mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00

mega-merge from 2.2

(This used to be commit c76bf8ed32)
This commit is contained in:
Gerald Carter
2001-10-10 17:19:10 +00:00
parent 1347bd6057
commit 55abd936a8
94 changed files with 10399 additions and 4218 deletions

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="CVS-ACCESS"
>HOWTO Access Samba source code via CVS</A
></H1
><HR></DIV
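Review bot: renaming the title anchor from AEN1 to the stable id CVS-ACCESS is welcome, but any existing links that point at #AEN1 in this document will stop resolving; the same anchor rename is repeated in the other HOWTO files in this commit, so check inbound links once for all of them.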
@ -32,10 +32,10 @@ NAME="AEN3"
>Introduction</A
></H1
><P
>Samba is developed in an open environnment. Developers use CVS
>Samba is developed in an open environment. Developers use CVS
(Concurrent Versioning System) to "checkin" (also known as
"commit") new source code. Samba's various CVS branches can
be accessed via anonymouns CVS using the instructions
be accessed via anonymous CVS using the instructions
detailed in this chapter.</P
><P
>This document is a modified version of the instructions found at
@ -91,7 +91,7 @@ NAME="AEN16"
>You can also access the source code via a
normal cvs client. This gives you much more control over you can
do with the repository and allows you to checkout whole source trees
and keep them uptodate via normal cvs commands. This is the
and keep them up to date via normal cvs commands. This is the
preferred method of access if you are a developer and not
just a casual browser.</P
><P
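Review bot: the unchanged context line "This gives you much more control over you can do with the repository" is missing a word; since this hunk already fixes "uptodate" in the same paragraph, also change it to "control over what you can do with the repository".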

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="DOMAIN-SECURITY"
>security = domain in Samba 2.x</A
></H1
><HR></DIV

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="PWENCRYPT"
>LanMan and NT Password Encryption in Samba 2.x</A
></H1
><HR></DIV
@ -118,7 +118,7 @@ NAME="AEN18"
><P
>The unix and SMB password encryption techniques seem similar
on the surface. This similarity is, however, only skin deep. The unix
scheme typically sends clear text passwords over the nextwork when
scheme typically sends clear text passwords over the network when
logging in. This is bad. The SMB encryption scheme never sends the
cleartext password over the network but it does store the 16 byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed
@ -196,7 +196,7 @@ CLASS="EMPHASIS"
Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling
clear text authentication does not disable the ability
of the client to particpate in encrypted authentication.</P
of the client to participate in encrypted authentication.</P
></TD
></TR
></TABLE

File diff suppressed because it is too large

View File

@ -1,7 +1,7 @@
<HTML
><HEAD
><TITLE
>UNIX Permission Bits and WIndows NT Access Control Lists</TITLE
>UNIX Permission Bits and Windows NT Access Control Lists</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
@ -19,8 +19,8 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
>UNIX Permission Bits and WIndows NT Access Control Lists</A
NAME="UNIX-PERMISSIONS"
>UNIX Permission Bits and Windows NT Access Control Lists</A
></H1
><HR></DIV
><DIV
@ -153,7 +153,7 @@ CLASS="REPLACEABLE"
>(Long name)</I
></TT
>
is the discriptive string identifying the user (normally found in the
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database). Click on the <B
CLASS="COMMAND"
>Close
@ -182,7 +182,7 @@ CLASS="COMMAND"
you to change the ownership of this file to yourself (clicking on
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
for this is that changing the ownership of a file is a privilaged
for this is that changing the ownership of a file is a privileged
operation in UNIX, available only to the <I
CLASS="EMPHASIS"
>root</I
@ -192,7 +192,7 @@ CLASS="EMPHASIS"
client this will not work with Samba at this time.</P
><P
>There is an NT chown command that will work with Samba
and allow a user with Administrator privillage connected
and allow a user with Administrator privilege connected
to a Samba 2.0.4 server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <I
@ -242,7 +242,7 @@ CLASS="REPLACEABLE"
>(Long name)</I
></TT
>
is the discriptive string identifying the user (normally found in the
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database).</P
><P
>If the parameter <TT
@ -274,7 +274,7 @@ NAME="AEN58"
></H2
><P
>The standard UNIX user/group/world triple and
the correspinding "read", "write", "execute" permissions
the corresponding "read", "write", "execute" permissions
triples are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
@ -400,7 +400,7 @@ CLASS="COMMAND"
button will not return a list of users in Samba 2.0.4 (it will give
an error message of <B
CLASS="COMMAND"
>"The remote proceedure call failed
>"The remote procedure call failed
and did not execute"</B
>). This means that you can only
manipulate the current user/group/world permissions listed in
@ -450,7 +450,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
>"Take
Ownership"</B
> permission (dsplayed as <B
> permission (displayed as <B
CLASS="COMMAND"
>"O"
</B
@ -582,7 +582,7 @@ CLASS="PARAMETER"
></A
> parameter to provide compatibility
with Samba 2.0.4 where the permission change facility was introduced.
To allow a user to modify all the user/group/world permissions on a file,
To allow a user to modify all the user/group/world permissions on a file
with no restrictions set this parameter to 000.</P
><P
>The <TT
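Review bot: removing the comma after "file" leaves the sentence without the pause it needs; the comma belongs after "restrictions" instead: "To allow a user to modify all the user/group/world permissions on a file with no restrictions, set this parameter to 000."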

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="OS2"
>OS2 Client HOWTO</A
></H1
><HR></DIV
@ -173,7 +173,7 @@ NAME="AEN33"
driver from an OS/2 system.</P
><P
>Install the NT driver first for that printer. Then,
add to your smb.conf a paramater, "os2 driver map =
add to your smb.conf a parameter, "os2 driver map =
<TT
CLASS="REPLACEABLE"
><I

View File

@ -0,0 +1,309 @@
<HTML
><HEAD
><TITLE
>Configuring PAM for distributed but centrally
managed authentication</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="ARTICLE"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="PAM"
>Configuring PAM for distributed but centrally
managed authentication</A
></H1
><HR></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3"
>Samba and PAM</A
></H1
><P
>A number of Unix systems (eg: Sun Solaris), as well as the
xxxxBSD family and Linux, now utilize the Pluggable Authentication
Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the
introduction of PAM, a decision to use an alternative to
the system password database (<TT
CLASS="FILENAME"
>/etc/passwd</TT
>)
would require the provision of alternatives for all programs that provide
security services. Such a choice would involve provision of
alternatives to such programs as: <B
CLASS="COMMAND"
>login</B
>,
<B
CLASS="COMMAND"
>passwd</B
>, <B
CLASS="COMMAND"
>chown</B
>, etc.</P
><P
>PAM provides a mechanism that disconnects these security programs
from the underlying authentication/authorization infrastructure.
PAM is configured either through one file <TT
CLASS="FILENAME"
>/etc/pam.conf</TT
> (Solaris),
or by editing individual files that are located in <TT
CLASS="FILENAME"
>/etc/pam.d</TT
>.</P
><P
>The following is an example <TT
CLASS="FILENAME"
>/etc/pam.d/login</TT
> configuration file.
This example had all options been uncommented is probably not usable
as it stacks many conditions before allowing successful completion
of the login process. Essentially all conditions can be disabled
by commenting them out except the calls to <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `login' service
#
auth required pam_securetty.so
auth required pam_nologin.so
# auth required pam_dialup.so
# auth optional pam_mail.so
auth required pam_pwdb.so shadow md5
# account requisite pam_time.so
account required pam_pwdb.so
session required pam_pwdb.so
# session optional pam_lastlog.so
# password required pam_cracklib.so retry=3
password required pam_pwdb.so shadow md5</PRE
></P
><P
>PAM allows use of replacable modules. Those available on a
sample system include:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>$ /bin/ls /lib/security
pam_access.so pam_ftp.so pam_limits.so
pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
pam_cracklib.so pam_group.so pam_listfile.so
pam_nologin.so pam_rootok.so pam_tally.so
pam_deny.so pam_issue.so pam_mail.so
pam_permit.so pam_securetty.so pam_time.so
pam_dialup.so pam_lastlog.so pam_mkhomedir.so
pam_pwdb.so pam_shells.so pam_unix.so
pam_env.so pam_ldap.so pam_motd.so
pam_radius.so pam_smbpass.so pam_unix_acct.so
pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
pam_userdb.so pam_warn.so pam_unix_session.so</PRE
></P
><P
>The following example for the login program replaces the use of
the <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
> module which uses the system
password database (<TT
CLASS="FILENAME"
>/etc/passwd</TT
>,
<TT
CLASS="FILENAME"
>/etc/shadow</TT
>, <TT
CLASS="FILENAME"
>/etc/group</TT
>) with
the module <TT
CLASS="FILENAME"
>pam_smbpass.so</TT
> which uses the Samba
database which contains the Microsoft MD4 encrypted password
hashes. This database is stored in either
<TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
>,
<TT
CLASS="FILENAME"
>/etc/samba/smbpasswd</TT
>, or in
<TT
CLASS="FILENAME"
>/etc/samba.d/smbpasswd</TT
>, depending on the
Samba implementation for your Unix/Linux system. The
<TT
CLASS="FILENAME"
>pam_smbpass.so</TT
> module is provided by
Samba version 2.2.1 or later. It can be compiled only if the
<TT
CLASS="CONSTANT"
>--with-pam --with-pam_smbpass</TT
> options are both
provided to the Samba <B
CLASS="COMMAND"
>configure</B
> program.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `login' service
#
auth required pam_smbpass.so nodelay
account required pam_smbpass.so nodelay
session required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay</PRE
></P
><P
>The following is the PAM configuration file for a particular
Linux system. The default condition uses <TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `samba' service
#
auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_pwdb.so shadow md5</PRE
></P
><P
>In the following example the decision has been made to use the
smbpasswd database even for basic samba authentication. Such a
decision could also be made for the passwd program and would
thus allow the smbpasswd passwords to be changed using the passwd
program.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>#%PAM-1.0
# The PAM configuration file for the `samba' service
#
auth required /lib/security/pam_smbpass.so nodelay
account required /lib/security/pam_pwdb.so audit nodelay
session required /lib/security/pam_pwdb.so nodelay
password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
></P
><P
>Note: PAM allows stacking of authentication mechanisms. It is
also possible to pass information obtained within on PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
capabilities of PAM in this environment. Some Linux implmentations also
provide the <TT
CLASS="FILENAME"
>pam_stack.so</TT
> module that allows all
authentication to be configured in a single central file. The
<TT
CLASS="FILENAME"
>pam_stack.so</TT
> method has some very devoted followers
on the basis that it allows for easier administration. As with all issues in
life though, every decision makes trade-offs, so you may want examine the
PAM documentation for further helpful information.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN45"
>Distributed Authentication</A
></H1
><P
>The astute administrator will realize from this that the
combination of <TT
CLASS="FILENAME"
>pam_smbpass.so</TT
>,
<B
CLASS="COMMAND"
>winbindd</B
>, and <B
CLASS="COMMAND"
>rsync</B
> (see
<A
HREF="http://rsync.samba.org/"
TARGET="_top"
>http://rsync.samba.org/</A
>)
will allow the establishment of a centrally managed, distributed
user/password database that can also be used by all
PAM (eg: Linux) aware programs and applications. This arrangement
can have particularly potent advantages compared with the
use of Microsoft Active Directory Service (ADS) in so far as
reduction of wide area network authentication traffic.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN52"
>PAM Configuration in smb.conf</A
></H1
><P
>There is an option in smb.conf called <A
HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
TARGET="_top"
>obey pam restrictions</A
>.
The following is from the on-line help for this option in SWAT;</P
><P
>When Samba 2.2 is configure to enable PAM support (i.e.
<TT
CLASS="CONSTANT"
>--with-pam</TT
>), this parameter will
control whether or not Samba should obey PAM's account
and session management directives. The default behavior
is to use PAM for clear text authentication only and to
ignore any account or session management. Note that Samba always
ignores PAM for authentication in the case of
<A
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
TARGET="_top"
>encrypt passwords = yes</A
>.
The reason is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB
password encryption. </P
><P
>Default: <B
CLASS="COMMAND"
>obey pam restrictions = no</B
></P
></DIV
></DIV
></BODY
></HTML
>
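Review bot: the sample configuration for the `samba' service passes nullok to pam_pwdb.so on the auth line, which lets accounts with an empty password authenticate; if this example is meant to be copied, either drop nullok or add a sentence saying why it is there. Two smaller points in the same new file: "xxxxBSD family" in the first paragraph reads like an unfinished placeholder and should name the BSD variants or say "*BSD"; and a handful of typos and grammar slips should be cleaned up before this ships: "replacable" to "replaceable", "within on PAM module" to "within one PAM module", "implmentations" to "implementations", "you may want examine" to "you may want to examine", "When Samba 2.2 is configure" to "is configured", and "This example had all options been uncommented is probably not usable" needs commas around the conditional clause.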

File diff suppressed because it is too large

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="SAMBA-PDC"
>How to Configure Samba 2.2 as a Primary Domain Controller</A
></H1
><HR></DIV
@ -32,9 +32,9 @@ NAME="AEN3"
>Prerequisite Reading</A
></H1
><P
>Before you continue readingin this chapter, please make sure
>Before you continue reading in this chapter, please make sure
that you are comfortable with configuring basic files services
in smb.conf and how to enable and administrate password
in smb.conf and how to enable and administer password
encryption in Samba. Theses two topics are covered in the
<A
HREF="smb.conf.5.html"
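Review bot: "Theses two topics are covered in the" in the unchanged context line still carries a typo ("Theses" should be "These"); since the hunk is already fixing spelling in the surrounding lines, fix this one as well.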
@ -45,7 +45,7 @@ CLASS="FILENAME"
></A
>
manpage and the <A
HREF="EMCRYPTION.html"
HREF="ENCRYPTION.html"
TARGET="_top"
>Encryption chapter</A
>
@ -71,12 +71,12 @@ CLASS="EMPHASIS"
>Author's Note :</I
> This document is a combination
of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
Both documents are superceeded by this one.</P
Both documents are superseded by this one.</P
></BLOCKQUOTE
></DIV
><P
>Version of Samba prior to release 2.2 had marginal capabilities to
act as a Windows NT 4.0 Primary Domain Controller (PDC). Beginning with
act as a Windows NT 4.0 Primary DOmain Controller (PDC). Beginning with
Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
SP1) clients. This article outlines the steps necessary for configuring Samba
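Review bot: the new line introduces a typo where there was none: "Primary DOmain Controller" should stay "Primary Domain Controller". The context line above it, "Version of Samba prior to release 2.2 had", should also read "Versions of Samba prior to release 2.2 had".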
@ -214,7 +214,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN49"
NAME="AEN51"
>Configuring the Samba Domain Controller</A
></H1
><P
@ -410,16 +410,11 @@ CLASS="FILENAME"
>As Samba 2.2 does not offer a complete implementation of group mapping between
Windows NT groups and UNIX groups (this is really quite complicated to explain
in a short space), you should refer to the <A
HREF="smb.conf.5.html#DOMAINADMINUSERS"
TARGET="_top"
>domain
admin users</A
> and <A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
>domain
admin group</A
> smb.conf parameters for information of creating a Domain Admins
> smb.conf parameter for information of creating "Domain Admins"
style accounts.</P
></DIV
><DIV
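Review bot: the replacement line "smb.conf parameter for information of creating "Domain Admins"" should read "for information on creating". Since the hunk also drops the reference to "domain admin users" and now points at a single parameter, confirm that "domain admin group" is really the only parameter the reader needs here and that nothing else in the document still refers to the removed link.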
@ -427,7 +422,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN92"
NAME="AEN93"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
@ -435,7 +430,7 @@ to the Domain</A
>A machine trust account is a samba user account owned by a computer.
The account password acts as the shared secret for secure
communication with the Domain Controller. This is a security feature
to prevent an unauthorized machine with the same netbios name from
to prevent an unauthorized machine with the same NetBIOS name from
joining the domain and gaining access to domain user/group accounts.
Hence a Windows 9x host is never a true member of a domain because it does
not posses a machine trust account, and thus has no shared secret with the DC.</P
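Review bot: "does not posses a machine trust account" in the trailing context line should be "does not possess"; worth fixing alongside the NetBIOS capitalization change in this hunk.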
@ -468,7 +463,7 @@ CLASS="FILENAME"
><P
> Manual creation before joining the client to the domain. In this case,
the password is set to a known value -- the lower case of the
machine's netbios name.
machine's NetBIOS name.
</P
></LI
><LI
@ -485,7 +480,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN106"
NAME="AEN107"
>Manually creating machine trust accounts</A
></H2
><P
@ -504,9 +499,20 @@ CLASS="PROMPT"
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
>machine_nickname</I
>"machine
nickname"</I
></TT
> -m -s /bin/false <TT
> -s /bin/false <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
>$ </P
><P
><TT
CLASS="PROMPT"
>root# </TT
>passwd -l <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
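Review bot: the added "passwd -l machine_name" step and the removal of "-m" from the useradd line are both sound (no home directory should be created under /dev/null, and locking the Unix password keeps the machine account from being used for an ordinary login), but nothing in this hunk explains why the account is locked; add a sentence to that effect so readers do not drop the step as unnecessary.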
@ -546,7 +552,7 @@ CLASS="REPLACEABLE"
>machine_name</I
></TT
> absolutely must be
the netbios name of the pc to be added to the domain. The "$" must append the netbios
the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS
name of the pc or samba will not recognize this as a machine account</P
><P
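Review bot: "The "$" must append the NetBIOS name of the pc" is awkward and the sentence lacks a full stop; suggest "The "$" must be appended to the NetBIOS name of the PC, or Samba will not recognize this as a machine account."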
>Now that the UNIX account has been created, the next step is to create
@ -576,7 +582,7 @@ CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
> is the machine's netbios
> is the machine's NetBIOS
name. </P
><DIV
CLASS="WARNING"
@ -602,7 +608,7 @@ ALIGN="LEFT"
the "Server Manager". From the time at which the account is created
to the time which th client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using a
a machine with the same netbios name. A PDC inherently trusts
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
information to such clients. You have been warned!
</P
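Review bot: two slips in the unchanged context of this warning: "to the time which th client joins" should be "to the time at which the client joins", and "using a / a machine with the same NetBIOS name" doubles the article across the line break; the new line could drop its leading "a" to fix the second.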
@ -616,7 +622,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN134"
NAME="AEN138"
>Creating machine trust accounts "on the fly"</A
></H2
><P
@ -646,7 +652,7 @@ CLASS="EMPHASIS"
<I
CLASS="EMPHASIS"
>SHOULD</I
> be set to s different password that the
> be set to a different password that the
associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
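Review bot: the new line fixes "s different" to "a different" but keeps "different password that the", which should be "different password than the".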
@ -658,7 +664,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN145"
NAME="AEN149"
>Common Problems and Errors</A
></H1
><P
@ -781,8 +787,8 @@ CLASS="PARAMETER"
have not been created correctly. Make sure that you have the entry
correct for the machine account in smbpasswd file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine netbios name
with a '$' appended to it ( ie. computer_name$ ). There must be an entry
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
in both /etc/passwd and the smbpasswd file. Some people have reported
that inconsistent subnet masks between the Samba server and the NT
client have caused this problem. Make sure that these are consistent
@ -808,7 +814,7 @@ CLASS="EMPHASIS"
CLASS="COMMAND"
>smbpasswd -e
%user%</B
>, this is normaly done, when you create an account.
>, this is normally done, when you create an account.
</P
><P
> In order to work around this problem in 2.2.0, configure the
@ -853,7 +859,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN193"
NAME="AEN197"
>System Policies and Profiles</A
></H1
><P
@ -920,7 +926,7 @@ CLASS="FILENAME"
CLASS="COMMAND"
>servicepackname /x</B
>,
ie thats <B
i.e. that's <B
CLASS="COMMAND"
>Nt4sp6ai.exe /x</B
> for service pack 6a. The policy editor,
@ -1015,7 +1021,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN237"
NAME="AEN241"
>What other help can I get ?</A
></H1
><P
@ -1036,7 +1042,7 @@ CLASS="EMPHASIS"
</P
><P
> One of the best diagnostic tools for debugging problems is Samba itself.
You can use the -d option for both smbd and nmbd to specifiy what
You can use the -d option for both smbd and nmbd to specify what
'debug level' at which to run. See the man pages on smbd, nmbd and
smb.conf for more information on debugging options. The debug
level can range from 1 (the default) to 10 (100 for debugging passwords).
@ -1092,7 +1098,7 @@ TARGET="_top"
(aka. netmon) is available on the Microsoft Developer Network CD's,
the Windows NT Server install CD and the SMS CD's. The version of
netmon that ships with SMS allows for dumping packets between any two
computers (ie. placing the network interface in promiscuous mode).
computers (i.e. placing the network interface in promiscuous mode).
The version on the NT Server install CD will only allow monitoring
of network traffic directed to the local NT box and broadcasts on the
local subnet. Be aware that Ethereal can read and write netmon
@ -1347,7 +1353,7 @@ TARGET="_top"
><LI
><P
> Don't cross post. Work out which is the best list to post to
and see what happens, ie don't post to both samba-ntdom and samba-technical.
and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
Many people active on the lists subscribe to more
than one list and get annoyed to see the same message two or more times.
Often someone will see a message and thinking it would be better dealt
@ -1417,7 +1423,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN351"
NAME="AEN355"
>Domain Control for Windows 9x/ME</A
></H1
><DIV
@ -1455,7 +1461,7 @@ profiles for MS Windows for workgroups and MS Windows 9X clients.</P
logon server. The first one to reply gets the job, and validates its
password using whatever mechanism the Samba administrator has installed.
It is possible (but very stupid) to create a domain where the user
database is not shared between servers, ie they are effectively workgroup
database is not shared between servers, i.e. they are effectively workgroup
servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely
involved with domains.</P
@ -1535,7 +1541,7 @@ TYPE="1"
><LI
><P
> The client then connects to the user's home share and searches for the
user's profile. As it turns out, you can specify the users home share as
user's profile. As it turns out, you can specify the user's home share as
a sharename and path. For example, \\server\fred\.profile.
If the profiles are found, they are implemented.
</P
@ -1553,7 +1559,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN381"
NAME="AEN385"
>Configuration Instructions: Network Logons</A
></H2
><P
@ -1636,7 +1642,7 @@ CLASS="PROGRAMLISTING"
></LI
><LI
><P
> you will probabaly find that your clients automatically mount the
> you will probably find that your clients automatically mount the
\\SERVER\NETLOGON share as drive z: while logging in. You can put
some useful programs there to execute from the batch files.
</P
@ -1686,7 +1692,7 @@ or not Samba must be the domain master browser for its workgroup
when operating as a DC. While it may technically be possible
to configure a server as such (after all, browsing and domain logons
are two distinctly different functions), it is not a good idea to
so. You should remember that the DC must register the DOMAIN#1b netbios
so. You should remember that the DC must register the DOMAIN#1b NetBIOS
name. This is the name used by Windows clients to locate the DC.
Windows clients do not distinguish between the DC and the DMB.
For this reason, it is very wise to configure the Samba DC as the DMB.</P
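Review bot: "it is not a good idea to / so." in the context just before the changed line is missing a word: "it is not a good idea to do so."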
@ -1715,7 +1721,7 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN415"
NAME="AEN419"
>Configuration Instructions: Setting up Roaming User Profiles</A
></H2
><DIV
@ -1752,7 +1758,7 @@ Win9X and WinNT clients implement these features.</P
><P
>Win9X clients send a NetUserGetInfo request to the server to get the user's
profiles location. However, the response does not have room for a separate
profiles location field, only the users home share. This means that Win9X
profiles location field, only the user's home share. This means that Win9X
profiles are restricted to being in the user's home directory.</P
><P
>WinNT clients send a NetSAMLogon RPC request, which contains many fields,
@ -1763,7 +1769,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN423"
NAME="AEN427"
>Windows NT Configuration</A
></H3
><P
@ -1798,7 +1804,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN431"
NAME="AEN435"
>Windows 9X Configuration</A
></H3
><P
@ -1829,7 +1835,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN439"
NAME="AEN443"
>Win9X and WinNT Configuration</A
></H3
><P
@ -1858,7 +1864,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN446"
NAME="AEN450"
>Windows 9X Profile Setup</A
></H3
><P
@ -1867,7 +1873,7 @@ as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
taking the most recent from each. You will need to use the [global]
options "preserve case = yes", "short case preserve = yes" and
options "preserve case = yes", "short preserve case = yes" and
"case sensitive = no" in order to maintain capital letters in shortcuts
in any of the profile folders.</P
><P
@ -1983,7 +1989,7 @@ CLASS="EMPHASIS"
></LI
><LI
><P
> search for the user's .PWL password-cacheing file in the c:\windows
> search for the user's .PWL password-caching file in the c:\windows
directory, and delete it.
</P
></LI
@ -2015,7 +2021,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN482"
NAME="AEN486"
>Windows NT Workstation 4.0</A
></H3
><P
@ -2077,11 +2083,11 @@ case, or whether there is some configuration issue, as yet unknown,
that makes NT Workstation _think_ that the link is a slow one is a
matter to be resolved].</P
><P
>[lkcl 20aug97 - after samba digest correspondance, one user found, and
>[lkcl 20aug97 - after samba digest correspondence, one user found, and
another confirmed, that profiles cannot be loaded from a samba server
unless "security = user" and "encrypt passwords = yes" (see the file
ENCRYPTION.txt) or "security = server" and "password server = ip.address.
of.yourNTserver" are used. either of these options will allow the NT
of.yourNTserver" are used. Either of these options will allow the NT
workstation to access the samba server using LAN manager encrypted
passwords, without the user intervention normally required by NT
workstation for clear-text passwords].</P
@ -2097,7 +2103,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN495"
NAME="AEN499"
>Windows NT Server</A
></H3
><P
@ -2111,7 +2117,7 @@ CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN498"
NAME="AEN502"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
@ -2176,7 +2182,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN508"
NAME="AEN512"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
@ -2274,7 +2280,7 @@ plain Servers.</P
><P
>The User database is called the SAM (Security Access Manager) database and
is used for all user authentication as well as for authentication of inter-
process authentication (ie: to ensure that the service action a user has
process authentication (i.e. to ensure that the service action a user has
requested is permitted within the limits of that user's privileges).</P
><P
>The Samba team have produced a utility that can dump the Windows NT SAM into
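Review bot: the context line expands SAM as "Security Access Manager"; the Windows NT component is the Security Account Manager, so fix the expansion while this paragraph is being touched. "inter- / process authentication" also splits the word with a stray hyphen and should be "inter-process" on one line.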
@ -2285,7 +2291,7 @@ to Samba systems.</P
><P
>Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
can participate in a Domain security system that is controlled by Windows NT
servers that have been correctly configured. At most every domain will have
servers that have been correctly configured. Almost every domain will have
ONE Primary Domain Controller (PDC). It is desirable that each domain will
have at least one Backup Domain Controller (BDC).</P
><P

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="INSTALL"
>How to Install and Test SAMBA</A
></H1
><HR></DIV
@ -84,7 +84,7 @@ CLASS="USERINPUT"
></P
><P
>first to see what special options you can enable.
Then exectuting</P
Then executing</P
><P
><TT
CLASS="PROMPT"
@ -202,7 +202,7 @@ CLASS="PROGRAMLISTING"
>which would allow connections by anyone with an
account on the server, using either their login name or
"homes" as the service name. (Note that I also set the
workgroup that Samba is part of. See BROWSING.txt for defails)</P
workgroup that Samba is part of. See BROWSING.txt for details)</P
><P
>Note that <B
CLASS="COMMAND"
@ -249,7 +249,7 @@ CLASS="FILENAME"
not it will give an error message.</P
><P
>Make sure it runs OK and that the services look
resonable before proceeding. </P
reasonable before proceeding. </P
></DIV
><DIV
CLASS="SECT1"
@ -358,7 +358,7 @@ CLASS="FILENAME"
<TT
CLASS="FILENAME"
>/etc/inetd.conf</TT
> to make them consistant.</P
> to make them consistent.</P
><P
>NOTE: On many systems you may need to use the
"interfaces" option in smb.conf to specify the IP address
@ -371,7 +371,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
>nmbd</B
> tries to determine it at run
time, but fails on somunixes. See the section on "testing nmbd"
time, but fails on some unixes. See the section on "testing nmbd"
for a method of finding if you need to do this.</P
><P
>!!!WARNING!!! Many unixes only accept around 5
@ -637,7 +637,7 @@ NAME="AEN162"
>Diagnosing Problems</A
></H2
><P
>If you have instalation problems then go to
>If you have installation problems then go to
<TT
CLASS="FILENAME"
>DIAGNOSIS.txt</TT
@ -736,20 +736,25 @@ NAME="AEN182"
The second is the "deny modes" that are specified when a file
is open.</P
><P
>Samba supports "record locking" using the fcntl() unix system
call. This is often implemented using rpc calls to a rpc.lockd process
running on the system that owns the filesystem. Unfortunately many
rpc.lockd implementations are very buggy, particularly when made to
talk to versions from other vendors. It is not uncommon for the
rpc.lockd to crash.</P
>Record locking semantics under Unix is very
different from record locking under Windows. Versions
of Samba before 2.2 have tried to use the native
fcntl() unix system call to implement proper record
locking between different Samba clients. This can not
be fully correct due to several reasons. The simplest
is the fact that a Windows client is allowed to lock a
byte range up to 2^32 or 2^64, depending on the client
OS. The unix locking only supports byte ranges up to
2^31. So it is not possible to correctly satisfy a
lock request above 2^31. There are many more
differences, too many to be listed here.</P
><P
>There is also a problem translating the 32 bit lock
requests generated by PC clients to 31 bit requests supported
by most unixes. Unfortunately many PC applications (typically
OLE2 applications) use byte ranges with the top bit set
as semaphore sets. Samba attempts translation to support
these types of applications, and the translation has proved
to be quite successful.</P
>Samba 2.2 and above implements record locking
completely independent of the underlying unix
system. If a byte range lock that the client requests
happens to fall into the range 0-2^31, Samba hands
this request down to the Unix system. All other locks
can not be seen by unix anyway.</P
><P
>Strictly a SMB server should check for locks before
every read and write call on a file. Unfortunately with the
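Review bot: the rewritten locking paragraphs drop the point the old text made about PC applications (typically OLE2) that deliberately lock byte ranges with the top bit set as semaphores; since the new text says such locks are handled inside Samba and "can not be seen by unix anyway", it should state the consequence explicitly: a lock above 2^31 is enforced only between SMB clients of this smbd, not against local Unix processes or another server exporting the same filesystem, so readers evaluating data-integrity guarantees know where the boundary is. Two wording points in the same lines: "Record locking semantics under Unix is very different" should read "are very different", and "happens to fall into the range 0-2^31" would be clearer as "0 to 2^31-1" if that is the boundary intended.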
@ -771,7 +776,7 @@ NAME="AEN182"
are set by an application when it opens a file to determine
what types of access should be allowed simultaneously with
its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
or DENY_ALL. There are also special compatability modes called
or DENY_ALL. There are also special compatibility modes called
DENY_FCB and DENY_DOS.</P
><P
>You can disable share modes using "share modes = no".
@ -804,7 +809,7 @@ NAME="AEN195"
><P
>If you have problems using filenames with accented
characters in them (like the German, French or Scandinavian
character sets) then I recommmend you look at the "valid chars"
character sets) then I recommend you look at the "valid chars"
option in smb.conf and also take a look at the validchars
package in the examples directory.</P
></DIV

View File

@ -50,7 +50,7 @@ NAME="AEN12"
><H2
>DESCRIPTION</H2
><P
>This file is part of the &#60;<A
>This file is part of the <A
HREF="samba.7.html"
TARGET="_top"
> Samba</A

View File

@ -58,7 +58,7 @@ TARGET="_top"
CLASS="COMMAND"
>make_unicodemap</B
> compiles text unicode map
files into binary unicodef map files for use with the
files into binary unicode map files for use with the
internationalization features of Samba 2.2.
</P
></DIV

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="MSDFS"
>Hosting a Microsoft Distributed File System tree on Samba</A
></H1
><HR></DIV

View File

@ -36,7 +36,7 @@ NAME="AEN8"
><P
><B
CLASS="COMMAND"
>smbd</B
>nmbd</B
> [-D] [-a] [-o] [-P] [-h] [-V] [-d &#60;debug level&#62;] [-H &#60;lmhosts file&#62;] [-l &#60;log file&#62;] [-n &#60;primary netbios name&#62;] [-p &#60;port number&#62;] [-s &#60;configuration file&#62;]</P
></DIV
><DIV
@ -539,7 +539,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
>nmbd</B
> will accept SIGHUP, which will cause
it to dump out it's namelists into the file <TT
it to dump out its namelists into the file <TT
CLASS="FILENAME"
>namelist.debug
</TT
@ -555,27 +555,29 @@ CLASS="FILENAME"
cause <B
CLASS="COMMAND"
>nmbd</B
> to dump out it's server database in
> to dump out its server database in
the <TT
CLASS="FILENAME"
>log.nmb</TT
> file. In addition, the debug log level
of nmbd may be raised by sending it a SIGUSR1 (<B
> file.</P
><P
>The debug log level of nmbd may be raised or lowered using
<A
HREF="smbcontrol.1.html"
TARGET="_top"
><B
CLASS="COMMAND"
>kill -USR1
&#60;nmbd-pid&#62;</B
>) and lowered by sending it a
SIGUSR2 (<B
CLASS="COMMAND"
>kill -USR2 &#60;nmbd-pid&#62;</B
>). This is to
allow transient problems to be diagnosed, whilst still running at a
normally low log level.</P
>smbcontrol(1)</B
>
</A
> (SIGUSR[1|2] signals are no longer used in Samba 2.2). This is
to allow transient problems to be diagnosed, whilst still running
at a normally low log level.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN186"
NAME="AEN187"
></A
><H2
>VERSION</H2
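Review bot: the replacement paragraph points at smbcontrol(1) without naming the message type that changes nmbd's debug level, so someone migrating a script from "kill -USR1 <nmbd-pid>" has no search term for the other man page; name the message type here. It should also say what now happens when the old SIGUSR1/SIGUSR2 are sent, because the default disposition of those signals is to terminate the process, and an unchanged monitoring script that still sends them would then kill nmbd instead of raising its log level.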
@ -586,7 +588,7 @@ NAME="AEN186"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN189"
NAME="AEN190"
></A
><H2
>SEE ALSO</H2
@ -651,7 +653,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN206"
NAME="AEN207"
></A
><H2
>AUTHOR</H2

View File

@ -128,7 +128,7 @@ CLASS="CONSTANT"
datagrams. The reason for this option is a bug in Windows 95
where it ignores the source port of the requesting packet
and only replies to UDP port 137. Unfortunately, on most UNIX
systems root privilage is needed to bind to this port, and
systems root privilege is needed to bind to this port, and
in addition, if the <A
HREF="nmbd.8.html"
TARGET="_top"

View File

@ -19,7 +19,7 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
NAME="PRINTING"
>Printing Support in Samba 2.2.x</A
></H1
><HR></DIV
@ -192,14 +192,21 @@ the name is very important (print$ is the service used by
Windows NT print servers to provide support for printer driver
download).</P
><P
>You should modify the server's smb.conf file to create the
>You should modify the server's smb.conf file to add the global
parameters and to create the
following file share (of course, some of the parameter values,
such as 'path' are arbitrary and should be replaced with
appropriate values for your site):</P
><P
><PRE
CLASS="PROGRAMLISTING"
>[print$]
>[global]
; members of the ntadmin group should be able
; to add drivers and set printer properties
; root is implicitly a 'printer admin'
printer admin = @ntadmin
[print$]
path = /usr/local/samba/printers
guest ok = yes
browseable = yes
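Review bot: the new [global] example grants "printer admin = @ntadmin" with only a listing comment about adding drivers and setting properties; since a printer admin can upload driver files that every client later loads into its own spooler, the prose should say plainly that membership in that group is equivalent to administrative trust on all clients that download drivers from this server, and that "guest ok = yes" on print$ is there for read-only driver download, with write access governed separately. The comment "; root is implicitly a 'printer admin'" also deserves a sentence in the text rather than only in the listing.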
@ -209,7 +216,7 @@ CLASS="PROGRAMLISTING"
; sure this account can copy files to the share. If this
; is setup to a non-root account, then it should also exist
; as a 'printer admin'
write list = ntadmin</PRE
write list = @ntadmin,root</PRE
></P
><P
>The <A
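Review bot: "write list = @ntadmin,root" now lists root explicitly while the listing's own comment says root is implicitly a printer admin; the paragraph following this hunk should make clear that "write list" is share-level write access and is independent of the "printer admin" privilege, so an account needs both to install drivers, and that any non-root entry in the write list must also be able to create files under "path" on the Unix side, as the comment "sure this account can copy files to the share" hints.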
@ -224,7 +231,7 @@ CLASS="PARAMETER"
> is used to allow administrative
level user accounts to have write access in order to update files
on the share. See the <A
HREF="smb./conf.5.html"
HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5)
man page</A
@ -514,7 +521,7 @@ Add Printer Wizard icon. The APW will be show only if</P
><P
>The connected user is able to successfully
execute an OpenPrinterEx(\\server) with administrative
priviledges (i.e. root or <TT
privileges (i.e. root or <TT
CLASS="PARAMETER"
><I
>printer admin</I
@ -788,7 +795,7 @@ foreach (supported architecture for a given driver)
the Imprints tool set was the name space issues between
various supported client architectures. For example, Windows
NT includes a driver named "Apple LaserWriter II NTX v51.8"
and Windows 95 callsits version of this driver "Apple
and Windows 95 calls its version of this driver "Apple
LaserWriter II NTX"</P
><P
>The problem is how to know what client drivers have
@ -830,52 +837,67 @@ NAME="MIGRATION"
><P
>Given that printer driver management has changed (we hope improved) in
2.2 over prior releases, migration from an existing setup to 2.2 can
follow several paths.</P
follow several paths. Here are the possible scenarios for
migration:</P
><P
>Windows clients have a tendency to remember things for quite a while.
For example, if a Windows NT client has attached to a Samba 2.0 server,
it will remember the server as a LanMan printer server. Upgrading
the Samba host to 2.2 makes support for MSRPC printing possible, but
the NT client will still remember the previous setting.</P
><P
>In order to give an NT client printing "amesia" (only necessary if you
want to use the newer MSRPC printing functionality in Samba), delete
the registry keys associated with the print server contained in
<TT
CLASS="CONSTANT"
>[HKLM\SYSTEM\CurrentControlSet\Control\Print]</TT
>. The
spooler service on the client should be stopped prior to doing this:</P
><P
><TT
CLASS="PROMPT"
>C:\WINNT\ &#62;</TT
> <TT
CLASS="USERINPUT"
><B
>net stop spooler</B
></TT
></P
><UL
><LI
><P
><I
CLASS="EMPHASIS"
>All the normal disclaimers about editing the registry go
here.</I
> Be careful, and know what you are doing.</P
>If you do not desire the new Windows NT
print driver support, nothing needs to be done.
All existing parameters work the same.</P
></LI
><LI
><P
>The spooler service should be restarted after you have finished
removing the appropriate registry entries by replacing the
<B
>If you want to take advantage of NT printer
driver support but do not want to migrate the
9x drivers to the new setup, the leave the existing
<TT
CLASS="FILENAME"
>printers.def</TT
> file. When smbd attempts
to locate a
9x driver for the printer in the TDB and fails it
will drop down to using the printers.def (and all
associated parameters). The <B
CLASS="COMMAND"
>stop</B
> command above with <B
CLASS="COMMAND"
>start</B
>.</P
>make_printerdef</B
>
tool will also remain for backwards compatibility but will
be removed in the next major release.</P
></LI
><LI
><P
>Windows 9x clients will continue to use LanMan printing calls
with a 2.2 Samba server so there is no need to perform any of these
modifications on non-NT clients.</P
>If you install a Windows 9x driver for a printer
on your Samba host (in the printing TDB), this information will
take precedence and the three old printing parameters
will be ignored (including print driver location).</P
></LI
><LI
><P
>If you want to migrate an existing <TT
CLASS="FILENAME"
>printers.def</TT
>
file into the new setup, the current only solution is to use the Windows
NT APW to install the NT drivers and the 9x drivers. This can be scripted
using <B
CLASS="COMMAND"
>smbclient</B
> and <B
CLASS="COMMAND"
>rpcclient</B
>. See the
Imprints installation client at <A
HREF="http://imprints.sourceforge.net/"
TARGET="_top"
>http://imprints.sourceforge.net/</A
>
for an example.
</P
></LI
></UL
><DIV
CLASS="WARNING"
><P
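Review bot: this hunk deletes the only instructions for clearing an NT client's cached LanMan print-server entry (the "net stop spooler" step and the keys under HKLM\SYSTEM\CurrentControlSet\Control\Print) without replacing them or saying where they moved; if the procedure is no longer needed with 2.2 the text should say so, otherwise keep it, because the retained paragraph "Windows clients have a tendency to remember things for quite a while" still describes that failure mode and now offers no remedy. Two wording errors carried into the moved list: "the leave the existing printers.def file" should read "then leave the existing", and "the current only solution" should read "currently the only solution".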
@ -895,8 +917,12 @@ ALIGN="CENTER"
><TD
ALIGN="LEFT"
><P
>The following smb.conf parameters are considered to be depreciated and will
be removed soon. Do not use them in new installations</P
>The following <TT
CLASS="FILENAME"
>smb.conf</TT
> parameters are considered to
be deprecated and will be removed soon. Do not use them in new
installations</P
><P
></P
><UL
@ -936,63 +962,22 @@ CLASS="PARAMETER"
></TABLE
></DIV
><P
>Here are the possible scenarios for supporting migration:</P
><P
></P
><UL
><LI
><P
>If you do not desire the new Windows NT
print driver support, nothing needs to be done.
All existing parameters work the same.</P
></LI
><LI
><P
>If you want to take advantage of NT printer
driver support but do not want to migrate the
9x drivers to the new setup, the leave the existing
printers.def file. When smbd attempts to locate a
9x driver for the printer in the TDB and fails it
will drop down to using the printers.def (and all
associated parameters). The <B
CLASS="COMMAND"
>make_printerdef</B
>
tool will also remain for backwards compatibility but will
be moved to the "this tool is the old way of doing it"
pile.</P
></LI
><LI
><P
>If you install a Windows 9x driver for a printer
on your Samba host (in the printing TDB), this information will
take precedence and the three old printing parameters
will be ignored (including print driver location).</P
></LI
><LI
><P
>If you want to migrate an existing <TT
CLASS="FILENAME"
>printers.def</TT
>
file into the new setup, the current only solution is to use the Windows
NT APW to install the NT drivers and the 9x drivers. This can be scripted
using <B
CLASS="COMMAND"
>smbclient</B
> and <B
CLASS="COMMAND"
>rpcclient</B
>. See the
Imprints installation client at <A
HREF="http://imprints.sourceforge.net/"
TARGET="_top"
>http://imprints.sourceforge.net/</A
>
for an example.
</P
></LI
></UL
>The have been two new parameters add in Samba 2.2.2 to for
better support of Samba 2.0.x backwards capability (<TT
CLASS="PARAMETER"
><I
>disable
spoolss</I
></TT
>) and for using local printers drivers on Windows
NT/2000 clients (<TT
CLASS="PARAMETER"
><I
>use client driver</I
></TT
>). Both of
these options are described in the smb.coinf(5) man page and are
disabled by default.</P
></DIV
></DIV
></BODY
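Review bot: the added closing paragraph has several errors: "The have been two new parameters add in Samba 2.2.2 to for better support of Samba 2.0.x backwards capability" should read "Two new parameters were added in Samba 2.2.2 for better Samba 2.0.x backwards compatibility", "local printers drivers" should be "local printer drivers", and "smb.coinf(5)" should be "smb.conf(5)". A one-line summary of what "disable spoolss" and "use client driver" each do, alongside the statement that both default to disabled, would save the reader a trip to the other man page at the end of a migration section.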

View File

@ -137,7 +137,10 @@ CLASS="PROGRAMLISTING"
><P
>set the debuglevel. Debug level 0 is the lowest
and 100 being the highest. This should be set to 100 if you are
planning on submitting a bug report to the Samba team (see BUGS.txt).
planning on submitting a bug report to the Samba team (see <TT
CLASS="FILENAME"
>BUGS.txt</TT
>).
</P
></DD
><DT
@ -152,7 +155,10 @@ CLASS="PROGRAMLISTING"
><DD
><P
>File name for log/debug files. The extension
'.client' will be appended. The log file is never removed
<TT
CLASS="CONSTANT"
>'.client'</TT
> will be appended. The log file is never removed
by the client.
</P
></DD
@ -199,7 +205,7 @@ CLASS="ENVAR"
<TT
CLASS="ENVAR"
>LOGNAME</TT
> variable and if either exist, the
> variable and if either exists, the
string is uppercased. If these environmental variables are not
found, the username <TT
CLASS="CONSTANT"
@ -247,7 +253,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN90"
NAME="AEN92"
></A
><H2
>COMMANDS</H2
@ -641,7 +647,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN210"
NAME="AEN212"
></A
><H2
>BUGS</H2
@ -663,7 +669,7 @@ CLASS="COMMAND"
available from the original creators (Microsoft) on how MSRPC over
SMB works, or how the individual MSRPC services work. Microsoft's
implementation of these services has been demonstrated (and reported)
to be... a bit flakey in places. </P
to be... a bit flaky in places. </P
><P
>The development of Samba's implementation is also a bit rough,
and as more of the services are understood, it can even result in
@ -682,7 +688,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN220"
NAME="AEN222"
></A
><H2
>VERSION</H2
@ -693,7 +699,7 @@ NAME="AEN220"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN223"
NAME="AEN225"
></A
><H2
>AUTHOR</H2
@ -704,7 +710,7 @@ NAME="AEN223"
to the way the Linux kernel is developed.</P
><P
>The original rpcclient man page was written by Matthew
Geddes, Luke Kenneth Casson, and rewriten by Gerald Carter.
Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter.
The conversion to DocBook for Samba 2.2 was done by Gerald
Carter.</P
></DIV

File diff suppressed because it is too large Load Diff

View File

@ -52,18 +52,24 @@ TARGET="_top"
> Samba</A
> suite.</P
><P
>The smbcacls program manipulates NT Access Control Lists
>The <B
CLASS="COMMAND"
>smbcacls</B
> program manipulates NT Access Control Lists
(ACLs) on SMB file shares. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN27"
NAME="AEN28"
></A
><H2
>OPTIONS</H2
><P
>The following options are available to the smbcacls program.
>The following options are available to the <B
CLASS="COMMAND"
>smbcacls</B
> program.
The format of ACLs is described in the section ACL FORMAT </P
><P
></P
@ -90,7 +96,7 @@ CLASS="VARIABLELIST"
>-D acls</DT
><DD
><P
>Delete any ACLs specfied on the command line.
>Delete any ACLs specified on the command line.
An error will be printed for each ACL specified that was not
already present in the ACL list. </P
></DD
@ -175,7 +181,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN73"
NAME="AEN75"
></A
><H2
>ACL FORMAT</H2
@ -322,7 +328,7 @@ ACL:&#60;sid or name&#62;:&#60;type&#62;/&#60;flags&#62;/&#60;mask&#62;
><DIV
CLASS="REFSECT1"
><A
NAME="AEN123"
NAME="AEN125"
></A
><H2
>EXIT STATUS</H2
@ -334,8 +340,11 @@ CLASS="COMMAND"
depending on the success or otherwise of the operations performed.
The exit status may be one of the following values. </P
><P
>If the operation succeded, smbcacls returns and exit
status of 0. If smbcacls couldn't connect to the specified server,
>If the operation succeeded, smbcacls returns and exit
status of 0. If <B
CLASS="COMMAND"
>smbcacls</B
> couldn't connect to the specified server,
or there was an error getting or setting the ACLs, an exit status
of 1 is returned. If there was an error parsing any command line
arguments, an exit status of 2 is returned. </P
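Review bot: "smbcacls returns and exit status of 0" keeps the original typo; it should read "an exit status of 0". The first "smbcacls" in that sentence is also left as plain text while the second is wrapped in <B CLASS="COMMAND">, so the markup is inconsistent within the same paragraph.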
@ -343,7 +352,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN128"
NAME="AEN131"
></A
><H2
>VERSION</H2
@ -354,7 +363,7 @@ NAME="AEN128"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN131"
NAME="AEN134"
></A
><H2
>AUTHOR</H2

View File

@ -37,12 +37,12 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>smbclient</B
> {servicename} [password] [-b &#60;buffer size&#62;] [-d debuglevel] [-D Directory] [-S server] [-U username] [-W workgroup] [-M &#60;netbios name&#62;] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L &#60;netbios name&#62;] [-I destinationIP] [-E &#60;terminal code&#62;] [-c &#60;command string&#62;] [-i scope] [-O &#60;socket options&#62;] [-p port] [-R &#60;name resolve order&#62;] [-s &#60;smb config file&#62;] [-T&#60;c|x&#62;IXFqgbNan]</P
> {servicename} [password] [-b &#60;buffer size&#62;] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M &#60;netbios name&#62;] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L &#60;netbios name&#62;] [-I destinationIP] [-E &#60;terminal code&#62;] [-c &#60;command string&#62;] [-i scope] [-O &#60;socket options&#62;] [-p port] [-R &#60;name resolve order&#62;] [-s &#60;smb config file&#62;] [-T&#60;c|x&#62;IXFqgbNan]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN34"
NAME="AEN33"
></A
><H2
>DESCRIPTION</H2
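Review bot: the synopsis drops "[-S server]" but nothing in this hunk removes the corresponding entry from the OPTIONS section or says the option was withdrawn; either delete the option description in the same change or, if -S is still accepted, restore it here so the synopsis stays complete.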
@ -70,7 +70,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN41"
NAME="AEN40"
></A
><H2
>OPTIONS</H2
@ -121,8 +121,14 @@ CLASS="PARAMETER"
><I
>-R</I
></TT
> parameter to smbclient or
using the name resolve order parameter in the smb.conf file,
> parameter to <B
CLASS="COMMAND"
>smbclient</B
> or
using the name resolve order parameter in the <TT
CLASS="FILENAME"
>smb.conf</TT
> file,
allowing an administrator to change the order and methods
by which server names are looked up. </P
></DD
@ -194,7 +200,7 @@ CLASS="FILENAME"
><P
>This option is used by the programs in the Samba
suite to determine what naming services and in what order to resolve
host names to IP addresses. The option takes a space separated
host names to IP addresses. The option takes a space-separated
string of different name resolution options.</P
><P
>The options are :"lmhosts", "host", "wins" and "bcast". They
@ -227,7 +233,7 @@ CLASS="FILENAME"
>/etc/hosts
</TT
>, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
is operating system dependent, for instance on IRIX or Solaris this
may be controlled by the <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@ -284,7 +290,10 @@ CLASS="PARAMETER"
>name resolve order
</I
></TT
> parameter of the smb.conf file the name resolution
> parameter of the <TT
CLASS="FILENAME"
>smb.conf</TT
> file the name resolution
methods will be attempted in this order. </P
></DD
><DT
@ -351,7 +360,14 @@ CLASS="FILENAME"
><P
>This specifies a NetBIOS scope that smbclient will
use to communicate with when generating NetBIOS names. For details
on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt.
on the use of NetBIOS scopes, see <TT
CLASS="FILENAME"
>rfc1001.txt</TT
>
and <TT
CLASS="FILENAME"
>rfc1002.txt</TT
>.
NetBIOS scopes are <EM
>very</EM
> rarely used, only set
@ -383,7 +399,12 @@ CLASS="FILENAME"
>-d debuglevel</DT
><DD
><P
>debuglevel is an integer from 0 to 10, or
><TT
CLASS="REPLACEABLE"
><I
>debuglevel</I
></TT
> is an integer from 0 to 10, or
the letter 'A'. </P
><P
>The default value if this parameter is not specified
@ -400,7 +421,12 @@ CLASS="FILENAME"
data, and should only be used when investigating a problem.
Levels above 3 are designed for use only by developers and
generate HUGE amounts of log data, most of which is extremely
cryptic. If debuglevel is set to the letter 'A', then <EM
cryptic. If <TT
CLASS="REPLACEABLE"
><I
>debuglevel</I
></TT
> is set to the letter 'A', then <EM
>all
</EM
> debug messages will be printed. This setting
@ -410,9 +436,9 @@ CLASS="FILENAME"
to know how the code works internally). </P
><P
>Note that specifying this parameter here will override
the log level parameter in the <B
CLASS="COMMAND"
>smb.conf (5)</B
the log level parameter in the <TT
CLASS="FILENAME"
>smb.conf (5)</TT
>
file. </P
></DD
@ -429,7 +455,12 @@ CLASS="COMMAND"
>-l logfilename</DT
><DD
><P
>If specified, logfilename specifies a base filename
>If specified, <TT
CLASS="REPLACEABLE"
><I
>logfilename</I
></TT
> specifies a base filename
into which operational data from the running client will be
logged. </P
><P
@ -455,7 +486,12 @@ CLASS="FILENAME"
>-I IP-address</DT
><DD
><P
>IP address is the address of the server to connect to.
><TT
CLASS="REPLACEABLE"
><I
>IP address</I
></TT
> is the address of the server to connect to.
It should be specified in standard "a.b.c.d" notation. </P
><P
>Normally the client would attempt to locate a named
@ -492,35 +528,37 @@ CLASS="PARAMETER"
><P
>Sets the SMB username or username and password.
If %pass is not specified, The user will be prompted. The client
will first check the USER environment variable, then the
will first check the <TT
CLASS="ENVAR"
>USER</TT
> environment variable, then the
<TT
CLASS="PARAMETER"
><I
>$LOGNAME</I
></TT
> variable and if either exist, the
CLASS="ENVAR"
>LOGNAME</TT
> variable and if either exists, the
string is uppercased. Anything in these variables following a '%'
sign will be treated as the password. If these environmental
sign will be treated as the password. If these environment
variables are not found, the username <TT
CLASS="CONSTANT"
>GUEST</TT
>
is used. </P
><P
>If the password is not included in these environment
variables (using the %pass syntax), rpcclient will look for
>If the password is not included in these environment
variables (using the %pass syntax), <B
CLASS="COMMAND"
>smbclient</B
> will look for
a <TT
CLASS="PARAMETER"
><I
>$PASSWD</I
></TT
CLASS="ENVAR"
>PASSWD</TT
> environment variable from which
to read the password. </P
><P
>A third option is to use a credentials file which
contains the plaintext of the username and password. This
option is mainly provided for scripts where the admin doesn't
desire to pass the credentials on the command line or via environment
wish to pass the credentials on the command line or via environment
variables. If this method is used, make certain that the permissions
on the file restrict access from unwanted users. See the
<TT
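Review bot: "If %pass is not specified, The user will be prompted" has a capitalised "The" mid-sentence. On the credentials file, "make certain that the permissions on the file restrict access from unwanted users" would be more useful as a concrete instruction (owned by the invoking user and readable by that user only), and since the client's "!" command runs a local shell, the paragraph should note that a password placed in the PASSWD environment variable is inherited by every child process the client starts, which is one more reason the interactive prompt is the safest choice.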
@ -532,10 +570,8 @@ CLASS="PARAMETER"
><P
>Be cautious about including passwords in scripts or in
the <TT
CLASS="PARAMETER"
><I
>$PASSWD</I
></TT
CLASS="ENVAR"
>PASSWD</TT
> environment variable. Also, on
many systems the command line of a running process may be seen
via the <B
@ -544,7 +580,7 @@ CLASS="COMMAND"
> command to be safe always allow
<B
CLASS="COMMAND"
>rpcclient</B
>smbclient</B
> to prompt for a password and type
it in directly. </P
></DD
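Review bot: the sentence "on many systems the command line of a running process may be seen via the ps command to be safe always allow smbclient to prompt for a password" is a run-on; break it as "... may be seen via the ps command. To be safe, always allow smbclient to prompt for a password and type it in directly." The rpcclient-to-smbclient substitution itself is correct for this page.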
@ -592,14 +628,17 @@ CLASS="PARAMETER"
</I
></TT
> option may be useful if your NetBIOS names don't
match your tcp/ip dns host names or if you are trying to reach a
match your TCP/IP DNS host names or if you are trying to reach a
host on another network. </P
></DD
><DT
>-t terminal code</DT
><DD
><P
>This option tells smbclient how to interpret
>This option tells <B
CLASS="COMMAND"
>smbclient</B
> how to interpret
filenames coming from the remote server. Usually Asian language
multibyte UNIX implementations use different character sets than
SMB/CIFS servers (<EM
@ -771,7 +810,7 @@ CLASS="PARAMETER"
>r</I
></TT
> - Regular expression include
or exclude. Uses regular regular expression matching for
or exclude. Uses regular expression matching for
excluding or excluding files if compiled with HAVE_REGEX_H.
However this mode can be very slow. If not compiled with
HAVE_REGEX_H, does a limited wildcard match on '*' and '?'.
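Review bot: "regular regular" is fixed, but the following line still reads "excluding or excluding files if compiled with HAVE_REGEX_H"; the first "excluding" should be "including".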
@ -829,7 +868,10 @@ CLASS="COMMAND"
>'s tar option now supports long
file names both on backup and restore. However, the full path
name of the file must be less than 1024 bytes. Also, when
a tar archive is created, smbclient's tar option places all
a tar archive is created, <B
CLASS="COMMAND"
>smbclient</B
>'s tar option places all
files in the archive with relative names, not absolute names.
</P
><P
@ -845,12 +887,15 @@ CLASS="COMMAND"
>Examples</EM
></P
><P
>Restore from tar file backup.tar into myshare on mypc
>Restore from tar file <TT
CLASS="FILENAME"
>backup.tar</TT
> into myshare on mypc
(no password on share). </P
><P
><B
CLASS="COMMAND"
>smbclient //mypc/myshare "" -N -Tx backup.tar
>smbclient //mypc/yshare "" -N -Tx backup.tar
</B
></P
><P
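Review bot: this hunk introduces a typo into the example command: "smbclient //mypc/yshare "" -N -Tx backup.tar" no longer matches the description "into myshare on mypc" two lines above; the share name should stay myshare.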
@ -906,7 +951,7 @@ CLASS="COMMAND"
>-c command string</DT
><DD
><P
>command string is a semicolon separated list of
>command string is a semicolon-separated list of
commands to be executed instead of prompting from stdin. <TT
CLASS="PARAMETER"
><I
@ -931,7 +976,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN297"
NAME="AEN310"
></A
><H2
>OPERATIONS</H2
@ -979,7 +1024,12 @@ CLASS="VARIABLELIST"
>? [command]</DT
><DD
><P
>If "command" is specified, the ? command will display
>If <TT
CLASS="REPLACEABLE"
><I
>command</I
></TT
> is specified, the ? command will display
a brief informative message about the specified command. If no
command is specified, a list of available commands will
be displayed. </P
@ -988,7 +1038,12 @@ CLASS="VARIABLELIST"
>! [shell command]</DT
><DD
><P
>If "shell command" is specified, the !
>If <TT
CLASS="REPLACEABLE"
><I
>shell command</I
></TT
> is specified, the !
command will execute a shell locally and run the specified shell
command. If no command is specified, a local shell will be run.
</P
@ -1010,14 +1065,24 @@ CLASS="VARIABLELIST"
><DD
><P
>The client will request that the server attempt
to delete all files matching "mask" from the current working
to delete all files matching <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> from the current working
directory on the server. </P
></DD
><DT
>dir &#60;mask&#62;</DT
><DD
><P
>A list of the files matching "mask" in the current
>A list of the files matching <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> in the current
working directory on the server will be retrieved from the server
and displayed. </P
></DD
@ -1032,9 +1097,15 @@ CLASS="VARIABLELIST"
>get &#60;remote file name&#62; [local file name]</DT
><DD
><P
>Copy the file called "remote file name" from
>Copy the file called <TT
CLASS="FILENAME"
>remote file name</TT
> from
the server to the machine running the client. If specified, name
the local copy "local file name". Note that all transfers in
the local copy <TT
CLASS="FILENAME"
>local file name</TT
>. Note that all transfers in
<B
CLASS="COMMAND"
>smbclient</B
@ -1051,7 +1122,12 @@ CLASS="COMMAND"
>lcd [directory name]</DT
><DD
><P
>If "directory name" is specified, the current
>If <TT
CLASS="REPLACEABLE"
><I
>directory name</I
></TT
> is specified, the current
working directory on the local machine will be changed to
the directory specified. This operation will fail if for any
reason the specified directory is inaccessible. </P
@ -1114,13 +1190,26 @@ CLASS="COMMAND"
>mget &#60;mask&#62;</DT
><DD
><P
>Copy all files matching mask from the server to
>Copy all files matching <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> from the server to
the machine running the client. </P
><P
>Note that mask is interpreted differently during recursive
>Note that <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> is interpreted differently during recursive
operation and non-recursive operation - refer to the recurse and
mask commands for more information. Note that all transfers in
smbclient are binary. See also the lowercase command. </P
<B
CLASS="COMMAND"
>smbclient</B
> are binary. See also the lowercase command. </P
></DD
><DT
>mkdir &#60;directory name&#62;</DT
@ -1133,13 +1222,26 @@ CLASS="COMMAND"
>mput &#60;mask&#62;</DT
><DD
><P
>Copy all files matching mask in the current working
>Copy all files matching <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> in the current working
directory on the local machine to the current working directory on
the server. </P
><P
>Note that mask is interpreted differently during recursive
>Note that <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> is interpreted differently during recursive
operation and non-recursive operation - refer to the recurse and mask
commands for more information. Note that all transfers in smbclient
commands for more information. Note that all transfers in <B
CLASS="COMMAND"
>smbclient</B
>
are binary. </P
></DD
><DT
@ -1175,10 +1277,19 @@ CLASS="COMMAND"
>put &#60;local file name&#62; [remote file name]</DT
><DD
><P
>Copy the file called "local file name" from the
>Copy the file called <TT
CLASS="FILENAME"
>local file name</TT
> from the
machine running the client to the server. If specified,
name the remote copy "remote file name". Note that all transfers
in smbclient are binary. See also the lowercase command.
name the remote copy <TT
CLASS="FILENAME"
>remote file name</TT
>. Note that all transfers
in <B
CLASS="COMMAND"
>smbclient</B
> are binary. See also the lowercase command.
</P
></DD
><DT
@ -1223,7 +1334,12 @@ CLASS="COMMAND"
>rm &#60;mask&#62;</DT
><DD
><P
>Remove all files matching mask from the current
>Remove all files matching <TT
CLASS="REPLACEABLE"
><I
>mask</I
></TT
> from the current
working directory on the server. </P
></DD
><DT
@ -1255,7 +1371,12 @@ CLASS="PARAMETER"
><P
>Blocksize. Must be followed by a valid (greater
than zero) blocksize. Causes tar file to be written out in
blocksize*TBLOCK (usually 512 byte) blocks. </P
<TT
CLASS="REPLACEABLE"
><I
>blocksize</I
></TT
>*TBLOCK (usually 512 byte) blocks. </P
></DD
><DT
>tarmode &#60;full|inc|reset|noreset&#62;</DT
@ -1288,7 +1409,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN446"
NAME="AEN477"
></A
><H2
>NOTES</H2
@ -1309,35 +1430,40 @@ NAME="AEN446"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN451"
NAME="AEN482"
></A
><H2
>ENVIRONMENT VARIABLES</H2
><P
>The variable <TT
CLASS="PARAMETER"
><I
>$USER</I
></TT
CLASS="ENVAR"
>USER</TT
> may contain the
username of the person using the client. This information is
used only if the protocol level is high enough to support
session-level passwords.</P
><P
>The variable <TT
CLASS="PARAMETER"
><I
>$PASSWD</I
></TT
CLASS="ENVAR"
>PASSWD</TT
> may contain
the password of the person using the client. This information is
used only if the protocol level is high enough to support
session-level passwords. </P
><P
>The variable <TT
CLASS="ENVAR"
>LIBSMB_PROG</TT
> may contain
the path, executed with system(), which the client should connect
to instead of connecting to a server. This functionality is primarily
intended as a development aid, and works best when using a LMHOSTS
file</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN457"
NAME="AEN490"
></A
><H2
>INSTALLATION</H2
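Review bot: the new LIBSMB_PROG entry states that the value is "executed with system()" but presents it only as a development aid; because any process that can set smbclient's environment can thereby have an arbitrary command run with the client's privileges, this paragraph needs an explicit security note (do not run smbclient with an inherited, untrusted environment, and never honour this variable from privileged wrappers or scheduled jobs) and should say whether the variable is honoured in production builds. Also "a LMHOSTS file" should read "an LMHOSTS file" and the sentence is missing its terminating full stop.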
@ -1368,14 +1494,14 @@ CLASS="FILENAME"
CLASS="COMMAND"
>smbd(8)
</B
> an ordinary user - running that server as a daemon
> as an ordinary user - running that server as a daemon
on a user-accessible port (typically any port number over 1024)
would provide a suitable test server. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN467"
NAME="AEN500"
></A
><H2
>DIAGNOSTICS</H2
@ -1391,7 +1517,7 @@ NAME="AEN467"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN471"
NAME="AEN504"
></A
><H2
>VERSION</H2
@ -1402,7 +1528,7 @@ NAME="AEN471"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN474"
NAME="AEN507"
></A
><H2
>AUTHOR</H2

View File

@ -231,6 +231,14 @@ CLASS="CONSTANT"
CLASS="CONSTANT"
>smbd</TT
>.</P
><P
>The <TT
CLASS="CONSTANT"
>close-share</TT
> message-type sends a
message to smbd which forces smbd to close the share that was
specified as an argument. This may be useful if you made changes
to the access controls on the share. </P
></DD
><DT
>parameters</DT
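Review bot: the new close-share paragraph should say what "close the share" means for connected clients: the smbd(8) text later in this commit notes that a configuration reload does not affect established connections, so close-share is the mechanism for making changed access controls apply to sessions already open on that share, and the sentence should state whether those client sessions are dropped rather than leaving it at "may be useful". The argument format (the share name as written in smb.conf) belongs in the "parameters" entry that follows, and "smbd" is plain text here while the neighbouring entries wrap it in <TT CLASS="CONSTANT">.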
@ -244,7 +252,7 @@ CLASS="CONSTANT"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN76"
NAME="AEN78"
></A
><H2
>VERSION</H2
@ -255,7 +263,7 @@ NAME="AEN76"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN79"
NAME="AEN81"
></A
><H2
>SEE ALSO</H2
@ -281,7 +289,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN86"
NAME="AEN88"
></A
><H2
>AUTHOR</H2

View File

@ -98,12 +98,15 @@ CLASS="FILENAME"
can force a reload by sending a SIGHUP to the server. Reloading
the configuration file will not affect connections to any service
that is already established. Either the user will have to
disconnect from the service, or smbd killed and restarted.</P
disconnect from the service, or <B
CLASS="COMMAND"
>smbd</B
> killed and restarted.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN35"
NAME="AEN36"
></A
><H2
>OPTIONS</H2
@ -120,9 +123,12 @@ CLASS="VARIABLELIST"
the server to operate as a daemon. That is, it detaches
itself and runs in the background, fielding requests
on the appropriate port. Operating the server as a
daemon is the recommended way of running smbd for
daemon is the recommended way of running <B
CLASS="COMMAND"
>smbd</B
> for
servers that provide more than casual use file and
print services. This switch is assumed is <B
print services. This switch is assumed if <B
CLASS="COMMAND"
>smbd
</B
@ -153,7 +159,10 @@ CLASS="COMMAND"
>-P</DT
><DD
><P
>Passive option. Causes smbd not to
>Passive option. Causes <B
CLASS="COMMAND"
>smbd</B
> not to
send any network traffic out. Used for debugging by
the developers only.</P
></DD
@ -181,7 +190,12 @@ CLASS="COMMAND"
>-d &#60;debug level&#62;</DT
><DD
><P
>debuglevel is an integer
><TT
CLASS="REPLACEABLE"
><I
>debuglevel</I
></TT
> is an integer
from 0 to 10. The default value if this parameter is
not specified is zero.</P
><P
@ -217,8 +231,11 @@ CLASS="FILENAME"
>-l &#60;log file&#62;</DT
><DD
><P
>If specified, <EM
>log file</EM
>If specified, <TT
CLASS="REPLACEABLE"
><I
>log file</I
></TT
>
specifies a log filename into which informational and debug
messages from the running server will be logged. The log
@ -261,7 +278,12 @@ CLASS="FILENAME"
>-p &#60;port number&#62;</DT
><DD
><P
>port number is a positive integer
><TT
CLASS="REPLACEABLE"
><I
>port number</I
></TT
> is a positive integer
value. The default value if this parameter is not
specified is 139.</P
><P
@ -309,7 +331,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN104"
NAME="AEN109"
></A
><H2
>FILES</H2
@ -407,7 +429,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN137"
NAME="AEN142"
></A
><H2
>LIMITATIONS</H2
@ -426,7 +448,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN141"
NAME="AEN146"
></A
><H2
>ENVIRONMENTVARIABLES</H2
@ -436,12 +458,18 @@ NAME="AEN141"
CLASS="VARIABLELIST"
><DL
><DT
>PRINTER</DT
><TT
CLASS="ENVAR"
>PRINTER</TT
></DT
><DD
><P
>If no printer name is specified to
printable services, most systems will use the value of
this variable (or lp if this variable is
this variable (or <TT
CLASS="CONSTANT"
>lp</TT
> if this variable is
not defined) as the name of the printer to use. This
is not specific to the server, however.</P
></DD
@ -451,7 +479,7 @@ CLASS="VARIABLELIST"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN148"
NAME="AEN155"
></A
><H2
>INSTALLATION</H2
@ -469,10 +497,16 @@ CLASS="FILENAME"
program itself should be executable by all, as users may wish to
run the server themselves (in which case it will of course run
with their privileges). The server should NOT be setuid. On some
systems it may be worthwhile to make smbd setgid to an empty group.
systems it may be worthwhile to make <B
CLASS="COMMAND"
>smbd</B
> setgid to an empty group.
This is because some systems may have a security hole where daemon
processes that become a user can be attached to with a debugger.
Making the smbd file setgid to an empty group may prevent
Making the <B
CLASS="COMMAND"
>smbd</B
> file setgid to an empty group may prevent
this hole from being exploited. This security hole and the suggested
fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
at the time this was written. It is possible that this hole only
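Review bot: this paragraph tells readers to consider making smbd setgid to an empty group, but then says the hole was only confirmed on pre-2.0 Linux kernels "at the time this was written"; since the hunk is only wrapping smbd in COMMAND markup, take the opportunity to mark the setgid advice as historical so administrators on current systems do not change the install mode on the strength of it. The unchanged "The server should NOT be setuid" sentence is the part that still matters and should stay prominent.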
@ -567,7 +601,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN179"
NAME="AEN188"
></A
><H2
>RUNNING THE SERVER AS A DAEMON</H2
@ -622,7 +656,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN192"
NAME="AEN201"
></A
><H2
>RUNNING THE SERVER ON REQUEST</H2
@ -631,7 +665,10 @@ NAME="AEN192"
CLASS="COMMAND"
>inetd
</B
>, you can arrange to have the smbd server started
>, you can arrange to have the <B
CLASS="COMMAND"
>smbd</B
> server started
whenever a process attempts to connect to it. This requires several
changes to the startup files on the host machine. If you are
experimenting as an ordinary user rather than as root, you will
@ -755,7 +792,52 @@ CLASS="COMPUTEROUTPUT"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN223"
NAME="AEN233"
></A
><H2
>PAM INTERACTION</H2
><P
>Samba uses PAM for authentication (when presented with a plaintext
password), for account checking (is this account disabled?) and for
session management. The degree too which samba supports PAM is restricted
by the limitations of the SMB protocol and the
<A
HREF="smb.conf.5.html#OBEYPAMRESRICTIONS"
TARGET="_top"
>obey pam restricions</A
>
smb.conf paramater. When this is set, the following restrictions apply:
</P
><P
></P
><UL
><LI
><P
><EM
>Account Validation</EM
>: All acccesses to a
samba server are checked
against PAM to see if the account is vaild, not disabled and is permitted to
login at this time. This also applies to encrypted logins.
</P
></LI
><LI
><P
><EM
>Session Management</EM
>: When not using share
level secuirty, users must pass PAM's session checks before access
is granted. Note however, that this is bypassed in share level secuirty.
Note also that some older pam configuration files may need a line
added for session support.
</P
></LI
></UL
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN244"
></A
><H2
>TESTING THE INSTALLATION</H2
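Review bot: the new PAM INTERACTION section has a number of spelling errors that should be fixed before it ships: "The degree too which" (to), "obey pam restricions" (restrictions), "smb.conf paramater" (parameter), "All acccesses" (accesses), "vaild" (valid), and "secuirty" twice (security). The HREF fragment "#OBEYPAMRESRICTIONS" is also missing a T; check that it matches the anchor actually generated in smb.conf.5.html. Beyond spelling, the section is ambiguous about what depends on the parameter: the opening sentence says Samba uses PAM for plaintext authentication, account checking and session management, and then says "When this is set, the following restrictions apply", so state explicitly which of the three behaviours happen regardless of obey pam restrictions and which only when it is set.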
@ -769,8 +851,18 @@ CLASS="COMMAND"
> will reread their configuration
tables if they receive a HUP signal.</P
><P
>If your machine's name is fred and your
name is mary, you should now be able to connect
>If your machine's name is <TT
CLASS="REPLACEABLE"
><I
>fred</I
></TT
> and your
name is <TT
CLASS="REPLACEABLE"
><I
>mary</I
></TT
>, you should now be able to connect
to the service <TT
CLASS="FILENAME"
>\\fred\mary</TT
@ -803,7 +895,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN235"
NAME="AEN258"
></A
><H2
>VERSION</H2
@ -814,7 +906,7 @@ NAME="AEN235"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN238"
NAME="AEN261"
></A
><H2
>DIAGNOSTICS</H2
@ -837,19 +929,25 @@ NAME="AEN238"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN243"
NAME="AEN266"
></A
><H2
>SIGNALS</H2
><P
>Sending the smbd a SIGHUP will cause it to
re-load its <TT
>Sending the <B
CLASS="COMMAND"
>smbd</B
> a SIGHUP will cause it to
reload its <TT
CLASS="FILENAME"
>smb.conf</TT
> configuration
file within a short period of time.</P
><P
>To shut down a users smbd process it is recommended
>To shut down a user's <B
CLASS="COMMAND"
>smbd</B
> process it is recommended
that <B
CLASS="COMMAND"
>SIGKILL (-9)</B
@ -858,24 +956,37 @@ CLASS="COMMAND"
>
be used, except as a last resort, as this may leave the shared
memory area in an inconsistent state. The safe way to terminate
an smbd is to send it a SIGTERM (-15) signal and wait for
an <B
CLASS="COMMAND"
>smbd</B
> is to send it a SIGTERM (-15) signal and wait for
it to die on its own.</P
><P
>The debug log level of smbd may be raised by sending
it a SIGUSR1 (<B
>The debug log level of <B
CLASS="COMMAND"
>kill -USR1 &#60;smbd-pid&#62;</B
>)
and lowered by sending it a SIGUSR2 (<B
>smbd</B
> may be raised
or lowered using <A
HREF="smbcontrol.1.html"
TARGET="_top"
><B
CLASS="COMMAND"
>kill -USR2 &#60;smbd-pid&#62;
>smbcontrol(1)
</B
>). This is to allow transient problems to be diagnosed,
></A
> program (SIGUSR[1|2] signals are no longer used in
Samba 2.2). This is to allow transient problems to be diagnosed,
whilst still running at a normally low log level.</P
><P
>Note that as the signal handlers send a debug write,
they are not re-entrant in smbd. This you should wait until
smbd is in a state of waiting for an incoming smb before
they are not re-entrant in <B
CLASS="COMMAND"
>smbd</B
>. This you should wait until
<B
CLASS="COMMAND"
>smbd</B
> is in a state of waiting for an incoming SMB before
issuing them. It is possible to make the signal handlers safe
by un-blocking the signals before the select call and re-blocking
them after, however this would affect performance.</P
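Review bot: the final paragraph of this section is now stale. The preceding paragraph was changed to say that SIGUSR1/SIGUSR2 are no longer used in Samba 2.2 and that smbcontrol(1) is the way to change the log level, but the "Note that as the signal handlers send a debug write, they are not re-entrant" paragraph still tells the reader to wait until smbd is idle "before issuing them", which refers to those same signals. Either drop the paragraph or reword it to refer only to SIGHUP, which is the one signal still documented here. Also "This you should wait until" should read "Thus you should wait until".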
@ -883,7 +994,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN254"
NAME="AEN283"
></A
><H2
>SEE ALSO</H2
@ -949,7 +1060,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN271"
NAME="AEN300"
></A
><H2
>AUTHOR</H2

View File

@ -54,10 +54,11 @@ CLASS="COMMAND"
<B
CLASS="COMMAND"
>smbmnt</B
> is meant to be installed setuid root
so that normal users can mount their smb shares. It checks
whether the user has write permissions on the mount point and
then mounts the directory.</P
> can be installed setuid root if you want
normal users to be able to mount their SMB shares.</P
><P
>A setuid smbmnt will only allow mounts on directories owned
by the user, and that the user has write permission on.</P
><P
>The <B
CLASS="COMMAND"
@ -72,11 +73,14 @@ CLASS="COMMAND"
>
</A
>. It should not be invoked directly by users. </P
><P
>smbmount searches the normal PATH for smbmnt. You must ensure
that the smbmnt version in your path matches the smbmount used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN28"
NAME="AEN30"
></A
><H2
>OPTIONS</H2
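Review bot: "A setuid smbmnt will only allow mounts on directories owned by the user, and that the user has write permission on" is awkward; suggest "A setuid smbmnt will only allow mounts on directories that the user owns and has write permission on." Note that this is a tightening of the previous text, which mentioned only the write-permission check, so it is worth saying both conditions are required. In the new PATH paragraph, make clear that smbmount, which is not setuid, looks smbmnt up in the invoking user's PATH, so the version mismatch warning applies to whatever smbmnt that user's PATH finds first.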
@ -125,7 +129,7 @@ CLASS="VARIABLELIST"
><DD
><P
> list of options that are passed as-is to smbfs, if this
command is run on a 2.4 or higher linux kernel.
command is run on a 2.4 or higher Linux kernel.
</P
></DD
></DL
@ -134,7 +138,7 @@ CLASS="VARIABLELIST"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN55"
NAME="AEN57"
></A
><H2
>AUTHOR</H2

View File

@ -49,28 +49,41 @@ NAME="AEN14"
><B
CLASS="COMMAND"
>smbmount</B
> mounts a SMB filesystem. It
> mounts a Linux SMB filesystem. It
is usually invoked as <B
CLASS="COMMAND"
>mount.smb</B
> from
>mount.smbfs</B
> by
the <B
CLASS="COMMAND"
>mount(8)</B
> command when using the
"-t smb" option. The kernel must support the smbfs filesystem. </P
"-t smbfs" option. This command only works in Linux, and the kernel must
support the smbfs filesystem. </P
><P
>Options to smbmount are specified as a comma separated
>Options to <B
CLASS="COMMAND"
>smbmount</B
> are specified as a comma-separated
list of key=value pairs. It is possible to send options other
than those listed here, assuming that smbfs supports them. If
you get mount failures, check your kernel log for errors on
unknown options.</P
><P
>smbmount is a daemon. After mounting it keeps running until
><B
CLASS="COMMAND"
>smbmount</B
> is a daemon. After mounting it keeps running until
the mounted smbfs is umounted. It will log things that happen
when in daemon mode using the "machine name" smbmount, so
typically this output will end up in log.smbmount. The
smbmount process may also be called mount.smbfs.</P
typically this output will end up in <TT
CLASS="FILENAME"
>log.smbmount</TT
>. The
<B
CLASS="COMMAND"
>smbmount</B
> process may also be called mount.smbfs.</P
><P
><EM
>NOTE:</EM
@ -91,7 +104,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN27"
NAME="AEN31"
></A
><H2
>OPTIONS</H2
@ -129,6 +142,13 @@ CLASS="COMMAND"
> will prompt
for a passeword, unless the guest option is
given. </P
><P
> Note that password which contain the arguement delimiter
character (i.e. a comma ',') will failed to be parsed correctly
on the command line. However, the same password defined
in the PASSWD environment variable or a credentials file (see
below) will be read correctly.
</P
></DD
><DT
>credentials=&#60;filename&#62;</DT
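Review bot: the added note on comma-containing passwords needs a grammar pass: "password which contain the arguement delimiter character (i.e. a comma ',') will failed to be parsed correctly" should read "passwords that contain the argument delimiter character (a comma ',') will fail to be parsed correctly". The unchanged context line above it also has "passeword" for "password". The same limitation is restated in the rewritten BUGS section of this file; one of the two should point at the other rather than duplicating the text.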
@ -155,7 +175,10 @@ CLASS="PROGRAMLISTING"
</P
><P
>This is preferred over having passwords in plaintext in a
shared file, such as /etc/fstab. Be sure to protect any
shared file, such as <TT
CLASS="FILENAME"
>/etc/fstab</TT
>. Be sure to protect any
credentials file properly.
</P
></DD
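Review bot: "Be sure to protect any credentials file properly" is too vague for the one sentence that tells the reader how to keep the password out of a world-readable file; say what "properly" means, for example that the file should be readable only by the user who runs the mount, so that the advantage over /etc/fstab that the paragraph claims is actually realised.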
@ -203,7 +226,7 @@ CLASS="PROGRAMLISTING"
>dmask=&#60;arg&#62;</DT
><DD
><P
>sets the directory mask. This deterines the
>sets the directory mask. This determines the
permissions that remote directories have in the local filesystem.
The default is based on the current umask. </P
></DD
@ -212,7 +235,9 @@ CLASS="PROGRAMLISTING"
><DD
><P
>sets the debug level. This is useful for
tracking down SMB connection problems. </P
tracking down SMB connection problems. A suggested value to
start with is 4. If set too high there will be a lot of
output, possibly hiding the useful output.</P
></DD
><DT
>ip=&#60;arg&#62;</DT
@ -275,7 +300,7 @@ CLASS="PARAMETER"
>iocharset=&#60;arg&#62;</DT
><DD
><P
> sets the charset used by the linux side for codepage
> sets the charset used by the Linux side for codepage
to charset translations (NLS). Argument should be the
name of a charset, like iso8859-1. (Note: only kernel
2.4.0 or later)
@ -311,7 +336,7 @@ CLASS="PARAMETER"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN119"
NAME="AEN125"
></A
><H2
>ENVIRONMENT VARIABLES</H2
@ -336,20 +361,27 @@ CLASS="ENVAR"
>The variable <TT
CLASS="ENVAR"
>PASSWD_FILE</TT
> may contain the pathname of
a file to read the password from. A single line of input is
read and used as password.</P
> may contain the pathname
of a file to read the password from. A single line of input is
read and used as the password.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN127"
NAME="AEN133"
></A
><H2
>BUGS</H2
><P
>Not many known smbmount bugs. But one smbfs bug is
important enough to mention here anyway:</P
>Passwords and other options containing , can not be handled.
For passwords an alternative way of passing them is in a credentials
file or in the PASSWD environment.</P
><P
>The credentials file does not handle usernames or passwords with
leading space.</P
><P
>One smbfs bug is important enough to mention here, even if it
is a bit misplaced:</P
><P
></P
><UL
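Review bot: the rewritten BUGS section lists the credentials file and "the PASSWD environment" as the alternatives for passwords containing a comma, but the ENVIRONMENT VARIABLES section of this same file, touched in the hunk just above, also documents PASSWD_FILE; list it here as well. "in the PASSWD environment" should read "in the PASSWD environment variable", and the bare "containing ," is easier to read as "containing a comma (',')".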
@ -357,13 +389,13 @@ NAME="AEN127"
><P
>Mounts sometimes stop working. This is usually
caused by smbmount terminating. Since smbfs needs smbmount to
reconnect when the server disconnects, the mount will go
dead. A re-mount normally fixes this. At least 2 ways to
reconnect when the server disconnects, the mount will eventually go
dead. An umount/mount normally fixes this. At least 2 ways to
trigger this bug are known.</P
></LI
></UL
><P
>Note that the typical response to a bugreport is suggestion
>Note that the typical response to a bug report is suggestion
to try the latest version first. So please try doing that first,
and always include which versions you use of relevant software
when reporting bugs (minimum: samba, kernel, distribution)</P
@ -371,18 +403,32 @@ NAME="AEN127"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN134"
NAME="AEN142"
></A
><H2
>SEE ALSO</H2
><P
>Documentation/filesystems/smbfs.txt in the kernel source tree
may contain additional options and information.</P
>Documentation/filesystems/smbfs.txt in the linux kernel
source tree may contain additional options and information.</P
><P
>FreeBSD also has a smbfs, but it is not related to smbmount</P
><P
>For Solaris, HP-UX and others you may want to look at
<A
HREF="smbsh.1.html"
TARGET="_top"
><B
CLASS="COMMAND"
>smbsh(1)</B
></A
> or at other
solutions, such as sharity or perhaps replacing the SMB server with
a NFS server.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN137"
NAME="AEN149"
></A
><H2
>AUTHOR</H2
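Review bot: "a NFS server" should be "an NFS server", and "linux kernel" should be "Linux kernel" to match the capitalisation this commit applies everywhere else in the smbmount and smbumount pages. "sharity" is a product name and is normally written "Sharity".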

View File

@ -101,9 +101,9 @@ CLASS="VARIABLELIST"
>Lanman Password Hash</DT
><DD
><P
>This is the LANMAN hash of the users password,
>This is the LANMAN hash of the user's password,
encoded as 32 hex digits. The LANMAN hash is created by DES
encrypting a well known string with the users password as the
encrypting a well known string with the user's password as the
DES key. This is the same password used by Windows 95/98 machines.
Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the
@ -111,7 +111,7 @@ CLASS="VARIABLELIST"
is not "salted" as the UNIX password is). If the user has a
null password this field will contain the characters "NO PASSWORD"
as the start of the hex string. If the hex string is equal to
32 'X' characters then the users account is marked as
32 'X' characters then the user's account is marked as
<TT
CLASS="CONSTANT"
>disabled</TT
@ -140,14 +140,14 @@ CLASS="CONSTANT"
>NT Password Hash</DT
><DD
><P
>This is the Windows NT hash of the users
>This is the Windows NT hash of the user's
password, encoded as 32 hex digits. The Windows NT hash is
created by taking the users password as represented in
created by taking the user's password as represented in
16-bit, little-endian UNICODE and then applying the MD4
(internet rfc1321) hashing algorithm to it. </P
><P
>This password hash is considered more secure than
the Lanman Password Hash as it preserves the case of the
the LANMAN Password Hash as it preserves the case of the
password and uses a much higher quality hashing algorithm.
However, it is still the case that if two users choose the same
password this entry will be identical (i.e. the password is
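Review bot: the context line "(internet rfc1321) hashing algorithm" cites the wrong RFC: RFC 1321 is MD5, while MD4, which is what the NT hash actually uses, is RFC 1320. Since this hunk already edits the surrounding sentences, correct the reference here.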
@ -198,7 +198,7 @@ CLASS="CONSTANT"
><EM
>N</EM
> - This means the
account has no password (the passwords in the fields Lanman
account has no password (the passwords in the fields LANMAN
Password Hash and NT Password Hash are ignored). Note that this
will only allow users to log on with no password if the <TT
CLASS="PARAMETER"

View File

@ -24,7 +24,7 @@ NAME="AEN5"
></A
><H2
>Name</H2
>smbpasswd&nbsp;--&nbsp;change a users SMB password</DIV
>smbpasswd&nbsp;--&nbsp;change a user's SMB password</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
@ -36,7 +36,7 @@ NAME="AEN8"
><B
CLASS="COMMAND"
>smbpasswd</B
> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &#60;remote machine&#62;] [-R &#60;name resolve order&#62;] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P
> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &#60;remote machine&#62;] [-R &#60;name resolve order&#62;] [-m] [-j DOMAIN] [-U username[%password]] [-h] [-s] [username]</P
></DIV
><DIV
CLASS="REFSECT1"
@ -61,7 +61,7 @@ TARGET="_top"
SMB passwords. </P
><P
>By default (when run with no arguments) it will attempt to
change the current users SMB password on the local machine. This is
change the current user's SMB password on the local machine. This is
similar to the way the <B
CLASS="COMMAND"
>passwd(1)</B
@ -86,10 +86,10 @@ CLASS="FILENAME"
> file. </P
><P
>When run by an ordinary user with no options. smbpasswd
will prompt them for their old smb password and then ask them
will prompt them for their old SMB password and then ask them
for their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the screen
whilst being typed. If you have a blank smb password (specified by
whilst being typed. If you have a blank SMB password (specified by
the string "NO PASSWORD" in the smbpasswd file) then just press
the &#60;Enter&#62; key when asked for your old password. </P
><P
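Review bot: the unchanged context line "When run by an ordinary user with no options. smbpasswd" has a full stop where a comma belongs; since this hunk is already fixing "smb" to "SMB" in the same paragraph, change it to "When run by an ordinary user with no options, smbpasswd".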
@ -167,7 +167,7 @@ CLASS="CONSTANT"
will fail. </P
><P
>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the users password entry to write
format) there is no space in the user's password entry to write
this information and so the user is disabled by writing 'X' characters
into the password space in the smbpasswd file. See <B
CLASS="COMMAND"
@ -217,7 +217,7 @@ CLASS="COMMAND"
><DD
><P
><TT
CLASS="PARAMETER"
CLASS="REPLACEABLE"
><I
>debuglevel</I
></TT
@ -500,7 +500,7 @@ CLASS="COMMAND"
><DD
><P
>This option causes smbpasswd to be silent (i.e.
not issue prompts) and to read it's old and new passwords from
not issue prompts) and to read its old and new passwords from
standard input, rather than from <TT
CLASS="FILENAME"
>/dev/tty</TT

View File

@ -14,7 +14,7 @@ VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="FINDSMB"
NAME="SMBSH"
>smbsh</A
></H1
><DIV
@ -67,7 +67,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
>rcp</B
>. You must use a
shell that is dynmanically linked in order for <B
shell that is dynamically linked in order for <B
CLASS="COMMAND"
>smbsh</B
>
@ -80,7 +80,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
> smbsh</B
> from the prompt and enter the username and password
that authenticate you to the machine running the Windows NT
that authenticates you to the machine running the Windows NT
operating system.</P
><P
><TABLE
@ -133,10 +133,15 @@ CLASS="FILENAME"
CLASS="COMMAND"
>ls /smb
</B
> will show all the machines in your workgroup. The command
> will show a list of workgroups. The command
<B
CLASS="COMMAND"
>ls /smb/&#60;machine-name&#62;</B
>ls /smb/MYGROUP </B
> will show all the machines in
the workgroup MYGROUP. The command
<B
CLASS="COMMAND"
>ls /smb/MYGROUP/&#60;machine-name&#62;</B
> will show the share
names for that machine. You could then, for example, use the <B
CLASS="COMMAND"
@ -153,7 +158,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
NAME="AEN40"
></A
><H2
>VERSION</H2
@ -164,7 +169,7 @@ NAME="AEN39"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN42"
NAME="AEN43"
></A
><H2
>BUGS</H2
@ -197,7 +202,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN51"
NAME="AEN52"
></A
><H2
>SEE ALSO</H2
@ -220,7 +225,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN57"
NAME="AEN58"
></A
><H2
>AUTHOR</H2

View File

@ -89,10 +89,8 @@ TARGET="_top"
><P
>smbspool tries to get the URI from argv[0]. If argv[0]
contains the name of the program then it looks in the <TT
CLASS="PARAMETER"
><I
> DEVICE_URI</I
></TT
CLASS="ENVAR"
> DEVICE_URI</TT
> environment variable.</P
><P
>Programs using the <B
@ -101,10 +99,8 @@ CLASS="COMMAND"
> functions can
pass the URI in argv[0], while shell scripts must set the
<TT
CLASS="PARAMETER"
><I
>DEVICE_URI</I
></TT
CLASS="ENVAR"
>DEVICE_URI</TT
> environment variable prior to
running smbspool.</P
></DIV

View File

@ -51,7 +51,7 @@ NAME="AEN12"
CLASS="COMMAND"
>smbumount</B
> has
been written to give normal linux-users more control over their
been written to give normal Linux users more control over their
resources. It is safe to install this program suid root, because only
the user who has mounted a filesystem is allowed to unmount it again.
For root it is not necessary to use smbumount. The normal umount

View File

@ -68,15 +68,24 @@ CLASS="FILENAME"
CLASS="COMMAND"
>swat</B
> configuration page has help links
to all the configurable options in the smb.conf file allowing an
to all the configurable options in the <TT
CLASS="FILENAME"
>smb.conf</TT
> file allowing an
administrator to easily look up the effects of any change. </P
><P
>swat is run from inetd </P
><B
CLASS="COMMAND"
>swat</B
> is run from <B
CLASS="COMMAND"
>inetd</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN23"
NAME="AEN26"
></A
><H2
>OPTIONS</H2
@ -95,7 +104,10 @@ CLASS="VARIABLELIST"
CLASS="COMMAND"
>smbd
</B
> server. This is the file that swat will modify.
> server. This is the file that <B
CLASS="COMMAND"
>swat</B
> will modify.
The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide.
@ -110,8 +122,14 @@ CLASS="FILENAME"
><DD
><P
>This option disables authentication and puts
swat in demo mode. In that mode anyone will be able to modify
the smb.conf file. </P
<B
CLASS="COMMAND"
>swat</B
> in demo mode. In that mode anyone will be able to modify
the <TT
CLASS="FILENAME"
>smb.conf</TT
> file. </P
><P
><EM
>Do NOT enable this option on a production
@ -124,7 +142,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN38"
NAME="AEN44"
></A
><H2
>INSTALLATION</H2
@ -158,7 +176,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT2"
><A
NAME="AEN50"
NAME="AEN56"
></A
><H3
>Inetd Installation</H3
@ -171,7 +189,10 @@ CLASS="FILENAME"
CLASS="FILENAME"
>/etc/services</TT
>
to enable SWAT to be launched via inetd.</P
to enable SWAT to be launched via <B
CLASS="COMMAND"
>inetd</B
>.</P
><P
>In <TT
CLASS="FILENAME"
@ -228,15 +249,15 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT2"
><A
NAME="AEN71"
NAME="AEN78"
></A
><H3
>Launching</H3
><P
>To launch swat just run your favorite web browser and
>To launch SWAT just run your favorite web browser and
point it at "http://localhost:901/".</P
><P
>Note that you can attach to swat from any IP connected
>Note that you can attach to SWAT from any IP connected
machine but connecting from a remote machine leaves your
connection open to password sniffing as passwords will be sent
in the clear over the wire. </P
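Review bot: the Launching text warns that connecting to SWAT from a remote machine exposes the password to sniffing but offers no guidance; since the URL given two lines above is already http://localhost:901/, say explicitly that SWAT is intended to be used from the local machine and that the remote case is the exception the warning applies to.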
@ -245,7 +266,7 @@ NAME="AEN71"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN75"
NAME="AEN82"
></A
><H2
>FILES</H2
@ -303,7 +324,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN96"
NAME="AEN103"
></A
><H2
>WARNINGS</H2
@ -335,7 +356,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN104"
NAME="AEN111"
></A
><H2
>VERSION</H2
@ -346,7 +367,7 @@ NAME="AEN104"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN107"
NAME="AEN114"
></A
><H2
>SEE ALSO</H2
@ -373,7 +394,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN114"
NAME="AEN121"
></A
><H2
>AUTHOR</H2

View File

@ -125,7 +125,12 @@ CLASS="COMMAND"
>-L servername</DT
><DD
><P
>Sets the value of the %L macro to servername.
>Sets the value of the %L macro to <TT
CLASS="REPLACEABLE"
><I
>servername</I
></TT
>.
This is useful for testing include files specified with the
%L macro. </P
></DD
@ -146,7 +151,10 @@ CLASS="FILENAME"
><DD
><P
>If this parameter and the following are
specified, then testparm will examine the <TT
specified, then <B
CLASS="COMMAND"
>testparm</B
> will examine the <TT
CLASS="PARAMETER"
><I
>hosts
@ -184,7 +192,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN64"
NAME="AEN66"
></A
><H2
>FILES</H2
@ -213,13 +221,13 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN73"
NAME="AEN75"
></A
><H2
>DIAGNOSTICS</H2
><P
>The program will issue a message saying whether the
configuration file loaded OK or not. This message may be preceeded by
configuration file loaded OK or not. This message may be preceded by
errors and warnings if the file did not load. If the file was
loaded OK, the program then dumps all known service details
to stdout. </P
@ -227,7 +235,7 @@ NAME="AEN73"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN76"
NAME="AEN78"
></A
><H2
>VERSION</H2
@ -238,7 +246,7 @@ NAME="AEN76"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN79"
NAME="AEN81"
></A
><H2
>SEE ALSO</H2
@ -264,7 +272,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN86"
NAME="AEN88"
></A
><H2
>AUTHOR</H2

View File

@ -35,7 +35,7 @@ NAME="AEN8"
><P
><B
CLASS="COMMAND"
>nmblookup</B
>wbinfo</B
> [-u] [-g] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m]</P
></DIV
><DIV
@ -243,25 +243,27 @@ NAME="AEN88"
CLASS="COMMAND"
>winbindd(8)
</B
> daemon is not working wbinfo will always return
> daemon is not working <B
CLASS="COMMAND"
>wbinfo</B
> will always return
failure. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN92"
NAME="AEN93"
></A
><H2
>VERSION</H2
><P
>This man page is correct for version 2.2 of
the Samba suite. winbindd is however not available in
stable release of Samba as of yet.</P
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN95"
NAME="AEN96"
></A
><H2
>SEE ALSO</H2
@ -279,7 +281,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN100"
NAME="AEN101"
></A
><H2
>AUTHOR</H2
@ -296,7 +298,7 @@ CLASS="COMMAND"
CLASS="COMMAND"
>winbindd</B
>
were written by TIm Potter.</P
were written by Tim Potter.</P
><P
>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter</P

View File

@ -1,7 +1,7 @@
<HTML
><HEAD
><TITLE
>Unifed Logons between Windows NT and UNIX using Winbind</TITLE
>Unified Logons between Windows NT and UNIX using Winbind</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
@ -19,8 +19,8 @@ CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
>Unifed Logons between Windows NT and UNIX using Winbind</A
NAME="WINBIND"
>Unified Logons between Windows NT and UNIX using Winbind</A
></H1
><HR></DIV
><DIV
@ -34,12 +34,13 @@ NAME="AEN3"
><P
>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a "holy grail" in heterogeneous
computing environments for a long time. We present <I
computing environments for a long time. We present
<I
CLASS="EMPHASIS"
>winbind
</I
>, a component of the Samba suite of programs as a
solution to the unied logon problem. Winbind uses a UNIX implementation
>winbind</I
>, a component of the Samba suite
of programs as a solution to the unified logon problem. Winbind
uses a UNIX implementation
of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
Service Switch to allow Windows NT domain users to appear and operate
as UNIX users on a UNIX machine. This paper describes the winbind
@ -66,11 +67,11 @@ NAME="AEN7"
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect however, as
adding and deleting users on both sets of machines becomes a chore
and two sets of passwords are required both of which which
and two sets of passwords are required both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</P
><P
>We divide the unifed logon problem for UNIX machines into
>We divide the unified logon problem for UNIX machines into
three smaller problems:</P
><P
></P
@ -97,7 +98,7 @@ NAME="AEN7"
information on the UNIX machines and without creating additional
tasks for the system administrator when maintaining users and
groups on either system. The winbind system provides a simple
and elegant solution to all three components of the unifed logon
and elegant solution to all three components of the unified logon
problem.</P
></DIV
><DIV
@ -119,7 +120,7 @@ NAME="AEN20"
>The end result is that whenever any
program on the UNIX machine asks the operating system to lookup
a user or group name, the query will be resolved by asking the
NT domain controller for the specied domain to do the lookup.
NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library) this
redirection to the NT domain controller is completely
@ -136,11 +137,11 @@ NAME="AEN20"
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</P
><P
>Additionally, Winbind provides a authentication service
>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
to provide authentication via a NT domain to any PAM enabled
applications. This capability solves the problem of synchronizing
passwords between systems as all passwords are stored in a single
passwords between systems since all passwords are stored in a single
location (on the domain controller).</P
><DIV
CLASS="SECT2"
@ -155,9 +156,9 @@ NAME="AEN27"
existing NT based domain infrastructure into which they wish
to put UNIX workstations or servers. Winbind will allow these
organizations to deploy UNIX workstations without having to
maintain a separate account infrastructure. This greatly simplies
the administrative overhead of deploying UNIX workstations into
a NT based organization.</P
maintain a separate account infrastructure. This greatly
simplifies the administrative overhead of deploying UNIX
workstations into a NT based organization.</P
><P
>Another interesting way in which we expect Winbind to
be used is as a central part of UNIX based appliances. Appliances
@ -224,11 +225,11 @@ NAME="AEN40"
>The Name Service Switch, or NSS, is a feature that is
present in many UNIX operating systems. It allows system
information such as hostnames, mail aliases and user information
to be resolved from dierent sources. For example, a standalone
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
flat files stored on the local lesystem. A networked workstation
flat files stored on the local filesystem. A networked workstation
may first attempt to resolve system information from local files,
then consult a NIS database for user information or a DNS server
and then consult a NIS database for user information or a DNS server
for hostname information.</P
><P
>The NSS application programming interface allows winbind
@ -241,11 +242,12 @@ NAME="AEN40"
a NT domain plus any trusted domain as though they were local
users and groups.</P
><P
>The primary control le for NSS is <TT
>The primary control file for NSS is
<TT
CLASS="FILENAME"
>/etc/nsswitch.conf
</TT
>. When a UNIX application makes a request to do a lookup
>/etc/nsswitch.conf</TT
>.
When a UNIX application makes a request to do a lookup
the C library looks in <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
@ -253,7 +255,7 @@ CLASS="FILENAME"
for a line which matches the service type being requested, for
example the "passwd" service type is used when user or group names
are looked up. This config line species which implementations
of that service should be tried andin what order. If the passwd
of that service should be tried and in what order. If the passwd
config line is:</P
><P
><B
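Review bot: the unchanged context line "This config line species which implementations" in this hunk still carries the dropped "fi" ligature ("specifies"), the same defect the hunk fixes on the line right after it ("andin" to "and in"); worth correcting while this paragraph is being touched.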
@ -303,7 +305,7 @@ NAME="AEN56"
>Pluggable Authentication Modules, also known as PAM,
is a system for abstracting authentication and authorization
technologies. With a PAM module it is possible to specify different
authentication methods for dierent system applications without
authentication methods for different system applications without
having to recompile these applications. PAM is also useful
for implementing a particular policy for authorization. For example,
a system administrator may only allow console logins from users
@ -315,10 +317,10 @@ NAME="AEN56"
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
this change take eect directly on the Primary Domain Controller.
this change take effect directly on the Primary Domain Controller.
</P
><P
>PAM is congured by providing control files in the directory
>PAM is configured by providing control files in the directory
<TT
CLASS="FILENAME"
>/etc/pam.d/</TT
@ -335,7 +337,7 @@ CLASS="FILENAME"
is copied to <TT
CLASS="FILENAME"
>/lib/security/</TT
> and the pam
> and the PAM
control files for relevant services are updated to allow
authentication via winbind. See the PAM documentation
for more details.</P
@ -350,11 +352,11 @@ NAME="AEN64"
></H2
><P
>When a user or group is created under Windows NT
is it allocated a numerical relative identier (RID). This is
slightly dierent to UNIX which has a range of numbers which are
is it allocated a numerical relative identifier (RID). This is
slightly different to UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
groups. It is winbind's job to convert RIDs to UNIX id numbers and
vice versa. When winbind is congured it is given part of the UNIX
vice versa. When winbind is configured it is given part of the UNIX
user id space and a part of the UNIX group id space in which to
store Windows NT users and groups. If a Windows NT user is
resolved for the first time, it is allocated the next UNIX id from
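Review bot: the first changed line of this hunk keeps the inverted word order "is it allocated a numerical relative identifier (RID)"; the rewrite fixes "identier" but the sentence should read "it is allocated".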
@ -363,7 +365,7 @@ NAME="AEN64"
to UNIX user ids and group ids.</P
><P
>The results of this mapping are stored persistently in
a ID mapping database held in a tdb database). This ensures that
an ID mapping database held in a tdb database). This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</P
></DIV
><DIV
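Review bot: the changed line "an ID mapping database held in a tdb database)" still has an unmatched closing parenthesis carried over from the old text; either drop the ")" or rephrase along the lines of "an ID mapping database (a tdb file)".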
@ -381,7 +383,7 @@ NAME="AEN68"
by NT domain controllers. User or group information returned
by a PDC is cached by winbind along with a sequence number also
returned by the PDC. This sequence number is incremented by
Windows NT whenever any user or group information is modied. If
Windows NT whenever any user or group information is modified. If
a cached entry has expired, the sequence number is requested from
the PDC and compared against the sequence number of the cached entry.
If the sequence numbers do not match, then the cached information
@ -398,39 +400,702 @@ NAME="AEN71"
>Installation and Configuration</A
></H1
><P
>The easiest way to install winbind is by using the packages
provided in the <TT
CLASS="FILENAME"
>pub/samba/appliance/</TT
>
directory on your nearest
Samba mirror. These packages provide snapshots of the Samba source
code and binaries already setup to provide the full functionality
of winbind. This setup is a little more complex than a normal Samba
build as winbind needs a small amount of functionality from a
development code branch called SAMBA_TNG.</P
>Many thanks to John Trostel <A
HREF="mailto:jtrostel@snapserver.com"
TARGET="_top"
>jtrostel@snapserver.com</A
>
for providing the HOWTO for this section.</P
><P
>Once you have installed the packages you should read
the <B
>This HOWTO describes how to get winbind services up and running
to control access and authenticate users on your Linux box using
the winbind services which come with SAMBA 2.2.2.</P
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN76"
>Introduction</A
></H2
><P
>This HOWTO describes the procedures used to get winbind up and
running on my RedHat 7.1 system. Winbind is capable of providing access
and authentication control for Windows Domain users through an NT
or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
well for SAMBA services.</P
><P
>This HOWTO has been written from a 'RedHat-centric' perspective, so if
you are using another distribution, you may have to modify the instructions
somewhat to fit the way your distribution works.</P
><P
></P
><UL
><LI
><P
> <I
CLASS="EMPHASIS"
>Why should I to this?</I
>
</P
><P
>This allows the SAMBA administrator to rely on the
authentication mechanisms on the NT/Win2K PDC for the authentication
of domain members. NT/Win2K users no longer need to have separate
accounts on the SAMBA server.
</P
></LI
><LI
><P
> <I
CLASS="EMPHASIS"
>Who should be reading this document?</I
>
</P
><P
> This HOWTO is designed for system administrators. If you are
implementing SAMBA on a file server and wish to (fairly easily)
integrate existing NT/Win2K users from your PDC onto the
SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
expert, so you may find a better or easier way to accomplish
these tasks.
</P
></LI
></UL
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN89"
>Requirements</A
></H2
><P
>If you have a samba configuration file that you are currently
using... BACK IT UP! If your system already uses PAM, BACK UP
THE <TT
CLASS="FILENAME"
>/etc/pam.d</TT
> directory contents! If you
haven't already made a boot disk, MAKE ON NOW!</P
><P
>Messing with the pam configuration files can make it nearly impossible
to log in to yourmachine. That's why you want to be able to boot back
into your machine in single user mode and restore your
<TT
CLASS="FILENAME"
>/etc/pam.d</TT
> back to the original state they were in if
you get frustrated with the way things are going. ;-)</P
><P
>The newest version of SAMBA (version 2.2.2), available from
cvs.samba.org, now include a functioning winbindd daemon. Please refer
to the main SAMBA web page or, better yet, your closest SAMBA mirror
site for instructions on downloading the source code.</P
><P
>To allow Domain users the ability to access SAMBA shares and
files, as well as potentially other services provided by your
SAMBA machine, PAM (pluggable authentication modules) must
be setup properly on your machine. In order to compile the
winbind modules, you should have at least the pam libraries resident
on your system. For recent RedHat systems (7.1, for instance), that
means 'pam-0.74-22'. For best results, it is helpful to also
install the development packages in 'pam-devel-0.74-22'.</P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN97"
>Testing Things Out</A
></H2
><P
>Before starting, it is probably best to kill off all the SAMBA
related daemons running on your server. Kill off all <B
CLASS="COMMAND"
>winbindd(8)</B
> man page which will provide you
with conguration information and give you sample conguration files.
You may also wish to update the main Samba daemons smbd and nmbd)
with a more recent development release, such as the recently
announced Samba 2.2 alpha release.</P
>smbd</B
>,
<B
CLASS="COMMAND"
>nmbd</B
>, and <B
CLASS="COMMAND"
>winbindd</B
> processes that may
be running. To use PAM, you will want to make sure that you have the
standard PAM package (for RedHat) which supplies the <TT
CLASS="FILENAME"
>/etc/pam.d</TT
>
directory structure, including the pam modules are used by pam-aware
services, several pam libraries, and the <TT
CLASS="FILENAME"
>/usr/doc</TT
>
and <TT
CLASS="FILENAME"
>/usr/man</TT
> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
the header files needed to compile pam-aware applications. For instance, my RedHat
system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed.</P
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN106"
>Configure and compile SAMBA</A
></H3
><P
>The configuration and compilation of SAMBA is pretty straightforward.
The first three steps maynot be necessary depending upon
whether or not you have previously built the Samba binaries.</P
><P
><PRE
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
>root# </TT
> autoconf
<TT
CLASS="PROMPT"
>root# </TT
> make clean
<TT
CLASS="PROMPT"
>root# </TT
> rm config.cache
<TT
CLASS="PROMPT"
>root# </TT
> ./configure --with-winbind
<TT
CLASS="PROMPT"
>root# </TT
> make
<TT
CLASS="PROMPT"
>root# </TT
> make install</PRE
></P
><P
>This will, by default, install SAMBA in /usr/local/samba. See the
main SAMBA documentation if you want to install SAMBA somewhere else.
It will also build the winbindd executable and libraries. </P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN118"
>Configure nsswitch.conf and the winbind libraries</A
></H3
><P
>The libraries needed to run the winbind daemon through nsswitch
need to be copied to their proper locations, so</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> cp ../samba/source/nsswitch/libnss_winbind.so /lib</P
><P
>I also found it necessary to make the following symbolic link:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</P
><P
>Now, as root you need to edit <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
> to
allow user and group entries to be visible from the <B
CLASS="COMMAND"
>winbindd</B
>
daemon, as well as from your /etc/hosts files and NIS servers. My
<TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
> file look like this after editing:</P
><P
><PRE
CLASS="PROGRAMLISTING"
> passwd: files winbind
shadow: files winbind
group: files winbind</PRE
></P
><P
>
The libraries needed by the winbind daemon will be automatically
entered into the ldconfig cache the next time your system reboots, but it
is faster (and you don't need to reboot) if you do it manually:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> /sbin/ldconfig -v | grep winbind</P
><P
>This makes <TT
CLASS="FILENAME"
>libnss_winbind</TT
> available to winbindd
and echos back a check to you.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN137"
>Configure smb.conf</A
></H3
><P
>Several parameters are needed in the smb.conf file to control
the behavior of <B
CLASS="COMMAND"
>winbindd</B
>. Configure
<TT
CLASS="FILENAME"
>smb.conf</TT
> These are described in more detail in
the <A
HREF="winbindd.8.html"
TARGET="_top"
>winbindd(8)</A
> man page. My
<TT
CLASS="FILENAME"
>smb.conf</TT
> file was modified to
include the following entries in the [global] section:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>[global]
&#60;...&#62;
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
winbind gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template shell = /bin/bash</PRE
></P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN146"
>Join the SAMBA server to the PDC domain</A
></H3
><P
>Enter the following command to make the SAMBA server join the
PDC domain, where <TT
CLASS="REPLACEABLE"
><I
>DOMAIN</I
></TT
> is the name of
your Windows domain and <TT
CLASS="REPLACEABLE"
><I
>Administrator</I
></TT
> is
a domain user who has administrative privileges in the domain.</P
><P
><TT
CLASS="PROMPT"
>root# </TT
>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</P
><P
>The proper response to the command should be: "Joined the domain
<TT
CLASS="REPLACEABLE"
><I
>DOMAIN</I
></TT
>" where <TT
CLASS="REPLACEABLE"
><I
>DOMAIN</I
></TT
>
is your DOMAIN name.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN156"
>Start up the winbindd daemon and test it!</A
></H3
><P
>Eventually, you will want to modify your smb startup script to
automatically invoke the winbindd daemon when the other parts of
SAMBA start, but it is possible to test out just the winbind
portion first. To start up winbind services, enter the following
command as root:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
>/usr/local/samba/bin/winbindd</P
><P
>I'm always paranoid and like to make sure the daemon
is really running...</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> ps -ae | grep winbindd
3025 ? 00:00:00 winbindd</P
><P
>Now... for the real test, try to get some information about the
users on your PDC</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> # /usr/local/samba/bin/wbinfo -u</P
><P
>
This should echo back a list of users on your Windows users on
your PDC. For example, I get the following response:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>CEO+Administrator
CEO+burdell
CEO+Guest
CEO+jt-ad
CEO+krbtgt
CEO+TsInternetUser</PRE
></P
><P
>Obviously, I have named my domain 'CEO' and my winbindd separator is '+'.</P
><P
>You can do the same sort of thing to get group information from
the PDC:</P
><P
><PRE
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
>root# </TT
>/usr/local/samba/bin/wbinfo -g
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
CEO+Domain Computers
CEO+Domain Controllers
CEO+Cert Publishers
CEO+Schema Admins
CEO+Enterprise Admins
CEO+Group Policy Creator Owners</PRE
></P
><P
>The function 'getent' can now be used to get unified
lists of both local and PDC users and groups.
Try the following command:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> getent passwd</P
><P
>You should get a list that looks like your <TT
CLASS="FILENAME"
>/etc/passwd</TT
>
list followed by the domain users with their new uids, gids, home
directories and default shells.</P
><P
>The same thing can be done for groups with the command</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> getent group</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN183"
>Fix the /etc/rc.d/init.d/smb startup files</A
></H3
><P
>The <B
CLASS="COMMAND"
>winbindd</B
> daemon needs to start up after the
<B
CLASS="COMMAND"
>smbd</B
> and <B
CLASS="COMMAND"
>nmbd</B
> daemons are running.
To accomplish this task, you need to modify the <TT
CLASS="FILENAME"
>/etc/init.d/smb</TT
>
script to add commands to invoke this daemon in the proper sequence. My
<TT
CLASS="FILENAME"
>/etc/init.d/smb</TT
> file starts up <B
CLASS="COMMAND"
>smbd</B
>,
<B
CLASS="COMMAND"
>nmbd</B
>, and <B
CLASS="COMMAND"
>winbindd</B
> from the
<TT
CLASS="FILENAME"
>/usr/local/samba/bin</TT
> directory directly. The 'start'
function in the script looks like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>start() {
KIND="SMB"
echo -n $"Starting $KIND services: "
daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
RETVAL=$?
echo
KIND="NMB"
echo -n $"Starting $KIND services: "
daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
RETVAL2=$?
echo
KIND="Winbind"
echo -n $"Starting $KIND services: "
daemon /usr/local/samba/bin/winbindd
RETVAL3=$?
echo
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; touch /var/lock/subsys/smb || \
RETVAL=1
return $RETVAL
}</PRE
></P
><P
>The 'stop' function has a corresponding entry to shut down the
services and look s like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>stop() {
KIND="SMB"
echo -n $"Shutting down $KIND services: "
killproc smbd
RETVAL=$?
echo
KIND="NMB"
echo -n $"Shutting down $KIND services: "
killproc nmbd
RETVAL2=$?
echo
KIND="Winbind"
echo -n $"Shutting down $KIND services: "
killproc winbindd
RETVAL3=$?
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; rm -f /var/lock/subsys/smb
echo ""
return $RETVAL
}</PRE
></P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN200"
>Configure Winbind and PAM</A
></H3
><P
>If you have made it this far, you know that winbindd is working.
Now it is time to integrate it into the operation of samba and other
services. The pam configuration files need to be altered in
this step. (Did you remember to make backups of your original
<TT
CLASS="FILENAME"
>/etc/pam.d</TT
> files? If not, do it now.)</P
><P
>To get samba to allow domain users and groups, I modified the
<TT
CLASS="FILENAME"
>/etc/pam.d/samba</TT
> file from</P
><P
><PRE
CLASS="PROGRAMLISTING"
>auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth</PRE
></P
><P
>to</P
><P
><PRE
CLASS="PROGRAMLISTING"
>auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth</PRE
></P
><P
>The other services that I modified to allow the use of winbind
as an authentication service were the normal login on the console (or a terminal
session), telnet logins, and ftp service. In order to enable these
services, you may first need to change the entries in
<TT
CLASS="FILENAME"
>/etc/xinetd.d</TT
> (or <TT
CLASS="FILENAME"
>/etc/inetd.conf</TT
>).
RedHat 7.1 uses the new xinetd.d structure, in this case you need
to change the lines in <TT
CLASS="FILENAME"
>/etc/xinetd.d/telnet</TT
>
and <TT
CLASS="FILENAME"
>/etc/xinetd.d/wu-ftp</TT
> from </P
><P
><PRE
CLASS="PROGRAMLISTING"
>enable = no</PRE
></P
><P
>to</P
><P
><PRE
CLASS="PROGRAMLISTING"
>enable = yes</PRE
></P
><P
>
For ftp services to work properly, you will also need to either
have individual directories for the domain users already present on
the server, or change the home directory template to a general
directory for all domain users. These can be easily set using
the <TT
CLASS="FILENAME"
>smb.conf</TT
> global entry
<B
CLASS="COMMAND"
>template homedir</B
>.</P
><P
>The <TT
CLASS="FILENAME"
>/etc/pam.d/ftp</TT
> file can be changed
to allow winbind ftp access in a manner similar to the
samba file. My <TT
CLASS="FILENAME"
>/etc/pam.d/ftp</TT
> file was
changed to look like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth</PRE
></P
><P
>The <TT
CLASS="FILENAME"
>/etc/pam.d/login</TT
> file can be changed nearly the
same way. It now looks like this:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so</PRE
></P
><P
>In this case, I added the <B
CLASS="COMMAND"
>auth sufficient /lib/security/pam_winbind.so</B
>
lines as before, but also added the <B
CLASS="COMMAND"
>required pam_securetty.so</B
>
above it, to disallow root logins over the network. I also added a
<B
CLASS="COMMAND"
>sufficient /lib/security/pam_unix.so use_first_pass</B
>
line after the <B
CLASS="COMMAND"
>winbind.so</B
> line to get rid of annoying
double prompts for passwords.</P
><P
>Finally, don't forget to copy the winbind pam modules from
the source directory in which you originally compiled the new
SAMBA up to the /lib/security directory so that pam can use it:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> cp ../samba/source/nsswitch/pam_winbind.so /lib/security</P
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN77"
NAME="AEN241"
>Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
released version which we hope to overcome in future
released version that we hope to overcome in future
releases:</P
><P
></P
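Review bot: the PAM stacks added in the "Configure Winbind and PAM" subsection let a winbind-authenticated user skip checks that sit below the winbind line. In /etc/pam.d/ftp, `auth sufficient /lib/security/pam_winbind.so` comes first, so a domain user who authenticates through winbind returns success before `pam_listfile.so item=user sense=deny file=/etc/ftpusers` and `pam_shells.so` are consulted; the deny list and shell check should be placed above the winbind line. The same ordering problem is in /etc/pam.d/login, where `auth required /lib/security/pam_nologin.so` follows the sufficient winbind line, so /etc/nologin never applies to domain accounts; move pam_nologin above it (pam_securetty is fine where it is, since a failed required module is remembered when a later sufficient module succeeds). In /etc/pam.d/samba both pam_winbind and pam_stack are `required`, which means a domain user with no local password entry must also satisfy system-auth; if that is intended it should be explained, otherwise `sufficient` as in the ftp and login files is the consistent choice. On step ordering: the final `cp ../samba/source/nsswitch/pam_winbind.so /lib/security` comes after the pam.d files have been edited to reference /lib/security/pam_winbind.so, and given the Requirements warning that a broken pam.d can lock you out of the box, the copy belongs before the pam.d edits. In the nsswitch.conf listing, `shadow: files winbind` names a map that libnss_winbind does not serve as far as I can see (the winbindd(8) example in this same commit lists only passwd and group); drop the line unless the module really provides shadow entries. Smaller points in the added text: "MAKE ON NOW" (MAKE ONE NOW), "yourmachine", "telnet a nd ftp", "Why should I to this?", "maynot", "look s like", "a list of users on your Windows users on your PDC", and the stray second "#" after the prompt on the `wbinfo -u` command line.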
@ -459,13 +1124,6 @@ NAME="AEN77"
into account possible workstation and logon time restrictions
that may be been set for Windows NT users.</P
></LI
><LI
><P
>Building winbind from source is currently
quite tedious as it requires combining source code from two Samba
branches. Work is underway to solve this by providing all
the necessary functionality in the main Samba code branch.</P
></LI
></UL
></DIV
><DIV
@ -473,7 +1131,7 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN89"
NAME="AEN251"
>Conclusion</A
></H1
><P

View File

@ -36,23 +36,22 @@ NAME="AEN8"
><P
><B
CLASS="COMMAND"
>nmblookup</B
> [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B &#60;broadcast address&#62;] [-U &#60;unicast address&#62;] [-d &#60;debug level&#62;] [-s &#60;smb config file&#62;] [-i &#60;NetBIOS scope&#62;] [-T] {name}</P
>winbindd</B
> [-i] [-d &#60;debug level&#62;] [-s &#60;smb config file&#62;]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN24"
NAME="AEN14"
></A
><H2
>DESCRIPTION</H2
><P
>This tool is part of the <A
>This program is part of the <A
HREF="samba.7.html"
TARGET="_top"
> Samba</A
> suite version 3.0 and describes functionality not
yet implemented in the main version of Samba.</P
> suite.</P
><P
><B
CLASS="COMMAND"
@ -70,7 +69,10 @@ CLASS="FILENAME"
of user and group ids specified by the administrator of the
Samba system.</P
><P
>The service provided by winbindd is called `winbind' and
>The service provided by <B
CLASS="COMMAND"
>winbindd</B
> is called `winbind' and
can be used to resolve user and group information from a
Windows NT server. The service can also provide authentication
services via an associated PAM module. </P
@ -147,7 +149,7 @@ group: files winbind
><DIV
CLASS="REFSECT1"
><A
NAME="AEN52"
NAME="AEN43"
></A
><H2
>OPTIONS</H2
@ -186,7 +188,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN65"
NAME="AEN56"
></A
><H2
>NAME AND ID RESOLUTION</H2
@ -217,7 +219,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN71"
NAME="AEN62"
></A
><H2
>CONFIGURATION</H2
@ -252,7 +254,7 @@ CLASS="COMMAND"
DOMAIN\username. In some cases this separator character may
cause problems as the '\' character has special meaning in
unix shells. In that case you can use the winbind separator
option to specify an alternative sepataror character. Good
option to specify an alternative separator character. Good
alternatives may be '/' (although that conflicts
with the unix directory separator) or a '+ 'character.
The '+' character appears to be the best choice for 100%
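Review bot: the context line "or a '+ 'character" has the closing quote on the wrong side of the space and should read "a '+' character"; an easy fix while the preceding line is being corrected.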
@ -276,7 +278,7 @@ CLASS="COMMAND"
><P
>The winbind uid parameter specifies the
range of user ids that are allocated by the winbindd daemon.
This range of ids should have no existing local or nis users
This range of ids should have no existing local or NIS users
within it as strange conflicts can occur otherwise. </P
><P
>Default: <B
@ -296,7 +298,7 @@ CLASS="COMMAND"
><P
>The winbind gid parameter specifies the
range of group ids that are allocated by the winbindd daemon.
This range of group ids should have no existing local or nis
This range of group ids should have no existing local or NIS
groups within it as strange conflicts can occur otherwise.</P
><P
>Default: <B
@ -319,7 +321,7 @@ CLASS="COMMAND"
seconds the winbindd daemon will cache user and group information
before querying a Windows NT server again. When a item in the
cache is older than this time winbindd will ask the domain
controller for the sequence number of the servers account database.
controller for the sequence number of the server's account database.
If the sequence number has not changed then the cached item is
marked as valid for a further <TT
CLASS="PARAMETER"
@ -375,7 +377,10 @@ CLASS="COMMAND"
><EM
>Warning:</EM
> Turning off user enumeration
may cause some programs to behave oddly. For example, the finger
may cause some programs to behave oddly. For example, the <B
CLASS="COMMAND"
>finger</B
>
program relies on having access to the full user list when
searching for matching usernames. </P
><P
@ -479,7 +484,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN152"
NAME="AEN144"
></A
><H2
>EXAMPLE SETUP</H2
@ -563,12 +568,13 @@ CLASS="COMMAND"
>The next step is to join the domain. To do that use the
<B
CLASS="COMMAND"
>samedit</B
>smbpasswd</B
> program like this: </P
><P
><B
CLASS="COMMAND"
>samedit -S '*' -W DOMAIN -UAdministrator</B
>smbpasswd -j DOMAIN -r PDC -U
Administrator</B
></P
><P
>The username after the <TT
@ -576,20 +582,10 @@ CLASS="PARAMETER"
><I
>-U</I
></TT
> can be any Domain
user that has administrator priviliges on the machine. Next from
within <B
CLASS="COMMAND"
>samedit</B
>, run the command: </P
><P
><B
CLASS="COMMAND"
>createuser MACHINE$ -j DOMAIN -L</B
></P
><P
>This assumes your domain is called "DOMAIN" and your Samba
workstation is called "MACHINE". </P
> can be any
Domain user that has administrator privileges on the machine.
Substitute your domain name for "DOMAIN" and the name of your PDC
for "PDC".</P
><P
>Next copy <TT
CLASS="FILENAME"
@ -620,7 +616,10 @@ CLASS="FILENAME"
>/lib/libnss_winbind.so.1</TT
>.</P
><P
>Finally, setup a smb.conf containing directives like the
>Finally, setup a <TT
CLASS="FILENAME"
>smb.conf</TT
> containing directives like the
following: </P
><P
><TABLE
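Review bot: the context line `/lib/libnss_winbind.so.1` in this hunk disagrees with the HOWTO added in this same commit, which creates the symlink with `ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2`; the two documents should name the same soname, or say which glibc generation needs which suffix.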
@ -663,10 +662,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN194"
NAME="AEN183"
></A
><H2
>Notes</H2
>NOTES</H2
><P
>The following notes are useful when configuring and
running <B
@ -697,10 +696,8 @@ CLASS="COMMAND"
>winbindd</B
>
nsswitch module read an environment variable named <TT
CLASS="PARAMETER"
><I
> $WINBINDD_DOMAIN</I
></TT
CLASS="ENVAR"
> $WINBINDD_DOMAIN</TT
>. If this variable contains a comma separated
list of Windows NT domain names, then winbindd will only resolve users
and groups within those Windows NT domains. </P
@ -723,10 +720,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN210"
NAME="AEN199"
></A
><H2
>Signals</H2
>SIGNALS</H2
><P
>The following signals can be used to manipulate the
<B
@ -774,10 +771,10 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN227"
NAME="AEN216"
></A
><H2
>Files</H2
>FILES</H2
><P
></P
><DIV
@ -826,9 +823,11 @@ CLASS="FILENAME"
>Storage for the Windows NT rid to UNIX user/group
id mapping. The lock directory is specified when Samba is initially
compiled using the <TT
CLASS="FILENAME"
>--with-lockdir</TT
> option.
CLASS="PARAMETER"
><I
>--with-lockdir</I
></TT
> option.
This directory is by default <TT
CLASS="FILENAME"
>/usr/local/samba/var/locks
@ -848,19 +847,18 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN256"
NAME="AEN245"
></A
><H2
>VERSION</H2
><P
>This man page is correct for version 2.2 of
the Samba suite. winbindd is however not available in
stable release of Samba as of yet.</P
>This man page is correct for version 2.2 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN259"
NAME="AEN248"
></A
><H2
>SEE ALSO</H2
@ -888,7 +886,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN266"
NAME="AEN255"
></A
><H2
>AUTHOR</H2