1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Regenerate docs

(This used to be commit 85414c8780)
This commit is contained in:
Jelmer Vernooij 2003-08-13 03:57:48 +00:00
parent c41fad7647
commit cb6b82b5dc
20 changed files with 4146 additions and 12354 deletions

View File

@ -1,661 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2920239">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920364">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920382">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2917299">Managing Directories</a></dt><dt><a href="AccessControls.html#id2917394">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2917800">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2917828">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2918100">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2918346">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922930">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2923002">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923301">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923309">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923347">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923426">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923548">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923776">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923928">Interaction with the standard Samba create mask
parameters</a></dt><dt><a href="AccessControls.html#id2924258">Interaction with the standard Samba file attribute
mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924333">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924347">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924726">I have set force user and Samba still makes root the owner of all the files
I touch!</a></dt></dl></dd></dl></div><p>
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
resources shared via Samba do not behave in the manner they might expect. MS Windows network
administrators are often confused regarding network access controls and what is the best way to
provide users with the type of access they need while protecting resources from the consequences
of untoward access capabilities.
</p><p>
Unix administrators frequently are not familiar with the MS Windows environment and in particular
have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
and directory access permissions.
</p><p>
The problem lies in the differences in how file and directory permissions and controls work
between the two environments. This difference is one that Samba can not completely hide, even
though it does try to make the chasm transparent.
</p><p>
POSIX Access Control List technology has been available (along with Extended Attributes)
for Unix for many years, yet there is little evidence today of any significant use. This
explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
administrators are astounded at this given that ACLs were a foundational capability of the now
decade old MS Windows NT operating system.
</p><p>
The purpose of this chapter is to present each of the points of control that are possible with
Samba-3 in the hope that this will help the network administrator to find the optimum method
for delivering the best environment for MS Windows desktop users.
</p><p>
This is an opportune point to mention that it should be borne in mind that Samba was created to
provide a means of interoperability and interchange of data between two operating environments
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
What is available today extends well beyond early plans and expectations, yet the gap continues to
shrink.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920239"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba offers a lot of flexibility in file system access management. These are the key access control
facilities present in Samba today:
</p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
<span class="emphasis"><em>Unix File and Directory Permissions</em></span>
</p><p>
Samba honours and implements Unix file system access controls. Users
who access a Samba server will do so as a particular MS Windows user.
This information is passed to the Samba server as part of the logon or
connection setup process. Samba uses this user identity to validate
whether or not the user should be given access to file system resources
(files and directories). This chapter provides an overview for those
to whom the Unix permissions and controls are a little strange or unknown.
</p></li><li><p>
<span class="emphasis"><em>Samba Share Definitions</em></span>
</p><p>
In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file
the network administrator can exercise over-rides to native file
system permissions and behaviours. This can be handy and convenient
to affect behaviour that is more like what MS Windows NT users expect
but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
The basic options and techniques are described herein.
</p></li><li><p>
<span class="emphasis"><em>Samba Share ACLs</em></span>
</p><p>
Just like it is possible in MS Windows NT to set ACLs on shares
themselves, so it is possible to do this in Samba.
Very few people make use of this facility, yet it remains on of the
easiest ways to affect access controls (restrictions) and can often
do so with minimum invasiveness compared with other methods.
</p></li><li><p>
<span class="emphasis"><em>MS Windows ACLs through Unix POSIX ACLs</em></span>
</p><p>
The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying
operating system supports them. If not, then this option will not be
available to you. Current Unix technology platforms have native support
for POSIX ACLs. There are patches for the Linux kernel that provide
this also. Sadly, few Linux platforms ship today with native ACLs and
Extended Attributes enabled. This chapter has pertinent information
for users of platforms that support them.
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920364"></a>File System Access Controls</h2></div></div><div></div></div><p>
Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP
implement a totally divergent file system technology from what is provided in the Unix operating system
environment. Firstly we should consider what the most significant differences are, then we shall look
at how Samba helps to bridge the differences.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920382"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p>
Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions
and permissions. It also means that if the MS Windows networking environment requires file system
behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating
that in a transparent and consistent manner.
</p><p>
It is good news that Samba does this to a very large extent and on top of that provides a high degree
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
to depths of control ability should review the <tt class="filename">smb.conf</tt> man page.
</p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p>
MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
may be 1023 characters long. In MS Windows file extensions indicate particular file types,
in Unix this is not so rigorously observed as all names are considered arbitrary.
</p><p>
What MS Windows calls a Folder, Unix calls a directory,
</p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name
and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case
Insensitive.
</p><p>
Unix file and directory names are Case Sensitive and Case Preserving. Samba implements the
MS Windows file name behaviour, but it does so as a user application. The Unix file system
provides no mechanism to perform case insensitive file name lookups. MS Windows does this
by default. This means that Samba has to carry the processing overhead to provide features
that are NOT native to the Unix operating system environment.
</p><p>
Consider the following, all are unique Unix names but one single MS Windows file name:
<tt class="computeroutput">
MYFILE.TXT
MyFile.txt
myfile.txt
</tt>
So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix
they can. So what should Samba do if all three are present? Answer, the one that is lexically
first will be accessible to MS Windows users, the others are invisible and unaccessible - any
other solution would be suicidal.
</p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/'
as it's directory delimiter. This is transparently handled by Samba.
</p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent
disk partitions. Unix has NO concept if separate identifiers for file partitions since each
such file system is <tt class="filename">mounted</tt> to become part of the over-all directory tree.
The Unix directory tree begins at '/', just like the root of a DOS drive is specified like
<b class="command">C:\</b>.
</p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
MS Windows generally never experiences file names that begin with a '.', while in Unix these
are commonly found in a user's home directory. Files that begin with a '.' are typically
either start up files for various Unix applications, or they may be files that contain
start-up configuration data.
</p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
MS Windows make use of &quot;links and Short-Cuts&quot; that are actually special types of files that will
redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory
links, but they are entirely different from what MS Windows users are used to.
</p><p>
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
one physical file to be known simultaneously by more than one file name.
</p></dd></dl></div><p>
There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the
purpose of Unix/Linux training/education.
</p></div><div xmlns:ns30="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917299"></a>Managing Directories</h3></div></div><div></div></div><ns30:p>
There are three basic operations for managing directories, <b class="command">create, delete, rename</b>.
</ns30:p><div class="table"><a name="id2917317"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><ns30:p>
</ns30:p></div><div xmlns:ns31="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917394"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
The network administrator is strongly advised to read foundational training manuals and reference materials
regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
Attributes (EAs).
</p><ns31:p>
Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
A Unix file listing looks as follows:-
</ns31:p><pre class="screen">
<tt class="prompt">jht@frodo:~/stuff&gt; </tt><b class="userinput"><tt>ls -la</tt></b>
total 632
drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 ..
d--------- 2 jht users 48 2003-05-12 22:29 muchado00
d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01
dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02
drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03
drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04
d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05
dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06
drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07
drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08
---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst
---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst
--w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst
--wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst
-r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst
-r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst
-rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
-rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
<tt class="prompt">jht@frodo:~/stuff&gt;</tt>
</pre><ns31:p>
</ns31:p><p>
The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
</p><ns31:p>
The permissions field is made up of:
</ns31:p><pre class="programlisting">
<i><span class="comment"> JRV: Put this into a diagram of some sort</span></i>
[ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
[ d | l ] [ r w x ] [ r w x ] [ r w x ]
| | | | | | | | | | |
| | | | | | | | | | |-----&gt; Can Execute, List files
| | | | | | | | | |-------&gt; Can Write, Create files
| | | | | | | | |---------&gt; Can Read, Read files
| | | | | | | |---------------&gt; Can Execute, List files
| | | | | | |-----------------&gt; Can Write, Create files
| | | | | |-------------------&gt; Can Read, Read files
| | | | |-------------------------&gt; Can Execute, List files
| | | |---------------------------&gt; Can Write, Create files
| | |-----------------------------&gt; Can Read, Read files
| |-----------------------------------&gt; Is a symbolic Link
|---------------------------------------&gt; Is a directory
</pre><ns31:p>
</ns31:p><ns31:p>
Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
</ns31:p><div class="example"><a name="id2917721"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
-rwxr-x--- Means: The owner (user) can read, write, execute
the group can read and execute
everyone else can NOT do anything with it
</pre></div><ns31:p>
</ns31:p><p>
Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</p><p>
The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</p><p>
When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
directories, such as /tmp, that are world-writable.
</p><p>
When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that
all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
to be exclusively owned by a user who's primary group is not the group that all such users belong to.
</p><p>
When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because
the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
group members will be able to write to (or delete) them.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917800"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
The following parameters in the <tt class="filename">smb.conf</tt> file sections that define a share control or affect access controls.
Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917828"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
file system operations as if a single user is doing this, the use of the <i class="parameter"><tt>force user</tt></i> and
<i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to affect a
paranoia level of control to ensure that only particular authorised persons will be able to access a share or
it's contents, here the use of the <i class="parameter"><tt>valid users</tt></i> or the <i class="parameter"><tt>invalid users</tt></i> may
be most useful.
</p><p>
As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
if that person finds too great a mess, or if they do not understand what you have done then there is risk of
Samba being removed and an alternative solution being adopted.
</p><div class="table"><a name="id2917887"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p>
List of users who will be granted administrative privileges on the share.
They will do all file operations as the super-user (root).
Any user in this list will be able to do anything they like on the share,
irrespective of file permissions.
</p></td></tr><tr><td>force group</td><td><p>
Specifies a UNIX group name that will be assigned as the default primary group
for all users connecting to this service.
</p></td></tr><tr><td>force user</td><td><p>
Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
This is useful for sharing files. Incorrect use can cause security problems.
</p></td></tr><tr><td>guest ok</td><td><p>
If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
those of the guest account.
</p></td></tr><tr><td>invalid users</td><td><p>
List of users that should not be allowed to login to this service.
</p></td></tr><tr><td>only user</td><td><p>
Controls whether connections with usernames not in the user list will be allowed.
</p></td></tr><tr><td>read list</td><td><p>
List of users that are given read-only access to a service. Users in this list
will not be given write access, no matter what the read only option is set to.
</p></td></tr><tr><td>username</td><td><p>
Refer to the <tt class="filename">smb.conf</tt> man page for more information - this is a complex and potentially misused parameter.
</p></td></tr><tr><td>valid users</td><td><p>
List of users that should be allowed to login to this service.
</p></td></tr><tr><td>write list</td><td><p>
List of users that are given read-write access to a service.
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918100"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
The following file and directory permission based controls, if misused, can result in considerable difficulty to
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
re-introduce them in a controlled fashion.
</p><div class="table"><a name="id2918120"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p>
Refer to the <tt class="filename">smb.conf</tt> man page.
</p></td></tr><tr><td>directory mask</td><td><p>
The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
See also: directory security mask.
</p></td></tr><tr><td>dos filemode</td><td><p>
Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
</p></td></tr><tr><td>force create mode</td><td><p>
This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
</p></td></tr><tr><td>force directory mode</td><td><p>
This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
</p></td></tr><tr><td>force directory security mode</td><td><p>
Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory
</p></td></tr><tr><td>force security mode</td><td><p>
Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
</p></td></tr><tr><td>hide unreadable</td><td><p>
Prevents clients from seeing the existence of files that cannot be read.
</p></td></tr><tr><td>hide unwriteable files</td><td><p>
Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
</p></td></tr><tr><td>nt acl support</td><td><p>
This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
</p></td></tr><tr><td>security mask</td><td><p>
Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
</p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918346"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
The following are documented because of the prevalence of administrators creating inadvertant barriers to file
access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings.
</p><div class="table"><a name="id2918367"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p>
This means that all file name lookup will be done in a case sensitive manner.
Files will be created with the precise filename Samba received from the MS Windows client.
</p></td></tr><tr><td>csc policy</td><td><p>
Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
</p></td></tr><tr><td>dont descend</td><td><p>
Allows to specify a comma-delimited list of directories that the server should always show as empty.
</p></td></tr><tr><td>dos filetime resolution</td><td><p>
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
</p></td></tr><tr><td>dos filetimes</td><td><p>
DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this.
This options allows DOS and Windows behaviour.
</p></td></tr><tr><td>fake oplocks</td><td><p>
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
</p></td></tr><tr><td>hide dot files, hide files, veto files</td><td><p>
Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
</p></td></tr><tr><td>read only</td><td><p>
If this parameter is yes, then users of a service may not create or modify files in the service's directory.
</p></td></tr><tr><td>veto files</td><td><p>
List of files and directories that are neither visible nor accessible.
</p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922930"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
This section deals with how to configure Samba per share access control restrictions.
By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read).
</p><p>
At this time Samba does NOT provide a tool for configuring access control setting on the Share
itself. Samba does have the capacity to store and act on access control settings, but the only
way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
Computer Management.
</p><p>
Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
The location of this file on your system will depend on how samba was compiled. The default location
for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
utility has been compiled and installed on your system, then you can examine the contents of this file
by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923002"></a>Share Permissions Management</h3></div></div><div></div></div><p>
The best tool for the task is platform dependant. Choose the best tool for your environment.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923015"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
</p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p>
Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer, then from the menu
select <span class="guimenu">Computer</span>, then click on the <span class="guimenuitem">Shared Directories</span> entry.
</p></li><li><p>
Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on
the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923098"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
Windows NT4/200x permission allows <span class="emphasis"><em>Everyone</em></span> Full Control on the Share.
</p><p>
MS Windows 200x and later all comes with a tool called the <span class="application">Computer Management</span> snap-in for the
Microsoft Management Console (MMC). This tool is located by clicking on <tt class="filename">Control Panel -&gt;
Administrative Tools -&gt; Computer Management</tt>.
</p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p>
After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>,
select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilege this step is not offered.
</p></li><li><p>
If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target
Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to
<span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the
left panel.
</p></li><li><p>
Now in the right panel, double-click on the share you wish to set access control permissions on.
Then click on the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
wish to assign for each entry.
</p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user
then effectively no user will be able to access the share. This is a result of what is known as
ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group
<tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access.
</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923301"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923309"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings
dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise
the security of the UNIX host Samba is running on, and
still obeys all the file permission rules that a Samba
administrator can set.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
All access to Unix/Linux system file via Samba is controlled at
the operating system file access control level. When trying to
figure out file access problems it is vitally important to identify
the identity of the Windows user as it is presented by Samba at
the point of file access. This can best be determined from the
Samba log files.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923347"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <span class="guilabel">Properties</span> entry at the bottom of
the menu. This brings up the file properties dialog
box. Click on the tab <span class="guilabel">Security</span> and you
will see three buttons, <span class="guibutton">Permissions</span>,
<span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>.
The <span class="guibutton">Auditing</span> button will cause either
an error message <span class="errorname">A requested privilege is not held
by the client</span> to appear if the user is not the
NT Administrator, or a dialog which is intended to allow an
Administrator to add auditing requirements to a file if the
user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only
useful button, the <span class="guibutton">Add</span> button will not currently
allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923426"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button
brings up a dialog box telling you who owns the given file. The
owner name will be of the form :</p><p><b class="command">&quot;SERVER\user (Long name)&quot;</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database). Click on the
<span class="guibutton">Close </span> button to remove this dialog.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
is set to <tt class="constant">false</tt> then the file owner will
be shown as the NT user <tt class="constant">&quot;Everyone&quot;</tt>.</p><p>The <span class="guibutton">Take Ownership</span> button will not allow
you to change the ownership of this file to yourself (clicking on
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
for this is that changing the ownership of a file is a privileged
operation in UNIX, available only to the <span class="emphasis"><em>root</em></span>
user. As clicking on this button causes NT to attempt to change
the ownership of a file to the current user logged into the NT
client this will not work with Samba at this time.</p><p>There is an NT chown command that will work with Samba
and allow a user with Administrator privilege connected
to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <span class="application">Seclib
</span> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923548"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span>
button. Clicking on this brings up a dialog box that shows both
the permissions and the UNIX owner of the file or directory.
The owner is displayed in the form :</p><p><b class="command">&quot;<i class="replaceable"><tt>SERVER</tt></i>\
<i class="replaceable"><tt>user</tt></i>
<i class="replaceable"><tt>(Long name)</tt></i>&quot;</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
is the descriptive string identifying the user (normally found in the
GECOS field of the UNIX password database).</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
is set to <tt class="constant">false</tt> then the file owner will
be shown as the NT user <tt class="constant">&quot;Everyone&quot;</tt> and the
permissions will be shown as NT &quot;Full Control&quot;.</p><p>The permissions field is displayed differently for files
and directories, so I'll describe the way file permissions
are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923639"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and
the corresponding &quot;read&quot;, &quot;write&quot;, &quot;execute&quot; permissions
triplets are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <tt class="constant">Everyone</tt>, followed
by the list of permissions allowed for UNIX world. The UNIX
owner and group permissions are displayed as an NT
<span class="guiicon">user</span> icon and an NT <span class="guiicon">local
group</span> icon respectively followed by the list
of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common
NT names such as <tt class="constant">read</tt>, <tt class="constant">
&quot;change&quot;</tt> or <tt class="constant">full control</tt> then
usually the permissions will be prefixed by the words <tt class="constant">
&quot;Special Access&quot;</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed
for a particular UNIX user group or world component ? In order
to allow &quot;no permissions&quot; to be seen and modified then Samba
overloads the NT <b class="command">&quot;Take Ownership&quot;</b> ACL attribute
(which has no meaning in UNIX) and reports a component with
no permissions as having the NT <b class="command">&quot;O&quot;</b> bit set.
This was chosen of course to make it look like a zero, meaning
zero permissions. More details on the decision behind this will
be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923731"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
different sets of permissions. The first set of permissions
is the ACL set on the directory itself, this is usually displayed
in the first set of parentheses in the normal <tt class="constant">&quot;RW&quot;</tt>
NT style. This first set of permissions is created by Samba in
exactly the same way as normal file permissions are, described
above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning
in the UNIX permissions world and represents the <tt class="constant">
inherited</tt> permissions that any file created within
this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by
returning as an NT ACL the UNIX permission mode that a new file
created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923776"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
as changing the displayed permissions in the dialog box, and
clicking the <span class="guibutton">OK</span> button. However, there are
limitations that a user needs to be aware of, and also interactions
with the standard Samba permission masks and mapping of DOS
attributes that need to also be taken into account.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
is set to <tt class="constant">false</tt> then any attempt to set
security permissions will fail with an <span class="errorname">&quot;Access Denied&quot;
</span> message.</p><p>The first thing to note is that the <span class="guibutton">&quot;Add&quot;</span>
button will not return a list of users in Samba (it will give
an error message of <span class="errorname">The remote procedure call failed
and did not execute</span>). This means that you can only
manipulate the current user/group/world permissions listed in
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <span class="guibutton">OK</span> button is pressed it will
be applied as &quot;no permissions&quot; on the UNIX side. If you then
view the permissions again the &quot;no permissions&quot; entry will appear
as the NT <b class="command">&quot;O&quot;</b> flag, as described above. This
allows you to add permissions back to a file or directory once
you have removed them from a triplet component.</p><p>As UNIX supports only the &quot;r&quot;, &quot;w&quot; and &quot;x&quot; bits of
an NT ACL then if other NT security attributes such as &quot;Delete
access&quot; are selected then they will be ignored when applied on
the Samba server.</p><p>When setting permissions on a directory the second
set of permissions (in the second set of parentheses) is
by default applied to all files within that directory. If this
is not what you want you must uncheck the <span class="guilabel">Replace
permissions on existing files</span> checkbox in the NT
dialog before clicking <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a
user/group/world component then you may either highlight the
component and click the <span class="guibutton">Remove</span> button,
or set the component to only have the special <tt class="constant">Take
Ownership</tt> permission (displayed as <b class="command">&quot;O&quot;
</b>) highlighted.</p></div><div xmlns:ns32="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923928"></a>Interaction with the standard Samba create mask
parameters</h3></div></div><div></div></div><ns32:p>There are four parameters
to control interaction with the standard Samba create mask parameters.
These are :
</ns32:p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><ns32:p>
</ns32:p><p>Once a user clicks <span class="guibutton">OK</span> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triplet set, and then will check the changed permissions for a
file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top">
<i class="parameter"><tt>security mask</tt></i></a> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
in the file permissions.</p><p>Essentially, zero bits in the <i class="parameter"><tt>security mask</tt></i>
mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
allowed to change, and one bits are those the user is allowed to change.
</p><p>If not set explicitly this parameter is set to the same value as
the <a href="smb.conf.5.html#CREATEMASK" target="_top"><i class="parameter"><tt>create mask
</tt></i></a> parameter. To allow a user to modify all the
user/group/world permissions on a file, set this parameter
to 0777.</p><p>Next Samba checks the changed permissions for a file against
the bits set in the <a href="smb.conf.5.html#FORCESECURITYMODE" target="_top">
<i class="parameter"><tt>force security mode</tt></i></a> parameter. Any bits
that were changed that correspond to bits set to '1' in this parameter
are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode
</tt></i> parameter may be treated as a set of bits that, when
modifying security on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to the same value
as the <a href="smb.conf.5.html#FORCECREATEMODE" target="_top"><i class="parameter"><tt>force
create mode</tt></i></a> parameter.
To allow a user to modify all the user/group/world permissions on a file
with no restrictions set this parameter to 000.</p><p>The <i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force
security mode</tt></i> parameters are applied to the change
request in that order.</p><p>For a directory Samba will perform the same operations as
described above for a file except using the parameter <i class="parameter"><tt>
directory security mask</tt></i> instead of <i class="parameter"><tt>security
mask</tt></i>, and <i class="parameter"><tt>force directory security mode
</tt></i> parameter instead of <i class="parameter"><tt>force security mode
</tt></i>.</p><p>The <i class="parameter"><tt>directory security mask</tt></i> parameter
by default is set to the same value as the <i class="parameter"><tt>directory mask
</tt></i> parameter and the <i class="parameter"><tt>force directory security
mode</tt></i> parameter by default is set to the same value as
the <i class="parameter"><tt>force directory mode</tt></i> parameter. </p><p>In this way Samba enforces the permission restrictions that
an administrator can set on a Samba share, whilst still allowing users
to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control
in modifying the permission bits on their files and directories and
doesn't force any particular bits to be set 'on', then set the following
parameters in the <tt class="filename">smb.conf</tt> file in that share specific section :
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924258"></a>Interaction with the standard Samba file attribute
mapping</h3></div></div><div></div></div><p>Samba maps some of the DOS attribute bits (such as &quot;read
only&quot;) into the UNIX permissions of a file. This means there can
be a conflict between the permission bits set via the security
dialog and the permission bits set by the file attribute mapping.
</p><p>One way this can show up is if a file has no UNIX read access
for the owner it will show up as &quot;read only&quot; in the standard
file attributes tabbed dialog. Unfortunately this dialog is
the same one that contains the security info in another tab.</p><p>What this can mean is that if the owner changes the permissions
to allow themselves read access using the security dialog, clicks
<span class="guibutton">OK</span> to get back to the standard attributes tab
dialog, and then clicks <span class="guibutton">OK</span> on that dialog, then
NT will set the file permissions back to read-only (as that is what
the attributes still say in the dialog). This means that after setting
permissions and clicking <span class="guibutton">OK</span> to get back to the
attributes dialog you should always hit <span class="guibutton">Cancel</span>
rather than <span class="guibutton">OK</span> to ensure that your changes
are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924333"></a>Common Errors</h2></div></div><div></div></div><p>
File, Directory and Share access problems are very common on the mailing list. The following
are examples taken from the mailing list in recent times.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924347"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
and there's a public share, on which everyone needs to have permission to create / modify files, but only
root can change the file, no one else can. We need to constantly go to server to
<b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file.
</span>&#8221;
</p><p>
There are many ways to solve this problem, here are a few hints:
</p><div class="procedure"><p class="title"><b>Procedure 13.3. Example Solution:</b></p><ol type="1"><li><p>
Go to the top of the directory that is shared
</p></li><li xmlns:ns33=""><ns33:p>
Set the ownership to what ever public owner and group you want
</ns33:p><pre class="programlisting">
find 'directory_name' -type d -exec chown user.group {}\;
find 'directory_name' -type d -exec chmod 6775 'directory_name'
find 'directory_name' -type f -exec chmod 0775 {} \;
find 'directory_name' -type f -exec chown user.group {}\;
</pre><ns33:p>
</ns33:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above will set the 'sticky bit' on all directories. Read your
Unix/Linux man page on what that does. It causes the OS to assign
to all files created in the directories the ownership of the
directory.
</p></div></li><li xmlns:ns34=""><ns34:p>
Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
</ns34:p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
</pre><ns34:p>
</ns34:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><ns34:p>
</ns34:p><p>This is the same as doing:</p><ns34:p>
</ns34:p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
</pre><ns34:p>
</ns34:p></div></li><li xmlns:ns35=""><ns35:p>Now do:
</ns35:p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
</pre><ns35:p>
</ns35:p><ns35:p>You should see:
</ns35:p><pre class="screen">
drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
</pre><ns35:p>
</ns35:p></li><li xmlns:ns36=""><ns36:p>Now do:
</ns36:p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
</pre><ns36:p>
</ns36:p><ns36:p>
You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
and permissions of Jack, as follows:
</ns36:p><pre class="screen">
-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
</pre><ns36:p>
</ns36:p></li><li xmlns:ns37=""><ns37:p>
Now in your <tt class="filename">smb.conf</tt> for the share add:
</ns37:p><pre class="programlisting">
force create mode = 0775
force directory mode = 6775
</pre><ns37:p>
</ns37:p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group
you have used. ie: Within the OS do not have write permission on the directory.
</p></div><ns37:p>
An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
</ns37:p><pre class="programlisting">
force user = jack
force group = engr
</pre><ns37:p>
</ns37:p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924726"></a>I have set force user and Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files
I touch!</h3></div></div><div></div></div><p>
When you have a user in 'admin users', Samba will always do file operations for
this user as <span class="emphasis"><em>root</em></span>, even if <i class="parameter"><tt>force user</tt></i> has been set.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Mapping MS Windows and Unix Groups </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html>

View File

@ -1,225 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2982630">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2982661">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2981342">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2981359">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2981560">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2981755">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2981788">Common Errors</a></dt></dl></div><p>
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982630"></a>Features and Benefits</h2></div></div><div></div></div><p>
Often the difference between a working network environment and a well appreciated one can
best be measured by the <span class="emphasis"><em>little things</em></span> that makes everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, to remotely access the Samba server, to provide customised
logon scripts, as well as other house keeping activities that help to sustain more reliable
network operations.
</p><p>
This chapter presents information on each of these area. They are placed here, and not in
other chapters, for ease of reference.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982661"></a>Remote Server Administration</h2></div></div><div></div></div><p>
<span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span>
</p><p>
Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains',
the 'Server Manager'?
</p><p>
Microsoft distributes a version of these tools called nexus for installation
on <span class="application">Windows 9x / Me</span> systems. The tools set includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Server Manager</td></tr><tr><td>User Manager for Domains</td></tr><tr><td>Event Viewer</td></tr></table><p>
Click here to download the archived file <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</a>
</p><p>
The <span class="application">Windows NT 4.0</span> version of the 'User Manager for
Domains' and 'Server Manager' are available from Microsoft via ftp
from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981342"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solutions is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
</p><div xmlns:ns78="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981359"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
It is presented in slightly edited form (with author details omitted for privacy reasons).
The entire answer is reproduced below with some comments removed.
</p><ns78:p>
</ns78:p><pre class="screen">
&gt; I have a wonderful linux/samba server running as PDC for a network.
&gt; Now I would like to add remote desktop capabilities so that
&gt; users outside could login to the system and get their desktop up from
&gt; home or another country..
&gt;
&gt; Is there a way to accomplish this? Do I need a windows terminal server?
&gt; Do I need to configure it so that it is a member of the domain or a
&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
&gt; even if the computer is in a domain?
&gt;
&gt; Any ideas/experience would be appreciated :)
</pre><ns78:p>
</ns78:p><p>
Answer provided: Check out the new offer from NoMachine, &quot;NX&quot; software:
<a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>.
</p><p>
It implements a very easy-to-use interface to the remote X protocol as
well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
performance much better than anything you may have ever seen...
</p><p>
Remote X is not new at all -- but what they did achieve successfully is
a new way of compression and caching technologies which makes the thing
fast enough to run even over slow modem/ISDN connections.
</p><p>
I could test drive their (public) RedHat machine in Italy, over a loaded
internet connection, with enabled thumbnail previews in KDE konqueror
which popped up immediately on &quot;mouse-over&quot;. From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
To test the performance, I played Pinball. I am proud to announce here
that my score was 631750 points at first try...
</p><p>
NX performs better on my local LAN than any of the other &quot;pure&quot;
connection methods I am using from time to time: TightVNC, rdesktop or
remote X. It is even faster than a direct crosslink connection between
two nodes.
</p><p>
I even got sound playing from the remote X app to my local boxes, and
had a working &quot;copy'n'paste&quot; from an NX window (running a KDE session
in Italy) to my Mozilla mailing agent... These guys are certainly doing
something right!
</p><p>
I recommend to test drive NX to anybody with a only a remote interest
in remote computing
<a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>.
</p><p>
Just download the free of charge client software (available for RedHat,
SuSE, Debian and Windows) and be up and running within 5 minutes (they
need to send you your account data, though, because you are assigned
a real Unix account on their testdrive.nomachine.com box...
</p><p>
They plan to get to the point were you can have NX application servers
running as a cluster of nodes, and users simply start an NX session locally,
and can select applications to run transparently (apps may even run on
another NX node, but pretend to be on the same as used for initial login,
because it displays in the same window.... well, you also can run it
fullscreen, and after a short time you forget that it is a remote session
at all).
</p><p>
Now the best thing at the end: all the core compression and caching
technologies are released under the GPL and available as source code
to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running....)
</p><p>
To answer your questions:
</p><div class="itemizedlist"><ul type="disc"><li><p>
You don't need to install a terminal server; XP has RDP support built in.
</p></li><li><p>
NX is much cheaper than Citrix -- and comparable in performance, probably faster
</p></li><li><p>
You don't need to hack XP -- it just works
</p></li><li><p>
You log into the XP box from remote transparently (and I think there is no
need to change anything to get a connection, even if authentication is against a domain)
</p></li><li><p>
The NX core technologies are all Open Source and released under the GPL --
you can today use a (very inconvenient) commandline to use it at no cost,
but you can buy a comfortable (proprietary) NX GUI frontend for money
</p></li><li><p>
NoMachine are encouraging and offering help to OSS/Free Software implementations
for such a frontend too, even if it means competition to them (they have written
to this effect even to the LTSP, KDE and GNOME developer mailing lists)
</p></li></ul></div></div></div><div xmlns:ns79="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981560"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
This section needs work. Volunteer contributions most welcome. Please send your patches or updates
to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>.
</p><p>
There are several opportunities for creating a custom network startup configuration environment.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</td></tr><tr><td>User of a tool such as KixStart</td></tr></table><p>
The Samba source code tree includes two logon script generation/execution tools.
See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and
<tt class="filename">ntlogon</tt> subdirectories.
</p><p>
The following listings are from the genlogon directory.
</p><ns79:p>
This is the <tt class="filename">genlogon.pl</tt> file:
</ns79:p><pre class="programlisting">
#!/usr/bin/perl
#
# genlogon.pl
#
# Perl script to generate user logon scripts on the fly, when users
# connect from a Windows client. This script should be called from smb.conf
# with the %U, %G and %L parameters. I.e:
#
# root preexec = genlogon.pl %U %G %L
#
# The script generated will perform
# the following:
#
# 1. Log the user connection to /var/log/samba/netlogon.log
# 2. Set the PC's time to the Linux server time (which is maintained
# daily to the National Institute of Standard's Atomic clock on the
# internet.
# 3. Connect the user's home drive to H: (H for Home).
# 4. Connect common drives that everyone uses.
# 5. Connect group-specific drives for certain user groups.
# 6. Connect user-specific drives for certain users.
# 7. Connect network printers.
# Log client connection
#($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
open LOG, &quot;&gt;&gt;/var/log/samba/netlogon.log&quot;;
print LOG &quot;$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n&quot;;
close LOG;
# Start generating logon script
open LOGON, &quot;&gt;/shared/netlogon/$ARGV[0].bat&quot;;
print LOGON &quot;\@ECHO OFF\r\n&quot;;
# Connect shares just use by Software Development group
if ($ARGV[1] eq &quot;SOFTDEV&quot; || $ARGV[0] eq &quot;softdev&quot;)
{
print LOGON &quot;NET USE M: \\\\$ARGV[2]\\SOURCE\r\n&quot;;
}
# Connect shares just use by Technical Support staff
if ($ARGV[1] eq &quot;SUPPORT&quot; || $ARGV[0] eq &quot;support&quot;)
{
print LOGON &quot;NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n&quot;;
}
# Connect shares just used by Administration staff
If ($ARGV[1] eq &quot;ADMIN&quot; || $ARGV[0] eq &quot;admin&quot;)
{
print LOGON &quot;NET USE L: \\\\$ARGV[2]\\ADMIN\r\n&quot;;
print LOGON &quot;NET USE K: \\\\$ARGV[2]\\MKTING\r\n&quot;;
}
# Now connect Printers. We handle just two or three users a little
# differently, because they are the exceptions that have desktop
# printers on LPT1: - all other user's go to the LaserJet on the
# server.
if ($ARGV[0] eq 'jim'
|| $ARGV[0] eq 'yvonne')
{
print LOGON &quot;NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n&quot;;
print LOGON &quot;NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n&quot;;
}
else
{
print LOGON &quot;NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n&quot;;
print LOGON &quot;NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n&quot;;
}
# All done! Close the output file.
close LOGON;
</pre><ns79:p>
</ns79:p><p>
Those wishing to use more elaborate or capable logon processing system should check out the following sites:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981755"></a>Adding printers without user intervention</h3></div></div><div></div></div><ns79:p>
Printers may be added automatically during logon script processing through the use of:
</ns79:p><pre class="programlisting">
rundll32 printui.dll,PrintUIEntry /?
</pre><ns79:p>
See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>.
</ns79:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2981788"></a>Common Errors</h2></div></div><div></div></div><p>
The information provided in this chapter has been reproduced from postings on the samba@samba.org
mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
their own evaluation of alternatives and are encouraged to draw their own conclusions.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Integrated Logon Support using Winbind </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. System and Account Policies</td></tr></table></div></body></html>

View File

@ -1,5 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. <a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3008244">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3008251">Introduction</a></dt><dt><a href="compiling.html#id3008280">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3009749">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3009796">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3009932">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3010069">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3010964">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3011056">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3011260">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3011355">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3012634">HPUX</a></dt><dt><a href="Portability.html#id3012719">SCO Unix</a></dt><dt><a href="Portability.html#id3012747">DNIX</a></dt><dt><a href="Portability.html#id3012917">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3012960">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3012967">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3012993">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3013000">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013776">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3013848">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013855">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3013471">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3013530">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013628">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013090">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3013179">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3013210">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3013255">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3013285">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3013303">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013349">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3014379">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3014403">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3014514">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3016725">Comparisons</a></dt><dt><a href="speed.html#id3014565">Socket options</a></dt><dt><a href="speed.html#id3014636">Read size</a></dt><dt><a href="speed.html#id3014680">Max xmit</a></dt><dt><a href="speed.html#id3014732">Log level</a></dt><dt><a href="speed.html#id3014755">Read raw</a></dt><dt><a href="speed.html#id3014811">Write raw</a></dt><dt><a href="speed.html#id3014853">Slow Logins</a></dt><dt><a href="speed.html#id3015761">Client tuning</a></dt><dt><a href="speed.html#id3015784">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3015817">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3016535">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3015954">Websites</a></dt><dt><a href="Further-Resources.html#id3016336">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3016404">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html>

View File

@ -1,14 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id2999976">Note</a></dt><dt><a href="Backup.html#id2999997">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999976"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
If you have something to contribute for this section please email it to
<a href="">jht@samba.org</a>/
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2999997"></a>Features and Benefits</h2></div></div><div></div></div><p>
We need feedback from people who are backing up samba servers.
We would like to know what software tools you are using to backup
your samba server/s.
</p><p>
In particular, if you have any success and / or failure stories you could
share with other users this would be appreciated.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. High Availability Options</td></tr></table></div></body></html>

File diff suppressed because it is too large Load Diff

View File

@ -1,5 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901302">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901302"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-Alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>

View File

@ -1,5 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3016535">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016535"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html>

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886380">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886380"></a>Note</h2></div></div><div></div></div><p>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2884787">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884787"></a>Note</h2></div></div><div></div></div><p>
This chapter did not make it into this release.
It is planned for the published release of this document.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>

View File

@ -1,101 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3015954">Websites</a></dt><dt><a href="Further-Resources.html#id3016336">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3016404">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015954"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top">
<span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by &quot;Hobbit&quot;</a>
</p></li><li><p>
<a href="http://afr.com/it/2002/10/01/FFXDF43AP6D.html" target="_top">
<span class="emphasis"><em>Doing the Samba on Windows</em></span> by Financial Review
</a>
</p></li><li><p>
<a href="http://ubiqx.org/cifs/" target="_top">
<span class="emphasis"><em>Implementing CIFS</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://samba.anu.edu.au/cifs/docs/what-is-smb.html" target="_top">
<span class="emphasis"><em>Just What Is SMB?</em></span> by Richard Sharpe
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/1999-05/samba_01.html" target="_top">
<span class="emphasis"><em>Opening Windows Everywhere</em></span> by Mike Warfield
</a>
</p></li><li><p>
<a href="http://www.tldp.org/HOWTO/SMB-HOWTO.html" target="_top">
<span class="emphasis"><em>SMB HOWTO</em></span> by David Wood
</a>
</p></li><li><p>
<a href="http://www.phrack.org/phrack/60/p60-0x0b.txt" target="_top">
<span class="emphasis"><em>SMB/CIFS by The Root</em></span> by &quot;ledin&quot;
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/1999-09/samba_01.html" target="_top">
<span class="emphasis"><em>The Story of Samba</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://hr.uoregon.edu/davidrl/samba/" target="_top">
<span class="emphasis"><em>The Unofficial Samba HOWTO</em></span> by David Lechnyr
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span> by Christopher R. Hertel
</a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2002-02/samba_01.html" target="_top">
<span class="emphasis"><em>Using Samba as a PDC</em></span> by Andrew Bartlett
</a>
</p></li><li><p>
<a href="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf" target="_top">
<span class="emphasis"><em>PDF version of the Troubleshooting Techniques chapter</em></span>
from the second edition of Sam's Teach Yourself Samba in 24 Hours
(publishing date of Dec. 12, 2001)</a>
</p></li><li><p>
<a href="http://ru.samba.org/samba/ftp/slides/" target="_top">
<span class="emphasis"><em>Slide presentations</em></span> by Samba Team members
</a>
</p></li><li><p>
<a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top">
<span class="emphasis"><em>Introduction to Samba 3.0</em></span> by Motonobu Takahashi
(written in Japanese). </a>
</p></li><li><p>
<a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
<span class="emphasis"><em>Understanding the Network Neighborhood</em></span>, by team member
Chris Hertel. This article appeared in the May 2001 issue of
Linux Magazine.
</a>
</p></li><li><p>
<a href="ftp://ftp.stratus.com/pub/vos/customers/samba/" target="_top">
<span class="emphasis"><em>Samba 2.0.x Troubleshooting guide</em></span> from Paul Green
</a>
</p></li><li><p>
<a href="http://samba.org/samba/docs/10years.html" target="_top">
<span class="emphasis"><em>Ten Years of Samba</em></span>
</a>
</p></li><li><p>
<a href="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html" target="_top">
<span class="emphasis"><em>Samba Authenticated Gateway HOWTO</em></span>
</a>
</p></li><li><p>
<a href="http://samba.org/samba/docs/SambaIntro.html" target="_top">
<span class="emphasis"><em>An Introduction to Samba</em></span>
</a>
</p></li><li><p>
<a href="http://www.samba.org/cifs/" target="_top">
<span class="emphasis"><em>What is CIFS?</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager
Security</em></span> at Microsoft Knowledge Base
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016336"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
<span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows '95 File Sharing Updates</em></span>
</a>
</p></li><li><p>
<a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
<span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span>
</a>
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016404"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>

View File

@ -1,176 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2929505">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2929534">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2929617">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2929629">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2931604">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2931642">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2931669">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2931795">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2929173">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2929188">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p>
Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
adopt Active Directory or an LDAP based authentication back end. This section explains
some background information regarding trust relationships and how to create them. It is now
possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929505"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
trust relationships. This imparts to Samba similar scalability as is possible with
MS Windows NT4.
</p><p>
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts simply because by the very nature of how this works it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929534"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
The limitations of this architecture as it affects the scalability of MS Windows networking
in large organisations is well known. Additionally, the flat-name space that results from
this design significantly impacts the delegation of administrative responsibilities in
large and diverse organisations.
</p><p>
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
of circumventing the limitations of the older technologies. Not every organisation is ready
or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
is quite adequate, there thus remains an entrenched user base for whom there is no direct
desire to go through a disruptive change to adopt ADS.
</p><p>
Microsoft introduced with MS Windows NT the ability to allow differing security domains
to affect a mechanism so that users from one domain may be given access rights and privileges
in another domain. The language that describes this capability is couched in terms of
<span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
from another domain. The domain from which users are available to another security domain is
said to be a trusted domain. The domain in which those users have assigned rights and privileges
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
thus if users in both domains are to have privileges and rights in each others' domain, then it is
necessary to establish two (2) relationships, one in each direction.
</p><p>
In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
transitive.
</p><p>
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
style Interdomain trusts and interoperates with MS Windows 200x ADS
security domains in similar manner to MS Windows NT4 style domains.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929617"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
There are two steps to creating an interdomain trust relationship.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929629"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p>
For MS Windows NT4, all domain trust relationships are configured using the
<span class="application">Domain User Manager</span>. To affect a two way trust relationship it is
necessary for each domain administrator to make available (for use by an external domain) it's
security resources. This is done from the Domain User Manager Policies entry on the menu bar.
From the <span class="guimenu">Policy</span> menu, select <span class="guimenuitem">Trust Relationships</span>, then
next to the lower box that is labelled <span class="guilabel">Permitted to Trust this Domain</span> are two
buttons, <span class="guibutton">Add</span> and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span>
button will open a panel in which needs to be entered the remote domain that will be able to assign
user rights to your domain. In addition it is necessary to enter a password
that is specific to this trust relationship. The password needs to be
typed twice (for standard confirmation).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931604"></a>NT4 as the Trusted Domain (ie. creating trusted account's password)</h3></div></div><div></div></div><p>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
<span class="guibutton">Add</span> button that is next to the box that is labelled
<span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote
domain as well as the password assigned to that trust.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931642"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
This description is meant to be a fairly short introduction about how to set up a Samba server so
that it could participate in interdomain trust relationships. Trust relationship support in Samba
is in its early stage, so lot of things don't work yet.
</p><p>
Each of the procedures described below is treated as they were performed with Windows NT4 Server on
one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
reading this document, that combining Samba-specific parts of what's written below leads to trust
between domains in purely Samba environment.
</p><div xmlns:ns44="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931669"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p>
In order to set the Samba PDC to be the trusted party of the relationship first you need
to create special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</p><ns44:p>
</ns44:p><pre class="screen">
<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
</pre><ns44:p>
where <tt class="option">-a</tt> means to add a new account into the
passdb database and <tt class="option">-i</tt> means: ''create this
account with the InterDomain trust flag''
</ns44:p><p>
The account name will be 'rumba$' (the name of the remote domain)
</p><p>
After issuing this command you'll be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the standard way depending on your configuration) and see that account's name is
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</p><p>
Open <span class="application">User Manager for Domains</span> and from menu
<span class="guimenu">Policies</span> select <span class="guimenuitem">Trust Relationships...</span>.
Right beside <span class="guilabel">Trusted domains</span> list box press the
<span class="guimenu">Add...</span> button. You will be prompted for
the trusted domain name and the relationship password. Type in SAMBA, as this is
your domain name, and the password used at the time of account creation.
Press OK and, if everything went without incident, you will see
<tt class="computeroutput">Trusted domain relationship successfully
established</tt> message.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931795"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p>
This time activities are somewhat reversed. Again, we'll assume that your domain
controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
</p><p>
The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.
</p><p>
Launch the <span class="application">Domain User Manager</span>, then from the menu select
<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
Now, next to <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span>
button, and type in the name of the trusted domain (SAMBA) and password securing
the relationship.
</p><p>
The password can be arbitrarily chosen. It is easy to change the password
from the Samba server whenever you want. After confirming the password your account is
ready for use. Now it's Samba's turn.
</p><p>
Using your favourite shell while being logged in as root, issue this command:
</p><p>
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b>
</p><p>
You will be prompted for the password you just typed on your Windows NT4 Server box.
Do not worry if you see an error message that mentions a returned code of
<span class="errorname">NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</span>. It means the
password you gave is correct and the NT4 Server says the account is
ready for interdomain connection and not for ordinary
connection. After that, be patient it can take a while (especially
in large networks), you should see the <tt class="computeroutput">Success</tt> message.
Congratulations! Your trust relationship has just been established.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Note that you have to run this command as root because you must have write access to
the <tt class="filename">secrets.tdb</tt> file.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929173"></a>Common Errors</h2></div></div><div></div></div><p>
Interdomain trust relationships should NOT be attempted on networks that are unstable
or that suffer regular outages. Network stability and integrity are key concerns with
distributed trusted domains.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929188"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p>
Like many, I administer multiple LANs connected together using NT trust
relationships. This was implemented about 4 years ago. I now have the
occasion to consider performing this same task again, but this time, I
would like to implement it solely through samba - no Microsoft PDCs
anywhere.
</p><p>
I have read documentation on samba.org regarding NT-style trust
relationships and am now wondering, can I do what I want to? I already
have successfully implemented 2 samba servers, but they are not PDCs.
They merely act as file servers. I seem to remember, and it appears to
be true (according to samba.org) that trust relationships are a
challenge.
</p><p>
Please provide any helpful feedback that you may have.
</p><p>
These are almost complete in Samba 3.0 snapshots. The main catch
is getting winbindd to be able to allocate UID/GIDs for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html>

View File

@ -1,5 +1,4 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885266">Background</a></dt><dt><a href="IntroSMB.html#id2885320">Terminology</a></dt><dt><a href="IntroSMB.html#id2884044">Related Projects</a></dt><dt><a href="IntroSMB.html#id2884112">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2884199">Epilogue</a></dt><dt><a href="IntroSMB.html#id2884272">Miscellaneous</a></dt></dl></div><p>&#8220;<span class="quote">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2817919">Background</a></dt><dt><a href="IntroSMB.html#id2817978">Terminology</a></dt><dt><a href="IntroSMB.html#id2818169">Related Projects</a></dt><dt><a href="IntroSMB.html#id2818237">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2818345">Epilogue</a></dt><dt><a href="IntroSMB.html#id2818430">Miscellaneous</a></dt></dl></div><p>&#8220;<span class="quote">
&quot;If you understand what you're doing, you're not learning anything.&quot;
-- Anonymous
</span>&#8221;</p><p>
@ -8,7 +7,7 @@ transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of
strengths is that you can use it to blend your mix of Windows and Linux machines together
without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885266"></a>Background</h2></div></div><div></div></div><p>
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2817919"></a>Background</h2></div></div><div></div></div><p>
Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
@ -34,7 +33,7 @@ been dutifully waded through during the information-gathering stages of this pro
are *still* many missing pieces... While often tedious, at least the way has been generously
littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
thinking?
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885320"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2817978"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
SMB: Acronym for &quot;Server Message Block&quot;. This is Microsoft's file and printer sharing protocol.
</p></li><li><p>
CIFS: Acronym for &quot;Common Internet File System&quot;. Around 1996, Microsoft apparently
@ -84,7 +83,7 @@ thinking?
W3K: Acronym for Windows 2003 Server
</p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884044"></a>Related Projects</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818169"></a>Related Projects</h2></div></div><div></div></div><p>
There are currently two network filesystem client projects for Linux that are directly
related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
</p><div class="itemizedlist"><ul type="disc"><li><p>
@ -106,7 +105,7 @@ nothing to do with acting as a file and print server for SMB/CIFS clients.
There are other Open Source CIFS client implementations, such as the
<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a>
which provides an SMB client toolkit written in Java.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884112"></a>SMB Methodology</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818237"></a>SMB Methodology</h2></div></div><div></div></div><p>
Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
session service, or netbios-ssn). Anyone looking at their network with a good
@ -138,7 +137,7 @@ up a single file. In general, SMB sessions are established in the following orde
A good way to examine this process in depth is to try out
<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>.
It allows you to walk through the establishment of a SMB/CIFS session step by step.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884199"></a>Epilogue</h2></div></div><div></div></div><p>&#8220;<span class="quote">
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818345"></a>Epilogue</h2></div></div><div></div></div><p>&#8220;<span class="quote">
What's fundamentally wrong is that nobody ever had any taste when they
did it. Microsoft has been very much into making the user interface look good,
but internally it's just a complete mess. And even people who program for Microsoft
@ -167,9 +166,9 @@ not the completely clueless user who probably sits there shivering thinking
That's what's really irritating to me.&quot;
</span>&#8221;</p><p>--
<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2884272"></a>Miscellaneous</h2></div></div><div></div></div><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818430"></a>Miscellaneous</h2></div></div><div></div></div><p>
This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
Permission is granted to copy, distribute and/or modify this document under the terms
of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>

View File

@ -1,203 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3000463">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3000487">Objectives</a></dt><dt><a href="NT4Migration.html#id2999415">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3001632">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001713">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3001954">Samba Implementation Choices</a></dt></dl></dd></dl></div><p>
This is a rough guide to assist those wishing to migrate from NT4 domain control to
Samba-3 based domain control.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3000463"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
In the IT world there is often a saying that all problems are encountered because of
poor planning. The corollary to this saying is that not all problems can be anticipated
and planned for. Then again, good planning will anticipate most show stopper type situations.
</p><p>
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
environment would do well to develop a detailed migration plan. So here are a few pointers to
help migration get under way.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3000487"></a>Objectives</h3></div></div><div></div></div><p>
The key objective for most organisations will be to make the migration from MS Windows NT4
to Samba-3 domain control as painless as possible. One of the challenges you may experience
in your migration process may well be one of convincing management that the new environment
should remain in place. Many who have introduced open source technologies have experienced
pressure to return to a Microsoft based platform solution at the first sign of trouble.
</p><p>
It is strongly advised that before attempting a migration to a Samba-3 controlled network
that every possible effort be made to gain all-round commitment to the change. Firstly, you
should know precisely <span class="emphasis"><em>why</em></span> the change is important for the organisation.
Possible motivations to make a change include:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Improve network manageability</td></tr><tr><td>Obtain better user level functionality</td></tr><tr><td>Reduce network operating costs</td></tr><tr><td>Reduce exposure caused by Microsoft withdrawal of NT4 support</td></tr><tr><td>Avoid MS License 6 implications</td></tr><tr><td>Reduce organisation's dependency on Microsoft</td></tr></table><p>
It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
an alternative solution that is both different from MS Windows NT4 and that offers some
advantages compared with it. It should also be recognised that Samba-3 lacks many of the
features that Microsoft has promoted as core values in migration from MS Windows NT4 to
MS Windows 2000 and beyond (with or without Active Directory services).
</p><p>
What are the features that Samba-3 can NOT provide?
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Directory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directory</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p>
The features that Samba-3 DOES provide and that may be of compelling interest to your site
includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-sign-on architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p>
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
considered. Users should be educated about changes they may experience so that the change will be a
welcome one and not become an obstacle to the work they need to do. The following are some of the
factors that will go into a successful migration:
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999189"></a>Domain Layout</h4></div></div><div></div></div><p>
Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
a secondary controller), a domain member, or as a stand-alone server. The Windows network security
domain context should be sized and scoped before implementation. Particular attention needs to be
paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
chooses to use an LDAP authentication backend then the same database can be used by several different
domains. This means that in a complex organisation there can be a single LDAP database, that itself
can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
</p><p>
It is recommended that from a design perspective, the number of users per server, as well as the number
of servers, per domain should be scaled according to needs and should also consider server capacity
and network bandwidth.
</p><p>
A physical network segment may house several domains, each of which may span multiple network segments.
Where domains span routed network segments it is most advisable to consider and test the performance
implications of the design and layout of a network. A Centrally located domain controller that is being
designed to serve multiple routed network segments may result in severe performance problems if the
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
the local authentication and access control server.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999243"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
There are few cardinal rules to effective network design that can be broken with impunity.
The most important rule of effective network management is that simplicity is king in every
well controlled network. Every part of the infrastructure must be managed, the more complex
it is, the greater will be the demand of keeping systems secure and functional.
</p><p>
The nature of the data that must be stored needs to be born in mind when deciding how many
shares must be created. The physical disk space layout should also be taken into account
when designing where share points will be created. Keep in mind that all data needs to be
backed up, thus the simpler the disk layout the easier it will be to keep track of what must
be backed up to tape or other off-line storage medium. Always plan and implement for minimum
maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
</p><p>
Users should be grouped according to data access control needs. File and directory access
is best controlled via group permissions and the use of the &quot;sticky bit&quot; on group controlled
directories may substantially avoid file access complaints from samba share users.
</p><p>
Many network administrators who are new to the game will attempt to use elaborate techniques
to set access controls, on files, directories, shares, as well as in share definitions.
There is the ever present danger that that administrator's successor will not understand the
complex mess that has been inherited. Remember, apparent job security through complex design
and implementation may ultimately cause loss of operations and downtime to users as the new
administrator learns to untangle your web. Keep access controls simple and effective and
make sure that users will never be interrupted by the stupidity of complexity.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999304"></a>Logon Scripts</h4></div></div><div></div></div><p>
Please refer to the section of this document on Advanced Network Administration for information
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
all users gain share and printer connections they need.
</p><p>
Logon scripts can be created on-the-fly so that all commands executed are specific to the
rights and privileges granted to the user. The preferred controls should be affected through
group membership so that group information can be used to custom create a logon script using
the <i class="parameter"><tt>root preexec</tt></i> parameters to the <tt class="filename">NETLOGON</tt> share.
</p><p>
Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
user environment. In any case you may wish to do a google search for logon script process controls.
In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
deals with how to add printers without user intervention via the logon script process.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999361"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
Management.
</p><p>
Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
to be changed to the SID of the Samba-3 domain.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2999390"></a>User and Group Accounts</h4></div></div><div></div></div><p>
It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to connect these to
suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
should migrate painlessly.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2999415"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
The approximate migration process is described below.
</p><div class="itemizedlist"><ul type="disc"><li><p>
You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
</p></li><li><p>
Samba-3 set up as a DC with netlogon share, profile share, etc.
</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been migrated</p></li></ol></li></ol></div><p>
Now it is time to migrate all the profiles, then migrate all policy files.
More later.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001632"></a>Migration Options</h2></div></div><div></div></div><p>
Based on feedback from many sites as well as from actual installation and maintenance
experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba
based solution fit into three basic categories.
</p><div class="table"><a name="id3001647"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>&lt; 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>&gt; 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001713"></a>Planning for Success</h3></div></div><div></div></div><p>
There are three basic choices for sites that intend to migrate from MS Windows NT4
to Samba-3.
</p><div class="itemizedlist"><ul type="disc"><li><p>
Simple Conversion (total replacement)
</p></li><li><p>
Upgraded Conversion (could be one of integration)
</p></li><li><p>
Complete Redesign (completely new solution)
</p></li></ul></div><p>
No matter what choice you make, the following rules will minimise down-stream problems:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Take sufficient time
</p></li><li><p>
Avoid Panic
</p></li><li><p>
Test ALL assumptions
</p></li><li><p>
Test full roll-out program, including workstation deployment
</p></li></ul></div><div class="table"><a name="id3001783"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div xmlns:ns95="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001954"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting">
Authentication database back end
Winbind (external Samba or NT4/200x server)
Can use pam_mkhomedir.so to auto-create home dirs
External server could use Active Directory or NT4 Domain
Database type
smbpasswd, tdbsam, ldapsam, mysqlsam
Access Control Points
On the Share itself (Use NT4 Server Manager)
On the file system
Unix permissions on files and directories
Enable Posix ACLs in file system?
Through Samba share parameters
Not recommended - except as only resort
Policies (migrate or create new ones)
Group Policy Editor (NT4)
Watch out for Tattoo effect
User and Group Profiles
Platform specific so use platform tool to change from a Local
to a Roaming profile Can use new profiles tool to change SIDs
(NTUser.DAT)
Logon Scripts (Know how they work)
User and Group mapping to Unix/Linux
username map facility may be needed
Use 'net groupmap' to connect NT4 groups to Unix groups
Use pdbedit to set/change user configuration
NOTE:
If migrating to LDAP back end it may be easier to dump initial LDAP database
to LDIF, then edit, then reload into LDAP
OS specific scripts / programs may be needed
Add / delete Users
Note OS limits on size of name (Linux 8 chars)
NT4 up to 254 chars
Add / delete machines
Applied only to domain members (note up to 16 chars)
Add / delete Groups
Note OS limits on size and nature
Linux limit is 16 char,
no spaces and no upper case chars (groupadd)
Migration Tools
Domain Control (NT4 Style)
Profiles, Policies, Access Controls, Security
Migration Tools
Samba: net, rpcclient, smbpasswd, pdbedit, profiles
Windows: NT4 Domain User Manager, Server Manager (NEXUS)
Authentication
New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)
</pre><ns95:p>
</ns95:p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html>

View File

@ -1,958 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2901654">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2901733">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2905839">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905855">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2906017">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2900986">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901119">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901245">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2902631">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2902896">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2903052">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2903070">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2906571">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2906680">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906741">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906900">Setting up a WINS server</a></dt><dt><a href="NetworkBrowsing.html#id2907094">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2907119">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2907203">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2907217">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2907283">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2907421">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2907468">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2907575">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2907654">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2908270">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2908285">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2908313">My client reports &quot;This server is not configured to list shared resources&quot;</a></dt></dl></dd></dl></div><p>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and / or across workgroups (or domains).
WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows 2000 and later can be configured to operate with NO NetBIOS
over TCP/IP. Samba-3 and later also supports this mode of operation.
When the use of NetBIOS over TCP/IP has been disabled then the primary
means for resolution of MS Windows machine names is via DNS and Active Directory.
The following information assumes that your site is running NetBIOS over TCP/IP.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901654"></a>Features and Benefits</h2></div></div><div></div></div><p>
Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times,
they were the best of times. The more we look back, them more we long for what was and
hope it never returns!</em></span>.
</p><p>
For many MS Windows network administrators, that statement sums up their feelings about
NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
nature was just par for the course. For those who never quite managed to tame its
lusty features, NetBIOS is like Paterson's Curse.
</p><p>
For those not familiar with botanical problems in Australia: Paterson's curse,
Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth
century. Since then it has spread rapidly. The high seed production, with densities of
thousands of seeds per square metre, a seed longevity of more than seven years, and an
ability to germinate at any time of year, given the right conditions, are some of the
features which make it such a persistent weed.
</p><p>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
</p><p>
Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
and implements extensions to Microsoft's implementation of WINS. These extensions
help Samba to affect stable WINS operations beyond the normal scope of MS WINS.
</p><p>
Please note that WINS is exclusively a service that applies only to those systems
that run NetBIOS over TCP/IP. MS Windows 200x / XP have the capacity to turn off
support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports this also.
</p><p>
For those networks on which NetBIOS has been disabled (ie: WINS is NOT required)
the use of DNS is necessary for host name resolution.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901733"></a>What is Browsing?</h2></div></div><div></div></div><p>
To most people browsing means that they can see the MS Windows and Samba servers
in the Network Neighborhood, and when the computer icon for a particular server is
clicked, it opens up and shows the shares and printers available on the target server.
</p><p>
What seems so simple is in fact a very complex interaction of different technologies.
The technologies (or methods) employed in making all of this work includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>MS Windows machines register their presence to the network</td></tr><tr><td>Machines announce themselves to other machines on the network</td></tr><tr><td>One or more machine on the network collates the local announcements</td></tr><tr><td>The client machine finds the machine that has the collated list of machines</td></tr><tr><td>The client machine is able to resolve the machine names to IP addresses</td></tr><tr><td>The client machine is able to connect to a target machine</td></tr></table><p>
The Samba application that controls browse list management and name resolution is
called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
</p><pre class="programlisting">
Browsing options:
-----------------
* os level
lm announce
lm interval
* preferred master
* local master
* domain master
browse list
enhanced browsing
Name Resolution Method:
-----------------------
* name resolve order
WINS options:
-------------
dns proxy
wins proxy
* wins server
* wins support
wins hook
</pre><p>
For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
parameters is set <tt class="filename">nmbd</tt> will still do it's job.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905839"></a>Discussion</h2></div></div><div></div></div><p>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905855"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</p><p>
Normally, only unicast UDP messaging can be forwarded by routers. The
<b class="command">remote announce</b> parameter to smb.conf helps to project browse announcements
to remote network segments via unicast UDP. Similarly, the
<b class="command">remote browse sync</b> parameter of <tt class="filename">smb.conf</tt>
implements browse list collation using unicast UDP.
</p><p>
Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
get cross segment browsing to work is by using the
<b class="command">remote announce</b> and the <b class="command">remote browse sync</b>
parameters to your <tt class="filename">smb.conf</tt> file.
</p><p>
If only one WINS server is used for an entire multi-segment network then
the use of the <b class="command">remote announce</b> and the
<b class="command">remote browse sync</b> parameters should NOT be necessary.
</p><p>
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
of one of the Samba-3 release series.
</p><p>
Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
<b class="command">remote browse sync</b> and <b class="command">remote announce</b>
to affect browse list collation across all segments. Note that this means clients
will only resolve local names, and must be configured to use DNS to resolve names
on other subnets in order to resolve the IP addresses of the servers they can see
on other subnets. This setup is not recommended, but is mentioned as a practical
consideration (ie: an 'if all else fails' scenario).
</p><p>
Lastly, take note that browse lists are a collection of unreliable broadcast
messages that are repeated at intervals of not more than 15 minutes. This means
that it will take time to establish a browse list and it can take up to 45
minutes to stabilise, particularly across network segments.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906017"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
All TCP/IP using systems use various forms of host name resolution. The primary
methods for TCP/IP hostname resolutions involves either a static file (<tt class="filename">/etc/hosts
</tt>) or DNS (the Domain Name System). DNS is the technology that makes
the Internet usable. DNS based host name resolution is supported by nearly all TCP/IP
enabled systems. Only a few embedded TCP/IP systems do not support DNS.
</p><p>
When an MS Windows 200x / XP system attempts to resolve a host name to an IP address
it follows a defined path:
</p><div class="orderedlist"><ol type="1"><li><p>
Checks the <tt class="filename">hosts</tt> file. It is located in
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
</p></li><li><p>
Does a DNS lookup
</p></li><li><p>
Checks the NetBIOS name cache
</p></li><li><p>
Queries the WINS server
</p></li><li><p>
Does a broadcast name lookup over UDP
</p></li><li><p>
Looks up entries in LMHOSTS. It is located in
<tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
</p></li></ol></div><p>
Windows 200x / XP can register it's host name with a Dynamic DNS server. You can
force register with a Dynamic DNS server in Windows 200x / XP using:
<b class="command">ipconfig /registerdns</b>
</p><p>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other,
consequently network services will be severely impaired.
</p><p>
The use of Dynamic DNS is highly recommended with Active Directory, in which case
the use of BIND9 is preferred for it's ability to adequately support the SRV (service)
records that are needed for Active Directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900986"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic
DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
to use BIND version 8 or 9, but it will almost certainly be necessary to create service records
so that MS Active Directory clients can resolve host names to locate essential network services.
The following are some of the default service records that Active Directory requires:
</p><div class="itemizedlist"><ul type="disc"><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
This provides the address of the Windows NT PDC for the Domain.
</p></li><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Resolves the addresses of Global Catalog servers in the domain.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
Provides list of domain controllers based on sites.
</p></li><li><p>_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
Enumerates list of domain controllers that have the writable
copies of the Active Directory data store.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Entry used by MS Windows clients to locate machines using the
Global Unique Identifier.
</p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
Used by MS Windows clients to locate site configuration dependent
Global Catalog server.
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901119"></a>How Browsing Functions</h2></div></div><div></div></div><p>
MS Windows machines register their NetBIOS names
(ie: the machine name for each service type in operation) on start
up. The exact method by which this name registration
takes place is determined by whether or not the MS Windows client/server
has been given a WINS server address, whether or not LMHOSTS lookup
is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
</p><p>
In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<b class="command">remote announce</b> parameter).
</p><p>
Where a WINS server is used, the MS Windows client will use UDP
unicast to register with the WINS server. Such packets can be routed
and thus WINS allows name resolution to function across routed networks.
</p><p>
During the startup process an election will take place to create a
local master browser if one does not already exist. On each NetBIOS network
one machine will be elected to function as the domain master browser. This
domain browsing has nothing to do with MS security domain control.
Instead, the domain master browser serves the role of contacting each local
master browser (found by asking WINS or from LMHOSTS) and exchanging browse
list contents. This way every master browser will eventually obtain a complete
list of all machines that are on the network. Every 11-15 minutes an election
is held to determine which machine will be the master browser. By the nature of
the election criteria used, the machine with the highest uptime, or the
most senior protocol version, or other criteria, will win the election
as domain master browser.
</p><p>
Clients wishing to browse the network make use of this list, but also depend
on the availability of correct name resolution to the respective IP
address/addresses.
</p><p>
Any configuration that breaks name resolution and/or browsing intrinsics
will annoy users because they will have to put up with protracted
inability to use the network services.
</p><p>
Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <b class="command">remote
browse sync</b> parameter in the <tt class="filename">smb.conf</tt> file.
This causes Samba to contact the local master browser on a remote network and
to request browse list synchronisation. This effectively bridges
two networks that are separated by routers. The two remote
networks may use either broadcast based name resolution or WINS
based name resolution, but it should be noted that the <b class="command">remote
browse sync</b> parameter provides browse list synchronisation - and
that is distinct from name to address resolution, in other
words, for cross subnet browsing to function correctly it is
essential that a name to address resolution mechanism be provided.
This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>,
and so on.
</p><div xmlns:ns14="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901245"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
To set up cross subnet browsing on a network containing machines
in up to be in a WORKGROUP, not an NT Domain you need to set up one
Samba server to be the Domain Master Browser (note that this is *NOT*
the same as a Primary Domain Controller, although in an NT Domain the
same machine plays both roles). The role of a Domain master browser is
to collate the browse lists from local master browsers on all the
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
subnet. It is the presence of a domain master browser that makes
cross subnet browsing possible for a workgroup.
</p><p>
In an WORKGROUP environment the domain master browser must be a
Samba server, and there must only be one domain master browser per
workgroup name. To set up a Samba server as a domain master browser,
set the following option in the <i class="parameter"><tt>[global]</tt></i> section
of the <tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
domain master = yes
</pre><ns14:p>
</ns14:p><p>
The domain master browser should also preferrably be the local master
browser for its own subnet. In order to achieve this set the following
options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
domain master = yes
local master = yes
preferred master = yes
os level = 65
</pre><ns14:p>
</ns14:p><p>
The domain master browser may be the same machine as the WINS
server, if you require.
</p><p>
Next, you should ensure that each of the subnets contains a
machine that can act as a local master browser for the
workgroup. Any MS Windows NT/2K/XP/2003 machine should be
able to do this, as will Windows 9x machines (although these
tend to get rebooted more often, so it's not such a good idea
to use these). To make a Samba server a local master browser
set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
<tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
domain master = no
local master = yes
preferred master = yes
os level = 65
</pre><ns14:p>
</ns14:p><p>
Do not do this for more than one Samba server on each subnet,
or they will war with each other over which is to be the local
master browser.
</p><p>
The <i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a
local master browser. The <i class="parameter"><tt>preferred master</tt></i> causes nmbd
to force a browser election on startup and the <i class="parameter"><tt>os level</tt></i>
parameter sets Samba high enough so that it should win any browser elections.
</p><p>
If you have an NT machine on the subnet that you wish to
be the local master browser then you can disable Samba from
becoming a local master browser by setting the following
options in the <i class="parameter"><tt>[global]</tt></i> section of the
<tt class="filename">smb.conf</tt> file :
</p><ns14:p>
</ns14:p><pre class="programlisting">
domain master = no
local master = no
preferred master = no
os level = 0
</pre><ns14:p>
</ns14:p></div><div xmlns:ns15="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902631"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
By default, a Windows NT Primary Domain Controller for a domain
is also the Domain master browser for that domain, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i>&lt;1B&gt;)
with WINS instead of the PDC.
</p><p>
For subnets other than the one containing the Windows NT PDC
you may set up Samba servers as local master browsers as
described. To make a Samba server a local master browser set
the following options in the <b class="command">[global]</b> section
of the <tt class="filename">smb.conf</tt> file :
</p><ns15:p>
</ns15:p><pre class="programlisting">
domain master = no
local master = yes
preferred master = yes
os level = 65
</pre><ns15:p>
</ns15:p><p>
If you wish to have a Samba server fight the election with machines
on the same subnet you may set the <i class="parameter"><tt>os level</tt></i> parameter
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to be the master">
Forcing Samba to be the master browser</a>
below.
</p><p>
If you have Windows NT machines that are members of the domain
on all subnets, and you are sure they will always be running then
you can disable Samba from taking part in browser elections and
ever becoming a local master browser by setting following options
in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
file :
</p><ns15:p>
</ns15:p><pre class="programlisting">
domain master = no
local master = no
preferred master = no
os level = 0
</pre><ns15:p>
</ns15:p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p>
Who becomes the <i class="parameter"><tt>master browser</tt></i> is determined by an election
process using broadcasts. Each election packet contains a number of parameters
which determine what precedence (bias) a host should have in the
election. By default Samba uses a very low precedence and thus loses
elections to just about anyone else.
</p><p>
If you want Samba to win elections then just set the <i class="parameter"><tt>os level</tt></i> global
option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to 0. Using 34
would make it win all elections over every other system (except other
samba systems!)
</p><p>
A <i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows
NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
</p><p>The maximum os level is 255</p><p>
If you want Samba to force an election on startup, then set the
<i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
care, as if you have two hosts (whether they are Windows 95 or NT or
Samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to
<tt class="constant">yes</tt>, then periodically and continually they will force an election
in order to become the local master browser.
</p><p>
If you want Samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is
recommended that you also set <i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
Samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
</p><p>
It is possible to configure two Samba servers to attempt to become
the domain master browser for a domain. The first server that comes
up will be the domain master browser. All other Samba servers will
attempt to become the domain master browser every 5 minutes. They
will find that another Samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902896"></a>Making Samba the domain master</h3></div></div><div></div></div><p>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
make Samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i>
in <tt class="filename">smb.conf</tt>. By default it will not be a domain master.
</p><p>
Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a
workgroup that has the same name as an NT Domain.
</p><p>
When Samba is the domain master and the master browser, it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.
</p><p>
If you want Samba to be the domain master then I suggest you also set
the <i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set
<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on
startup.
</p><p>
Note that all your servers (including Samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:
</p><div class="orderedlist"><ol type="1"><li><p>
your local master browsers will be unable to find a domain master
browser, as it will only be looking on the local subnet.
</p></li><li><p>
if a client happens to get hold of a domain-wide browse list, and
a user attempts to access a host in that list, it will be unable to
resolve the NetBIOS name of that host.
</p></li></ol></div><p>
If, however, both Samba and your clients are using a WINS server, then:
</p><div class="orderedlist"><ol type="1"><li><p>
your local master browsers will contact the WINS server and, as long as
Samba has registered that it is a domain master browser with the WINS
server, your local master browser will receive Samba's IP address
as its domain master browser.
</p></li><li><p>
when a client receives a domain-wide browse list, and a user attempts
to access a host in that list, it will contact the WINS server to
resolve the NetBIOS name of that host. as long as that host has
registered its NetBIOS name with the same WINS server, the user will
be able to see that host.
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903052"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
If your network uses a &quot;0&quot; based broadcast address (for example if it
ends in a 0) then you will strike problems. Windows for Workgroups
does not seem to support a 0's broadcast and you will probably find
that browsing and name lookups won't work.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903070"></a>Multiple interfaces</h3></div></div><div></div></div><p>
Samba now supports machines with multiple network interfaces. If you
have multiple interfaces then you will need to use the <b class="command">interfaces</b>
option in <tt class="filename">smb.conf</tt> to configure them.
</p></div><div xmlns:ns16="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906571"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><ns16:p>
The <i class="parameter"><tt>remote announce</tt></i> parameter of
<tt class="filename">smb.conf</tt> can be used to forcibly ensure
that all the NetBIOS names on a network get announced to a remote network.
The syntax of the <i class="parameter"><tt>remote announce</tt></i> parameter is:
</ns16:p><pre class="programlisting">
remote announce = a.b.c.d [e.f.g.h] ...
</pre><ns16:p>
<span class="emphasis"><em>or</em></span>
</ns16:p><pre class="programlisting">
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
</pre><ns16:p>
where:
</ns16:p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
<i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>is either the LMB (Local Master Browser) IP address
or the broadcast address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
address of the remote network, every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup
or that of the remote network. If you use the
workgroup name of the remote network then our
NetBIOS machine names will end up looking like
they belong to that workgroup, this may cause
name resolution problems and should be avoided.
</p></dd></dl></div><ns16:p>
</ns16:p></div><div xmlns:ns17="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906680"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
The <i class="parameter"><tt>remote browse sync</tt></i> parameter of
<tt class="filename">smb.conf</tt> is used to announce to
another LMB that it must synchronise its NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
simultaneously the LMB on its network segment.
</p><ns17:p>
The syntax of the <i class="parameter"><tt>remote browse sync</tt></i> parameter is:
</ns17:p><pre class="programlisting">
remote browse sync = <i class="replaceable"><tt>a.b.c.d</tt></i>
</pre><ns17:p>
where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
remote LMB or else is the network broadcast address of the remote segment.
</ns17:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906741"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers its name together with a
name_type value for each of several types of service it has available.
eg: It registers its name directly as a unique (the type 0x03) name.
It also registers its name if it is running the LanManager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.
</p><p>
All NetBIOS names are up to 15 characters in length. The name_type variable
is added to the end of the name - thus creating a 16 character name. Any
name that is shorter than 15 characters is padded with spaces to the 15th
character. ie: All NetBIOS names are 16 characters long (including the
name_type information).
</p><p>
WINS can store these 16 character names as they get registered. A client
that wants to log onto the network can ask the WINS server for a list
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured
<tt class="filename">lmhosts</tt> files that must reside on all clients in the
absence of WINS.
</p><p>
WINS also serves the purpose of forcing browse list synchronisation by all
LMB's. LMB's must synchronise their browse list with the DMB (domain master
browser) and WINS helps the LMB to identify it's DMB. By definition this
will work only within a single workgroup. Note that the domain master browser
has NOTHING to do with what is referred to as an MS Windows NT Domain. The
later is a reference to a security environment while the DMB refers to the
master controller for browse list information only.
</p><p>
Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
has been configured to use the WINS server/s. Any client that has not been
configured to use the WINS server will continue to use only broadcast based
name registration so that WINS may NEVER get to know about it. In any case,
machines that have not registered with a WINS server will fail name to address
lookup attempts by other clients and will therefore cause workstation access
errors.
</p><p>
To configure Samba as a WINS server just add
<i class="parameter"><tt>wins support = yes</tt></i> to the <tt class="filename">smb.conf</tt>
file [globals] section.
</p><p>
To configure Samba to register with a WINS server just add
<i class="parameter"><tt>wins server = a.b.c.d</tt></i> to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[globals]</tt></i> section.
</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
Never use both <i class="parameter"><tt>wins support = yes</tt></i> together
with <i class="parameter"><tt>wins server = a.b.c.d</tt></i>
particularly not using it's own IP address.
Specifying both will cause <span class="application">nmbd</span> to refuse to start!
</p></div><div xmlns:ns18="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906900"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
Either a Samba machine or a Windows NT Server machine may be set up
as a WINS server. To set a Samba machine to be a WINS server you must
add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine :
in the <i class="parameter"><tt>[globals]</tt></i> section add the line
</p><ns18:p>
</ns18:p><pre class="programlisting">
wins support = yes
</pre><ns18:p>
</ns18:p><p>
Versions of Samba prior to 1.9.17 had this parameter default to
yes. If you have any older versions of Samba on your network it is
strongly suggested you upgrade to a recent version, or at the very
least set the parameter to 'no' on all these machines.
</p><p>
Machines with <i class="parameter"><tt>wins support = yes</tt></i> will keep a list of
all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
</p><p>
You should set up only ONE WINS server. Do NOT set the
<i class="parameter"><tt>wins support = yes</tt></i> option on more than one Samba
server.
</p><p>
To set up a Windows NT Server as a WINS server you need to set up
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
refuses to document these replication protocols, Samba cannot currently
participate in these replications. It is possible in the future that
a Samba-&gt;Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
but currently only one Samba server should have the
<i class="parameter"><tt>wins support = yes</tt></i> parameter set.
</p><p>
After the WINS server has been configured you must ensure that all
machines participating on the network are configured with the address
of this WINS server. If your WINS server is a Samba machine, fill in
the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of
the <span class="guilabel">Control Panel-&gt;Network-&gt;Protocols-&gt;TCP-&gt;WINS Server</span> dialogs
in Windows 95 or Windows NT. To tell a Samba server the IP address
of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
all <tt class="filename">smb.conf</tt> files :
</p><ns18:p>
</ns18:p><pre class="programlisting">
wins server = &lt;name or IP address&gt;
</pre><ns18:p>
</ns18:p><p>
where &lt;name or IP address&gt; is either the DNS name of the WINS server
machine or its IP address.
</p><p>
Note that this line MUST NOT BE SET in the <tt class="filename">smb.conf</tt> file of the Samba
server acting as the WINS server itself. If you set both the
<i class="parameter"><tt>wins support = yes</tt></i> option and the
<i class="parameter"><tt>wins server = &lt;name&gt;</tt></i> option then
nmbd will fail to start.
</p><p>
There are two possible scenarios for setting up cross subnet browsing.
The first details setting up cross subnet browsing on a network containing
Windows 95, Samba and Windows NT machines that are not configured as
part of a Windows NT Domain. The second details setting up cross subnet
browsing on networks that contain NT Domains.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907094"></a>WINS Replication</h3></div></div><div></div></div><p>
Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
This tool is not currently capable of being used as it is still in active development.
As soon as this tool becomes moderately functional we will prepare man pages and enhance this
section of the documentation to provide usage and technical details.
</p></div><div xmlns:ns19="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907119"></a>Static WINS Entries</h3></div></div><div></div></div><p>
Adding static entries to your Samba-3 WINS server is actually fairly easy.
All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
located in <tt class="filename">/usr/local/samba/var/locks</tt>.
</p><ns19:p>
Entries in <tt class="filename">wins.dat</tt> take the form of
</ns19:p><pre class="programlisting">
&quot;NAME#TYPE&quot; TTL ADDRESS+ FLAGS
</pre><ns19:p>
where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
time-to-live as an absolute time in seconds, ADDRESS+ is one or more
addresses corresponding to the registration and FLAGS are the NetBIOS
flags for the registration.
</ns19:p><ns19:p>
A typical dynamic entry looks like:
</ns19:p><pre class="programlisting">
&quot;MADMAN#03&quot; 1055298378 192.168.1.2 66R
</pre><ns19:p>
To make it static, all that has to be done is set the TTL to 0:
</ns19:p><pre class="programlisting">
&quot;MADMAN#03&quot; 0 192.168.1.2 66R
</pre><ns19:p>
</ns19:p><p>
Though this method works with early Samba-3 versions, there's a
possibility that it may change in future versions if WINS replication
is added.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907203"></a>Helpful Hints</h2></div></div><div></div></div><p>
The following hints should be carefully considered as they are stumbling points
for many new network administrators.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907217"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Do NOT use more than one (1) protocol on MS Windows machines
</p></div><p>
A very common cause of browsing problems results from installing more than
one protocol on an MS Windows machine.
</p><p>
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
of precedence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.
</p><p>
The election process is &quot;fought out&quot; so to speak over every NetBIOS network
interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
installed and has NetBIOS enabled over both protocols the election will be
decided over both protocols. As often happens, if the Windows 9x machine is
the only one with both protocols then the LMB may be won on the NetBIOS
interface over the IPX protocol. Samba will then lose the LMB role as Windows
9x will insist it knows who the LMB is. Samba will then cease to function
as an LMB and thus browse list operation on all TCP/IP only machines will
fail.
</p><p><span class="emphasis"><em>
Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
referred to as the WinNT family, but it should be recognised that 2000 and
XP/2003 introduce new protocol extensions that cause them to behave
differently from MS Windows NT4. Generally, where a server does NOT support
the newer or extended protocol, these will fall back to the NT4 protocols.
</em></span></p><p>
The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
</p></div><div xmlns:ns20="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907283"></a>Name Resolution Order</h3></div></div><div></div></div><p>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
are:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p>
Alternative means of name resolution includes:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><ns20:p>
Many sites want to restrict DNS lookups and want to avoid broadcast name
resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is
of great help here. The syntax of the <i class="parameter"><tt>name resolve order</tt></i>
parameter is:
</ns20:p><pre class="programlisting">
name resolve order = wins lmhosts bcast host
</pre><ns20:p>
<span class="emphasis"><em>or</em></span>
</ns20:p><pre class="programlisting">
name resolve order = wins lmhosts (eliminates bcast and host)
</pre><ns20:p>
The default is:
</ns20:p><pre class="programlisting">
name resolve order = host lmhost wins bcast
</pre><ns20:p>
where &quot;host&quot; refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>.
</ns20:p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2907421"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
SMB networking provides a mechanism by which clients can access a list
of machines in a network, a so-called <i class="parameter"><tt>browse list</tt></i>. This list
contains machines that are ready to offer file and/or print services
to other machines within the network. Thus it does not include
machines which aren't currently able to do server tasks. The browse
list is heavily used by all SMB clients. Configuration of SMB
browsing has been problematic for some Samba users, hence this
document.
</p><p>
MS Windows 2000 and later, as with Samba 3 and later, can be
configured to not use NetBIOS over TCP/IP. When configured this way,
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
configured and operative. Browsing will NOT work if name resolution
from SMB machine names to IP addresses does not function correctly.
</p><p>
Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
WINS allows remote segment clients to obtain NetBIOS name_type information
that can NOT be provided by any other means of name resolution.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907468"></a>Browsing support in Samba</h3></div></div><div></div></div><p>
Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
Samba can act as a local browse master for a workgroup and the ability
to support domain logons and scripts is now available.
</p><p>
Samba can also act as a domain master browser for a workgroup. This
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
both Samba and your clients use a WINS server.
</p><p>
Note that you should NOT set Samba to be the domain master for a
workgroup that has the same name as an NT Domain: on each wide area
network, you must only ever have one domain master browser per workgroup,
regardless of whether it is NT, Samba or any other type of domain master
that is providing this service.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Nmbd can be configured as a WINS server, but it is not
necessary to specifically use Samba as your WINS server. MS Windows
NT4, Server or Advanced Server 2000 or 2003 can be configured as
your WINS server. In a mixed NT/2000/2003 server and Samba environment on
a Wide Area Network, it is recommended that you use the Microsoft
WINS server capabilities. In a Samba-only environment, it is
recommended that you use one and only one Samba server as your WINS server.
</p></div><p>
To get browsing to work you need to run nmbd as usual, but will need
to use the <i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt>
to control what workgroup Samba becomes a part of.
</p><p>
Samba also has a useful option for a Samba server to offer itself for
browsing on another subnet. It is recommended that this option is only
used for 'unusual' purposes: announcements over the internet, for
example. See <i class="parameter"><tt>remote announce</tt></i> in the
<tt class="filename">smb.conf</tt> man page.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907575"></a>Problem resolution</h3></div></div><div></div></div><p>
If something doesn't work then hopefully the log.nmbd file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called <tt class="filename">browse.dat</tt>.
</p><p>
Note that if it doesn't work for you, then you should still be able to
type the server name as <tt class="filename">\\SERVER</tt> in filemanager then
hit enter and filemanager should display the list of available shares.
</p><p>
Some people find browsing fails because they don't have the global
<i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the
IPC$ connection that lists the shares is done as guest, and thus you must
have a valid guest account.
</p><p><span class="emphasis"><em>
MS Windows 2000 and upwards (as with Samba) can be configured to disallow
anonymous (ie: Guest account) access to the IPC$ share. In that case, the
MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
name of the currently logged in user to query the IPC$ share. MS Windows
9X clients are not able to do this and thus will NOT be able to browse
server resources.
</em></span></p><p>
The other big problem people have is that their broadcast address,
netmask or IP address is wrong (specified with the &quot;interfaces&quot; option
in <tt class="filename">smb.conf</tt>)
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907654"></a>Browsing across subnets</h3></div></div><div></div></div><p>
Since the release of Samba 1.9.17(alpha1), Samba has supported the
replication of browse lists across subnet boundaries. This section
describes how to set this feature up in different settings.
</p><p>
To see browse lists that span TCP/IP subnets (ie. networks separated
by routers that don't pass broadcast traffic), you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
port 137 to the WINS server machine. The reason for a WINS server is
that by default, all NetBIOS name to IP address translation is done
by broadcasts from the querying machine. This means that machines
on one subnet will not be able to resolve the names of machines on
another subnet without using a WINS server.
</p><p>
Remember, for browsing across subnets to work correctly, all machines,
be they Windows 95, Windows NT, or Samba servers must have the IP address
of a WINS server given to them by a DHCP server, or by manual configuration
(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
settings) for Samba this is in the <tt class="filename">smb.conf</tt> file.
</p><div xmlns:ns21="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907703"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
Cross subnet browsing is a complicated dance, containing multiple
moving parts. It has taken Microsoft several years to get the code
that achieves this correct, and Samba lags behind in some areas.
Samba is capable of cross subnet browsing when configured correctly.
</p><p>
Consider a network set up as follows :
</p><ns21:p>
</ns21:p><pre class="programlisting">
(DMB)
N1_A N1_B N1_C N1_D N1_E
| | | | |
-------------------------------------------------------
| subnet 1 |
+---+ +---+
|R1 | Router 1 Router 2 |R2 |
+---+ +---+
| |
| subnet 2 subnet 3 |
-------------------------- ------------------------------------
| | | | | | | |
N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
(WINS)
</pre><ns21:p>
</ns21:p><p>
Consisting of 3 subnets (1, 2, 3) connected by two routers
(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
for the moment that all these machines are configured to be in the
same workgroup (for simplicity's sake). Machine N1_C on subnet 1
is configured as Domain Master Browser (ie. it will collate the
browse lists for the workgroup). Machine N2_D is configured as
WINS server and all the other machines are configured to register
their NetBIOS names with it.
</p><p>
As all these machines are booted up, elections for master browsers
will take place on each of the three subnets. Assume that machine
N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
subnet 3 - these machines are known as local master browsers for
their particular subnet. N1_C has an advantage in winning as the
local master browser on subnet 1 as it is set up as Domain Master
Browser.
</p><p>
On each of the three networks, machines that are configured to
offer sharing services will broadcast that they are offering
these services. The local master browser on each subnet will
receive these broadcasts and keep a record of the fact that
the machine is offering a service. This list of records is
the basis of the browse list. For this case, assume that
all the machines are configured to offer services so all machines
will be on the browse list.
</p><p>
For each network, the local master browser on that network is
considered 'authoritative' for all the names it receives via
local broadcast. This is because a machine seen by the local
master browser via a local broadcast must be on the same
network as the local master browser and thus is a 'trusted'
and 'verifiable' resource. Machines on other networks that
the local master browsers learn about when collating their
browse lists have not been directly seen - these records are
called 'non-authoritative'.
</p><p>
At this point the browse lists look as follows (these are
the machines you would see in your network neighborhood if
you looked in it on a particular network right now).
</p><ns21:p>
</ns21:p><div class="table"><a name="id2907818"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><ns21:p>
</ns21:p><p>
Note that at this point all the subnets are separate, no
machine is seen across any of the subnets.
</p><p>
Now examine subnet 2. As soon as N2_B has become the local
master browser it looks for a Domain master browser to synchronize
its browse list with. It does this by querying the WINS server
(N2_D) for the IP address associated with the NetBIOS name
WORKGROUP&lt;1B&gt;. This name was registered by the Domain master
browser (N1_C) with the WINS server as soon as it was booted.
</p><p>
Once N2_B knows the address of the Domain master browser it
tells it that is the local master browser for subnet 2 by
sending a MasterAnnouncement packet as a UDP port 138 packet.
It then synchronizes with it by doing a NetServerEnum2 call. This
tells the Domain Master Browser to send it all the server
names it knows about. Once the domain master browser receives
the MasterAnnouncement packet it schedules a synchronization
request to the sender of that packet. After both synchronizations
are done the browse lists look like :
</p><ns21:p>
</ns21:p><div class="table"><a name="id2907928"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><ns21:p>
Servers with a (*) after them are non-authoritative names.
</ns21:p><p>
At this point users looking in their network neighborhood on
subnets 1 or 2 will see all the servers on both, users on
subnet 3 will still only see the servers on their own subnet.
</p><p>
The same sequence of events that occured for N2_B now occurs
for the local master browser on subnet 3 (N3_D). When it
synchronizes browse lists with the domain master browser (N1_A)
it gets both the server entries on subnet 1, and those on
subnet 2. After N3_D has synchronized with N1_C and vica-versa
the browse lists look like.
</p><ns21:p>
</ns21:p><div class="table"><a name="id2908028"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><ns21:p>
Servers with a (*) after them are non-authoritative names.
</ns21:p><p>
At this point users looking in their network neighborhood on
subnets 1 or 3 will see all the servers on all subnets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
</p><p>
Finally, the local master browser for subnet 2 (N2_B) will sync again
with the domain master browser (N1_C) and will receive the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :
</p><ns21:p>
</ns21:p><div class="table"><a name="id2908128"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><ns21:p>
Servers with a (*) after them are non-authoritative names.
</ns21:p><p>
Synchronizations between the domain master browser and local
master browsers will continue to occur, but this should be a
steady state situation.
</p><p>
If either router R1 or R2 fails the following will occur:
</p><div class="orderedlist"><ol type="1"><li><p>
Names of computers on each side of the inaccessible network fragments
will be maintained for as long as 36 minutes, in the network neighbourhood
lists.
</p></li><li><p>
Attempts to connect to these inaccessible computers will fail, but the
names will not be removed from the network neighbourhood lists.
</p></li><li><p>
If one of the fragments is cut off from the WINS server, it will only
be able to access servers on its local subnet, by using subnet-isolated
broadcast NetBIOS name resolution. The effects are similar to that of
losing access to a DNS server.
</p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2908270"></a>Common Errors</h2></div></div><div></div></div><p>
Many questions are asked on the mailing lists regarding browsing. The majority of browsing
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
particular note.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908285"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p>
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
in the browse list. When nmbd is taken out of service another machine on the network will
become the browse master. This new list may still have the rogue entry in it. If you really
want to clear a rogue machine from the list then every machine on the network will need to be
shut down and restarted at after all machines are down. Failing a complete restart, the only
other thing you can do is wait until the entry times out and is then flushed from the list.
This may take a long time on some networks (months).
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908313"></a>My client reports &quot;This server is not configured to list shared resources&quot;</h3></div></div><div></div></div><p>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
</p><p>See also <i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html>

View File

@ -1,187 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3013776">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3013848">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013855">How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3013471">How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3013530">How do I get printer driver download working
for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013628">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3013090">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3013179">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3013210">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3013255">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3013285">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3013303">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3013349">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3014379">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3014403">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3014514">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013776"></a>Macintosh clients?</h2></div></div><div></div></div><p>
Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
</p><p>
They test it against Windows 95, Windows NT and samba for
compatibility issues. At the time of writing, DAVE was at version
1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
the Thursby web site (the speed of finder copies has been greatly
enhanced, and there are bug-fixes included).
</p><p>
Alternatives - There are two free implementations of AppleTalk for
several kinds of UNIX machines, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
the Macintosh. The two free implementations are
<a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and
<a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>.
What Samba offers MS
Windows users, these packages offer to Macs. For more info on these
packages, Samba, and Linux (and other UNIX-based systems) see
<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013848"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013855"></a>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</h3></div></div><div></div></div><p>A more complete answer to this question can be
found on <a href="http://carol.wins.uva.nl/~leeuw/samba/warp.html" target="_top">
http://carol.wins.uva.nl/~leeuw/samba/warp.html</a>.</p><p>Basically, you need three components:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The File and Print Client ('IBM Peer')</td></tr><tr><td>TCP/IP ('Internet support') </td></tr><tr><td>The &quot;NetBIOS over TCP/IP&quot; driver ('TCPBEUI')</td></tr></table><p>Installing the first two together with the base operating
system on a blank system is explained in the Warp manual. If Warp
has already been installed, but you now want to install the
networking support, use the &quot;Selective Install for Networking&quot;
object in the &quot;System Setup&quot; folder.</p><p>Adding the &quot;NetBIOS over TCP/IP&quot; driver is not described
in the manual and just barely in the online documentation. Start
MPTS.EXE, click on OK, click on &quot;Configure LAPS&quot; and click
on &quot;IBM OS/2 NETBIOS OVER TCP/IP&quot; in 'Protocols'. This line
is then moved to 'Current Configuration'. Select that line,
click on &quot;Change number&quot; and increase it from 0 to 1. Save this
configuration.</p><p>If the Samba server(s) is not on your local subnet, you
can optionally add IP names and addresses of these servers
to the &quot;Names List&quot;, or specify a WINS server ('NetBIOS
Nameserver' in IBM and RFC terminology). For Warp Connect you
may need to download an update for 'IBM Peer' to bring it on
the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013471"></a>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client
for OS/2 from
<a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>.
See <a href="http://carol.wins.uva.nl/~leeuw/lanman.html" target="_top">
http://carol.wins.uva.nl/~leeuw/lanman.html</a> for
more information on how to install and use this client. In
a nutshell, edit the file \OS2VER in the root directory of
the OS/2 boot partition and add the lines:</p><pre class="programlisting">
20=setup.exe
20=netwksta.sys
20=netvdd.sys
</pre><p>before you install the client. Also, don't use the
included NE2000 driver because it is buggy. Try the NE2000
or NS2000 driver from
<a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013530"></a>How do I get printer driver download working
for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
world-readable. Copy your OS/2 driver files there. Note
that the .EA_ files must still be separate, so you will need
to use the original install files, and not copy an installed
driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then,
add to your <tt class="filename">smb.conf</tt> a parameter, <i class="parameter"><tt>os2 driver map =
<i class="replaceable"><tt>filename</tt></i></tt></i>. Then, in the file
specified by <i class="replaceable"><tt>filename</tt></i>, map the
name of the NT driver name to the OS/2 driver name as
follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.:</p><p><i class="parameter"><tt>
HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
device name, the first attempt to download the driver will
actually download the files, but the OS/2 client will tell
you the driver is not available. On the second attempt, it
will work. This is fixed simply by adding the device name
to the mapping, after which it will work on the first attempt.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013628"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013090"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
for Workgroups.
</p><p>The early TCP/IP stacks had lots of bugs.</p><p>
Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
VxD drivers. The latest release can be found on their ftp site at
ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>.
There is an update.txt file there that describes the problems that were
fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
<tt class="filename">TELNET.EXE</tt>,
<tt class="filename">WSOCK.386</tt>,
<tt class="filename">VNBT.386</tt>,
<tt class="filename">WSTCP.386</tt>,
<tt class="filename">TRACERT.EXE</tt>,
<tt class="filename">NETSTAT.EXE</tt>, and
<tt class="filename">NBTSTAT.EXE</tt>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013179"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
WfWg does a lousy job with passwords. I find that if I change my
password on either the unix box or the PC the safest thing to do is to
delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
</p><p>
If you don't do this you may find that WfWg remembers and uses the old
password, even if you told it a new one.
</p><p>
Often WfWg will totally ignore a password you give it in a dialog box.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013210"></a>Configure WfW password handling</h3></div></div><div></div></div><p>
There is a program call admincfg.exe
on the last disk (disk 8) of the WFW 3.11 disk set. To install it
type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
Then add an icon
for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
This program allows you to control how WFW handles passwords. ie disable Password Caching etc
for use with <i class="parameter"><tt>security = user</tt></i>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013255"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013285"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
that you have to use TCP/IP as the default protocol under
WfWg. For some reason if you leave NetBEUI as the default
it may break the print queue reporting on some systems.
It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013303"></a>Speed improvement</h3></div></div><div></div></div><p>
Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
<tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a
big improvement. I don't know why.
</p><p>
My own experience with DefaultRcvWindow is that I get much better
performance with a large value (16384 or larger). Other people have
reported that anything over 3072 slows things down enormously. One
person even reported a speed drop of a factor of 30 when he went from
3072 to 8192. I don't know why.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013349"></a>Windows '95/'98</h2></div></div><div></div></div><p>
When using Windows 95 OEM SR2 the following updates are recommended where Samba
is being used. Please NOTE that the above change will affect you once these
updates have been installed.
</p><p>
There are more updates than the ones mentioned here. You are referred to the
Microsoft Web site for all currently available updates to your specific version
of Windows 95.
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
Also, if using <span class="application">MS Outlook</span> it is desirable to
install the <b class="command">OLEUPD.EXE</b> fix. This
fix may stop your machine from hanging for an extended period when exiting
Outlook and you may also notice a significant speedup when accessing network
neighborhood services.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3014379"></a>Speed improvement</h3></div></div><div></div></div><p>
Configure the win95 TCPIP registry settings to give better
performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the
net. There are various other utilities of this type freely available.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014403"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
There are several annoyances with Windows 2000 SP2. One of which
only appears when using a Samba server to host user profiles
to Windows 2000 SP2 clients in a Windows domain. This assumes
that Samba is a member of the domain, but the problem will
likely occur if it is not.
</p><p>
In order to serve profiles successfully to Windows 2000 SP2
clients (when not operating as a PDC), Samba must have
<i class="parameter"><tt>nt acl support = no</tt></i>
added to the file share which houses the roaming profiles.
If this is not done, then the Windows 2000 SP2 client will
complain about not being able to access the profile (Access
Denied) and create multiple copies of it on disk (DOMAIN.user.001,
DOMAIN.user.002, etc...). See the
<a href="smb.conf.5.html" target="_top">smb.conf(5)</a> man page
for more details on this option. Also note that the
<i class="parameter"><tt>nt acl support</tt></i> parameter was formally a global parameter in
releases prior to Samba 2.2.2.
</p><p>
The following is a minimal profile share:
</p><pre class="programlisting">
[profile]
path = /export/profile
create mask = 0600
directory mask = 0700
nt acl support = no
read only = no
</pre><p>
The reason for this bug is that the Win2k SP2 client copies
the security descriptor for the profile which contains
the Samba server's SID, and not the domain SID. The client
compares the SID for SAMBA\user and realizes it is
different that the one assigned to DOMAIN\user. Hence the reason
for the <span class="errorname">access denied</span> message.
</p><p>
By disabling the <i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send
the Win2k client a response to the QuerySecurityDescriptor
trans2 call which causes the client to set a default ACL
for the profile. This default ACL includes
</p><p><span class="emphasis"><em>DOMAIN\user &quot;Full Control&quot;</em></span>&gt;</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to
create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3014514"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q103765" target="_top">this Microsoft Knowledge Base article</a>.
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html>

View File

@ -1,261 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2982185">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2982237">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2982348">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2981896">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2982030">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2983472">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2983573">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2983593">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2983614">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2983658">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2983805">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2983819">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
This chapter summarises the current state of knowledge derived from personal
practice and knowledge from samba mailing list subscribers. Before reproduction
of posted information effort has been made to validate the information provided.
Where additional information was uncovered through this validation it is provided
also.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982185"></a>Features and Benefits</h2></div></div><div></div></div><p>
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of &quot;booboos&quot;
(or mistakes) administrators made and then requested help to resolve.
</p><p>
By the time that MS Windows 2000 and Active Directory was released, administrators
got the message: Group Policies are a good thing! They can help reduce administrative
costs and actually can help to create happier users. But adoption of the true
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
and machines were picked up on rather slowly. This was very obvious from the samba
mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
how to replicate them in a Samba environment.
</p><p>
Judging by the traffic volume since mid 2002, GPOs have become a standard part of
the deployment in many sites. This chapter reviews techniques and methods that can
be used to exploit opportunities for automation of control over user desktops and
network client workstations.
</p><p>
A tool new to Samba-3 may become an important part of the future Samba Administrators'
arsenal. The <b class="command">editreg</b> tool is described in this document.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2982237"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
Under MS Windows platforms, particularly those following the release of MS Windows
NT4 and MS Windows 95) it is possible to create a type of file that would be placed
in the NETLOGON share of a domain controller. As the client logs onto the network
this file is read and the contents initiate changes to the registry of the client
machine. This file allows changes to be made to those parts of the registry that
affect users, groups of users, or machines.
</p><p>
For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may
be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
comments from MS Windows network administrators it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</p><p>
MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span>
under the <tt class="filename">Start -&gt; Programs -&gt; Administrative Tools</tt> menu item.
For MS Windows NT4 and later clients this file must be called <tt class="filename">NTConfig.POL</tt>.
</p><p>
New with the introduction of MS Windows 2000 was the Microsoft Management Console
or MMC. This tool is the new wave in the ever changing landscape of Microsoft
methods for management of network access and security. Every new Microsoft product
or technology seems to obsolete the old rules and to introduce newer and more
complex tools and methods. To Microsoft's credit though, the MMC does appear to
be a step forward, but improved functionality comes at a great price.
</p><p>
Before embarking on the configuration of network and system policies it is highly
advisable to read the documentation available from Microsoft's web site regarding
<a href="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" target="_top">
Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</a> available from Microsoft.
There are a large number of documents in addition to this old one that should also
be read and understood. Try searching on the Microsoft web site for &quot;Group Policies&quot;.
</p><p>
What follows is a very brief discussion with some helpful notes. The information provided
here is incomplete - you are warned.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2982348"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
It can be found on the Original full product Win98 installation CD under
<tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the
Add/Remove Programs facility and then click on the 'Have Disk' tab.
</p><p>
Use the Group Policy Editor to create a policy file that specifies the location of
user profiles and/or the <tt class="filename">My Documents</tt> etc. Then save these
settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the
root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Win98 is configured to log onto
the Samba Domain, it will automatically read this file and update the Win9x/Me registry
of the machine as it logs on.
</p><p>
Further details are covered in the Win98 Resource Kit documentation.
</p><p>
If you do not take the right steps, then every so often Win9x/Me will check the
integrity of the registry and will restore it's settings from the back-up
copy of the registry it stores on each Win9x/Me machine. Hence, you will
occasionally notice things changing back to the original settings.
</p><p>
Install the group policy handler for Win9x to pick up group policies. Look on the
Win98 CD in <tt class="filename">\tools\reskit\netadmin\poledit</tt>.
Install group policies on a Win9x client by double-clicking
<tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
if Win98 picks up group policies. Unfortunately this needs to be done on every
Win9x/Me machine that uses group policies.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2981896"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server
but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4
Workstation but it is not suitable for creating <span class="emphasis"><em>Domain Policies</em></span>.
Further, although the Windows 95 Policy Editor can be installed on an NT4
Workstation/Server, it will not work with NT clients. However, the files from
the NT Server will run happily enough on an NT4 Workstation.
</p><p>
You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>.
It is convenient to put the two *.adm files in the <tt class="filename">c:\winnt\inf</tt>
directory which is where the binary will look for them unless told otherwise. Note also that that
directory is normally 'hidden'.
</p><p>
The Windows NT policy editor is also included with the Service Pack 3 (and
later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>,
i.e. that's <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The policy editor,
<b class="command">poledit.exe</b> and the associated template files (*.adm) should
be extracted as well. It is also possible to downloaded the policy template
files for Office97 and get a copy of the policy editor. Another possible
location is with the Zero Administration Kit available for download from Microsoft.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2982006"></a>Registry Spoiling</h4></div></div><div></div></div><p>
With NT4 style registry based policy changes, a large number of settings are not
automatically reversed as the user logs off. Since the settings that were in the
NTConfig.POL file were applied to the client machine registry and that apply to the
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
as tattooing. It can have serious consequences down-stream and the administrator must
be extremely careful not to lock out the ability to manage the machine at a later date.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2982030"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
Windows NT4 System policies allows setting of registry parameters specific to
users, groups and computers (client workstations) that are members of the NT4
style domain. Such policy file will work with MS Windows 2000 / XP clients also.
</p><p>
New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
a superset of capabilities compared with NT4 style policies. Obviously, the tool used
to create them is different, and the mechanism for implementing them is much changed.
</p><p>
The older NT4 style registry based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
users' desktop (including: the location of <tt class="filename">My Documents</tt> files (directory), as
well as intrinsics of where menu items will appear in the Start menu). An additional new
feature is the ability to make available particular software Windows applications to particular
users and/or groups.
</p><p>
Remember: NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
and selects the domain name to which the logon will attempt to take place. During the logon
process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
server, modifies the local registry values according to the settings in this file.
</p><p>
Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
Directory domain controllers. The part that is stored in the Active Directory itself is called the
group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
known as the group policy template (GPT).
</p><p>
With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network the user specific part
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
exists with NT4 style policy files.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2982130"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
<span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
Go to the Windows 200x / XP menu <span class="guimenu">Start-&gt;Programs-&gt;Administrative Tools</span>
and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
</p></li><li><p>
Select the domain or organizational unit (OU) that you wish to manage, then right click
to open the context menu for that object, select the properties item.
</p></li><li><p>
Now left click on the <span class="guilabel">Group Policy</span> tab, then left click on the New tab. Type a name
for the new policy you will create.
</p></li><li><p>
Now left click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
</p></li></ol></div><p>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The later introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files, for that
the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
use this powerful tool. Please refer to the resource kit manuals for specific usage information.
</p></div></div></div></div><div xmlns:ns80="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983472"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
Policies can define a specific user's settings or the settings for a group of users. The resulting
policy file contains the registry settings for all users, groups, and computers that will be using
the policy file. Separate policy files for each user, group, or computer are not not necessary.
</p><p>
If you create a policy that will be automatically downloaded from validating domain controllers,
you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
policy file and, by modifying the Windows NT-based workstation, directing the computer to update
the policy from a manual path. You can do this by either manually changing the registry or by using
the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
but if a change is necessary to all machines, this change must be made individually to each workstation.
</p><p>
When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
applied to the user's part of the registry.
</p><p>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
</p><p>
In addition to user access controls that may be imposed or applied via system and/or group policies
in a manner that works in conjunction with user profiles, the user management environment under
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
Common restrictions that are frequently used includes:
</p><ns80:p>
</ns80:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><ns80:p>
</ns80:p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983573"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
Describe in detail the benefits of <b class="command">editreg</b> and how to use it.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983593"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
&quot;snap-ins&quot;, the registry editor, and potentially also the NT4 System and Group Policy Editor.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983614"></a>Samba PDC</h3></div></div><div></div></div><p>
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
<b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
The administrator should read the
man pages for these tools and become familiar with their use.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983658"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
The following attempts to document the order of processing of system and user policies following a system
reboot and as part of the user logon:
</p><div class="orderedlist"><ol type="1"><li><p>
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
Convention Provider (MUP) start
</p></li><li xmlns:ns81=""><ns81:p>
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
and applied. The list may include GPOs that:
</ns81:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><ns81:p>
No desktop user interface is presented until the above have been processed.
</ns81:p></li><li><p>
Execution of start-up scripts (hidden and synchronous by default).
</p></li><li><p>
A keyboard action to affect start of logon (Ctrl-Alt-Del).
</p></li><li><p>
User credentials are validated, User profile is loaded (depends on policy settings).
</p></li><li xmlns:ns82=""><ns82:p>
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
</ns82:p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><ns82:p>
</ns82:p></li><li><p>
User Policies are applied from Active Directory. Note: There are several types.
</p></li><li><p>
Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
window.
</p></li><li><p>
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
</p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983805"></a>Common Errors</h2></div></div><div></div></div><p>
Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
collection demonstrates only basic issues.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983819"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
Question: We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
work any longer since we upgraded to Win XP Pro. Any hints?
</p><p>
<span class="emphasis"><em>ANSWER:</em></span> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
platforms. You need to use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so that
it is in the correct format for your MS Windows XP Pro clients.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>

View File

@ -1,129 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3012634">HPUX</a></dt><dt><a href="Portability.html#id3012719">SCO Unix</a></dt><dt><a href="Portability.html#id3012747">DNIX</a></dt><dt><a href="Portability.html#id3012917">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3012960">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3012967">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3012993">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3013000">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
platforms provide is not always compatible. This chapter contains
platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012634"></a>HPUX</h2></div></div><div></div></div><p>
HP's implementation of supplementary groups is, er, non-standard (for
hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
initgroups() reads the latter. Most system admins who know the ropes
symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt>
(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
groups you're in in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid
ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think)
60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt>
GIDs.
</p><p>
If you encounter this problem, make sure that the programs that are failing
to initgroups() be run as users not in any groups with GIDs outside the
allowed range.
</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
</p><p>
On HPUX you must use gcc or the HP ANSI compiler. The free compiler
that comes with HP-UX is not ANSI compliant and cannot compile
Samba.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012719"></a>SCO Unix</h2></div></div><div></div></div><p>
If you run an old version of SCO Unix then you may need to get important
TCP/IP patches for Samba to work correctly. Without the patch, you may
encounter corrupt data transfers using samba.
</p><p>
The patch you need is UOD385 Connection Drivers SLS. It is available from
SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
files uod385a.Z and uod385a.ltr.Z).
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012747"></a>DNIX</h2></div></div><div></div></div><p>
DNIX has a problem with seteuid() and setegid(). These routines are
needed for Samba to work correctly, but they were left out of the DNIX
C library for some reason.
</p><p>
For this reason Samba by default defines the macro NO_EID in the DNIX
section of includes.h. This works around the problem in a limited way,
but it is far from ideal, some things still won't work right.
</p><p>
To fix the problem properly you need to assemble the following two
functions and then either add them to your C library or link them into
Samba.
</p><p>
put this in the file <tt class="filename">setegid.s</tt>:
</p><pre class="programlisting">
.globl _setegid
_setegid:
moveq #47,d0
movl #100,a0
moveq #1,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts
</pre><p>
put this in the file <tt class="filename">seteuid.s</tt>:
</p><pre class="programlisting">
.globl _seteuid
_seteuid:
moveq #47,d0
movl #100,a0
moveq #0,d1
movl 4(sp),a1
trap #9
bccs 1$
jmp cerror
1$:
clrl d0
rts
</pre><p>
after creating the above files you then assemble them using
</p><pre class="screen">
<tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b>
<tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b>
</pre><p>
that should produce the files <tt class="filename">seteuid.o</tt> and
<tt class="filename">setegid.o</tt>
</p><p>
then you need to add these to the LIBSM line in the DNIX section of
the Samba Makefile. Your LIBSM line will then look something like this:
</p><pre class="programlisting">
LIBSM = setegid.o seteuid.o -ln
</pre><p>
You should then remove the line:
</p><pre class="programlisting">
#define NO_EID
</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div xmlns:ns102="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012917"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><ns102:p>
By default RedHat Rembrandt-II during installation adds an
entry to <tt class="filename">/etc/hosts</tt> as follows:
</ns102:p><pre class="programlisting">
127.0.0.1 loopback &quot;hostname&quot;.&quot;domainname&quot;
</pre><ns102:p>
</ns102:p><p>
This causes Samba to loop back onto the loopback interface.
The result is that Samba fails to communicate correctly with
the world and therefor may fail to correctly negotiate who
is the master browse list holder and who is the master browser.
</p><p>
Corrective Action: Delete the entry after the word loopback
in the line starting 127.0.0.1
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012960"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3012967"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
Samba performance significantly.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3012993"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3013000"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
when running Samba on Solaris. The built in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would
be stuck if F_SETLKW64 loops.
</p><p>
Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7
has not been released yet.
</p><p>
The patch revision for 2.6 is 105181-34
for 8 is 108528-19 and for 9 is 112233-04
</p><p>
After the install of these patches it is recommended to reconfigure
and rebuild samba.
</p><p>Thanks to Joe Meslovich for reporting</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p>
Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior
is fixed by Sun in patch 113476-05 which as of March 2003 is not in any
roll-up packages.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. How to compile SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. Samba and other CIFS clients</td></tr></table></div></body></html>

View File

@ -1,681 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2983922">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2983955">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2983996">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2989358">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2990295">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2990360">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990620">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990678">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990723">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990743">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990891">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991445">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991949">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991962">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2992025">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2992243">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983922"></a>Features and Benefits</h2></div></div><div></div></div><p>
Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
some administrators.
</p><p>
Roaming Profiles allow an administrator to make available a consistent user desktop
as the user moves from one machine to another. This chapter provides much information
regarding how to configure and manage Roaming Profiles.
</p><p>
While Roaming Profiles might sound like nirvana to some, they are a real and tangible
problem to others. In particular, users of mobile computing tools, where often there may not
be a sustained network connection, are often better served by purely Local Profiles.
This chapter provides information to help the Samba administrator to deal with those
situations also.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2983955"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
</p></div><p>
Before discussing how to configure roaming profiles, it is useful to see how
Windows 9x / Me and Windows NT4/200x clients implement these features.
</p><p>
Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
profiles location. However, the response does not have room for a separate
profiles location field, only the user's home share. This means that Win9X/Me
profiles are restricted to being stored in the user's home directory.
</p><p>
Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
including a separate field for the location of the user's profiles.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2983996"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
This section documents how to configure Samba for MS Windows client profile support.
</p><div xmlns:ns83="" class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2984009"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
To support Windows NT4/200x clients, in the [global] section of smb.conf set the
following (for example):
</p><ns83:p>
</ns83:p><pre class="programlisting">
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
</pre><ns83:p>
This is typically implemented like:
</ns83:p><pre class="programlisting">
logon path = \\%L\Profiles\%u
</pre><ns83:p>
where %L translates to the name of the Samba server and %u translates to the user name
</ns83:p><p>
The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
namely <tt class="filename">\\sambaserver\username\profile</tt>.
The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
a samba server for the profiles, you _must_ make the share specified in the logon path
browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
semantics of %L and %N, as well as %U and %u.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows NT/2K clients at times do not disconnect a connection to a server
between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
meta-service name as part of the profile share path.
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2984098"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
To support Windows 9x / Me clients, you must use the <i class="parameter"><tt>logon home</tt></i> parameter. Samba has
now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
on the <b class="command">logon home</b> parameter.
</p><p>
By using the logon home parameter, you are restricted to putting Win9x / Me
profiles in the user's home directory. But wait! There is a trick you
can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
</p><pre class="programlisting">
logon home = \\%L\%U\.profiles
</pre><p>
then your Windows 9x / Me clients will dutifully put their clients in a subdirectory
of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden).
</p><p>
Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in
Windows 9x / Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified <tt class="filename">\\%L\%U</tt> for <i class="parameter"><tt>logon home</tt></i>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989173"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
You can support profiles for both Win9X and WinNT clients by setting both the
<i class="parameter"><tt>logon home</tt></i> and <i class="parameter"><tt>logon path</tt></i> parameters. For example:
</p><pre class="programlisting">
logon home = \\%L\%u\.profiles
logon path = \\%L\profiles\%u
</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989209"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
A question often asked is &#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221; or
&#8220;<span class="quote">How do I disable Roaming Profiles?</span>&#8221;
</p><p>
There are three ways of doing this:
</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd xmlns:ns84=""><ns84:p>
Affect the following settings and ALL clients
will be forced to use a local profile:
</ns84:p><pre class="programlisting">
logon home =
logon path =
</pre><ns84:p>
</ns84:p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd xmlns:ns85=""><ns85:p>
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
</ns85:p><pre class="programlisting">
Local Computer Policy\
Computer Configuration\
Administrative Templates\
System\
User Profiles\
Disable: Only Allow Local User Profiles
Disable: Prevent Roaming Profile Change from Propagating to the Server
</pre><ns85:p>
</ns85:p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
From the start menu right click on the
My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
</p></dd></dl></div><p>
Consult the MS Windows registry guide for your particular MS Windows version for more
information about which registry keys to change to enforce use of only local user
profiles.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
to a local one vary according to the version of MS Windows you are running. Consult the
Microsoft MS Windows Resource Kit for your version of Windows for specific information.
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989358"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989366"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
When a user first logs in on Windows 9X, the file user.DAT is created,
as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
These directories and their contents will be merged with the local
versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins,
taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i>
options <i class="parameter"><tt>preserve case = yes</tt></i>, <i class="parameter"><tt>short preserve case = yes</tt></i> and
<i class="parameter"><tt>case sensitive = no</tt></i> in order to maintain capital letters in shortcuts
in any of the profile folders.
</p><p>
The user.DAT file contains all the user's preferences. If you wish to
enforce a set of preferences, rename their user.DAT file to user.MAN,
and deny them write access to this file.
</p><div class="orderedlist"><ol type="1"><li><p>
On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Passwords</span> and
select the <span class="guilabel">User Profiles</span> tab. Select the required level of
roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer
to reboot.
</p></li><li><p>
On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Network</span> -&gt;
<span class="guimenuitem">Client for Microsoft Networks</span> -&gt; <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to
NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for
Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer
to reboot.
</p></li></ol></div><p>
Under Windows 9x / Me Profiles are downloaded from the Primary Logon.
If you have the Primary Logon as 'Client for Novell Networks', then
the profiles and logon script will be downloaded from your Novell
Server. If you have the Primary Logon as 'Windows Logon', then the
profiles will be loaded from the local machine - a bit against the
concept of roaming profiles, it would seem!
</p><p>
You will now find that the Microsoft Networks Login box contains
[user, password, domain] instead of just [user, password]. Type in
the samba server's domain name (or any other domain known to exist,
but bear in mind that the user will be authenticated against this
domain and profiles downloaded from it, if that domain logon server
supports it), user name and user's password.
</p><p>
Once the user has been successfully validated, the Windows 9x / Me machine
will inform you that <tt class="computeroutput">The user has not logged on before' and asks you
if you wish to save the user's preferences?</tt> Select <span class="guibutton">yes</span>.
</p><p>
Once the Windows 9x / Me client comes up with the desktop, you should be able
to examine the contents of the directory specified in the <i class="parameter"><tt>logon path</tt></i>
on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created.
</p><p>
These folders will be cached locally on the client, and updated when
the user logs off (if you haven't made them read-only by then).
You will find that if the user creates further folders or short-cuts,
that the client will merge the profile contents downloaded with the
contents of the profile directory already on the local client, taking
the newest folders and short-cuts from each set.
</p><p>
If you have made the folders / files read-only on the samba server,
then you will get errors from the Windows 9x / Me machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
you have any errors reported by the Windows 9x / Me machine, check the Unix file
permissions and ownership rights on the profile directory contents,
on the samba server.
</p><p>
If you have problems creating user profiles, you can reset the user's
local desktop cache, as shown below. When this user then next logs in,
they will be told that they are logging in &quot;for the first time&quot;.
</p><div class="orderedlist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Before deleting the contents of the
directory listed in the ProfilePath (this is likely to be
<tt class="filename">c:\windows\profiles\username)</tt>, ask them if they
have any important files stored on their desktop or in their start menu.
Delete the contents of the directory ProfilePath (making a backup if any
of the files are needed).
</p><p>
This will have the effect of removing the local (read-only hidden
system file) user.DAT in their profile directory, as well as the
local &quot;desktop&quot;, &quot;nethood&quot;, &quot;start menu&quot; and &quot;programs&quot; folders.
</p></div><ol type="1"><li><p>
instead of logging in under the [user, password, domain] dialog,
press <span class="guibutton">escape</span>.
</p></li><li><p>
run the <b class="command">regedit.exe</b> program, and look in:
</p><p>
<tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
</p><p>
you will find an entry, for each user, of ProfilePath. Note the
contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>),
then delete the key ProfilePath for the required user.
</p><p>[Exit the registry editor].</p></li><li><p>
search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt>
directory, and delete it.
</p></li><li><p>
log off the windows 9x / Me client.
</p></li><li><p>
check the contents of the profile path (see <i class="parameter"><tt>logon path</tt></i> described
above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user,
making a backup if required.
</p></li></ol></div><p>
If all else fails, increase samba's debug log levels to between 3 and 10,
and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and
look for error messages.
</p><p>
If you have access to an Windows NT4/200x server, then first set up roaming profiles
and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
the example packet traces provided with Windows NT4/200x server, and see what the
differences are with the equivalent samba trace.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2985567"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
When a user first logs in to a Windows NT Workstation, the profile
NTuser.DAT is created. The profile location can be now specified
through the <i class="parameter"><tt>logon path</tt></i> parameter.
</p><p>
There is a parameter that is now available for use with NT Profiles:
<i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and
should be used in conjunction with the new &quot;logon home&quot; parameter.
</p><p>
The entry for the NT4 profile is a _directory_ not a file. The NT
help on profiles mentions that a directory is also created with a .PDS
extension. The user, while logging in, must have write permission to
create the full profile path (and the folder with the .PDS extension
for those situations where it might be created.)
</p><p>
In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>,
<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file
<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and
its purpose is currently unknown.
</p><p>
You can use the <span class="application">System Control Panel</span> to copy a local profile onto
a samba server (see NT Help on profiles: it is also capable of firing
up the correct location in the <span class="application">System Control Panel</span> for you). The
NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt>
turns a profile into a mandatory one.
</p><p>
The case of the profile is significant. The file must be called
<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2985724"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
You must first convert the profile from a local profile to a domain
profile on the MS Windows workstation as follows:
</p><div class="procedure"><ol type="1"><li><p>
Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator.
</p></li><li><p>
Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span>
</p></li><li><p>
Click on the <span class="guilabel">User Profiles</span> tab
</p></li><li><p>
Select the profile you wish to convert (click on it once)
</p></li><li><p>
Click on the button <span class="guibutton">Copy To</span>
</p></li><li><p>
In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button.
</p></li><li><p>
Click on the 'Look in&quot; area that lists the machine name, when you click
here it will open up a selection box. Click on the domain to which the
profile must be accessible.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect
as: <i class="replaceable"><tt>MIDEARTH</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p>
To make the profile capable of being used by anyone select 'Everyone'
</p></li><li><p>
Click <span class="guibutton">OK</span>. The Selection box will close.
</p></li><li><p>
Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
nominated.
</p></li></ol></div><p>
Done. You now have a profile that can be edited using the samba-3.0.0
<b class="command">profiles</b> tool.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Under NT/2K the use of mandatory profiles forces the use of MS Exchange
storage of mail data. That keeps desktop profiles usable.
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><div class="procedure"><ol type="1"><li><p>
This is a security check new to Windows XP (or maybe only
Windows XP service pack 1). It can be disabled via a group policy in
Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User
Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>.
Does the new version of samba have an Active Directory analogue? If so,
then you may be able to set the policy through this.
</p><p>
If you cannot set group policies in samba, then you may be able to set
the policy locally on each machine. If you want to try this, then do
the following (N.B. I don't know for sure that this will work in the
same way as a domain group policy):
</p></li><li><p>
On the XP workstation log in with an Administrator account.
</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the &quot;Console Root&quot; window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
<span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
refers to the console settings rather than the policies you have
changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990295"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
Sharing of desktop profiles between Windows versions is NOT recommended.
Desktop profiles are an evolving phenomenon and profiles for later versions
of MS Windows clients add features that may interfere with earlier versions
of MS Windows clients. Probably the more salient reason to NOT mix profiles
is that when logging off an earlier version of MS Windows the older format
of profile contents may overwrite information that belongs to the newer
version resulting in loss of profile information content when that user logs
on again with the newer version of MS Windows.
</p><p>
If you then want to share the same Start Menu / Desktop with W9x/Me, you will
need to specify a common location for the profiles. The smb.conf parameters
that need to be common are <i class="parameter"><tt>logon path</tt></i> and
<i class="parameter"><tt>logon home</tt></i>.
</p><p>
If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
<tt class="filename">NTuser.DAT</tt> files in the same profile directory.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990360"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
There is nothing to stop you specifying any path that you like for the
location of users' profiles. Therefore, you could specify that the
profile be stored on a samba server, or any other SMB server, as long as
that SMB server supports encrypted passwords.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990377"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
Unfortunately, the Resource Kit information is specific to the version of MS Windows
NT4/200x. The correct resource kit is required for each platform.
</p><p>
Here is a quick guide:
</p><div class="procedure"><ol type="1"><li><p>
On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then
select the tab labelled <span class="guilabel">User Profiles</span>.
</p></li><li><p>
Select a user profile you want to migrate and click on it.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term &quot;migrate&quot; loosely. You can copy a profile to
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your samba
domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
<tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
Follow the above for every profile you need to migrate.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990540"></a>Side bar Notes</h4></div></div><div></div></div><p>
You should obtain the SID of your NT4 domain. You can use smbpasswd to do
this. Read the man page.</p><p>
With Samba-3.0.0 alpha code you can import all you NT4 domain accounts
using the net samsync method. This way you can retain your profile
settings as well as all your users.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990562"></a>moveuser.exe</h4></div></div><div></div></div><p>
The W2K professional resource kit has moveuser.exe. moveuser.exe changes
the security of a profile from one user to another. This allows the account
domain to change, and/or the user name to change.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990578"></a>Get SID</h4></div></div><div></div></div><p>
You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
Resource Kit.
</p><p>
Windows NT 4.0 stores the local profile information in the registry under
the following key:
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt>
</p><p>
Under the ProfileList key, there will be subkeys named with the SIDs of the
users who have logged on to this computer. (To find the profile information
for the user whose locally cached profile you want to move, find the SID for
the user with the GetSID.exe utility.) Inside of the appropriate user's
subkey, you will see a string value named ProfileImagePath.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990620"></a>Mandatory profiles</h2></div></div><div></div></div><p>
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
During the user's session it may be possible to change the desktop environment, but
as the user logs out all changes made will be lost. If it is desired to NOT allow the
user any ability to change the desktop environment then this must be done through
policy settings. See previous chapter.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Under NO circumstances should the profile directory (or it's contents) be made read-only
as this may render the profile un-usable.
</p></div><p>
For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
file in the copied profile and rename it to NTUser.MAN.
</p><p>
For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to
affect a mandatory profile.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990678"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
Most organisations are arranged into departments. There is a nice benefit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
a template (example) user. Then using the profile migration tool (see above) the
profile is assigned access rights for the user group that needs to be given access
to the group profile.
</p><p>
The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile
to users (ie: Using User Manager) on a &quot;per user&quot; basis, the group itself is assigned
the now modified profile.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Be careful with group profiles, if the user who is a member of a group also
has a personal profile, then the result will be a fusion (merge) of the two.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990723"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
a profile does not already exist. Armed with a knowledge of where the default profile
is located on the Windows workstation, and knowing which registry keys affect the path
from which the default profile is created, it is possible to modify the default profile
to one that has been optimised for the site. This has significant administrative
advantages.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990743"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
Policy Editor</span> or change the registry directly.
</p><p>
To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then
select <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Open Registry</span>, then click on the
<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes.
</p><p>
To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive
<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name
&quot;User Profiles&quot;, to enable user profiles set the value to 1, to disable user profiles set it to 0.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990841"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
When a user logs on to a Windows 9x / Me machine, the local profile path,
<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
for an existing entry for that user:
</p><p>
If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
version of the user profile. Windows 9x / Me also checks the user's home directory (or other
specified directory if the location has been modified) on the server for the User Profile.
If a profile exists in both locations, the newer of the two is used. If the User Profile exists
on the server, but does not exist on the local machine, the profile on the server is downloaded
and used. If the User Profile only exists on the local machine, that copy is used.
</p><p>
If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
machine is used and is copied to a newly created folder for the logged on user. At log off, any
changes that the user made are written to the user's local profile. If the user has a roaming
profile, the changes are written to the user's profile on the server.
</p></div></div><div xmlns:ns86="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990891"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
On MS Windows NT4 the default user profile is obtained from the location
<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>.
</p><p>
The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
system users. The <tt class="filename">Default User</tt> directory contains menu entries that are
customisable per user depending on the profile settings chosen/created.
</p><p>
When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>All Users settings</td></tr><tr><td>Default User settings (contains the default NTUser.DAT file)</td></tr></table><p>
When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
the following steps are followed in respect of profile handling:
</p><div class="procedure"><ol type="1"><li><p>
The users' account information which is obtained during the logon process contains
the location of the users' desktop profile. The profile path may be local to the
machine or it may be located on a network share. If there exists a profile at the location
of the path from the user account, then this profile is copied to the location
<tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the
settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
location.
</p></li><li><p>
If the user account has a profile path, but at it's location a profile does not exist,
then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
directory from reading the <tt class="filename">Default User</tt> profile.
</p></li><li><p>
If the NETLOGON share on the authenticating server (logon server) contains a policy file
(<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt>
which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry.
</p></li><li><p>
When the user logs out, if the profile is set to be a roaming profile it will be written
out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>.
</p></li></ol></div><p>
MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
also remain stored in the same way, unless the following registry key is created:
</p><ns86:p>
</ns86:p><pre class="programlisting">
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
&quot;DeleteRoamingCache&quot;=dword:00000001
</pre><ns86:p>
In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
deleted on logout.
</ns86:p><p>
Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>
may be redirected to a network share by modifying the following registry keys. These changes may be affected
via use of the System Policy Editor (to do so may require that you create your owns template extension
for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first
creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.
</p><p>
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
are controlled by entries on Windows NT4 is:
</p><p>
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
</p><p>
The above hive key contains a list of automatically managed folders. The default entries are:
</p><ns86:p>
</ns86:p><div class="table"><a name="id2991239"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><ns86:p>
</ns86:p><p>
The registry key that contains the location of the default profile settings is:
</p><p>
<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
</p><ns86:p>
The default entries are:
</ns86:p><div class="table"><a name="id2991383"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><ns86:p>
</ns86:p></div><div xmlns:ns87="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991445"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
MS Windows XP Home Edition does use default per user profiles, but can not participate
in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
only from itself. While there are benefits in doing this the beauty of those MS Windows
clients that CAN participate in domain logon processes allows the administrator to create
a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
</p></div><p>
When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change
the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
workstation.
</p><p>
When MS Windows 200x/XP participate in a domain security context, and if the default user
profile is not found, then the client will search for a default profile in the NETLOGON share
of the authenticating server. ie: In MS Windows parlance:
<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this
to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows
login name of the user.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory
should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>.
</p></div><p>
If a default profile does not exist in this location then MS Windows 200x/XP will use the local
default profile.
</p><p>
On logging out, the users' desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
</p><p>
Those wishing to modify the default behaviour can do so through three methods:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Modify the registry keys on the local machine manually and place the new default profile in the
NETLOGON share root - NOT recommended as it is maintenance intensive.
</p></li><li><p>
Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
in the root of the NETLOGON share along with the new default profile.
</p></li><li><p>
Create a GPO that enforces this through Active Directory, and place the new default profile
in the NETLOGON share.
</p></li></ul></div><p>
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
are controlled by entries on Windows 200x/XP is:
</p><p>
<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
</p><p>
The above hive key contains a list of automatically managed folders. The default entries are:
</p><ns87:p>
</ns87:p><div class="table"><a name="id2991638"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><ns87:p>
</ns87:p><p>
There is also an entry called &quot;Default&quot; that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
</p><p>
It makes a huge difference to the speed of handling roaming user profiles if all the folders are
stored on a dedicated location on a network server. This means that it will NOT be necessary to
write the Outlook PST file over the network for every login and logout.
</p><p>
To set this to a network location you could use the following examples:
</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p>
This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt>
You could also use:
</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows
user as seen by the Linux/Unix file system.
</p><p>
Please note that once you have created a default profile share, you MUST migrate a user's profile
(default or custom) to it.
</p><p>
MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
A roaming profile will be cached locally unless the following registry key is created:
</p><p><tt class="filename">HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\&quot;DeleteRoamingCache&quot;=dword:00000001</tt></p><p>
In which case, the local cache copy will be deleted on logout.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991949"></a>Common Errors</h2></div></div><div></div></div><p>
The following are some typical errors/problems/questions that have been asked.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991962"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p>
With samba-2.2.x the choice you have is to enable or disable roaming
profiles support. It is a global only setting. The default is to have
roaming profiles and the default path will locate them in the user's home
directory.
</p><p>
If disabled globally then no-one will have roaming profile ability.
If enabled and you want it to apply only to certain machines, then on
those machines on which roaming profile support is NOT wanted it is then
necessary to disable roaming profile handling in the registry of each such
machine.
</p><p>
With samba-3.0.0 (soon to be released) you can have a global profile
setting in smb.conf _AND_ you can over-ride this by per-user settings
using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
</p><p>
In any case, you can configure only one profile per user. That profile can
be either:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div xmlns:ns89="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2992025"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
&#8220;<span class="quote">
I dont want Roaming profile to be implemented, I just want to give users
local profiles only.
...
Please help me I am totally lost with this error from past two days I tried
everything and googled around quite a bit but of no help. Please help me.
</span>&#8221;</p><ns89:p>
Your choices are:
</ns89:p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p>
I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
</p></dd><dt><span class="term">Roaming profiles</span></dt><dd xmlns:ns88=""><ns88:p>
</ns88:p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><ns88:p>
Your choices are:
</ns88:p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
- should be preserved on a central server
- workstations 'cache' (store) a local copy
- used in case the profile can not be downloaded
at next logon
</p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a central place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
- can be personal or group
- can NOT be changed (except by an administrator
</p></dd></dl></div><ns88:p>
</ns88:p></dd></dl></div><ns89:p>
</ns89:p><p>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
size. On average (in a well controlled environment) roaming profile size of
2MB is a good rule of thumb to use for planning purposes. In an
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it take an hour to log onto a workstation but they harvest
the fruits of folly (and ignorance).
</p><p>
The point of all the above is to show that roaming profiles and good
controls of how they can be changed as well as good discipline make up for
a problem free site.
</p><p>
Microsoft's answer to the PST problem is to store all email in an MS
Exchange Server back-end. But this is another story ...!
</p><ns89:p>
So, having LOCAL profiles means:
</ns89:p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><ns89:p>
On the other hand, having roaming profiles means:
</ns89:p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><ns89:p>
</ns89:p><p>
I have managed and installed MANY NT/2K networks and have NEVER found one
where users who move from machine to machine are happy with local
profiles. In the long run local profiles bite them.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2992243"></a>Changing the default profile</h3></div></div><div></div></div><p>&#8220;<span class="quote">
When the client tries to logon to the PDC it looks for a profile to download
where do I put this default profile.
</span>&#8221;</p><p>
Firstly, your samba server need to be configured as a domain controller.
</p><pre class="programlisting">
server = user
os level = 32 (or more)
domain logons = Yes
</pre><p>
Plus you need to have a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable.
It is a good idea to add a logon script to pre-set printer and
drive connections. There is also a facility for automatically
synchronizing the workstation time clock with that of the logon
server (another good thing to do).
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
To invoke auto-deletion of roaming profile from the local
workstation cache (disk storage) you need to use the <span class="application">Group Policy Editor</span>
to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This
file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p>
Oh, of course the windows clients need to be members of the domain.
Workgroup machines do NOT do network logons - so they never see domain
profiles.
</p><p>
Secondly, for roaming profiles you need:
logon path = \\%N\profiles\%U (with some such path)
logon drive = H: (Z: is the default)
Plus you need a PROFILES share that is world writable.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html>

View File

@ -1,201 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3002261">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3002111">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3003000">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3003113">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3003176">Global Settings</a></dt><dt><a href="SWAT.html#id3003282">Share Settings</a></dt><dt><a href="SWAT.html#id3003346">Printers Settings</a></dt><dt><a href="SWAT.html#id3003411">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3003459">The Status Page</a></dt><dt><a href="SWAT.html#id3003511">The View Page</a></dt><dt><a href="SWAT.html#id3003534">The Password Change Page</a></dt></dl></dd></dl></div><p>
There are many and varied opinions regarding the usefulness or otherwise of SWAT.
No matter how hard one tries to produce the perfect configuration tool it remains
an object of personal taste. SWAT is a tool that will allow web based configuration
of samba. It has a wizard that may help to get samba configured quickly, it has context
sensitive help on each smb.conf parameter, it provides for monitoring of current state
of connection information, and it allows network wide MS Windows network password
management.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3002261"></a>Features and Benefits</h2></div></div><div></div></div><p>
There are network administrators who believe that it is a good idea to write systems
documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT
does not store the configuration file in any intermediate form, rather, it stores only the
parameter settings, so when SWAT writes the smb.conf file to disk it will write only
those parameters that are at other than the default settings. The result is that all comments
will be lost from the <tt class="filename">smb.conf</tt> file. Additionally, the parameters will be written back in
internal ordering.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
So before using SWAT please be warned - SWAT will completely replace your smb.conf with
a fully optimised file that has been stripped of all comments you might have placed there
and only non-default settings will be written to the file.
</p></div><div xmlns:ns96="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3002111"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
SWAT should be installed to run via the network super daemon. Depending on which system
your Unix/Linux system has you will have either an <b class="command">inetd</b> or
<b class="command">xinetd</b> based system.
</p><p>
The nature and location of the network super-daemon varies with the operating system
implementation. The control file (or files) can be located in the file
<tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet.d</tt>
or similar.
</p><p>
The control entry for the older style file might be:
</p><pre class="programlisting">
# swat is the Samba Web Administration Tool
swat stream tcp nowait.400 root /usr/sbin/swat swat
</pre><p>
A control file for the newer style xinetd could be:
</p><ns96:p>
</ns96:p><pre class="programlisting">
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
# to configure your Samba server. To use SWAT, \
# connect to port 901 with your favorite web browser.
service swat
{
port = 901
socket_type = stream
wait = no
only_from = localhost
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = yes
}
</pre><ns96:p>
</ns96:p><p>
Both the above examples assume that the <b class="command">swat</b> binary has been
located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above
SWAT will use a directory access point from which it will load it's help files
as well as other control information. The default location for this on most Linux
systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default
location using samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>.
</p><p>
Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
the only permission allowed is to view certain aspects of configuration as well as
access to the password change facility. The buttons that will be exposed to the non-root
user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>,
<span class="guibutton">PASSWORD</span>. The only page that allows
change capability in this case is <span class="guibutton">PASSWORD</span>.
</p><p>
So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span> you should obtain
full change and commit ability. The buttons that will be exposed includes:
<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003000"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
Lots of people have asked about how to setup SWAT with SSL to allow for secure remote
administration of Samba. Here is a method that works, courtesy of Markus Krieger
</p><p>
Modifications to the swat setup are as following:
</p><div class="procedure"><ol type="1"><li><p>
install OpenSSL
</p></li><li xmlns:ns97=""><ns97:p>
generate certificate and private key
</ns97:p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
</pre></li><li><p>
remove swat-entry from [x]inetd
</p></li><li xmlns:ns98=""><ns98:p>
start stunnel
</ns98:p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat </tt></b>
</pre></li></ol></div><p>
afterwords simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
and the SSL connection is up.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003113"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
The SWAT title page provides access to the latest Samba documentation. The manual page for
each samba component is accessible from this page as are the Samba-HOWTO-Collection (this
document) as well as the O'Reilly book &quot;Using Samba&quot;.
</p><p>
Administrators who wish to validate their samba configuration may obtain useful information
from the man pages for the diagnostic utilities. These are available from the SWAT home page
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
useful is <b class="command">ethereal</b>, available from <a href="http://www.ethereal.com" target="_top">
http://www.ethereal.com</a>.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
changes to smb.conf as well as general operation with root privileges. The option that
creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any
production environment.</em></span>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003176"></a>Global Settings</h3></div></div><div></div></div><p>
The Globals button will expose a page that allows configuration of the global parameters
in smb.conf. There are three levels of exposure of the parameters:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<span class="emphasis"><em>Basic</em></span> - exposes common configuration options.
</p></li><li><p>
<span class="emphasis"><em>Advanced</em></span> - exposes configuration options needed in more
complex environments.
</p></li><li><p>
<span class="emphasis"><em>Developer</em></span> - exposes configuration options that only the brave
will want to tamper with.
</p></li></ul></div><p>
To switch to other than <span class="emphasis"><em>Basic</em></span> editing ability click on either the
<span class="emphasis"><em>Advanced</em></span> or the <span class="emphasis"><em>Developer</em></span> dial, then click the
<span class="guibutton">Commit Changes</span> button.
</p><p>
After making any changes to configuration parameters make sure that you click on the
<span class="guibutton">Commit Changes</span> button before moving to another area otherwise
your changes will be immediately lost.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
SWAT has context sensitive help. To find out what each parameter is for simply click the
<span class="guibutton">Help</span> link to the left of the configuration parameter.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003282"></a>Share Settings</h3></div></div><div></div></div><p>
To affect a currently configured share, simply click on the pull down button between the
<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
select the share you wish to operate on, then to edit the settings click on the
<span class="guibutton">Choose Share</span> button, to delete the share simply press the
<span class="guibutton">Delete Share</span> button.
</p><p>
To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter
into the text field the name of the share to be created, then click on the
<span class="guibutton">Create Share</span> button.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003346"></a>Printers Settings</h3></div></div><div></div></div><p>
To affect a currently configured printer, simply click on the pull down button between the
<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<span class="guibutton">Choose Printer</span> button, to delete the share simply press the
<span class="guibutton">Delete Printer</span> button.
</p><p>
To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter
into the text field the name of the share to be created, then click on the
<span class="guibutton">Create Printer</span> button.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003411"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
to configure Samba with a minimum of effort.
</p><p>
The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
This will also happen if you press the commit button. The two differ in the the rewrite button
ignores any changes that may have been made, while the Commit button causes all changes to be
affected.
</p><p>
The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working Samba server.
</p><p>
Finally, there are a limited set of options that will determine what type of server Samba
will be configured for, whether it will be a WINS server, participate as a WINS client, or
operate with no WINS support. By clicking on one button you can elect to expose (or not) user
home directories.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003459"></a>The Status Page</h3></div></div><div></div></div><p>
The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
</p><p>
The daemons may be controlled individually or as a total group. Additionally, you may set
an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes
will be continually spawned. The auto-refresh facility will allow you to track the changing
conditions with minimal effort.
</p><p>
Lastly, the Status page may be used to terminate specific smbd client connections in order to
free files that may be locked.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003511"></a>The View Page</h3></div></div><div></div></div><p>
This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are
particularly masochistic, will permit you also to see all possible global configuration
parameters and their settings.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003534"></a>The Password Change Page</h3></div></div><div></div></div><p>
The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation
and reactivation of MS Windows networking users on the local machine. Alternatively, you can use
this tool to change a local password for a user account.
</p><p>
When logged in as a non-root account the user will have to provide the old password as well as
the new password (twice). When logged in as <span class="emphasis"><em>root</em></span> only the new password is
required.
</p><p>
One popular use for this tool is to change user passwords across a range of remote MS Windows
servers.
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long