mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
parent
c41fad7647
commit
cb6b82b5dc
@ -1,661 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2920239">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920364">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920382">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2917299">Managing Directories</a></dt><dt><a href="AccessControls.html#id2917394">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2917800">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2917828">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2918100">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2918346">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922930">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2923002">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923301">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923309">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923347">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923426">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923548">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923776">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923928">Interaction with the standard Samba create mask
|
||||
parameters</a></dt><dt><a href="AccessControls.html#id2924258">Interaction with the standard Samba file attribute
|
||||
mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924333">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924347">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924726">I have set force user and Samba still makes root the owner of all the files
|
||||
I touch!</a></dt></dl></dd></dl></div><p>
|
||||
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
|
||||
resources shared via Samba do not behave in the manner they might expect. MS Windows network
|
||||
administrators are often confused regarding network access controls and what is the best way to
|
||||
provide users with the type of access they need while protecting resources from the consequences
|
||||
of untoward access capabilities.
|
||||
</p><p>
|
||||
Unix administrators frequently are not familiar with the MS Windows environment and in particular
|
||||
have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
|
||||
and directory access permissions.
|
||||
</p><p>
|
||||
The problem lies in the differences in how file and directory permissions and controls work
|
||||
between the two environments. This difference is one that Samba can not completely hide, even
|
||||
though it does try to make the chasm transparent.
|
||||
</p><p>
|
||||
POSIX Access Control List technology has been available (along with Extended Attributes)
|
||||
for Unix for many years, yet there is little evidence today of any significant use. This
|
||||
explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
|
||||
administrators are astounded at this given that ACLs were a foundational capability of the now
|
||||
decade old MS Windows NT operating system.
|
||||
</p><p>
|
||||
The purpose of this chapter is to present each of the points of control that are possible with
|
||||
Samba-3 in the hope that this will help the network administrator to find the optimum method
|
||||
for delivering the best environment for MS Windows desktop users.
|
||||
</p><p>
|
||||
This is an opportune point to mention that it should be borne in mind that Samba was created to
|
||||
provide a means of interoperability and interchange of data between two operating environments
|
||||
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
|
||||
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
|
||||
What is available today extends well beyond early plans and expectations, yet the gap continues to
|
||||
shrink.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920239"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
Samba offers a lot of flexibility in file system access management. These are the key access control
|
||||
facilities present in Samba today:
|
||||
</p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
|
||||
<span class="emphasis"><em>Unix File and Directory Permissions</em></span>
|
||||
</p><p>
|
||||
Samba honours and implements Unix file system access controls. Users
|
||||
who access a Samba server will do so as a particular MS Windows user.
|
||||
This information is passed to the Samba server as part of the logon or
|
||||
connection setup process. Samba uses this user identity to validate
|
||||
whether or not the user should be given access to file system resources
|
||||
(files and directories). This chapter provides an overview for those
|
||||
to whom the Unix permissions and controls are a little strange or unknown.
|
||||
</p></li><li><p>
|
||||
<span class="emphasis"><em>Samba Share Definitions</em></span>
|
||||
</p><p>
|
||||
In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file
|
||||
the network administrator can exercise over-rides to native file
|
||||
system permissions and behaviours. This can be handy and convenient
|
||||
to affect behaviour that is more like what MS Windows NT users expect
|
||||
but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
|
||||
The basic options and techniques are described herein.
|
||||
</p></li><li><p>
|
||||
<span class="emphasis"><em>Samba Share ACLs</em></span>
|
||||
</p><p>
|
||||
Just like it is possible in MS Windows NT to set ACLs on shares
|
||||
themselves, so it is possible to do this in Samba.
|
||||
Very few people make use of this facility, yet it remains on of the
|
||||
easiest ways to affect access controls (restrictions) and can often
|
||||
do so with minimum invasiveness compared with other methods.
|
||||
</p></li><li><p>
|
||||
<span class="emphasis"><em>MS Windows ACLs through Unix POSIX ACLs</em></span>
|
||||
</p><p>
|
||||
The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying
|
||||
operating system supports them. If not, then this option will not be
|
||||
available to you. Current Unix technology platforms have native support
|
||||
for POSIX ACLs. There are patches for the Linux kernel that provide
|
||||
this also. Sadly, few Linux platforms ship today with native ACLs and
|
||||
Extended Attributes enabled. This chapter has pertinent information
|
||||
for users of platforms that support them.
|
||||
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920364"></a>File System Access Controls</h2></div></div><div></div></div><p>
|
||||
Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP
|
||||
implement a totally divergent file system technology from what is provided in the Unix operating system
|
||||
environment. Firstly we should consider what the most significant differences are, then we shall look
|
||||
at how Samba helps to bridge the differences.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920382"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p>
|
||||
Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions
|
||||
and permissions. It also means that if the MS Windows networking environment requires file system
|
||||
behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating
|
||||
that in a transparent and consistent manner.
|
||||
</p><p>
|
||||
It is good news that Samba does this to a very large extent and on top of that provides a high degree
|
||||
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
|
||||
but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
|
||||
to depths of control ability should review the <tt class="filename">smb.conf</tt> man page.
|
||||
</p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p>
|
||||
MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
|
||||
may be 1023 characters long. In MS Windows file extensions indicate particular file types,
|
||||
in Unix this is not so rigorously observed as all names are considered arbitrary.
|
||||
</p><p>
|
||||
What MS Windows calls a Folder, Unix calls a directory,
|
||||
</p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
|
||||
MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name
|
||||
and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case
|
||||
Insensitive.
|
||||
</p><p>
|
||||
Unix file and directory names are Case Sensitive and Case Preserving. Samba implements the
|
||||
MS Windows file name behaviour, but it does so as a user application. The Unix file system
|
||||
provides no mechanism to perform case insensitive file name lookups. MS Windows does this
|
||||
by default. This means that Samba has to carry the processing overhead to provide features
|
||||
that are NOT native to the Unix operating system environment.
|
||||
</p><p>
|
||||
Consider the following, all are unique Unix names but one single MS Windows file name:
|
||||
<tt class="computeroutput">
|
||||
MYFILE.TXT
|
||||
MyFile.txt
|
||||
myfile.txt
|
||||
</tt>
|
||||
So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix
|
||||
they can. So what should Samba do if all three are present? Answer, the one that is lexically
|
||||
first will be accessible to MS Windows users, the others are invisible and unaccessible - any
|
||||
other solution would be suicidal.
|
||||
</p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
|
||||
MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/'
|
||||
as it's directory delimiter. This is transparently handled by Samba.
|
||||
</p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
|
||||
MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent
|
||||
disk partitions. Unix has NO concept if separate identifiers for file partitions since each
|
||||
such file system is <tt class="filename">mounted</tt> to become part of the over-all directory tree.
|
||||
The Unix directory tree begins at '/', just like the root of a DOS drive is specified like
|
||||
<b class="command">C:\</b>.
|
||||
</p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
|
||||
MS Windows generally never experiences file names that begin with a '.', while in Unix these
|
||||
are commonly found in a user's home directory. Files that begin with a '.' are typically
|
||||
either start up files for various Unix applications, or they may be files that contain
|
||||
start-up configuration data.
|
||||
</p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
|
||||
MS Windows make use of "links and Short-Cuts" that are actually special types of files that will
|
||||
redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory
|
||||
links, but they are entirely different from what MS Windows users are used to.
|
||||
</p><p>
|
||||
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
|
||||
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
|
||||
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
|
||||
one physical file to be known simultaneously by more than one file name.
|
||||
</p></dd></dl></div><p>
|
||||
There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
|
||||
in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the
|
||||
purpose of Unix/Linux training/education.
|
||||
</p></div><div xmlns:ns30="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917299"></a>Managing Directories</h3></div></div><div></div></div><ns30:p>
|
||||
There are three basic operations for managing directories, <b class="command">create, delete, rename</b>.
|
||||
</ns30:p><div class="table"><a name="id2917317"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><ns30:p>
|
||||
</ns30:p></div><div xmlns:ns31="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917394"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
|
||||
The network administrator is strongly advised to read foundational training manuals and reference materials
|
||||
regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
|
||||
without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
|
||||
Attributes (EAs).
|
||||
</p><ns31:p>
|
||||
Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
|
||||
A Unix file listing looks as follows:-
|
||||
|
||||
</ns31:p><pre class="screen">
|
||||
<tt class="prompt">jht@frodo:~/stuff> </tt><b class="userinput"><tt>ls -la</tt></b>
|
||||
total 632
|
||||
drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
|
||||
drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 ..
|
||||
d--------- 2 jht users 48 2003-05-12 22:29 muchado00
|
||||
d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01
|
||||
dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02
|
||||
drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03
|
||||
drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04
|
||||
d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05
|
||||
dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06
|
||||
drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07
|
||||
drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08
|
||||
---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst
|
||||
---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst
|
||||
--w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst
|
||||
--wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst
|
||||
-r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst
|
||||
-r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst
|
||||
-rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
|
||||
-rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
|
||||
<tt class="prompt">jht@frodo:~/stuff></tt>
|
||||
</pre><ns31:p>
|
||||
</ns31:p><p>
|
||||
The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
|
||||
</p><ns31:p>
|
||||
The permissions field is made up of:
|
||||
|
||||
</ns31:p><pre class="programlisting">
|
||||
<i><span class="comment"> JRV: Put this into a diagram of some sort</span></i>
|
||||
[ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
|
||||
[ d | l ] [ r w x ] [ r w x ] [ r w x ]
|
||||
| | | | | | | | | | |
|
||||
| | | | | | | | | | |-----> Can Execute, List files
|
||||
| | | | | | | | | |-------> Can Write, Create files
|
||||
| | | | | | | | |---------> Can Read, Read files
|
||||
| | | | | | | |---------------> Can Execute, List files
|
||||
| | | | | | |-----------------> Can Write, Create files
|
||||
| | | | | |-------------------> Can Read, Read files
|
||||
| | | | |-------------------------> Can Execute, List files
|
||||
| | | |---------------------------> Can Write, Create files
|
||||
| | |-----------------------------> Can Read, Read files
|
||||
| |-----------------------------------> Is a symbolic Link
|
||||
|---------------------------------------> Is a directory
|
||||
</pre><ns31:p>
|
||||
</ns31:p><ns31:p>
|
||||
Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
|
||||
|
||||
</ns31:p><div class="example"><a name="id2917721"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
|
||||
-rwxr-x--- Means: The owner (user) can read, write, execute
|
||||
the group can read and execute
|
||||
everyone else can NOT do anything with it
|
||||
</pre></div><ns31:p>
|
||||
|
||||
</ns31:p><p>
|
||||
Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
|
||||
</p><p>
|
||||
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
|
||||
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
|
||||
sticky (t).
|
||||
</p><p>
|
||||
When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
|
||||
Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
|
||||
directories, such as /tmp, that are world-writable.
|
||||
</p><p>
|
||||
When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
|
||||
group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that
|
||||
all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
|
||||
to be exclusively owned by a user who's primary group is not the group that all such users belong to.
|
||||
</p><p>
|
||||
When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because
|
||||
the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
|
||||
directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
|
||||
group members will be able to write to (or delete) them.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917800"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
|
||||
The following parameters in the <tt class="filename">smb.conf</tt> file sections that define a share control or affect access controls.
|
||||
Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917828"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
|
||||
User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
|
||||
file system operations as if a single user is doing this, the use of the <i class="parameter"><tt>force user</tt></i> and
|
||||
<i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to affect a
|
||||
paranoia level of control to ensure that only particular authorised persons will be able to access a share or
|
||||
it's contents, here the use of the <i class="parameter"><tt>valid users</tt></i> or the <i class="parameter"><tt>invalid users</tt></i> may
|
||||
be most useful.
|
||||
</p><p>
|
||||
As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
|
||||
controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
|
||||
if that person finds too great a mess, or if they do not understand what you have done then there is risk of
|
||||
Samba being removed and an alternative solution being adopted.
|
||||
</p><div class="table"><a name="id2917887"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p>
|
||||
List of users who will be granted administrative privileges on the share.
|
||||
They will do all file operations as the super-user (root).
|
||||
Any user in this list will be able to do anything they like on the share,
|
||||
irrespective of file permissions.
|
||||
</p></td></tr><tr><td>force group</td><td><p>
|
||||
Specifies a UNIX group name that will be assigned as the default primary group
|
||||
for all users connecting to this service.
|
||||
</p></td></tr><tr><td>force user</td><td><p>
|
||||
Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
|
||||
This is useful for sharing files. Incorrect use can cause security problems.
|
||||
</p></td></tr><tr><td>guest ok</td><td><p>
|
||||
If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
|
||||
those of the guest account.
|
||||
</p></td></tr><tr><td>invalid users</td><td><p>
|
||||
List of users that should not be allowed to login to this service.
|
||||
</p></td></tr><tr><td>only user</td><td><p>
|
||||
Controls whether connections with usernames not in the user list will be allowed.
|
||||
</p></td></tr><tr><td>read list</td><td><p>
|
||||
List of users that are given read-only access to a service. Users in this list
|
||||
will not be given write access, no matter what the read only option is set to.
|
||||
</p></td></tr><tr><td>username</td><td><p>
|
||||
Refer to the <tt class="filename">smb.conf</tt> man page for more information - this is a complex and potentially misused parameter.
|
||||
</p></td></tr><tr><td>valid users</td><td><p>
|
||||
List of users that should be allowed to login to this service.
|
||||
</p></td></tr><tr><td>write list</td><td><p>
|
||||
List of users that are given read-write access to a service.
|
||||
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918100"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
|
||||
The following file and directory permission based controls, if misused, can result in considerable difficulty to
|
||||
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
|
||||
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
|
||||
re-introduce them in a controlled fashion.
|
||||
</p><div class="table"><a name="id2918120"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p>
|
||||
Refer to the <tt class="filename">smb.conf</tt> man page.
|
||||
</p></td></tr><tr><td>directory mask</td><td><p>
|
||||
The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
|
||||
See also: directory security mask.
|
||||
</p></td></tr><tr><td>dos filemode</td><td><p>
|
||||
Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
|
||||
</p></td></tr><tr><td>force create mode</td><td><p>
|
||||
This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
|
||||
</p></td></tr><tr><td>force directory mode</td><td><p>
|
||||
This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
|
||||
</p></td></tr><tr><td>force directory security mode</td><td><p>
|
||||
Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory
|
||||
</p></td></tr><tr><td>force security mode</td><td><p>
|
||||
Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
|
||||
</p></td></tr><tr><td>hide unreadable</td><td><p>
|
||||
Prevents clients from seeing the existence of files that cannot be read.
|
||||
</p></td></tr><tr><td>hide unwriteable files</td><td><p>
|
||||
Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
|
||||
</p></td></tr><tr><td>nt acl support</td><td><p>
|
||||
This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
|
||||
</p></td></tr><tr><td>security mask</td><td><p>
|
||||
Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
|
||||
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918346"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
|
||||
The following are documented because of the prevalence of administrators creating inadvertant barriers to file
|
||||
access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings.
|
||||
</p><div class="table"><a name="id2918367"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p>
|
||||
This means that all file name lookup will be done in a case sensitive manner.
|
||||
Files will be created with the precise filename Samba received from the MS Windows client.
|
||||
</p></td></tr><tr><td>csc policy</td><td><p>
|
||||
Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
|
||||
</p></td></tr><tr><td>dont descend</td><td><p>
|
||||
Allows to specify a comma-delimited list of directories that the server should always show as empty.
|
||||
</p></td></tr><tr><td>dos filetime resolution</td><td><p>
|
||||
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
|
||||
</p></td></tr><tr><td>dos filetimes</td><td><p>
|
||||
DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this.
|
||||
This options allows DOS and Windows behaviour.
|
||||
</p></td></tr><tr><td>fake oplocks</td><td><p>
|
||||
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
|
||||
oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
|
||||
</p></td></tr><tr><td>hide dot files, hide files, veto files</td><td><p>
|
||||
Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
|
||||
</p></td></tr><tr><td>read only</td><td><p>
|
||||
If this parameter is yes, then users of a service may not create or modify files in the service's directory.
|
||||
</p></td></tr><tr><td>veto files</td><td><p>
|
||||
List of files and directories that are neither visible nor accessible.
|
||||
</p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922930"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
|
||||
This section deals with how to configure Samba per share access control restrictions.
|
||||
By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
|
||||
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
|
||||
connect to a share. In the absence of specific restrictions the default setting is to allow
|
||||
the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read).
|
||||
</p><p>
|
||||
At this time Samba does NOT provide a tool for configuring access control setting on the Share
|
||||
itself. Samba does have the capacity to store and act on access control settings, but the only
|
||||
way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
|
||||
Computer Management.
|
||||
</p><p>
|
||||
Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
|
||||
The location of this file on your system will depend on how samba was compiled. The default location
|
||||
for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
|
||||
utility has been compiled and installed on your system, then you can examine the contents of this file
|
||||
by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923002"></a>Share Permissions Management</h3></div></div><div></div></div><p>
|
||||
The best tool for the task is platform dependant. Choose the best tool for your environment.
|
||||
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923015"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
|
||||
The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
|
||||
Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
|
||||
You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
|
||||
</p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p>
|
||||
Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer, then from the menu
|
||||
select <span class="guimenu">Computer</span>, then click on the <span class="guimenuitem">Shared Directories</span> entry.
|
||||
</p></li><li><p>
|
||||
Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on
|
||||
the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
|
||||
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923098"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
|
||||
On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native
|
||||
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
|
||||
then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
|
||||
Windows NT4/200x permission allows <span class="emphasis"><em>Everyone</em></span> Full Control on the Share.
|
||||
</p><p>
|
||||
MS Windows 200x and later all comes with a tool called the <span class="application">Computer Management</span> snap-in for the
|
||||
Microsoft Management Console (MMC). This tool is located by clicking on <tt class="filename">Control Panel ->
|
||||
Administrative Tools -> Computer Management</tt>.
|
||||
</p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p>
|
||||
After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>,
|
||||
select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
|
||||
to enter a domain login user identifier and a password. This will authenticate you to the domain.
|
||||
If you where already logged in with administrative privilege this step is not offered.
|
||||
</p></li><li><p>
|
||||
If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target
|
||||
Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to
|
||||
<span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the
|
||||
left panel.
|
||||
</p></li><li><p>
|
||||
Now in the right panel, double-click on the share you wish to set access control permissions on.
|
||||
Then click on the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
|
||||
to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
|
||||
wish to assign for each entry.
|
||||
</p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
|
||||
Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user
|
||||
then effectively no user will be able to access the share. This is a result of what is known as
|
||||
ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group
|
||||
<tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access.
|
||||
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923301"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923309"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings
|
||||
dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise
|
||||
the security of the UNIX host Samba is running on, and
|
||||
still obeys all the file permission rules that a Samba
|
||||
administrator can set.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
All access to Unix/Linux system file via Samba is controlled at
|
||||
the operating system file access control level. When trying to
|
||||
figure out file access problems it is vitally important to identify
|
||||
the identity of the Windows user as it is presented by Samba at
|
||||
the point of file access. This can best be determined from the
|
||||
Samba log files.
|
||||
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923347"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right
|
||||
mouse button on any file or directory in a Samba mounted
|
||||
drive letter or UNC path. When the menu pops-up, click
|
||||
on the <span class="guilabel">Properties</span> entry at the bottom of
|
||||
the menu. This brings up the file properties dialog
|
||||
box. Click on the tab <span class="guilabel">Security</span> and you
|
||||
will see three buttons, <span class="guibutton">Permissions</span>,
|
||||
<span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>.
|
||||
The <span class="guibutton">Auditing</span> button will cause either
|
||||
an error message <span class="errorname">A requested privilege is not held
|
||||
by the client</span> to appear if the user is not the
|
||||
NT Administrator, or a dialog which is intended to allow an
|
||||
Administrator to add auditing requirements to a file if the
|
||||
user is logged on as the NT Administrator. This dialog is
|
||||
non-functional with a Samba share at this time, as the only
|
||||
useful button, the <span class="guibutton">Add</span> button will not currently
|
||||
allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923426"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button
|
||||
brings up a dialog box telling you who owns the given file. The
|
||||
owner name will be of the form :</p><p><b class="command">"SERVER\user (Long name)"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
|
||||
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
|
||||
the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
|
||||
is the descriptive string identifying the user (normally found in the
|
||||
GECOS field of the UNIX password database). Click on the
|
||||
<span class="guibutton">Close </span> button to remove this dialog.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
|
||||
is set to <tt class="constant">false</tt> then the file owner will
|
||||
be shown as the NT user <tt class="constant">"Everyone"</tt>.</p><p>The <span class="guibutton">Take Ownership</span> button will not allow
|
||||
you to change the ownership of this file to yourself (clicking on
|
||||
it will display a dialog box complaining that the user you are
|
||||
currently logged onto the NT client cannot be found). The reason
|
||||
for this is that changing the ownership of a file is a privileged
|
||||
operation in UNIX, available only to the <span class="emphasis"><em>root</em></span>
|
||||
user. As clicking on this button causes NT to attempt to change
|
||||
the ownership of a file to the current user logged into the NT
|
||||
client this will not work with Samba at this time.</p><p>There is an NT chown command that will work with Samba
|
||||
and allow a user with Administrator privilege connected
|
||||
to a Samba server as root to change the ownership of
|
||||
files on both a local NTFS filesystem or remote mounted NTFS
|
||||
or Samba drive. This is available as part of the <span class="application">Seclib
|
||||
</span> NT security library written by Jeremy Allison of
|
||||
the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923548"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span>
|
||||
button. Clicking on this brings up a dialog box that shows both
|
||||
the permissions and the UNIX owner of the file or directory.
|
||||
The owner is displayed in the form :</p><p><b class="command">"<i class="replaceable"><tt>SERVER</tt></i>\
|
||||
<i class="replaceable"><tt>user</tt></i>
|
||||
<i class="replaceable"><tt>(Long name)</tt></i>"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
|
||||
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
|
||||
the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
|
||||
is the descriptive string identifying the user (normally found in the
|
||||
GECOS field of the UNIX password database).</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
|
||||
is set to <tt class="constant">false</tt> then the file owner will
|
||||
be shown as the NT user <tt class="constant">"Everyone"</tt> and the
|
||||
permissions will be shown as NT "Full Control".</p><p>The permissions field is displayed differently for files
|
||||
and directories, so I'll describe the way file permissions
|
||||
are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923639"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and
|
||||
the corresponding "read", "write", "execute" permissions
|
||||
triplets are mapped by Samba into a three element NT ACL
|
||||
with the 'r', 'w', and 'x' bits mapped into the corresponding
|
||||
NT permissions. The UNIX world permissions are mapped into
|
||||
the global NT group <tt class="constant">Everyone</tt>, followed
|
||||
by the list of permissions allowed for UNIX world. The UNIX
|
||||
owner and group permissions are displayed as an NT
|
||||
<span class="guiicon">user</span> icon and an NT <span class="guiicon">local
|
||||
group</span> icon respectively followed by the list
|
||||
of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common
|
||||
NT names such as <tt class="constant">read</tt>, <tt class="constant">
|
||||
"change"</tt> or <tt class="constant">full control</tt> then
|
||||
usually the permissions will be prefixed by the words <tt class="constant">
|
||||
"Special Access"</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed
|
||||
for a particular UNIX user group or world component ? In order
|
||||
to allow "no permissions" to be seen and modified then Samba
|
||||
overloads the NT <b class="command">"Take Ownership"</b> ACL attribute
|
||||
(which has no meaning in UNIX) and reports a component with
|
||||
no permissions as having the NT <b class="command">"O"</b> bit set.
|
||||
This was chosen of course to make it look like a zero, meaning
|
||||
zero permissions. More details on the decision behind this will
|
||||
be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923731"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
|
||||
different sets of permissions. The first set of permissions
|
||||
is the ACL set on the directory itself, this is usually displayed
|
||||
in the first set of parentheses in the normal <tt class="constant">"RW"</tt>
|
||||
NT style. This first set of permissions is created by Samba in
|
||||
exactly the same way as normal file permissions are, described
|
||||
above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning
|
||||
in the UNIX permissions world and represents the <tt class="constant">
|
||||
inherited</tt> permissions that any file created within
|
||||
this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by
|
||||
returning as an NT ACL the UNIX permission mode that a new file
|
||||
created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923776"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
|
||||
as changing the displayed permissions in the dialog box, and
|
||||
clicking the <span class="guibutton">OK</span> button. However, there are
|
||||
limitations that a user needs to be aware of, and also interactions
|
||||
with the standard Samba permission masks and mapping of DOS
|
||||
attributes that need to also be taken into account.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
|
||||
is set to <tt class="constant">false</tt> then any attempt to set
|
||||
security permissions will fail with an <span class="errorname">"Access Denied"
|
||||
</span> message.</p><p>The first thing to note is that the <span class="guibutton">"Add"</span>
|
||||
button will not return a list of users in Samba (it will give
|
||||
an error message of <span class="errorname">The remote procedure call failed
|
||||
and did not execute</span>). This means that you can only
|
||||
manipulate the current user/group/world permissions listed in
|
||||
the dialog box. This actually works quite well as these are the
|
||||
only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
|
||||
is removed from the list of permissions in the NT dialog box,
|
||||
then when the <span class="guibutton">OK</span> button is pressed it will
|
||||
be applied as "no permissions" on the UNIX side. If you then
|
||||
view the permissions again the "no permissions" entry will appear
|
||||
as the NT <b class="command">"O"</b> flag, as described above. This
|
||||
allows you to add permissions back to a file or directory once
|
||||
you have removed them from a triplet component.</p><p>As UNIX supports only the "r", "w" and "x" bits of
|
||||
an NT ACL then if other NT security attributes such as "Delete
|
||||
access" are selected then they will be ignored when applied on
|
||||
the Samba server.</p><p>When setting permissions on a directory the second
|
||||
set of permissions (in the second set of parentheses) is
|
||||
by default applied to all files within that directory. If this
|
||||
is not what you want you must uncheck the <span class="guilabel">Replace
|
||||
permissions on existing files</span> checkbox in the NT
|
||||
dialog before clicking <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a
|
||||
user/group/world component then you may either highlight the
|
||||
component and click the <span class="guibutton">Remove</span> button,
|
||||
or set the component to only have the special <tt class="constant">Take
|
||||
Ownership</tt> permission (displayed as <b class="command">"O"
|
||||
</b>) highlighted.</p></div><div xmlns:ns32="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923928"></a>Interaction with the standard Samba create mask
|
||||
parameters</h3></div></div><div></div></div><ns32:p>There are four parameters
|
||||
to control interaction with the standard Samba create mask parameters.
|
||||
These are :
|
||||
|
||||
</ns32:p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><ns32:p>
|
||||
|
||||
</ns32:p><p>Once a user clicks <span class="guibutton">OK</span> to apply the
|
||||
permissions Samba maps the given permissions into a user/group/world
|
||||
r/w/x triplet set, and then will check the changed permissions for a
|
||||
file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top">
|
||||
<i class="parameter"><tt>security mask</tt></i></a> parameter. Any bits that
|
||||
were changed that are not set to '1' in this parameter are left alone
|
||||
in the file permissions.</p><p>Essentially, zero bits in the <i class="parameter"><tt>security mask</tt></i>
|
||||
mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
|
||||
allowed to change, and one bits are those the user is allowed to change.
|
||||
</p><p>If not set explicitly this parameter is set to the same value as
|
||||
the <a href="smb.conf.5.html#CREATEMASK" target="_top"><i class="parameter"><tt>create mask
|
||||
</tt></i></a> parameter. To allow a user to modify all the
|
||||
user/group/world permissions on a file, set this parameter
|
||||
to 0777.</p><p>Next Samba checks the changed permissions for a file against
|
||||
the bits set in the <a href="smb.conf.5.html#FORCESECURITYMODE" target="_top">
|
||||
<i class="parameter"><tt>force security mode</tt></i></a> parameter. Any bits
|
||||
that were changed that correspond to bits set to '1' in this parameter
|
||||
are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode
|
||||
</tt></i> parameter may be treated as a set of bits that, when
|
||||
modifying security on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to the same value
|
||||
as the <a href="smb.conf.5.html#FORCECREATEMODE" target="_top"><i class="parameter"><tt>force
|
||||
create mode</tt></i></a> parameter.
|
||||
To allow a user to modify all the user/group/world permissions on a file
|
||||
with no restrictions set this parameter to 000.</p><p>The <i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force
|
||||
security mode</tt></i> parameters are applied to the change
|
||||
request in that order.</p><p>For a directory Samba will perform the same operations as
|
||||
described above for a file except using the parameter <i class="parameter"><tt>
|
||||
directory security mask</tt></i> instead of <i class="parameter"><tt>security
|
||||
mask</tt></i>, and <i class="parameter"><tt>force directory security mode
|
||||
</tt></i> parameter instead of <i class="parameter"><tt>force security mode
|
||||
</tt></i>.</p><p>The <i class="parameter"><tt>directory security mask</tt></i> parameter
|
||||
by default is set to the same value as the <i class="parameter"><tt>directory mask
|
||||
</tt></i> parameter and the <i class="parameter"><tt>force directory security
|
||||
mode</tt></i> parameter by default is set to the same value as
|
||||
the <i class="parameter"><tt>force directory mode</tt></i> parameter. </p><p>In this way Samba enforces the permission restrictions that
|
||||
an administrator can set on a Samba share, whilst still allowing users
|
||||
to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control
|
||||
in modifying the permission bits on their files and directories and
|
||||
doesn't force any particular bits to be set 'on', then set the following
|
||||
parameters in the <tt class="filename">smb.conf</tt> file in that share specific section :
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924258"></a>Interaction with the standard Samba file attribute
|
||||
mapping</h3></div></div><div></div></div><p>Samba maps some of the DOS attribute bits (such as "read
|
||||
only") into the UNIX permissions of a file. This means there can
|
||||
be a conflict between the permission bits set via the security
|
||||
dialog and the permission bits set by the file attribute mapping.
|
||||
</p><p>One way this can show up is if a file has no UNIX read access
|
||||
for the owner it will show up as "read only" in the standard
|
||||
file attributes tabbed dialog. Unfortunately this dialog is
|
||||
the same one that contains the security info in another tab.</p><p>What this can mean is that if the owner changes the permissions
|
||||
to allow themselves read access using the security dialog, clicks
|
||||
<span class="guibutton">OK</span> to get back to the standard attributes tab
|
||||
dialog, and then clicks <span class="guibutton">OK</span> on that dialog, then
|
||||
NT will set the file permissions back to read-only (as that is what
|
||||
the attributes still say in the dialog). This means that after setting
|
||||
permissions and clicking <span class="guibutton">OK</span> to get back to the
|
||||
attributes dialog you should always hit <span class="guibutton">Cancel</span>
|
||||
rather than <span class="guibutton">OK</span> to ensure that your changes
|
||||
are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924333"></a>Common Errors</h2></div></div><div></div></div><p>
|
||||
File, Directory and Share access problems are very common on the mailing list. The following
|
||||
are examples taken from the mailing list in recent times.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924347"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
|
||||
“<span class="quote">
|
||||
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
|
||||
and there's a public share, on which everyone needs to have permission to create / modify files, but only
|
||||
root can change the file, no one else can. We need to constantly go to server to
|
||||
<b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file.
|
||||
</span>”
|
||||
</p><p>
|
||||
There are many ways to solve this problem, here are a few hints:
|
||||
</p><div class="procedure"><p class="title"><b>Procedure 13.3. Example Solution:</b></p><ol type="1"><li><p>
|
||||
Go to the top of the directory that is shared
|
||||
</p></li><li xmlns:ns33=""><ns33:p>
|
||||
Set the ownership to what ever public owner and group you want
|
||||
</ns33:p><pre class="programlisting">
|
||||
find 'directory_name' -type d -exec chown user.group {}\;
|
||||
find 'directory_name' -type d -exec chmod 6775 'directory_name'
|
||||
find 'directory_name' -type f -exec chmod 0775 {} \;
|
||||
find 'directory_name' -type f -exec chown user.group {}\;
|
||||
</pre><ns33:p>
|
||||
</ns33:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
The above will set the 'sticky bit' on all directories. Read your
|
||||
Unix/Linux man page on what that does. It causes the OS to assign
|
||||
to all files created in the directories the ownership of the
|
||||
directory.
|
||||
</p></div></li><li xmlns:ns34=""><ns34:p>
|
||||
|
||||
Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
|
||||
</ns34:p><pre class="screen">
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
|
||||
</pre><ns34:p>
|
||||
</ns34:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><ns34:p>
|
||||
</ns34:p><p>This is the same as doing:</p><ns34:p>
|
||||
</ns34:p><pre class="screen">
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
|
||||
</pre><ns34:p>
|
||||
</ns34:p></div></li><li xmlns:ns35=""><ns35:p>Now do:
|
||||
|
||||
</ns35:p><pre class="screen">
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
|
||||
</pre><ns35:p>
|
||||
|
||||
</ns35:p><ns35:p>You should see:
|
||||
</ns35:p><pre class="screen">
|
||||
drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
|
||||
</pre><ns35:p>
|
||||
</ns35:p></li><li xmlns:ns36=""><ns36:p>Now do:
|
||||
</ns36:p><pre class="screen">
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
|
||||
</pre><ns36:p>
|
||||
</ns36:p><ns36:p>
|
||||
You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
|
||||
and permissions of Jack, as follows:
|
||||
</ns36:p><pre class="screen">
|
||||
-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
|
||||
</pre><ns36:p>
|
||||
</ns36:p></li><li xmlns:ns37=""><ns37:p>
|
||||
Now in your <tt class="filename">smb.conf</tt> for the share add:
|
||||
</ns37:p><pre class="programlisting">
|
||||
force create mode = 0775
|
||||
force directory mode = 6775
|
||||
</pre><ns37:p>
|
||||
</ns37:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group
|
||||
you have used. ie: Within the OS do not have write permission on the directory.
|
||||
</p></div><ns37:p>
|
||||
An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
|
||||
</ns37:p><pre class="programlisting">
|
||||
force user = jack
|
||||
force group = engr
|
||||
</pre><ns37:p>
|
||||
</ns37:p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924726"></a>I have set force user and Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files
|
||||
I touch!</h3></div></div><div></div></div><p>
|
||||
When you have a user in 'admin users', Samba will always do file operations for
|
||||
this user as <span class="emphasis"><em>root</em></span>, even if <i class="parameter"><tt>force user</tt></i> has been set.
|
||||
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Mapping MS Windows and Unix Groups </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html>
|
@ -1,225 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2982630">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2982661">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2981342">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2981359">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2981560">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2981755">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2981788">Common Errors</a></dt></dl></div><p>
|
||||
This section documents peripheral issues that are of great importance to network
|
||||
administrators who want to improve network resource access control, to automate the user
|
||||
environment, and to make their lives a little easier.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982630"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
Often the difference between a working network environment and a well appreciated one can
|
||||
best be measured by the <span class="emphasis"><em>little things</em></span> that makes everything work more
|
||||
harmoniously. A key part of every network environment solution is the ability to remotely
|
||||
manage MS Windows workstations, to remotely access the Samba server, to provide customised
|
||||
logon scripts, as well as other house keeping activities that help to sustain more reliable
|
||||
network operations.
|
||||
</p><p>
|
||||
This chapter presents information on each of these area. They are placed here, and not in
|
||||
other chapters, for ease of reference.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982661"></a>Remote Server Administration</h2></div></div><div></div></div><p>
|
||||
<span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span>
|
||||
</p><p>
|
||||
Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains',
|
||||
the 'Server Manager'?
|
||||
</p><p>
|
||||
Microsoft distributes a version of these tools called nexus for installation
|
||||
on <span class="application">Windows 9x / Me</span> systems. The tools set includes:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Server Manager</td></tr><tr><td>User Manager for Domains</td></tr><tr><td>Event Viewer</td></tr></table><p>
|
||||
Click here to download the archived file <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</a>
|
||||
</p><p>
|
||||
The <span class="application">Windows NT 4.0</span> version of the 'User Manager for
|
||||
Domains' and 'Server Manager' are available from Microsoft via ftp
|
||||
from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a>
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981342"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
|
||||
There are a number of possible remote desktop management solutions that range from free
|
||||
through costly. Do not let that put you off. Sometimes the most costly solutions is the
|
||||
most cost effective. In any case, you will need to draw your own conclusions as to which
|
||||
is the best tool in your network environment.
|
||||
</p><div xmlns:ns78="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981359"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
|
||||
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
|
||||
It is presented in slightly edited form (with author details omitted for privacy reasons).
|
||||
The entire answer is reproduced below with some comments removed.
|
||||
</p><ns78:p>
|
||||
</ns78:p><pre class="screen">
|
||||
> I have a wonderful linux/samba server running as PDC for a network.
|
||||
> Now I would like to add remote desktop capabilities so that
|
||||
> users outside could login to the system and get their desktop up from
|
||||
> home or another country..
|
||||
>
|
||||
> Is there a way to accomplish this? Do I need a windows terminal server?
|
||||
> Do I need to configure it so that it is a member of the domain or a
|
||||
> BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
|
||||
> even if the computer is in a domain?
|
||||
>
|
||||
> Any ideas/experience would be appreciated :)
|
||||
</pre><ns78:p>
|
||||
</ns78:p><p>
|
||||
Answer provided: Check out the new offer from NoMachine, "NX" software:
|
||||
<a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>.
|
||||
</p><p>
|
||||
It implements a very easy-to-use interface to the remote X protocol as
|
||||
well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
|
||||
performance much better than anything you may have ever seen...
|
||||
</p><p>
|
||||
Remote X is not new at all -- but what they did achieve successfully is
|
||||
a new way of compression and caching technologies which makes the thing
|
||||
fast enough to run even over slow modem/ISDN connections.
|
||||
</p><p>
|
||||
I could test drive their (public) RedHat machine in Italy, over a loaded
|
||||
internet connection, with enabled thumbnail previews in KDE konqueror
|
||||
which popped up immediately on "mouse-over". From inside that (remote X)
|
||||
session I started a rdesktop session on another, a Windows XP machine.
|
||||
To test the performance, I played Pinball. I am proud to announce here
|
||||
that my score was 631750 points at first try...
|
||||
</p><p>
|
||||
NX performs better on my local LAN than any of the other "pure"
|
||||
connection methods I am using from time to time: TightVNC, rdesktop or
|
||||
remote X. It is even faster than a direct crosslink connection between
|
||||
two nodes.
|
||||
</p><p>
|
||||
I even got sound playing from the remote X app to my local boxes, and
|
||||
had a working "copy'n'paste" from an NX window (running a KDE session
|
||||
in Italy) to my Mozilla mailing agent... These guys are certainly doing
|
||||
something right!
|
||||
</p><p>
|
||||
I recommend to test drive NX to anybody with a only a remote interest
|
||||
in remote computing
|
||||
<a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>.
|
||||
</p><p>
|
||||
Just download the free of charge client software (available for RedHat,
|
||||
SuSE, Debian and Windows) and be up and running within 5 minutes (they
|
||||
need to send you your account data, though, because you are assigned
|
||||
a real Unix account on their testdrive.nomachine.com box...
|
||||
</p><p>
|
||||
They plan to get to the point were you can have NX application servers
|
||||
running as a cluster of nodes, and users simply start an NX session locally,
|
||||
and can select applications to run transparently (apps may even run on
|
||||
another NX node, but pretend to be on the same as used for initial login,
|
||||
because it displays in the same window.... well, you also can run it
|
||||
fullscreen, and after a short time you forget that it is a remote session
|
||||
at all).
|
||||
</p><p>
|
||||
Now the best thing at the end: all the core compression and caching
|
||||
technologies are released under the GPL and available as source code
|
||||
to anybody who wants to build on it! These technologies are working,
|
||||
albeit started from the command line only (and very inconvenient to
|
||||
use in order to get a fully running remote X session up and running....)
|
||||
</p><p>
|
||||
To answer your questions:
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
You don't need to install a terminal server; XP has RDP support built in.
|
||||
</p></li><li><p>
|
||||
NX is much cheaper than Citrix -- and comparable in performance, probably faster
|
||||
</p></li><li><p>
|
||||
You don't need to hack XP -- it just works
|
||||
</p></li><li><p>
|
||||
You log into the XP box from remote transparently (and I think there is no
|
||||
need to change anything to get a connection, even if authentication is against a domain)
|
||||
</p></li><li><p>
|
||||
The NX core technologies are all Open Source and released under the GPL --
|
||||
you can today use a (very inconvenient) commandline to use it at no cost,
|
||||
but you can buy a comfortable (proprietary) NX GUI frontend for money
|
||||
</p></li><li><p>
|
||||
NoMachine are encouraging and offering help to OSS/Free Software implementations
|
||||
for such a frontend too, even if it means competition to them (they have written
|
||||
to this effect even to the LTSP, KDE and GNOME developer mailing lists)
|
||||
</p></li></ul></div></div></div><div xmlns:ns79="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981560"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
|
||||
This section needs work. Volunteer contributions most welcome. Please send your patches or updates
|
||||
to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>.
|
||||
</p><p>
|
||||
There are several opportunities for creating a custom network startup configuration environment.
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
|
||||
a custom Logon Script and then execute it.</td></tr><tr><td>User of a tool such as KixStart</td></tr></table><p>
|
||||
The Samba source code tree includes two logon script generation/execution tools.
|
||||
See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and
|
||||
<tt class="filename">ntlogon</tt> subdirectories.
|
||||
</p><p>
|
||||
The following listings are from the genlogon directory.
|
||||
</p><ns79:p>
|
||||
This is the <tt class="filename">genlogon.pl</tt> file:
|
||||
|
||||
</ns79:p><pre class="programlisting">
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# genlogon.pl
|
||||
#
|
||||
# Perl script to generate user logon scripts on the fly, when users
|
||||
# connect from a Windows client. This script should be called from smb.conf
|
||||
# with the %U, %G and %L parameters. I.e:
|
||||
#
|
||||
# root preexec = genlogon.pl %U %G %L
|
||||
#
|
||||
# The script generated will perform
|
||||
# the following:
|
||||
#
|
||||
# 1. Log the user connection to /var/log/samba/netlogon.log
|
||||
# 2. Set the PC's time to the Linux server time (which is maintained
|
||||
# daily to the National Institute of Standard's Atomic clock on the
|
||||
# internet.
|
||||
# 3. Connect the user's home drive to H: (H for Home).
|
||||
# 4. Connect common drives that everyone uses.
|
||||
# 5. Connect group-specific drives for certain user groups.
|
||||
# 6. Connect user-specific drives for certain users.
|
||||
# 7. Connect network printers.
|
||||
|
||||
# Log client connection
|
||||
#($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
|
||||
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
|
||||
open LOG, ">>/var/log/samba/netlogon.log";
|
||||
print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
|
||||
close LOG;
|
||||
|
||||
# Start generating logon script
|
||||
open LOGON, ">/shared/netlogon/$ARGV[0].bat";
|
||||
print LOGON "\@ECHO OFF\r\n";
|
||||
|
||||
# Connect shares just use by Software Development group
|
||||
if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
|
||||
{
|
||||
print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
|
||||
}
|
||||
|
||||
# Connect shares just use by Technical Support staff
|
||||
if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
|
||||
{
|
||||
print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
|
||||
}
|
||||
|
||||
# Connect shares just used by Administration staff
|
||||
If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
|
||||
{
|
||||
print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
|
||||
print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
|
||||
}
|
||||
|
||||
# Now connect Printers. We handle just two or three users a little
|
||||
# differently, because they are the exceptions that have desktop
|
||||
# printers on LPT1: - all other user's go to the LaserJet on the
|
||||
# server.
|
||||
if ($ARGV[0] eq 'jim'
|
||||
|| $ARGV[0] eq 'yvonne')
|
||||
{
|
||||
print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
|
||||
print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
|
||||
print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
|
||||
}
|
||||
|
||||
# All done! Close the output file.
|
||||
close LOGON;
|
||||
</pre><ns79:p>
|
||||
</ns79:p><p>
|
||||
Those wishing to use more elaborate or capable logon processing system should check out the following sites:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981755"></a>Adding printers without user intervention</h3></div></div><div></div></div><ns79:p>
|
||||
Printers may be added automatically during logon script processing through the use of:
|
||||
|
||||
</ns79:p><pre class="programlisting">
|
||||
rundll32 printui.dll,PrintUIEntry /?
|
||||
</pre><ns79:p>
|
||||
|
||||
See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>.
|
||||
</ns79:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981788"></a>Common Errors</h2></div></div><div></div></div><p>
|
||||
The information provided in this chapter has been reproduced from postings on the samba@samba.org
|
||||
mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
|
||||
their own evaluation of alternatives and are encouraged to draw their own conclusions.
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Integrated Logon Support using Winbind </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. System and Account Policies</td></tr></table></div></body></html>
|
@ -1,5 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. <a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3008244">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3008251">Introduction</a></dt><dt><a href="compiling.html#id3008280">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3009749">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3009796">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3009932">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3010069">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3010964">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3011056">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3011260">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3011355">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3012634">HPUX</a></dt><dt><a href="Portability.html#id3012719">SCO Unix</a></dt><dt><a href="Portability.html#id3012747">DNIX</a></dt><dt><a href="Portability.html#id3012917">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3012960">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3012967">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3012993">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3013000">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013776">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3013848">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013855">How can I configure OS/2 Warp Connect or
|
||||
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3013471">How can I configure OS/2 Warp 3 (not Connect),
|
||||
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3013530">How do I get printer driver download working
|
||||
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013628">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013090">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3013179">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3013210">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3013255">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3013285">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3013303">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013349">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3014379">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3014403">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3014514">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3016725">Comparisons</a></dt><dt><a href="speed.html#id3014565">Socket options</a></dt><dt><a href="speed.html#id3014636">Read size</a></dt><dt><a href="speed.html#id3014680">Max xmit</a></dt><dt><a href="speed.html#id3014732">Log level</a></dt><dt><a href="speed.html#id3014755">Read raw</a></dt><dt><a href="speed.html#id3014811">Write raw</a></dt><dt><a href="speed.html#id3014853">Slow Logins</a></dt><dt><a href="speed.html#id3015761">Client tuning</a></dt><dt><a href="speed.html#id3015784">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3015817">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3016535">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3015954">Websites</a></dt><dt><a href="Further-Resources.html#id3016336">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3016404">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html>
|
@ -1,14 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id2999976">Note</a></dt><dt><a href="Backup.html#id2999997">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999976"></a>Note</h2></div></div><div></div></div><p>
|
||||
This chapter did not make it into this release.
|
||||
It is planned for the published release of this document.
|
||||
If you have something to contribute for this section please email it to
|
||||
<a href="">jht@samba.org</a>/
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999997"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
We need feedback from people who are backing up samba servers.
|
||||
We would like to know what software tools you are using to backup
|
||||
your samba server/s.
|
||||
</p><p>
|
||||
In particular, if you have any success and / or failure stories you could
|
||||
share with other users this would be appreciated.
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. High Availability Options</td></tr></table></div></body></html>
|
File diff suppressed because it is too large
Load Diff
@ -1,5 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901302">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901302"></a>Note</h2></div></div><div></div></div><p>
|
||||
This chapter did not make it into this release.
|
||||
It is planned for the published release of this document.
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-Alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>
|
@ -1,5 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3016535">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016535"></a>Note</h2></div></div><div></div></div><p>
|
||||
This chapter did not make it into this release.
|
||||
It is planned for the published release of this document.
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html>
|
@ -1,5 +1,4 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886380">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886380"></a>Note</h2></div></div><div></div></div><p>
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2884787">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884787"></a>Note</h2></div></div><div></div></div><p>
|
||||
This chapter did not make it into this release.
|
||||
It is planned for the published release of this document.
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
|
||||
|
@ -1,101 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3015954">Websites</a></dt><dt><a href="Further-Resources.html#id3016336">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3016404">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015954"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
<a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top">
|
||||
<span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by "Hobbit"</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://afr.com/it/2002/10/01/FFXDF43AP6D.html" target="_top">
|
||||
<span class="emphasis"><em>Doing the Samba on Windows</em></span> by Financial Review
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://ubiqx.org/cifs/" target="_top">
|
||||
<span class="emphasis"><em>Implementing CIFS</em></span> by Christopher R. Hertel
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://samba.anu.edu.au/cifs/docs/what-is-smb.html" target="_top">
|
||||
<span class="emphasis"><em>Just What Is SMB?</em></span> by Richard Sharpe
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.linux-mag.com/1999-05/samba_01.html" target="_top">
|
||||
<span class="emphasis"><em>Opening Windows Everywhere</em></span> by Mike Warfield
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.tldp.org/HOWTO/SMB-HOWTO.html" target="_top">
|
||||
<span class="emphasis"><em>SMB HOWTO</em></span> by David Wood
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.phrack.org/phrack/60/p60-0x0b.txt" target="_top">
|
||||
<span class="emphasis"><em>SMB/CIFS by The Root</em></span> by "ledin"
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.linux-mag.com/1999-09/samba_01.html" target="_top">
|
||||
<span class="emphasis"><em>The Story of Samba</em></span> by Christopher R. Hertel
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://hr.uoregon.edu/davidrl/samba/" target="_top">
|
||||
<span class="emphasis"><em>The Unofficial Samba HOWTO</em></span> by David Lechnyr
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
|
||||
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span> by Christopher R. Hertel
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.linux-mag.com/2002-02/samba_01.html" target="_top">
|
||||
<span class="emphasis"><em>Using Samba as a PDC</em></span> by Andrew Bartlett
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf" target="_top">
|
||||
<span class="emphasis"><em>PDF version of the Troubleshooting Techniques chapter</em></span>
|
||||
from the second edition of Sam's Teach Yourself Samba in 24 Hours
|
||||
(publishing date of Dec. 12, 2001)</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://ru.samba.org/samba/ftp/slides/" target="_top">
|
||||
<span class="emphasis"><em>Slide presentations</em></span> by Samba Team members
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top">
|
||||
<span class="emphasis"><em>Introduction to Samba 3.0</em></span> by Motonobu Takahashi
|
||||
(written in Japanese). </a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
|
||||
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span>, by team member
|
||||
Chris Hertel. This article appeared in the May 2001 issue of
|
||||
Linux Magazine.
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="ftp://ftp.stratus.com/pub/vos/customers/samba/" target="_top">
|
||||
<span class="emphasis"><em>Samba 2.0.x Troubleshooting guide</em></span> from Paul Green
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://samba.org/samba/docs/10years.html" target="_top">
|
||||
<span class="emphasis"><em>Ten Years of Samba</em></span>
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html" target="_top">
|
||||
<span class="emphasis"><em>Samba Authenticated Gateway HOWTO</em></span>
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://samba.org/samba/docs/SambaIntro.html" target="_top">
|
||||
<span class="emphasis"><em>An Introduction to Samba</em></span>
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://www.samba.org/cifs/" target="_top">
|
||||
<span class="emphasis"><em>What is CIFS?</em></span>
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
|
||||
<span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager
|
||||
Security</em></span> at Microsoft Knowledge Base
|
||||
</a>
|
||||
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016336"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
|
||||
<span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span>
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
|
||||
<span class="emphasis"><em>Windows '95 File Sharing Updates</em></span>
|
||||
</a>
|
||||
</p></li><li><p>
|
||||
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
|
||||
<span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span>
|
||||
</a>
|
||||
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016404"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
|
@ -1,176 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:mimir@samba.org">mimir@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2929505">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2929534">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2929617">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2929629">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2931604">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2931642">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2931669">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2931795">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2929173">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2929188">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p>
|
||||
Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
|
||||
will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
|
||||
adopt Active Directory or an LDAP based authentication back end. This section explains
|
||||
some background information regarding trust relationships and how to create them. It is now
|
||||
possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929505"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
|
||||
trust relationships. This imparts to Samba similar scalability as is possible with
|
||||
MS Windows NT4.
|
||||
</p><p>
|
||||
Given that Samba-3 has the capability to function with a scalable backend authentication
|
||||
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
|
||||
modes, the administrator would be well advised to consider alternatives to the use of
|
||||
Interdomain trusts simply because by the very nature of how this works it is fragile.
|
||||
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929534"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
|
||||
MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
|
||||
The limitations of this architecture as it affects the scalability of MS Windows networking
|
||||
in large organisations is well known. Additionally, the flat-name space that results from
|
||||
this design significantly impacts the delegation of administrative responsibilities in
|
||||
large and diverse organisations.
|
||||
</p><p>
|
||||
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
|
||||
of circumventing the limitations of the older technologies. Not every organisation is ready
|
||||
or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
|
||||
is quite adequate, there thus remains an entrenched user base for whom there is no direct
|
||||
desire to go through a disruptive change to adopt ADS.
|
||||
</p><p>
|
||||
Microsoft introduced with MS Windows NT the ability to allow differing security domains
|
||||
to affect a mechanism so that users from one domain may be given access rights and privileges
|
||||
in another domain. The language that describes this capability is couched in terms of
|
||||
<span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
|
||||
from another domain. The domain from which users are available to another security domain is
|
||||
said to be a trusted domain. The domain in which those users have assigned rights and privileges
|
||||
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
|
||||
thus if users in both domains are to have privileges and rights in each others' domain, then it is
|
||||
necessary to establish two (2) relationships, one in each direction.
|
||||
</p><p>
|
||||
In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
|
||||
are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
|
||||
relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
|
||||
implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
|
||||
transitive.
|
||||
</p><p>
|
||||
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
|
||||
by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
|
||||
domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
|
||||
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
|
||||
style Interdomain trusts and interoperates with MS Windows 200x ADS
|
||||
security domains in similar manner to MS Windows NT4 style domains.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929617"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
|
||||
There are two steps to creating an interdomain trust relationship.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929629"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p>
|
||||
For MS Windows NT4, all domain trust relationships are configured using the
|
||||
<span class="application">Domain User Manager</span>. To affect a two way trust relationship it is
|
||||
necessary for each domain administrator to make available (for use by an external domain) it's
|
||||
security resources. This is done from the Domain User Manager Policies entry on the menu bar.
|
||||
From the <span class="guimenu">Policy</span> menu, select <span class="guimenuitem">Trust Relationships</span>, then
|
||||
next to the lower box that is labelled <span class="guilabel">Permitted to Trust this Domain</span> are two
|
||||
buttons, <span class="guibutton">Add</span> and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span>
|
||||
button will open a panel in which needs to be entered the remote domain that will be able to assign
|
||||
user rights to your domain. In addition it is necessary to enter a password
|
||||
that is specific to this trust relationship. The password needs to be
|
||||
typed twice (for standard confirmation).
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931604"></a>NT4 as the Trusted Domain (ie. creating trusted account's password)</h3></div></div><div></div></div><p>
|
||||
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
|
||||
with the trusted domain. To consummate the trust relationship the administrator will launch the
|
||||
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
|
||||
<span class="guibutton">Add</span> button that is next to the box that is labelled
|
||||
<span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote
|
||||
domain as well as the password assigned to that trust.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931642"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
|
||||
This description is meant to be a fairly short introduction about how to set up a Samba server so
|
||||
that it could participate in interdomain trust relationships. Trust relationship support in Samba
|
||||
is in its early stage, so lot of things don't work yet.
|
||||
</p><p>
|
||||
Each of the procedures described below is treated as they were performed with Windows NT4 Server on
|
||||
one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
|
||||
reading this document, that combining Samba-specific parts of what's written below leads to trust
|
||||
between domains in purely Samba environment.
|
||||
</p><div xmlns:ns44="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931669"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p>
|
||||
In order to set the Samba PDC to be the trusted party of the relationship first you need
|
||||
to create special account for the domain that will be the trusting party. To do that,
|
||||
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
|
||||
similar to creating a trusted machine account. Suppose, your domain is
|
||||
called SAMBA, and the remote domain is called RUMBA. The first step
|
||||
will be to issue this command from your favourite shell:
|
||||
</p><ns44:p>
|
||||
</ns44:p><pre class="screen">
|
||||
<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
|
||||
New SMB password: XXXXXXXX
|
||||
Retype SMB password: XXXXXXXX
|
||||
Added user rumba$
|
||||
</pre><ns44:p>
|
||||
|
||||
where <tt class="option">-a</tt> means to add a new account into the
|
||||
passdb database and <tt class="option">-i</tt> means: ''create this
|
||||
account with the InterDomain trust flag''
|
||||
</ns44:p><p>
|
||||
The account name will be 'rumba$' (the name of the remote domain)
|
||||
</p><p>
|
||||
After issuing this command you'll be asked to enter the password for
|
||||
the account. You can use any password you want, but be aware that Windows NT will
|
||||
not change this password until 7 days following account creation.
|
||||
After the command returns successfully, you can look at the entry for the new account
|
||||
(in the standard way depending on your configuration) and see that account's name is
|
||||
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
|
||||
the trust by establishing it from Windows NT Server.
|
||||
</p><p>
|
||||
Open <span class="application">User Manager for Domains</span> and from menu
|
||||
<span class="guimenu">Policies</span> select <span class="guimenuitem">Trust Relationships...</span>.
|
||||
Right beside <span class="guilabel">Trusted domains</span> list box press the
|
||||
<span class="guimenu">Add...</span> button. You will be prompted for
|
||||
the trusted domain name and the relationship password. Type in SAMBA, as this is
|
||||
your domain name, and the password used at the time of account creation.
|
||||
Press OK and, if everything went without incident, you will see
|
||||
<tt class="computeroutput">Trusted domain relationship successfully
|
||||
established</tt> message.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931795"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p>
|
||||
This time activities are somewhat reversed. Again, we'll assume that your domain
|
||||
controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
|
||||
</p><p>
|
||||
The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.
|
||||
</p><p>
|
||||
Launch the <span class="application">Domain User Manager</span>, then from the menu select
|
||||
<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
|
||||
Now, next to <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span>
|
||||
button, and type in the name of the trusted domain (SAMBA) and password securing
|
||||
the relationship.
|
||||
</p><p>
|
||||
The password can be arbitrarily chosen. It is easy to change the password
|
||||
from the Samba server whenever you want. After confirming the password your account is
|
||||
ready for use. Now it's Samba's turn.
|
||||
</p><p>
|
||||
Using your favourite shell while being logged in as root, issue this command:
|
||||
</p><p>
|
||||
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b>
|
||||
</p><p>
|
||||
You will be prompted for the password you just typed on your Windows NT4 Server box.
|
||||
Do not worry if you see an error message that mentions a returned code of
|
||||
<span class="errorname">NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</span>. It means the
|
||||
password you gave is correct and the NT4 Server says the account is
|
||||
ready for interdomain connection and not for ordinary
|
||||
connection. After that, be patient it can take a while (especially
|
||||
in large networks), you should see the <tt class="computeroutput">Success</tt> message.
|
||||
Congratulations! Your trust relationship has just been established.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
Note that you have to run this command as root because you must have write access to
|
||||
the <tt class="filename">secrets.tdb</tt> file.
|
||||
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929173"></a>Common Errors</h2></div></div><div></div></div><p>
|
||||
Interdomain trust relationships should NOT be attempted on networks that are unstable
|
||||
or that suffer regular outages. Network stability and integrity are key concerns with
|
||||
distributed trusted domains.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929188"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p>
|
||||
Like many, I administer multiple LANs connected together using NT trust
|
||||
relationships. This was implemented about 4 years ago. I now have the
|
||||
occasion to consider performing this same task again, but this time, I
|
||||
would like to implement it solely through samba - no Microsoft PDCs
|
||||
anywhere.
|
||||
</p><p>
|
||||
I have read documentation on samba.org regarding NT-style trust
|
||||
relationships and am now wondering, can I do what I want to? I already
|
||||
have successfully implemented 2 samba servers, but they are not PDCs.
|
||||
They merely act as file servers. I seem to remember, and it appears to
|
||||
be true (according to samba.org) that trust relationships are a
|
||||
challenge.
|
||||
</p><p>
|
||||
Please provide any helpful feedback that you may have.
|
||||
</p><p>
|
||||
These are almost complete in Samba 3.0 snapshots. The main catch
|
||||
is getting winbindd to be able to allocate UID/GIDs for trusted
|
||||
users/groups. See the updated Samba HOWTO collection for more
|
||||
details.
|
||||
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html>
|
@ -1,5 +1,4 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885266">Background</a></dt><dt><a href="IntroSMB.html#id2885320">Terminology</a></dt><dt><a href="IntroSMB.html#id2884044">Related Projects</a></dt><dt><a href="IntroSMB.html#id2884112">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2884199">Epilogue</a></dt><dt><a href="IntroSMB.html#id2884272">Miscellaneous</a></dt></dl></div><p>“<span class="quote">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2817919">Background</a></dt><dt><a href="IntroSMB.html#id2817978">Terminology</a></dt><dt><a href="IntroSMB.html#id2818169">Related Projects</a></dt><dt><a href="IntroSMB.html#id2818237">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2818345">Epilogue</a></dt><dt><a href="IntroSMB.html#id2818430">Miscellaneous</a></dt></dl></div><p>“<span class="quote">
|
||||
"If you understand what you're doing, you're not learning anything."
|
||||
-- Anonymous
|
||||
</span>”</p><p>
|
||||
@ -8,7 +7,7 @@ transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of
|
||||
strengths is that you can use it to blend your mix of Windows and Linux machines together
|
||||
without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
|
||||
by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885266"></a>Background</h2></div></div><div></div></div><p>
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2817919"></a>Background</h2></div></div><div></div></div><p>
|
||||
Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
|
||||
Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
|
||||
originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
|
||||
@ -34,7 +33,7 @@ been dutifully waded through during the information-gathering stages of this pro
|
||||
are *still* many missing pieces... While often tedious, at least the way has been generously
|
||||
littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
|
||||
thinking?
|
||||
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885320"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2817978"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol.
|
||||
</p></li><li><p>
|
||||
CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently
|
||||
@ -84,7 +83,7 @@ thinking?
|
||||
W3K: Acronym for Windows 2003 Server
|
||||
</p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
|
||||
<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>).
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884044"></a>Related Projects</h2></div></div><div></div></div><p>
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818169"></a>Related Projects</h2></div></div><div></div></div><p>
|
||||
There are currently two network filesystem client projects for Linux that are directly
|
||||
related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
@ -106,7 +105,7 @@ nothing to do with acting as a file and print server for SMB/CIFS clients.
|
||||
There are other Open Source CIFS client implementations, such as the
|
||||
<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a>
|
||||
which provides an SMB client toolkit written in Java.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884112"></a>SMB Methodology</h2></div></div><div></div></div><p>
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818237"></a>SMB Methodology</h2></div></div><div></div></div><p>
|
||||
Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
|
||||
UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
|
||||
session service, or netbios-ssn). Anyone looking at their network with a good
|
||||
@ -138,7 +137,7 @@ up a single file. In general, SMB sessions are established in the following orde
|
||||
A good way to examine this process in depth is to try out
|
||||
<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>.
|
||||
It allows you to walk through the establishment of a SMB/CIFS session step by step.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884199"></a>Epilogue</h2></div></div><div></div></div><p>“<span class="quote">
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818345"></a>Epilogue</h2></div></div><div></div></div><p>“<span class="quote">
|
||||
What's fundamentally wrong is that nobody ever had any taste when they
|
||||
did it. Microsoft has been very much into making the user interface look good,
|
||||
but internally it's just a complete mess. And even people who program for Microsoft
|
||||
@ -167,9 +166,9 @@ not the completely clueless user who probably sits there shivering thinking
|
||||
That's what's really irritating to me."
|
||||
</span>”</p><p>--
|
||||
<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a>
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884272"></a>Miscellaneous</h2></div></div><div></div></div><p>
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818430"></a>Miscellaneous</h2></div></div><div></div></div><p>
|
||||
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
|
||||
Permission is granted to copy, distribute and/or modify this document under the terms
|
||||
of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
|
||||
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>
|
||||
|
@ -1,203 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3000463">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3000487">Objectives</a></dt><dt><a href="NT4Migration.html#id2999415">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3001632">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001713">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3001954">Samba Implementation Choices</a></dt></dl></dd></dl></div><p>
|
||||
This is a rough guide to assist those wishing to migrate from NT4 domain control to
|
||||
Samba-3 based domain control.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000463"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
|
||||
In the IT world there is often a saying that all problems are encountered because of
|
||||
poor planning. The corollary to this saying is that not all problems can be anticipated
|
||||
and planned for. Then again, good planning will anticipate most show stopper type situations.
|
||||
</p><p>
|
||||
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
|
||||
environment would do well to develop a detailed migration plan. So here are a few pointers to
|
||||
help migration get under way.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000487"></a>Objectives</h3></div></div><div></div></div><p>
|
||||
The key objective for most organisations will be to make the migration from MS Windows NT4
|
||||
to Samba-3 domain control as painless as possible. One of the challenges you may experience
|
||||
in your migration process may well be one of convincing management that the new environment
|
||||
should remain in place. Many who have introduced open source technologies have experienced
|
||||
pressure to return to a Microsoft based platform solution at the first sign of trouble.
|
||||
</p><p>
|
||||
It is strongly advised that before attempting a migration to a Samba-3 controlled network
|
||||
that every possible effort be made to gain all-round commitment to the change. Firstly, you
|
||||
should know precisely <span class="emphasis"><em>why</em></span> the change is important for the organisation.
|
||||
Possible motivations to make a change include:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Improve network manageability</td></tr><tr><td>Obtain better user level functionality</td></tr><tr><td>Reduce network operating costs</td></tr><tr><td>Reduce exposure caused by Microsoft withdrawal of NT4 support</td></tr><tr><td>Avoid MS License 6 implications</td></tr><tr><td>Reduce organisation's dependency on Microsoft</td></tr></table><p>
|
||||
It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
|
||||
an alternative solution that is both different from MS Windows NT4 and that offers some
|
||||
advantages compared with it. It should also be recognised that Samba-3 lacks many of the
|
||||
features that Microsoft has promoted as core values in migration from MS Windows NT4 to
|
||||
MS Windows 2000 and beyond (with or without Active Directory services).
|
||||
</p><p>
|
||||
What are the features that Samba-3 can NOT provide?
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Directory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directory</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p>
|
||||
The features that Samba-3 DOES provide and that may be of compelling interest to your site
|
||||
includes:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-sign-on architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p>
|
||||
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
|
||||
considered. Users should be educated about changes they may experience so that the change will be a
|
||||
welcome one and not become an obstacle to the work they need to do. The following are some of the
|
||||
factors that will go into a successful migration:
|
||||
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999189"></a>Domain Layout</h4></div></div><div></div></div><p>
|
||||
Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
|
||||
a secondary controller), a domain member, or as a stand-alone server. The Windows network security
|
||||
domain context should be sized and scoped before implementation. Particular attention needs to be
|
||||
paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
|
||||
It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
|
||||
chooses to use an LDAP authentication backend then the same database can be used by several different
|
||||
domains. This means that in a complex organisation there can be a single LDAP database, that itself
|
||||
can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
|
||||
</p><p>
|
||||
It is recommended that from a design perspective, the number of users per server, as well as the number
|
||||
of servers, per domain should be scaled according to needs and should also consider server capacity
|
||||
and network bandwidth.
|
||||
</p><p>
|
||||
A physical network segment may house several domains, each of which may span multiple network segments.
|
||||
Where domains span routed network segments it is most advisable to consider and test the performance
|
||||
implications of the design and layout of a network. A Centrally located domain controller that is being
|
||||
designed to serve multiple routed network segments may result in severe performance problems if the
|
||||
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
|
||||
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
|
||||
the local authentication and access control server.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999243"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
|
||||
There are few cardinal rules to effective network design that can be broken with impunity.
|
||||
The most important rule of effective network management is that simplicity is king in every
|
||||
well controlled network. Every part of the infrastructure must be managed, the more complex
|
||||
it is, the greater will be the demand of keeping systems secure and functional.
|
||||
</p><p>
|
||||
The nature of the data that must be stored needs to be born in mind when deciding how many
|
||||
shares must be created. The physical disk space layout should also be taken into account
|
||||
when designing where share points will be created. Keep in mind that all data needs to be
|
||||
backed up, thus the simpler the disk layout the easier it will be to keep track of what must
|
||||
be backed up to tape or other off-line storage medium. Always plan and implement for minimum
|
||||
maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
|
||||
Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
|
||||
</p><p>
|
||||
Users should be grouped according to data access control needs. File and directory access
|
||||
is best controlled via group permissions and the use of the "sticky bit" on group controlled
|
||||
directories may substantially avoid file access complaints from samba share users.
|
||||
</p><p>
|
||||
Many network administrators who are new to the game will attempt to use elaborate techniques
|
||||
to set access controls, on files, directories, shares, as well as in share definitions.
|
||||
There is the ever present danger that that administrator's successor will not understand the
|
||||
complex mess that has been inherited. Remember, apparent job security through complex design
|
||||
and implementation may ultimately cause loss of operations and downtime to users as the new
|
||||
administrator learns to untangle your web. Keep access controls simple and effective and
|
||||
make sure that users will never be interrupted by the stupidity of complexity.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999304"></a>Logon Scripts</h4></div></div><div></div></div><p>
|
||||
Please refer to the section of this document on Advanced Network Administration for information
|
||||
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
|
||||
all users gain share and printer connections they need.
|
||||
</p><p>
|
||||
Logon scripts can be created on-the-fly so that all commands executed are specific to the
|
||||
rights and privileges granted to the user. The preferred controls should be affected through
|
||||
group membership so that group information can be used to custom create a logon script using
|
||||
the <i class="parameter"><tt>root preexec</tt></i> parameters to the <tt class="filename">NETLOGON</tt> share.
|
||||
</p><p>
|
||||
Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
|
||||
user environment. In any case you may wish to do a google search for logon script process controls.
|
||||
In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
|
||||
deals with how to add printers without user intervention via the logon script process.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999361"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
|
||||
User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
|
||||
Management.
|
||||
</p><p>
|
||||
Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
|
||||
the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
|
||||
to be changed to the SID of the Samba-3 domain.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999390"></a>User and Group Accounts</h4></div></div><div></div></div><p>
|
||||
It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
|
||||
attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
|
||||
groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to connect these to
|
||||
suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
|
||||
should migrate painlessly.
|
||||
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2999415"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
|
||||
The approximate migration process is described below.
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
|
||||
</p></li><li><p>
|
||||
Samba-3 set up as a DC with netlogon share, profile share, etc.
|
||||
</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been migrated</p></li></ol></li></ol></div><p>
|
||||
Now it is time to migrate all the profiles, then migrate all policy files.
|
||||
More later.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001632"></a>Migration Options</h2></div></div><div></div></div><p>
|
||||
Based on feedback from many sites as well as from actual installation and maintenance
|
||||
experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba
|
||||
based solution fit into three basic categories.
|
||||
</p><div class="table"><a name="id3001647"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>< 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>> 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001713"></a>Planning for Success</h3></div></div><div></div></div><p>
|
||||
There are three basic choices for sites that intend to migrate from MS Windows NT4
|
||||
to Samba-3.
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
Simple Conversion (total replacement)
|
||||
</p></li><li><p>
|
||||
Upgraded Conversion (could be one of integration)
|
||||
</p></li><li><p>
|
||||
Complete Redesign (completely new solution)
|
||||
</p></li></ul></div><p>
|
||||
No matter what choice you make, the following rules will minimise down-stream problems:
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
Take sufficient time
|
||||
</p></li><li><p>
|
||||
Avoid Panic
|
||||
</p></li><li><p>
|
||||
Test ALL assumptions
|
||||
</p></li><li><p>
|
||||
Test full roll-out program, including workstation deployment
|
||||
</p></li></ul></div><div class="table"><a name="id3001783"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div xmlns:ns95="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001954"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting">
|
||||
Authentication database back end
|
||||
Winbind (external Samba or NT4/200x server)
|
||||
Can use pam_mkhomedir.so to auto-create home dirs
|
||||
External server could use Active Directory or NT4 Domain
|
||||
|
||||
Database type
|
||||
smbpasswd, tdbsam, ldapsam, mysqlsam
|
||||
|
||||
Access Control Points
|
||||
On the Share itself (Use NT4 Server Manager)
|
||||
On the file system
|
||||
Unix permissions on files and directories
|
||||
Enable Posix ACLs in file system?
|
||||
Through Samba share parameters
|
||||
Not recommended - except as only resort
|
||||
|
||||
Policies (migrate or create new ones)
|
||||
Group Policy Editor (NT4)
|
||||
Watch out for Tattoo effect
|
||||
|
||||
User and Group Profiles
|
||||
Platform specific so use platform tool to change from a Local
|
||||
to a Roaming profile Can use new profiles tool to change SIDs
|
||||
(NTUser.DAT)
|
||||
|
||||
Logon Scripts (Know how they work)
|
||||
|
||||
User and Group mapping to Unix/Linux
|
||||
username map facility may be needed
|
||||
Use 'net groupmap' to connect NT4 groups to Unix groups
|
||||
Use pdbedit to set/change user configuration
|
||||
NOTE:
|
||||
If migrating to LDAP back end it may be easier to dump initial LDAP database
|
||||
to LDIF, then edit, then reload into LDAP
|
||||
|
||||
OS specific scripts / programs may be needed
|
||||
Add / delete Users
|
||||
Note OS limits on size of name (Linux 8 chars)
|
||||
NT4 up to 254 chars
|
||||
Add / delete machines
|
||||
Applied only to domain members (note up to 16 chars)
|
||||
Add / delete Groups
|
||||
Note OS limits on size and nature
|
||||
Linux limit is 16 char,
|
||||
no spaces and no upper case chars (groupadd)
|
||||
|
||||
Migration Tools
|
||||
Domain Control (NT4 Style)
|
||||
Profiles, Policies, Access Controls, Security
|
||||
|
||||
Migration Tools
|
||||
Samba: net, rpcclient, smbpasswd, pdbedit, profiles
|
||||
Windows: NT4 Domain User Manager, Server Manager (NEXUS)
|
||||
|
||||
Authentication
|
||||
New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)
|
||||
</pre><ns95:p>
|
||||
</ns95:p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html>
|
@ -1,958 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2901654">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2901733">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2905839">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905855">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2906017">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2900986">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901119">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901245">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2902631">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2902896">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2903052">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2903070">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2906571">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2906680">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906741">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906900">Setting up a WINS server</a></dt><dt><a href="NetworkBrowsing.html#id2907094">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2907119">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2907203">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2907217">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2907283">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2907421">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2907468">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2907575">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2907654">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2908270">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2908285">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2908313">My client reports "This server is not configured to list shared resources"</a></dt></dl></dd></dl></div><p>
|
||||
This document contains detailed information as well as a fast track guide to
|
||||
implementing browsing across subnets and / or across workgroups (or domains).
|
||||
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
|
||||
NOT involved in browse list handling except by way of name to address resolution.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
MS Windows 2000 and later can be configured to operate with NO NetBIOS
|
||||
over TCP/IP. Samba-3 and later also supports this mode of operation.
|
||||
When the use of NetBIOS over TCP/IP has been disabled then the primary
|
||||
means for resolution of MS Windows machine names is via DNS and Active Directory.
|
||||
The following information assumes that your site is running NetBIOS over TCP/IP.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901654"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times,
|
||||
they were the best of times. The more we look back, them more we long for what was and
|
||||
hope it never returns!</em></span>.
|
||||
</p><p>
|
||||
For many MS Windows network administrators, that statement sums up their feelings about
|
||||
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
|
||||
nature was just par for the course. For those who never quite managed to tame its
|
||||
lusty features, NetBIOS is like Paterson's Curse.
|
||||
</p><p>
|
||||
For those not familiar with botanical problems in Australia: Paterson's curse,
|
||||
Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth
|
||||
century. Since then it has spread rapidly. The high seed production, with densities of
|
||||
thousands of seeds per square metre, a seed longevity of more than seven years, and an
|
||||
ability to germinate at any time of year, given the right conditions, are some of the
|
||||
features which make it such a persistent weed.
|
||||
</p><p>
|
||||
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
|
||||
a particular focus on SMB as implemented through running NetBIOS (Network Basic
|
||||
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
|
||||
any other protocols we need to know how to configure our network environment and simply
|
||||
remember to use nothing but TCP/IP on all our MS Windows network clients.
|
||||
</p><p>
|
||||
Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
|
||||
and implements extensions to Microsoft's implementation of WINS. These extensions
|
||||
help Samba to affect stable WINS operations beyond the normal scope of MS WINS.
|
||||
</p><p>
|
||||
Please note that WINS is exclusively a service that applies only to those systems
|
||||
that run NetBIOS over TCP/IP. MS Windows 200x / XP have the capacity to turn off
|
||||
support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports this also.
|
||||
</p><p>
|
||||
For those networks on which NetBIOS has been disabled (ie: WINS is NOT required)
|
||||
the use of DNS is necessary for host name resolution.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901733"></a>What is Browsing?</h2></div></div><div></div></div><p>
|
||||
To most people browsing means that they can see the MS Windows and Samba servers
|
||||
in the Network Neighborhood, and when the computer icon for a particular server is
|
||||
clicked, it opens up and shows the shares and printers available on the target server.
|
||||
</p><p>
|
||||
What seems so simple is in fact a very complex interaction of different technologies.
|
||||
The technologies (or methods) employed in making all of this work includes:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>MS Windows machines register their presence to the network</td></tr><tr><td>Machines announce themselves to other machines on the network</td></tr><tr><td>One or more machine on the network collates the local announcements</td></tr><tr><td>The client machine finds the machine that has the collated list of machines</td></tr><tr><td>The client machine is able to resolve the machine names to IP addresses</td></tr><tr><td>The client machine is able to connect to a target machine</td></tr></table><p>
|
||||
The Samba application that controls browse list management and name resolution is
|
||||
called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
|
||||
</p><pre class="programlisting">
|
||||
|
||||
Browsing options:
|
||||
-----------------
|
||||
* os level
|
||||
lm announce
|
||||
lm interval
|
||||
* preferred master
|
||||
* local master
|
||||
* domain master
|
||||
browse list
|
||||
enhanced browsing
|
||||
|
||||
Name Resolution Method:
|
||||
-----------------------
|
||||
* name resolve order
|
||||
|
||||
WINS options:
|
||||
-------------
|
||||
dns proxy
|
||||
wins proxy
|
||||
* wins server
|
||||
* wins support
|
||||
wins hook
|
||||
</pre><p>
|
||||
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
|
||||
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
|
||||
parameters is set <tt class="filename">nmbd</tt> will still do it's job.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905839"></a>Discussion</h2></div></div><div></div></div><p>
|
||||
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
|
||||
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
|
||||
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
|
||||
support.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905855"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
|
||||
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
|
||||
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
|
||||
affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
|
||||
UDP messages can be broadcast or unicast.
|
||||
</p><p>
|
||||
Normally, only unicast UDP messaging can be forwarded by routers. The
|
||||
<b class="command">remote announce</b> parameter to smb.conf helps to project browse announcements
|
||||
to remote network segments via unicast UDP. Similarly, the
|
||||
<b class="command">remote browse sync</b> parameter of <tt class="filename">smb.conf</tt>
|
||||
implements browse list collation using unicast UDP.
|
||||
</p><p>
|
||||
Secondly, in those networks where Samba is the only SMB server technology,
|
||||
wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS
|
||||
server. This makes it easy to manage the browsing environment. If each network
|
||||
segment is configured with it's own Samba WINS server, then the only way to
|
||||
get cross segment browsing to work is by using the
|
||||
<b class="command">remote announce</b> and the <b class="command">remote browse sync</b>
|
||||
parameters to your <tt class="filename">smb.conf</tt> file.
|
||||
</p><p>
|
||||
If only one WINS server is used for an entire multi-segment network then
|
||||
the use of the <b class="command">remote announce</b> and the
|
||||
<b class="command">remote browse sync</b> parameters should NOT be necessary.
|
||||
</p><p>
|
||||
As of Samba 3 WINS replication is being worked on. The bulk of the code has
|
||||
been committed, but it still needs maturation. This is NOT a supported feature
|
||||
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
|
||||
of one of the Samba-3 release series.
|
||||
</p><p>
|
||||
Right now Samba WINS does not support MS-WINS replication. This means that
|
||||
when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt>
|
||||
configured as a WINS server on the network. Some sites have used multiple Samba WINS
|
||||
servers for redundancy (one server per subnet) and then used
|
||||
<b class="command">remote browse sync</b> and <b class="command">remote announce</b>
|
||||
to affect browse list collation across all segments. Note that this means clients
|
||||
will only resolve local names, and must be configured to use DNS to resolve names
|
||||
on other subnets in order to resolve the IP addresses of the servers they can see
|
||||
on other subnets. This setup is not recommended, but is mentioned as a practical
|
||||
consideration (ie: an 'if all else fails' scenario).
|
||||
</p><p>
|
||||
Lastly, take note that browse lists are a collection of unreliable broadcast
|
||||
messages that are repeated at intervals of not more than 15 minutes. This means
|
||||
that it will take time to establish a browse list and it can take up to 45
|
||||
minutes to stabilise, particularly across network segments.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906017"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
|
||||
All TCP/IP using systems use various forms of host name resolution. The primary
|
||||
methods for TCP/IP hostname resolutions involves either a static file (<tt class="filename">/etc/hosts
|
||||
</tt>) or DNS (the Domain Name System). DNS is the technology that makes
|
||||
the Internet usable. DNS based host name resolution is supported by nearly all TCP/IP
|
||||
enabled systems. Only a few embedded TCP/IP systems do not support DNS.
|
||||
</p><p>
|
||||
When an MS Windows 200x / XP system attempts to resolve a host name to an IP address
|
||||
it follows a defined path:
|
||||
</p><div class="orderedlist"><ol type="1"><li><p>
|
||||
Checks the <tt class="filename">hosts</tt> file. It is located in
|
||||
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
|
||||
</p></li><li><p>
|
||||
Does a DNS lookup
|
||||
</p></li><li><p>
|
||||
Checks the NetBIOS name cache
|
||||
</p></li><li><p>
|
||||
Queries the WINS server
|
||||
</p></li><li><p>
|
||||
Does a broadcast name lookup over UDP
|
||||
</p></li><li><p>
|
||||
Looks up entries in LMHOSTS. It is located in
|
||||
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
|
||||
</p></li></ol></div><p>
|
||||
Windows 200x / XP can register it's host name with a Dynamic DNS server. You can
|
||||
force register with a Dynamic DNS server in Windows 200x / XP using:
|
||||
<b class="command">ipconfig /registerdns</b>
|
||||
</p><p>
|
||||
With Active Directory (ADS), a correctly functioning DNS server is absolutely
|
||||
essential. In the absence of a working DNS server that has been correctly configured,
|
||||
MS Windows clients and servers will be totally unable to locate each other,
|
||||
consequently network services will be severely impaired.
|
||||
</p><p>
|
||||
The use of Dynamic DNS is highly recommended with Active Directory, in which case
|
||||
the use of BIND9 is preferred for it's ability to adequately support the SRV (service)
|
||||
records that are needed for Active Directory.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900986"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
|
||||
Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic
|
||||
DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
|
||||
MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
|
||||
to use BIND version 8 or 9, but it will almost certainly be necessary to create service records
|
||||
so that MS Active Directory clients can resolve host names to locate essential network services.
|
||||
The following are some of the default service records that Active Directory requires:
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
|
||||
This provides the address of the Windows NT PDC for the Domain.
|
||||
</p></li><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
|
||||
Resolves the addresses of Global Catalog servers in the domain.
|
||||
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
|
||||
Provides list of domain controllers based on sites.
|
||||
</p></li><li><p>_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
|
||||
Enumerates list of domain controllers that have the writable
|
||||
copies of the Active Directory data store.
|
||||
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
|
||||
Entry used by MS Windows clients to locate machines using the
|
||||
Global Unique Identifier.
|
||||
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
|
||||
Used by MS Windows clients to locate site configuration dependent
|
||||
Global Catalog server.
|
||||
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901119"></a>How Browsing Functions</h2></div></div><div></div></div><p>
|
||||
MS Windows machines register their NetBIOS names
|
||||
(ie: the machine name for each service type in operation) on start
|
||||
up. The exact method by which this name registration
|
||||
takes place is determined by whether or not the MS Windows client/server
|
||||
has been given a WINS server address, whether or not LMHOSTS lookup
|
||||
is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
|
||||
</p><p>
|
||||
In the case where there is no WINS server, all name registrations as
|
||||
well as name lookups are done by UDP broadcast. This isolates name
|
||||
resolution to the local subnet, unless LMHOSTS is used to list all
|
||||
names and IP addresses. In such situations Samba provides a means by
|
||||
which the Samba server name may be forcibly injected into the browse
|
||||
list of a remote MS Windows network (using the
|
||||
<b class="command">remote announce</b> parameter).
|
||||
</p><p>
|
||||
Where a WINS server is used, the MS Windows client will use UDP
|
||||
unicast to register with the WINS server. Such packets can be routed
|
||||
and thus WINS allows name resolution to function across routed networks.
|
||||
</p><p>
|
||||
During the startup process an election will take place to create a
|
||||
local master browser if one does not already exist. On each NetBIOS network
|
||||
one machine will be elected to function as the domain master browser. This
|
||||
domain browsing has nothing to do with MS security domain control.
|
||||
Instead, the domain master browser serves the role of contacting each local
|
||||
master browser (found by asking WINS or from LMHOSTS) and exchanging browse
|
||||
list contents. This way every master browser will eventually obtain a complete
|
||||
list of all machines that are on the network. Every 11-15 minutes an election
|
||||
is held to determine which machine will be the master browser. By the nature of
|
||||
the election criteria used, the machine with the highest uptime, or the
|
||||
most senior protocol version, or other criteria, will win the election
|
||||
as domain master browser.
|
||||
</p><p>
|
||||
Clients wishing to browse the network make use of this list, but also depend
|
||||
on the availability of correct name resolution to the respective IP
|
||||
address/addresses.
|
||||
</p><p>
|
||||
Any configuration that breaks name resolution and/or browsing intrinsics
|
||||
will annoy users because they will have to put up with protracted
|
||||
inability to use the network services.
|
||||
</p><p>
|
||||
Samba supports a feature that allows forced synchronisation
|
||||
of browse lists across routed networks using the <b class="command">remote
|
||||
browse sync</b> parameter in the <tt class="filename">smb.conf</tt> file.
|
||||
This causes Samba to contact the local master browser on a remote network and
|
||||
to request browse list synchronisation. This effectively bridges
|
||||
two networks that are separated by routers. The two remote
|
||||
networks may use either broadcast based name resolution or WINS
|
||||
based name resolution, but it should be noted that the <b class="command">remote
|
||||
browse sync</b> parameter provides browse list synchronisation - and
|
||||
that is distinct from name to address resolution, in other
|
||||
words, for cross subnet browsing to function correctly it is
|
||||
essential that a name to address resolution mechanism be provided.
|
||||
This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>,
|
||||
and so on.
|
||||
</p><div xmlns:ns14="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901245"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
|
||||
To set up cross subnet browsing on a network containing machines
|
||||
in up to be in a WORKGROUP, not an NT Domain you need to set up one
|
||||
Samba server to be the Domain Master Browser (note that this is *NOT*
|
||||
the same as a Primary Domain Controller, although in an NT Domain the
|
||||
same machine plays both roles). The role of a Domain master browser is
|
||||
to collate the browse lists from local master browsers on all the
|
||||
subnets that have a machine participating in the workgroup. Without
|
||||
one machine configured as a domain master browser each subnet would
|
||||
be an isolated workgroup, unable to see any machines on any other
|
||||
subnet. It is the presence of a domain master browser that makes
|
||||
cross subnet browsing possible for a workgroup.
|
||||
</p><p>
|
||||
In an WORKGROUP environment the domain master browser must be a
|
||||
Samba server, and there must only be one domain master browser per
|
||||
workgroup name. To set up a Samba server as a domain master browser,
|
||||
set the following option in the <i class="parameter"><tt>[global]</tt></i> section
|
||||
of the <tt class="filename">smb.conf</tt> file :
|
||||
</p><ns14:p>
|
||||
</ns14:p><pre class="programlisting">
|
||||
domain master = yes
|
||||
</pre><ns14:p>
|
||||
</ns14:p><p>
|
||||
The domain master browser should also preferrably be the local master
|
||||
browser for its own subnet. In order to achieve this set the following
|
||||
options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file :
|
||||
</p><ns14:p>
|
||||
</ns14:p><pre class="programlisting">
|
||||
domain master = yes
|
||||
local master = yes
|
||||
preferred master = yes
|
||||
os level = 65
|
||||
</pre><ns14:p>
|
||||
</ns14:p><p>
|
||||
The domain master browser may be the same machine as the WINS
|
||||
server, if you require.
|
||||
</p><p>
|
||||
Next, you should ensure that each of the subnets contains a
|
||||
machine that can act as a local master browser for the
|
||||
workgroup. Any MS Windows NT/2K/XP/2003 machine should be
|
||||
able to do this, as will Windows 9x machines (although these
|
||||
tend to get rebooted more often, so it's not such a good idea
|
||||
to use these). To make a Samba server a local master browser
|
||||
set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
|
||||
<tt class="filename">smb.conf</tt> file :
|
||||
</p><ns14:p>
|
||||
</ns14:p><pre class="programlisting">
|
||||
domain master = no
|
||||
local master = yes
|
||||
preferred master = yes
|
||||
os level = 65
|
||||
</pre><ns14:p>
|
||||
</ns14:p><p>
|
||||
Do not do this for more than one Samba server on each subnet,
|
||||
or they will war with each other over which is to be the local
|
||||
master browser.
|
||||
</p><p>
|
||||
The <i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a
|
||||
local master browser. The <i class="parameter"><tt>preferred master</tt></i> causes nmbd
|
||||
to force a browser election on startup and the <i class="parameter"><tt>os level</tt></i>
|
||||
parameter sets Samba high enough so that it should win any browser elections.
|
||||
</p><p>
|
||||
If you have an NT machine on the subnet that you wish to
|
||||
be the local master browser then you can disable Samba from
|
||||
becoming a local master browser by setting the following
|
||||
options in the <i class="parameter"><tt>[global]</tt></i> section of the
|
||||
<tt class="filename">smb.conf</tt> file :
|
||||
</p><ns14:p>
|
||||
</ns14:p><pre class="programlisting">
|
||||
domain master = no
|
||||
local master = no
|
||||
preferred master = no
|
||||
os level = 0
|
||||
</pre><ns14:p>
|
||||
</ns14:p></div><div xmlns:ns15="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902631"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
|
||||
If you are adding Samba servers to a Windows NT Domain then
|
||||
you must not set up a Samba server as a domain master browser.
|
||||
By default, a Windows NT Primary Domain Controller for a domain
|
||||
is also the Domain master browser for that domain, and many
|
||||
things will break if a Samba server registers the Domain master
|
||||
browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i><1B>)
|
||||
with WINS instead of the PDC.
|
||||
</p><p>
|
||||
For subnets other than the one containing the Windows NT PDC
|
||||
you may set up Samba servers as local master browsers as
|
||||
described. To make a Samba server a local master browser set
|
||||
the following options in the <b class="command">[global]</b> section
|
||||
of the <tt class="filename">smb.conf</tt> file :
|
||||
</p><ns15:p>
|
||||
</ns15:p><pre class="programlisting">
|
||||
domain master = no
|
||||
local master = yes
|
||||
preferred master = yes
|
||||
os level = 65
|
||||
</pre><ns15:p>
|
||||
</ns15:p><p>
|
||||
If you wish to have a Samba server fight the election with machines
|
||||
on the same subnet you may set the <i class="parameter"><tt>os level</tt></i> parameter
|
||||
to lower levels. By doing this you can tune the order of machines that
|
||||
will become local master browsers if they are running. For
|
||||
more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to be the master">
|
||||
Forcing Samba to be the master browser</a>
|
||||
below.
|
||||
</p><p>
|
||||
If you have Windows NT machines that are members of the domain
|
||||
on all subnets, and you are sure they will always be running then
|
||||
you can disable Samba from taking part in browser elections and
|
||||
ever becoming a local master browser by setting following options
|
||||
in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
|
||||
file :
|
||||
</p><ns15:p>
|
||||
</ns15:p><pre class="programlisting">
|
||||
domain master = no
|
||||
local master = no
|
||||
preferred master = no
|
||||
os level = 0
|
||||
</pre><ns15:p>
|
||||
</ns15:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p>
|
||||
Who becomes the <i class="parameter"><tt>master browser</tt></i> is determined by an election
|
||||
process using broadcasts. Each election packet contains a number of parameters
|
||||
which determine what precedence (bias) a host should have in the
|
||||
election. By default Samba uses a very low precedence and thus loses
|
||||
elections to just about anyone else.
|
||||
</p><p>
|
||||
If you want Samba to win elections then just set the <i class="parameter"><tt>os level</tt></i> global
|
||||
option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to 0. Using 34
|
||||
would make it win all elections over every other system (except other
|
||||
samba systems!)
|
||||
</p><p>
|
||||
A <i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows
|
||||
NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
|
||||
</p><p>The maximum os level is 255</p><p>
|
||||
If you want Samba to force an election on startup, then set the
|
||||
<i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will
|
||||
then have a slight advantage over other potential master browsers
|
||||
that are not preferred master browsers. Use this parameter with
|
||||
care, as if you have two hosts (whether they are Windows 95 or NT or
|
||||
Samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to
|
||||
<tt class="constant">yes</tt>, then periodically and continually they will force an election
|
||||
in order to become the local master browser.
|
||||
</p><p>
|
||||
If you want Samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is
|
||||
recommended that you also set <i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
|
||||
Samba will not become a domain master browser for the whole of your
|
||||
LAN or WAN if it is not also a local master browser on its own
|
||||
broadcast isolated subnet.
|
||||
</p><p>
|
||||
It is possible to configure two Samba servers to attempt to become
|
||||
the domain master browser for a domain. The first server that comes
|
||||
up will be the domain master browser. All other Samba servers will
|
||||
attempt to become the domain master browser every 5 minutes. They
|
||||
will find that another Samba server is already the domain master
|
||||
browser and will fail. This provides automatic redundancy, should
|
||||
the current domain master browser fail.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902896"></a>Making Samba the domain master</h3></div></div><div></div></div><p>
|
||||
The domain master is responsible for collating the browse lists of
|
||||
multiple subnets so that browsing can occur between subnets. You can
|
||||
make Samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i>
|
||||
in <tt class="filename">smb.conf</tt>. By default it will not be a domain master.
|
||||
</p><p>
|
||||
Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a
|
||||
workgroup that has the same name as an NT Domain.
|
||||
</p><p>
|
||||
When Samba is the domain master and the master browser, it will listen
|
||||
for master announcements (made roughly every twelve minutes) from local
|
||||
master browsers on other subnets and then contact them to synchronise
|
||||
browse lists.
|
||||
</p><p>
|
||||
If you want Samba to be the domain master then I suggest you also set
|
||||
the <i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set
|
||||
<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on
|
||||
startup.
|
||||
</p><p>
|
||||
Note that all your servers (including Samba) and clients should be
|
||||
using a WINS server to resolve NetBIOS names. If your clients are only
|
||||
using broadcasting to resolve NetBIOS names, then two things will occur:
|
||||
</p><div class="orderedlist"><ol type="1"><li><p>
|
||||
your local master browsers will be unable to find a domain master
|
||||
browser, as it will only be looking on the local subnet.
|
||||
</p></li><li><p>
|
||||
if a client happens to get hold of a domain-wide browse list, and
|
||||
a user attempts to access a host in that list, it will be unable to
|
||||
resolve the NetBIOS name of that host.
|
||||
</p></li></ol></div><p>
|
||||
If, however, both Samba and your clients are using a WINS server, then:
|
||||
</p><div class="orderedlist"><ol type="1"><li><p>
|
||||
your local master browsers will contact the WINS server and, as long as
|
||||
Samba has registered that it is a domain master browser with the WINS
|
||||
server, your local master browser will receive Samba's IP address
|
||||
as its domain master browser.
|
||||
</p></li><li><p>
|
||||
when a client receives a domain-wide browse list, and a user attempts
|
||||
to access a host in that list, it will contact the WINS server to
|
||||
resolve the NetBIOS name of that host. as long as that host has
|
||||
registered its NetBIOS name with the same WINS server, the user will
|
||||
be able to see that host.
|
||||
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903052"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
|
||||
If your network uses a "0" based broadcast address (for example if it
|
||||
ends in a 0) then you will strike problems. Windows for Workgroups
|
||||
does not seem to support a 0's broadcast and you will probably find
|
||||
that browsing and name lookups won't work.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903070"></a>Multiple interfaces</h3></div></div><div></div></div><p>
|
||||
Samba now supports machines with multiple network interfaces. If you
|
||||
have multiple interfaces then you will need to use the <b class="command">interfaces</b>
|
||||
option in <tt class="filename">smb.conf</tt> to configure them.
|
||||
</p></div><div xmlns:ns16="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906571"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><ns16:p>
|
||||
The <i class="parameter"><tt>remote announce</tt></i> parameter of
|
||||
<tt class="filename">smb.conf</tt> can be used to forcibly ensure
|
||||
that all the NetBIOS names on a network get announced to a remote network.
|
||||
The syntax of the <i class="parameter"><tt>remote announce</tt></i> parameter is:
|
||||
</ns16:p><pre class="programlisting">
|
||||
remote announce = a.b.c.d [e.f.g.h] ...
|
||||
</pre><ns16:p>
|
||||
<span class="emphasis"><em>or</em></span>
|
||||
</ns16:p><pre class="programlisting">
|
||||
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
|
||||
</pre><ns16:p>
|
||||
|
||||
where:
|
||||
</ns16:p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
|
||||
<i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>is either the LMB (Local Master Browser) IP address
|
||||
or the broadcast address of the remote network.
|
||||
ie: the LMB is at 192.168.1.10, or the address
|
||||
could be given as 192.168.1.255 where the netmask
|
||||
is assumed to be 24 bits (255.255.255.0).
|
||||
When the remote announcement is made to the broadcast
|
||||
address of the remote network, every host will receive
|
||||
our announcements. This is noisy and therefore
|
||||
undesirable but may be necessary if we do NOT know
|
||||
the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup
|
||||
or that of the remote network. If you use the
|
||||
workgroup name of the remote network then our
|
||||
NetBIOS machine names will end up looking like
|
||||
they belong to that workgroup, this may cause
|
||||
name resolution problems and should be avoided.
|
||||
</p></dd></dl></div><ns16:p>
|
||||
</ns16:p></div><div xmlns:ns17="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906680"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
|
||||
The <i class="parameter"><tt>remote browse sync</tt></i> parameter of
|
||||
<tt class="filename">smb.conf</tt> is used to announce to
|
||||
another LMB that it must synchronise its NetBIOS name list with our
|
||||
Samba LMB. It works ONLY if the Samba server that has this option is
|
||||
simultaneously the LMB on its network segment.
|
||||
</p><ns17:p>
|
||||
The syntax of the <i class="parameter"><tt>remote browse sync</tt></i> parameter is:
|
||||
|
||||
</ns17:p><pre class="programlisting">
|
||||
remote browse sync = <i class="replaceable"><tt>a.b.c.d</tt></i>
|
||||
</pre><ns17:p>
|
||||
|
||||
where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
|
||||
remote LMB or else is the network broadcast address of the remote segment.
|
||||
</ns17:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906741"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
|
||||
Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly
|
||||
recommended. Every NetBIOS machine registers its name together with a
|
||||
name_type value for each of several types of service it has available.
|
||||
eg: It registers its name directly as a unique (the type 0x03) name.
|
||||
It also registers its name if it is running the LanManager compatible
|
||||
server service (used to make shares and printers available to other users)
|
||||
by registering the server (the type 0x20) name.
|
||||
</p><p>
|
||||
All NetBIOS names are up to 15 characters in length. The name_type variable
|
||||
is added to the end of the name - thus creating a 16 character name. Any
|
||||
name that is shorter than 15 characters is padded with spaces to the 15th
|
||||
character. ie: All NetBIOS names are 16 characters long (including the
|
||||
name_type information).
|
||||
</p><p>
|
||||
WINS can store these 16 character names as they get registered. A client
|
||||
that wants to log onto the network can ask the WINS server for a list
|
||||
of all names that have registered the NetLogon service name_type. This saves
|
||||
broadcast traffic and greatly expedites logon processing. Since broadcast
|
||||
name resolution can not be used across network segments this type of
|
||||
information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured
|
||||
<tt class="filename">lmhosts</tt> files that must reside on all clients in the
|
||||
absence of WINS.
|
||||
</p><p>
|
||||
WINS also serves the purpose of forcing browse list synchronisation by all
|
||||
LMB's. LMB's must synchronise their browse list with the DMB (domain master
|
||||
browser) and WINS helps the LMB to identify it's DMB. By definition this
|
||||
will work only within a single workgroup. Note that the domain master browser
|
||||
has NOTHING to do with what is referred to as an MS Windows NT Domain. The
|
||||
later is a reference to a security environment while the DMB refers to the
|
||||
master controller for browse list information only.
|
||||
</p><p>
|
||||
Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
|
||||
has been configured to use the WINS server/s. Any client that has not been
|
||||
configured to use the WINS server will continue to use only broadcast based
|
||||
name registration so that WINS may NEVER get to know about it. In any case,
|
||||
machines that have not registered with a WINS server will fail name to address
|
||||
lookup attempts by other clients and will therefore cause workstation access
|
||||
errors.
|
||||
</p><p>
|
||||
To configure Samba as a WINS server just add
|
||||
<i class="parameter"><tt>wins support = yes</tt></i> to the <tt class="filename">smb.conf</tt>
|
||||
file [globals] section.
|
||||
</p><p>
|
||||
To configure Samba to register with a WINS server just add
|
||||
<i class="parameter"><tt>wins server = a.b.c.d</tt></i> to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[globals]</tt></i> section.
|
||||
</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
|
||||
Never use both <i class="parameter"><tt>wins support = yes</tt></i> together
|
||||
with <i class="parameter"><tt>wins server = a.b.c.d</tt></i>
|
||||
particularly not using it's own IP address.
|
||||
Specifying both will cause <span class="application">nmbd</span> to refuse to start!
|
||||
</p></div><div xmlns:ns18="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906900"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
|
||||
Either a Samba machine or a Windows NT Server machine may be set up
|
||||
as a WINS server. To set a Samba machine to be a WINS server you must
|
||||
add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine :
|
||||
in the <i class="parameter"><tt>[globals]</tt></i> section add the line
|
||||
</p><ns18:p>
|
||||
</ns18:p><pre class="programlisting">
|
||||
wins support = yes
|
||||
</pre><ns18:p>
|
||||
</ns18:p><p>
|
||||
Versions of Samba prior to 1.9.17 had this parameter default to
|
||||
yes. If you have any older versions of Samba on your network it is
|
||||
strongly suggested you upgrade to a recent version, or at the very
|
||||
least set the parameter to 'no' on all these machines.
|
||||
</p><p>
|
||||
Machines with <i class="parameter"><tt>wins support = yes</tt></i> will keep a list of
|
||||
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
|
||||
</p><p>
|
||||
You should set up only ONE WINS server. Do NOT set the
|
||||
<i class="parameter"><tt>wins support = yes</tt></i> option on more than one Samba
|
||||
server.
|
||||
</p><p>
|
||||
To set up a Windows NT Server as a WINS server you need to set up
|
||||
the WINS service - see your NT documentation for details. Note that
|
||||
Windows NT WINS Servers can replicate to each other, allowing more
|
||||
than one to be set up in a complex subnet environment. As Microsoft
|
||||
refuses to document these replication protocols, Samba cannot currently
|
||||
participate in these replications. It is possible in the future that
|
||||
a Samba->Samba WINS replication protocol may be defined, in which
|
||||
case more than one Samba machine could be set up as a WINS server
|
||||
but currently only one Samba server should have the
|
||||
<i class="parameter"><tt>wins support = yes</tt></i> parameter set.
|
||||
</p><p>
|
||||
After the WINS server has been configured you must ensure that all
|
||||
machines participating on the network are configured with the address
|
||||
of this WINS server. If your WINS server is a Samba machine, fill in
|
||||
the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of
|
||||
the <span class="guilabel">Control Panel->Network->Protocols->TCP->WINS Server</span> dialogs
|
||||
in Windows 95 or Windows NT. To tell a Samba server the IP address
|
||||
of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
|
||||
all <tt class="filename">smb.conf</tt> files :
|
||||
</p><ns18:p>
|
||||
</ns18:p><pre class="programlisting">
|
||||
wins server = <name or IP address>
|
||||
</pre><ns18:p>
|
||||
</ns18:p><p>
|
||||
where <name or IP address> is either the DNS name of the WINS server
|
||||
machine or its IP address.
|
||||
</p><p>
|
||||
Note that this line MUST NOT BE SET in the <tt class="filename">smb.conf</tt> file of the Samba
|
||||
server acting as the WINS server itself. If you set both the
|
||||
<i class="parameter"><tt>wins support = yes</tt></i> option and the
|
||||
<i class="parameter"><tt>wins server = <name></tt></i> option then
|
||||
nmbd will fail to start.
|
||||
</p><p>
|
||||
There are two possible scenarios for setting up cross subnet browsing.
|
||||
The first details setting up cross subnet browsing on a network containing
|
||||
Windows 95, Samba and Windows NT machines that are not configured as
|
||||
part of a Windows NT Domain. The second details setting up cross subnet
|
||||
browsing on networks that contain NT Domains.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907094"></a>WINS Replication</h3></div></div><div></div></div><p>
|
||||
Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
|
||||
This tool is not currently capable of being used as it is still in active development.
|
||||
As soon as this tool becomes moderately functional we will prepare man pages and enhance this
|
||||
section of the documentation to provide usage and technical details.
|
||||
</p></div><div xmlns:ns19="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907119"></a>Static WINS Entries</h3></div></div><div></div></div><p>
|
||||
Adding static entries to your Samba-3 WINS server is actually fairly easy.
|
||||
All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
|
||||
located in <tt class="filename">/usr/local/samba/var/locks</tt>.
|
||||
</p><ns19:p>
|
||||
Entries in <tt class="filename">wins.dat</tt> take the form of
|
||||
|
||||
</ns19:p><pre class="programlisting">
|
||||
"NAME#TYPE" TTL ADDRESS+ FLAGS
|
||||
</pre><ns19:p>
|
||||
|
||||
where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
|
||||
time-to-live as an absolute time in seconds, ADDRESS+ is one or more
|
||||
addresses corresponding to the registration and FLAGS are the NetBIOS
|
||||
flags for the registration.
|
||||
</ns19:p><ns19:p>
|
||||
A typical dynamic entry looks like:
|
||||
</ns19:p><pre class="programlisting">
|
||||
"MADMAN#03" 1055298378 192.168.1.2 66R
|
||||
</pre><ns19:p>
|
||||
|
||||
To make it static, all that has to be done is set the TTL to 0:
|
||||
|
||||
</ns19:p><pre class="programlisting">
|
||||
"MADMAN#03" 0 192.168.1.2 66R
|
||||
</pre><ns19:p>
|
||||
</ns19:p><p>
|
||||
Though this method works with early Samba-3 versions, there's a
|
||||
possibility that it may change in future versions if WINS replication
|
||||
is added.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907203"></a>Helpful Hints</h2></div></div><div></div></div><p>
|
||||
The following hints should be carefully considered as they are stumbling points
|
||||
for many new network administrators.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907217"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
|
||||
Do NOT use more than one (1) protocol on MS Windows machines
|
||||
</p></div><p>
|
||||
A very common cause of browsing problems results from installing more than
|
||||
one protocol on an MS Windows machine.
|
||||
</p><p>
|
||||
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
|
||||
every 15 minutes. A set of election criteria is used to determine the order
|
||||
of precedence for winning this election process. A machine running Samba or
|
||||
Windows NT will be biased so that the most suitable machine will predictably
|
||||
win and thus retain it's role.
|
||||
</p><p>
|
||||
The election process is "fought out" so to speak over every NetBIOS network
|
||||
interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
|
||||
installed and has NetBIOS enabled over both protocols the election will be
|
||||
decided over both protocols. As often happens, if the Windows 9x machine is
|
||||
the only one with both protocols then the LMB may be won on the NetBIOS
|
||||
interface over the IPX protocol. Samba will then lose the LMB role as Windows
|
||||
9x will insist it knows who the LMB is. Samba will then cease to function
|
||||
as an LMB and thus browse list operation on all TCP/IP only machines will
|
||||
fail.
|
||||
</p><p><span class="emphasis"><em>
|
||||
Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
|
||||
The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
|
||||
referred to as the WinNT family, but it should be recognised that 2000 and
|
||||
XP/2003 introduce new protocol extensions that cause them to behave
|
||||
differently from MS Windows NT4. Generally, where a server does NOT support
|
||||
the newer or extended protocol, these will fall back to the NT4 protocols.
|
||||
</em></span></p><p>
|
||||
The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
|
||||
</p></div><div xmlns:ns20="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907283"></a>Name Resolution Order</h3></div></div><div></div></div><p>
|
||||
Resolution of NetBIOS names to IP addresses can take place using a number
|
||||
of methods. The only ones that can provide NetBIOS name_type information
|
||||
are:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p>
|
||||
Alternative means of name resolution includes:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><ns20:p>
|
||||
Many sites want to restrict DNS lookups and want to avoid broadcast name
|
||||
resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is
|
||||
of great help here. The syntax of the <i class="parameter"><tt>name resolve order</tt></i>
|
||||
parameter is:
|
||||
</ns20:p><pre class="programlisting">
|
||||
name resolve order = wins lmhosts bcast host
|
||||
</pre><ns20:p>
|
||||
<span class="emphasis"><em>or</em></span>
|
||||
</ns20:p><pre class="programlisting">
|
||||
name resolve order = wins lmhosts (eliminates bcast and host)
|
||||
</pre><ns20:p>
|
||||
The default is:
|
||||
</ns20:p><pre class="programlisting">
|
||||
name resolve order = host lmhost wins bcast
|
||||
</pre><ns20:p>
|
||||
where "host" refers the the native methods used by the Unix system
|
||||
to implement the gethostbyname() function call. This is normally
|
||||
controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>.
|
||||
</ns20:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907421"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
|
||||
SMB networking provides a mechanism by which clients can access a list
|
||||
of machines in a network, a so-called <i class="parameter"><tt>browse list</tt></i>. This list
|
||||
contains machines that are ready to offer file and/or print services
|
||||
to other machines within the network. Thus it does not include
|
||||
machines which aren't currently able to do server tasks. The browse
|
||||
list is heavily used by all SMB clients. Configuration of SMB
|
||||
browsing has been problematic for some Samba users, hence this
|
||||
document.
|
||||
</p><p>
|
||||
MS Windows 2000 and later, as with Samba 3 and later, can be
|
||||
configured to not use NetBIOS over TCP/IP. When configured this way,
|
||||
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
|
||||
configured and operative. Browsing will NOT work if name resolution
|
||||
from SMB machine names to IP addresses does not function correctly.
|
||||
</p><p>
|
||||
Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
|
||||
recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
|
||||
WINS allows remote segment clients to obtain NetBIOS name_type information
|
||||
that can NOT be provided by any other means of name resolution.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907468"></a>Browsing support in Samba</h3></div></div><div></div></div><p>
|
||||
Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
|
||||
and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
|
||||
Samba can act as a local browse master for a workgroup and the ability
|
||||
to support domain logons and scripts is now available.
|
||||
</p><p>
|
||||
Samba can also act as a domain master browser for a workgroup. This
|
||||
means that it will collate lists from local browse masters into a
|
||||
wide area network server list. In order for browse clients to
|
||||
resolve the names they may find in this list, it is recommended that
|
||||
both Samba and your clients use a WINS server.
|
||||
</p><p>
|
||||
Note that you should NOT set Samba to be the domain master for a
|
||||
workgroup that has the same name as an NT Domain: on each wide area
|
||||
network, you must only ever have one domain master browser per workgroup,
|
||||
regardless of whether it is NT, Samba or any other type of domain master
|
||||
that is providing this service.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
Nmbd can be configured as a WINS server, but it is not
|
||||
necessary to specifically use Samba as your WINS server. MS Windows
|
||||
NT4, Server or Advanced Server 2000 or 2003 can be configured as
|
||||
your WINS server. In a mixed NT/2000/2003 server and Samba environment on
|
||||
a Wide Area Network, it is recommended that you use the Microsoft
|
||||
WINS server capabilities. In a Samba-only environment, it is
|
||||
recommended that you use one and only one Samba server as your WINS server.
|
||||
</p></div><p>
|
||||
To get browsing to work you need to run nmbd as usual, but will need
|
||||
to use the <i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt>
|
||||
to control what workgroup Samba becomes a part of.
|
||||
</p><p>
|
||||
Samba also has a useful option for a Samba server to offer itself for
|
||||
browsing on another subnet. It is recommended that this option is only
|
||||
used for 'unusual' purposes: announcements over the internet, for
|
||||
example. See <i class="parameter"><tt>remote announce</tt></i> in the
|
||||
<tt class="filename">smb.conf</tt> man page.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907575"></a>Problem resolution</h3></div></div><div></div></div><p>
|
||||
If something doesn't work then hopefully the log.nmbd file will help
|
||||
you track down the problem. Try a debug level of 2 or 3 for finding
|
||||
problems. Also note that the current browse list usually gets stored
|
||||
in text form in a file called <tt class="filename">browse.dat</tt>.
|
||||
</p><p>
|
||||
Note that if it doesn't work for you, then you should still be able to
|
||||
type the server name as <tt class="filename">\\SERVER</tt> in filemanager then
|
||||
hit enter and filemanager should display the list of available shares.
|
||||
</p><p>
|
||||
Some people find browsing fails because they don't have the global
|
||||
<i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the
|
||||
IPC$ connection that lists the shares is done as guest, and thus you must
|
||||
have a valid guest account.
|
||||
</p><p><span class="emphasis"><em>
|
||||
MS Windows 2000 and upwards (as with Samba) can be configured to disallow
|
||||
anonymous (ie: Guest account) access to the IPC$ share. In that case, the
|
||||
MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
|
||||
name of the currently logged in user to query the IPC$ share. MS Windows
|
||||
9X clients are not able to do this and thus will NOT be able to browse
|
||||
server resources.
|
||||
</em></span></p><p>
|
||||
The other big problem people have is that their broadcast address,
|
||||
netmask or IP address is wrong (specified with the "interfaces" option
|
||||
in <tt class="filename">smb.conf</tt>)
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907654"></a>Browsing across subnets</h3></div></div><div></div></div><p>
|
||||
Since the release of Samba 1.9.17(alpha1), Samba has supported the
|
||||
replication of browse lists across subnet boundaries. This section
|
||||
describes how to set this feature up in different settings.
|
||||
</p><p>
|
||||
To see browse lists that span TCP/IP subnets (ie. networks separated
|
||||
by routers that don't pass broadcast traffic), you must set up at least
|
||||
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
|
||||
NetBIOS name to IP address translation to be done by doing a direct
|
||||
query of the WINS server. This is done via a directed UDP packet on
|
||||
port 137 to the WINS server machine. The reason for a WINS server is
|
||||
that by default, all NetBIOS name to IP address translation is done
|
||||
by broadcasts from the querying machine. This means that machines
|
||||
on one subnet will not be able to resolve the names of machines on
|
||||
another subnet without using a WINS server.
|
||||
</p><p>
|
||||
Remember, for browsing across subnets to work correctly, all machines,
|
||||
be they Windows 95, Windows NT, or Samba servers must have the IP address
|
||||
of a WINS server given to them by a DHCP server, or by manual configuration
|
||||
(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
|
||||
settings) for Samba this is in the <tt class="filename">smb.conf</tt> file.
|
||||
</p><div xmlns:ns21="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907703"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
|
||||
Cross subnet browsing is a complicated dance, containing multiple
|
||||
moving parts. It has taken Microsoft several years to get the code
|
||||
that achieves this correct, and Samba lags behind in some areas.
|
||||
Samba is capable of cross subnet browsing when configured correctly.
|
||||
</p><p>
|
||||
Consider a network set up as follows :
|
||||
</p><ns21:p>
|
||||
|
||||
</ns21:p><pre class="programlisting">
|
||||
(DMB)
|
||||
N1_A N1_B N1_C N1_D N1_E
|
||||
| | | | |
|
||||
-------------------------------------------------------
|
||||
| subnet 1 |
|
||||
+---+ +---+
|
||||
|R1 | Router 1 Router 2 |R2 |
|
||||
+---+ +---+
|
||||
| |
|
||||
| subnet 2 subnet 3 |
|
||||
-------------------------- ------------------------------------
|
||||
| | | | | | | |
|
||||
N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
|
||||
(WINS)
|
||||
</pre><ns21:p>
|
||||
</ns21:p><p>
|
||||
Consisting of 3 subnets (1, 2, 3) connected by two routers
|
||||
(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
|
||||
on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
|
||||
for the moment that all these machines are configured to be in the
|
||||
same workgroup (for simplicity's sake). Machine N1_C on subnet 1
|
||||
is configured as Domain Master Browser (ie. it will collate the
|
||||
browse lists for the workgroup). Machine N2_D is configured as
|
||||
WINS server and all the other machines are configured to register
|
||||
their NetBIOS names with it.
|
||||
</p><p>
|
||||
As all these machines are booted up, elections for master browsers
|
||||
will take place on each of the three subnets. Assume that machine
|
||||
N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
|
||||
subnet 3 - these machines are known as local master browsers for
|
||||
their particular subnet. N1_C has an advantage in winning as the
|
||||
local master browser on subnet 1 as it is set up as Domain Master
|
||||
Browser.
|
||||
</p><p>
|
||||
On each of the three networks, machines that are configured to
|
||||
offer sharing services will broadcast that they are offering
|
||||
these services. The local master browser on each subnet will
|
||||
receive these broadcasts and keep a record of the fact that
|
||||
the machine is offering a service. This list of records is
|
||||
the basis of the browse list. For this case, assume that
|
||||
all the machines are configured to offer services so all machines
|
||||
will be on the browse list.
|
||||
</p><p>
|
||||
For each network, the local master browser on that network is
|
||||
considered 'authoritative' for all the names it receives via
|
||||
local broadcast. This is because a machine seen by the local
|
||||
master browser via a local broadcast must be on the same
|
||||
network as the local master browser and thus is a 'trusted'
|
||||
and 'verifiable' resource. Machines on other networks that
|
||||
the local master browsers learn about when collating their
|
||||
browse lists have not been directly seen - these records are
|
||||
called 'non-authoritative'.
|
||||
</p><p>
|
||||
At this point the browse lists look as follows (these are
|
||||
the machines you would see in your network neighborhood if
|
||||
you looked in it on a particular network right now).
|
||||
</p><ns21:p>
|
||||
</ns21:p><div class="table"><a name="id2907818"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><ns21:p>
|
||||
</ns21:p><p>
|
||||
Note that at this point all the subnets are separate, no
|
||||
machine is seen across any of the subnets.
|
||||
</p><p>
|
||||
Now examine subnet 2. As soon as N2_B has become the local
|
||||
master browser it looks for a Domain master browser to synchronize
|
||||
its browse list with. It does this by querying the WINS server
|
||||
(N2_D) for the IP address associated with the NetBIOS name
|
||||
WORKGROUP<1B>. This name was registered by the Domain master
|
||||
browser (N1_C) with the WINS server as soon as it was booted.
|
||||
</p><p>
|
||||
Once N2_B knows the address of the Domain master browser it
|
||||
tells it that is the local master browser for subnet 2 by
|
||||
sending a MasterAnnouncement packet as a UDP port 138 packet.
|
||||
It then synchronizes with it by doing a NetServerEnum2 call. This
|
||||
tells the Domain Master Browser to send it all the server
|
||||
names it knows about. Once the domain master browser receives
|
||||
the MasterAnnouncement packet it schedules a synchronization
|
||||
request to the sender of that packet. After both synchronizations
|
||||
are done the browse lists look like :
|
||||
</p><ns21:p>
|
||||
</ns21:p><div class="table"><a name="id2907928"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><ns21:p>
|
||||
|
||||
Servers with a (*) after them are non-authoritative names.
|
||||
</ns21:p><p>
|
||||
At this point users looking in their network neighborhood on
|
||||
subnets 1 or 2 will see all the servers on both, users on
|
||||
subnet 3 will still only see the servers on their own subnet.
|
||||
</p><p>
|
||||
The same sequence of events that occured for N2_B now occurs
|
||||
for the local master browser on subnet 3 (N3_D). When it
|
||||
synchronizes browse lists with the domain master browser (N1_A)
|
||||
it gets both the server entries on subnet 1, and those on
|
||||
subnet 2. After N3_D has synchronized with N1_C and vica-versa
|
||||
the browse lists look like.
|
||||
</p><ns21:p>
|
||||
</ns21:p><div class="table"><a name="id2908028"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><ns21:p>
|
||||
|
||||
Servers with a (*) after them are non-authoritative names.
|
||||
</ns21:p><p>
|
||||
At this point users looking in their network neighborhood on
|
||||
subnets 1 or 3 will see all the servers on all subnets, users on
|
||||
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
|
||||
</p><p>
|
||||
Finally, the local master browser for subnet 2 (N2_B) will sync again
|
||||
with the domain master browser (N1_C) and will receive the missing
|
||||
server entries. Finally - and as a steady state (if no machines
|
||||
are removed or shut off) the browse lists will look like :
|
||||
</p><ns21:p>
|
||||
</ns21:p><div class="table"><a name="id2908128"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><ns21:p>
|
||||
|
||||
Servers with a (*) after them are non-authoritative names.
|
||||
</ns21:p><p>
|
||||
Synchronizations between the domain master browser and local
|
||||
master browsers will continue to occur, but this should be a
|
||||
steady state situation.
|
||||
</p><p>
|
||||
If either router R1 or R2 fails the following will occur:
|
||||
</p><div class="orderedlist"><ol type="1"><li><p>
|
||||
Names of computers on each side of the inaccessible network fragments
|
||||
will be maintained for as long as 36 minutes, in the network neighbourhood
|
||||
lists.
|
||||
</p></li><li><p>
|
||||
Attempts to connect to these inaccessible computers will fail, but the
|
||||
names will not be removed from the network neighbourhood lists.
|
||||
</p></li><li><p>
|
||||
If one of the fragments is cut off from the WINS server, it will only
|
||||
be able to access servers on its local subnet, by using subnet-isolated
|
||||
broadcast NetBIOS name resolution. The effects are similar to that of
|
||||
losing access to a DNS server.
|
||||
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2908270"></a>Common Errors</h2></div></div><div></div></div><p>
|
||||
Many questions are asked on the mailing lists regarding browsing. The majority of browsing
|
||||
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
|
||||
particular note.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908285"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p>
|
||||
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
|
||||
safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
|
||||
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
|
||||
in the browse list. When nmbd is taken out of service another machine on the network will
|
||||
become the browse master. This new list may still have the rogue entry in it. If you really
|
||||
want to clear a rogue machine from the list then every machine on the network will need to be
|
||||
shut down and restarted at after all machines are down. Failing a complete restart, the only
|
||||
other thing you can do is wait until the entry times out and is then flushed from the list.
|
||||
This may take a long time on some networks (months).
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908313"></a>My client reports "This server is not configured to list shared resources"</h3></div></div><div></div></div><p>
|
||||
Your guest account is probably invalid for some reason. Samba uses the
|
||||
guest account for browsing in smbd. Check that your guest account is
|
||||
valid.
|
||||
</p><p>See also <i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html>
|
@ -1,187 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email"><<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3013776">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3013848">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013855">How can I configure OS/2 Warp Connect or
|
||||
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3013471">How can I configure OS/2 Warp 3 (not Connect),
|
||||
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3013530">How do I get printer driver download working
|
||||
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013628">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013090">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3013179">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3013210">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3013255">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3013285">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3013303">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013349">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3014379">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3014403">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3014514">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013776"></a>Macintosh clients?</h2></div></div><div></div></div><p>
|
||||
Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
|
||||
</p><p>
|
||||
They test it against Windows 95, Windows NT and samba for
|
||||
compatibility issues. At the time of writing, DAVE was at version
|
||||
1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
|
||||
the Thursby web site (the speed of finder copies has been greatly
|
||||
enhanced, and there are bug-fixes included).
|
||||
</p><p>
|
||||
Alternatives - There are two free implementations of AppleTalk for
|
||||
several kinds of UNIX machines, and several more commercial ones.
|
||||
These products allow you to run file services and print services
|
||||
natively to Macintosh users, with no additional support required on
|
||||
the Macintosh. The two free implementations are
|
||||
<a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and
|
||||
<a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>.
|
||||
What Samba offers MS
|
||||
Windows users, these packages offer to Macs. For more info on these
|
||||
packages, Samba, and Linux (and other UNIX-based systems) see
|
||||
<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a>
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013848"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013855"></a>How can I configure OS/2 Warp Connect or
|
||||
OS/2 Warp 4 as a client for Samba?</h3></div></div><div></div></div><p>A more complete answer to this question can be
|
||||
found on <a href="http://carol.wins.uva.nl/~leeuw/samba/warp.html" target="_top">
|
||||
http://carol.wins.uva.nl/~leeuw/samba/warp.html</a>.</p><p>Basically, you need three components:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The File and Print Client ('IBM Peer')</td></tr><tr><td>TCP/IP ('Internet support') </td></tr><tr><td>The "NetBIOS over TCP/IP" driver ('TCPBEUI')</td></tr></table><p>Installing the first two together with the base operating
|
||||
system on a blank system is explained in the Warp manual. If Warp
|
||||
has already been installed, but you now want to install the
|
||||
networking support, use the "Selective Install for Networking"
|
||||
object in the "System Setup" folder.</p><p>Adding the "NetBIOS over TCP/IP" driver is not described
|
||||
in the manual and just barely in the online documentation. Start
|
||||
MPTS.EXE, click on OK, click on "Configure LAPS" and click
|
||||
on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
|
||||
is then moved to 'Current Configuration'. Select that line,
|
||||
click on "Change number" and increase it from 0 to 1. Save this
|
||||
configuration.</p><p>If the Samba server(s) is not on your local subnet, you
|
||||
can optionally add IP names and addresses of these servers
|
||||
to the "Names List", or specify a WINS server ('NetBIOS
|
||||
Nameserver' in IBM and RFC terminology). For Warp Connect you
|
||||
may need to download an update for 'IBM Peer' to bring it on
|
||||
the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013471"></a>How can I configure OS/2 Warp 3 (not Connect),
|
||||
OS/2 1.2, 1.3 or 2.x for Samba?</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client
|
||||
for OS/2 from
|
||||
<a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
|
||||
ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>.
|
||||
See <a href="http://carol.wins.uva.nl/~leeuw/lanman.html" target="_top">
|
||||
http://carol.wins.uva.nl/~leeuw/lanman.html</a> for
|
||||
more information on how to install and use this client. In
|
||||
a nutshell, edit the file \OS2VER in the root directory of
|
||||
the OS/2 boot partition and add the lines:</p><pre class="programlisting">
|
||||
20=setup.exe
|
||||
20=netwksta.sys
|
||||
20=netvdd.sys
|
||||
</pre><p>before you install the client. Also, don't use the
|
||||
included NE2000 driver because it is buggy. Try the NE2000
|
||||
or NS2000 driver from
|
||||
<a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
|
||||
ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013530"></a>How do I get printer driver download working
|
||||
for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
|
||||
world-readable. Copy your OS/2 driver files there. Note
|
||||
that the .EA_ files must still be separate, so you will need
|
||||
to use the original install files, and not copy an installed
|
||||
driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then,
|
||||
add to your <tt class="filename">smb.conf</tt> a parameter, <i class="parameter"><tt>os2 driver map =
|
||||
<i class="replaceable"><tt>filename</tt></i></tt></i>. Then, in the file
|
||||
specified by <i class="replaceable"><tt>filename</tt></i>, map the
|
||||
name of the NT driver name to the OS/2 driver name as
|
||||
follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.:</p><p><i class="parameter"><tt>
|
||||
HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
|
||||
device name, the first attempt to download the driver will
|
||||
actually download the files, but the OS/2 client will tell
|
||||
you the driver is not available. On the second attempt, it
|
||||
will work. This is fixed simply by adding the device name
|
||||
to the mapping, after which it will work on the first attempt.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013628"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013090"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
|
||||
for Workgroups.
|
||||
</p><p>The early TCP/IP stacks had lots of bugs.</p><p>
|
||||
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
|
||||
VxD drivers. The latest release can be found on their ftp site at
|
||||
ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>.
|
||||
There is an update.txt file there that describes the problems that were
|
||||
fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
|
||||
<tt class="filename">TELNET.EXE</tt>,
|
||||
<tt class="filename">WSOCK.386</tt>,
|
||||
<tt class="filename">VNBT.386</tt>,
|
||||
<tt class="filename">WSTCP.386</tt>,
|
||||
<tt class="filename">TRACERT.EXE</tt>,
|
||||
<tt class="filename">NETSTAT.EXE</tt>, and
|
||||
<tt class="filename">NBTSTAT.EXE</tt>.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013179"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
|
||||
WfWg does a lousy job with passwords. I find that if I change my
|
||||
password on either the unix box or the PC the safest thing to do is to
|
||||
delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
|
||||
</p><p>
|
||||
If you don't do this you may find that WfWg remembers and uses the old
|
||||
password, even if you told it a new one.
|
||||
</p><p>
|
||||
Often WfWg will totally ignore a password you give it in a dialog box.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013210"></a>Configure WfW password handling</h3></div></div><div></div></div><p>
|
||||
There is a program call admincfg.exe
|
||||
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
|
||||
type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
|
||||
Then add an icon
|
||||
for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
|
||||
This program allows you to control how WFW handles passwords. ie disable Password Caching etc
|
||||
for use with <i class="parameter"><tt>security = user</tt></i>
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013255"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013285"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
|
||||
that you have to use TCP/IP as the default protocol under
|
||||
WfWg. For some reason if you leave NetBEUI as the default
|
||||
it may break the print queue reporting on some systems.
|
||||
It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013303"></a>Speed improvement</h3></div></div><div></div></div><p>
|
||||
Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
|
||||
the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
|
||||
<tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a
|
||||
big improvement. I don't know why.
|
||||
</p><p>
|
||||
My own experience with DefaultRcvWindow is that I get much better
|
||||
performance with a large value (16384 or larger). Other people have
|
||||
reported that anything over 3072 slows things down enormously. One
|
||||
person even reported a speed drop of a factor of 30 when he went from
|
||||
3072 to 8192. I don't know why.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013349"></a>Windows '95/'98</h2></div></div><div></div></div><p>
|
||||
When using Windows 95 OEM SR2 the following updates are recommended where Samba
|
||||
is being used. Please NOTE that the above change will affect you once these
|
||||
updates have been installed.
|
||||
</p><p>
|
||||
There are more updates than the ones mentioned here. You are referred to the
|
||||
Microsoft Web site for all currently available updates to your specific version
|
||||
of Windows 95.
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
|
||||
Also, if using <span class="application">MS Outlook</span> it is desirable to
|
||||
install the <b class="command">OLEUPD.EXE</b> fix. This
|
||||
fix may stop your machine from hanging for an extended period when exiting
|
||||
Outlook and you may also notice a significant speedup when accessing network
|
||||
neighborhood services.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3014379"></a>Speed improvement</h3></div></div><div></div></div><p>
|
||||
Configure the win95 TCPIP registry settings to give better
|
||||
performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the
|
||||
net. There are various other utilities of this type freely available.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014403"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
|
||||
There are several annoyances with Windows 2000 SP2. One of which
|
||||
only appears when using a Samba server to host user profiles
|
||||
to Windows 2000 SP2 clients in a Windows domain. This assumes
|
||||
that Samba is a member of the domain, but the problem will
|
||||
likely occur if it is not.
|
||||
</p><p>
|
||||
In order to serve profiles successfully to Windows 2000 SP2
|
||||
clients (when not operating as a PDC), Samba must have
|
||||
<i class="parameter"><tt>nt acl support = no</tt></i>
|
||||
added to the file share which houses the roaming profiles.
|
||||
If this is not done, then the Windows 2000 SP2 client will
|
||||
complain about not being able to access the profile (Access
|
||||
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
|
||||
DOMAIN.user.002, etc...). See the
|
||||
<a href="smb.conf.5.html" target="_top">smb.conf(5)</a> man page
|
||||
for more details on this option. Also note that the
|
||||
<i class="parameter"><tt>nt acl support</tt></i> parameter was formally a global parameter in
|
||||
releases prior to Samba 2.2.2.
|
||||
</p><p>
|
||||
The following is a minimal profile share:
|
||||
</p><pre class="programlisting">
|
||||
[profile]
|
||||
path = /export/profile
|
||||
create mask = 0600
|
||||
directory mask = 0700
|
||||
nt acl support = no
|
||||
read only = no
|
||||
</pre><p>
|
||||
The reason for this bug is that the Win2k SP2 client copies
|
||||
the security descriptor for the profile which contains
|
||||
the Samba server's SID, and not the domain SID. The client
|
||||
compares the SID for SAMBA\user and realizes it is
|
||||
different that the one assigned to DOMAIN\user. Hence the reason
|
||||
for the <span class="errorname">access denied</span> message.
|
||||
</p><p>
|
||||
By disabling the <i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send
|
||||
the Win2k client a response to the QuerySecurityDescriptor
|
||||
trans2 call which causes the client to set a default ACL
|
||||
for the profile. This default ACL includes
|
||||
</p><p><span class="emphasis"><em>DOMAIN\user "Full Control"</em></span>></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to
|
||||
create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014514"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
|
||||
NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q103765" target="_top">this Microsoft Knowledge Base article</a>.
|
||||
|
||||
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html>
|
@ -1,261 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2982185">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2982237">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2982348">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2981896">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2982030">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2983472">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2983573">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2983593">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2983614">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2983658">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2983805">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2983819">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
|
||||
This chapter summarises the current state of knowledge derived from personal
|
||||
practice and knowledge from samba mailing list subscribers. Before reproduction
|
||||
of posted information effort has been made to validate the information provided.
|
||||
Where additional information was uncovered through this validation it is provided
|
||||
also.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982185"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
|
||||
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
|
||||
started to adopt this capability. How do we know that? By way of the number of "booboos"
|
||||
(or mistakes) administrators made and then requested help to resolve.
|
||||
</p><p>
|
||||
By the time that MS Windows 2000 and Active Directory was released, administrators
|
||||
got the message: Group Policies are a good thing! They can help reduce administrative
|
||||
costs and actually can help to create happier users. But adoption of the true
|
||||
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
|
||||
and machines were picked up on rather slowly. This was very obvious from the samba
|
||||
mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
|
||||
how to replicate them in a Samba environment.
|
||||
</p><p>
|
||||
Judging by the traffic volume since mid 2002, GPOs have become a standard part of
|
||||
the deployment in many sites. This chapter reviews techniques and methods that can
|
||||
be used to exploit opportunities for automation of control over user desktops and
|
||||
network client workstations.
|
||||
</p><p>
|
||||
A tool new to Samba-3 may become an important part of the future Samba Administrators'
|
||||
arsenal. The <b class="command">editreg</b> tool is described in this document.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982237"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
|
||||
Under MS Windows platforms, particularly those following the release of MS Windows
|
||||
NT4 and MS Windows 95) it is possible to create a type of file that would be placed
|
||||
in the NETLOGON share of a domain controller. As the client logs onto the network
|
||||
this file is read and the contents initiate changes to the registry of the client
|
||||
machine. This file allows changes to be made to those parts of the registry that
|
||||
affect users, groups of users, or machines.
|
||||
</p><p>
|
||||
For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may
|
||||
be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
|
||||
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
|
||||
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
|
||||
comments from MS Windows network administrators it would appear that this tool became
|
||||
a part of the MS Windows Me Resource Kit.
|
||||
</p><p>
|
||||
MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span>
|
||||
under the <tt class="filename">Start -> Programs -> Administrative Tools</tt> menu item.
|
||||
For MS Windows NT4 and later clients this file must be called <tt class="filename">NTConfig.POL</tt>.
|
||||
</p><p>
|
||||
New with the introduction of MS Windows 2000 was the Microsoft Management Console
|
||||
or MMC. This tool is the new wave in the ever changing landscape of Microsoft
|
||||
methods for management of network access and security. Every new Microsoft product
|
||||
or technology seems to obsolete the old rules and to introduce newer and more
|
||||
complex tools and methods. To Microsoft's credit though, the MMC does appear to
|
||||
be a step forward, but improved functionality comes at a great price.
|
||||
</p><p>
|
||||
Before embarking on the configuration of network and system policies it is highly
|
||||
advisable to read the documentation available from Microsoft's web site regarding
|
||||
<a href="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" target="_top">
|
||||
Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</a> available from Microsoft.
|
||||
There are a large number of documents in addition to this old one that should also
|
||||
be read and understood. Try searching on the Microsoft web site for "Group Policies".
|
||||
</p><p>
|
||||
What follows is a very brief discussion with some helpful notes. The information provided
|
||||
here is incomplete - you are warned.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2982348"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
|
||||
You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
|
||||
It can be found on the Original full product Win98 installation CD under
|
||||
<tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the
|
||||
Add/Remove Programs facility and then click on the 'Have Disk' tab.
|
||||
</p><p>
|
||||
Use the Group Policy Editor to create a policy file that specifies the location of
|
||||
user profiles and/or the <tt class="filename">My Documents</tt> etc. Then save these
|
||||
settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the
|
||||
root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Win98 is configured to log onto
|
||||
the Samba Domain, it will automatically read this file and update the Win9x/Me registry
|
||||
of the machine as it logs on.
|
||||
</p><p>
|
||||
Further details are covered in the Win98 Resource Kit documentation.
|
||||
</p><p>
|
||||
If you do not take the right steps, then every so often Win9x/Me will check the
|
||||
integrity of the registry and will restore it's settings from the back-up
|
||||
copy of the registry it stores on each Win9x/Me machine. Hence, you will
|
||||
occasionally notice things changing back to the original settings.
|
||||
</p><p>
|
||||
Install the group policy handler for Win9x to pick up group policies. Look on the
|
||||
Win98 CD in <tt class="filename">\tools\reskit\netadmin\poledit</tt>.
|
||||
Install group policies on a Win9x client by double-clicking
|
||||
<tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
|
||||
if Win98 picks up group policies. Unfortunately this needs to be done on every
|
||||
Win9x/Me machine that uses group policies.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981896"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
|
||||
To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
|
||||
Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server
|
||||
but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4
|
||||
Workstation but it is not suitable for creating <span class="emphasis"><em>Domain Policies</em></span>.
|
||||
Further, although the Windows 95 Policy Editor can be installed on an NT4
|
||||
Workstation/Server, it will not work with NT clients. However, the files from
|
||||
the NT Server will run happily enough on an NT4 Workstation.
|
||||
</p><p>
|
||||
You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>.
|
||||
It is convenient to put the two *.adm files in the <tt class="filename">c:\winnt\inf</tt>
|
||||
directory which is where the binary will look for them unless told otherwise. Note also that that
|
||||
directory is normally 'hidden'.
|
||||
</p><p>
|
||||
The Windows NT policy editor is also included with the Service Pack 3 (and
|
||||
later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>,
|
||||
i.e. that's <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The policy editor,
|
||||
<b class="command">poledit.exe</b> and the associated template files (*.adm) should
|
||||
be extracted as well. It is also possible to downloaded the policy template
|
||||
files for Office97 and get a copy of the policy editor. Another possible
|
||||
location is with the Zero Administration Kit available for download from Microsoft.
|
||||
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2982006"></a>Registry Spoiling</h4></div></div><div></div></div><p>
|
||||
With NT4 style registry based policy changes, a large number of settings are not
|
||||
automatically reversed as the user logs off. Since the settings that were in the
|
||||
NTConfig.POL file were applied to the client machine registry and that apply to the
|
||||
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
|
||||
as tattooing. It can have serious consequences down-stream and the administrator must
|
||||
be extremely careful not to lock out the ability to manage the machine at a later date.
|
||||
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2982030"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
|
||||
Windows NT4 System policies allows setting of registry parameters specific to
|
||||
users, groups and computers (client workstations) that are members of the NT4
|
||||
style domain. Such policy file will work with MS Windows 2000 / XP clients also.
|
||||
</p><p>
|
||||
New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
|
||||
a superset of capabilities compared with NT4 style policies. Obviously, the tool used
|
||||
to create them is different, and the mechanism for implementing them is much changed.
|
||||
</p><p>
|
||||
The older NT4 style registry based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
|
||||
in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
|
||||
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
|
||||
users' desktop (including: the location of <tt class="filename">My Documents</tt> files (directory), as
|
||||
well as intrinsics of where menu items will appear in the Start menu). An additional new
|
||||
feature is the ability to make available particular software Windows applications to particular
|
||||
users and/or groups.
|
||||
</p><p>
|
||||
Remember: NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root
|
||||
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
|
||||
and selects the domain name to which the logon will attempt to take place. During the logon
|
||||
process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
|
||||
server, modifies the local registry values according to the settings in this file.
|
||||
</p><p>
|
||||
Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
|
||||
a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
|
||||
in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
|
||||
Directory domain controllers. The part that is stored in the Active Directory itself is called the
|
||||
group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
|
||||
known as the group policy template (GPT).
|
||||
</p><p>
|
||||
With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
|
||||
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
|
||||
startup (machine specific part) and when the user logs onto the network the user specific part
|
||||
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
|
||||
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
|
||||
the administrator to also set filters over the policy settings. No such equivalent capability
|
||||
exists with NT4 style policy files.
|
||||
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2982130"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
|
||||
Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
|
||||
executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
|
||||
<span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
|
||||
Go to the Windows 200x / XP menu <span class="guimenu">Start->Programs->Administrative Tools</span>
|
||||
and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
|
||||
</p></li><li><p>
|
||||
Select the domain or organizational unit (OU) that you wish to manage, then right click
|
||||
to open the context menu for that object, select the properties item.
|
||||
</p></li><li><p>
|
||||
Now left click on the <span class="guilabel">Group Policy</span> tab, then left click on the New tab. Type a name
|
||||
for the new policy you will create.
|
||||
</p></li><li><p>
|
||||
Now left click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
|
||||
</p></li></ol></div><p>
|
||||
All policy configuration options are controlled through the use of policy administrative
|
||||
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
|
||||
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
|
||||
The later introduces many new features as well as extended definition capabilities. It is
|
||||
well beyond the scope of this documentation to explain how to program .adm files, for that
|
||||
the administrator is referred to the Microsoft Windows Resource Kit for your particular
|
||||
version of MS Windows.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
|
||||
to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
|
||||
use this powerful tool. Please refer to the resource kit manuals for specific usage information.
|
||||
</p></div></div></div></div><div xmlns:ns80="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983472"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
|
||||
Policies can define a specific user's settings or the settings for a group of users. The resulting
|
||||
policy file contains the registry settings for all users, groups, and computers that will be using
|
||||
the policy file. Separate policy files for each user, group, or computer are not not necessary.
|
||||
</p><p>
|
||||
If you create a policy that will be automatically downloaded from validating domain controllers,
|
||||
you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
|
||||
policy file and, by modifying the Windows NT-based workstation, directing the computer to update
|
||||
the policy from a manual path. You can do this by either manually changing the registry or by using
|
||||
the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
|
||||
but if a change is necessary to all machines, this change must be made individually to each workstation.
|
||||
</p><p>
|
||||
When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
|
||||
controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
|
||||
applied to the user's part of the registry.
|
||||
</p><p>
|
||||
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
|
||||
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
|
||||
itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
|
||||
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
|
||||
</p><p>
|
||||
In addition to user access controls that may be imposed or applied via system and/or group policies
|
||||
in a manner that works in conjunction with user profiles, the user management environment under
|
||||
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
|
||||
Common restrictions that are frequently used includes:
|
||||
</p><ns80:p>
|
||||
</ns80:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><ns80:p>
|
||||
</ns80:p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983573"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
|
||||
Describe in detail the benefits of <b class="command">editreg</b> and how to use it.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983593"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
|
||||
The tools that may be used to configure these types of controls from the MS Windows environment are:
|
||||
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
|
||||
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
|
||||
"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983614"></a>Samba PDC</h3></div></div><div></div></div><p>
|
||||
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
|
||||
<b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
|
||||
The administrator should read the
|
||||
man pages for these tools and become familiar with their use.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983658"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
|
||||
The following attempts to document the order of processing of system and user policies following a system
|
||||
reboot and as part of the user logon:
|
||||
</p><div class="orderedlist"><ol type="1"><li><p>
|
||||
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
|
||||
Convention Provider (MUP) start
|
||||
</p></li><li xmlns:ns81=""><ns81:p>
|
||||
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
|
||||
and applied. The list may include GPOs that:
|
||||
</ns81:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><ns81:p>
|
||||
No desktop user interface is presented until the above have been processed.
|
||||
</ns81:p></li><li><p>
|
||||
Execution of start-up scripts (hidden and synchronous by default).
|
||||
</p></li><li><p>
|
||||
A keyboard action to affect start of logon (Ctrl-Alt-Del).
|
||||
</p></li><li><p>
|
||||
User credentials are validated, User profile is loaded (depends on policy settings).
|
||||
</p></li><li xmlns:ns82=""><ns82:p>
|
||||
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
|
||||
|
||||
</ns82:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><ns82:p>
|
||||
</ns82:p></li><li><p>
|
||||
User Policies are applied from Active Directory. Note: There are several types.
|
||||
</p></li><li><p>
|
||||
Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
|
||||
Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
|
||||
window.
|
||||
</p></li><li><p>
|
||||
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
|
||||
Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
|
||||
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983805"></a>Common Errors</h2></div></div><div></div></div><p>
|
||||
Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
|
||||
collection demonstrates only basic issues.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983819"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
|
||||
Question: We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
|
||||
It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
|
||||
work any longer since we upgraded to Win XP Pro. Any hints?
|
||||
</p><p>
|
||||
<span class="emphasis"><em>ANSWER:</em></span> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
|
||||
platforms. You need to use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so that
|
||||
it is in the correct format for your MS Windows XP Pro clients.
|
||||
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>
|
@ -1,129 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3012634">HPUX</a></dt><dt><a href="Portability.html#id3012719">SCO Unix</a></dt><dt><a href="Portability.html#id3012747">DNIX</a></dt><dt><a href="Portability.html#id3012917">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3012960">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3012967">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3012993">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3013000">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
|
||||
platforms provide is not always compatible. This chapter contains
|
||||
platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012634"></a>HPUX</h2></div></div><div></div></div><p>
|
||||
HP's implementation of supplementary groups is, er, non-standard (for
|
||||
hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
|
||||
<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
|
||||
initgroups() reads the latter. Most system admins who know the ropes
|
||||
symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt>
|
||||
(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
|
||||
groups you're in in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid
|
||||
ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think)
|
||||
60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt>
|
||||
GIDs.
|
||||
</p><p>
|
||||
If you encounter this problem, make sure that the programs that are failing
|
||||
to initgroups() be run as users not in any groups with GIDs outside the
|
||||
allowed range.
|
||||
</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
|
||||
</p><p>
|
||||
On HPUX you must use gcc or the HP ANSI compiler. The free compiler
|
||||
that comes with HP-UX is not ANSI compliant and cannot compile
|
||||
Samba.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012719"></a>SCO Unix</h2></div></div><div></div></div><p>
|
||||
If you run an old version of SCO Unix then you may need to get important
|
||||
TCP/IP patches for Samba to work correctly. Without the patch, you may
|
||||
encounter corrupt data transfers using samba.
|
||||
</p><p>
|
||||
The patch you need is UOD385 Connection Drivers SLS. It is available from
|
||||
SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
|
||||
files uod385a.Z and uod385a.ltr.Z).
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012747"></a>DNIX</h2></div></div><div></div></div><p>
|
||||
DNIX has a problem with seteuid() and setegid(). These routines are
|
||||
needed for Samba to work correctly, but they were left out of the DNIX
|
||||
C library for some reason.
|
||||
</p><p>
|
||||
For this reason Samba by default defines the macro NO_EID in the DNIX
|
||||
section of includes.h. This works around the problem in a limited way,
|
||||
but it is far from ideal, some things still won't work right.
|
||||
</p><p>
|
||||
To fix the problem properly you need to assemble the following two
|
||||
functions and then either add them to your C library or link them into
|
||||
Samba.
|
||||
</p><p>
|
||||
put this in the file <tt class="filename">setegid.s</tt>:
|
||||
</p><pre class="programlisting">
|
||||
.globl _setegid
|
||||
_setegid:
|
||||
moveq #47,d0
|
||||
movl #100,a0
|
||||
moveq #1,d1
|
||||
movl 4(sp),a1
|
||||
trap #9
|
||||
bccs 1$
|
||||
jmp cerror
|
||||
1$:
|
||||
clrl d0
|
||||
rts
|
||||
</pre><p>
|
||||
put this in the file <tt class="filename">seteuid.s</tt>:
|
||||
</p><pre class="programlisting">
|
||||
.globl _seteuid
|
||||
_seteuid:
|
||||
moveq #47,d0
|
||||
movl #100,a0
|
||||
moveq #0,d1
|
||||
movl 4(sp),a1
|
||||
trap #9
|
||||
bccs 1$
|
||||
jmp cerror
|
||||
1$:
|
||||
clrl d0
|
||||
rts
|
||||
</pre><p>
|
||||
after creating the above files you then assemble them using
|
||||
</p><pre class="screen">
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b>
|
||||
<tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b>
|
||||
</pre><p>
|
||||
that should produce the files <tt class="filename">seteuid.o</tt> and
|
||||
<tt class="filename">setegid.o</tt>
|
||||
</p><p>
|
||||
then you need to add these to the LIBSM line in the DNIX section of
|
||||
the Samba Makefile. Your LIBSM line will then look something like this:
|
||||
</p><pre class="programlisting">
|
||||
LIBSM = setegid.o seteuid.o -ln
|
||||
</pre><p>
|
||||
You should then remove the line:
|
||||
</p><pre class="programlisting">
|
||||
#define NO_EID
|
||||
</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div xmlns:ns102="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012917"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><ns102:p>
|
||||
By default RedHat Rembrandt-II during installation adds an
|
||||
entry to <tt class="filename">/etc/hosts</tt> as follows:
|
||||
</ns102:p><pre class="programlisting">
|
||||
127.0.0.1 loopback "hostname"."domainname"
|
||||
</pre><ns102:p>
|
||||
</ns102:p><p>
|
||||
This causes Samba to loop back onto the loopback interface.
|
||||
The result is that Samba fails to communicate correctly with
|
||||
the world and therefor may fail to correctly negotiate who
|
||||
is the master browse list holder and who is the master browser.
|
||||
</p><p>
|
||||
Corrective Action: Delete the entry after the word loopback
|
||||
in the line starting 127.0.0.1
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012960"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012967"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
|
||||
Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
|
||||
Samba performance significantly.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012993"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013000"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
|
||||
when running Samba on Solaris. The built in file locking mechanism was
|
||||
not scalable. Performance would degrade to the point where processes would
|
||||
get into loops of trying to lock a file. It would try a lock, then fail,
|
||||
then try again. The lock attempt was failing before the grant was
|
||||
occurring. So the visible manifestation of this would be a handful of
|
||||
processes stealing all of the CPU, and when they were trussed they would
|
||||
be stuck if F_SETLKW64 loops.
|
||||
</p><p>
|
||||
Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7
|
||||
has not been released yet.
|
||||
</p><p>
|
||||
The patch revision for 2.6 is 105181-34
|
||||
for 8 is 108528-19 and for 9 is 112233-04
|
||||
</p><p>
|
||||
After the install of these patches it is recommended to reconfigure
|
||||
and rebuild samba.
|
||||
</p><p>Thanks to Joe Meslovich for reporting</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p>
|
||||
Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior
|
||||
is fixed by Sun in patch 113476-05 which as of March 2003 is not in any
|
||||
roll-up packages.
|
||||
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. How to compile SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. Samba and other CIFS clients</td></tr></table></div></body></html>
|
@ -1,681 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2983922">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2983955">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2983996">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2989358">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2990295">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2990360">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990620">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990678">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990723">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990743">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990891">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991445">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991949">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991962">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2992025">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2992243">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983922"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
|
||||
some administrators.
|
||||
</p><p>
|
||||
Roaming Profiles allow an administrator to make available a consistent user desktop
|
||||
as the user moves from one machine to another. This chapter provides much information
|
||||
regarding how to configure and manage Roaming Profiles.
|
||||
</p><p>
|
||||
While Roaming Profiles might sound like nirvana to some, they are a real and tangible
|
||||
problem to others. In particular, users of mobile computing tools, where often there may not
|
||||
be a sustained network connection, are often better served by purely Local Profiles.
|
||||
This chapter provides information to help the Samba administrator to deal with those
|
||||
situations also.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983955"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
|
||||
Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
|
||||
</p></div><p>
|
||||
Before discussing how to configure roaming profiles, it is useful to see how
|
||||
Windows 9x / Me and Windows NT4/200x clients implement these features.
|
||||
</p><p>
|
||||
Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
|
||||
profiles location. However, the response does not have room for a separate
|
||||
profiles location field, only the user's home share. This means that Win9X/Me
|
||||
profiles are restricted to being stored in the user's home directory.
|
||||
</p><p>
|
||||
Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
|
||||
including a separate field for the location of the user's profiles.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983996"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
|
||||
This section documents how to configure Samba for MS Windows client profile support.
|
||||
</p><div xmlns:ns83="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2984009"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
|
||||
To support Windows NT4/200x clients, in the [global] section of smb.conf set the
|
||||
following (for example):
|
||||
</p><ns83:p>
|
||||
</ns83:p><pre class="programlisting">
|
||||
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
|
||||
</pre><ns83:p>
|
||||
|
||||
This is typically implemented like:
|
||||
|
||||
</ns83:p><pre class="programlisting">
|
||||
logon path = \\%L\Profiles\%u
|
||||
</pre><ns83:p>
|
||||
where %L translates to the name of the Samba server and %u translates to the user name
|
||||
</ns83:p><p>
|
||||
The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
|
||||
namely <tt class="filename">\\sambaserver\username\profile</tt>.
|
||||
The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
|
||||
a samba server for the profiles, you _must_ make the share specified in the logon path
|
||||
browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
|
||||
semantics of %L and %N, as well as %U and %u.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
MS Windows NT/2K clients at times do not disconnect a connection to a server
|
||||
between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
|
||||
meta-service name as part of the profile share path.
|
||||
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2984098"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
|
||||
To support Windows 9x / Me clients, you must use the <i class="parameter"><tt>logon home</tt></i> parameter. Samba has
|
||||
now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
|
||||
on the <b class="command">logon home</b> parameter.
|
||||
</p><p>
|
||||
By using the logon home parameter, you are restricted to putting Win9x / Me
|
||||
profiles in the user's home directory. But wait! There is a trick you
|
||||
can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
|
||||
</p><pre class="programlisting">
|
||||
logon home = \\%L\%U\.profiles
|
||||
</pre><p>
|
||||
then your Windows 9x / Me clients will dutifully put their clients in a subdirectory
|
||||
of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden).
|
||||
</p><p>
|
||||
Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in
|
||||
Windows 9x / Me. It removes any directory stuff off the end of the home directory area
|
||||
and only uses the server and share portion. That is, it looks like you
|
||||
specified <tt class="filename">\\%L\%U</tt> for <i class="parameter"><tt>logon home</tt></i>.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989173"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
|
||||
You can support profiles for both Win9X and WinNT clients by setting both the
|
||||
<i class="parameter"><tt>logon home</tt></i> and <i class="parameter"><tt>logon path</tt></i> parameters. For example:
|
||||
</p><pre class="programlisting">
|
||||
logon home = \\%L\%u\.profiles
|
||||
logon path = \\%L\profiles\%u
|
||||
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989209"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
|
||||
A question often asked is “<span class="quote">How may I enforce use of local profiles?</span>” or
|
||||
“<span class="quote">How do I disable Roaming Profiles?</span>”
|
||||
</p><p>
|
||||
There are three ways of doing this:
|
||||
</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd xmlns:ns84=""><ns84:p>
|
||||
Affect the following settings and ALL clients
|
||||
will be forced to use a local profile:
|
||||
</ns84:p><pre class="programlisting">
|
||||
logon home =
|
||||
logon path =
|
||||
</pre><ns84:p>
|
||||
</ns84:p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd xmlns:ns85=""><ns85:p>
|
||||
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
|
||||
|
||||
</ns85:p><pre class="programlisting">
|
||||
Local Computer Policy\
|
||||
Computer Configuration\
|
||||
Administrative Templates\
|
||||
System\
|
||||
User Profiles\
|
||||
|
||||
Disable: Only Allow Local User Profiles
|
||||
Disable: Prevent Roaming Profile Change from Propagating to the Server
|
||||
</pre><ns85:p>
|
||||
</ns85:p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
|
||||
From the start menu right click on the
|
||||
My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
|
||||
tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
|
||||
</p></dd></dl></div><p>
|
||||
Consult the MS Windows registry guide for your particular MS Windows version for more
|
||||
information about which registry keys to change to enforce use of only local user
|
||||
profiles.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
|
||||
to a local one vary according to the version of MS Windows you are running. Consult the
|
||||
Microsoft MS Windows Resource Kit for your version of Windows for specific information.
|
||||
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989358"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989366"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
|
||||
When a user first logs in on Windows 9X, the file user.DAT is created,
|
||||
as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
|
||||
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
|
||||
These directories and their contents will be merged with the local
|
||||
versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins,
|
||||
taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i>
|
||||
options <i class="parameter"><tt>preserve case = yes</tt></i>, <i class="parameter"><tt>short preserve case = yes</tt></i> and
|
||||
<i class="parameter"><tt>case sensitive = no</tt></i> in order to maintain capital letters in shortcuts
|
||||
in any of the profile folders.
|
||||
</p><p>
|
||||
The user.DAT file contains all the user's preferences. If you wish to
|
||||
enforce a set of preferences, rename their user.DAT file to user.MAN,
|
||||
and deny them write access to this file.
|
||||
</p><div class="orderedlist"><ol type="1"><li><p>
|
||||
On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Passwords</span> and
|
||||
select the <span class="guilabel">User Profiles</span> tab. Select the required level of
|
||||
roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer
|
||||
to reboot.
|
||||
</p></li><li><p>
|
||||
On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Network</span> ->
|
||||
<span class="guimenuitem">Client for Microsoft Networks</span> -> <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to
|
||||
NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for
|
||||
Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer
|
||||
to reboot.
|
||||
</p></li></ol></div><p>
|
||||
Under Windows 9x / Me Profiles are downloaded from the Primary Logon.
|
||||
If you have the Primary Logon as 'Client for Novell Networks', then
|
||||
the profiles and logon script will be downloaded from your Novell
|
||||
Server. If you have the Primary Logon as 'Windows Logon', then the
|
||||
profiles will be loaded from the local machine - a bit against the
|
||||
concept of roaming profiles, it would seem!
|
||||
</p><p>
|
||||
You will now find that the Microsoft Networks Login box contains
|
||||
[user, password, domain] instead of just [user, password]. Type in
|
||||
the samba server's domain name (or any other domain known to exist,
|
||||
but bear in mind that the user will be authenticated against this
|
||||
domain and profiles downloaded from it, if that domain logon server
|
||||
supports it), user name and user's password.
|
||||
</p><p>
|
||||
Once the user has been successfully validated, the Windows 9x / Me machine
|
||||
will inform you that <tt class="computeroutput">The user has not logged on before' and asks you
|
||||
if you wish to save the user's preferences?</tt> Select <span class="guibutton">yes</span>.
|
||||
</p><p>
|
||||
Once the Windows 9x / Me client comes up with the desktop, you should be able
|
||||
to examine the contents of the directory specified in the <i class="parameter"><tt>logon path</tt></i>
|
||||
on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
|
||||
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created.
|
||||
</p><p>
|
||||
These folders will be cached locally on the client, and updated when
|
||||
the user logs off (if you haven't made them read-only by then).
|
||||
You will find that if the user creates further folders or short-cuts,
|
||||
that the client will merge the profile contents downloaded with the
|
||||
contents of the profile directory already on the local client, taking
|
||||
the newest folders and short-cuts from each set.
|
||||
</p><p>
|
||||
If you have made the folders / files read-only on the samba server,
|
||||
then you will get errors from the Windows 9x / Me machine on logon and logout, as
|
||||
it attempts to merge the local and the remote profile. Basically, if
|
||||
you have any errors reported by the Windows 9x / Me machine, check the Unix file
|
||||
permissions and ownership rights on the profile directory contents,
|
||||
on the samba server.
|
||||
</p><p>
|
||||
If you have problems creating user profiles, you can reset the user's
|
||||
local desktop cache, as shown below. When this user then next logs in,
|
||||
they will be told that they are logging in "for the first time".
|
||||
</p><div class="orderedlist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
|
||||
Before deleting the contents of the
|
||||
directory listed in the ProfilePath (this is likely to be
|
||||
<tt class="filename">c:\windows\profiles\username)</tt>, ask them if they
|
||||
have any important files stored on their desktop or in their start menu.
|
||||
Delete the contents of the directory ProfilePath (making a backup if any
|
||||
of the files are needed).
|
||||
</p><p>
|
||||
This will have the effect of removing the local (read-only hidden
|
||||
system file) user.DAT in their profile directory, as well as the
|
||||
local "desktop", "nethood", "start menu" and "programs" folders.
|
||||
</p></div><ol type="1"><li><p>
|
||||
instead of logging in under the [user, password, domain] dialog,
|
||||
press <span class="guibutton">escape</span>.
|
||||
</p></li><li><p>
|
||||
run the <b class="command">regedit.exe</b> program, and look in:
|
||||
</p><p>
|
||||
<tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
|
||||
</p><p>
|
||||
you will find an entry, for each user, of ProfilePath. Note the
|
||||
contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>),
|
||||
then delete the key ProfilePath for the required user.
|
||||
</p><p>[Exit the registry editor].</p></li><li><p>
|
||||
search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt>
|
||||
directory, and delete it.
|
||||
</p></li><li><p>
|
||||
log off the windows 9x / Me client.
|
||||
</p></li><li><p>
|
||||
check the contents of the profile path (see <i class="parameter"><tt>logon path</tt></i> described
|
||||
above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user,
|
||||
making a backup if required.
|
||||
</p></li></ol></div><p>
|
||||
If all else fails, increase samba's debug log levels to between 3 and 10,
|
||||
and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and
|
||||
look for error messages.
|
||||
</p><p>
|
||||
If you have access to an Windows NT4/200x server, then first set up roaming profiles
|
||||
and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
|
||||
the example packet traces provided with Windows NT4/200x server, and see what the
|
||||
differences are with the equivalent samba trace.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2985567"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
|
||||
When a user first logs in to a Windows NT Workstation, the profile
|
||||
NTuser.DAT is created. The profile location can be now specified
|
||||
through the <i class="parameter"><tt>logon path</tt></i> parameter.
|
||||
</p><p>
|
||||
There is a parameter that is now available for use with NT Profiles:
|
||||
<i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and
|
||||
should be used in conjunction with the new "logon home" parameter.
|
||||
</p><p>
|
||||
The entry for the NT4 profile is a _directory_ not a file. The NT
|
||||
help on profiles mentions that a directory is also created with a .PDS
|
||||
extension. The user, while logging in, must have write permission to
|
||||
create the full profile path (and the folder with the .PDS extension
|
||||
for those situations where it might be created.)
|
||||
</p><p>
|
||||
In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
|
||||
It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>,
|
||||
<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file
|
||||
<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and
|
||||
its purpose is currently unknown.
|
||||
</p><p>
|
||||
You can use the <span class="application">System Control Panel</span> to copy a local profile onto
|
||||
a samba server (see NT Help on profiles: it is also capable of firing
|
||||
up the correct location in the <span class="application">System Control Panel</span> for you). The
|
||||
NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt>
|
||||
turns a profile into a mandatory one.
|
||||
</p><p>
|
||||
The case of the profile is significant. The file must be called
|
||||
<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2985724"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
|
||||
You must first convert the profile from a local profile to a domain
|
||||
profile on the MS Windows workstation as follows:
|
||||
</p><div class="procedure"><ol type="1"><li><p>
|
||||
Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator.
|
||||
</p></li><li><p>
|
||||
Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span>
|
||||
</p></li><li><p>
|
||||
Click on the <span class="guilabel">User Profiles</span> tab
|
||||
</p></li><li><p>
|
||||
Select the profile you wish to convert (click on it once)
|
||||
</p></li><li><p>
|
||||
Click on the button <span class="guibutton">Copy To</span>
|
||||
</p></li><li><p>
|
||||
In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button.
|
||||
</p></li><li><p>
|
||||
Click on the 'Look in" area that lists the machine name, when you click
|
||||
here it will open up a selection box. Click on the domain to which the
|
||||
profile must be accessible.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect
|
||||
as: <i class="replaceable"><tt>MIDEARTH</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p>
|
||||
To make the profile capable of being used by anyone select 'Everyone'
|
||||
</p></li><li><p>
|
||||
Click <span class="guibutton">OK</span>. The Selection box will close.
|
||||
</p></li><li><p>
|
||||
Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
|
||||
nominated.
|
||||
</p></li></ol></div><p>
|
||||
Done. You now have a profile that can be edited using the samba-3.0.0
|
||||
<b class="command">profiles</b> tool.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
Under NT/2K the use of mandatory profiles forces the use of MS Exchange
|
||||
storage of mail data. That keeps desktop profiles usable.
|
||||
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><div class="procedure"><ol type="1"><li><p>
|
||||
This is a security check new to Windows XP (or maybe only
|
||||
Windows XP service pack 1). It can be disabled via a group policy in
|
||||
Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User
|
||||
Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>.
|
||||
Does the new version of samba have an Active Directory analogue? If so,
|
||||
then you may be able to set the policy through this.
|
||||
</p><p>
|
||||
If you cannot set group policies in samba, then you may be able to set
|
||||
the policy locally on each machine. If you want to try this, then do
|
||||
the following (N.B. I don't know for sure that this will work in the
|
||||
same way as a domain group policy):
|
||||
</p></li><li><p>
|
||||
On the XP workstation log in with an Administrator account.
|
||||
</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the "Console Root" window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
|
||||
<span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
|
||||
refers to the console settings rather than the policies you have
|
||||
changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990295"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
|
||||
Sharing of desktop profiles between Windows versions is NOT recommended.
|
||||
Desktop profiles are an evolving phenomenon and profiles for later versions
|
||||
of MS Windows clients add features that may interfere with earlier versions
|
||||
of MS Windows clients. Probably the more salient reason to NOT mix profiles
|
||||
is that when logging off an earlier version of MS Windows the older format
|
||||
of profile contents may overwrite information that belongs to the newer
|
||||
version resulting in loss of profile information content when that user logs
|
||||
on again with the newer version of MS Windows.
|
||||
</p><p>
|
||||
If you then want to share the same Start Menu / Desktop with W9x/Me, you will
|
||||
need to specify a common location for the profiles. The smb.conf parameters
|
||||
that need to be common are <i class="parameter"><tt>logon path</tt></i> and
|
||||
<i class="parameter"><tt>logon home</tt></i>.
|
||||
</p><p>
|
||||
If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
|
||||
<tt class="filename">NTuser.DAT</tt> files in the same profile directory.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990360"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
|
||||
There is nothing to stop you specifying any path that you like for the
|
||||
location of users' profiles. Therefore, you could specify that the
|
||||
profile be stored on a samba server, or any other SMB server, as long as
|
||||
that SMB server supports encrypted passwords.
|
||||
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990377"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
|
||||
Unfortunately, the Resource Kit information is specific to the version of MS Windows
|
||||
NT4/200x. The correct resource kit is required for each platform.
|
||||
</p><p>
|
||||
Here is a quick guide:
|
||||
</p><div class="procedure"><ol type="1"><li><p>
|
||||
On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then
|
||||
select the tab labelled <span class="guilabel">User Profiles</span>.
|
||||
</p></li><li><p>
|
||||
Select a user profile you want to migrate and click on it.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term "migrate" loosely. You can copy a profile to
|
||||
create a group profile. You can give the user 'Everyone' rights to the
|
||||
profile you copy this to. That is what you need to do, since your samba
|
||||
domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
|
||||
<tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
|
||||
'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
|
||||
Follow the above for every profile you need to migrate.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990540"></a>Side bar Notes</h4></div></div><div></div></div><p>
|
||||
You should obtain the SID of your NT4 domain. You can use smbpasswd to do
|
||||
this. Read the man page.</p><p>
|
||||
With Samba-3.0.0 alpha code you can import all you NT4 domain accounts
|
||||
using the net samsync method. This way you can retain your profile
|
||||
settings as well as all your users.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990562"></a>moveuser.exe</h4></div></div><div></div></div><p>
|
||||
The W2K professional resource kit has moveuser.exe. moveuser.exe changes
|
||||
the security of a profile from one user to another. This allows the account
|
||||
domain to change, and/or the user name to change.
|
||||
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990578"></a>Get SID</h4></div></div><div></div></div><p>
|
||||
You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
|
||||
Resource Kit.
|
||||
</p><p>
|
||||
Windows NT 4.0 stores the local profile information in the registry under
|
||||
the following key:
|
||||
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt>
|
||||
</p><p>
|
||||
Under the ProfileList key, there will be subkeys named with the SIDs of the
|
||||
users who have logged on to this computer. (To find the profile information
|
||||
for the user whose locally cached profile you want to move, find the SID for
|
||||
the user with the GetSID.exe utility.) Inside of the appropriate user's
|
||||
subkey, you will see a string value named ProfileImagePath.
|
||||
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990620"></a>Mandatory profiles</h2></div></div><div></div></div><p>
|
||||
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
|
||||
During the user's session it may be possible to change the desktop environment, but
|
||||
as the user logs out all changes made will be lost. If it is desired to NOT allow the
|
||||
user any ability to change the desktop environment then this must be done through
|
||||
policy settings. See previous chapter.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
Under NO circumstances should the profile directory (or it's contents) be made read-only
|
||||
as this may render the profile un-usable.
|
||||
</p></div><p>
|
||||
For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
|
||||
also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
|
||||
file in the copied profile and rename it to NTUser.MAN.
|
||||
</p><p>
|
||||
For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to
|
||||
affect a mandatory profile.
|
||||
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990678"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
|
||||
Most organisations are arranged into departments. There is a nice benefit in
|
||||
this fact since usually most users in a department will require the same desktop
|
||||
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
|
||||
use of Group Profiles. A Group Profile is a profile that is created firstly using
|
||||
a template (example) user. Then using the profile migration tool (see above) the
|
||||
profile is assigned access rights for the user group that needs to be given access
|
||||
to the group profile.
|
||||
</p><p>
|
||||
The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile
|
||||
to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned
|
||||
the now modified profile.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
Be careful with group profiles, if the user who is a member of a group also
|
||||
has a personal profile, then the result will be a fusion (merge) of the two.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990723"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
|
||||
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
|
||||
a profile does not already exist. Armed with a knowledge of where the default profile
|
||||
is located on the Windows workstation, and knowing which registry keys affect the path
|
||||
from which the default profile is created, it is possible to modify the default profile
|
||||
to one that has been optimised for the site. This has significant administrative
|
||||
advantages.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990743"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
|
||||
To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
|
||||
Policy Editor</span> or change the registry directly.
|
||||
</p><p>
|
||||
To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then
|
||||
select <span class="guimenu">File</span> -> <span class="guimenuitem">Open Registry</span>, then click on the
|
||||
<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
|
||||
select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes.
|
||||
</p><p>
|
||||
To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive
|
||||
<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name
|
||||
"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.
|
||||
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990841"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
|
||||
When a user logs on to a Windows 9x / Me machine, the local profile path,
|
||||
<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
|
||||
for an existing entry for that user:
|
||||
</p><p>
|
||||
If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
|
||||
version of the user profile. Windows 9x / Me also checks the user's home directory (or other
|
||||
specified directory if the location has been modified) on the server for the User Profile.
|
||||
If a profile exists in both locations, the newer of the two is used. If the User Profile exists
|
||||
on the server, but does not exist on the local machine, the profile on the server is downloaded
|
||||
and used. If the User Profile only exists on the local machine, that copy is used.
|
||||
</p><p>
|
||||
If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
|
||||
machine is used and is copied to a newly created folder for the logged on user. At log off, any
|
||||
changes that the user made are written to the user's local profile. If the user has a roaming
|
||||
profile, the changes are written to the user's profile on the server.
|
||||
</p></div></div><div xmlns:ns86="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990891"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
|
||||
On MS Windows NT4 the default user profile is obtained from the location
|
||||
<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
|
||||
<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
|
||||
three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>.
|
||||
</p><p>
|
||||
The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
|
||||
system users. The <tt class="filename">Default User</tt> directory contains menu entries that are
|
||||
customisable per user depending on the profile settings chosen/created.
|
||||
</p><p>
|
||||
When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>All Users settings</td></tr><tr><td>Default User settings (contains the default NTUser.DAT file)</td></tr></table><p>
|
||||
When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
|
||||
the following steps are followed in respect of profile handling:
|
||||
</p><div class="procedure"><ol type="1"><li><p>
|
||||
The users' account information which is obtained during the logon process contains
|
||||
the location of the users' desktop profile. The profile path may be local to the
|
||||
machine or it may be located on a network share. If there exists a profile at the location
|
||||
of the path from the user account, then this profile is copied to the location
|
||||
<tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the
|
||||
settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
|
||||
location.
|
||||
</p></li><li><p>
|
||||
If the user account has a profile path, but at it's location a profile does not exist,
|
||||
then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
|
||||
directory from reading the <tt class="filename">Default User</tt> profile.
|
||||
</p></li><li><p>
|
||||
If the NETLOGON share on the authenticating server (logon server) contains a policy file
|
||||
(<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt>
|
||||
which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry.
|
||||
</p></li><li><p>
|
||||
When the user logs out, if the profile is set to be a roaming profile it will be written
|
||||
out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
|
||||
re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
|
||||
Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
|
||||
next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
|
||||
in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>.
|
||||
</p></li></ol></div><p>
|
||||
MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
|
||||
will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
|
||||
also remain stored in the same way, unless the following registry key is created:
|
||||
</p><ns86:p>
|
||||
</ns86:p><pre class="programlisting">
|
||||
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
|
||||
"DeleteRoamingCache"=dword:00000001
|
||||
</pre><ns86:p>
|
||||
|
||||
In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
|
||||
deleted on logout.
|
||||
</ns86:p><p>
|
||||
Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>
|
||||
may be redirected to a network share by modifying the following registry keys. These changes may be affected
|
||||
via use of the System Policy Editor (to do so may require that you create your owns template extension
|
||||
for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first
|
||||
creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.
|
||||
</p><p>
|
||||
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
|
||||
are controlled by entries on Windows NT4 is:
|
||||
</p><p>
|
||||
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
|
||||
</p><p>
|
||||
The above hive key contains a list of automatically managed folders. The default entries are:
|
||||
</p><ns86:p>
|
||||
</ns86:p><div class="table"><a name="id2991239"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><ns86:p>
|
||||
</ns86:p><p>
|
||||
The registry key that contains the location of the default profile settings is:
|
||||
</p><p>
|
||||
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
|
||||
</p><ns86:p>
|
||||
The default entries are:
|
||||
|
||||
</ns86:p><div class="table"><a name="id2991383"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><ns86:p>
|
||||
</ns86:p></div><div xmlns:ns87="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991445"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
MS Windows XP Home Edition does use default per user profiles, but can not participate
|
||||
in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
|
||||
only from itself. While there are benefits in doing this the beauty of those MS Windows
|
||||
clients that CAN participate in domain logon processes allows the administrator to create
|
||||
a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
|
||||
</p></div><p>
|
||||
When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
|
||||
<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change
|
||||
the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
|
||||
arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
|
||||
workstation.
|
||||
</p><p>
|
||||
When MS Windows 200x/XP participate in a domain security context, and if the default user
|
||||
profile is not found, then the client will search for a default profile in the NETLOGON share
|
||||
of the authenticating server. ie: In MS Windows parlance:
|
||||
<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this
|
||||
to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows
|
||||
login name of the user.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory
|
||||
should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>.
|
||||
</p></div><p>
|
||||
If a default profile does not exist in this location then MS Windows 200x/XP will use the local
|
||||
default profile.
|
||||
</p><p>
|
||||
On logging out, the users' desktop profile will be stored to the location specified in the registry
|
||||
settings that pertain to the user. If no specific policies have been created, or passed to the client
|
||||
during the login process (as Samba does automatically), then the user's profile will be written to
|
||||
the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
|
||||
</p><p>
|
||||
Those wishing to modify the default behaviour can do so through three methods:
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
Modify the registry keys on the local machine manually and place the new default profile in the
|
||||
NETLOGON share root - NOT recommended as it is maintenance intensive.
|
||||
</p></li><li><p>
|
||||
Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
|
||||
in the root of the NETLOGON share along with the new default profile.
|
||||
</p></li><li><p>
|
||||
Create a GPO that enforces this through Active Directory, and place the new default profile
|
||||
in the NETLOGON share.
|
||||
</p></li></ul></div><p>
|
||||
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
|
||||
are controlled by entries on Windows 200x/XP is:
|
||||
</p><p>
|
||||
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
|
||||
</p><p>
|
||||
The above hive key contains a list of automatically managed folders. The default entries are:
|
||||
</p><ns87:p>
|
||||
</ns87:p><div class="table"><a name="id2991638"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><ns87:p>
|
||||
</ns87:p><p>
|
||||
There is also an entry called "Default" that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
|
||||
the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
|
||||
</p><p>
|
||||
It makes a huge difference to the speed of handling roaming user profiles if all the folders are
|
||||
stored on a dedicated location on a network server. This means that it will NOT be necessary to
|
||||
write the Outlook PST file over the network for every login and logout.
|
||||
</p><p>
|
||||
To set this to a network location you could use the following examples:
|
||||
</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p>
|
||||
This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt>
|
||||
You could also use:
|
||||
</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
|
||||
in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
|
||||
in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows
|
||||
user as seen by the Linux/Unix file system.
|
||||
</p><p>
|
||||
Please note that once you have created a default profile share, you MUST migrate a user's profile
|
||||
(default or custom) to it.
|
||||
</p><p>
|
||||
MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
|
||||
A roaming profile will be cached locally unless the following registry key is created:
|
||||
</p><p><tt class="filename">HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001</tt></p><p>
|
||||
In which case, the local cache copy will be deleted on logout.
|
||||
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991949"></a>Common Errors</h2></div></div><div></div></div><p>
|
||||
The following are some typical errors/problems/questions that have been asked.
|
||||
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991962"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p>
|
||||
With samba-2.2.x the choice you have is to enable or disable roaming
|
||||
profiles support. It is a global only setting. The default is to have
|
||||
roaming profiles and the default path will locate them in the user's home
|
||||
directory.
|
||||
</p><p>
|
||||
If disabled globally then no-one will have roaming profile ability.
|
||||
If enabled and you want it to apply only to certain machines, then on
|
||||
those machines on which roaming profile support is NOT wanted it is then
|
||||
necessary to disable roaming profile handling in the registry of each such
|
||||
machine.
|
||||
</p><p>
|
||||
With samba-3.0.0 (soon to be released) you can have a global profile
|
||||
setting in smb.conf _AND_ you can over-ride this by per-user settings
|
||||
using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
|
||||
</p><p>
|
||||
In any case, you can configure only one profile per user. That profile can
|
||||
be either:
|
||||
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div xmlns:ns89="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2992025"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
|
||||
“<span class="quote">
|
||||
I dont want Roaming profile to be implemented, I just want to give users
|
||||
local profiles only.
|
||||
...
|
||||
Please help me I am totally lost with this error from past two days I tried
|
||||
everything and googled around quite a bit but of no help. Please help me.
|
||||
</span>”</p><ns89:p>
|
||||
Your choices are:
|
||||
|
||||
|
||||
</ns89:p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p>
|
||||
I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
|
||||
</p></dd><dt><span class="term">Roaming profiles</span></dt><dd xmlns:ns88=""><ns88:p>
|
||||
</ns88:p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><ns88:p>
|
||||
|
||||
Your choices are:
|
||||
|
||||
</ns88:p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
|
||||
- should be preserved on a central server
|
||||
- workstations 'cache' (store) a local copy
|
||||
- used in case the profile can not be downloaded
|
||||
at next logon
|
||||
</p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a central place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
|
||||
- can be personal or group
|
||||
- can NOT be changed (except by an administrator
|
||||
</p></dd></dl></div><ns88:p>
|
||||
</ns88:p></dd></dl></div><ns89:p>
|
||||
|
||||
</ns89:p><p>
|
||||
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
|
||||
Outlook PST files are most often part of the profile and can be many GB in
|
||||
size. On average (in a well controlled environment) roaming profile size of
|
||||
2MB is a good rule of thumb to use for planning purposes. In an
|
||||
undisciplined environment I have seen up to 2GB profiles. Users tend to
|
||||
complain when it take an hour to log onto a workstation but they harvest
|
||||
the fruits of folly (and ignorance).
|
||||
</p><p>
|
||||
The point of all the above is to show that roaming profiles and good
|
||||
controls of how they can be changed as well as good discipline make up for
|
||||
a problem free site.
|
||||
</p><p>
|
||||
Microsoft's answer to the PST problem is to store all email in an MS
|
||||
Exchange Server back-end. But this is another story ...!
|
||||
</p><ns89:p>
|
||||
So, having LOCAL profiles means:
|
||||
|
||||
</ns89:p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><ns89:p>
|
||||
|
||||
On the other hand, having roaming profiles means:
|
||||
</ns89:p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><ns89:p>
|
||||
|
||||
</ns89:p><p>
|
||||
I have managed and installed MANY NT/2K networks and have NEVER found one
|
||||
where users who move from machine to machine are happy with local
|
||||
profiles. In the long run local profiles bite them.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2992243"></a>Changing the default profile</h3></div></div><div></div></div><p>“<span class="quote">
|
||||
When the client tries to logon to the PDC it looks for a profile to download
|
||||
where do I put this default profile.
|
||||
</span>”</p><p>
|
||||
Firstly, your samba server need to be configured as a domain controller.
|
||||
</p><pre class="programlisting">
|
||||
server = user
|
||||
os level = 32 (or more)
|
||||
domain logons = Yes
|
||||
</pre><p>
|
||||
Plus you need to have a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable.
|
||||
It is a good idea to add a logon script to pre-set printer and
|
||||
drive connections. There is also a facility for automatically
|
||||
synchronizing the workstation time clock with that of the logon
|
||||
server (another good thing to do).
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
To invoke auto-deletion of roaming profile from the local
|
||||
workstation cache (disk storage) you need to use the <span class="application">Group Policy Editor</span>
|
||||
to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This
|
||||
file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p>
|
||||
Oh, of course the windows clients need to be members of the domain.
|
||||
Workgroup machines do NOT do network logons - so they never see domain
|
||||
profiles.
|
||||
</p><p>
|
||||
Secondly, for roaming profiles you need:
|
||||
|
||||
logon path = \\%N\profiles\%U (with some such path)
|
||||
logon drive = H: (Z: is the default)
|
||||
|
||||
Plus you need a PROFILES share that is world writable.
|
||||
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html>
|
@ -1,201 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3002261">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3002111">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3003000">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3003113">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3003176">Global Settings</a></dt><dt><a href="SWAT.html#id3003282">Share Settings</a></dt><dt><a href="SWAT.html#id3003346">Printers Settings</a></dt><dt><a href="SWAT.html#id3003411">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3003459">The Status Page</a></dt><dt><a href="SWAT.html#id3003511">The View Page</a></dt><dt><a href="SWAT.html#id3003534">The Password Change Page</a></dt></dl></dd></dl></div><p>
|
||||
There are many and varied opinions regarding the usefulness or otherwise of SWAT.
|
||||
No matter how hard one tries to produce the perfect configuration tool it remains
|
||||
an object of personal taste. SWAT is a tool that will allow web based configuration
|
||||
of samba. It has a wizard that may help to get samba configured quickly, it has context
|
||||
sensitive help on each smb.conf parameter, it provides for monitoring of current state
|
||||
of connection information, and it allows network wide MS Windows network password
|
||||
management.
|
||||
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3002261"></a>Features and Benefits</h2></div></div><div></div></div><p>
|
||||
There are network administrators who believe that it is a good idea to write systems
|
||||
documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT
|
||||
does not store the configuration file in any intermediate form, rather, it stores only the
|
||||
parameter settings, so when SWAT writes the smb.conf file to disk it will write only
|
||||
those parameters that are at other than the default settings. The result is that all comments
|
||||
will be lost from the <tt class="filename">smb.conf</tt> file. Additionally, the parameters will be written back in
|
||||
internal ordering.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
So before using SWAT please be warned - SWAT will completely replace your smb.conf with
|
||||
a fully optimised file that has been stripped of all comments you might have placed there
|
||||
and only non-default settings will be written to the file.
|
||||
</p></div><div xmlns:ns96="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002111"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
|
||||
SWAT should be installed to run via the network super daemon. Depending on which system
|
||||
your Unix/Linux system has you will have either an <b class="command">inetd</b> or
|
||||
<b class="command">xinetd</b> based system.
|
||||
</p><p>
|
||||
The nature and location of the network super-daemon varies with the operating system
|
||||
implementation. The control file (or files) can be located in the file
|
||||
<tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet.d</tt>
|
||||
or similar.
|
||||
</p><p>
|
||||
The control entry for the older style file might be:
|
||||
</p><pre class="programlisting">
|
||||
# swat is the Samba Web Administration Tool
|
||||
swat stream tcp nowait.400 root /usr/sbin/swat swat
|
||||
</pre><p>
|
||||
A control file for the newer style xinetd could be:
|
||||
</p><ns96:p>
|
||||
</ns96:p><pre class="programlisting">
|
||||
# default: off
|
||||
# description: SWAT is the Samba Web Admin Tool. Use swat \
|
||||
# to configure your Samba server. To use SWAT, \
|
||||
# connect to port 901 with your favorite web browser.
|
||||
service swat
|
||||
{
|
||||
port = 901
|
||||
socket_type = stream
|
||||
wait = no
|
||||
only_from = localhost
|
||||
user = root
|
||||
server = /usr/sbin/swat
|
||||
log_on_failure += USERID
|
||||
disable = yes
|
||||
}
|
||||
</pre><ns96:p>
|
||||
|
||||
</ns96:p><p>
|
||||
Both the above examples assume that the <b class="command">swat</b> binary has been
|
||||
located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above
|
||||
SWAT will use a directory access point from which it will load it's help files
|
||||
as well as other control information. The default location for this on most Linux
|
||||
systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default
|
||||
location using samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>.
|
||||
</p><p>
|
||||
Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
|
||||
the only permission allowed is to view certain aspects of configuration as well as
|
||||
access to the password change facility. The buttons that will be exposed to the non-root
|
||||
user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>,
|
||||
<span class="guibutton">PASSWORD</span>. The only page that allows
|
||||
change capability in this case is <span class="guibutton">PASSWORD</span>.
|
||||
</p><p>
|
||||
So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span> you should obtain
|
||||
full change and commit ability. The buttons that will be exposed includes:
|
||||
<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
|
||||
<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003000"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
|
||||
Lots of people have asked about how to setup SWAT with SSL to allow for secure remote
|
||||
administration of Samba. Here is a method that works, courtesy of Markus Krieger
|
||||
</p><p>
|
||||
Modifications to the swat setup are as following:
|
||||
</p><div class="procedure"><ol type="1"><li><p>
|
||||
install OpenSSL
|
||||
</p></li><li xmlns:ns97=""><ns97:p>
|
||||
generate certificate and private key
|
||||
|
||||
</ns97:p><pre class="screen">
|
||||
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
|
||||
/usr/share/doc/packages/stunnel/stunnel.cnf \
|
||||
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
|
||||
</pre></li><li><p>
|
||||
remove swat-entry from [x]inetd
|
||||
</p></li><li xmlns:ns98=""><ns98:p>
|
||||
start stunnel
|
||||
|
||||
</ns98:p><pre class="screen">
|
||||
<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
|
||||
-l /usr/local/samba/bin/swat swat </tt></b>
|
||||
</pre></li></ol></div><p>
|
||||
afterwords simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
|
||||
and the SSL connection is up.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003113"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
|
||||
The SWAT title page provides access to the latest Samba documentation. The manual page for
|
||||
each samba component is accessible from this page as are the Samba-HOWTO-Collection (this
|
||||
document) as well as the O'Reilly book "Using Samba".
|
||||
</p><p>
|
||||
Administrators who wish to validate their samba configuration may obtain useful information
|
||||
from the man pages for the diagnostic utilities. These are available from the SWAT home page
|
||||
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
|
||||
useful is <b class="command">ethereal</b>, available from <a href="http://www.ethereal.com" target="_top">
|
||||
http://www.ethereal.com</a>.
|
||||
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
|
||||
SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended
|
||||
as it runs SWAT without authentication and with full administrative ability. ie: Allows
|
||||
changes to smb.conf as well as general operation with root privileges. The option that
|
||||
creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any
|
||||
production environment.</em></span>
|
||||
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003176"></a>Global Settings</h3></div></div><div></div></div><p>
|
||||
The Globals button will expose a page that allows configuration of the global parameters
|
||||
in smb.conf. There are three levels of exposure of the parameters:
|
||||
</p><div class="itemizedlist"><ul type="disc"><li><p>
|
||||
<span class="emphasis"><em>Basic</em></span> - exposes common configuration options.
|
||||
</p></li><li><p>
|
||||
<span class="emphasis"><em>Advanced</em></span> - exposes configuration options needed in more
|
||||
complex environments.
|
||||
</p></li><li><p>
|
||||
<span class="emphasis"><em>Developer</em></span> - exposes configuration options that only the brave
|
||||
will want to tamper with.
|
||||
</p></li></ul></div><p>
|
||||
To switch to other than <span class="emphasis"><em>Basic</em></span> editing ability click on either the
|
||||
<span class="emphasis"><em>Advanced</em></span> or the <span class="emphasis"><em>Developer</em></span> dial, then click the
|
||||
<span class="guibutton">Commit Changes</span> button.
|
||||
</p><p>
|
||||
After making any changes to configuration parameters make sure that you click on the
|
||||
<span class="guibutton">Commit Changes</span> button before moving to another area otherwise
|
||||
your changes will be immediately lost.
|
||||
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
|
||||
SWAT has context sensitive help. To find out what each parameter is for simply click the
|
||||
<span class="guibutton">Help</span> link to the left of the configuration parameter.
|
||||
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003282"></a>Share Settings</h3></div></div><div></div></div><p>
|
||||
To affect a currently configured share, simply click on the pull down button between the
|
||||
<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
|
||||
select the share you wish to operate on, then to edit the settings click on the
|
||||
<span class="guibutton">Choose Share</span> button, to delete the share simply press the
|
||||
<span class="guibutton">Delete Share</span> button.
|
||||
</p><p>
|
||||
To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter
|
||||
into the text field the name of the share to be created, then click on the
|
||||
<span class="guibutton">Create Share</span> button.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003346"></a>Printers Settings</h3></div></div><div></div></div><p>
|
||||
To affect a currently configured printer, simply click on the pull down button between the
|
||||
<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
|
||||
select the printer you wish to operate on, then to edit the settings click on the
|
||||
<span class="guibutton">Choose Printer</span> button, to delete the share simply press the
|
||||
<span class="guibutton">Delete Printer</span> button.
|
||||
</p><p>
|
||||
To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter
|
||||
into the text field the name of the share to be created, then click on the
|
||||
<span class="guibutton">Create Printer</span> button.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003411"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
|
||||
The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
|
||||
to configure Samba with a minimum of effort.
|
||||
</p><p>
|
||||
The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
|
||||
This will also happen if you press the commit button. The two differ in the the rewrite button
|
||||
ignores any changes that may have been made, while the Commit button causes all changes to be
|
||||
affected.
|
||||
</p><p>
|
||||
The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
|
||||
options that may be necessary to create a working Samba server.
|
||||
</p><p>
|
||||
Finally, there are a limited set of options that will determine what type of server Samba
|
||||
will be configured for, whether it will be a WINS server, participate as a WINS client, or
|
||||
operate with no WINS support. By clicking on one button you can elect to expose (or not) user
|
||||
home directories.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003459"></a>The Status Page</h3></div></div><div></div></div><p>
|
||||
The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
|
||||
The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
|
||||
</p><p>
|
||||
The daemons may be controlled individually or as a total group. Additionally, you may set
|
||||
an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes
|
||||
will be continually spawned. The auto-refresh facility will allow you to track the changing
|
||||
conditions with minimal effort.
|
||||
</p><p>
|
||||
Lastly, the Status page may be used to terminate specific smbd client connections in order to
|
||||
free files that may be locked.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003511"></a>The View Page</h3></div></div><div></div></div><p>
|
||||
This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are
|
||||
particularly masochistic, will permit you also to see all possible global configuration
|
||||
parameters and their settings.
|
||||
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003534"></a>The Password Change Page</h3></div></div><div></div></div><p>
|
||||
The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation
|
||||
and reactivation of MS Windows networking users on the local machine. Alternatively, you can use
|
||||
this tool to change a local password for a user account.
|
||||
</p><p>
|
||||
When logged in as a non-root account the user will have to provide the old password as well as
|
||||
the new password (twice). When logged in as <span class="emphasis"><em>root</em></span> only the new password is
|
||||
required.
|
||||
</p><p>
|
||||
One popular use for this tool is to change user passwords across a range of remote MS Windows
|
||||
servers.
|
||||
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html>
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue
Block a user