mirror of https://github.com/samba-team/samba.git synced 2025-01-14 19:24:43 +03:00

Convert README.Win32-Viruses DHCP-Server-Configuration and Faxing to SGML...

(This used to be commit 68a18e1a9ea44d7f0d84de5a23eef9d9a7568cbc)
Jelmer Vernooij 2002-10-04 18:02:51 +00:00
parent 2f57636fcf
commit 7f58076bf7
6 changed files with 70 additions and 521 deletions

View File

@ -1,57 +0,0 @@
While this article is specific to the Nimda worm,
the information can be applied to preventing the spread
of many Win32 viruses. Thanks to the Samba Users Group of Japan
(SUGJ) for this article.
===============================================================================
Steps against Nimba Worm for Samba
Author: HASEGAWA Yosuke
Translator: TAKAHASHI Motonobu <monyo@samba.gr.jp>
The information in this article applies to
Samba 2.0.x
Samba 2.2.x
Windows 95/98/Me/NT/2000
SYMPTOMS
This article describes measures against Nimba Worm for Samba
server.
DESCRIPTION
Nimba Worm is infected through shared disks on a network, as well as through
Microsoft IIS, Internet Explorer and mailer of Outlook series.
At this time, the worm copies itself by the name *.nws and *.eml on
the shared disk, moreover, by the name of Riched20.dll in the folder
where *.doc file is included.
To prevent infection through the shared disk offered by Samba, set
up as follows:
-----
[global]
...
# This can break Administration installations of Office2k.
# in that case, don't veto the riched20.dll
veto files = /*.eml/*.nws/riched20.dll/
-----
By setting the "veto files" parameter, matched files on the Samba
server are completely hidden from the clients and making it impossible
to access them at all.
In addition to it, the following setting is also pointed out by the
samba-jp:09448 thread: when the
"readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" file exists on
a Samba server, it is visible only as "readme.txt" and dangerous
code may be executed if this file is double-clicked.
Setting the following,
-----
veto files = /*.{*}/
-----
any files having CLSID in its file extension will be inaccessible from any
clients.
This technical article is created based on the discussion of
samba-jp:09448 and samba-jp:10900 threads.
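Review bot: The two "veto files" settings in this removed README are shown as separate assignments, and a reader who puts both into [global] ends up with only the last one in effect, because a repeated smb.conf parameter replaces the earlier value. The SGML version should show a single combined line, veto files = /*.eml/*.nws/riched20.dll/*.{*}/, and keep the Office2k caveat next to it. It should also use one spelling of the worm's name: the title and body here say "Nimba", while the introduction and the new FAQ entry 5.1 say "Nimda".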

View File

@ -3,6 +3,7 @@
<!ENTITY install SYSTEM "install.sgml">
<!ENTITY errors SYSTEM "errors.sgml">
<!ENTITY clientapp SYSTEM "clientapp.sgml">
<!ENTITY features SYSTEM "features.sgml">
]>
<book id="Samba-FAQ">
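Review bot: The new entity declaration for "features" points at features.sgml, but none of the file diffs shown on this page adds that file, so the book will not build unless it was committed separately. Please confirm features.sgml is in the tree, or include it in this commit together with the &features; reference added in the next hunk.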
@ -30,4 +31,5 @@ and the old samba text documents which were mostly written by John Terpstra.
&install;
&clientapp;
&errors;
&features;
</book>

View File

@ -11,7 +11,10 @@ TITLE="Samba FAQ"
HREF="samba-faq.html"><LINK
REL="PREVIOUS"
TITLE="Specific client application problems"
HREF="clientapp.html"></HEAD
HREF="clientapp.html"><LINK
REL="NEXT"
TITLE="Features"
HREF="features.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
@ -52,7 +55,11 @@ VALIGN="bottom"
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
>&nbsp;</TD
><A
HREF="features.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
@ -196,7 +203,11 @@ ACCESSKEY="H"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>&nbsp;</TD
><A
HREF="features.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
@ -213,7 +224,7 @@ VALIGN="top"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>&nbsp;</TD
>Features</TD
></TR
></TABLE
></DIV

View File

@ -197,6 +197,59 @@ HREF="errors.html#AEN206"
></DT
></DL
></DD
><DT
>5. <A
HREF="features.html"
>Features</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="features.html#AEN217"
>How can I prevent my samba server from being used to distribute the Nimda worm?</A
></DT
><DT
>5.2. <A
HREF="features.html#AEN231"
>How can I use samba as a fax server?</A
></DT
><DD
><DL
><DT
>5.2.1. <A
HREF="features.html#AEN242"
>Tools for printing faxes</A
></DT
><DT
>5.2.2. <A
HREF="features.html#AEN252"
>Making the fax-server</A
></DT
><DT
>5.2.3. <A
HREF="features.html#AEN268"
>Installing the client drivers</A
></DT
><DT
>5.2.4. <A
HREF="features.html#AEN282"
>Example smb.conf</A
></DT
></DL
></DD
><DT
>5.3. <A
HREF="features.html#AEN286"
>Samba doesn't work well together with DHCP!</A
></DT
><DT
>5.4. <A
HREF="features.html#AEN299"
>How can I assign NetBIOS names to clients with DHCP?</A
></DT
></DL
></DD
></DL
></DIV
></DIV
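Review bot: The new table-of-contents entries link to auto-numbered anchors (features.html#AEN217, #AEN231, #AEN242 and so on), which are renumbered whenever the SGML is regenerated with any earlier element added or removed. Giving the FAQ sections explicit id attributes in the SGML source would keep these links, and any external links to the Nimda and DHCP answers, stable across rebuilds.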

View File

@ -1,240 +0,0 @@
Subject: DHCP Server Configuration for SMB Clients
Date: March 1, 1998
Updated: May 15, 2001
Contributor: John H Terpstra <jht@samba.org>
Support: This is an unsupported document. Refer to documentation that is
supplied with the ISC DHCP Server. Do NOT email the contributor
for ANY assistance.
===============================================================================
Background:
===========
We wish to help those folks who wish to use the ISC DHCP Server and provide
sample configuration settings. Most operating systems today come ship with
the ISC DHCP Server. ISC DHCP is available from:
ftp://ftp.isc.org/isc/dhcp
Incorrect configuration of MS Windows clients (Windows9X, Windows ME, Windows
NT/2000) will lead to problems with browsing and with general network
operation. Windows 9X/ME users often report problems where the TCP/IP and related
network settings will inadvertantly become reset at machine start-up resulting
in loss of configuration settings. This results in increased maintenance
overheads as well as serious user frustration.
In recent times users on one mailing list incorrectly attributed the cause of
network operating problems to incorrect configuration of Samba.
One user insisted that the only way to provent Windows95 from periodically
performing a full system reset and hardware detection process on start-up was
to install the NetBEUI protocol in addition to TCP/IP. This assertion is not
correct.
In the first place, there is NO need for NetBEUI. All Microsoft Windows clients
natively run NetBIOS over TCP/IP, and that is the only protocol that is
recognised by Samba. Installation of NetBEUI and/or NetBIOS over IPX will
cause problems with browse list operation on most networks. Even Windows NT
networks experience these problems when incorrectly configured Windows95
systems share the same name space. It is important that only those protocols
that are strictly needed for site specific reasons should EVER be installed.
Secondly, and totally against common opinion, DHCP is NOT an evil design but is
an extension of the BOOTP protocol that has been in use in Unix environments
for many years without any of the melt-down problems that some sensationalists
would have us believe can be experienced with DHCP. In fact, DHCP in covered by
rfc1541 and is a very safe method of keeping an MS Windows desktop environment
under control and for ensuring stable network operation.
Please note that MS Windows systems as of MS Windows NT 3.1 and MS Windows 95
store all network configuration settings a registry. There are a few reports
from MS Windows network administrators that warrant mention here. It would appear
that when one sets certain MS TCP/IP protocol settings (either directly or via
DHCP) that these do get written to the registry. Even though a subsequent
change of setting may occur the old value may persist in the registry. This
has been known to create serious networking problems.
An example of this occurs when a manual TCP/IP environment is configured to
include a NetBIOS Scope. In this event, when the administrator then changes the
configuration of the MS TCP/IP protocol stack, without first deleting the
current settings, by simply checking the box to configure the MS TCP/IP stack
via DHCP then the NetBIOS Scope that is still persistent in the registry WILL be
applied to the resulting DHCP offered settings UNLESS the DHCP server also sets
a NetBIOS Scope. It may therefore be prudent to forcibly apply a NULL NetBIOS
Scope from your DHCP server. The can be done in the dhcpd.conf file with the
parameter:
option netbios-scope "";
While it is true that the Microsoft DHCP server that comes with Windows NT
Server provides only a sub-set of rfc1533 functionality this is hardly an issue
in those sites that already have a large investment and commitment to Unix
systems and technologies. The current state of the art of the DHCP Server
specification in covered in rfc2132.
This document aims to provide enough background information so that the
majority of site can without too much hardship get the Internet Software
Consortium's (ISC) DHCP Server into operation. The key benefits of using DHCP
includes:
1) Automated IP Address space management and maximised re-use of available IP
Addresses,
2) Automated control of MS Windows client TCP/IP network configuration,
3) Automatic recovery from start-up and run-time problems with Windows95.
Client Configuration for SMB Networking:
========================================
SMB network clients need to be configured so that all standard TCP/IP name to
address resolution works correctly. Once this has been achieved the SMB
environment provides additional tools and services that act as helper agents in
the translation of SMB (NetBIOS) names to their appropriate IP Addresses. One
such helper agent is the NetBIOS Name Server (NBNS) or as Microsoft called it
in their Windows NT Server implementation WINS (Windows Internet Name Server).
A client needs to be configured so that it has a unique Machine (Computer)
Name.
This can be done, but needs a few NT registry hacks and you need to be able to
speak UNICODE, which is of course no problem for a True Wizzard(tm) :)
Instructions on how to do this (including a small util for less capable
Wizzards) can be found at
http://www.unixtools.org/~nneul/sw/nt/dhcp-netbios-hostname.html
All remaining TCP/IP networking parameters can be assigned via DHCP. These include:
a) IP Address,
b) Netmask,
c) Gateway (Router) Address,
d) DNS Domain Name,
e) DNS Server addresses,
f) WINS (NBNS) Server addresses,
g) IP Forwarding,
h) Timezone offset,
i) Node Type,
j) NetBIOS Scope
Other assignments can be made from a DHCP server too, but the above cover the
major needs.
Note: IF ever an entry has has been made to the NetBIOS Scope field of the
TCP/IP configuration panel on an MS Windows machine, and it has then been
committed, then that setting may become persistent. In such a c ase it is better
to configure the DHCP server with a NetBIOS Scope consisting of an empty string
(ie: A NULL scope).
DHCP Server Installation:
=========================
It is assumed that you will have obtained a copy of the GPL'd ISC DHCP server
source files from ftp://ftp.isc.org/isc/dhcp, it is also assumed that you have
compiled the sources and have installed the binary files.
The following simply serves to provide sample configuration files to enable
dhcpd to operate. The sample files assume that your site is configured to use
private IP network address space using the Class B range of 172.16.1.0 -
172.16.1.255 and is using a netmask of 255.255.255.0 (ie:24 bits). It is
assumed that your router to the outside world is at 172.16.1.254 and that your
Internet Domain Name is bestnet.com.au. The IP Address range 172.16.1.100 to
172.16.1.240 has been set aside as your dynamically allocated range. In
addition, bestnet.com.au have two print servers that need to obtain settings
via BOOTP. The machine linux.bestnet.com.au has IP address 172.16.1.1 and is
you primary Samba server with WINS support enabled by adding the parameter to
the /etc/smb.conf file: [globals] wins support = yes. The dhcp lease time will
be set to 20 hours.
Configuration Files:
====================
Before dhcpd will run you need to install a file that speifies the
configuration settings, and another that holds the database of issued IP
addresses. On many systems these are stored in the /etc directory on the Unix
system.
Example /etc/dhcpd.conf:
========================
server-identifier linux.bestnet.com.au;
subnet 172.16.1.0 netmask 255.255.255.0 {
range 172.16.1.100 172.16.1.240;
default-lease-time 72000;
max-lease-time 144000;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.1.255;
option routers 172.16.1.254;
option domain-name-servers 172.16.1.1, 172.16.1.2;
option domain-name "bestnet.com.au";
option time-offset 39600;
option ip-forwarding off;
option netbios-name-servers 172.16.0.1, 172.16.0.1;
option netbios-dd-server 172.16.0.1;
option netbios-node-type 8;
option netbios-scope "";
}
; Note: The above netbios-scope is purposely an empty (NULL) string.
group {
next-server 172.16.1.10;
option subnet-mask 255.255.255.0;
option domain-name "bestnet.com.au";
option domain-name-servers 172.16.1.1, 172.16.0.2;
option netbios-name-servers 172.16.0.1, 172.16.0.1;
option netbios-dd-server 172.16.0.1;
option netbios-node-type 8;
option netbios-scope "SomeCrazyScope";
option routers 172.16.1.240;
option time-offset 39600;
host lexmark1 {
hardware ethernet 06:07:08:09:0a:0b;
fixed-address 172.16.1.245;
}
host epson4 {
hardware ethernet 01:02:03:04:05:06;
fixed-address 172.16.1.242;
}
}
Creating the /etc/dhcpd.leases file:
====================================
At a Unix shell create an empty dhcpd.leases file in the /etc directory.
You can do this by typing: cp /dev/null /etc/dhcpd.leases
Setting up a route table for all-ones addresses:
================================================
Quoting from the README file that comes with the ISC DHCPD Server:
BROADCAST
In order for dhcpd to work correctly with picky DHCP clients (e.g.,
Windows 95), it must be able to send packets with an IP destination
address of 255.255.255.255. Unfortunately, Linux insists on changing
255.255.255.255 into the local subnet broadcast address (here, that's
192.5.5.223). This results in a DHCP protocol violation, and while
many DHCP clients don't notice the problem, some (e.g., all Microsoft
DHCP clients) do. Clients that have this problem will appear not to
see DHCPOFFER messages from the server.
It is possible to work around this problem on some versions of Linux
by creating a host route from your network interface address to
255.255.255.255. The command you need to use to do this on Linux
varies from version to version. The easiest version is:
route add -host 255.255.255.255 dev eth0
On some older Linux systems, you will get an error if you try to do
this. On those systems, try adding the following entry to your
/etc/hosts file:
255.255.255.255 all-ones
Then, try:
route add -host all-ones dev eth0
For more information please refer to the ISC DHCPD Server documentation.
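Review bot: The sample dhcpd.conf in this removed document contradicts the text around it and should be corrected in the SGML version rather than carried over. The prose puts the WINS-enabled Samba server at 172.16.1.1, yet both blocks set "option netbios-name-servers 172.16.0.1, 172.16.0.1;", which is a different subnet and lists the same address twice; the group block sets "option routers 172.16.1.240;" although the router is stated to be 172.16.1.254 and .240 lies inside the dynamic range. The line beginning "; Note:" is not a dhcpd.conf comment (comments start with #), and the smb.conf section is written as [globals] where [global] is meant.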

View File

@ -1,220 +0,0 @@
Contributor: Gerhard Zuber <zuber@berlin.snafu.de>
Date: August 5th 1997.
Status: Current
Subject: F A X I N G with S A M B A
==========================================================================
This text describes how to turn your SAMBA-server into a fax-server
for any environment, especially for Windows.
Author: Gerhard Zuber <zuber@berlin.snafu.de>
Version: 1.4
Date: 04. Aug. 1997
Requirements:
UNIX box (Linux preferred) with SAMBA and a faxmodem
ghostscript package
mgetty+sendfax package
pbm package (portable bitmap tools)
FTP sites:
sunsite.unc.edu:/pub/Linux/system/Serial/mgetty+sendfax*
tsx-11.mit.edu:/pub/linux/sources/sbin/mgetty+sendfax
ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/mgetty1.1.6-May05.tar.gz
pbm10dec91.tgz
ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/pbm10dec91.tgz
sunsite.unc.edu: ..../apps/graphics/convert/pbmplus-10dec91-bin.tar.gz
ftp.gwdg.de/pub/linux/grafik/pbmplus.src.tar.Z (this is 10dec91 source)
or ??? pbm10dec91.tgz pbmplus10dec91.tgz
making mgetty+sendfax running:
==============================
go to source tree: /usr/src/mgetty+sendfax
cp policy.h-dist policy.h
change your settings: valid tty ports, modem initstring, Station-Id
#define MODEM_INIT_STRING "AT &F S0=0 &D3 &K3 &C1\\\\N2"
#define FAX_STATION_ID "49 30 12345678"
#define FAX_MODEM_TTYS "ttyS1:ttyS2:ttyS3"
Modem initstring is for rockwell based modems
if you want to use mgetty+sendfax as PPP-dialin-server,
define AUTO_PPP in Makefile:
CFLAGS=-O2 -Wall -pipe -DAUTO_PPP
compile it and install the package.
edit your /etc/inittab and let mgetty running on your preferred
ports:
s3:45:respawn:/usr/local/sbin/mgetty ttyS2 vt100
now issue a
kill -HUP 1
and enjoy with the lightning LEDs on your modem
your now are ready to receive faxes !
if you want a PPP dialin-server, edit
/usr/local/etc/mgetty+sendfax/login.config
/AutoPPP/ - ppp /usr/sbin/pppd auth debug passive modem
Note: this package automatically decides between a fax call and
a modem call. In case of modem call you get a login prompt !
Tools for printing faxes:
=========================
your incomed faxes are in:
/var/spool/fax/incoming
print it with:
for i in *
do
g3cat $i | g3tolj | lpr -P hp
done
in case of low resolution use instead:
g3cat $i | g3tolj -aspect 2 | lpr -P hp
g3cat is in the tools-section, g3tolj is in the contrib-section
for printing to HP lasers.
If you want to produce files for displaying and printing with Windows, use
some tools from the pbm-package like follow
g3cat $i | g3topbm - | ppmtopcx - >$i.pcx
and view it with your favourite Windows tool (maybe paintbrush)
Now making the fax-server:
===========================
fetch the file
mgetty+sendfax/frontends/winword/faxfilter
and place it in
/usr/local/etc/mgetty+sendfax/
prepare your faxspool file as mentioned in this file
edit fax/faxspool.in and reinstall or change the final
/usr/local/bin/faxspool too.
if [ "$user" = "root" -o "$user" = "fax" -o \
"$user" = "lp" -o "$user" = "daemon" -o "$user" = "bin" ]
find the first line and change the second.
make sure you have pbmtext (from the pbm-package). This is
needed for creating the small header line on each page.
Notes on pbmplus:
Some peoples had problems with precompiled binaries (especially
at linux) with a shared lib libgr.so.x.x. The better way is
to fetch the source and compile it. One needs only pbmtext for
generating the small line on top of each page /faxheader). Install
only the individual programs you need. If you install the full
package then install pbmplus first and then mgetty+sendfax, because
this package has some changed programs by itself (but not pbmtext).
make sure your ghostscript is functional. You need fonts !
I prefer these from the OS/2 disks
prepare your faxheader
/usr/local/etc/mgetty+sendfax/faxheader
edit your /etc/printcap file:
# FAX
lp3|fax:\
:lp=/dev/null:\
:sd=/usr/spool/lp3:\
:if=/usr/local/etc/mgetty+sendfax/faxfilter:sh:sf:mx#0:\
:lf=/usr/spool/lp3/fax-log:
edit your /usr/local/samba/lib/smb.conf
so you have a smb based printer named "fax"
The final step:
===============
Now you have a printer called "fax" which can be used via
TCP/IP-printing (lpd-system) or via SAMBA (windows printing).
On every system you are able to produce postscript-files you
are ready to fax.
On Windows 3.1 95 and NT:
Install a printer wich produces postscript output,
e.g. apple laserwriter
connect the "fax" to your printer
Now write your first fax. Use your favourite wordprocessor,
write, winword, notepad or whatever you want, and start
with the headerpage.
Usually each fax has a header page. It carries your name,
your address, your phone/fax-number.
It carries also the recipient, his address and his *** fax
number ***. Now here is the trick:
Use the text:
Fax-Nr: 123456789
as the recipients fax-number. Make sure this text does not
occur in regular text ! Make sure this text is not broken
by formatting information, e.g. format it as a single entity.
(Windows Write and Win95 Wordpad are functional, maybe newer
versions of Winword are breaking formatting information).
The trick is that postscript output is human readable and
the faxfilter program scans the text for this pattern and
uses the found number as the fax-destination-number.
Now print your fax through the fax-printer and it will be
queued for later transmission. Use faxrunq for sending the
queue out.
Notes of SAMBA smb.conf:
Simply use fall through from the samba printer to the unix
printer. Sample:
printcap name = /etc/printcap
print command = /usr/bin/lpr -r -P %p %s
lpq command = /usr/bin/lpq -P %p
lprm command = /usr/bin/lprm -P %p %j
[fax]
comment = FAX (mgetty+sendfax)
path = /tmp
printable = yes
public = yes
writable = no
create mode = 0700
browseable = yes
guest ok = no
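Review bot: The [fax] share in the smb.conf sample at the end of this removed document sets "public = yes" and then "guest ok = no"; these are synonyms for the same parameter, so the sample is contradictory and only the last value applies. The converted FAQ should keep just one of them, stating the intended guest policy explicitly. The share also spools into "path = /tmp", a world-writable directory shared with every other local user and process; a dedicated spool directory with restricted permissions would be a safer example for a queue whose contents are parsed by faxfilter for the destination number.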