mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00

trying to get HEAD building again. If you want the code prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
This commit is contained in:
Gerald Carter 2003-07-16 05:34:56 +00:00
parent 95fe826700
commit 4a090ba06a
536 changed files with 56624 additions and 34211 deletions

README

@ -6,7 +6,7 @@ the Samba Team, who support the original author, Andrew Tridgell.
>>>> about the configuration and use of Samba.
NOTE: Installation instructions may be found in
docs/htmldocs/UNIX_INSTALL.html
docs/htmldocs/install.html
This software is freely distributable under the GNU public license, a
copy of which you should have received with this software (in a file
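Review bot: the install path update is fine, but the trailing context still says "GNU public license"; the licence is the GNU General Public License (GPL), which is how the dev-doc.xml touched by this same commit refers to it via gpl.txt. Worth fixing the README wording while it is being edited.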
@ -19,7 +19,7 @@ WHAT IS SMB?
This is a big question.
The very short answer is that it is the protocol by which a lot of
PC-related machines share files and printers and other informatiuon
PC-related machines share files and printers and other information
such as lists of available files and printers. Operating systems that
support this natively include Windows NT, OS/2, and Linux and add on
packages that achieve the same thing are available for DOS, Windows,

Roadmap

@ -1,43 +1,29 @@
Copyright (C) 1997-1999 - Samba-Team
Copyright (C) 1997-2003 Samba-Team
The Samba-Team are committed to an aggressive program to deliver quality
controlled software to a well defined roadmap.
The current Samba release 2.0.4 is called the "NT Security update".
It correctly implements the Windows NT specific SMB calls,
and will operate correctly as a client in a Windows NT
Domain environment.
In addition, the first implementation of the Web-based GUI
management tool ships with 2.0.0, thus fullfilling some of
the commitments made in the 1.9.18 release Roadmap document.
Some work has been done on ensuring compatibility with
Windows NT 5.0 (now Windows 2000 :-) although this is
a somewhat (slowly) moving target.
The current Samba Beta series of Samba 3.0.0 is called the "Domain Integration"
release.
The following development objectives for future releases
are in place:
are in progress:
----------------------------------------------------------------------------
2.0.x - "NT Security update" - Allowing Windows NT Clients to
manipulate file security and ownership using native tools.
Samba-3.0.0 The Domain Integration Release
Note that the "NT Security update" part of the Roadmap has been
achieved with the Samba 2.0.4 release.
Samba-3.0.x Refinments to the User and Group IDMAP facility and
general code stabilization work.
2.0.xx - "Thin Server" mode, allowing a Samba server to be
inserted into a network with no UNIX setup required.
Some management capabilities for Samba using native NT tools.
Provision of command-line equivalents to native NT tools.
Samba-3.x.x Improvements in Management and Migration tools,
the introduction of further integration capabilities.
2.X - "Domain Controller" - able to serve as a Windows NT PDC.
Samba-4 Danger Will Robinson, a big code clean up with major
system redesign. More will be announced as this work
starts to take shape.
X.XX - "Full Domain Integration" - allowing both PDC and BDC modes.
Note that it is a given that the Samba Team will continue to track
Windows (NT/2000) update releases, ensuring that Samba will work
Note that it is a given that the Samba-Team will continue to track
Windows (NT/200x) update releases, ensuring that Samba will work
well with whatever "Beta" releases Redmond throws our way :-).
You may also note that the release numbers get fuzzier the
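Review bot: typo in the new "Samba-3.0.x" line: "Refinments" should be "Refinements". The release labels also mix four styles (Samba-3.0.0, Samba-3.0.x, Samba-3.x.x, Samba-4); pick one form. Since the 2.0.x "NT Security update" paragraph is gone, the surviving "You may also note that the release numbers get fuzzier" sentence now follows directly from the Samba-4 entry; re-read that it still makes sense in context.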

File diff suppressed because it is too large

Binary file not shown.

Binary file not shown.


@ -30,16 +30,23 @@ MANPAGES_NAMES=findsmb.1 smbclient.1 \
XSLTPROC = @XSLTPROC@
PDFLATEX = @PDFLATEX@
LATEX = @LATEX@
DVIPS = @DVIPS@
HTMLDOC = @HTMLDOC@
PNGTOPNM = @PNGTOPNM@
PNMTOPS = @PNMTOPS@
XMLTO = @XMLTO@
SRCDIR = @srcdir@
MANDIR=../manpages
HTMLDIR=../htmldocs
MANPROJDOC = manpages
PROJDOC = projdoc
IMAGEPROJDIR = $(PROJDOC)/imagefiles
DEVDOC = devdoc
SMBDOTCONFDOC = smbdotconf
PSDIR = ..
PDFDIR = ..
DVIDIR = ..
TXTDIR = ../textdocs
FAQPROJDOC = faq
FAQDIR = ../faq
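Review bot: PSDIR, PDFDIR and the new DVIDIR all resolve to `..`, so the .ps/.pdf/.dvi outputs land loose in the parent docs directory, and the `clean` target further down removes `$(PSDIR)/*.ps`, `$(PDFDIR)/*.pdf` and `$(DVIDIR)/*.dvi` there with a wildcard. A dedicated output directory, as TXTDIR=../textdocs and HTMLDIR=../htmldocs already do, would stop `make clean` from deleting files this Makefile did not build. HTMLDOC is still substituted here but no rule in this diff uses it.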
@ -47,53 +54,114 @@ FAQDIR = ../faq
MANPAGES=$(patsubst %,$(MANDIR)/%,$(MANPAGES_NAMES))
MANPAGES_HTML=$(patsubst %,$(HTMLDIR)/%.html,$(MANPAGES_NAMES))
PROJDOC_IMAGES_PNG = $(wildcard $(IMAGEPROJDIR)/*.png)
PROJDOC_IMAGES_EPS=$(patsubst %.png,%.eps,$(wildcard $(IMAGEPROJDIR)/*.png))
PROJDOC_DEPS = $(PROJDOC)/*.xml $(PROJDOC)/attributions.xml
DEVDOC_DEPS = $(DEVDOC)/*.xml $(DEVDOC)/attributions.xml
all:
@echo "Supported make targets:"
@echo "manpages - Build manpages"
@echo "pdf - Build PDF version of HOWTO Collection"
@echo "pdf - Build PDF version of HOWTO Collection and Developers Guide"
@echo "tex - Build Latex version of HOWTO Collection and Developers Guide"
@echo "dvi - Build Device Independant Files of HOWTO Collection and Developers Guide"
@echo "ps - Build PostScript version of HOWTO Collection and Developers Guide"
@echo "txt - Build plain text version of HOWTO Collection and Developers Guide"
@echo -n "html-single - Build single file HTML version of HOWTO Collection"
@echo " and developers guide"
@echo "html - Build HTML version of HOWTO Collection"
@echo "html - Build HTML version of HOWTO Collection and Developers Guide"
@echo "htmlman - Build html version of manpages"
@echo "htmlfaq - Build html version of the FAQ"
@echo "undocumented - Output list of undocumented smb.conf options"
@echo "everything - Build all of the above"
everything: manpages pdf html-single html htmlman htmlfaq
everything: manpages pdf html-single html htmlman htmlfaq txt ps
# Global rules
manpages: $(MANDIR) $(MANPAGES)
tex: samba-doc.tex dev-doc.tex
pdf: $(PDFDIR) $(PDFDIR)/Samba-HOWTO-Collection.pdf $(PDFDIR)/Samba-Developers-Guide.pdf
dvi: $(DVIDIR) $(DVIDIR)/Samba-HOWTO-Collection.dvi $(DVIDIR)/Samba-Developers-Guide.dvi
ps: $(PSDIR) $(PSDIR)/Samba-HOWTO-Collection.ps $(PSDIR)/Samba-Developers-Guide.ps
hpdf: $(PDFDIR) $(PDFDIR)/Samba-HOWTO-Collection.pdf
txt: $(TXTDIR) $(TXTDIR)/Samba-HOWTO-Collection.txt $(TXTDIR)/Samba-Developers-Guide.txt
htmlman: $(HTMLDIR) $(MANPAGES_HTML) CSS
htmlfaq: $(HTMLDIR) CSS
@$(XSLTPROC) --stringparam base.dir "$(FAQDIR)/" --stringparam root.filename samba-faq xslt/html-chunk.xsl $(FAQPROJDOC)/sambafaq.xml
html-single: $(HTMLDIR) CSS $(HTMLDIR)/Samba-HOWTO-Collection.html $(HTMLDIR)/Samba-Developers-Guide.html
html: $(HTMLDIR) CSS
html: $(HTMLDIR) CSS $(PROJDOC_DEPS)
@$(XSLTPROC) xslt/html-chunk.xsl $(PROJDOC)/samba-doc.xml
# Text files
$(TXTDIR):
mkdir $(TXTDIR)
$(TXTDIR)/Samba-HOWTO-Collection.txt: $(PROJDOC)/samba-doc.xml $(PROJDOC_DEPS)
@echo "Converting samba-doc to plain text..."
@$(XMLTO) txt -o $(TXTDIR) $<
@mv $(TXTDIR)/samba-doc.txt $(TXTDIR)/Samba-HOWTO-Collection.txt
$(TXTDIR)/Samba-Developers-Guide.txt: $(DEVDOC)/dev-doc.xml $(DEVDOC_DEPS)
@echo "Converting dev-doc to plain text..."
@$(XMLTO) txt -o $(TXTDIR) $<
@mv $(TXTDIR)/dev-doc.txt $(TXTDIR)/Samba-Developers-Guide.txt
# Tex files
samba-doc.tex: $(PROJDOC)/samba-doc.xml $(PROJDOC_DEPS)
@echo "Converting samba-doc to LaTeX..."
@$(XSLTPROC) --output $@ xslt/latex.xsl $<
dev-doc.tex: $(DEVDOC)/dev-doc.xml $(DEVDOC_DEPS)
@echo "Converting dev-doc to LaTeX..."
@$(XSLTPROC) --output $@ xslt/latex.xsl $<
# Adobe PDF files
$(PDFDIR)/Samba-HOWTO-Collection.pdf: $(PROJDOC)/samba-doc.xml
@echo "Converting samba-doc to LaTeX..."
@$(XSLTPROC) --output samba-doc.tex xslt/latex.xsl $<
$(PDFDIR)/Samba-HOWTO-Collection.pdf: samba-doc.tex $(PROJDOC_IMAGES_PNG)
@echo "Building LaTeX sources via $(PDFLATEX)..."
@$(PDFLATEX) samba-doc.tex | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) samba-doc.tex | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) samba-doc.tex || echo
@$(PDFLATEX) $< | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) $< | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) $< || echo
@echo "done"
@mv samba-doc.pdf $@
$(PDFDIR)/Samba-Developers-Guide.pdf: $(DEVDOC)/dev-doc.xml
@echo "Converting dev-doc to LaTeX..."
@$(XSLTPROC) --output dev-doc.tex xslt/latex.xsl $<
$(PDFDIR)/Samba-Developers-Guide.pdf: dev-doc.tex
@echo "Building LaTeX sources via $(PDFLATEX)..."
@$(PDFLATEX) dev-doc.tex | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) dev-doc.tex | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) dev-doc.tex || echo
@$(PDFLATEX) $< | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) $< | grep 'Rerun to get cross-references right' && \
$(PDFLATEX) $< || echo
@echo "done"
@mv dev-doc.pdf $@
epsimages: $(PROJDOC_IMAGES_EPS)
# DVI files
$(DVIDIR)/Samba-HOWTO-Collection.dvi: samba-doc.tex $(PROJDOC_IMAGES_EPS)
@echo "Building LaTeX sources via $(LATEX)..."
@$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
$(LATEX) $< 2>&1 || echo
@echo "done"
@mv samba-doc.dvi $@
$(DVIDIR)/Samba-Developers-Guide.dvi: dev-doc.tex
@echo "Building LaTeX sources via $(LATEX)..."
@$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
$(LATEX) $< 2>&1 | grep 'Rerun to get cross-references right' && \
$(LATEX) $< 2>&1 || echo
@echo "done"
@mv dev-doc.dvi $@
$(IMAGEPROJDIR)/%.eps: $(IMAGEPROJDIR)/%.png
@$(PNGTOPNM) $< | $(PNMTOPS) > $@
# PostScript files
$(PSDIR)/Samba-HOWTO-Collection.ps: $(DVIDIR)/Samba-HOWTO-Collection.dvi
$(DVIPS) -o $@ $<
$(PSDIR)/Samba-Developers-Guide.ps: $(DVIDIR)/Samba-Developers-Guide.dvi
$(DVIPS) -o $@ $<
# Single large HTML files
$(HTMLDIR):
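Review bot: the pdflatex and latex recipes end in `|| echo`, which masks a failing TeX run: the recipe exits 0, the following `mv samba-doc.pdf $@` then fails with a less useful error (or moves a stale PDF), and make never reports the real cause. Because pdflatex is also run without `-interaction=nonstopmode`, a TeX error stops at the interactive prompt and hangs an unattended build. Suggest `$(PDFLATEX) -interaction=nonstopmode $<` and a rerun loop that still propagates a non-zero exit. The pdflatex recipe greps stdout only while the latex recipe uses `2>&1`; make the two consistent. Smaller point in the EPS rule: `$(PNGTOPNM) $< | $(PNMTOPS) > $@` leaves a truncated but newer-than-source `$@` when pngtopnm fails, so a retry will not rebuild it; append `|| rm -f $@`, or write to a temporary file and rename on success.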
@ -102,10 +170,10 @@ $(HTMLDIR):
CSS: $(HTMLDIR) xslt/html/samba.css
@cp xslt/html/samba.css $(HTMLDIR)/
$(HTMLDIR)/Samba-HOWTO-Collection.html: $(PROJDOC)/samba-doc.xml
$(HTMLDIR)/Samba-HOWTO-Collection.html: $(PROJDOC)/samba-doc.xml $(PROJDOC_DEPS) $(PROJDOC_IMAGES_PNG)
@$(XSLTPROC) --output $@ xslt/html.xsl $<
$(HTMLDIR)/Samba-Developers-Guide.html: $(DEVDOC)/dev-doc.xml
$(HTMLDIR)/Samba-Developers-Guide.html: $(DEVDOC)/dev-doc.xml $(DEVDOC_DEPS)
@$(XSLTPROC) --output $@ xslt/html.xsl $<
@ -139,14 +207,28 @@ $(MANPROJDOC)/smb.conf.5.xml: $(SMBDOTCONFDOC)/smb.conf.5.xml $(SMBDOTCONFDOC)/p
$(SMBDOTCONFDOC)/expand-smb.conf.xsl
@$(XSLTPROC) --xinclude --output $(MANPROJDOC)/smb.conf.5.xml $(SMBDOTCONFDOC)/expand-smb.conf.xsl $(SMBDOTCONFDOC)/smb.conf.5.xml
$(PROJDOC)/attributions.xml: $(PROJDOC)/samba-doc.xml
@echo > $@ # Make sure we don't get recursive dependencies, etc!
@echo "Generating attributions page"
@$(XSLTPROC) --output $@ xslt/generate-attributions.xsl $<
$(DEVDOC)/attributions.xml: $(DEVDOC)/dev-doc.xml
@echo > $@ # Make sure we don't get recursive dependencies, etc!
@echo "Generating attributions page"
@$(XSLTPROC) --output $@ xslt/generate-attributions.xsl $<
$(MANDIR):
mkdir $(MANDIR)
$(MANDIR)/%: $(MANPROJDOC)/%.xml
@$(XSLTPROC) xslt/man.xsl $<
undocumented: $(SMBDOTCONFDOC)/parameters.all.xml
$(PERL) scripts/find_missing_doc.pl ../..
clean:
@rm -f $(MANPAGES) $(MANPAGES_HTML) $(HTMLDIR)/*.html $(HTMLDIR)/*.css $(TXTDIR)/*.txt $(PSDIR)/*.ps $(PDFDIR)/*.pdf
@rm -f $(MANPROJDOC)/smb.conf.5.xml $(SMBDOTCONFDOC)/parameters.*.xml
@rm -f samba-doc.* dev-doc.*
@rm -f $(MANPROJDOC)/smb.conf.5.xml $(SMBDOTCONFDOC)/parameters.*.xml $(DVIDIR)/*.dvi
@rm -f samba-doc.* dev-doc.* $(PROJDOC)/attributions.xml
@rm -f $(IMAGEPROJDIR)/*.eps
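Review bot: `clean` now removes `$(PROJDOC)/attributions.xml` but not `$(DEVDOC)/attributions.xml`, which the rule a few lines above generates the same way; add it. The `@echo > $@` before regenerating attributions.xml breaks the cycle (samba-doc.xml pulls attributions.xml in as an entity while the stylesheet reads samba-doc.xml), but it also means an interrupted xsltproc leaves an empty attributions file that make then treats as up to date; a `.DELETE_ON_ERROR:` declaration in the Makefile covers that case.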

docs/docbook/configure vendored

File diff suppressed because it is too large


@ -9,6 +9,12 @@ if test "x$PDFLATEX" = x; then
AC_MSG_ERROR("pdflatex is required")
fi
AC_PATH_PROG(XMLTO, xmlto)
AC_PATH_PROG(LATEX, latex)
AC_PATH_PROG(DVIPS, dvips)
AC_PATH_PROG(PNGTOPNM, pngtopnm)
AC_PATH_PROG(PNMTOPS, pnmtops)
DOC_BUILD_DATE=`date '+%d-%m-%Y'`
AC_SUBST(DOC_BUILD_DATE)
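Review bot: the new AC_PATH_PROG checks for xmlto, latex, dvips, pngtopnm and pnmtops do not fail when the tool is missing, unlike the pdflatex check directly above them, so `make ps` or `make txt` on a machine without them dies mid-recipe with an empty command rather than at configure time. Either error out as pdflatex does, or make the corresponding targets conditional on the tool being found. Also `DOC_BUILD_DATE` uses `%d-%m-%Y`, which is ambiguous in the built documents; an ISO `%Y-%m-%d` date avoids the day/month confusion.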


@ -35,6 +35,7 @@
because someone else was working on the same thing or because your
implementation is not the correct one.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -67,6 +68,8 @@
<member>Make sure your patch complies to the samba coding style as
suggested in the coding-suggestions chapter. </member>
</simplelist>
</para>
</listitem>
</varlistentry>
<varlistentry>


@ -1,5 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE book SYSTEM "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % globalentities SYSTEM '../global.ent'> %globalentities;
<!ENTITY NetBIOS SYSTEM "NetBIOS.xml">
<!ENTITY Architecture SYSTEM "architecture.xml">
<!ENTITY debug SYSTEM "debug.xml">
@ -17,6 +18,8 @@
<!ENTITY modules SYSTEM "modules.xml">
<!ENTITY packagers SYSTEM "packagers.xml">
<!ENTITY contributing SYSTEM "contributing.xml">
<!ENTITY vfs SYSTEM "vfs.xml">
<!ENTITY windows-deb SYSTEM "windows-debug.xml">
]>
<book id="Samba-Developers-Guide">
@ -28,13 +31,9 @@
<surname>SAMBA Team</surname>
</author>
<address><email>samba@samba.org</email></address>
</bookinfo>
<dedication>
<title>Abstract</title>
<abstract>
<para>
<emphasis>Last Update</emphasis> : Mon Sep 30 15:23:53 CDT 2002
<emphasis>Last Update</emphasis> : Fri Jun 6 00:45:54 CEST 2003
</para>
<para>
@ -45,7 +44,7 @@ the internals of various parts of samba and the SMB protocol. It's still incompl
The most recent version of this document
can be found at <ulink url="http://devel.samba.org/">http://devel.samba.org/</ulink>.
Please send updates to <ulink
url="mailto:jelmer@samba.org">Jelmer Veenrooij</ulink>.
url="mailto:jelmer@samba.org">Jelmer Vernooij</ulink>.
</para>
<para>
@ -55,7 +54,20 @@ distribution. A copy can be found on-line at <ulink
url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt</ulink>
</para>
</dedication>
</abstract>
<legalnotice>
<formalpara>
<title>Attributions</title>
<para>
&attributions-dev;
</para>
</formalpara>
</legalnotice>
</bookinfo>
<!-- Contents -->
<toc/>
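Review bot: `&attributions-dev;` is not declared in the internal subset changed in the first hunk of this file; it must come from `../global.ent`, which this diff does not show. If global.ent does not define it, the book fails to parse. The new `<abstract>` and `<legalnotice>` placed inside `<bookinfo>` is valid DocBook 4.2 and fixes the earlier use of `<dedication>` for the abstract.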
@ -69,6 +81,7 @@ url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt</u
&parsing;
&unix-smb;
&Tracing;
&windows-deb;
&cifsntdomain;
&printing;
&wins;
@ -76,6 +89,7 @@ url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt</u
&encryption;
&modules;
&rpc-plugin;
&vfs;
&packagers;
&contributing;


@ -40,7 +40,7 @@ the passdb subsystem has:
</para>
<para><programlisting>
BOOL smb_register_passdb(const char *name, pdb_init_function init, int version);
NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init);
</programlisting></para>
<para>
@ -99,21 +99,21 @@ The prototype for these functions is:
</para>
<para><programlisting>
int init_module(void);
NTSTATUS init_module(void);
</programlisting></para>
<para>This function should call one or more
registration functions. The function should return non-zero on success and zero on
failure.</para>
registration functions. The function should return NT_STATUS_OK on success and
NT_STATUS_UNSUCCESSFUL or a more useful nt error code on failure.</para>
<para>For example, pdb_ldap_init() contains: </para>
<para><programlisting>
int pdb_ldap_init(void)
NTSTATUS pdb_ldap_init(void)
{
smb_register_passdb("ldapsam", pdb_init_ldapsam, PASSDB_INTERFACE_VERSION);
smb_register_passdb("ldapsam_nua", pdb_init_ldapsam_nua, PASSDB_INTERFACE_VERSION);
return TRUE;
smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam);
smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_nua", pdb_init_ldapsam_nua);
return NT_STATUS_OK;
}
</programlisting></para>
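Review bot: the updated example discards the NTSTATUS returned by smb_register_passdb() and returns NT_STATUS_OK unconditionally, which contradicts the sentence just above saying init_module() should return NT_STATUS_UNSUCCESSFUL or a more specific NT error on failure. Suggest checking each registration, for example `NTSTATUS status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam); if (!NT_STATUS_IS_OK(status)) return status;`. The argument order of smb_register_passdb() also changed (version first); a sentence saying out-of-tree passdb modules must be updated would help, since the new prototype is the only hint.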


@ -50,12 +50,17 @@ rpc_pipe_register_commands(). This function takes the following arguments:
</para>
<para><programlisting>
int rpc_pipe_register_commands(const char *clnt, const char *srv,
NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv,
const struct api_struct *cmds, int size);
</programlisting></para>
<variablelist>
<varlistentry><term>version</term>
<listitem><para>Version number of the RPC interface. Use the define <emphasis>SMB_RPC_INTERFACE_VERSION</emphasis> for this
argument.</para></listitem>
</varlistentry>
<varlistentry><term>clnt</term>
<listitem><para>the Client name of the named pipe</para></listitem>
</varlistentry>


@ -1,52 +1,53 @@
!==
!== docbook.txt for Samba HEAD
!== docbook.txt for Samba 3.0
!==
!== Author: David Bannon, D.Bannon@latrobe.edu.au November, 2000
!== Updates: Gerald (Jerry) Carter, jerry@samba.org, Feb. 2001
!== Updates: Jelmer Vernooij, jelmer@samba.org, Aug, 2002
!== Updates: Jelmer Vernooij, jelmer@samba.org, Jun, 2003
What are DocBook documents doing in the Samba Distribution ?
-----------------------------------------------------------
We are planning to convert all of the samba docs to SGML/DocBook V4.1
We have converted all samba docs to XML/DocBook V4.2
in order to make them easier to maintain and produce a nicer looking
product.
This short note (strange isn't it how it always starts out as a short note
and becomes a long one ?) will explain very briefly how and why we are
doing this.
and becomes a long one ?) will explain very briefly how and why we have
done this.
The format
----------
If you are new to xml, regard an xml file as 'source code'. You don't
read it directly, but use it to create other formats (like the txt and html
included in ../txtdocs and ../htmldocs).
If you are new to sgml, regard an sgml file as 'source code'. You don't
read it directly, use it to create other formats (like the txt and html
included in ../txt and ../html).
Docbook is a particular SGML style, particularly suited to producing
technical manuals. In the two documents I have produced so far I have used
DocBook 4.1, it seems that products like RedHat Linux is still include only
version 3.1, the differences are minor. The Linux Documentation Project is
using a modified version of 3.1 but are really geared up to make multi
paged documents, something we want to avoid for logistic reasons.
Docbook is a particular XML style, particularly suited to producing
technical manuals.
For more information on DocBook tags and format, see "DocBook: The
Definitive Guide" by Walsh and Muellner, (c) O'Reilly Publishing.
This book covers DocBook V3.1 and is available on-line
This book covers DocBook V4.2 and is available on-line
at http://www.docbook.org/
The Output
----------
The current Samba CVS tree contains the SGML/DocBook source files as well
The current Samba CVS tree contains the XML/DocBook source files as well
as the following autogenerated formats:
* man pages
* HTML
* ASCII text (where appropriate)
* PDF
The following formats are not available in CVS but can be generated by
the build scripts:
* PostScript
* DVI
* LaTeX
* ASCII text
The Tools
---------
@ -54,8 +55,20 @@ The Tools
To generate the docs, you need to have the following packages installed:
* docbook-utils
* htmldoc
* xsltproc
* pngtopnm and pnmtops (from the netpbm utilities)
For generating PDF (thru LaTeX):
* pdflatex
For generating PostScript (thru LaTeX):
* latex
* dvips
For generating ASCII:
* xmlto
This directory now contains a ./configure script and Makefile to
support the automated building of man pages (including HTML versions), and
the building of the Samba-HOWTO-Collection (HTML,PDF,PS,Text versions).
the building of the Samba-HOWTO-Collection and the
Samba Developers Guide (HTML,DVI,TeX,PDF,PS,Text versions).
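Review bot: the tools list still names docbook-utils and htmldoc, yet none of the Makefile rules in this commit invoke either; every output now goes through xsltproc, xmlto or LaTeX. Drop them or say what they are still needed for. pngtopnm and pnmtops are only used on the DVI/PostScript path (the Makefile converts PNG to EPS for latex), so they belong under "For generating PostScript". "thru" should be "through".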


@ -45,7 +45,7 @@ SMB password encryption.
<member>enable SMB password encryption in Samba. See the encryption part of
the samba HOWTO Collection</member>
<member>disable this new behaviour in NT. See the section about
<member>disable this behaviour in NT. See the section about
Windows NT in the chapter "Portability" of the samba HOWTO collection
</member>
</simplelist>
@ -98,79 +98,4 @@ before exporting it with Samba.
</sect1>
<sect1>
<title>Why can users access home directories of other users?</title>
<para>
<quote>
We are unable to keep individual users from mapping to any other user's
home directory once they have supplied a valid password! They only need
to enter their own password. I have not found *any* method that I can
use to configure samba to enforce that only a user may map their own
home directory.
</quote>
</para>
<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* elses home directory!
</quote></para>
<para>
This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
as they would if they were logged onto the UNIX box, except
that it only allows such views onto the file system as are
allowed by the defined shares.
</para>
<para>
This means that if your UNIX home directories are set up
such that one user can happily cd into another users
directory and do an ls, the UNIX security solution is to
change the UNIX file permissions on the users home directories
such that the cd and ls would be denied.
</para>
<para>
Samba tries very hard not to second guess the UNIX administrators
security policies, and trusts the UNIX admin to set
the policies and permissions he or she desires.
</para>
<para>
Samba does allow the setup you require when you have set the
"only user = yes" option on the share, is that you have not set the
valid users list for the share.
</para>
<para>
Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :
<programlisting>
users = %S
</programlisting>
this is equivalent to:
<programlisting>
valid users = %S
</programlisting>
to the definition of the [homes] share, as recommended in
the smb.conf man page.
</para>
</sect1>
<sect1>
<title>Until a few minutes after samba has started, clients get the error "Domain Controller Unavailable"</title>
<para>
A domain controller has to announce on the network who it is. This usually takes a while.
</para>
</sect1>
<sect1>
<title>I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs</title>
<para>Your loopback device isn't working correctly. Make sure it's running.
</para>
</sect1>
</chapter>
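Review bot: the removed "Why can users access home directories of other users?" entry is the one security-relevant item in this chapter, namely the `valid users = %S` recommendation for the [homes] share, and this diff does not show it being moved anywhere. If it is being retired rather than relocated, make sure the HOWTO Collection's [homes] guidance carries the same `valid users = %S` advice, because the question keeps being asked and the default really does let any authenticated user open another user's home share subject only to UNIX permissions.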


@ -2,66 +2,6 @@
<title>Features</title>
<sect1>
<title>How can I prevent my samba server from being used to distribute the Nimda worm?</title>
<para>Author: HASEGAWA Yosuke (translated by <ulink url="monyo@samba.gr.jp">TAKAHASHI Motonobu</ulink>)</para>
<para>
Nimba Worm is infected through shared disks on a network, as well as through
Microsoft IIS, Internet Explorer and mailer of Outlook series.
</para>
<para>
At this time, the worm copies itself by the name *.nws and *.eml on
the shared disk, moreover, by the name of Riched20.dll in the folder
where *.doc file is included.
</para>
<para>
To prevent infection through the shared disk offered by Samba, set
up as follows:
</para>
<para>
<programlisting>
[global]
...
# This can break Administration installations of Office2k.
# in that case, don't veto the riched20.dll
veto files = /*.eml/*.nws/riched20.dll/
</programlisting>
</para>
<para>
By setting the "veto files" parameter, matched files on the Samba
server are completely hidden from the clients and making it impossible
to access them at all.
</para>
<para>
In addition to it, the following setting is also pointed out by the
samba-jp:09448 thread: when the
"readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" file exists on
a Samba server, it is visible only as "readme.txt" and dangerous
code may be executed if this file is double-clicked.
</para>
<para>
Setting the following,
<programlisting>
veto files = /*.{*}/
</programlisting>
any files having CLSID in its file extension will be inaccessible from any
clients.
</para>
<para>
This technical article is created based on the discussion of
samba-jp:09448 and samba-jp:10900 threads.
</para>
</sect1>
<sect1>
<title>How can I use samba as a fax server?</title>
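Review bot: the Nimda entry is dated, but the `veto files = /*.{*}/` pattern for hiding CLSID-extension files (which the Windows shell displays as plain "readme.txt") is still useful hardening advice independent of that worm; consider keeping it in the HOWTO's `veto files` discussion if it is not already there.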


@ -1,13 +1,6 @@
<chapter id="FAQ-general">
<title>General Information</title>
<sect1>
<title>Where can I get it?</title>
<para>
The Samba suite is available at the <ulink url="http://samba.org/">samba website</ulink>.
</para>
</sect1>
<sect1>
<title>What do the version numbers mean?</title>
<para>


@ -1,89 +1,6 @@
<chapter id="FAQ-Install">
<title>Compiling and installing Samba on a Unix host</title>
<sect1>
<title>I can't see the Samba server in any browse lists!</title>
<para>
See Browsing.html in the docs directory of the samba source
for more information on browsing.
</para>
<para>
If your GUI client does not permit you to select non-browsable
servers, you may need to do so on the command line. For example, under
Lan Manager you might connect to the above service as disk drive M:
thusly:
<programlisting>
net use M: \\mary\fred
</programlisting>
The details of how to do this and the specific syntax varies from
client to client - check your client's documentation.
</para>
</sect1>
<sect1>
<title>Some files that I KNOW are on the server don't show up when I view the files from my client!</title>
<para>See the next question.</para>
</sect1>
<sect1>
<title>Some files on the server show up with really wierd filenames when I view the files from my client!</title>
<para>
If you check what files are not showing up, you will note that they
are files which contain upper case letters or which are otherwise not
DOS-compatible (ie, they are not legal DOS filenames for some reason).
</para>
<para>
The Samba server can be configured either to ignore such files
completely, or to present them to the client in "mangled" form. If you
are not seeing the files at all, the Samba server has most likely been
configured to ignore them. Consult the man page smb.conf(5) for
details of how to change this - the parameter you need to set is
"mangled names = yes".
</para>
</sect1>
<sect1>
<title>My client reports "cannot locate specified computer" or similar</title>
<para>
This indicates one of three things: You supplied an incorrect server
name, the underlying TCP/IP layer is not working correctly, or the
name you specified cannot be resolved.
</para>
<para>
After carefully checking that the name you typed is the name you
should have typed, try doing things like pinging a host or telnetting
to somewhere on your network to see if TCP/IP is functioning OK. If it
is, the problem is most likely name resolution.
</para>
<para>
If your client has a facility to do so, hardcode a mapping between the
hosts IP and the name you want to use. For example, with Lan Manager
or Windows for Workgroups you would put a suitable entry in the file
LMHOSTS. If this works, the problem is in the communication between
your client and the netbios name server. If it does not work, then
there is something fundamental wrong with your naming and the solution
is beyond the scope of this document.
</para>
<para>
If you do not have any server on your subnet supplying netbios name
resolution, hardcoded mappings are your only option. If you DO have a
netbios name server running (such as the Samba suite's nmbd program),
the problem probably lies in the way it is set up. Refer to Section
Two of this FAQ for more ideas.
</para>
<para>
By the way, remember to REMOVE the hardcoded mapping before further
tests :-)
</para>
</sect1>
<sect1>
<title>My client reports "cannot locate specified share name" or similar</title>
<para>
@ -107,106 +24,6 @@ to specify a service name correctly), read on:
</simplelist>
</sect1>
<sect1>
<title>Printing doesn't work</title>
<para>
Make sure that the specified print command for the service you are
connecting to is correct and that it has a fully-qualified path (eg.,
use "/usr/bin/lpr" rather than just "lpr").
</para>
<para>
Make sure that the spool directory specified for the service is
writable by the user connected to the service. In particular the user
"nobody" often has problems with printing, even if it worked with an
earlier version of Samba. Try creating another guest user other than
"nobody".
</para>
<para>
Make sure that the user specified in the service is permitted to use
the printer.
</para>
<para>
Check the debug log produced by smbd. Search for the printer name and
see if the log turns up any clues. Note that error messages to do with
a service ipc$ are meaningless - they relate to the way the client
attempts to retrieve status information when using the LANMAN1
protocol.
</para>
<para>
If using WfWg then you need to set the default protocol to TCP/IP, not
Netbeui. This is a WfWg bug.
</para>
<para>
If using the Lanman1 protocol (the default) then try switching to
coreplus. Also not that print status error messages don't mean
printing won't work. The print status is received by a different
mechanism.
</para>
</sect1>
<sect1>
<title>My client reports "This server is not configured to list shared resources"</title>
<para>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
</para>
<para>See also 'guest account' in smb.conf man page.</para>
</sect1>
<sect1>
<title>Log message "you appear to have a trapdoor uid system" </title>
<para>
This can have several causes. It might be because you are using a uid
or gid of 65535 or -1. This is a VERY bad idea, and is a big security
hole. Check carefully in your /etc/passwd file and make sure that no
user has uid 65535 or -1. Especially check the "nobody" user, as many
broken systems are shipped with nobody setup with a uid of 65535.
</para>
<para>It might also mean that your OS has a trapdoor uid/gid system :-)</para>
<para>
This means that once a process changes effective uid from root to
another user it can't go back to root. Unfortunately Samba relies on
being able to change effective uid from root to non-root and back
again to implement its security policy. If your OS has a trapdoor uid
system this won't work, and several things in Samba may break. Less
things will break if you use user or server level security instead of
the default share level security, but you may still strike
problems.
</para>
<para>
The problems don't give rise to any security holes, so don't panic,
but it does mean some of Samba's capabilities will be unavailable.
In particular you will not be able to connect to the Samba server as
two different uids at once. This may happen if you try to print as a
"guest" while accessing a share as a normal user. It may also affect
your ability to list the available shares as this is normally done as
the guest user.
</para>
<para>
Complain to your OS vendor and ask them to fix their system.
</para>
<para>
Note: the reason why 65535 is a VERY bad choice of uid and gid is that
it casts to -1 as a uid, and the setreuid() system call ignores (with
no error) uid changes to -1. This means any daemon attempting to run
as uid 65535 will actually run as root. This is not good!
</para>
</sect1>
<sect1>
<title>Why are my file's timestamps off by an hour, or by a few hours?</title>
<para>
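Review bot: this hunk drops the "trapdoor uid system" entry together with its warning that uid/gid 65535 casts to -1 and that setreuid() silently ignores a change to -1, so a daemon configured to run as uid 65535 actually runs as root. That warning is still relevant to smbd's privilege switching and should be kept somewhere in the HOWTO if it leaves the FAQ.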
@ -297,37 +114,4 @@ zones.
</para>
</sect1>
<sect1>
<title>How do I set the printer driver name correctly?</title>
<para>Question:
<quote> On NT, I opened "Printer Manager" and "Connect to Printer".
Enter ["\\ptdi270\ps1"] in the box of printer. I got the
following error message
</quote></para>
<para>
<programlisting>
You do not have sufficient access to your machine
to connect to the selected printer, since a driver
needs to be installed locally.
</programlisting>
</para>
<para>Answer:</para>
<para>In the more recent versions of Samba you can now set the "printer
driver" in smb.conf. This tells the client what driver to use. For
example:</para>
<para><programlisting>
printer driver = HP LaserJet 4L
</programlisting></para>
<para>With this, NT knows to use the right driver. You have to get this string
exactly right.</para>
<para>To find the exact string to use, you need to get to the dialog box in
your client where you select which printer driver to install. The
correct strings for all the different printers are shown in a listbox
in that dialog box.</para>
</sect1>
</chapter>
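Review bot: this answer still documents the smb.conf "printer driver" parameter; since this merge moves the documentation to 3.0 (other hunks in this commit bump man pages to "version 3.0"), confirm the parameter is still honoured by the 3.0 smb.conf parser, otherwise the entry is stale and should describe how 3.0 assigns drivers instead. Also, `printer driver = HP LaserJet 4L` is a per-share setting, so the example would be clearer shown under a `[printers]` or named printer share heading.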


@ -1,12 +1,11 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE book SYSTEM "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY general SYSTEM "general.xml">
<!ENTITY install SYSTEM "install.xml">
<!ENTITY errors SYSTEM "errors.xml">
<!ENTITY clientapp SYSTEM "clientapp.xml">
<!ENTITY features SYSTEM "features.xml">
<!ENTITY config SYSTEM "config.xml">
<!ENTITY printing SYSTEM "printing.xml">
]>
<book id="Samba-FAQ">
@ -34,9 +33,7 @@ and the old samba text documents which were mostly written by John Terpstra.
&general;
&install;
&config;
&clientapp;
&errors;
&features;
&printing;
</book>
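Review bot: the entity declarations in the prolog hunk and the &name; references in the book body are edited together here, so check that every entity still referenced (general, install, config, clientapp, errors, features, printing) is declared in the prolog above; an unreferenced declaration is harmless, but an undeclared reference is a fatal parse error, not a warning. `xmllint --valid --noout <file>` (the file name is not shown in this hunk) catches it before the build does.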


@ -463,14 +463,19 @@ an Active Directory environment.
<!ENTITY AccessControls SYSTEM "projdoc/AccessControls.xml">
<!ENTITY AdvancedNetworkAdmin SYSTEM "projdoc/AdvancedNetworkAdmin.xml">
<!ENTITY BUGS SYSTEM "projdoc/Bugs.xml">
<!ENTITY Backup SYSTEM "projdoc/Backup.xml">
<!ENTITY CUPS SYSTEM "projdoc/CUPS-printing.xml">
<!ENTITY CVS-Access SYSTEM "projdoc/CVS-Access.xml">
<!ENTITY Compiling SYSTEM "projdoc/Compiling.xml">
<!ENTITY DNS-DHCP-Configuration SYSTEM "projdoc/DNS-DHCP-Configuration.xml">
<!ENTITY DOMAIN-MEMBER SYSTEM "projdoc/DOMAIN_MEMBER.xml">
<!ENTITY Diagnosis SYSTEM "projdoc/Diagnosis.xml">
<!ENTITY ENCRYPTION SYSTEM "projdoc/ENCRYPTION.xml">
<!ENTITY FastStart SYSTEM "projdoc/FastStart.xml">
<!ENTITY Further-Resources SYSTEM "projdoc/Further-Resources.xml">
<!ENTITY Further-Resources SYSTEM "projdoc/Further-Resources.xml">
<!ENTITY GROUP-MAPPING-HOWTO SYSTEM "projdoc/GROUP-MAPPING-HOWTO.xml">
<!ENTITY HighAvailability SYSTEM "projdoc/HighAvailability.xml">
<!ENTITY IntegratingWithWindows SYSTEM "projdoc/Integrating-with-Windows.xml">
<!ENTITY IntroSMB SYSTEM "projdoc/IntroSMB.xml">
<!ENTITY MS-Dfs-Setup SYSTEM "projdoc/msdfs_setup.xml">
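Review bot: Further-Resources is declared twice in a row here (two identical `<!ENTITY Further-Resources SYSTEM "projdoc/Further-Resources.xml">` lines) and once more in the next hunk of this file. XML processors bind the first declaration and silently ignore the rest, so this parses, but it should be reduced to a single declaration so the copies cannot drift apart.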
@ -493,13 +498,16 @@ an Active Directory environment.
<!ENTITY StandAloneServer SYSTEM "projdoc/StandAloneServer.xml">
<!ENTITY Trusts SYSTEM "projdoc/InterdomainTrusts.xml">
<!ENTITY UNIX-INSTALL SYSTEM "projdoc/UNIX_INSTALL.xml">
<!ENTITY upgrading SYSTEM "projdoc/upgrading-to-3.0.xml">
<!ENTITY VFS SYSTEM "projdoc/VFS.xml">
<!ENTITY WINBIND SYSTEM "projdoc/winbind.xml">
<!ENTITY ClientConfig SYSTEM "projdoc/WindowsClientConfig.xml">
<!ENTITY locking SYSTEM "projdoc/locking.xml">
<!ENTITY pdb-mysql SYSTEM "projdoc/pdb_mysql.xml">
<!ENTITY pdb.xml SYSTEM "projdoc/pdb.xml.xml">
<!ENTITY problems SYSTEM "projdoc/Problems.xml">
<!ENTITY unicode SYSTEM "projdoc/unicode.xml">
<!ENTITY Further-Resources SYSTEM "projdoc/Further-Resources.xml">
<!ENTITY attributions SYSTEM "projdoc/attributions.xml">
<!ENTITY attributions-dev SYSTEM "devdoc/attributions.xml">
<!ENTITY windows-debug SYSTEM "devdoc/windows-debug.xml">
<!ENTITY not.implemented "<note><para>Currently NOT implemented.</para></note>">
<!ENTITY rootprompt "<prompt>root# </prompt>">
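Review bot: the `<!ENTITY Further-Resources ...>` line in this hunk duplicates the declarations in the previous hunk of the same file and should be dropped; only the first declaration is binding and the later ones are ignored. While here, the context line `<!ENTITY pdb.xml SYSTEM "projdoc/pdb.xml.xml">` has a doubled `.xml` in both the entity name and the path; worth confirming a file by that name really exists.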


@ -4,15 +4,6 @@
<!ENTITY % globalentities SYSTEM './../global.ent'> %globalentities;
<!-- This one is only used for adding users using RAP -->
<!ENTITY net.arg.flags '
<varlistentry>
<term>-F flags</term>
<listitem><para>
FIXME. Defaults to 0x21
</para></listitem>
</varlistentry>'>
<!-- This one is only used by shutdown (RPC) -->
<!ENTITY net.arg.shutdown '
<varlistentry>
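Review bot: removing the `net.arg.flags` entity is safe only if no man page still expands `&net.arg.flags;`; an undefined entity reference is a fatal XML error, so grep the manpages tree for it before dropping the declaration, or keep the entity with a real description in place of the `FIXME. Defaults to 0x21` text being deleted.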


@ -20,7 +20,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>pdbedit</command>
<arg choice="opt">-l</arg>
<arg choice="opt">-L</arg>
<arg choice="opt">-v</arg>
<arg choice="opt">-w</arg>
<arg choice="opt">-u username</arg>
@ -34,7 +34,6 @@
<arg choice="opt">-x</arg>
<arg choice="opt">-i passdb-backend</arg>
<arg choice="opt">-e passdb-backend</arg>
<arg choice="opt">-g</arg>
<arg choice="opt">-b passdb-backend</arg>
<arg choice="opt">-g</arg>
<arg choice="opt">-d debuglevel</arg>
@ -67,12 +66,12 @@
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-l</term>
<term>-L</term>
<listitem><para>This option lists all the user accounts
present in the users database.
This option prints a list of user/uid pairs separated by
the ':' character.</para>
<para>Example: <command>pdbedit -l</command></para>
<para>Example: <command>pdbedit -L</command></para>
<para><screen>
sorce:500:Simo Sorce
samba:45:Test User
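Review bot: the -L description still says it prints "user/uid pairs separated by the ':' character", but the example output shows three colon-separated fields (username:uid:full name). Update the sentence to match, e.g. "prints username, uid and full name separated by ':'".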
@ -88,7 +87,7 @@ samba:45:Test User
It causes pdbedit to list the users in the database, printing
out the account fields in a descriptive format.</para>
<para>Example: <command>pdbedit -l -v</command></para>
<para>Example: <command>pdbedit -L -v</command></para>
<para><screen>
---------------
username: sorce
@ -123,7 +122,7 @@ Profile Path: \\BERSERKER\profile
<citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details)</para>
<para>Example: <command>pdbedit -l -w</command></para>
<para>Example: <command>pdbedit -L -w</command></para>
<screen>
sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:
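Review bot: the -L -w example prints the LM and NT password hashes for each account. These hashes are password-equivalent credentials for SMB authentication, so the entry should say that the output must be protected like the smbpasswd file it mirrors (root-only, mode 0600, not left in shell history or shared logs). Consider also using obviously placeholder hash values in the example so nobody copies them into a live file.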
@ -152,8 +151,6 @@ samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX
</listitem>
</varlistentry>
<varlistentry>
<term>-h homedir</term>
<listitem><para>This option can be used while adding or
@ -200,6 +197,38 @@ samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX
</listitem>
</varlistentry>
<varlistentry>
<term>-G SID|rid</term>
<listitem><para>
This option can be used while adding or modifying a user account. It
will specify the users' new primary group SID (Security Identifier) or
rid. </para>
<para>Example: <command>-G S-1-5-21-2447931902-1787058256-3961074038-1201</command></para>
</listitem>
</varlistentry>
<varlistentry>
<term>-U SID|rid</term>
<listitem><para>
This option can be used while adding or modifying a user account. It
will specify the users' new SID (Security Identifier) or
rid. </para>
<para>Example: <command>-U S-1-5-21-2447931902-1787058256-3961074038-5004</command></para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c account-control</term>
<listitem><para>This option can be used while adding or modifying a user
account. It will specify the users' account control property. Possible
flags that can be set are: N, D, H, L, X.
</para>
<para>Example: <command>-c "[X ]"</command></para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
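Review bot: the -c entry lists the flags N, D, H, L, X without saying what each means or explaining the bracketed `"[X ]"` notation in the example; point the reader at the account flags field of smbpasswd(5), which this man page already cites in the -w entry. Minor: "the users' new primary group SID", "the users' new SID" and "the users' account control property" should all read "the user's".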
@ -216,7 +245,15 @@ retype new password
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem><para>This option is used to modify an existing user
in the database. This command needs a user name specified with the -u
switch. Other options can be specified to modify the properties of
the specified user. This flag is kept for backwards compatibility, but
it is no longer necessary to specify it.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-m</term>
@ -280,18 +317,6 @@ retype new password
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem><para>If you specify <parameter>-g</parameter>,
then <parameter>-i in-backend -e out-backend</parameter>
applies to the group mapping instead of the user database.</para>
<para>This option will ease migration from one passdb backend to
another and will ease backing up.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b passdb-backend</term>
<listitem><para>Use a different default passdb backend. </para>
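Review bot: the -g description is removed here, but the synopsis hunk earlier in this file still keeps one `<arg choice="opt">-g</arg>` (it only dropped the duplicated copy). Either remove -g from the synopsis too, or keep its description, so the two stay in sync.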
@ -315,6 +340,7 @@ account policy value for bad lockout attempt is 0
</listitem>
</varlistentry>
<varlistentry>
<term>-C account-policy-value</term>
<listitem><para>Sets an account policy to a specified value.
@ -347,7 +373,7 @@ account policy value for bad lockout attempt is now 3
<refsect1>
<title>VERSION</title>
<para>This man page is correct for version 2.2 of
<para>This man page is correct for version 3.0 of
the Samba suite.</para>
</refsect1>
@ -366,13 +392,6 @@ account policy value for bad lockout attempt is now 3
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para>The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter. The conversion to DocBook
XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.</para>
</refsect1>
</refentry>


@ -299,7 +299,7 @@ Comma Separated list of Files
<listitem><para>Execute an EnumPrinters() call. This lists the various installed
and share printers. Refer to the MS Platform SDK documentation for
more details of the various flags and calling options. Currently
supported info levels are 0, 1, and 2.</para></listitem></varlistentry>
supported info levels are 1, 2 and 5.</para></listitem></varlistentry>


@ -13,7 +13,7 @@
<refnamediv>
<refname>Samba</refname>
<refname>samba</refname>
<refpurpose>A Windows SMB/CIFS fileserver for UNIX</refpurpose>
</refnamediv>
@ -341,21 +341,14 @@
<para>Contributors to the project are now too numerous
to mention here but all deserve the thanks of all Samba
users. To see a full list, look at <ulink
url="ftp://samba.org/pub/samba/alpha/change-log">
ftp://samba.org/pub/samba/alpha/change-log</ulink>
users. To see a full list, look at the
<filename>change-log</filename> in the source package
for the pre-CVS changes and at <ulink
url="ftp://samba.org/pub/samba/alpha/cvs.log">
ftp://samba.org/pub/samba/alpha/cvs.log</ulink>
url="http://cvs.samba.org/">
http://cvs.samba.org/</ulink>
for the contributors to Samba post-CVS. CVS is the Open Source
source code control system used by the Samba Team to develop
Samba. The project would have been unmanageable without it.</para>
<para>In addition, several commercial organizations now help
fund the Samba Team with money and equipment. For details see
the Samba Web pages at <ulink
url="http://samba.org/samba/samba-thanks.html">
http://samba.org/samba/samba-thanks.html</ulink>.</para>
</refsect1>
<refsect1>


@ -254,6 +254,13 @@
sent to smbd.</para></listitem>
</varlistentry>
<varlistentry>
<term>reload-config</term>
<listitem><para>Force daemon to reload smb.conf configuration file. Can be sent
to <constant>smbd</constant>, <constant>nmbd</constant>, or <constant>winbindd</constant>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -48,11 +48,11 @@
typically this output will end up in <filename>log.smbmount</filename>. The <command>
smbmount</command> process may also be called mount.smbfs.</para>
<para><emphasis>NOTE:</emphasis> <command>smbmount</command>
<note><para> <command>smbmount</command>
calls <citerefentry><refentrytitle>smbmnt</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> to do the actual mount. You
must make sure that <command>smbmnt</command> is in the path so
that it can be found. </para>
that it can be found. </para></note>
</refsect1>
@ -144,6 +144,7 @@ password = &lt;value&gt;
<term>fmask=&lt;arg&gt;</term>
<listitem><para>sets the file mask. This determines the
permissions that remote files have in the local filesystem.
This is not a umask, but the actual permissions for the files.
The default is based on the current umask. </para></listitem>
</varlistentry>
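Review bot: the added sentence settles an easy-to-get-wrong point, that fmask is the resulting mode and not a mask to subtract, but one concrete value would make it unambiguous, e.g. "fmask=0644 gives rw-r--r--", together with a warning that fmask=0666 makes every file under the mount world-writable locally.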
@ -152,6 +153,7 @@ password = &lt;value&gt;
<term>dmask=&lt;arg&gt;</term>
<listitem><para>Sets the directory mask. This determines the
permissions that remote directories have in the local filesystem.
This is not a umask, but the actual permissions for the directories.
The default is based on the current umask. </para></listitem>
</varlistentry>


@ -35,7 +35,7 @@
<arg choice="opt">--sequence</arg>
<arg choice="opt">-r user</arg>
<arg choice="opt">-a user%password</arg>
<arg choice="opt">-A user%password</arg>
<arg choice="opt">--set-auth-user user%password</arg>
<arg choice="opt">--get-auth-user</arg>
<arg choice="opt">-p</arg>
</cmdsynopsis>
@ -207,7 +207,7 @@
<varlistentry>
<term>-A username%password</term>
<term>--set-auth-user username%password</term>
<listitem><para>Store username and password used by winbindd
during session setup to a domain controller. This enables
winbindd to operate in a Windows 2000 domain with Restrict


@ -24,7 +24,7 @@
<arg choice="opt">-F</arg>
<arg choice="opt">-S</arg>
<arg choice="opt">-i</arg>
<arg choice="opt">-B</arg>
<arg choice="opt">-Y</arg>
<arg choice="opt">-d &lt;debug level&gt;</arg>
<arg choice="opt">-s &lt;smb config file&gt;</arg>
<arg choice="opt">-n</arg>
@ -159,12 +159,11 @@ group: files winbind
</varlistentry>
<varlistentry>
<term>-B</term>
<listitem><para>Dual daemon mode. This means winbindd will run
as 2 threads. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query that the first has just responded.
Advantage of this is that responses stay accurate and are faster.
<term>-Y</term>
<listitem><para>Single daemon mode. This means winbindd will run
as a single process (the mode of operation in Samba 2.2). Winbindd's
default behavior is to launch a child process that is responsible for
updating expired cache entries.
</para></listitem>
</varlistentry>
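Review bot: the -Y entry says what single daemon mode is but not what is given up: per the same paragraph the default spawns a child to refresh expired cache entries, so with -Y that refresh must happen in the one process and requests that hit an expired entry wait on the domain controller. State that trade-off so administrators know why the default exists before they switch it off.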


@ -9,7 +9,7 @@
<para>
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
resources shared via Samba do not behave in the manner they might expect. MS Windows network
adminstrators are often confused regarding network access controls and what is the best way to
administrators are often confused regarding network access controls and what is the best way to
provide users with the type of access they need while protecting resources from the consequences
of untoward access capabilities.
</para>
@ -45,7 +45,7 @@ This is an opportune point to mention that it should be borne in mind that Samba
provide a means of interoperability and interchange of data between two operating environments
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
What is available today extends well beyond early plans and expections, yet the gap continues to
What is available today extends well beyond early plans and expectations, yet the gap continues to
shrink.
</para>
@ -66,7 +66,7 @@ shrink.
<para>
Samba honours and implements Unix file system access controls. Users
who access a Samba server will do so as a particular MS Windows user.
This information is passed to the Samba server as part of the logon orr
This information is passed to the Samba server as part of the logon or
connection setup process. Samba uses this user identity to validate
whether or not the user should be given access to file system resources
(files and directories). This chapter provides an overview for those
@ -110,7 +110,7 @@ shrink.
operating system supports them. If not, then this option will not be
available to you. Current Unix technology platforms have native support
for POSIX ACLs. There are patches for the Linux kernel that provide
this also. Sadly, few Linux paltforms ship today with native ACLs and
this also. Sadly, few Linux platforms ship today with native ACLs and
Extended Attributes enabled. This chapter has pertinent information
for users of platforms that support them.
</para>
@ -142,14 +142,15 @@ at how Samba helps to bridge the differences.
<para>
It is good news that Samba does this to a very large extent and on top of that provides a high degree
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
but for the greater part we will stay withing the bounds of default behaviour. Those wishing to explore
but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
to depths of control ability should review the &smb.conf; man page.
</para>
<itemizedlist>
<variablelist>
<title>File System Feature Comparison</title>
<varlistentry>
<term>Name Space</term>
<listitem>
<para><emphasis>Name Space</emphasis></para>
<para>
MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
may be 1023 characters long. In MS Windows file extensions indicate particular file types,
@ -159,9 +160,11 @@ at how Samba helps to bridge the differences.
What MS Windows calls a Folder, Unix calls a directory,
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Case Sensitivity</term>
<listitem>
<para><emphasis>Case Sensitivity</emphasis></para>
<para>
MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name
and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case
@ -176,28 +179,32 @@ at how Samba helps to bridge the differences.
</para>
<para>
Consider the following, all are unique Unix names but one single MS Windows file name:
<programlisting>
<computeroutput>
MYFILE.TXT
MyFile.txt
myfile.txt
</programlisting>
</computeroutput>
So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix
they can. So what should Samba do if all three are present? Answer, the one that is lexically
first will be accessible to MS Windows users, the others are invisible and unaccessible - any
other solution would be suicidal.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Directory Separators</term>
<listitem>
<para><emphasis>Directory Separators</emphasis></para>
<para>
MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/'
as it's directory delimiter. This is transparently handled by Samba.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Drive Identification</term>
<listitem>
<para><emphasis>Drive Identification</emphasis></para>
<para>
MS Windows products support a notion of drive letters, like <command>C:</command> to represent
disk partitions. Unix has NO concept if separate identifiers for file partitions since each
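Review bot: replacing `<programlisting>` with `<computeroutput>` around the three file names loses their line structure: computeroutput is an inline element, so the stylesheets collapse the whitespace and the names run together in the output. Use `<screen>` (or `<literallayout>`) around the three names, with `<computeroutput>` inside if the inline marking is wanted.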
@ -206,9 +213,11 @@ at how Samba helps to bridge the differences.
<command>C:\</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>File Naming Conventions</term>
<listitem>
<para><emphasis>File Naming Conventions</emphasis></para>
<para>
MS Windows generally never experiences file names that begin with a '.', while in Unix these
are commonly found in a user's home directory. Files that begin with a '.' are typically
@ -216,9 +225,11 @@ at how Samba helps to bridge the differences.
start-up configuration data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Links and Short-Cuts</term>
<listitem>
<para><emphasis>Links and Short-Cuts</emphasis></para>
<para>
MS Windows make use of "links and Short-Cuts" that are actually special types of files that will
redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory
@ -228,10 +239,11 @@ at how Samba helps to bridge the differences.
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
one physical file to be known simulataneously by more than one file name.
one physical file to be known simultaneously by more than one file name.
</para>
</listitem>
</itemizedlist>
</varlistentry>
</variablelist>
<para>
There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
@ -246,13 +258,20 @@ at how Samba helps to bridge the differences.
<para>
There are three basic operations for managing directories, <command>create, delete, rename</command>.
<programlisting>
Action MS Windows Command Unix Command
------ ------------------ ------------
create md folder mkdir folder
delete rd folder rmdir folder
rename rename oldname newname mv oldname newname
</programlisting>
<table frame="all">
<title>Managing directories with unix and windows</title>
<tgroup align="center" cols="3">
<thead>
<row><entry>Action</entry><entry>MS Windows Command</entry><entry>Unix Command</entry></row>
</thead>
<tbody>
<row><entry>create</entry><entry>md folder</entry><entry>mkdir folder</entry></row>
<row><entry>delete</entry><entry>rd folder</entry><entry>rmdir folder</entry></row>
<row><entry>rename</entry><entry>rename oldname newname</entry><entry>mv oldname newname</entry></row>
</tbody>
</tgroup>
</table>
</para>
</sect2>
@ -268,11 +287,11 @@ at how Samba helps to bridge the differences.
</para>
<para>
Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set.
Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
A Unix file listing looks as follows:-
<programlisting>
jht@frodo:~/stuff> ls -la
<screen>
<prompt>jht@frodo:~/stuff> </prompt><userinput>ls -la</userinput>
total 632
drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 ..
@ -293,8 +312,8 @@ at how Samba helps to bridge the differences.
-r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst
-rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
-rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
jht@frodo:~/stuff>
</programlisting>
<prompt>jht@frodo:~/stuff></prompt>
</screen>
</para>
<para>
@ -305,6 +324,7 @@ at how Samba helps to bridge the differences.
The permissions field is made up of:
<programlisting>
<comment> JRV: Put this into a diagram of some sort</comment>
[ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
[ d | l ] [ r w x ] [ r w x ] [ r w x ]
| | | | | | | | | | |
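Review bot: the editorial note `<comment> JRV: Put this into a diagram of some sort</comment>` sits inside a `<programlisting>` and will appear in the generated output unless the stylesheet's show.comments parameter is turned off; in DocBook 4.2 `comment` is also the deprecated spelling, `<remark>` being the current element. Either move it to an XML comment (`<!-- ... -->`) or make sure the build suppresses remarks before release.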
@ -324,20 +344,24 @@ at how Samba helps to bridge the differences.
<para>
Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
<programlisting>
<example>
<title>Example File</title>
<programlisting>
-rwxr-x--- Means: The owner (user) can read, write, execute
the group can read and execute
everyone else can NOT do anything with it
</programlisting>
</example>
</para>
<para>
Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</para>
<para>
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</para>
@ -356,7 +380,7 @@ at how Samba helps to bridge the differences.
</para>
<para>
When a directory is set <command>drw-r-----</command> this means that the owner can read and create (write) files in it, but because
When a directory is set <constant>drw-r-----</constant> this means that the owner can read and create (write) files in it, but because
the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
group members will be able to write to (or delete) them.
@ -379,17 +403,17 @@ Before using any of the following options please refer to the man page for &smb.
<para>
User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
file system operations as if a single user is doing this, the use of the <emphasis>force user</emphasis> and
<emphasis>force group</emphasis> behaviour will achieve this. In other situations it may be necessary to affect a
file system operations as if a single user is doing this, the use of the <parameter>force user</parameter> and
<parameter>force group</parameter> behaviour will achieve this. In other situations it may be necessary to affect a
paranoia level of control to ensure that only particular authorised persons will be able to access a share or
it's contents, here the use of the <emphasis>valid users</emphasis> or the <emphasis>invalid users</emphasis> may
it's contents, here the use of the <parameter>valid users</parameter> or the <parameter>invalid users</parameter> may
be most useful.
</para>
<para>
As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
if that person finds to great a mess, or if they do not understand what you have done then there is risk of
if that person finds too great a mess, or if they do not understand what you have done then there is risk of
Samba being removed and an alternative solution being adopted.
</para>
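Review bot: while these lines are being retagged, two wording errors are carried over unchanged: "it's contents" should be "its contents", and "to affect a paranoia level of control" should be "to effect".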
@ -482,7 +506,7 @@ Before using any of the following options please refer to the man page for &smb.
The following file and directory permission based controls, if misused, can result in considerable difficulty to
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
re-instroduce them in a controlled fashion.
re-introduce them in a controlled fashion.
</para>
<table frame='all'><title>File and Directory Permission Based Controls</title>
@ -539,13 +563,13 @@ Before using any of the following options please refer to the man page for &smb.
<row>
<entry>hide unreadable</entry>
<entry><para>
Prevents clients from seeing the existance of files that cannot be read.
Prevents clients from seeing the existence of files that cannot be read.
</para></entry>
</row>
<row>
<entry>hide unwriteable files</entry>
<entry><para>
Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual.
Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
</para></entry>
</row>
<row>
@ -653,10 +677,10 @@ Before using any of the following options please refer to the man page for &smb.
<para>
This section deals with how to configure Samba per share access control restrictions.
By default samba sets no restrictions on the share itself. Restrictions on the share itself
By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read).
the global user <constant>Everyone</constant> Full Control (ie: Full control, Change and Read).
</para>
<para>
@ -669,8 +693,8 @@ Before using any of the following options please refer to the man page for &smb.
<para>
Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>.
The location of this file on your system will depend on how samba was compiled. The default location
for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
utility has been compiled and installed on your system then you can examine the contents of this file
for Samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
utility has been compiled and installed on your system, then you can examine the contents of this file
by: <userinput>tdbdump share_info.tdb</userinput>.
</para>
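Review bot: rather than telling readers the tdb location "will depend on how samba was compiled", point them at `smbd -b`, which prints the compiled-in directories, so they do not have to guess. And since share_info.tdb holds the per-share ACLs, the paragraph should say that the file is normally readable only by root and must stay root-only writable; otherwise a local user could rewrite share permissions without going through any of the management tools described below.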
@ -678,7 +702,7 @@ Before using any of the following options please refer to the man page for &smb.
<title>Share Permissions Management</title>
<para>
The best tool for the task is platform dependant. Choose the best tool for your environmemt.
The best tool for the task is platform dependant. Choose the best tool for your environment.
</para>
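Review bot: "platform dependant" is still misspelled in the new line; it should be "platform dependent" (the change here only corrected "environment").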
<sect3>
@ -692,13 +716,13 @@ Before using any of the following options please refer to the man page for &smb.
<procedure>
<title>Instructions</title>
<step><para>
Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu
select Computer, then click on the Shared Directories entry.
Launch the <application>NT4 Server Manager</application>, click on the Samba server you want to administer, then from the menu
select <guimenu>Computer</guimenu>, then click on the <guimenuitem>Shared Directories</guimenuitem> entry.
</para></step>
<step><para>
Now click on the share that you wish to manage, then click on the Properties tab, next click on
the Permissions tab. Now you can Add or change access control settings as you wish.
Now click on the share that you wish to manage, then click on the <guilabel>Properties</guilabel> tab, next click on
the <guilabel>Permissions</guilabel> tab. Now you can add or change access control settings as you wish.
</para></step>
</procedure>
@ -708,14 +732,14 @@ Before using any of the following options please refer to the man page for &smb.
<title>Windows 200x/XP</title>
<para>
On MS Windows NT4/200x/XP system access control lists on the share itself are set using native
On <application>MS Windows NT4/200x/XP</application> system access control lists on the share itself are set using native
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows
<emphasis>Everyone</emphasis> Full Control on the Share.
then select <guimenuitem>Sharing</guimenuitem>, then click on <guilabel>Permissions</guilabel>. The default
Windows NT4/200x permission allows <emphasis>Everyone</emphasis> Full Control on the Share.
</para>
<para>
MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the
MS Windows 200x and later all comes with a tool called the <application>Computer Management</application> snap-in for the
Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel ->
Administrative Tools -> Computer Management</filename>.
</para>
@ -723,21 +747,22 @@ Before using any of the following options please refer to the man page for &smb.
<procedure>
<title>Instructions</title>
<step><para>
After launching the MMC with the Computer Management snap-in, click on the menu item 'Action',
select 'Connect to another computer'. If you are not logged onto a domain you will be prompted
After launching the MMC with the Computer Management snap-in, click on the menu item <guimenuitem>Action</guimenuitem>,
select <guilabel>Connect to another computer</guilabel>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilidge this step is not offered.
If you where already logged in with administrative privilege this step is not offered.
</para></step>
<step><para>
If the Samba server is not shown in the Select Computer box, then type in the name of the target
Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+]
next to 'Shared Folders' in the left panel.
If the Samba server is not shown in the <guilabel>Select Computer</guilabel> box, then type in the name of the target
Samba server in the field <guilabel>Name:</guilabel>. Now click on the <guibutton>[+]</guibutton> next to
<guilabel>System Tools</guilabel>, then on the <guibutton>[+]</guibutton> next to <guilabel>Shared Folders</guilabel> in the
left panel.
</para></step>
<step><para>
Now in the right panel, double-click on the share you wish to set access control permissions on.
Then click on the tab 'Share Permissions'. It is now possible to add access control entities
Then click on the tab <guilabel>Share Permissions</guilabel>. It is now possible to add access control entities
to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
wish to assign for each entry.
</para></step>
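Review bot: the changed line "If you where already logged in with administrative privilege" still has the wrong word; it should be "If you were already logged in". The hunk corrected "privilidge" but left "where" in place.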
@ -745,10 +770,10 @@ Before using any of the following options please refer to the man page for &smb.
<warning>
<para>
Be careful. If you take away all permissions from the Everyone user without removing this user
Be careful. If you take away all permissions from the <constant>Everyone</constant> user without removing this user
then effectively no user will be able to access the share. This is a result of what is known as
ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone
will have no access even if this user is given explicit full control access.
ACL precedence. ie: Everyone with <emphasis>no access</emphasis> means that MaryK who is part of the group
<constant>Everyone</constant> will have no access even if this user is given explicit full control access.
</para>
</warning>
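Review bot: "ie:" on the changed line should be "i.e.," and the appositive needs commas: "means that MaryK, who is part of the group `<constant>Everyone</constant>`, will have no access". The warning is the one place in this chapter that explains deny-by-group precedence, so it is worth getting the sentence clean.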
@ -789,19 +814,19 @@ Before using any of the following options please refer to the man page for &smb.
<para>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <emphasis>Properties</emphasis> entry at the bottom of
on the <guilabel>Properties</guilabel> entry at the bottom of
the menu. This brings up the file properties dialog
box. Click on the tab <emphasis>Security</emphasis> and you
will see three buttons, <emphasis>Permissions</emphasis>,
<emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>.
The <emphasis>Auditing</emphasis> button will cause either
box. Click on the tab <guilabel>Security</guilabel> and you
will see three buttons, <guibutton>Permissions</guibutton>,
<guibutton>Auditing</guibutton>, and <guibutton>Ownership</guibutton>.
The <guibutton>Auditing</guibutton> button will cause either
an error message <errorname>A requested privilege is not held
by the client</errorname> to appear if the user is not the
NT Administrator, or a dialog which is intended to allow an
Administrator to add auditing requirements to a file if the
user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only
useful button, the <command>Add</command> button will not currently
useful button, the <guibutton>Add</guibutton> button will not currently
allow a list of users to be seen.</para>
</sect2>
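Review bot: "When the menu pops-up" on the context line should be "pops up" (the hyphenated form is the noun). The markup change itself is consistent with the rest of the patch.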
@ -809,7 +834,7 @@ Before using any of the following options please refer to the man page for &smb.
<sect2>
<title>Viewing file ownership</title>
<para>Clicking on the <command>"Ownership"</command> button
<para>Clicking on the <guibutton>Ownership</guibutton> button
brings up a dialog box telling you who owns the given file. The
owner name will be of the form :</para>
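Review bot: the context line "owner name will be of the form :" has a stray space before the colon; the same pattern recurs in later hunks ("These are :", "section :") and could be fixed together.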
@ -819,14 +844,14 @@ Before using any of the following options please refer to the man page for &smb.
the Samba server, <replaceable>user</replaceable> is the user name of
the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database). Click on the <command>Close
</command> button to remove this dialog.</para>
GECOS field of the UNIX password database). Click on the
<guibutton>Close </guibutton> button to remove this dialog.</para>
<para>If the parameter <parameter>nt acl support</parameter>
is set to <constant>false</constant> then the file owner will
be shown as the NT user <command>"Everyone"</command>.</para>
be shown as the NT user <constant>"Everyone"</constant>.</para>
<para>The <command>Take Ownership</command> button will not allow
<para>The <guibutton>Take Ownership</guibutton> button will not allow
you to change the ownership of this file to yourself (clicking on
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
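Review bot: `<guibutton>Close </guibutton>` carries a trailing space inside the element, which renders as a button label with padding; move the break outside the tag. Also `<constant>"Everyone"</constant>` keeps the quotation marks here while the earlier hunk writes `<constant>Everyone</constant>`; pick one form for the group name throughout.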
@ -840,8 +865,8 @@ Before using any of the following options please refer to the man page for &smb.
and allow a user with Administrator privilege connected
to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <emphasis>Seclib
</emphasis> NT security library written by Jeremy Allison of
or Samba drive. This is available as part of the <application>Seclib
</application> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</para>
</sect2>
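Review bot: the line break sits inside `<application>Seclib\n</application>`, so the rendered name becomes "Seclib " with trailing whitespace; close the element on the same line. The context sentence "on both a local NTFS filesystem or remote mounted NTFS or Samba drive" mixes "both" with "or"; "on either a local NTFS filesystem or a remote mounted NTFS or Samba drive" reads correctly.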
@ -849,12 +874,14 @@ Before using any of the following options please refer to the man page for &smb.
<sect2>
<title>Viewing File or Directory Permissions</title>
<para>The third button is the <command>"Permissions"</command>
<para>The third button is the <guibutton>Permissions</guibutton>
button. Clicking on this brings up a dialog box that shows both
the permissions and the UNIX owner of the file or directory.
The owner is displayed in the form :</para>
<para><command>"SERVER\user (Long name)"</command></para>
<para><command>"<replaceable>SERVER</replaceable>\
<replaceable>user</replaceable>
<replaceable>(Long name)</replaceable>"</command></para>
<para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of
the Samba server, <replaceable>user</replaceable> is the user name of
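Review bot: the new three-line form `<command>"<replaceable>SERVER</replaceable>\` / `<replaceable>user</replaceable>` puts a line break right after the backslash, so the displayed pattern becomes "SERVER\ user (Long name)" with whitespace where none belongs; keep `<replaceable>SERVER</replaceable>\<replaceable>user</replaceable>` on one line. Since this is dialog output rather than a command to type, `<computeroutput>` fits better than `<command>`.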
@ -864,7 +891,7 @@ Before using any of the following options please refer to the man page for &smb.
<para>If the parameter <parameter>nt acl support</parameter>
is set to <constant>false</constant> then the file owner will
be shown as the NT user <command>"Everyone"</command> and the
be shown as the NT user <constant>"Everyone"</constant> and the
permissions will be shown as NT "Full Control".</para>
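Review bot: `<constant>"Everyone"</constant>` again keeps the quotes that the earlier hunk removed, and the neighbouring NT "Full Control" on the context line is left as plain quoted text; mark both the same way (`<constant>Everyone</constant>`, `<constant>Full Control</constant>`).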
@ -875,23 +902,23 @@ Before using any of the following options please refer to the man page for &smb.
<sect3>
<title>File Permissions</title>
<para>The standard UNIX user/group/world triple and
<para>The standard UNIX user/group/world triplet and
the corresponding "read", "write", "execute" permissions
triples are mapped by Samba into a three element NT ACL
triplets are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <command>Everyone</command>, followed
the global NT group <constant>Everyone</constant>, followed
by the list of permissions allowed for UNIX world. The UNIX
owner and group permissions are displayed as an NT
<command>user</command> icon and an NT <command>local
group</command> icon respectively followed by the list
<guiicon>user</guiicon> icon and an NT <guiicon>local
group</guiicon> icon respectively followed by the list
of permissions allowed for the UNIX user and group.</para>
<para>As many UNIX permission sets don't map into common
NT names such as <command>"read"</command>, <command>
"change"</command> or <command>"full control"</command> then
usually the permissions will be prefixed by the words <command>
"Special Access"</command> in the NT display list.</para>
NT names such as <constant>read</constant>, <constant>
"change"</constant> or <constant>full control</constant> then
usually the permissions will be prefixed by the words <constant>
"Special Access"</constant> in the NT display list.</para>
<para>But what happens if the file has no permissions allowed
for a particular UNIX user group or world component ? In order
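Review bot: the quoting is inconsistent within the changed lines: `<constant>read</constant>` and `<constant>full control</constant>` are unquoted but `"change"` and `"Special Access"` keep their quotation marks, and `<constant>\n"change"</constant>` has a line break inside the element. Normalise to unquoted constants with the tags closed on the same line. "user group or world component ?" on the context line also has a space before the question mark.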
@ -910,14 +937,14 @@ Before using any of the following options please refer to the man page for &smb.
<para>Directories on an NT NTFS file system have two
different sets of permissions. The first set of permissions
is the ACL set on the directory itself, this is usually displayed
in the first set of parentheses in the normal <command>"RW"</command>
in the first set of parentheses in the normal <constant>"RW"</constant>
NT style. This first set of permissions is created by Samba in
exactly the same way as normal file permissions are, described
above, and is displayed in the same way.</para>
<para>The second set of directory permissions has no real meaning
in the UNIX permissions world and represents the <command>
"inherited"</command> permissions that any file created within
in the UNIX permissions world and represents the <constant>
inherited</constant> permissions that any file created within
this directory would inherit.</para>
<para>Samba synthesises these inherited permissions for NT by
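Review bot: `<constant>\ninherited</constant>` opens the element at the end of one line and puts the text on the next, which leaks leading whitespace into the rendered term; put `<constant>inherited</constant>` on one line. `<constant>"RW"</constant>` keeps its quotes while the other constants in this patch drop them.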
@ -931,32 +958,32 @@ Before using any of the following options please refer to the man page for &smb.
<para>Modifying file and directory permissions is as simple
as changing the displayed permissions in the dialog box, and
clicking the <command>OK</command> button. However, there are
clicking the <guibutton>OK</guibutton> button. However, there are
limitations that a user needs to be aware of, and also interactions
with the standard Samba permission masks and mapping of DOS
attributes that need to also be taken into account.</para>
<para>If the parameter <parameter>nt acl support</parameter>
is set to <constant>false</constant> then any attempt to set
security permissions will fail with an <command>"Access Denied"
</command> message.</para>
security permissions will fail with an <errorname>"Access Denied"
</errorname> message.</para>
<para>The first thing to note is that the <command>"Add"</command>
<para>The first thing to note is that the <guibutton>"Add"</guibutton>
button will not return a list of users in Samba (it will give
an error message of <command>"The remote procedure call failed
and did not execute"</command>). This means that you can only
an error message of <errorname>The remote procedure call failed
and did not execute</errorname>). This means that you can only
manipulate the current user/group/world permissions listed in
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</para>
<para>If a permission triple (either user, group, or world)
<para>If a permission triplet (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <command>"OK"</command> button is pressed it will
then when the <guibutton>OK</guibutton> button is pressed it will
be applied as "no permissions" on the UNIX side. If you then
view the permissions again the "no permissions" entry will appear
as the NT <command>"O"</command> flag, as described above. This
allows you to add permissions back to a file or directory once
you have removed them from a triple component.</para>
you have removed them from a triplet component.</para>
<para>As UNIX supports only the "r", "w" and "x" bits of
an NT ACL then if other NT security attributes such as "Delete
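Review bot: `<guibutton>"Add"</guibutton>` keeps its quotation marks while `<guibutton>OK</guibutton>` two paragraphs later drops them, and `<errorname>"Access Denied"\n</errorname>` is quoted and split across lines while `<errorname>The remote procedure call failed and did not execute</errorname>` is neither; make the two error names and the two buttons consistent. The context line `<command>"O"</command>` still uses `<command>` for a displayed permission flag and should become `<constant>O</constant>` to match the rest of the hunk.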
@ -966,15 +993,15 @@ Before using any of the following options please refer to the man page for &smb.
<para>When setting permissions on a directory the second
set of permissions (in the second set of parentheses) is
by default applied to all files within that directory. If this
is not what you want you must uncheck the <command>"Replace
permissions on existing files"</command> checkbox in the NT
dialog before clicking <command>"OK"</command>.</para>
is not what you want you must uncheck the <guilabel>Replace
permissions on existing files</guilabel> checkbox in the NT
dialog before clicking <guibutton>OK</guibutton>.</para>
<para>If you wish to remove all permissions from a
user/group/world component then you may either highlight the
component and click the <command>"Remove"</command> button,
or set the component to only have the special <command>"Take
Ownership"</command> permission (displayed as <command>"O"
component and click the <guibutton>Remove</guibutton> button,
or set the component to only have the special <constant>Take
Ownership</constant> permission (displayed as <command>"O"
</command>) highlighted.</para>
</sect2>
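Review bot: `<command>"O"\n</command>` on the last changed lines is left as a `<command>` with a line break inside it, while `Take Ownership` on the same sentence was converted to `<constant>`; change it to `<constant>O</constant>` so the flag is marked the same way everywhere it appears.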
@ -984,16 +1011,20 @@ Before using any of the following options please refer to the man page for &smb.
<para>There are four parameters
to control interaction with the standard Samba create mask parameters.
These are :</para>
These are :
<para><parameter>security mask</parameter></para>
<para><parameter>force security mode</parameter></para>
<para><parameter>directory security mask</parameter></para>
<para><parameter>force directory security mode</parameter></para>
<simplelist>
<member><parameter>security mask</parameter></member>
<member><parameter>force security mode</parameter></member>
<member><parameter>directory security mask</parameter></member>
<member><parameter>force directory security mode</parameter></member>
</simplelist>
<para>Once a user clicks <command>"OK"</command> to apply the
</para>
<para>Once a user clicks <guibutton>OK</guibutton> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triple set, and then will check the changed permissions for a
r/w/x triplet set, and then will check the changed permissions for a
file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK">
<parameter>security mask</parameter></ulink> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
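Review bot: "These are :" on the changed line keeps a stray space before the colon. The four parameter names in the new `<simplelist>` could each be wrapped in `<ulink url="smb.conf.5.html#...">` the way `<parameter>security mask</parameter>` is linked in the next paragraph, so the reader can reach the man page entry for all four.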
@ -1050,12 +1081,15 @@ Before using any of the following options please refer to the man page for &smb.
<para>If you want to set up a share that allows users full control
in modifying the permission bits on their files and directories and
doesn't force any particular bits to be set 'on', then set the following
parameters in the &smb.conf; file in that share specific section :</para>
parameters in the &smb.conf; file in that share specific section :
</para>
<para><parameter>security mask = 0777</parameter></para>
<para><parameter>force security mode = 0</parameter></para>
<para><parameter>directory security mask = 0777</parameter></para>
<para><parameter>force directory security mode = 0</parameter></para>
<simplelist>
<member><parameter>security mask = 0777</parameter></member>
<member><parameter>force security mode = 0</parameter></member>
<member><parameter>directory security mask = 0777</parameter></member>
<member><parameter>force directory security mode = 0</parameter></member>
</simplelist>
</sect2>
<sect2>
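Review bot: `<parameter>security mask = 0777</parameter>` places the value inside the parameter element, so the four members are marked up as if the whole assignment were a parameter name; use `<parameter>security mask</parameter> = 0777` per member, or a `<programlisting>` as this patch does for the `force create mode = 0775` smb.conf fragment later on. "section :" on the changed line also keeps the stray space before the colon.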
@ -1075,13 +1109,13 @@ Before using any of the following options please refer to the man page for &smb.
<para>What this can mean is that if the owner changes the permissions
to allow themselves read access using the security dialog, clicks
<command>"OK"</command> to get back to the standard attributes tab
dialog, and then clicks <command>"OK"</command> on that dialog, then
<guibutton>OK</guibutton> to get back to the standard attributes tab
dialog, and then clicks <guibutton>OK</guibutton> on that dialog, then
NT will set the file permissions back to read-only (as that is what
the attributes still say in the dialog). This means that after setting
permissions and clicking <command>"OK"</command> to get back to the
attributes dialog you should always hit <command>"Cancel"</command>
rather than <command>"OK"</command> to ensure that your changes
permissions and clicking <guibutton>OK</guibutton> to get back to the
attributes dialog you should always hit <guibutton>Cancel</guibutton>
rather than <guibutton>OK</guibutton> to ensure that your changes
are not overridden.</para>
</sect2>
</sect1>
@ -1099,10 +1133,12 @@ are examples taken from the mailing list in recent times.
<title>Users can not write to a public share</title>
<para>
<quote>
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
and theres a public share, on which everyone needs to have permission to create / modify files, but only
and there's a public share, on which everyone needs to have permission to create / modify files, but only
root can change the file, no one else can. We need to constantly go to server to
<command>chgrp -R users *</command> and <command>chown -R nobody *</command> to allow others users to change the file.
<userinput>chgrp -R users *</userinput> and <userinput>chown -R nobody *</userinput> to allow others users to change the file.
</quote>
</para>
<para>
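Review bot: the changed line "to allow others users to change the file" should read "other users"; the hunk corrected "theres" but left this one. The `<userinput>` change is appropriate since the quoted commands are what the poster typed.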
@ -1128,61 +1164,83 @@ are examples taken from the mailing list in recent times.
</programlisting>
</para>
<note><para>
The above will set the 'sticky bit' on all directories. Read your
Unix/Linux man page on what that does. It causes the OS to assign
to all files created in the directories the ownership of the
directory.
</para></note>
</step>
<step>
<para>
Note: The above will set the 'sticky bit' on all directories. Read your
Unix/Linux man page on what that does. It causes the OS to assign to all
files created in the directories the ownership of the directory.
Directory is: <replaceable>/foodbar</replaceable>
<screen>
<prompt>$ </prompt><userinput>chown jack.engr /foodbar</userinput>
</screen>
</para>
<para>
<programlisting>
Directory is: /foodbar
chown jack.engr /foodbar
<note><para>
<para>This is the same as doing:</para>
<screen>
<prompt>$ </prompt><userinput>chown jack /foodbar</userinput>
<prompt>$ </prompt><userinput>chgrp engr /foodbar</userinput>
</screen>
</para></note>
</step>
<step>
<para>Now do:
Note: This is the same as doing:
chown jack /foodbar
chgrp engr /foodbar
<screen>
<prompt>$ </prompt><userinput>chmod 6775 /foodbar</userinput>
<prompt>$ </prompt><userinput>ls -al /foodbar/..</userinput>
</screen>
Now do:
chmod 6775 /foodbar
ls -al /foodbar/..
</para>
You should see:
<para>You should see:
<screen>
drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
</screen>
</para>
</step>
<step>
Now do:
su - jill
cd /foodbar
touch Afile
ls -al
</programlisting>
<para>Now do:
<screen>
<prompt>$ </prompt><userinput>su - jill</userinput>
<prompt>$ </prompt><userinput>cd /foodbar</userinput>
<prompt>$ </prompt><userinput>touch Afile</userinput>
<prompt>$ </prompt><userinput>ls -al</userinput>
</screen>
</para>
<para>
You should see that the file 'Afile' created by Jill will have ownership
You should see that the file <filename>Afile</filename> created by Jill will have ownership
and permissions of Jack, as follows:
<programlisting>
<screen>
-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
</programlisting>
</screen>
</para>
</step>
<step>
<para>
Now in your smb.conf for the share add:
Now in your &smb.conf; for the share add:
<programlisting>
force create mode = 0775
force direcrtory mode = 6775
force directory mode = 6775
</programlisting>
</para>
<para>
Note: The above are only needed IF your users are NOT members of the group
<note><para>
The above are only needed <emphasis>if</emphasis> your users are <emphasis>not</emphasis> members of the group
you have used. ie: Within the OS do not have write permission on the directory.
</para>
</note>
<para>
An alternative is to set in the smb.conf entry for the share:
An alternative is to set in the &smb.conf; entry for the share:
<programlisting>
force user = jack
force group = engr
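Review bot: the block `<note><para>` / `<para>This is the same as doing:</para>` nests a `<para>` inside a `<para>`, which is not valid DocBook; drop the inner pair or close the outer `<para>` before the `<screen>`. The relocated note also still calls the effect of `chmod 6775` the "sticky bit": 6775 sets setuid and setgid (the sticky bit is 01000), the group inheritance visible in `drwsrwsr-x` and `-rw-r--r-- 1 jack engr ... Afile` comes from setgid, and setuid on a directory does not make Linux assign the directory owner to new files, so "ownership and permissions of Jack" is not what a Linux reader will observe. Finally, `chown jack.engr` uses the legacy dot separator; `chown jack:engr` is the portable form.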
@ -1193,6 +1251,16 @@ are examples taken from the mailing list in recent times.
</sect2>
<sect2>
<title>I have set force user and Samba still makes <emphasis>root</emphasis> the owner of all the files
I touch!</title>
<para>
When you have a user in 'admin users', Samba will always do file operations for
this user as <emphasis>root</emphasis>, even if <parameter>force user</parameter> has been set.
</para>
</sect2>
</sect1>
</chapter>
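Review bot: `'admin users'` on the context line should be `<parameter>admin users</parameter>` to match `<parameter>force user</parameter>` on the very next line; the sentence is stating that `admin users` overrides `force user` and runs file operations as root, so both parameter names deserve the same markup.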

View File

@ -4,14 +4,33 @@
<pubdate>April 3 2003</pubdate>
</chapterinfo>
<title>Advanced Network Manangement</title>
<title>Advanced Network Management</title>
<para>
This section attempts to document peripheral issues that are of great importance to network
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
Often the difference between a working network environment and a well appreciated one can
best be measured by the <emphasis>little things</emphasis> that makes everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, to remotely access the Samba server, to provide customised
logon scripts, as well as other house keeping activities that help to sustain more reliable
network operations.
</para>
<para>
This chapter presents information on each of these area. They are placed here, and not in
other chapters, for ease of reference.
</para>
</sect1>
<sect1>
<title>Remote Server Administration</title>
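Review bot: in the new Features and Benefits section, "information on each of these area" should be "areas", "house keeping" should be "housekeeping", and "a well appreciated one" wants a hyphen ("well-appreciated"). The title typo fix ("Manangement" to "Management") is correct.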
@ -20,20 +39,20 @@ environment, and to make their lives a little easier.
</para>
<para>
Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains',
Since I don't need to buy an <application>NT4 Server</application>, how do I get the 'User Manager for Domains',
the 'Server Manager'?
</para>
<para>
Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me
systems. The tools set includes:
Microsoft distributes a version of these tools called nexus for installation
on <application>Windows 9x / Me</application> systems. The tools set includes:
</para>
<itemizedlist>
<listitem><para>Server Manager</para></listitem>
<listitem><para>User Manager for Domains</para></listitem>
<listitem><para>Event Viewer</para></listitem>
</itemizedlist>
<simplelist>
<member>Server Manager</member>
<member>User Manager for Domains</member>
<member>Event Viewer</member>
</simplelist>
<para>
Click here to download the archived file <ulink
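Review bot: "The tools set includes" on the changed line should be "The tool set includes". `NT4 Server` and `Windows 9x / Me` receive `<application>` markup here, but 'User Manager for Domains' and 'Server Manager' stay in straight quotes on the adjacent lines; give the tool names the same `<application>` treatment so the hunk is consistent.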
@ -41,12 +60,158 @@ url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com
</para>
<para>
The Windows NT 4.0 version of the 'User Manager for
The <application>Windows NT 4.0</application> version of the 'User Manager for
Domains' and 'Server Manager' are available from Microsoft via ftp
from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
</para>
</sect1>
<sect1>
<title>Remote Desktop Management</title>
<para>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solutions is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
</para>
<sect2>
<title>Remote Management from NoMachines.Com</title>
<para>
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
It is presented in slightly edited form (with author details omitted for privacy reasons).
The entire answer is reproduced below with some comments removed.
</para>
<para>
<screen>
&gt; I have a wonderful linux/samba server running as PDC for a network.
&gt; Now I would like to add remote desktop capabilities so that
&gt; users outside could login to the system and get their desktop up from
&gt; home or another country..
&gt;
&gt; Is there a way to accomplish this? Do I need a windows terminal server?
&gt; Do I need to configure it so that it is a member of the domain or a
&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
&gt; even if the computer is in a domain?
&gt;
&gt; Any ideas/experience would be appreciated :)
</screen>
</para>
<para>
Answer provided: Check out the new offer from NoMachine, "NX" software:
<ulink url="http://www.nomachine.com/">http://www.nomachine.com/</ulink>.
</para>
<para>
It implements a very easy-to-use interface to the remote X protocol as
well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
performance much better than anything you may have ever seen...
</para>
<para>
Remote X is not new at all -- but what they did achieve successfully is
a new way of compression and caching technologies which makes the thing
fast enough to run even over slow modem/ISDN connections.
</para>
<para>
I could test drive their (public) RedHat machine in Italy, over a loaded
internet connection, with enabled thumbnail previews in KDE konqueror
which popped up immediately on "mouse-over". From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
To test the performance, I played Pinball. I am proud to announce here
that my score was 631750 points at first try...
</para>
<para>
NX performs better on my local LAN than any of the other "pure"
connection methods I am using from time to time: TightVNC, rdesktop or
remote X. It is even faster than a direct crosslink connection between
two nodes.
</para>
<para>
I even got sound playing from the remote X app to my local boxes, and
had a working "copy'n'paste" from an NX window (running a KDE session
in Italy) to my Mozilla mailing agent... These guys are certainly doing
something right!
</para>
<para>
I recommend to test drive NX to anybody with a only a remote interest
in remote computing
<ulink url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
</para>
<para>
Just download the free of charge client software (available for RedHat,
SuSE, Debian and Windows) and be up and running within 5 minutes (they
need to send you your account data, though, because you are assigned
a real Unix account on their testdrive.nomachine.com box...
</para>
<para>
They plan to get to the point were you can have NX application servers
running as a cluster of nodes, and users simply start an NX session locally,
and can select applications to run transparently (apps may even run on
another NX node, but pretend to be on the same as used for initial login,
because it displays in the same window.... well, you also can run it
fullscreen, and after a short time you forget that it is a remote session
at all).
</para>
<para>
Now the best thing at the end: all the core compression and caching
technologies are released under the GPL and available as source code
to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running....)
</para>
<para>
To answer your questions:
</para>
<itemizedlist>
<listitem><para>
You don't need to install a terminal server; XP has RDP support built in.
</para></listitem>
<listitem><para>
NX is much cheaper than Citrix -- and comparable in performance, probably faster
</para></listitem>
<listitem><para>
You don't need to hack XP -- it just works
</para></listitem>
<listitem><para>
You log into the XP box from remote transparently (and I think there is no
need to change anything to get a connection, even if authentication is against a domain)
</para></listitem>
<listitem><para>
The NX core technologies are all Open Source and released under the GPL --
you can today use a (very inconvenient) commandline to use it at no cost,
but you can buy a comfortable (proprietary) NX GUI frontend for money
</para></listitem>
<listitem><para>
NoMachine are encouraging and offering help to OSS/Free Software implementations
for such a frontend too, even if it means competition to them (they have written
to this effect even to the LTSP, KDE and GNOME developer mailing lists)
</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1>
<title>Network Logon Script Magic</title>
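Review bot: several grammar slips in the new Remote Desktop Management section: "the most costly solutions is the most cost effective" should be "solution", "posted to the Samba mailing list at Apr 3" should be "on Apr 3", "anybody with a only a remote interest" should be "anybody with only a remote interest", and "to the point were you can" should be "where". The reproduced answer is a mailing-list post, so only its spelling and grammar should change, not its claims.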
@ -62,14 +227,16 @@ There are several opportunities for creating a custom network startup configurat
<simplelist>
<member>No Logon Script</member>
<member>Simple universal Logon Script that applies to all users</member>
<member>Use of a conditional Logon Script that applies per user or per group attirbutes</member>
<member>Use of a conditional Logon Script that applies per user or per group attributes</member>
<member>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</member>
<member>User of a tool such as KixStart</member>
</simplelist>
<para>
The Samba source code tree includes two logon script generation/execution tools. See <filename>examples</filename> directory <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories.
The Samba source code tree includes two logon script generation/execution tools.
See <filename>examples</filename> directory <filename>genlogon</filename> and
<filename>ntlogon</filename> subdirectories.
</para>
<para>
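Review bot: the context line "User of a tool such as KixStart" should read "Use of a tool such as KiXtart" (the product referenced by the kixtart.org link later in this chapter). "Samba's Preexec and Postexec functions" on the adjacent line refers to the `preexec` and `postexec` share parameters and should use `<parameter>` markup like the rest of this patch.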
@ -77,7 +244,7 @@ The following listings are from the genlogon directory.
</para>
<para>
This is the genlogon.pl file:
This is the <filename>genlogon.pl</filename> file:
<programlisting>
#!/usr/bin/perl
@ -159,9 +326,9 @@ Those wishing to use more elaborate or capable logon processing system should ch
</para>
<simplelist>
<member>http://www.craigelachie.org/rhacer/ntlogon</member>
<member>http://www.kixtart.org</member>
<member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member>
<member><ulink url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></member>
<member><ulink url="http://www.kixtart.org">http://www.kixtart.org</ulink></member>
<member><ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</ulink></member>
</simplelist>
<sect2>
@ -174,10 +341,21 @@ Printers may be added automatically during logon script processing through the u
rundll32 printui.dll,PrintUIEntry /?
</programlisting>
See the documentation in the Microsoft knowledgebase article no: 189105 referred to above.
See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft knowledgebase article no: 189105</ulink>.
</para>
</sect2>
</sect1>
</chapter>
<sect1>
<title>Common Errors</title>
<para>
The information provided in this chapter has been reproduced from postings on the samba@samba.org
mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
their own evaluation of alternatives and are encouraged to draw their own conclusions.
</para>
</sect1>
</chapter>
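Review bot: the new "Common Errors" section contains no errors at all, only a no-endorsement statement about material reproduced from the samba@samba.org list; that paragraph belongs with the Remote Desktop Management section whose content it qualifies, and "Common Errors" should either list actual errors or be left out until it has some.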

View File

@ -2,11 +2,7 @@
<chapterinfo>
&author.jelmer;
<author>
<affiliation>
<orgname>Samba Team</orgname>
</affiliation>
</author>
<author><surname>Someone; Tridge or Karl Auer perhaps?</surname></author>
<pubdate> 27 June 1997 </pubdate>
</chapterinfo>
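Review bot: the context line `<author><surname>Someone; Tridge or Karl Auer perhaps?</surname></author>` ships an editorial placeholder as an author surname; resolve the attribution or remove the element before merging, since it renders into the chapter header.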
@ -15,7 +11,8 @@
<sect1>
<title>Introduction</title>
<para>Please report bugs using <ulink url="https://bugzilla.samba.org/">bugzilla</ulink>.</para>
<para>Please report bugs using
<ulink url="https://bugzilla.samba.org/">bugzilla</ulink>.</para>
<para>
Please take the time to read this file before you submit a bug
@ -83,7 +80,7 @@ detail, but may use too much disk space.
</para>
<para>
To set the debug level use <command>log level =</command> in your
To set the debug level use the <parameter>log level</parameter> in your
&smb.conf;. You may also find it useful to set the log
level higher for just one machine and keep separate logs for each machine.
To do this use:
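Review bot: the changed line "To set the debug level use the `<parameter>log level</parameter>` in your &smb.conf;" dropped the noun when `<command>log level =</command>` became a `<parameter>`; it should read "use the `<parameter>log level</parameter>` parameter in your &smb.conf;".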
@ -100,24 +97,25 @@ then create a file
<filename>/usr/local/samba/lib/smb.conf.<replaceable>machine</replaceable></filename> where
<replaceable>machine</replaceable> is the name of the client you wish to debug. In that file
put any &smb.conf; commands you want, for example
<command>log level=</command> may be useful. This also allows you to
<parameter>log level</parameter> may be useful. This also allows you to
experiment with different security systems, protocol levels etc on just
one machine.
</para>
<para>
The &smb.conf; entry <command>log level =</command>
is synonymous with the entry <command>debuglevel =</command> that has been
used in older versions of Samba and is being retained for backwards
The &smb.conf; entry <parameter>log level</parameter>
is synonymous with the parameter <parameter>debuglevel</parameter> that has
been used in older versions of Samba and is being retained for backwards
compatibility of &smb.conf; files.
</para>
<para>
As the <command>log level =</command> value is increased you will record
As the <parameter>log level</parameter> value is increased you will record
a significantly increasing level of debugging information. For most
debugging operations you may not need a setting higher than 3. Nearly
all bugs can be tracked at a setting of 10, but be prepared for a VERY
large volume of log data.
debugging operations you may not need a setting higher than
<constant>3</constant>. Nearly
all bugs can be tracked at a setting of <constant>10</constant>, but be
prepared for a VERY large volume of log data.
</para>
</sect1>
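Review bot: "put any &smb.conf; commands you want" still calls them commands even though this hunk renames every `<command>log level =</command>` to `<parameter>log level</parameter>`; say "parameters" for consistency, and "etc" in "protocol levels etc on just one machine" wants a period.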
@ -126,8 +124,8 @@ large volume of log data.
<title>Internal errors</title>
<para>
If you get a "INTERNAL ERROR" message in your log files it means that
Samba got an unexpected signal while running. It is probably a
If you get a <errorname>INTERNAL ERROR</errorname> message in your log files
it means that Samba got an unexpected signal while running. It is probably a
segmentation fault and almost certainly means a bug in Samba (unless
you have faulty hardware or system software).
</para>
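Review bot: "a <errorname>INTERNAL ERROR</errorname> message" needs "an" now that the quotation marks are gone; the phrase is read aloud as "an internal error".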
@ -151,21 +149,24 @@ files. This file is the most useful tool for tracking down the bug. To
use it you do this:
</para>
<para><command>gdb smbd core</command></para>
<screen>
<prompt>$ </prompt><userinput>gdb smbd core</userinput>
</screen>
<para>
adding appropriate paths to smbd and core so gdb can find them. If you
don't have gdb then try <userinput>dbx</userinput>. Then within the debugger use the
command <userinput>where</userinput> to give a stack trace of where the problem
occurred. Include this in your mail.
don't have gdb then try <userinput>dbx</userinput>. Then within the debugger
use the command <command>where</command> to give a stack trace of where the
problem occurred. Include this in your report.
</para>
<para>
If you know any assembly language then do a <userinput>disass</userinput> of the routine
If you know any assembly language then do a
<command>disass</command> of the routine
where the problem occurred (if its in a library routine then
disassemble the routine that called it) and try to work out exactly
where the problem is by looking at the surrounding code. Even if you
don't know assembly then incuding this info in the bug report can be
don't know assembly, including this info in the bug report can be
useful.
</para>
</sect1>
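Review bot: the context line "if its in a library routine" should read "it's"; since the surrounding paragraph is being reflowed in this hunk, fix it here rather than leaving the typo for another pass.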
@ -177,8 +178,10 @@ useful.
Unfortunately some unixes (in particular some recent linux kernels)
refuse to dump a core file if the task has changed uid (which smbd
does often). To debug with this sort of system you could try to attach
to the running process using <userinput>gdb smbd <replaceable>PID</replaceable></userinput> where you get <replaceable>PID</replaceable> from
<application>smbstatus</application>. Then use <userinput>c</userinput> to continue and try to cause the core dump
to the running process using
<userinput>gdb smbd <replaceable>PID</replaceable></userinput> where you get
<replaceable>PID</replaceable> from <application>smbstatus</application>.
Then use <command>c</command> to continue and try to cause the core dump
using the client. The debugger should catch the fault and tell you
where it occurred.
</para>
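Review bot: `gdb smbd <replaceable>PID</replaceable>` has to be given the PID of the child smbd that serves the test client, and smbstatus lists one PID per connection; say so explicitly, because attaching to the parent listener will not catch a fault that is triggered "using the client".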
@ -198,4 +201,3 @@ exactly what version you used.
</sect1>
</chapter>



@ -1,20 +1,17 @@
<chapter id="compiling">
<chapterinfo>
<author>
<affiliation>
<orgname>Samba Team</orgname>
</affiliation>
</author>
&author.jelmer;
<author><surname>Someone; Jerry perhaps?</surname></author>
<pubdate> (22 May 2001) </pubdate>
<pubdate> 22 May 2001 </pubdate>
<pubdate> 18 March 2003 </pubdate>
</chapterinfo>
<title>How to compile SAMBA</title>
<para>
You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version,
You can obtain the samba source from the
<ulink url="http://samba.org/">samba website</ulink>. To obtain a development version,
you can download samba from CVS or using rsync.
</para>
@ -45,8 +42,8 @@ This chapter is a modified version of the instructions found at
<para>
The machine samba.org runs a publicly accessible CVS
repository for access to the source code of several packages,
including samba, rsync and jitterbug. There are two main ways of
accessing the CVS server on this host.
including samba, rsync, distcc, ccache and jitterbug. There are two main ways
of accessing the CVS server on this host.
</para>
<sect3>
@ -80,11 +77,12 @@ just a casual browser.
<para>
To download the latest cvs source code, point your
browser at the URL : <ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>.
browser at the URL :
<ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>.
and click on the 'How to get cvs' link. CVS is free software under
the GNU GPL (as is Samba). Note that there are several graphical CVS clients
which provide a graphical interface to the sometimes mundane CVS commands.
Links to theses clients are also available from http://www.cyclic.com.
Links to theses clients are also available from the Cyclic website.
</para>
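Review bot: "Links to theses clients" survives the rewrite with its typo; it should be "these clients". The space before the colon in "URL :" and the stray "." after the ulink are also leftovers worth cleaning while these lines are being reflowed.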
<para>
@ -94,16 +92,17 @@ samba source code. For the other source code repositories
on this system just substitute the correct package name
</para>
<orderedlist>
<listitem>
<procedure>
<title>Retrieving samba using CVS</title>
<step>
<para>
Install a recent copy of cvs. All you really need is a
copy of the cvs client binary.
</para>
</listitem>
</step>
<listitem>
<step>
<para>
Run the command
</para>
@ -111,14 +110,16 @@ on this system just substitute the correct package name
<para>
<userinput>cvs -d :pserver:cvs@samba.org:/cvsroot login</userinput>
</para>
</step>
<step>
<para>
When it asks you for a password type <userinput>cvs</userinput>.
</para>
</listitem>
</step>
<listitem>
<step>
<para>
Run the command
</para>
@ -134,18 +135,19 @@ on this system just substitute the correct package name
</para>
<para>
CVS branches other then HEAD can be obtained by using the <parameter>-r</parameter>
and defining a tag name. A list of branch tag names can be found on the
"Development" page of the samba web site. A common request is to obtain the
latest 2.2 release code. This could be done by using the following userinput.
CVS branches other then HEAD can be obtained by using the
<option>-r</option> and defining a tag name. A list of branch tag names
can be found on the "Development" page of the samba web site. A common
request is to obtain the latest 3.0 release code. This could be done by
using the following command:
</para>
<para>
<userinput>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</userinput>
<userinput>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_3_0 samba</userinput>
</para>
</listitem>
</step>
<listitem>
<step>
<para>
Whenever you want to merge in the latest code changes use
the following command from within the samba directory:
@ -154,8 +156,8 @@ on this system just substitute the correct package name
<para>
<userinput>cvs update -d -P</userinput>
</para>
</listitem>
</orderedlist>
</step>
</procedure>
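Review bot: "CVS branches other then HEAD" is reflowed but keeps "then" for "than"; fix it in the new line. The literal quotes around "Development" are also out of step with the DocBook markup the hunk introduces (`<option>`, `<step>`); `<quote>` would match.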
</sect3>
</sect2>
@ -166,16 +168,16 @@ on this system just substitute the correct package name
<title>Accessing the samba sources via rsync and ftp</title>
<para>
pserver.samba.org also exports unpacked copies of most parts of the CVS tree at <ulink url="ftp://pserver.samba.org/pub/unpacked">ftp://pserver.samba.org/pub/unpacked</ulink> and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp.
pserver.samba.org also exports unpacked copies of most parts of the CVS
tree at <ulink url="ftp://pserver.samba.org/pub/unpacked">ftp://pserver.samba.org/pub/unpacked</ulink> and also via anonymous rsync at
<ulink url="rsync://pserver.samba.org/ftp/unpacked/">rsync://pserver.samba.org/ftp/unpacked/</ulink>. I recommend using rsync rather than ftp.
See <ulink url="http://rsync.samba.org/">the rsync homepage</ulink> for more info on rsync.
</para>
<para>
The disadvantage of the unpacked trees
is that they do not support automatic
merging of local changes like CVS does.
rsync access is most convenient for an
initial install.
The disadvantage of the unpacked trees is that they do not support automatic
merging of local changes like CVS does. rsync access is most convenient
for an initial install.
</para>
</sect1>
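Review bot: "I recommend using rsync rather than ftp" is first person in a chapter whose chapterinfo now lists &author.jelmer; alongside the original author, so the reader cannot tell who "I" is; say "We recommend" or give the reason for preferring rsync instead of an unattributed opinion.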
@ -183,11 +185,10 @@ on this system just substitute the correct package name
<title>Verifying Samba's PGP signature</title>
<para>
In these days of insecurity, it's strongly recommended that you verify the PGP signature for any
source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of
all Samba downloads have had a corresponding PGP signature download (a very low percentage, which
should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP
signatures should be a standard reflex.
In these days of insecurity, it's strongly recommended that you verify the PGP
signature for any source file before installing it. Even if you're not
downloading from a mirror site, verifying PGP signatures should be a
standard reflex.
</para>
@ -195,38 +196,39 @@ signatures should be a standard reflex.
With that said, go ahead and download the following files:
</para>
<para><programlisting>
$ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc
$ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc
</programlisting></para>
<para><screen>
<prompt>$ </prompt><userinput> wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc</userinput>
<prompt>$ </prompt><userinput> wget http://us1.samba.org/samba/ftp/samba-pubkey.asc</userinput>
</screen></para>
<para>
The first file is the PGP signature for the Samba source file; the other is the Samba public
PGP key itself. Import the public PGP key with:
</para>
<programlisting>
$ gpg --import samba-pubkey.asc
</programlisting>
<screen>
<prompt>$ </prompt><userinput>gpg --import samba-pubkey.asc</userinput>
</screen>
<para>
And verify the Samba source code integrity with:
</para>
<programlisting>
$ gzip -d samba-2.2.8a.tar.gz
$ gpg --verify samba-2.2.8a.tar.asc
</programlisting>
<screen>
<prompt>$ </prompt><userinput>gzip -d samba-2.2.8a.tar.gz</userinput>
<prompt>$ </prompt><userinput>gpg --verify samba-2.2.8a.tar.asc</userinput>
</screen>
<para>
If you receive a message like, "Good signature from Samba Distribution Verification Key..."
then all is well. The warnings about trust relationships can be ignored. An example of what
you would not want to see would be:
If you receive a message like, "Good signature from Samba Distribution
Verification Key..."
then all is well. The warnings about trust relationships can be ignored. An
example of what you would not want to see would be:
</para>
<programlisting>
<computeroutput>
gpg: BAD signature from "Samba Distribution Verification Key"
</programlisting>
</computeroutput>
</sect1>
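Review bot: the example fetches samba-pubkey.asc from the same host (us1.samba.org) as the tarball and its signature, so a reader who imports that key and sees "Good signature" has gained nothing against a compromised mirror or download path; tell them to compare the key's fingerprint with one obtained out of band before trusting the verification. Separately, `<computeroutput>` is an inline element and here it sits directly inside the sect1 where `<programlisting>` used to be; wrap it in `<screen>` so the DocBook stays valid. The example also still verifies samba-2.2.8a while the chapter now points readers at the SAMBA_3_0 branch.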
@ -238,28 +240,28 @@ you would not want to see would be:
configure Samba for your operating system. If you have unusual
needs then you may wish to run</para>
<para><prompt>root# </prompt><userinput>./configure --help
<para>&rootprompt;<userinput>./configure --help
</userinput></para>
<para>first to see what special options you can enable.
Then executing</para>
<para><prompt>root# </prompt><userinput>make</userinput></para>
<para>&rootprompt;<userinput>make</userinput></para>
<para>will create the binaries. Once it's successfully
compiled you can use </para>
<para><prompt>root# </prompt><userinput>make install</userinput></para>
<para>&rootprompt;<userinput>make install</userinput></para>
<para>to install the binaries and manual pages. You can
separately install the binaries and/or man pages using</para>
<para><prompt>root# </prompt><userinput>make installbin
<para>&rootprompt;<userinput>make installbin
</userinput></para>
<para>and</para>
<para><prompt>root# </prompt><userinput>make installman
<para>&rootprompt;<userinput>make installman
</userinput></para>
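Review bot: switching every prompt to &rootprompt; presents `./configure` and `make` as root commands, but only `make install` and the other install targets need root; building as root runs the configure tests and the generated Makefiles with full privileges for no benefit. Use an unprivileged prompt for `./configure --help`, `./configure` and `make`, and keep &rootprompt; for `make install`, `make installbin` and `make installman`.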
<para>Note that if you are upgrading for a previous version
@ -267,7 +269,7 @@ you would not want to see would be:
the binaries will be renamed with a ".old" extension. You
can go back to the previous version with</para>
<para><prompt>root# </prompt><userinput>make revert
<para>&rootprompt;<userinput>make revert
</userinput></para>
<para>if you find this version a disaster!</para>
@ -281,16 +283,19 @@ you would not want to see would be:
<listitem><para>the MIT kerberos development libraries
(either install from the sources or use a package). The
heimdal libraries will not work.</para></listitem>
Heimdal libraries will not work.</para></listitem>
<listitem><para>the OpenLDAP development libraries.</para></listitem>
</itemizedlist>
<para>If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR.</para>
remember to add the configure option
<option>--with-krb5=<replaceable>DIR</replaceable></option>.</para>
<para>After you run configure make sure that <filename>include/config.h</filename> it generates contains lines like this:</para>
<para>After you run configure make sure that
<filename>include/config.h</filename> it generates contains lines like
this:</para>
<para><programlisting>
#define HAVE_KRB5 1
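Review bot: "make sure that <filename>include/config.h</filename> it generates contains" is ungrammatical in both old and new text; read "make sure that the <filename>include/config.h</filename> it generates contains".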
@ -298,18 +303,18 @@ you would not want to see would be:
</programlisting></para>
<para>If it doesn't then configure did not find your krb5 libraries or
your ldap libraries. Look in config.log to figure out why and fix
it.</para>
your ldap libraries. Look in <filename>config.log</filename> to figure
out why and fix it.</para>
<sect3>
<title>Installing the required packages for Debian</title>
<para>On Debian you need to install the following packages:</para>
<para>
<itemizedlist>
<listitem>libkrb5-dev</listitem>
<listitem>krb5-user</listitem>
</itemizedlist>
<simplelist>
<member>libkrb5-dev</member>
<member>krb5-user</member>
</simplelist>
</para>
</sect3>
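Review bot: the Debian list (libkrb5-dev, krb5-user) omits the OpenLDAP development package that the itemizedlist above states is required, and the Red Hat list in the next hunk has the same gap; add the LDAP development package to both, otherwise readers will land in the "configure did not find your ... ldap libraries" case this section describes.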
@ -318,11 +323,11 @@ you would not want to see would be:
<para>On RedHat this means you should have at least: </para>
<para>
<itemizedlist>
<listitem>krb5-workstation (for kinit)</listitem>
<listitem>krb5-libs (for linking with)</listitem>
<listitem>krb5-devel (because you are compiling from source)</listitem>
</itemizedlist>
<simplelist>
<member>krb5-workstation (for kinit)</member>
<member>krb5-libs (for linking with)</member>
<member>krb5-devel (because you are compiling from source)</member>
</simplelist>
</para>
<para>in addition to the standard development environment.</para>
@ -337,10 +342,10 @@ you would not want to see would be:
</sect1>
<sect1>
<title>Starting the smbd and nmbd</title>
<title>Starting the &smbd; and &nmbd;</title>
<para>You must choose to start smbd and nmbd either
as daemons or from <application>inetd</application>Don't try
<para>You must choose to start &smbd; and &nmbd; either
as daemons or from <application>inetd</application>. Don't try
to do both! Either you can put them in <filename>
inetd.conf</filename> and have them started on demand
by <application>inetd</application>, or you can start them as
@ -350,26 +355,28 @@ you would not want to see would be:
the bit about what user you need to be in order to start
Samba. In many cases you must be root.</para>
<para>The main advantage of starting <application>smbd</application>
and <application>nmbd</application> using the recommended daemon method
<para>The main advantage of starting &smbd;
and &nmbd; using the recommended daemon method
is that they will respond slightly more quickly to an initial connection
request.</para>
<sect2>
<title>Starting from inetd.conf</title>
<para>NOTE; The following will be different if
<note>
<para>The following will be different if
you use NIS, NIS+ or LDAP to distribute services maps.</para>
</note>
<para>Look at your <filename>/etc/services</filename>.
What is defined at port 139/tcp. If nothing is defined
then add a line like this:</para>
<para><userinput>netbios-ssn 139/tcp</userinput></para>
<para><programlisting>netbios-ssn 139/tcp</programlisting></para>
<para>similarly for 137/udp you should have an entry like:</para>
<para><userinput>netbios-ns 137/udp</userinput></para>
<para><programlisting>netbios-ns 137/udp</programlisting></para>
<para>Next edit your <filename>/etc/inetd.conf</filename>
and add two lines something like this:</para>
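Review bot: "What is defined at port 139/tcp." is a question and should end with "?", or be recast as "Check what is defined at port 139/tcp." since this hunk is reworking these lines anyway.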
@ -386,11 +393,13 @@ you would not want to see would be:
<note><para>Some unixes already have entries like netbios_ns
(note the underscore) in <filename>/etc/services</filename>.
You must either edit <filename>/etc/services</filename> or
<filename>/etc/inetd.conf</filename> to make them consistent.</para></note>
<filename>/etc/inetd.conf</filename> to make them consistent.
</para></note>
<note><para>On many systems you may need to use the
<command>interfaces</command> option in &smb.conf; to specify the IP address
and netmask of your interfaces. Run <application>ifconfig</application>
<parameter>interfaces</parameter> option in &smb.conf; to specify the IP
address and netmask of your interfaces. Run
<application>ifconfig</application>
as root if you don't know what the broadcast is for your
net. &nmbd; tries to determine it at run
time, but fails on some unixes.
@ -402,9 +411,9 @@ you would not want to see would be:
arguments, or you should use a script, and start the script
from <command>inetd</command>.</para></warning>
<para>Restart <command>inetd</command>, perhaps just send
it a HUP. If you have installed an earlier version of <application>
nmbd</application> then you may need to kill nmbd as well.</para>
<para>Restart <application>inetd</application>, perhaps just send
it a HUP. If you have installed an earlier version of &nmbd; then
you may need to kill &nmbd; as well.</para>
</sect2>
<sect2>
@ -428,11 +437,29 @@ you would not want to see would be:
</para>
<para>To kill it send a kill signal to the processes
<command>nmbd</command> and <command>smbd</command>.</para>
&nmbd; and &smbd;.</para>
<note><para>If you use the SVR4 style init system then
you may like to look at the <filename>examples/svr4-startup</filename>
script to make Samba fit into that system.</para></note>
</sect2>
</sect1>
<sect1>
<title>Common Errors</title>
<para><quote>
I'm using gcc 3 and I've compiled Samba-3 from the CVS and the
binaries are very large files (40 Mb and 20 Mb). I've the same result with
<option>--enable-shared</option> ?
</quote>
</para>
<para>
The dwarf format used by GCC 3 for storing debugging symbols is very inefficient.
Strip the binaries, don't compile with -g or compile with -gstabs.
</para>
</sect1>
</chapter>
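Review bot: the answer "Strip the binaries, don't compile with -g" conflicts with the Bugs chapter earlier in this commit, which asks reporters to produce a gdb backtrace from a core file; a stripped binary yields a backtrace with no symbols. Say that stripping is fine for production installs but not for binaries you intend to debug, and that `-gstabs` (or keeping an unstripped copy) is the option for those.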


@ -4,40 +4,48 @@
&author.jht;
&author.jeremy;
&author.jerry;
<!-- Authors of the ADS-HOWTO -->
&author.tridge;
&author.jelmer;
</chapterinfo>
<title>Domain Membership</title>
<para>
Domain Membership is a subject of vital concern, Samba must be able to participate
as a member server in a Microsoft Domain security context, and Samba must be capable of
providing Domain machine member trust accounts, otherwise it would not be capable of offering
a viable option for many users.
Domain Membership is a subject of vital concern, Samba must be able to
participate as a member server in a Microsoft Domain security context, and
Samba must be capable of providing Domain machine member trust accounts,
otherwise it would not be capable of offering a viable option for many users.
</para>
<para>
This chapter covers background information pertaining to domain membership, Samba
configuration for it, and MS Windows client procedures for joining a domain. Why is
this necessary? Because both are areas in which there exists within the current MS
Windows networking world and particularly in the Unix/Linux networking and administration
world, a considerable level of mis-information, incorrect understanding, and a lack of
knowledge. Hopefully this chapter will fill the voids.
This chapter covers background information pertaining to domain membership,
Samba configuration for it, and MS Windows client procedures for joining a
domain. Why is this necessary? Because both are areas in which there exists
within the current MS Windows networking world and particularly in the
Unix/Linux networking and administration world, a considerable level of
mis-information, incorrect understanding, and a lack of knowledge. Hopefully
this chapter will fill the voids.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
MS Windows workstations and servers that want to participate in domain security need to
MS Windows workstations and servers that want to participate in domain
security need to
be made Domain members. Participating in Domain security is often called
<emphasis>Single Sign On</emphasis> or SSO for short. This chapter describes the process
that must be followed to make a workstation (or another server - be it an MS Windows NT4 / 200x
<emphasis>Single Sign On</emphasis> or <acronym>SSO</acronym> for short. This
chapter describes the process that must be followed to make a workstation
(or another server - be it an <application>MS Windows NT4 / 200x</application>
server) or a Samba server a member of an MS Windows Domain security context.
</para>
<para>
Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Windows
Active Directory Domain as a native member server, or a Samba Domain Control network.
Samba-3 can join an MS Windows NT4 style domain as a native member server, an
MS Windows Active Directory Domain as a native member server, or a Samba Domain
Control network.
</para>
<para>
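Review bot: "Domain Membership is a subject of vital concern, Samba must be able to participate..." is a comma splice carried over from the old text; since the paragraph is being reflowed, split it ("...vital concern. Samba must be able to...") so that the closing "otherwise it would not be capable of offering a viable option" attaches to the right sentence.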
@ -50,31 +58,34 @@ Domain membership has many advantages:
</para></listitem>
<listitem><para>
Domain user access rights and file ownership / access controls can be set from
the single Domain SAM (Security Accounts Management) database (works with Domain member
servers as well as with MS Windows workstations that are domain members)
Domain user access rights and file ownership / access controls can be set
from the single Domain SAM (Security Account Manager) database
(works with Domain member servers as well as with MS Windows workstations
that are domain members)
</para></listitem>
<listitem><para>
Only MS Windows NT4 / 200x / XP Professional workstations that are Domain members
Only <application>MS Windows NT4 / 200x / XP Professional</application>
workstations that are Domain members
can use network logon facilities
</para></listitem>
<listitem><para>
Domain Member workstations can be better controlled through the use of Policy files
(NTConfig.POL) and Desktop Profiles.
Domain Member workstations can be better controlled through the use of
Policy files (<filename>NTConfig.POL</filename>) and Desktop Profiles.
</para></listitem>
<listitem><para>
Through the use of logon scripts users can be given transparent access to network
Through the use of logon scripts, users can be given transparent access to network
applications that run off application servers
</para></listitem>
<listitem><para>
Network administrators gain better application and user access management abilities
because there is no need to maintain user accounts on any network client or server,
other than the central Domain database (either NT4/Samba SAM style Domain, NT4 Domain
that is back ended with an LDAP directory, or via an Active Directory infrastructure)
Network administrators gain better application and user access management
abilities because there is no need to maintain user accounts on any network
client or server, other than the central Domain database
(either NT4/Samba SAM style Domain, NT4 Domain that is back ended with an
LDAP directory, or via an Active Directory infrastructure)
</para></listitem>
</itemizedlist>
@ -84,7 +95,8 @@ Domain membership has many advantages:
<title>MS Windows Workstation/Server Machine Trust Accounts</title>
<para>
A machine trust account is an account that is used to authenticate a client machine
A machine trust account is an account that is used to authenticate a client
machine
(rather than a user) to the Domain Controller server. In Windows terminology,
this is known as a "Computer Account."
</para>
@ -113,10 +125,10 @@ as follows:
<itemizedlist>
<listitem><para>
A Domain Security Account (stored in the <emphasis>passdb backend</emphasis>
that has been configured in the &smb.conf; file. The precise nature of the
account information that is stored depends on the type of backend database
that has been chosen.
A Domain Security Account (stored in the
<parameter>passdb backend</parameter> that has been configured in the
&smb.conf; file. The precise nature of the account information that is
stored depends on the type of backend database that has been chosen.
</para>
<para>
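Review bot: the parenthesis opened in "(stored in the <parameter>passdb backend</parameter> that has been configured in the &smb.conf; file" is never closed in either version; close it after "file".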
@ -127,15 +139,17 @@ as follows:
</para>
<para>
The two newer database types are called <emphasis>ldapsam, tdbsam</emphasis>.
Both store considerably more data than the older <filename>smbpasswd</filename>
file did. The extra information enables new user account controls to be used.
The two newer database types are called <emphasis>ldapsam</emphasis>,
<emphasis>tdbsam</emphasis>. Both store considerably more data than the
older <filename>smbpasswd</filename> file did. The extra information
enables new user account controls to be used.
</para></listitem>
<listitem><para>
A corresponding Unix account, typically stored in <filename>/etc/passwd</filename>.
Work is in progress to allow a simplified mode of operation that does not require
Unix user accounts, but this may not be a feature of the early releases of Samba-3.
A corresponding Unix account, typically stored in
<filename>/etc/passwd</filename>. Work is in progress to allow a
simplified mode of operation that does not require Unix user accounts, but
this may not be a feature of the early releases of Samba-3.
</para></listitem>
</itemizedlist>
</para>
@ -146,20 +160,22 @@ There are three ways to create machine trust accounts:
<itemizedlist>
<listitem><para>
Manual creation from the Unix/Linux command line. Here, both the Samba and corresponding
Unix account are created by hand.
Manual creation from the Unix/Linux command line. Here, both the Samba and
corresponding Unix account are created by hand.
</para></listitem>
<listitem><para>
Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using
the Nexus toolkit available from the Microsoft web site. This tool can be run from any
MS Windows machine so long as the user is logged on as the administrator account.
Using the MS Windows NT4 Server Manager (either from an NT4 Domain member
server, or using the Nexus toolkit available from the Microsoft web site.
This tool can be run from any MS Windows machine so long as the user is
logged on as the administrator account.
</para></listitem>
<listitem><para>
"On-the-fly" creation. The Samba machine trust account is automatically created by
Samba at the time the client is joined to the domain. (For security, this is the
recommended method.) The corresponding Unix account may be created automatically or manually.
"On-the-fly" creation. The Samba machine trust account is automatically
created by Samba at the time the client is joined to the domain.
(For security, this is the recommended method.) The corresponding Unix
account may be created automatically or manually.
</para></listitem>
</itemizedlist>
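Review bot: "(either from an NT4 Domain member server, or using the Nexus toolkit available from the Microsoft web site." opens a parenthesis that never closes; close it after "web site". And since the hunk labels on-the-fly creation as recommended "For security", one clause saying why (the account is created and its password set during the join itself, so there is no window between creation and the client's join, which the warning later in this section describes) would make the recommendation actionable.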
@ -167,26 +183,26 @@ There are three ways to create machine trust accounts:
<title>Manual Creation of Machine Trust Accounts</title>
<para>
The first step in manually creating a machine trust account is to manually create the
corresponding Unix account in <filename>/etc/passwd</filename>. This can be done using
<command>vipw</command> or other 'add user' command that is normally used to create new
Unix accounts. The following is an example for a Linux based Samba server:
The first step in manually creating a machine trust account is to manually
create the corresponding Unix account in <filename>/etc/passwd</filename>.
This can be done using <command>vipw</command> or another 'add user' command
that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server:
</para>
<para>
<prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command>
&rootprompt;<userinput>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </userinput>
</para>
<para>
<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command>
&rootprompt;<userinput>passwd -l <replaceable>machine_name</replaceable>$</userinput>
</para>
<para>
On *BSD systems, this can be done using the 'chpass' utility:
On *BSD systems, this can be done using the <command>chpass</command> utility:
</para>
<para>
<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command>
&rootprompt;<userinput>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</userinput>
</para>
<para>
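Review bot: `useradd -g 100` and `chpass ... :101:100:` hardcode a GID (and a UID) without saying what group 100 is or that it must already exist; state that assumption and suggest a dedicated group for machine trust accounts rather than the default users group. The `-s /bin/false` / `/sbin/nologin` shell and the `passwd -l` lock are the right defaults and deserve a sentence saying that the Unix side of a trust account must never be usable for login.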
@ -196,9 +212,9 @@ home directory. For example a machine named 'doppy' would have an
<filename>/etc/passwd</filename> entry like this:
</para>
<para>
<programlisting>
doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
</para>
</programlisting>
<para>
Above, <replaceable>machine_nickname</replaceable> can be any
@ -218,9 +234,9 @@ as shown here:
</para>
<para>
<programlisting>
<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
</programlisting>
<screen>
&rootprompt;<userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
</screen>
</para>
<para>
@ -235,11 +251,11 @@ the corresponding Unix account.
<para>
Manually creating a machine trust account using this method is the
equivalent of creating a machine trust account on a Windows NT PDC using
the "Server Manager". From the time at which the account is created
to the time which the client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
the <application>Server Manager</application>. From the time at which the
account is created to the time which the client joins the domain and
changes the password, your domain is vulnerable to an intruder joining
your domain using a machine with the same NetBIOS name. A PDC inherently
trusts members of the domain and will serve out a large degree of user
information to such clients. You have been warned!
</para>
</warning>
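Review bot: the warning describes the window between manual account creation and the client's join but offers no mitigation; add that the administrator should join the client immediately after creating the account, or use the on-the-fly creation method recommended earlier in this section, which has no such window.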
@ -249,16 +265,19 @@ the corresponding Unix account.
<title>Using NT4 Server Manager to Add Machine Accounts to the Domain</title>
<para>
If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation
then the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory
this will unpack SrvMge.exe and UsrMgr.exe (both are Domain Management tools for MS Windows NT4
workstation.
If the machine from which you are trying to manage the domain is an
<application>MS Windows NT4 workstation</application>
then the tool of choice is the package called <command>SRVTOOLS.EXE</command>.
When executed in the target directory this will unpack
<command>SrvMge.exe</command> and <command>UsrMgr.exe</command> (both are
Domain Management tools for MS Windows NT4 workstation.
</para>
<para>
If your workstation is any other MS Windows product you should download the Nexus.exe package
from the Microsoft web site. When executed from the target directory this will unpack the same
tools but for use on MS Windows 9x/Me/200x/XP.
If your workstation is any other MS Windows product you should download the
<command>Nexus.exe</command> package from the Microsoft web site. When executed
from the target directory this will unpack the same tools but for use on
<application>MS Windows 9x/Me/200x/XP</application>.
</para>
<para>
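Review bot: the rewrap carries over the misspelling "SrvMge.exe"; the executable is SrvMgr.exe, which matches the <command>srvmgr.exe</command> referenced in the paragraph that follows. The same sentence also opens a parenthesis, "(both are Domain Management tools for MS Windows NT4 workstation.", that is never closed.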
@ -268,29 +287,32 @@ Launch the <command>srvmgr.exe</command> (Server Manager for Domains) and follow
<procedure>
<title>Server Manager Account Machine Account Management</title>
<step><para>
From the menu select Computer
From the menu select <guimenu>Computer</guimenu>
</para></step>
<step><para>
Click on "Select Domain"
Click on <guimenuitem>Select Domain</guimenuitem>
</para></step>
<step><para>
Click on the name of the domain you wish to administer in the "Select Domain" panel
and then Click OK.
Click on the name of the domain you wish to administer in the
<guilabel>Select Domain</guilabel> panel and then click
<guibutton>OK</guibutton>.
</para></step>
<step><para>
Again from the menu select Computer
Again from the menu select <guimenu>Computer</guimenu>
</para></step>
<step><para>
Select "Add to Domain"
Select <guimenuitem>Add to Domain</guimenuitem>
</para></step>
<step><para>
In the dialog box, click on the radio button to "Add NT Workstation of Server", then
enter the machine name in the field provided, then Click the "Add" button.
In the dialog box, click on the radio button to
<guilabel>Add NT Workstation of Server</guilabel>, then
enter the machine name in the field provided, then click the
<guibutton>Add</guibutton> button.
</para></step>
</procedure>
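Review bot: the radio-button label "Add NT Workstation of Server" should read "Add NT Workstation or Server"; the of/or slip survives from the old line into the new <guilabel> element, so this hunk is the place to fix it.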
@ -334,8 +356,8 @@ The procedure for making an MS Windows workstation of server a member of the dom
with the version of Windows:
</para>
<itemizedlist>
<listitem><para><emphasis>Windows 200x XP Professional</emphasis></para>
<sect3>
<title>Windows 200x XP Professional</title>
<para>
When the user elects to make the client a domain member, Windows 200x prompts for
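Review bot: the unchanged context line "making an MS Windows workstation of server a member of the domain" has the same of/or slip ("workstation or server") and could be fixed while this list is being restructured. The change from <itemizedlist> to <sect3> is only well-formed because the matching </itemizedlist> is also dropped in the later hunk of this file; worth double-checking that both halves land together if the hunks are split.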
@ -353,9 +375,9 @@ with the version of Windows:
<para>
The name of the account that is used to create domain member machine accounts can be
anything the network administrator may choose. If it is other than <command>root</command>
anything the network administrator may choose. If it is other than <emphasis>root</emphasis>
then this is easily mapped to root using the file pointed to be the &smb.conf; parameter
<emphasis>username map =</emphasis> <command>/etc/samba/smbusers</command>.
<parameter>username map = /etc/samba/smbusers</parameter>.
</para>
<para>
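Review bot: "the file pointed to be the &smb.conf; parameter" should be "pointed to by"; the typo sits in the context line and is not touched here, but it is in the sentence this hunk rewrites, so take it along.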
@ -363,73 +385,84 @@ with the version of Windows:
encryption key for setting the password of the machine trust
account. The machine trust account will be created on-the-fly, or
updated if it already exists.
</para></listitem>
</para>
</sect3>
<listitem><para><emphasis>Windows NT4</emphasis></para>
<sect3>
<title>Windows NT4</title>
<para>
If the machine trust account was created manually, on the
Identification Changes menu enter the domain name, but do not
check the box "Create a Computer Account in the Domain." In this case,
the existing machine trust account is used to join the machine to
the domain.
check the box <guilabel>Create a Computer Account in the Domain</guilabel>.
In this case, the existing machine trust account is used to join the machine
to the domain.
</para>
<para>
If the machine trust account is to be created
on-the-fly, on the Identification Changes menu enter the domain
name, and check the box "Create a Computer Account in the Domain." In
this case, joining the domain proceeds as above for Windows 2000
(i.e., you must supply a Samba administrative account when
name, and check the box <guilabel>Create a Computer Account in the
Domain</guilabel>. In this case, joining the domain proceeds as above
for Windows 2000 (i.e., you must supply a Samba administrative account when
prompted).
</para></listitem>
</para>
</sect3>
<listitem><para><emphasis>Samba</emphasis></para>
<para>Joining a samba client to a domain is documented in
the <link linkend="domain-member">Domain Member</link> chapter.
</para></listitem>
</itemizedlist>
<sect3>
<title>Samba</title>
<para>Joining a Samba client to a domain is documented in
the <link linkend="domain-member-server">Domain Member Server</link> section of this chapter chapter.
</para>
</sect3>
</sect2>
</sect1>
<sect1>
<sect1 id="domain-member-server">
<title>Domain Member Server</title>
<para>
This mode of server operation involves the samba machine being made a member
of a domain security context. This means by definition that all user authentication
will be done from a centrally defined authentication regime. The authentication
regime may come from an NT3/4 style (old domain technology) server, or it may be
provided from an Active Directory server (ADS) running on MS Windows 2000 or later.
This mode of server operation involves the Samba machine being made a member
of a domain security context. This means by definition that all user
authentication will be done from a centrally defined authentication regime.
The authentication regime may come from an NT3/4 style (old domain technology)
server, or it may be provided from an Active Directory server (ADS) running on
MS Windows 2000 or later.
</para>
<para>
<emphasis>
Of course it should be clear that the authentication back end itself could be from any
distributed directory architecture server that is supported by Samba. This can be
LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc.
Of course it should be clear that the authentication back end itself could be
from any distributed directory architecture server that is supported by Samba.
This can be LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory
Server, etc.
</emphasis>
</para>
<para>
Please refer to the section on Howto configure Samba as a Primary Domain Controller
and for more information regarding how to create a domain machine account for a
domain member server as well as for information regarding how to enable the samba
domain member machine to join the domain and to be fully trusted by it.
Please refer to the <link linkend="samba-pdc">Domain Control chapter</link>
for more information regarding how to create a domain
machine account for a domain member server as well as for information
regarding how to enable the Samba domain member machine to join the domain and
to be fully trusted by it.
</para>
<sect2>
<title>Joining an NT4 type Domain with Samba-3</title>
<para>
<emphasis>Assumptions:</emphasis>
<programlisting>
NetBIOS name: SERV1
Win2K/NT domain name: DOM
Domain's PDC NetBIOS name: DOMPDC
Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2
</programlisting>
<table frame="all"><title>Assumptions</title>
<tgroup align="left" cols="2">
<tbody>
<row><entry>NetBIOS name:</entry><entry>SERV1</entry></row>
<row><entry>Win2K/NT domain name:</entry><entry>DOM</entry></row>
<row><entry>Domain's PDC NetBIOS name:</entry><entry>DOMPDC</entry></row>
<row><entry>Domain's BDC NetBIOS names:</entry><entry>DOMBDC1 and DOMBDC2</entry></row>
</tbody>
</tgroup>
</table>
</para>
<para>
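Review bot: the new link text "the Domain Member Server section of this chapter chapter" duplicates "chapter". In the emphasised paragraph on directory back ends, "Sun's iPlanet, of NetWare Directory Server" should be "or NetWare Directory Server"; the typo was carried over in the rewrap. The table conversion of the assumptions block is fine, but the label entries no longer need their trailing colons now that the values sit in their own column.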
@ -439,24 +472,25 @@ now use domain security.
<para>
Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
<parameter>security =</parameter></ulink> line in the [global] section
<parameter>security</parameter></ulink> line in the [global] section
of your &smb.conf; to read:
</para>
<para>
<programlisting>
<command>security = domain</command>
security = domain
</programlisting>
</para>
<para>
Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
workgroup =</parameter></ulink> line in the [global] section to read:
workgroup</parameter></ulink> line in the <parameter>[global]</parameter>
section to read:
</para>
<para>
<programlisting>
<command>workgroup = DOM</command>
workgroup = DOM
</programlisting>
</para>
@ -472,13 +506,13 @@ You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
<para>
Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
<parameter>password server =</parameter></ulink> line in the [global]
<parameter>password server</parameter></ulink> line in the [global]
section to read:
</para>
<para>
<programlisting>
<command>password server = DOMPDC DOMBDC1 DOMBDC2</command>
password server = DOMPDC DOMBDC1 DOMBDC2
</programlisting>
</para>
@ -498,12 +532,12 @@ set this line to be:
<para>
<programlisting>
<command>password server = *</command>
password server = *
</programlisting>
</para>
<para>
This method, allows Samba to use exactly the same mechanism that NT does. This
This method allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.
</para>
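Review bot: "password server = *" is described only as "the same mechanism that NT does", but its effect is that the set of domain controllers Samba will hand credentials to becomes whatever broadcast or WINS name resolution returns for the domain, instead of the pinned list DOMPDC DOMBDC1 DOMBDC2 given just above. One sentence saying that the explicit list is the safer choice when the controllers are known, and that "*" is a convenience for networks where they change, would make the trade-off clear.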
@ -513,20 +547,21 @@ In order to actually join the domain, you must run this command:
</para>
<para>
<programlisting>
<screen>
<prompt>root# </prompt><userinput>net join -S DOMPDC -U<replaceable>Administrator%password</replaceable></userinput>
</programlisting>
</screen>
</para>
<para>
If the <userinput>-S DOMPDC</userinput> argument is not given then
the domain name will be obtained from smb.conf.
If the <option>-S DOMPDC</option> argument is not given then
the domain name will be obtained from &smb.conf;.
</para>
<para>
As we are joining the domain DOM and the PDC for that domain
(the only machine that has write access to the domain SAM database)
is DOMPDC. The <replaceable>Administrator%password</replaceable> is
is DOMPDC, we use it for the <option>-S</option> option.
The <replaceable>Administrator%password</replaceable> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:
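Review bot: this hunk converts the example to <screen> but keeps the literal <prompt>root# </prompt>, whereas the other examples converted in this patch use the &rootprompt; entity; make them consistent. Separately, "-U Administrator%password" places the domain administrator password on the command line, where it is visible to every local user in the process list. The example could use "-U Administrator" alone and let net prompt for the password, with a note that the user%password form is intended for scripted use.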
@ -588,8 +623,8 @@ NT server in the same way as a Windows 95 or Windows 98 server would.
</para>
<para>
Please refer to the <ulink url="winbind.html">Winbind
paper</ulink> for information on a system to automatically
Please refer to the <link linkend="winbind">Winbind</link> chapter
for information on a system to automatically
assign UNIX uids and gids to Windows NT Domain users and groups.
</para>
@ -604,11 +639,11 @@ domain PDC to an account domain PDC).
</para>
<para>
In addition, with <command>security = server</command> every Samba
In addition, with <parameter>security = server</parameter> every Samba
daemon on a server has to keep a connection open to the
authenticating server for as long as that daemon lasts. This can drain
the connection resources on a Microsoft NT server and cause it to run
out of available connections. With <command>security = domain</command>,
out of available connections. With <parameter>security = domain</parameter>,
however, the Samba daemons connect to the PDC/BDC only for as long
as is necessary to authenticate the user, and then drop the connection,
thus conserving PDC connection resources.
@ -624,8 +659,8 @@ as the user SID, the list of NT groups the user belongs to, etc.
<note>
<para>
Much of the text of this document
was first published in the Web magazine <ulink url="http://www.linuxworld.com">
LinuxWorld</ulink> as the article <ulink
was first published in the Web magazine
<ulink url="http://www.linuxworld.com">LinuxWorld</ulink> as the article <ulink
url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
the NIS/NT Samba</ulink>.
</para>
@ -634,19 +669,19 @@ the NIS/NT Samba</ulink>.
</sect2>
</sect1>
<sect1>
<sect1 id="ads-member">
<title>Samba ADS Domain Membership</title>
<para>
This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC.
This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a
Windows2000 KDC. A familiarity with Kerberos is assumed.
</para>
<sect2>
<title>Setup your <filename>smb.conf</filename></title>
<para>
You must use at least the following 3 options in smb.conf:
You must use at least the following 3 options in &smb.conf;:
</para>
<para><programlisting>
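Review bot: "Windows2000 KDC" should be "Windows 2000 KDC", matching the spelling used earlier in this chapter; otherwise the added sentence "A familiarity with Kerberos is assumed." is a useful addition.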
@ -657,17 +692,18 @@ You must use at least the following 3 options in smb.conf:
<para>
In case samba can't figure out your ads server using your realm name, use the
<command>ads server</command> option in <filename>smb.conf</filename>:
<parameter>ads server</parameter> option in <filename>smb.conf</filename>:
<programlisting>
ads server = your.kerberos.server
</programlisting>
</para>
<note><para>
You do *not* need a smbpasswd file, and older clients will be authenticated as if
<command>security = domain</command>, although it won't do any harm and allows you
to have local users not in the domain. I expect that the above required options will
change soon when we get better active directory integration.
You do <emphasis>not</emphasis> need a smbpasswd file, and older clients will be authenticated as
if <parameter>security = domain</parameter>, although it won't do any harm and
allows you to have local users not in the domain. It is expected that the above
required options will change soon when active directory integration will get
better.
</para></note>
</sect2>
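Review bot: the rewritten note ends "will change soon when active directory integration will get better"; drop the second "will" ("when Active Directory integration gets better"). "a smbpasswd file" should be "an smbpasswd file", and Active Directory is a product name and should be capitalised as it is in the section title.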
@ -675,15 +711,14 @@ change soon when we get better active directory integration.
<sect2>
<title>Setup your <filename>/etc/krb5.conf</filename></title>
<para>
Note: you will need the krb5 workstation, devel, and libs installed
</para>
<para>
The minimal configuration for <filename>krb5.conf</filename> is:
</para>
<para><programlisting>
[libdefaults]
default_realm = YOUR.KERBEROS.REALM
[realms]
YOUR.KERBEROS.REALM = {
kdc = your.kerberos.server
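Review bot: dropping "you will need the krb5 workstation, devel, and libs installed" removes the only statement of the build prerequisite. The troubleshooting entry later in this section still says Samba must be recompiled "after the Kerberos libs and headers are installed", so a reader now learns of the requirement only when the join fails with "ADS support not compiled in". Keep the sentence, ideally as a <note> element like the others in this section.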
@ -697,37 +732,37 @@ making sure that your password is accepted by the Win2000 KDC.
</para>
<note><para>
The realm must be uppercase or you will get "Cannot find KDC for requested
realm while getting initial credentials" error
The realm must be uppercase or you will get <errorname>Cannot find KDC for
requested realm while getting initial credentials</errorname> error.
</para></note>
<note><para>
Time between the two servers must be synchronized. You will get a
"kinit(v5): Clock skew too great while getting initial credentials" if the time
difference is more than five minutes.
<errorname>kinit(v5): Clock skew too great while getting initial credentials</errorname>
if the time difference is more than five minutes.
</para></note>
<para>
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
must either be the NetBIOS name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the NetBIOS name
followed by the realm.
</para>
<para>
The easiest way to ensure you get this right is to add a
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to
its netbios name. If you don't get this right then you will get a
"local error" when you try to join the realm.
its NetBIOS name. If you don't get this right then you will get a
<errorname>local error</errorname> when you try to join the realm.
</para>
<para>
If all you want is kerberos support in &smbclient; then you can skip
If all you want is Kerberos support in &smbclient; then you can skip
straight to <link linkend="ads-test-smbclient">Test with &smbclient;</link> now.
<link linkend="ads-create-machine-account">Creating a computer account</link>
and <link linkend="ads-test-server">testing your servers</link>
is only needed if you want kerberos support for &smbd; and &winbindd;.
is only needed if you want Kerberos support for &smbd; and &winbindd;.
</para>
</sect2>
@ -739,7 +774,7 @@ is only needed if you want kerberos support for &smbd; and &winbindd;.
As a user that has write permission on the Samba private directory
(usually root) run:
<programlisting>
<userinput>net join -U Administrator%password</userinput>
&rootprompt;<userinput>net join -U Administrator%password</userinput>
</programlisting>
</para>
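Review bot: this example stays in <programlisting> while the equivalent net join example in the NT4 domain section was converted to <screen> in this same patch; the two should use the same element. The same caveat applies here as there: "Administrator%password" on the command line exposes the password in the process list, so consider showing "-U Administrator" and letting net prompt.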
@ -748,12 +783,12 @@ As a user that has write permission on the Samba private directory
<para>
<variablelist>
<varlistentry><term>"ADS support not compiled in"</term>
<varlistentry><term><errorname>ADS support not compiled in</errorname></term>
<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
(make clean all install) after the kerberos libs and headers are installed.
(make clean all install) after the Kerberos libs and headers are installed.
</para></listitem></varlistentry>
<varlistentry><term>net join prompts for user name</term>
<varlistentry><term><errorname>net join prompts for user name</errorname></term>
<listitem><para>You need to login to the domain using <userinput>kinit
<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>.
<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine
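Review bot: <errorname> is for text the software emits; "net join prompts for user name" describes a behaviour rather than an error message, so the second <term> should not use it (plain text or <emphasis> fits better). Its use on "ADS support not compiled in" is correct.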
@ -776,7 +811,7 @@ folder under Users and Computers.
<para>
On a Windows 2000 client try <userinput>net use * \\server\share</userinput>. You should
be logged in with kerberos without needing to know a password. If
be logged in with Kerberos without needing to know a password. If
this fails then run <userinput>klist tickets</userinput>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ?
</para>
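Review bot: "encoding type of DES-CBC-MD5" should be "encryption type"; the Kerberos term for the ticket's cipher is the encryption type (enctype). The slip is in the context line, but it is one word away from the line this hunk changes.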
@ -788,8 +823,8 @@ server? Does it have an encoding type of DES-CBC-MD5 ?
<para>
On your Samba server try to login to a Win2000 server or your Samba
server using &smbclient; and kerberos. Use &smbclient; as usual, but
specify the <parameter>-k</parameter> option to choose kerberos authentication.
server using &smbclient; and Kerberos. Use &smbclient; as usual, but
specify the <parameter>-k</parameter> option to choose Kerberos authentication.
</para>
</sect2>
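Review bot: the -k switch is marked up as <parameter>-k</parameter>; elsewhere in this patch command-line switches use <option> (for example <option>-S DOMPDC</option>), with <parameter> reserved for &smb.conf; settings. Use <option> here.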
@ -803,7 +838,7 @@ install, to create the right encoding types
</para>
<para>
w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
W2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?
</para>
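Review bot: beyond the W2k capitalisation, "in their defaults DNS setup" should read "in its default DNS setup", and "_kerberos._udp and _ldap._tcp" would be clearer as "the _kerberos._udp and _ldap._tcp SRV records", since that is what the join relies on to locate the KDC and LDAP server.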
@ -815,7 +850,7 @@ their defaults DNS setup. Maybe fixed in service packs?
<para>
In the process of adding / deleting / re-adding domain member machine accounts there are
many traps for the unwary player and there are many "little" things that can go wrong.
many traps for the unwary player and there are many <quote>little</quote> things that can go wrong.
It is particularly interesting how often subscribers on the samba mailing list have concluded
after repeated failed attempts to add a machine account that it is necessary to "re-install"
MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type
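Review bot: the context line "MS Windows on t he machine" has a stray space ("the machine") that this hunk could fix alongside the quote change; "samba mailing list" should also become "Samba mailing list", since the rest of the patch normalises that capitalisation.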
@ -830,7 +865,7 @@ networking functions. easily overcome.
<emphasis>Problem:</emphasis> A Windows workstation was reinstalled. The original domain machine
account was deleted and added immediately. The workstation will not join the domain if I use
the same machine name. Attempts to add the machine fail with a message that the machine already
exists on the network - I know it doen't. Why is this failing?
exists on the network - I know it doesn't. Why is this failing?
</para>
<para>
@ -846,14 +881,14 @@ the old account and then to add the machine with a new name.
<para>
Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
message that, "The machine could not be added at this time, there is a network problem.
Please try again later." Why?
message that, <errorname>The machine could not be added at this time, there is a network problem.
Please try again later.</errorname> Why?
</para>
<para>
You should check that there is an <emphasis>add machine script</emphasis> in your &smb.conf;
You should check that there is an <parameter>add machine script</parameter> in your &smb.conf;
file. If there is not, please add one that is appropriate for your OS platform. If a script
has been defined you will need to debug it's operation. Increase the <emphasis>log level</emphasis>
has been defined you will need to debug it's operation. Increase the <parameter>log level</parameter>
in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which
operation is failing.
</para>
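Review bot: "debug it's operation" should be "its operation"; the apostrophe survives from the old line into the new one. The advice to raise log level to 10 is sound for a one-off diagnosis, but the paragraph should say to restore the previous level afterwards: level 10 records every request in detail, and on a domain controller the log volume grows quickly.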


@ -5,7 +5,7 @@
<pubdate>Wed Jan 15</pubdate>
</chapterinfo>
<title>The samba checklist</title>
<title>The Samba checklist</title>
<sect1>
<title>Introduction</title>
@ -129,7 +129,7 @@ run ping.
</para>
<para>
If you get a message saying "host not found" or similar then your DNS
If you get a message saying <errorname>host not found</errorname> or similar then your DNS
software or <filename>/etc/hosts</filename> file is not correctly setup.
It is possible to
run samba without DNS entries for the server and client, but I assume
@ -143,10 +143,12 @@ in question, perhaps by allowing access from another subnet (on Linux
this is done via the <application>ipfwadm</application> program.)
</para>
<note>
<para>
Note: Modern Linux distributions install ipchains/iptables by default.
Modern Linux distributions install ipchains/iptables by default.
This is a common problem that is often overlooked.
</para>
</note>
</step>
<step performance="required">
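Review bot: the new <note> says modern distributions ship ipchains/iptables, but the context sentence immediately above still tells the reader that firewall access is adjusted "via the ipfwadm program"; update that sentence (iptables on current kernels) so the two do not contradict each other.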
@ -165,7 +167,7 @@ temporarily remove any <command>hosts allow</command>, <command>hosts deny</comm
</para>
<para>
If you get a "connection refused" response then the smbd server may
If you get a <errorname>connection refused</errorname> response then the smbd server may
not be running. If you installed it in inetd.conf then you probably edited
that file incorrectly. If you installed it as a daemon then check that
it is running, and check that the netbios-ssn port is in a LISTEN
@ -180,7 +182,7 @@ this network super daemon.
</para></note>
<para>
If you get a "session request failed" then the server refused the
If you get a <errorname>session request failed</errorname> then the server refused the
connection. If it says "Your server software is being unfriendly" then
its probably because you have invalid command line parameters to &smbd;,
or a similar fatal problem with the initial startup of &smbd;. Also
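Review bot: only the first quoted message was converted; "Your server software is being unfriendly" on the following context line is also literal smbclient output and should get the same <errorname> markup. That line also has "its probably" for "it's probably".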
@ -203,7 +205,7 @@ the following &smb.conf; file entries:
<para>
In the above, no allowance has been made for any session requests that
will automatically translate to the loopback adaptor address 127.0.0.1.
will automatically translate to the loopback adapter address 127.0.0.1.
To solve this problem change these lines to:
</para>
@ -213,7 +215,7 @@ To solve this problem change these lines to:
</programlisting></para>
<para>
Do NOT use the <command>bind interfaces only</command> parameter where you
Do <emphasis>not</emphasis> use the <command>bind interfaces only</command> parameter where you
may wish to
use the samba password change facility, or where &smbclient; may need to
access a local service for name resolution or for local resource
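Review bot: <command>bind interfaces only</command> is an &smb.conf; parameter, and this patch otherwise moves such names to <parameter>; the same applies to the hosts allow and hosts deny mentions in the nearby context lines of this file.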
@ -224,7 +226,8 @@ fixed soon).
<para>
Another common cause of these two errors is having something already running
on port 139, such as Samba (ie: smbd is running from <application>inetd</application> already) or
on port <constant>139</constant>, such as Samba
(ie: &smbd; is running from <application>inetd</application> already) or
something like Digital's Pathworks. Check your <filename>inetd.conf</filename> file before trying
to start &smbd; as a daemon, it can avoid a lot of frustration!
</para>
@ -233,7 +236,7 @@ to start &smbd; as a daemon, it can avoid a lot of frustration!
And yet another possible cause for failure of this test is when the subnet mask
and / or broadcast address settings are incorrect. Please check that the
network interface IP Address / Broadcast Address / Subnet Mask settings are
correct and that Samba has correctly noted these in the <filename>log.nmb</filename> file.
correct and that Samba has correctly noted these in the <filename>log.nmbd</filename> file.
</para>
</step>
@ -286,10 +289,10 @@ Run the command <userinput>nmblookup -d 2 '*'</userinput>
<para>
This time we are trying the same as the previous test but are trying
it via a broadcast to the default broadcast address. A number of
Netbios/TCPIP hosts on the network should respond, although Samba may
NetBIOS / TCP/IP hosts on the network should respond, although Samba may
not catch all of the responses in the short time it listens. You
should see "got a positive name query response" messages from several
hosts.
should see <errorname>got a positive name query response</errorname>
messages from several hosts.
</para>
<para>
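Review bot: "got a positive name query response" is a success message from nmblookup, not an error, so <errorname> is the wrong element here; <computeroutput>, as used later in this file for "command completed successfully", fits better.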
@ -332,18 +335,18 @@ as follows:
<para>
Once you enter the password you should get the <prompt>smb></prompt> prompt. If you
don't then look at the error message. If it says "invalid network
name" then the service "tmp" is not correctly setup in your &smb.conf;.
don't then look at the error message. If it says <errorname>invalid network
name</errorname> then the service <emphasis>"tmp"</emphasis> is not correctly setup in your &smb.conf;.
</para>
<para>
If it says "bad password" then the likely causes are:
If it says <errorname>bad password</errorname> then the likely causes are:
</para>
<orderedlist>
<listitem>
<para>
you have shadow passords (or some other password system) but didn't
you have shadow passwords (or some other password system) but didn't
compile in support for them in &smbd;
</para>
</listitem>
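Review bot: <emphasis>"tmp"</emphasis> nests literal quotes inside emphasis; the share is referred to as <parameter>[tmp]</parameter> later in this same file, and that form should be used here too.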
@ -369,8 +372,7 @@ If it says "bad password" then the likely causes are:
<listitem>
<para>
you enabled password encryption but didn't create the SMB encrypted
password file
you enabled password encryption but didn't map unix to samba users
</para>
</listitem>
</orderedlist>
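Review bot: replacing "didn't create the SMB encrypted password file" with "didn't map unix to samba users" changes the diagnosis rather than its wording. The original cause, that the user has no entry in the Samba password database, is still a real and common one (it is why smbpasswd -a is documented earlier in the HOWTO), and username mapping is a separate failure mode. Suggest keeping the original item, reworded as "didn't add the user to the Samba password database", and adding the mapping case as its own list item if it is wanted.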
@ -394,7 +396,7 @@ list of available shares on the server.
</para>
<para>
If you get a "network name not found" or similar error then netbios
If you get a <errorname>network name not found</errorname> or similar error then netbios
name resolution is not working. This is usually caused by a problem in
nmbd. To overcome it you could do one of the following (you only need
to choose one of them):
@ -407,12 +409,12 @@ to choose one of them):
<listitem><para>
add the IP address of BIGSERVER to the <command>wins server</command> box in the
advanced tcp/ip setup on the PC.
advanced TCP/IP setup on the PC.
</para></listitem>
<listitem><para>
enable windows name resolution via DNS in the advanced section of
the tcp/ip setup
the TCP/IP setup
</para></listitem>
<listitem><para>
@ -421,7 +423,7 @@ to choose one of them):
</orderedlist>
<para>
If you get a "invalid network name" or "bad password error" then the
If you get a <errorname>invalid network name</errorname> or <errorname>bad password error</errorname> then the
same fixes apply as they did for the <userinput>smbclient -L</userinput> test above. In
particular, make sure your <command>hosts allow</command> line is correct (see the man
pages)
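Review bot: "a invalid network name" should be "an invalid network name", and the second term wraps the word "error" inside the <errorname>; the message is "bad password", so move "error" outside the element.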
@ -436,7 +438,7 @@ name and password.
</para>
<para>
If you get "specified computer is not receiving requests" or similar
If you get <errorname>specified computer is not receiving requests</errorname> or similar
it probably means that the host is not contactable via tcp services.
Check to see if the host is running tcp wrappers, and if so add an entry in
the <filename>hosts.allow</filename> file for your client (or subnet, etc.)
@ -448,16 +450,16 @@ the <filename>hosts.allow</filename> file for your client (or subnet, etc.)
<para>
Run the command <userinput>net use x: \\BIGSERVER\TMP</userinput>. You should
be prompted for a password then you should get a "command completed
successfully" message. If not then your PC software is incorrectly
be prompted for a password then you should get a <computeroutput>command completed
successfully</computeroutput> message. If not then your PC software is incorrectly
installed or your smb.conf is incorrect. make sure your <command>hosts allow</command>
and other config lines in &smb.conf; are correct.
</para>
<para>
It's also possible that the server can't work out what user name to
connect you as. To see if this is the problem add the line <command>user =
<replaceable>username</replaceable></command> to the <command>[tmp]</command> section of
connect you as. To see if this is the problem add the line <parameter>user =
<replaceable>username</replaceable></parameter> to the <parameter>[tmp]</parameter> section of
&smb.conf; where <replaceable>username</replaceable> is the
username corresponding to the password you typed. If you find this
fixes things you may need the username mapping option.
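Review bot: the context line "installed or your smb.conf is incorrect. make sure" needs a capital "Make" and should use the &smb.conf; entity like the rest of the file; easy to take along while the <parameter> tags are being fixed in this hunk.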
@ -465,7 +467,7 @@ fixes things you may need the username mapping option.
<para>
It might also be the case that your client only sends encrypted passwords
and you have <command>encrypt passwords = no</command> in &smb.conf;
and you have <parameter>encrypt passwords = no</parameter> in &smb.conf;
Turn it back on to fix.
</para>
@ -484,7 +486,7 @@ master browser for that workgroup.
If you don't then the election process has failed. Wait a minute to
see if it is just being slow then try again. If it still fails after
that then look at the browsing options you have set in &smb.conf;. Make
sure you have <command>preferred master = yes</command> to ensure that
sure you have <parameter>preferred master = yes</parameter> to ensure that
an election is held at startup.
</para>
@ -500,9 +502,9 @@ of the server and get a list of shares. If you get a "invalid
password" error when you do then you are probably running WinNT and it
is refusing to browse a server that has no encrypted password
capability and is in user level security mode. In this case either set
<command>security = server</command> AND
<command>password server = Windows_NT_Machine</command> in your
&smb.conf; file, or make sure <command>encrypted passwords</command> is
<parameter>security = server</parameter> AND
<parameter>password server = Windows_NT_Machine</parameter> in your
&smb.conf; file, or make sure <parameter>encrypted passwords</parameter> is
set to "yes".
</para>
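Review bot: there is no "encrypted passwords" parameter; the setting is "encrypt passwords", as written correctly in the hunk two above, so the new <parameter> tag now highlights a name that does not exist in &smb.conf;.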


@ -7,6 +7,9 @@
<title>Further Resources</title>
<sect1>
<title>Websites</title>
<itemizedlist>
<listitem><para>
@ -74,6 +77,102 @@
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf">
<emphasis>PDF version of the Troubleshooting Techniques chapter</emphasis>
from the second edition of Sam's Teach Yourself Samba in 24 Hours
(publishing date of Dec. 12, 2001)</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://ru.samba.org/samba/ftp/slides/">
<emphasis>Slide presentations</emphasis> by Samba Team members
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html">
<emphasis>Introduction to Samba 3.0</emphasis> by Motonobu Takahashi
(written in Japanese). </ulink>
</para></listitem>
<listitem><para>
<ulink url="http://www.linux-mag.com/2001-05/smb_01.html">
<emphasis>Understanding the Network Neighborhood</emphasis>, by team member
Chris Hertel. This article appeared in the May 2001 issue of
Linux Magazine.
</ulink>
</para></listitem>
<listitem><para>
<ulink url="ftp://ftp.stratus.com/pub/vos/customers/samba/">
<emphasis>Samba 2.0.x Troubleshooting guide</emphasis> from Paul Green
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://samba.org/samba/docs/10years.html">
<emphasis>Ten Years of Samba</emphasis>
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html">
<emphasis>Samba Authenticated Gateway HOWTO</emphasis>
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://samba.org/samba/docs/SambaIntro.html">
<emphasis>An Introduction to Samba</emphasis>
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://www.samba.org/cifs/">
<emphasis>What is CIFS?</emphasis>
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://support.microsoft.com/support/kb/articles/q92/5/88.asp">
<emphasis>WFWG: Password Caching and How It Affects LAN Manager
Security</emphasis> at Microsoft Knowledge Base
</ulink>
</para></listitem>
</itemizedlist>
</sect1>
<sect1>
<title>Related updates from Microsoft</title>
<itemizedlist>
<listitem><para>
<ulink url="http://support.microsoft.com/support/kb/articles/q92/5/88.asp">
<emphasis>Enhanced Encryption for Windows 95 Password Cache</emphasis>
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://support.microsoft.com/support/kb/articles/q136/4/18.asp">
<emphasis>Windows '95 File Sharing Updates</emphasis>
</ulink>
</para></listitem>
<listitem><para>
<ulink url="http://support.microsoft.com/support/kb/articles/q136/4/18.asp">
<emphasis>Windows for Workgroups Sharing Updates</emphasis>
</ulink>
</para></listitem>
</itemizedlist>
</sect1>
<sect1>
<title>Books</title>
</sect1>
</chapter>
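Review bot: two pairs of links in this hunk share one URL under different titles, which looks like a copy-paste slip: `.../q92/5/88.asp` is used both for "WFWG: Password Caching and How It Affects LAN Manager Security" (Websites list) and for "Enhanced Encryption for Windows 95 Password Cache" (Related updates from Microsoft), and `.../q136/4/18.asp` both for "Windows '95 File Sharing Updates" and for "Windows for Workgroups Sharing Updates". One entry of each pair presumably belongs to a different KB article; please verify before this lands, since a reader following the password-cache link will be sent to the wrong update. The new `<sect1><title>Books</title>` is empty and will render as a bare heading; either fill it or leave the section out until there is content.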

@ -5,100 +5,309 @@
<firstname>Jean François</firstname><surname>Micouleau</surname>
</author>
&author.jerry;
&author.jht;
</chapterinfo>
<title>Configuring Group Mapping</title>
<title>Mapping MS Windows and Unix Groups</title>
<para>
Starting with Samba 3.0 alpha 2, new group mapping functionality
is available to create associations between Windows SIDs and UNIX
groups. The <parameter>groupmap</parameter> subcommand included with
the <command>net</command> tool can be used to manage these associations.
Starting with Samba-3, new group mapping functionality is available to create associations
between Windows group SIDs and UNIX groups. The <parameter>groupmap</parameter> subcommand
included with the &net; tool can be used to manage these associations.
</para>
<warning>
<para>
The first immediate reason to use the group mapping on a Samba PDC, is that
the <parameter>domain admin group</parameter> &smb.conf; has been removed.
This parameter was used to give the listed users membership in the "Domain Admins"
Windows group which gave local admin rights on their workstations (in
default configurations).
the <parameter>domain admin group</parameter> has been removed and should no longer
be specified in &smb.conf;. This parameter was used to give the listed users membership
in the <constant>Domain Admins</constant> Windows group which gave local admin rights on their workstations
(in default configurations).
</para>
</warning>
<sect1>
<title>Features and Benefits</title>
<para>
Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
arbitrarily associate them with Unix/Linux group accounts.
</para>
<para>
When installing NT/W2K on a computer, the installer program creates some users
and groups. Notably the 'Administrators' group, and gives to that group some
privileges like the ability to change the date and time or to kill any process
(or close too) running on the local machine. The 'Administrator' user is a
member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
group privileges. If a 'joe' user is created and become a member of the
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
so long as appropriate interface scripts have been provided to &smb.conf;.
</para>
<para>
Administrators should be aware that where &smb.conf; group interface scripts make
direct calls to the Unix/Linux system tools (eg: the shadow utilities, <command>groupadd</command>,
<command>groupdel</command>, <command>groupmod</command>) then the resulting Unix/Linux group names will be subject
to any limits imposed by these tools. If the tool does NOT allow upper case characters
or space characters, then the creation of an MS Windows NT4 / 200x style group of
<parameter>Engineering Managers</parameter> will attempt to create an identically named
Unix/Linux group, an attempt that will of course fail!
</para>
<para>
There are several possible work-arounds for the operating system tools limitation. One
method is to use a script that generates a name for the Unix/Linux system group that
fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
back to the calling Samba interface. This will provide a dynamic work-around solution.
</para>
<para>
Another work-around is to manually create a Unix/Linux group, then manually create the
MS Windows NT4 / 200x group on the Samba server and then use the <command>net groupmap</command>
tool to connect the two to each other.
</para>
</sect1>
<sect1>
<title>Discussion</title>
<para>
When installing <application>MS Windows NT4 / 200x</application> on a computer, the installation
program creates default users and groups, notably the <constant>Administrators</constant> group,
and gives that group privileges necessary privileges to perform essential system tasks.
eg: Ability to change the date and time or to kill (or close) any process running on the
local machine.
</para>
<para>
The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
'Administrators' group privileges. If a 'joe' user is created to be a member of the
'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
</para>
<para>
When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the
PDC is added to the local 'Administrators' group of the workstation. Every
member of the 'Domain Administrators' group 'inherit' the
rights of the local 'Administrators' group when logging on the workstation.
When an MS Windows NT4 / W200x is made a domain member, the "Domain Admins" group of the
PDC is added to the local 'Administrators' group of the workstation. Every member of the
'Domain Administrators' group inherits the rights of the local 'Administrators' group when
logging on the workstation.
</para>
<para>
The following steps describe how to make samba PDC users members of the
'Domain Admins' group?
The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
</para>
<orderedlist>
<listitem><para>create a unix group (usually in <filename>/etc/group</filename>),
let's call it domadm</para></listitem>
<listitem><para>
create a unix group (usually in <filename>/etc/group</filename>), let's call it domadm
</para></listitem>
<listitem><para>add to this group the users that must be Administrators. For example
if you want joe, john and mary, your entry in <filename>/etc/group</filename> will
look like:</para>
look like:
</para>
<para><programlisting>
domadm:x:502:joe,john,mary
</programlisting></para>
</programlisting>
</para></listitem>
</listitem>
<listitem><para>Map this domadm group to the "Domain Admins" group
by running the command:</para>
<para><prompt>root# </prompt><userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput></para>
<para>The quotes around "Domain Admins" are necessary due to the space in the group name. Also make
sure to leave no whitespace surrounding the equal character (=).</para>
</listitem>
</orderedlist>
<para>Now joe, john and mary are domain administrators!</para>
<para>
It is possible to map any arbitrary UNIX group to any Windows NT
group as well as making any UNIX group a Windows domain group.
For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a
local file or printer on a domain member machine, you would flag
that group as a domain group by running the following on the Samba PDC:
<listitem><para>
Map this domadm group to the "Domain Admins" group by running the command:
</para>
<para><prompt>root# </prompt><userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput></para>
<para>
<screen>
&rootprompt;<userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput>
</screen>
</para>
<para>Be aware that the rid parmeter is a unsigned 32 bit integer that should
<para>
The quotes around "Domain Admins" are necessary due to the space in the group name.
Also make sure to leave no whitespace surrounding the equal character (=).
</para></listitem>
</orderedlist>
<para>
Now joe, john and mary are domain administrators!
</para>
<para>
It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as
making any UNIX group a Windows domain group. For example, if you wanted to include a
UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine,
you would flag that group as a domain group by running the following on the Samba PDC:
</para>
<para>
<screen>
&rootprompt;<userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput>
</screen>
</para>
<para>
Be aware that the RID parameter is a unsigned 32 bit integer that should
normally start at 1000. However, this rid must not overlap with any RID assigned
to a user. Verifying this is done differently depending on on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
but for now the burden in on you.</para>
but for now the burden is on you.
</para>
<para>You can list the various groups in the mapping database by executing
<command>net groupmap list</command>. Here is an example:</para>
<sect2>
<title>Example Configuration</title>
<para><programlisting><prompt>root# </prompt>net groupmap list
<para>
You can list the various groups in the mapping database by executing
<command>net groupmap list</command>. Here is an example:
</para>
<para>
<screen>
&rootprompt; <userinput>net groupmap list</userinput>
System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
</programlisting></para>
</screen>
</para>
<para>For complete details on <command>net groupmap</command>, refer to the
net(8) man page.</para>
<para>
For complete details on <command>net groupmap</command>, refer to the net(8) man page.
</para>
</sect2>
</sect1>
<sect1>
<title>Configuration Scripts</title>
<para>
Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
(ie: prepared by someone else for general use).
</para>
<sect2>
<title>Sample &smb.conf; add group script</title>
<para>
A script to great complying group names for use by the Samba group interfaces:
</para>
<para>
<example>
<title>smbgrpadd.sh</title>
<programlisting>
#!/bin/bash
# Add the group using normal system groupadd tool.
groupadd smbtmpgrp00
thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
# Now change the name to what we want for the MS Windows networking end
cp /etc/group /etc/group.bak
cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group
# Now return the GID as would normally happen.
echo $thegid
exit 0
</programlisting>
</example>
</para>
<para>
The &smb.conf; entry for the above script would look like:
<programlisting>
add group script = /path_to_tool/smbgrpadd.sh %g
</programlisting>
</para>
</sect2>
<sect2>
<title>Script to configure Group Mapping</title>
<para>
In our example we have created a Unix/Linux group called <parameter>ntadmin</parameter>.
Our script will create the additional groups <parameter>Engineers, Marketoids, Gnomes</parameter>:
</para>
<para>
<programlisting>
#!/bin/bash
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Administrators" unixgroup=root
net groupmap modify ntgroup="Users" unixgroup=users
net groupmap modify ntgroup="Guests" unixgroup=nobody
net groupmap modify ntgroup="System Operators" unixgroup=sys
net groupmap modify ntgroup="Account Operators" unixgroup=root
net groupmap modify ntgroup="Backup Operators" unixgroup=bin
net groupmap modify ntgroup="Print Operators" unixgroup=lp
net groupmap modify ntgroup="Replicators" unixgroup=daemon
net groupmap modify ntgroup="Power Users" unixgroup=sys
#groupadd Engineers
#groupadd Marketoids
#groupadd Gnomes
#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d
#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d
#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
</programlisting>
</para>
<para>
Of course it is expected that the administrator will modify this to suit local needs.
For information regarding the use of the <command>net groupmap</command> tool please
refer to the man page.
</para>
</sect2>
</sect1>
<sect1>
<title>Common Errors</title>
<para>
At this time there are many little surprises for the unwary administrator. In a real sense
it is imperative that every step of automated control scripts must be carefully tested
manually before putting them into active service.
</para>
<sect2>
<title>Adding Groups Fails</title>
<para>
This is a common problem when the <command>groupadd</command> is called directly
by the Samba interface script for the <parameter>add group script</parameter> in
the &smb.conf; file.
</para>
<para>
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
</para>
<para>
There are three possible work-arounds. Firstly, use only group names that comply
with the limitations of the Unix/Linux <command>groupadd</command> system tool.
The second involves use of the script mentioned earlier in this chapter, and the
third option is to manually create a Unix/Linux group account that can substitute
for the MS Windows group name, then use the procedure listed above to map that group
to the MS Windows group.
</para>
</sect2>
<sect2>
<title>Adding MS Windows Groups to MS Windows Groups Fails</title>
<para>
Samba-3 does NOT support nested groups from the MS Windows control environment.
</para>
</sect2>
</sect1>
</chapter>
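Review bot: the sample `smbgrpadd.sh` in the new Configuration Scripts section rewrites `/etc/group` by hand (`cp /etc/group /etc/group.bak` then `cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group`) in a way that is easy to get wrong. `$1` is unquoted even though the script exists precisely to handle names with spaces, so a name such as "Engineering Managers" is split into two sed arguments; the `grep smbtmpgrp00` and the `s/smbtmpgrp00/.../g` are unanchored, so any line merely containing that substring is matched; the fixed temporary name means two overlapping `add group script` invocations collide; and `exit 0` is reached even when `groupadd` fails, so Samba is handed a GID for a group that was never created. At minimum quote `"$1"`, anchor the match on `^smbtmpgrp00:`, derive a unique temporary name per run, and check each command's exit status before the final `echo $thegid`. Separately, "A script to great complying group names" should read "create", and the `Engineers`/`Marketoids`/`Gnomes` lines in the mapping script are commented out without explanation; a sentence saying they are templates to be enabled after the Unix groups exist would help.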

@ -24,6 +24,26 @@ NetBIOS over TCP/IP then this section may help you to resolve networking problem
</para>
</note>
<sect1>
<title>Features and Benefits</title>
<para>
Many MS Windows network administrators have never been exposed to basic TCP/IP
networking as it is implemented in a Unix/Linux operating system. Likewise, many Unix and
Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP based
networking (and may have no desire to be either).
</para>
<para>
This chapter gives a short introduction to the basics of how a name can be resolved to
it's IP address for each operating system environment.
</para>
</sect1>
<sect1>
<title>Background Information</title>
<para>
Since the introduction of MS Windows 2000 it is possible to run MS Windows networking
without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
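Review bot: "resolved to it's IP address" in the new Features and Benefits paragraph should be "its" (possessive); a later hunk in this same file corrects the identical slip ("by its NetBIOS machine name"), so leaving it here is inconsistent within the patch.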
@ -48,6 +68,7 @@ Use of DHCP with ADS is recommended as a further means of maintaining central co
over client workstation network configuration.
</para>
</sect1>
<sect1>
<title>Name Resolution in a pure Unix/Linux world</title>
@ -67,13 +88,13 @@ The key configuration files covered in this section are:
<title><filename>/etc/hosts</filename></title>
<para>
Contains a static list of IP Addresses and names.
Contains a static list of IP addresses and names.
eg:
</para>
<para><programlisting>
<para><screen>
127.0.0.1 localhost localhost.localdomain
192.168.1.1 bigbox.caldera.com bigbox alias4box
</programlisting></para>
</screen></para>
<para>
The purpose of <filename>/etc/hosts</filename> is to provide a
@ -85,9 +106,9 @@ IP addresses.
<para>
Network packets that are sent over the physical network transport
layer communicate not via IP addresses but rather using the Media
Access Control address, or MAC address. IP Addresses are currently
Access Control address, or MAC address. IP addresses are currently
32 bits in length and are typically presented as four (4) decimal
numbers that are separated by a dot (or period). eg: 168.192.1.1
numbers that are separated by a dot (or period). eg: 168.192.1.1.
</para>
<para>
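Review bot: the example address `168.192.1.1` on the rewritten line looks like a transposition of 192.168.1.1; 168.192.0.0/16 is not RFC 1918 space, so an example that readers may copy into a lab configuration points at publicly routable addresses. Since the line is being edited anyway (only a trailing period is added), change it to 192.168.1.1, which also matches the `/etc/hosts` sample earlier in this file.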
@ -97,10 +118,10 @@ as two digit hexadecimal numbers separated by colons. eg:
</para>
<para>
Every network interfrace must have an MAC address. Associated with
Every network interface must have an MAC address. Associated with
a MAC address there may be one or more IP addresses. There is NO
relationship between an IP address and a MAC address, all such assignments
are arbitary or discretionary in nature. At the most basic level all
are arbitrary or discretionary in nature. At the most basic level all
network communications takes place using MAC addressing. Since MAC
addresses must be globally unique, and generally remains fixed for
any particular interface, the assignment of an IP address makes sense
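Review bot: "must have an MAC address" should be "a MAC address" on the rewritten line; the edit only fixed "interfrace". In the same paragraph "MAC addresses ... generally remains fixed" should be "remain", and "all network communications takes place" should be "take place".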
@ -133,7 +154,7 @@ interface.
<para>
The <filename>/etc/hosts</filename> file is foundational to all
Unix/Linux TCP/IP installations and as a minumum will contain
Unix/Linux TCP/IP installations and as a minimum will contain
the localhost and local network interface IP addresses and the
primary names by which they are known within the local machine.
This file helps to prime the pump so that a basic level of name
@ -178,13 +199,13 @@ This file tells the name resolution libraries:
<filename>/etc/host.conf</filename> is the primary means by
which the setting in /etc/resolv.conf may be affected. It is a
critical configuration file. This file controls the order by
which name resolution may procede. The typical structure is:
which name resolution may proceed. The typical structure is:
</para>
<para><programlisting>
<para><screen>
order hosts,bind
multi on
</programlisting></para>
</screen></para>
<para>
then both addresses should be returned. Please refer to the
@ -205,7 +226,7 @@ file typically has resolver object specifications as follows:
</para>
<para><programlisting>
<para><screen>
# /etc/nsswitch.conf
#
# Name Service Switch configuration file.
@ -219,14 +240,14 @@ file typically has resolver object specifications as follows:
hosts: files nis dns
# Alternative entries for host name resolution are:
# hosts: files dns nis nis+ hesoid db compat ldap wins
# hosts: files dns nis nis+ hesiod db compat ldap wins
networks: nis files dns
ethers: nis files
protocols: nis files
rpc: nis files
services: nis files
</programlisting></para>
</screen></para>
<para>
Of course, each of these mechanisms requires that the appropriate
@ -244,12 +265,12 @@ Starting with version 2.2.0 samba has Linux support for extensions to
the name service switch infrastructure so that linux clients will
be able to obtain resolution of MS Windows NetBIOS names to IP
Addresses. To gain this functionality Samba needs to be compiled
with appropriate arguments to the make command (ie: <command>make
nsswitch/libnss_wins.so</command>). The resulting library should
with appropriate arguments to the make command (i.e.: <userinput>make
nsswitch/libnss_wins.so</userinput>). The resulting library should
then be installed in the <filename>/lib</filename> directory and
the "wins" parameter needs to be added to the "hosts:" line in
the <filename>/etc/nsswitch.conf</filename> file. At this point it
will be possible to ping any MS Windows machine by it's NetBIOS
will be possible to ping any MS Windows machine by its NetBIOS
machine name, so long as that machine is within the workgroup to
which both the samba machine and the MS Windows machine belong.
</para>
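Review bot: "NetBIOS names to IP Addresses" keeps the capitalised "Addresses" that earlier hunks in this file lowercase to "IP addresses", and "samba machine" is lowercase here while the chapter otherwise writes "Samba"; worth aligning while the paragraph is being touched. Changing `<command>` to `<userinput>` for `make nsswitch/libnss_wins.so` is the right element for something typed at a prompt, but keep the whole command on one line so it cannot be misread as two separate commands.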
@ -265,10 +286,10 @@ which both the samba machine and the MS Windows machine belong.
MS Windows networking is predicated about the name each machine
is given. This name is known variously (and inconsistently) as
the "computer name", "machine name", "networking name", "netbios name",
"SMB name". All terms mean the same thing with the exception of
or "SMB name". All terms mean the same thing with the exception of
"netbios name" which can apply also to the name of the workgroup or the
domain name. The terms "workgroup" and "domain" are really just a
simply name with which the machine is associated. All NetBIOS names
simple name with which the machine is associated. All NetBIOS names
are exactly 16 characters in length. The 16th character is reserved.
It is used to store a one byte value that indicates service level
information for the NetBIOS name that is registered. A NetBIOS machine
@ -280,7 +301,7 @@ the client/server.
The following are typical NetBIOS name/service type registrations:
</para>
<para><programlisting>
<para><screen>
Unique NetBIOS Names:
MACHINENAME&lt;00&gt; = Server Service is running on MACHINENAME
MACHINENAME&lt;03&gt; = Generic Machine Name (NetBIOS name)
@ -292,7 +313,7 @@ The following are typical NetBIOS name/service type registrations:
WORKGROUP&lt;1c&gt; = Domain Controllers / Netlogon Servers
WORKGROUP&lt;1d&gt; = Local Master Browsers
WORKGROUP&lt;1e&gt; = Internet Name Resolvers
</programlisting></para>
</screen></para>
<para>
It should be noted that all NetBIOS machines register their own
@ -311,8 +332,8 @@ wants to locate a domain logon server. It finds this service and the IP
address of a server that provides it by performing a lookup (via a
NetBIOS broadcast) for enumeration of all machines that have
registered the name type *&lt;1c&gt;. A logon request is then sent to each
IP address that is returned in the enumerated list of IP addresses. Which
ever machine first replies then ends up providing the logon services.
IP address that is returned in the enumerated list of IP addresses.
Whichever machine first replies then ends up providing the logon services.
</para>
<para>
@ -372,7 +393,7 @@ frustrating for users - but it is a characteristic of the protocol.
<para>
The MS Windows utility that allows examination of the NetBIOS
name cache is called "nbtstat". The Samba equivalent of this
is called "nmblookup".
is called <command>nmblookup</command>.
</para>
</sect2>
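Review bot: `nmblookup` is now wrapped in `<command>`, but "nbtstat" on the preceding line is still in literal quotes; wrap both the same way for consistency.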
@ -392,7 +413,7 @@ to IP address mapping.
It typically looks like:
</para>
<para><programlisting>
<para><screen>
# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
@ -401,7 +422,7 @@ It typically looks like:
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
@ -433,7 +454,7 @@ It typically looks like:
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
@ -469,7 +490,7 @@ It typically looks like:
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
</programlisting></para>
</screen></para>
</sect2>
@ -492,10 +513,10 @@ every way the equivalent of the Unix/Linux <filename>/etc/hosts</filename> file.
<para>
This capability is configured in the TCP/IP setup area in the network
configuration facility. If enabled an elaborate name resolution sequence
is followed the precise nature of which is dependant on what the NetBIOS
Node Type parameter is configured to. A Node Type of 0 means use
NetBIOS broadcast (over UDP broadcast) is first used if the name
configuration facility. If enabled, an elaborate name resolution sequence
is followed the precise nature of which is dependant on how the NetBIOS
Node Type parameter is configured. A Node Type of 0 means that
NetBIOS broadcast (over UDP broadcast) is used if the name
that is the subject of a name lookup is not found in the NetBIOS name
cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
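Review bot: "dependant" survives on the rewritten line ("the precise nature of which is dependant on how"); the adjective is "dependent". A comma after "is followed" would also help, since as written the sentence reads as "followed the precise nature".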
@ -509,7 +530,7 @@ lookup is used.
<title>WINS Lookup</title>
<para>
A WINS (Windows Internet Name Server) service is the equivaent of the
A WINS (Windows Internet Name Server) service is the equivalent of the
rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
the names and IP addresses that are registered by a Windows client
if the TCP/IP setup has been given at least one WINS Server IP Address.
@ -520,19 +541,19 @@ To configure Samba to be a WINS server the following parameter needs
to be added to the &smb.conf; file:
</para>
<para><programlisting>
<para><screen>
wins support = Yes
</programlisting></para>
</screen></para>
<para>
To configure Samba to use a WINS server the following parameters are
needed in the &smb.conf; file:
</para>
<para><programlisting>
<para><screen>
wins support = No
wins server = xxx.xxx.xxx.xxx
</programlisting></para>
</screen></para>
<para>
where <replaceable>xxx.xxx.xxx.xxx</replaceable> is the IP address
@ -542,4 +563,114 @@ of the WINS server.
</sect2>
</sect1>
<sect1>
<title>Common Errors</title>
<para>
TCP/IP network configuration problems find every network administrator sooner or later.
The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
carelessness. Of course, no one is every deliberately careless!
</para>
<sect2>
<title>My Boomerang Won't Come Back</title>
<para>
Well, the real complaint said, "I can ping my samba server from Windows, but I can
not ping my Windows machine from the samba server."
</para>
<para>
The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
The machines were on a local network with no external connections.
</para>
<para>
Due to inconsistent netmasks, the Windows machine was on network 192.168.1.0/24, while
the Samba server was on network 192.168.1.128/25 - logically a different network.
</para>
</sect2>
<sect2>
<title>Very Slow Network Connections</title>
<para>
A common causes of slow network response includes:
</para>
<itemizedlist>
<listitem><para>Client is configured to use DNS and DNS server is down</para></listitem>
<listitem><para>Client is configured to use remote DNS server, but remote connection is down</para></listitem>
<listitem><para>Client is configured to use a WINS server, but there is no WINS server</para></listitem>
<listitem><para>Client is NOT configured to use a WINS server, but there is a WINS server</para></listitem>
<listitem><para>Firewall is filtering our DNS or WINS traffic</para></listitem>
</itemizedlist>
</sect2>
<sect2>
<title>Samba server name change problem</title>
<para>
The name of the samba server was changed, samba was restarted, samba server can not be
pinged by new name from MS Windows NT4 Workstation, but it does still respond to ping using
the old name. Why?
</para>
<para>
From this description three (3) things are rather obvious:
</para>
<itemizedlist>
<listitem><para>WINS is NOT in use, only broadcast based name resolution is used</para></listitem>
<listitem><para>The samba server was renamed and restarted within the last 10-15 minutes</para></listitem>
<listitem><para>The old samba server name is still in the NetBIOS name cache on the MS Windows NT4 Workstation</para></listitem>
</itemizedlist>
<para>
To find what names are present in the NetBIOS name cache on the MS Windows NT4 machine,
open a cmd shell, then:
</para>
<para>
<screen>
C:\temp\&gt;nbtstat -n
NetBIOS Local Name Table
Name Type Status
------------------------------------------------
SLACK &lt;03&gt; UNIQUE Registered
ADMINISTRATOR &lt;03&gt; UNIQUE Registered
SLACK &lt;00&gt; UNIQUE Registered
SARDON &lt;00&gt; GROUP Registered
SLACK &lt;20&gt; UNIQUE Registered
SLACK &lt;1F&gt; UNIQUE Registered
C:\Temp\&gt;nbtstat -c
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
--------------------------------------------------------------
FRODO &lt;20&gt; UNIQUE 192.168.1.1 240
C:\Temp\&gt;
</screen>
</para>
<para>
In the above example, FRODO is the Samba server and SLACK is the MS Windows NT4 Workstation.
The first listing shows the contents of the Local Name Table (i.e.: Identity information on
the MS Windows workstation), the second shows the NetBIOS name in the NetBIOS name cache.
The name cache contains the remote machines known to this workstation.
</para>
</sect2>
</sect1>
</chapter>
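Review bot: a few grammar slips in the new Common Errors section: "no one is every deliberately careless" should be "ever"; "A common causes of slow network response includes" should be "Common causes of slow network response include"; "Firewall is filtering our DNS or WINS traffic" presumably means "filtering out DNS or WINS traffic". The `nbtstat` transcript mixes `C:\temp\` and `C:\Temp\` prompts; pick one. "samba server" and "samba was restarted" are lowercase in the name-change subsection while the same paragraph's explanation uses "Samba server".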

@ -15,6 +15,25 @@ some background information regarding trust relationships and how to create them
possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
trust relationships. This imparts to Samba similar scalability as is possible with
MS Windows NT4.
</para>
<para>
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts simply because by the very nature of how this works it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</para>
</sect1>
<sect1>
<title>Trust Relationship Background</title>
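Review bot: "given it's ability to run" should be "its" in the new Features and Benefits paragraph, and "This imparts to Samba similar scalability as is possible with MS Windows NT4" reads awkwardly; "gives Samba scalability similar to that of MS Windows NT4" says the same thing. "Interdomain" is capitalised mid-sentence here but lowercase elsewhere in the chapter ("interdomain trust relationship").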
@ -76,13 +95,15 @@ There are two steps to creating an interdomain trust relationship.
<title>NT4 as the Trusting Domain (ie. creating the trusted account)</title>
<para>
For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager.
To affect a two way trust relationship it is necessary for each domain administrator to make
available (for use by an external domain) it's security resources. This is done from the Domain
User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then
next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and
"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that
will be able to assign user rights to your domain. In addition it is necessary to enter a password
For MS Windows NT4, all domain trust relationships are configured using the
<application>Domain User Manager</application>. To affect a two way trust relationship it is
necessary for each domain administrator to make available (for use by an external domain) it's
security resources. This is done from the Domain User Manager Policies entry on the menu bar.
From the <guimenu>Policy</guimenu> menu, select <guimenuitem>Trust Relationships</guimenuitem>, then
next to the lower box that is labelled <guilabel>Permitted to Trust this Domain</guilabel> are two
buttons, <guibutton>Add</guibutton> and <guibutton>Remove</guibutton>. The <guibutton>Add</guibutton>
button will open a panel in which needs to be entered the remote domain that will be able to assign
user rights to your domain. In addition it is necessary to enter a password
that is specific to this trust relationship. The password needs to be
typed twice (for standard confirmation).
</para>
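Review bot: "To affect a two way trust relationship" should be "To effect" (bring about) and "it's security resources" should be "its"; both errors are carried over verbatim from the old lines even though the paragraph is being rewritten to add GUI markup. "two way" would normally be hyphenated as "two-way".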
@ -94,10 +115,11 @@ typed twice (for standard confirmation).
<para>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consumate the trust relationship the administrator will launch the
with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in
which must be entered the name of the remote domain as well as the password assigned to that trust.
<guibutton>Add</guibutton> button that is next to the box that is labelled
<guilabel>Trusted Domains</guilabel>. A panel will open in which must be entered the name of the remote
domain as well as the password assigned to that trust.
</para>
</sect2>
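Review bot: "from the menu select Policies, then select Trust Relationships" is left as plain text while the very next line wraps Add and Trusted Domains in guibutton/guilabel; for consistency with the previous hunk mark them as `<guimenu>Policies</guimenu>` and `<guimenuitem>Trust Relationships</guimenuitem>`.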
@ -126,21 +148,21 @@ between domains in purely Samba environment.
In order to set the Samba PDC to be the trusted party of the relationship first you need
to create special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
similiar to creating a trusted machine account. Suppose, your domain is
similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</para>
<para>
<screen>
<prompt>deity#</prompt> <userinput>smbpasswd -a -i rumba</userinput>
&rootprompt; <userinput>smbpasswd -a -i rumba</userinput>
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
</screen>
where <parameter>-a</parameter> means to add a new account into the
passdb database and <parameter>-i</parameter> means: ''create this
where <option>-a</option> means to add a new account into the
passdb database and <option>-i</option> means: ''create this
account with the InterDomain trust flag''
</para>
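Review bot: the explanation of the -i flag still uses doubled single quotes (''create this account with the InterDomain trust flag'') and has no terminating full stop; use `<quote>` as the rest of this commit does. The lead-in "to create special account" also needs an article ("a special account").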
@ -153,18 +175,21 @@ After issuing this command you'll be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the stardard way depending on your configuration) and see that account's name is
(in the standard way depending on your configuration) and see that account's name is
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</para>
<para>
Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'.
Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for
Open <application>User Manager for Domains</application> and from menu
<guimenu>Policies</guimenu> select <guimenuitem>Trust Relationships...</guimenuitem>.
Right beside <guilabel>Trusted domains</guilabel> list box press the
<guimenu>Add...</guimenu> button. You will be prompted for
the trusted domain name and the relationship password. Type in SAMBA, as this is
your domain name, and the password used at the time of account creation.
Press OK and, if everything went without incident, you will see 'Trusted domain relationship
successfully established' message.
Press OK and, if everything went without incident, you will see
<computeroutput>Trusted domain relationship successfully
established</computeroutput> message.
</para>
</sect2>
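Review bot: `<guimenu>Add...</guimenu>` marks a button as a menu; the first hunk in this file uses `<guibutton>Add</guibutton>` for the same control, so this should be `<guibutton>Add...</guibutton>`.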
@ -181,9 +206,11 @@ The very first thing requirement is to add an account for the SAMBA domain on RU
</para>
<para>
Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'.
Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted
domain (SAMBA) and password securing the relationship.
Launch the <application>Domain User Manager</application>, then from the menu select
<guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>.
Now, next to <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton>
button, and type in the name of the trusted domain (SAMBA) and password securing
the relationship.
</para>
<para>
@ -197,7 +224,7 @@ Using your favourite shell while being logged in as root, issue this command:
</para>
<para>
<prompt>deity# </prompt><userinput>net rpc trustdom establish rumba</userinput>
&rootprompt;<userinput>net rpc trustdom establish rumba</userinput>
</para>
<para>
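Review bot: `&rootprompt;<userinput>` has no space between the prompt entity and the command, whereas the smbpasswd listing earlier in this file uses `&rootprompt; <userinput>`; the command also sits in a bare `<para>` rather than a `<screen>`, so it will not render as a terminal line like that earlier example does.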
@ -207,8 +234,8 @@ Do not worry if you see an error message that mentions a returned code of
password you gave is correct and the NT4 Server says the account is
ready for interdomain connection and not for ordinary
connection. After that, be patient it can take a while (especially
in large networks), you should see the 'Success' message. Congratulations! Your trust
relationship has just been established.
in large networks), you should see the <computeroutput>Success</computeroutput> message.
Congratulations! Your trust relationship has just been established.
</para>
<note><para>
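Review bot: "After that, be patient it can take a while (especially in large networks), you should see the Success message" is a comma splice in the rewritten lines; suggest "After that, be patient: it can take a while (especially in large networks) before you see the <computeroutput>Success</computeroutput> message."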
@ -219,4 +246,48 @@ the <filename>secrets.tdb</filename> file.
</sect2>
</sect1>
<sect1>
<title>Common Errors</title>
<para>
Interdomain trust relationships should NOT be attempted on networks that are unstable
or that suffer regular outages. Network stability and integrity are key concerns with
distributed trusted domains.
</para>
<sect2>
<title>Tell me about Trust Relationships using Samba</title>
<para>
Like many, I administer multiple LANs connected together using NT trust
relationships. This was implemented about 4 years ago. I now have the
occasion to consider performing this same task again, but this time, I
would like to implement it solely through samba - no Microsoft PDCs
anywhere.
</para>
<para>
I have read documentation on samba.org regarding NT-style trust
relationships and am now wondering, can I do what I want to? I already
have successfully implemented 2 samba servers, but they are not PDCs.
They merely act as file servers. I seem to remember, and it appears to
be true (according to samba.org) that trust relationships are a
challenge.
</para>
<para>
Please provide any helpful feedback that you may have.
</para>
<para>
These are almost complete in Samba 3.0 snapshots. The main catch
is getting winbindd to be able to allocate UID/GIDs for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</para>
</sect2>
</sect1>
</chapter>
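Review bot: in the new Common Errors section the three question paragraphs ("Like many, I administer...", "I have read documentation...", "Please provide any helpful feedback...") and the answer paragraph ("These are almost complete in Samba 3.0 snapshots...") are all plain `<para>` elements, so a reader cannot tell where the quoted question ends and the Samba team's reply begins; wrap the question in `<quote>` or give it an attribution. The answer's "almost complete in Samba 3.0 snapshots" will also date quickly in a 3.0 release document; state which release the winbindd UID/GID allocation for trusted users lands in.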



@ -6,10 +6,10 @@
<title>Introduction to Samba</title>
<para><emphasis>
<para><quote>
"If you understand what you're doing, you're not learning anything."
-- Anonymous
</emphasis></para>
</quote></para>
<para>
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying
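Review bot: with `<emphasis>` replaced by `<quote>`, the literal double quotes kept around "If you understand what you're doing, you're not learning anything." will render as doubled quotation marks; drop them, as the Epilogue hunk later in this file does for its opening quote.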
@ -132,7 +132,7 @@ thinking?
</itemizedlist>
<para>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
http://www.samba.org). Optionally, you could just search mailing.unix.samba at http://groups.google.com
<ulink url="http://www.samba.org/">http://www.samba.org</ulink>).
</para>
</sect1>
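Review bot: the replacement line drops the sentence "Optionally, you could just search mailing.unix.samba at http://groups.google.com" along with the bare URL; if that was not intended, restore it as an `<ulink>`, since pointing people at the archives before they post is the point of this paragraph.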
@ -157,7 +157,7 @@ related to Samba: SMBFS and CIFS VFS. These are both available in the Linux ker
<listitem><para>
CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
is being actively developed for the upcoming version of the Linux kernel. The intent of this module
is to provide advanced network file system functionality including support for dfs (heirarchical
is to provide advanced network file system functionality including support for dfs (hierarchical
name space), secure per-user session establishment, safe distributed caching (oplock),
optional packet signing, Unicode and other internationalization improvements, and optional
Winbind (nsswitch) integration.
@ -171,8 +171,9 @@ nothing to do with acting as a file and print server for SMB/CIFS clients.
</para>
<para>
There are other Open Source CIFS client implementations, such as the jCIFS project
(jcifs.samba.org) which provides an SMB client toolkit written in Java.
There are other Open Source CIFS client implementations, such as the
<ulink url="http://jcifs.samba.org/">jCIFS project</ulink>
which provides an SMB client toolkit written in Java.
</para>
@ -226,9 +227,9 @@ up a single file. In general, SMB sessions are established in the following orde
</itemizedlist>
<para>
A good way to examine this process in depth is to try out SecurityFriday's SWB program
at http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html. It allows you to
walk through the establishment of a SMB/CIFS session step by step.
A good way to examine this process in depth is to try out
<ulink url="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html">SecurityFriday's SWB program</ulink>.
It allows you to walk through the establishment of a SMB/CIFS session step by step.
</para>
</sect1>
@ -236,8 +237,8 @@ walk through the establishment of a SMB/CIFS session step by step.
<sect1>
<title>Epilogue</title>
<para><emphasis>
"What's fundamentally wrong is that nobody ever had any taste when they
<para><quote>
What's fundamentally wrong is that nobody ever had any taste when they
did it. Microsoft has been very much into making the user interface look good,
but internally it's just a complete mess. And even people who program for Microsoft
and who have had years of experience, just don't know how it works internally.
@ -246,16 +247,16 @@ mess that fixing one bug might just break a hundred programs that depend on
that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested
in making money. They don't have anybody who takes pride in Windows 95 as an
operating system.
</emphasis></para>
</quote></para>
<para><emphasis>
<para><quote>
People inside Microsoft know it's a bad operating system and they still
continue obviously working on it because they want to get the next version out
because they want to have all these new features to sell more copies of the
system.
</emphasis></para>
</quote></para>
<para><emphasis>
<para><quote>
The problem with that is that over time, when you have this kind of approach,
and because nobody understands it, because nobody REALLY fixes bugs (other than
when they're really obvious), the end result is really messy. You can't trust
@ -265,11 +266,11 @@ fine and then once in a blue moon for some completely unknown reason, it's dead,
and nobody knows why. Not Microsoft, not the experienced user and certainly
not the completely clueless user who probably sits there shivering thinking
"What did I do wrong?" when they didn't do anything wrong at all.
</emphasis></para>
</quote></para>
<para><emphasis>
<para><quote>
That's what's really irritating to me."
</emphasis></para>
</quote></para>
<para>--
<ulink url="http://hr.uoregon.edu/davidrl/boot.txt">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</ulink>
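Review bot: now that each paragraph of the Torvalds quotation is wrapped in `<quote>`, the trailing literal `"` in "That's what's really irritating to me."" should go too, matching the removal of the opening `"` in the first paragraph of the Epilogue.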
@ -280,15 +281,10 @@ That's what's really irritating to me."
<sect1>
<title>Miscellaneous</title>
<para>
This chapter was lovingly handcrafted on a Dell Latitude C400 laptop running Slackware Linux 9.0,
in case anyone asks.
</para>
<!-- This really needs to go... -->
<!--FIXME: This really needs to go... -->
<para>
This chapter is Copyright &copy; 2003 David Lechnyr (david at lechnyr dot com).
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
Permission is granted to copy, distribute and/or modify this document under the terms
of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
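Review bot: http://www.gnu.org/licenses/fdl.txt is left as bare text even though this commit converts the other URLs in this file to `<ulink>`; wrap it the same way. Replacing `&copy;` with the word "Copyright" is fine for the notice itself, but if the symbol is wanted `&#169;` avoids depending on the ISO entity set.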


@ -16,8 +16,8 @@ Samba-3 based domain control.
<para>
In the IT world there is often a saying that all problems are encountered because of
poor planning. The corrollary to this saying is that not all problems can be anticpated
and planned for. Then again, good planning will anticpate most show stopper type situations.
poor planning. The corollary to this saying is that not all problems can be anticipated
and planned for. Then again, good planning will anticipate most show stopper type situations.
</para>
<para>
@ -44,26 +44,14 @@ should know precisely <emphasis>why</emphasis> the change is important for the o
Possible motivations to make a change include:
</para>
<itemizedlist>
<listitem>
<para>Improve network manageability</para>
</listitem>
<listitem>
<para>Obtain better user level functionality</para>
</listitem>
<listitem>
<para>Reduce network operating costs</para>
</listitem>
<listitem>
<para>Reduce exposure caused by Microsoft withdrawal of NT4 support</para>
</listitem>
<listitem>
<para>Avoid MS License 6 implications</para>
</listitem>
<listitem>
<para>Reduce organisation's dependency on Microsoft</para>
</listitem>
</itemizedlist>
<simplelist>
<member>Improve network manageability</member>
<member>Obtain better user level functionality</member>
<member>Reduce network operating costs</member>
<member>Reduce exposure caused by Microsoft withdrawal of NT4 support</member>
<member>Avoid MS License 6 implications</member>
<member>Reduce organisation's dependency on Microsoft</member>
</simplelist>
<para>
It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
@ -77,61 +65,31 @@ MS Windows 2000 and beyond (with or without Active Directory services).
What are the features that Samba-3 can NOT provide?
</para>
<itemizedlist>
<listitem>
<para>Active Directory Server</para>
</listitem>
<listitem>
<para>Group Policy Objects (in Active Direcrtory)</para>
</listitem>
<listitem>
<para>Machine Policy objects</para>
</listitem>
<listitem>
<para>Logon Scripts in Active Directorty</para>
</listitem>
<listitem>
<para>Software Application and Access Controls in Active Directory</para>
</listitem>
</itemizedlist>
<simplelist>
<member>Active Directory Server</member>
<member>Group Policy Objects (in Active Directory)</member>
<member>Machine Policy objects</member>
<member>Logon Scripts in Active Directory</member>
<member>Software Application and Access Controls in Active Directory</member>
</simplelist>
<para>
The features that Samba-3 DOES provide and that may be of compelling interest to your site
includes:
</para>
<itemizedlist>
<listitem>
<para>Lower Cost of Ownership</para>
</listitem>
<listitem>
<para>Global availability of support with no strings attached</para>
</listitem>
<listitem>
<para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para>
</listitem>
<listitem>
<para>Creation of on-the-fly logon scripts</para>
</listitem>
<listitem>
<para>Creation of on-the-fly Policy Files</para>
</listitem>
<listitem>
<para>Greater Stability, Reliability, Performance and Availability</para>
</listitem>
<listitem>
<para>Manageability via an ssh connection</para>
</listitem>
<listitem>
<para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para>
</listitem>
<listitem>
<para>Ability to implement a full single-signon architecture</para>
</listitem>
<listitem>
<para>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</para>
</listitem>
</itemizedlist>
<simplelist>
<member>Lower Cost of Ownership</member>
<member>Global availability of support with no strings attached</member>
<member>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</member>
<member>Creation of on-the-fly logon scripts</member>
<member>Creation of on-the-fly Policy Files</member>
<member>Greater Stability, Reliability, Performance and Availability</member>
<member>Manageability via an ssh connection</member>
<member>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</member>
<member>Ability to implement a full single-sign-on architecture</member>
<member>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</member>
</simplelist>
<para>
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
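Review bot: "Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)" needs a space and lower case after the abbreviation ("i.e. can run ..."), and the introductory sentence "The features that Samba-3 DOES provide ... includes:" should read "include" to agree with "features".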
@ -164,7 +122,7 @@ and network bandwidth.
A physical network segment may house several domains, each of which may span multiple network segments.
Where domains span routed network segments it is most advisable to consider and test the performance
implications of the design and layout of a network. A Centrally located domain controller that is being
designed to serve mulitple routed network segments may result in severe performance problems if the
designed to serve multiple routed network segments may result in severe performance problems if the
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
the local authentication and access control server.
@ -212,20 +170,20 @@ make sure that users will never be interrupted by the stupidity of complexity.
<title>Logon Scripts</title>
<para>
Please refer to the section of this document on Advanced Network Adminsitration for information
Please refer to the section of this document on Advanced Network Administration for information
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
all users gain share and printer connections they need.
</para>
<para>
Logon scripts can be created on-the-fly so that all commands executed are specific to the
rights and privilidges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logong script using
the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share.
rights and privileges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logon script using
the <parameter>root preexec</parameter> parameters to the <filename>NETLOGON</filename> share.
</para>
<para>
Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled
Some sites prefer to use a tool such as <command>kixstart</command> to establish a controlled
user environment. In any case you may wish to do a google search for logon script process controls.
In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
deals with how to add printers without user intervention via the logon script process.
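Review bot: "The preferred controls should be affected through group membership" should read "effected" (brought about), which the typo pass in this hunk missed; "a google search" should also be capitalised as "Google".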
@ -241,7 +199,7 @@ Management.
</para>
<para>
Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows
Profiles may also be managed using the Samba-3 tool <command>profiles</command>. This tool allows
the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
to be changed to the SID of the Samba-3 domain.
</para>
@ -283,39 +241,39 @@ Samba-3 set up as a DC with netlogon share, profile share, etc.
<substeps><step><para>Samba must NOT be running</para></step></substeps></step>
<step>
<para>rpcclient NT4PDC -U Administrator%passwd</para>
<para><userinput>rpcclient <replaceable>NT4PDC</replaceable> -U Administrator%<replaceable>passwd</replaceable></userinput></para>
<substeps><step><para>lsaquery</para></step>
<step><para>Note the SID returned</para></step>
</substeps>
</step>
<step><para>net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd</para>
<step><para><userinput>net getsid -S <replaceable>NT4PDC</replaceable> -w <replaceable>DOMNAME</replaceable> -U Administrator%<replaceable>passwd</replaceable></userinput></para>
<substeps><step><para>Note the SID</para></step></substeps>
</step>
<step><para>net getlocalsid</para>
<step><para><userinput>net getlocalsid</userinput></para>
<substeps>
<step><para>Note the SID, now check that all three SIDS reported are the same!</para></step>
</substeps>
</step>
<step><para>net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd</para></step>
<step><para><userinput>net rpc join -S <replaceable>NT4PDC</replaceable> -w <replaceable>DOMNAME</replaceable> -U Administrator%<replaceable>passwd</replaceable></userinput></para></step>
<step><para>net rpc vampire -S NT4PDC -U administrator%passwd</para></step>
<step><para><userinput>net rpc vampire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
<step><para>pdbedit -l</para>
<step><para><userinput>pdbedit -L</userinput></para>
<substeps><step><para>Note - did the users migrate?</para></step></substeps>
</step>
<step><para>initGrps.sh DOMNAME</para></step>
<step><para><userinput>initGrps.sh <replaceable>DOMNAME</replaceable></userinput></para></step>
<step><para>net groupmap list</para>
<step><para><userinput>net groupmap list</userinput></para>
<substeps><step><para>Now check that all groups are recognised</para></step></substeps>
</step>
<step><para>net rpc campire -S NT4PDC -U administrator%passwd</para></step>
<step><para><userinput>net rpc vampire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
<step><para>pdbedit -lv</para>
<step><para><userinput>pdbedit -Lv</userinput></para>
<substeps><step>
<para>Note - check that all group membership has been migrated</para>
</step></substeps>
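Review bot: every `-U Administrator%passwd` in this step list passes the domain administrator's password on the command line, where it is visible to other local users in process listings and is kept in the root shell's history; since the page is a migration checklist that will be followed verbatim, suggest `-U Administrator` and letting rpcclient and net prompt for the password. Two smaller points in the same hunk: `initGrps.sh <replaceable>DOMNAME</replaceable>` is invoked without any indication of where that script comes from or what it does (nothing in this file defines it), and the second `net rpc vampire` run after the group mapping step deserves a one-line substep saying why it is repeated (presumably to pick up group membership once the groups exist), so readers do not skip it as a duplicate.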
@ -356,7 +314,7 @@ based solution fit into three basic categories.
<title>Planning for Success</title>
<para>
There are three basic choices for sites that intend to migrate from MS Windwows NT4
There are three basic choices for sites that intend to migrate from MS Windows NT4
to Samba-3.
</para>
@ -440,6 +398,7 @@ No matter what choice you make, the following rules will minimise down-stream pr
<sect2>
<title>Samba Implementation Choices</title>
<!-- FIXME: Either a better layout or more written-out text-->
<para><programlisting>
Authentication database back end
Winbind (external Samba or NT4/200x server)
@ -447,13 +406,13 @@ Authentication database back end
External server could use Active Directory or NT4 Domain
Database type
smbpasswd, tdbsam, ldapsam, MySQLsam
smbpasswd, tdbsam, ldapsam, mysqlsam
Access Control Points
On the Share itself (Use NT4 Server Manager)
On the file system
Unix permissions on files and directories
Posix ACLs enablement in file system?
Enable Posix ACLs in file system?
Through Samba share parameters
Not recommended - except as only resort
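Review bot: "Not recommended - except as only resort" in the programlisting should read "except as a last resort"; the FIXME above the listing already flags that this outline needs to be written out as prose, so the wording fix could go in with that rewrite.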


@ -10,7 +10,7 @@
<para>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and / or across workgroups (or domains).
WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</para>
@ -32,10 +32,10 @@ hope it never returns!</emphasis>.
</para>
<para>
For many MS Windows network administrators that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking it's fickle
nature was just par for the course. For those who never quite managed to tame it's
lusty features NetBIOS is like Paterson's Curse.
For many MS Windows network administrators, that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
nature was just par for the course. For those who never quite managed to tame its
lusty features, NetBIOS is like Paterson's Curse.
</para>
<para>
@ -49,7 +49,7 @@ features which make it such a persistent weed.
<para>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
a particular focus on SMB as implmented through running NetBIOS (Network Basic
a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
@ -98,11 +98,12 @@ The technologies (or methods) employed in making all of this work includes:
</simplelist>
<para>
The samba application that controls/manages browse list management and name resolution is
The Samba application that controls browse list management and name resolution is
called <filename>nmbd</filename>. The configuration parameters involved in nmbd's operation are:
</para>
<para><programlisting>
<!--FIXME-->
Browsing options:
-----------------
* os level
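Review bot: `<filename>nmbd</filename>` marks a daemon as a file name; elsewhere in this commit programs are tagged `<command>` (kixstart, profiles), so use `<command>nmbd</command>` here and in the following hunk. The added `<!--FIXME-->` also says nothing about what is wrong with the parameter listing; give it a reason so it can be acted on.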
@ -128,9 +129,9 @@ called <filename>nmbd</filename>. The configuration parameters involved in nmbd'
</programlisting></para>
<para>
For Samba the WINS Server and WINS Support are mutually exclusive options. Those marked with
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
parameters is set nmbd will still do it's job.
parameters is set <filename>nmbd</filename> will still do it's job.
</para>
</sect1>
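Review bot: "nmbd will still do it's job" keeps the it's/its error in the rewritten line even though the earlier hunk in this file fixes exactly that error in the Paterson's Curse paragraph; change to "its job".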
@ -141,7 +142,7 @@ parameters is set nmbd will still do it's job.
<para>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
NetBIOS over TCP/IP for backwards compatibility. Microsoft are intent on phasing out NetBIOS
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</para>
@ -151,7 +152,7 @@ support.
<para>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
affect browse list management. When running NetBIOS over TCP/IP this uses UDP based messaging.
affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</para>
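Review bot: "NetBIOS based networking uses broadcast messaging to affect browse list management" should read "to effect browse list management" (broadcasts bring the browse list about, they do not merely influence it); the hunk only adds a comma and leaves this in place.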
@ -164,7 +165,7 @@ implements browse list collation using unicast UDP.
</para>
<para>
Secondly, in those networks where Samba is the only SMB server technology
Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <filename>nmbd</filename> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
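Review bot: "If each network segment is configured with it's own Samba WINS server" in the unchanged context line should read "its own"; worth fixing while this paragraph is being touched, given the same error was corrected a few hunks earlier.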
@ -183,11 +184,11 @@ the use of the <command>remote announce</command> and the
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
of one of the samba-3 release series.
of one of the Samba-3 release series.
</para>
<para>
Right now samba WINS does not support MS-WINS replication. This means that
Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <filename>nmbd</filename>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
@ -260,7 +261,7 @@ force register with a Dynamic DNS server in Windows 200x / XP using:
<para>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
essential. In the absence of a working DNS server that has been correctly configured
essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other,
consequently network services will be severely impaired.
</para>
@ -323,7 +324,7 @@ The following are some of the default service records that Active Directory requ
<listitem><para>_ldap._tcp.<emphasis>Site</emphasis>.gc.ms-dcs.<emphasis>DomainTree</emphasis></para>
<para>
Used by MS Windows clients to locate site configuration dependant
Used by MS Windows clients to locate site configuration dependent
Global Catalog server.
</para>
</listitem>
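Review bot: the record name in the unchanged line above the typo fix, `_ldap._tcp.Site.gc.ms-dcs.DomainTree`, does not match how Active Directory publishes its service records: the subdomain is `_msdcs` (leading underscore, no hyphen), and the site-specific global catalog record also carries a `_sites` label between the site name and `gc`. Since an administrator will create DNS entries from this list, verify each name against the Windows DNS documentation before shipping.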
@ -346,11 +347,11 @@ is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
</para>
<para>
In the case where there is no WINS server all name registrations as
In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
which the samba server name may be forcibly injected into the browse
which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<command>remote announce</command> parameter).
</para>
@ -389,7 +390,7 @@ inability to use the network services.
</para>
<para>
Samba supports a feature that allows forced synchonisation
Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <command>remote
browse sync</command> parameter in the <filename>smb.conf</filename> file.
This causes Samba to contact the local master browser on a remote network and
@ -418,7 +419,7 @@ to collate the browse lists from local master browsers on all the
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
subnet. It is the presense of a domain master browser that makes
subnet. It is the presence of a domain master browser that makes
cross subnet browsing possible for a workgroup.
</para>
@ -426,7 +427,8 @@ cross subnet browsing possible for a workgroup.
In an WORKGROUP environment the domain master browser must be a
Samba server, and there must only be one domain master browser per
workgroup name. To set up a Samba server as a domain master browser,
set the following option in the [global] section of the &smb.conf; file :
set the following option in the <parameter>[global]</parameter> section
of the &smb.conf; file :
</para>
<para>
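Review bot: `<parameter>[global]</parameter>` marks an smb.conf section as a parameter; `[global]` is the section that contains parameters such as `domain master`, so `<literal>[global]</literal>` (or plain text, as before) fits better. The same substitution is made in several later hunks of this file and should be changed consistently.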
@ -438,7 +440,7 @@ set the following option in the [global] section of the &smb.conf; file :
<para>
The domain master browser should also preferrably be the local master
browser for its own subnet. In order to achieve this set the following
options in the [global] section of the &smb.conf; file :
options in the <parameter>[global]</parameter> section of the &smb.conf; file :
</para>
<para>
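Review bot: "The domain master browser should also preferrably be the local master browser" in the context line has a spelling error ("preferably") that the typo pass in this file missed.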
@ -462,7 +464,7 @@ workgroup. Any MS Windows NT/2K/XP/2003 machine should be
able to do this, as will Windows 9x machines (although these
tend to get rebooted more often, so it's not such a good idea
to use these). To make a Samba server a local master browser
set the following options in the [global] section of the
set the following options in the <parameter>[global]</parameter> section of the
&smb.conf; file :
</para>
@ -482,9 +484,9 @@ master browser.
</para>
<para>
The <command>local master</command> parameter allows Samba to act as a
local master browser. The <command>preferred master</command> causes nmbd
to force a browser election on startup and the <command>os level</command>
The <parameter>local master</parameter> parameter allows Samba to act as a
local master browser. The <parameter>preferred master</parameter> causes nmbd
to force a browser election on startup and the <parameter>os level</parameter>
parameter sets Samba high enough so that it should win any browser elections.
</para>
@ -492,7 +494,7 @@ parameter sets Samba high enough so that it should win any browser elections.
If you have an NT machine on the subnet that you wish to
be the local master browser then you can disable Samba from
becoming a local master browser by setting the following
options in the <command>[global]</command> section of the
options in the <parameter>[global]</parameter> section of the
&smb.conf; file :
</para>
@ -513,8 +515,8 @@ options in the <command>[global]</command> section of the
<para>
If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a Domain
name is also the Domain master browser for that name, and many
By default, a Windows NT Primary Domain Controller for a domain
is also the Domain master browser for that domain, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (<replaceable>DOMAIN</replaceable>&lt;1B&gt;)
with WINS instead of the PDC.
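Review bot: capitalization of the role name is inconsistent in the rewritten sentence: the changed lines write "Domain master browser" with a capital D, while the rest of this section writes "domain master browser"; use lower case here too, since it is a role rather than a proper noun.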
@ -539,11 +541,11 @@ of the &smb.conf; file :
<para>
If you wish to have a Samba server fight the election with machines
on the same subnet you may set the <command>os level</command> parameter
on the same subnet you may set the <parameter>os level</parameter> parameter
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <link linkend="browse-force-master">
Forcing samba to be the master browser</link>
Forcing Samba to be the master browser</link>
below.
</para>
@ -552,7 +554,7 @@ If you have Windows NT machines that are members of the domain
on all subnets, and you are sure they will always be running then
you can disable Samba from taking part in browser elections and
ever becoming a local master browser by setting following options
in the <command>[global]</command> section of the &smb.conf;
in the <parameter>[global]</parameter> section of the &smb.conf;
file :
</para>
@ -568,10 +570,10 @@ file :
</sect2>
<sect2 id="browse-force-master">
<title>Forcing samba to be the master</title>
<title>Forcing Samba to be the master</title>
<para>
Who becomes the <command>master browser</command> is determined by an election
Who becomes the <parameter>master browser</parameter> is determined by an election
process using broadcasts. Each election packet contains a number of parameters
which determine what precedence (bias) a host should have in the
election. By default Samba uses a very low precedence and thus loses
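Review bot: `<parameter>master browser</parameter>` on the changed line is the wrong element: "master browser" is a role decided by the election, not an smb.conf setting, so the replaced `<command>` was equally off. Use plain text or `<emphasis>` here and keep `<parameter>` for real settings such as `os level`.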
@ -579,44 +581,44 @@ elections to just about anyone else.
</para>
<para>
If you want Samba to win elections then just set the <command>os level</command> global
If you want Samba to win elections then just set the <parameter>os level</parameter> global
option in &smb.conf; to a higher number. It defaults to 0. Using 34
would make it win all elections over every other system (except other
samba systems!)
</para>
<para>
A <command>os level</command> of 2 would make it beat WfWg and Win95, but not MS Windows
A <parameter>os level</parameter> of 2 would make it beat WfWg and Win95, but not MS Windows
NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
</para>
<para>The maximum os level is 255</para>
<para>
If you want samba to force an election on startup, then set the
<command>preferred master</command> global option in &smb.conf; to "yes". Samba will
If you want Samba to force an election on startup, then set the
<parameter>preferred master</parameter> global option in &smb.conf; to <constant>yes</constant>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are windows 95 or NT or
samba) on the same local subnet both set with <command>preferred master</command> to
"yes", then periodically and continually they will force an election
care, as if you have two hosts (whether they are Windows 95 or NT or
Samba) on the same local subnet both set with <parameter>preferred master</parameter> to
<constant>yes</constant>, then periodically and continually they will force an election
in order to become the local master browser.
</para>
<para>
If you want samba to be a <command>domain master browser</command>, then it is
recommended that you also set <command>preferred master</command> to "yes", because
samba will not become a domain master browser for the whole of your
If you want Samba to be a <parameter>domain master browser</parameter>, then it is
recommended that you also set <parameter>preferred master</parameter> to <constant>yes</constant>, because
Samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
</para>
<para>
It is possible to configure two samba servers to attempt to become
It is possible to configure two Samba servers to attempt to become
the domain master browser for a domain. The first server that comes
up will be the domain master browser. All other samba servers will
up will be the domain master browser. All other Samba servers will
attempt to become the domain master browser every 5 minutes. They
will find that another samba server is already the domain master
will find that another Samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.
</para>
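Review bot: the capitalization pass misses "samba systems!)" on the unchanged line right after "(except other", and `<parameter>domain master browser</parameter>` tags a role rather than a setting (the setting is `domain master`, as the next hunk shows with `domain master = yes`). Also "A <parameter>os level</parameter>" should read "An os level", and "The maximum os level is 255" wants the same `<parameter>` markup and a full stop.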
@ -624,36 +626,36 @@ the current domain master browser fail.
</sect2>
<sect2>
<title>Making samba the domain master</title>
<title>Making Samba the domain master</title>
<para>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
make samba act as the domain master by setting <command>domain master = yes</command>
make Samba act as the domain master by setting <parameter>domain master = yes</parameter>
in &smb.conf;. By default it will not be a domain master.
</para>
<para>
Note that you should NOT set Samba to be the domain master for a
Note that you should <emphasis>not</emphasis> set Samba to be the domain master for a
workgroup that has the same name as an NT Domain.
</para>
<para>
When samba is the domain master and the master browser it will listen
When Samba is the domain master and the master browser, it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.
</para>
<para>
If you want samba to be the domain master then I suggest you also set
the <command>os level</command> high enough to make sure it wins elections, and set
<command>preferred master</command> to "yes", to get samba to force an election on
If you want Samba to be the domain master then I suggest you also set
the <parameter>os level</parameter> high enough to make sure it wins elections, and set
<parameter>preferred master</parameter> to <constant>yes</constant>, to get Samba to force an election on
startup.
</para>
<para>
Note that all your servers (including samba) and clients should be
Note that all your servers (including Samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:
</para>
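Review bot: the warning "you should not set Samba to be the domain master for a workgroup that has the same name as an NT Domain" gives no reason; the earlier paragraph on the DOMAIN&lt;1B&gt; registration explains it, so add a `<link>` to that paragraph instead of leaving the reader to find it. The first-person "I suggest" in the last paragraph also sits oddly in a multi-author reference chapter; "it is recommended" matches the surrounding text.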
@ -676,15 +678,15 @@ using broadcasting to resolve NetBIOS names, then two things will occur:
</orderedlist>
<para>
If, however, both samba and your clients are using a WINS server, then:
If, however, both Samba and your clients are using a WINS server, then:
</para>
<orderedlist>
<listitem>
<para>
your local master browsers will contact the WINS server and, as long as
samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive samba's ip address
Samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive Samba's IP address
as its domain master browser.
</para>
</listitem>
@ -723,16 +725,16 @@ option in &smb.conf; to configure them.
</para>
</sect2>
<sect2>
<title>Use of the <command>Remote Announce</command> parameter</title>
<title>Use of the Remote Announce parameter</title>
<para>
The <command>remote announce</command> parameter of
The <parameter>remote announce</parameter> parameter of
<filename>smb.conf</filename> can be used to forcibly ensure
that all the NetBIOS names on a network get announced to a remote network.
The syntax of the <command>remote announce</command> parameter is:
The syntax of the <parameter>remote announce</parameter> parameter is:
<programlisting>
remote announce = a.b.c.d [e.f.g.h] ...
</programlisting>
_or_
<emphasis>or</emphasis>
<programlisting>
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
</programlisting>
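Review bot: the new title "Use of the Remote Announce parameter" drops markup entirely while the body tags the same name as `<parameter>remote announce</parameter>`; use `<parameter>` in the title too (the Remote Browse Sync title has the same issue). The unchanged line still writes `<filename>smb.conf</filename>` where this patch converts other occurrences to the `&smb.conf;` entity.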
@ -742,12 +744,12 @@ where:
<varlistentry><term><replaceable>a.b.c.d</replaceable> and
<replaceable>e.f.g.h</replaceable></term>
<listitem><para>is either the LMB (Local Master Browser) IP address
or the broadcst address of the remote network.
or the broadcast address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
address of the remote network every host will receive
address of the remote network, every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</para></listitem>
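Review bot: "ie: the LMB is at 192.168.1.10" introduces an example, so "e.g." is the right abbreviation on that unchanged line, and "NOT" in capitals two lines later should become `<emphasis>not</emphasis>` as this patch does in the domain master section.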
@ -769,18 +771,18 @@ name resolution problems and should be avoided.
</sect2>
<sect2>
<title>Use of the <command>Remote Browse Sync</command> parameter</title>
<title>Use of the Remote Browse Sync parameter</title>
<para>
The <command>remote browse sync</command> parameter of
The <parameter>remote browse sync</parameter> parameter of
<filename>smb.conf</filename> is used to announce to
another LMB that it must synchronise it's NetBIOS name list with our
another LMB that it must synchronise its NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
simultaneously the LMB on it's network segment.
simultaneously the LMB on its network segment.
</para>
<para>
The syntax of the <command>remote browse sync</command> parameter is:
The syntax of the <parameter>remote browse sync</parameter> parameter is:
<programlisting>
remote browse sync = <replaceable>a.b.c.d</replaceable>
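Review bot: "ONLY" in capitals on the unchanged line contradicts the `<emphasis>` convention this patch introduces elsewhere, and `<filename>smb.conf</filename>` on the line above it remains unconverted to `&smb.conf;`; both are worth fixing while the paragraph is being touched.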
@ -798,11 +800,11 @@ remote LMB or else is the network broadcast address of the remote segment.
<title>WINS - The Windows Internetworking Name Server</title>
<para>
Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers it's name together with a
name_type value for each of of several types of service it has available.
eg: It registers it's name directly as a unique (the type 0x03) name.
It also registers it's name if it is running the lanmanager compatible
Use of WINS (either Samba WINS <emphasis>or</emphasis> MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers its name together with a
name_type value for each of several types of service it has available.
eg: It registers its name directly as a unique (the type 0x03) name.
It also registers its name if it is running the LanManager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.
</para>
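Review bot: the section title still expands WINS as "Windows Internetworking Name Server"; the service is the Windows Internet Name Service, so correct the expansion while this paragraph is being edited. On the changed lines, "eg:" should be "e.g.", and `name_type` is a field name that reads better in `<literal>`.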
@ -821,7 +823,7 @@ that wants to log onto the network can ask the WINS server for a list
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
information can only be provided via WINS _or_ via statically configured
information can only be provided via WINS <emphasis>or</emphasis> via statically configured
<filename>lmhosts</filename> files that must reside on all clients in the
absence of WINS.
</para>
@ -848,18 +850,18 @@ errors.
<para>
To configure Samba as a WINS server just add
<command>wins support = yes</command> to the <filename>smb.conf</filename>
<parameter>wins support = yes</parameter> to the <filename>smb.conf</filename>
file [globals] section.
</para>
<para>
To configure Samba to register with a WINS server just add
"wins server = a.b.c.d" to your smb.conf file [globals] section.
<parameter>wins server = a.b.c.d</parameter> to your &smb.conf; file <parameter>[globals]</parameter> section.
</para>
<important><para>
Never use both <command>wins support = yes</command> together
with <command>wins server = a.b.c.d</command>
Never use both <parameter>wins support = yes</parameter> together
with <parameter>wins server = a.b.c.d</parameter>
particularly not using it's own IP address.
Specifying both will cause &nmbd; to refuse to start!
</para></important>
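Review bot: the apostrophe fix is incomplete: "particularly not using it's own IP address" on the unchanged line keeps the it's/its error this patch corrects elsewhere and should read "particularly not with its own IP address". The hunk also leaves `[globals]` on the first unchanged line untagged and `<filename>smb.conf</filename>` unconverted, while the next paragraph uses `<parameter>[globals]</parameter>` and `&smb.conf;`; the rest of the chapter writes `[global]`, so pick one spelling.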
@ -871,7 +873,7 @@ Specifying both will cause &nmbd; to refuse to start!
Either a Samba machine or a Windows NT Server machine may be set up
as a WINS server. To set a Samba machine to be a WINS server you must
add the following option to the &smb.conf; file on the selected machine :
in the [globals] section add the line
in the <parameter>[globals]</parameter> section add the line
</para>
<para>
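Review bot: `<parameter>[globals]</parameter>` on the changed line uses the `[globals]` spelling where the sections before and after this one write `[global]`; use the chapter's usual spelling so the reader does not wonder whether these are two different sections.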
@ -888,13 +890,13 @@ least set the parameter to 'no' on all these machines.
</para>
<para>
Machines with <command>wins support = yes</command> will keep a list of
Machines with <parameter>wins support = yes</parameter> will keep a list of
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
</para>
<para>
You should set up only ONE wins server. Do NOT set the
<command>wins support = yes</command> option on more than one Samba
You should set up only ONE WINS server. Do NOT set the
<parameter>wins support = yes</parameter> option on more than one Samba
server.
</para>
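Review bot: "ONLY" and "NOT" in capitals on the changed line should follow the `<emphasis>` convention introduced in this patch. "acting as a DNS for NetBIOS names" on the unchanged line is loose; WINS is a name service for NetBIOS names analogous to DNS, not a DNS, so "acting as the equivalent of DNS for NetBIOS names" is more accurate.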
@ -903,22 +905,22 @@ To set up a Windows NT Server as a WINS server you need to set up
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
refuse to document these replication protocols Samba cannot currently
refuses to document these replication protocols, Samba cannot currently
participate in these replications. It is possible in the future that
a Samba->Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
but currently only one Samba server should have the
<command>wins support = yes</command> parameter set.
<parameter>wins support = yes</parameter> parameter set.
</para>
<para>
After the WINS server has been configured you must ensure that all
machines participating on the network are configured with the address
of this WINS server. If your WINS server is a Samba machine, fill in
the Samba machine IP address in the "Primary WINS Server" field of
the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs
the Samba machine IP address in the <guilabel>Primary WINS Server</guilabel> field of
the <guilabel>Control Panel->Network->Protocols->TCP->WINS Server</guilabel> dialogs
in Windows 95 or Windows NT. To tell a Samba server the IP address
of the WINS server add the following line to the [global] section of
of the WINS server add the following line to the <parameter>[global]</parameter> section of
all &smb.conf; files :
</para>
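Review bot: the `<guilabel>` on the changed line wraps a navigation path; DocBook's `<menuchoice>` with `<guimenu>`/`<guimenuitem>` children is the element for "Control Panel -> Network -> Protocols -> TCP -> WINS Server", and `<guilabel>` should be kept for the single field "Primary WINS Server". "Samba->Samba WINS replication" on the unchanged line reads better as "Samba-to-Samba".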
@ -936,8 +938,8 @@ machine or its IP address.
<para>
Note that this line MUST NOT BE SET in the &smb.conf; file of the Samba
server acting as the WINS server itself. If you set both the
<command>wins support = yes</command> option and the
<command>wins server = &lt;name&gt;</command> option then
<parameter>wins support = yes</parameter> option and the
<parameter>wins server = &lt;name&gt;</parameter> option then
nmbd will fail to start.
</para>
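Review bot: "nmbd will fail to start" on the last unchanged line uses plain `nmbd` where the `<important>` block above uses the `&nmbd;` entity; use the entity here too. "MUST NOT BE SET" in capitals is another candidate for `<emphasis>`.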
@ -966,14 +968,41 @@ section of the documentation to provide usage and technical details.
<title>Static WINS Entries</title>
<para>
New to Samba-3 is a tool called <filename>winsedit</filename> that may be used to add
static WINS entries to the WINS database. This tool can be used also to modify entries
existing in the WINS database.
Adding static entries to your Samba-3 WINS server is actually fairly easy.
All you have to do is add a line to <filename>wins.dat</filename>, typically
located in <filename class="directory">/usr/local/samba/var/locks</filename>.
</para>
<para>
The development of the winsedit tool was made necessary due to the migration
of the older style wins.dat file into a new tdb binary backend data store.
Entries in <filename>wins.dat</filename> take the form of
<programlisting>
"NAME#TYPE" TTL ADDRESS+ FLAGS
</programlisting>
where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
time-to-live as an absolute time in seconds, ADDRESS+ is one or more
addresses corresponding to the registration and FLAGS are the NetBIOS
flags for the registration.
</para>
<para>
A typical dynamic entry looks like:
<programlisting>
"MADMAN#03" 1055298378 192.168.1.2 66R
</programlisting>
To make it static, all that has to be done is set the TTL to 0:
<programlisting>
"MADMAN#03" 0 192.168.1.2 66R
</programlisting>
</para>
<para>
Though this method works with early Samba-3 versions, there's a
possibility that it may change in future versions if WINS replication
is added.
</para>
</sect2>
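Review bot: the field description is ambiguous: "TTL is the time-to-live as an absolute time in seconds" conflicts with the sample value 1055298378, which is an expiry timestamp (seconds since the Unix epoch), not a duration; say "the expiry time as seconds since the epoch; 0 means the entry never expires", which is also what "set the TTL to 0" relies on. FLAGS is described only as "the NetBIOS flags" while the example shows `66R`; document what the digits and the trailing letter mean. The section also does not say whether nmbd must be stopped before `wins.dat` is edited, or what happens to a hand edit if nmbd rewrites the file while running; since this text replaces the removed winsedit description, that procedural detail is what a reader will need.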
@ -1002,7 +1031,7 @@ one protocol on an MS Windows machine.
<para>
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precidence for winning this election process. A machine running Samba or
of precedence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.
</para>
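Review bot: "retain it's role" on the unchanged line keeps the it's/its error that this patch fixes in other sections; change to "its role" in the same hunk.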
@ -1040,7 +1069,8 @@ The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
<para>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
are:</para>
are:
</para>
<simplelist>
<member>WINS: the best tool!</member>
@ -1049,20 +1079,22 @@ are:</para>
</simplelist>
<para>
Alternative means of name resolution includes:</para>
Alternative means of name resolution includes:
</para>
<simplelist>
<member>/etc/hosts: is static, hard to maintain, and lacks name_type info</member>
<member><filename>/etc/hosts</filename>: is static, hard to maintain, and lacks name_type info</member>
<member>DNS: is a good choice but lacks essential name_type info.</member>
</simplelist>
<para>
Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The "name resolve order" parameter is of great help here.
The syntax of the "name resolve order" parameter is:
resolution traffic. The <parameter>name resolve order</parameter> parameter is
of great help here. The syntax of the <parameter>name resolve order</parameter>
parameter is:
<programlisting>
name resolve order = wins lmhosts bcast host
</programlisting>
_or_
<emphasis>or</emphasis>
<programlisting>
name resolve order = wins lmhosts (eliminates bcast and host)
</programlisting>
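Review bot: the second `<programlisting>` mixes a comment into the configuration line: `name resolve order = wins lmhosts (eliminates bcast and host)` would be rejected if copied into smb.conf as written. Move "(eliminates bcast and host)" into the prose after the listing. It would also help to say why avoiding `bcast` matters beyond traffic: a broadcast query is answered by whichever host on the segment replies first, so listing `wins` and `lmhosts` ahead of it, or omitting it, keeps name resolution under the administrator's control. On the changed line, "Alternative means of name resolution includes:" should be "include:".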
@ -1082,7 +1114,7 @@ controlled by <filename>/etc/host.conf</filename>, <filename>/etc/nsswitch.conf<
<para>
SMB networking provides a mechanism by which clients can access a list
of machines in a network, a so-called <command>browse list</command>. This list
of machines in a network, a so-called <parameter>browse list</parameter>. This list
contains machines that are ready to offer file and/or print services
to other machines within the network. Thus it does not include
machines which aren't currently able to do server tasks. The browse
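Review bot: `<parameter>browse list</parameter>` on the changed line tags the concept ("a so-called browse list"), not the smb.conf setting of the same name; `<emphasis>` or `<firstterm>` is the appropriate element for a term being introduced.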
@ -1093,7 +1125,7 @@ document.
<para>
MS Windows 2000 and later, as with Samba 3 and later, can be
configured to not use NetBIOS over TCP/IP. When configured this way
configured to not use NetBIOS over TCP/IP. When configured this way,
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
configured and operative. Browsing will NOT work if name resolution
from SMB machine names to IP addresses does not function correctly.
@ -1107,7 +1139,7 @@ that can NOT be provided by any other means of name resolution.
</para>
<sect2>
<title>Browsing support in samba</title>
<title>Browsing support in Samba</title>
<para>
Samba facilitates browsing. The browsing is supported by &nmbd;
@ -1121,7 +1153,7 @@ Samba can also act as a domain master browser for a workgroup. This
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
both samba and your clients use a WINS server.
both Samba and your clients use a WINS server.
</para>
<para>
@ -1134,17 +1166,17 @@ that is providing this service.
<note><para>
Nmbd can be configured as a WINS server, but it is not
necessary to specifically use samba as your WINS server. MS Windows
necessary to specifically use Samba as your WINS server. MS Windows
NT4, Server or Advanced Server 2000 or 2003 can be configured as
your WINS server. In a mixed NT/2000/2003 server and samba environment on
your WINS server. In a mixed NT/2000/2003 server and Samba environment on
a Wide Area Network, it is recommended that you use the Microsoft
WINS server capabilities. In a samba-only environment, it is
WINS server capabilities. In a Samba-only environment, it is
recommended that you use one and only one Samba server as your WINS server.
</para></note>
<para>
To get browsing to work you need to run nmbd as usual, but will need
to use the <command>workgroup</command> option in &smb.conf;
to use the <parameter>workgroup</parameter> option in &smb.conf;
to control what workgroup Samba becomes a part of.
</para>
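Review bot: "Nmbd can be configured" on the unchanged first line of the note uses a capitalized plain name where the rest of the chapter uses `&nmbd;`. "MS Windows NT4, Server or Advanced Server 2000 or 2003" on the changed lines is hard to parse; "Windows NT4 Server, Windows 2000 Server or Advanced Server, or Windows Server 2003" says the same thing unambiguously.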
@ -1152,7 +1184,7 @@ to control what workgroup Samba becomes a part of.
Samba also has a useful option for a Samba server to offer itself for
browsing on another subnet. It is recommended that this option is only
used for 'unusual' purposes: announcements over the internet, for
example. See <command>remote announce</command> in the
example. See <parameter>remote announce</parameter> in the
&smb.conf; man page.
</para>
</sect2>
@ -1161,7 +1193,7 @@ example. See <command>remote announce</command> in the
<title>Problem resolution</title>
<para>
If something doesn't work then hopefully the log.nmb file will help
If something doesn't work then hopefully the log.nmbd file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called <filename>browse.dat</filename>.
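Review bot: the corrected file name `log.nmbd` should be wrapped in `<filename>` like `browse.dat` two lines later; the correction itself is right, since nmbd's log file is `log.nmbd`.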
@ -1175,7 +1207,7 @@ hit enter and filemanager should display the list of available shares.
<para>
Some people find browsing fails because they don't have the global
<command>guest account</command> set to a valid account. Remember that the
<parameter>guest account</parameter> set to a valid account. Remember that the
IPC$ connection that lists the shares is done as guest, and thus you must
have a valid guest account.
</para>
@ -1199,16 +1231,14 @@ in &smb.conf;)
<sect2>
<title>Browsing across subnets</title>
<para>
Since the release of Samba 1.9.17(alpha1) Samba has been
updated to enable it to support the replication of browse lists
across subnet boundaries. New code and options have been added to
achieve this. This section describes how to set this feature up
in different settings.
Since the release of Samba 1.9.17(alpha1), Samba has supported the
replication of browse lists across subnet boundaries. This section
describes how to set this feature up in different settings.
</para>
<para>
To see browse lists that span TCP/IP subnets (ie. networks separated
by routers that don't pass broadcast traffic) you must set up at least
by routers that don't pass broadcast traffic), you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
@ -1242,6 +1272,7 @@ Consider a network set up as follows :
</para>
<para>
<!-- FIXME: Convert this to diagram -->
<programlisting>
(DMB)
N1_A N1_B N1_C N1_D N1_E
@ -1265,7 +1296,7 @@ Consisting of 3 subnets (1, 2, 3) connected by two routers
(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
for the moment that all these machines are configured to be in the
same workgroup (for simplicities sake). Machine N1_C on subnet 1
same workgroup (for simplicity's sake). Machine N1_C on subnet 1
is configured as Domain Master Browser (ie. it will collate the
browse lists for the workgroup). Machine N2_D is configured as
WINS server and all the other machines are configured to register
@ -1312,15 +1343,20 @@ you looked in it on a particular network right now).
</para>
<para>
<programlisting>
Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E
<table frame="all">
<title>Browse subnet example 1</title>
<tgroup align="left" cols="3">
<thead>
<row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
</thead>
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
</programlisting>
<tbody>
<row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E</entry></row>
<row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D</entry></row>
<row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D</entry></row>
</tbody>
</tgroup>
</table>
</para>
<para>
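Review bot: the new `<table>` sits inside a `<para>`; a titled `<table>` is a block element and belongs between paragraphs, or should be an `<informaltable>` if it has to stay inline. The conversion is otherwise clean here, since both `<programlisting>` fences are removed; compare the later tables in this file, which keep a trailing `</programlisting>`.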
@ -1333,7 +1369,7 @@ Now examine subnet 2. As soon as N2_B has become the local
master browser it looks for a Domain master browser to synchronize
its browse list with. It does this by querying the WINS server
(N2_D) for the IP address associated with the NetBIOS name
WORKGROUP&lt;1B&gt;. This name was registerd by the Domain master
WORKGROUP&lt;1B&gt;. This name was registered by the Domain master
browser (N1_C) with the WINS server as soon as it was booted.
</para>
@ -1350,19 +1386,22 @@ are done the browse lists look like :
</para>
<para>
<programlisting>
Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
N2_A(*), N2_B(*), N2_C(*), N2_D(*)
<table frame="all">
<title>Browse subnet example 2</title>
<tgroup align="left" cols="3">
<thead>
<row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
</thead>
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
<tbody>
<row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</entry></row>
<row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</entry></row>
<row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D</entry></row>
</tbody>
</tgroup>
</table>
Servers with a (*) after them are non-authoritative names.
</programlisting>
</para>
<para>
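Review bot: `</programlisting>` survives at the end of this hunk while the table replaces its opening, so the result is either unbalanced markup or a `<table>` nested inside `<programlisting>`, which DocBook does not allow. Drop the remaining fence and move "Servers with a (*) after them are non-authoritative names." into its own `<para>` after the table.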
@ -1381,55 +1420,54 @@ the browse lists look like.
</para>
<para>
<programlisting>
Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
N2_A(*), N2_B(*), N2_C(*), N2_D(*),
N3_A(*), N3_B(*), N3_C(*), N3_D(*)
<table frame="all">
<title>Browse subnet example 3</title>
<tgroup cols="3" align="left">
<thead>
<row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
</thead>
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
N2_A(*), N2_B(*), N2_C(*), N2_D(*)
<tbody>
<row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</entry></row>
<row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</entry></row>
<row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</entry></row>
</tbody>
</tgroup>
</table>
Servers with a (*) after them are non-authoritative names.
</programlisting>
</para>
<para>
At this point users looking in their network neighborhood on
subnets 1 or 3 will see all the servers on all sunbets, users on
subnets 1 or 3 will see all the servers on all subnets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
</para>
<para>
Finally, the local master browser for subnet 2 (N2_B) will sync again
with the domain master browser (N1_C) and will recieve the missing
with the domain master browser (N1_C) and will receive the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :
</para>
<para>
<programlisting>
Subnet Browse Master List
------ ------------- ----
Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
N2_A(*), N2_B(*), N2_C(*), N2_D(*),
N3_A(*), N3_B(*), N3_C(*), N3_D(*)
<table frame="all">
<title>Browse subnet example 4</title>
<tgroup cols="3" align="left">
<thead>
<row><entry>Subnet</entry><entry>Browse Master</entry><entry>List</entry></row>
</thead>
Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
N3_A(*), N3_B(*), N3_C(*), N3_D(*)
Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
N2_A(*), N2_B(*), N2_C(*), N2_D(*)
<tbody>
<row><entry>Subnet1</entry><entry>N1_C</entry><entry>N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</entry></row>
<row><entry>Subnet2</entry><entry>N2_B</entry><entry>N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</entry></row>
<row><entry>Subnet3</entry><entry>N3_D</entry><entry>N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</entry></row>
</tbody>
</tgroup>
</table>
Servers with a (*) after them are non-authoritative names.
</programlisting>
</para>
<para>
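Review bot: the same problem appears twice in this hunk: both "Browse subnet example 3" and "Browse subnet example 4" leave "Servers with a (*) after them are non-authoritative names." followed by `</programlisting>` after the closing `</table>`, with no matching opening fence; move the sentence into a `<para>` and delete the stray close tag in both places. Also "Finally, the local master browser ... Finally - and as a steady state" repeats "Finally" in consecutive sentences; drop the first.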
@ -1475,17 +1513,17 @@ If either router R1 or R2 fails the following will occur:
<title>Common Errors</title>
<para>
Many questions are sked on the mailing lists regarding browsing. The majority of browsing
Many questions are asked on the mailing lists regarding browsing. The majority of browsing
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
particular note.
</para>
<sect2>
<title>How can one flush the Samba NetBIOS name cache without restarting samba?</title>
<title>How can one flush the Samba NetBIOS name cache without restarting Samba?</title>
<para>
Sambas' nmbd process controls all browse list handling. Under normal circumstances it is
safe to restart nmbd. This will effectively flush the samba NetBIOS name cache and cause it
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
in the browse list. When nmbd is taken out of service another machine on the network will
become the browse master. This new list may still have the rogue entry in it. If you really
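Review bot: "this does NOT make certain" on the unchanged line is another capitals-for-emphasis instance to convert to `<emphasis>`. The paragraph would also be more useful if it said where a "rogue machine name" comes from, so the reader understands why restarting nmbd merely hands the same list to the next browse master rather than fixing it.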
@ -1496,5 +1534,19 @@ This may take a long time on some networks (months).
</para>
</sect2>
<sect2>
<title>My client reports "This server is not configured to list shared resources"</title>
<para>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
</para>
<para>See also <parameter>guest account</parameter> in the &smb.conf; man page.</para>
</sect2>
</sect1>
</chapter>
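Review bot: "Check that your guest account is valid" in the new section does not say what valid means; state that `guest account` must name an existing UNIX user, that this user needs no privileges beyond what anonymous share listing requires, and point to `testparm` as the way to see which account is in effect. The `<parameter>guest account</parameter>` cross-reference to the &smb.conf; man page is good.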

View File

@ -14,7 +14,7 @@
<title>Macintosh clients?</title>
<para>
Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> now have a CIFS Client / Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE</ulink>
Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> now has a CIFS Client / Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE</ulink>
</para>
<para>
@ -27,10 +27,10 @@ enhanced, and there are bug-fixes included).
<para>
Alternatives - There are two free implementations of AppleTalk for
several kinds of UNIX machnes, and several more commercial ones.
several kinds of UNIX machines, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
the Macintosh. The two free omplementations are
the Macintosh. The two free implementations are
<ulink url="http://www.umich.edu/~rsug/netatalk/">Netatalk</ulink>, and
<ulink url="http://www.cs.mu.oz.au/appletalk/atalk.html">CAP</ulink>.
What Samba offers MS
@ -54,14 +54,11 @@ packages, Samba, and Linux (and other UNIX-based systems) see
<para>Basically, you need three components:</para>
<itemizedlist>
<listitem><para>The File and Print Client ('IBM Peer')
</para></listitem>
<listitem><para>TCP/IP ('Internet support')
</para></listitem>
<listitem><para>The "NetBIOS over TCP/IP" driver ('TCPBEUI')
</para></listitem>
</itemizedlist>
<simplelist>
<member>The File and Print Client ('IBM Peer')</member>
<member>TCP/IP ('Internet support') </member>
<member>The "NetBIOS over TCP/IP" driver ('TCPBEUI')</member>
</simplelist>
<para>Installing the first two together with the base operating
system on a blank system is explained in the Warp manual. If Warp
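Review bot: the second `<member>` in the new `<simplelist>` carries a trailing space before the closing tag (`<member>TCP/IP ('Internet support') </member>`), which the other two members do not; drop the space so the three entries are consistent.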
@ -113,41 +110,27 @@ packages, Samba, and Linux (and other UNIX-based systems) see
</para>
</sect2>
<sect2>
<title>Are there any other issues when OS/2 (any version)
is used as a client?</title>
<para>When you do a NET VIEW or use the "File and Print
Client Resource Browser", no Samba servers show up. This can
be fixed by a patch from <ulink
url="http://carol.wins.uva.nl/~leeuw/samba/fix.html">
http://carol.wins.uva.nl/~leeuw/samba/fix.html</ulink>.
The patch will be included in a later version of Samba. It also
fixes a couple of other problems, such as preserving long
filenames when objects are dragged from the Workplace Shell
to the Samba server. </para>
</sect2>
<sect2>
<title>How do I get printer driver download working
for OS/2 clients?</title>
<para>First, create a share called [PRINTDRV] that is
<para>First, create a share called <parameter>[PRINTDRV]</parameter> that is
world-readable. Copy your OS/2 driver files there. Note
that the .EA_ files must still be separate, so you will need
to use the original install files, and not copy an installed
driver from an OS/2 system.</para>
<para>Install the NT driver first for that printer. Then,
add to your smb.conf a parameter, os2 driver map =
<replaceable>filename</replaceable>". Then, in the file
add to your &smb.conf; a parameter, <parameter>os2 driver map =
<replaceable>filename</replaceable></parameter>. Then, in the file
specified by <replaceable>filename</replaceable>, map the
name of the NT driver name to the OS/2 driver name as
follows:</para>
<para><command>nt driver name = os2 "driver
name"."device name"</command>, e.g.:
HP LaserJet 5L = LASERJET.HP LaserJet 5L</para>
<para><parameter><replaceable>nt driver name</replaceable> = <replaceable>os2 driver name</replaceable>.<replaceable>device name</replaceable></parameter>, e.g.:</para>
<para><parameter>
HP LaserJet 5L = LASERJET.HP LaserJet 5L</parameter></para>
<para>You can have multiple drivers mapped in this file.</para>
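Review bot: the removed "Are there any other issues when OS/2 (any version) is used as a client?" section was the only pointer to the fix for Samba servers not showing up in NET VIEW, and its text said the patch "will be included in a later version of Samba"; the commit message should confirm the patch has actually been merged, otherwise OS/2 readers lose their only remedy without explanation. In the retained printer-driver text, `<parameter>[PRINTDRV]</parameter>` tags a share name as an smb.conf parameter; a share name is not a parameter, so either plain text or a different element would be more accurate, while `os2 driver map` and `nt acl support` elsewhere in this change are correctly tagged `<parameter>`.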
@ -167,8 +150,8 @@ packages, Samba, and Linux (and other UNIX-based systems) see
<sect2>
<title>Use latest TCP/IP stack from Microsoft</title>
<para>Use the latest TCP/IP stack from microsoft if you use Windows
for workgroups.
<para>Use the latest TCP/IP stack from Microsoft if you use Windows
for Workgroups.
</para>
<para>The early TCP/IP stacks had lots of bugs.</para>
@ -176,10 +159,16 @@ for workgroups.
<para>
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
VxD drivers. The latest release can be found on their ftp site at
ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe.
ftp.microsoft.com, located in <filename>/peropsys/windows/public/tcpip/wfwt32.exe</filename>.
There is an update.txt file there that describes the problems that were
fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386,
WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.
fixed. New files include <filename>WINSOCK.DLL</filename>,
<filename>TELNET.EXE</filename>,
<filename>WSOCK.386</filename>,
<filename>VNBT.386</filename>,
<filename>WSTCP.386</filename>,
<filename>TRACERT.EXE</filename>,
<filename>NETSTAT.EXE</filename>, and
<filename>NBTSTAT.EXE</filename>.
</para>
</sect2>
@ -210,10 +199,11 @@ Often WfWg will totally ignore a password you give it in a dialog box.
<para>
There is a program call admincfg.exe
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon
for it via the "Progam Manager" "New" Menu. This program allows you
to control how WFW handles passwords. ie disable Password Caching etc
for use with <command>security = user</command>
type <userinput>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</userinput>.
Then add an icon
for it via the <application>Program Manager</application> <guimenu>New</guimenu> Menu.
This program allows you to control how WFW handles passwords. ie disable Password Caching etc
for use with <parameter>security = user</parameter>
</para>
</sect2>
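Review bot: the rewritten line still reads "ie disable Password Caching etc" and the paragraph ends without a full stop after `<parameter>security = user</parameter>`; suggest "i.e. disable password caching, etc." and a closing period. The unchanged context line "There is a program call admincfg.exe" should also read "called" while this paragraph is being touched.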
@ -221,7 +211,7 @@ for use with <command>security = user</command>
<sect2>
<title>Case handling of passwords</title>
<para>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <ulink url="smb.conf.5.html">smb.conf(5)</ulink> information on <command>password level</command> to specify what characters samba should try to uppercase when checking.</para>
<para>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <ulink url="smb.conf.5.html">smb.conf(5)</ulink> information on <parameter>password level</parameter> to specify what characters samba should try to uppercase when checking.</para>
</sect2>
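Review bot: the rewritten "Case handling of passwords" line keeps lowercase "samba" in "what characters samba should try to uppercase", while the rest of this commit capitalizes the project name (see the browsing FAQ hunk above); change it to "Samba" for consistency.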
@ -230,7 +220,7 @@ for use with <command>security = user</command>
<para>To support print queue reporting you may find
that you have to use TCP/IP as the default protocol under
WfWg. For some reason if you leave Netbeui as the default
WfWg. For some reason if you leave NetBEUI as the default
it may break the print queue reporting on some systems.
It is presumably a WfWg bug.</para>
@ -240,15 +230,16 @@ It is presumably a WfWg bug.</para>
<title>Speed improvement</title>
<para>
Note that some people have found that setting DefaultRcvWindow in
the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a
Note that some people have found that setting <parameter>DefaultRcvWindow</parameter> in
the <parameter>[MSTCP]</parameter> section of the
<filename>SYSTEM.INI</filename> file under WfWg to 3072 gives a
big improvement. I don't know why.
</para>
<para>
My own experience wth DefaultRcvWindow is that I get much better
My own experience with DefaultRcvWindow is that I get much better
performance with a large value (16384 or larger). Other people have
reported that anything over 3072 slows things down enourmously. One
reported that anything over 3072 slows things down enormously. One
person even reported a speed drop of a factor of 30 when he went from
3072 to 8192. I don't know why.
</para>
@ -270,18 +261,19 @@ Microsoft Web site for all currently available updates to your specific version
of Windows 95.
</para>
<orderedlist>
<listitem><para>Kernel Update: KRNLUPD.EXE</para></listitem>
<listitem><para>Ping Fix: PINGUPD.EXE</para></listitem>
<listitem><para>RPC Update: RPCRTUPD.EXE</para></listitem>
<listitem><para>TCP/IP Update: VIPUPD.EXE</para></listitem>
<listitem><para>Redirector Update: VRDRUPD.EXE</para></listitem>
</orderedlist>
<simplelist>
<member>Kernel Update: KRNLUPD.EXE</member>
<member>Ping Fix: PINGUPD.EXE</member>
<member>RPC Update: RPCRTUPD.EXE</member>
<member>TCP/IP Update: VIPUPD.EXE</member>
<member>Redirector Update: VRDRUPD.EXE</member>
</simplelist>
<para>
Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This
Also, if using <application>MS Outlook</application> it is desirable to
install the <command>OLEUPD.EXE</command> fix. This
fix may stop your machine from hanging for an extended period when exiting
OutLook and you may also notice a significant speedup when accessing network
Outlook and you may also notice a significant speedup when accessing network
neighborhood services.
</para>
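Review bot: `<command>OLEUPD.EXE</command>` tags a downloadable fix file as a command, whereas the WfWg hunk earlier in this change tags the comparable update files (`TRACERT.EXE`, `NBTSTAT.EXE`, ...) with `<filename>`; use `<filename>` here, and consider the same for the five update files in the new `<simplelist>`, so the markup means the same thing throughout the chapter.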
@ -290,7 +282,7 @@ neighborhood services.
<para>
Configure the win95 TCPIP registry settings to give better
performance. I use a program called MTUSPEED.exe which I got off the
performance. I use a program called <command>MTUSPEED.exe</command> which I got off the
net. There are various other utilities of this type freely available.
</para>
@ -312,7 +304,7 @@ likely occur if it is not.
<para>
In order to serve profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have
<command>nt acl support = no</command>
<parameter>nt acl support = no</parameter>
added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
@ -320,7 +312,7 @@ Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc...). See the
<ulink url="smb.conf.5.html">smb.conf(5)</ulink> man page
for more details on this option. Also note that the
<command>nt acl support</command> parameter was formally a global parameter in
<parameter>nt acl support</parameter> parameter was formally a global parameter in
releases prior to Samba 2.2.2.
</para>
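Review bot: "was formally a global parameter" on the rewritten line should be "formerly"; the misspelling was carried over from the old `<command>` line while only the tag was changed.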
@ -343,17 +335,17 @@ the security descriptor for the profile which contains
the Samba server's SID, and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different that the one assigned to DOMAIN\user. Hence the reason
for the "access denied" message.
for the <errorname>access denied</errorname> message.
</para>
<para>
By disabling the <command>nt acl support</command> parameter, Samba will send
By disabling the <parameter>nt acl support</parameter> parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes
</para>
<para><command>DOMAIN\user "Full Control"</command></para>
<para><emphasis>DOMAIN\user "Full Control"</emphasis>></para>
<note><para>This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</para></note>
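Review bot: the rewritten line `<para><emphasis>DOMAIN\user "Full Control"</emphasis>></para>` has a stray `>` after `</emphasis>` that will render as a literal greater-than sign in the output; remove it. In the surrounding context, "different that the one assigned to DOMAIN\user" should read "different than".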

@ -1,46 +1,462 @@
<chapter id="pam">
<chapterinfo>
&author.jht;
<pubdate> (Jun 21 2001) </pubdate>
<author>
<firstname>Stephen</firstname><surname>Langasek</surname>
<affiliation>
<address><email>vorlon@netexpress.net</email></address>
</affiliation>
</author>
<pubdate>May 31, 2003</pubdate>
</chapterinfo>
<title>PAM Configuration for Centrally Managed Authentication</title>
<sect1>
<title>Samba and PAM</title>
<title>PAM based Distributed Authentication</title>
<para>
A number of Unix systems (eg: Sun Solaris), as well as the
xxxxBSD family and Linux, now utilize the Pluggable Authentication
Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the
introduction of PAM, a decision to use an alternative to
the system password database (<filename>/etc/passwd</filename>)
would require the provision of alternatives for all programs that provide
security services. Such a choice would involve provision of
alternatives to such programs as: <command>login</command>,
This chapter you should help you to deploy winbind based authentication on any PAM enabled
Unix/Linux system. Winbind can be used to enable user level application access authentication
from any MS Windows NT Domain, MS Windows 200x Active Directory based domain, or any Samba
based domain environment. It will also help you to configure PAM based local host access
controls that are appropriate to your Samba configuration.
</para>
<para>
In addition to knowing how to configure winbind into PAM, you will learn generic PAM management
possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.
</para>
<note><para>
The use of Winbind require more than PAM configuration alone. Please refer to <link linkend="winbind">the Winbind chapter</link>.
</para></note>
<sect1>
<title>Features and Benefits</title>
<para>
A number of Unix systems (eg: Sun Solaris), as well as the xxxxBSD family and Linux,
now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the introduction of PAM, a decision
to use an alternative to the system password database (<filename>/etc/passwd</filename>)
would require the provision of alternatives for all programs that provide security services.
Such a choice would involve provision of alternatives to such programs as: <command>login</command>,
<command>passwd</command>, <command>chown</command>, etc.
</para>
<para>
PAM provides a mechanism that disconnects these security programs
from the underlying authentication/authorization infrastructure.
PAM is configured either through one file <filename>/etc/pam.conf</filename> (Solaris),
or by editing individual files that are located in <filename>/etc/pam.d</filename>.
PAM provides a mechanism that disconnects these security programs from the underlying
authentication/authorization infrastructure. PAM is configured either through one file
<filename>/etc/pam.conf</filename> (Solaris), or by editing individual files that are
located in <filename>/etc/pam.d</filename>.
</para>
<para>
On PAM enabled Unix/Linux systems it is an easy matter to configure the system to use any
authentication backend, so long as the appropriate dynamically loadable library modules
are available for it. The backend may be local to the system, or may be centralised on a
remote server.
</para>
<para>
PAM support modules are available for:
</para>
<variablelist>
<varlistentry><term><filename>/etc/passwd</filename></term><listitem><para>-</para>
<para>
There are several PAM modules that interact with this standard Unix user
database. The most common are called: pam_unix.so, pam_unix2.so, pam_pwdb.so
and pam_userdb.so.
</para>
</listitem></varlistentry>
<varlistentry><term>Kerberos</term><listitem><para>-</para>
<para>
The pam_krb5.so module allows the use of any Kerberos compliant server.
This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
Microsoft Active Directory (if enabled).
</para>
</listitem></varlistentry>
<varlistentry><term>LDAP</term><listitem><para>-</para>
<para>
The pam_ldap.so module allows the use of any LDAP v2 or v3 compatible backend
server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1,
Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory.
</para>
</listitem></varlistentry>
<varlistentry><term>NetWare Bindery</term><listitem><para>-</para>
<para>
The pam_ncp_auth.so module allows authentication off any bindery enabled
NetWare Core Protocol based server.
</para>
</listitem></varlistentry>
<varlistentry><term>SMB Password</term><listitem><para>-</para>
<para>
This module, called pam_smbpass.so, will allow user authentication off
the passdb backend that is configured in the Samba &smb.conf; file.
</para>
</listitem></varlistentry>
<varlistentry><term>SMB Server</term><listitem><para>-</para>
<para>
The pam_smb_auth.so module is the original MS Windows networking authentication
tool. This module has been somewhat outdated by the Winbind module.
</para>
</listitem></varlistentry>
<varlistentry><term>Winbind</term><listitem><para>-</para>
<para>
The pam_winbind.so module allows Samba to obtain authentication from any
MS Windows Domain Controller. It can just as easily be used to authenticate
users for access to any PAM enabled application.
</para>
</listitem></varlistentry>
<varlistentry><term>RADIUS</term><listitem><para>-</para>
<para>
There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
module. In most cases the administrator will need to locate the source code
for this tool and compile and install it themselves. RADIUS protocols are
used by many routers and terminal servers.
</para>
</listitem></varlistentry>
</variablelist>
<para>
Of the above, Samba provides the pam_smbpasswd.so and the pam_winbind.so modules alone.
</para>
<para>
Once configured, these permit a remarkable level of flexibility in the location and use
of distributed samba domain controllers that can provide wide are network bandwidth
efficient authentication services for PAM capable systems. In effect, this allows the
deployment of centrally managed and maintained distributed authentication from a single
user account database.
</para>
</sect1>
<sect1>
<title>Technical Discussion</title>
<para>
PAM is designed to provide the system administrator with a great deal of flexibility in
configuration of the privilege granting applications of their system. The local
configuration of system security controlled by PAM is contained in one of two places:
either the single system file, /etc/pam.conf; or the /etc/pam.d/ directory.
</para>
<sect2>
<title>PAM Configuration Syntax</title>
<para>
In this section we discuss the correct syntax of and generic options respected by entries to these files.
PAM specific tokens in the configuration file are case insensitive. The module paths, however, are case
sensitive since they indicate a file's name and reflect the case dependence of typical file-systems.
The case-sensitivity of the arguments to any given module is defined for each module in turn.
</para>
<para>
In addition to the lines described below, there are two special characters provided for the convenience
of the system administrator: comments are preceded by a `#' and extend to the next end-of-line; also,
module specification lines may be extended with a `\' escaped newline.
</para>
<note>
<para>
If the PAM authentication module (loadable link library file) is located in the
default location then it is not necessary to specify the path. In the case of
Linux, the default location is <filename>/lib/security</filename>. If the module
is located outside the default then the path must be specified as:
<programlisting>
auth required /other_path/pam_strange_module.so
</programlisting>
</para>
</note>
<para>
<screen>
auth required /other_path/pam_strange_module.so
</screen>
</para>
<sect3>
<title>Anatomy of <filename>/etc/pam.d</filename> Entries</title>
<para>
The remaining information in this subsection was taken from the documentation of the Linux-PAM
project. For more information on PAM, see
<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">
http://ftp.kernel.org/pub/linux/libs/pam</ulink> The Official Linux-PAM home page.
</para>
<para>
A general configuration line of the /etc/pam.conf file has the following form:
</para>
<para>
<screen>
service-name module-type control-flag module-path args
</screen>
</para>
<para>
Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
way of configuring Linux-PAM is via the contents of the <filename>/etc/pam.d/</filename> directory.
Once we have explained the meaning of the above tokens, we will describe this method.
</para>
<variablelist>
<varlistentry><term>service-name</term><listitem><para>-</para>
<para>
The name of the service associated with this entry. Frequently the service name is the conventional
name of the given application. For example, `ftpd', `rlogind' and `su', etc. .
</para>
<para>
There is a special service-name, reserved for defining a default authentication mechanism. It has
the name `OTHER' and may be specified in either lower or upper case characters. Note, when there
is a module specified for a named service, the `OTHER' entries are ignored.
</para></listitem>
</varlistentry>
<varlistentry><term>module-type</term><listitem><para>-</para>
<para>
One of (currently) four types of module. The four types are as follows:
</para>
<itemizedlist>
<listitem><para>
<emphasis>auth:</emphasis> this module type provides two aspects of authenticating the user.
Firstly, it establishes that the user is who they claim to be, by instructing the application
to prompt the user for a password or other means of identification. Secondly, the module can
grant group membership (independently of the <filename>/etc/groups</filename> file discussed
above) or other privileges through its credential granting properties.
</para></listitem>
<listitem><para>
<emphasis>account:</emphasis> this module performs non-authentication based account management.
It is typically used to restrict/permit access to a service based on the time of day, currently
available system resources (maximum number of users) or perhaps the location of the applicant
user `root' login only on the console.
</para></listitem>
<listitem><para>
<emphasis>session:</emphasis> primarily, this module is associated with doing things that need
to be done for the user before/after they can be given service. Such things include the logging
of information concerning the opening/closing of some data exchange with a user, mounting
directories, etc.
</para></listitem>
<listitem><para>
<emphasis>password:</emphasis> this last module type is required for updating the authentication
token associated with the user. Typically, there is one module for each `challenge/response'
based authentication (auth) module-type.
</para></listitem>
</itemizedlist></listitem>
</varlistentry>
<varlistentry><term>control-flag</term><listitem><para>-</para>
<para>
The control-flag is used to indicate how the PAM library will react to the success or failure of the
module it is associated with. Since modules can be stacked (modules of the same type execute in series,
one after another), the control-flags determine the relative importance of each module. The application
is not made aware of the individual success or failure of modules listed in the
<filename>/etc/pam.conf</filename> file. Instead, it receives a summary success or fail response from
the Linux-PAM library. The order of execution of these modules is that of the entries in the
<filename>/etc/pam.conf</filename> file; earlier entries are executed before later ones.
As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes.
</para>
<para>
The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
severity of concern associated with the success or failure of a specific module. There are four such
<emphasis>keywords: required, requisite, sufficient and optional</emphasis>.
</para>
<para>
The Linux-PAM library interprets these keywords in the following manner:
</para>
<itemizedlist>
<listitem><para>
<emphasis>required:</emphasis> this indicates that the success of the module is required for the
module-type facility to succeed. Failure of this module will not be apparent to the user until all
of the remaining modules (of the same module-type) have been executed.
</para></listitem>
<listitem><para>
<emphasis>requisite:</emphasis> like required, however, in the case that such a module returns a
failure, control is directly returned to the application. The return value is that associated with
the first required or requisite module to fail. Note, this flag can be used to protect against the
possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
conceivable that such behavior might inform an attacker of valid accounts on a system. This
possibility should be weighed against the not insignificant concerns of exposing a sensitive
password in a hostile environment.
</para></listitem>
<listitem><para>
<emphasis>sufficient:</emphasis> the success of this module is deemed `sufficient' to satisfy
the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no
previous required module has failed, no more `stacked' modules of this type are invoked. (Note,
in this case subsequent required modules are not invoked.). A failure of this module is not deemed
as fatal to satisfying the application that this module-type has succeeded.
</para></listitem>
<listitem><para>
<emphasis>optional:</emphasis> as its name suggests, this control-flag marks the module as not
being critical to the success or failure of the user's application for service. In general,
Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
However, in the absence of any definite successes or failures of previous or subsequent stacked
modules this module will determine the nature of the response to the application. One example of
this latter case, is when the other modules return something like PAM_IGNORE.
</para></listitem>
</itemizedlist>
<para>
The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
over how the user is authenticated. This form of the control flag is delimited with square brackets and
consists of a series of value=action tokens:
</para>
<para><screen>
[value1=action1 value2=action2 ...]
</screen></para>
<para>
Here, value1 is one of the following return values: success; open_err; symbol_err; service_err;
system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries;
new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
authtok_err; authtok_recover_err; authtok_lock_busy; authtok_disable_aging; try_again; ignore; abort;
authtok_expired; module_unknown; bad_item; and default. The last of these (default) can be used to set
the action for those return values that are not explicitly defined.
</para>
<para>
The action1 can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
reactions of individual modules.
</para>
<itemizedlist>
<listitem><para>
<emphasis>ignore:</emphasis> when used with a stack of modules, the module's return status will not
contribute to the return code the application obtains.
</para></listitem>
<listitem><para>
<emphasis>bad:</emphasis> this action indicates that the return code should be thought of as indicative
of the module failing. If this module is the first in the stack to fail, its status value will be used
for that of the whole stack.
</para></listitem>
<listitem><para>
<emphasis>die:</emphasis> equivalent to bad with the side effect of terminating the module stack and
PAM immediately returning to the application.
</para></listitem>
<listitem><para>
<emphasis>ok:</emphasis> this tells PAM that the administrator thinks this return code should
contribute directly to the return code of the full stack of modules. In other words, if the former
state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
this value. Note, if the former state of the stack holds some value that is indicative of a modules
failure, this 'ok' value will not be used to override that value.
</para></listitem>
<listitem><para>
<emphasis>done:</emphasis> equivalent to ok with the side effect of terminating the module stack and
PAM immediately returning to the application.
</para></listitem>
<listitem><para>
<emphasis>reset:</emphasis> clear all memory of the state of the module stack and start again with
the next stacked module.
</para></listitem>
</itemizedlist>
<para>
Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in
terms of the [...] syntax. They are as follows:
</para>
<para>
<itemizedlist>
<listitem><para>
required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
</para></listitem>
<listitem><para>
requisite is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=die]
</para></listitem>
<listitem><para>
sufficient is equivalent to [success=done new_authtok_reqd=done default=ignore]
</para></listitem>
<listitem><para>
optional is equivalent to [success=ok new_authtok_reqd=ok default=ignore]
</para></listitem>
</itemizedlist>
</para>
<para>
Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
machine-machine authentication using the transport protocol inherent to the client/server application. With the
<emphasis>[ ... value=action ... ]</emphasis> control syntax, it is possible for an application to be configured
to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication
mode for older, legacy, applications.
</para>
</listitem>
</varlistentry>
<varlistentry><term>module-path</term><listitem><para>-</para>
<para>
The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
module path is `/', it is assumed to be a complete path. If this is not the case, the given module path is appended
to the default module path: <filename>/lib/security</filename> (but see the notes above).
</para>
<para>
The args are a list of tokens that are passed to the module when it is invoked. Much like arguments to a typical
Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
are ignored by a module, however, when encountering an invalid argument, the module is required to write an error
to syslog(3). For a list of generic options see the next section.
</para>
<para>
Note, if you wish to include spaces in an argument, you should surround that argument with square brackets. For example:
</para>
<para><screen>
squid auth required pam_mysql.so user=passwd_query passwd=mada \
db=eminence [query=select user_name from internet_service where \
user_name='%u' and password=PASSWORD('%p') and \
service='web_proxy']
</screen></para>
<para>
Note, when using this convention, you can include `[' characters inside the string, and if you wish to include a `]'
character inside the string that will survive the argument parsing, you should use `\['. In other words:
</para>
<para><screen>
[..[..\]..] --> ..[..]..
</screen></para>
<para>
Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the
side of caution) to make the authentication process fail. A corresponding error is written to the system log files
with a call to syslog(3).
</para></listitem>
</varlistentry>
</variablelist>
</sect3>
</sect2>
<sect2>
<title>Example System Configurations</title>
<para>
The following is an example <filename>/etc/pam.d/login</filename> configuration file.
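Review bot: the module name in "Samba provides the pam_smbpasswd.so and the pam_winbind.so modules alone" does not match the `pam_smbpass.so` used in the SMB Password entry, the introduction and the later login examples; it should be `pam_smbpass.so`. Two other things in this hunk look unintended: the `<screen>` block immediately after the `<note>` repeats the `auth required /other_path/pam_strange_module.so` line that the note's `<programlisting>` already shows, so one of the two should go, and `/etc/groups` in the `auth` module-type description should be `/etc/group`. Grammar on the new introductory lines: "This chapter you should help you to deploy" (drop the first "you"), "The use of Winbind require more than" (requires), and "wide are network bandwidth" (wide area network). Finally, the pam_mysql example passes a database credential on the configuration line (`passwd=mada ... db=eminence`); since it is reproduced here to illustrate bracketed arguments, a sentence pointing out that any such value is readable by everyone who can read the PAM configuration would stop readers from copying the pattern as-is.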
@ -50,7 +466,10 @@ of the login process. Essentially all conditions can be disabled
by commenting them out except the calls to <filename>pam_pwdb.so</filename>.
</para>
<para><programlisting>
<sect3>
<title>PAM: original login config</title>
<para><screen>
#%PAM-1.0
# The PAM configuration file for the `login' service
#
@ -65,15 +484,19 @@ by commenting them out except the calls to <filename>pam_pwdb.so</filename>.
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5
</programlisting></para>
</screen></para>
</sect3>
<sect3>
<title>PAM: login using pam_smbpass</title>
<para>
PAM allows use of replacable modules. Those available on a
sample system include:
PAM allows use of replaceable modules. Those available on a sample system include:
</para>
<para><prompt>$</prompt><userinput>/bin/ls /lib/security</userinput>
<programlisting>
<screen>
pam_access.so pam_ftp.so pam_limits.so
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so
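Review bot: at the `/bin/ls /lib/security` listing, the <prompt>/<userinput> pair is left outside the new <screen> element (directly inside the enclosing <para>), whereas elsewhere in this same patch prompt and userinput are placed inside <screen> (for example `<prompt>$ </prompt><userinput>as seteuid.s</userinput>` in the Portability chapter). Moving them inside <screen> here keeps the command and its output together and consistent with the rest of the patch.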
@ -86,7 +509,7 @@ sample system include:
pam_radius.so pam_smbpass.so pam_unix_acct.so
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
pam_userdb.so pam_warn.so pam_unix_session.so
</programlisting></para>
</screen></para>
<para>
The following example for the login program replaces the use of
@ -102,14 +525,14 @@ hashes. This database is stored in either
Samba implementation for your Unix/Linux system. The
<filename>pam_smbpass.so</filename> module is provided by
Samba version 2.2.1 or later. It can be compiled by specifying the
<command>--with-pam_smbpass</command> options when running Samba's
<filename>configure</filename> script. For more information
<option>--with-pam_smbpass</option> options when running Samba's
<command>configure</command> script. For more information
on the <filename>pam_smbpass</filename> module, see the documentation
in the <filename>source/pam_smbpass</filename> directory of the Samba
source distribution.
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# The PAM configuration file for the `login' service
#
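Review bot: "the <option>--with-pam_smbpass</option> options" on the rewritten line should be singular, since only one configure option is named; and the module is written <filename>pam_smbpass.so</filename> in one sentence and <filename>pam_smbpass</filename> in the next, so one form should be used throughout the paragraph.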
@ -117,14 +540,14 @@ source distribution.
account required pam_smbpass.so nodelay
session required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay
</programlisting></para>
</screen></para>
<para>
The following is the PAM configuration file for a particular
Linux system. The default condition uses <filename>pam_pwdb.so</filename>.
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# The PAM configuration file for the `samba' service
#
@ -132,7 +555,7 @@ Linux system. The default condition uses <filename>pam_pwdb.so</filename>.
account required pam_pwdb.so audit nodelay
session required pam_pwdb.so nodelay
password required pam_pwdb.so shadow md5
</programlisting></para>
</screen></para>
<para>
In the following example the decision has been made to use the
@ -142,7 +565,7 @@ thus allow the smbpasswd passwords to be changed using the passwd
program.
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# The PAM configuration file for the `samba' service
#
@ -150,13 +573,13 @@ program.
account required pam_pwdb.so audit nodelay
session required pam_pwdb.so nodelay
password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
</programlisting></para>
</screen></para>
<note><para>PAM allows stacking of authentication mechanisms. It is
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
capabilities of PAM in this environment. Some Linux implmentations also
capabilities of PAM in this environment. Some Linux implementations also
provide the <filename>pam_stack.so</filename> module that allows all
authentication to be configured in a single central file. The
<filename>pam_stack.so</filename> method has some very devoted followers
@ -165,8 +588,12 @@ life though, every decision makes trade-offs, so you may want examine the
PAM documentation for further helpful information.
</para></note>
</sect3>
</sect2>
<sect2>
<title>PAM Configuration in smb.conf</title>
<title>smb.conf PAM Configuration</title>
<para>
There is an option in smb.conf called <ulink
@ -175,8 +602,8 @@ The following is from the on-line help for this option in SWAT;
</para>
<para>
When Samba is configured to enable PAM support (i.e.
<constant>--with-pam</constant>), this parameter will
When Samba-3 is configured to enable PAM support (i.e.
<option>--with-pam</option>), this parameter will
control whether or not Samba should obey PAM's account
and session management directives. The default behavior
is to use PAM for clear text authentication only and to
@ -188,12 +615,53 @@ authentication mechanism needed in the presence of SMB
password encryption.
</para>
<para>Default: <command>obey pam restrictions = no</command></para>
<para>Default: <parameter>obey pam restrictions = no</parameter></para>
</sect2>
<sect2>
<title>Password Synchronisation using pam_smbpass.so</title>
<title>Remote CIFS Authentication using winbindd.so</title>
<para>
All operating systems depend on the provision of users credentials acceptable to the platform.
Unix requires the provision of a user identifier (UID) as well as a group identifier (GID).
These are both simple integer type numbers that are obtained from a password backend such
as <filename>/etc/passwd</filename>.
</para>
<para>
Users and groups on a Windows NT server are assigned a relative id (rid) which is unique for
the domain when the user or group is created. To convert the Windows NT user or group into
a unix user or group, a mapping between rids and unix user and group ids is required. This
is one of the jobs that winbind performs.
</para>
<para>
As winbind users and groups are resolved from a server, user and group ids are allocated
from a specified range. This is done on a first come, first served basis, although all
existing users and groups will be mapped as soon as a client performs a user or group
enumeration command. The allocated unix ids are stored in a database file under the Samba
lock directory and will be remembered.
</para>
<para>
The astute administrator will realize from this that the combination of <filename>pam_smbpass.so</filename>,
<command>winbindd</command>, and a distributed passdb backend, such as ldap, will allow the establishment of a
centrally managed, distributed user/password database that can also be used by all PAM (eg: Linux) aware
programs and applications. This arrangement can have particularly potent advantages compared with the use of
Microsoft Active Directory Service (ADS) in so far as reduction of wide area network authentication traffic.
</para>
<warning><para>
The rid to unix id database is the only location where the user and group mappings are
stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd
to determine which user and group ids correspond to Windows NT user and group rids.
</para></warning>
</sect2>
<sect2>
<title>Password Synchronization using pam_smbpass.so</title>
<para>
pam_smbpass is a PAM module which can be used on conforming systems to
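Review bot: the new section title "Remote CIFS Authentication using winbindd.so" names a file that appears nowhere else in the text; the body refers to the daemon as <command>winbindd</command>, and the pam_smbpass section that follows recommends "pam_winbind" as the module, so the title should name either winbindd (the daemon) or pam_winbind.so (the PAM module). The <warning> about the rid-to-unix-id database would also be more useful if it told the administrator to include the database file under the Samba lock directory (mentioned a few lines earlier) in regular backups, since the warning itself states there is no way to reconstruct the mappings once that file is lost or corrupted.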
@ -203,10 +671,6 @@ under some Unices, such as Solaris, HPUX and Linux, that provides a
generic interface to authentication mechanisms.
</para>
<para>
For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/
</para>
<para>
This module authenticates a local smbpasswd user database. If you require
support for authenticating against a remote SMB server, or if you're
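Review bot: removing the ftp.kernel.org/pub/linux/libs/pam/ paragraph leaves the chapter with no pointer to the upstream Linux-PAM documentation, while the surrounding text still tells the reader to "refer to the documentation for your particular system implementation"; if the URL was dropped because it is stale, a current reference belongs in its place rather than nothing.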
@ -214,52 +678,42 @@ concerned about the presence of suid root binaries on your system, it is
recommended that you use pam_winbind instead.
</para>
<para><programlisting>
<para>
Options recognized by this module are as follows:
<table frame="all">
<title>Options recognized by pam_smbpass</title>
<tgroup cols="2" align="left">
<tbody>
<row><entry>debug</entry><entry>log more debugging info</entry></row>
<row><entry>audit</entry><entry>like debug, but also logs unknown usernames</entry></row>
<row><entry>use_first_pass</entry><entry>don't prompt the user for passwords; take them from PAM_ items instead</entry></row>
<row><entry>try_first_pass</entry><entry>try to get the password from a previous PAM module, fall back to prompting the user</entry></row>
<row><entry>use_authtok</entry><entry>like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set. (intended for stacking password modules only)</entry></row>
<row><entry>not_set_pass</entry><entry>don't make passwords used by this module available to other modules.</entry></row>
<row><entry>nodelay</entry><entry>don't insert ~1 second delays on authentication failure.</entry></row>
<row><entry>nullok</entry><entry>null passwords are allowed.</entry></row>
<row><entry>nonull</entry><entry>null passwords are not allowed. Used to override the Samba configuration.</entry></row>
<row><entry>migrate</entry><entry>only meaningful in an "auth" context; used to update smbpasswd file with a password used for successful authentication.</entry></row>
<row><entry>smbconf=<replaceable>file</replaceable></entry><entry>specify an alternate path to the &smb.conf; file.</entry></row>
</tbody>
</tgroup>
</table>
</para>
debug - log more debugging info
audit - like debug, but also logs unknown usernames
use_first_pass - don't prompt the user for passwords;
take them from PAM_ items instead
try_first_pass - try to get the password from a previous
PAM module, fall back to prompting the user
use_authtok - like try_first_pass, but *fail* if the new
PAM_AUTHTOK has not been previously set.
(intended for stacking password modules only)
not_set_pass - don't make passwords used by this module
available to other modules.
nodelay - don't insert ~1 second delays on authentication
failure.
nullok - null passwords are allowed.
nonull - null passwords are not allowed. Used to
override the Samba configuration.
migrate - only meaningful in an "auth" context;
used to update smbpasswd file with a
password used for successful authentication.
smbconf=&lt; file &gt; - specify an alternate path to the smb.conf
file.
</programlisting></para>
<para><programlisting>
<para>
Thanks go to the following people:
<simplelist>
<member><ulink url="mailto:morgan@transmeta.com">Andrew Morgan</ulink>, for providing the Linux-PAM
framework, without which none of this would have happened</member>
* Andrew Morgan &lt; morgan@transmeta.com &gt;, for providing the Linux-PAM
framework, without which none of this would have happened
<member><ulink url="gafton@redhat.com">Christian Gafton</ulink> and Andrew Morgan again, for the
pam_pwdb module upon which pam_smbpass was originally based</member>
* Christian Gafton &lt; gafton@redhat.com &gt; and Andrew Morgan again, for the
pam_pwdb module upon which pam_smbpass was originally based
* Luke Leighton &lt; lkcl@switchboard.net &gt; for being receptive to the idea,
<member><ulink url="lkcl@switchboard.net">Luke Leighton</ulink> for being receptive to the idea,
and for the occasional good-natured complaint about the project's status
that keep me working on it :)
* and of course, all the other members of the Samba team
&lt;http://www.samba.org/samba/team.html&gt;, for creating a great product
and for giving this project a purpose
---------------------
Stephen Langasek &lt; vorlon@netexpress.net &gt;
</programlisting></para>
that keep me working on it :)</member>
</simplelist>.
</para>
<para>
The following are examples of the use of pam_smbpass.so in the format of Linux
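Review bot: two of the three new <ulink> elements in the credits have no URI scheme: url="gafton@redhat.com" and url="lkcl@switchboard.net" will be emitted as relative links, unlike the first entry, which correctly uses url="mailto:morgan@transmeta.com". The rewrite also drops the final credit to the other Samba team members (with the team URL) and the signature line "Stephen Langasek <vorlon@netexpress.net>", so the acknowledgements no longer say whose acknowledgements they are; and there is a stray period after </simplelist>.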
@ -268,7 +722,7 @@ tool on other platforms will need to adapt this appropriately.
</para>
<sect3>
<title>Password Synchonisation Configuration</title>
<title>Password Synchronisation Configuration</title>
<para>
A sample PAM configuration that shows the use of pam_smbpass to make
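Review bot: the corrected sect3 title "Password Synchronisation Configuration" keeps the -ise spelling while the new sect2 title introduced earlier in this patch, "Password Synchronization using pam_smbpass.so", uses -ize; one spelling should be used for the chapter.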
@ -277,7 +731,7 @@ is changed. Useful when an expired password might be changed by an
application (such as ssh).
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# password-sync
#
@ -288,7 +742,7 @@ application (such as ssh).
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password required pam_smbpass.so nullok use_authtok try_first_pass
session required pam_unix.so
</programlisting></para>
</screen></para>
</sect3>
<sect3>
@ -302,12 +756,12 @@ password migration takes place when users ftp in, login using ssh, pop
their mail, etc.
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# password-migration
#
auth requisite pam_nologin.so
# pam_smbpass is called IFF pam_unix succeeds.
# pam_smbpass is called IF pam_unix succeeds.
auth requisite pam_unix.so
auth optional pam_smbpass.so migrate
account required pam_unix.so
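Review bot: changing the comment from "IFF" to "IF" weakens its meaning rather than fixing a typo: with pam_unix marked requisite, a failure ends the auth stack immediately, so pam_smbpass (optional, migrate) is reached if and only if pam_unix succeeds, which is exactly what "IFF" (if and only if) stated. If the abbreviation is considered obscure, "only if" preserves the point.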
@ -315,7 +769,7 @@ their mail, etc.
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password optional pam_smbpass.so nullok use_authtok try_first_pass
session required pam_unix.so
</programlisting></para>
</screen></para>
</sect3>
<sect3>
@ -327,7 +781,7 @@ private/smbpasswd is fully populated, and we consider it an error if
the smbpasswd doesn't exist or doesn't match the Unix password.
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# password-mature
#
@ -338,7 +792,7 @@ the smbpasswd doesn't exist or doesn't match the Unix password.
password requisite pam_unix.so shadow md5 use_authtok try_first_pass
password required pam_smbpass.so use_authtok use_first_pass
session required pam_unix.so
</programlisting></para>
</screen></para>
</sect3>
<sect3>
@ -350,7 +804,7 @@ pam_krb5. This could be useful on a Samba PDC that is also a member of
a Kerberos realm.
</para>
<para><programlisting>
<para><screen>
#%PAM-1.0
# kdc-pdc
#
@ -362,28 +816,59 @@ a Kerberos realm.
password optional pam_smbpass.so nullok use_authtok try_first_pass
password required pam_krb5.so use_authtok try_first_pass
session required pam_krb5.so
</programlisting></para>
</screen></para>
</sect3>
</sect2>
</sect1>
<sect1>
<title>Distributed Authentication</title>
<title>Common Errors</title>
<para>
The astute administrator will realize from this that the
combination of <filename>pam_smbpass.so</filename>,
<command>winbindd</command>, and a distributed
passdb backend, such as ldap, will allow the establishment of a
centrally managed, distributed
user/password database that can also be used by all
PAM (eg: Linux) aware programs and applications. This arrangement
can have particularly potent advantages compared with the
use of Microsoft Active Directory Service (ADS) in so far as
reduction of wide area network authentication traffic.
PAM can be a very fickle and sensitive to configuration glitches. Here we look at a few cases from
the Samba mailing list.
</para>
<sect2>
<title>pam_winbind problem</title>
<para>
I have the following PAM configuration:
</para>
<para>
<screen>
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass nullok
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
</screen>
</para>
<para>
When I open a new console with [ctrl][alt][F1], then I cant log in with my user "pitie".
I've tried with user "scienceu+pitie" also.
</para>
<para>
Answer: The problem may lie with your inclusion of <parameter>pam_stack.so
service=system-auth</parameter>. That file often contains a lot of stuff that may
duplicate what you're already doing. Try commenting out the pam_stack lines
for auth and account and see if things work. If they do, look at
<filename>/etc/pam.d/system-auth</filename> and copy only what you need from it into your
<filename>/etc/pam.d/login</filename> file. Alternatively, if you want all services to use
winbind, you can put the winbind-specific stuff in <filename>/etc/pam.d/system-auth</filename>.
</para>
</sect2>
</sect1>
</chapter>
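Review bot: grammar in the new Common Errors introduction: "PAM can be a very fickle and sensitive to configuration glitches" should be "PAM can be very fickle and sensitive to configuration glitches", and "I cant log in" in the question needs an apostrophe. In the answer, the advice to comment out the pam_stack lines in <filename>/etc/pam.d/login</filename> "and see if things work" should be accompanied by a reminder to keep a second, already authenticated session open while experimenting, because the file being edited is the one that decides whether console logins succeed at all, as the question itself shows.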


@ -3,8 +3,51 @@
&author.jht;
<pubdate>April 3 2003</pubdate>
</chapterinfo>
<title>System and Account Policies</title>
<para>
This chapter summarises the current state of knowledge derived from personal
practice and knowledge from samba mailing list subscribers. Before reproduction
of posted information effort has been made to validate the information provided.
Where additional information was uncovered through this validation it is provided
also.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of "booboos"
(or mistakes) administrators made and then requested help to resolve.
</para>
<para>
By the time that MS Windows 2000 and Active Directory was released, administrators
got the message: Group Policies are a good thing! They can help reduce administrative
costs and actually can help to create happier users. But adoption of the true
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
and machines were picked up on rather slowly. This was very obvious from the samba
mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
how to replicate them in a Samba environment.
</para>
<para>
Judging by the traffic volume since mid 2002, GPOs have become a standard part of
the deployment in many sites. This chapter reviews techniques and methods that can
be used to exploit opportunities for automation of control over user desktops and
network client workstations.
</para>
<para>
A tool new to Samba-3 may become an important part of the future Samba Administrators'
arsenal. The <command>editreg</command> tool is described in this document.
</para>
</sect1>
<sect1>
<title>Creating and Managing System Policies</title>
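Review bot: several grammar slips in the new chapter introduction: "Group Policies for users and group" should be "users and groups"; "MS Windows 2000 and Active Directory was released" should be "were released"; "adoption of the true potential ... were picked up on rather slowly" should be "was picked up on"; and "Before reproduction of posted information effort has been made to validate the information provided" reads awkwardly (suggest "Before reproducing posted information, an effort has been made to validate it"). The sentence "The <command>editreg</command> tool is described in this document" also promises a description that the "Samba Editreg Toolset" section further down does not yet contain.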
@ -21,7 +64,7 @@ affect users, groups of users, or machines.
For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may
be generated using a tool called <filename>poledit.exe</filename>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
dissappeared again with the introduction of MS Windows Me (Millenium Edition). From
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
comments from MS Windows network administrators it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</para>
@ -67,9 +110,9 @@ Add/Remove Programs facility and then click on the 'Have Disk' tab.
<para>
Use the Group Policy Editor to create a policy file that specifies the location of
user profiles and/or the <filename>My Documents</filename> etc. stuff. Then
save these settings in a file called <filename>Config.POL</filename> that needs to
be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto
user profiles and/or the <filename>My Documents</filename> etc. Then save these
settings in a file called <filename>Config.POL</filename> that needs to be placed in the
root of the <parameter>[NETLOGON]</parameter> share. If Win98 is configured to log onto
the Samba Domain, it will automatically read this file and update the Win9x/Me registry
of the machine as it logs on.
</para>
@ -109,7 +152,7 @@ the NT Server will run happily enough on an NT4 Workstation.
</para>
<para>
You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>.
You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>.
It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
directory which is where the binary will look for them unless told otherwise. Note also that that
directory is normally 'hidden'.
@ -126,7 +169,7 @@ location is with the Zero Administration Kit available for download from Microso
</para>
<sect3>
<title>Registry Tattoos</title>
<title>Registry Spoiling</title>
<para>
With NT4 style registry based policy changes, a large number of settings are not
@ -159,7 +202,7 @@ to create them is different, and the mechanism for implementing them is much cha
The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as
users' desktop (including: the location of <filename>My Documents</filename> files (directory), as
well as intrinsics of where menu items will appear in the Start menu). An additional new
feature is the ability to make available particular software Windows applications to particular
users and/or groups.
@ -187,7 +230,7 @@ With NT4 clients the policy file is read and executed upon only as each user log
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network the user specific part
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
exists with NT4 style policy files.
</para>
@ -195,16 +238,15 @@ exists with NT4 style policy files.
<sect3>
<title>Administration of Win2K / XP Policies</title>
<title>Instructions</title>
<para>
Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the
executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console
(MMC) snap-in as follows:</para>
Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the
executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a
<application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para>
<procedure>
<step>
<para>
Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename>
and select the MMC snap-in called "Active Directory Users and Computers"
Go to the Windows 200x / XP menu <guimenu>Start->Programs->Administrative Tools</guimenu>
and select the MMC snap-in called <guimenuitem>Active Directory Users and Computers</guimenuitem>
</para>
</step>
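Review bot: the replacement title "Instructions" is less informative than the "Administration of Win2K / XP Policies" it replaces; since this sect3 holds the MMC snap-in procedure for creating a GPO, a title that says so (for example "Creating a GPO with the MMC snap-in") would tell the reader what the numbered steps achieve.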
@ -214,22 +256,22 @@ to open the context menu for that object, select the properties item.
</para></step>
<step><para>
Now left click on the Group Policy tab, then left click on the New tab. Type a name
Now left click on the <guilabel>Group Policy</guilabel> tab, then left click on the New tab. Type a name
for the new policy you will create.
</para></step>
<step><para>
Now left click on the Edit tab to commence the steps needed to create the GPO.
Now left click on the <guilabel>Edit</guilabel> tab to commence the steps needed to create the GPO.
</para></step>
</procedure>
<para>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The later introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files, for that
the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</para>
@ -272,8 +314,8 @@ applied to the user's part of the registry.
<para>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>tatooing</emphasis> effect.
This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
</para>
<para>
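Review bot: "The key benefit of using AS GPOs" on the rewritten line should read "AD GPOs": the paragraph is about GPOs stored in Active Directory, and "AS" is not an abbreviation used anywhere else in the chapter.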
@ -294,22 +336,32 @@ Common restrictions that are frequently used includes:
</para>
<sect2>
<title>With Windows NT4/200x</title>
<title>Samba Editreg Toolset</title>
<para>
Describe in detail the benefits of <command>editreg</command> and how to use it.
</para>
</sect2>
<sect2>
<title>Windows NT4/200x</title>
<para>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
</para>
</sect2>
<sect2>
<title>With a Samba PDC</title>
<title>Samba PDC</title>
<para>
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
<filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the
<command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>.
The administrator should read the
man pages for these tools and become familiar with their use.
</para>
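Review bot: the new "Samba Editreg Toolset" section consists solely of the placeholder "Describe in detail the benefits of <command>editreg</command> and how to use it.", which is an author's TODO rather than documentation and would be published as-is; either supply the content or wrap the sentence in an editorial comment (<!-- TODO ... -->) so it is not rendered.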
@ -342,7 +394,7 @@ reboot and as part of the user logon:
</para></listitem>
<listitem><para>
Execution of start-up scripts (hidden and synchronous by defaut).
Execution of start-up scripts (hidden and synchronous by default).
</para></listitem>
<listitem><para>
@ -354,7 +406,7 @@ reboot and as part of the user logon:
</para></listitem>
<listitem><para>
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
<simplelist>
<member>Is user a domain member, thus subject to particular policies</member>
@ -381,4 +433,32 @@ reboot and as part of the user logon:
</orderedlist>
</sect1>
<sect1>
<title>Common Errors</title>
<para>
Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
collection demonstrates only basic issues.
</para>
<sect2>
<title>Policy Does Not Work</title>
<para>
Question: We have created the <filename>config.pol</filename> file and put it in the <emphasis>NETLOGON</emphasis> share.
It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
work any longer since we upgraded to Win XP Pro. Any hints?
</para>
<para>
<emphasis>ANSWER:</emphasis> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
platforms. You need to use the NT4 Group Policy Editor to create a file called <filename>NTConfig.POL</filename> so that
it is in the correct format for your MS Windows XP Pro clients.
</para>
</sect2>
</sect1>
</chapter>
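Review bot: the answer directs the reader to "the NT4 Group Policy Editor", but this chapter consistently calls the NT4 tool the System Policy Editor (poledit.exe) and reserves "Group Policy" for the Windows 200x/XP MMC-based objects; use "NT4 System Policy Editor" here so the reader looks for the right tool. Minor: "IT worked fine with Win 98" should be "It worked fine".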


@ -1,6 +1,8 @@
<chapter id="Portability">
<chapterinfo>
&author.jelmer;
<!-- Some other people as well, but there were no author names in the text files
this file is based on-->
</chapterinfo>
<title>Portability</title>
@ -14,14 +16,14 @@ platform-specific information about compiling and using samba.</para>
<para>
HP's implementation of supplementary groups is, er, non-standard (for
hysterical reasons). There are two group files, /etc/group and
/etc/logingroup; the system maps UIDs to numbers using the former, but
hysterical reasons). There are two group files, <filename>/etc/group</filename> and
<filename>/etc/logingroup</filename>; the system maps UIDs to numbers using the former, but
initgroups() reads the latter. Most system admins who know the ropes
symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons
too stupid to go into here). initgroups() will complain if one of the
groups you're in in /etc/logingroup has what it considers to be an invalid
ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think)
60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody'
symlink <filename>/etc/group</filename> to <filename>/etc/logingroup</filename>
(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
groups you're in in <filename>/etc/logingroup</filename> has what it considers to be an invalid
ID, which means outside the range <constant>[0..UID_MAX]</constant>, where <constant>UID_MAX</constant> is (I think)
60000 currently on HP-UX. This precludes -2 and 65534, the usual <constant>nobody</constant>
GIDs.
</para>
@ -35,8 +37,8 @@ allowed range.
</para>
<para>
On HPUX you must use gcc or the HP Ansi compiler. The free compiler
that comes with HP-UX is not Ansi compliant and cannot compile
On HPUX you must use gcc or the HP ANSI compiler. The free compiler
that comes with HP-UX is not ANSI compliant and cannot compile
Samba.
</para>
@ -53,7 +55,8 @@ encounter corrupt data transfers using samba.
<para>
The patch you need is UOD385 Connection Drivers SLS. It is available from
SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z).
SCO (<ulink url="ftp://ftp.sco.com/">ftp.sco.com</ulink>, directory SLS,
files uod385a.Z and uod385a.ltr.Z).
</para>
</sect1>
@ -121,8 +124,10 @@ _seteuid:
after creating the above files you then assemble them using
</para>
<para><command>as seteuid.s</command></para>
<para><command>as setegid.s</command></para>
<screen>
<prompt>$ </prompt><userinput>as seteuid.s</userinput>
<prompt>$ </prompt><userinput>as setegid.s</userinput>
</screen>
<para>
that should produce the files <filename>seteuid.o</filename> and
@ -155,7 +160,7 @@ You should then remove the line:
<para>
By default RedHat Rembrandt-II during installation adds an
entry to /etc/hosts as follows:
entry to <filename>/etc/hosts</filename> as follows:
<programlisting>
127.0.0.1 loopback "hostname"."domainname"
</programlisting>
@ -181,7 +186,7 @@ Corrective Action: Delete the entry after the word loopback
<!-- From an email by William Jojo <jojowil@hvcc.edu> -->
<para>
Disabling Sequential Read Ahead using <userinput>vmtune -r 0</userinput> improves
samba performance significally.
Samba performance significantly.
</para>
</sect2>
</sect1>
@ -193,9 +198,9 @@ samba performance significally.
<title>Locking improvements</title>
<para>Some people have been experiencing problems with F_SETLKW64/fcntl
when running samba on solaris. The built in file locking mechanism was
when running Samba on Solaris. The built in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
get into loops of trying to lock a file. It woul try a lock, then fail,
get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would
@ -209,8 +214,7 @@ has not been released yet.
<para>
The patch revision for 2.6 is 105181-34
for 8 is 108528-19
and for 9 is 112233-04
for 8 is 108528-19 and for 9 is 112233-04
</para>
<para>


@ -26,15 +26,15 @@ general SMB topics such as browsing.</para>
<para>
One of the best diagnostic tools for debugging problems is Samba itself.
You can use the -d option for both smbd and nmbd to specify what
'debug level' at which to run. See the man pages on smbd, nmbd and
You can use the <option>-d option</option> for both &smbd; and &nmbd; to specify what
<parameter>debug level</parameter> at which to run. See the man pages on smbd, nmbd and
smb.conf for more information on debugging options. The debug
level can range from 1 (the default) to 10 (100 for debugging passwords).
</para>
<para>
Another helpful method of debugging is to compile samba using the
<command>gcc -g </command> flag. This will include debug
<userinput>gcc -g </userinput> flag. This will include debug
information in the binaries and allow you to attach gdb to the
running smbd / nmbd process. In order to attach gdb to an smbd
process for an NT workstation, first get the workstation to make the
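Review bot: the `<option>` markup on the first changed line wraps the word "option" together with the flag; it should be `<option>-d</option> option` so that only the flag renders as an option. On the same line the man page list still says plain "smbd, nmbd" while the sentence before it now uses &smbd; and &nmbd;, so use the entities throughout. Further down, `<userinput>gcc -g</userinput>` describes a compiler flag, and `<option>-g</option>` (passed to gcc) fits better than `<userinput>`, which is for text typed verbatim at a prompt.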
@ -51,10 +51,10 @@ typing in your password, you can attach gdb and continue.
Some useful samba commands worth investigating:
</para>
<itemizedlist>
<listitem><para>testparam | more</para></listitem>
<listitem><para>smbclient -L //{netbios name of server}</para></listitem>
</itemizedlist>
<screen>
<prompt>$ </prompt><userinput>testparm | more</userinput>
<prompt>$ </prompt><userinput>smbclient -L //{netbios name of server}</userinput>
</screen>
<para>
An SMB enabled version of tcpdump is available from
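Review bot: the `{netbios name of server}` placeholder in the new `<screen>` block should be marked `<replaceable>netbios name of server</replaceable>` rather than left in braces, so it renders as something to substitute and is not mistaken for literal shell syntax. "Some useful samba commands" in the context line is still lowercase while the rest of this change capitalises Samba.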
@ -91,18 +91,18 @@ NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
</para>
<para>
Initially you will need to install 'Network Monitor Tools and Agent'
Initially you will need to install <application>Network Monitor Tools and Agent</application>
on the NT Server. To do this
</para>
<itemizedlist>
<listitem><para>Goto Start - Settings - Control Panel -
Network - Services - Add </para></listitem>
<listitem><para>Goto <guibutton>Start</guibutton> - <guibutton>Settings</guibutton> - <guibutton>Control Panel</guibutton> -
<guibutton>Network</guibutton> - <guibutton>Services</guibutton> - <guibutton>Add</guibutton> </para></listitem>
<listitem><para>Select the 'Network Monitor Tools and Agent' and
click on 'OK'.</para></listitem>
<listitem><para>Select the <guilabel>Network Monitor Tools and Agent</guilabel> and
click on <guibutton>OK</guibutton>.</para></listitem>
<listitem><para>Click 'OK' on the Network Control Panel.
<listitem><para>Click <guibutton>OK</guibutton> on the Network Control Panel.
</para></listitem>
<listitem><para>Insert the Windows NT Server 4.0 install CD
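Review bot: Start, Settings, Control Panel, Network and Services are menu and dialog items rather than buttons, so `<menuchoice><guimenu>Start</guimenu><guisubmenu>Settings</guisubmenu><guimenuitem>Control Panel</guimenuitem></menuchoice>` (with `<guilabel>` for the Network and Services tabs) would be more accurate than a chain of `<guibutton>` elements joined by dashes. `<guibutton>OK</guibutton>` and `<guilabel>` for the agent name are right.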
@ -124,13 +124,13 @@ install CD.
</para>
<itemizedlist>
<listitem><para>Goto Start - Settings - Control Panel -
Network - Services - Add</para></listitem>
<listitem><para>Goto <guibutton>Start</guibutton> - <guibutton>Settings</guibutton> - <guibutton>Control Panel</guibutton> -
<guibutton>Network</guibutton> - <guibutton>Services</guibutton> - <guibutton>Add</guibutton></para></listitem>
<listitem><para>Select the 'Network Monitor Agent' and click
on 'OK'.</para></listitem>
<listitem><para>Select the <guilabel>Network Monitor Agent</guilabel> and click
on <guibutton>OK</guibutton>.</para></listitem>
<listitem><para>Click 'OK' on the Network Control Panel.
<listitem><para>Click <guibutton>OK</guibutton> on the Network Control Panel.
</para></listitem>
<listitem><para>Insert the Windows NT Workstation 4.0 install
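Review bot: same point as the server-side list above: Start - Settings - Control Panel - Network - Services is a menu path, so `<menuchoice>` rather than a chain of `<guibutton>` elements.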
@ -138,15 +138,15 @@ install CD.
</itemizedlist>
<para>
Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
Now copy the files from the NT Server in <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>
to <filename>%SYSTEMROOT%\System32\netmon\*.*</filename> on the Workstation and set
permissions as you deem appropriate for your site. You will need
administrative rights on the NT box to run netmon.
</para>
<para>
To install Netmon on a Windows 9x box install the network monitor agent
from the Windows 9x CD (\admin\nettools\netmon). There is a readme
from the Windows 9x CD (<filename>\admin\nettools\netmon</filename>). There is a readme
file located with the netmon driver files on the CD if you need
information on how to do this. Copy the files from a working
Netmon installation.
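Review bot: "set permissions as you deem appropriate for your site" on the netmon copy gives the reader no guidance; since Network Monitor captures traffic off the wire and the next sentence already says administrative rights are needed to run it, the text could state plainly that the copied netmon directory should be restricted to Administrators. The `<filename>` wrapping of the wildcard paths is fine.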
@ -155,35 +155,19 @@ Netmon installation.
</sect1>
<sect1>
<title>Useful URL's</title>
<title>Useful URLs</title>
<itemizedlist>
<listitem><para>Home of Samba site <ulink url="http://samba.org">
http://samba.org</ulink>. We have a mirror near you !</para></listitem>
<listitem><para> The <emphasis>Development</emphasis> document
on the Samba mirrors might mention your problem. If so,
it might mean that the developers are working on it.</para></listitem>
<listitem><para>See how Scott Merrill simulates a BDC behavior at
<ulink url="http://www.skippy.net/linux/smb-howto.html">
http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem>
<listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will
keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba">
http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem>
<listitem><para>Misc links to CIFS information
<ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem>
<listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/">
http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem>
<listitem><para>FTP site for older SMB specs:
<ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem>
</itemizedlist>
<!-- FIXME: Merge with Further Resources -->
</sect1>
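Review bot: removing the whole list leaves the "Useful URLs" sect1 with nothing but a title and a FIXME comment, which renders as an empty section; either drop the section until the merge with Further Resources happens, or carry the still-valid entries (samba.org and samba.org/cifs/) over now. The removed cb1.com and latrobe.edu.au links were stale, so dropping them is fine.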



@ -4,7 +4,7 @@
<pubdate>April 21, 2003</pubdate>
</chapterinfo>
<title>SWAT - The Samba Web Admininistration Tool</title>
<title>SWAT - The Samba Web Administration Tool</title>
<para>
There are many and varied opinions regarding the usefulness or otherwise of SWAT.
@ -17,7 +17,7 @@ management.
</para>
<sect1>
<title>SWAT Features and Benefits</title>
<title>Features and Benefits</title>
<para>
There are network administrators who believe that it is a good idea to write systems
@ -25,7 +25,7 @@ documentation inside configuration files, for them SWAT will aways be a nasty to
does not store the configuration file in any intermediate form, rather, it stores only the
parameter settings, so when SWAT writes the smb.conf file to disk it will write only
those parameters that are at other than the default settings. The result is that all comments
will be lost from the smb.conf file. Additionally, the parameters will be written back in
will be lost from the &smb.conf; file. Additionally, the parameters will be written back in
internal ordering.
</para>
@ -40,8 +40,8 @@ and only non-default settings will be written to the file.
<para>
SWAT should be installed to run via the network super daemon. Depending on which system
your Unix/Linux system has you will have either an <filename>inetd</filename> or
<filename>xinetd</filename> based system.
your Unix/Linux system has you will have either an <command>inetd</command> or
<command>xinetd</command> based system.
</para>
<para>
@ -86,7 +86,7 @@ A control file for the newer style xinetd could be:
</para>
<para>
Both the above examples assume that the <filename>swat</filename> binary has been
Both the above examples assume that the <command>swat</command> binary has been
located in the <filename>/usr/sbin</filename> directory. In addition to the above
SWAT will use a directory access point from which it will load it's help files
as well as other control information. The default location for this on most Linux
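Review bot: while this hunk touches the sentence, "it will load it's help files" on the unchanged context line should read "its help files".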
@ -98,14 +98,16 @@ location using samba defaults will be <filename>/usr/local/samba/swat</filename>
Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
the only permission allowed is to view certain aspects of configuration as well as
access to the password change facility. The buttons that will be exposed to the non-root
user are: <emphasis>HOME, STATUS, VIEW, PASSWORD</emphasis>. The only page that allows
change capability in this case is <emphasis>PASSWORD</emphasis>.
user are: <guibutton>HOME</guibutton>, <guibutton>STATUS</guibutton>, <guibutton>VIEW</guibutton>,
<guibutton>PASSWORD</guibutton>. The only page that allows
change capability in this case is <guibutton>PASSWORD</guibutton>.
</para>
<para>
So long as you log onto SWAT as the user <command>root</command> you should obtain
So long as you log onto SWAT as the user <emphasis>root</emphasis> you should obtain
full change and commit ability. The buttons that will be exposed includes:
<emphasis>HOME, GLOBALS, SHARES, PRINTERS, WIZARD, STATUS, VIEW, PASSWORD</emphasis>.
<guibutton>HOME</guibutton>, <guibutton>GLOBALS</guibutton>, <guibutton>SHARES</guibutton>, <guibutton>PRINTERS</guibutton>,
<guibutton>WIZARD</guibutton>, <guibutton>STATUS</guibutton>, <guibutton>VIEW</guibutton>, <guibutton>PASSWORD</guibutton>.
</para>
</sect2>
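Review bot: `<emphasis>root</emphasis>` for the user name is a step sideways from `<command>`, but neither is right; DocBook has `<systemitem class="username">root</systemitem>` for exactly this. The same applies to the root reference in the password page hunk further down.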
@ -122,35 +124,35 @@ administration of Samba. Here is a method that works, courtesy of Markus Krieger
Modifications to the swat setup are as following:
</para>
<itemizedlist>
<listitem><para>
<procedure>
<step><para>
install OpenSSL
</para></listitem>
</para></step>
<listitem><para>
<step><para>
generate certificate and private key
<programlisting>
root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
<screen>
&rootprompt;<userinput>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
</programlisting></para></listitem>
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</userinput>
</screen></para></step>
<listitem><para>
<step><para>
remove swat-entry from [x]inetd
</para></listitem>
</para></step>
<listitem><para>
<step><para>
start stunnel
<programlisting>
root# stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat
</programlisting></para></listitem>
</itemizedlist>
<screen>
&rootprompt;<userinput>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat </userinput>
</screen></para></step>
</procedure>
<para>
afterwards simply contact to swat by using the URL "https://myhost:901", accept the certificate
afterwords simply contact to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
and the SSL connection is up.
</para>
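Review bot: "afterwords" on the last changed line is a regression, the original "afterwards" was correct. On the substance of the procedure: the openssl command writes the private key and the certificate into the same /etc/stunnel/stunnel.pem with -nodes (unencrypted key), so a step making that file readable by root only before stunnel is started belongs in the list, and "accept the certificate" should say to compare the certificate presented by the browser with the one just generated, since a self-signed certificate gives the browser nothing else to verify against. Also, `<ulink url="https://myhost:901">` turns a placeholder host into a live link; `<replaceable>myhost</replaceable>` inside `<userinput>` reads better. "contact to swat" should be "connect to SWAT", and the -config /usr/share/doc/packages/stunnel/stunnel.cnf path is distribution specific and worth saying so.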
@ -167,19 +169,19 @@ document) as well as the O'Reilly book "Using Samba".
<para>
Administrators who wish to validate their samba configuration may obtain useful information
from the man pages for the diganostic utilities. These are available from the SWAT home page
from the man pages for the diagnostic utilities. These are available from the SWAT home page
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
useful is <command>ethereal</command>, available from <ulink url="http://www.ethereal.com">
http://www.ethereal.com</ulink>.
</para>
<note><para>
<warning><para>
SWAT can be configured to run in <emphasis>demo</emphasis> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
changes to smb.conf as well as general operation with root privilidges. The option that
creates this ability is the <command>-a</command> flag to swat. DO NOT USE THIS IN ANY
PRODUCTION ENVIRONMENT - you have been warned!
</para></note>
changes to smb.conf as well as general operation with root privileges. The option that
creates this ability is the <option>-a</option> flag to swat. <emphasis>Do not use this in any
production environment.</emphasis>
</para></warning>
</sect2>
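Review bot: the switch to `<warning>` and `<option>-a</option>` is the right markup for this. "ie: Allows" on the unchanged context line should be "i.e. it allows", and "NOT recommended" could take `<emphasis>` for consistency with the new emphasis on the last sentence.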
@ -193,16 +195,16 @@ in smb.conf. There are three levels of exposure of the parameters:
<itemizedlist>
<listitem><para>
<command>Basic</command> - exposes common configuration options.
<emphasis>Basic</emphasis> - exposes common configuration options.
</para></listitem>
<listitem><para>
<command>Advanced</command> - exposes configuration options needed in more
<emphasis>Advanced</emphasis> - exposes configuration options needed in more
complex environments.
</para></listitem>
<listitem><para>
<command>Developer</command> - exposes configuration options that only the brave
<emphasis>Developer</emphasis> - exposes configuration options that only the brave
will want to tamper with.
</para></listitem>
</itemizedlist>
@ -210,18 +212,18 @@ in smb.conf. There are three levels of exposure of the parameters:
<para>
To switch to other than <emphasis>Basic</emphasis> editing ability click on either the
<emphasis>Advanced</emphasis> or the <emphasis>Developer</emphasis> dial, then click the
<emphasis>Commit Changes</emphasis> button.
<guibutton>Commit Changes</guibutton> button.
</para>
<para>
After making any changes to configuration parameters make sure that you click on the
<emphasis>Commit Changes</emphasis> button before moving to another area otherwise
<guibutton>Commit Changes</guibutton> button before moving to another area otherwise
your changes will be immediately lost.
</para>
<note><para>
SWAT has context sensitive help. To find out what each parameter is for simply click the
<command>Help</command> link to the left of the configurartion parameter.
<guibutton>Help</guibutton> link to the left of the configuration parameter.
</para></note>
</sect2>
@ -230,17 +232,17 @@ SWAT has context sensitive help. To find out what each parameter is for simply c
<title>Share Settings</title>
<para>
To affect a currenly configured share, simply click on the pull down button between the
<emphasis>Choose Share</emphasis> and the <emphasis>Delete Share</emphasis> buttons,
To affect a currently configured share, simply click on the pull down button between the
<guibutton>Choose Share</guibutton> and the <guibutton>Delete Share</guibutton> buttons,
select the share you wish to operate on, then to edit the settings click on the
<emphasis>Choose Share</emphasis> button, to delete the share simply press the
<emphasis>Delete Share</emphasis> button.
<guibutton>Choose Share</guibutton> button, to delete the share simply press the
<guibutton>Delete Share</guibutton> button.
</para>
<para>
To create a new share, next to the button labelled <emphasis>Create Share</emphasis> enter
To create a new share, next to the button labelled <guibutton>Create Share</guibutton> enter
into the text field the name of the share to be created, then click on the
<emphasis>Create Share</emphasis> button.
<guibutton>Create Share</guibutton> button.
</para>
</sect2>
@ -249,17 +251,17 @@ into the text field the name of the share to be created, then click on the
<title>Printers Settings</title>
<para>
To affect a currenly configured printer, simply click on the pull down button between the
<emphasis>Choose Printer</emphasis> and the <emphasis>Delete Printer</emphasis> buttons,
To affect a currently configured printer, simply click on the pull down button between the
<guibutton>Choose Printer</guibutton> and the <guibutton>Delete Printer</guibutton> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<emphasis>Choose Printer</emphasis> button, to delete the share simply press the
<emphasis>Delete Printer</emphasis> button.
<guibutton>Choose Printer</guibutton> button, to delete the share simply press the
<guibutton>Delete Printer</guibutton> button.
</para>
<para>
To create a new printer, next to the button labelled <emphasis>Create Printer</emphasis> enter
To create a new printer, next to the button labelled <guibutton>Create Printer</guibutton> enter
into the text field the name of the share to be created, then click on the
<emphasis>Create Printer</emphasis> button.
<guibutton>Create Printer</guibutton> button.
</para>
</sect2>
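Review bot: two copy-paste errors from the Shares section survive in the changed lines: "to delete the share simply press the Delete Printer button" should say printer, and "the name of the share to be created" under Create Printer should be printer as well.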
@ -268,26 +270,26 @@ into the text field the name of the share to be created, then click on the
<title>The SWAT Wizard</title>
<para>
The purpose if the SWAT Wizard is to help the Microsoft knowledgable network administrator
The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
to configure Samba with a minimum of effort.
</para>
<para>
The Wizard page provides a tool for rewiting the smb.conf file in fully optimised format.
The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
This will also happen if you press the commit button. The two differ in the the rewrite button
ignores any changes that may have been made, while the Commit button causes all changes to be
affected.
</para>
<para>
The <emphasis>Edit</emphasis> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working samba server.
The <guibutton>Edit</guibutton> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working Samba server.
</para>
<para>
Finally, there are a limited set of options that will determine what type of server samba
Finally, there are a limited set of options that will determine what type of server Samba
will be configured for, whether it will be a WINS server, participate as a WINS client, or
operate with no WINS support. By clicking on one button you can elect to epose (or not) user
operate with no WINS support. By clicking on one button you can elect to expose (or not) user
home directories.
</para>
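Review bot: "The purpose if the SWAT Wizard" on the first changed line should be "purpose of"; "in the the rewrite button" in the unchanged context has a doubled "the", and "the commit button" there refers to what the rest of the chapter now marks as `<guibutton>Commit Changes</guibutton>`.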
@ -298,7 +300,7 @@ home directories.
<para>
The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
The key daemons that create the samba server environment are: <command> smbd, nmbd, winbindd</command>.
The key daemons that create the samba server environment are: &smbd;, &nmbd;, &winbindd;.
</para>
<para>
@ -319,8 +321,8 @@ free files that may be locked.
<title>The View Page</title>
<para>
This page allows the administrator to view the optimised smb.conf file and if you are
particularly massochistic will permit you also to see all possible global configuration
This page allows the administrator to view the optimised &smb.conf; file and, if you are
particularly masochistic, will permit you also to see all possible global configuration
parameters and their settings.
</para>
@ -337,7 +339,7 @@ this tool to change a local password for a user account.
<para>
When logged in as a non-root account the user will have to provide the old password as well as
the new password (twice). When logged in as <command>root</command> only the new password is
the new password (twice). When logged in as <emphasis>root</emphasis> only the new password is
required.
</para>


@ -10,16 +10,16 @@
<para>
Before you continue reading in this section, please make sure that you are comfortable
with configuring a Samba Domain Controller as described in the
<ulink url="Samba-PDC-HOWTO.html">Domain Control Chapter</ulink>.
<link linkend="samba-pdc">Domain Control</link> chapter.
</para>
<sect1>
<title>Features And Benefits</title>
<para>
This is one of the most difficult chapters to summarise. It matters not what we say here
This is one of the most difficult chapters to summarise. It does not matter what we say here
for someone will still draw conclusions and / or approach the Samba-Team with expectations
that are either not yet capable of being delivered, or that can be achieved for more
that are either not yet capable of being delivered, or that can be achieved far more
effectively using a totally different approach. Since this HOWTO is already so large and
extensive, we have taken the decision to provide sufficient (but not comprehensive)
information regarding Backup Domain Control. In the event that you should have a persistent
@ -46,7 +46,7 @@ The use of a non-LDAP backend SAM database is particularly problematic because D
servers and workstations periodically change the machine trust account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
as a BDC, the PDC instance of the Domain member trust account password will not reach the
as a BDC, the BDC instance of the Domain member trust account password will not reach the
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in
overwriting of the SAM that contains the updated (changed) trust account password with resulting
breakage of the domain trust.
@ -74,7 +74,7 @@ lets consider each possible option and look at the pro's and con's for each theo
</listitem>
<listitem><para>
Passdb Backend is tdbsam based, BDCs use cron based "net rcp vampire" to
Passdb Backend is tdbsam based, BDCs use cron based "net rpc vampire" to
suck down the Accounts database from the PDC
</para>
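Review bot: fixing "net rcp" to "net rpc" is right; the quoted command should also be `<command>net rpc vampire</command>` rather than double quotes, matching the markup used elsewhere in this change.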
@ -131,7 +131,7 @@ provided this capability. The technology has become known as the LanMan Netlogon
</para>
<para>
When MS Windows NT3.10 was first released it supported an new style of Domain Control
When MS Windows NT3.10 was first released, it supported an new style of Domain Control
and with it a new form of the network logon service that has extended functionality.
This service became known as the NT NetLogon Service. The nature of this service has
changed with the evolution of MS Windows NT and today provides a very complex array of
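Review bot: "supported an new style" on the changed line should be "a new style".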
@ -142,11 +142,11 @@ services that are implemented over a complex spectrum of technologies.
<title>MS Windows NT4 Style Domain Control</title>
<para>
Whenever a user logs into a Windows NT4 / 200x / XP Profresional Workstation,
Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate
the username and password that the user entered are valid. If the information entered
does not validate against the account information that has been stored in the Domain
Control database (the SAM, or Security Accounts Manager database) then a set of error
Control database (the SAM, or Security Account Manager database) then a set of error
codes is returned to the workstation that has made the authentication request.
</para>
@ -177,7 +177,7 @@ There are two situations in which it is desirable to install Backup Domain Contr
<itemizedlist>
<listitem><para>
On the local network that the Primary Domain Controller is on if there are many
On the local network that the Primary Domain Controller is on, if there are many
workstations and/or where the PDC is generally very busy. In this case the BDCs
will pick up network logon requests and help to add robustness to network services.
</para></listitem>
@ -198,7 +198,7 @@ has the PDC, the change will likely be made directly to the PDC instance of the
copy of the SAM. In the event that this update may be performed in a branch office the
change will likely be stored in a delta file on the local BDC. The BDC will then send
a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
request the delta from the BDC and apply it to the master SAM. THe PDC will then contact
request the delta from the BDC and apply it to the master SAM. The PDC will then contact
all the BDCs in the Domain and trigger them to obtain the update and then apply that to
their own copy of the SAM.
</para>
@ -225,7 +225,7 @@ Server Manager for Domains.
<para>
Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some
parameters in the [global]-section of the smb.conf have to be set:
parameters in the <parameter>[global]</parameter>-section of the &smb.conf; have to be set:
</para>
<para><programlisting>
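Review bot: `<parameter>[global]</parameter>` marks a section header as a parameter, which it is not; the same applies to [homes] and [netlogon] in the next hunk. Until there is a dedicated element for smb.conf sections, `<literal>` is the safer choice.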
@ -235,9 +235,9 @@ parameters in the [global]-section of the smb.conf have to be set:
</programlisting></para>
<para>
Several other things like a [homes] and a [netlogon] share also need to be set along with
Several other things like a <parameter>[homes]</parameter> and a <parameter>[netlogon]</parameter> share also need to be set along with
settings for the profile path, the users home drive, etc.. This will not be covered in this
chapter, for more information please refer to the chapter on Domain Control.
chapter, for more information please refer to the chapter on <link linkend="samba-pdc">Domain Control</link>.
</para>
</sect3>
@ -251,7 +251,7 @@ As of the release of MS Windows 2000 and Active Directory, this information is n
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
act as a Backup Domain Contoller to an Active Directory Domain Controller.
act as a Backup Domain Controller to an Active Directory Domain Controller.
</para>
</sect2>
@ -280,7 +280,7 @@ by doing a NetBIOS name query for the group name SAMBA&lt;#1c&gt;. It assumes th
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller, for valdation.
password) to the local Domain Controller, for validation.
</para>
</sect2>
@ -306,8 +306,12 @@ Several things have to be done:
<para>
To retrieve the domain SID from the PDC or an existing BDC and store it in the
secrets.tdb, execute 'net rpc getsid' on the BDC.
</para></listitem>
secrets.tdb, execute:
</para>
<screen>
&rootprompt;<userinput>net rpc getsid</userinput>
</screen>
</listitem>
<listitem><para>
The Unix user database has to be synchronized from the PDC to the
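Review bot: moving `net rpc getsid` into a `<screen>` drops the words "on the BDC" from the original sentence, so it is no longer stated where the command is run; "execute the following on the BDC:" keeps that. It would also help to show which server the command is run against, since the hunk says the SID comes "from the PDC or an existing BDC" but the bare command does not show how that server is chosen.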
@ -316,14 +320,18 @@ Several things have to be done:
whenever changes are made, or the PDC is set up as a NIS master
server and the BDC as a NIS slave server. To set up the BDC as a
mere NIS client would not be enough, as the BDC would not be able to
access its user database in case of a PDC failure.
access its user database in case of a PDC failure. NIS is by no means
the only method to synchronize passwords. An LDAP solution would work
as well.
</para>
</listitem>
<listitem><para>
The Samba password database in the file private/smbpasswd has to be
replicated from the PDC to the BDC. This is a bit tricky, see the
next section.
The Samba password database has to be replicated from the PDC to the BDC.
As said above, though possible to synchronise the <filename>smbpasswd</filename>
file with rsync and ssh, this method is broken and flawed, and is
therefore not recommended. A better solution is to set up slave LDAP
servers for each BDC and a master LDAP server for the PDC.
</para></listitem>
<listitem><para>
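Review bot: "As said above, though possible to synchronise the smbpasswd file with rsync and ssh, this method is broken and flawed" points at an explanation that actually appears further down, in the smbpasswd replication section; the old "see the next section" pointer was dropped, so add a cross-reference there (the reason, machine trust account passwords changed on the BDC never reaching the PDC, is given in the earlier paragraph on non-LDAP backends). "though possible" reads better as "although it is possible". Stating the LDAP recommendation here is good.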
@ -343,14 +351,13 @@ Finally, the BDC has to be found by the workstations. This can be done by settin
</para>
<para><programlisting>
<title>Essential Parameters for BDC Operation</title>
workgroup = SAMBA
domain master = no
domain logons = yes
</programlisting></para>
<para>
in the [global]-section of the smb.conf of the BDC. This makes the BDC
in the <parameter>[global]</parameter>-section of the &smb.conf; of the BDC. This makes the BDC
only register the name SAMBA&lt;#1c&gt; with the WINS server. This is no
problem as the name SAMBA&lt;#1c&gt; is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter 'domain master =
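Review bot: removing the `<title>` from inside `<programlisting>` is right, since programlisting does not allow a title; if the "Essential Parameters for BDC Operation" caption is wanted, wrap the listing in `<example><title>...</title>...</example>` instead. The [global] on the changed line has the same `<parameter>` misuse noted earlier.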
@ -365,7 +372,7 @@ name is reserved for the Primary Domain Controller.
<title>Common Errors</title>
<para>
As this is a rather new area for Samba there are not many examples thta we may refer to. Keep
As this is a rather new area for Samba there are not many examples that we may refer to. Keep
watching for updates to this section.
</para>
@ -379,7 +386,12 @@ are not copied back to the central server. The newer machine account password is
written when the SAM is copied from the PDC. The result is that the Domain member machine
on start up will find that it's passwords does not match the one now in the database and
since the startup security check will now fail, this machine will not allow logon attempts
to procede and the account expiry error will be reported.
to proceed and the account expiry error will be reported.
</para>
<para>
The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
an slave LDAP server for each BDC, and a master LDAP server for the PDC.
</para>
</sect2>
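Review bot: "an slave LDAP server" in the added paragraph should be "a slave LDAP server". The unchanged context "it's passwords does not match" should read "its password does not match".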
@ -419,10 +431,16 @@ has to be replicated to the BDC. So replicating the smbpasswd file very often is
As the smbpasswd file contains plain text password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
Ssh itself can be set up to accept *only* rsync transfer without requiring the user
Ssh itself can be set up to accept <emphasis>only</emphasis> rsync transfer without requiring the user
to type a password.
</para>
<para>
As said a few times before, use of this method is broken and flawed. Machine trust
accounts will go out of sync, resulting in a very broken domain. This method is
<emphasis>not</emphasis> recommended. Try using LDAP instead.
</para>
</sect2>
<sect2>
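Review bot: the new "not recommended" paragraph lands at the end of a section that still walks the reader through setting up rsync over ssh for smbpasswd, the same method the BDC checklist earlier in this change calls "broken and flawed"; put the caveat at the top of the section, ideally as a `<warning>`, so nobody follows the steps before reaching it. "As said a few times before" is also odd phrasing for documentation; name the issue (machine trust account passwords changed on the BDC are overwritten when the SAM is copied) instead. The `<emphasis>only</emphasis>` change is fine, but the point in that sentence, that ssh should accept nothing but the rsync transfer, is the security control here and deserves a concrete configuration example rather than a one-liner.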


@ -17,7 +17,7 @@
<formalpara><title><emphasis>The Essence of Learning:</emphasis></title>
<para>
There are many who approach MS Windows networking with incredible misconceptions.
That's OK, because it give the rest of us plenty of opportunity to be of assistance.
That's OK, because it gives the rest of us plenty of opportunity to be of assistance.
Those who really want help would be well advised to become familiar with information
that is already available.
</para>
@ -33,34 +33,34 @@ that in some magical way is expected to solve all ills.
</para>
<para>
From the Samba mailing list one can readilly identify many common networking issues.
From the Samba mailing list one can readily identify many common networking issues.
If you are not clear on the following subjects, then it will do much good to read the
sections of this HOWTO that deal with it. These are the most common causes of MS Windows
networking problems:
</para>
<itemizedlist>
<listitem><para>Basic TCP/IP configuration</para></listitem>
<listitem><para>NetBIOS name resolution</para></listitem>
<listitem><para>Authentication configuration</para></listitem>
<listitem><para>User and Group configuration</para></listitem>
<listitem><para>Basic File and Directory Permission Control in Unix/Linux</para></listitem>
<listitem><para>Understanding of how MS Windows clients interoperate in a network
environment</para></listitem>
</itemizedlist>
<simplelist>
<member>Basic TCP/IP configuration</member>
<member>NetBIOS name resolution</member>
<member>Authentication configuration</member>
<member>User and Group configuration</member>
<member>Basic File and Directory Permission Control in Unix/Linux</member>
<member>Understanding of how MS Windows clients interoperate in a network
environment</member>
</simplelist>
<para>
Do not be put off, on the surface of it MS Windows networking seems so simple that any fool
Do not be put off; on the surface of it MS Windows networking seems so simple that any fool
can do it. In fact, it is not a good idea to set up an MS Windows network with
inadequate training and preparation. But let's get our first indelible principle out of the
way: <emphasis>It is perfectly OK to make mistakes!</emphasis> In the right place and at
the right time, mistakes are the essence of learning. It is <emphasis>very much</emphasis>
not Ok to make mistakes that cause loss of productivity and impose an avoidable financial
not ok to make mistakes that cause loss of productivity and impose an avoidable financial
burden on an organisation.
</para>
<para>
Where is the right place to make mistakes? Only out of harms' way! If you are going to
Where is the right place to make mistakes? Only out of harm's way! If you are going to
make mistakes, then please do this on a test network, away from users and in such a way as
to not inflict pain on others. Do your learning on a test network.
</para>
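Review bot: "not ok" on the changed line is now inconsistent with "perfectly OK" three lines above; keep "OK" in both places. The `<simplelist>` switch is fine, and "harm's way" and "readily" fix real errors.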
@ -73,7 +73,7 @@ to not inflict pain on others. Do your learning on a test network.
</para>
<para>
In a word, <emphasis>Single Sign On</emphasis>, or SSO for short. This to many is the holy
In a word, <emphasis>Single Sign On</emphasis>, or SSO for short. To many, this is the holy
grail of MS Windows NT and beyond networking. SSO allows users in a well designed network
to log onto any workstation that is a member of the domain that their user account is in
(or in a domain that has an appropriate trust relationship with the domain they are visiting)
@ -90,8 +90,8 @@ The benefits of Domain security are fully available to those sites that deploy a
Network clients of an MS Windows Domain security environment must be Domain members to be
able to gain access to the advanced features provided. Domain membership involves more than just
setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
for the workstation (called a machine account). Please refer to the chapter on Domain Membership
for more information.
for the workstation (called a machine account). Please refer to the chapter on
<link linkend="domain-member">Domain Membership</link> for more information.
</para></note>
<para>
@ -106,20 +106,20 @@ The following functionalities are new to the Samba-3 release:
<listitem><para>
Adding users via the User Manager for Domains. This can be done on any MS Windows
client using the Nexus toolkit that is available from Microsoft's web site.
At some later date Samba-3 may get support for the use of the Microsoft Manangement
At some later date Samba-3 may get support for the use of the Microsoft Management
Console for user management.
</para></listitem>
<listitem><para>
Introduces replaceable and multiple user account (authentication)
back ends. In the case where the back end is placed in an LDAP database
back ends. In the case where the back end is placed in an LDAP database,
Samba-3 confers the benefits of a back end that can be distributed, replicated,
and highly scalable.
and is highly scalable.
</para></listitem>
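Review bot: the rewritten clause "a back end that can be distributed, replicated, and is highly scalable" still mixes "can be" with "is"; suggest "a back end that can be distributed and replicated and that is highly scalable".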
<listitem><para>
Implements full Unicode support. This simplifies cross locale internationalisation
support. It also opens up the use of protocols that samba-2.2.x had but could not use due
support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
to the need to fully support Unicode.
</para></listitem>
</itemizedlist>
@ -140,7 +140,7 @@ The following functionalities are NOT provided by Samba-3:
Active Directory Domain Control ability that is at this time
purely experimental <emphasis>AND</emphasis> that is certain
to change as it becomes a fully supported feature some time
during the samba-3 (or later) life cycle.
during the Samba-3 (or later) life cycle.
</para></listitem>
</itemizedlist>
@ -149,24 +149,26 @@ Windows 9x / Me / XP Home clients are not true members of a domain for reasons o
in this chapter. The protocol for support of Windows 9x / Me style network (domain) logons
is completely different from NT4 / Win2k type domain logons and has been officially supported
for some time. These clients use the old LanMan Network Logon facilities that are supported
in Samba since approximately the samba-1.9.15 series.
in Samba since approximately the Samba-1.9.15 series.
</para>
<para>
Samba-3 has an implementation of group mapping between Windows NT groups
and Unix groups (this is really quite complicated to explain in a short space) this is
discussed more fully in a chapter dedicated to this topic..
and Unix groups (this is really quite complicated to explain in a short space). This is
discussed more fully in the <link linkend="groupmapping">Group Mapping</link> chapter.
</para>
<para>
A Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
user and machine trust account information in a suitable backend data store. With Samba-3
there can be multiple back-ends for this including:
</para>
<!-- FIXME: Doesn't this belong in passdb.xml ? -->
<itemizedlist>
<listitem><para>
<emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
<emphasis>smbpasswd</emphasis> - the plain ASCII file stored used by
earlier versions of Samba. This file configuration option requires
a Unix/Linux system account for EVERY entry (ie: both for user and for
machine accounts). This file will be located in the <emphasis>private</emphasis>
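Review bot: the smbpasswd entry still reads "the plain ASCII file stored used by earlier versions of Samba"; "stored" is a leftover and should be dropped while the line is being touched. The FIXME about moving this list into passdb.xml is still open, so either resolve it in this commit or leave a pointer that the authoritative list is the one in the Account Information Database chapter.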
@ -176,8 +178,8 @@ there can be multiple back-ends for this including:
<listitem><para>
<emphasis>tdbsam</emphasis> - a binary database backend that will be
stored in the <emphasis>private</emphasis> directory in a file called
<emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
file is that it can store binary objects that can not be accomodated
<emphasis>passdb.tdb</emphasis>. The key benefit of this binary format
file is that it can store binary objects that can not be accommodated
in the traditional plain text smbpasswd file. These permit the extended
account controls that MS Windows NT4 and later also have.
</para></listitem>
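Review bot: the filename fix to passdb.tdb is correct and worth keeping; while this entry is open, "can not be accommodated" should be "cannot be accommodated", and it would help to state that this file sits in the same private directory the smbpasswd entry above mentions, since readers looking for the account store need to know where it lives.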
@ -194,13 +196,13 @@ there can be multiple back-ends for this including:
<listitem><para>
<emphasis>ldapsam_compat</emphasis> - An LDAP back-end that maintains backwards
compatibility with the behaviour of samba-2.2.x. You should use this in the process
of mirgrating from samba-2.2.x to samba-3 if you do not want to rebuild your LDAP
of migrating from samba-2.2.x to samba-3 if you do not want to rebuild your LDAP
database.
</para></listitem>
</itemizedlist>
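Review bot: this hunk fixes "migrating" but leaves "samba-2.2.x" and "samba-3" in lowercase on the same line, while the other hunks in this file (the Unicode item and the Active Directory item) standardise on "Samba-2.2.x" and "Samba-3"; apply the same capitalisation here.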
<para>
Read the chapter about the <link linkend="passdb">User Database</link> for details
Read the chapter about <link linkend="passdb">Account Information Database</link> for details
regarding the choices available and how to configure them.
</para>
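Review bot: the new sentence "Read the chapter about Account Information Database for details" drops the article the old text had; suggest "Read the chapter about the Account Information Database" or "Read the Account Information Database chapter".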
@ -220,8 +222,8 @@ to the default configuration.
<title>Basics of Domain Control</title>
<para>
Over the years public perceptions of what Domain Control really is has taken on an
almost mystical nature. Before we branch into a brief overview of Domain Control
Over the years, public perceptions of what Domain Control really is has taken on an
almost mystical nature. Before we branch into a brief overview of Domain Control,
there are three basic types of domain controllers:
</para>
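Review bot: "public perceptions of what Domain Control really is has taken on" pairs a plural subject with a singular verb; it should be "perceptions ... have taken on". The added comma after "Domain Control" does not rescue "Before we branch into a brief overview of Domain Control, there are three basic types", which promises an overview and then delivers a list; "Before we go further, note that there are three basic types of domain controllers:" reads cleanly.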
@ -238,22 +240,22 @@ there are three basic types of domain controllers:
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS
Windows NT4 and Windows 200x Domain Control architecture, but not in the manner that so many
expect. There is folk lore that dictates that because of it's role in the MS Windows
network that the PDC should be the most powerful and most capable machine in the network.
network, the PDC should be the most powerful and most capable machine in the network.
As strange as it may seem to say this here, good over all network performance dictates that
the entire infrastructure needs to be balanced. It is advisable to invest more in the Backup
Domain Controllers and Stand-Alone (or Domain Member) servers than in the PDC.
</para>
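Review bot: the unchanged line just above the rewrite still has "because of it's role" (should be "its"), and "good over all network performance" should be "good overall network performance"; both sit inside this hunk's context and are cheap to fix now.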
<para>
In the case of MS Windows NT4 style domaines it is the PDC seeds the Domain Control database,
a part of the Windows registry called the SAM (Security Accounts Management). It plays a key
In the case of MS Windows NT4 style domains, it is the PDC seeds the Domain Control database,
a part of the Windows registry called the SAM (Security Account Manager). It plays a key
part in NT4 type domain user authentication and in synchronisation of the domain authentication
database with Backup Domain Controllers.
</para>
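Review bot: "it is the PDC seeds the Domain Control database" is missing "that" ("it is the PDC that seeds ..."). The SAM expansion to "Security Account Manager" is the correct one; keep it.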
<para>
With MS Windows 200x Server based Active Directory domains, one domain controller seeds a potential
hierachy of domain controllers, each with their own area of delegated control. The master domain
hierarchy of domain controllers, each with their own area of delegated control. The master domain
controller has the ability to override any down-stream controller, but a down-line controller has
control only over it's down-line. With Samba-3 this functionality can be implemented using an
LDAP based user and machine account back end.
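Review bot: "each with their own area of delegated control" should be "each with its own area", and the unchanged context line two lines down still has "control only over it's down-line" (should be "its").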
@ -262,9 +264,9 @@ LDAP based user and machine account back end.
<para>
New to Samba-3 is the ability to use a back-end database that holds the same type of data as
the NT4 style SAM (Security Account Manager) database (one of the registry files).
The samba-3 SAM can be specified via the smb.conf file parameter
<emphasis>passwd backend</emphasis> and valid options include
<emphasis>smbpasswd, tdbsam, ldapsam, nisplussam, xmlsam, mysqlsam, plugin, guest</emphasis>.
The Samba-3 SAM can be specified via the smb.conf file parameter
<parameter>passwd backend</parameter> and valid options include
<emphasis>smbpasswd, tdbsam, ldapsam, nisplussam, xmlsam, mysqlsam, guest</emphasis>.
</para>
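Review bot: the smb.conf parameter is "passdb backend", not "passwd backend", so the new `<parameter>passwd backend</parameter>` markup now highlights a name that does not exist; the rest of this section (the "passdb" linkend and the passdb.tdb filename) already uses the right spelling. A reader who copies "passwd backend" into smb.conf gets an unknown-parameter warning and the default backend rather than the one they intended, which matters when the intent was to move account data off the plain smbpasswd file.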
<para>
@ -272,23 +274,23 @@ The <emphasis>Backup Domain Controller</emphasis> or BDC plays a key role in ser
authentication requests. The BDC is biased to answer logon requests in preference to the PDC.
On a network segment that has a BDC and a PDC the BDC will be most likely to service network
logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
A BDC can be promoted to a PDC. If the PDC is on line at the time that the BDC is promoted to
PDC the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
operation, the PDB and BDC must be manually configured and changes need to be made likewise.
A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
operation; the PDC and BDC must be manually configured and changes need to be made likewise.
</para>
<para>
With MS Windows NT4 it is an install time decision what type of machine the server will be.
It is possible to change the promote a BDC to a PDC and vica versa only, but the only way
With MS Windows NT4, it is an install time decision what type of machine the server will be.
It is possible to change the promote a BDC to a PDC and vice versa only, but the only way
to convert a domain controller to a domain member server or a stand-alone server is to
reinstall it. The install time choices offered are:
</para>
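Review bot: "It is possible to change the promote a BDC to a PDC and vice versa only" is still garbled after the "vice versa" fix; suggest "It is possible to promote a BDC to a PDC and vice versa, but the only way to convert a domain controller to a domain member server or a stand-alone server is to reinstall it."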
<itemizedlist>
<listitem><para>Primary Domain Controller - The one that seeds the domain SAM</para></listitem>
<listitem><para>Backup Domain Controller - One that obtains a copy of the domain SAM</para></listitem>
<listitem><para>Domain Member Server - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
<listitem><para>Stand-Alone Server - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</para></listitem>
<listitem><para><emphasis>Primary Domain Controller</emphasis> - The one that seeds the domain SAM</para></listitem>
<listitem><para><emphasis>Backup Domain Controller</emphasis> - One that obtains a copy of the domain SAM</para></listitem>
<listitem><para><emphasis>Domain Member Server</emphasis> - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
<listitem><para><emphasis>Stand-Alone Server</emphasis> - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</para></listitem>
</itemizedlist>
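Review bot: the Stand-Alone Server item carries two errors through the markup change: "plays NO part is SAM synchronisation" should be "in", and "has it's own authentication database" should be "its". In the Domain Member Server item, "rather it obtains" reads better as "rather, it obtains".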
<para>
@ -300,14 +302,14 @@ Active Directory domain.
<para>
New to Samba-3 is the ability to function fully as an MS Windows NT4 style Domain Controller,
excluding the SAM replication components. However, please be aware that Samba-3 support the
MS Windows 200x domain control protcols also.
MS Windows 200x domain control protocols also.
</para>
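Review bot: the unchanged context line above the fix still says "Samba-3 support the MS Windows 200x domain control protocols" (should be "supports"). Since the very next paragraph warns that any ADS Domain Controller capability is limited and experimental, this sentence should be qualified so the two paragraphs do not read as contradicting each other.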
<para>
At this time any appearance that Samba-3 is capable of acting as an
<emphasis>ADS Domain Controller</emphasis> is limited and experimental in nature.
This functionality should not be used until the samba-team offers formal support for it.
At such a time, the documentation will be revised to duely reflect all configuration and
This functionality should not be used until the Samba-Team offers formal support for it.
At such a time, the documentation will be revised to duly reflect all configuration and
management requirements.
</para>
@ -329,14 +331,14 @@ other than the machine being configured so that the network configuration has a
for it's workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
mode of configuration there are NO machine trust accounts and any concept of membership as such
is limited to the fact that all machines appear in the network neighbourhood to be logically
groupped together. Again, just to be clear: WORKGROUP MODE DOES NOT INVOLVE ANY SECURITY MACHINE
ACCOUNTS.
grouped together. Again, just to be clear: <emphasis>workgroup mode does not involve any security machine
accounts</emphasis>.
</para>
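Review bot: "for it's workgroup entry" in the context line should be "its". Replacing the shouted capitals with `<emphasis>` is the right call; the same treatment should be applied to the remaining all-caps warnings later in this chapter ("IF A SECURE NETWORK IS WANTED", "HOW to make your MS Windows clients Domain members") so the emphasis style is consistent.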
<para>
Domain member machines have a machine account in the Domain accounts database. A special procedure
must be followed on each machine to affect Domain membership. This procedure, which can be done
only by the local machine Adminisistrator account, will create the Domain machine account (if
only by the local machine Administrator account, will create the Domain machine account (if
if does not exist), and then initializes that account. When the client first logs onto the
Domain it triggers a machine password change.
</para>
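Review bot: besides the "Administrator" spelling, this paragraph has "to affect Domain membership" (should be "effect", i.e. bring about) and "if if does not exist" (should be "if it does not exist"); both are in the context lines of this hunk.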
@ -344,8 +346,9 @@ Domain it triggers a machine password change.
<note><para>
When running a Domain all MS Windows NT / 200x / XP Professional clients should be configured
as full Domain Members - IF A SECURE NETWORK IS WANTED. If the machine is NOT made a member of the
Domain, then it will operate like a workgroup (stand-alone) machine. Please refer to the chapter
on Domain Membership for information regarding HOW to make your MS Windows clients Domain members.
Domain, then it will operate like a workgroup (stand-alone) machine. Please refer the
<link linkend="domain-member">Domain Membership</link> chapter for information regarding
HOW to make your MS Windows clients Domain members.
</para></note>
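Review bot: the rewrite drops a word: "Please refer the Domain Membership chapter" needs "to" ("Please refer to the Domain Membership chapter"). The original sentence had it.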
<para>
@ -353,85 +356,40 @@ The following are necessary for configuring Samba-3 as an MS Windows NT4 style P
NT4 / 200x / XP clients.
</para>
<orderedlist>
<listitem><para>
Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
<listitem><para>
Consistent configuration of Name Resolution (See chapter on Browsing and on
MS Windows network Integration)
</para></listitem>
<listitem><para>
Domain logons for Windows NT4 / 200x / XP Professional clients
</para></listitem>
<listitem><para>
Configuration of Roaming Profiles or explicit configuration to force local profile usage
</para></listitem>
<listitem><para>
Configuration of Network/System Policies
</para></listitem>
<listitem><para>
Adding and managing domain user accounts
</para></listitem>
<listitem><para>
Configuring MS Windows client machines to become domain members
</para></listitem>
</orderedlist>
<simplelist>
<member>Configuration of basic TCP/IP and MS Windows Networking</member>
<member>Correct designation of the Server Role (<parameter>security = user</parameter>)</member>
<member>Consistent configuration of Name Resolution (See chapter on <link linkend="NetworkBrowsing">Browsing</link> and on
<link linkend="integrate-ms-networks">MS Windows network Integration</link>)</member>
<member>Domain logons for Windows NT4 / 200x / XP Professional clients</member>
<member>Configuration of Roaming Profiles or explicit configuration to force local profile usage</member>
<member>Configuration of Network/System Policies</member>
<member>Adding and managing domain user accounts</member>
<member>Configuring MS Windows client machines to become domain members</member>
</simplelist>
<para>
The following provisions are required to serve MS Windows 9x / Me Clients:
</para>
<orderedlist>
<listitem><para>
Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
<listitem><para>
Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really particpate in the security aspects of Domain logons as such)
</para></listitem>
<listitem><para>
Roaming Profile Configuration
</para></listitem>
<listitem><para>
Configuration of System Policy handling
</para></listitem>
<listitem><para>
Installation of the Network driver "Client for MS Windows Networks" and configuration
to log onto the domain
</para></listitem>
<listitem><para>
Placing Windows 9x / Me clients in user level security - if it is desired to allow
all client share access to be controlled according to domain user / group identities.
</para></listitem>
<listitem><para>
Adding and managing domain user accounts
</para></listitem>
</orderedlist>
<simplelist>
<member>Configuration of basic TCP/IP and MS Windows Networking</member>
<member>Correct designation of the Server Role (<parameter>security = user</parameter>)</member>
<member>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really participate in the security aspects of Domain logons as such)</member>
<member>Roaming Profile Configuration</member>
<member>Configuration of System Policy handling</member>
<member>Installation of the Network driver "Client for MS Windows Networks" and configuration
to log onto the domain</member>
<member>Placing Windows 9x / Me clients in user level security - if it is desired to allow
all client share access to be controlled according to domain user / group identities.</member>
<member>Adding and managing domain user accounts</member>
</simplelist>
<note><para>
Roaming Profiles and System/Network policies are advanced network administration topics
that are covered separately in this document. However, these are not necessarily specific
that are covered in the <link linkend="ProfileMgmt">Profile Management</link> and
<link linkend="PolicyMgmt">Policy Management</link> chapters of this document. However, these are not necessarily specific
to a Samba PDC as much as they are related to Windows NT networking concepts.
</para></note>
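Review bot: converting both `<orderedlist>` blocks to `<simplelist>` drops the step numbers. That is fine if these are prerequisites rather than a sequence, but the introductory sentence calls them "necessary for configuring Samba-3 as an MS Windows NT4 style PDC", which reads like a checklist, so a short note that the order is not significant would help. The second list's "Windows 9x / XP Home are not technically domain members" should match the heading "MS Windows 9x / Me Clients", and the new linkends (NetworkBrowsing, integrate-ms-networks, ProfileMgmt, PolicyMgmt) must exist as ids in the other chapters or these links will not resolve.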
@ -441,7 +399,7 @@ A Domain Controller is an SMB/CIFS server that:
<itemizedlist>
<listitem><para>
Advertises and registers itself as a Domain Controller (Through NetBIOS broadcasts
Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
to a WINS server over UDP unicast, or via DNS and Active Directory)
</para></listitem>
@ -458,8 +416,8 @@ A Domain Controller is an SMB/CIFS server that:
</itemizedlist>
<para>
For samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
the NETLOGON service which samba calls the <emphasis>domain logons</emphasis> functionality
For Samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
the NETLOGON service which Samba calls the <emphasis>domain logons</emphasis> functionality
(after the name of the parameter in the &smb.conf; file). Additionally, one (1) server in a Samba-3
Domain must advertise itself as the domain master browser. This causes the Primary Domain Controller
to claim domain specific NetBIOS name that identifies it as a domain master browser for its given
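Review bot: "For Samba to provide these is rather easy to configure" is an awkward construction that the capitalisation fix leaves in place; "Configuring Samba to provide these is rather easy" says the same thing. In the context line, "to claim domain specific NetBIOS name" is missing "the".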
@ -557,12 +515,12 @@ There are a couple of points to emphasize in the above configuration.
<itemizedlist>
<listitem><para>
Encrypted passwords must be enabled. For more details on how
to do this, refer to <link linkend="passdb">the User Database chapter</link>.
to do this, refer to <link linkend="passdb">Account Information Database chapter</link>.
</para></listitem>
<listitem><para>
The server must support domain logons and have a
<filename>[netlogon]</filename> share
<parameter>[netlogon]</parameter> share
</para></listitem>
<listitem><para>
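Review bot: "refer to Account Information Database chapter" needs "the" ("refer to the Account Information Database chapter"). Separately, `[netlogon]` is a share section name rather than an smb.conf parameter, so `<parameter>` is an odd choice of markup; `<literal>` would avoid implying it is a settable option.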
@ -579,12 +537,12 @@ There are a couple of points to emphasize in the above configuration.
<title>Samba ADS Domain Control</title>
<para>
Samba-3 is not and can not act as an Active Directory Server. It can not truely function as
Samba-3 is not and can not act as an Active Directory Server. It can not truly function as
an Active Directory Primary Domain Controller. The protocols for some of the functionality
the Active Directory Domain Controllers is have been partially implemented on an experiemental
the Active Directory Domain Controllers is have been partially implemented on an experimental
only basis. Please do NOT expect Samba-3 to support these protocols - nor should you depend
on any such functionality either now or in the future. The Samba-Team may well remove such
experiemental features or may change their behaviour.
experimental features or may change their behaviour.
</para>
</sect1>
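Review bot: the "experimental" spelling fixes leave the core sentence broken: "The protocols for some of the functionality the Active Directory Domain Controllers is have been partially implemented" should read "The protocols for some of the functionality that Active Directory Domain Controllers have has been partially implemented" or, simpler, "Some of the protocols used by Active Directory Domain Controllers have been partially implemented on an experimental basis".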
@ -602,8 +560,8 @@ an integral part of the essential functionality that is provided by a Domain Con
<para>
All Domain Controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba. One Domain Controller must be configured with <emphasis>domain master = Yes</emphasis>
(the Primary Domain Controller), on ALL Backup Domain Controllers <emphasis>domain master = No</emphasis>
in Samba). One Domain Controller must be configured with <parameter>domain master = Yes</parameter>
(the Primary Domain Controller); on ALL Backup Domain Controllers <parameter>domain master = No</parameter>
must be set.
</para>
@ -611,9 +569,7 @@ must be set.
<title>Example Configuration</title>
<programlisting>
<title> A minimal configuration to support Domain Logons</title>
<para>
[globals]
[global]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)
@ -622,7 +578,6 @@ must be set.
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
</para>
</programlisting>
</sect3>
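Review bot: removing the `<para>` from inside `<programlisting>` is right, but the `<title>` left inside the listing is not valid DocBook either; wrap the listing in an `<example>` and move the title there. The `[globals]` to `[global]` fix is correct and matters: smbd would treat "[globals]" as a share definition rather than the global section, so none of the settings under it would apply globally. Also "domain master = (Yes on PDC, No on BDCs)" is not a literal value, so a comment in the listing should say that readers must substitute Yes or No.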
@ -677,7 +632,7 @@ which are the focus of this section.
</para>
<para>
When an SMB client in a domain wishes to logon it broadcast requests for a
When an SMB client in a domain wishes to logon, it broadcasts requests for a
logon server. The first one to reply gets the job, and validates its
password using whatever mechanism the Samba administrator has installed.
It is possible (but very stupid) to create a domain where the user
@ -710,7 +665,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;#1c&gt; at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
\\SERVER.
<filename>\\SERVER</filename>.
</para>
</listitem>
@ -730,7 +685,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<listitem>
<para>
The client then connects to the NetLogon share and searches for this
The client then connects to the NetLogon share and searches for said script
and if it is found and can be read, is retrieved and executed by the client.
After this, the client disconnects from the NetLogon share.
</para>
@ -740,7 +695,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<para>
The client then sends a NetUserGetInfo request to the server, to retrieve
the user's home share, which is used to search for profiles. Since the
response to the NetUserGetInfo request does not contain much more then
response to the NetUserGetInfo request does not contain much more than
the user's home share, profiles for Win9X clients MUST reside in the user
home directory.
</para>
@ -750,7 +705,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<para>
The client then connects to the user's home share and searches for the
user's profile. As it turns out, you can specify the user's home share as
a sharename and path. For example, \\server\fred\.winprofile.
a sharename and path. For example, <filename>\\server\fred\.winprofile</filename>.
If the profiles are found, they are implemented.
</para>
</listitem>
@ -758,7 +713,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<listitem>
<para>
The client then disconnects from the user's home share, and reconnects to
the NetLogon share and looks for CONFIG.POL, the policies file. If this is
the NetLogon share and looks for <filename>CONFIG.POL</filename>, the policies file. If this is
found, it is read and implemented.
</para>
</listitem>
@ -782,7 +737,7 @@ The main difference between a PDC and a Windows 9x logon server configuration is
</itemizedlist>
<para>
A Samba PDC will act as a Windows 9x logon server, after all it does provide the
A Samba PDC will act as a Windows 9x logon server; after all, it does provide the
network logon services that MS Windows 9x / Me expect to find.
</para>
@ -816,12 +771,12 @@ For this reason, it is very wise to configure the Samba DC as the DMB.
<para>
Now back to the issue of configuring a Samba DC to use a mode other
than <emphasis>security = user</emphasis>. If a Samba host is configured to use
than <parameter>security = user</parameter>. If a Samba host is configured to use
another SMB server or DC in order to validate user connection
requests, then it is a fact that some other machine on the network
(the <emphasis>password server</emphasis>) knows more about the user than the Samba host.
(the <parameter>password server</parameter>) knows more about the user than the Samba host.
99% of the time, this other host is a domain controller. Now
in order to operate in domain mode security, the <emphasis>workgroup</emphasis> parameter
in order to operate in domain mode security, the <parameter>workgroup</parameter> parameter
must be set to the name of the Windows NT domain (which already
has a domain controller). If the domain does NOT already have a Domain Controller
then you do not yet have a Domain!
@ -830,7 +785,7 @@ then you do not yet have a Domain!
<para>
Configuring a Samba box as a DC for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba DC
to be the DMB for its domain and set <emphasis>security = user</emphasis>.
to be the DMB for its domain and set <parameter>security = user</parameter>.
This is the only officially supported mode of operation.
</para>
@ -844,15 +799,15 @@ This is the only officially supported mode of operation.
<sect2>
<title>I cannot include a '$' in a machine name</title>
<para>
A 'machine name' in (typically) <filename>/etc/passwd</filename>
of the machine name with a '$' appended. FreeBSD (and other BSD
A 'machine account', (typically) stored in <filename>/etc/passwd</filename>,
takes the form of the machine name with a '$' appended. FreeBSD (and other BSD
systems?) won't create a user with a '$' in their name.
</para>
<para>
The problem is only in the program used to make the entry. Once made, it works perfectly.
Create a user without the '$' using <command>vipw</command> to edit the entry, adding
the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID!
Create a user without the '$'. Then use <command>vipw</command> to edit the entry, adding
the '$'. Or create the whole entry with vipw if you like; make sure you use a unique User ID!
</para>
</sect2>
@ -868,9 +823,9 @@ to a share (or IPC$) on the Samba PDC. The following command
will remove all network drive connections:
</para>
<para>
<prompt>C:\WINNT\></prompt> <command>net use * /d</command>
</para>
<screen>
<prompt>C:\WINNT\></prompt> <userinput>net use * /d</userinput>
</screen>
<para>
Further, if the machine is already a 'member of a workgroup' that
@ -884,15 +839,15 @@ does not matter what, reboot, and try again.
<title>The system can not log you on (C000019B)....</title>
<para>I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, "The system
to a newer version of the Samba code I get the message, <errorname>The system
can not log you on (C000019B), Please try again or consult your
system administrator" when attempting to logon.
system administrator</errorname> when attempting to logon.
</para>
<para>
This occurs when the domain SID stored in the secrets.tdb database
is changed. The most common cause of a change in domain SID is when
the domain name and/or the server name (netbios name) is changed.
the domain name and/or the server name (NetBIOS name) is changed.
The only way to correct the problem is to restore the original domain
SID or remove the domain client from the domain and rejoin. The domain
SID may be reset using either the net or rpcclient utilities.
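Review bot: the `<errorname>` markup is fine; "secrets.tdb" two lines down is a filename and should get `<filename>` like the other paths changed in this commit. The last sentence says the SID "may be reset using either the net or rpcclient utilities", but the example that follows only shows net; either add the rpcclient form or drop the mention.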
@ -901,10 +856,10 @@ SID may be reset using either the net or rpcclient utilities.
<para>
The reset or change the domain SID you can use the net command as follows:
<programlisting>
net getlocalsid 'OLDNAME'
net setlocalsid 'SID'
</programlisting>
<screen>
&rootprompt;<userinput>net getlocalsid 'OLDNAME'</userinput>
&rootprompt;<userinput>net setlocalsid 'SID'</userinput>
</screen>
</para>
</sect2>
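Review bot: the context line introducing the commands still says "The reset or change the domain SID" (should be "To reset or change"). The `<screen>` conversion is good; confirm the `&rootprompt;` entity is declared in the entity set this build uses, since an undefined entity stops the XML parse.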
@ -914,8 +869,8 @@ The reset or change the domain SID you can use the net command as follows:
exist or is not accessible.</title>
<para>
When I try to join the domain I get the message "The machine account
for this computer either does not exist or is not accessible". What's
When I try to join the domain I get the message <errorname>The machine account
for this computer either does not exist or is not accessible</errorname>. What's
wrong?
</para>
@ -929,13 +884,17 @@ admin user system is working.
<para>
Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
correct for the machine trust account in smbpasswd file on the Samba PDC.
correct for the machine trust account in <filename>smbpasswd</filename> file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
in both /etc/passwd and the smbpasswd file. Some people have reported
in both /etc/passwd and the smbpasswd file.
</para>
<para>
Some people have also reported
that inconsistent subnet masks between the Samba server and the NT
client have caused this problem. Make sure that these are consistent
client can cause this problem. Make sure that these are consistent
for both client and server.
</para>
</sect2>
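Review bot: the split into two paragraphs reads better; for consistency with the `<filename>smbpasswd</filename>` markup added above, "/etc/passwd and the smbpasswd file" in the same paragraph should be marked up too. "( i.e. computer_name$ )" has stray spaces inside the parentheses.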
@ -945,10 +904,18 @@ for both client and server.
I get a message about my account being disabled.</title>
<para>
At first be ensure to enable the useraccounts with <command>smbpasswd -e
%user%</command>, this is normally done, when you create an account.
Enable the user accounts with <userinput>smbpasswd -e <replaceable>username</replaceable>
</userinput>, this is normally done as an account is created.
</para>
</sect2>
<sect2>
<title>Until a few minutes after Samba has started, clients get the error "Domain Controller Unavailable"</title>
<para>
A domain controller has to announce on the network who it is. This usually takes a while.
</para>
</sect2>
</sect1>
</chapter>
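Review bot: the rewritten sentence "Enable the user accounts with smbpasswd -e username, this is normally done as an account is created" is a comma splice; make it two sentences. The closing `</userinput>` sits on its own line, so the rendered command will carry a trailing newline inside the input span; close it on the same line as "username". The new "Domain Controller Unavailable" answer is thin: the definition of a Domain Controller earlier in this chapter already describes how it "registers and advertises itself ... through NetBIOS broadcasts as well as by way of name registrations", so point to that and say that clients cannot locate the DC until those registrations have completed.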

View File

@ -10,8 +10,8 @@
<para>
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what within a Samba context, terms familiar to MS Windows
adminstrator mean. This means that it is essential also to define how critical security
use Samba will want to know what, within a Samba context, terms familiar to MS Windows
administrator mean. This means that it is essential also to define how critical security
modes function BEFORE we get into the details of how to configure the server itself.
</para>
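Review bot: "terms familiar to MS Windows administrator mean" needs an article ("to an MS Windows administrator"), and the whole sentence "will want to know what, within a Samba context, terms familiar to ... mean" would read more naturally as "will want to know what terms familiar to an MS Windows administrator mean within a Samba context".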
@ -31,21 +31,21 @@ features and benefits. These may be for or against Samba.
<para>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
hurt his toe and lodged in his sandle. He took the stone out and cursed it with a passion
hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
can turn that into a precious gem and some day it will make a princess very happy!
</para>
<para>
The moral of this tale: Two men, two very different perspectives regarding the same stone.
Like it or not, Samba is like that stone. Treated the right way and it can bring great
pleasure, but if you are forced upon it and have no time for it's secrets then it can be
Like it or not, Samba is like that stone. Treat it the right way and it can bring great
pleasure, but if you are forced upon it and have no time for its secrets then it can be
a source of discomfort.
</para>
<para>
Samba started out as a project that sought to provide interoperability for MS Windows 3.x
clients with a Unix server. It has grown up a lot since it's humble beginnings and now provides
clients with a Unix server. It has grown up a lot since its humble beginnings and now provides
features and functionality fit for large scale deployment. It also has some warts. In sections
like this one we will tell of both.
</para>
@ -92,22 +92,22 @@ So now, what are the benefits of features mentioned in this chapter?
<sect1>
<title>Server Types</title>
<para>Adminstrators of Microsoft networks often refer to there being three
<para>Administrators of Microsoft networks often refer to three
different type of servers:</para>
<itemizedlist>
<listitem><para>Domain Controller</para>
<itemizedlist>
<listitem><para>Primary Domain Controller</para></listitem>
<listitem><para>Backup Domain Controller</para></listitem>
<listitem><para>ADS Domain Controller</para></listitem>
</itemizedlist>
<simplelist>
<member>Primary Domain Controller</member>
<member>Backup Domain Controller</member>
<member>ADS Domain Controller</member>
</simplelist>
</listitem>
<listitem><para>Domain Member Server</para>
<itemizedlist>
<listitem><para>Active Directory Member Server</para></listitem>
<listitem><para>NT4 Style Domain Member Server</para></listitem>
</itemizedlist>
<simplelist>
<member>Active Directory Member Server</member>
<member>NT4 Style Domain Member Server</member>
</simplelist>
</listitem>
<listitem><para>Stand Alone Server</para></listitem>
</itemizedlist>
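Review bot: "three different type of servers" still needs "types". Replacing the nested `<itemizedlist>` elements with `<simplelist>` changes the rendering (a `<simplelist>` is laid out in columns by default rather than as bullets), so check that the output still reads as sub-items of the outer bulleted list.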
@ -125,26 +125,27 @@ presented.
<title>Samba Security Modes</title>
<para>
In this section the function and purpose of Samba's <emphasis>security</emphasis>
modes are described. An acurate understanding of how Samba implements each security
In this section the function and purpose of Samba's <parameter>security</parameter>
modes are described. An accurate understanding of how Samba implements each security
mode as well as how to configure MS Windows clients for each mode will significantly
reduce user complaints and administrator heartache.
</para>
<para>
There are in the SMB/CIFS networking world only two types of security: <emphasis>USER Level</emphasis>
and <emphasis>SHARE Level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>. In implementing these two <emphasis>security levels</emphasis> samba provides flexibilities
In the SMB/CIFS networking world, there are only two types of security: <emphasis>USER Level</emphasis>
and <emphasis>SHARE Level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>. In implementing these two <emphasis>security levels</emphasis> Samba provides flexibilities
that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of five (5)
ways that allow the security levels to be implemented. In actual fact, Samba implements
<emphasis>SHARE Level</emphasis> security only one way, but has for ways of implementing
<emphasis>USER Level</emphasis> security. Collectively, we call the samba implementations
<emphasis>Security Modes</emphasis>. These are: <emphasis>SHARE, USER, DOMAIN, ADS, and SERVER</emphasis>
<emphasis>SHARE Level</emphasis> security only one way, but has four ways of implementing
<emphasis>USER Level</emphasis> security. Collectively, we call the Samba implementations
<emphasis>Security Modes</emphasis>. These are: <emphasis>SHARE</emphasis>, <emphasis>USER</emphasis>, <emphasis>DOMAIN</emphasis>,
<emphasis>ADS</emphasis>, and <emphasis>SERVER</emphasis>
modes. They are documented in this chapter.
</para>
<para>
A SMB server tells the client at startup what <emphasis>security level</emphasis>
it is running. There are two options <emphasis>share level</emphasis> and
A SMB server tells the client at startup what <parameter>security level</parameter>
it is running. There are two options: <emphasis>share level</emphasis> and
<emphasis>user level</emphasis>. Which of these two the client receives affects
the way the client then tries to authenticate itself. It does not directly affect
(to any great extent) the way the Samba server does security. This may sound strange,
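Review bot: `<parameter>security level</parameter>` in "what security level it is running" is the wrong markup: the &smb.conf; parameter is `security`, which this hunk marks correctly as `<parameter>security</parameter>` at the top of the section, while "security level" is the protocol concept and should remain `<emphasis>` like the surrounding text. Also "A SMB server" should be "An SMB server".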
@ -157,8 +158,8 @@ available and whether an action is allowed.
<title>User Level Security</title>
<para>
We will describe<emphasis>user level</emphasis> security first, as its simpler.
In <emphasis>user level</emphasis> security the client will send a
We will describe <parameter>user level</parameter> security first, as it's simpler.
In <emphasis>user level</emphasis> security, the client will send a
<emphasis>session setup</emphasis> command directly after the protocol negotiation.
This contains a username and password. The server can either accept or reject that
username/password combination. Note that at this stage the server has no idea what
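Review bot: same markup problem as the previous hunk: `<parameter>user level</parameter>` tags a concept, not an &smb.conf; parameter, and the very next line keeps `<emphasis>user level</emphasis>`, so the two lines disagree with each other.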
@ -180,7 +181,7 @@ specified in the <emphasis>session setup</emphasis>.
<para>
It is also possible for a client to send multiple <emphasis>session setup</emphasis>
requests. When the server responds it gives the client a <emphasis>uid</emphasis> to use
requests. When the server responds, it gives the client a <emphasis>uid</emphasis> to use
as an authentication tag for that username/password. The client can maintain multiple
authentication contexts in this way (WinDD is an example of an application that does this).
</para>
@ -207,14 +208,14 @@ This is the default setting since samba-2.2.x.
<title>Share Level Security</title>
<para>
Ok, now for share level security. In share level security the client authenticates
Ok, now for share level security. In share level security, the client authenticates
itself separately for each share. It will send a password along with each
<emphasis>tree connection</emphasis> (share mount). It does not explicitly send a
username with this operation. The client is expecting a password to be associated
with each share, independent of the user. This means that samba has to work out what
username with this operation. The client expects a password to be associated
with each share, independent of the user. This means that Samba has to work out what
username the client probably wants to use. It is never explicitly sent the username.
Some commercial SMB servers such as NT actually associate passwords directly with
shares in share level security, but samba always uses the unix authentication scheme
shares in share level security, but Samba always uses the unix authentication scheme
where it is a username/password pair that is authenticated, not a share/password pair.
</para>
@ -230,7 +231,7 @@ level security. They normally send a valid username but no password. Samba recor
this username in a list of <emphasis>possible usernames</emphasis>. When the client
then does a <emphasis>tree connection</emphasis> it also adds to this list the name
of the share they try to connect to (useful for home directories) and any users
listed in the <command>user =</command> &smb.conf; line. The password is then checked
listed in the <parameter>user =</parameter> &smb.conf; line. The password is then checked
in turn against these <emphasis>possible usernames</emphasis>. If a match is found
then the client is authenticated as that user.
</para>
@ -247,8 +248,8 @@ The &smb.conf; parameter that sets <emphasis>Share Level Security</emphasis> is:
</programlisting></para>
<para>
Plese note that there are reports that recent MS Widows clients do not like to work
with share mode security servers. You are strongly discouraged from use of this parameter.
Please note that there are reports that recent MS Windows clients do not like to work
with share mode security servers. You are strongly discouraged from using share level security.
</para>
</sect3>
@ -258,7 +259,7 @@ with share mode security servers. You are strongly discouraged from use of this
<title>Domain Security Mode (User Level Security)</title>
<para>
When samba is operating in <emphasis>security = domain</emphasis> mode this means that
When Samba is operating in <parameter>security = domain</parameter> mode,
the Samba server has a domain security trust account (a machine account) and will cause
all authentication requests to be passed through to the domain controllers.
</para>
@ -274,58 +275,48 @@ This method involves addition of the following parameters in the &smb.conf; file
</para>
<para><programlisting>
encrypt passwords = Yes
security = domain
workgroup = "name_of_NT_domain"
password server = *
</programlisting></para>
<para>
The use of the "*" argument to <command>password server</command> will cause samba to locate the
domain controller in a way analogous to the way this is done within MS Windows NT.
This is the default behaviour.
</para>
<para>
In order for this method to work the Samba server needs to join the MS Windows NT
In order for this method to work, the Samba server needs to join the MS Windows NT
security domain. This is done as follows:
</para>
<itemizedlist>
<listitem><para>On the MS Windows NT domain controller using
the Server Manager add a machine account for the Samba server.
</para></listitem>
<procedure>
<step><para>On the MS Windows NT domain controller, using
the Server Manager, add a machine account for the Samba server.
</para></step>
<listitem><para>Next, on the Unix/Linux system execute:</para>
<para><programlisting>
<command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> (samba 2.x)
<step><para>Next, on the Unix/Linux system execute:</para>
<command>net join -U administrator%password</command> (samba-3)
</programlisting>
</para>
</listitem>
</itemizedlist>
<para>&rootprompt;<userinput>smbpasswd -j DOMAIN_NAME -r PDC_NAME</userinput> (samba-2.x)</para>
<para>&rootprompt;<userinput>net join -U administrator%password</userinput> (samba-3)</para>
</step>
</procedure>
<note><para>
As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just
by executing:
<programlisting>
smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password
</programlisting>
<screen>
&rootprompt;<userinput>smbpasswd -j <replaceable>DOMAIN_NAME</replaceable> -r <replaceable>PDC_NAME</replaceable> -U Administrator%<replaceable>password</replaceable></userinput>
</screen>
As of Samba-3 the same can be done by executing:
<programlisting>
net join -U Administrator%password
</programlisting>
It is not necessary with Samba-3 to specify the DOMAIN_NAME or the PDC_NAME as it figures this
out from the smb.conf file settings.
<screen>
&rootprompt;<userinput>net join -U Administrator%<replaceable>password</replaceable></userinput>
</screen>
It is not necessary with Samba-3 to specify the <replaceable>DOMAIN_NAME</replaceable> or the <replaceable>PDC_NAME</replaceable> as it
figures this out from the &smb.conf; file settings.
</para></note>
<para>
Use of this mode of authentication does require there to be a standard Unix account
for the user in order to assign a uid once the account has been authenticated by
for each user in order to assign a UID once the account has been authenticated by
the remote Windows DC. This account can be blocked to prevent logons by clients other than
MS Windows through things such as setting an invalid shell in the
MS Windows through means such as setting an invalid shell in the
<filename>/etc/passwd</filename> entry.
</para>
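Review bot: both join examples put the administrator password on the command line (`-U Administrator%password`), which leaves it in the shell history and visible in process listings for the duration of the command; the text should mention that omitting the `%password` part makes `net` prompt for it. Separately, the `smbpasswd -j` and `net join` commands in the second `<step>` are now plain `<para>` text with `&rootprompt;` while the note directly below uses `<screen>` for the same commands; use one verbatim element for both so they render alike.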
@ -335,6 +326,11 @@ presented in the <link linkend="winbind">Winbind Overview</link> chapter
in this HOWTO collection.
</para>
<para>
For more information of being a domain member, see the <link linkend="domain-member">Domain
Member</link> section of this Howto.
</para>
</sect3>
</sect2>
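Review bot: "For more information of being a domain member" should read "on being a domain member".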
@ -342,7 +338,7 @@ in this HOWTO collection.
<title>ADS Security Mode (User Level Security)</title>
<para>
Both Samba 2.2 and 3.0 can join an active directory domain. This is
Both Samba 2.2 and 3.0 can join an Active Directory domain. This is
possible even if the domain is run in native mode. Active Directory in
native mode perfectly allows NT4-style domain members, contrary to
popular belief. The only thing that Active Directory in native mode
@ -362,21 +358,22 @@ AD-member mode can accept Kerberos.
<sect3>
<title>Example Configuration</title>
<para>
<programlisting>
<para><programlisting>
realm = your.kerberos.REALM
security = ADS
encrypt passwords = Yes
The following parameter may be required:
ads server = your.kerberos.server
</programlisting>
</para>
</programlisting></para>
<para>
Please refer to the Domain Membership section, Active Directory Membership for more information
regarding this configuration option.
The following parameter may be required:
</para>
<para><programlisting>
ads server = your.kerberos.server
</programlisting></para>
<para>
Please refer to the <link linkend="domain-member">Domain Membership</link> and <link linkend="ads-member">Active Directory
Membership</link> sections for more information regarding this configuration option.
</para>
</sect3>
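Review bot: `your.kerberos.REALM` and `your.kerberos.server` are placeholders but are not wrapped in `<replaceable>`, unlike `DOMAIN_NAME` and `PDC_NAME` in the domain-join section of the same file; mark them the same way. The realm placeholder should also be shown fully upper-case, since Kerberos realm names are conventionally written in upper case and the value must match the realm exactly.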
@ -386,28 +383,28 @@ regarding this configuration option.
<title>Server Security (User Level Security)</title>
<para>
Server level security is a left over from the time when Samba was not capable of acting
as a domain member server. It is highly recommended NOT to use this feature. Server level
security has many draw backs. The draw backs include:
Server security mode is a left over from the time when Samba was not capable of acting
as a domain member server. It is highly recommended NOT to use this feature. Server
security mode has many draw backs. The draw backs include:
</para>
<itemizedlist>
<listitem><para>Potential Account Lockout on MS Windows NT4/200x password servers</para></listitem>
<listitem><para>Lack of assurance that the password server is the one specified</para></listitem>
<listitem><para>Does not work with Winbind, particularly needed when storing profiles remotely</para></listitem>
<listitem><para>This mode may open connections to the password server, and keep them open for extended periods.</para></listitem>
<listitem><para>Security on the samba server breaks badly when the remote password server suddenly shuts down</para></listitem>
<listitem><para>With this mode there is NO security account in the domain that the password server belongs to for the samba server.</para></listitem>
</itemizedlist>
<simplelist>
<member>Potential Account Lockout on MS Windows NT4/200x password servers</member>
<member>Lack of assurance that the password server is the one specified</member>
<member>Does not work with Winbind, particularly needed when storing profiles remotely</member>
<member>This mode may open connections to the password server, and keep them open for extended periods.</member>
<member>Security on the Samba server breaks badly when the remote password server suddenly shuts down</member>
<member>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</member>
</simplelist>
<para>
In server level security the samba server reports to the client that it is in user level
In server security mode the Samba server reports to the client that it is in user level
security. The client then does a <emphasis>session setup</emphasis> as described earlier.
The samba server takes the username/password that the client sends and attempts to login to the
<emphasis>password server</emphasis> by sending exactly the same username/password that
it got from the client. If that server is in user level security and accepts the password
then samba accepts the clients connection. This allows the samba server to use another SMB
server as the <emphasis>password server</emphasis>.
The Samba server takes the username/password that the client sends and attempts to login to the
<parameter>password server</parameter> by sending exactly the same username/password that
it got from the client. If that server is in user level security and accepts the password,
then Samba accepts the clients connection. This allows the Samba server to use another SMB
server as the <parameter>password server</parameter>.
</para>
<para>
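Review bot: "draw backs" (twice) should be "drawbacks", and "the clients connection" needs an apostrophe. The new `<simplelist>` is also inconsistent in punctuation: two members end with a full stop and four do not.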
@ -418,21 +415,21 @@ passwords in encrypted form. Samba supports this type of encryption by default.
</para>
<para>
The parameter <emphasis>security = server</emphasis> means that Samba reports to clients that
The parameter <parameter>security = server</parameter> means that Samba reports to clients that
it is running in <emphasis>user mode</emphasis> but actually passes off all authentication
requests to another <emphasis>user mode</emphasis> server. This requires an additional
parameter <emphasis>password server</emphasis> that points to the real authentication server.
parameter <parameter>password server</parameter> that points to the real authentication server.
That real authentication server can be another Samba server or can be a Windows NT server,
the later natively capable of encrypted password support.
</para>
<note><para>
When Samba is running in <emphasis>server level</emphasis> security it is essential that
the parameter <emphasis>password server</emphasis> is set to the precise netbios machine
When Samba is running in <emphasis>server security mode</emphasis> it is essential that
the parameter <emphasis>password server</emphasis> is set to the precise NetBIOS machine
name of the target authentication server. Samba can NOT determine this from NetBIOS name
lookups because the choice of the target authentication server arbitrary and can not
be determined from a domain name. In essence a samba server that is in
<emphasis>server level</emphasis> security is operating in what used to be known as
lookups because the choice of the target authentication server is arbitrary and can not
be determined from a domain name. In essence, a Samba server that is in
<emphasis>server security mode</emphasis> is operating in what used to be known as
workgroup mode.
</para></note>
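Review bot: "the later natively capable" should be "the latter". In the `<note>`, `<emphasis>password server</emphasis>` was left unchanged even though the same parameter name was converted to `<parameter>` three lines earlier in this hunk; convert it as well. "can not" is better written "cannot".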
@ -454,8 +451,8 @@ This method involves the additions of the following parameters in the &smb.conf;
<para>
There are two ways of identifying whether or not a username and password pair was valid
or not. One uses the reply information provided as part of the authentication messaging
There are two ways of identifying whether or not a username and password pair was valid.
One uses the reply information provided as part of the authentication messaging
process, the other uses just an error code.
</para>
@ -469,7 +466,7 @@ certain number of failed authentication attempts this will result in user lockou
<para>
Use of this mode of authentication does require there to be a standard Unix account
for the user, this account can be blocked to prevent logons by other than MS Windows clients.
for the user, though this account can be blocked to prevent logons by non-SMB/CIFS clients.
</para>
</sect3>
@ -481,15 +478,15 @@ for the user, this account can be blocked to prevent logons by other than MS Win
<title>Seamless Windows Network Integration</title>
<para>
MS Windows clients may use encrypted passwords as part of a challenege/response
MS Windows clients may use encrypted passwords as part of a challenge/response
authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear text strings for simple
password based authentication. It should be realized that with the SMB protocol
password based authentication. It should be realized that with the SMB protocol,
the password is passed over the network either in plain text or encrypted, but
not both in the same authentication request.
</para>
<para>
When encrypted passwords are used a password that has been entered by the user
When encrypted passwords are used, a password that has been entered by the user
is encrypted in two ways:
</para>
@ -499,10 +496,10 @@ is encrypted in two ways:
</para></listitem>
<listitem><para>The password is converted to upper case,
and then padded or trucated to 14 bytes. This string is
and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56 bit DES keys to encrypt a "magic" 8 byte value.
The resulting 16 bytes for the LanMan hash.
The resulting 16 bytes form the LanMan hash.
</para></listitem>
</itemizedlist>
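Review bot: the LanMan hash description does not add up: after padding or truncating to 14 bytes, appending 5 NUL bytes gives 19 bytes, which cannot be split into two 56-bit DES keys. The 14-byte string is split directly into two 7-byte halves, each of which becomes one 56-bit DES key used to encrypt the 8-byte constant; the sentence about the 5 appended NULL characters should be dropped, not just have its typo fixed.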
@ -530,29 +527,29 @@ is definitely not a good idea to re-enable plain text password support in such c
</para>
<para>
The following parameters can be used to work around the issue of Windows 9x client
The following parameters can be used to work around the issue of Windows 9x clients
upper casing usernames and password before transmitting them to the SMB server
when using clear text authentication.
</para>
<para><programlisting>
<ulink url="smb.conf.5.html#PASSWORDLEVEL">passsword level</ulink> = <replaceable>integer</replaceable>
<ulink url="smb.conf.5.html#PASSWORDLEVEL">password level</ulink> = <replaceable>integer</replaceable>
<ulink url="smb.conf.5.html#USERNAMELEVEL">username level</ulink> = <replaceable>integer</replaceable>
</programlisting></para>
<para>
By default Samba will lower case the username before attempting to lookup the user
in the database of local system accounts. Because UNIX usernames conventionally
only contain lower case character, the <parameter>username level</parameter> parameter
only contain lower-case characters, the <parameter>username level</parameter> parameter
is rarely needed.
</para>
<para>
However, passwords on UNIX systems often make use of mixed case characters.
However, passwords on UNIX systems often make use of mixed-case characters.
This means that in order for a user on a Windows 9x client to connect to a Samba
server using clear text authentication, the <parameter>password level</parameter>
must be set to the maximum number of upper case letter which <emphasis>could</emphasis>
appear is a password. Note that the server OS uses the traditional DES version
must be set to the maximum number of upper case letters which <emphasis>could</emphasis>
appear in a password. Note that the server OS uses the traditional DES version
of crypt(), a <parameter>password level</parameter> of 8 will result in case
insensitive passwords as seen from Windows users. This will also result in longer
login times as Samba has to compute the permutations of the password string and
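Review bot: "Note that the server OS uses the traditional DES version of crypt(), a password level of 8 will result in ..." is missing its conditional; it should read "Note that if the server OS uses ...". Given that the paragraph itself says a level of 8 makes passwords case-insensitive from the Windows side and multiplies login time, it would help to state plainly that `password level` should be kept as low as possible, as the slow-logins paragraph in the performance chapter already advises.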
@ -560,7 +557,7 @@ try them one by one until a match is located (or all combinations fail).
</para>
<para>
The best option to adopt is to enable support for encrypted passwords where ever
The best option to adopt is to enable support for encrypted passwords wherever
Samba is used. Most attempts to apply the registry change to re-enable plain text
passwords will eventually lead to user complaints and unhappiness.
</para>
@ -572,15 +569,15 @@ passwords will eventually lead to user complaints and unhappiness.
<para>
We all make mistakes. It is Ok to make mistakes, so long as they are made in the right places
and at the right time. A mistake that causes lost productivity is seldom tollerated. A mistake
and at the right time. A mistake that causes lost productivity is seldom tolerated. A mistake
made in a developmental test lab is expected.
</para>
<para>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the samba mailing lists. Many of these are avoidable by doing you homework before attempting
a Samba implementation. Some are the result of misundertanding of the English language. The
English language has many terms of phrase that are potentially vague and may be highly confusing
on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting
a Samba implementation. Some are the result of misunderstanding of the English language. The
English language has many turns of phrase that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</para>
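Review bot: "doing you homework" should be "doing your homework"; the hunk corrected "misundertanding" and "terms of phrase" on the neighbouring line but left this one.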
@ -588,10 +585,10 @@ to those for whom English is not their native tongue.
<title>What makes Samba a SERVER?</title>
<para>
To some the nature of the samba <emphasis>security</emphasis> mode is very obvious, but entirely
wrong all the same. It is assumed that <emphasis>security = server</emphasis> means that Samba
will act as a server. Not so! See above - this setting means that samba will <emphasis>try</emphasis>
to use another SMB server as it's source of user authentication alone.
To some the nature of the Samba <emphasis>security</emphasis> mode is very obvious, but entirely
wrong all the same. It is assumed that <parameter>security = server</parameter> means that Samba
will act as a server. Not so! See above - this setting means that Samba will <emphasis>try</emphasis>
to use another SMB server as its source of user authentication alone.
</para>
</sect2>
@ -600,8 +597,8 @@ to use another SMB server as it's source of user authentication alone.
<title>What makes Samba a Domain Controller?</title>
<para>
The &smb.conf; parameter <emphasis>security = domain</emphasis> does NOT really make Samba behave
as a Domain Controller! This setting means we want samba to be a domain member!
The &smb.conf; parameter <parameter>security = domain</parameter> does NOT really make Samba behave
as a Domain Controller! This setting means we want Samba to be a domain member!
</para>
</sect2>
@ -610,8 +607,28 @@ as a Domain Controller! This setting means we want samba to be a domain member!
<title>What makes Samba a Domain Member?</title>
<para>
Guess! So many others do. But whatever you do, do NOT think that <emphasis>security = user</emphasis>
makes Samba act as a domain member. Read the manufacturers manual before the warranty expires!
Guess! So many others do. But whatever you do, do NOT think that <parameter>security = user</parameter>
makes Samba act as a domain member. Read the manufacturers manual before the warranty expires! See
the <link linkend="domain-member">Domain Member</link> section of this Howto for more information.
</para>
</sect2>
<sect2>
<title>Constantly Losing Connections to Password Server</title>
<para>
Why does server_validate() simply give up rather than re-establishing its connection to the
password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
process passes along to its client workstation the session key it receives from the password
server, which means the password hashes submitted by the client would not work on a subsequent
connection, whose session key would be different. So server_validate() must give up.
</para>
<para>
Indeed. That's why security = server is at best a nasty hack. Please use security = domain.
<parameter>security = server</parameter> mode is also known as pass-through authentication.
</para>
</sect2>
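Review bot: the new "Constantly Losing Connections to Password Server" entry is a pasted mailing-list exchange: the first paragraph is a first-person question ("Though I am not fluent in the SMB protocol") and the second opens with "Indeed.", and in a HOWTO neither is attributed. Either restate it as a single explanation (server_validate() cannot simply reconnect because a new connection to the password server negotiates a different session key, so the hashes the client already submitted would no longer validate) or mark it as quoted. In the same paragraph the first `security = server` and `security = domain` lack the `<parameter>` markup that the following sentence uses, and "manufacturers manual" in the previous section needs an apostrophe.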


@ -9,9 +9,10 @@
</affiliation>
</author>
&author.jelmer;
&author.jht;
</chapterinfo>
<title>Samba performance issues</title>
<title>Samba Performance Tuning</title>
<sect1>
<title>Comparisons</title>
@ -28,7 +29,7 @@ SMB server.
If you want to test against something like a NT or WfWg server then
you will have to disable all but TCP on either the client or
server. Otherwise you may well be using a totally different protocol
(such as Netbeui) and comparisons may not be valid.
(such as NetBEUI) and comparisons may not be valid.
</para>
<para>
@ -58,11 +59,11 @@ performance of a TCP based server like Samba.
<para>
The socket options that Samba uses are settable both on the command
line with the -O option, or in the smb.conf file.
line with the <option>-O</option> option, or in the &smb.conf; file.
</para>
<para>
The <command>socket options</command> section of the &smb.conf; manual page describes how
The <parameter>socket options</parameter> section of the &smb.conf; manual page describes how
to set these and gives recommendations.
</para>
@ -75,7 +76,7 @@ much. The correct settings are very dependent on your local network.
<para>
The socket option TCP_NODELAY is the one that seems to make the
biggest single difference for most networks. Many people report that
adding <command>socket options = TCP_NODELAY</command> doubles the read
adding <parameter>socket options = TCP_NODELAY</parameter> doubles the read
performance of a Samba drive. The best explanation I have seen for this is
that the Microsoft TCP/IP stack is slow in sending tcp ACKs.
</para>
@ -86,7 +87,7 @@ that the Microsoft TCP/IP stack is slow in sending tcp ACKs.
<title>Read size</title>
<para>
The option <command>read size</command> affects the overlap of disk
The option <parameter>read size</parameter> affects the overlap of disk
reads/writes with network reads/writes. If the amount of data being
transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and
SMBreadbraw) is larger than this value then the server begins writing
@ -114,9 +115,9 @@ pointless and will cause you to allocate memory unnecessarily.
<title>Max xmit</title>
<para>
At startup the client and server negotiate a <command>maximum transmit</command> size,
At startup the client and server negotiate a <parameter>maximum transmit</parameter> size,
which limits the size of nearly all SMB commands. You can set the
maximum size that Samba will negotiate using the <command>max xmit = </command> option
maximum size that Samba will negotiate using the <parameter>max xmit = </parameter> option
in &smb.conf;. Note that this is the maximum size of SMB requests that
Samba will accept, but not the maximum size that the *client* will accept.
The client maximum receive size is sent to Samba by the client and Samba
@ -139,7 +140,7 @@ In most cases the default is the best option.
<title>Log level</title>
<para>
If you set the log level (also known as <command>debug level</command>) higher than 2
If you set the log level (also known as <parameter>debug level</parameter>) higher than 2
then you may suffer a large drop in performance. This is because the
server flushes the log file after each operation, which can be very
expensive.
@ -150,20 +151,20 @@ expensive.
<title>Read raw</title>
<para>
The <command>read raw</command> operation is designed to be an optimised, low-latency
The <parameter>read raw</parameter> operation is designed to be an optimised, low-latency
file read operation. A server may choose to not support it,
however. and Samba makes support for <command>read raw</command> optional, with it
however. and Samba makes support for <parameter>read raw</parameter> optional, with it
being enabled by default.
</para>
<para>
In some cases clients don't handle <command>read raw</command> very well and actually
In some cases clients don't handle <parameter>read raw</parameter> very well and actually
get lower performance using it than they get using the conventional
read operations.
</para>
<para>
So you might like to try <command>read raw = no</command> and see what happens on your
So you might like to try <parameter>read raw = no</parameter> and see what happens on your
network. It might lower, raise or not affect your performance. Only
testing can really tell.
</para>
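Review bot: "however. and Samba makes support for read raw optional" was not fixed while the markup on the same line was changed; the full stop after "however" should be a comma, or the sentence split as "... may choose to not support it, however. Samba makes support ...".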
@ -174,14 +175,14 @@ testing can really tell.
<title>Write raw</title>
<para>
The <command>write raw</command> operation is designed to be an optimised, low-latency
The <parameter>write raw</parameter> operation is designed to be an optimised, low-latency
file write operation. A server may choose to not support it,
however. and Samba makes support for <command>write raw</command> optional, with it
however. and Samba makes support for <parameter>write raw</parameter> optional, with it
being enabled by default.
</para>
<para>
Some machines may find <command>write raw</command> slower than normal write, in which
Some machines may find <parameter>write raw</parameter> slower than normal write, in which
case you may wish to change this option.
</para>
@ -192,22 +193,11 @@ case you may wish to change this option.
<para>
Slow logins are almost always due to the password checking time. Using
the lowest practical <command>password level</command> will improve things.
the lowest practical <parameter>password level</parameter> will improve things.
</para>
</sect1>
<sect1>
<title>LDAP</title>
<para>
LDAP can be vastly improved by using the
<ulink url="smb.conf.5.html#LDAPTRUSTIDS">ldap trust ids</ulink> parameter.
</para>
</sect1>
<sect1>
<title>Client tuning</title>
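Review bot: dropping the whole LDAP sect1 leaves the chapter with no performance guidance for LDAP backends at all. If the ldap trust ids parameter the section pointed to no longer exists, replace the section with one sentence saying so rather than removing the heading silently; readers of the previous edition will otherwise look for it.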
@ -219,4 +209,62 @@ performance. Check the sections on the various clients in
</para>
</sect1>
<sect1>
<title>Samba performance problem due changing kernel</title>
<para>
Hi everyone. I am running Gentoo on my server and samba 2.2.8a. Recently
I changed kernel version from linux-2.4.19-gentoo-r10 to
linux-2.4.20-wolk4.0s. And now I have performance issue with samba. Ok
many of you will probably say that move to vanilla sources...well I tried
it too and it didn't work. I have 100mb LAN and two computers (linux +
Windows2000). Linux server shares directory with DivX files, client
(windows2000) plays them via LAN. Before when I was running 2.4.19 kernel
everything was fine, but now movies freezes and stops...I tried moving
files between server and Windows and it's terribly slow.
</para>
<para>
Grab mii-tool and check the duplex settings on the NIC.
My guess is that it is a link layer issue, not an application
layer problem. Also run ifconfig and verify that the framing
error, collisions, etc... look normal for ethernet.
</para>
</sect1>
<sect1>
<title>Corrupt tdb Files</title>
<para>
Well today it happened, Our first major problem using samba.
Our samba PDC server has been hosting 3 TB of data to our 500+ users
[Windows NT/XP] for the last 3 years using samba, no problem.
But today all shares went SLOW; very slow. Also the main smbd kept
spawning new processes so we had 1600+ running smbd's (normally we avg. 250).
It crashed the SUN E3500 cluster twice. After a lot of searching I
decided to <command>rm /var/locks/*.tdb</command>. Happy again.
</para>
<para>
Q1) Is there any method of keeping the *.tdb files in top condition or
how to early detect corruption?
</para>
<para>
A1) Yes, run <command>tdbbackup</command> each time after stopping nmbd and before starting nmbd.
</para>
<para>
Q2) What I also would like to mention is that the service latency seems
a lot lower then before the locks cleanup, any ideas on keeping it top notch?
</para>
<para>
A2) Yes! Same answer as for Q1!
</para>
</sect1>
</chapter>
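Review bot: A1 in the Corrupt tdb Files section tells the reader to run tdbbackup after stopping and before starting nmbd, but the problem described is smbd spawning 1600+ processes and the fix applied was removing the locks/*.tdb files that smbd uses, so the advice should be to stop all Samba daemons (smbd as well as nmbd) before running tdbbackup. The "rm /var/locks/*.tdb" line also deserves a caveat that it discards everything in those files, which is precisely why tdbbackup is being recommended. Title nit: "due changing kernel" should read "due to changing kernel".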

@ -5,10 +5,10 @@
<title>Stand-Alone Servers</title>
<para>
Stand-Alone servers are independant of Domain Controllers on the network.
Stand-Alone servers are independent of Domain Controllers on the network.
They are NOT domain members and function more like workgroup servers. In many
cases a stand-alone server is configured with a minimum of security control
with the intent that all data served will be readilly accessible to all users.
with the intent that all data served will be readily accessible to all users.
</para>
<sect1>
@ -54,25 +54,26 @@ USER mode.
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services. This means that machines that
use this server do NOT perform a domain logon to it. Whatever logon facility
the workstations are subject to is independant of this machine. It is however
necessary to accomodate any network user so that the logon name they use will
the workstations are subject to is independent of this machine. It is however
necessary to accommodate any network user so that the logon name they use will
be translated (mapped) locally on the stand-alone server to a locally known
user name. There are several ways this cane be done.
user name. There are several ways this can be done.
</para>
<para>
Samba tends to blur the distinction a little in respect of what is
a stand-alone server. This is because the authentication database may be
local or on a remote server, even if from the samba protocol perspective
the samba server is NOT a member of a domain security context.
local or on a remote server, even if from the Samba protocol perspective
the Samba server is NOT a member of a domain security context.
</para>
<para>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the samba server may use the local Unix/Linux system password database
(/etc/passwd or /etc/shadow), may use a local smbpasswd file, or may use
This means that the Samba server may use the local Unix/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
local smbpasswd file, or may use
an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
for authentication.
</para>
@ -99,9 +100,7 @@ nobody. No home directories are shared, that are no users in the <filename>/etc/
Unix system database. This is a very simple system to administer.
</para>
<para>
<programlisting>
<title>Share Mode Read Only Stand-Alone Server</title>
# Global parameters
[global]
workgroup = MYGROUP
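Review bot: a <title> directly inside <programlisting> is not valid DocBook (programlisting takes no title), so removing it fixes a validation problem, but the listing loses its caption "Share Mode Read Only Stand-Alone Server"; if the caption is wanted, wrap the listing as <example><title>...</title><programlisting>...</programlisting></example>. The Simple Central Print Server listing later in this file has the same construct. Check too that the enclosing <para> and the </programlisting> still pair up once the hunk at -115 removes a </para>.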
@ -115,13 +114,12 @@ Unix system database. This is a very simple system to administer.
path = /export
guest only = Yes
</programlisting>
</para>
<para>
In the above example the machine name is set to REFDOCS, the workgroup is set to the name
of the local workgroup so that the machine will appear in with systems users are familiar
with. The only password backend required is the "guest" backend so as to allow default
unprivilidged account names to be used. Given that there is a WINS server on this network
unprivileged account names to be used. Given that there is a WINS server on this network
we do use it.
</para>
@ -143,11 +141,11 @@ on your system.
<listitem><para>
The print spooling and processing system on our print server will be CUPS.
(Please refer to the chapter on printing for more information).
(Please refer to the <link linkend="CUPS-printing">CUPS Printing</link> chapter for more information).
</para></listitem>
<listitem><para>
All printers will that the print server will service will be network
All printers that the print server will service will be network
printers. They will be correctly configured, by the administrator,
in the CUPS environment.
</para></listitem>
@ -161,20 +159,20 @@ on your system.
<para>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user two things will be required:
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
</para>
<itemizedlist>
<title>Enablement for Anonymous Printing</title>
<title>Enabling Anonymous Printing</title>
<listitem><para>
The Unix/Linux system must have a <command>guest</command> account.
The default for this is usually the account <command>nobody</command>.
To find the correct name to use for your version of Samba do the
following:
<programlisting>
testparm -s -v | grep "guest account"
</programlisting>
<screen>
<prompt>$ </prompt><userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
Then make sure that this account exists in your system password
database (<filename>/etc/passwd</filename>).
</para></listitem>
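Review bot: "guest" and "nobody" here are account names, not commands, so <command>guest</command> and <command>nobody</command> use the wrong element; <literal> or <systemitem class="username"> fits. The <screen>/<prompt>/<userinput> conversion itself is consistent with the rest of the commit.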
@ -183,17 +181,16 @@ the anonymous (guest) user two things will be required:
The directory into which Samba will spool the file must have write
access for the guest account. The following commands will ensure that
this directory is available for use:
<programlisting>
mkdir /var/spool/samba
chown nobody.nobody /var/spool/samba
chmod a+rwt /var/spool/samba
</programlisting>
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
</para></listitem>
</itemizedlist>
<para>
<programlisting>
<title>Simple Central Print Server</title>
# Global parameters
[global]
workgroup = MYGROUP
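Review bot: the chown line hardcodes nobody, while the previous list item tells the reader to look the guest account up with testparm; say explicitly that the account testparm reports is the one to use in this chown. "nobody.nobody" is the GNU-only user.group spelling; "nobody:nobody" works everywhere. chmod a+rwt makes the spool world-writable with the sticky bit, which is what a shared spool needs, but one sentence explaining that this is acceptable only for a dedicated spool directory would save readers from applying it elsewhere.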

@ -33,7 +33,7 @@
<title>Configuring samba (smb.conf)</title>
<para>
Samba's configuration is stored in the smb.conf file,
Samba's configuration is stored in the &smb.conf; file,
that usually resides in <filename>/etc/samba/smb.conf</filename>
or <filename>/usr/local/samba/lib/smb.conf</filename>. You can either
edit this file yourself or do it using one of the many graphical
@ -67,7 +67,7 @@
<para>
This will allow connections by anyone with an account on the server, using either
their login name or "<command>homes</command>" as the service name.
their login name or "<parameter>homes</parameter>" as the service name.
(Note that the workgroup that Samba must also be set.)
</para>
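Review bot: the context line "(Note that the workgroup that Samba must also be set.)" is missing a verb; since this paragraph is being edited anyway, make it "(Note that the workgroup that Samba is in must also be set.)" or similar.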
@ -79,7 +79,7 @@
<para>
For more information about security settings for the
<command>[homes]</command> share please refer to the chapter
<parameter>[homes]</parameter> share please refer to the chapter
<link linkend="securing-samba">Securing Samba</link>.
</para>
@ -88,7 +88,7 @@
<para>
It's important that you test the validity of your <filename>smb.conf</filename>
file using the <application>testparm</application> program. If testparm runs OK
file using the &testparm; program. If testparm runs OK
then it will list the loaded services. If not it will give an error message.
</para>
@ -97,7 +97,7 @@
</para>
<para>
Always run testparm again when you change <filename>smb.conf</filename>!
Always run testparm again when you change &smb.conf;!
</para>
</sect3>
@ -115,7 +115,7 @@
<para>
To launch SWAT just run your favorite web browser and
point it at "http://localhost:901/". Replace
point it at <ulink url="http://localhost:901/">http://localhost:901/</ulink>. Replace
<replaceable>localhost</replaceable>
with the name of the computer you are running samba on if you
are running samba on a different computer than your browser.
@ -160,7 +160,7 @@
would be the name of the host where you installed &smbd;.
The <replaceable>aservice</replaceable> is
any service you have defined in the &smb.conf;
file. Try your user name if you just have a <command>[homes]</command>
file. Try your user name if you just have a <parameter>[homes]</parameter>
section
in &smb.conf;.</para>
@ -212,19 +212,23 @@ The following questions and issues get raised on the samba mailing list over and
<title>Why are so many smbd processes eating memory?</title>
<para>
<quote>
Site that is running Samba on an AIX box. They are sharing out about 2 terabytes using samba.
Samba was installed using smitty and the binaries. We seem to be experiencing a memory problem
with this box. When I do a svmon -Pu the monitoring program shows that smbd has several
with this box. When I do a <command>svmon -Pu</command> the monitoring program shows that &smbd; has several
processes of smbd running:
</quote>
</para>
<para>
<quote>
Is samba suppose to start this many different smbd processes? Or does it run as one smbd process? Also
is it normal for it to be taking up this much memory?
</quote>
</para>
<para>
<programlisting>
<screen>
Inuse * 4096 = amount of memory being used by this process
Pid Command Inuse Pin Pgsp Virtual 64-bit Mthrd
@ -251,34 +255,40 @@ Inuse * 4096 = amount of memory being used by this process
19110 smbd 8404 1906 181 4862 N N
Total memory used: 841,592,832 bytes
</programlisting>
</screen>
</para>
<para>
<emphasis>ANSWER:</emphasis> Samba consists on three core programs:
<emphasis>nmbd, smbd, winbindd</emphasis>. <command>nmbd</command> is the name server message daemon,
<command>smbd</command> is the server message daemon, <command>winbind</command> is the daemon that
Samba consists on three core programs:
&nmbd;, &smbd;, &winbindd;. &nmbd; is the name server message daemon,
&smbd; is the server message daemon, &winbindd; is the daemon that
handles communication with Domain Controllers.
</para>
<para>
If your system is NOT running as a WINS server, then there will be one (1) single instance of
<command>nmbd</command> running on your system. If it is running as a WINS server then there will be
&nmbd; running on your system. If it is running as a WINS server then there will be
two (2) instances - one to handle the WINS requests.
</para>
<para>
<command>smbd</command> handles ALL connection requests and then spawns a new process for each client
&smbd; handles ALL connection requests and then spawns a new process for each client
connection made. That is why you are seeing so many of them, one (1) per client connection.
</para>
<para>
<command>winbindd</command> will run as one or two daemons, depending on whether or not it is being
&winbindd; will run as one or two daemons, depending on whether or not it is being
run in "split mode" (in which case there will be two instances).
</para>
</sect2>
<sect2>
<title>I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs</title>
<para>Your loopback device isn't working correctly. Make sure it's running. </para>
</sect2>
</sect1>
</chapter>
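Review bot: "Samba consists on three core programs" should be "consists of". The winbindd paragraph mentions "split mode" without saying what it is or which parameter selects it, which a reader counting processes will want to know.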

@ -2,51 +2,77 @@
<chapterinfo>
&author.jelmer;
&author.jht;
<author><firstname>Alexander</firstname><surname>Bokovoy</surname></author>
<author><firstname>Tim</firstname><surname>Potter</surname></author>
<author><firstname>Simo</firstname><surname>Sorce</surname></author>
<author><firstname>Simo</firstname><surname>Sorce</surname><contrib>original vfs_skel README</contrib></author>
<author><firstname>Alexander</firstname><surname>Bokovoy</surname><contrib>original vfs_netatalk docs</contrib></author>
<author><firstname>Stefan</firstname><surname>Metzmacher</surname><contrib>Update for multiple modules</contrib></author>
</chapterinfo>
<title>Stackable VFS modules</title>
<sect1>
<title>Introduction and configuration</title>
<title>Features and Benefits</title>
<para>
Since samba 3.0, samba supports stackable VFS(Virtual File System) modules.
Since Samba-3, there is support for stackable VFS(Virtual File System) modules.
Samba passes each request to access the unix file system thru the loaded VFS modules.
This chapter covers all the modules that come with the samba source and references to
some external modules.
</para>
</sect1>
<sect1>
<title>Discussion</title>
<para>
You may have problems to compile these modules, as shared libraries are
compiled and linked in different ways on different systems.
They currently have been tested against GNU/linux and IRIX.
If not supplied with your platform distribution binary Samba package you may have problems
to compile these modules, as shared libraries are compiled and linked in different ways
on different systems. They currently have been tested against GNU/Linux and IRIX.
</para>
<para>
To use the VFS modules, create a share similar to the one below. The
important parameter is the <command>vfs object</command> parameter which must point to
the exact pathname of the shared library objects. For example, to log all access
to files and use a recycle bin:
important parameter is the <command>vfs objects</command> parameter where
you can list one or more VFS modules by name. For example, to log all access
to files and put deleted files in a recycle bin:
<programlisting>
[audit]
comment = Audited /data directory
path = /data
vfs object = /path/to/audit.so /path/to/recycle.so
vfs objects = audit recycle
writeable = yes
browseable = yes
</programlisting>
</para>
<para>
The modules are used in the order they are specified.
The modules are used in the order in which they are specified.
</para>
<para>
Further documentation on writing VFS modules for Samba can be found in
the Samba Developers Guide.
Samba will attempt to load modules from the <emphasis>lib</emphasis>
directory in the root directory of the samba installation (usually
<filename>/usr/lib/samba/vfs</filename> or <filename>/usr/local/samba/lib/vfs
</filename>).
</para>
<para>
Some modules can be used twice for the same share.
This can be done using a configuration similar to the one below.
<programlisting>
[test]
comment = VFS TEST
path = /data
writeable = yes
browseable = yes
vfs objects = example:example1 example example:test
example1: parameter = 1
example: parameter = 5
test: parameter = 7
</programlisting>
</para>
</sect1>
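Review bot: "The modules are used in the order in which they are specified" is ambiguous for a stack; say whether the first-listed module sees each request first, because with "vfs objects = audit recycle" that decides whether an unlink is logged before or after recycle intercepts it. Also "thru" should be "through", and the second example's parameter lines ("example1: parameter = 1") need a sentence saying that the name before the colon is the per-instance name given after "example:" in vfs objects.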
@ -56,7 +82,9 @@ the Samba Developers Guide.
<sect2>
<title>audit</title>
<para>A simple module to audit file access to the syslog
<para>
A simple module to audit file access to the syslog
facility. The following operations are logged:
<simplelist>
<member>share</member>
@ -65,10 +93,12 @@ facility. The following operations are logged:
<member>file open/close/rename/unlink/chmod</member>
</simplelist>
</para>
</sect2>
<sect2>
<title>extd_audit</title>
<para>
This module is identical with the <emphasis>audit</emphasis> module above except
that it sends audit logs to both syslog as well as the smbd log file/s. The
@ -77,7 +107,7 @@ loglevel for this module is set in the smb.conf file.
<para>
The logging information that will be written to the smbd log file is controlled by
the <emphasis>log level</emphasis> parameter in <filename>smb.conf</filename>. The
the <parameter>log level</parameter> parameter in <filename>smb.conf</filename>. The
following information will be recorded:
</para>
@ -96,8 +126,21 @@ following information will be recorded:
</sect2>
<sect2>
<title>fake_perms</title>
<para>
This module was created to allow Roaming Profile files and directories to be set (on the Samba server
under Unix) as read only. This module will if installed on the Profiles share will report to the client
that the Profile files and directories are writable. This satisfies the client even though the files
will never be overwritten as the client logs out or shuts down.
</para>
</sect2>
<sect2>
<title>recycle</title>
<para>
A recycle-bin like module. When used any unlink call
will be intercepted and files moved to the recycle
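Review bot: "This module will if installed on the Profiles share will report" doubles "will"; rewrite as "If installed on the Profiles share, this module will report to the client that the Profile files and directories are writable". It is also worth stating what the client sees when it does try to write, since the text says the files "will never be overwritten".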
@ -107,42 +150,42 @@ directory instead of being deleted.
<para>Supported options:
<variablelist>
<varlistentry>
<term>vfs_recycle_bin:repository</term>
<term>recycle:repository</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:keeptree</term>
<term>recycle:keeptree</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:versions</term>
<term>recycle:versions</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:touch</term>
<term>recycle:touch</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:maxsize</term>
<term>recycle:maxsize</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:exclude</term>
<term>recycle:exclude</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:exclude_dir</term>
<term>recycle:exclude_dir</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
<varlistentry>
<term>vfs_recycle_bin:noversions</term>
<term>recycle:noversions</term>
<listitem><para>FIXME</para></listitem>
</varlistentry>
</variablelist>
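Review bot: all eight recycle options still read FIXME after the rename from vfs_recycle_bin: to recycle:, so the rename ships without telling the user what repository, keeptree, versions, touch, maxsize, exclude, exclude_dir or noversions do; at minimum repository (where deleted files end up) should be described before this goes out.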
@ -152,6 +195,7 @@ directory instead of being deleted.
<sect2>
<title>netatalk</title>
<para>
A netatalk module, that will ease co-existence of samba and
netatalk file sharing services.
@ -160,7 +204,7 @@ netatalk file sharing services.
<para>Advantages compared to the old netatalk module:
<simplelist>
<member>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</member>
<member>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</member>
<member>if a share in &smb.conf; doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</member>
</simplelist>
</para>
@ -179,7 +223,7 @@ to have his or her own CVS tree).
</para>
<para>
No statemets about the stability or functionality of any module
No statements about the stability or functionality of any module
should be implied due to its presence here.
</para>
@ -213,18 +257,26 @@ else who wishes to create a virtual filesystem.
<sect2>
<title>vscan</title>
<para>URL: <ulink url="http://www.openantivirus.org/">http://www.openantivirus.org/</ulink></para>
<para>
samba-vscan is a proof-of-concept module for Samba, which
uses the VFS (virtual file system) features of Samba 2.2.x/3.0
alphaX. Of couse, Samba has to be compiled with VFS support.
alphaX. Of course, Samba has to be compiled with VFS support.
samba-vscan supports various virus scanners and is maintained
by Rainer Link.
</para>
</sect2>
</sect1>
<sect1>
<title>Common Errors</title>
<para>
There must be some gotchas we should record here! Jelmer???
</para>
</sect1>
</chapter>
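Review bot: the new Common Errors sect1 contains only the placeholder "There must be some gotchas we should record here! Jelmer???", which will be rendered in the published chapter; either fill it in or leave the section out until there is content.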

@ -62,7 +62,7 @@ that are specified when a file is open.
</para>
<para>
Record locking semantics under Unix is very different from record locking under
Record locking semantics under Unix are very different from record locking under
Windows. Versions of Samba before 2.2 have tried to use the native fcntl() unix
system call to implement proper record locking between different Samba clients.
This can not be fully correct due to several reasons. The simplest is the fact
@ -82,33 +82,34 @@ All other locks can not be seen by unix anyway.
<para>
Strictly a SMB server should check for locks before every read and write call on
a file. Unfortunately with the way fcntl() works this can be slow and may overstress
the rpc.lockd. It is also almost always unnecessary as clients are supposed to
the <command>rpc.lockd</command>. It is also almost always unnecessary as clients are supposed to
independently make locking calls before reads and writes anyway if locking is
important to them. By default Samba only makes locking calls when explicitly asked
to by a client, but if you set <emphasis>strict locking = yes</emphasis> then it
to by a client, but if you set <parameter>strict locking = yes</parameter> then it
will make lock checking calls on every read and write.
</para>
<para>
You can also disable by range locking completely using <emphasis>locking = no</emphasis>.
You can also disable byte range locking completely using <parameter>locking = no</parameter>.
This is useful for those shares that don't support locking or don't need it
(such as cdroms). In this case Samba fakes the return codes of locking calls to
tell clients that everything is OK.
</para>
<para>
The second class of locking is the <emphasis>deny modes</emphasis>. These
The second class of locking is the <parameter>deny modes</parameter>. These
are set by an application when it opens a file to determine what types of
access should be allowed simultaneously with its open. A client may ask for
DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility
modes called DENY_FCB and DENY_DOS.
<constant>DENY_NONE</constant>, <constant>DENY_READ</constant>,
<constant>DENY_WRITE</constant> or <constant>DENY_ALL</constant>. There are also special compatibility
modes called <constant>DENY_FCB</constant> and <constant>DENY_DOS</constant>.
</para>
<sect2>
<title>Opportunistic Locking Overview</title>
<para>
OPPORTUNISTIC LOCKING (Oplocks) is invoked by the Windows file system
Opportunistic locking (Oplocks) is invoked by the Windows file system
(as opposed to an API) via registry entries (on the server AND client)
for the purpose of enhancing network performance when accessing a file
residing on a server. Performance is enhanced by caching the file
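Review bot: "deny modes" is a concept, not an smb.conf parameter, so changing <emphasis> to <parameter> there is the wrong element (the same substitution is correct for strict locking and locking). Also "Strictly a SMB server" should be "an SMB server", and the sentence about "locking = no" faking the return codes of locking calls would benefit from stating the consequence: clients believe they hold locks that are not enforced.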
@ -149,8 +150,8 @@ other processes.
The redirector sees that the file was opened with deny
none (allowing concurrent access), verifies that no
other process is accessing the file, checks that
oplocks are enabled, then grants deny-all/read-write/ex-
clusive access to the file. The client now performs
oplocks are enabled, then grants deny-all/read-write/exclusive
access to the file. The client now performs
operations on the cached local file.
</para>
@ -339,7 +340,7 @@ exposes the file to likely data corruption.
</para>
<para>
If files are shared between Windows clients, and either loca Unix
If files are shared between Windows clients, and either local Unix
or NFS users, then turn opportunistic locking off.
</para>
@ -408,7 +409,7 @@ the share.
<title>Beware of Force User</title>
<para>
Samba includes an smb.conf parameter called "force user" that changes
Samba includes an &smb.conf; parameter called <parameter>force user</parameter> that changes
the user accessing a share from the incoming user to whatever user is
defined by the smb.conf variable. If opportunistic locking is enabled
on a share, the change in user access causes an oplock break to be sent
@ -425,7 +426,7 @@ Avoid the combination of the following:
<itemizedlist>
<listitem><para>
<emphasis>force user</emphasis> in the &smb.conf; share configuration.
<parameter>force user</parameter> in the &smb.conf; share configuration.
</para></listitem>
<listitem><para>
@ -447,8 +448,9 @@ Samba provides opportunistic locking parameters that allow the
administrator to adjust various properties of the oplock mechanism to
account for timing and usage levels. These parameters provide good
versatility for implementing oplocks in environments where they would
likely cause problems. The parameters are: <emphasis>oplock break wait time,
oplock contention limit</emphasis>.
likely cause problems. The parameters are:
<parameter>oplock break wait time</parameter>,
<parameter>oplock contention limit</parameter>.
</para>
<para>
@ -541,7 +543,7 @@ Level1 Oplocks (aka just plain "oplocks") is another term for opportunistic lock
</para>
<para>
Level2 Oplocks provids opportunistic locking for a file that will be treated as
Level2 Oplocks provides opportunistic locking for a file that will be treated as
<emphasis>read only</emphasis>. Typically this is used on files that are read-only or
on files that the client has no initial intention to write to at time of opening the file.
</para>
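Review bot: "Level2 Oplocks provides" still pairs a plural subject with a singular verb; "Level2 oplocks provide".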
@ -558,7 +560,7 @@ Unless your system supports kernel oplocks, you should disable oplocks if you ar
accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronisation of
the entire file (not just the single record), which will result in a noticable performance
the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
disable oplocks and tune your system from that point.
@ -581,7 +583,7 @@ measurable speed benefit on your network, it might not be worth the hassle of de
<title>Example Configuration</title>
<para>
In the following we examine two destinct aspects of samba locking controls.
In the following we examine two distinct aspects of Samba locking controls.
</para>
<sect3>
@ -622,7 +624,7 @@ you may want to play it safe and disable oplocks and level2 oplocks.
</sect3>
<sect3>
<title>Diabling Kernel OpLocks</title>
<title>Disabling Kernel OpLocks</title>
<para>
Kernel OpLocks is an &smb.conf; parameter that notifies Samba (if
@ -639,12 +641,11 @@ basis in the &smb.conf; file.
</para>
<para>
<programlisting><title>Example:</title>
<programlisting>
[global]
kernel oplocks = yes
The default is "no".
</programlisting>
The default is "no".
</para>
<para>
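Review bot: this sect3 is titled "Disabling Kernel OpLocks" but the example sets "kernel oplocks = yes"; either show "kernel oplocks = no" or retitle the section. Moving 'The default is "no".' out of the listing is the right fix, but cite smb.conf(5) so the stated default can be checked against the version being documented.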
@ -676,7 +677,7 @@ enabled on a per-share basis, or globally for the entire server, in the
interval for Samba to reply to an oplock break request. Samba
recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break Wait Time can only be
configured globally in the smb.conf file:
configured globally in the &smb.conf; file:
</para>
<para>
@ -722,7 +723,7 @@ operating system known as <emphasis>Opportunistic Locking</emphasis>. When a wor
attempts to access shared data files located on another Windows 2000/XP computer,
the Windows 2000/XP operating system will attempt to increase performance by locking the
files and caching information locally. When this occurs, the application is unable to
properly function, which results in an <emphasis>Access Denied</emphasis>
properly function, which results in an <errorname>Access Denied</errorname>
error message being displayed during network operations.
</para>
@ -939,8 +940,8 @@ our Knowledge Base.
<para>
In some sites locking problems surface as soon as a server is installed, in other sites
locking problems may not surface for a long time. Almost without exeception, when a locking
problem does surface it will cause embarassment and potential data corruption.
locking problems may not surface for a long time. Almost without exception, when a locking
problem does surface it will cause embarrassment and potential data corruption.
</para>
<para>
@ -979,6 +980,26 @@ so far:
</para></listitem>
</itemizedlist>
<sect2>
<title>locking.tdb error messages</title>
<para>
<screen>
> We are seeing lots of errors in the samba logs like:
>
> tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
> 0x4d6f4b61 at offset=36116
>
> What do these mean?
</screen>
</para>
<para>
Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.
</para>
</sect2>
</sect1>
<sect1>
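Review bot: the answer here (stop all smbd, delete locking.tdb, restart) and the Corrupt tdb Files section added to the performance chapter in this same commit give different procedures for the same symptom (that one recommends tdbbackup); cross-reference them so the two stay consistent. The quoted mail in <screen> with ">" prefixes would read better as a <quote>, as was done for the smbd memory question.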

@ -14,49 +14,54 @@
<pubdate>12 Jul 2000</pubdate>
</chapterinfo>
<title>Hosting a Microsoft Distributed File System tree on Samba</title>
<sect1>
<title>Features and Benefits</title>
<title>Instructions</title>
<para>
The Distributed File System (or DFS) provides a means of separating the logical
view of files and directories that users see from the actual physical locations
of these resources on the network. It allows for higher availability, smoother
storage expansion, load balancing etc.
</para>
<para>The Distributed File System (or Dfs) provides a means of
separating the logical view of files and directories that users
see from the actual physical locations of these resources on the
network. It allows for higher availability, smoother storage expansion,
load balancing etc. For more information about Dfs, refer to <ulink
url="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp">
Microsoft documentation</ulink>. </para>
<para>
For information about DFS, refer to
<ulink url="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp">
Microsoft documentation at http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp</ulink>.
</para>
<para>This document explains how to host a Dfs tree on a Unix
machine (for Dfs-aware clients to browse) using Samba.</para>
<para>
This document explains how to host a DFS tree on a Unix machine (for DFS-aware
clients to browse) using Samba.
</para>
<para>To enable SMB-based DFS for Samba, configure it with the
<parameter>--with-msdfs</parameter> option. Once built, a
Samba server can be made a Dfs server by setting the global
boolean <ulink url="smb.conf.5.html#HOSTMSDFS"><parameter>
host msdfs</parameter></ulink> parameter in the <filename>smb.conf
</filename> file. You designate a share as a Dfs root using the share
level boolean <ulink url="smb.conf.5.html#MSDFSROOT"><parameter>
msdfs root</parameter></ulink> parameter. A Dfs root directory on
Samba hosts Dfs links in the form of symbolic links that point
to other servers. For example, a symbolic link
<filename>junction-&gt;msdfs:storage1\share1</filename> in
the share directory acts as the Dfs junction. When Dfs-aware
clients attempt to access the junction link, they are redirected
to the storage location (in this case, \\storage1\share1).</para>
<para>
To enable SMB-based DFS for Samba, configure it with the <parameter>--with-msdfs</parameter>
option. Once built, a Samba server can be made a DFS server by setting the global
boolean <ulink url="smb.conf.5.html#HOSTMSDFS"><parameter> host msdfs</parameter></ulink>
parameter in the <filename>smb.conf </filename> file. You designate a share as a DFS
root using the share level boolean <ulink url="smb.conf.5.html#MSDFSROOT"><parameter>
msdfs root</parameter></ulink> parameter. A DFS root directory on Samba hosts DFS
links in the form of symbolic links that point to other servers. For example, a symbolic link
<filename>junction-&gt;msdfs:storage1\share1</filename> in the share directory acts
as the DFS junction. When DFS-aware clients attempt to access the junction link,
they are redirected to the storage location (in this case, \\storage1\share1).
</para>
<para>Dfs trees on Samba work with all Dfs-aware clients ranging
from Windows 95 to 2000.</para>
<para>
DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x.
</para>
<para>Here's an example of setting up a Dfs tree on a Samba
server.</para>
<para>
Here's an example of setting up a DFS tree on a Samba server.
</para>
<para><programlisting>
# The smb.conf file:
[global]
netbios name = SAMBA
netbios name = SMOKEY
host msdfs = yes
[dfs]
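Review bot: the rewritten paragraph leaves stray whitespace inside inline elements: `<parameter> host msdfs</parameter>` has a leading space and `<filename>smb.conf </filename>` a trailing one, so the rendered text reads "smb.conf file" with a doubled space and "host msdfs" with a leading gap. Make the element content exactly `host msdfs` and `smb.conf`, or use the `&smb.conf;` entity that other chapters in this commit have switched to.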
@ -68,29 +73,30 @@
<para>In the /export/dfsroot directory we set up our dfs links to
other servers on the network.</para>
<para><prompt>root# </prompt><userinput>cd /export/dfsroot</userinput></para>
<para><prompt>root# </prompt><userinput>chown root /export/dfsroot</userinput></para>
<para><prompt>root# </prompt><userinput>chmod 755 /export/dfsroot</userinput></para>
<para><prompt>root# </prompt><userinput>ln -s msdfs:storageA\\shareA linka</userinput></para>
<para><prompt>root# </prompt><userinput>ln -s msdfs:serverB\\share,serverC\\share linkb</userinput></para>
<screen>
&rootprompt;<userinput>cd /export/dfsroot</userinput>
&rootprompt;<userinput>chown root /export/dfsroot</userinput>
&rootprompt;<userinput>chmod 755 /export/dfsroot</userinput>
&rootprompt;<userinput>ln -s msdfs:storageA\\shareA linka</userinput>
&rootprompt;<userinput>ln -s msdfs:serverB\\share,serverC\\share linkb</userinput>
</screen>
<para>You should set up the permissions and ownership of
the directory acting as the Dfs root such that only designated
the directory acting as the DFS root such that only designated
users can create, delete or modify the msdfs links. Also note
that symlink names should be all lowercase. This limitation exists
to have Samba avoid trying all the case combinations to get at
the link name. Finally set up the symbolic links to point to the
network shares you want, and start Samba.</para>
<para>Users on Dfs-aware clients can now browse the Dfs tree
<para>Users on DFS-aware clients can now browse the DFS tree
on the Samba server at \\samba\dfs. Accessing
links linka or linkb (which appear as directories to the client)
takes users directly to the appropriate shares on the network.</para>
</sect1>
<sect2>
<title>Notes</title>
<sect1>
<title>Common Errors</title>
<itemizedlist>
<listitem><para>Windows clients need to be rebooted
if a previously mounted non-dfs share is made a dfs
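Review bot: the walkthrough is now internally inconsistent: `netbios name` in the example smb.conf was changed from SAMBA to SMOKEY in the previous hunk, but the closing paragraph here still tells users to browse the DFS tree at \\samba\dfs. Change the UNC path to match the new server name (or revert the rename) so the example can be followed as written. The `chown root` / `chmod 755` lines in the new `<screen>` block would also read better if the sentence explaining why ("only designated users can create, delete or modify the msdfs links") came before the commands rather than after them.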
@ -103,14 +109,11 @@
</listitem>
<listitem><para>For security purposes, the directory
acting as the root of the Dfs tree should have ownership
acting as the root of the DFS tree should have ownership
and permissions set so that only designated users can
modify the symbolic links in the directory.</para>
</listitem>
</itemizedlist>
</sect2>
</sect1>
</chapter>
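Review bot: promoting the trailing `<sect2>` to `<sect1>` is the right fix, since the old `<sect2>` sat outside any `<sect1>` and was invalid DocBook. The ownership/permissions listitem that survives under "Common Errors", however, now repeats the body paragraph almost verbatim ("ownership and permissions set so that only designated users can modify the symbolic links"). Either drop one copy or rewrite the listitem as a symptom (what a user sees when the DFS root is writable by others) so the two passages serve different purposes.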

@ -9,10 +9,6 @@
<bookinfo>
<authorgroup>
<author>
<othername>SAMBA Team</othername>
<affiliation><address><email>samba@samba.org</email></address></affiliation>
</author>
<editor>&person.jelmer;</editor>
<editor>&person.jht;</editor>
<editor>&person.jerry;</editor>
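Review bot: removing the `<author>` element leaves `<authorgroup>` with editors only and drops the only contact address (samba@samba.org) from the book metadata. If the intent is to credit the team collectively rather than as an individual author, `<corpauthor>SAMBA Team</corpauthor>` keeps the attribution and the `<affiliation>` with the address can stay with it.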
@ -28,7 +24,7 @@ The most recent version of this document can be found at
<ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
on the "Documentation" page. Please send updates to
<ulink url="mailto:jelmer@samba.org">Jelmer Vernooij</ulink>,
<ulink url="mailto:jht@samba.org">John H Terpstra</ulink> or
<ulink url="mailto:jht@samba.org">John H. Terpstra</ulink> or
<ulink url="mailto:jerry@samba.org">Gerald (Jerry) Carter</ulink>.
</para>
@ -38,7 +34,7 @@ or without their knowledge contributed to this update. The size and scope of thi
project would not have been possible without significant community contribution. A not
insignificant number of ideas for inclusion (if not content itself) has been obtained
from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
Please keep publishing your Unofficial HOWTO's - they are a source of inspiration and
Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
application knowledge that is most to be desired by many Samba users and administrators.
</para>
@ -50,6 +46,14 @@ version 2. A copy of the license is included with the Samba source
distribution. A copy can be found on-line at <ulink
url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt</ulink>
</para>
<formalpara>
<title>Attributions</title>
<para>
&attributions;
</para>
</formalpara>
</legalnotice>
</bookinfo>
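Review bot: `&attributions;` is a new entity reference whose declaration is not part of this hunk; confirm it is defined in the internal subset, otherwise the document will not parse. Note also that the entity is expanded inside `<para>`: if it resolves to block-level content such as a list of contributors, that is not valid inside a paragraph and the `<formalpara>` will need restructuring.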
@ -67,6 +71,7 @@ PLEASE read this.</para>
</partintro>
&IntroSMB;
&UNIX-INSTALL;
&FastStart;
</part>
<part id="type">
@ -84,6 +89,7 @@ section carefully.
&Samba-BDC-HOWTO;
&DOMAIN-MEMBER;
&StandAloneServer;
&ClientConfig;
</part>
<part id="optional">
@ -112,6 +118,15 @@ Samba has several features that you might want or might not want to use. The cha
&Samba-PAM;
&IntegratingWithWindows;
&unicode;
&Backup;
&HighAvailability;
</part>
<part id="migration">
<title>Migration and Updating</title>
&upgrading;
&NT4Migration;
&SWAT;
</part>
<part id="troubleshooting">
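Review bot: the new `<part id="migration">` ("Migration and Updating") takes `&SWAT;` out of the Appendixes, but SWAT is the web administration tool and has nothing to do with migrating or upgrading; leave it in the Appendixes or move it to the optional part. The other new entity references added in this hunk and the hunks above (`&Backup;`, `&HighAvailability;`, `&upgrading;`, `&ClientConfig;`, `&FastStart;`) have no declarations visible in the diff; make sure each one is defined before merging or the build breaks.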
@ -124,12 +139,13 @@ Samba has several features that you might want or might not want to use. The cha
<part id="Appendixes">
<title>Appendixes</title>
&Compiling;
&NT4Migration;
&Portability;
&Other-Clients;
&SWAT;
&SPEED;
&DNS-DHCP-Configuration;
&Further-Resources;
</part>
<index/>
</book>


@ -3,7 +3,7 @@
<chapterinfo>
&author.tridge;
&author.jht;
<pubdate>17 March 2003</pubdate>
<pubdate>May 26, 2003</pubdate>
</chapterinfo>
<title>Securing Samba</title>
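Review bot: the `<pubdate>` switches format from "17 March 2003" to "May 26, 2003", while the other chapters touched by this commit keep the day-month-year form ("25 October 2002", "27 June 2002"). Pick one style across the book.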
@ -16,9 +16,64 @@ important security fix. The information contained here applies to Samba
installations in general.
</para>
<para>
A new apprentice reported for duty to the Chief Engineer of a boiler house. He said, "Here I am,
if you will show me the boiler I'll start working on it." Then engineer replied, "You're leaning
on it!"
</para>
<para>
Security concerns are just like that: You need to know a little about the subject to appreciate
how obvious most of it really is. The challenge for most of us is to discover that first morsel
of knowledge with which we may unlock the secrets of the masters.
</para>
</sect1>
<sect1>
<title>Features and Benefits</title>
<para>
There are three level at which security principals must be observed in order to render a site
at least moderately secure. These are: the perimeter firewall, the configuration of the host
server that is running Samba, and Samba itself.
</para>
<para>
Samba permits a most flexible approach to network security. As far as possible Samba implements
the latest protocols to permit more secure MS Windows file and print operations.
</para>
<para>
Samba may be secured from connections that originate from outside the local network. This may be
done using <emphasis>host based protection</emphasis> (using samba's implementation of a technology
known as "tcpwrappers", or it may be done be using <emphasis>interface based exclusion</emphasis>
so that &smbd; will bind only to specifically permitted interfaces. It is also
possible to set specific share or resource based exclusions, eg: on the <parameter>IPC$</parameter>
auto-share. The <parameter>IPC$</parameter> share is used for browsing purposes as well as to establish
TCP/IP connections.
</para>
<para>
Another method by which Samba may be secured is by way of setting Access Control Entries in an Access
Control List on the shares themselves. This is discussed in the chapter on File, Directory and Share Access
Control.
</para>
</sect1>
<sect1>
<title>Technical Discussion of Protective Measures and Issues</title>
<para>
The key challenge of security is the fact that protective measures suffice at best
only to close the door on known exploits and breach techniques. Never assume that
because you have followed these few measures that the Samba server is now an impenetrable
fortress! Given the history of information systems so far, it is only a matter of time
before someone will find yet another vulnerability.
</para>
<sect2>
<title>Using host based protection</title>
<para>
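Review bot: several wording errors in the new Features and Benefits text need fixing before merge: "three level" should be "three levels", and "security principals" should be "security principles" (a "principal" is a term of art for an authenticated identity, which is not what this sentence means). The sentence beginning "This may be done using host based protection (using samba's implementation of a technology known as "tcpwrappers"" never closes its parenthesis, and "it may be done be using" should read "by using". Structurally, this hunk opens a new `<sect1>` ("Technical Discussion of Protective Measures and Issues") and demotes the following sections to `<sect2>`; the later hunks do convert the matching `</sect1>` tags, so the nesting balances, but that dependency is worth a sentence in the commit message.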
@ -30,8 +85,8 @@ especially vulnerable.
</para>
<para>
One of the simplest fixes in this case is to use the <command>hosts allow</command> and
<command>hosts deny</command> options in the Samba &smb.conf; configuration file to only
One of the simplest fixes in this case is to use the <parameter>hosts allow</parameter> and
<parameter>hosts deny</parameter> options in the Samba &smb.conf; configuration file to only
allow access to your server from a specific range of hosts. An example
might be:
</para>
@ -46,17 +101,17 @@ The above will only allow SMB connections from 'localhost' (your own
computer) and from the two private networks 192.168.2 and
192.168.3. All other connections will be refused as soon
as the client sends its first packet. The refusal will be marked as a
'not listening on called name' error.
<errorname>not listening on called name</errorname> error.
</para>
</sect1>
</sect2>
<sect1>
<sect2>
<title>User based protection</title>
<para>
If you want to restrict access to your server to valid users only then the following
method may be of use. In the smb.conf [globals] section put:
method may be of use. In the &smb.conf; <parameter>[globals]</parameter> section put:
</para>
<para><programlisting>
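Review bot: `<parameter>[globals]</parameter>` wraps the wrong section name: the smb.conf global section is `[global]`, and the listing that follows presumably shows that header. Since the line is being re-marked-up anyway, correct the name at the same time.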
@ -68,9 +123,9 @@ What this does is, it restricts all server access to either the user <emphasis>j
or to members of the system group <emphasis>smbusers</emphasis>.
</para>
</sect1>
</sect2>
<sect1>
<sect2>
<title>Using interface protection</title>
@ -106,9 +161,9 @@ the operating system has been told not to pass connections from that
interface to any samba process.
</para>
</sect1>
</sect2>
<sect1>
<sect2>
<title>Using a firewall</title>
<para>
@ -124,12 +179,12 @@ If you are setting up a firewall then you need to know what TCP and
UDP ports to allow and block. Samba uses the following:
</para>
<para><programlisting>
UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd
</programlisting></para>
<simplelist>
<member>UDP/137 - used by nmbd</member>
<member>UDP/138 - used by nmbd</member>
<member>TCP/139 - used by smbd</member>
<member>TCP/445 - used by smbd</member>
</simplelist>
<para>
The last one is important as many older firewall setups may not be
@ -137,9 +192,9 @@ aware of it, given that this port was only added to the protocol in
recent years.
</para>
</sect1>
</sect2>
<sect1>
<sect2>
<title>Using a IPC$ share deny</title>
<para>
@ -170,7 +225,7 @@ know a username/password for your host.
</para>
<para>
If you use this method then clients will be given a 'access denied'
If you use this method then clients will be given a <errorname>access denied</errorname>
reply when they try to access the IPC$ share. That means that those
clients will not be able to browse shares, and may also be unable to
access some other resources.
@ -181,17 +236,18 @@ This is not recommended unless you cannot use one of the other
methods listed above for some reason.
</para>
</sect1>
</sect2>
<sect1>
<sect2>
<title>NTLMv2 Security</title>
<para>
To configure NTLMv2 authentication the following registry keys are worth knowing about:
</para>
<!-- FIXME -->
<para>
<programlisting>
<screen>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000003
@ -205,8 +261,9 @@ To configure NTLMv2 authentication the following registry keys are worth knowing
0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
session security is not negotiated.
</programlisting>
</screen>
</para>
</sect2>
</sect1>
<sect1>
@ -221,4 +278,92 @@ is discovered.
</sect1>
<sect1>
<title>Common Errors</title>
<para>
If all of samba and host platform configuration were really as intuitive as one might like then this
section would not be necessary. Security issues are often vexing for a support person to resolve, not
because of the complexity of the problem, but for reason that most administrators who post what turns
out to be a security problem request are totally convinced that the problem is with Samba.
</para>
<sect2>
<title>Smbclient works on localhost, but the network is dead</title>
<para>
This is a very common problem. Red Hat Linux (as do others) will install a default firewall.
With the default firewall in place only traffic on the loopback adapter (IP address 127.0.0.1)
will be allowed through the firewall.
</para>
<para>
The solution is either to remove the firewall (stop it) or to modify the firewall script to
allow SMB networking traffic through. See section above in this chapter.
</para>
</sect2>
<sect2>
<title>Why can users access home directories of other users?</title>
<para>
<quote>
We are unable to keep individual users from mapping to any other user's
home directory once they have supplied a valid password! They only need
to enter their own password. I have not found *any* method that I can
use to configure samba to enforce that only a user may map their own
home directory.
</quote>
</para>
<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* else's home directory!
</quote></para>
<para>
This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
as they would if they were logged onto the UNIX box, except
that it only allows such views onto the file system as are
allowed by the defined shares.
</para>
<para>
This means that if your UNIX home directories are set up
such that one user can happily cd into another users
directory and do an ls, the UNIX security solution is to
change the UNIX file permissions on the users home directories
such that the cd and ls would be denied.
</para>
<para>
Samba tries very hard not to second guess the UNIX administrators
security policies, and trusts the UNIX admin to set
the policies and permissions he or she desires.
</para>
<para>
Samba does allow the setup you require when you have set the
<parameter>only user = yes</parameter> option on the share, is that you have not set the
valid users list for the share.
</para>
<para>
Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :
<programlisting>
users = %S
</programlisting>
this is equivalent to:
<programlisting>
valid users = %S
</programlisting>
to the definition of the <parameter>[homes]</parameter> share, as recommended in
the &smb.conf; man page.
</para>
</sect2>
</sect1>
</chapter>
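Review bot: the "Why can users access home directories of other users?" answer presents `users = %S` and `valid users = %S` as equivalent, but they are different parameters. `users` is a synonym of `username` (the list of names Samba tries against a password supplied without a username) and only restricts access in combination with `only user = yes`, whereas `valid users` is an access-control list on its own; the text should state that dependency or, better, show only the `valid users = %S` form that it says the &smb.conf; man page recommends. The sentence "Samba does allow the setup you require when you have set the only user = yes option on the share, is that you have not set the valid users list for the share" is garbled and needs rewriting. Smaller points in the same hunk: "If all of samba and host platform configuration were" is ungrammatical; "See section above in this chapter" in the firewall answer should be a `<link linkend="...">` to the firewall section; and the `*any*` / `*exactly*` asterisks should be `<emphasis>`.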


@ -12,6 +12,32 @@
<title>Unicode/Charsets</title>
<sect1>
<title>Features and Benefits</title>
<para>
Every industry eventually matures. One of the great areas of maturation is in
the focus that has been given over the past decade to make it possible for anyone
anywhere to use a computer. It has not always been that way, in fact, not so long
ago it was common for software to be written for exclusive use in the country of
origin.
</para>
<para>
Of all the effort that has been brought to bear on providing native language support
for all computer users, the efforts of the Openi18n organisation is deserving of
special mention. For more information about Openi18n please refer to:
<link url="http://www.openi18n.org/">http://www.openi18n.org/</link>.
</para>
<para>
Samba-2.x supported a single locale through a mechanism called
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly trans-global
file and printer sharing platform.
</para>
</sect1>
<sect1>
<title>What are charsets and unicode?</title>
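Review bot: `<link url="http://www.openi18n.org/">` is invalid DocBook; `<link>` takes `linkend` for internal cross-references, and an external URL needs `<ulink url="...">`, which is what the rest of this commit uses. In the same paragraph, "the efforts of the Openi18n organisation is deserving" should be "are deserving".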
@ -44,7 +70,7 @@ communicating.
</para>
<para>Old windows clients used to use single-byte charsets, named
'codepages' by microsoft. However, there is no support for
'codepages' by Microsoft. However, there is no support for
negotiating the charset to be used in the smb protocol. Thus, you
have to make sure you are using the same charset when talking to an old client.
Newer clients (Windows NT, 2K, XP) talk unicode over the wire.
@ -61,7 +87,7 @@ samba knows of three kinds of character sets:
<variablelist>
<varlistentry>
<term>unix charset</term>
<term><parameter>unix charset</parameter></term>
<listitem><para>
This is the charset used internally by your operating system.
The default is <constant>ASCII</constant>, which is fine for most
@ -70,14 +96,14 @@ samba knows of three kinds of character sets:
</varlistentry>
<varlistentry>
<term>display charset</term>
<term><parameter>display charset</parameter></term>
<listitem><para>This is the charset samba will use to print messages
on your screen. It should generally be the same as the <command>unix charset</command>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>dos charset</term>
<term><parameter>dos charset</parameter></term>
<listitem><para>This is the charset samba uses when communicating with
DOS and Windows 9x clients. It will talk unicode to all newer clients.
The default depends on the charsets you have installed on your system.
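Review bot: the `<term>` elements in this hunk are changed from plain text to `<parameter>`, but the sentence in the display charset entry ("It should generally be the same as the `<command>unix charset</command>`") still marks the same parameter up as `<command>`. Change it to `<parameter>` as well; `unix charset` is an smb.conf setting, not a command.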
@ -114,24 +140,24 @@ points of attention when setting it up:</para>
<itemizedlist>
<listitem><para>You should set <command>mangling method =
hash</command></para></listitem>
<listitem><para>You should set <parameter>mangling method =
hash</parameter></para></listitem>
<listitem><para>There are various iconv() implementations around and not
all of them work equally well. glibc2's iconv() has a critical problem
in CP932. libiconv-1.8 works with CP932 but still has some problems and
does not work with EUC-JP.</para></listitem>
<listitem><para>You should set <command>dos charset = CP932</command>, not
<listitem><para>You should set <parameter>dos charset = CP932</parameter>, not
Shift_JIS, SJIS...</para></listitem>
<listitem><para>Currently only <command>unix charset = CP932</command>
<listitem><para>Currently only <parameter>unix charset = CP932</parameter>
will work (but still has some problems...) because of iconv() issues.
<command>unix charset = EUC-JP</command> doesn't work well because of
<parameter>unix charset = EUC-JP</parameter> doesn't work well because of
iconv() issues.</para></listitem>
<listitem><para>Currently Samba 3.0 does not support <command>unix charset
= UTF8-MAC/CAP/HEX/JIS*</command></para></listitem>
<listitem><para>Currently Samba 3.0 does not support <parameter>unix charset
= UTF8-MAC/CAP/HEX/JIS*</parameter></para></listitem>
</itemizedlist>


@ -4,7 +4,7 @@
<pubdate>25 October 2002</pubdate>
</chapterinfo>
<title>Issues when upgrading from 2.2 to 3.0</title>
<title>Upgrading from Samba-2.x to Samba-3.0.0</title>
<sect1>
<title>Charsets</title>
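Review bot: the chapter title is widened to "Upgrading from Samba-2.x to Samba-3.0.0" and the next hunk adds a whole Password Backend section, but `<pubdate>25 October 2002</pubdate>` is left untouched. Update the date so readers can tell the chapter was revised for this release.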
@ -31,6 +31,34 @@ In 3.0, the following configuration options have been removed.
<member>use rhosts</member>
<member>postscript</member>
<member>client code page (replaced by dos charset)</member>
<member>vfs path</member>
<member>vfs options</member>
</simplelist>
</sect1>
<sect1>
<title>Password Backend</title>
<para>
Effective with the release of samba-3 it is now imperative that the password backend
be correctly defined in smb.conf.
</para>
<para>
Those migrating from samba-2.x with plaintext password support need the following:
<emphasis>passdb backend = guest</emphasis>.
</para>
<para>
Those migrating from samba-2.x with encrypted password support should add to smb.conf
<emphasis>passdb backend = smbpasswd, guest</emphasis>.
</para>
<para>
LDAP using Samba-2.x systems can continue to operate with the following entry
<emphasis>passdb backend = ldapsam_compat, guest</emphasis>.
</para>
</sect1>
</chapter>
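Review bot: the new Password Backend section writes the settings as `<emphasis>passdb backend = guest</emphasis>` and spells the file name as plain "smb.conf", while the rest of this commit is converting such references to `<parameter>` and `&smb.conf;`; use the same markup here. Capitalisation is also mixed ("samba-3", "samba-2.x" versus "Samba-2.x" two paragraphs later). Finally, "it is now imperative that the password backend be correctly defined" tells the reader nothing about the consequence; say what happens when the parameter is missing so the instruction is actionable.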


@ -6,11 +6,10 @@
<firstname>Tim</firstname><surname>Potter</surname>
<affiliation>
<orgname>Samba Team</orgname>
<address><email>tpot@linuxcare.com.au</email></address>
<address><email>tpot@samba.org</email></address>
</affiliation>
</author>
&author.tridge;
&author.jht;
<author>
<firstname>Naag</firstname><surname>Mummaneni</surname>
<affiliation>
@ -18,14 +17,15 @@
</affiliation>
</author>
&author.jelmer;
&author.jht;
</authorgroup>
<pubdate>27 June 2002</pubdate>
</chapterinfo>
<title>Unified Logons between Windows NT and UNIX using Winbind</title>
<title>Integrated Logon Support using Winbind</title>
<sect1>
<title>Abstract</title>
<title>Features and Benefits</title>
<para>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a "holy grail" in heterogeneous
@ -223,7 +223,9 @@
of that service should be tried and in what order. If the passwd
config line is:</para>
<para><command>passwd: files example</command></para>
<para><programlisting>
passwd: files example
</programlisting></para>
<para>then the C library will first load a module called
<filename>/lib/libnss_files.so</filename> followed by
@ -337,8 +339,8 @@ the winbind services which come with SAMBA 3.0.
<title>Introduction</title>
<para>
This HOWTO describes the procedures used to get winbind up and
running on my RedHat 7.1 system. Winbind is capable of providing access
This section describes the procedures used to get winbind up and
running on a RedHat 7.1 system. Winbind is capable of providing access
and authentication control for Windows Domain users through an NT
or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
well for SAMBA services.
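Review bot: the depersonalisation ("This HOWTO ... on my RedHat 7.1 system" to "This section ... on a RedHat 7.1 system") is applied here but not in the rest of the file: later hunks keep "I also found it necessary", "My /etc/nsswitch.conf file look like this", "I get the following response", "I have named my domain 'CEO'" and "My startup script". Either carry the change through or leave the first-person voice; the mixture reads as two authors. The unchanged context line "such as telnet a nd ftp" also has a typo ("and").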
@ -386,7 +388,7 @@ somewhat to fit the way your distribution works.
<title>Requirements</title>
<para>
If you have a samba configuration file that you are currently
If you have a Samba configuration file that you are currently
using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
<emphasis>back up the <filename>/etc/pam.d</filename> directory
contents!</emphasis> If you haven't already made a boot disk,
@ -394,7 +396,7 @@ contents!</emphasis> If you haven't already made a boot disk,
</para>
<para>
Messing with the pam configuration files can make it nearly impossible
Messing with the PAM configuration files can make it nearly impossible
to log in to your machine. That's why you want to be able to boot back
into your machine in single user mode and restore your
<filename>/etc/pam.d</filename> back to the original state they were in if
@ -428,17 +430,15 @@ install the development packages in <filename>pam-devel-0.74-22</filename>.
<para>
Before starting, it is probably best to kill off all the SAMBA
related daemons running on your server. Kill off all <command>smbd</command>,
<command>nmbd</command>, and <command>winbindd</command> processes that may
related daemons running on your server. Kill off all &smbd;,
&nmbd;, and &winbindd; processes that may
be running. To use PAM, you will want to make sure that you have the
standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename>
directory structure, including the pam modules are used by pam-aware
services, several pam libraries, and the <filename>/usr/doc</filename>
and <filename>/usr/man</filename> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
the header files needed to compile pam-aware applications. For instance,
my RedHat system has both <filename>pam-0.74-22</filename> and
<filename>pam-devel-0.74-22</filename> RPMs installed.
the header files needed to compile pam-aware applications.
</para>
<sect3>
@ -450,14 +450,14 @@ The first three steps may not be necessary depending upon
whether or not you have previously built the Samba binaries.
</para>
<para><programlisting>
<prompt>root#</prompt> <command>autoconf</command>
<prompt>root#</prompt> <command>make clean</command>
<prompt>root#</prompt> <command>rm config.cache</command>
<prompt>root#</prompt> <command>./configure</command>
<prompt>root#</prompt> <command>make</command>
<prompt>root#</prompt> <command>make install</command>
</programlisting></para>
<para><screen>
&rootprompt;<command>autoconf</command>
&rootprompt;<command>make clean</command>
&rootprompt;<command>rm config.cache</command>
&rootprompt;<command>./configure</command>
&rootprompt;<command>make</command>
&rootprompt;<command>make install</command>
</screen></para>
<para>
@ -473,12 +473,14 @@ It will also build the winbindd executable and libraries.
winbind libraries on Linux and Solaris</title>
<para>
The libraries needed to run the <command>winbindd</command> daemon
The libraries needed to run the &winbindd; daemon
through nsswitch need to be copied to their proper locations, so
</para>
<para>
<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command>
<screen>
&rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput>
</screen>
</para>
<para>
@ -486,19 +488,19 @@ I also found it necessary to make the following symbolic link:
</para>
<para>
<prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command>
&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
</para>
<para>And, in the case of Sun solaris:</para>
<para>
<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
</para>
<para>And, in the case of Sun Solaris:</para>
<screen>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
</screen>
<para>
Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
allow user and group entries to be visible from the <command>winbindd</command>
allow user and group entries to be visible from the &winbindd;
daemon. My <filename>/etc/nsswitch.conf</filename> file look like
this after editing:
</para>
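Review bot: the Linux symlink command (`ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2`) is converted to `&rootprompt; <userinput>` but left inside a bare `<para>`, with a stray space after the entity, while the Solaris commands immediately below get a proper `<screen>` block. Wrap it the same way for consistent rendering. "My /etc/nsswitch.conf file look like this" should also read "looks like this".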
@ -517,7 +519,7 @@ is faster (and you don't need to reboot) if you do it manually:
</para>
<para>
<prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command>
&rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput>
</para>
<para>
@ -566,11 +568,11 @@ url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/ia
<para>
Several parameters are needed in the smb.conf file to control
the behavior of <command>winbindd</command>. Configure
<filename>smb.conf</filename> These are described in more detail in
the behavior of &winbindd;. Configure
&smb.conf; These are described in more detail in
the <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> man page. My
<filename>smb.conf</filename> file was modified to
&smb.conf; file was modified to
include the following entries in the [global] section:
</para>
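Review bot: the run-on "Configure &smb.conf; These are described in more detail in the winbindd(8) man page" is carried over from the old text with the missing full stop intact. Since these lines are being rewritten anyway, either end the sentence after `&smb.conf;` or fold it into the previous one ("Several parameters are needed in &smb.conf; to control the behavior of &winbindd;; these are described ...").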
@ -580,9 +582,9 @@ include the following entries in the [global] section:
# separate domain and username with '+', like DOMAIN+username
<ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = +
# use uids from 10000 to 20000 for domain users
<ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000
<ulink url="winbindd.8.html#WINBINDUID">idmap uid</ulink> = 10000-20000
# use gids from 10000 to 20000 for domain groups
<ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000
<ulink url="winbindd.8.html#WINBINDGID">idmap gid</ulink> = 10000-20000
# allow enumeration of winbind users and groups
<ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes
<ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes
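Review bot: the link text is renamed from `winbind uid` / `winbind gid` to `idmap uid` / `idmap gid`, but the `<ulink>` targets still point at `winbindd.8.html#WINBINDUID` and `#WINBINDGID`, i.e. anchors derived from the old parameter names. Update the anchors to match the new names, otherwise the links will resolve to the old entries (or to nothing once those are dropped).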
@ -606,7 +608,7 @@ a domain user who has administrative privileges in the domain.
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command>
&rootprompt;<userinput>/usr/local/samba/bin/net join -S PDC -U Administrator</userinput>
</para>
@ -631,7 +633,7 @@ command as root:
</para>
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command>
&rootprompt;<userinput>/usr/local/samba/bin/winbindd</userinput>
</para>
<para>
@ -640,11 +642,11 @@ run as 2 processes. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query that the first has just responded.
Advantage of this is that responses stay accurate and are faster.
You can enable dual daemon mode by adding '-B' to the commandline:
You can enable dual daemon mode by adding <option>-B</option> to the commandline:
</para>
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd -B</command>
&rootprompt;<userinput>/usr/local/samba/bin/winbindd -B</userinput>
</para>
<para>
@ -653,14 +655,14 @@ is really running...
</para>
<para>
<prompt>root#</prompt> <command>ps -ae | grep winbindd</command>
&rootprompt;<userinput>ps -ae | grep winbindd</userinput>
</para>
<para>
This command should produce output like this, if the daemon is running
</para>
<para>
<screen>
3025 ? 00:00:00 winbindd
</para>
</screen>
<para>
Now... for the real test, try to get some information about the
@ -668,7 +670,7 @@ users on your PDC
</para>
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command>
&rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput>
</para>
<para>
@ -676,14 +678,14 @@ This should echo back a list of users on your Windows users on
your PDC. For example, I get the following response:
</para>
<para><programlisting>
<para><screen>
CEO+Administrator
CEO+burdell
CEO+Guest
CEO+jt-ad
CEO+krbtgt
CEO+TsInternetUser
</programlisting></para>
</screen></para>
<para>
Obviously, I have named my domain 'CEO' and my <parameter>winbind
@ -695,8 +697,8 @@ You can do the same sort of thing to get group information from
the PDC:
</para>
<para><programlisting>
<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command>
<para><screen>
&rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput>
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
@ -706,7 +708,7 @@ the PDC:
CEO+Schema Admins
CEO+Enterprise Admins
CEO+Group Policy Creator Owners
</programlisting></para>
</screen></para>
<para>
The function 'getent' can now be used to get unified
@ -715,7 +717,7 @@ Try the following command:
</para>
<para>
<prompt>root#</prompt> <command>getent passwd</command>
&rootprompt;<userinput>getent passwd</userinput>
</para>
<para>
@ -729,7 +731,7 @@ The same thing can be done for groups with the command
</para>
<para>
<prompt>root#</prompt> <command>getent group</command>
&rootprompt;<userinput>getent group</userinput>
</para>
</sect3>
@ -742,14 +744,13 @@ The same thing can be done for groups with the command
<title>Linux</title>
<para>
The <command>winbindd</command> daemon needs to start up after the
<command>smbd</command> and <command>nmbd</command> daemons are running.
The &winbindd; daemon needs to start up after the
&smbd; and &nmbd; daemons are running.
To accomplish this task, you need to modify the startup scripts of your system.
They are located at <filename>/etc/init.d/smb</filename> in RedHat and
<filename>/etc/init.d/samba</filename> in Debian.
script to add commands to invoke this daemon in the proper sequence. My
startup script starts up <command>smbd</command>,
<command>nmbd</command>, and <command>winbindd</command> from the
startup script starts up &smbd;, &nmbd;, and &winbindd; from the
<filename>/usr/local/samba/bin</filename> directory directly. The 'start'
function in the script looks like this:
</para>
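Review bot: The replacement sentence ("To accomplish this task, you need to modify the startup scripts of your system. They are located at ... Debian.") leaves the unchanged context line "script to add commands to invoke this daemon in the proper sequence. My" dangling as a fragment, since the clause it completed was deleted. Either fold it into the new sentence ("... in Debian; edit the script to add commands to invoke this daemon in the proper sequence.") or drop it.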
@ -822,9 +823,9 @@ stop() {
<sect4>
<title>Solaris</title>
<para>Winbind doesn't work on solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
<para>Winbind doesn't work on Solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
<para>On solaris, you need to modify the
<para>On Solaris, you need to modify the
<filename>/etc/init.d/samba.server</filename> startup script. It usually
only starts smbd and nmbd but should now start winbindd too. If you
have samba installed in <filename>/usr/local/samba/bin</filename>,
@ -898,8 +899,7 @@ in the script above with:
<sect4>
<title>Restarting</title>
<para>
If you restart the <command>smbd</command>, <command>nmbd</command>,
and <command>winbindd</command> daemons at this point, you
If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
should be able to connect to the samba server as a domain member just as
if you were a local user.
</para>
@ -924,7 +924,7 @@ by invoking the command
</para>
<para>
<prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command>
&rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput>
</para>
<para>
@ -936,7 +936,7 @@ modules reside in <filename>/usr/lib/security</filename>.
</para>
<para>
<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command>
&rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput>
</para>
<sect4>
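Review bot: The copy target in the rewritten command is /lib/security, while the hunk's context line says the modules reside in /usr/lib/security. Confirm the destination matches the platform this paragraph describes; a pam_winbind.so copied to a directory PAM does not search will simply never be loaded, and the login failure that follows is hard to diagnose from the PAM logs.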
@ -981,8 +981,8 @@ For ftp services to work properly, you will also need to either
have individual directories for the domain users already present on
the server, or change the home directory template to a general
directory for all domain users. These can be easily set using
the <filename>smb.conf</filename> global entry
<command>template homedir</command>.
the &smb.conf; global entry
<parameter>template homedir</parameter>.
</para>
<para>
@ -1022,8 +1022,8 @@ same way. It now looks like this:
</programlisting></para>
<para>
In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command>
lines as before, but also added the <command>required pam_securetty.so</command>
In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
above it, to disallow root logins over the network. I also added a
<command>sufficient /lib/security/pam_unix.so use_first_pass</command>
line after the <command>winbind.so</command> line to get rid of annoying
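Review bot: Replacing the inline <command> elements with <programlisting> on the two changed lines breaks the sentence: <programlisting> is a block element in DocBook, so "I added the ... lines as before, but also added the ... above it" will render as prose interrupted by two display blocks. The two <command> elements two lines further down in the same paragraph were left alone, so the markup is also inconsistent. Use <literal> (or keep <command>) for these inline PAM stanzas.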
@ -1124,7 +1124,19 @@ configured in the pam.conf.
</sect1>
<sect1>
<title>Limitations</title>
<title>Conclusion</title>
<para>The winbind system, through the use of the Name Service
Switch, Pluggable Authentication Modules, and appropriate
Microsoft RPC calls have allowed us to provide seamless
integration of Microsoft Windows NT domain users on a
UNIX system. The result is a great reduction in the administrative
cost of running a mixed UNIX and NT network.</para>
</sect1>
<sect1>
<title>Common Errors</title>
<para>Winbind has a number of limitations in its current
released version that we hope to overcome in future
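Review bot: Retitling the "Limitations" section to "Common Errors" does not change its body, which still opens with "Winbind has a number of limitations in its current released version that we hope to overcome in future". That paragraph describes limitations, not errors users run into, so either move it into the new "Conclusion" section (which this hunk inserts just above) or rewrite the opening so the section actually matches its new title.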
@ -1153,17 +1165,4 @@ configured in the pam.conf.
</itemizedlist>
</sect1>
<sect1>
<title>Conclusion</title>
<para>The winbind system, through the use of the Name Service
Switch, Pluggable Authentication Modules, and appropriate
Microsoft RPC calls have allowed us to provide seamless
integration of Microsoft Windows NT domain users on a
UNIX system. The result is a great reduction in the administrative
cost of running a mixed UNIX and NT network.</para>
</sect1>
</chapter>

View File

@ -1,4 +1,4 @@
<samba:parameter name="mangling stack"
<samba:parameter name="mangled stack"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">

View File

@ -1,4 +1,4 @@
<samba:parameter name="mangling prefix"
<samba:parameter name="mangle prefix"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">

View File

@ -24,17 +24,11 @@
</xsl:template>
<xsl:template match="//samba:parameter">
<xsl:message>
<xsl:text>Processing samba:parameter (</xsl:text>
<xsl:value-of select="@name"/>
<xsl:text>)</xsl:text>
</xsl:message>
<xsl:variable name="name"><xsl:value-of select="translate(translate(string(@name),' ',''),
'abcdefghijklmnopqrstuvwxyz','ABCDEFGHIJKLMNOPQRSTUVWXYZ')"/>
</xsl:variable>
<xsl:if test="contains(@context,$smb.context)">
<xsl:if test="contains(@context,$smb.context) or $smb.context='ALL'">
<xsl:element name="listitem">
<xsl:element name="para">
<xsl:element name="link">

View File

@ -1,8 +1,8 @@
#!/bin/sh
echo "<variablelist>"
find . -type f -name '*.xml' -mindepth 2 | sort -t/ -k3 |
while read ; do
echo "<xi:include href='$REPLY' parse='xml' xmlns:xi='http://www.w3.org/2001/XInclude'/>"
for I in `find . -type f -name '*.xml' -mindepth 2 | sort -t/ -k3 | xargs`
do
echo "<xi:include href='$I' parse='xml' xmlns:xi='http://www.w3.org/2001/XInclude'/>"
done
echo "</variablelist>"
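Review bot: The new `for I in \`find ... | xargs\`` loop is a regression from the `while read` form it replaces: command substitution word-splits on whitespace and is subject to glob expansion, so any path containing a space or shell metacharacter becomes several bogus xi:include entries, and the unquoted `$I` is then interpolated into an XML attribute. The original `find ... | sort | while read; do ... "$REPLY" ...; done` handled this correctly; if the goal was a simpler loop, keep `while read` (or use `-print0` with `xargs -0`). Also, `-mindepth 2` is a global option and should precede `-type`/`-name`, otherwise GNU find emits a warning.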

View File

@ -15,7 +15,7 @@
<para>The print command is simply a text string. It will be used
verbatim after macro substitutions have been made:</para>
<para>%s, %p - the path to the spool
<para>%s, %f - the path to the spool
file name</para>
<para>%p - the appropriate printer

View File

@ -5,7 +5,8 @@
<listitem>
<para>This option is used by the programs in the Samba
suite to determine what naming services to use and in what order
to resolve host names to IP addresses. The option takes a space
to resolve host names to IP addresses. Its main purpose to is to
control how netbios name resolution is performed. The option takes a space
separated string of name resolution options.</para>
<para>The options are: &quot;lmhosts&quot;, &quot;host&quot;,
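Review bot: Typo in the added sentence: "Its main purpose to is to control" should read "Its main purpose is to control". Consider also "NetBIOS" for consistency with the rest of this parameter description.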
@ -16,7 +17,8 @@
<listitem>
<para><constant>lmhosts</constant> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
no name type attached to the NetBIOS name (see the <ulink
url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
any name type matches for lookup.</para>
</listitem>
@ -26,9 +28,10 @@
</filename>, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename>
file. Note that this method is only used if the NetBIOS name
type being queried is the 0x20 (server) name type, otherwise
it is ignored.</para>
file. Note that this method is used only if the NetBIOS name
type being queried is the 0x20 (server) name type or 0x1c (domain controllers).
The latter case is only useful for active directory domains and results in a DNS
query for the SRV RR entry matching _ldap._tcp.domain.</para>
</listitem>
<listitem>
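Review bot: The rewritten sentence now mentions the 0x1c (domain controller) name type and a DNS SRV lookup for _ldap._tcp.domain, which is the right place to also fix the context line just above it: "operating system depended" should be "operating system dependent". The new wording "is used only if" is fine; "active directory" should be capitalised as "Active Directory" to match the other parameter descriptions in this patch.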
@ -54,5 +57,14 @@
<para>This will cause the local lmhosts file to be examined
first, followed by a broadcast attempt, followed by a normal
system hostname lookup.</para>
<para>When Samba is functioning in ADS security mode (<command moreinfo="none">security = ads</command>)
it is advised to use following settings for <parameter moreinfo="none">name resolve order</parameter>:</para>
<para><command moreinfo="none">name resolve order = wins bcast</command></para>
<para>DC lookups will still be done via DNS, but fallbacks to netbios names will
not inundate your DNS servers with needless querys for DOMAIN&lt;0x1c&gt; lookups.</para>
</listitem>
</samba:parameter>
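Review bot: Grammar in the added paragraph: "it is advised to use following settings" needs "the" ("the following settings"), "querys" should be "queries", and "fallbacks to netbios names" reads better as "fallback to NetBIOS names". Since the recommended value `name resolve order = wins bcast` drops both `lmhosts` and `host`, it would help the reader to state explicitly that DC lookups still go through DNS only because of the SRV lookup described earlier in this entry, not through the `host` method.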

View File

@ -5,7 +5,7 @@
<listitem>
<para> This variable controls controls whether samba will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism.
WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
Unless further issues are discovered with our SPNEGO
implementation, there is no reason this should ever be
disabled.</para>
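Review bot: While touching this paragraph, fix the duplicated word in the context line "This variable controls controls whether samba will try"; "NEGOciation" is presumably intentional as an expansion of SPNEGO, but "rfc2478" should be "RFC 2478" and "WindowsXP and Windows2000" should be "Windows XP and Windows 2000" to match the rest of the documentation.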

View File

@ -6,14 +6,24 @@
<para>This option allows the administrator to chose what
authentication methods <command moreinfo="none">smbd</command> will use when authenticating
a user. This option defaults to sensible values based on <link linkend="SECURITY">
<parameter moreinfo="none">security</parameter></link>.</para>
<parameter moreinfo="none">security</parameter></link>. This should be considered
a developer option and used only in rare circumstances. In the majority (if not all)
of production servers, the default setting should be adequate.</para>
<para>Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
</para>
<para>Possible options include <constant>guest</constant> (anonymous access),
<constant>sam</constant> (lookups in local list of accounts based on netbios
name or domain name), <constant>winbind</constant> (relay authentication requests
for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd
method of authentication for remote domain users; deprecated in favour of winbind method),
<constant>trustdomain</constant> (authenticate trusted users by contacting the
remote DC directly from smbd; deprecated in favour of winbind method).</para>
<para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
<para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
<para>Example: <command moreinfo="none">auth methods = guest sam winbind</command></para>
</listitem>
</samba:parameter>
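Review bot: Good to replace the deprecated `ntdomain` in the example with `winbind` and to flag the whole option as developer-only; the description of `trustdomain` ("contacting the remote DC directly from smbd") makes clear why the winbind path is preferred. Fix "chose" to "choose" in the context line "allows the administrator to chose what". The added sentence "In practice only one method will ever actually be able to complete the authentication" could state that the first method that succeeds wins, which is what "in turn, until the user authenticates" implies.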

View File

@ -9,6 +9,22 @@
password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
<para>The LANMAN encrypted response is easily broken, due to it's
case-insensitive nature, and the choice of algorithm. Servers
without Windows 95/98 or MS DOS clients are advised to disable
this option. </para>
<para>Unlike the <command moreinfo="none">encypt
passwords</command> option, this parameter cannot alter client
behaviour, and the LANMAN response will still be sent over the
network. See the <command moreinfo="none">client lanman
auth</command> to disable this for Samba's clients (such as smbclient)</para>
<para>If this option, and <command moreinfo="none">ntlm
auth</command> are both disabled, then only NTLMv2 logins will be
permited. Not all clients support NTLMv2, and most will require
special configuration to us it.</para>
<para>Default : <command moreinfo="none">lanman auth = yes</command></para>
</listitem>
</samba:parameter>
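Review bot: The new text advises servers without Windows 95/98 or MS-DOS clients to disable LANMAN authentication, but the Default line still reads `lanman auth = yes`; say explicitly that admins must set `lanman auth = no` to get this, otherwise the advice reads as if it were already the default. Typos in the added paragraphs: "due to it's case-insensitive nature" should be "its", "encypt passwords" should be "encrypt passwords", "permited" should be "permitted", "special configuration to us it" should be "use it", and the sentence ending "(such as smbclient)" is missing its full stop. The `client lanman auth` reference would be clearer as a <link> to that parameter, as is done for `security` elsewhere in this patch.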

View File

@ -4,11 +4,15 @@
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
If disabled, only the lanman password hashes will be used.</para>
<manvolnum>8</manvolnum></citerefentry> will attempt to
authenticate users using the NTLM encrypted password response.
If disabled, either the lanman password hash or an NTLMv2 response
will need to be sent by the client.</para>
<para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
be enabled in order to be able to log in.</para>
<para>If this option, and <command moreinfo="none">lanman
auth</command> are both disabled, then only NTLMv2 logins will be
permited. Not all clients support NTLMv2, and most will require
special configuration to us it.</para>
<para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
</listitem>
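Review bot: The same typos as in the `lanman auth` entry are repeated here: "permited" should be "permitted" and "special configuration to us it" should be "use it". The replacement text drops the old sentence that at least one of `ntlm auth` or `lanman auth` must be enabled to log in, and the new NTLMv2-only statement covers that case, so the change is consistent; keeping the two entries word-for-word identical will make it easier to keep them in sync later.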

View File

@ -23,15 +23,6 @@
</para>
</listitem>
<listitem>
<para><command moreinfo="none">smbpasswd_nua</command> - The smbpasswd
backend, but with support for 'not unix accounts'.
Takes a path to the smbpasswd file as an optional argument.</para>
<para>See also <link linkend="NONUNIXACCOUNTRANGE">
<parameter moreinfo="none">non unix account range</parameter></link></para>
</listitem>
<listitem>
<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
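Review bot: Removing the `smbpasswd_nua` entry (and the `tdbsam_nua`/`ldapsam_nua` entries in the next hunk) deletes the only references shown here to `<link linkend="NONUNIXACCOUNTRANGE">`; check that the `non unix account range` parameter document and any other cross-references to it are removed or updated in the same commit, or the DocBook build will fail on a dangling linkend.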
@ -39,32 +30,10 @@
<parameter moreinfo="none">private dir</parameter></link> directory.</para>
</listitem>
<listitem>
<para><command moreinfo="none">tdbsam_nua</command> - The TDB based password storage
backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
in the <link linkend="PRIVATEDIR">
<parameter moreinfo="none">private dir</parameter></link> directory.</para>
<para>See also <link linkend="NONUNIXACCOUNTRANGE">
<parameter moreinfo="none">non unix account range</parameter></link></para>
</listitem>
<listitem>
<para><command moreinfo="none">ldapsam</command> - The LDAP based passdb
backend. Takes an LDAP URL as an optional argument (defaults to
<command moreinfo="none">ldap://localhost</command>)</para>
</listitem>
<listitem>
<para><command moreinfo="none">ldapsam_nua</command> - The LDAP based passdb
backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
<command moreinfo="none">ldap://localhost</command>)</para>
<para>Note: In this module, any account without a matching POSIX account is regarded
as 'non unix'. </para>
<para>See also <link linkend="NONUNIXACCOUNTRANGE">
<parameter moreinfo="none">non unix account range</parameter></link></para>
<para>LDAP connections should be secured where possible. This may be done using either
Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
@ -79,15 +48,29 @@
</para>
</listitem>
<listitem>
<para><command moreinfo="none">mysql</command> -
The MySQL based passdb backend. Takes an identifier as
argument. Read the Samba HOWTO Collection for configuration
details.
</para></listitem>
<listitem>
<para><command moreinfo="none">guest</command> -
Very simple backend that only provides one user: the guest user.
Only maps the NT guest user to the <parameter>guest account</parameter>.
Required in pretty much all situations.
</para></listitem>
</itemizedlist>
</para>
<para>Default: <command moreinfo="none">passdb backend = smbpasswd unixsam</command></para>
<para>Default: <command moreinfo="none">passdb backend = smbpasswd</command></para>
<para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</command></para>
<para>Example: <command moreinfo="none">passdb backend = ldapsam_nua:ldaps://ldap.example.com guest</command></para>
<para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com guest</command></para>
<para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para>
<para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</command></para>
</listitem>
</samba:parameter>
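Review bot: The new `guest` backend is described as "Required in pretty much all situations", yet the new default `passdb backend = smbpasswd` does not list it while every example does. Either state that `guest` is added implicitly when omitted, or include it in the Default line; as written an administrator cannot tell whether a bare `smbpasswd` configuration still maps the NT guest user. The `mysql` entry says it "Takes an identifier as argument" but the example passes `mysql:my_plugin_args`; a short note on what the identifier refers to (or a pointer to the HOWTO section by name) would help.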

View File

@ -3,18 +3,22 @@
advanced="1" wizard="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>By specifying the name of another SMB server (such
as a WinNT box) with this option, and using <command moreinfo="none">security = domain
</command> or <command moreinfo="none">security = server</command> you can get Samba
to do all its username/password validation via a remote server.</para>
<para>By specifying the name of another SMB server
or Active Directory domain controller with this option,
and using <command moreinfo="none">security = [ads|domain|server]</command>
it is possible to get Samba to
to do all its username/password validation using a specific remote server.</para>
<para>This option sets the name of the password server to use.
It must be a NetBIOS name, so if the machine's NetBIOS name is
different from its Internet name then you may have to add its NetBIOS
name to the lmhosts file which is stored in the same directory
as the <filename moreinfo="none">smb.conf</filename> file.</para>
<para>This option sets the name or IP address of the password server to use.
New syntax has been added to support defining the port to use when connecting
to the server the case of an ADS realm. To define a port other than the
default LDAP port of 389, add the port number using a colon after the
name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
Samba will use the standard LDAP port of tcp/389. Note that port numbers
have no effect on password servers for Windows NT 4.0 domains or netbios
connections.</para>
<para>The name of the password server is looked up using the
<para>If parameter is a name, it is looked up using the
parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
resolve order</parameter></link> and so may resolved
by any method and order described in that parameter.</para>
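Review bot: Wording in the added paragraphs: "it is possible to get Samba to to do all" has a doubled "to"; "when connecting to the server the case of an ADS realm" should be "in the case of an ADS realm"; "If parameter is a name" should be "If the parameter is a name"; and the context line "and so may resolved" should be "and so may be resolved". Since this change removes the old statement that the value "must be a NetBIOS name" and now allows IP addresses and `host:port`, it would be worth saying how a bare IP address interacts with the `name resolve order` paragraph that follows (i.e. that no lookup is performed for it).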
@ -38,7 +42,7 @@
trust your clients, and you had better restrict them with hosts allow!</para>
<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
<constant>domain</constant>, then the list of machines in this
<constant>domain</constant> or <constant>ads</constant>, then the list of machines in this
option must be a list of Primary or Backup Domain controllers for the
Domain or the character '*', as the Samba server is effectively
in that domain, and will use cryptographically authenticated RPC calls
@ -55,7 +59,7 @@
and then contacting each server returned in the list of IP
addresses from the name resolution source. </para>
<para>If the list of servers contains both names and the '*'
<para>If the list of servers contains both names/IP's and the '*'
character, the list is treated as a list of preferred
domain controllers, but an auto lookup of all remaining DC's
will be added to the list as well. Samba will not attempt to optimize
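Review bot: "names/IP's" should be "names/IP addresses" (no apostrophe); the same applies to "DC's" in the unchanged context line, which should be "DCs".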
@ -93,6 +97,8 @@
<para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
<para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para>
<para>Example: <command moreinfo="none">password server = *</command></para>
</listitem>
</samba:parameter>

View File

@ -14,13 +14,22 @@
Windows 2000/XP and Samba, no anonymous connections are allowed at
all. This can break third party and Microsoft
applications which expect to be allowed to perform
operations anonymously.
operations anonymously.</para>
<para>
The security advantage of using restrict anonymous = 1 is dubious,
as user and group list information can be obtained using other
means.
</para>
<note>
<para>
The security advantage of using restrict anonymous = 2 is removed
by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
ok</parameter> = yes</link> on any share.
</para>
</note>
<para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>
</listitem>
</samba:parameter>
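Review bot: The two new paragraphs are the useful part of this entry, since they tell the reader when the setting does not buy anything: `= 1` because the user and group lists leak anyway, and `= 2` because any `guest ok = yes` share reopens anonymous access. "can be obtained using other means" is vague; name the means (or point at the relevant chapter) so the claim can be checked. Also use the same `<command moreinfo="none">restrict anonymous = 1</command>` markup as the Default line instead of plain text.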

View File

@ -212,10 +212,9 @@
does not support them. However note that if encrypted passwords have been
negotiated then Samba cannot revert back to checking the UNIX password file,
it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
users against. See the documentation file in the <filename moreinfo="none">docs/</filename> directory
<filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this up.</para>
users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
<para><emphasis>Note</emphasis> this mode of operation has
<note><para>This mode of operation has
significant pitfalls, due to the fact that is activly initiates a
man-in-the-middle attack on the remote SMB server. In particular,
this mode of operation can cause significant resource consuption on
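Review bot: Wrapping this paragraph in `<note>` is appropriate given what it says, but fix the spelling in its context lines while here: "activly" should be "actively" and "resource consuption" should be "resource consumption". Since the note now describes `security = server` as initiating a man-in-the-middle-style connection to the remote SMB server, it would be clearer to state directly that the `security = domain` or `security = ads` modes described later are the recommended alternatives.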
@ -223,13 +222,13 @@
of the user's session. Furthermore, if this connection is lost,
there is no way to reestablish it, and futher authenticaions to the
Samba server may fail. (From a single client, till it disconnects).
</para>
</para></note>
<para><emphasis>Note</emphasis> that from the client's point of
<note><para>From the client's point of
view <command moreinfo="none">security = server</command> is the
same as <command moreinfo="none">security = user</command>. It
only affects how the server deals with the authentication, it does
not in any way affect what the client sees.</para>
not in any way affect what the client sees.</para></note>
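Review bot: In the context lines of this hunk, "futher authenticaions" should be "further authentications", and "(From a single client, till it disconnects)" reads better as "(from that client, until it disconnects)". Converting the second "Note that from the client's point of view" paragraph to `<note>` matches the first hunk, good.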
<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
@ -247,6 +246,23 @@
server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
<parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
<para>In this mode, Samba will act as a domain member in an ADS realm. To operate
in this mode, the machine running Samba will need to have Kerberos installed
and configured and Samba will need to be joined to the ADS realm using the
net utility. </para>
<para>Note that this mode does NOT make Samba operate as a Active Directory Domain
Controller. </para>
<para>Read the chapter about Domain Membership in the HOWTO for details.</para>
<para>See also the <link linkend="ADSSERVER"><parameter moreinfo="none">ads server
</parameter></link> parameter, the <link linkend="REALM"><parameter moreinfo="none">realm
</parameter></link> paramter and the <link linkend="ENCRYPTPASSWORDS">
<parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
<para>Default: <command moreinfo="none">security = USER</command></para>
<para>Example: <command moreinfo="none">security = DOMAIN</command></para>
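Review bot: Typos in the new SECURITY = ADS section: "a Active Directory Domain Controller" should be "an Active Directory Domain Controller" and "paramter" should be "parameter". The statement that the machine must have Kerberos installed and be joined with the `net` utility could name the command form used elsewhere in the HOWTO (`net ads join`) so readers land on the right chapter; as it stands "the net utility" is the only pointer.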

View File

@ -1,12 +1,12 @@
<samba:parameter name="vfs object"
context="S"
hide="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter specifies a shared object files that
are used for Samba VFS I/O operations. By default, normal
disk I/O operations are used but these can be overloaded
with one or more VFS objects. </para>
<para>Default: <emphasis>no value</emphasis></para>
<para>Synonym for
<link linkend="VFSOBJECTS">
<parameter moreinfo="none">vfs objects</parameter>
</link>.
</para>
</listitem>
</samba:parameter>

View File

@ -3,6 +3,8 @@
advanced="1" developer="1" hide="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter is now an alias for <command moreinfo="none">idmap gid</command></para>
<para>The winbind gid parameter specifies the range of group
ids that are allocated by the <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> daemon. This range of group ids should have no

View File

@ -3,11 +3,12 @@
advanced="1" developer="1" hide="1"
xmlns:samba="http://samba.org/common">
<listitem>
<para>The winbind gid parameter specifies the range of group
ids that are allocated by the <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> daemon. This range of ids should have no
existing local or NIS users within it as strange conflicts can
occur otherwise.</para>
<para>This parameter is now an alias for <command moreinfo="none">idmap uid</command></para>
<para>The winbind gid parameter specifies the range of user ids that are allocated by the
<citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
daemon. This range of ids should have no existing local or NIS users within it as strange
conflicts can occur otherwise.</para>
<para>Default: <command moreinfo="none">winbind uid = &lt;empty string&gt;</command></para>
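Review bot: Copy-and-paste error in the rewritten paragraph: this is the `winbind uid` entry (it is declared an alias for `idmap uid` and its Default line reads `winbind uid = ...`), but the description still says "The winbind gid parameter specifies the range of user ids". Change "winbind gid" to "winbind uid".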

View File

@ -1,4 +1,4 @@
<samba:parameter name="winbind used default domain"
<samba:parameter name="winbind use default domain"
context="G"
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">

View File

@ -1,4 +1,4 @@
<samba:parameter name="wins partner"
<samba:parameter name="wins partners"
context="G"
advanced="1" wizard="1" developer="1"
xmlns:samba="http://samba.org/common">

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: VERSION.xml,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -17,7 +15,6 @@
<xsl:otherwise><xsl:value-of select="$RCSTAG" /></xsl:otherwise>
</xsl:choose>
</xsl:variable>
<xsl:variable name="CVSVERSION">$Id: VERSION.xml,v 1.1 2003/04/30 21:39:49 ab Exp $</xsl:variable>
</xsl:stylesheet>
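Review bot: Deleting the `CVSVERSION` variable is fine for dropping the `$Id$` keyword, but an unresolved `$CVSVERSION` reference in any template that still uses it is an XSLT compile-time error, so check the other stylesheets in this directory (the remaining hunks in this patch only remove `$Id$` comment lines and `<releaseinfo>` text, not variable references).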

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: abstract.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -18,7 +16,6 @@
<doc:reference id="abstract" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: abstract.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author><firstname>Ramon</firstname> <surname>Casellas</surname></author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: admonition.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE: Admonition templates.
+ ############################################################################## -->
@ -17,7 +15,6 @@
<doc:reference name="admonition" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: admonition.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author><firstname>Ramon</firstname> <surname>Casellas</surname></author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: authorgroup.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE: Manage Authorgroups
+ ############################################################################## -->
@ -19,7 +17,6 @@
<doc:reference id="authorgroup" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: authorgroup.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author><firstname>Ramon</firstname> <surname>Casellas</surname></author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: biblio.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE: Manage Bibliography.
+ ############################################################################## -->
@ -19,7 +17,6 @@
<doc:reference id="biblio" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: biblio.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: block.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -18,7 +16,6 @@
<doc:reference id="block" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: block.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author><firstname>Ramon</firstname> <surname>Casellas</surname></author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: book-article.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
| This template matches a book / article
@ -20,7 +18,6 @@
<doc:reference id="book-article" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: book-article.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>
@ -467,9 +464,7 @@
<!--#############################################################################
| $Id: book-article.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE: Table of Contents, Figures, ...
+ ############################################################################## -->

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: bridgehead.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -17,7 +15,6 @@
<doc:reference id="bridgehead" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: bridgehead.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author><firstname>Ramon</firstname> <surname>Casellas</surname></author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: callout.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -17,7 +15,6 @@
<doc:reference id="callout" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: callout.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>

View File

@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: citation.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -18,7 +16,6 @@
<doc:reference id="citation" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: citation.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>

View File

@ -5,7 +5,6 @@
version='1.0'>
<!-- ********************************************************************
$Id: common.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
********************************************************************
Derived from the official DocBook XSL Stylesheets
@ -17,7 +16,6 @@
<doc:reference xmlns="">
<referenceinfo>
<releaseinfo role="meta"> $Id: common.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $ </releaseinfo>
<author>
<surname>Ramon</surname>
<firstname>Casellas</firstname>


@ -3,7 +3,6 @@
version='1.0'>
<!-- ********************************************************************
$Id: l10n.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
********************************************************************
Derived from the official XSL DocBook Stylesheet distribution.


@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: component.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -19,7 +17,6 @@
<doc:reference id="component" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: component.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>


@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: dedication.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -19,7 +17,6 @@
<doc:reference id="dedication" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: dedication.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>


@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: dingbat.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
|
@ -20,7 +18,6 @@
<doc:reference id="dingbat" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: dingbat.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>


@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: docbook.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
| This is the "parent" stylesheet. The used "modules" are included here.
@ -103,9 +101,6 @@
<xsl:message> XSLT stylesheets DocBook - LaTeX 2e </xsl:message>
<xsl:message> Reqs: LaTeX 2e installation common packages </xsl:message>
<xsl:message>################################################################################</xsl:message>
<xsl:message> RELEASE : <xsl:value-of select="$VERSION"/> </xsl:message>
<xsl:message> VERSION : <xsl:value-of select="$CVSVERSION"/> </xsl:message>
<xsl:message> TAG : <xsl:value-of select="$TAG"/> </xsl:message>
<xsl:message> WWW : http://db2latex.sourceforge.net </xsl:message>
<xsl:message> SUMMARY : http://www.sourceforge.net/projects/db2latex </xsl:message>
<xsl:message> AUTHOR : Ramon Casellas casellas@infres.enst.fr </xsl:message>
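Review bot: this banner hunk shrinks 9 lines to 6, and the only version-keyword lines among them are the RELEASE, VERSION and TAG messages, which print `$VERSION`, `$CVSVERSION` and `$TAG`. Check that the matching `xsl:param` or `xsl:variable` declarations (not in this diff) are treated consistently: deleting them while any other reference survives is a stylesheet compile error, and keeping `$VERSION` while deleting its message silently removes the only place the release number is reported to the user. `$VERSION` is not a CVS keyword, so consider keeping the RELEASE line.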


@ -1,8 +1,6 @@
<?xml version='1.0'?>
<!--#############################################################################
| $Id: email.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
|- #############################################################################
| $Author: ab $
|
| PURPOSE:
+ ############################################################################## -->
@ -18,7 +16,6 @@
<doc:reference id="email" xmlns="">
<referenceinfo>
<releaseinfo role="meta">
$Id: email.mod.xsl,v 1.1 2003/04/30 21:39:49 ab Exp $
</releaseinfo>
<authorgroup>
<author> <firstname>Ramon</firstname> <surname>Casellas</surname> </author>
