sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Code

Applied Vance Lankhaar's spelling fixes.

Browse Source
This commit is contained in:
John Terpstra 0001-01-01 00:00:00 +00:00
parent fa66e2e1e1
commit 7eea35ba9f
36 changed files with 507 additions and 450 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
docs/docbook/projdoc/AccessControls.xml
View File

@ -9,7 +9,7 @@
<para>
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
resources shared via Samba do not behave in the manner they might expect. MS Windows network
adminstrators are often confused regarding network access controls and what is the best way to
administrators are often confused regarding network access controls and what is the best way to
provide users with the type of access they need while protecting resources from the consequences
of untoward access capabilities.
</para>
@ -45,7 +45,7 @@ This is an opportune point to mention that it should be borne in mind that Samba
provide a means of interoperability and interchange of data between two operating environments
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
What is available today extends well beyond early plans and expections, yet the gap continues to
What is available today extends well beyond early plans and expectations, yet the gap continues to
shrink.
</para>
@ -110,7 +110,7 @@ shrink.
operating system supports them. If not, then this option will not be
available to you. Current Unix technology platforms have native support
for POSIX ACLs. There are patches for the Linux kernel that provide
this also. Sadly, few Linux paltforms ship today with native ACLs and
this also. Sadly, few Linux platforms ship today with native ACLs and
Extended Attributes enabled. This chapter has pertinent information
for users of platforms that support them.
</para>
@ -142,7 +142,7 @@ at how Samba helps to bridge the differences.
<para>
It is good news that Samba does this to a very large extent and on top of that provides a high degree
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
but for the greater part we will stay withing the bounds of default behaviour. Those wishing to explore
but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
to depths of control ability should review the &smb.conf; man page.
</para>
@ -239,7 +239,7 @@ at how Samba helps to bridge the differences.
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
one physical file to be known simulataneously by more than one file name.
one physical file to be known simultaneously by more than one file name.
</para>
</listitem>
</varlistentry>
@ -287,7 +287,7 @@ at how Samba helps to bridge the differences.
</para>
<para>
Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set.
Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
A Unix file listing looks as follows:-
<screen>
@ -357,11 +357,11 @@ at how Samba helps to bridge the differences.
</para>
<para>
Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</para>
<para>
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</para>
@ -506,7 +506,7 @@ Before using any of the following options please refer to the man page for &smb.
The following file and directory permission based controls, if misused, can result in considerable difficulty to
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
re-instroduce them in a controlled fashion.
re-introduce them in a controlled fashion.
</para>
<table frame='all'><title>File and Directory Permission Based Controls</title>
@ -563,13 +563,13 @@ Before using any of the following options please refer to the man page for &smb.
<row>
<entry>hide unreadable</entry>
<entry><para>
Prevents clients from seeing the existance of files that cannot be read.
Prevents clients from seeing the existence of files that cannot be read.
</para></entry>
</row>
<row>
<entry>hide unwriteable files</entry>
<entry><para>
Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual.
Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
</para></entry>
</row>
<row>
@ -677,7 +677,7 @@ Before using any of the following options please refer to the man page for &smb.
<para>
This section deals with how to configure Samba per share access control restrictions.
By default samba sets no restrictions on the share itself. Restrictions on the share itself
By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <constant>Everyone</constant> Full Control (ie: Full control, Change and Read).
@ -693,8 +693,8 @@ Before using any of the following options please refer to the man page for &smb.
<para>
Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>.
The location of this file on your system will depend on how samba was compiled. The default location
for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
utility has been compiled and installed on your system then you can examine the contents of this file
for Samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
utility has been compiled and installed on your system, then you can examine the contents of this file
by: <userinput>tdbdump share_info.tdb</userinput>.
</para>
@ -702,7 +702,7 @@ Before using any of the following options please refer to the man page for &smb.
<title>Share Permissions Management</title>
<para>
The best tool for the task is platform dependant. Choose the best tool for your environmemt.
The best tool for the task is platform dependant. Choose the best tool for your environment.
</para>
<sect3>
@ -750,7 +750,7 @@ Before using any of the following options please refer to the man page for &smb.
After launching the MMC with the Computer Management snap-in, click on the menu item <guimenuitem>Action</guimenuitem>,
select <guilabel>Connect to another computer</guilabel>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilidge this step is not offered.
If you where already logged in with administrative privilege this step is not offered.
</para></step>
<step><para>
@ -902,9 +902,9 @@ Before using any of the following options please refer to the man page for &smb.
<sect3>
<title>File Permissions</title>
<para>The standard UNIX user/group/world triple and
<para>The standard UNIX user/group/world triplet and
the corresponding "read", "write", "execute" permissions
triples are mapped by Samba into a three element NT ACL
triplets are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <constant>Everyone</constant>, followed
@ -976,14 +976,14 @@ Before using any of the following options please refer to the man page for &smb.
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</para>
<para>If a permission triple (either user, group, or world)
<para>If a permission triplet (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <guibutton>OK</guibutton> button is pressed it will
be applied as "no permissions" on the UNIX side. If you then
view the permissions again the "no permissions" entry will appear
as the NT <command>"O"</command> flag, as described above. This
allows you to add permissions back to a file or directory once
you have removed them from a triple component.</para>
you have removed them from a triplet component.</para>
<para>As UNIX supports only the "r", "w" and "x" bits of
an NT ACL then if other NT security attributes such as "Delete
@ -1024,7 +1024,7 @@ Before using any of the following options please refer to the man page for &smb.
<para>Once a user clicks <guibutton>OK</guibutton> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triple set, and then will check the changed permissions for a
r/w/x triplet set, and then will check the changed permissions for a
file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK">
<parameter>security mask</parameter></ulink> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
@ -1135,7 +1135,7 @@ are examples taken from the mailing list in recent times.
<para>
<quote>
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
and theres a public share, on which everyone needs to have permission to create / modify files, but only
and there's a public share, on which everyone needs to have permission to create / modify files, but only
root can change the file, no one else can. We need to constantly go to server to
<userinput>chgrp -R users *</userinput> and <userinput>chown -R nobody *</userinput> to allow others users to change the file.
</quote>
@ -1229,7 +1229,7 @@ are examples taken from the mailing list in recent times.
Now in your &smb.conf; for the share add:
<programlisting>
force create mode = 0775
force direcrtory mode = 6775
force directory mode = 6775
</programlisting>
</para>
@ -1252,10 +1252,10 @@ are examples taken from the mailing list in recent times.
<sect2>
<title>I have set force user and samba still makes <emphasis>root</emphasis> the owner of all the files
<title>I have set force user and Samba still makes <emphasis>root</emphasis> the owner of all the files
I touch!</title>
<para>
When you have a user in 'admin users', samba will always do file operations for
When you have a user in 'admin users', Samba will always do file operations for
this user as <emphasis>root</emphasis>, even if <parameter>force user</parameter> has been set.
</para>
</sect2>

16
docs/docbook/projdoc/AdvancedNetworkAdmin.xml
View File

@ -4,7 +4,7 @@
<pubdate>April 3 2003</pubdate>
</chapterinfo>
<title>Advanced Network Manangement</title>
<title>Advanced Network Management</title>
<para>
This section documents peripheral issues that are of great importance to network
@ -88,12 +88,12 @@ is the best tool in your network environment.
<para>
<screen>
&gt; I have a wounderfull linux/samba server running as pdc for a network.
&gt; Now I would like to add remote desktop capabilites so that
&gt; I have a wonderful linux/samba server running as PDC for a network.
&gt; Now I would like to add remote desktop capabilities so that
&gt; users outside could login to the system and get their desktop up from
&gt; home or another country..
&gt;
&gt; Is there a way to acomplish this? Do I need a windows terminal server?
&gt; Is there a way to accomplish this? Do I need a windows terminal server?
&gt; Do I need to configure it so that it is a member of the domain or a
&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
&gt; even if the computer is in a domain?
@ -120,7 +120,7 @@ is the best tool in your network environment.
</para>
<para>
I could testdrive their (public) RedHat machine in Italy, over a loaded
I could test drive their (public) RedHat machine in Italy, over a loaded
internet connection, with enabled thumbnail previews in KDE konqueror
which popped up immediately on "mouse-over". From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
@ -143,7 +143,7 @@ is the best tool in your network environment.
</para>
<para>
I recommend to testdrive NX to anybody with a only a remote interest
I recommend to test drive NX to anybody with a only a remote interest
in remote computing
<ulink url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
</para>
@ -168,7 +168,7 @@ is the best tool in your network environment.
<para>
Now the best thing at the end: all the core compression and caching
technologies are released under the GPL and available as source code
to anybody who wants to build on it! These technolgies are working,
to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running....)
</para>
@ -227,7 +227,7 @@ There are several opportunities for creating a custom network startup configurat
<simplelist>
<member>No Logon Script</member>
<member>Simple universal Logon Script that applies to all users</member>
<member>Use of a conditional Logon Script that applies per user or per group attirbutes</member>
<member>Use of a conditional Logon Script that applies per user or per group attributes</member>
<member>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</member>
<member>User of a tool such as KixStart</member>

4
docs/docbook/projdoc/Bugs.xml
View File

@ -75,7 +75,7 @@ time, and exactly what the results were.
If the bug has anything to do with Samba behaving incorrectly as a
server (like refusing to open a file) then the log files will probably
be very useful. Depending on the problem a log level of between 3 and
10 showing the problem may be appropriate. A higher level givesmore
10 showing the problem may be appropriate. A higher level gives more
detail, but may use too much disk space.
</para>
@ -166,7 +166,7 @@ If you know any assembly language then do a
where the problem occurred (if its in a library routine then
disassemble the routine that called it) and try to work out exactly
where the problem is by looking at the surrounding code. Even if you
don't know assembly then incuding this info in the bug report can be
don't know assembly, including this info in the bug report can be
useful.
</para>
</sect1>

60
docs/docbook/projdoc/CUPS-printing.xml
View File

@ -169,7 +169,7 @@
<para>
To summarize, here is the simplest printing-related setup
for<filename>smb.conf</filename> to enable basic CUPS support:
for <filename>smb.conf</filename> to enable basic CUPS support:
</para>
<para><screen>
@ -215,7 +215,7 @@ CUPS</title>
<para>
Here is a slightly more complex printing-related setup
for<filename>smb.conf</filename>. It enables general CUPS printing
for <filename>smb.conf</filename>. It enables general CUPS printing
support for all printers, but defines one printer share which is set
up differently.
</para>
@ -257,7 +257,7 @@ up differently.
<para>
This special share is only there for my testing purposes. It doesn't
even write the printjob to a file. It just logs the job parameters
even write the print job to a file. It just logs the job parameters
known to Samba into the <filename>/tmp/smbprn.log</filename> file and
deletes the jobfile. Moreover, the <parameter>printer
admin</parameter> of this share is "kurt" (not the "@ntadmins" group);
@ -309,7 +309,7 @@ Most traditionally configured Unix print servers acting on behalf of
Samba's Windows clients represented a really simple setup. Their only
task was to manage the "raw" spooling of all jobs handed to them by
Samba. This approach meant that the Windows clients were expected to
prepare the printjob file in such a way that it became fit to be fed to
prepare the print job file in such a way that it became fit to be fed to
the printing device. Here a native (vendor-supplied) Windows printer
driver for the target device needed to be installed on each and every
client.
@ -539,8 +539,8 @@ You can't expect for most file formats to just throw them towards
printers and they get printed. There needs to be a file format
conversion in between. The problem is: there is no common standard for
print file formats across all manufacturers and printer types. While
<emphasis>PostScript</emphasis> (trademark held by Adobe), and to an
extend<emphasis>PCL</emphasis> (trademark held by HP), have developed
<emphasis>PostScript</emphasis> (trademark held by Adobe), and, to an
extent, <emphasis>PCL</emphasis> (trademark held by HP), have developed
into semi-official "standards", by being the most widely used PDLs
(<emphasis>Page Description Languages</emphasis>), there are still
many manufacturers who "roll their own" (their reasons may be
@ -688,7 +688,7 @@ on the host, before you can send it away.
<title>Ghostscript -- the Software RIP for non-PostScript Printers</title>
<para>
Here is where<emphasis>Ghostscript</emphasis> kicks in. Ghostscript is
Here is where <emphasis>Ghostscript</emphasis> kicks in. Ghostscript is
the traditional (and quite powerful) PostScript interpreter used on
Unix platforms. It is a RIP in software, capable to do a
<emphasis>lot</emphasis> of file format conversions, for a very broad
@ -1244,7 +1244,7 @@ filtering:
</sect2>
<sect2>
<title>rasterto [printerspecific]</title>
<title>rasterto [printers specific]</title>
<para>
CUPS ships with quite some different raster drivers processing CUPS
@ -1378,8 +1378,8 @@ PDF (through a "pdfgen:/" backend) or dump them to "/dev/null" (In
fact I have the system-wide default printer set up to be connected to
a "devnull:/" backend: there are just too many people sending jobs
without specifying a printer, or scripts and programs which don't name
a printer. The system-wided default deletes the job and sends a polite
mail back to the $USER asking him to alsways specify a correct
a printer. The system-wide default deletes the job and sends a polite
mail back to the $USER asking him to always specify a correct
printername).
</para>
@ -1428,7 +1428,7 @@ You can recognize these PPDs from the line calling the
This line you may find amongst the first 40 or so lines of the PPD
file. If you have such a PPD installed, the printer shows up in the
CUPS web interface with a <emphasis>foomatic</emphasis> namepart for
the driver description. cupsomatic is a Perlscript that runs
the driver description. cupsomatic is a Perl script that runs
Ghostscript, with all the complicated commandline options
auto-constructed from the selected PPD and commandline options give to
the printjob.
@ -1616,7 +1616,7 @@ does not by default allow one to send deliberate (possibly binary)
data to printing devices. (This could be easily abused to launch a
Denial of Service attack on your printer(s), causing at least the loss
of a lot of paper and ink...) "Unknown" data are regarded by CUPS
as<emphasis>MIME type</emphasis>
as <emphasis>MIME type</emphasis>
<emphasis>application/octet-stream</emphasis>. While you
<emphasis>can</emphasis> send data "raw", the MIME type for these must
be one that is known to CUPS and an allowed one. The file
@ -1730,7 +1730,7 @@ specific model supports):
</varlistentry>
<varlistentry><term>laserjet.ppd</term>
<listitem><para>all PCL printersFurther below is a discussion
<listitem><para>all PCL printers. Further below is a discussion
of several other driver/PPD-packages suitable fur use with CUPS.
</para></listitem>
</varlistentry>
@ -1783,7 +1783,7 @@ supported. It has now been replaced by
<emphasis>foomatic-rip</emphasis>. foomatic-rip is a complete re-write
of the old cupsomatic idea, but very much improved and generalized to
other (non-CUPS) spoolers. An upgrade to foomatic-rip is strongly
adviced, especially if you are upgrading to a recent version of CUPS
advised, especially if you are upgrading to a recent version of CUPS
too.
</para>
@ -1806,7 +1806,7 @@ which works best for you.
<para>
cupsomatic "kidnaps" the printfile after the
<emphasis>application/vnd.cups-postscript</emphasis> stage and
deviates it through the CUPS-external, systemwide Ghostscript
deviates it through the CUPS-external, system wide Ghostscript
installation: Therefore the printfile bypasses the "pstoraster" filter
(and thus also bypasses the CUPS-raster-drivers
"rastertosomething"). After Ghostscript finished its rasterization,
@ -1947,7 +1947,7 @@ quality;</para></listitem>
url="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/">OMNI
(http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</ulink>
(LPGL, Free) is a package made by IBM, now containing support for more
than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow
than 400 printers, stemming from the inheritance of IBM OS/2 Know-How
ported over to Linux (CUPS support is in a Beta-stage at
present);</para></listitem>
@ -2169,7 +2169,7 @@ simply use <parameter>printing = sysv</parameter>).
<title>Samba receiving Jobfiles and passing them to CUPS</title>
<para>
Samba<emphasis>must</emphasis> use its own spool directory (it is set
Samba <emphasis>must</emphasis> use its own spool directory (it is set
by a line similar to <parameter>path = /var/spool/samba</parameter>,
in the <parameter>[printers]</parameter> or
<parameter>[printername]</parameter> section of
@ -2403,7 +2403,7 @@ named in its man page.
<para>
The CUPS printer driver is available from the CUPS download site. Its
package name is <filename>cups-samba-[version].tar.gz</filename> . It
is prefered over the Adobe drivers since it has a number of
is preferred over the Adobe drivers since it has a number of
advantages:
</para>
@ -2761,7 +2761,7 @@ receiving the exact number of pages; instead the dummy page number
of "1" is logged in a standard setup)</para></listitem>
<listitem><para>the Adobe driver has more options to "mis-configure" the
PostScript generated by it (like setting it inadvertedly to
PostScript generated by it (like setting it inadvertently to
<emphasis>Optimize for Speed</emphasis>, instead of
<emphasis>Optimize for Portability</emphasis>, which
could lead to CUPS being unable to process it)</para></listitem>
@ -2835,7 +2835,7 @@ Here is an example of a successfully run cupsaddsmb command.
</screen></para>
<para>
To share<emphasis>all</emphasis> printers and drivers, use the
To share <emphasis>all</emphasis> printers and drivers, use the
<parameter>-a</parameter> parameter instead of a printer name. Since
cupsaddsmb "exports" the printer drivers to Samba, it should be
obvious that it only works for queues with a CUPS driver associated.
@ -2925,7 +2925,7 @@ unencrypted!
Running command: rpcclient localhost -N -U'root%secret' \
-c 'setdriver infotec_2105 infotec_2105'
cmd = setdriver infotec_2105 infotec_2105
Succesfully set infotec_2105 to driver infotec_2105.
Successfully set infotec_2105 to driver infotec_2105.
</screen></para>
@ -3004,7 +3004,7 @@ architecture...)</para></listitem>
installed.</emphasis> # (for the WIN40 == Win9x/ME
architecture...)</para></listitem>
<listitem><para><emphasis>Succesfully set [printerXPZ] to driver
<listitem><para><emphasis>Successfully set [printerXPZ] to driver
[printerXYZ].</emphasis></para></listitem>
</orderedlist>
@ -3144,7 +3144,7 @@ driver settings produce. Treat it well:
<itemizedlist>
<listitem><para>Avoid the <emphasis>PostScript Output Option: Optimize
for Speed</emphasis> settting. Rather use the <emphasis>Optimize for
for Speed</emphasis> setting. Rather use the <emphasis>Optimize for
Portability</emphasis> instead (Adobe PostScript
driver).</para></listitem>
@ -3166,7 +3166,7 @@ get a printout at all) (Adobe)</para></listitem>
<listitem><para>Sometimes you can choose <emphasis>PostScript Language
Level</emphasis>: in case of problems try <emphasis>2</emphasis>
instead of <emphasis>3</emphasis> (the latest ESP Ghostscript package
handels Level 3 PostScript very well) (Adobe).</para></listitem>
handles Level 3 PostScript very well) (Adobe).</para></listitem>
<listitem><para>Say <emphasis>Yes</emphasis> to <emphasis>PostScript
Error Handler</emphasis> (Adobe)</para></listitem>
@ -3208,7 +3208,7 @@ sub-commands. <command>enumprinters</command>,
the most interesting ones. rpcclient implements an important part of
the MS-RPC protocol. You can use it to query (and command) a Win NT
(or 2K/XP) PC too. MS-RPC is used by Windows clients, amongst other
things, to benefit from the "Point'n' Print" features. Samba can now
things, to benefit from the "Point'n'Print" features. Samba can now
mimic this too.
</para>
@ -3376,7 +3376,7 @@ PostScript driver): therefore the field will get a "NULL" entry.
<para>
From the manpage (and from the quoted output
of<emphasis>cupsaddsmb</emphasis>, above) it becomes clear that you
of <emphasis>cupsaddsmb</emphasis>, above) it becomes clear that you
need to have certain conditions in order to make the manual uploading
and initializing of the driver files succeed. The two rpcclient
subcommands (<command>adddriver</command> and
@ -3750,7 +3750,7 @@ back.
</sect3>
<sect3>
<title>Twelveth Step: Install the Printer on a Client
<title>Twelfth Step: Install the Printer on a Client
("Point'n'Print")</title>
<para><screen>
@ -3960,7 +3960,7 @@ with no argument, it prints a little usage message:
Version:3.0a
-h this help message
-s suffix set the backup suffix
-v veryify mode (restore if corrupt)
-v verify mode (restore if corrupt)
</screen></para>
@ -4044,7 +4044,7 @@ to create their printing related software (which, BTW, works on all
UNIXes and on Mac OS X or Darwin too). It is not known as well as it
should be, that it also has a very end-user friendly interface which
allows for an easy update of drivers and PPDs, for all supported
models, all spoolers, all operatings systems and all package formats
models, all spoolers, all operating systems and all package formats
(because there is none). Its history goes back a few years.
</para>
@ -4073,7 +4073,7 @@ automatically supported supported by CUPS to perfection, by using
their own manufacturer-provided Windows-PPD...), and that a
multifunctional device never qualifies as working "perfectly" if it
doesn't also scan and copy and fax under GNU/Linux: then this is a
truely astonishing achievement. Three years ago the number was not
truly astonishing achievement. Three years ago the number was not
more than 500, and Linux or UNIX "printing" at the time wasn't
anywhere near the quality it is today!
</para>

6
docs/docbook/projdoc/Compiling.xml
View File

@ -139,7 +139,7 @@ on this system just substitute the correct package name
<option>-r</option> and defining a tag name. A list of branch tag names
can be found on the "Development" page of the samba web site. A common
request is to obtain the latest 3.0 release code. This could be done by
using the following userinput.
using the following command:
</para>
<para>
@ -283,7 +283,7 @@ example of what you would not want to see would be:
<listitem><para>the MIT kerberos development libraries
(either install from the sources or use a package). The
heimdal libraries will not work.</para></listitem>
Heimdal libraries will not work.</para></listitem>
<listitem><para>the OpenLDAP development libraries.</para></listitem>
@ -345,7 +345,7 @@ example of what you would not want to see would be:
<title>Starting the &smbd; and &nmbd;</title>
<para>You must choose to start &smbd; and &nmbd; either
as daemons or from <application>inetd</application>Don't try
as daemons or from <application>inetd</application>. Don't try
to do both! Either you can put them in <filename>
inetd.conf</filename> and have them started on demand
by <application>inetd</application>, or you can start them as

57
docs/docbook/projdoc/DOMAIN_MEMBER.xml
View File

@ -59,7 +59,7 @@ Domain membership has many advantages:
<listitem><para>
Domain user access rights and file ownership / access controls can be set
from the single Domain SAM (Security Accounts Management) database
from the single Domain SAM (Security Account Manager) database
(works with Domain member servers as well as with MS Windows workstations
that are domain members)
</para></listitem>
@ -76,7 +76,7 @@ Domain membership has many advantages:
</para></listitem>
<listitem><para>
Through the use of logon scripts users can be given transparent access to network
Through the use of logon scripts, users can be given transparent access to network
applications that run off application servers
</para></listitem>
@ -236,7 +236,7 @@ as shown here:
<para>
<screen>
&rootprompt;<userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
</screen>>
</screen>
</para>
<para>
@ -412,19 +412,19 @@ with the version of Windows:
<sect3>
<title>Samba</title>
<para>Joining a samba client to a domain is documented in
the <link linkend="domain-member">Domain Member</link> chapter.
<para>Joining a Samba client to a domain is documented in
the <link linkend="domain-member-server">Domain Member Server</link> section of this chapter chapter.
</para>
</sect3>
</sect2>
</sect1>
<sect1>
<sect1 id="domain-member-server">
<title>Domain Member Server</title>
<para>
This mode of server operation involves the samba machine being made a member
This mode of server operation involves the Samba machine being made a member
of a domain security context. This means by definition that all user
authentication will be done from a centrally defined authentication regime.
The authentication regime may come from an NT3/4 style (old domain technology)
@ -445,7 +445,7 @@ Server, etc.
Please refer to the <link linkend="samba-pdc">Domain Control chapter</link>
for more information regarding how to create a domain
machine account for a domain member server as well as for information
regarding how to enable the samba domain member machine to join the domain and
regarding how to enable the Samba domain member machine to join the domain and
to be fully trusted by it.
</para>
@ -537,7 +537,7 @@ password server = *
</para>
<para>
This method, allows Samba to use exactly the same mechanism that NT does. This
This method allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.
</para>
@ -560,7 +560,8 @@ the domain name will be obtained from &smb.conf;.
<para>
As we are joining the domain DOM and the PDC for that domain
(the only machine that has write access to the domain SAM database)
is DOMPDC. The <replaceable>Administrator%password</replaceable> is
is DOMPDC, we use it for the <option>-S</option> option.
The <replaceable>Administrator%password</replaceable> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:
@ -585,7 +586,7 @@ trust account on the PDC beforehand.
This command goes through the machine account password
change protocol, then writes the new (random) machine account
password for this Samba server into a file in the same directory
in which an smbpasswd file would be stored - normally :
in which an smbpasswd file would be stored - normally:
</para>
<para>
@ -622,8 +623,8 @@ NT server in the same way as a Windows 95 or Windows 98 server would.
</para>
<para>
Please refer to the <ulink url="winbind.html">Winbind
paper</ulink> for information on a system to automatically
Please refer to the <link linkend="winbind">Winbind</link> chapter
for information on a system to automatically
assign UNIX uids and gids to Windows NT Domain users and groups.
</para>
@ -672,8 +673,8 @@ the NIS/NT Samba</ulink>.
<title>Samba ADS Domain Membership</title>
<para>
This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC.
This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a
Windows2000 KDC. A familiarity with Kerberos is assumed.
</para>
<sect2>
@ -729,7 +730,7 @@ making sure that your password is accepted by the Win2000 KDC.
<note><para>
The realm must be uppercase or you will get <errorname>Cannot find KDC for
requested realm while getting initial credentials</errorname> error
requested realm while getting initial credentials</errorname> error.
</para></note>
<note><para>
@ -741,24 +742,24 @@ if the time difference is more than five minutes.
<para>
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the netbios name
must either be the NetBIOS name of the KDC (ie. the hostname with no
domain attached) or it can alternatively be the NetBIOS name
followed by the realm.
</para>
<para>
The easiest way to ensure you get this right is to add a
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to
its netbios name. If you don't get this right then you will get a
its NetBIOS name. If you don't get this right then you will get a
<errorname>local error</errorname> when you try to join the realm.
</para>
<para>
If all you want is kerberos support in &smbclient; then you can skip
If all you want is Kerberos support in &smbclient; then you can skip
straight to <link linkend="ads-test-smbclient">Test with &smbclient;</link> now.
<link linkend="ads-create-machine-account">Creating a computer account</link>
and <link linkend="ads-test-server">testing your servers</link>
is only needed if you want kerberos support for &smbd; and &winbindd;.
is only needed if you want Kerberos support for &smbd; and &winbindd;.
</para>
</sect2>
@ -770,7 +771,7 @@ is only needed if you want kerberos support for &smbd; and &winbindd;.
As a user that has write permission on the Samba private directory
(usually root) run:
<programlisting>
<userinput>net join -U Administrator%password</userinput>
&rootprompt;<userinput>net join -U Administrator%password</userinput>
</programlisting>
</para>
@ -781,7 +782,7 @@ As a user that has write permission on the Samba private directory
<variablelist>
<varlistentry><term><errorname>ADS support not compiled in</errorname></term>
<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
(make clean all install) after the kerberos libs and headers are installed.
(make clean all install) after the Kerberos libs and headers are installed.
</para></listitem></varlistentry>
<varlistentry><term><errorname>net join prompts for user name</errorname></term>
@ -807,7 +808,7 @@ folder under Users and Computers.
<para>
On a Windows 2000 client try <userinput>net use * \\server\share</userinput>. You should
be logged in with kerberos without needing to know a password. If
be logged in with Kerberos without needing to know a password. If
this fails then run <userinput>klist tickets</userinput>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ?
</para>
@ -819,8 +820,8 @@ server? Does it have an encoding type of DES-CBC-MD5 ?
<para>
On your Samba server try to login to a Win2000 server or your Samba
server using &smbclient; and kerberos. Use &smbclient; as usual, but
specify the <parameter>-k</parameter> option to choose kerberos authentication.
server using &smbclient; and Kerberos. Use &smbclient; as usual, but
specify the <parameter>-k</parameter> option to choose Kerberos authentication.
</para>
</sect2>
@ -846,7 +847,7 @@ their defaults DNS setup. Maybe fixed in service packs?
<para>
In the process of adding / deleting / re-adding domain member machine accounts there are
many traps for the unwary player and there are many "little" things that can go wrong.
many traps for the unwary player and there are many <quote>little</quote> things that can go wrong.
It is particularly interesting how often subscribers on the samba mailing list have concluded
after repeated failed attempts to add a machine account that it is necessary to "re-install"
MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type
@ -861,7 +862,7 @@ networking functions. easily overcome.
<emphasis>Problem:</emphasis> A Windows workstation was reinstalled. The original domain machine
account was deleted and added immediately. The workstation will not join the domain if I use
the same machine name. Attempts to add the machine fail with a message that the machine already
exists on the network - I know it doen't. Why is this failing?
exists on the network - I know it doesn't. Why is this failing?
</para>
<para>

14
docs/docbook/projdoc/Diagnosis.xml
View File

@ -5,7 +5,7 @@
<pubdate>Wed Jan 15</pubdate>
</chapterinfo>
<title>The samba checklist</title>
<title>The Samba checklist</title>
<sect1>
<title>Introduction</title>
@ -205,7 +205,7 @@ the following &smb.conf; file entries:
<para>
In the above, no allowance has been made for any session requests that
will automatically translate to the loopback adaptor address 127.0.0.1.
will automatically translate to the loopback adapter address 127.0.0.1.
To solve this problem change these lines to:
</para>
@ -236,7 +236,7 @@ to start &smbd; as a daemon, it can avoid a lot of frustration!
And yet another possible cause for failure of this test is when the subnet mask
and / or broadcast address settings are incorrect. Please check that the
network interface IP Address / Broadcast Address / Subnet Mask settings are
correct and that Samba has correctly noted these in the <filename>log.nmb</filename> file.
correct and that Samba has correctly noted these in the <filename>log.nmbd</filename> file.
</para>
</step>
@ -289,7 +289,7 @@ Run the command <userinput>nmblookup -d 2 '*'</userinput>
<para>
This time we are trying the same as the previous test but are trying
it via a broadcast to the default broadcast address. A number of
Netbios/TCPIP hosts on the network should respond, although Samba may
NetBIOS / TCP/IP hosts on the network should respond, although Samba may
not catch all of the responses in the short time it listens. You
should see <errorname>got a positive name query response</errorname>
messages from several hosts.
@ -346,7 +346,7 @@ If it says <errorname>bad password</errorname> then the likely causes are:
<orderedlist>
<listitem>
<para>
you have shadow passords (or some other password system) but didn't
you have shadow passwords (or some other password system) but didn't
compile in support for them in &smbd;
</para>
</listitem>
@ -409,12 +409,12 @@ to choose one of them):
<listitem><para>
add the IP address of BIGSERVER to the <command>wins server</command> box in the
advanced tcp/ip setup on the PC.
advanced TCP/IP setup on the PC.
</para></listitem>
<listitem><para>
enable windows name resolution via DNS in the advanced section of
the tcp/ip setup
the TCP/IP setup
</para></listitem>
<listitem><para>

2
docs/docbook/projdoc/FastStart.xml
View File

@ -3,7 +3,7 @@
&author.jht;
</chapterinfo>
<title>FastStart for the Impatient</title>
<title>Fast Start for the Impatient</title>
<sect1>
<title>Note</title>

2
docs/docbook/projdoc/Further-Resources.xml
View File

@ -146,7 +146,7 @@
</sect1>
<sect1>
<title>Related updates from microsoft</title>
<title>Related updates from Microsoft</title>
<itemizedlist>
<listitem><para>

29
docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml
View File

@ -35,7 +35,7 @@
<para>
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
so long as appropriate interface scripts have been provided to &smb.conf;
so long as appropriate interface scripts have been provided to &smb.conf;.
</para>
<para>
@ -52,7 +52,7 @@
There are several possible work-arounds for the operating system tools limitation. One
method is to use a script that generates a name for the Unix/Linux system group that
fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
back to the calling samba interface. This will provide a dynamic work-around solution.
back to the calling Samba interface. This will provide a dynamic work-around solution.
</para>
<para>
@ -68,9 +68,9 @@
<para>
When installing <application>MS Windows NT4 / 200x</application> on a computer, the installation
program creates default users and groups. Notably the <constant>Administrators</constant> group,
and gives to that group privileges necessary privilidges to perform essential system tasks.
eg: Ability to change the date and time or to kill any process (or close too) running on the
program creates default users and groups, notably the <constant>Administrators</constant> group,
and gives that group privileges necessary privileges to perform essential system tasks.
eg: Ability to change the date and time or to kill (or close) any process running on the
local machine.
</para>
@ -81,14 +81,14 @@
</para>
<para>
When an MS Windows NT4 / W200x is made a domain member, the "Domain Adminis" group of the
When an MS Windows NT4 / W200x is made a domain member, the "Domain Admins" group of the
PDC is added to the local 'Administrators' group of the workstation. Every member of the
'Domain Administrators' group inherits the rights of the local 'Administrators' group when
logging on the workstation.
</para>
<para>
The following steps describe how to make samba PDC users members of the 'Domain Admins' group?
The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
</para>
<orderedlist>
@ -97,7 +97,7 @@
</para></listitem>
<listitem><para>add to this group the users that must be Administrators. For example
if you want joe,john and mary, your entry in <filename>/etc/group</filename> will
if you want joe, john and mary, your entry in <filename>/etc/group</filename> will
look like:
</para>
@ -140,7 +140,7 @@
</para>
<para>
Be aware that the RID parmeter is a unsigned 32 bit integer that should
Be aware that the RID parameter is a unsigned 32 bit integer that should
normally start at 1000. However, this rid must not overlap with any RID assigned
to a user. Verifying this is done differently depending on on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
@ -185,7 +185,7 @@
<title>Sample &smb.conf; add group script</title>
<para>
A script to great complying group names for use by the samba group interfaces:
A script to great complying group names for use by the Samba group interfaces:
</para>
<para>
@ -201,7 +201,8 @@ groupadd smbtmpgrp00
thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
# Now change the name to what we want for the MS Windows networking end
cat /etc/group | sed s/smbtmpgrp00/$1/g > /etc/group
cp /etc/group /etc/group.bak
cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group
# Now return the GID as would normally happen.
echo $thegid
@ -255,7 +256,7 @@ net groupmap modify ntgroup="Power Users" unixgroup=sys
</para>
<para>
Of course it is expected that the admininstrator will modify this to suit local needs.
Of course it is expected that the administrator will modify this to suit local needs.
For information regarding the use of the <command>net groupmap</command> tool please
refer to the man page.
</para>
@ -278,12 +279,12 @@ manually before putting them into active service.
<para>
This is a common problem when the <command>groupadd</command> is called directly
by the samba interface script for the <parameter>add group script</parameter> in
by the Samba interface script for the <parameter>add group script</parameter> in
the &smb.conf; file.
</para>
<para>
The most common cause of failure is an attempt to add an MS Windows group acocunt
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
</para>

24
docs/docbook/projdoc/Integrating-with-Windows.xml
View File

@ -30,7 +30,7 @@ NetBIOS over TCP/IP then this section may help you to resolve networking problem
<para>
Many MS Windows network administrators have never been exposed to basic TCP/IP
networking as it is implemented in a Unix/Linux operating system. Likewise, many Unix and
Linux adminsitrators have not been exposed to the intricacies of MS Windows TCP/IP based
Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP based
networking (and may have no desire to be either).
</para>
@ -121,7 +121,7 @@ as two digit hexadecimal numbers separated by colons. eg:
Every network interface must have an MAC address. Associated with
a MAC address there may be one or more IP addresses. There is NO
relationship between an IP address and a MAC address, all such assignments
are arbitary or discretionary in nature. At the most basic level all
are arbitrary or discretionary in nature. At the most basic level all
network communications takes place using MAC addressing. Since MAC
addresses must be globally unique, and generally remains fixed for
any particular interface, the assignment of an IP address makes sense
@ -154,7 +154,7 @@ interface.
<para>
The <filename>/etc/hosts</filename> file is foundational to all
Unix/Linux TCP/IP installations and as a minumum will contain
Unix/Linux TCP/IP installations and as a minimum will contain
the localhost and local network interface IP addresses and the
primary names by which they are known within the local machine.
This file helps to prime the pump so that a basic level of name
@ -199,7 +199,7 @@ This file tells the name resolution libraries:
<filename>/etc/host.conf</filename> is the primary means by
which the setting in /etc/resolv.conf may be affected. It is a
critical configuration file. This file controls the order by
which name resolution may procede. The typical structure is:
which name resolution may proceed. The typical structure is:
</para>
<para><screen>
@ -240,7 +240,7 @@ file typically has resolver object specifications as follows:
hosts: files nis dns
# Alternative entries for host name resolution are:
# hosts: files dns nis nis+ hesoid db compat ldap wins
# hosts: files dns nis nis+ hesiod db compat ldap wins
networks: nis files dns
ethers: nis files
@ -422,7 +422,7 @@ It typically looks like:
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
@ -454,7 +454,7 @@ It typically looks like:
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
@ -530,7 +530,7 @@ lookup is used.
<title>WINS Lookup</title>
<para>
A WINS (Windows Internet Name Server) service is the equivaent of the
A WINS (Windows Internet Name Server) service is the equivalent of the
rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
the names and IP addresses that are registered by a Windows client
if the TCP/IP setup has been given at least one WINS Server IP Address.
@ -568,8 +568,8 @@ of the WINS server.
<para>
TCP/IP network configuration problems find every network administrator sooner or later.
The cause can be anything from keybaord mishaps, forgetfulness, simple mistakes, and
carelessness. Of course, noone is every deliberately careless!
The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
carelessness. Of course, no one is every deliberately careless!
</para>
<sect2>
@ -582,7 +582,7 @@ carelessness. Of course, noone is every deliberately careless!
<para>
The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
Samba server (Linux) was at IP Address 192.168.1.130 with netmast 255.255.255.128.
Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
The machines were on a local network with no external connections.
</para>
@ -643,7 +643,7 @@ carelessness. Of course, noone is every deliberately careless!
Name Type Status
------------------------------------------------
SLACK &lt;03&gt; UNIQUE Registered
ADMININSTRATOR &lt;03&gt; UNIQUE Registered
ADMINISTRATOR &lt;03&gt; UNIQUE Registered
SLACK &lt;00&gt; UNIQUE Registered
SARDON &lt;00&gt; GROUP Registered
SLACK &lt;20&gt; UNIQUE Registered

12
docs/docbook/projdoc/InterdomainTrusts.xml
View File

@ -28,8 +28,8 @@ MS Windows NT4.
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts simplt because by the very nature of how this works it is fragile.
That was after all a key reason for the development and adoption of Microsoft Active Directory.
Interdomain trusts simply because by the very nature of how this works it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</para>
</sect1>
@ -115,7 +115,7 @@ typed twice (for standard confirmation).
<para>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consumate the trust relationship the administrator will launch the
with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
<guibutton>Add</guibutton> button that is next to the box that is labelled
<guilabel>Trusted Domains</guilabel>. A panel will open in which must be entered the name of the remote
@ -148,7 +148,7 @@ between domains in purely Samba environment.
In order to set the Samba PDC to be the trusted party of the relationship first you need
to create special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
similiar to creating a trusted machine account. Suppose, your domain is
similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</para>
@ -175,7 +175,7 @@ After issuing this command you'll be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the stardard way depending on your configuration) and see that account's name is
(in the standard way depending on your configuration) and see that account's name is
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</para>
@ -281,7 +281,7 @@ distributed trusted domains.
<para>
These are almost complete in Samba 3.0 snapshots. The main catch
is getting winbindd to be able to allocate uid/gid's for trusted
is getting winbindd to be able to allocate UID/GIDs for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</para>

2
docs/docbook/projdoc/IntroSMB.xml
View File

@ -157,7 +157,7 @@ related to Samba: SMBFS and CIFS VFS. These are both available in the Linux ker
<listitem><para>
CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
is being actively developed for the upcoming version of the Linux kernel. The intent of this module
is to provide advanced network file system functionality including support for dfs (heirarchical
is to provide advanced network file system functionality including support for dfs (hierarchical
name space), secure per-user session establishment, safe distributed caching (oplock),
optional packet signing, Unicode and other internationalization improvements, and optional
Winbind (nsswitch) integration.

26
docs/docbook/projdoc/NT4Migration.xml
View File

@ -16,8 +16,8 @@ Samba-3 based domain control.
<para>
In the IT world there is often a saying that all problems are encountered because of
poor planning. The corrollary to this saying is that not all problems can be anticpated
and planned for. Then again, good planning will anticpate most show stopper type situations.
poor planning. The corollary to this saying is that not all problems can be anticipated
and planned for. Then again, good planning will anticipate most show stopper type situations.
</para>
<para>
@ -67,9 +67,9 @@ What are the features that Samba-3 can NOT provide?
<simplelist>
<member>Active Directory Server</member>
<member>Group Policy Objects (in Active Direcrtory)</member>
<member>Group Policy Objects (in Active Directory)</member>
<member>Machine Policy objects</member>
<member>Logon Scripts in Active Directorty</member>
<member>Logon Scripts in Active Directory</member>
<member>Software Application and Access Controls in Active Directory</member>
</simplelist>
@ -87,7 +87,7 @@ includes:
<member>Greater Stability, Reliability, Performance and Availability</member>
<member>Manageability via an ssh connection</member>
<member>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</member>
<member>Ability to implement a full single-signon architecture</member>
<member>Ability to implement a full single-sign-on architecture</member>
<member>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</member>
</simplelist>
@ -122,7 +122,7 @@ and network bandwidth.
A physical network segment may house several domains, each of which may span multiple network segments.
Where domains span routed network segments it is most advisable to consider and test the performance
implications of the design and layout of a network. A Centrally located domain controller that is being
designed to serve mulitple routed network segments may result in severe performance problems if the
designed to serve multiple routed network segments may result in severe performance problems if the
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
the local authentication and access control server.
@ -170,15 +170,15 @@ make sure that users will never be interrupted by the stupidity of complexity.
<title>Logon Scripts</title>
<para>
Please refer to the section of this document on Advanced Network Adminsitration for information
Please refer to the section of this document on Advanced Network Administration for information
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
all users gain share and printer connections they need.
</para>
<para>
Logon scripts can be created on-the-fly so that all commands executed are specific to the
rights and privilidges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logong script using
rights and privileges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logon script using
the <parameter>root preexec</parameter> parameters to the <filename>NETLOGON</filename> share.
</para>
@ -271,7 +271,7 @@ Samba-3 set up as a DC with netlogon share, profile share, etc.
<substeps><step><para>Now check that all groups are recognised</para></step></substeps>
</step>
<step><para><userinput>net rpc campire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
<step><para><userinput>net rpc vampire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
<step><para><userinput>pdbedit -Lv</userinput></para>
<substeps><step>
@ -314,7 +314,7 @@ based solution fit into three basic categories.
<title>Planning for Success</title>
<para>
There are three basic choices for sites that intend to migrate from MS Windwows NT4
There are three basic choices for sites that intend to migrate from MS Windows NT4
to Samba-3.
</para>
@ -406,13 +406,13 @@ Authentication database back end
External server could use Active Directory or NT4 Domain
Database type
smbpasswd, tdbsam, ldapsam, MySQLsam
smbpasswd, tdbsam, ldapsam, mysqlsam
Access Control Points
On the Share itself (Use NT4 Server Manager)
On the file system
Unix permissions on files and directories
Posix ACLs enablement in file system?
Enable Posix ACLs in file system?
Through Samba share parameters
Not recommended - except as only resort

192
docs/docbook/projdoc/NetworkBrowsing.xml
View File

@ -10,7 +10,7 @@
<para>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and / or across workgroups (or domains).
WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</para>
@ -32,10 +32,10 @@ hope it never returns!</emphasis>.
</para>
<para>
For many MS Windows network administrators that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking it's fickle
nature was just par for the course. For those who never quite managed to tame it's
lusty features NetBIOS is like Paterson's Curse.
For many MS Windows network administrators, that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
nature was just par for the course. For those who never quite managed to tame its
lusty features, NetBIOS is like Paterson's Curse.
</para>
<para>
@ -49,7 +49,7 @@ features which make it such a persistent weed.
<para>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
a particular focus on SMB as implmented through running NetBIOS (Network Basic
a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
@ -98,7 +98,7 @@ The technologies (or methods) employed in making all of this work includes:
</simplelist>
<para>
The samba application that controls/manages browse list management and name resolution is
The Samba application that controls browse list management and name resolution is
called <filename>nmbd</filename>. The configuration parameters involved in nmbd's operation are:
</para>
@ -129,9 +129,9 @@ called <filename>nmbd</filename>. The configuration parameters involved in nmbd'
</programlisting></para>
<para>
For Samba the WINS Server and WINS Support are mutually exclusive options. Those marked with
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
parameters is set nmbd will still do it's job.
parameters is set <filename>nmbd</filename> will still do it's job.
</para>
</sect1>
@ -142,7 +142,7 @@ parameters is set nmbd will still do it's job.
<para>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
NetBIOS over TCP/IP for backwards compatibility. Microsoft are intent on phasing out NetBIOS
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</para>
@ -152,7 +152,7 @@ support.
<para>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
affect browse list management. When running NetBIOS over TCP/IP this uses UDP based messaging.
affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</para>
@ -165,7 +165,7 @@ implements browse list collation using unicast UDP.
</para>
<para>
Secondly, in those networks where Samba is the only SMB server technology
Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <filename>nmbd</filename> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
@ -184,11 +184,11 @@ the use of the <command>remote announce</command> and the
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
of one of the samba-3 release series.
of one of the Samba-3 release series.
</para>
<para>
Right now samba WINS does not support MS-WINS replication. This means that
Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <filename>nmbd</filename>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
@ -261,7 +261,7 @@ force register with a Dynamic DNS server in Windows 200x / XP using:
<para>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
essential. In the absence of a working DNS server that has been correctly configured
essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other,
consequently network services will be severely impaired.
</para>
@ -324,7 +324,7 @@ The following are some of the default service records that Active Directory requ
<listitem><para>_ldap._tcp.<emphasis>Site</emphasis>.gc.ms-dcs.<emphasis>DomainTree</emphasis></para>
<para>
Used by MS Windows clients to locate site configuration dependant
Used by MS Windows clients to locate site configuration dependent
Global Catalog server.
</para>
</listitem>
@ -347,11 +347,11 @@ is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
</para>
<para>
In the case where there is no WINS server all name registrations as
In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
which the samba server name may be forcibly injected into the browse
which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<command>remote announce</command> parameter).
</para>
@ -390,7 +390,7 @@ inability to use the network services.
</para>
<para>
Samba supports a feature that allows forced synchonisation
Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <command>remote
browse sync</command> parameter in the <filename>smb.conf</filename> file.
This causes Samba to contact the local master browser on a remote network and
@ -419,7 +419,7 @@ to collate the browse lists from local master browsers on all the
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
subnet. It is the presense of a domain master browser that makes
subnet. It is the presence of a domain master browser that makes
cross subnet browsing possible for a workgroup.
</para>
@ -515,8 +515,8 @@ options in the <parameter>[global]</parameter> section of the
<para>
If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a Domain
name is also the Domain master browser for that name, and many
By default, a Windows NT Primary Domain Controller for a domain
is also the Domain master browser for that domain, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (<replaceable>DOMAIN</replaceable>&lt;1B&gt;)
with WINS instead of the PDC.
@ -545,7 +545,7 @@ on the same subnet you may set the <parameter>os level</parameter> parameter
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <link linkend="browse-force-master">
Forcing samba to be the master browser</link>
Forcing Samba to be the master browser</link>
below.
</para>
@ -570,7 +570,7 @@ file :
</sect2>
<sect2 id="browse-force-master">
<title>Forcing samba to be the master</title>
<title>Forcing Samba to be the master</title>
<para>
Who becomes the <parameter>master browser</parameter> is determined by an election
@ -595,30 +595,30 @@ NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
<para>The maximum os level is 255</para>
<para>
If you want samba to force an election on startup, then set the
If you want Samba to force an election on startup, then set the
<parameter>preferred master</parameter> global option in &smb.conf; to <constant>yes</constant>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are windows 95 or NT or
samba) on the same local subnet both set with <parameter>preferred master</parameter> to
care, as if you have two hosts (whether they are Windows 95 or NT or
Samba) on the same local subnet both set with <parameter>preferred master</parameter> to
<constant>yes</constant>, then periodically and continually they will force an election
in order to become the local master browser.
</para>
<para>
If you want samba to be a <parameter>domain master browser</parameter>, then it is
If you want Samba to be a <parameter>domain master browser</parameter>, then it is
recommended that you also set <parameter>preferred master</parameter> to <constant>yes</constant>, because
samba will not become a domain master browser for the whole of your
Samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
</para>
<para>
It is possible to configure two samba servers to attempt to become
It is possible to configure two Samba servers to attempt to become
the domain master browser for a domain. The first server that comes
up will be the domain master browser. All other samba servers will
up will be the domain master browser. All other Samba servers will
attempt to become the domain master browser every 5 minutes. They
will find that another samba server is already the domain master
will find that another Samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.
</para>
@ -626,12 +626,12 @@ the current domain master browser fail.
</sect2>
<sect2>
<title>Making samba the domain master</title>
<title>Making Samba the domain master</title>
<para>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
make samba act as the domain master by setting <parameter>domain master = yes</parameter>
make Samba act as the domain master by setting <parameter>domain master = yes</parameter>
in &smb.conf;. By default it will not be a domain master.
</para>
@ -641,21 +641,21 @@ workgroup that has the same name as an NT Domain.
</para>
<para>
When samba is the domain master and the master browser it will listen
When Samba is the domain master and the master browser, it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.
</para>
<para>
If you want samba to be the domain master then I suggest you also set
If you want Samba to be the domain master then I suggest you also set
the <parameter>os level</parameter> high enough to make sure it wins elections, and set
<parameter>preferred master</parameter> to <constant>yes</constant>, to get samba to force an election on
<parameter>preferred master</parameter> to <constant>yes</constant>, to get Samba to force an election on
startup.
</para>
<para>
Note that all your servers (including samba) and clients should be
Note that all your servers (including Samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:
</para>
@ -678,15 +678,15 @@ using broadcasting to resolve NetBIOS names, then two things will occur:
</orderedlist>
<para>
If, however, both samba and your clients are using a WINS server, then:
If, however, both Samba and your clients are using a WINS server, then:
</para>
<orderedlist>
<listitem>
<para>
your local master browsers will contact the WINS server and, as long as
samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive samba's ip address
Samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive Samba's IP address
as its domain master browser.
</para>
</listitem>
@ -734,7 +734,7 @@ The syntax of the <parameter>remote announce</parameter> parameter is:
<programlisting>
remote announce = a.b.c.d [e.f.g.h] ...
</programlisting>
_or_
<emphasis>or</emphasis>
<programlisting>
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
</programlisting>
@ -744,12 +744,12 @@ where:
<varlistentry><term><replaceable>a.b.c.d</replaceable> and
<replaceable>e.f.g.h</replaceable></term>
<listitem><para>is either the LMB (Local Master Browser) IP address
or the broadcst address of the remote network.
or the broadcast address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
address of the remote network every host will receive
address of the remote network, every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</para></listitem>
@ -776,9 +776,9 @@ name resolution problems and should be avoided.
<para>
The <parameter>remote browse sync</parameter> parameter of
<filename>smb.conf</filename> is used to announce to
another LMB that it must synchronise it's NetBIOS name list with our
another LMB that it must synchronise its NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
simultaneously the LMB on it's network segment.
simultaneously the LMB on its network segment.
</para>
<para>
@ -800,11 +800,11 @@ remote LMB or else is the network broadcast address of the remote segment.
<title>WINS - The Windows Internetworking Name Server</title>
<para>
Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
Use of WINS (either Samba WINS <emphasis>or</emphasis> MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers its name together with a
name_type value for each of of several types of service it has available.
name_type value for each of several types of service it has available.
eg: It registers its name directly as a unique (the type 0x03) name.
It also registers its name if it is running the lanmanager compatible
It also registers its name if it is running the LanManager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.
</para>
@ -823,7 +823,7 @@ that wants to log onto the network can ask the WINS server for a list
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
information can only be provided via WINS _or_ via statically configured
information can only be provided via WINS <emphasis>or</emphasis> via statically configured
<filename>lmhosts</filename> files that must reside on all clients in the
absence of WINS.
</para>
@ -895,7 +895,7 @@ all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
</para>
<para>
You should set up only ONE wins server. Do NOT set the
You should set up only ONE WINS server. Do NOT set the
<parameter>wins support = yes</parameter> option on more than one Samba
server.
</para>
@ -905,7 +905,7 @@ To set up a Windows NT Server as a WINS server you need to set up
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
refuse to document these replication protocols Samba cannot currently
refuses to document these replication protocols, Samba cannot currently
participate in these replications. It is possible in the future that
a Samba->Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
@ -968,14 +968,41 @@ section of the documentation to provide usage and technical details.
<title>Static WINS Entries</title>
<para>
New to Samba-3 is a tool called <command>winsedit</command> that may be used to add
static WINS entries to the WINS database. This tool can be used also to modify entries
existing in the WINS database.
Adding static entries to your Samba-3 WINS server is actually fairly easy.
All you have to do is add a line to <filename>wins.dat</filename>, typically
located in <filename class="directory">/usr/local/samba/var/locks</filename>.
</para>
<para>
The development of the winsedit tool was made necessary due to the migration
of the older style wins.dat file into a new tdb binary backend data store.
Entries in <filename>wins.dat</filename> take the form of
<programlisting>
"NAME#TYPE" TTL ADDRESS+ FLAGS
</programlisting>
where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
time-to-live as an absolute time in seconds, ADDRESS+ is one or more
addresses corresponding to the registration and FLAGS are the NetBIOS
flags for the registration.
</para>
<para>
A typical dynamic entry looks like:
<programlisting>
"MADMAN#03" 1055298378 192.168.1.2 66R
</programlisting>
To make it static, all that has to be done is set the TTL to 0:
<programlisting>
"MADMAN#03" 0 192.168.1.2 66R
</programlisting>
</para>
<para>
Though this method works with early Samba-3 versions, there's a
possibility that it may change in future versions if WINS replication
is added.
</para>
</sect2>
@ -1004,7 +1031,7 @@ one protocol on an MS Windows machine.
<para>
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precidence for winning this election process. A machine running Samba or
of precedence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.
</para>
@ -1042,7 +1069,8 @@ The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
<para>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
are:</para>
are:
</para>
<simplelist>
<member>WINS: the best tool!</member>
@ -1051,7 +1079,8 @@ are:</para>
</simplelist>
<para>
Alternative means of name resolution includes:</para>
Alternative means of name resolution includes:
</para>
<simplelist>
<member><filename>/etc/hosts</filename>: is static, hard to maintain, and lacks name_type info</member>
<member>DNS: is a good choice but lacks essential name_type info.</member>
@ -1059,18 +1088,19 @@ Alternative means of name resolution includes:</para>
<para>
Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The "name resolve order" parameter is of great help here.
The syntax of the "name resolve order" parameter is:
resolution traffic. The <parameter>name resolve order</parameter> parameter is
of great help here. The syntax of the <parameter>name resolve order</parameter>
parameter is:
<programlisting>
name resolve order = wins lmhosts bcast host
</programlisting>
_or_
<emphasis>or</emphasis>
<programlisting>
name resolve order = wins lmhosts (eliminates bcast and host)
</programlisting>
The default is:
<programlisting>
name resolve order = host lmhost wins bcast
name resolve order = host lmhost wins bcast
</programlisting>
where "host" refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
@ -1095,7 +1125,7 @@ document.
<para>
MS Windows 2000 and later, as with Samba 3 and later, can be
configured to not use NetBIOS over TCP/IP. When configured this way
configured to not use NetBIOS over TCP/IP. When configured this way,
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
configured and operative. Browsing will NOT work if name resolution
from SMB machine names to IP addresses does not function correctly.
@ -1109,7 +1139,7 @@ that can NOT be provided by any other means of name resolution.
</para>
<sect2>
<title>Browsing support in samba</title>
<title>Browsing support in Samba</title>
<para>
Samba facilitates browsing. The browsing is supported by &nmbd;
@ -1123,7 +1153,7 @@ Samba can also act as a domain master browser for a workgroup. This
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
both samba and your clients use a WINS server.
both Samba and your clients use a WINS server.
</para>
<para>
@ -1136,11 +1166,11 @@ that is providing this service.
<note><para>
Nmbd can be configured as a WINS server, but it is not
necessary to specifically use samba as your WINS server. MS Windows
necessary to specifically use Samba as your WINS server. MS Windows
NT4, Server or Advanced Server 2000 or 2003 can be configured as
your WINS server. In a mixed NT/2000/2003 server and samba environment on
your WINS server. In a mixed NT/2000/2003 server and Samba environment on
a Wide Area Network, it is recommended that you use the Microsoft
WINS server capabilities. In a samba-only environment, it is
WINS server capabilities. In a Samba-only environment, it is
recommended that you use one and only one Samba server as your WINS server.
</para></note>
@ -1163,7 +1193,7 @@ example. See <parameter>remote announce</parameter> in the
<title>Problem resolution</title>
<para>
If something doesn't work then hopefully the log.nmb file will help
If something doesn't work then hopefully the log.nmbd file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called <filename>browse.dat</filename>.
@ -1201,16 +1231,14 @@ in &smb.conf;)
<sect2>
<title>Browsing across subnets</title>
<para>
Since the release of Samba 1.9.17(alpha1) Samba has been
updated to enable it to support the replication of browse lists
across subnet boundaries. New code and options have been added to
achieve this. This section describes how to set this feature up
in different settings.
Since the release of Samba 1.9.17(alpha1), Samba has supported the
replication of browse lists across subnet boundaries. This section
describes how to set this feature up in different settings.
</para>
<para>
To see browse lists that span TCP/IP subnets (ie. networks separated
by routers that don't pass broadcast traffic) you must set up at least
by routers that don't pass broadcast traffic), you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
@ -1412,13 +1440,13 @@ Servers with a (*) after them are non-authoritative names.
<para>
At this point users looking in their network neighborhood on
subnets 1 or 3 will see all the servers on all sunbets, users on
subnets 1 or 3 will see all the servers on all subnets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
</para>
<para>
Finally, the local master browser for subnet 2 (N2_B) will sync again
with the domain master browser (N1_C) and will recieve the missing
with the domain master browser (N1_C) and will receive the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :
</para>
@ -1485,17 +1513,17 @@ If either router R1 or R2 fails the following will occur:
<title>Common Errors</title>
<para>
Many questions are sked on the mailing lists regarding browsing. The majority of browsing
Many questions are asked on the mailing lists regarding browsing. The majority of browsing
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
particular note.
</para>
<sect2>
<title>How can one flush the Samba NetBIOS name cache without restarting samba?</title>
<title>How can one flush the Samba NetBIOS name cache without restarting Samba?</title>
<para>
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
safe to restart nmbd. This will effectively flush the samba NetBIOS name cache and cause it
safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
in the browse list. When nmbd is taken out of service another machine on the network will
become the browse master. This new list may still have the rogue entry in it. If you really

20
docs/docbook/projdoc/Other-Clients.xml
View File

@ -14,7 +14,7 @@
<title>Macintosh clients?</title>
<para>
Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> now have a CIFS Client / Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE</ulink>
Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> now has a CIFS Client / Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE</ulink>
</para>
<para>
@ -27,10 +27,10 @@ enhanced, and there are bug-fixes included).
<para>
Alternatives - There are two free implementations of AppleTalk for
several kinds of UNIX machnes, and several more commercial ones.
several kinds of UNIX machines, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
the Macintosh. The two free omplementations are
the Macintosh. The two free implementations are
<ulink url="http://www.umich.edu/~rsug/netatalk/">Netatalk</ulink>, and
<ulink url="http://www.cs.mu.oz.au/appletalk/atalk.html">CAP</ulink>.
What Samba offers MS
@ -150,8 +150,8 @@ packages, Samba, and Linux (and other UNIX-based systems) see
<sect2>
<title>Use latest TCP/IP stack from Microsoft</title>
<para>Use the latest TCP/IP stack from microsoft if you use Windows
for workgroups.
<para>Use the latest TCP/IP stack from Microsoft if you use Windows
for Workgroups.
</para>
<para>The early TCP/IP stacks had lots of bugs.</para>
@ -220,7 +220,7 @@ for use with <parameter>security = user</parameter>
<para>To support print queue reporting you may find
that you have to use TCP/IP as the default protocol under
WfWg. For some reason if you leave Netbeui as the default
WfWg. For some reason if you leave NetBEUI as the default
it may break the print queue reporting on some systems.
It is presumably a WfWg bug.</para>
@ -237,9 +237,9 @@ big improvement. I don't know why.
</para>
<para>
My own experience wth DefaultRcvWindow is that I get much better
My own experience with DefaultRcvWindow is that I get much better
performance with a large value (16384 or larger). Other people have
reported that anything over 3072 slows things down enourmously. One
reported that anything over 3072 slows things down enormously. One
person even reported a speed drop of a factor of 30 when he went from
3072 to 8192. I don't know why.
</para>
@ -270,10 +270,10 @@ of Windows 95.
</simplelist>
<para>
Also, if using <application>MS OutLook</application> it is desirable to
Also, if using <application>MS Outlook</application> it is desirable to
install the <command>OLEUPD.EXE</command> fix. This
fix may stop your machine from hanging for an extended period when exiting
OutLook and you may also notice a significant speedup when accessing network
Outlook and you may also notice a significant speedup when accessing network
neighborhood services.
</para>

20
docs/docbook/projdoc/PAM-Authentication-And-Samba.xml
View File

@ -21,8 +21,8 @@ controls that are appropriate to your Samba configuration.
</para>
<para>
In addition to knowing how to configure winbind into PAM, you will learn generic PAM managment
possibilities and in particular how to deploy tools like pam_smbpass.so to your adavantage.
In addition to knowing how to configure winbind into PAM, you will learn generic PAM management
possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.
</para>
<note><para>
@ -240,8 +240,8 @@ Once we have explained the meaning of the above tokens, we will describe this me
<listitem><para>
<emphasis>session:</emphasis> primarily, this module is associated with doing things that need
to be done for the user before/after they can be given service. Such things include the loggin
of information concerning the opening/closing of some data exchange with a user, mountin
to be done for the user before/after they can be given service. Such things include the logging
of information concerning the opening/closing of some data exchange with a user, mounting
directories, etc.
</para></listitem>
@ -312,7 +312,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
<para>
The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
over how the user is authenticated. This form of the control flag is delimeted with square brackets and
over how the user is authenticated. This form of the control flag is delimited with square brackets and
consists of a series of value=action tokens:
</para>
@ -321,7 +321,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
</screen></para>
<para>
Here, valueI is one of the following return values: success; open_err; symbol_err; service_err;
Here, value1 is one of the following return values: success; open_err; symbol_err; service_err;
system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries;
new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
authtok_err; authtok_recover_err; authtok_lock_busy; authtok_disable_aging; try_again; ignore; abort;
@ -330,7 +330,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
</para>
<para>
The actionI can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
The action1 can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
@ -492,7 +492,7 @@ password required pam_pwdb.so shadow md5
<title>PAM: login using pam_smbpass</title>
<para>
PAM allows use of replacable modules. Those available on a sample system include:
PAM allows use of replaceable modules. Those available on a sample system include:
</para>
<para><prompt>$</prompt><userinput>/bin/ls /lib/security</userinput>
@ -579,7 +579,7 @@ password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
capabilities of PAM in this environment. Some Linux implmentations also
capabilities of PAM in this environment. Some Linux implementations also
provide the <filename>pam_stack.so</filename> module that allows all
authentication to be configured in a single central file. The
<filename>pam_stack.so</filename> method has some very devoted followers
@ -623,7 +623,7 @@ password encryption.
<title>Remote CIFS Authentication using winbindd.so</title>
<para>
All operating systems depend on the provision of users credentials accecptable to the platform.
All operating systems depend on the provision of users credentials acceptable to the platform.
Unix requires the provision of a user identifier (UID) as well as a group identifier (GID).
These are both simple integer type numbers that are obtained from a password backend such
as <filename>/etc/passwd</filename>.

18
docs/docbook/projdoc/PolicyMgmt.xml
View File

@ -18,7 +18,7 @@ also.
<title>Features and Benefits</title>
<para>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implmement
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of "booboos"
(or mistakes) administrators made and then requested help to resolve.
@ -64,7 +64,7 @@ affect users, groups of users, or machines.
For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may
be generated using a tool called <filename>poledit.exe</filename>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
dissappeared again with the introduction of MS Windows Me (Millenium Edition). From
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
comments from MS Windows network administrators it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</para>
@ -230,7 +230,7 @@ here is incomplete - you are warned.
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network the user specific part
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
exists with NT4 style policy files.
</para>
@ -268,10 +268,10 @@ here is incomplete - you are warned.
<para>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The later introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files, for that
the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</para>
@ -315,7 +315,7 @@ applied to the user's part of the registry.
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
</para>
<para>
@ -350,7 +350,7 @@ Common restrictions that are frequently used includes:
<para>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
</para>
</sect2>
@ -394,7 +394,7 @@ reboot and as part of the user logon:
</para></listitem>
<listitem><para>
Execution of start-up scripts (hidden and synchronous by defaut).
Execution of start-up scripts (hidden and synchronous by default).
</para></listitem>
<listitem><para>
@ -406,7 +406,7 @@ reboot and as part of the user logon:
</para></listitem>
<listitem><para>
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
<simplelist>
<member>Is user a domain member, thus subject to particular policies</member>

10
docs/docbook/projdoc/Portability.xml
View File

@ -37,8 +37,8 @@ allowed range.
</para>
<para>
On HPUX you must use gcc or the HP Ansi compiler. The free compiler
that comes with HP-UX is not Ansi compliant and cannot compile
On HPUX you must use gcc or the HP ANSI compiler. The free compiler
that comes with HP-UX is not ANSI compliant and cannot compile
Samba.
</para>
@ -186,7 +186,7 @@ Corrective Action: Delete the entry after the word loopback
<!-- From an email by William Jojo <jojowil@hvcc.edu> -->
<para>
Disabling Sequential Read Ahead using <userinput>vmtune -r 0</userinput> improves
samba performance significally.
Samba performance significantly.
</para>
</sect2>
</sect1>
@ -198,9 +198,9 @@ samba performance significally.
<title>Locking improvements</title>
<para>Some people have been experiencing problems with F_SETLKW64/fcntl
when running samba on solaris. The built in file locking mechanism was
when running Samba on Solaris. The built in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
get into loops of trying to lock a file. It woul try a lock, then fail,
get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would

6
docs/docbook/projdoc/Problems.xml
View File

@ -52,7 +52,7 @@ Some useful samba commands worth investigating:
</para>
<screen>
<prompt>$ </prompt><userinput>testparam | more</userinput>
<prompt>$ </prompt><userinput>testparm | more</userinput>
<prompt>$ </prompt><userinput>smbclient -L //{netbios name of server}</userinput>
</screen>
@ -155,7 +155,7 @@ Netmon installation.
</sect1>
<sect1>
<title>Useful URL's</title>
<title>Useful URLs</title>
<itemizedlist>
<listitem><para>See how Scott Merrill simulates a BDC behavior at
@ -240,7 +240,7 @@ smb.conf in their attach directory?</para></listitem>
</sect1>
<sect1>
<title>How to get off the mailinglists</title>
<title>How to get off the mailing lists</title>
<para>To have your name removed from a samba mailing list, go to the
same place you went to to get on it. Go to <ulink

28
docs/docbook/projdoc/ProfileMgmt.xml
View File

@ -68,7 +68,7 @@ This section documents how to configure Samba for MS Windows client profile supp
<title>NT4/200x User Profiles</title>
<para>
To support Windowns NT4/200x clients, in the [global] section of smb.conf set the
To support Windows NT4/200x clients, in the [global] section of smb.conf set the
following (for example):
</para>
@ -91,7 +91,7 @@ namely <filename>\\sambaserver\username\profile</filename>.
The <filename>\\N%\%U</filename> service is created automatically by the [homes] service. If you are using
a samba server for the profiles, you _must_ make the share specified in the logon path
browseable. Please refer to the man page for &smb.conf; in respect of the different
symantics of %L and %N, as well as %U and %u.
semantics of %L and %N, as well as %U and %u.
</para>
<note>
@ -186,7 +186,7 @@ There are three ways of doing this:
User Profiles\
Disable: Only Allow Local User Profiles
Disable: Prevent Roaming Profile Change from Propogating to the Server
Disable: Prevent Roaming Profile Change from Propagating to the Server
</programlisting>
</para> </listitem>
</varlistentry>
@ -500,13 +500,13 @@ profile on the MS Windows workstation as follows:
</procedure>
<para>
Done. You now have a profile that can be editted using the samba-3.0.0
Done. You now have a profile that can be edited using the samba-3.0.0
<command>profiles</command> tool.
</para>
<note>
<para>
Under NT/2K the use of mandotory profiles forces the use of MS Exchange
Under NT/2K the use of mandatory profiles forces the use of MS Exchange
storage of mail data. That keeps desktop profiles usable.
</para>
</note>
@ -627,7 +627,7 @@ select the tab labelled <guilabel>User Profiles</guilabel>.
Select a user profile you want to migrate and click on it.
</para>
<note><para>I am using the term &quot;migrate&quot; lossely. You can copy a profile to
<note><para>I am using the term &quot;migrate&quot; loosely. You can copy a profile to
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your samba
domain is not a member of a trust relationship with your NT4 PDC.</para></note>
@ -739,7 +739,7 @@ affect a mandatory profile.
<title>Creating/Managing Group Profiles</title>
<para>
Most organisations are arranged into departments. There is a nice benenfit in
Most organisations are arranged into departments. There is a nice benefit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
@ -889,7 +889,7 @@ the following steps are followed in respect of profile handling:
out to the location of the profile. The <filename>NTuser.DAT</filename> file is then
re-created from the contents of the <filename>HKEY_CURRENT_USER</filename> contents.
Thus, should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the
next logon, the effect of the provious <filename>NTConfig.POL</filename> will still be held
next logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held
in the profile. The effect of this is known as <emphasis>tatooing</emphasis>.
</para>
</step>
@ -973,7 +973,7 @@ The default entries are:
<row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row>
<row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row>
<row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row>
<row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</entry></row>
<row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>
@ -1024,7 +1024,7 @@ default profile.
</para>
<para>
On loging out, the users' desktop profile will be stored to the location specified in the registry
On logging out, the users' desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>.
@ -1149,7 +1149,7 @@ In which case, the local cache copy will be deleted on logout.
<title>Common Errors</title>
<para>
THe following are some typical errors/problems/questions that have been asked.
The following are some typical errors/problems/questions that have been asked.
</para>
<sect2>
@ -1236,7 +1236,7 @@ Your choices are:
<varlistentry>
<term>Group profiles</term>
<listitem><para>- loaded from a cetral place</para></listitem>
<listitem><para>- loaded from a central place</para></listitem>
</varlistentry>
<varlistentry>
@ -1256,11 +1256,11 @@ Your choices are:
<para>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
size. On average (in a well controlled environment) roaming profie size of
size. On average (in a well controlled environment) roaming profile size of
2MB is a good rule of thumb to use for planning purposes. In an
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it take an hour to log onto a workstation but they harvest
the fuits of folly (and ignorance).
the fruits of folly (and ignorance).
</para>
<para>

26
docs/docbook/projdoc/SWAT.xml
View File

@ -152,7 +152,7 @@ Modifications to the swat setup are as following:
</procedure>
<para>
afterwards simply contact to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
afterwords simply contact to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
and the SSL connection is up.
</para>
@ -169,7 +169,7 @@ document) as well as the O'Reilly book "Using Samba".
<para>
Administrators who wish to validate their samba configuration may obtain useful information
from the man pages for the diganostic utilities. These are available from the SWAT home page
from the man pages for the diagnostic utilities. These are available from the SWAT home page
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
useful is <command>ethereal</command>, available from <ulink url="http://www.ethereal.com">
http://www.ethereal.com</ulink>.
@ -178,7 +178,7 @@ http://www.ethereal.com</ulink>.
<warning><para>
SWAT can be configured to run in <emphasis>demo</emphasis> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
changes to smb.conf as well as general operation with root privilidges. The option that
changes to smb.conf as well as general operation with root privileges. The option that
creates this ability is the <option>-a</option> flag to swat. <emphasis>Do not use this in any
production environment.</emphasis>
</para></warning>
@ -223,7 +223,7 @@ your changes will be immediately lost.
<note><para>
SWAT has context sensitive help. To find out what each parameter is for simply click the
<guibutton>Help</guibutton> link to the left of the configurartion parameter.
<guibutton>Help</guibutton> link to the left of the configuration parameter.
</para></note>
</sect2>
@ -232,7 +232,7 @@ SWAT has context sensitive help. To find out what each parameter is for simply c
<title>Share Settings</title>
<para>
To affect a currenly configured share, simply click on the pull down button between the
To affect a currently configured share, simply click on the pull down button between the
<guibutton>Choose Share</guibutton> and the <guibutton>Delete Share</guibutton> buttons,
select the share you wish to operate on, then to edit the settings click on the
<guibutton>Choose Share</guibutton> button, to delete the share simply press the
@ -251,7 +251,7 @@ into the text field the name of the share to be created, then click on the
<title>Printers Settings</title>
<para>
To affect a currenly configured printer, simply click on the pull down button between the
To affect a currently configured printer, simply click on the pull down button between the
<guibutton>Choose Printer</guibutton> and the <guibutton>Delete Printer</guibutton> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<guibutton>Choose Printer</guibutton> button, to delete the share simply press the
@ -270,12 +270,12 @@ into the text field the name of the share to be created, then click on the
<title>The SWAT Wizard</title>
<para>
The purpose if the SWAT Wizard is to help the Microsoft knowledgable network administrator
The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
to configure Samba with a minimum of effort.
</para>
<para>
The Wizard page provides a tool for rewiting the smb.conf file in fully optimised format.
The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
This will also happen if you press the commit button. The two differ in the the rewrite button
ignores any changes that may have been made, while the Commit button causes all changes to be
affected.
@ -283,13 +283,13 @@ affected.
<para>
The <guibutton>Edit</guibutton> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working samba server.
options that may be necessary to create a working Samba server.
</para>
<para>
Finally, there are a limited set of options that will determine what type of server samba
Finally, there are a limited set of options that will determine what type of server Samba
will be configured for, whether it will be a WINS server, participate as a WINS client, or
operate with no WINS support. By clicking on one button you can elect to epose (or not) user
operate with no WINS support. By clicking on one button you can elect to expose (or not) user
home directories.
</para>
@ -321,8 +321,8 @@ free files that may be locked.
<title>The View Page</title>
<para>
This page allows the administrator to view the optimised &smb.conf; file and if you are
particularly massochistic will permit you also to see all possible global configuration
This page allows the administrator to view the optimised &smb.conf; file and, if you are
particularly masochistic, will permit you also to see all possible global configuration
parameters and their settings.
</para>

61
docs/docbook/projdoc/Samba-BDC-HOWTO.xml
View File

@ -10,16 +10,16 @@
<para>
Before you continue reading in this section, please make sure that you are comfortable
with configuring a Samba Domain Controller as described in the
<ulink url="Samba-PDC-HOWTO.html">Domain Control Chapter</ulink>.
<link linkend="samba-pdc">Domain Control</link> chapter.
</para>
<sect1>
<title>Features And Benefits</title>
<para>
This is one of the most difficult chapters to summarise. It matters not what we say here
This is one of the most difficult chapters to summarise. It does not matter what we say here
for someone will still draw conclusions and / or approach the Samba-Team with expectations
that are either not yet capable of being delivered, or that can be achieved for more
that are either not yet capable of being delivered, or that can be achieved far more
effectively using a totally different approach. Since this HOWTO is already so large and
extensive, we have taken the decision to provide sufficient (but not comprehensive)
information regarding Backup Domain Control. In the event that you should have a persistent
@ -46,7 +46,7 @@ The use of a non-LDAP backend SAM database is particularly problematic because D
servers and workstations periodically change the machine trust account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
as a BDC, the PDC instance of the Domain member trust account password will not reach the
as a BDC, the BDC instance of the Domain member trust account password will not reach the
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in
overwriting of the SAM that contains the updated (changed) trust account password with resulting
breakage of the domain trust.
@ -74,7 +74,7 @@ lets consider each possible option and look at the pro's and con's for each theo
</listitem>
<listitem><para>
Passdb Backend is tdbsam based, BDCs use cron based "net rcp vampire" to
Passdb Backend is tdbsam based, BDCs use cron based "net rpc vampire" to
suck down the Accounts database from the PDC
</para>
@ -131,7 +131,7 @@ provided this capability. The technology has become known as the LanMan Netlogon
</para>
<para>
When MS Windows NT3.10 was first released it supported an new style of Domain Control
When MS Windows NT3.10 was first released, it supported an new style of Domain Control
and with it a new form of the network logon service that has extended functionality.
This service became known as the NT NetLogon Service. The nature of this service has
changed with the evolution of MS Windows NT and today provides a very complex array of
@ -142,11 +142,11 @@ services that are implemented over a complex spectrum of technologies.
<title>MS Windows NT4 Style Domain Control</title>
<para>
Whenever a user logs into a Windows NT4 / 200x / XP Profresional Workstation,
Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate
the username and password that the user entered are valid. If the information entered
does not validate against the account information that has been stored in the Domain
Control database (the SAM, or Security Accounts Manager database) then a set of error
Control database (the SAM, or Security Account Manager database) then a set of error
codes is returned to the workstation that has made the authentication request.
</para>
@ -177,7 +177,7 @@ There are two situations in which it is desirable to install Backup Domain Contr
<itemizedlist>
<listitem><para>
On the local network that the Primary Domain Controller is on if there are many
On the local network that the Primary Domain Controller is on, if there are many
workstations and/or where the PDC is generally very busy. In this case the BDCs
will pick up network logon requests and help to add robustness to network services.
</para></listitem>
@ -198,7 +198,7 @@ has the PDC, the change will likely be made directly to the PDC instance of the
copy of the SAM. In the event that this update may be performed in a branch office the
change will likely be stored in a delta file on the local BDC. The BDC will then send
a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
request the delta from the BDC and apply it to the master SAM. THe PDC will then contact
request the delta from the BDC and apply it to the master SAM. The PDC will then contact
all the BDCs in the Domain and trigger them to obtain the update and then apply that to
their own copy of the SAM.
</para>
@ -237,7 +237,7 @@ parameters in the <parameter>[global]</parameter>-section of the &smb.conf; have
<para>
Several other things like a <parameter>[homes]</parameter> and a <parameter>[netlogon]</parameter> share also need to be set along with
settings for the profile path, the users home drive, etc.. This will not be covered in this
chapter, for more information please refer to the chapter on Domain Control.
chapter, for more information please refer to the chapter on <link linkend="samba-pdc">Domain Control</link>.
</para>
</sect3>
@ -251,7 +251,7 @@ As of the release of MS Windows 2000 and Active Directory, this information is n
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
act as a Backup Domain Contoller to an Active Directory Domain Controller.
act as a Backup Domain Controller to an Active Directory Domain Controller.
</para>
</sect2>
@ -280,7 +280,7 @@ by doing a NetBIOS name query for the group name SAMBA&lt;#1c&gt;. It assumes th
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller, for valdation.
password) to the local Domain Controller, for validation.
</para>
</sect2>
@ -306,8 +306,12 @@ Several things have to be done:
<para>
To retrieve the domain SID from the PDC or an existing BDC and store it in the
secrets.tdb, execute 'net rpc getsid' on the BDC.
</para></listitem>
secrets.tdb, execute:
</para>
<screen>
&rootprompt;<userinput>net rpc getsid</userinput>
</screen>
</listitem>
<listitem><para>
The Unix user database has to be synchronized from the PDC to the
@ -316,14 +320,18 @@ Several things have to be done:
whenever changes are made, or the PDC is set up as a NIS master
server and the BDC as a NIS slave server. To set up the BDC as a
mere NIS client would not be enough, as the BDC would not be able to
access its user database in case of a PDC failure.
access its user database in case of a PDC failure. NIS is by no means
the only method to synchronize passwords. An LDAP solution would work
as well.
</para>
</listitem>
<listitem><para>
The Samba password database in the file private/smbpasswd has to be
replicated from the PDC to the BDC. This is a bit tricky, see the
next section.
The Samba password database has to be replicated from the PDC to the BDC.
As said above, though possible to synchronise the <filename>smbpasswd</filename>
file with rsync and ssh, this method is broken and flawed, and is
therefore not recommended. A better solution is to set up slave LDAP
servers for each BDC and a master LDAP server for the PDC.
</para></listitem>
<listitem><para>
@ -378,7 +386,12 @@ are not copied back to the central server. The newer machine account password is
written when the SAM is copied from the PDC. The result is that the Domain member machine
on start up will find that it's passwords does not match the one now in the database and
since the startup security check will now fail, this machine will not allow logon attempts
to procede and the account expiry error will be reported.
to proceed and the account expiry error will be reported.
</para>
<para>
The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
an slave LDAP server for each BDC, and a master LDAP server for the PDC.
</para>
</sect2>
@ -418,10 +431,16 @@ has to be replicated to the BDC. So replicating the smbpasswd file very often is
As the smbpasswd file contains plain text password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
Ssh itself can be set up to accept *only* rsync transfer without requiring the user
Ssh itself can be set up to accept <emphasis>only</emphasis> rsync transfer without requiring the user
to type a password.
</para>
<para>
As said a few times before, use of this method is broken and flawed. Machine trust
accounts will go out of sync, resulting in a very broken domain. This method is
<emphasis>not</emphasis> recommended. Try using LDAP instead.
</para>
</sect2>
<sect2>

20
docs/docbook/projdoc/Samba-PDC-HOWTO.xml
View File

@ -33,7 +33,7 @@ that in some magical way is expected to solve all ills.
</para>
<para>
From the Samba mailing list one can readilly identify many common networking issues.
From the Samba mailing list one can readily identify many common networking issues.
If you are not clear on the following subjects, then it will do much good to read the
sections of this HOWTO that deal with it. These are the most common causes of MS Windows
networking problems:
@ -168,7 +168,7 @@ there can be multiple back-ends for this including:
<itemizedlist>
<listitem><para>
<emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
<emphasis>smbpasswd</emphasis> - the plain ASCII file stored used by
earlier versions of Samba. This file configuration option requires
a Unix/Linux system account for EVERY entry (ie: both for user and for
machine accounts). This file will be located in the <emphasis>private</emphasis>
@ -179,7 +179,7 @@ there can be multiple back-ends for this including:
<emphasis>tdbsam</emphasis> - a binary database backend that will be
stored in the <emphasis>private</emphasis> directory in a file called
<emphasis>passdb.tdb</emphasis>. The key benefit of this binary format
file is that it can store binary objects that can not be accomodated
file is that it can store binary objects that can not be accommodated
in the traditional plain text smbpasswd file. These permit the extended
account controls that MS Windows NT4 and later also have.
</para></listitem>
@ -255,7 +255,7 @@ database with Backup Domain Controllers.
<para>
With MS Windows 200x Server based Active Directory domains, one domain controller seeds a potential
hierachy of domain controllers, each with their own area of delegated control. The master domain
hierarchy of domain controllers, each with their own area of delegated control. The master domain
controller has the ability to override any down-stream controller, but a down-line controller has
control only over it's down-line. With Samba-3 this functionality can be implemented using an
LDAP based user and machine account back end.
@ -276,12 +276,12 @@ On a network segment that has a BDC and a PDC the BDC will be most likely to ser
logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
operation; the PDB and BDC must be manually configured and changes need to be made likewise.
operation; the PDC and BDC must be manually configured and changes need to be made likewise.
</para>
<para>
With MS Windows NT4, it is an install time decision what type of machine the server will be.
It is possible to change the promote a BDC to a PDC and vica versa only, but the only way
It is possible to change the promote a BDC to a PDC and vice versa only, but the only way
to convert a domain controller to a domain member server or a stand-alone server is to
reinstall it. The install time choices offered are:
</para>
@ -376,7 +376,7 @@ The following provisions are required to serve MS Windows 9x / Me Clients:
<member>Configuration of basic TCP/IP and MS Windows Networking</member>
<member>Correct designation of the Server Role (<parameter>security = user</parameter>)</member>
<member>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really particpate in the security aspects of Domain logons as such)</member>
members, they do not really participate in the security aspects of Domain logons as such)</member>
<member>Roaming Profile Configuration</member>
<member>Configuration of System Policy handling</member>
<member>Installation of the Network driver "Client for MS Windows Networks" and configuration
@ -542,7 +542,7 @@ an Active Directory Primary Domain Controller. The protocols for some of the fun
the Active Directory Domain Controllers is have been partially implemented on an experimental
only basis. Please do NOT expect Samba-3 to support these protocols - nor should you depend
on any such functionality either now or in the future. The Samba-Team may well remove such
experiemental features or may change their behaviour.
experimental features or may change their behaviour.
</para>
</sect1>
@ -569,7 +569,7 @@ must be set.
<title>Example Configuration</title>
<programlisting>
[globals]
[global]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)
@ -884,7 +884,7 @@ admin user system is working.
<para>
Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
correct for the machine trust account in smbpasswd file on the Samba PDC.
correct for the machine trust account in <filename>smbpasswd</filename> file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry

12
docs/docbook/projdoc/ServerType.xml
View File

@ -11,7 +11,7 @@
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what, within a Samba context, terms familiar to MS Windows
adminstrator mean. This means that it is essential also to define how critical security
administrator mean. This means that it is essential also to define how critical security
modes function BEFORE we get into the details of how to configure the server itself.
</para>
@ -31,7 +31,7 @@ features and benefits. These may be for or against Samba.
<para>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
hurt his toe and lodged in his sandle. He took the stone out and cursed it with a passion
hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
can turn that into a precious gem and some day it will make a princess very happy!
</para>
@ -92,7 +92,7 @@ So now, what are the benefits of features mentioned in this chapter?
<sect1>
<title>Server Types</title>
<para>Adminstrators of Microsoft networks often refer to three
<para>Administrators of Microsoft networks often refer to three
different type of servers:</para>
<itemizedlist>
@ -496,7 +496,7 @@ is encrypted in two ways:
</para></listitem>
<listitem><para>The password is converted to upper case,
and then padded or trucated to 14 bytes. This string is
and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56 bit DES keys to encrypt a "magic" 8 byte value.
The resulting 16 bytes form the LanMan hash.
@ -533,7 +533,7 @@ when using clear text authentication.
</para>
<para><programlisting>
<ulink url="smb.conf.5.html#PASSWORDLEVEL">passsword level</ulink> = <replaceable>integer</replaceable>
<ulink url="smb.conf.5.html#PASSWORDLEVEL">password level</ulink> = <replaceable>integer</replaceable>
<ulink url="smb.conf.5.html#USERNAMELEVEL">username level</ulink> = <replaceable>integer</replaceable>
</programlisting></para>
@ -576,7 +576,7 @@ made in a developmental test lab is expected.
<para>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting
a Samba implementation. Some are the result of misundertanding of the English language. The
a Samba implementation. Some are the result of misunderstanding of the English language. The
English language has many turns of phrase that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</para>

20
docs/docbook/projdoc/Speed.xml
View File

@ -29,7 +29,7 @@ SMB server.
If you want to test against something like a NT or WfWg server then
you will have to disable all but TCP on either the client or
server. Otherwise you may well be using a totally different protocol
(such as Netbeui) and comparisons may not be valid.
(such as NetBEUI) and comparisons may not be valid.
</para>
<para>
@ -217,12 +217,12 @@ performance. Check the sections on the various clients in
Hi everyone. I am running Gentoo on my server and samba 2.2.8a. Recently
I changed kernel version from linux-2.4.19-gentoo-r10 to
linux-2.4.20-wolk4.0s. And now I have performance issue with samba. Ok
many of you will probably say that move to vanilla sources...well I ried
many of you will probably say that move to vanilla sources...well I tried
it too and it didn't work. I have 100mb LAN and two computers (linux +
Windows2000). Linux server shares directory with DivX files, client
(windows2000) plays them via LAN. Before when I was running 2.4.19 kernel
everything was fine, but now movies freezes and stops...I tried moving
files between server and Windows and it's trerribly slow.
files between server and Windows and it's terribly slow.
</para>
<para>
@ -238,31 +238,31 @@ error, collisions, etc... look normal for ethernet.
<title>Corrupt tdb Files</title>
<para>
Well today it happend, our first major problem using samba.
Well today it happened, Our first major problem using samba.
Our samba PDC server has been hosting 3 TB of data to our 500+ users
[Windows NT/XP] for the last 3 years using samba, no problem.
But today all shares went SLOW; very slow. Also the main smbd kept
spawning new processes so we had 1600+ running smbd's (normally we avg. 250).
It crashed the SUN E3500 cluster twice. After alot of searching I
decided to <command>rm /var/locks/*.tbl</command>. Happy again.
It crashed the SUN E3500 cluster twice. After a lot of searching I
decided to <command>rm /var/locks/*.tdb</command>. Happy again.
</para>
<para>
Q1) Is there any method of keeping the *.tbl files in top condition or
Q1) Is there any method of keeping the *.tdb files in top condition or
how to early detect corruption?
</para>
<para>
A1) Yes, run <command>tdbbackup</command> each time after stoping nmbd and before starting nmbd.
A1) Yes, run <command>tdbbackup</command> each time after stopping nmbd and before starting nmbd.
</para>
<para>
Q2) What I also would like to mention is that the service latency seems
alot lower then before the locks cleanup, any ideas on keeping it top notch?
a lot lower then before the locks cleanup, any ideas on keeping it top notch?
</para>
<para>
A2) Yes! Samba answer as for Q1!
A2) Yes! Same answer as for Q1!
</para>
</sect1>

30
docs/docbook/projdoc/StandAloneServer.xml
View File

@ -5,10 +5,10 @@
<title>Stand-Alone Servers</title>
<para>
Stand-Alone servers are independant of Domain Controllers on the network.
Stand-Alone servers are independent of Domain Controllers on the network.
They are NOT domain members and function more like workgroup servers. In many
cases a stand-alone server is configured with a minimum of security control
with the intent that all data served will be readilly accessible to all users.
with the intent that all data served will be readily accessible to all users.
</para>
<sect1>
@ -53,25 +53,25 @@ USER mode.
<para>
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services. This means that machines that
use this server do NOT perform a domain log onto it. Whatever logon facility
the workstations are subject to is independant of this machine. It is however
necessary to accomodate any network user so that the logon name they use will
use this server do NOT perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is however
necessary to accommodate any network user so that the logon name they use will
be translated (mapped) locally on the stand-alone server to a locally known
user name. There are several ways this cane be done.
user name. There are several ways this can be done.
</para>
<para>
Samba tends to blur the distinction a little in respect of what is
a stand-alone server. This is because the authentication database may be
local or on a remote server, even if from the samba protocol perspective
the samba server is NOT a member of a domain security context.
local or on a remote server, even if from the Samba protocol perspective
the Samba server is NOT a member of a domain security context.
</para>
<para>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the samba server may use the local Unix/Linux system password database
This means that the Samba server may use the local Unix/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
local smbpasswd file, or may use
an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
@ -119,7 +119,7 @@ Unix system database. This is a very simple system to administer.
In the above example the machine name is set to REFDOCS, the workgroup is set to the name
of the local workgroup so that the machine will appear in with systems users are familiar
with. The only password backend required is the "guest" backend so as to allow default
unprivilidged account names to be used. Given that there is a WINS server on this network
unprivileged account names to be used. Given that there is a WINS server on this network
we do use it.
</para>
@ -141,11 +141,11 @@ on your system.
<listitem><para>
The print spooling and processing system on our print server will be CUPS.
(Please refer to the chapter on printing for more information).
(Please refer to the <link linkend="CUPS-printing">CUPS Printing</link> chapter for more information).
</para></listitem>
<listitem><para>
All printers will that the print server will service will be network
All printers that the print server will service will be network
printers. They will be correctly configured, by the administrator,
in the CUPS environment.
</para></listitem>
@ -159,12 +159,12 @@ on your system.
<para>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user two things will be required:
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
</para>
<itemizedlist>
<title>Enablement for Anonymous Printing</title>
<title>Enabling Anonymous Printing</title>
<listitem><para>
The Unix/Linux system must have a <command>guest</command> account.
The default for this is usually the account <command>nobody</command>.

2
docs/docbook/projdoc/UNIX_INSTALL.xml
View File

@ -73,7 +73,7 @@
<para>
Make sure you put the <filename>smb.conf</filename> file in the same place
you specified in the<filename>Makefile</filename> (the default is to
you specified in the <filename>Makefile</filename> (the default is to
look for it in <filename>/usr/local/samba/lib/</filename>).
</para>

2
docs/docbook/projdoc/VFS.xml
View File

@ -263,7 +263,7 @@ should be implied due to its presence here.
<para>
samba-vscan is a proof-of-concept module for Samba, which
uses the VFS (virtual file system) features of Samba 2.2.x/3.0
alphaX. Of couse, Samba has to be compiled with VFS support.
alphaX. Of course, Samba has to be compiled with VFS support.
samba-vscan supports various virus scanners and is maintained
by Rainer Link.
</para>

18
docs/docbook/projdoc/locking.xml
View File

@ -150,8 +150,8 @@ other processes.
The redirector sees that the file was opened with deny
none (allowing concurrent access), verifies that no
other process is accessing the file, checks that
oplocks are enabled, then grants deny-all/read-write/ex-
clusive access to the file. The client now performs
oplocks are enabled, then grants deny-all/read-write/exclusive
access to the file. The client now performs
operations on the cached local file.
</para>
@ -340,7 +340,7 @@ exposes the file to likely data corruption.
</para>
<para>
If files are shared between Windows clients, and either loca Unix
If files are shared between Windows clients, and either local Unix
or NFS users, then turn opportunistic locking off.
</para>
@ -543,7 +543,7 @@ Level1 Oplocks (aka just plain "oplocks") is another term for opportunistic lock
</para>
<para>
Level2 Oplocks provids opportunistic locking for a file that will be treated as
Level2 Oplocks provides opportunistic locking for a file that will be treated as
<emphasis>read only</emphasis>. Typically this is used on files that are read-only or
on files that the client has no initial intention to write to at time of opening the file.
</para>
@ -560,7 +560,7 @@ Unless your system supports kernel oplocks, you should disable oplocks if you ar
accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronisation of
the entire file (not just the single record), which will result in a noticable performance
the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
disable oplocks and tune your system from that point.
@ -583,7 +583,7 @@ measurable speed benefit on your network, it might not be worth the hassle of de
<title>Example Configuration</title>
<para>
In the following we examine two destinct aspects of samba locking controls.
In the following we examine two distinct aspects of Samba locking controls.
</para>
<sect3>
@ -940,8 +940,8 @@ our Knowledge Base.
<para>
In some sites locking problems surface as soon as a server is installed, in other sites
locking problems may not surface for a long time. Almost without exeception, when a locking
problem does surface it will cause embarassment and potential data corruption.
locking problems may not surface for a long time. Almost without exception, when a locking
problem does surface it will cause embarrassment and potential data corruption.
</para>
<para>
@ -995,7 +995,7 @@ so far:
</para>
<para>
Corrupted tdb. Stop all instancesd of smbd, delete locking.tdb, restart smbd.
Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.
</para>
</sect2>

88
docs/docbook/projdoc/passdb.xml
View File

@ -17,20 +17,20 @@
<title>Account Information Databases</title>
<para>
Samba-3 implements a new capability to work concurrently with mulitple account backends.
Samba-3 implements a new capability to work concurrently with multiple account backends.
The possible new combinations of password backends allows Samba-3 a degree of flexibility
and scalability that previously could be achieved only with MS Windows Active Directory.
This chapter describes the new functionality and how to get the most out of it.
</para>
<para>
In the course of development of Samba-3 a number of requests were received to provide the
In the course of development of Samba-3, a number of requests were received to provide the
ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide
matching Unix/Linux accounts. We called this the <emphasis>Non Unix Accounts (NUA)</emphasis>
capability. The intent was that an administrator could decide to use the <emphasis>tdbsam</emphasis>
backend and by simply specifying <emphasis>"passdb backend = tdbsam_nua, guest"</emphasis>
this would allow Samba-3 to implement a solution that did not use Unix accounts per se. Late
in the development cycle the team doing this work hit upon some obstacles that prevents this
in the development cycle, the team doing this work hit upon some obstacles that prevents this
solution from being used. Given the delays with Samba-3 release a decision was made to NOT
deliver this functionality until a better method of recognising NT Group SIDs from NT User
SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series.
@ -81,7 +81,7 @@ as follows:
</listitem>
</varlistentry>
<varlistentry><term>ldapsam_compat (Samba-2.2 LDAP Compatibilty):</term>
<varlistentry><term>ldapsam_compat (Samba-2.2 LDAP Compatibility):</term>
<listitem>
<para>
There is a password backend option that allows continued operation with
@ -140,13 +140,13 @@ Samba-3 introduces the following new password backend capabilities:
<varlistentry><term>ldapsam:</term>
<listitem>
<para>
This provides a rich directory backend for distributed account installation
This provides a rich directory backend for distributed account installation.
</para>
<para>
Samba-3 has a new and extended LDAP implementation that requires configuration
of OpenLDAP with a new format samba schema. The new format schema file is
included in the <filename>~samba/examples/LDAP</filename> directory.
included in the <filename class="directory">examples/LDAP</filename> directory of the Samba distribution.
</para>
<para>
@ -214,7 +214,7 @@ Samba-3 introduces the following new password backend capabilities:
</para>
<para>
These passwords can't be converted to unix style encrypted passwords. Because of that
These passwords can't be converted to unix style encrypted passwords. Because of that,
you can't use the standard unix user database, and you have to store the Lanman and NT
hashes somewhere else.
</para>
@ -361,10 +361,10 @@ Samba-3 introduces the following new password backend capabilities:
</para>
<para>
Firstly, all Samba SAM (Security Account Management database) accounts require
Firstly, all Samba SAM (Security Account Manager database) accounts require
a Unix/Linux UID that the account will map to. As users are added to the account
information database samba-3 will call the <parameter>add user script</parameter>
interface to add the account to the Samba host OS. In essence all accounts in
information database, Samba-3 will call the <parameter>add user script</parameter>
interface to add the account to the Samba host OS. In essence, all accounts in
the local SAM require a local user account.
</para>
@ -383,10 +383,10 @@ Samba-3 introduces the following new password backend capabilities:
<para>
Samba-3 provides two (2) tools for management of User and machine accounts. These tools are
called <filename>smbpasswd</filename> and <command>pdbedit</command>. A third tool is under
called <command>smbpasswd</command> and <command>pdbedit</command>. A third tool is under
development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will
be announced in time for samba-3.0.1 release timing.
be announced in time for the Samba-3.0.1 release.
</para>
<sect2>
<title>The <emphasis>smbpasswd</emphasis> Command</title>
@ -399,7 +399,7 @@ be announced in time for samba-3.0.1 release timing.
<para>
<command>smbpasswd</command> works in a client-server mode where it contacts the
local smbd to change the user's password on its behalf.This has enormous benefits
local smbd to change the user's password on its behalf. This has enormous benefits
as follows:
</para>
@ -556,11 +556,11 @@ backends of the same type. For example, to use two different tdbsam databases:
<title>Plain Text</title>
<para>
Older versions of samba retrieved user information from the unix user database
Older versions of Samba retrieved user information from the unix user database
and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
SMB specific data is stored at all. Instead all operations are conduected via the way
that the samba host OS will access it's <filename>/etc/passwd</filename> database.
SMB specific data is stored at all. Instead all operations are conducted via the way
that the Samba host OS will access its <filename>/etc/passwd</filename> database.
eg: On Linux systems that is done via PAM.
</para>
@ -570,8 +570,8 @@ backends of the same type. For example, to use two different tdbsam databases:
<title>smbpasswd - Encrypted Password Database</title>
<para>
Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">"encrypt
passwords = yes"</ulink> in Samba's <filename>smb.conf</filename> file, user account
Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt
passwords = yes</ulink> in Samba's <filename>smb.conf</filename> file, user account
information such as username, LM/NT password hashes, password change times, and account
flags have been stored in the <filename>smbpasswd(5)</filename> file. There are several
disadvantages to this approach for sites with very large numbers of users (counted
@ -625,10 +625,10 @@ backends of the same type. For example, to use two different tdbsam databases:
</para>
<para>
As a general guide the Samba-Team do NOT recommend using the tdbsam backend for sites
As a general guide the Samba-Team does NOT recommend using the tdbsam backend for sites
that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
in sites that require PDB/BDC implmentations that requires replication of the account
database. Clearly, for reason of scalability the use of ldapsam should be encouraged.
in sites that require PDB/BDC implementations that requires replication of the account
database. Clearly, for reason of scalability, the use of ldapsam should be encouraged.
</para>
</sect2>
@ -658,6 +658,13 @@ backends of the same type. For example, to use two different tdbsam databases:
more about configuration and administration of an OpenLDAP server.
</para>
<note>
<para>
This section is outdated for Samba-3 schema. Samba-3 introduces a new schema
that has not been documented at the time of this publication.
</para>
</note>
<para>
This document describes how to use an LDAP directory for storing Samba user
account information traditionally stored in the smbpasswd(5) file. It is
@ -709,7 +716,7 @@ backends of the same type. For example, to use two different tdbsam databases:
<para>
<programlisting>
objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba Auxilary Account'
DESC 'Samba Auxiliary Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
@ -791,7 +798,7 @@ include /etc/openldap/schema/nis.schema
</para>
<para>
It is recommended that you maintain some indices on some of the most usefull attributes,
It is recommended that you maintain some indices on some of the most useful attributes,
like in the following example, to speed up searches made on sambaSamAccount objectclasses
(and possibly posixAccount and posixGroup as well).
</para>
@ -907,7 +914,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<note>
<para>
Before Samba can access the LDAP server you need to stoe the LDAP admin password
Before Samba can access the LDAP server you need to store the LDAP admin password
into the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
&rootprompt; <userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
@ -976,7 +983,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
ldap delete dn = no
# the machine and user suffix added to the base suffix
# wrote WITHOUT quotes. NULL siffixes by default
# wrote WITHOUT quotes. NULL suffixes by default
ldap user suffix = ou=People
ldap machine suffix = ou=Systems
@ -998,13 +1005,13 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<title>Accounts and Groups management</title>
<para>
As users accounts are managed thru the sambaSamAccount objectclass, you should
As users accounts are managed through the sambaSamAccount objectclass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</para>
<para>
Machines accounts are managed with the sambaSamAccount objectclass, just
like users accounts. However, it's up to you to store thoses accounts
like users accounts. However, it's up to you to store those accounts
in a different tree of your LDAP namespace: you should use
"ou=Groups,dc=plainjoe,dc=org" to store groups and
"ou=People,dc=plainjoe,dc=org" to store users. Just configure your
@ -1013,8 +1020,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
</para>
<para>
In Samba release 3.0, the group management system is based on posix
groups. This means that Samba makes usage of the posixGroup objectclass.
In Samba release 3.0, the group management system is based on POSIX
groups. This means that Samba makes use of the posixGroup objectclass.
For now, there is no NT-like group system management (global and local
groups).
</para>
@ -1090,9 +1097,9 @@ access to attrs=lmPassword,ntPassword
<tgroup cols="2" align="left">
<tbody>
<row><entry><constant>lmPassword</constant></entry><entry>the LANMAN password 16-byte hash stored as a character
representation of a hexidecimal string.</entry></row>
representation of a hexadecimal string.</entry></row>
<row><entry><constant>ntPassword</constant></entry><entry>the NT password hash 16-byte stored as a character
representation of a hexidecimal string.</entry></row>
representation of a hexadecimal string.</entry></row>
<row><entry><constant>pwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>lmPassword</constant> and <constant>ntPassword</constant> attributes were last set.
</entry></row>
@ -1293,7 +1300,8 @@ access to attrs=lmPassword,ntPassword
for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
contains the correct queries to create the required tables. Use the command :
<screen><prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> &gt; <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput></screen>
<screen><prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> \
<replaceable>databasename</replaceable> &lt; <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput></screen>
</para>
</sect3>
@ -1315,7 +1323,7 @@ access to attrs=lmPassword,ntPassword
</para>
<para>
Additional options can be given thru the &smb.conf; file in the <parameter>[global]</parameter> section.
Additional options can be given through the &smb.conf; file in the <parameter>[global]</parameter> section.
</para>
<para>
@ -1339,14 +1347,14 @@ access to attrs=lmPassword,ntPassword
<warning>
<para>
Since the password for the mysql user is stored in the
Since the password for the MySQL user is stored in the
&smb.conf; file, you should make the the &smb.conf; file
readable only to the user that runs samba. This is considered a security
readable only to the user that runs Samba This is considered a security
bug and will be fixed soon.
</para>
</warning>
<para>Names of the columns in this table(I've added column types those columns should have first):</para>
<para>Names of the columns in this table (I've added column types those columns should have first):</para>
<para>
<table frame="all">
@ -1449,7 +1457,7 @@ access to attrs=lmPassword,ntPassword
</para>
<para>
<prompt>$ </prompt><userinput>pdbedit -e xml:filename</userinput>
<prompt>$ </prompt> <userinput>pdbedit -e xml:filename</userinput>
</para>
<para>
@ -1458,7 +1466,7 @@ access to attrs=lmPassword,ntPassword
<para>
To import data, use:
<prompt>$ </prompt><userinput>pdbedit -i xml:filename</userinput>
<prompt>$ </prompt> <userinput>pdbedit -i xml:filename</userinput>
</para>
</sect2>
</sect1>
@ -1470,7 +1478,7 @@ access to attrs=lmPassword,ntPassword
<title>Users can not logon - Users not in Samba SAM</title>
<para>
People forget to put their users in their backend and then complain samba won't authorize them.
People forget to put their users in their backend and then complain Samba won't authorize them.
</para>
</sect2>
@ -1479,7 +1487,7 @@ access to attrs=lmPassword,ntPassword
<title>Users are being added to the wrong backend database</title>
<para>
A few complaints have been recieved from users that just moved to samba-3. The following
A few complaints have been received from users that just moved to Samba-3. The following
&smb.conf; file entries were causing problems, new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</para>

56
docs/docbook/projdoc/printer_driver2.xml
View File

@ -36,7 +36,7 @@ install drivers and printers through their familiar "Point'n'Print"
mechanism. Printer installations executed by "Logon Scripts" are no
problem. Administrators can upload and manage drivers to be used by
clients through the familiar "Add Printer Wizard". As an additional
benefit, driver and printer management may be run from the commandline
benefit, driver and printer management may be run from the command line
or through scripts, making it more efficient in case of large numbers
of printers. If a central accounting of print jobs (tracking every
single page and supplying the raw data for all sorts of statistical
@ -113,7 +113,7 @@ to the UNIX print subsystem's spooling area</para></listitem>
<listitem><para>The Unix print subsystem processes the print
job</para></listitem>
<listitem><para>The printfile may need to be explicitely deleted
<listitem><para>The printfile may need to be explicitly deleted
from the Samba spooling area.</para></listitem>
</orderedlist>
@ -532,7 +532,7 @@ line consisting of, for example,
</para>
<para><screen>
printing =lprng #This defines LPRng as the printing system"
printing = lprng #This defines LPRng as the printing system"
</screen></para>
<para>
@ -804,7 +804,7 @@ yes</parameter>. Since we have <parameter>guest ok = yes</parameter>,
it really doesn't need to be here! (This leads to the interesting
question: <quote>What, if I by accident have to contradictory settings
for the same share?</quote> The answer is: the last one encountered by
Sambe wins. The "winner" is shown by testparm. Testparm doesn't
Samba wins. The "winner" is shown by testparm. Testparm doesn't
complain about different settings of the same parameter for the same
share! You can test this by setting up multiple lines for the "guest
account" parameter with different usernames, and then run testparm to
@ -1207,7 +1207,7 @@ server to have printers listed in the Printers folder which are
<emphasis>not</emphasis> shared. Samba does not make this
distinction. By definition, the only printers of which Samba is aware
are those which are specified as shares in
. The reason is that Windows NT/2k/XPprof
. The reason is that Windows NT/200x/XP Professional
clients do not normally need to use the standard SMB printer share;
rather they can print directly to any printer on another Windows NT
host using MS-RPC. This of course assumes that the printing client has
@ -1250,7 +1250,7 @@ different means:
<itemizedlist>
<listitem><para>running the <emphasis>APW</emphasis> on an
NT/2k/XPprof client (this doesn't work from 95/98/ME
NT/200x/XP Professional client (this doesn't work from 95/98/ME
clients);</para></listitem>
<listitem><para>using the <emphasis>Imprints</emphasis>
@ -1269,7 +1269,7 @@ etc.).</para></listitem>
Please take additional note of the following fact: <emphasis>Samba
does not use these uploaded drivers in any way to process spooled
files</emphasis>. Drivers are utilized entirely by the clients, who
download and install them via the "Point 'n'Print" mechanism supported
download and install them via the "Point'n'Print" mechanism supported
by Samba. The clients use these drivers to generate print files in the
format the printer (or the Unix print system) requires. Print files
received by Samba are handed over to the Unix printing system, which
@ -1318,7 +1318,7 @@ clients are thrown aside now. They can use Samba's
In order to support the up- and downloading of printer driver files,
you must first configure a file share named
<parameter>[print$]</parameter>. The "public" name of this share is
hard coded in Samba's internals (because it is hardcoded in the MS
hard coded in Samba's internals (because it is hard coded in the MS
Windows clients too). It cannot be renamed since Windows clients are
programmed to search for a service of exactly this name if they want
to retrieve printer driver files.
@ -1508,7 +1508,7 @@ You have successfully created the <parameter>[print$]</parameter>
share in ? And Samba has re-read its
configuration? Good. But you are not yet ready to take off. The
<emphasis>driver files</emphasis> need to be present in this share,
too! So far it is still an empty share. Unfortunatly, it is not enough
too! So far it is still an empty share. Unfortunately, it is not enough
to just copy the driver files over. They need to be <emphasis>set
up</emphasis> too. And that is a bit tricky, to say the least. We
will now discuss two alternative ways to install the drivers into
@ -1571,7 +1571,7 @@ either:
</para>
<itemizedlist>
<listitem><para>select a driver from the popup list of installed
<listitem><para>select a driver from the pop-up list of installed
drivers. <emphasis>Initially this list will be empty.</emphasis>
Or</para></listitem>
@ -1582,7 +1582,7 @@ APW).</para></listitem>
<para>
Once the APW is started, the procedure is exactly the same as the one
you are familiar with in Wiindows (we assume here that you are
you are familiar with in Windows (we assume here that you are
familiar with the printer driver installations procedure on Windows
NT). Make sure your connection is in fact setup as a user with
<parameter>printer admin</parameter> privileges (if in doubt, use
@ -1620,7 +1620,7 @@ and collecting the files together;</para></listitem>
(possibly by using <command>smbclient</command>);</para></listitem>
<listitem><para>running the <command>rpcclient</command>
commandline utility once with the <command>addriver</command>
commandline utility once with the <command>adddriver</command>
subcommand,</para></listitem>
<listitem><para>running <command>rpcclient</command> a second
@ -1746,7 +1746,7 @@ access them will be
<filename>\\WINDOWSHOST\print$\WIN40\0\</filename>.
</para>
<note><para> more recent drivers on Windows 2000 and Wndows XP are
<note><para> more recent drivers on Windows 2000 and Windows XP are
installed into the "3" subdirectory instead of the "2". The version 2
of drivers, as used in Windows NT, were running in Kernel Mode.
Windows 2000 changed this. While it still can use the Kernel Mode
@ -1980,7 +1980,7 @@ again, for readability:
<para>
After this step the driver should be recognized by Samba on the print
server. You need to be very carefull when typing the command. Don't
server. You need to be very careful when typing the command. Don't
exchange the order of the fields. Some changes would lead to a
<computeroutput>NT_STATUS_UNSUCCESSFUL</computeroutput> error
message. These become obvious. Other changes might install the driver
@ -2062,12 +2062,12 @@ files by at least three methods:
<itemizedlist>
<listitem><para>from any Windows client browse Network Neighbourhood,
finde the Samba host and open the Samba <guiicon>Printers and
find the Samba host and open the Samba <guiicon>Printers and
Faxes</guiicon> folder. Select any printer icon, right-click and
select the printer <guimenuitem>Properties</guimenuitem>. Click on the
<guilabel>Advanced</guilabel> tab. Here is a field indicating the
driver for that printer. A drop down menu allows you to change that
driver (be carefull to not do this unwittingly.). You can use this
driver (be careful to not do this unwittingly.). You can use this
list to view all drivers know to Samba. Your new one should be amongst
them. (Each type of client will only see his own architecture's
list. If you don't have every driver installed for each platform, the
@ -2115,7 +2115,7 @@ have to repeat the whole procedure with the WIN40 architecture and subdirectory.
</sect3>
<sect3>
<title>A sidenote: you are not bound to specific driver names</title>
<title>A side note: you are not bound to specific driver names</title>
<para>
You can name the driver as you like. If you repeat the
@ -2154,7 +2154,7 @@ repeatedly. Each run "consumes" the files you had put into the
<parameter>[print$]</parameter> share by moving them into the
respective subdirectories. So you <emphasis>must</emphasis> precede an
<command>smbclient ... put</command> command before each
<command>rpcclient ... addriver</command>" command.
<command>rpcclient ... adddriver</command>" command.
</para>
</sect3>
@ -2183,7 +2183,7 @@ name I intended:
<para><screen>
&rootprompt;<userinput>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <replaceable>SAMBA-CUPS</replaceable></userinput>
cmd = setdriver dm9110 dm9110
Succesfully set dm9110 to driver dm9110.
Successfully set dm9110 to driver dm9110.
</screen></para>
<para>
@ -2207,7 +2207,7 @@ signal to all running smbd processes to work around this:
</sect1>
<sect1>
<title>"The Proof of the Pudding lies in the Eating" (Client Driver Insta
<title>"The Proof of the Pudding lies in the Eating" (Client Driver Install
Procedure)</title>
<para>
@ -2508,7 +2508,7 @@ now. You <emphasis>may</emphasis> have tried to download and use it
onto your first client machine now. But wait... let's make you
acquainted first with a few tips and tricks you may find useful. For
example, suppose you didn't manage to "set the defaults" on the
printer, as advised in the preceeding paragraphs? And your users
printer, as advised in the preceding paragraphs? And your users
complain about various issues (such as <quote>We need to set the paper
size for each job from Letter to A4 and it won't store it!</quote>)
</para>
@ -2612,8 +2612,8 @@ defaults, you need to conduct these steps as administrator
(<parameter>printer admin</parameter> in )
<emphasis>before</emphasis> a client downloads the driver (the clients
can later set their own <emphasis>per-user defaults</emphasis> by
following the procedures<emphasis>A.</emphasis>
or<emphasis>B.</emphasis> above...). (This is new: Windows 2000 and
following the procedures <emphasis>A.</emphasis>
or <emphasis>B.</emphasis> above...). (This is new: Windows 2000 and
Windows XP allow <emphasis>per-user</emphasis> default settings and
the ones the administrator gives them, before they set up their own).
The "parents" of the identically looking dialogs have a slight
@ -2753,7 +2753,7 @@ empty string where the driver should have been listed (between the 2
commas in the "description" field). After the
<command>setdriver</command> command succeeded, all is well. (The
CUPS Printing chapter has more info about the installation of printer
drivers with the help of <command>rpccclient</command>).
drivers with the help of <command>rpcclient</command>).
</para>
</sect2>
@ -3326,15 +3326,15 @@ in.</para></listitem>
<listitem><para>Line 3 sets the default printer to this new network
printer (there might be several other printers installed with this
same method and some may be local as well -- so we deside for a
same method and some may be local as well -- so we decide for a
default printer). The default printer selection may of course be
different for different users.</para></listitem>
</itemizedlist>
<para>
Note that the second line only works if the printer
<emphasis>infotec2105-PS</emphasis> has an already working printqueue
on "sambacupsserver", and if the printer drivers have sucessfully been
<emphasis>infotec2105-PS</emphasis> has an already working print queue
on "sambacupsserver", and if the printer drivers have successfully been
uploaded (via <command>APW</command> ,
<command>smbclient/rpcclient</command> or
<command>cupsaddsmb</command>) into the
@ -3414,7 +3414,7 @@ driver file</parameter>", " <parameter>printer driver</parameter>" and
supported.</para></listitem>
<listitem><para>If you want to take advantage of WinNT printer driver
support you also need to migrate theWin9x/ME drivers to the new
support you also need to migrate the Win9x/ME drivers to the new
setup.</para></listitem>
<listitem><para>An existing <filename>printers.def</filename> file

2
docs/docbook/projdoc/samba-doc.xml
View File

@ -34,7 +34,7 @@ or without their knowledge contributed to this update. The size and scope of thi
project would not have been possible without significant community contribution. A not
insignificant number of ideas for inclusion (if not content itself) has been obtained
from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
Please keep publishing your Unofficial HOWTO's - they are a source of inspiration and
Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
application knowledge that is most to be desired by many Samba users and administrators.
</para>

4
docs/docbook/projdoc/securing-samba.xml
View File

@ -284,7 +284,7 @@ is discovered.
<para>
If all of samba and host platform configuration were really as intuitive as one might like then this
section would not be necessary. Security issues are often vexing for a support person to resolve, not
because of the complexity of the problem, but for reason that most admininstrators who post what turns
because of the complexity of the problem, but for reason that most administrators who post what turns
out to be a security problem request are totally convinced that the problem is with Samba.
</para>
@ -319,7 +319,7 @@ out to be a security problem request are totally convinced that the problem is w
<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* elses home directory!
*anyone* else's home directory!
</quote></para>
<para>

4
docs/docbook/projdoc/unicode.xml
View File

@ -32,7 +32,7 @@ special mention. For more information about Openi18n please refer to:
<para>
Samba-2.x supported a single locale through a mechanism called
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truely trans-global
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly trans-global
file and printer sharing platform.
</para>
@ -70,7 +70,7 @@ communicating.
</para>
<para>Old windows clients used to use single-byte charsets, named
'codepages' by microsoft. However, there is no support for
'codepages' by Microsoft. However, there is no support for
negotiating the charset to be used in the smb protocol. Thus, you
have to make sure you are using the same charset when talking to an old client.
Newer clients (Windows NT, 2K, XP) talk unicode over the wire.

14
docs/docbook/projdoc/winbind.xml
View File

@ -388,7 +388,7 @@ somewhat to fit the way your distribution works.
<title>Requirements</title>
<para>
If you have a samba configuration file that you are currently
If you have a Samba configuration file that you are currently
using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
<emphasis>back up the <filename>/etc/pam.d</filename> directory
contents!</emphasis> If you haven't already made a boot disk,
@ -396,8 +396,8 @@ contents!</emphasis> If you haven't already made a boot disk,
</para>
<para>
Messing with the pam configuration files can make it nearly impossible
to log in to yourmachine. That's why you want to be able to boot back
Messing with the PAM configuration files can make it nearly impossible
to log in to your machine. That's why you want to be able to boot back
into your machine in single user mode and restore your
<filename>/etc/pam.d</filename> back to the original state they were in if
you get frustrated with the way things are going. ;-)
@ -491,7 +491,7 @@ I also found it necessary to make the following symbolic link:
&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
</para>
<para>And, in the case of Sun solaris:</para>
<para>And, in the case of Sun Solaris:</para>
<screen>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
@ -823,9 +823,9 @@ stop() {
<sect4>
<title>Solaris</title>
<para>Winbind doesn't work on solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
<para>Winbind doesn't work on Solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
<para>On solaris, you need to modify the
<para>On Solaris, you need to modify the
<filename>/etc/init.d/samba.server</filename> startup script. It usually
only starts smbd and nmbd but should now start winbindd too. If you
have samba installed in <filename>/usr/local/samba/bin</filename>,
@ -944,7 +944,7 @@ modules reside in <filename>/usr/lib/security</filename>.
<para>
The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
just left this fileas it was:
just left this file as it was:
</para>