unix then you may need to get important
TCP/IP patches for Samba to work correctly. Without the patch, you may
encounter corrupt data transfers using samba.</P
><P
>The patch you need is UOD385 Connection Drivers SLS. It is available from
SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z).</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3149">23.3. DNIX</H1
><P
>DNIX has a problem with seteuid() and setegid(). These routines are
needed for Samba to work correctly, but they were left out of the DNIX
C library for some reason.</P
><P
>For this reason Samba by default defines the macro NO_EID in the DNIX
section of includes.h. This works around the problem in a limited way,
but it is far from ideal, some things still won't work right.</P
><P
>
To fix the problem properly you need to assemble the following two
functions and then either add them to your C library or link them into
Samba.</P
><P
>
put this in the file <TT
CLASS="FILENAME"
>setegid.s</TT
>:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> .globl _setegid
_setegid:
moveq #47,d0
movl #100,a0
moveq #1,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts</PRE
></P
><P
>put this in the file <TT
CLASS="FILENAME"
>seteuid.s</TT
>:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> .globl _seteuid
_seteuid:
moveq #47,d0
movl #100,a0
moveq #0,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts</PRE
></P
><P
>after creating the above files you then assemble them using</P
><P
><B
CLASS="COMMAND"
>as seteuid.s</B
></P
><P
><B
CLASS="COMMAND"
>as setegid.s</B
></P
><P
>that should produce the files <TT
CLASS="FILENAME"
>seteuid.o</TT
> and
<TT
CLASS="FILENAME"
>setegid.o</TT
></P
><P
>then you need to add these to the LIBSM line in the DNIX section of
the Samba Makefile. Your LIBSM line will then look something like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>LIBSM = setegid.o seteuid.o -ln</PRE
></P
><P
>
You should then remove the line:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#define NO_EID</PRE
></P
><P
>from the DNIX section of <TT
CLASS="FILENAME"
>includes.h</TT
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3178">23.4. RedHat Linux Rembrandt-II</H1
><P
>By default RedHat Rembrandt-II during installation adds an
entry to /etc/hosts as follows:
<PRE
CLASS="PROGRAMLISTING"
> 127.0.0.1 loopback "hostname"."domainname"</PRE
></P
><P
>This causes Samba to loop back onto the loopback interface.
The result is that Samba fails to communicate correctly with
the world and therefor may fail to correctly negotiate who
is the master browse list holder and who is the master browser.</P
><P
>Corrective Action: Delete the entry after the word loopback
in the line starting 127.0.0.1</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="appendixes.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="other-clients.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Appendixes</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="appendixes.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Samba and other CIFS clients</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
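Review bot: "@ -1,316 +0,0 @" removes all of Chapter 23 while the commit message says only "regenerate docs", and nothing in the hunk shows where the HP-UX initgroups() note or the DNIX seteuid/setegid stubs now live. The DNIX section is the only place telling the reader that the default NO_EID build "works around the problem in a limited way", so confirm the regenerated set still contains it before merging. If the text is carried over, the source should also fix "therefor" in 23.4 and the hedged "(I think) 60000" for UID_MAX in 23.1.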

View File

@ -1,8 +1,7 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 18. Classical Printing Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"><link rel="next" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 18. Classical Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="printing"></a>Chapter 18. 
Classical Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname"> Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 32, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="printing.html#id2931857">Features and Benefits</a></dt><dt><a href="printing.html#id2931921">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2931958">What happens if you send a Job from a Client</a></dt><dt><a href="printing.html#id2932028">Printing Related Configuration Parameters</a></dt><dt><a href="printing.html#id2935137">Parameters Recommended for Use</a></dt><dt><a href="printing.html#id2930497">Parameters for Backwards Compatibility</a></dt><dt><a href="printing.html#id2930606">Parameters no longer in use</a></dt></dl></dd><dt><a href="printing.html#id2930699">A simple Configuration to Print with Samba-3</a></dt><dd><dl><dt><a href="printing.html#id2932704">Verification of &quot;Settings in Use&quot; with testparm</a></dt><dt><a href="printing.html#id2932787">A little Experiment to warn you</a></dt></dl></dd><dt><a href="printing.html#id2933095">Extended Sample Configuration to Print with Samba-3</a></dt><dt><a href="printing.html#id2933186">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="printing.html#id2933200">The [global] Section</a></dt><dt><a 
href="printing.html#id2942661">The [printers] Section</a></dt><dt><a href="printing.html#id2942990">Any [my_printer_name] Section</a></dt><dt><a href="printing.html#id2943210">Print Commands</a></dt><dt><a href="printing.html#id2943262">Default Print Commands for various Unix Print Subsystems</a></dt><dt><a href="printing.html#id2943787">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="printing.html#id2944064">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="printing.html#id2944219">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="printing.html#id2944370">The [printer$] Section is removed from Samba-3</a></dt><dt><a href="printing.html#id2944483">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2944553">Parameters in the [print$] Section</a></dt><dt><a href="printing.html#id2944774">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="printing.html#id2944935">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2945029">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="printing.html#id2945213">Setting Drivers for existing Printers with
rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2946811">&quot;The Proof of the Pudding lies in the Eating&quot; (Client Driver Insta
Procedure)</a></dt><dd><dl><dt><a href="printing.html#id2946832">The first Client Driver Installation</a></dt><dt><a href="printing.html#id2947030">IMPORTANT! Setting Device Modes on new Printers</a></dt><dt><a href="printing.html#id2947319">Further Client Driver Install Procedures</a></dt><dt><a href="printing.html#id2947414">Always make first Client Connection as root or &quot;printer admin&quot;</a></dt></dl></dd><dt><a href="printing.html#id2947556">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2947589">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="printing.html#id2948023">Supporting large Numbers of Printers</a></dt><dt><a href="printing.html#id2948326">Adding new Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2948569">Weird Error Message Cannot connect under a
different Name</a></dt><dt><a href="printing.html#id2948667">Be careful when assembling Driver Files</a></dt><dt><a href="printing.html#id2948938">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2949009">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="printing.html#id2949031">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2949076">What is Imprints?</a></dt><dt><a href="printing.html#id2949118">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2949137">The Imprints Server</a></dt><dt><a href="printing.html#id2949161">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2949313">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="printing.html#id2949643">The addprinter command</a></dt><dt><a href="printing.html#id2949688">Migration of &quot;Classical&quot; printing to Samba-3</a></dt><dt><a href="printing.html#id2949856">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2949870">Common Errors and Problems</a></dt><dd><dl><dt><a href="printing.html#id2949884">I give my root password but I don't get access</a></dt><dt><a href="printing.html#id2949917">My printjobs get spooled into the spooling directory, but then get lost</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931857"></a>Features and Benefits</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 18. Classical Printing Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"><link rel="next" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 18. Classical Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="printing"></a>Chapter 18. 
Classical Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname"> Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 32, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="printing.html#id2934522">Features and Benefits</a></dt><dt><a href="printing.html#id2934590">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2934627">What happens if you send a Job from a Client</a></dt><dt><a href="printing.html#id2934698">Printing Related Configuration Parameters</a></dt><dt><a href="printing.html#id2935615">Parameters Recommended for Use</a></dt><dt><a href="printing.html#id2935946">Parameters for Backwards Compatibility</a></dt><dt><a href="printing.html#id2936054">Parameters no longer in use</a></dt></dl></dd><dt><a href="printing.html#id2936147">A simple Configuration to Print with Samba-3</a></dt><dd><dl><dt><a href="printing.html#id2936216">Verification of &quot;Settings in Use&quot; with testparm</a></dt><dt><a href="printing.html#id2936305">A little Experiment to warn you</a></dt></dl></dd><dt><a href="printing.html#id2936612">Extended Sample Configuration to Print with Samba-3</a></dt><dt><a href="printing.html#id2936715">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="printing.html#id2936728">The [global] Section</a></dt><dt><a 
href="printing.html#id2937111">The [printers] Section</a></dt><dt><a href="printing.html#id2937440">Any [my_printer_name] Section</a></dt><dt><a href="printing.html#id2937660">Print Commands</a></dt><dt><a href="printing.html#id2937711">Default Print Commands for various Unix Print Subsystems</a></dt><dt><a href="printing.html#id2938236">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="printing.html#id2938516">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="printing.html#id2938681">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="printing.html#id2938833">The [printer$] Section is removed from Samba-3</a></dt><dt><a href="printing.html#id2938945">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2939016">Parameters in the [print$] Section</a></dt><dt><a href="printing.html#id2939247">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="printing.html#id2939408">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2939503">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="printing.html#id2939686">Setting Drivers for existing Printers with
rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2941408">&quot;The Proof of the Pudding lies in the Eating&quot; (Client Driver Install
Procedure)</a></dt><dd><dl><dt><a href="printing.html#id2941428">The first Client Driver Installation</a></dt><dt><a href="printing.html#id2941626">IMPORTANT! Setting Device Modes on new Printers</a></dt><dt><a href="printing.html#id2941915">Further Client Driver Install Procedures</a></dt><dt><a href="printing.html#id2942010">Always make first Client Connection as root or &quot;printer admin&quot;</a></dt></dl></dd><dt><a href="printing.html#id2942152">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2942185">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="printing.html#id2942622">Supporting large Numbers of Printers</a></dt><dt><a href="printing.html#id2942924">Adding new Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2943168">Weird Error Message Cannot connect under a
different Name</a></dt><dt><a href="printing.html#id2943267">Be careful when assembling Driver Files</a></dt><dt><a href="printing.html#id2943612">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2943683">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="printing.html#id2943705">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2943751">What is Imprints?</a></dt><dt><a href="printing.html#id2943792">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2943811">The Imprints Server</a></dt><dt><a href="printing.html#id2943835">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2943987">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="printing.html#id2944316">The addprinter command</a></dt><dt><a href="printing.html#id2944362">Migration of &quot;Classical&quot; printing to Samba-3</a></dt><dt><a href="printing.html#id2944531">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2944545">Common Errors and Problems</a></dt><dd><dl><dt><a href="printing.html#id2944558">I give my root password but I don't get access</a></dt><dt><a href="printing.html#id2944591">My printjobs get spooled into the spooling directory, but then get lost</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934522"></a>Features and Benefits</h2></div></div><div></div></div><p>
Printing is often a mission-critical service for the users. Samba can
provide this service reliably and seamlessly for a client network
consisting of Windows workstations.
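Review bot: the regenerated header still carries the publication date "May 32, 2003" in the "pubdate" paragraph, which is not a valid date; it should be corrected in the DocBook source rather than in this generated file. Apart from the table-of-contents title that previously ended in "Client Driver Insta", the visible differences between the old and new lines are the generated anchor ids (for example id2931857 becoming id2934522), so any external link to a section anchor in this chapter breaks on each regeneration; stable ids set in the source would avoid that.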
@ -19,7 +18,7 @@ install drivers and printers through their familiar &quot;Point'n'Print&quot;
mechanism. Printer installations executed by &quot;Logon Scripts&quot; are no
problem. Administrators can upload and manage drivers to be used by
clients through the familiar &quot;Add Printer Wizard&quot;. As an additional
benefit, driver and printer management may be run from the commandline
benefit, driver and printer management may be run from the command line
or through scripts, making it more efficient in case of large numbers
of printers. If a central accounting of print jobs (tracking every
single page and supplying the raw data for all sorts of statistical
@ -38,7 +37,7 @@ Professional clients. Where this document describes the responses to
commands given, bear in mind that Windows 2000 clients are very
similar, but may differ in details. Windows NT is somewhat different
again.
</p></div></div><div xmlns:ns44="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931921"></a>Technical Introduction</h2></div></div><div></div></div><ns44:p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2934590"></a>Technical Introduction</h2></div></div><div></div></div><p>
Samba's printing support always relies on the installed print
subsystem of the Unix OS it runs on. Samba is a &quot;middleman&quot;. It takes
printfiles from Windows (or other SMB) clients and passes them to the
@ -53,18 +52,18 @@ the next chapter covers in great detail the more modern
<span class="emphasis"><em>Common UNIX Printing System</em></span>
(CUPS).
</ns44:p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>CUPS users, be warned: don't just jump on to the next
</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>CUPS users, be warned: don't just jump on to the next
chapter. You might miss important information contained only
here!</p></div><ns44:p>
</ns44:p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931958"></a>What happens if you send a Job from a Client</h3></div></div><div></div></div><p>
here!</p></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934627"></a>What happens if you send a Job from a Client</h3></div></div><div></div></div><p>
To successfully print a job from a Windows client via a Samba
print server to a UNIX printer, there are 6 (potentially 7)
stages:
</p><div class="orderedlist"><ol type="1"><li><p>Windows opens a connection to the printershare</p></li><li><p>Samba must authenticate the user</p></li><li><p>Windows sends a copy of the printfile over the network
into Samba's spooling area</p></li><li><p>Windows closes the connection again</p></li><li><p>Samba invokes the print command to hand the file over
to the UNIX print subsystem's spooling area</p></li><li><p>The Unix print subsystem processes the print
job</p></li><li><p>The printfile may need to be explicitely deleted
from the Samba spooling area.</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932028"></a>Printing Related Configuration Parameters</h3></div></div><div></div></div><p>
job</p></li><li><p>The printfile may need to be explicitly deleted
from the Samba spooling area.</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934698"></a>Printing Related Configuration Parameters</h3></div></div><div></div></div><p>
There are a number of configuration parameters in
controlling Samba's printing
behaviour. Please also refer to the man page for smb.conf to
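Review bot: the trailing context of this hunk reads "There are a number of configuration parameters in" followed directly by "controlling Samba's printing", so something, most likely an inline element naming the file, is missing after "in" in the generated output; check the source markup for that sentence. The replacement of the "ns44:p" tags is otherwise consistent, but it leaves an empty paragraph after the Important box ("here!&lt;/p&gt;&lt;/div&gt;&lt;p&gt;" followed by "&lt;/p&gt;"), which suggests stray whitespace or an empty para in the source.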
@ -78,20 +77,20 @@ behaviour of all individual or service level shares (provided those
don't have a different setting defined for the same parameter, thus
overriding the global default).</p></dd><dt><span class="term">Global Parameters</span></dt><dd><p>These <span class="emphasis"><em>may not</em></span> go into individual
shares. If they go in by error, the &quot;testparm&quot; utility can discover
this (if you run it) and tell you so.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935137"></a>Parameters Recommended for Use</h3></div></div><div></div></div><p>The following <tt class="filename">smb.conf</tt> parameters directly
this (if you run it) and tell you so.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935615"></a>Parameters Recommended for Use</h3></div></div><div></div></div><p>The following <tt class="filename">smb.conf</tt> parameters directly
related to printing are used in Samba-3. See also the
<tt class="filename">smb.conf</tt> man page for detailed explanations:
</p><ns44:p><b>List of printing related parameters in Samba-3. </b>
</ns44:p><div class="itemizedlist"><p class="title"><b>Global level parameters:</b></p><ul type="disc"><li><p><i class="parameter"><tt>addprinter command (G)</tt></i></p></li><li><p><i class="parameter"><tt>deleteprinter command (G)</tt></i></p></li><li><p><i class="parameter"><tt>disable spoolss (G)</tt></i></p></li><li><p><i class="parameter"><tt>enumports command (G)</tt></i></p></li><li><p><i class="parameter"><tt>load printers (G)</tt></i></p></li><li><p><i class="parameter"><tt>lpq cache time (G)</tt></i></p></li><li><p><i class="parameter"><tt>os2 driver map (G)</tt></i></p></li><li><p><i class="parameter"><tt>printcap name (G), printcap (G)</tt></i></p></li><li><p><i class="parameter"><tt>show add printer wizard (G)</tt></i></p></li><li><p><i class="parameter"><tt>total print jobs (G)</tt></i></p></li><li><p><i class="parameter"><tt>use client driver (G)</tt></i></p></li></ul></div><ns44:p>
</p><p><b>List of printing related parameters in Samba-3. </b>
</p><div class="itemizedlist"><p class="title"><b>Global level parameters:</b></p><ul type="disc"><li><p><i class="parameter"><tt>addprinter command (G)</tt></i></p></li><li><p><i class="parameter"><tt>deleteprinter command (G)</tt></i></p></li><li><p><i class="parameter"><tt>disable spoolss (G)</tt></i></p></li><li><p><i class="parameter"><tt>enumports command (G)</tt></i></p></li><li><p><i class="parameter"><tt>load printers (G)</tt></i></p></li><li><p><i class="parameter"><tt>lpq cache time (G)</tt></i></p></li><li><p><i class="parameter"><tt>os2 driver map (G)</tt></i></p></li><li><p><i class="parameter"><tt>printcap name (G), printcap (G)</tt></i></p></li><li><p><i class="parameter"><tt>show add printer wizard (G)</tt></i></p></li><li><p><i class="parameter"><tt>total print jobs (G)</tt></i></p></li><li><p><i class="parameter"><tt>use client driver (G)</tt></i></p></li></ul></div><p>
</ns44:p><div class="itemizedlist"><p class="title"><b>Service level parameters:</b></p><ul type="disc"><li><p><i class="parameter"><tt>hosts allow (S)</tt></i></p></li><li><p><i class="parameter"><tt>hosts deny (S)</tt></i></p></li><li><p><i class="parameter"><tt>lppause command (S)</tt></i></p></li><li><p><i class="parameter"><tt>lpq command (S)</tt></i></p></li><li><p><i class="parameter"><tt>lpresume command (S)</tt></i></p></li><li><p><i class="parameter"><tt>lprm command (S)</tt></i></p></li><li><p><i class="parameter"><tt>max print jobs (S)</tt></i></p></li><li><p><i class="parameter"><tt>min print space (S)</tt></i></p></li><li><p><i class="parameter"><tt>print command (S)</tt></i></p></li><li><p><i class="parameter"><tt>printable (S), print ok (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer name (S), printer (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer admin (S)</tt></i></p></li><li><p><i class="parameter"><tt>printing = [cups|bsd|lprng...] (S)</tt></i></p></li><li><p><i class="parameter"><tt>queuepause command (S)</tt></i></p></li><li><p><i class="parameter"><tt>queueresume command (S)</tt></i></p></li><li><p><i class="parameter"><tt>total print jobs (S)</tt></i></p></li></ul></div><ns44:p>
</ns44:p><p>
</p><div class="itemizedlist"><p class="title"><b>Service level parameters:</b></p><ul type="disc"><li><p><i class="parameter"><tt>hosts allow (S)</tt></i></p></li><li><p><i class="parameter"><tt>hosts deny (S)</tt></i></p></li><li><p><i class="parameter"><tt>lppause command (S)</tt></i></p></li><li><p><i class="parameter"><tt>lpq command (S)</tt></i></p></li><li><p><i class="parameter"><tt>lpresume command (S)</tt></i></p></li><li><p><i class="parameter"><tt>lprm command (S)</tt></i></p></li><li><p><i class="parameter"><tt>max print jobs (S)</tt></i></p></li><li><p><i class="parameter"><tt>min print space (S)</tt></i></p></li><li><p><i class="parameter"><tt>print command (S)</tt></i></p></li><li><p><i class="parameter"><tt>printable (S), print ok (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer name (S), printer (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer admin (S)</tt></i></p></li><li><p><i class="parameter"><tt>printing = [cups|bsd|lprng...] (S)</tt></i></p></li><li><p><i class="parameter"><tt>queuepause command (S)</tt></i></p></li><li><p><i class="parameter"><tt>queueresume command (S)</tt></i></p></li><li><p><i class="parameter"><tt>total print jobs (S)</tt></i></p></li></ul></div><p>
</p><p>
Samba's printing support implements the Microsoft Remote Procedure
Calls (MS-RPC) methods for printing. These are used by Windows NT (and
later) print servers. The old &quot;LanMan&quot; protocol is still supported as
a fallback resort, and for older clients to use. More details will
follow further beneath.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930497"></a>Parameters for Backwards Compatibility</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935946"></a>Parameters for Backwards Compatibility</h3></div></div><div></div></div><p>
Two new parameters that were added in Samba 2.2.2, are still present
in Samba-3.0. Both of these options are described in the
<tt class="filename">smb.conf</tt> man page and are disabled by
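Review bot: The regenerated lists give "total print jobs" two scopes, (G) in the global list and (S) in the service-level list, and the "removed in Samba-3" list later in this file names "total print jobs (G)" as no longer usable. The DocBook source should state one scope and drop the parameter from whichever list is wrong. The ns44:p to p change itself is fine, but each itemizedlist div is still followed by an empty paragraph ("&lt;p&gt;" on one line, "&lt;/p&gt;&lt;p&gt;" on the next), which is worth fixing in the stylesheet rather than here.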
@ -101,19 +100,19 @@ provided for better support of Samba 2.0.x backwards capability. It
will disable Samba's support for MS-RPC printing and yield identical
printing behaviour to Samba 2.0.x.</p></dd><dt><span class="term"><i class="parameter"><tt>use client driver (G)</tt></i></span></dt><dd><p> was provided
for using local printer drivers on Windows NT/2000 clients. It does
not apply to Windows 95/98/ME clients.</p></dd></dl></div><ns44:p><b>Parameters &quot;for backward compatibility only&quot;, use with caution. </b>
</ns44:p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>disable spoolss (G)</tt></i></p></li><li><p><i class="parameter"><tt>use client driver (S)</tt></i></p></li></ul></div><ns44:p>
</ns44:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930606"></a>Parameters no longer in use</h3></div></div><div></div></div><p>
not apply to Windows 95/98/ME clients.</p></dd></dl></div><p><b>Parameters &quot;for backward compatibility only&quot;, use with caution. </b>
</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>disable spoolss (G)</tt></i></p></li><li><p><i class="parameter"><tt>use client driver (S)</tt></i></p></li></ul></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936054"></a>Parameters no longer in use</h3></div></div><div></div></div><p>
Samba users upgrading from 2.2.x to 3.0 need to be aware that some
previously available settings are no longer supported (as was
announced some time ago). Here is a list of them:
</p><ns44:p><b>&quot;old&quot; parameters, removed in Samba-3. </b>
</p><p><b>&quot;old&quot; parameters, removed in Samba-3. </b>
The following <tt class="filename">smb.conf</tt> parameters have been
deprecated already in Samba 2.2 and are now completely removed from
Samba-3. You cannot use them in new 3.0 installations:
</ns44:p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printer driver file (G)</tt></i></p></li><li><p><i class="parameter"><tt>total print jobs (G)</tt></i></p></li><li><p><i class="parameter"><tt>postscript (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer driver (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer driver location (S)</tt></i></p></li></ul></div><ns44:p>
</ns44:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930699"></a>A simple Configuration to Print with Samba-3</h2></div></div><div></div></div><p>
</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printer driver file (G)</tt></i></p></li><li><p><i class="parameter"><tt>total print jobs (G)</tt></i></p></li><li><p><i class="parameter"><tt>postscript (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer driver (S)</tt></i></p></li><li><p><i class="parameter"><tt>printer driver location (S)</tt></i></p></li></ul></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2936147"></a>A simple Configuration to Print with Samba-3</h2></div></div><div></div></div><p>
Here is a very simple example configuration for print related settings
in the file. If you compare it with your
own system's , you probably find some
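Review bot: The scope of "use client driver" is inconsistent in the added lines: the definition term and the global parameter list mark it (G), while the "for backward compatibility only" list marks it (S). Check the smb.conf man page and make the source agree in all three places before regenerating.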
@ -148,7 +147,7 @@ reminder: It even tolerates some spelling errors (like &quot;browsable&quot;
instead of &quot;browseable&quot;). Most spelling is case-insensitive. Also, you
can use &quot;Yes|No&quot; or &quot;True|False&quot; for boolean settings. Lists of names
may be separated by commas, spaces or tabs.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932704"></a>Verification of &quot;Settings in Use&quot; with <b class="command">testparm</b></h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936216"></a>Verification of &quot;Settings in Use&quot; with <b class="command">testparm</b></h3></div></div><div></div></div><p>
To see all (or at least most) printing related settings in Samba,
including the implicitly used ones, try the command outlined below
(hit &quot;ENTER&quot; twice!). It greps for all occurrences of &quot;lp&quot;, &quot;print&quot;,
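Review bot: The only change in this hunk is the generated anchor, id2932704 becoming id2936216, and the same renumbering accounts for most of the hunks in this file. Giving the sections explicit id attributes in the DocBook source would keep the anchors stable across regenerations, so existing links into the page keep working and real text changes are easier to spot in the diff.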
@ -202,7 +201,7 @@ be important in your future dealings with Samba.</em></span>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> testparm in Samba-3.0 behaves differently from 2.2.x: used
without the &quot;-v&quot; switch it only shows you the settings actually
written into ! To see the complete
configuration used, add the &quot;-v&quot; parameter to testparm.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932787"></a>A little Experiment to warn you</h3></div></div><div></div></div><p>
configuration used, add the &quot;-v&quot; parameter to testparm.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936305"></a>A little Experiment to warn you</h3></div></div><div></div></div><p>
Should you need to troubleshoot at any stage, please always come back
to this point first and verify if &quot;testparm&quot; shows the parameters you
expect! To give you an example from personal experience as a warning,
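Review bot: The note in this hunk still reads "written into !", with the file name missing before the exclamation mark, so the regeneration has not fixed it. The same gap shows in other context lines of this file ("in the file.", "settings in an .", "share in ?"). Since other passages render the name as a filename element containing smb.conf, check the element or entity used at these places in the source.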
@ -306,12 +305,12 @@ Samba version(s). But the man page states: &#8220;<span class="quote">Internal w
in a parameter value is retained verbatim.</span>&#8221; This means that a
line consisting of, for example,
</p><pre class="screen">
printing =lprng #This defines LPRng as the printing system&quot;
printing = lprng #This defines LPRng as the printing system&quot;
</pre><p>
will regard the whole of the string after the &quot;=&quot;
sign as the value you want to define. And this is an invalid value
that will be ignored, and a default value used instead.]
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933095"></a>Extended Sample Configuration to Print with Samba-3</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2936612"></a>Extended Sample Configuration to Print with Samba-3</h2></div></div><div></div></div><p>
Here we show a more verbose example configuration for print related
settings in an . Below is a discussion
and explanation of the various parameters. We chose to use BSD-style
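Review bot: The corrected example line "printing = lprng #This defines LPRng as the printing system" still ends with an unmatched double quote in both the old and the new version. If it is not intended as part of the invalid value being demonstrated, remove it in the source while this line is being touched, because readers will copy the screen block as shown.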
@ -369,9 +368,9 @@ default, because these have been compiled in. To see all settings, let
root use the <b class="command">testparm</b>
utility. <b class="command">testparm</b> also gives warnings if you have
mis-configured certain things..
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933186"></a>Detailed Explanation of the Example's Settings</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2936715"></a>Detailed Explanation of the Example's Settings</h2></div></div><div></div></div><p>
Following is a discussion of the settings from above shown example.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933200"></a>The [global] Section</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936728"></a>The [global] Section</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>[global]</tt></i> section is one of 4 special
sections (along with [<i class="parameter"><tt>[homes]</tt></i>,
<i class="parameter"><tt>[printers]</tt></i> and
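Review bot: Two typos in the unchanged context of this hunk survive the regeneration: "mis-configured certain things.." ends with a doubled period, and "(along with [" is followed by a parameter that already carries its own brackets, so the page renders "[[homes]". Both need fixing in the DocBook source.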
@ -445,7 +444,7 @@ It must <span class="emphasis"><em>not</em></span> be enabled on print shares
(with a <tt class="constant">yes</tt> or <tt class="constant">true</tt> setting) which
have valid drivers installed on the Samba server! For more detailed
explanations see the man page of <tt class="filename">smb.conf</tt>.
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942661"></a>The [printers] Section</h3></div></div><div></div></div><p>
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937111"></a>The [printers] Section</h3></div></div><div></div></div><p>
This is the second special section. If a section with this name
appears in the <tt class="filename">smb.conf</tt>, users are able to
connect to any printer specified in the Samba host's printcap file,
@ -493,7 +492,7 @@ yes</tt></i>. Since we have <i class="parameter"><tt>guest ok = yes</tt></i>,
it really doesn't need to be here! (This leads to the interesting
question: &#8220;<span class="quote">What, if I by accident have to contradictory settings
for the same share?</span>&#8221; The answer is: the last one encountered by
Sambe wins. The &quot;winner&quot; is shown by testparm. Testparm doesn't
Samba wins. The &quot;winner&quot; is shown by testparm. Testparm doesn't
complain about different settings of the same parameter for the same
share! You can test this by setting up multiple lines for the &quot;guest
account&quot; parameter with different usernames, and then run testparm to
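Review bot: The "Sambe" to "Samba" fix is right, but the same sentence still says "have to contradictory settings" two lines above it, where "two" is meant. Fix that in the source in the same pass.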
@ -505,7 +504,7 @@ write to the directory (if user privileges allow the connection), but
only via print spooling operations. &quot;Normal&quot; write operations are not
allowed. </p></dd><dt><span class="term"><i class="parameter"><tt>writeable = no</tt></i></span></dt><dd><p>
synonym for <i class="parameter"><tt>read only = yes</tt></i>
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942990"></a>Any [my_printer_name] Section</h3></div></div><div></div></div><p>
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937440"></a>Any [my_printer_name] Section</h3></div></div><div></div></div><p>
If a section appears in the , which is
tagged as <i class="parameter"><tt>printable = yes</tt></i>, Samba presents it as
a printer share to its clients. Note, that Win95/98/ME clients may
@ -540,7 +539,7 @@ belong to the &quot;allowed subnets&quot;). As you can see, you could name IP
addresses as well as NetBIOS hostnames
here.
</p></dd><dt><span class="term"><i class="parameter"><tt>guest ok = no</tt></i></span></dt><dd><p>this printer is not open for the guest account!
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943210"></a>Print Commands</h3></div></div><div></div></div><p>
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937660"></a>Print Commands</h3></div></div><div></div></div><p>
In each section defining a printer (or in the
<i class="parameter"><tt>[printers]</tt></i> section), a <i class="parameter"><tt>print
command</tt></i> parameter may be defined. It sets a command to
@ -558,7 +557,7 @@ your own print commands (or even develop print command shell scripts),
make sure you pay attention to the need to remove the files from the
Samba spool directory. Otherwise your hard disk may soon suffer from
shortage of free space.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943262"></a>Default Print Commands for various Unix Print Subsystems</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937711"></a>Default Print Commands for various Unix Print Subsystems</h3></div></div><div></div></div><p>
You learned earlier on, that Samba in most cases uses its built-in
settings for many parameters if it can not find an explicitly stated
one in its configuration file. The same is true for the
@ -598,7 +597,7 @@ check which command takes effect. Then check that this command is
adequate and actually works for your installed print subsystem. It is
always a good idea to explicitly set up your configuration files the
way you want them to work and not rely on any built-in defaults.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943787"></a>Setting up your own Print Commands</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938236"></a>Setting up your own Print Commands</h3></div></div><div></div></div><p>
After a print job has finished spooling to a service, the
<i class="parameter"><tt>print command</tt></i> will be used by Samba via a
<span class="emphasis"><em>system()</em></span> call to process the spool file. Usually
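Review bot: The context at the end of this hunk says the print command is run through a system() call, which means a shell parses the expanded command line. If the rest of this section does not already cover it, the source should tell authors of custom print commands and scripts to quote the substituted values (such as the %p and %s used in the myprintscript example further down) so that unusual printer or file names are passed as single arguments.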
@ -668,7 +667,7 @@ for the <i class="parameter"><tt>print command</tt></i> parameter varies dependi
the <i class="parameter"><tt>printing</tt></i> parameter. Another example is:
</p><pre class="programlisting">
print command = /usr/local/samba/bin/myprintscript %p %s
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944064"></a>Innovations in Samba Printing since 2.2</h2></div></div><div></div></div><p>
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2938516"></a>Innovations in Samba Printing since 2.2</h2></div></div><div></div></div><p>
Before version 2.2.0, Samba's print server support for Windows clients
was limited to the level of <span class="emphasis"><em>LanMan</em></span> printing
calls. This is the same protocol level as Windows 9x PCs offer when
@ -700,7 +699,7 @@ server to have printers listed in the Printers folder which are
<span class="emphasis"><em>not</em></span> shared. Samba does not make this
distinction. By definition, the only printers of which Samba is aware
are those which are specified as shares in
. The reason is that Windows NT/2k/XPprof
. The reason is that Windows NT/200x/XP Professional
clients do not normally need to use the standard SMB printer share;
rather they can print directly to any printer on another Windows NT
host using MS-RPC. This of course assumes that the printing client has
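Review bot: This line now reads "Windows NT/200x/XP Professional", but the context of a later hunk in this file still says "any Windows NT/2k/XP client workstation", so the client naming is inconsistent after this change. Update the remaining occurrences in the source so the whole chapter uses one form.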
@ -709,7 +708,7 @@ default permissions assigned by Windows NT to a printer gives the
&quot;Print&quot; permissions to the well-known <span class="emphasis"><em>Everyone</em></span>
group. (The older clients of type Win9x can only print to &quot;shared&quot;
printers).
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944219"></a>Client Drivers on Samba Server for <span class="emphasis"><em>Point'n'Print</em></span></h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938681"></a>Client Drivers on Samba Server for <span class="emphasis"><em>Point'n'Print</em></span></h3></div></div><div></div></div><p>
There is still confusion about what all this means: <span class="emphasis"><em>Is it or
is it not a requirement for printer drivers to be installed on a Samba
host in order to support printing from Windows clients?</em></span> The
@ -733,7 +732,7 @@ connect to this printer share. The <span class="emphasis"><em>uploading</em></sp
this driver to an existing Samba printer share can be achieved by
different means:
</p><div class="itemizedlist"><ul type="disc"><li><p>running the <span class="emphasis"><em>APW</em></span> on an
NT/2k/XPprof client (this doesn't work from 95/98/ME
NT/200x/XP Professional client (this doesn't work from 95/98/ME
clients);</p></li><li><p>using the <span class="emphasis"><em>Imprints</em></span>
toolset;</p></li><li><p>using the <span class="emphasis"><em>smbclient</em></span> and
<span class="emphasis"><em>rpcclient</em></span> commandline tools;</p></li><li><p>using <span class="emphasis"><em>cupsaddsmb</em></span>(only works for
@ -742,12 +741,12 @@ etc.).</p></li></ul></div><p>
Please take additional note of the following fact: <span class="emphasis"><em>Samba
does not use these uploaded drivers in any way to process spooled
files</em></span>. Drivers are utilized entirely by the clients, who
download and install them via the &quot;Point 'n'Print&quot; mechanism supported
download and install them via the &quot;Point'n'Print&quot; mechanism supported
by Samba. The clients use these drivers to generate print files in the
format the printer (or the Unix print system) requires. Print files
received by Samba are handed over to the Unix printing system, which
is responsible for all further processing, if needed.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944370"></a>The [printer$] Section is removed from Samba-3</h3></div></div><div></div></div><p><b>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938833"></a>The [printer$] Section is removed from Samba-3</h3></div></div><div></div></div><p><b>
<i class="parameter"><tt>[print$]</tt></i> vs. <i class="parameter"><tt>[printer$]</tt></i>
. </b>
Versions of Samba prior to 2.2 made it possible to use a share
@ -773,11 +772,11 @@ access (in the context of its ACLs) in order to support printer driver
down- and uploads. Don't fear -- this does not mean Windows 9x
clients are thrown aside now. They can use Samba's
<i class="parameter"><tt>[print$]</tt></i> share support just fine.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944483"></a>Creating the [print$] Share</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938945"></a>Creating the [print$] Share</h3></div></div><div></div></div><p>
In order to support the up- and downloading of printer driver files,
you must first configure a file share named
<i class="parameter"><tt>[print$]</tt></i>. The &quot;public&quot; name of this share is
hard coded in Samba's internals (because it is hardcoded in the MS
hard coded in Samba's internals (because it is hard coded in the MS
Windows clients too). It cannot be renamed since Windows clients are
programmed to search for a service of exactly this name if they want
to retrieve printer driver files.
@ -807,7 +806,7 @@ with appropriate values for your site):
</pre><p>
Of course, you also need to ensure that the directory named by the
<i class="parameter"><tt>path</tt></i> parameter exists on the Unix file system.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944553"></a>Parameters in the [print$] Section</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939016"></a>Parameters in the [print$] Section</h3></div></div><div></div></div><p>
<i class="parameter"><tt>[print$]</tt></i> is a special section in
. It contains settings relevant to
potential printer driver download and local installation by clients.
@ -852,7 +851,7 @@ sure these accounts can copy files to the share. If this is a non-root
account, then the account should also be mentioned in the global
<i class="parameter"><tt>printer admin </tt></i> parameter. See the
man page for more information on
configuring file shares. </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944774"></a>Subdirectory Structure in [print$]</h3></div></div><div></div></div><p>
configuring file shares. </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939247"></a>Subdirectory Structure in [print$]</h3></div></div><div></div></div><p>
In order for a Windows NT print server to support the downloading of
driver files by multiple client architectures, you must create several
subdirectories within the <i class="parameter"><tt>[print$]</tt></i> service
@ -891,12 +890,12 @@ client workstation. Open <span class="guiicon">Network Neighbourhood</span> or
Once you have located the server, navigate to its <span class="guiicon">Printers and
Faxes</span> folder. You should see an initial listing of printers
that matches the printer shares defined on your Samba host.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944935"></a>Installing Drivers into [print$]</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2939408"></a>Installing Drivers into [print$]</h2></div></div><div></div></div><p>
You have successfully created the <i class="parameter"><tt>[print$]</tt></i>
share in ? And Samba has re-read its
configuration? Good. But you are not yet ready to take off. The
<span class="emphasis"><em>driver files</em></span> need to be present in this share,
too! So far it is still an empty share. Unfortunatly, it is not enough
too! So far it is still an empty share. Unfortunately, it is not enough
to just copy the driver files over. They need to be <span class="emphasis"><em>set
up</em></span> too. And that is a bit tricky, to say the least. We
will now discuss two alternative ways to install the drivers into
@ -909,7 +908,7 @@ Properties</em></span> and <span class="emphasis"><em>Add Printer Wizard</em></s
from any Windows NT/2k/XP client workstation.</p></li></ul></div><p>
The latter option is probably the easier one (even if the only
entrance to this realm seems a little bit weird at first).
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945029"></a>Setting Drivers for existing Printers with a Client GUI</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939503"></a>Setting Drivers for existing Printers with a Client GUI</h3></div></div><div></div></div><p>
The initial listing of printers in the Samba host's
<span class="guiicon">Printers</span> folder accessed from a client's Explorer
will have no real printer driver assigned to them. By default, in
@ -935,13 +934,13 @@ now?</span></p><p>
Only now you will be presented with the printer properties window. From here,
the way to assign a driver to a printer is open to us. You have now the choice
either:
</p><div class="itemizedlist"><ul type="disc"><li><p>select a driver from the popup list of installed
</p><div class="itemizedlist"><ul type="disc"><li><p>select a driver from the pop-up list of installed
drivers. <span class="emphasis"><em>Initially this list will be empty.</em></span>
Or</p></li><li><p>use the <span class="guibutton">New Driver...</span> button to
install a new printer driver (which will in fact start up the
APW).</p></li></ul></div><p>
Once the APW is started, the procedure is exactly the same as the one
you are familiar with in Wiindows (we assume here that you are
you are familiar with in Windows (we assume here that you are
familiar with the printer driver installations procedure on Windows
NT). Make sure your connection is in fact setup as a user with
<i class="parameter"><tt>printer admin</tt></i> privileges (if in doubt, use
@ -955,7 +954,7 @@ Assuming you have connected with an administrative (or root) account
you will also be able to modify other printer properties such as ACLs
and default device settings using this dialog. For the default device
settings, please consider the advice given further below.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945213"></a>Setting Drivers for existing Printers with
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939686"></a>Setting Drivers for existing Printers with
<b class="command">rpcclient</b></h3></div></div><div></div></div><p>
The second way to install printer drivers into
<i class="parameter"><tt>[print$]</tt></i> and set them up in a valid way can be
@ -964,13 +963,13 @@ done from the UNIX command line. This involves four distinct steps:
and collecting the files together;</p></li><li><p>deposit the driver files into the
<i class="parameter"><tt>[print$]</tt></i> share's correct subdirectories
(possibly by using <b class="command">smbclient</b>);</p></li><li><p>running the <b class="command">rpcclient</b>
commandline utility once with the <b class="command">addriver</b>
commandline utility once with the <b class="command">adddriver</b>
subcommand,</p></li><li><p>running <b class="command">rpcclient</b> a second
time with the <b class="command">setdriver</b>
subcommand.</p></li></ol></div><p>
We will provide detailed hints for each of these steps in the next few
paragraphs.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945322"></a>Identifying the Driver Files</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2939795"></a>Identifying the Driver Files</h4></div></div><div></div></div><p>
To find out about the driver files, you have two options: you could
investigate the driver CD which comes with your printer. Study the
<tt class="filename">*.inf</tt> file on the CD, if it is contained. This
@ -1066,14 +1065,14 @@ from Windows Explorer to poke at it. The Win9x driver files will end
up in subdirectory &quot;0&quot; of the &quot;WIN40&quot; directory. The full path to
access them will be
<tt class="filename">\\WINDOWSHOST\print$\WIN40\0\</tt>.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> more recent drivers on Windows 2000 and Wndows XP are
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> more recent drivers on Windows 2000 and Windows XP are
installed into the &quot;3&quot; subdirectory instead of the &quot;2&quot;. The version 2
of drivers, as used in Windows NT, were running in Kernel Mode.
Windows 2000 changed this. While it still can use the Kernel Mode
drivers (if this is enabled by the Admin), its native mode for printer
drivers is User Mode execution. This requires drivers designed for
this. These type of drivers install into the &quot;3&quot; subdirectory.
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945650"></a>Collecting the Driver Files from a Windows Host's
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940123"></a>Collecting the Driver Files from a Windows Host's
[print$] Share</h4></div></div><div></div></div><p>
Now we need to collect all the driver files we identified. in our
previous step. Where do we get them from? Well, why not retrieve them
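Review bot: The context after the "Wndows" fix still has a stray period in "all the driver files we identified. in our previous step", and the note above it says "These type of drivers". Both are small, but they sit next to the corrected line and should be fixed in the source at the same time.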
@ -1109,7 +1108,7 @@ files for these architectures are in the WIN40/0/ subdir. Once we are
complete, we can run <b class="command">smbclient ... put</b> to store
the collected files on the Samba server's
<i class="parameter"><tt>[print$]</tt></i> share.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945802"></a>Depositing the Driver Files into [print$]</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940276"></a>Depositing the Driver Files into [print$]</h4></div></div><div></div></div><p>
So, now we are going to put the driver files into the
<i class="parameter"><tt>[print$]</tt></i> share. Remember, the UNIX path to this
share has been defined previously in your
@ -1170,7 +1169,7 @@ re-location will automatically be done by the
don't forget to also put the files for the Win95/98/ME architecture
into the <tt class="filename">WIN40/</tt> subdirectory should you need
them).
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946005"></a>Check if the Driver Files are there (with smbclient)</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940512"></a>Check if the Driver Files are there (with smbclient)</h4></div></div><div></div></div><p>
For now we verify that our files are there. This can be done with
<b class="command">smbclient</b> too (but of course you can log in via SSH
also and do this through a standard UNIX shell access too):
@ -1223,7 +1222,7 @@ Point'n'Print. The reason is: Samba doesn't know yet that these files
are something special, namely <span class="emphasis"><em>printer driver
files</em></span> and it doesn't know yet to which print queue(s) these
driver files belong.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946121"></a>Running <b class="command">rpcclient</b> with
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940672"></a>Running <b class="command">rpcclient</b> with
<b class="command">adddriver</b></h4></div></div><div></div></div><p>
So, next you must tell Samba about the special category of the files
you just uploaded into the <i class="parameter"><tt>[print$]</tt></i> share. This
@ -1250,7 +1249,7 @@ again, for readability:
</pre><p>
After this step the driver should be recognized by Samba on the print
server. You need to be very carefull when typing the command. Don't
server. You need to be very careful when typing the command. Don't
exchange the order of the fields. Some changes would lead to a
<tt class="computeroutput">NT_STATUS_UNSUCCESSFUL</tt> error
message. These become obvious. Other changes might install the driver
@ -1258,7 +1257,7 @@ files successfully, but render the driver unworkable. So take care!
Hints about the syntax of the adddriver command are in the man
page. The CUPS printing chapter of this HOWTO collection provides a
more detailed description, if you should need it.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946221"></a>Check how Driver Files have been moved after
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940772"></a>Check how Driver Files have been moved after
<b class="command">adddriver</b> finished</h4></div></div><div></div></div><p>
One indication for Samba's recognition of the files as driver files is
the <tt class="computeroutput">successfully installed</tt> message.
@ -1306,19 +1305,19 @@ subdirectory. You can check this again with
</pre><p>
Another verification is that the timestamp of the printing TDB files
is now updated (and possibly their filesize has increased).
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946345"></a>Check if the Driver is recognized by Samba</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2940941"></a>Check if the Driver is recognized by Samba</h4></div></div><div></div></div><p>
Now the driver should be registered with Samba. We can easily verify
this, and will do so in a moment. However, this driver is
<span class="emphasis"><em>not yet</em></span> associated with a particular
<span class="emphasis"><em>printer</em></span>. We may check the driver status of the
files by at least three methods:
</p><div class="itemizedlist"><ul type="disc"><li><p>from any Windows client browse Network Neighbourhood,
finde the Samba host and open the Samba <span class="guiicon">Printers and
find the Samba host and open the Samba <span class="guiicon">Printers and
Faxes</span> folder. Select any printer icon, right-click and
select the printer <span class="guimenuitem">Properties</span>. Click on the
<span class="guilabel">Advanced</span> tab. Here is a field indicating the
driver for that printer. A drop down menu allows you to change that
driver (be carefull to not do this unwittingly.). You can use this
driver (be careful to not do this unwittingly.). You can use this
list to view all drivers know to Samba. Your new one should be amongst
them. (Each type of client will only see his own architecture's
list. If you don't have every driver installed for each platform, the
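Review bot: the spelling pass in this list item fixes "finde" and "carefull" but leaves "view all drivers know to Samba" two lines further down, which should read "known to Samba". Fix it in the source alongside the other two so the paragraph is corrected in one go.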
@ -1350,7 +1349,7 @@ time. Our new driver only shows up for
<span class="application">Windows NT 4.0 or 2000</span>. To
have it present for <span class="application">Windows 95, 98 and ME</span> you'll
have to repeat the whole procedure with the WIN40 architecture and subdirectory.
</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946548"></a>A sidenote: you are not bound to specific driver names</h4></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2941145"></a>A side note: you are not bound to specific driver names</h4></div></div><div></div></div><p>
You can name the driver as you like. If you repeat the
<b class="command">adddriver</b> step, with the same files as before, but
with a different driver name, it will work the same:
@ -1383,8 +1382,8 @@ repeatedly. Each run &quot;consumes&quot; the files you had put into the
<i class="parameter"><tt>[print$]</tt></i> share by moving them into the
respective subdirectories. So you <span class="emphasis"><em>must</em></span> precede an
<b class="command">smbclient ... put</b> command before each
<b class="command">rpcclient ... addriver</b>&quot; command.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946660"></a>La Grande Finale: Running <b class="command">rpcclient</b> with
<b class="command">rpcclient ... adddriver</b>&quot; command.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2941256"></a>La Grande Finale: Running <b class="command">rpcclient</b> with
<b class="command">setdriver</b></h4></div></div><div></div></div><p>
Samba still needs to know <span class="emphasis"><em>which</em></span> printer's driver
this is. It needs to create a mapping of the driver to a printer, and
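Review bot: the corrected line still ends with a stray closing quote after the command markup: rpcclient ... adddriver</b>&quot; command. There is no opening quote before the <b class="command"> element, so the rendered sentence shows an unmatched quotation mark. Drop the &quot; in the source while fixing the command name.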
@ -1400,7 +1399,7 @@ name I intended:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b>
cmd = setdriver dm9110 dm9110
Succesfully set dm9110 to driver dm9110.
Successfully set dm9110 to driver dm9110.
</pre><p>
The syntax of the command is <b class="userinput"><tt>rpcclient
-U'root%<i class="replaceable"><tt>sambapassword</tt></i>' -c 'setdriver
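Review bot: the "Succesfully" to "Successfully" correction is inside a <pre class="screen"> transcript, where the line is presented as literal rpcclient output rather than prose. Please confirm that the tool prints the corrected spelling, or fix the message string in rpcclient in the same change. Otherwise the documented output no longer matches what an administrator sees or searches for in a log.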
@ -1414,13 +1413,13 @@ known to
Samba already. A bug in 2.2.x prevented Samba from recognizing freshly
installed printers. You had to restart Samba, or at least send a HUP
signal to all running smbd processes to work around this:
<b class="userinput"><tt>kill -HUP `pidof smbd`</tt></b>. </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2946811"></a>&quot;The Proof of the Pudding lies in the Eating&quot; (Client Driver Insta
<b class="userinput"><tt>kill -HUP `pidof smbd`</tt></b>. </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2941408"></a>&quot;The Proof of the Pudding lies in the Eating&quot; (Client Driver Install
Procedure)</h2></div></div><div></div></div><p>
A famous philosopher said once: &#8220;<span class="quote">The Proof of the Pudding lies
in the Eating</span>&#8221;. The proof for our setup lies in the printing.
So let's install the printer driver onto the client PCs. This is not
as straightforward as it may seem. Read on.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946832"></a>The first Client Driver Installation</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941428"></a>The first Client Driver Installation</h3></div></div><div></div></div><p>
Especially important is the installation onto the first client PC (for
each architectural platform separately). Once this is done correctly,
all further clients are easy to setup and shouldn't need further
@ -1463,7 +1462,7 @@ Data&quot; set is still incomplete.
</p><p>
You must now make sure that a valid &quot;Device Mode&quot; is set for the
driver. Don't fear -- we will explain now what that means.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947030"></a>IMPORTANT! Setting Device Modes on new Printers</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941626"></a>IMPORTANT! Setting Device Modes on new Printers</h3></div></div><div></div></div><p>
In order for a printer to be truly usable by a Windows NT/2K/XP
client, it must possess:
</p><div class="itemizedlist"><ul type="disc"><li><p>a valid <span class="emphasis"><em>Device Mode</em></span> generated by
@ -1535,7 +1534,7 @@ properties. Others may crash the client's spooler service. So use this
parameter with caution. It is always better to have the client
generate a valid device mode for the printer and store it on the
server for you.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947319"></a>Further Client Driver Install Procedures</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941915"></a>Further Client Driver Install Procedures</h3></div></div><div></div></div><p>
Every further driver may be done by any user, along the lines
described above: Browse network, open printers folder on Samba server,
right-click printer and choose <span class="guimenuitem">Connect...</span>. Once
@ -1555,7 +1554,7 @@ rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2
You can enter the commands either inside a <span class="guilabel">DOS box</span> window
or in the <span class="guimenuitem">Run command...</span> field from the
<span class="guimenu">Start</span> menu.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947414"></a>Always make first Client Connection as root or &quot;printer admin&quot;</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942010"></a>Always make first Client Connection as root or &quot;printer admin&quot;</h3></div></div><div></div></div><p>
After you installed the driver on the Samba server (in its
<i class="parameter"><tt>[print$]</tt></i> share, you should always make sure
that your first client installation completes correctly. Make it a habit for
@ -1587,17 +1586,17 @@ the same way (called <span class="emphasis"><em>Point'n'Print</em></span>) will
have the same defaults set for them. If you miss this step you'll
get a lot of helpdesk calls from your users. But maybe you like to
talk to people.... ;-)
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947556"></a>Other Gotchas</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2942152"></a>Other Gotchas</h2></div></div><div></div></div><p>
Your driver is installed. It is ready for
<span class="emphasis"><em>Point'n'Print</em></span> installation by the clients
now. You <span class="emphasis"><em>may</em></span> have tried to download and use it
onto your first client machine now. But wait... let's make you
acquainted first with a few tips and tricks you may find useful. For
example, suppose you didn't manage to &quot;set the defaults&quot; on the
printer, as advised in the preceeding paragraphs? And your users
printer, as advised in the preceding paragraphs? And your users
complain about various issues (such as &#8220;<span class="quote">We need to set the paper
size for each job from Letter to A4 and it won't store it!</span>&#8221;)
</p><div xmlns:ns48="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947589"></a>Setting Default Print Options for the Client Drivers</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942185"></a>Setting Default Print Options for the Client Drivers</h3></div></div><div></div></div><p>
The last sentence might be viewed with mixed feelings by some users and
admins. They have struggled for hours and hours and couldn't arrive at
a point were their settings seemed to be saved. It is not their
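Review bot: "couldn't arrive at a point were their settings seemed to be saved" in the first paragraph of "Setting Default Print Options for the Client Drivers" should read "where". This hunk already corrects "preceeding" a few lines up, so this one belongs in the same source fix.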
@ -1607,7 +1606,7 @@ up when you right-click the printer name and select
looking dialogs, each claiming that they help you to set printer options,
in three different ways. Here is the definite answer to the &quot;Samba
Default Driver Setting FAQ&quot;:
</p><ns48:p><b>&#8220;<span class="quote">I can't set and save default print options
</p><p><b>&#8220;<span class="quote">I can't set and save default print options
for all users on Win2K/XP! Why not?</span>&#8221; </b>
How are you doing it? I bet the wrong way.... (it is not very
easy to find out, though). There are 3 different ways to bring you to
@ -1618,34 +1617,34 @@ dialogs <span class="emphasis"><em>look</em></span> the same. Only one of them
Administrator to do this for all users. Here is how I reproduce it in
on XP Professional:
</ns48:p><div class="orderedlist"><ol type="A"><li xmlns:ns45=""><ns45:p>The first &quot;wrong&quot; way:
</p><div class="orderedlist"><ol type="A"><li><p>The first &quot;wrong&quot; way:
</ns45:p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guiicon">Printers</span>
</p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guiicon">Printers</span>
folder.</p></li><li><p>Right-click on the printer
(<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and
select in context menu <span class="guimenu">Printing
Preferences...</span></p></li><li><p>Look at this dialog closely and remember what it looks
like.</p></li></ol></div><ns45:p>
</ns45:p></li><li xmlns:ns46=""><ns46:p>The second &quot;wrong&quot; way:
like.</p></li></ol></div><p>
</p></li><li><p>The second &quot;wrong&quot; way:
</ns46:p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guimenu">Printers</span>
</p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guimenu">Printers</span>
folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on
cupshost</em></span>) and select in the context menu
<span class="guimenuitem">Properties</span></p></li><li><p>Click on the <span class="guilabel">General</span>
tab</p></li><li><p>Click on the button <span class="guibutton">Printing
Preferences...</span></p></li><li><p>A new dialog opens. Keep this dialog open and go back
to the parent dialog.</p></li></ol></div><ns46:p>
</ns46:p></li><li xmlns:ns47=""><ns47:p>The third, the &quot;correct&quot; way: (should you do
to the parent dialog.</p></li></ol></div><p>
</p></li><li><p>The third, the &quot;correct&quot; way: (should you do
this from the beginning, just carry out steps 1. and 2. from second
&quot;way&quot; above)
</ns47:p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="guilabel">Advanced</span>
</p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="guilabel">Advanced</span>
tab. (Hmmm... if everything is &quot;Grayed Out&quot;, then you are not logged
in as a user with enough privileges).</p></li><li><p>Click on the <span class="guibutton">Printing
Defaults...</span> button.</p></li><li><p>On any of the two new tabs, click on the
<span class="guilabel">Advanced...</span> button.</p></li><li><p>A new dialog opens. Compare this one to the other,
identical looking one from &quot;B.5&quot; or A.3&quot;.</p></li></ol></div><ns47:p>
</ns47:p></li></ol></div><ns48:p>
identical looking one from &quot;B.5&quot; or A.3&quot;.</p></li></ol></div><p>
</p></li></ol></div><p>
Do you see any difference in the two settings dialogs? I don't
either. However, only the last one, which you arrived at with steps
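Review bot: the last step of the "correct" way still has unbalanced quoting: identical looking one from &quot;B.5&quot; or A.3&quot;. The opening quote before A.3 is missing. The introductory sentence above the list also reads "Here is how I reproduce it in on XP Professional", with a doubled preposition. Both are source-text problems that the namespace cleanup in this hunk carries over unchanged.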
@ -1655,8 +1654,8 @@ defaults, you need to conduct these steps as administrator
(<i class="parameter"><tt>printer admin</tt></i> in )
<span class="emphasis"><em>before</em></span> a client downloads the driver (the clients
can later set their own <span class="emphasis"><em>per-user defaults</em></span> by
following the procedures<span class="emphasis"><em>A.</em></span>
or<span class="emphasis"><em>B.</em></span> above...). (This is new: Windows 2000 and
following the procedures <span class="emphasis"><em>A.</em></span>
or <span class="emphasis"><em>B.</em></span> above...). (This is new: Windows 2000 and
Windows XP allow <span class="emphasis"><em>per-user</em></span> default settings and
the ones the administrator gives them, before they set up their own).
The &quot;parents&quot; of the identically looking dialogs have a slight
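Review bot: the first line of this hunk renders as (<i class="parameter"><tt>printer admin</tt></i> in ), with nothing between "in" and the closing parenthesis. An inline reference, presumably a file name, has been dropped from the generated output. Check the source element and the stylesheet that produced it, so readers are told where the printer admin parameter is set.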
@ -1672,7 +1671,7 @@ try the same way with Win2k or WinXP. You wouldn't dream
that there is now a different &quot;clicking path&quot; to arrive at an
identically looking, but functionally different dialog to set defaults
for all users!
</ns48:p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Try (on Win2000 and WinXP) to run this command (as a user
</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Try (on Win2000 and WinXP) to run this command (as a user
with the right privileges):
</p><p><b class="userinput"><tt>
rundll32 printui.dll,PrintUIEntry /p /t3 /n\\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
@ -1686,7 +1685,7 @@ to see the tab with the <span class="guilabel">Printing Preferences...</span>
button (the one which doesn't set system-wide defaults). You can
start the commands from inside a DOS box&quot; or from the <span class="guimenu">Start</span>
-- <span class="guimenuitem">Run...</span> menu.
</p></div></div><div xmlns:ns49="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948023"></a>Supporting large Numbers of Printers</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942622"></a>Supporting large Numbers of Printers</h3></div></div><div></div></div><p>
One issue that has arisen during the recent development phase of Samba
is the need to support driver downloads for 100's of printers. Using
Windows NT APW here is somewhat awkward (to say the least). If you
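Review bot: in the Tip text, "start the commands from inside a DOS box&quot; or from the Start -- Run... menu" has a closing quote with no opening one. Either quote "DOS box" fully or remove the stray &quot; in the source.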
@ -1723,9 +1722,9 @@ following is an example of how this could be accomplished:
Driver Name: [myphantasydrivername]
[....]
</pre><ns49:p>
</pre><p>
</ns49:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
cmd = enumprinters
flags:[0x800000]
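Review bot: the example invocation passes the root password inline as -U root%secret, which puts it in shell history and can expose it to other local users through the process list while the command runs. For a procedure meant to be scripted across hundreds of printers, the text should at least mention supplying credentials another way, for example letting rpcclient prompt for the password or using an authentication file via -A.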
@ -1733,15 +1732,15 @@ following is an example of how this could be accomplished:
description:[\\SAMBA-CUPS\dm9110,,110ppm HiVolume DANKA Stuttgart]
comment:[110 ppm HiVolume DANKA Stuttgart]
[....]
</pre><ns49:p>
</pre><p>
</ns49:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'setdriver <i class="replaceable"><tt>dm9110</tt></i> &quot;<i class="replaceable"><tt>Heidelberg Digimaster 9110 (PS)</tt></i>&quot;'</tt></b>
cmd = setdriver dm9110 Heidelberg Digimaster 9110 (PPD)
Successfully set dm9110 to driver Heidelberg Digimaster 9110 (PS).
</pre><ns49:p>
</pre><p>
</ns49:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
cmd = enumprinters
flags:[0x800000]
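Review bot: the transcript in this hunk is internally inconsistent. The command sets the driver "Heidelberg Digimaster 9110 (PS)" and the success line says (PS), but the echoed line reads cmd = setdriver dm9110 Heidelberg Digimaster 9110 (PPD). One of the two was edited by hand. Please paste the real output again, so the sample shows a single driver name throughout.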
@ -1749,15 +1748,15 @@ following is an example of how this could be accomplished:
description:[\\SAMBA-CUPS\dm9110,Heidelberg Digimaster 9110 (PS),110ppm HiVolume DANKA Stuttgart]
comment:[110ppm HiVolume DANKA Stuttgart]
[....]
</pre><ns49:p>
</pre><p>
</ns49:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'setdriver <i class="replaceable"><tt>dm9110</tt></i> <i class="replaceable"><tt>myphantasydrivername</tt></i>'</tt></b>
cmd = setdriver dm9110 myphantasydrivername
Successfully set dm9110 to myphantasydrivername.
</pre><ns49:p>
</pre><p>
</ns49:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
cmd = enumprinters
flags:[0x800000]
@ -1772,8 +1771,8 @@ empty string where the driver should have been listed (between the 2
commas in the &quot;description&quot; field). After the
<b class="command">setdriver</b> command succeeded, all is well. (The
CUPS Printing chapter has more info about the installation of printer
drivers with the help of <b class="command">rpccclient</b>).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948326"></a>Adding new Printers with the Windows NT APW</h3></div></div><div></div></div><p>
drivers with the help of <b class="command">rpcclient</b>).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942924"></a>Adding new Printers with the Windows NT APW</h3></div></div><div></div></div><p>
By default, Samba exhibits all printer shares defined in
<tt class="filename">smb.conf</tt> in the
<span class="guiicon">Printers...</span> folder. Also located in this folder
@ -1819,7 +1818,7 @@ user, not necessarily a root account. A <i class="parameter"><tt>map to guest =
user</tt></i> may have connected you unwittingly under the wrong
privilege; you should check it by using the
<b class="command">smbstatus</b> command.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948569"></a>Weird Error Message <span class="errorname">Cannot connect under a
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943168"></a>Weird Error Message <span class="errorname">Cannot connect under a
different Name</span></h3></div></div><div></div></div><p>
Once you are connected with the wrong credentials, there is no means
to reverse the situation other than to close all Explorer windows, and
@ -1849,7 +1848,7 @@ message. You close all Explorer Windows and start it again. You try to
connect - and this times it works! Windows seems to cache connection
info somewhere and doesn't keep it up to date (if you are unlucky you
might need to reboot to get rid of the error message).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948667"></a>Be careful when assembling Driver Files</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943267"></a>Be careful when assembling Driver Files</h3></div></div><div></div></div><p>
You need to be very careful when you take notes about the files and
belonging to a particular driver. Don't confuse the files for driver
version &quot;0&quot; (for Win95/98/ME, going into
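Review bot: two wording errors remain in the unchanged lines around the renamed anchor. "connect - and this times it works!" should be "this time", and "take notes about the files and belonging to a particular driver" has a stray "and". Since this commit is already a spelling pass, fix both in the source.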
@ -1990,7 +1989,7 @@ In my example were even more differences than shown here. Conclusion:
you must be very careful to select the correct driver files for each
driver version. Don't rely on the names alone. Don't interchange files
belonging to different driver versions.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948938"></a>Samba and Printer Ports</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943612"></a>Samba and Printer Ports</h3></div></div><div></div></div><p>
Windows NT/2000 print servers associate a port with each
printer. These normally take the form of <tt class="filename">LPT1:</tt>,
<tt class="filename">COM1:</tt>, <tt class="filename">FILE:</tt>, etc. Samba
@ -2011,14 +2010,14 @@ another (&#8220;<span class="quote">My users and my Boss should not know that th
working with Samba</span>&#8221;), possesses a
<i class="parameter"><tt>enumports command</tt></i> which can be used to define
an external program that generates a listing of ports on a system.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949009"></a>Avoiding the most common Misconfigurations of the Client Driver</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943683"></a>Avoiding the most common Misconfigurations of the Client Driver</h3></div></div><div></div></div><p>
So - printing works, but there are still problems. Most jobs print
well, some don't print at all. Some jobs have problems with fonts,
which don't look good at all. Some jobs print fast, and some are
dead-slow. We can't cover it all; but we want to encourage you to read
the little paragraph about &quot;Avoiding the wrong PostScript Driver
Settings&quot; in the CUPS Printing part of this document.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949031"></a>The Imprints Toolset</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943705"></a>The Imprints Toolset</h2></div></div><div></div></div><p>
The Imprints tool set provides a UNIX equivalent of the
Windows NT Add Printer Wizard. For complete information, please
refer to the Imprints web site
@ -2035,20 +2034,20 @@ coordinate your efforts on the samba-technical mailing list. The
toolset is still in usable form; but only for a series of older
printer models, where there are prepared packages to use. Packages for
more up to date print devices are needed if Imprints should have a
future.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949076"></a>What is Imprints?</h3></div></div><div></div></div><p>
future.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943751"></a>What is Imprints?</h3></div></div><div></div></div><p>
Imprints is a collection of tools for supporting these goals:
</p><div class="itemizedlist"><ul type="disc"><li><p>Providing a central repository information regarding
Windows NT and 95/98 printer driver packages</p></li><li><p>Providing the tools necessary for creating the
Imprints printer driver packages.</p></li><li><p>Providing an installation client which will obtain
printer drivers from a central internet (or intranet) Imprints Server
repository and install them on remote Samba and Windows NT4 print
servers.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949118"></a>Creating Printer Driver Packages</h3></div></div><div></div></div><p>
servers.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943792"></a>Creating Printer Driver Packages</h3></div></div><div></div></div><p>
The process of creating printer driver packages is beyond the scope of
this document (refer to Imprints.txt also included with the Samba
distribution for more information). In short, an Imprints driver
package is a gzipped tarball containing the driver files, related INF
files, and a control file needed by the installation client.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949137"></a>The Imprints Server</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943811"></a>The Imprints Server</h3></div></div><div></div></div><p>
The Imprints server is really a database server that may be queried
via standard HTTP mechanisms. Each printer entry in the database has
an associated URL for the actual downloading of the package. Each
@ -2056,7 +2055,7 @@ package is digitally signed via GnuPG which can be used to verify that
package downloaded is actually the one referred in the Imprints
database. It is strongly recommended that this security check
<span class="emphasis"><em>not</em></span> be disabled.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949161"></a>The Installation Client</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943835"></a>The Installation Client</h3></div></div><div></div></div><p>
More information regarding the Imprints installation client is
available in the <tt class="filename">Imprints-Client-HOWTO.ps</tt> file
included with the imprints source package.
@ -2071,10 +2070,10 @@ remote Samba and Windows NT print servers.
</p><p>
The basic installation process is in four steps and perl code is
wrapped around smbclient and rpcclient
</p><div class="itemizedlist"><ul type="disc"><li xmlns:ns50=""><ns50:p>
</p><div class="itemizedlist"><ul type="disc"><li><p>
foreach (supported architecture for a given driver)
</ns50:p><div class="orderedlist"><ol type="1"><li><p>rpcclient: Get the appropriate upload directory on the remote server</p></li><li><p>smbclient: Upload the driver files</p></li><li><p>rpcclient: Issues an AddPrinterDriver() MS-RPC</p></li></ol></div><ns50:p>
</ns50:p></li><li><p>rpcclient: Issue an AddPrinterEx() MS-RPC to actually create the printer</p></li></ul></div><p>
</p><div class="orderedlist"><ol type="1"><li><p>rpcclient: Get the appropriate upload directory on the remote server</p></li><li><p>smbclient: Upload the driver files</p></li><li><p>rpcclient: Issues an AddPrinterDriver() MS-RPC</p></li></ol></div><p>
</p></li><li><p>rpcclient: Issue an AddPrinterEx() MS-RPC to actually create the printer</p></li></ul></div><p>
One of the problems encountered when implementing the Imprints tool
set was the name space issues between various supported client
architectures. For example, Windows NT includes a driver named &quot;Apple
@ -2097,7 +2096,7 @@ if is has not already been installed?
The way of sidestepping this limitation is to require that all
Imprints printer driver packages include both the Intel Windows NT and
95/98 printer drivers and that NT driver is installed first.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949313"></a>Add Network Printers at Logon without User Interaction</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943987"></a>Add Network Printers at Logon without User Interaction</h2></div></div><div></div></div><p>
The following MS Knowledge Base article may be of some help if you
need to handle Windows 2000 clients: <span class="emphasis"><em>How to Add Printers
with No User Interaction in Windows 2000.</em></span> ( <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;189105</a>
@ -2143,12 +2142,12 @@ or by running <b class="command">cupsaddsmb</b>). The driver is now
auto-downloaded to the client PC where the user is about to log
in.</p></li><li><p>Line 3 sets the default printer to this new network
printer (there might be several other printers installed with this
same method and some may be local as well -- so we deside for a
same method and some may be local as well -- so we decide for a
default printer). The default printer selection may of course be
different for different users.</p></li></ul></div><p>
Note that the second line only works if the printer
<span class="emphasis"><em>infotec2105-PS</em></span> has an already working printqueue
on &quot;sambacupsserver&quot;, and if the printer drivers have sucessfully been
<span class="emphasis"><em>infotec2105-PS</em></span> has an already working print queue
on &quot;sambacupsserver&quot;, and if the printer drivers have successfully been
uploaded (via <b class="command">APW</b> ,
<b class="command">smbclient/rpcclient</b> or
<b class="command">cupsaddsmb</b>) into the
@ -2172,7 +2171,7 @@ at logon time will not really be noticeable. Printers can be centrally
added, changed, and deleted at will on the server with no user
intervention required on the clients (you just need to keep the logon
scripts up to date).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949643"></a>The <b class="command">addprinter</b> command</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944316"></a>The <b class="command">addprinter</b> command</h2></div></div><div></div></div><p>
The <b class="command">addprinter</b> command can be configured to be a
shell script or program executed by Samba. It is triggered by running
the APW from a client against the Samba print server. The APW asks the
@ -2184,7 +2183,7 @@ on legacy systems, or execute the <b class="command">lpadmin</b> command
on more modern systems) and create the associated share in
, then the APW will in effect really
create a new printer on Samba and the UNIX print subsystem!
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949688"></a>Migration of &quot;Classical&quot; printing to Samba-3</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944362"></a>Migration of &quot;Classical&quot; printing to Samba-3</h2></div></div><div></div></div><p>
The basic &quot;NT-style&quot; printer driver management has not changed
considerably in 3.0 over the 2.2.x releases (apart from many small
improvements). Here migration should be quite easy, especially if you
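Review bot: the context sentence above the changed heading reads "create the associated share in , then the APW will in effect really create a new printer", so the file name it refers to renders as nothing. Restore that reference in the source before regenerating; as it stands the sentence does not say where the share is created.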
@ -2199,7 +2198,7 @@ and driver support. Previously used parameters &quot;<i class="parameter"><tt>pr
driver file</tt></i>&quot;, &quot; <i class="parameter"><tt>printer driver</tt></i>&quot; and
&quot;<i class="parameter"><tt>printer driver location</tt></i>&quot; are no longer
supported.</p></li><li><p>If you want to take advantage of WinNT printer driver
support you also need to migrate theWin9x/ME drivers to the new
support you also need to migrate the Win9x/ME drivers to the new
setup.</p></li><li><p>An existing <tt class="filename">printers.def</tt> file
(the one specified in the now removed parameter <i class="parameter"><tt>printer
driver file = ...</tt></i>) will work no longer with Samba-3.0. In
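Review bot: two lines above the "the Win9x/ME" fix, the quoted parameter "printer driver" still opens with a space inside the quotation marks, unlike the parameters quoted on either side of it. In the last item, "will work no longer with Samba-3.0" would read better as "will no longer work with Samba-3.0".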
@ -2221,12 +2220,12 @@ rpcclient. See the Imprints installation client at:
<a href="http://imprints.sourceforge.net/" target="_top"><span class="emphasis"><em>http://imprints.sourceforge.net/</em></span></a>
</p><p>
for an example. See also the discussion of rpcclient usage in the
&quot;CUPS Printing&quot; section.</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949856"></a>Publishing Printer Information in Active Directory or LDAP</h2></div></div><div></div></div><p>
&quot;CUPS Printing&quot; section.</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944531"></a>Publishing Printer Information in Active Directory or LDAP</h2></div></div><div></div></div><p>
We will publish an update to this section shortly.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949870"></a>Common Errors and Problems</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2944545"></a>Common Errors and Problems</h2></div></div><div></div></div><p>
Here are a few typical errors and problems people have
encountered. You can avoid them. Read on.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949884"></a>I give my root password but I don't get access</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944558"></a>I give my root password but I don't get access</h3></div></div><div></div></div><p>
Don't confuse the root password which is valid for the Unix system
(and in most cases stored in the form of a one-way hash in a file
named <tt class="filename">/etc/shadow</tt>) with the password used to
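Review bot: the section "Publishing Printer Information in Active Directory or LDAP" still consists only of "We will publish an update to this section shortly." Either leave the heading out of the generated set until there is content or say what is currently supported, because a heading with no content gives the reader nothing to act on.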
@ -2234,7 +2233,7 @@ authenticate against Samba!. Samba doesn't know the UNIX password; for
root to access Samba resources via Samba-type access, a Samba account
for root must be created first. This is often done with the
<b class="command">smbpasswd</b> command.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949917"></a>My printjobs get spooled into the spooling directory, but then get lost</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944591"></a>My printjobs get spooled into the spooling directory, but then get lost</h3></div></div><div></div></div><p>
Don't use the existing Unix print system spool directory for the Samba
spool directory. It may seem convenient and a saving of space, but it
only leads to problems. The two <span class="emphasis"><em>must</em></span> be separate.
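Review bot: the heading in this hunk keeps "printjobs" as one word although the same commit changes "printqueue" to "print queue" earlier in this file; make it "print jobs" for consistency. The context in the hunk header also ends "authenticate against Samba!." with doubled punctuation.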


@ -1,9 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 34. Analysing and solving samba problems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="diagnosis.html" title="Chapter 33. The samba checklist"><link rel="next" href="bugreport.html" title="Chapter 35. Reporting Bugs"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 34. Analysing and solving samba problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="problems"></a>Chapter 34. 
Analysing and solving samba problems</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">8 Apr 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="problems.html#id3008351">Diagnostics tools</a></dt><dt><a href="problems.html#id3007077">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3007361">Useful URL's</a></dt><dt><a href="problems.html#id3007404">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3007558">How to get off the mailinglists</a></dt></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 34. Analysing and solving samba problems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="diagnosis.html" title="Chapter 33. The Samba checklist"><link rel="next" href="bugreport.html" title="Chapter 35. Reporting Bugs"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 34. Analysing and solving samba problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="problems"></a>Chapter 34. 
Analysing and solving samba problems</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">8 Apr 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></div><p>
There are many sources of information available in the form
of mailing lists, RFC's and documentation. The docs that come
with the samba distribution contain very good explanations of
general SMB topics such as browsing.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3008351"></a>Diagnostics tools</h2></div></div><div></div></div><p>
general SMB topics such as browsing.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3010907"></a>Diagnostics tools</h2></div></div><div></div></div><p>
One of the best diagnostic tools for debugging problems is Samba itself.
You can use the <tt class="option">-d option</tt> for both <span class="application">smbd</span> and <span class="application">nmbd</span> to specify what
<i class="parameter"><tt>debug level</tt></i> at which to run. See the man pages on smbd, nmbd and
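Review bot: the chapter's own title still reads "Analysing and solving samba problems" and the opening paragraph still has "RFC's" and "the samba distribution", while this hunk corrects the neighbouring title to "The Samba checklist" and the table of contents to "Useful URLs". Apply the same capitalisation and plural fixes there. "to specify what debug level at which to run" is also a doubled construction; "to specify the debug level at which to run" is enough.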
@ -25,7 +24,7 @@ typing in your password, you can attach gdb and continue.
</p><p>
Some useful samba commands worth investigating:
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>testparam | more</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>testparm | more</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient -L //{netbios name of server}</tt></b>
</pre><p>
An SMB enabled version of tcpdump is available from
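Review bot: "testparam" to "testparm" corrects a command that readers copy into a shell, so it is a content fix rather than a side effect of regeneration; mention it in the commit message, which currently says only "regenerate docs". On the next line, "{netbios name of server}" sits inside the user input markup as plain text; mark it as replaceable so it is not typed literally.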
@ -42,7 +41,7 @@ The version on the NT Server install CD will only allow monitoring
of network traffic directed to the local NT box and broadcasts on the
local subnet. Be aware that Ethereal can read and write netmon
formatted files.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007077"></a>Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3011048"></a>Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</h2></div></div><div></div></div><p>
Installing netmon on an NT workstation requires a couple
of steps. The following are for installing Netmon V4.00.349, which comes
with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
@ -81,11 +80,11 @@ from the Windows 9x CD (<tt class="filename">\admin\nettools\netmon</tt>). Ther
file located with the netmon driver files on the CD if you need
information on how to do this. Copy the files from a working
Netmon installation.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007361"></a>Useful URL's</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>See how Scott Merrill simulates a BDC behavior at
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3011333"></a>Useful URLs</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>See how Scott Merrill simulates a BDC behavior at
<a href="http://www.skippy.net/linux/smb-howto.html" target="_top">
http://www.skippy.net/linux/smb-howto.html</a>. </p></li><li><p>FTP site for older SMB specs:
<a href="ftp://ftp.microsoft.com/developr/drg/CIFS/" target="_top">
ftp://ftp.microsoft.com/developr/drg/CIFS/</a></p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007404"></a>Getting help from the mailing lists</h2></div></div><div></div></div><p>
ftp://ftp.microsoft.com/developr/drg/CIFS/</a></p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3011378"></a>Getting help from the mailing lists</h2></div></div><div></div></div><p>
There are a number of Samba related mailing lists. Go to <a href="http://samba.org" target="_top">http://samba.org</a>, click on your nearest mirror
and then click on <b class="command">Support</b> and then click on <b class="command">
Samba related mailing lists</b>.
@ -119,7 +118,7 @@ error messages.</p></li><li><p>(Possibly) If you have a complete netmon trace (
the pipe to the error ) you can send the *.CAP file as well.</p></li><li><p>Please think carefully before attaching a document to an email.
Consider pasting the relevant parts into the body of the message. The samba
mailing lists go to a huge number of people, do they all need a copy of your
smb.conf in their attach directory?</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3007558"></a>How to get off the mailinglists</h2></div></div><div></div></div><p>To have your name removed from a samba mailing list, go to the
smb.conf in their attach directory?</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3011530"></a>How to get off the mailing lists</h2></div></div><div></div></div><p>To have your name removed from a samba mailing list, go to the
same place you went to to get on it. Go to <a href="http://lists.samba.org/" target="_top">http://lists.samba.org</a>,
click on your nearest mirror and then click on <b class="command">Support</b> and
then click on <b class="command"> Samba related mailing lists</b>. Or perhaps see
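Review bot: this section and "Getting help from the mailing lists" give the same click path (nearest mirror, Support, Samba related mailing lists) but start from different URLs, http://samba.org there and http://lists.samba.org here. Pick one starting point and cross-reference the earlier section instead of repeating the steps; the awkward "the same place you went to to get on it" can be reworded in the same change.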
@ -127,4 +126,4 @@ then click on <b class="command"> Samba related mailing lists</b>. Or perhaps se
</p><p>
Please don't post messages to the list asking to be removed, you will just
be referred to the above address (unless that process failed in some way...)
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 33. The samba checklist </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 35. Reporting Bugs</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 33. The Samba checklist </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 35. Reporting Bugs</td></tr></table></div></body></html>


@ -1,434 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>LanMan and NT Password Encryption in Samba</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="General installation"
HREF="introduction.html"><LINK
REL="PREVIOUS"
TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
HREF="browsing-quick.html"><LINK
REL="NEXT"
TITLE="Type of installation"
HREF="type.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="browsing-quick.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="type.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="PWENCRYPT">Chapter 4. LanMan and NT Password Encryption in Samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN457">4.1. Introduction</H1
><P
>Newer windows clients send encrypted passwords over
the wire, instead of plain text passwords. The newest clients
will only send encrypted passwords and refuse to send plain text
passwords, unless their registry is tweaked.</P
><P
>These passwords can't be converted to unix style encrypted
passwords. Because of that you can't use the standard unix
user database, and you have to store the Lanman and NT hashes
somewhere else. For more information, see the documentation
about the <B
CLASS="COMMAND"
>passdb backend = </B
> parameter.
</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN462">4.2. Important Notes About Security</H1
><P
>The unix and SMB password encryption techniques seem similar
on the surface. This similarity is, however, only skin deep. The unix
scheme typically sends clear text passwords over the network when
logging in. This is bad. The SMB encryption scheme never sends the
cleartext password over the network but it does store the 16 byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed
values are a "password equivalent". You cannot derive the user's
password from them, but they could potentially be used in a modified
client to gain access to a server. This would require considerable
technical knowledge on behalf of the attacker but is perfectly possible.
You should thus treat the smbpasswd file as though it contained the
cleartext passwords of all your users. Its contents must be kept
secret, and the file should be protected accordingly.</P
><P
>Ideally we would like a password scheme which neither requires
plain text passwords on the net or on disk. Unfortunately this
is not available as Samba is stuck with being compatible with
other SMB systems (WinNT, WfWg, Win95 etc). </P
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Note that Windows NT 4.0 Service pack 3 changed the
default for permissible authentication so that plaintext
passwords are <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>never</I
></SPAN
> sent over the wire.
The solution to this is either to switch to encrypted passwords
with Samba or edit the Windows NT registry to re-enable plaintext
passwords. See the document WinNT.txt for details on how to do
this.</P
><P
>Other Microsoft operating systems which also exhibit
this behavior includes</P
><P
></P
><UL
><LI
><P
>MS DOS Network client 3.0 with
the basic network redirector installed</P
></LI
><LI
><P
>Windows 95 with the network redirector
update installed</P
></LI
><LI
><P
>Windows 98 [se]</P
></LI
><LI
><P
>Windows 2000</P
></LI
></UL
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Note :</I
></SPAN
>All current release of
Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling
clear text authentication does not disable the ability
of the client to participate in encrypted authentication.</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN481">4.2.1. Advantages of SMB Encryption</H2
><P
></P
><UL
><LI
><P
>plain text passwords are not passed across
the network. Someone using a network sniffer cannot just
record passwords going to the SMB server.</P
></LI
><LI
><P
>WinNT doesn't like talking to a server
that isn't using SMB encrypted passwords. It will refuse
to browse the server if the server is also in user level
security mode. It will insist on prompting the user for the
password on each connection, which is very annoying. The
only things you can do to stop this is to use SMB encryption.
</P
></LI
></UL
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN488">4.2.2. Advantages of non-encrypted passwords</H2
><P
></P
><UL
><LI
><P
>plain text passwords are not kept
on disk. </P
></LI
><LI
><P
>uses same password file as other unix
services such as login and ftp</P
></LI
><LI
><P
>you are probably already using other
services (such as telnet and ftp) which send plain text
passwords over the net, so sending them for SMB isn't
such a big deal.</P
></LI
></UL
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN497">4.3. The smbpasswd Command</H1
><P
>The smbpasswd command maintains the two 32 byte password fields
in the smbpasswd file. If you wish to make it similar to the unix
<B
CLASS="COMMAND"
>passwd</B
> or <B
CLASS="COMMAND"
>yppasswd</B
> programs,
install it in <TT
CLASS="FILENAME"
>/usr/local/samba/bin/</TT
> (or your
main Samba binary directory).</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> now works in a client-server mode
where it contacts the local smbd to change the user's password on its
behalf. This has enormous benefits - as follows.</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> now has the capability
to change passwords on Windows NT servers (this only works when
the request is sent to the NT Primary Domain Controller if you
are changing an NT Domain user's password).</P
><P
>To run smbpasswd as a normal user just type :</P
><P
><TT
CLASS="PROMPT"
>$ </TT
><TT
CLASS="USERINPUT"
><B
>smbpasswd</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>Old SMB password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;type old value here -
or hit return if there was no old password&gt;</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>New SMB Password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;type new value&gt;
</B
></TT
></P
><P
><TT
CLASS="PROMPT"
>Repeat New SMB Password: </TT
><TT
CLASS="USERINPUT"
><B
>&lt;re-type new value
</B
></TT
></P
><P
>If the old value does not match the current value stored for
that user, or the two new values do not match each other, then the
password will not be changed.</P
><P
>If invoked by an ordinary user it will only allow the user
to change his or her own Samba password.</P
><P
>If run by the root user smbpasswd may take an optional
argument, specifying the user name whose SMB password you wish to
change. Note that when run as root smbpasswd does not prompt for
or check the old password value, thus allowing root to set passwords
for users who have forgotten their passwords.</P
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> is designed to work in the same way
and be familiar to UNIX users who use the <B
CLASS="COMMAND"
>passwd</B
> or
<B
CLASS="COMMAND"
>yppasswd</B
> commands.</P
><P
>For more details on using <B
CLASS="COMMAND"
>smbpasswd</B
> refer
to the man page which will always be the definitive reference.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="browsing-quick.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="introduction.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Type of installation</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
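Review bot: this hunk deletes the page outright, and with it section 4.2, "Important Notes About Security", which is where administrators are told that the 16 byte hashes in the smbpasswd file are password equivalents and that the file must be protected as if it held cleartext passwords. Confirm that this warning is carried into a chapter the regenerated set still ships, and keep a stub or redirect at the old file name so existing links to the chapter do not break.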


@ -1,12 +1,11 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 7. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. 
Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2896177">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896342">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896370">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2894331">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2894352">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2894375">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2894401">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2894471">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2894521">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2894535">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2894560">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2894593">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2894621">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 7. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. 
Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2896028">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896201">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896230">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2896450">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2896471">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2896497">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896542">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896645">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896706">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896719">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2896750">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2896783">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2896828">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><p>
Before you continue reading in this section, please make sure that you are comfortable
with configuring a Samba Domain Controller as described in the
<a href="Samba-PDC-HOWTO.html" target="_top">Domain Control Chapter</a>.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896177"></a>Features And Benefits</h2></div></div><div></div></div><p>
This is one of the most difficult chapters to summarise. It matters not what we say here
<a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control</a> chapter.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896028"></a>Features And Benefits</h2></div></div><div></div></div><p>
This is one of the most difficult chapters to summarise. It does not matter what we say here
for someone will still draw conclusions and / or approach the Samba-Team with expectations
that are either not yet capable of being delivered, or that can be achieved for more
that are either not yet capable of being delivered, or that can be achieved far more
effectively using a totally different approach. Since this HOWTO is already so large and
extensive, we have taken the decision to provide sufficient (but not comprehensive)
information regarding Backup Domain Control. In the event that you should have a persistent
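Review bot: the section anchors here are stylesheet-generated, so regenerating the docs breaks existing deep links. The "Features And Benefits" heading moves from id2896177 to id2896028, and the table of contents now links to the new value. Giving each section an explicit id in the DocBook source, as the chapter already has with "samba-bdc", would keep the anchors stable across regenerations.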
@ -27,7 +26,7 @@ The use of a non-LDAP backend SAM database is particularly problematic because D
servers and workstations periodically change the machine trust account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
as a BDC, the PDC instance of the Domain member trust account password will not reach the
as a BDC, the BDC instance of the Domain member trust account password will not reach the
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in
overwriting of the SAM that contains the updated (changed) trust account password with resulting
breakage of the domain trust.
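Review bot: the corrected sentence ("the BDC instance of the Domain member trust account password will not reach the PDC (master) copy of the SAM") is still hard to parse, and it sits in the paragraph that explains why trusts break. Consider splitting it in the source: first say where the changed machine password ends up, then say that the next copy of the PDC SAM to the BDCs overwrites it.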
@ -42,7 +41,7 @@ lets consider each possible option and look at the pro's and con's for each theo
</p><p>
Arguments Against: Complexity
</p></li><li><p>
Passdb Backend is tdbsam based, BDCs use cron based &quot;net rcp vampire&quot; to
Passdb Backend is tdbsam based, BDCs use cron based &quot;net rpc vampire&quot; to
suck down the Accounts database from the PDC
</p><p>
Arguments For: It would be a nice solution
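Review bot: "Arguments For: It would be a nice solution" gives the reader no argument, and the conditional leaves it unclear whether a cron-driven "net rpc vampire" pull is something an administrator can deploy today. State the option's current status explicitly in the source. The hunk header context also still reads "lets consider ... the pro's and con's", which could be corrected in the same pass as the "rcp" typo.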
@ -64,22 +63,22 @@ lets consider each possible option and look at the pro's and con's for each theo
Arguments Against: All machine trust accounts and user accounts will be locally
maintained. Domain users will NOT be able to roam from office to office. This is
a broken and flawed solution. Do NOT do this.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896342"></a>Essential Background Information</h2></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896201"></a>Essential Background Information</h2></div></div><div></div></div><p>
A Domain Controller is a machine that is able to answer logon requests from network
workstations. Microsoft LanManager and IBM LanServer were two early products that
provided this capability. The technology has become known as the LanMan Netlogon service.
</p><p>
When MS Windows NT3.10 was first released it supported an new style of Domain Control
When MS Windows NT3.10 was first released, it supported an new style of Domain Control
and with it a new form of the network logon service that has extended functionality.
This service became known as the NT NetLogon Service. The nature of this service has
changed with the evolution of MS Windows NT and today provides a very complex array of
services that are implemented over a complex spectrum of technologies.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896370"></a>MS Windows NT4 Style Domain Control</h3></div></div><div></div></div><p>
Whenever a user logs into a Windows NT4 / 200x / XP Profresional Workstation,
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896230"></a>MS Windows NT4 Style Domain Control</h3></div></div><div></div></div><p>
Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate
the username and password that the user entered are valid. If the information entered
does not validate against the account information that has been stored in the Domain
Control database (the SAM, or Security Accounts Manager database) then a set of error
Control database (the SAM, or Security Account Manager database) then a set of error
codes is returned to the workstation that has made the authentication request.
</p><p>
When the username / password pair has been validated, the Domain Controller
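Review bot: the rewritten NT3.10 sentence gained a comma but still reads "it supported an new style of Domain Control". Change "an new" to "a new" in the DocBook source so the next regeneration picks it up, as was done for "Profresional" in this hunk.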
@ -101,7 +100,7 @@ Controllers are present on the network.
</p><p>
There are two situations in which it is desirable to install Backup Domain Controllers:
</p><div class="itemizedlist"><ul type="disc"><li><p>
On the local network that the Primary Domain Controller is on if there are many
On the local network that the Primary Domain Controller is on, if there are many
workstations and/or where the PDC is generally very busy. In this case the BDCs
will pick up network logon requests and help to add robustness to network services.
</p></li><li><p>
@ -117,7 +116,7 @@ has the PDC, the change will likely be made directly to the PDC instance of the
copy of the SAM. In the event that this update may be performed in a branch office the
change will likely be stored in a delta file on the local BDC. The BDC will then send
a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
request the delta from the BDC and apply it to the master SAM. THe PDC will then contact
request the delta from the BDC and apply it to the master SAM. The PDC will then contact
all the BDCs in the Domain and trigger them to obtain the update and then apply that to
their own copy of the SAM.
</p><p>
@ -132,7 +131,7 @@ one of the BDCs can be promoted to a PDC. If this happens while the original PDC
line then it is automatically demoted to a BDC. This is an important aspect of Domain
Controller management. The tool that is used to affect a promotion or a demotion is the
Server Manager for Domains.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2894268"></a>Example PDC Configuration</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2896379"></a>Example PDC Configuration</h4></div></div><div></div></div><p>
Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some
parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> have to be set:
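Review bot: in the unchanged context above the renamed "Example PDC Configuration" anchor, "The tool that is used to affect a promotion or a demotion" should read "effect". "For samba to be enabled as a PDC" also has the product name in lower case, unlike the rest of the chapter.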
@ -143,29 +142,29 @@ parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt
</pre><p>
Several other things like a <i class="parameter"><tt>[homes]</tt></i> and a <i class="parameter"><tt>[netlogon]</tt></i> share also need to be set along with
settings for the profile path, the users home drive, etc.. This will not be covered in this
chapter, for more information please refer to the chapter on Domain Control.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894331"></a>Active Directory Domain Control</h3></div></div><div></div></div><p>
chapter, for more information please refer to the chapter on <a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control</a>.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896450"></a>Active Directory Domain Control</h3></div></div><div></div></div><p>
As of the release of MS Windows 2000 and Active Directory, this information is now stored
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
act as a Backup Domain Contoller to an Active Directory Domain Controller.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894352"></a>What qualifies a Domain Controller on the network?</h3></div></div><div></div></div><p>
act as a Backup Domain Controller to an Active Directory Domain Controller.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896471"></a>What qualifies a Domain Controller on the network?</h3></div></div><div></div></div><p>
Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS
group name SAMBA&lt;#1c&gt; with the WINS server and/or by broadcast on the local network.
The PDC also registers the unique NetBIOS name SAMBA&lt;#1b&gt; with the WINS server.
The name type &lt;#1b&gt; name is normally reserved for the Domain Master Browser, a role
that has nothing to do with anything related to authentication, but the Microsoft Domain
implementation requires the domain master browser to be on the same machine as the PDC.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894375"></a>How does a Workstation find its domain controller?</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896497"></a>How does a Workstation find its domain controller?</h3></div></div><div></div></div><p>
An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a
local user to be authenticated has to find the domain controller for SAMBA. It does this
by doing a NetBIOS name query for the group name SAMBA&lt;#1c&gt;. It assumes that each
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller, for valdation.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894401"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p>
password) to the local Domain Controller, for validation.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896542"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p>
Several things have to be done:
</p><div class="itemizedlist"><ul type="disc"><li><p>
The domain SID has to be the same on the PDC and the BDC. This used to
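Review bot: several defects in unchanged lines of this hunk survive next to the spelling fixes. "The name type &lt;#1b&gt; name is normally reserved" repeats "name", and "the users home drive, etc.." is missing an apostrophe and has a doubled period. "To not open security holes both the workstation and the selected domain controller authenticate each other" would also read more clearly as a plain statement that mutual authentication happens before credentials are sent.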
@ -176,25 +175,31 @@ Several things have to be done:
generate a new SID for itself and override the domain SID with this
new BDC SID.</p><p>
To retrieve the domain SID from the PDC or an existing BDC and store it in the
secrets.tdb, execute 'net rpc getsid' on the BDC.
</p></li><li><p>
secrets.tdb, execute:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc getsid</tt></b>
</pre></li><li><p>
The Unix user database has to be synchronized from the PDC to the
BDC. This means that both the /etc/passwd and /etc/group have to be
replicated from the PDC to the BDC. This can be done manually
whenever changes are made, or the PDC is set up as a NIS master
server and the BDC as a NIS slave server. To set up the BDC as a
mere NIS client would not be enough, as the BDC would not be able to
access its user database in case of a PDC failure.
access its user database in case of a PDC failure. NIS is by no means
the only method to synchronize passwords. An LDAP solution would work
as well.
</p></li><li><p>
The Samba password database in the file private/smbpasswd has to be
replicated from the PDC to the BDC. This is a bit tricky, see the
next section.
The Samba password database has to be replicated from the PDC to the BDC.
As said above, though possible to synchronise the <tt class="filename">smbpasswd</tt>
file with rsync and ssh, this method is broken and flawed, and is
therefore not recommended. A better solution is to set up slave LDAP
servers for each BDC and a master LDAP server for the PDC.
</p></li><li><p>
Any netlogon share has to be replicated from the PDC to the
BDC. This can be done manually whenever login scripts are changed,
or it can be done automatically together with the smbpasswd
synchronization.
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894471"></a>Example Configuration</h3></div></div><div></div></div><p>
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896645"></a>Example Configuration</h3></div></div><div></div></div><p>
Finally, the BDC has to be found by the workstations. This can be done by setting:
</p><pre class="programlisting">
workgroup = SAMBA
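Review bot: the list now contradicts itself. The rewritten password-database item calls synchronising smbpasswd with rsync and ssh "broken and flawed" and "not recommended", but the unchanged netlogon item still says replication "can be done automatically together with the smbpasswd synchronization". The netlogon item needs a replication method that does not depend on the discouraged one. Separately, the added sentence "NIS is by no means the only method to synchronize passwords" sits in the item about /etc/passwd and /etc/group, so "passwords" should probably be "the Unix user database".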
@ -207,18 +212,21 @@ problem as the name SAMBA&lt;#1c&gt; is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter 'domain master =
no' forces the BDC not to register SAMBA&lt;#1b&gt; which as a unique NetBIOS
name is reserved for the Primary Domain Controller.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2894521"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896706"></a>Common Errors</h2></div></div><div></div></div><p>
As this is a rather new area for Samba there are not many examples that we may refer to. Keep
watching for updates to this section.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894535"></a>Machine Accounts keep expiring, what can I do?</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896719"></a>Machine Accounts keep expiring, what can I do?</h3></div></div><div></div></div><p>
This problem will occur when occur when the passdb (SAM) files are copied from a central
server but the local Backup Domain Controllers. Local machine trust account password updates
are not copied back to the central server. The newer machine account password is then over
written when the SAM is copied from the PDC. The result is that the Domain member machine
on start up will find that it's passwords does not match the one now in the database and
since the startup security check will now fail, this machine will not allow logon attempts
to procede and the account expiry error will be reported.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894560"></a>Can Samba be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p>
to proceed and the account expiry error will be reported.
</p><p>
The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
an slave LDAP server for each BDC, and a master LDAP server for the PDC.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896750"></a>Can Samba be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p>
With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully
implemented. The Samba Team is working on understanding and implementing the protocols,
but this work has not been finished for version 2.2.
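Review bot: the added solution paragraph introduces a new typo, "setting up an slave LDAP server", which should be "a slave LDAP server". The problem description it follows is still garbled in the unchanged lines: "will occur when occur when the passdb (SAM) files are copied from a central server but the local Backup Domain Controllers" and "it's passwords does not match". Since "procede" is fixed in this same paragraph, fix these in the source too, so the explanation of the failure is readable before the remedy is offered.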
@ -229,7 +237,7 @@ mechanism has progressed, and some form of NT4 BDC support is expected soon.
Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a
BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to
service logon requests whenever the PDC is down.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894593"></a>How do I replicate the smbpasswd file?</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896783"></a>How do I replicate the smbpasswd file?</h3></div></div><div></div></div><p>
Replication of the smbpasswd file is sensitive. It has to be done whenever changes
to the SAM are made. Every user's password change is done in the smbpasswd file and
has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
@ -237,9 +245,13 @@ has to be replicated to the BDC. So replicating the smbpasswd file very often is
As the smbpasswd file contains plain text password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
Ssh itself can be set up to accept *only* rsync transfer without requiring the user
Ssh itself can be set up to accept <span class="emphasis"><em>only</em></span> rsync transfer without requiring the user
to type a password.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894621"></a>Can I do this all with LDAP?</h3></div></div><div></div></div><p>
</p><p>
As said a few times before, use of this method is broken and flawed. Machine trust
accounts will go out of sync, resulting in a very broken domain. This method is
<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896828"></a>Can I do this all with LDAP?</h3></div></div><div></div></div><p>
The simple answer is YES. Samba's pdb_ldap code supports binding to a replica
LDAP server, and will also follow referrals and rebind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read only, so
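Review bot: the smbpasswd answer now gives conflicting advice. The retained paragraph still says "The best way to set up smbpasswd replication from the PDC to the BDC is to use the utility rsync", and the added paragraph that follows says the method is "broken and flawed" and "not recommended". Move the warning to the top of the answer and reword the retained text so that rsync over ssh is described as how it can be done, not as the best way. The requirement that the file "must not be sent unencrypted over the wire" should stay.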

File diff suppressed because it is too large

View File

@ -1,986 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Storing Samba's User/Machine Account information in an LDAP Directory</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Optional configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Stackable VFS modules"
HREF="vfs.html"><LINK
REL="NEXT"
TITLE="HOWTO Access Samba source code via CVS"
HREF="cvs-access.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="vfs.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="cvs-access.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="SAMBA-LDAP-HOWTO">Chapter 19. Storing Samba's User/Machine Account information in an LDAP Directory</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2737">19.1. Purpose</H1
><P
>This document describes how to use an LDAP directory for storing Samba user
account information traditionally stored in the smbpasswd(5) file. It is
assumed that the reader already has a basic understanding of LDAP concepts
and has a working directory server already installed. For more information
on LDAP architectures and Directories, please refer to the following sites.</P
><P
></P
><UL
><LI
><P
>OpenLDAP - <A
HREF="http://www.openldap.org/"
TARGET="_top"
>http://www.openldap.org/</A
></P
></LI
><LI
><P
>iPlanet Directory Server - <A
HREF="http://iplanet.netscape.com/directory"
TARGET="_top"
>http://iplanet.netscape.com/directory</A
></P
></LI
></UL
><P
>Note that <A
HREF="http://www.ora.com/"
TARGET="_top"
>O'Reilly Publishing</A
> is working on
a guide to LDAP for System Administrators which has a planned release date of
early summer, 2002.</P
><P
>Two additional Samba resources which may prove to be helpful are</P
><P
></P
><UL
><LI
><P
>The <A
HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html"
TARGET="_top"
>Samba-PDC-LDAP-HOWTO</A
>
maintained by Ignacio Coupeau.</P
></LI
><LI
><P
>The NT migration scripts from <A
HREF="http://samba.idealx.org/"
TARGET="_top"
>IDEALX</A
> that are
geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
</P
></LI
></UL
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2757">19.2. Introduction</H1
><P
>Traditionally, when configuring <A
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
TARGET="_top"
>"encrypt
passwords = yes"</A
> in Samba's <TT
CLASS="FILENAME"
>smb.conf</TT
> file, user account
information such as username, LM/NT password hashes, password change times, and account
flags have been stored in the <TT
CLASS="FILENAME"
>smbpasswd(5)</TT
> file. There are several
disadvantages to this approach for sites with very large numbers of users (counted
in the thousands).</P
><P
></P
><UL
><LI
><P
>The first is that all lookups must be performed sequentially. Given that
there are approximately two lookups per domain logon (one for a normal
session connection such as when mapping a network drive or printer), this
is a performance bottleneck for lareg sites. What is needed is an indexed approach
such as is used in databases.</P
></LI
><LI
><P
>The second problem is that administrators who desired to replicate a
smbpasswd file to more than one Samba server were left to use external
tools such as <B
CLASS="COMMAND"
>rsync(1)</B
> and <B
CLASS="COMMAND"
>ssh(1)</B
>
and wrote custom, in-house scripts.</P
></LI
><LI
><P
>And finally, the amount of information which is stored in an
smbpasswd entry leaves no room for additional attributes such as
a home directory, password expiration time, or even a Relative
Identified (RID).</P
></LI
></UL
><P
>As a result of these defeciencies, a more robust means of storing user attributes
used by smbd was developed. The API which defines access to user accounts
is commonly referred to as the samdb interface (previously this was called the passdb
API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support
for a samdb backend (e.g. <TT
CLASS="PARAMETER"
><I
>--with-ldapsam</I
></TT
> or
<TT
CLASS="PARAMETER"
><I
>--with-tdbsam</I
></TT
>) requires compile time support.</P
><P
>When compiling Samba to include the <TT
CLASS="PARAMETER"
><I
>--with-ldapsam</I
></TT
> autoconf
option, smbd (and associated tools) will store and lookup user accounts in
an LDAP directory. In reality, this is very easy to understand. If you are
comfortable with using an smbpasswd file, simply replace "smbpasswd" with
"LDAP directory" in all the documentation.</P
><P
>There are a few points to stress about what the <TT
CLASS="PARAMETER"
><I
>--with-ldapsam</I
></TT
>
does not provide. The LDAP support referred to in the this documentation does not
include:</P
><P
></P
><UL
><LI
><P
>A means of retrieving user account information from
an Windows 2000 Active Directory server.</P
></LI
><LI
><P
>A means of replacing /etc/passwd.</P
></LI
></UL
><P
>The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
versions of these libraries can be obtained from PADL Software
(<A
HREF="http://www.padl.com/"
TARGET="_top"
>http://www.padl.com/</A
>). However,
the details of configuring these packages are beyond the scope of this document.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2786">19.3. Supported LDAP Servers</H1
><P
>The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP
2.0 server and client libraries. The same code should be able to work with
Netscape's Directory Server and client SDK. However, due to lack of testing
so far, there are bound to be compile errors and bugs. These should not be
hard to fix. If you are so inclined, please be sure to forward all patches to
<A
HREF="samba-patches@samba.org"
TARGET="_top"
>samba-patches@samba.org</A
> and
<A
HREF="jerry@samba.org"
TARGET="_top"
>jerry@samba.org</A
>.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2791">19.4. Schema and Relationship to the RFC 2307 posixAccount</H1
><P
>Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in
<TT
CLASS="FILENAME"
>examples/LDAP/samba.schema</TT
>. (Note that this schema
file has been modified since the experimental support initially included
in 2.2.2). The sambaAccount objectclass is given here:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
DESC 'Samba Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
description $ userWorkstations $ primaryGroupID $ domain ))</PRE
></P
><P
>The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
owned by the Samba Team and as such is legal to be openly published.
If you translate the schema to be used with Netscape DS, please
submit the modified schema file as a patch to <A
HREF="jerry@samba.org"
TARGET="_top"
>jerry@samba.org</A
></P
><P
>Just as the smbpasswd file is mean to store information which supplements a
user's <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry, so is the sambaAccount object
meant to supplement the UNIX user account information. A sambaAccount is a
<TT
CLASS="CONSTANT"
>STRUCTURAL</TT
> objectclass so it can be stored individually
in the directory. However, there are several fields (e.g. uid) which overlap
with the posixAccount objectclass outlined in RFC2307. This is by design.</P
><P
>In order to store all user account information (UNIX and Samba) in the directory,
it is necessary to use the sambaAccount and posixAccount objectclasses in
combination. However, smbd will still obtain the user's UNIX account
information via the standard C library calls (e.g. getpwnam(), et. al.).
This means that the Samba server must also have the LDAP NSS library installed
and functioning correctly. This division of information makes it possible to
store all Samba account information in LDAP, but still maintain UNIX account
information in NIS while the network is transitioning to a full LDAP infrastructure.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2803">19.5. Configuring Samba with LDAP</H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2805">19.5.1. OpenLDAP configuration</H2
><P
>To include support for the sambaAccount object in an OpenLDAP directory
server, first copy the samba.schema file to slapd's configuration directory.</P
><P
><TT
CLASS="PROMPT"
>root# </TT
><B
CLASS="COMMAND"
>cp samba.schema /etc/openldap/schema/</B
></P
><P
>Next, include the <TT
CLASS="FILENAME"
>samba.schema</TT
> file in <TT
CLASS="FILENAME"
>slapd.conf</TT
>.
The sambaAccount object contains two attributes which depend upon other schema
files. The 'uid' attribute is defined in <TT
CLASS="FILENAME"
>cosine.schema</TT
> and
the 'displayName' attribute is defined in the <TT
CLASS="FILENAME"
>inetorgperson.schema</TT
>
file. Both of these must be included before the <TT
CLASS="FILENAME"
>samba.schema</TT
> file.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>## /etc/openldap/slapd.conf
## schema files (core.schema is required by default)
include /etc/openldap/schema/core.schema
## needed for sambaAccount
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
## uncomment this line if you want to support the RFC2307 (NIS) schema
## include /etc/openldap/schema/nis.schema
....</PRE
></P
><P
>It is recommended that you maintain some indices on some of the most usefull attributes,
like in the following example, to speed up searches made on sambaAccount objectclasses
(and possibly posixAccount and posixGroup as well).</P
><P
><PRE
CLASS="PROGRAMLISTING"
># Indices to maintain
## required by OpenLDAP 2.0
index objectclass eq
## support pb_getsampwnam()
index uid pres,eq
## support pdb_getsambapwrid()
index rid eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
##index uidNumber eq
##index gidNumber eq
##index cn eq
##index memberUid eq</PRE
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2822">19.5.2. Configuring Samba</H2
><P
>The following parameters are available in smb.conf only with <TT
CLASS="PARAMETER"
><I
>--with-ldapsam</I
></TT
>
was included with compiling Samba.</P
><P
></P
><UL
><LI
><P
><A
HREF="smb.conf.5.html#LDAPSSL"
TARGET="_top"
>ldap ssl</A
></P
></LI
><LI
><P
><A
HREF="smb.conf.5.html#LDAPSERVER"
TARGET="_top"
>ldap server</A
></P
></LI
><LI
><P
><A
HREF="smb.conf.5.html#LDAPADMINDN"
TARGET="_top"
>ldap admin dn</A
></P
></LI
><LI
><P
><A
HREF="smb.conf.5.html#LDAPSUFFIX"
TARGET="_top"
>ldap suffix</A
></P
></LI
><LI
><P
><A
HREF="smb.conf.5.html#LDAPFILTER"
TARGET="_top"
>ldap filter</A
></P
></LI
><LI
><P
><A
HREF="smb.conf.5.html#LDAPPORT"
TARGET="_top"
>ldap port</A
></P
></LI
></UL
><P
>These are described in the <A
HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)</A
> man
page and so will not be repeated here. However, a sample smb.conf file for
use with an LDAP directory could appear as</P
><P
><PRE
CLASS="PROGRAMLISTING"
>## /usr/local/samba/lib/smb.conf
[global]
security = user
encrypt passwords = yes
netbios name = TASHTEGO
workgroup = NARNIA
# ldap related parameters
# define the DN to use when binding to the directory servers
# The password for this DN is not stored in smb.conf. Rather it
# must be set by using 'smbpasswd -w <TT
CLASS="REPLACEABLE"
><I
>secretpw</I
></TT
>' to store the
# passphrase in the secrets.tdb file. If the "ldap admin dn" values
# changes, this password will need to be reset.
ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
# specify the LDAP server's hostname (defaults to locahost)
ldap server = ahab.samba.org
# Define the SSL option when connecting to the directory
# ('off', 'start tls', or 'on' (default))
ldap ssl = start tls
# define the port to use in the LDAP session (defaults to 636 when
# "ldap ssl = on")
ldap port = 389
# specify the base DN to use when searching the directory
ldap suffix = "ou=people,dc=samba,dc=org"
# generally the default ldap search filter is ok
# ldap filter = "(&amp;(uid=%u)(objectclass=sambaAccount))"</PRE
></P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2850">19.6. Accounts and Groups management</H1
><P
>As users accounts are managed thru the sambaAccount objectclass, you should
modify you existing administration tools to deal with sambaAccount attributes.</P
><P
>Machines accounts are managed with the sambaAccount objectclass, just
like users accounts. However, it's up to you to stored thoses accounts
in a different tree of you LDAP namespace: you should use
"ou=Groups,dc=plainjoe,dc=org" to store groups and
"ou=People,dc=plainjoe,dc=org" to store users. Just configure your
NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
file).</P
><P
>In Samba release 2.2.3, the group management system is based on posix
groups. This meand that Samba make usage of the posixGroup objectclass.
For now, there is no NT-like group system management (global and local
groups).</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2855">19.7. Security and sambaAccount</H1
><P
>There are two important points to remember when discussing the security
of sambaAccount entries in the directory.</P
><P
></P
><UL
><LI
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Never</I
></SPAN
> retrieve the lmPassword or
ntPassword attribute values over an unencrypted LDAP session.</P
></LI
><LI
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Never</I
></SPAN
> allow non-admin users to
view the lmPassword or ntPassword attribute values.</P
></LI
></UL
><P
>These password hashes are clear text equivalents and can be used to impersonate
the user without deriving the original clear text strings. For more information
on the details of LM/NT password hashes, refer to the <A
HREF="ENCRYPTION.html"
TARGET="_top"
>ENCRYPTION chapter</A
> of the Samba-HOWTO-Collection.</P
><P
>To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
to require an encrypted session (<B
CLASS="COMMAND"
>ldap ssl = on</B
>) using
the default port of 636
when contacting the directory server. When using an OpenLDAP 2.0 server, it
is possible to use the use the StartTLS LDAP extended operation in the place of
LDAPS. In either case, you are strongly discouraged to disable this security
(<B
CLASS="COMMAND"
>ldap ssl = off</B
>).</P
><P
>Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
extended operation. However, the OpenLDAP library still provides support for
the older method of securing communication between clients and servers.</P
><P
>The second security precaution is to prevent non-administrative users from
harvesting password hashes from the directory. This can be done using the
following ACL in <TT
CLASS="FILENAME"
>slapd.conf</TT
>:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>## allow the "ldap admin dn" access, but deny everyone else
access to attrs=lmPassword,ntPassword
by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
by * none</PRE
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2875">19.8. LDAP specials attributes for sambaAccounts</H1
><P
>The sambaAccount objectclass is composed of the following attributes:</P
><P
></P
><UL
><LI
><P
><TT
CLASS="CONSTANT"
>lmPassword</TT
>: the LANMAN password 16-byte hash stored as a character
representation of a hexidecimal string.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>ntPassword</TT
>: the NT password hash 16-byte stored as a character
representation of a hexidecimal string.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>pwdLastSet</TT
>: The integer time in seconds since 1970 when the
<TT
CLASS="CONSTANT"
>lmPassword</TT
> and <TT
CLASS="CONSTANT"
>ntPassword</TT
> attributes were last set.
</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>acctFlags</TT
>: string of 11 characters surrounded by square brackets []
representing account flags such as U (user), W(workstation), X(no password expiration), and
D(disabled).</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>logonTime</TT
>: Integer value currently unused</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>logoffTime</TT
>: Integer value currently unused</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>kickoffTime</TT
>: Integer value currently unused</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>pwdCanChange</TT
>: Integer value currently unused</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>pwdMustChange</TT
>: Integer value currently unused</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>homeDrive</TT
>: specifies the drive letter to which to map the
UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
smb.conf(5) man page for more information.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>scriptPath</TT
>: The scriptPath property specifies the path of
the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
is relative to the netlogon share. Refer to the "logon script" parameter in the
smb.conf(5) man page for more information.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>profilePath</TT
>: specifies a path to the user's profile.
This value can be a null string, a local absolute path, or a UNC path. Refer to the
"logon path" parameter in the smb.conf(5) man page for more information.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>smbHome</TT
>: The homeDirectory property specifies the path of
the home directory for the user. The string can be null. If homeDrive is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network
UNC path of the form \\server\share\directory. This value can be a null string.
Refer to the "logon home" parameter in the smb.conf(5) man page for more information.
</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>userWorkstation</TT
>: character string value currently unused.
</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>rid</TT
>: the integer representation of the user's relative identifier
(RID).</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>primaryGroupID</TT
>: the relative identifier (RID) of the primary group
of the user.</P
></LI
></UL
><P
>The majority of these parameters are only used when Samba is acting as a PDC of
a domain (refer to the <A
HREF="Samba-PDC-HOWTO.html"
TARGET="_top"
>Samba-PDC-HOWTO</A
> for details on
how to configure Samba as a Primary Domain Controller). The following four attributes
are only stored with the sambaAccount entry if the values are non-default values:</P
><P
></P
><UL
><LI
><P
>smbHome</P
></LI
><LI
><P
>scriptPath</P
></LI
><LI
><P
>logonPath</P
></LI
><LI
><P
>homeDrive</P
></LI
></UL
><P
>These attributes are only stored with the sambaAccount entry if
the values are non-default values. For example, assume TASHTEGO has now been
configured as a PDC and that <B
CLASS="COMMAND"
>logon home = \\%L\%u</B
> was defined in
its <TT
CLASS="FILENAME"
>smb.conf</TT
> file. When a user named "becky" logons to the domain,
the <TT
CLASS="PARAMETER"
><I
>logon home</I
></TT
> string is expanded to \\TASHTEGO\becky.
If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
this value is used. However, if this attribute does not exist, then the value
of the <TT
CLASS="PARAMETER"
><I
>logon home</I
></TT
> parameter is used in its place. Samba
will only write the attribute value to the directory entry is the value is
something other than the default (e.g. \\MOBY\becky).</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2945">19.9. Example LDIF Entries for a sambaAccount</H1
><P
>The following is a working LDIF with the inclusion of the posixAccount objectclass:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>dn: uid=guest2, ou=people,dc=plainjoe,dc=org
ntPassword: 878D8014606CDA29677A44EFA1353FC7
pwdMustChange: 2147483647
primaryGroupID: 1201
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
pwdLastSet: 1010179124
logonTime: 0
objectClass: sambaAccount
uid: guest2
kickoffTime: 2147483647
acctFlags: [UX ]
logoffTime: 2147483647
rid: 19006
pwdCanChange: 0</PRE
></P
><P
>The following is an LDIF entry for using both the sambaAccount and
posixAccount objectclasses:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
logonTime: 0
displayName: Gerald Carter
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
primaryGroupID: 1201
objectClass: posixAccount
objectClass: sambaAccount
acctFlags: [UX ]
userPassword: {crypt}BpM2ej8Rkzogo
uid: gcarter
uidNumber: 9000
cn: Gerald Carter
loginShell: /bin/bash
logoffTime: 2147483647
gidNumber: 100
kickoffTime: 2147483647
pwdLastSet: 1010179230
rid: 19000
homeDirectory: /home/tashtego/gcarter
pwdCanChange: 0
pwdMustChange: 2147483647
ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2953">19.10. Comments</H1
><P
>Please mail all comments regarding this HOWTO to <A
HREF="mailto:jerry@samba.org"
TARGET="_top"
>jerry@samba.org</A
>. This documents was
last updated to reflect the Samba 2.2.3 release.&#13;</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="vfs.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="cvs-access.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Stackable VFS modules</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>HOWTO Access Samba source code via CVS</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
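Review bot: The slapd.conf ACL in section 19.7 grants write on lmPassword and ntPassword to dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org", but the sample smb.conf earlier in this file sets ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org". A reader who copies both ends up with an ACL whose "by * none" clause also shuts out the DN that Samba binds with, so use one admin DN and one suffix across the examples. Two smaller inconsistencies in the same text: the list of attributes stored only when non-default names logonPath while the attribute documented in 19.8 is profilePath, and the first LDIF in 19.9 is introduced as including the posixAccount objectclass but carries only objectClass: sambaAccount.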

View File

@ -1,9 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 5. 
Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-pdc.html#id2892606">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2890204">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890219">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2890419">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2890733">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2891029">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2891052">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2891067">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2893786">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2893891">Common Problems and Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893898">I 
cannot include a '$' in a machine name</a></dt><dt><a href="samba-pdc.html#id2893936">I get told &quot;You already have a connection to the Domain....&quot;
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 5. 
Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-pdc.html#id2891986">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2892290">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2892306">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2892517">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2892837">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2893136">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2893157">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893173">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2893499">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2893607">Common Problems and Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893614">I 
cannot include a '$' in a machine name</a></dt><dt><a href="samba-pdc.html#id2893653">I get told &quot;You already have a connection to the Domain....&quot;
or &quot;Cannot join domain, the credentials supplied conflict with an
existing set..&quot; when creating a machine trust account.</a></dt><dt><a href="samba-pdc.html#id2893986">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2894057">The machine trust account for this computer either does not
exist or is not accessible.</a></dt><dt><a href="samba-pdc.html#id2894114">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
I get a message about my account being disabled.</a></dt><dt><a href="samba-pdc.html#id2894140">Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</a></dt></dl></dd></dl></div><p><b><span class="emphasis"><em>The Essence of Learning:</em></span> </b>
existing set..&quot; when creating a machine trust account.</a></dt><dt><a href="samba-pdc.html#id2893703">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2893773">The machine trust account for this computer either does not
exist or is not accessible.</a></dt><dt><a href="samba-pdc.html#id2893836">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
I get a message about my account being disabled.</a></dt><dt><a href="samba-pdc.html#id2893863">Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</a></dt></dl></dd></dl></div><p><b><span class="emphasis"><em>The Essence of Learning:</em></span> </b>
There are many who approach MS Windows networking with incredible misconceptions.
That's OK, because it gives the rest of us plenty of opportunity to be of assistance.
Those who really want help would be well advised to become familiar with information
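Review bot: The table-of-contents lines in this hunk differ only in their generated anchors (for example samba-pdc.html#id2892606 becomes samba-pdc.html#id2891986), so every regeneration renumbers the fragment ids and invalidates any external link or bookmark into these sections. Give the sections explicit id attributes in the DocBook source, as the chapter already has with name="samba-pdc", so the anchors stay stable and a regenerated diff shrinks to the real text changes.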
@ -16,7 +15,7 @@ of persistent niggles that may be caused by broken network or system configurati
To a great many people however, MS Windows networking starts with a domain controller
that in some magical way is expected to solve all ills.
</p><p>
From the Samba mailing list one can readilly identify many common networking issues.
From the Samba mailing list one can readily identify many common networking issues.
If you are not clear on the following subjects, then it will do much good to read the
sections of this HOWTO that deal with it. These are the most common causes of MS Windows
networking problems:
@ -33,7 +32,7 @@ burden on an organisation.
Where is the right place to make mistakes? Only out of harm's way! If you are going to
make mistakes, then please do this on a test network, away from users and in such a way as
to not inflict pain on others. Do your learning on a test network.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892606"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891986"></a>Features and Benefits</h2></div></div><div></div></div><p>
<span class="emphasis"><em>What is the key benefit of Microsoft Domain security?</em></span>
</p><p>
In a word, <span class="emphasis"><em>Single Sign On</em></span>, or SSO for short. To many, this is the holy
@ -96,7 +95,7 @@ Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to
user and machine trust account information in a suitable backend data store. With Samba-3
there can be multiple back-ends for this including:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<span class="emphasis"><em>smbpasswd</em></span> - the plain ascii file stored used by
<span class="emphasis"><em>smbpasswd</em></span> - the plain ASCII file stored used by
earlier versions of Samba. This file configuration option requires
a Unix/Linux system account for EVERY entry (ie: both for user and for
machine accounts). This file will be located in the <span class="emphasis"><em>private</em></span>
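Review bot: The smbpasswd line corrected from "ascii" to "ASCII" still reads "the plain ASCII file stored used by earlier versions of Samba"; one of "stored" and "used" is left over from an earlier edit. Fix the wording in the DocBook source in the same pass, since this list is where a reader chooses the password backend.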
@ -105,7 +104,7 @@ there can be multiple back-ends for this including:
<span class="emphasis"><em>tdbsam</em></span> - a binary database backend that will be
stored in the <span class="emphasis"><em>private</em></span> directory in a file called
<span class="emphasis"><em>passdb.tdb</em></span>. The key benefit of this binary format
file is that it can store binary objects that can not be accomodated
file is that it can store binary objects that can not be accommodated
in the traditional plain text smbpasswd file. These permit the extended
account controls that MS Windows NT4 and later also have.
</p></li><li><p>
@ -131,11 +130,11 @@ per user settings for many parameters, over-riding global settings given in the
Thus, with samba-3 it is possible to have a default system configuration for profiles,
and on a per user basis to over-ride this for those users who should not be subject
to the default configuration.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890204"></a>Basics of Domain Control</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892290"></a>Basics of Domain Control</h2></div></div><div></div></div><p>
Over the years, public perceptions of what Domain Control really is has taken on an
almost mystical nature. Before we branch into a brief overview of Domain Control,
there are three basic types of domain controllers:
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890219"></a>Domain Controller Types</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892306"></a>Domain Controller Types</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p>
The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in the MS
Windows NT4 and Windows 200x Domain Control architecture, but not in the manner that so many
expect. There is folk lore that dictates that because of it's role in the MS Windows
@ -150,7 +149,7 @@ part in NT4 type domain user authentication and in synchronisation of the domain
database with Backup Domain Controllers.
</p><p>
With MS Windows 200x Server based Active Directory domains, one domain controller seeds a potential
hierachy of domain controllers, each with their own area of delegated control. The master domain
hierarchy of domain controllers, each with their own area of delegated control. The master domain
controller has the ability to override any down-stream controller, but a down-line controller has
control only over it's down-line. With Samba-3 this functionality can be implemented using an
LDAP based user and machine account back end.
@ -167,10 +166,10 @@ On a network segment that has a BDC and a PDC the BDC will be most likely to ser
logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
operation; the PDB and BDC must be manually configured and changes need to be made likewise.
operation; the PDC and BDC must be manually configured and changes need to be made likewise.
</p><p>
With MS Windows NT4, it is an install time decision what type of machine the server will be.
It is possible to change the promote a BDC to a PDC and vica versa only, but the only way
It is possible to change the promote a BDC to a PDC and vice versa only, but the only way
to convert a domain controller to a domain member server or a stand-alone server is to
reinstall it. The install time choices offered are:
</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Primary Domain Controller</em></span> - The one that seeds the domain SAM</p></li><li><p><span class="emphasis"><em>Backup Domain Controller</em></span> - One that obtains a copy of the domain SAM</p></li><li><p><span class="emphasis"><em>Domain Member Server</em></span> - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</p></li><li><p><span class="emphasis"><em>Stand-Alone Server</em></span> - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</p></li></ul></div><p>
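Review bot: The line that corrects "vica versa" still says "It is possible to change the promote a BDC to a PDC and vice versa only", which does not parse and leaves the role-change rule unclear. Something like "It is possible to promote a BDC to a PDC and vice versa, but the only way to convert a domain controller to a domain member server or a stand-alone server is to reinstall it" states what the rest of the sentence implies. The Stand-Alone Server item in the list that follows has the same kind of leftovers ("plays NO part is SAM synchronisation", "has it's own").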
@ -187,7 +186,7 @@ At this time any appearance that Samba-3 is capable of acting as an
This functionality should not be used until the Samba-Team offers formal support for it.
At such a time, the documentation will be revised to duly reflect all configuration and
management requirements.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890419"></a>Preparing for Domain Control</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892517"></a>Preparing for Domain Control</h3></div></div><div></div></div><p>
There are two ways that MS Windows machines may interact with each other, with other servers,
and with Domain Controllers: Either as <span class="emphasis"><em>Stand-Alone</em></span> systems, more commonly
called <span class="emphasis"><em>Workgroup</em></span> members, or as full participants in a security system,
@ -219,7 +218,7 @@ NT4 / 200x / XP clients.
<a href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba">MS Windows network Integration</a>)</td></tr><tr><td>Domain logons for Windows NT4 / 200x / XP Professional clients</td></tr><tr><td>Configuration of Roaming Profiles or explicit configuration to force local profile usage</td></tr><tr><td>Configuration of Network/System Policies</td></tr><tr><td>Adding and managing domain user accounts</td></tr><tr><td>Configuring MS Windows client machines to become domain members</td></tr></table><p>
The following provisions are required to serve MS Windows 9x / Me Clients:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Configuration of basic TCP/IP and MS Windows Networking</td></tr><tr><td>Correct designation of the Server Role (<i class="parameter"><tt>security = user</tt></i>)</td></tr><tr><td>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really particpate in the security aspects of Domain logons as such)</td></tr><tr><td>Roaming Profile Configuration</td></tr><tr><td>Configuration of System Policy handling</td></tr><tr><td>Installation of the Network driver &quot;Client for MS Windows Networks&quot; and configuration
members, they do not really participate in the security aspects of Domain logons as such)</td></tr><tr><td>Roaming Profile Configuration</td></tr><tr><td>Configuration of System Policy handling</td></tr><tr><td>Installation of the Network driver &quot;Client for MS Windows Networks&quot; and configuration
to log onto the domain</td></tr><tr><td>Placing Windows 9x / Me clients in user level security - if it is desired to allow
all client share access to be controlled according to domain user / group identities.</td></tr><tr><td>Adding and managing domain user accounts</td></tr></table><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Roaming Profiles and System/Network policies are advanced network administration topics
@ -248,7 +247,7 @@ domain/workgroup. Local master browsers in the same domain/workgroup on broadcas
then ask for a complete copy of the browse list for the whole wide area network. Browser clients
will then contact their local master browser, and will receive the domain-wide browse list,
instead of just the list for their broadcast-isolated subnet.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890733"></a>Domain Control - Example Configuration</h2></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892837"></a>Domain Control - Example Configuration</h2></div></div><div></div></div><p>
The first step in creating a working Samba PDC is to understand the parameters necessary
in <tt class="filename">smb.conf</tt>. Here we attempt to explain the parameters that are covered in
the <tt class="filename">smb.conf</tt> man page.
@ -302,20 +301,20 @@ Here is an example <tt class="filename">smb.conf</tt> for acting as a PDC:
<a href="smb.conf.5.html#READONLY" target="_top">read only</a> = no
<a href="smb.conf.5.html#CREATEMASK" target="_top">create mask</a> = 0600
<a href="smb.conf.5.html#DIRECTORYMASK" target="_top">directory mask</a> = 0700
</pre><div xmlns:ns5="" class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><ns5:p>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above parameters make for a full set of parameters that may define the server's mode
of operation. The following parameters are the essentials alone:
</ns5:p><pre class="programlisting">
</p><pre class="programlisting">
workgroup = NARNIA
domain logons = Yes
domain master = Yes
security = User
</pre><ns5:p>
</pre><p>
The additional parameters shown in the longer listing above just makes for a
more complete environment.
</ns5:p></div><p>
</p></div><p>
There are a couple of points to emphasize in the above configuration.
</p><div class="itemizedlist"><ul type="disc"><li><p>
Encrypted passwords must be enabled. For more details on how
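Review bot: The "essentials alone" listing in the note (workgroup, domain logons, domain master, security) omits encrypt passwords, yet the first point made right after it is "Encrypted passwords must be enabled". Either add the parameter to the short listing or state in the note why it can be left out, so that a reader who copies only those four lines is not left guessing whether the requirement is met.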
@ -328,23 +327,23 @@ There are a couple of points to emphasize in the above configuration.
client to locate the server as a DC. Please refer to the various
Network Browsing documentation included with this distribution for
details.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891029"></a>Samba ADS Domain Control</h2></div></div><div></div></div><p>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893136"></a>Samba ADS Domain Control</h2></div></div><div></div></div><p>
Samba-3 is not and can not act as an Active Directory Server. It can not truly function as
an Active Directory Primary Domain Controller. The protocols for some of the functionality
the Active Directory Domain Controllers is have been partially implemented on an experimental
only basis. Please do NOT expect Samba-3 to support these protocols - nor should you depend
on any such functionality either now or in the future. The Samba-Team may well remove such
experiemental features or may change their behaviour.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891052"></a>Domain and Network Logon Configuration</h2></div></div><div></div></div><p>
experimental features or may change their behaviour.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893157"></a>Domain and Network Logon Configuration</h2></div></div><div></div></div><p>
The subject of Network or Domain Logons is discussed here because it rightly forms
an integral part of the essential functionality that is provided by a Domain Controller.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2891067"></a>Domain Network Logon Service</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893173"></a>Domain Network Logon Service</h3></div></div><div></div></div><p>
All Domain Controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span>
in Samba). One Domain Controller must be configured with <i class="parameter"><tt>domain master = Yes</tt></i>
(the Primary Domain Controller); on ALL Backup Domain Controllers <i class="parameter"><tt>domain master = No</tt></i>
must be set.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891100"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting">
[globals]
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2893206"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting">
[global]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)
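Review bot: The sentence in the "Samba ADS Domain Control" paragraph still reads "The protocols for some of the functionality the Active Directory Domain Controllers is have been partially implemented on an experimental only basis", which does not parse, even though the "experiemental" typo a few lines below it is corrected. This file is generated, so fix the wording in the DocBook source (for example "some of the functionality of Active Directory Domain Controllers have been partially implemented on an experimental-only basis") and regenerate. In the example, `domain master = (Yes on PDC, No on BDCs)` is a placeholder rather than a literal value and could be marked as one.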
@ -353,7 +352,7 @@ must be set.
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891119"></a>The Special Case of MS Windows XP Home Edition</h4></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2893226"></a>The Special Case of MS Windows XP Home Edition</h4></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows XP Home Edition does not have the ability to join any type of Domain
security facility. Unlike, MS Windows 9x / Me, MS Windows XP Home Edition also completely
lacks the ability to log onto a network.
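Review bot: The netlogon share in the example sets `guest ok = Yes`, and no read-only setting appears in the visible lines of the listing. Logon scripts are served from this path, so the example should state `read only = Yes` explicitly instead of leaving it to the default, which protects anyone who copies the fragment into a configuration where the default has been changed. In the XP Home note, "Unlike, MS Windows 9x / Me" has a stray comma after "Unlike".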
@ -365,7 +364,7 @@ MS Windows XP Professional.
</p><p>
Now that this has been said, please do NOT ask the mailing list, or email any of the
Samba-Team members with your questions asking how to make this work. It can't be done.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891154"></a>The Special Case of Windows 9x / Me</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2893261"></a>The Special Case of Windows 9x / Me</h4></div></div><div></div></div><p>
A domain and a workgroup are exactly the same thing in terms of network
browsing. The difference is that a distributable authentication
database is associated with a domain, for secure login access to a
@ -445,7 +444,7 @@ The main difference between a PDC and a Windows 9x logon server configuration is
</p></li></ul></div><p>
A Samba PDC will act as a Windows 9x logon server; after all, it does provide the
network logon services that MS Windows 9x / Me expect to find.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893786"></a>Security Mode and Master Browsers</h3></div></div><div></div></div><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893499"></a>Security Mode and Master Browsers</h3></div></div><div></div></div><p>
There are a few comments to make in order to tie up some
loose ends. There has been much debate over the issue of whether
or not it is ok to configure Samba as a Domain Controller in security
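Review bot: The anchor on the "Security Mode and Master Browsers" heading is a generated id (`id2893786` becomes `id2893499`) and nothing else in this hunk changes, so any link that targets this section from outside the page breaks with this regeneration. Give the section an explicit id in the DocBook source so the anchor stays stable across rebuilds; the same applies to the other `id28…` anchors renumbered throughout this file.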
@ -479,7 +478,7 @@ Configuring a Samba box as a DC for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba DC
to be the DMB for its domain and set <i class="parameter"><tt>security = user</tt></i>.
This is the only officially supported mode of operation.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893891"></a>Common Problems and Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893898"></a>I cannot include a '$' in a machine name</h3></div></div><div></div></div><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893607"></a>Common Problems and Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893614"></a>I cannot include a '$' in a machine name</h3></div></div><div></div></div><p>
A 'machine account', (typically) stored in <tt class="filename">/etc/passwd</tt>,
takes the form of the machine name with a '$' appended. FreeBSD (and other BSD
systems?) won't create a user with a '$' in their name.
@ -487,7 +486,7 @@ systems?) won't create a user with a '$' in their name.
The problem is only in the program used to make the entry. Once made, it works perfectly.
Create a user without the '$'. Then use <b class="command">vipw</b> to edit the entry, adding
the '$'. Or create the whole entry with vipw if you like; make sure you use a unique User ID!
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893936"></a>I get told &quot;You already have a connection to the Domain....&quot;
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893653"></a>I get told &quot;You already have a connection to the Domain....&quot;
or &quot;Cannot join domain, the credentials supplied conflict with an
existing set..&quot; when creating a machine trust account.</h3></div></div><div></div></div><p>
This happens if you try to create a machine trust account from the
@ -501,7 +500,7 @@ Further, if the machine is already a 'member of a workgroup' that
is the same name as the domain you are joining (bad idea) you will
get this message. Change the workgroup name to something else, it
does not matter what, reboot, and try again.
</p></div><div xmlns:ns6="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893986"></a>The system can not log you on (C000019B)....</h3></div></div><div></div></div><p>I joined the domain successfully but after upgrading
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893703"></a>The system can not log you on (C000019B)....</h3></div></div><div></div></div><p>I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, <span class="errorname">The system
can not log you on (C000019B), Please try again or consult your
system administrator</span> when attempting to logon.
@ -512,14 +511,14 @@ the domain name and/or the server name (NetBIOS name) is changed.
The only way to correct the problem is to restore the original domain
SID or remove the domain client from the domain and rejoin. The domain
SID may be reset using either the net or rpcclient utilities.
</p><ns6:p>
</p><p>
The reset or change the domain SID you can use the net command as follows:
</ns6:p><pre class="screen">
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net getlocalsid 'OLDNAME'</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>net setlocalsid 'SID'</tt></b>
</pre><ns6:p>
</ns6:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894057"></a>The machine trust account for this computer either does not
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893773"></a>The machine trust account for this computer either does not
exist or is not accessible.</h3></div></div><div></div></div><p>
When I try to join the domain I get the message <span class="errorname">The machine account
for this computer either does not exist or is not accessible</span>. What's
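Review bot: The lead-in to the `net getlocalsid` / `net setlocalsid` listing reads "The reset or change the domain SID you can use the net command as follows:", where "The" should be "To"; the tag cleanup from `<ns6:p>` to `<p>` touches that paragraph without fixing it. An empty `<p>` also remains directly after the closing `</pre>`, which suggests the source wraps the screen block in a paragraph; correct both in the DocBook source.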
@ -532,7 +531,7 @@ admin user system is working.
</p><p>
Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
correct for the machine trust account in smbpasswd file on the Samba PDC.
correct for the machine trust account in <tt class="filename">smbpasswd</tt> file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
@ -542,10 +541,10 @@ Some people have also reported
that inconsistent subnet masks between the Samba server and the NT
client can cause this problem. Make sure that these are consistent
for both client and server.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894114"></a>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893836"></a>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
I get a message about my account being disabled.</h3></div></div><div></div></div><p>
Enable the user accounts with <b class="userinput"><tt>smbpasswd -e <i class="replaceable"><tt>username</tt></i>
</tt></b>, this is normally done as an account is created.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894140"></a>Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893863"></a>Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</h3></div></div><div></div></div><p>
A domain controller has to announce on the network who it is. This usually takes a while.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Server Types and Security Modes </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Backup Domain Control</td></tr></table></div></body></html>

View File

@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="samba.7"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>Samba &#8212; A Windows SMB/CIFS fileserver for UNIX</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">Samba</tt> </p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>The Samba software suite is a collection of programs
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="samba.7"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>samba &#8212; A Windows SMB/CIFS fileserver for UNIX</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">Samba</tt> </p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>The Samba software suite is a collection of programs
that implements the Server Message Block (commonly abbreviated
as SMB) protocol for UNIX systems. This protocol is sometimes
also referred to as the Common Internet File System (CIFS). For a
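Review bot: The refname is lowercased to `samba` in the Name section, but the synopsis on the same line still renders `<tt class="command">Samba</tt>`, so the page now names the entry two ways. Pick one form in the source and use it in both places.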

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. Securing Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="locking.html" title="Chapter 14. File and Record Locking"><link rel="next" href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. Securing Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 15. 
Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="securing-samba.html#id2929518">Introduction</a></dt><dt><a href="securing-samba.html#id2929550">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2928211">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2928229">Using host based protection</a></dt><dt><a href="securing-samba.html#id2928297">User based protection</a></dt><dt><a href="securing-samba.html#id2928349">Using interface protection</a></dt><dt><a href="securing-samba.html#id2928399">Using a firewall</a></dt><dt><a href="securing-samba.html#id2928455">Using a IPC$ share deny</a></dt><dt><a href="securing-samba.html#id2928521">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2928559">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2928583">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2928602">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="securing-samba.html#id2928626">Why can users access home directories of other users?</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a name="id2929518"></a>Introduction</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. Securing Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="locking.html" title="Chapter 14. File and Record Locking"><link rel="next" href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. Securing Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 15. 
Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="securing-samba.html#id2931943">Introduction</a></dt><dt><a href="securing-samba.html#id2931976">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2932050">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2932069">Using host based protection</a></dt><dt><a href="securing-samba.html#id2932140">User based protection</a></dt><dt><a href="securing-samba.html#id2932191">Using interface protection</a></dt><dt><a href="securing-samba.html#id2932244">Using a firewall</a></dt><dt><a href="securing-samba.html#id2932300">Using a IPC$ share deny</a></dt><dt><a href="securing-samba.html#id2932362">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2932402">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2932426">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2932444">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="securing-samba.html#id2932469">Why can users access home directories of other users?</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" 
style="clear: both"><a name="id2931943"></a>Introduction</h2></div></div><div></div></div><p>
This note was attached to the Samba 2.2.8 release notes as it contained an
important security fix. The information contained here applies to Samba
installations in general.
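Review bot: The hunk header `-1,5 +1,4` drops one line and only a single `<!DOCTYPE HTML PUBLIC …>` line is present at the top of the hunk, so the regenerated page appears to lose its DOCTYPE declaration. Confirm that this is intended output of the build, because a page served without a DOCTYPE is rendered in quirks mode.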
@ -11,7 +10,7 @@ on it!&quot;
Security concerns are just like that: You need to know a little about the subject to appreciate
how obvious most of it really is. The challenge for most of us is to discover that first morsel
of knowledge with which we may unlock the secrets of the masters.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929550"></a>Features and Benefits</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931976"></a>Features and Benefits</h2></div></div><div></div></div><p>
There are three level at which security principals must be observed in order to render a site
at least moderately secure. These are: the perimeter firewall, the configuration of the host
server that is running Samba, and Samba itself.
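Review bot: The opening sentence of "Features and Benefits" reads "There are three level at which security principals must be observed"; it should be "three levels" and "security principles". "Principals" is a real term in access control, so the misspelling is misleading in a security chapter and worth fixing in the source.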
@ -30,13 +29,13 @@ TCP/IP connections.
Another method by which Samba may be secured is by way of setting Access Control Entries in an Access
Control List on the shares themselves. This is discussed in the chapter on File, Directory and Share Access
Control.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928211"></a>Technical Discussion of Protective Measures and Issues</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932050"></a>Technical Discussion of Protective Measures and Issues</h2></div></div><div></div></div><p>
The key challenge of security is the fact that protective measures suffice at best
only to close the door on known exploits and breach techniques. Never assume that
because you have followed these few measures that the Samba server is now an impenetrable
fortress! Given the history of information systems so far, it is only a matter of time
before someone will find yet another vulnerability.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928229"></a>Using host based protection</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932069"></a>Using host based protection</h3></div></div><div></div></div><p>
In many installations of Samba the greatest threat comes for outside
your immediate network. By default Samba will accept connections from
any host, which means that if you run an insecure version of Samba on
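Review bot: The first sentence under "Using host based protection" says "the greatest threat comes for outside your immediate network"; "for" should be "from". Only the anchor id changes in this section, so the typo carries through the regeneration and needs fixing in the DocBook source.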
@ -56,7 +55,7 @@ before someone will find yet another vulnerability.
192.168.3. All other connections will be refused as soon
as the client sends its first packet. The refusal will be marked as a
<span class="errorname">not listening on called name</span> error.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928297"></a>User based protection</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932140"></a>User based protection</h3></div></div><div></div></div><p>
If you want to restrict access to your server to valid users only then the following
method may be of use. In the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[globals]</tt></i> section put:
</p><pre class="programlisting">
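Review bot: The "User based protection" text still tells the reader to put the setting in the `smb.conf` `[globals]` section, while the example in the domain control chapter is corrected from `[globals]` to `[global]` in this same commit. The section name is `[global]`; a section called `[globals]` is treated as an ordinary share definition, so a user restriction placed there would not apply server-wide. Correct the name in the source for this chapter as well.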
@ -64,7 +63,7 @@ before someone will find yet another vulnerability.
</pre><p>
What this does is, it restricts all server access to either the user <span class="emphasis"><em>jacko</em></span>
or to members of the system group <span class="emphasis"><em>smbusers</em></span>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928349"></a>Using interface protection</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932191"></a>Using interface protection</h3></div></div><div></div></div><p>
By default Samba will accept connections on any network interface that
it finds on your system. That means if you have a ISDN line or a PPP
connection to the Internet then Samba will accept connections on those
@ -86,7 +85,7 @@ before someone will find yet another vulnerability.
connection refused reply. In that case no Samba code is run at all as
the operating system has been told not to pass connections from that
interface to any samba process.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928399"></a>Using a firewall</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932244"></a>Using a firewall</h3></div></div><div></div></div><p>
Many people use a firewall to deny access to services that they don't
want exposed outside their network. This can be a very good idea,
although I would recommend using it in conjunction with the above
@ -99,7 +98,7 @@ before someone will find yet another vulnerability.
The last one is important as many older firewall setups may not be
aware of it, given that this port was only added to the protocol in
recent years.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928455"></a>Using a IPC$ share deny</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932300"></a>Using a IPC$ share deny</h3></div></div><div></div></div><p>
If the above methods are not suitable, then you could also place a
more specific deny on the IPC$ share that is used in the recently
discovered security hole. This allows you to offer access to other
@ -126,10 +125,10 @@ before someone will find yet another vulnerability.
</p><p>
This is not recommended unless you cannot use one of the other
methods listed above for some reason.
</p></div><div xmlns:ns41="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928521"></a>NTLMv2 Security</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932362"></a>NTLMv2 Security</h3></div></div><div></div></div><p>
To configure NTLMv2 authentication the following registry keys are worth knowing about:
</p><ns41:p>
</ns41:p><pre class="screen">
</p><p>
</p><pre class="screen">
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
&quot;lmcompatibilitylevel&quot;=dword:00000003
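Review bot: An empty `<p>` remains between "the following registry keys are worth knowing about:" and the `<pre class="screen">` block once `<ns41:p>` is replaced with `<p>`. The namespace cleanup is right, but the empty paragraph points to the screen block sitting inside a paragraph in the DocBook source; move it out there so the generated HTML carries no empty element.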
@ -143,25 +142,25 @@ before someone will find yet another vulnerability.
0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
session security is not negotiated.
</pre><ns41:p>
</ns41:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928559"></a>Upgrading Samba</h2></div></div><div></div></div><p>
</pre><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932402"></a>Upgrading Samba</h2></div></div><div></div></div><p>
Please check regularly on <a href="http://www.samba.org/" target="_top">http://www.samba.org/</a> for updates and
important announcements. Occasionally security releases are made and
it is highly recommended to upgrade Samba when a security vulnerability
is discovered.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928583"></a>Common Errors</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932426"></a>Common Errors</h2></div></div><div></div></div><p>
If all of samba and host platform configuration were really as intuitive as one might like then this
section would not be necessary. Security issues are often vexing for a support person to resolve, not
because of the complexity of the problem, but for reason that most admininstrators who post what turns
because of the complexity of the problem, but for reason that most administrators who post what turns
out to be a security problem request are totally convinced that the problem is with Samba.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928602"></a>Smbclient works on localhost, but the network is dead</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932444"></a>Smbclient works on localhost, but the network is dead</h3></div></div><div></div></div><p>
This is a very common problem. Red Hat Linux (as do others) will install a default firewall.
With the default firewall in place only traffic on the loopback adapter (IP address 127.0.0.1)
will be allowed through the firewall.
</p><p>
The solution is either to remove the firewall (stop it) or to modify the firewall script to
allow SMB networking traffic through. See section above in this chapter.
</p></div><div xmlns:ns42="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928626"></a>Why can users access home directories of other users?</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932469"></a>Why can users access home directories of other users?</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
We are unable to keep individual users from mapping to any other user's
home directory once they have supplied a valid password! They only need
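Review bot: The answer under "Smbclient works on localhost, but the network is dead" offers "remove the firewall (stop it)" as the first option and modifying it as the second, which runs against this chapter's own "Using a firewall" section. Lead with allowing SMB traffic through the firewall, and link to that section by name in place of "See section above in this chapter". In the "Common Errors" introduction, "for reason that most administrators who post what turns out to be a security problem request" still does not read cleanly after the spelling fix.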
@ -171,7 +170,7 @@ out to be a security problem request are totally convinced that the problem is w
</span>&#8221;
</p><p>&#8220;<span class="quote">
User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* elses home directory!
*anyone* else's home directory!
</span>&#8221;</p><p>
This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
@ -192,16 +191,16 @@ out to be a security problem request are totally convinced that the problem is w
Samba does allow the setup you require when you have set the
<i class="parameter"><tt>only user = yes</tt></i> option on the share, is that you have not set the
valid users list for the share.
</p><ns42:p>
</p><p>
Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :
</ns42:p><pre class="programlisting">
</p><pre class="programlisting">
users = %S
</pre><ns42:p>
</pre><p>
this is equivalent to:
</ns42:p><pre class="programlisting">
</p><pre class="programlisting">
valid users = %S
</pre><ns42:p>
</pre><p>
to the definition of the <i class="parameter"><tt>[homes]</tt></i> share, as recommended in
the <tt class="filename">smb.conf</tt> man page.
</ns42:p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. File and Record Locking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Interdomain Trust Relationships</td></tr></table></div></body></html>
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. File and Record Locking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Interdomain Trust Relationships</td></tr></table></div></body></html>
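Review bot: The instruction that closes the home-directory answer is split across three paragraphs and two listings, so it reads "add the line : `users = %S` this is equivalent to: `valid users = %S` to the definition of the [homes] share", which leaves it unclear which line belongs in `[homes]`. Restructure the source so the sentence is complete before the first listing and the equivalence is stated after it. The bare "only user" and "users=" in that text should also carry the same parameter markup as `only user = yes` a few lines above.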

View File

@ -1,234 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>User and Share security level (for servers not in a domain)</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Type of installation"
HREF="type.html"><LINK
REL="PREVIOUS"
TITLE="Type of installation"
HREF="type.html"><LINK
REL="NEXT"
TITLE="How to Configure Samba as a NT4 Primary Domain Controller"
HREF="samba-pdc.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="type.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="samba-pdc.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="SECURITYLEVELS">Chapter 5. User and Share security level (for servers not in a domain)</H1
><P
>A SMB server tells the client at startup what "security level" it is
running. There are two options "share level" and "user level". Which
of these two the client receives affects the way the client then tries
to authenticate itself. It does not directly affect (to any great
extent) the way the Samba server does security. I know this is
strange, but it fits in with the client/server approach of SMB. In SMB
everything is initiated and controlled by the client, and the server
can only tell the client what is available and whether an action is
allowed. </P
><P
>I'll describe user level security first, as its simpler. In user level
security the client will send a "session setup" command directly after
the protocol negotiation. This contains a username and password. The
server can either accept or reject that username/password
combination. Note that at this stage the server has no idea what
share the client will eventually try to connect to, so it can't base
the "accept/reject" on anything other than:</P
><P
></P
><OL
TYPE="1"
><LI
><P
>the username/password</P
></LI
><LI
><P
>the machine that the client is coming from</P
></LI
></OL
><P
>If the server accepts the username/password then the client expects to
be able to mount any share (using a "tree connection") without
specifying a password. It expects that all access rights will be as
the username/password specified in the "session setup". </P
><P
>It is also possible for a client to send multiple "session setup"
requests. When the server responds it gives the client a "uid" to use
as an authentication tag for that username/password. The client can
maintain multiple authentication contexts in this way (WinDD is an
example of an application that does this)</P
><P
>Ok, now for share level security. In share level security the client
authenticates itself separately for each share. It will send a
password along with each "tree connection" (share mount). It does not
explicitly send a username with this operation. The client is
expecting a password to be associated with each share, independent of
the user. This means that samba has to work out what username the
client probably wants to use. It is never explicitly sent the
username. Some commercial SMB servers such as NT actually associate
passwords directly with shares in share level security, but samba
always uses the unix authentication scheme where it is a
username/password that is authenticated, not a "share/password".</P
><P
>Many clients send a "session setup" even if the server is in share
level security. They normally send a valid username but no
password. Samba records this username in a list of "possible
usernames". When the client then does a "tree connection" it also adds
to this list the name of the share they try to connect to (useful for
home directories) and any users listed in the "user =" smb.conf
line. The password is then checked in turn against these "possible
usernames". If a match is found then the client is authenticated as
that user.</P
><P
>Finally "server level" security. In server level security the samba
server reports to the client that it is in user level security. The
client then does a "session setup" as described earlier. The samba
server takes the username/password that the client sends and attempts
to login to the "password server" by sending exactly the same
username/password that it got from the client. If that server is in
user level security and accepts the password then samba accepts the
clients connection. This allows the samba server to use another SMB
server as the "password server". </P
><P
>You should also note that at the very start of all this, where the
server tells the client what security level it is in, it also tells
the client if it supports encryption. If it does then it supplies the
client with a random "cryptkey". The client will then send all
passwords in encrypted form. You have to compile samba with encryption
enabled to support this feature, and you have to maintain a separate
smbpasswd file with SMB style encrypted passwords. It is
cryptographically impossible to translate from unix style encryption
to SMB style encryption, although there are some fairly simple management
schemes by which the two could be kept in sync.</P
><P
>"security = server" means that Samba reports to clients that
it is running in "user mode" but actually passes off all authentication
requests to another "user mode" server. This requires an additional
parameter "password server =" that points to the real authentication server.
That real authentication server can be another Samba server or can be a
Windows NT server, the later natively capable of encrypted password support.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="samba-pdc.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Type of installation</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="type.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>How to Configure Samba as a NT4 Primary Domain Controller</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
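Review bot: missing pointer to a replacement for the deleted "User and Share security level" chapter: the whole file goes (-1,234 +0,0) and the commit message says only "regenerate docs". The Part II table of contents further down this commit lists "User Level Security", "Share Level Security" and "Server Security" under ServerType.html, so please confirm that the two behaviours this page spelled out survive there: that in share level security the password is checked in turn against a list of "possible usernames", and that "security = server" passes the client's username/password on unchanged to the "password server". Also check that no remaining page still links to this file through its Prev/Next slot between type.html and samba-pdc.html.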

File diff suppressed because one or more lines are too long

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 39. Samba Performance Tuning</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"><link rel="next" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 39. Samba Performance Tuning</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="speed"></a>Chapter 39. 
Samba Performance Tuning</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Cochrane</span></h3><div class="affiliation"><span class="orgname">Dundee Limb Fitting Centre<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="speed.html#id3014177">Comparisons</a></dt><dt><a href="speed.html#id3014222">Socket options</a></dt><dt><a href="speed.html#id3014295">Read size</a></dt><dt><a href="speed.html#id3014339">Max xmit</a></dt><dt><a href="speed.html#id3014392">Log level</a></dt><dt><a href="speed.html#id3014415">Read raw</a></dt><dt><a href="speed.html#id3015357">Write raw</a></dt><dt><a href="speed.html#id3015399">Slow Logins</a></dt><dt><a href="speed.html#id3015420">LDAP</a></dt><dt><a href="speed.html#id3015445">Client tuning</a></dt><dt><a href="speed.html#id3015468">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3015501">Corrupt tdb Files</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
name="id3014177"></a>Comparisons</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 39. Samba Performance Tuning</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"><link rel="next" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 39. Samba Performance Tuning</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="speed"></a>Chapter 39. 
Samba Performance Tuning</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Cochrane</span></h3><div class="affiliation"><span class="orgname">Dundee Limb Fitting Centre<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
name="id3018768"></a>Comparisons</h2></div></div><div></div></div><p>
The Samba server uses TCP to talk to the client. Thus if you are
trying to see if it performs well you should really compare it to
programs that use the same protocol. The most readily available
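Review bot: the DOCTYPE line at the top of this hunk has no counterpart in the regenerated output (the header is -1,5 +1,4 and the line appears only once), so the page ships without a doctype and browsers will render it in quirks mode; if that is a side effect of the stylesheet run rather than a decision, restore it in the stylesheet output settings. The same hunk renumbers the generated anchors (id3014177 becomes id3018768 for "Comparisons", and likewise for every other section), which breaks existing deep links and accounts for most of the churn in the hunks that follow; stable ids in the DocBook source would avoid that. The table of contents also loses its "LDAP" entry here without any mention in the commit message.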
@ -9,7 +8,7 @@ SMB server.
If you want to test against something like a NT or WfWg server then
you will have to disable all but TCP on either the client or
server. Otherwise you may well be using a totally different protocol
(such as Netbeui) and comparisons may not be valid.
(such as NetBEUI) and comparisons may not be valid.
</p><p>
Generally you should find that Samba performs similarly to ftp at raw
transfer speed. It should perform quite a bit faster than NFS,
@ -21,7 +20,7 @@ suspect the biggest factor is not Samba vs some other system but the
hardware and drivers used on the various systems. Given similar
hardware Samba should certainly be competitive in speed with other
systems.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014222"></a>Socket options</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018812"></a>Socket options</h2></div></div><div></div></div><p>
There are a number of socket options that can greatly affect the
performance of a TCP based server like Samba.
</p><p>
@ -40,7 +39,7 @@ biggest single difference for most networks. Many people report that
adding <i class="parameter"><tt>socket options = TCP_NODELAY</tt></i> doubles the read
performance of a Samba drive. The best explanation I have seen for this is
that the Microsoft TCP/IP stack is slow in sending tcp ACKs.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014295"></a>Read size</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018887"></a>Read size</h2></div></div><div></div></div><p>
The option <i class="parameter"><tt>read size</tt></i> affects the overlap of disk
reads/writes with network reads/writes. If the amount of data being
transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and
@ -57,7 +56,7 @@ The default value is 16384, but very little experimentation has been
done yet to determine the optimal value, and it is likely that the best
value will vary greatly between systems anyway. A value over 65536 is
pointless and will cause you to allocate memory unnecessarily.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014339"></a>Max xmit</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018931"></a>Max xmit</h2></div></div><div></div></div><p>
At startup the client and server negotiate a <i class="parameter"><tt>maximum transmit</tt></i> size,
which limits the size of nearly all SMB commands. You can set the
maximum size that Samba will negotiate using the <i class="parameter"><tt>max xmit = </tt></i> option
@ -71,12 +70,12 @@ clients may perform better with a smaller transmit unit. Trying values
of less than 2048 is likely to cause severe problems.
</p><p>
In most cases the default is the best option.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014392"></a>Log level</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018984"></a>Log level</h2></div></div><div></div></div><p>
If you set the log level (also known as <i class="parameter"><tt>debug level</tt></i>) higher than 2
then you may suffer a large drop in performance. This is because the
server flushes the log file after each operation, which can be very
expensive.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014415"></a>Read raw</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3019007"></a>Read raw</h2></div></div><div></div></div><p>
The <i class="parameter"><tt>read raw</tt></i> operation is designed to be an optimised, low-latency
file read operation. A server may choose to not support it,
however. and Samba makes support for <i class="parameter"><tt>read raw</tt></i> optional, with it
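Review bot: the last context line of this hunk still reads "however. and Samba makes support for read raw optional", a stray full stop in mid-sentence that the regeneration carries over unchanged; the write raw paragraph in the next hunk has the same wording. Since this commit already picks up spelling fixes elsewhere, correct both in the DocBook source (for example "however, and Samba makes ...") so the next regeneration picks them up.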
@ -89,7 +88,7 @@ read operations.
So you might like to try <i class="parameter"><tt>read raw = no</tt></i> and see what happens on your
network. It might lower, raise or not affect your performance. Only
testing can really tell.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015357"></a>Write raw</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3019064"></a>Write raw</h2></div></div><div></div></div><p>
The <i class="parameter"><tt>write raw</tt></i> operation is designed to be an optimised, low-latency
file write operation. A server may choose to not support it,
however. and Samba makes support for <i class="parameter"><tt>write raw</tt></i> optional, with it
@ -97,48 +96,45 @@ being enabled by default.
</p><p>
Some machines may find <i class="parameter"><tt>write raw</tt></i> slower than normal write, in which
case you may wish to change this option.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015399"></a>Slow Logins</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3019106"></a>Slow Logins</h2></div></div><div></div></div><p>
Slow logins are almost always due to the password checking time. Using
the lowest practical <i class="parameter"><tt>password level</tt></i> will improve things.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015420"></a>LDAP</h2></div></div><div></div></div><p>
LDAP can be vastly improved by using the
<a href="smb.conf.5.html#LDAPTRUSTIDS" target="_top"><i class="parameter"><tt>ldap trust ids</tt></i></a> parameter.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015445"></a>Client tuning</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3019127"></a>Client tuning</h2></div></div><div></div></div><p>
Often a speed problem can be traced to the client. The client (for
example Windows for Workgroups) can often be tuned for better TCP
performance. Check the sections on the various clients in
<a href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients">Samba and Other Clients</a>.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015468"></a>Samba performance problem due changing kernel</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3019154"></a>Samba performance problem due changing kernel</h2></div></div><div></div></div><p>
Hi everyone. I am running Gentoo on my server and samba 2.2.8a. Recently
I changed kernel version from linux-2.4.19-gentoo-r10 to
linux-2.4.20-wolk4.0s. And now I have performance issue with samba. Ok
many of you will probably say that move to vanilla sources...well I ried
many of you will probably say that move to vanilla sources...well I tried
it too and it didn't work. I have 100mb LAN and two computers (linux +
Windows2000). Linux server shares directory with DivX files, client
(windows2000) plays them via LAN. Before when I was running 2.4.19 kernel
everything was fine, but now movies freezes and stops...I tried moving
files between server and Windows and it's trerribly slow.
files between server and Windows and it's terribly slow.
</p><p>
Grab mii-tool and check the duplex settings on the NIC.
My guess is that it is a link layer issue, not an application
layer problem. Also run ifconfig and verify that the framing
error, collisions, etc... look normal for ethernet.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015501"></a>Corrupt tdb Files</h2></div></div><div></div></div><p>
Well today it happend, our first major problem using samba.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3019185"></a>Corrupt tdb Files</h2></div></div><div></div></div><p>
Well today it happened, Our first major problem using samba.
Our samba PDC server has been hosting 3 TB of data to our 500+ users
[Windows NT/XP] for the last 3 years using samba, no problem.
But today all shares went SLOW; very slow. Also the main smbd kept
spawning new processes so we had 1600+ running smbd's (normally we avg. 250).
It crashed the SUN E3500 cluster twice. After alot of searching I
decided to <b class="command">rm /var/locks/*.tbl</b>. Happy again.
It crashed the SUN E3500 cluster twice. After a lot of searching I
decided to <b class="command">rm /var/locks/*.tdb</b>. Happy again.
</p><p>
Q1) Is there any method of keeping the *.tbl files in top condition or
Q1) Is there any method of keeping the *.tdb files in top condition or
how to early detect corruption?
</p><p>
A1) Yes, run <b class="command">tdbbackup</b> each time after stoping nmbd and before starting nmbd.
A1) Yes, run <b class="command">tdbbackup</b> each time after stopping nmbd and before starting nmbd.
</p><p>
Q2) What I also would like to mention is that the service latency seems
alot lower then before the locks cleanup, any ideas on keeping it top notch?
a lot lower then before the locks cleanup, any ideas on keeping it top notch?
</p><p>
A2) Yes! Samba answer as for Q1!
A2) Yes! Same answer as for Q1!
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 38. Samba and other CIFS clients </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 40. DNS and DHCP Configuration Guide</td></tr></table></div></body></html>
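Review bot: in the "Corrupt tdb Files" section, A1 tells the reader to run tdbbackup "after stopping nmbd and before starting nmbd", but the report is about smbd processes piling up, so it is unclear whether nmbd is really the daemon meant, and the answer never says which files tdbbackup should be given. The corrected command, rm /var/locks/*.tdb, is likewise still presented as the fix with no word on stopping the daemons first or on what state is lost by deleting those files; one sentence on each would make the advice safe to follow. Smaller points in the same hunk: the new line "Well today it happened, Our first major problem" gains a capital "Our" after the comma, "a lot lower then before" should read "than", and the LDAP section with its "ldap trust ids" link is dropped without explanation.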

View File

@ -1,2 +1 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 33. The samba checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="diagnosis.html">The samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3003201">Introduction</a></dt><dt><a href="diagnosis.html#id3003235">Assumptions</a></dt><dt><a href="diagnosis.html#id3003407">The tests</a></dt><dt><a href="diagnosis.html#id3006959">Still having troubles?</a></dt></dl></dd><dt>34. 
<a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3008351">Diagnostics tools</a></dt><dt><a href="problems.html#id3007077">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3007361">Useful URL's</a></dt><dt><a href="problems.html#id3007404">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3007558">How to get off the mailinglists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3009871">Introduction</a></dt><dt><a href="bugreport.html#id3009931">General info</a></dt><dt><a href="bugreport.html#id3009966">Debug levels</a></dt><dt><a href="bugreport.html#id3008063">Internal errors</a></dt><dt><a href="bugreport.html#id3008171">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3007672">Patches</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. SWAT - The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. The samba checklist</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 33. The Samba checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="diagnosis.html">The Samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></dd><dt>34. 
<a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. SWAT - The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. The Samba checklist</td></tr></table></div></body></html>
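Review bot: capitalisation of the product name is only half fixed in this table of contents: "The Samba checklist" is corrected in the link title, the TOC entry and the footer, while "Analysing and solving samba problems" on the following line keeps the lower-case form. Change that chapter title in the source as well so the regenerated pages agree.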

View File

@ -1,10 +1,9 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Server Configuration Basics</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="FastStart.html" title="Chapter 3. FastStart for the Impatient"><link rel="next" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Server Configuration Basics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="type"></a>Server Configuration Basics</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2886394"></a>First Steps in Server Configuration</h1></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Server Configuration Basics</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="FastStart.html" title="Chapter 3. Fast Start for the Impatient"><link rel="next" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Server Configuration Basics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="type"></a>Server Configuration Basics</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2886812"></a>First Steps in Server Configuration</h1></div></div><div></div></div><p>
Samba can operate in various modes within SMB networks. This HOWTO section contains information on
configuring samba to function as the type of server your network requires. Please read this
section carefully.
</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>4. <a href="ServerType.html">Server Types and Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889441">Features and Benefits</a></dt><dt><a href="ServerType.html#id2889533">Server Types</a></dt><dt><a href="ServerType.html#id2889614">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2886042">User Level Security</a></dt><dt><a href="ServerType.html#id2886175">Share Level Security</a></dt><dt><a href="ServerType.html#id2887246">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2887488">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2887572">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2887797">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2887974">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2888002">What makes Samba a SERVER?</a></dt><dt><a href="ServerType.html#id2888035">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2888063">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2889975">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. 
<a href="samba-pdc.html">Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2892606">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2890204">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890219">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2890419">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2890733">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2891029">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2891052">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2891067">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2893786">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2893891">Common Problems and Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893898">I cannot include a '$' in a machine name</a></dt><dt><a href="samba-pdc.html#id2893936">I get told &quot;You already have a connection to the Domain....&quot;
</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>4. <a href="ServerType.html">Server Types and Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba a SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. 
<a href="samba-pdc.html">Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2891986">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2892290">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2892306">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2892517">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2892837">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2893136">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2893157">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893173">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2893499">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2893607">Common Problems and Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893614">I cannot include a '$' in a machine name</a></dt><dt><a href="samba-pdc.html#id2893653">I get told &quot;You already have a connection to the Domain....&quot;
or &quot;Cannot join domain, the credentials supplied conflict with an
existing set..&quot; when creating a machine trust account.</a></dt><dt><a href="samba-pdc.html#id2893986">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2894057">The machine trust account for this computer either does not
exist or is not accessible.</a></dt><dt><a href="samba-pdc.html#id2894114">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
I get a message about my account being disabled.</a></dt><dt><a href="samba-pdc.html#id2894140">Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</a></dt></dl></dd></dl></dd><dt>6. <a href="samba-bdc.html">Backup Domain Control</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896177">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896342">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896370">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2894331">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2894352">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2894375">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2894401">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2894471">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2894521">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2894535">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2894560">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2894593">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2894621">Can I do this all with LDAP?</a></dt></dl></dd></dl></dd><dt>7. 
<a href="domain-member.html">Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2895146">Features and Benefits</a></dt><dt><a href="domain-member.html#id2894718">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2894878">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2896660">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="domain-member.html#id2896857">&quot;On-the-Fly&quot; Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2896912">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#id2897057">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2897105">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2899703">Why is this better than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2899841">Setup your smb.conf</a></dt><dt><a href="domain-member.html#id2899924">Setup your /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the computer account</a></dt><dt><a href="domain-member.html#ads-test-server">Test your server setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2900266">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2900288">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2900310">Can Not Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2900342">Adding Machine to Domain Fails</a></dt></dl></dd></dl></dd><dt>8. 
<a href="StandAloneServer.html">Stand-Alone Servers</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2901785">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2901823">Background</a></dt><dt><a href="StandAloneServer.html#id2901891">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2900494">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2900541">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2900747">Common Errors</a></dt></dl></dd><dt>9. <a href="ClientConfig.html">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="ClientConfig.html#id2901115">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. FastStart for the Impatient </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. Server Types and Security Modes</td></tr></table></div></body></html>
existing set..&quot; when creating a machine trust account.</a></dt><dt><a href="samba-pdc.html#id2893703">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2893773">The machine trust account for this computer either does not
exist or is not accessible.</a></dt><dt><a href="samba-pdc.html#id2893836">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
I get a message about my account being disabled.</a></dt><dt><a href="samba-pdc.html#id2893863">Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</a></dt></dl></dd></dl></dd><dt>6. <a href="samba-bdc.html">Backup Domain Control</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896028">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896201">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896230">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2896450">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2896471">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2896497">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896542">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896645">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896706">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896719">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2896750">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2896783">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2896828">Can I do this all with LDAP?</a></dt></dl></dd></dl></dd><dt>7. 
<a href="domain-member.html">Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2897897">Features and Benefits</a></dt><dt><a href="domain-member.html#id2898012">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2898188">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898440">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="domain-member.html#id2898636">&quot;On-the-Fly&quot; Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898699">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2898901">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2899283">Why is this better than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2899424">Setup your smb.conf</a></dt><dt><a href="domain-member.html#id2899508">Setup your /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the computer account</a></dt><dt><a href="domain-member.html#ads-test-server">Test your server setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2899872">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2899892">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2899919">Can Not Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2899951">Adding Machine to Domain Fails</a></dt></dl></dd></dl></dd><dt>8. 
<a href="StandAloneServer.html">Stand-Alone Servers</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></dd><dt>9. <a href="ClientConfig.html">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Fast Start for the Impatient </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. Server Types and Security Modes</td></tr></table></div></body></html>
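Review bot: Nearly every changed link in this table of contents differs only in its generated anchor (for example ServerType.html#id2889441 becomes ServerType.html#id2888767), so each regeneration invalidates existing deep links and buries the real edits, such as the "FastStart" to "Fast Start" title fix. The one entry that moved to a named anchor, domain-member.html#domain-member-server, shows the remedy: give the remaining sections explicit ids in the DocBook source so the generated anchors stay stable between runs.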

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Unicode/Charsets</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba"><link rel="next" href="Backup.html" title="Chapter 28. Samba Backup Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 27. Unicode/Charsets</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unicode"></a>Chapter 27. 
Unicode/Charsets</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">TAKAHASHI</span> <span class="surname">Motonobu</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:monyo@home.monyo.com">monyo@home.monyo.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 March 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="unicode.html#id2996672">Features and Benefits</a></dt><dt><a href="unicode.html#id2996714">What are charsets and unicode?</a></dt><dt><a href="unicode.html#id2996782">Samba and charsets</a></dt><dt><a href="unicode.html#id2996883">Conversion from old names</a></dt><dt><a href="unicode.html#id2996928">Japanese charsets</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996672"></a>Features and Benefits</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Unicode/Charsets</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba"><link rel="next" href="Backup.html" title="Chapter 28. Samba Backup Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 27. Unicode/Charsets</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unicode"></a>Chapter 27. 
Unicode/Charsets</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">TAKAHASHI</span> <span class="surname">Motonobu</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:monyo@home.monyo.com">monyo@home.monyo.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 March 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="unicode.html#id3001913">Features and Benefits</a></dt><dt><a href="unicode.html#id3002114">What are charsets and unicode?</a></dt><dt><a href="unicode.html#id3002184">Samba and charsets</a></dt><dt><a href="unicode.html#id3002284">Conversion from old names</a></dt><dt><a href="unicode.html#id3002329">Japanese charsets</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001913"></a>Features and Benefits</h2></div></div><div></div></div><p>
Every industry eventually matures. One of the great areas of maturation is in
the focus that has been given over the past decade to make it possible for anyone
anywhere to use a computer. It has not always been that way, in fact, not so long
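Review bot: The DOCTYPE declaration (HTML 4.01 Transitional) at the top of this hunk is the only line without a regenerated counterpart, and the header takes the range from 5 lines to 4, so the regenerated page appears to lose its doctype. Browsers render a page without a doctype in quirks mode; if that was not intended, restore the doctype output in the stylesheet parameters before regenerating. The remaining difference on the long line is only the section anchor (id2996672 becomes id3001913).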
@ -12,9 +11,9 @@ special mention. For more information about Openi18n please refer to:
<a href="">http://www.openi18n.org/</a>.
</p><p>
Samba-2.x supported a single locale through a mechanism called
<span class="emphasis"><em>codepages</em></span>. Samba-3 is destined to become a truely trans-global
<span class="emphasis"><em>codepages</em></span>. Samba-3 is destined to become a truly trans-global
file and printer sharing platform.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996714"></a>What are charsets and unicode?</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3002114"></a>What are charsets and unicode?</h2></div></div><div></div></div><p>
Computers communicate in numbers. In texts, each number will be
translated to a corresponding letter. The meaning that will be assigned
to a certain number depends on the <span class="emphasis"><em>character set(charset)
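Review bot: The first context line of this hunk, `<a href="">http://www.openi18n.org/</a>`, carries an empty href, so the Openi18n link points back at the current page rather than at the site. The "truely" to "truly" fix is fine, but the link target should be filled in at the DocBook source in the same pass, otherwise every regeneration reproduces the dead link.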
@ -37,11 +36,11 @@ A big advantage of using a multibyte charset is that you only need one; no
need to make sure two computers use the same charset when they are
communicating.
</p><p>Old windows clients used to use single-byte charsets, named
'codepages' by microsoft. However, there is no support for
'codepages' by Microsoft. However, there is no support for
negotiating the charset to be used in the smb protocol. Thus, you
have to make sure you are using the same charset when talking to an old client.
Newer clients (Windows NT, 2K, XP) talk unicode over the wire.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996782"></a>Samba and charsets</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3002184"></a>Samba and charsets</h2></div></div><div></div></div><p>
As of samba 3.0, samba can (and will) talk unicode over the wire. Internally,
samba knows of three kinds of character sets:
</p><div class="variablelist"><dl><dt><span class="term"><i class="parameter"><tt>unix charset</tt></i></span></dt><dd><p>
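Review bot: The capitalization fix in this hunk stops at "Microsoft": the same paragraph still reads "Old windows clients", "the smb protocol" and "talk unicode", and the following paragraph has "samba 3.0" and "samba can". Correct these in the DocBook source together so that Windows, SMB, Unicode and Samba are capitalized consistently across the chapter.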
@ -55,14 +54,14 @@ samba knows of three kinds of character sets:
The default depends on the charsets you have installed on your system.
Run <b class="command">testparm -v | grep &quot;dos charset&quot;</b> to see
what the default is on your system.
</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996883"></a>Conversion from old names</h2></div></div><div></div></div><p>Because previous samba versions did not do any charset conversion,
</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3002284"></a>Conversion from old names</h2></div></div><div></div></div><p>Because previous samba versions did not do any charset conversion,
characters in filenames are usually not correct in the unix charset but only
for the local charset used by the DOS/Windows clients.</p><p>The following script from Steve Langasek converts all
filenames from CP850 to the iso8859-15 charset.</p><p>
<tt class="prompt">#</tt><b class="userinput"><tt>find <i class="replaceable"><tt>/path/to/share</tt></i> -type f -exec bash -c 'CP=&quot;{}&quot;; ISO=`echo -n &quot;$CP&quot; | iconv -f cp850 \
-t iso8859-15`; if [ &quot;$CP&quot; != &quot;$ISO&quot; ]; then mv &quot;$CP&quot; &quot;$ISO&quot;; fi' \;
</tt></b>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2996928"></a>Japanese charsets</h2></div></div><div></div></div><p>Samba doesn't work correctly with Japanese charsets yet. Here are
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3002329"></a>Japanese charsets</h2></div></div><div></div></div><p>Samba doesn't work correctly with Japanese charsets yet. Here are
points of attention when setting it up:</p><div class="itemizedlist"><ul type="disc"><li><p>You should set <i class="parameter"><tt>mangling method =
hash</tt></i></p></li><li><p>There are various iconv() implementations around and not
all of them work equally well. glibc2's iconv() has a critical problem
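Review bot: The conversion one-liner in the context lines substitutes `{}` directly into the `bash -c` string (`CP="{}"`), so a file name containing a double quote, a backtick or `$(...)` is parsed as shell code, and the `#` prompt shows the command being run as root over a share whose file names are chosen by clients. Pass the name as an argument instead, `bash -c '...' _ {}` with `CP="$1"` inside the script, and use `mv -- "$CP" "$ISO"` so that names beginning with a dash are not read as options. `echo -n "$CP"` has the same dash problem; `printf %s "$CP"` avoids it. The change itself only renames the generated anchors (id2996883 to id3002284, id2996928 to id3002329).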

View File

@ -1,907 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>UNIX Permission Bits and Windows NT Access Control Lists</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Optional configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Integrating MS Windows networks with Samba"
HREF="integrate-ms-networks.html"><LINK
REL="NEXT"
TITLE="Configuring PAM for distributed but centrally
managed authentication"
HREF="pam.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="integrate-ms-networks.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="pam.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="UNIX-PERMISSIONS">Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1605">11.1. Viewing and changing UNIX permissions using the NT
security dialogs</H1
><P
>New in the Samba 2.0.4 release is the ability for Windows
NT clients to use their native security settings dialog box to
view and modify the underlying UNIX permissions.</P
><P
>Note that this ability is careful not to compromise
the security of the UNIX host Samba is running on, and
still obeys all the file permission rules that a Samba
administrator can set.</P
><P
>In Samba 2.0.4 and above the default value of the
parameter <A
HREF="smb.conf.5.html#NTACLSUPPORT"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
> nt acl support</I
></TT
></A
> has been changed from
<TT
CLASS="CONSTANT"
>false</TT
> to <TT
CLASS="CONSTANT"
>true</TT
>, so
manipulation of permissions is turned on by default.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1614">11.2. How to view file security on a Samba share</H1
><P
>From an NT 4.0 client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Properties</I
></SPAN
> entry at the bottom of
the menu. This brings up the normal file properties dialog
box, but with Samba 2.0.4 this will have a new tab along the top
marked <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Security</I
></SPAN
>. Click on this tab and you
will see three buttons, <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Permissions</I
></SPAN
>,
<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Auditing</I
></SPAN
>, and <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Ownership</I
></SPAN
>.
The <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Auditing</I
></SPAN
> button will cause either
an error message <SPAN
CLASS="ERRORNAME"
>A requested privilege is not held
by the client</SPAN
> to appear if the user is not the
NT Administrator, or a dialog which is intended to allow an
Administrator to add auditing requirements to a file if the
user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only
useful button, the <B
CLASS="COMMAND"
>Add</B
> button will not currently
allow a list of users to be seen.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1625">11.3. Viewing file ownership</H1
><P
>Clicking on the <B
CLASS="COMMAND"
>"Ownership"</B
> button
brings up a dialog box telling you who owns the given file. The
owner name will be of the form :</P
><P
><B
CLASS="COMMAND"
>"SERVER\user (Long name)"</B
></P
><P
>Where <TT
CLASS="REPLACEABLE"
><I
>SERVER</I
></TT
> is the NetBIOS name of
the Samba server, <TT
CLASS="REPLACEABLE"
><I
>user</I
></TT
> is the user name of
the UNIX user who owns the file, and <TT
CLASS="REPLACEABLE"
><I
>(Long name)</I
></TT
>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database). Click on the <B
CLASS="COMMAND"
>Close
</B
> button to remove this dialog.</P
><P
>If the parameter <TT
CLASS="PARAMETER"
><I
>nt acl support</I
></TT
>
is set to <TT
CLASS="CONSTANT"
>false</TT
> then the file owner will
be shown as the NT user <B
CLASS="COMMAND"
>"Everyone"</B
>.</P
><P
>The <B
CLASS="COMMAND"
>Take Ownership</B
> button will not allow
you to change the ownership of this file to yourself (clicking on
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
for this is that changing the ownership of a file is a privileged
operation in UNIX, available only to the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>root</I
></SPAN
>
user. As clicking on this button causes NT to attempt to change
the ownership of a file to the current user logged into the NT
client this will not work with Samba at this time.</P
><P
>There is an NT chown command that will work with Samba
and allow a user with Administrator privilege connected
to a Samba 2.0.4 server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Seclib
</I
></SPAN
> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1645">11.4. Viewing file or directory permissions</H1
><P
>The third button is the <B
CLASS="COMMAND"
>"Permissions"</B
>
button. Clicking on this brings up a dialog box that shows both
the permissions and the UNIX owner of the file or directory.
The owner is displayed in the form :</P
><P
><B
CLASS="COMMAND"
>"SERVER\user (Long name)"</B
></P
><P
>Where <TT
CLASS="REPLACEABLE"
><I
>SERVER</I
></TT
> is the NetBIOS name of
the Samba server, <TT
CLASS="REPLACEABLE"
><I
>user</I
></TT
> is the user name of
the UNIX user who owns the file, and <TT
CLASS="REPLACEABLE"
><I
>(Long name)</I
></TT
>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database).</P
><P
>If the parameter <TT
CLASS="PARAMETER"
><I
>nt acl support</I
></TT
>
is set to <TT
CLASS="CONSTANT"
>false</TT
> then the file owner will
be shown as the NT user <B
CLASS="COMMAND"
>"Everyone"</B
> and the
permissions will be shown as NT "Full Control".</P
><P
>The permissions field is displayed differently for files
and directories, so I'll describe the way file permissions
are displayed first.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN1660">11.4.1. File Permissions</H2
><P
>The standard UNIX user/group/world triple and
the corresponding "read", "write", "execute" permissions
triples are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <B
CLASS="COMMAND"
>Everyone</B
>, followed
by the list of permissions allowed for UNIX world. The UNIX
owner and group permissions are displayed as an NT
<B
CLASS="COMMAND"
>user</B
> icon and an NT <B
CLASS="COMMAND"
>local
group</B
> icon respectively followed by the list
of permissions allowed for the UNIX user and group.</P
><P
>As many UNIX permission sets don't map into common
NT names such as <B
CLASS="COMMAND"
>"read"</B
>, <B
CLASS="COMMAND"
> "change"</B
> or <B
CLASS="COMMAND"
>"full control"</B
> then
usually the permissions will be prefixed by the words <B
CLASS="COMMAND"
> "Special Access"</B
> in the NT display list.</P
><P
>But what happens if the file has no permissions allowed
for a particular UNIX user group or world component ? In order
to allow "no permissions" to be seen and modified then Samba
overloads the NT <B
CLASS="COMMAND"
>"Take Ownership"</B
> ACL attribute
(which has no meaning in UNIX) and reports a component with
no permissions as having the NT <B
CLASS="COMMAND"
>"O"</B
> bit set.
This was chosen of course to make it look like a zero, meaning
zero permissions. More details on the decision behind this will
be given below.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN1674">11.4.2. Directory Permissions</H2
><P
>Directories on an NT NTFS file system have two
different sets of permissions. The first set of permissions
is the ACL set on the directory itself, this is usually displayed
in the first set of parentheses in the normal <B
CLASS="COMMAND"
>"RW"</B
>
NT style. This first set of permissions is created by Samba in
exactly the same way as normal file permissions are, described
above, and is displayed in the same way.</P
><P
>The second set of directory permissions has no real meaning
in the UNIX permissions world and represents the <B
CLASS="COMMAND"
> "inherited"</B
> permissions that any file created within
this directory would inherit.</P
><P
>Samba synthesises these inherited permissions for NT by
returning as an NT ACL the UNIX permission mode that a new file
created by Samba on this share would receive.</P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1681">11.5. Modifying file or directory permissions</H1
><P
>Modifying file and directory permissions is as simple
as changing the displayed permissions in the dialog box, and
clicking the <B
CLASS="COMMAND"
>OK</B
> button. However, there are
limitations that a user needs to be aware of, and also interactions
with the standard Samba permission masks and mapping of DOS
attributes that need to also be taken into account.</P
><P
>If the parameter <TT
CLASS="PARAMETER"
><I
>nt acl support</I
></TT
>
is set to <TT
CLASS="CONSTANT"
>false</TT
> then any attempt to set
security permissions will fail with an <B
CLASS="COMMAND"
>"Access Denied"
</B
> message.</P
><P
>The first thing to note is that the <B
CLASS="COMMAND"
>"Add"</B
>
button will not return a list of users in Samba 2.0.4 (it will give
an error message of <B
CLASS="COMMAND"
>"The remote procedure call failed
and did not execute"</B
>). This means that you can only
manipulate the current user/group/world permissions listed in
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</P
><P
>If a permission triple (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <B
CLASS="COMMAND"
>"OK"</B
> button is pressed it will
be applied as "no permissions" on the UNIX side. If you then
view the permissions again the "no permissions" entry will appear
as the NT <B
CLASS="COMMAND"
>"O"</B
> flag, as described above. This
allows you to add permissions back to a file or directory once
you have removed them from a triple component.</P
><P
>As UNIX supports only the "r", "w" and "x" bits of
an NT ACL then if other NT security attributes such as "Delete
access" are selected then they will be ignored when applied on
the Samba server.</P
><P
>When setting permissions on a directory the second
set of permissions (in the second set of parentheses) is
by default applied to all files within that directory. If this
is not what you want you must uncheck the <B
CLASS="COMMAND"
>"Replace
permissions on existing files"</B
> checkbox in the NT
dialog before clicking <B
CLASS="COMMAND"
>"OK"</B
>.</P
><P
>If you wish to remove all permissions from a
user/group/world component then you may either highlight the
component and click the <B
CLASS="COMMAND"
>"Remove"</B
> button,
or set the component to only have the special <B
CLASS="COMMAND"
>"Take
Ownership"</B
> permission (displayed as <B
CLASS="COMMAND"
>"O"
</B
>) highlighted.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1703">11.6. Interaction with the standard Samba create mask
parameters</H1
><P
>Note that with Samba 2.0.5 there are four new parameters
to control this interaction. These are :</P
><P
><TT
CLASS="PARAMETER"
><I
>security mask</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>force security mode</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>directory security mask</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>force directory security mode</I
></TT
></P
><P
>Once a user clicks <B
CLASS="COMMAND"
>"OK"</B
> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triple set, and then will check the changed permissions for a
file against the bits set in the <A
HREF="smb.conf.5.html#SECURITYMASK"
TARGET="_top"
>
<TT
CLASS="PARAMETER"
><I
>security mask</I
></TT
></A
> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
in the file permissions.</P
><P
>Essentially, zero bits in the <TT
CLASS="PARAMETER"
><I
>security mask</I
></TT
>
mask may be treated as a set of bits the user is <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>not</I
></SPAN
>
allowed to change, and one bits are those the user is allowed to change.
</P
><P
>If not set explicitly this parameter is set to the same value as
the <A
HREF="smb.conf.5.html#CREATEMASK"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
>create mask
</I
></TT
></A
> parameter to provide compatibility with Samba 2.0.4
where this permission change facility was introduced. To allow a user to
modify all the user/group/world permissions on a file, set this parameter
to 0777.</P
><P
>Next Samba checks the changed permissions for a file against
the bits set in the <A
HREF="smb.conf.5.html#FORCESECURITYMODE"
TARGET="_top"
> <TT
CLASS="PARAMETER"
><I
>force security mode</I
></TT
></A
> parameter. Any bits
that were changed that correspond to bits set to '1' in this parameter
are forced to be set.</P
><P
>Essentially, bits set in the <TT
CLASS="PARAMETER"
><I
>force security mode
</I
></TT
> parameter may be treated as a set of bits that, when
modifying security on a file, the user has always set to be 'on'.</P
><P
>If not set explicitly this parameter is set to the same value
as the <A
HREF="smb.conf.5.html#FORCECREATEMODE"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
>force
create mode</I
></TT
></A
> parameter to provide compatibility
with Samba 2.0.4 where the permission change facility was introduced.
To allow a user to modify all the user/group/world permissions on a file
with no restrictions set this parameter to 000.</P
><P
>The <TT
CLASS="PARAMETER"
><I
>security mask</I
></TT
> and <TT
CLASS="PARAMETER"
><I
>force
security mode</I
></TT
> parameters are applied to the change
request in that order.</P
><P
>For a directory Samba will perform the same operations as
described above for a file except using the parameter <TT
CLASS="PARAMETER"
><I
> directory security mask</I
></TT
> instead of <TT
CLASS="PARAMETER"
><I
>security
mask</I
></TT
>, and <TT
CLASS="PARAMETER"
><I
>force directory security mode
</I
></TT
> parameter instead of <TT
CLASS="PARAMETER"
><I
>force security mode
</I
></TT
>.</P
><P
>The <TT
CLASS="PARAMETER"
><I
>directory security mask</I
></TT
> parameter
by default is set to the same value as the <TT
CLASS="PARAMETER"
><I
>directory mask
</I
></TT
> parameter and the <TT
CLASS="PARAMETER"
><I
>force directory security
mode</I
></TT
> parameter by default is set to the same value as
the <TT
CLASS="PARAMETER"
><I
>force directory mode</I
></TT
> parameter to provide
compatibility with Samba 2.0.4 where the permission change facility
was introduced.</P
><P
>In this way Samba enforces the permission restrictions that
an administrator can set on a Samba share, whilst still allowing users
to modify the permission bits within that restriction.</P
><P
>If you want to set up a share that allows users full control
in modifying the permission bits on their files and directories and
doesn't force any particular bits to be set 'on', then set the following
parameters in the <A
HREF="smb.conf.5.html"
TARGET="_top"
><TT
CLASS="FILENAME"
>smb.conf(5)
</TT
></A
> file in that share specific section :</P
><P
><TT
CLASS="PARAMETER"
><I
>security mask = 0777</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>force security mode = 0</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>directory security mask = 0777</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>force directory security mode = 0</I
></TT
></P
><P
>As described, in Samba 2.0.4 the parameters :</P
><P
><TT
CLASS="PARAMETER"
><I
>create mask</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>force create mode</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>directory mask</I
></TT
></P
><P
><TT
CLASS="PARAMETER"
><I
>force directory mode</I
></TT
></P
><P
>were used instead of the parameters discussed here.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN1767">11.7. Interaction with the standard Samba file attribute
mapping</H1
><P
>Samba maps some of the DOS attribute bits (such as "read
only") into the UNIX permissions of a file. This means there can
be a conflict between the permission bits set via the security
dialog and the permission bits set by the file attribute mapping.
</P
><P
>One way this can show up is if a file has no UNIX read access
for the owner it will show up as "read only" in the standard
file attributes tabbed dialog. Unfortunately this dialog is
the same one that contains the security info in another tab.</P
><P
>What this can mean is that if the owner changes the permissions
to allow themselves read access using the security dialog, clicks
<B
CLASS="COMMAND"
>"OK"</B
> to get back to the standard attributes tab
dialog, and then clicks <B
CLASS="COMMAND"
>"OK"</B
> on that dialog, then
NT will set the file permissions back to read-only (as that is what
the attributes still say in the dialog). This means that after setting
permissions and clicking <B
CLASS="COMMAND"
>"OK"</B
> to get back to the
attributes dialog you should always hit <B
CLASS="COMMAND"
>"Cancel"</B
>
rather than <B
CLASS="COMMAND"
>"OK"</B
> to ensure that your changes
are not overridden.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="integrate-ms-networks.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="pam.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Integrating MS Windows networks with Samba</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Configuring PAM for distributed but centrally
managed authentication</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
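Review bot: section 11.6 gives the recipe `security mask = 0777` with `force security mode = 0` for users who want "full control", but never says what that permits: every user/group/world bit, world write included, becomes changeable from the NT security dialog. Say so next to the recipe, and repeat there that leaving the parameters unset inherits `create mask` and `force create mode`. The prose also writes the force value as 000 where the listing writes 0; use one notation. All of this belongs in the DocBook source, not in this generated file.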

View File

@ -1,11 +1,10 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. 
Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 October 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id3000689">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3000712">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3000766">Password Backend</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000689"></a>Charsets</h2></div></div><div></div></div><p>You might experience problems with special characters
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. 
Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">25 October 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001684"></a>Charsets</h2></div></div><div></div></div><p>You might experience problems with special characters
when communicating with old DOS clients. Codepage
support has changed in samba 3.0. Read the chapter
<a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000712"></a>Obsolete configuration options</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001709"></a>Obsolete configuration options</h2></div></div><div></div></div><p>
In 3.0, the following configuration options have been removed.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>printer driver (replaced by new driver procedures) </td></tr><tr><td>printer driver file (replaced by new driver procedures)</td></tr><tr><td>printer driver location (replaced by new driver procedures)</td></tr><tr><td>use rhosts</td></tr><tr><td>postscript</td></tr><tr><td>client code page (replaced by dos charset)</td></tr><tr><td>vfs path</td></tr><tr><td>vfs options</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000766"></a>Password Backend</h2></div></div><div></div></div><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>printer driver (replaced by new driver procedures) </td></tr><tr><td>printer driver file (replaced by new driver procedures)</td></tr><tr><td>printer driver location (replaced by new driver procedures)</td></tr><tr><td>use rhosts</td></tr><tr><td>postscript</td></tr><tr><td>client code page (replaced by dos charset)</td></tr><tr><td>vfs path</td></tr><tr><td>vfs options</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003319"></a>Password Backend</h2></div></div><div></div></div><p>
Effective with the release of samba-3 it is now imperative that the password backend
be correctly defined in smb.conf.
</p><p>
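Review bot: the only differences in the content lines here are the generated anchor ids (`id3000689` becomes `id3001684`, `id3000712` becomes `id3001709`, `id3000766` becomes `id3003319`), so every regeneration breaks deep links into the Charsets, Obsolete configuration options and Password Backend sections. Give these sect1 elements explicit ids in the DocBook source so the anchors stay stable across builds. The header count (11 lines down to 10) and the single DOCTYPE line also suggest the regenerated file no longer starts with the HTML 4.01 DOCTYPE; confirm that is intended.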

View File

@ -1,389 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Stackable VFS modules</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Optional configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Passdb XML plugin"
HREF="pdb-xml.html"><LINK
REL="NEXT"
TITLE="Storing Samba's User/Machine Account information in an LDAP Directory"
HREF="samba-ldap-howto.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="pdb-xml.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="samba-ldap-howto.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="VFS">Chapter 18. Stackable VFS modules</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2640">18.1. Introduction and configuration</H1
><P
>Since samba 3.0, samba supports stackable VFS(Virtual File System) modules.
Samba passes each request to access the unix file system thru the loaded VFS modules.
This chapter covers all the modules that come with the samba source and references to
some external modules.</P
><P
>You may have problems to compile these modules, as shared libraries are
compiled and linked in different ways on different systems.
They currently have been tested against GNU/linux and IRIX.</P
><P
>To use the VFS modules, create a share similar to the one below. The
important parameter is the <B
CLASS="COMMAND"
>vfs object</B
> parameter which must point to
the exact pathname of the shared library objects. For example, to log all access
to files and use a recycle bin:
<PRE
CLASS="PROGRAMLISTING"
> [audit]
comment = Audited /data directory
path = /data
vfs object = /path/to/audit.so /path/to/recycle.so
writeable = yes
browseable = yes</PRE
></P
><P
>The modules are used in the order they are specified.</P
><P
>Further documentation on writing VFS modules for Samba can be found in
the Samba Developers Guide.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2649">18.2. Included modules</H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2651">18.2.1. audit</H2
><P
>A simple module to audit file access to the syslog
facility. The following operations are logged:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>share</TD
></TR
><TR
><TD
>connect/disconnect</TD
></TR
><TR
><TD
>directory opens/create/remove</TD
></TR
><TR
><TD
>file open/close/rename/unlink/chmod</TD
></TR
></TBODY
></TABLE
><P
></P
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2659">18.2.2. recycle</H2
><P
>A recycle-bin like modules. When used any unlink call
will be intercepted and files moved to the recycle
directory instead of beeing deleted.</P
><P
>Supported options:
<P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>vfs_recycle_bin:repository</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:keeptree</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:versions</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:touch</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:maxsize</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:exclude</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:exclude_dir</DT
><DD
><P
>FIXME</P
></DD
><DT
>vfs_recycle_bin:noversions</DT
><DD
><P
>FIXME</P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2696">18.2.3. netatalk</H2
><P
>A netatalk module, that will ease co-existence of samba and
netatalk file sharing services.</P
><P
>Advantages compared to the old netatalk module:
<P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD
></TR
><TR
><TD
>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD
></TR
></TBODY
></TABLE
><P
></P
></P
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2703">18.3. VFS modules available elsewhere</H1
><P
>This section contains a listing of various other VFS modules that
have been posted but don't currently reside in the Samba CVS
tree for one reason ot another (e.g. it is easy for the maintainer
to have his or her own CVS tree).</P
><P
>No statemets about the stability or functionality any module
should be implied due to its presence here.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2707">18.3.1. DatabaseFS</H2
><P
>URL: <A
HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php"
TARGET="_top"
>http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A
></P
><P
>By <A
HREF="mailto:elorimer@css.tayloru.edu"
TARGET="_top"
>Eric Lorimer</A
>.</P
><P
>I have created a VFS module which implements a fairly complete read-only
filesystem. It presents information from a database as a filesystem in
a modular and generic way to allow different databases to be used
(originally designed for organizing MP3s under directories such as
"Artists," "Song Keywords," etc... I have since applied it to a student
roster database very easily). The directory structure is stored in the
database itself and the module makes no assumptions about the database
structure beyond the table it requires to run.</P
><P
>Any feedback would be appreciated: comments, suggestions, patches,
etc... If nothing else, hopefully it might prove useful for someone
else who wishes to create a virtual filesystem.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2715">18.3.2. vscan</H2
><P
>URL: <A
HREF="http://www.openantivirus.org/"
TARGET="_top"
>http://www.openantivirus.org/</A
></P
><P
>samba-vscan is a proof-of-concept module for Samba, which
uses the VFS (virtual file system) features of Samba 2.2.x/3.0
alphaX. Of couse, Samba has to be compiled with VFS support.
samba-vscan supports various virus scanners and is maintained
by Rainer Link.</P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="pdb-xml.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="samba-ldap-howto.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Passdb XML plugin</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Storing Samba's User/Machine Account information in an LDAP Directory</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
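Review bot: this removes the whole 389-line page, and with it the list of operations the audit module logs and the statement that modules run in the order given in `vfs object`. The winbind page in this commit still links to a "Stackable VFS modules" chapter (VFS.html, Chapter 20), so check that the chapter carries both points. The eight `vfs_recycle_bin:*` options were documented here only as FIXME, and the replacement should describe them rather than inherit the placeholders.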

View File

@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>wbinfo</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="wbinfo.1"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>wbinfo &#8212; Query information from winbind daemon</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">wbinfo</tt> [-u] [-g] [-N netbios-name] [-I ip] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m] [--sequence] [-r user] [-a user%password] [-A user%password] [--get-auth-user] [-p]</p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>This tool is part of the <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a> suite.</p><p>The <b class="command">wbinfo</b> program queries and returns information
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>wbinfo</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="wbinfo.1"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>wbinfo &#8212; Query information from winbind daemon</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">wbinfo</tt> [-u] [-g] [-N netbios-name] [-I ip] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m] [--sequence] [-r user] [-a user%password] [--set-auth-user user%password] [--get-auth-user] [-p]</p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>This tool is part of the <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a> suite.</p><p>The <b class="command">wbinfo</b> program queries and returns information
created and used by the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon. </p><p>The <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon must be configured
and running for the <b class="command">wbinfo</b> program to be able
to return information.</p></div><div class="refsect1" lang="en"><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-u</span></dt><dd><p>This option will list all users available
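Review bot: the synopsis replaces `[-A user%password]` with `[--set-auth-user user%password]` and leaves no trace of the short option, so a reader with scripts that call `wbinfo -A` cannot tell from the page whether it still works. State in the option description whether `-A` is still accepted or has been removed. The synopsis also writes `user%password` while the OPTIONS entries write `username%password`; use one placeholder throughout.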
@ -47,7 +47,7 @@
defined on a Domain Controller.
</p></dd><dt><span class="term">-a username%password</span></dt><dd><p>Attempt to authenticate a user via winbindd.
This checks both authenticaion methods and reports its results.
</p></dd><dt><span class="term">-A username%password</span></dt><dd><p>Store username and password used by winbindd
</p></dd><dt><span class="term">--set-auth-user username%password</span></dt><dd><p>Store username and password used by winbindd
during session setup to a domain controller. This enables
winbindd to operate in a Windows 2000 domain with Restrict
Anonymous turned on (a.k.a. Permissions compatiable with
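Review bot: the `--set-auth-user username%password` entry says the credentials are stored for winbindd's session setup to a domain controller, but not where they are stored or who can read them, and it shows the password as a command-line argument, which exposes it to the process list and shell history. Add a sentence on both to the description in the DocBook source. The context lines also carry the typos "authenticaion" and "compatiable", which are worth fixing in the same pass.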

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Integrated Logon Support using Winbind</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Manangement"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Integrated Logon Support using Winbind</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. 
Integrated Logon Support using Winbind</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2975375">Features and Benefits</a></dt><dt><a href="winbind.html#id2975403">Introduction</a></dt><dt><a 
href="winbind.html#id2977384">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2977444">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2977475">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2977502">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2977536">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2977558">Name Service Switch</a></dt><dt><a href="winbind.html#id2974921">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2974992">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2975027">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2975055">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2975083">Introduction</a></dt><dt><a href="winbind.html#id2975158">Requirements</a></dt><dt><a href="winbind.html#id2976434">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2980783">Conclusion</a></dt><dt><a href="winbind.html#id2980802">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975375"></a>Features and Benefits</h2></div></div><div></div></div><p>Integration of UNIX and Microsoft Windows NT through
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Integrated Logon Support using Winbind</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Integrated Logon Support using Winbind</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. 
Integrated Logon Support using Winbind</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:tridge@samba.org">tridge@samba.org</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><div class="affiliation"><div class="address"><p><tt class="email">&lt;<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2979695">Features and Benefits</a></dt><dt><a href="winbind.html#id2979724">Introduction</a></dt><dt><a 
href="winbind.html#id2979795">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2979856">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2979886">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2979914">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2979949">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2979971">Name Service Switch</a></dt><dt><a href="winbind.html#id2980108">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2980179">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2980214">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2980242">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2980271">Introduction</a></dt><dt><a href="winbind.html#id2980346">Requirements</a></dt><dt><a href="winbind.html#id2980438">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2982058">Conclusion</a></dt><dt><a href="winbind.html#id2982077">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979695"></a>Features and Benefits</h2></div></div><div></div></div><p>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a &quot;holy grail&quot; in heterogeneous
computing environments for a long time. We present
<span class="emphasis"><em>winbind</em></span>, a component of the Samba suite
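Review bot: Every generated anchor in this file is renumbered by the regeneration (id2975375 becomes id2979695 here, and the same happens to each section heading and TOC entry in the hunks below), so any external link to winbind.html#id... stops resolving and the real content changes are buried in churn. Giving the sections explicit ids in the DocBook source would keep the anchors stable between runs. The one substantive change in this hunk, "Manangement" to "Management" in the next-link title, is fine.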
@ -9,7 +8,7 @@
Service Switch to allow Windows NT domain users to appear and operate
as UNIX users on a UNIX machine. This paper describes the winbind
system, explaining the functionality it provides, how it is configured,
and how it works internally.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975403"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have
and how it works internally.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979724"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have
different models for representing user and group information and
use different technologies for implementing them. This fact has
made it difficult to integrate the two systems in a satisfactory
@ -30,7 +29,7 @@
tasks for the system administrator when maintaining users and
groups on either system. The winbind system provides a simple
and elegant solution to all three components of the unified logon
problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2977384"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by
problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979795"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by
allowing a UNIX box to become a full member of a NT domain. Once
this is done the UNIX box will see NT users and groups as if
they were native UNIX users and groups, allowing the NT domain
@ -54,7 +53,7 @@
to provide authentication via a NT domain to any PAM enabled
applications. This capability solves the problem of synchronizing
passwords between systems since all passwords are stored in a single
location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977444"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an
location (on the domain controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979856"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an
existing NT based domain infrastructure into which they wish
to put UNIX workstations or servers. Winbind will allow these
organizations to deploy UNIX workstations without having to
@ -64,12 +63,12 @@
be used is as a central part of UNIX based appliances. Appliances
that provide file and print services to Microsoft based networks
will be able to use Winbind to provide seamless integration of
the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2977475"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server
the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2979886"></a>How Winbind Works</h2></div></div><div></div></div><p>The winbind system is designed around a client/server
architecture. A long running <b class="command">winbindd</b> daemon
listens on a UNIX domain socket waiting for requests
to arrive. These requests are generated by the NSS and PAM
clients and processed sequentially.</p><p>The technologies used to implement winbind are described
in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977502"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway
in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979914"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway
by various Samba Team members to decode various aspects of
the Microsoft Remote Procedure Call (MSRPC) system. This
system is used for most network related operations between
@ -82,7 +81,7 @@
users or groups. Other MSRPC calls can be used to authenticate
NT domain users and to change user passwords. By directly querying
a Windows PDC for user and group information, winbind maps the
NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977536"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p>
NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979949"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p>
Since late 2001, Samba has gained the ability to
interact with Microsoft Windows 2000 using its 'Native
Mode' protocols, rather than the NT4 RPC services.
@ -91,7 +90,7 @@
same way as a Win2k client would, and in so doing
provide a much more efficient and
effective winbind implementation.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2977558"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2979971"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is
present in many UNIX operating systems. It allows system
information such as hostnames, mail aliases and user information
to be resolved from different sources. For example, a standalone
@ -128,7 +127,7 @@ passwd: files example
is to put <tt class="filename">libnss_winbind.so</tt> in <tt class="filename">/lib/</tt>
then add &quot;winbind&quot; into <tt class="filename">/etc/nsswitch.conf</tt> at
the appropriate place. The C library will then call Winbind to
resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974921"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM,
resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980108"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM,
is a system for abstracting authentication and authorization
technologies. With a PAM module it is possible to specify different
authentication methods for different system applications without
@ -153,7 +152,7 @@ passwd: files example
is copied to <tt class="filename">/lib/security/</tt> and the PAM
control files for relevant services are updated to allow
authentication via winbind. See the PAM documentation
for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974992"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT
for more details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980179"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT
is it allocated a numerical relative identifier (RID). This is
slightly different to UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
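Review bot: The sentence "When a user or group is created under Windows NT is it allocated a numerical relative identifier (RID)" has "is it" transposed and should read "it is allocated". The regeneration only touches the anchor id here, so the fix belongs in the DocBook source.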
@ -166,7 +165,7 @@ passwd: files example
time, winbind will have mapped all Windows NT users and groups
to UNIX user ids and group ids.</p><p>The results of this mapping are stored persistently in
an ID mapping database held in a tdb database). This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975027"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group
RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980214"></a>Result Caching</h3></div></div><div></div></div><p>An active system can generate a lot of user and group
name lookups. To reduce the network cost of these lookups winbind
uses a caching scheme based on the SAM sequence number supplied
by NT domain controllers. User or group information returned
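Review bot: The context line "an ID mapping database held in a tdb database). This ensures that" carries an unmatched closing parenthesis and says "database" twice, and the regenerated output reproduces it unchanged. Fix the sentence in the source, for example "stored persistently in an ID mapping database (held in a tdb database)".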
@ -177,14 +176,14 @@ passwd: files example
the PDC and compared against the sequence number of the cached entry.
If the sequence numbers do not match, then the cached information
is discarded and up to date information is requested directly
from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975055"></a>Installation and Configuration</h2></div></div><div></div></div><p>
from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2980242"></a>Installation and Configuration</h2></div></div><div></div></div><p>
Many thanks to John Trostel <a href="mailto:jtrostel@snapserver.com" target="_top">jtrostel@snapserver.com</a>
for providing the HOWTO for this section.
</p><p>
This HOWTO describes how to get winbind services up and running
to control access and authenticate users on your Linux box using
the winbind services which come with SAMBA 3.0.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975083"></a>Introduction</h3></div></div><div></div></div><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980271"></a>Introduction</h3></div></div><div></div></div><p>
This section describes the procedures used to get winbind up and
running on a RedHat 7.1 system. Winbind is capable of providing access
and authentication control for Windows Domain users through an NT
@ -209,15 +208,15 @@ somewhat to fit the way your distribution works.
SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
expert, so you may find a better or easier way to accomplish
these tasks.
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975158"></a>Requirements</h3></div></div><div></div></div><p>
If you have a samba configuration file that you are currently
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980346"></a>Requirements</h3></div></div><div></div></div><p>
If you have a Samba configuration file that you are currently
using... <span class="emphasis"><em>BACK IT UP!</em></span> If your system already uses PAM,
<span class="emphasis"><em>back up the <tt class="filename">/etc/pam.d</tt> directory
contents!</em></span> If you haven't already made a boot disk,
<span class="emphasis"><em>MAKE ONE NOW!</em></span>
</p><p>
Messing with the pam configuration files can make it nearly impossible
to log in to yourmachine. That's why you want to be able to boot back
Messing with the PAM configuration files can make it nearly impossible
to log in to your machine. That's why you want to be able to boot back
into your machine in single user mode and restore your
<tt class="filename">/etc/pam.d</tt> back to the original state they were in if
you get frustrated with the way things are going. ;-)
@ -236,7 +235,7 @@ winbind modules, you should have at least the pam libraries resident
on your system. For recent RedHat systems (7.1, for instance), that
means <tt class="filename">pam-0.74-22</tt>. For best results, it is helpful to also
install the development packages in <tt class="filename">pam-devel-0.74-22</tt>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2976434"></a>Testing Things Out</h3></div></div><div></div></div><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2980438"></a>Testing Things Out</h3></div></div><div></div></div><p>
Before starting, it is probably best to kill off all the SAMBA
related daemons running on your server. Kill off all <span class="application">smbd</span>,
<span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may
@ -247,7 +246,7 @@ services, several pam libraries, and the <tt class="filename">/usr/doc</tt>
and <tt class="filename">/usr/man</tt> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
the header files needed to compile pam-aware applications.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2976496"></a>Configure and compile SAMBA</h4></div></div><div></div></div><p>
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980500"></a>Configure and compile SAMBA</h4></div></div><div></div></div><p>
The configuration and compilation of SAMBA is pretty straightforward.
The first three steps may not be necessary depending upon
whether or not you have previously built the Samba binaries.
@ -262,19 +261,19 @@ whether or not you have previously built the Samba binaries.
This will, by default, install SAMBA in <tt class="filename">/usr/local/samba</tt>.
See the main SAMBA documentation if you want to install SAMBA somewhere else.
It will also build the winbindd executable and libraries.
</p></div><div xmlns:ns73="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2976608"></a>Configure <tt class="filename">nsswitch.conf</tt> and the
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980613"></a>Configure <tt class="filename">nsswitch.conf</tt> and the
winbind libraries on Linux and Solaris</h4></div></div><div></div></div><p>
The libraries needed to run the <span class="application">winbindd</span> daemon
through nsswitch need to be copied to their proper locations, so
</p><ns73:p>
</ns73:p><pre class="screen">
</p><p>
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/libnss_winbind.so /lib</tt></b>
</pre><ns73:p>
</ns73:p><p>
</pre><p>
</p><p>
I also found it necessary to make the following symbolic link:
</p><p>
<tt class="prompt">root# </tt> <b class="userinput"><tt>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</tt></b>
</p><p>And, in the case of Sun solaris:</p><pre class="screen">
</p><p>And, in the case of Sun Solaris:</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</tt></b>
<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</tt></b>
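Review bot: Dropping the ns73 namespace leaves empty paragraphs around the cp listing: "</p><p>" is followed directly by "</p><pre class="screen">", and "</pre><p>" by "</p><p>". The sentence before the listing also stops at "need to be copied to their proper locations, so" with nothing after it. Move the screen outside the para in the source, or finish the sentence, so the output has no empty p elements.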
@ -297,7 +296,7 @@ is faster (and you don't need to reboot) if you do it manually:
</p><p>
This makes <tt class="filename">libnss_winbind</tt> available to winbindd
and echos back a check to you.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2976815"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980820"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX)</p><p>
The winbind AIX identification module gets built as libnss_winbind.so in the
nsswitch directory of the samba source. This file can be copied to
/usr/lib/security, and the AIX naming convention would indicate that it
@ -317,7 +316,7 @@ Programming Concepts for AIX&quot;: <a href="http://publibn.boulder.ibm.com/doc_
Chapter 18. Loadable Authentication Module Programming Interface</a>
and more information on administering the modules at <a href="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm" target="_top">
&quot;System Management Guide: Operating System and Devices&quot;</a>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2976887"></a>Configure smb.conf</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980900"></a>Configure smb.conf</h4></div></div><div></div></div><p>
Several parameters are needed in the smb.conf file to control
the behavior of <span class="application">winbindd</span>. Configure
<tt class="filename">smb.conf</tt> These are described in more detail in
@ -330,16 +329,16 @@ include the following entries in the [global] section:
# separate domain and username with '+', like DOMAIN+username
<a href="winbindd.8.html#WINBINDSEPARATOR" target="_top">winbind separator</a> = +
# use uids from 10000 to 20000 for domain users
<a href="winbindd.8.html#WINBINDUID" target="_top">winbind uid</a> = 10000-20000
<a href="winbindd.8.html#WINBINDUID" target="_top">idmap uid</a> = 10000-20000
# use gids from 10000 to 20000 for domain groups
<a href="winbindd.8.html#WINBINDGID" target="_top">winbind gid</a> = 10000-20000
<a href="winbindd.8.html#WINBINDGID" target="_top">idmap gid</a> = 10000-20000
# allow enumeration of winbind users and groups
<a href="winbindd.8.html#WINBINDENUMUSERS" target="_top">winbind enum users</a> = yes
<a href="winbindd.8.html#WINBINDENUMGROUP" target="_top">winbind enum groups</a> = yes
# give winbind users a real shell (only needed if they have telnet access)
<a href="winbindd.8.html#TEMPLATEHOMEDIR" target="_top">template homedir</a> = /home/winnt/%D/%U
<a href="winbindd.8.html#TEMPLATESHELL" target="_top">template shell</a> = /bin/bash
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2977000"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p>
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981017"></a>Join the SAMBA server to the PDC domain</h4></div></div><div></div></div><p>
Enter the following command to make the SAMBA server join the
PDC domain, where <i class="replaceable"><tt>DOMAIN</tt></i> is the name of
your Windows domain and <i class="replaceable"><tt>Administrator</tt></i> is
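Review bot: The link text changes from "winbind uid" and "winbind gid" to "idmap uid" and "idmap gid", but the hrefs still point at winbindd.8.html#WINBINDUID and winbindd.8.html#WINBINDGID. Confirm those anchors still exist in the regenerated man page, or retarget the links to wherever the idmap parameters are documented, so that a reader checking the 10000-20000 ranges does not land on a dead anchor. The comment "give winbind users a real shell" also sits above "template homedir" rather than "template shell"; moving it down one line would match what it describes.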
@ -350,7 +349,7 @@ a domain user who has administrative privileges in the domain.
The proper response to the command should be: &quot;Joined the domain
<i class="replaceable"><tt>DOMAIN</tt></i>&quot; where <i class="replaceable"><tt>DOMAIN</tt></i>
is your DOMAIN name.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2979843"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981071"></a>Start up the winbindd daemon and test it!</h4></div></div><div></div></div><p>
Eventually, you will want to modify your smb startup script to
automatically invoke the winbindd daemon when the other parts of
SAMBA start, but it is possible to test out just the winbind
@ -422,7 +421,7 @@ directories and default shells.
The same thing can be done for groups with the command
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>getent group</tt></b>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980083"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div xmlns:ns74="" class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980091"></a>Linux</h5></div></div><div></div></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981312"></a>Fix the init.d startup scripts</h4></div></div><div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981320"></a>Linux</h5></div></div><div></div></div><p>
The <span class="application">winbindd</span> daemon needs to start up after the
<span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running.
To accomplish this task, you need to modify the startup scripts of your system.
@ -453,18 +452,18 @@ start() {
touch /var/lock/subsys/smb || RETVAL=1
return $RETVAL
}
</pre><ns74:p>If you would like to run winbindd in dual daemon mode, replace
</pre><p>If you would like to run winbindd in dual daemon mode, replace
the line
</ns74:p><pre class="programlisting">
</p><pre class="programlisting">
daemon /usr/local/samba/bin/winbindd
</pre><ns74:p>
</pre><p>
in the example above with:
</ns74:p><pre class="programlisting">
</p><pre class="programlisting">
daemon /usr/local/samba/bin/winbindd -B
</pre><ns74:p>.
</ns74:p><p>
</pre><p>.
</p><p>
The 'stop' function has a corresponding entry to shut down the
services and looks like this:
</p><pre class="programlisting">
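Review bot: After the "winbindd -B" listing the output still contains a paragraph whose only content is a full stop ("</pre><p>." followed by "</p><p>"). The sentence "replace the line ... in the example above with: ..." is split across three paragraphs and two listings, which orphans its final period. Drop the trailing period in the source, or restructure the sentence so it ends before the second listing.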
@ -488,7 +487,7 @@ stop() {
echo &quot;&quot;
return $RETVAL
}
</pre></div><div xmlns:ns75="" class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980236"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on solaris 9, see the <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On solaris, you need to modify the
</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981482"></a>Solaris</h5></div></div><div></div></div><p>Winbind doesn't work on Solaris 9, see the <a href="Portability.html#winbind-solaris9" title="Winbind on Solaris 9">Portability</a> chapter for details.</p><p>On Solaris, you need to modify the
<tt class="filename">/etc/init.d/samba.server</tt> startup script. It usually
only starts smbd and nmbd but should now start winbindd too. If you
have samba installed in <tt class="filename">/usr/local/samba/bin</tt>,
@ -540,22 +539,22 @@ the file could contains something like this:
echo &quot;Usage: /etc/init.d/samba.server { start | stop }&quot;
;;
esac
</pre><ns75:p>
</pre><p>
Again, if you would like to run samba in dual daemon mode, replace
</ns75:p><pre class="programlisting">
</p><pre class="programlisting">
/usr/local/samba/bin/winbindd
</pre><ns75:p>
</pre><p>
in the script above with:
</ns75:p><pre class="programlisting">
</p><pre class="programlisting">
/usr/local/samba/bin/winbindd -B
</pre><ns75:p>
</ns75:p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980325"></a>Restarting</h5></div></div><div></div></div><p>
</pre><p>
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981600"></a>Restarting</h5></div></div><div></div></div><p>
If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you
should be able to connect to the samba server as a domain member just as
if you were a local user.
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2980361"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p>
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2981637"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p>
If you have made it this far, you know that winbindd and samba are working
together. If you want to use winbind to provide authentication for other
services, keep reading. The pam configuration files need to be altered in
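Review bot: The Solaris text says "if you would like to run samba in dual daemon mode", but the line being replaced is /usr/local/samba/bin/winbindd and the Linux section says "run winbindd in dual daemon mode". The wording should name winbindd in both places so readers do not go looking for a -B option on smbd. The empty paragraph after the "winbindd -B" listing ("</pre><p>" then "</p></div>") is also still emitted.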
@ -575,9 +574,9 @@ your other pam security modules. On my RedHat system, this was the
modules reside in <tt class="filename">/usr/lib/security</tt>.
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</tt></b>
</p><div xmlns:ns76="" class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980468"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p>
</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981743"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p>
The <tt class="filename">/etc/pam.d/samba</tt> file does not need to be changed. I
just left this fileas it was:
just left this file as it was:
</p><pre class="programlisting">
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
@ -631,14 +630,14 @@ same way. It now looks like this:
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
</pre><ns76:p>
In this case, I added the </ns76:p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><ns76:p>
lines as before, but also added the </ns76:p><pre class="programlisting">required pam_securetty.so</pre><ns76:p>
</pre><p>
In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p>
lines as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p>
above it, to disallow root logins over the network. I also added a
<b class="command">sufficient /lib/security/pam_unix.so use_first_pass</b>
line after the <b class="command">winbind.so</b> line to get rid of annoying
double prompts for passwords.
</ns76:p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2980691"></a>Solaris-specific configuration</h5></div></div><div></div></div><p>
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2981966"></a>Solaris-specific configuration</h5></div></div><div></div></div><p>
The /etc/pam.conf needs to be changed. I changed this file so that my Domain
users can logon both locally as well as telnet.The following are the changes
that I made.You can customize the pam.conf file as per your requirements,but
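Review bot: in the changed paragraph starting "In this case, I added the", the sentence is still split across two programlisting blocks, and the fragments are not complete PAM lines: "required pam_securetty.so" has no module-type field or path, and "sufficient /lib/security/pam_unix.so use_first_pass" omits the type as well. The ordering is what makes this configuration do what the text says: pam_securetty has to be a required auth entry above the sufficient pam_winbind.so line, because a successful sufficient module ends the auth stack before anything below it runs. The source should show the three auth lines as one complete listing in that order. The trailing context also has missing spaces ("telnet.The", "made.You", "requirements,but") that should be fixed in the source along with "fileas".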
@ -710,12 +709,12 @@ annoying double prompts for passwords.
</p><p>
Now restart your Samba and try connecting through your application that you
configured in the pam.conf.
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2980783"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982058"></a>Conclusion</h2></div></div><div></div></div><p>The winbind system, through the use of the Name Service
Switch, Pluggable Authentication Modules, and appropriate
Microsoft RPC calls have allowed us to provide seamless
integration of Microsoft Windows NT domain users on a
UNIX system. The result is a great reduction in the administrative
cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2980802"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current
cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982077"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current
released version that we hope to overcome in future
releases:</p><div class="itemizedlist"><ul type="disc"><li><p>Winbind is currently only available for
the Linux, Solaris and IRIX operating systems, although ports to other operating
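Review bot: the only difference in the two changed heading lines (Conclusion and Common Errors) is the generated anchor name, id2980783 to id2982058 and id2980802 to id2982077, so every regeneration breaks deep links into these sections and adds noise to the diff. Giving the sect1 elements explicit id attributes in the DocBook source would keep the anchors stable across builds. While editing that source, "The winbind system ... have allowed us" in the Conclusion paragraph should read "has allowed us".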
@ -730,4 +729,4 @@ configured in the pam.conf.
containing this information is corrupted or destroyed.</p></li><li><p>Currently the winbind PAM module does not take
into account possible workstation and logon time restrictions
that may be been set for Windows NT users, this is
instead up to the PDC to enforce.</p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. Advanced Network Manangement</td></tr></table></div></body></html>
instead up to the PDC to enforce.</p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. Advanced Network Management</td></tr></table></div></body></html>
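Review bot: "that may be been set for Windows NT users" in the last list item is still wrong after this regeneration, even though "Manangement" in the navigation footer right after it was corrected; it should read "that may have been set", fixed in the DocBook source. This item is also the one security-relevant limitation in the list (workstation and logon time restrictions are not applied by the winbind PAM module), so it is worth splitting the run-on at "users, this is" into two sentences so that the statement that enforcement is left to the PDC stands on its own.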