diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml
index 0a5cf72038d..adf20b7386f 100644
--- a/docs/docbook/projdoc/Browsing-Quickguide.sgml
+++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml
@@ -84,6 +84,81 @@ minutes to stabilise, particularly across network segments.
+
+How browsing functions and how to deploy stable and
+dependable browsing using Samba
+
+
+
+As stated above, MS Windows machines register their NetBIOS names
+(i.e.: the machine name for each service type in operation) on start
+up. Also, as stated above, the exact method by which this name registration
+takes place is determined by whether or not the MS Windows client/server
+has been given a WINS server address, whether or not LMHOSTS lookup
+is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
+
+
+
+In the case where there is no WINS server all name registrations as
+well as name lookups are done by UDP broadcast. This isolates name
+resolution to the local subnet, unless LMHOSTS is used to list all
+names and IP addresses. In such situations Samba provides a means by
+which the samba server name may be forcibly injected into the browse
+list of a remote MS Windows network (using the "remote announce" parameter).
+
+
+
+Where a WINS server is used, the MS Windows client will use UDP
+unicast to register with the WINS server. Such packets can be routed
+and thus WINS allows name resolution to function across routed networks.
+
+
+
+During the startup process an election will take place to create a
+local master browser if one does not already exist. On each NetBIOS network
+one machine will be elected to function as the domain master browser. This
+domain browsing has nothing to do with MS security domain control.
+Instead, the domain master browser serves the role of contacting each local
+master browser (found by asking WINS or from LMHOSTS) and exchanging browse
+list contents. This way every master browser will eventually obtain a complete
+list of all machines that are on the network. Every 11-15 minutes an election
+is held to determine which machine will be the master browser. By the nature of
+the election criteria used, the machine with the highest uptime, or the
+most senior protocol version, or other criteria, will win the election
+as domain master browser.
+
+
+
+Clients wishing to browse the network make use of this list, but also depend
+on the availability of correct name resolution to the respective IP
+address/addresses.
+
+
+
+Any configuration that breaks name resolution and/or browsing intrinsics
+will annoy users because they will have to put up with protracted
+inability to use the network services.
+
+
+
+Samba supports a feature that allows forced synchonisation
+of browse lists across routed networks using the "remote
+browse sync" parameter in the smb.conf file. This causes Samba
+to contact the local master browser on a remote network and
+to request browse list synchronisation. This effectively bridges
+two networks that are separated by routers. The two remote
+networks may use either broadcast based name resolution or WINS
+based name resolution, but it should be noted that the "remote
+browse sync" parameter provides browse list synchronisation - and
+that is distinct from name to address resolution, in other
+words, for cross subnet browsing to function correctly it is
+essential that a name to address resolution mechanism be provided.
+This mechanism could be via DNS, /etc/hosts,
+and so on.
+
+
+
+
Use of the "Remote Announce" parameter
diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml
index a4e79fd42bb..8a5c0c40f2d 100644
--- a/docs/docbook/projdoc/Integrating-with-Windows.sgml
+++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml
@@ -18,48 +18,46 @@
Integrating MS Windows networks with Samba
-
-Agenda
-
-To identify the key functional mechanisms of MS Windows networking
-to enable the deployment of Samba as a means of extending and/or
-replacing MS Windows NT/2000 technology.
+This section deals with NetBIOS over TCP/IP name to IP address resolution. If you
+your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this
+section does not apply to your installation. If your installation involves use of
+NetBIOS over TCP/IP then this section may help you to resolve networking problems.
+
-We will examine:
+ NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
+ over Logical Link Control (LLC). On modern networks it is highly advised
+ to NOT run NetBEUI at all. Note also that there is NO such thing as
+ NetBEUI over TCP/IP - the existence of such a protocol is a complete
+ and utter mis-apprehension.
+
+
+
+
+Since the introduction of MS Windows 2000 it is possible to run MS Windows networking
+without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
+name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
+TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be
+used and UDP port 137 and TCP port 139 will not.
-
- Name resolution in a pure Unix/Linux TCP/IP
- environment
-
+
+
+When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then
+the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet
+Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic).
+
+
- Name resolution as used within MS Windows
- networking
-
-
- How browsing functions and how to deploy stable
- and dependable browsing using Samba
-
-
- MS Windows security options and how to
- configure Samba for seemless integration
-
-
- Configuration of Samba as:
-
- A stand-alone server
- An MS Windows NT 3.x/4.0 security domain member
-
- An alternative to an MS Windows NT 3.x/4.0 Domain Controller
-
-
-
-
-
-
+
+When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that
+disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires
+Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
+Use of DHCP with ADS is recommended as a further means of maintaining central control
+over client workstation network configuration.
+
@@ -555,381 +553,4 @@ of the WINS server.
-
-
-How browsing functions and how to deploy stable and
-dependable browsing using Samba
-
-
-
-As stated above, MS Windows machines register their NetBIOS names
-(i.e.: the machine name for each service type in operation) on start
-up. Also, as stated above, the exact method by which this name registration
-takes place is determined by whether or not the MS Windows client/server
-has been given a WINS server address, whether or not LMHOSTS lookup
-is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
-
-
-
-In the case where there is no WINS server all name registrations as
-well as name lookups are done by UDP broadcast. This isolates name
-resolution to the local subnet, unless LMHOSTS is used to list all
-names and IP addresses. In such situations Samba provides a means by
-which the samba server name may be forcibly injected into the browse
-list of a remote MS Windows network (using the "remote announce" parameter).
-
-
-
-Where a WINS server is used, the MS Windows client will use UDP
-unicast to register with the WINS server. Such packets can be routed
-and thus WINS allows name resolution to function across routed networks.
-
-
-
-During the startup process an election will take place to create a
-local master browser if one does not already exist. On each NetBIOS network
-one machine will be elected to function as the domain master browser. This
-domain browsing has nothing to do with MS security domain control.
-Instead, the domain master browser serves the role of contacting each local
-master browser (found by asking WINS or from LMHOSTS) and exchanging browse
-list contents. This way every master browser will eventually obtain a complete
-list of all machines that are on the network. Every 11-15 minutes an election
-is held to determine which machine will be the master browser. By the nature of
-the election criteria used, the machine with the highest uptime, or the
-most senior protocol version, or other criteria, will win the election
-as domain master browser.
-
-
-
-Clients wishing to browse the network make use of this list, but also depend
-on the availability of correct name resolution to the respective IP
-address/addresses.
-
-
-
-Any configuration that breaks name resolution and/or browsing intrinsics
-will annoy users because they will have to put up with protracted
-inability to use the network services.
-
-
-
-Samba supports a feature that allows forced synchonisation
-of browse lists across routed networks using the "remote
-browse sync" parameter in the smb.conf file. This causes Samba
-to contact the local master browser on a remote network and
-to request browse list synchronisation. This effectively bridges
-two networks that are separated by routers. The two remote
-networks may use either broadcast based name resolution or WINS
-based name resolution, but it should be noted that the "remote
-browse sync" parameter provides browse list synchronisation - and
-that is distinct from name to address resolution, in other
-words, for cross subnet browsing to function correctly it is
-essential that a name to address resolution mechanism be provided.
-This mechanism could be via DNS, /etc/hosts,
-and so on.
-
-
-
-
-
-MS Windows security options and how to configure
-Samba for seemless integration
-
-
-MS Windows clients may use encrypted passwords as part of a
-challenege/response authentication model (a.k.a. NTLMv1) or
-alone, or clear text strings for simple password based
-authentication. It should be realized that with the SMB
-protocol the password is passed over the network either
-in plain text or encrypted, but not both in the same
-authentication requets.
-
-
-
-When encrypted passwords are used a password that has been
-entered by the user is encrypted in two ways:
-
-
-
- An MD4 hash of the UNICODE of the password
- string. This is known as the NT hash.
-
-
- The password is converted to upper case,
- and then padded or trucated to 14 bytes. This string is
- then appended with 5 bytes of NULL characters and split to
- form two 56 bit DES keys to encrypt a "magic" 8 byte value.
- The resulting 16 bytes for the LanMan hash.
-
-
-
-
-You should refer to the
-Password Encryption chapter in this HOWTO collection
-for more details on the inner workings
-
-
-
-MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x
-and version 4.0 pre-service pack 3 will use either mode of
-password authentication. All versions of MS Windows that follow
-these versions no longer support plain text passwords by default.
-
-
-
-MS Windows clients have a habit of dropping network mappings that
-have been idle for 10 minutes or longer. When the user attempts to
-use the mapped drive connection that has been dropped, the client
-re-establishes the connection using
-a cached copy of the password.
-
-
-
-When Microsoft changed the default password mode, they dropped support for
-caching of the plain text password. This means that when the registry
-parameter is changed to re-enable use of plain text passwords it appears to
-work, but when a dropped mapping attempts to revalidate it will fail if
-the remote authentication server does not support encrypted passwords.
-This means that it is definitely not a good idea to re-enable plain text
-password support in such clients.
-
-
-
-The following parameters can be used to work around the
-issue of Windows 9x client upper casing usernames and
-password before transmitting them to the SMB server
-when using clear text authentication.
-
-
-
- passsword level = integer
- username level = integer
-
-
-
-By default Samba will lower case the username before attempting
-to lookup the user in the database of local system accounts.
-Because UNIX usernames conventionally only contain lower case
-character, the username level parameter
-is rarely even needed.
-
-
-
-However, password on UNIX systems often make use of mixed case
-characters. This means that in order for a user on a Windows 9x
-client to connect to a Samba server using clear text authentication,
-the password level must be set to the maximum
-number of upper case letter which could appear
-is a password. Note that is the server OS uses the traditional
-DES version of crypt(), then a password level
-of 8 will result in case insensitive passwords as seen from Windows
-users. This will also result in longer login times as Samba
-hash to compute the permutations of the password string and
-try them one by one until a match is located (or all combinations fail).
-
-
-
-The best option to adopt is to enable support for encrypted passwords
-where ever Samba is used. There are three configuration possibilities
-for support of encrypted passwords:
-
-
-
-
-Use MS Windows NT as an authentication server
-
-
-This method involves the additions of the following parameters
-in the smb.conf file:
-
-
-
- encrypt passwords = Yes
- security = server
- password server = "NetBIOS_name_of_PDC"
-
-
-
-
-There are two ways of identifying whether or not a username and
-password pair was valid or not. One uses the reply information provided
-as part of the authentication messaging process, the other uses
-just and error code.
-
-
-
-The down-side of this mode of configuration is the fact that
-for security reasons Samba will send the password server a bogus
-username and a bogus password and if the remote server fails to
-reject the username and password pair then an alternative mode
-of identification of validation is used. Where a site uses password
-lock out after a certain number of failed authentication attempts
-this will result in user lockouts.
-
-
-
-Use of this mode of authentication does require there to be
-a standard Unix account for the user, this account can be blocked
-to prevent logons by other than MS Windows clients.
-
-
-
-
-
-Make Samba a member of an MS Windows NT security domain
-
-
-This method involves additon of the following paramters in the smb.conf file:
-
-
-
- encrypt passwords = Yes
- security = domain
- workgroup = "name of NT domain"
- password server = *
-
-
-
-The use of the "*" argument to "password server" will cause samba
-to locate the domain controller in a way analogous to the way
-this is done within MS Windows NT.
-
-
-
-In order for this method to work the Samba server needs to join the
-MS Windows NT security domain. This is done as follows:
-
-
-
- On the MS Windows NT domain controller using
- the Server Manager add a machine account for the Samba server.
-
-
- Next, on the Linux system execute:
- smbpasswd -r PDC_NAME -j DOMAIN_NAME
-
-
-
-
-Use of this mode of authentication does require there to be
-a standard Unix account for the user in order to assign
-a uid once the account has been authenticated by the remote
-Windows DC. This account can be blocked to prevent logons by
-other than MS Windows clients by things such as setting an invalid
-shell in the /etc/passwd entry.
-
-
-
-An alternative to assigning UIDs to Windows users on a
-Samba member server is presented in the Winbind Overview chapter in
-this HOWTO collection.
-
-
-
-
-
-
-
-Configure Samba as an authentication server
-
-
-This mode of authentication demands that there be on the
-Unix/Linux system both a Unix style account as well as an
-smbpasswd entry for the user. The Unix system account can be
-locked if required as only the encrypted password will be
-used for SMB client authentication.
-
-
-
-This method involves addition of the following parameters to
-the smb.conf file:
-
-
-
-## please refer to the Samba PDC HOWTO chapter later in
-## this collection for more details
-[global]
- encrypt passwords = Yes
- security = user
- domain logons = Yes
- ; an OS level of 33 or more is recommended
- os level = 33
-
-[NETLOGON]
- path = /somewhare/in/file/system
- read only = yes
-
-
-
-in order for this method to work a Unix system account needs
-to be created for each user, as well as for each MS Windows NT/2000
-machine. The following structure is required.
-
-
-
-Users
-
-
-A user account that may provide a home directory should be
-created. The following Linux system commands are typical of
-the procedure for creating an account.
-
-
-
- # useradd -s /bin/bash -d /home/"userid" -m "userid"
- # passwd "userid"
- Enter Password: <pw>
-
- # smbpasswd -a "userid"
- Enter Password: <pw>
-
-
-
-
-MS Windows NT Machine Accounts
-
-
-These are required only when Samba is used as a domain
-controller. Refer to the Samba-PDC-HOWTO for more details.
-
-
-
- # useradd -s /bin/false -d /dev/null "machine_name"\$
- # passwd -l "machine_name"\$
- # smbpasswd -a -m "machine_name"
-
-
-
-
-
-
-
-Conclusions
-
-
-Samba provides a flexible means to operate as...
-
-
-
- A Stand-alone server - No special action is needed
- other than to create user accounts. Stand-alone servers do NOT
- provide network logon services, meaning that machines that use this
- server do NOT perform a domain logon but instead make use only of
- the MS Windows logon which is local to the MS Windows
- workstation/server.
-
-
- An MS Windows NT 3.x/4.0 security domain member.
-
-
-
- An alternative to an MS Windows NT 3.x/4.0
- Domain Controller.
-
-
-
-
-
-
diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
index d6fe6760b53..7608f821cf3 100644
--- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
+++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml
@@ -11,8 +11,6 @@
-
-
(Jun 21 2001)
@@ -42,6 +40,19 @@ PAM is configured either through one file /etc/pam.conf (So
or by editing individual files that are located in /etc/pam.d.
+
+
+ If the PAM authentication module (loadable link library file) is located in the
+ default location then it is not necessary to specify the path. In the case of
+ Linux, the default location is /lib/security. If the module
+ is located other than default then the path may be specified as:
+
+
+ eg: "auth required /other_path/pam_strange_module.so"
+
+
+
+
The following is an example /etc/pam.d/login configuration file.
This example had all options been uncommented is probably not usable
@@ -51,20 +62,20 @@ by commenting them out except the calls to pam_pwdb.so.
-#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_securetty.so
-auth required pam_nologin.so
-# auth required pam_dialup.so
-# auth optional pam_mail.so
-auth required pam_pwdb.so shadow md5
-# account requisite pam_time.so
-account required pam_pwdb.so
-session required pam_pwdb.so
-# session optional pam_lastlog.so
-# password required pam_cracklib.so retry=3
-password required pam_pwdb.so shadow md5
+ #%PAM-1.0
+ # The PAM configuration file for the `login' service
+ #
+ auth required pam_securetty.so
+ auth required pam_nologin.so
+ # auth required pam_dialup.so
+ # auth optional pam_mail.so
+ auth required pam_pwdb.so shadow md5
+ # account requisite pam_time.so
+ account required pam_pwdb.so
+ session required pam_pwdb.so
+ # session optional pam_lastlog.so
+ # password required pam_cracklib.so retry=3
+ password required pam_pwdb.so shadow md5
@@ -73,19 +84,19 @@ sample system include:
-$ /bin/ls /lib/security
-pam_access.so pam_ftp.so pam_limits.so
-pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
-pam_cracklib.so pam_group.so pam_listfile.so
-pam_nologin.so pam_rootok.so pam_tally.so
-pam_deny.so pam_issue.so pam_mail.so
-pam_permit.so pam_securetty.so pam_time.so
-pam_dialup.so pam_lastlog.so pam_mkhomedir.so
-pam_pwdb.so pam_shells.so pam_unix.so
-pam_env.so pam_ldap.so pam_motd.so
-pam_radius.so pam_smbpass.so pam_unix_acct.so
-pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
-pam_userdb.so pam_warn.so pam_unix_session.so
+ $ /bin/ls /lib/security
+ pam_access.so pam_ftp.so pam_limits.so
+ pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
+ pam_cracklib.so pam_group.so pam_listfile.so
+ pam_nologin.so pam_rootok.so pam_tally.so
+ pam_deny.so pam_issue.so pam_mail.so
+ pam_permit.so pam_securetty.so pam_time.so
+ pam_dialup.so pam_lastlog.so pam_mkhomedir.so
+ pam_pwdb.so pam_shells.so pam_unix.so
+ pam_env.so pam_ldap.so pam_motd.so
+ pam_radius.so pam_smbpass.so pam_unix_acct.so
+ pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
+ pam_userdb.so pam_warn.so pam_unix_session.so
@@ -110,13 +121,13 @@ source distribution.
-#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_smbpass.so nodelay
-account required pam_smbpass.so nodelay
-session required pam_smbpass.so nodelay
-password required pam_smbpass.so nodelay
+ #%PAM-1.0
+ # The PAM configuration file for the `login' service
+ #
+ auth required pam_smbpass.so nodelay
+ account required pam_smbpass.so nodelay
+ session required pam_smbpass.so nodelay
+ password required pam_smbpass.so nodelay
@@ -125,13 +136,13 @@ Linux system. The default condition uses pam_pwdb.so.
-#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_pwdb.so shadow md5
+ #%PAM-1.0
+ # The PAM configuration file for the `samba' service
+ #
+ auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
+ account required /lib/security/pam_pwdb.so audit nodelay
+ session required /lib/security/pam_pwdb.so nodelay
+ password required /lib/security/pam_pwdb.so shadow md5
@@ -143,13 +154,13 @@ program.
-#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_smbpass.so nodelay
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
+ #%PAM-1.0
+ # The PAM configuration file for the `samba' service
+ #
+ auth required /lib/security/pam_smbpass.so nodelay
+ account required /lib/security/pam_pwdb.so audit nodelay
+ session required /lib/security/pam_pwdb.so nodelay
+ password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
PAM allows stacking of authentication mechanisms. It is
diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml
index e3bee32db01..46e69e4ba9f 100644
--- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml
@@ -13,7 +13,7 @@
-How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain
+Samba Backup Domain Controller to Samba Domain Control
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
index 53dae21775a..c8a20ba8d93 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -68,27 +68,32 @@ PDC functionality.
- domain logons for Windows NT 4.0 / 200x / XP Professional clients.
+ Domain logons for Windows NT 4.0 / 200x / XP Professional clients.
- placing Windows 9x / Me clients in user level security
+ Placing Windows 9x / Me clients in user level security
- retrieving a list of users and groups from a Samba PDC to
+ Retrieving a list of users and groups from a Samba PDC to
Windows 9x / Me / NT / 200x / XP Professional clients
- roaming user profiles
+ Roaming Profiles
- Windows NT 4.0-style system policies
+ Network/System Policies
+
+
+Roaming Profiles and System/Network policies are advanced network administration topics
+that are covered separately in this document.
+
The following functionalities are new to the Samba 3.0 release:
@@ -587,18 +592,17 @@ version of Windows.
I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, "The system
- can not log you on (C000019B), Please try a gain or consult your
+ can not log you on (C000019B), Please try again or consult your
system administrator" when attempting to logon.
- This occurs when the domain SID stored in
- private/WORKGROUP.SID is
- changed. For example, you remove the file and smbd automatically
- creates a new one. Or you are swapping back and forth between
- versions 2.0.7, TNG and the HEAD branch code (not recommended). The
- only way to correct the problem is to restore the original domain
- SID or remove the domain client from the domain and rejoin.
+ This occurs when the domain SID stored in the secrets.tdb database
+ is changed. The most common cause of a change in domain SID is when
+ the domain name and/or the server name (netbios name) is changed.
+ The only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin. The domain
+ SID may be reset using either the smbpasswd or rpcclient utilities.
@@ -675,128 +679,6 @@ version of Windows.
-
-
-
-
-
-
-System Policies and Profiles
-
-
-
-Much of the information necessary to implement System Policies and
-Roving User Profiles in a Samba domain is the same as that for
-implementing these same items in a Windows NT 4.0 domain.
-You should read the white paper Implementing
-Profiles and Policies in Windows NT 4.0 available from Microsoft.
-
-
-
-Here are some additional details:
-
-
-
-
-
-
- What about Windows NT Policy Editor?
-
-
-
- To create or edit ntconfig.pol you must use
- the NT Server Policy Editor, poledit.exe which
- is included with NT Server but not NT Workstation.
- There is a Policy Editor on a NTws
- but it is not suitable for creating Domain Policies.
- Further, although the Windows 95
- Policy Editor can be installed on an NT Workstation/Server, it will not
- work with NT policies because the registry key that are set by the policy templates.
- However, the files from the NT Server will run happily enough on an NTws.
- You need poledit.exe, common.adm and winnt.adm. It is convenient
- to put the two *.adm files in c:\winnt\inf which is where
- the binary will look for them unless told otherwise. Note also that that
- directory is 'hidden'.
-
-
-
- The Windows NT policy editor is also included with the Service Pack 3 (and
- later) for Windows NT 4.0. Extract the files using servicepackname /x,
- i.e. that's Nt4sp6ai.exe /x for service pack 6a. The policy editor,
- poledit.exe and the associated template files (*.adm) should
- be extracted as well. It is also possible to downloaded the policy template
- files for Office97 and get a copy of the policy editor. Another possible
- location is with the Zero Administration Kit available for download from Microsoft.
-
-
-
-
-
-
- Can Win95 do Policies?
-
-
-
- Install the group policy handler for Win9x to pick up group
- policies. Look on the Win98 CD in \tools\reskit\netadmin\poledit.
- Install group policies on a Win9x client by double-clicking
- grouppol.inf. Log off and on again a couple of
- times and see if Win98 picks up group policies. Unfortunately this needs
- to be done on every Win9x machine that uses group policies....
-
-
-
- If group policies don't work one reports suggests getting the updated
- (read: working) grouppol.dll for Windows 9x. The group list is grabbed
- from /etc/group.
-
-
-
-
-
-
- How do I get 'User Manager' and 'Server Manager'
-
-
-
- Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager'?
-
-
-
- Microsoft distributes a version of these tools called nexus for
- installation on Windows 95 systems. The tools set includes
-
-
-
- Server Manager
-
- User Manager for Domains
-
- Event Viewer
-
-
-
- Click here to download the archived file ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
-
-
-
- The Windows NT 4.0 version of the 'User Manager for
- Domains' and 'Server Manager' are available from Microsoft via ftp
- from ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
-
-
-
-
-
-
-
-
-
-
-
-DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
-
-
-
- Possibly Outdated Material
-
-
- This appendix was originally authored by John H Terpstra of
- the Samba Team and is included here for posterity.
-
-
-
-
-
-NOTE :
-The term "Domain Controller" and those related to it refer to one specific
-method of authentication that can underly an SMB domain. Domain Controllers
-prior to Windows NT Server 3.1 were sold by various companies and based on
-private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
-Microsoft-specific ways of distributing the user authentication database.
-See DOMAIN.txt for examples of how Samba can participate in or create
-SMB domains based on shared authentication database schemes other than the
-Windows NT SAM.
-
-
-
-Windows NT Server can be installed as either a plain file and print server
-(WORKGROUP workstation or server) or as a server that participates in Domain
-Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
-The same is true for OS/2 Warp Server, Digital Pathworks and other similar
-products, all of which can participate in Domain Control along with Windows NT.
-
-
-
-To many people these terms can be confusing, so let's try to clear the air.
-
-
-
-Every Windows NT system (workstation or server) has a registry database.
-The registry contains entries that describe the initialization information
-for all services (the equivalent of Unix Daemons) that run within the Windows
-NT environment. The registry also contains entries that tell application
-software where to find dynamically loadable libraries that they depend upon.
-In fact, the registry contains entries that describes everything that anything
-may need to know to interact with the rest of the system.
-
-
-
-The registry files can be located on any Windows NT machine by opening a
-command prompt and typing:
-
-
-
-C:\WINNT\> dir %SystemRoot%\System32\config
-
-
-
-The environment variable %SystemRoot% value can be obtained by typing:
-
-
-
-C:\WINNT>echo %SystemRoot%
-
-
-
-The active parts of the registry that you may want to be familiar with are
-the files called: default, system, software, sam and security.
-
-
-
-In a domain environment, Microsoft Windows NT domain controllers participate
-in replication of the SAM and SECURITY files so that all controllers within
-the domain have an exactly identical copy of each.
-
-
-
-The Microsoft Windows NT system is structured within a security model that
-says that all applications and services must authenticate themselves before
-they can obtain permission from the security manager to do what they set out
-to do.
-
-
-
-The Windows NT User database also resides within the registry. This part of
-the registry contains the user's security identifier, home directory, group
-memberships, desktop profile, and so on.
-
-
-
-Every Windows NT system (workstation as well as server) will have its own
-registry. Windows NT Servers that participate in Domain Security control
-have a database that they share in common - thus they do NOT own an
-independent full registry database of their own, as do Workstations and
-plain Servers.
-
-
-
-The User database is called the SAM (Security Access Manager) database and
-is used for all user authentication as well as for authentication of inter-
-process authentication (i.e. to ensure that the service action a user has
-requested is permitted within the limits of that user's privileges).
-
-
-
-The Samba team have produced a utility that can dump the Windows NT SAM into
-smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
-/pub/samba/pwdump on your nearest Samba mirror for the utility. This
-facility is useful but cannot be easily used to implement SAM replication
-to Samba systems.
-
-
-
-Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
-can participate in a Domain security system that is controlled by Windows NT
-servers that have been correctly configured. Almost every domain will have
-ONE Primary Domain Controller (PDC). It is desirable that each domain will
-have at least one Backup Domain Controller (BDC).
-
-
-
-The PDC and BDCs then participate in replication of the SAM database so that
-each Domain Controlling participant will have an up to date SAM component
-within its registry.
-
-
-
-
diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml
index 41b1c0ed2f7..91478740d6d 100644
--- a/docs/docbook/projdoc/ServerType.sgml
+++ b/docs/docbook/projdoc/ServerType.sgml
@@ -44,6 +44,13 @@ discussions regarding "security mode". The smb.conf configuration parameters
that control security mode are: "security = user" and "security = share".
+
+No special action is needed other than to create user accounts. Stand-alone
+servers do NOT provide network logon services, meaning that machines that
+use this server do NOT perform a domain logon but instead make use only of
+the MS Windows logon which is local to the MS Windows workstation/server.
+
+
Samba tends to blur the distinction a little in respect of what is
a stand alone server. This is because the authentication database may be
diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml
index 1a2e2855967..8784bad1b71 100644
--- a/docs/docbook/projdoc/samba-doc.sgml
+++ b/docs/docbook/projdoc/samba-doc.sgml
@@ -22,11 +22,11 @@
-
+
]>
@@ -102,30 +102,30 @@ for various environments.
-Optional configuration
+Advanced Configuration
Introduction
Samba has several features that you might want or might not want to use. The chapters in this
part each cover one specific feature.
-&IntegratingWithWindows;
+&AdvancedNetworkManagment;
&NT-Security;
+&GROUP-MAPPING-HOWTO;
&Samba-PAM;
-&MS-Dfs-Setup;
&PRINTER-DRIVER2;
&CUPS;
&WINBIND;
+&IntegratingWithWindows;
&BROWSING;
+&MS-Dfs-Setup;
&VFS;
-&GROUP-MAPPING-HOWTO;
-&SPEED;
-&GroupProfiles;
&SecuringSamba;
&unicode;
Appendixes
+&SPEED;
&Portability;
&Other-Clients;
&Compiling;
@@ -133,4 +133,4 @@ part each cover one specific feature.
&Diagnosis;
-
+
diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml
index 00dcc6e83b6..fd0fef90fe6 100644
--- a/docs/docbook/projdoc/security_level.sgml
+++ b/docs/docbook/projdoc/security_level.sgml
@@ -8,8 +8,15 @@
+Samba as Stand-Alone ServerSamba as Stand-Alone server (User and Share security level)
+
+In this section the function and purpose of Samba's security
+modes are described.
+
+
+
+User and Share security level
A SMB server tells the client at startup what "security level" it is
@@ -23,6 +30,9 @@ can only tell the client what is available and whether an action is
allowed.
+
+User Level Security
+
I'll describe user level security first, as its simpler. In user level
security the client will send a "session setup" command directly after
@@ -53,6 +63,11 @@ maintain multiple authentication contexts in this way (WinDD is an
example of an application that does this)
+
+
+
+Share Level Security>
+
<para>
Ok, now for share level security. In share level security the client
authenticates itself separately for each share. It will send a
@@ -79,6 +94,11 @@ usernames". If a match is found then the client is authenticated as
that user.
</para>
+</sect2>
+
+<sect2>
+<title>Server Level Security
+
Finally "server level" security. In server level security the samba
server reports to the client that it is in user level security. The
@@ -113,4 +133,204 @@ That real authentication server can be another Samba server or can be a
Windows NT server, the later natively capable of encrypted password support.
+
+Configuring Samba for Seemless Windows Network Integration
+
+
+MS Windows clients may use encrypted passwords as part of a challenege/response
+authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple
+password based authentication. It should be realized that with the SMB protocol
+the password is passed over the network either in plain text or encrypted, but
+not both in the same authentication requests.
+
+
+
+When encrypted passwords are used a password that has been entered by the user
+is encrypted in two ways:
+
+
+
+ An MD4 hash of the UNICODE of the password
+ string. This is known as the NT hash.
+
+
+ The password is converted to upper case,
+ and then padded or trucated to 14 bytes. This string is
+ then appended with 5 bytes of NULL characters and split to
+ form two 56 bit DES keys to encrypt a "magic" 8 byte value.
+ The resulting 16 bytes for the LanMan hash.
+
+
+
+
+MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
+pre-service pack 3 will use either mode of password authentication. All
+versions of MS Windows that follow these versions no longer support plain
+text passwords by default.
+
+
+
+MS Windows clients have a habit of dropping network mappings that have been idle
+for 10 minutes or longer. When the user attempts to use the mapped drive
+connection that has been dropped, the client re-establishes the connection using
+a cached copy of the password.
+
+
+
+When Microsoft changed the default password mode, support was dropped for caching
+of the plain text password. This means that when the registry parameter is changed
+to re-enable use of plain text passwords it appears to work, but when a dropped
+service connection mapping attempts to revalidate it will fail if the remote
+authentication server does not support encrypted passwords. This means that it
+is definitely not a good idea to re-enable plain text password support in such clients.
+
+
+
+The following parameters can be used to work around the issue of Windows 9x client
+upper casing usernames and password before transmitting them to the SMB server
+when using clear text authentication.
+
+
+
+ passsword level = integer
+ username level = integer
+
+
+
+By default Samba will lower case the username before attempting to lookup the user
+in the database of local system accounts. Because UNIX usernames conventionally
+only contain lower case character, the username level parameter
+is rarely needed.
+
+
+
+However, passwords on UNIX systems often make use of mixed case characters.
+This means that in order for a user on a Windows 9x client to connect to a Samba
+server using clear text authentication, the password level
+must be set to the maximum number of upper case letter which could
+appear is a password. Note that is the server OS uses the traditional DES version
+of crypt(), then a password level of 8 will result in case
+insensitive passwords as seen from Windows users. This will also result in longer
+login times as Samba hash to compute the permutations of the password string and
+try them one by one until a match is located (or all combinations fail).
+
+
+
+The best option to adopt is to enable support for encrypted passwords
+where ever Samba is used. There are three configuration possibilities
+for support of encrypted passwords:
+
+
+
+
+Use MS Windows NT as an authentication server
+
+
+This method involves the additions of the following parameters in the smb.conf file:
+
+
+
+ encrypt passwords = Yes
+ security = server
+ password server = "NetBIOS_name_of_PDC"
+
+
+
+
+There are two ways of identifying whether or not a username and
+password pair was valid or not. One uses the reply information provided
+as part of the authentication messaging process, the other uses
+just and error code.
+
+
+
+The down-side of this mode of configuration is the fact that
+for security reasons Samba will send the password server a bogus
+username and a bogus password and if the remote server fails to
+reject the username and password pair then an alternative mode
+of identification of validation is used. Where a site uses password
+lock out after a certain number of failed authentication attempts
+this will result in user lockouts.
+
+
+
+Use of this mode of authentication does require there to be
+a standard Unix account for the user, this account can be blocked
+to prevent logons by other than MS Windows clients.
+
+
+
+
+
+
+Domain Level Security
+
+
+When samba is operating in security = domain mode this means that
+the Samba server has a domain security trust account (a machine account) and will cause
+all authentication requests to be passed through to the domain controllers.
+
+
+
+Samba as a member of an MS Windows NT security domain
+
+
+This method involves additon of the following paramters in the smb.conf file:
+
+
+
+ encrypt passwords = Yes
+ security = domain
+ workgroup = "name of NT domain"
+ password server = *
+
+
+
+The use of the "*" argument to "password server" will cause samba to locate the
+domain controller in a way analogous to the way this is done within MS Windows NT.
+This is the default behaviour.
+
+
+
+In order for this method to work the Samba server needs to join the
+MS Windows NT security domain. This is done as follows:
+
+
+
+ On the MS Windows NT domain controller using
+ the Server Manager add a machine account for the Samba server.
+
+
+ Next, on the Linux system execute:
+ smbpasswd -r PDC_NAME -j DOMAIN_NAME
+
+
+
+
+Use of this mode of authentication does require there to be a standard Unix account
+for the user in order to assign a uid once the account has been authenticated by
+the remote Windows DC. This account can be blocked to prevent logons by other than
+MS Windows clients by things such as setting an invalid shell in the
+/etc/passwd entry.
+
+
+
+An alternative to assigning UIDs to Windows users on a Samba member server is
+presented in the Winbind Overview chapter
+in this HOWTO collection.
+
+
+
+
+
+
+ADS Level Security
+
+
+For information about the configuration option please refer to the entire section entitled
+Samba as an ADS Domain Member.
+
+
+
+