sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-05 21:57:51 +03:00
Code

A lot of syntax updates, consistency when using certain tags and converting ASCII -> XML

Browse Source 
(This used to be commit 85434d3144656e6fe587637276d6a2667df1857f)
This commit is contained in:
Jelmer Vernooij 2003-05-27 16:46:06 +00:00
parent 090d70fc3f
commit cc841dde2f
13 changed files with 637 additions and 639 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/docbook/projdoc/Compiling.xml
View File

@ -452,14 +452,16 @@ example of what you would not want to see would be:
<sect1>
<title>Common Errors</title>
<para>
I've compiled Samba-3 from the CVS and the two binaries (smbd and nmbd)
are very large files (40 Mg and 20 Mg). I've the same result with
--enable-shared ?
<para><quote>
I'm using gcc 3 and I've compiled Samba-3 from the CVS and the
binaries are very large files (40 Mb and 20 Mb). I've the same result with
<option>--enable-shared</option> ?
</quote>
</para>
<para>
Answer: Strip the binaries (or dond't compile with -g).
The dwarf format used by GCC 3 for storing debugging symbols is very inefficient.
Strip the binaries, don't compile with -g or compile with -gstabs.
</para>
</sect1>

574
docs/docbook/projdoc/ProfileMgmt.xml
View File

@ -320,7 +320,7 @@ they will be told that they are logging in "for the first time".
<listitem>
<para>
instead of logging in under the [user, password, domain] dialog,
press escape.
press <guibutton>escape</guibutton>.
</para>
</listitem>
@ -342,9 +342,9 @@ they will be told that they are logging in "for the first time".
<para>[Exit the registry editor].</para>
</listitem>
<listitem>
<para>
<emphasis>WARNING</emphasis> - before deleting the contents of the
<warning>
<para>
Before deleting the contents of the
directory listed in the ProfilePath (this is likely to be
<filename>c:\windows\profiles\username)</filename>, ask them if they
have any important files stored on their desktop or in their start menu.
@ -357,11 +357,11 @@ they will be told that they are logging in "for the first time".
system file) user.DAT in their profile directory, as well as the
local "desktop", "nethood", "start menu" and "programs" folders.
</para>
</listitem>
</warning>
<listitem>
<para>
search for the user's .PWL password-caching file in the c:\windows
search for the user's .PWL password-caching file in the <filename>c:\windows</filename>
directory, and delete it.
</para>
</listitem>
@ -374,8 +374,8 @@ they will be told that they are logging in "for the first time".
<listitem>
<para>
check the contents of the profile path (see "logon path" described
above), and delete the user.DAT or user.MAN file for the user,
check the contents of the profile path (see <parameter>logon path</parameter> described
above), and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename> file for the user,
making a backup if required.
</para>
</listitem>
@ -384,7 +384,7 @@ they will be told that they are logging in "for the first time".
<para>
If all else fails, increase samba's debug log levels to between 3 and 10,
and / or run a packet trace program such as ethereal or netmon.exe, and
and / or run a packet trace program such as ethereal or <command>netmon.exe</command>, and
look for error messages.
</para>
@ -403,12 +403,12 @@ differences are with the equivalent samba trace.
<para>
When a user first logs in to a Windows NT Workstation, the profile
NTuser.DAT is created. The profile location can be now specified
through the "logon path" parameter.
through the <parameter>logon path</parameter> parameter.
</para>
<para>
There is a parameter that is now available for use with NT Profiles:
"logon drive". This should be set to <filename>H:</filename> or any other drive, and
<parameter>logon drive</parameter>. This should be set to <filename>H:</filename> or any other drive, and
should be used in conjunction with the new "logon home" parameter.
</para>
@ -422,23 +422,23 @@ for those situations where it might be created.)
<para>
In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
It creates "Application Data" and others, as well as "Desktop", "Nethood",
"Start Menu" and "Programs". The profile itself is stored in a file
NTuser.DAT. Nothing appears to be stored in the .PDS directory, and
It creates <filename>Application Data</filename> and others, as well as <filename>Desktop</filename>, <filename>Nethood</filename>,
<filename>Start Menu</filename> and <filename>Programs</filename>. The profile itself is stored in a file
<filename>NTuser.DAT</filename>. Nothing appears to be stored in the .PDS directory, and
its purpose is currently unknown.
</para>
<para>
You can use the System Control Panel to copy a local profile onto
You can use the <application>System Control Panel</application> to copy a local profile onto
a samba server (see NT Help on profiles: it is also capable of firing
up the correct location in the System Control Panel for you). The
NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
up the correct location in the <application>System Control Panel</application> for you). The
NT Help file also mentions that renaming <filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename>
turns a profile into a mandatory one.
</para>
<para>
The case of the profile is significant. The file must be called
NTuser.DAT or, for a mandatory profile, NTuser.MAN.
<filename>NTuser.DAT</filename> or, for a mandatory profile, <filename>NTuser.MAN</filename>.
</para>
</sect3>
@ -450,58 +450,58 @@ You must first convert the profile from a local profile to a domain
profile on the MS Windows workstation as follows:
</para>
<itemizedlist>
<listitem><para>
Log on as the LOCAL workstation administrator.
</para></listitem>
<procedure>
<step><para>
Log on as the <emphasis>LOCAL</emphasis> workstation administrator.
</para></step>
<listitem><para>
Right click on the 'My Computer' Icon, select 'Properties'
</para></listitem>
<step><para>
Right click on the <guiicon>My Computer</guiicon> Icon, select <guimenuitem>Properties</guimenuitem>
</para></step>
<listitem><para>
Click on the 'User Profiles' tab
</para></listitem>
<step><para>
Click on the <guilabel>User Profiles</guilabel> tab
</para></step>
<listitem><para>
<step><para>
Select the profile you wish to convert (click on it once)
</para></listitem>
</para></step>
<listitem><para>
Click on the button 'Copy To'
</para></listitem>
<step><para>
Click on the button <guibutton>Copy To</guibutton>
</para></step>
<listitem><para>
In the "Permitted to use" box, click on the 'Change' button.
</para></listitem>
<step><para>
In the <guilabel>Permitted to use</guilabel> box, click on the <guibutton>Change</guibutton> button.
</para></step>
<listitem><para>
<step><para>
Click on the 'Look in" area that lists the machine name, when you click
here it will open up a selection box. Click on the domain to which the
profile must be accessible.
</para>
<note><para>You will need to log on if a logon box opens up. Eg: In the connect
as: MIDEARTH\root, password: mypassword.</para></note>
</listitem>
as: <replaceable>MIDEARTH</replaceable>\root, password: <replaceable>mypassword</replaceable>.</para></note>
</step>
<listitem><para>
<step><para>
To make the profile capable of being used by anyone select 'Everyone'
</para></listitem>
</para></step>
<listitem><para>
Click OK. The Selection box will close.
</para></listitem>
<step><para>
Click <guibutton>OK</guibutton>. The Selection box will close.
</para></step>
<listitem><para>
Now click on the 'Ok' button to create the profile in the path you
<step><para>
Now click on the <guibutton>Ok</guibutton> button to create the profile in the path you
nominated.
</para></listitem>
</itemizedlist>
</para></step>
</procedure>
<para>
Done. You now have a profile that can be editted using the samba-3.0.0
<filename>profiles</filename> tool.
<command>profiles</command> tool.
</para>
<note>
@ -512,16 +512,16 @@ storage of mail data. That keeps desktop profiles usable.
</note>
<note>
<itemizedlist>
<listitem><para>
<procedure>
<step><para>
This is a security check new to Windows XP (or maybe only
Windows XP service pack 1). It can be disabled via a group policy in
Active Directory. The policy is:</para>
<para>"Computer Configuration\Administrative Templates\System\User
Profiles\Do not check for user ownership of Roaming Profile Folders"</para>
<para><filename>Computer Configuration\Administrative Templates\System\User
Profiles\Do not check for user ownership of Roaming Profile Folders</filename></para>
<para>...and it should be set to "Enabled".
<para>...and it should be set to <constant>Enabled</constant>.
Does the new version of samba have an Active Directory analogue? If so,
then you may be able to set the policy through this.
</para>
@ -533,36 +533,35 @@ the following (N.B. I don't know for sure that this will work in the
same way as a domain group policy):
</para>
</listitem>
</step>
<listitem><para>
<step><para>
On the XP workstation log in with an Administrator account.
</para></listitem>
</para></step>
<listitem><para>Click: "Start", "Run"</para></listitem>
<listitem><para>Type: "mmc"</para></listitem>
<listitem><para>Click: "OK"</para></listitem>
<step><para>Click: <guimenu>Start</guimenu>, <guimenuitem>Run</guimenuitem></para></step>
<step><para>Type: <userinput>mmc</userinput></para></step>
<step><para>Click: <guibutton>OK</guibutton></para></step>
<listitem><para>A Microsoft Management Console should appear.</para></listitem>
<listitem><para>Click: File, "Add/Remove Snap-in...", "Add"</para></listitem>
<listitem><para>Double-Click: "Group Policy"</para></listitem>
<listitem><para>Click: "Finish", "Close"</para></listitem>
<listitem><para>Click: "OK"</para></listitem>
<step><para>A Microsoft Management Console should appear.</para></step>
<step><para>Click: <guimenu>File</guimenu>, <guimenuitem>Add/Remove Snap-in...</guimenuitem>, <guimenuitem>Add</guimenuitem></para></step>
<step><para>Double-Click: <guiicon>Group Policy</guiicon></para></step>
<step><para>Click: <guibutton>Finish</guibutton>, <guibutton>Close</guibutton></para></step>
<step><para>Click: <guibutton>OK</guibutton></para></step>
<listitem><para>In the "Console Root" window:</para></listitem>
<listitem><para>Expand: "Local Computer Policy", "Computer Configuration",</para></listitem>
<listitem><para>"Administrative Templates", "System", "User Profiles"</para></listitem>
<listitem><para>Double-Click: "Do not check for user ownership of Roaming Profile</para></listitem>
<listitem><para>Folders"</para></listitem>
<listitem><para>Select: "Enabled"</para></listitem>
<listitem><para>Click: OK"</para></listitem>
<step><para>In the "Console Root" window:</para></step>
<step><para>Expand: <guiicon>Local Computer Policy</guiicon>, <guiicon>Computer Configuration</guiicon>,
<guiicon>Administrative Templates</guiicon>, <guiicon>System</guiicon>, <guiicon>User Profiles</guiicon></para></step>
<step><para>Double-Click: <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel></para></step>
<step><para>Select: <guilabel>Enabled</guilabel></para></step>
<step><para>Click: <guibutton>OK</guibutton></para></step>
<listitem><para>Close the whole console. You do not need to save the settings (this
<step><para>Close the whole console. You do not need to save the settings (this
refers to the console settings rather than the policies you have
changed).</para></listitem>
changed).</para></step>
<listitem><para>Reboot</para></listitem>
</itemizedlist>
<step><para>Reboot</para></step>
</procedure>
</note>
</sect3>
</sect2>
@ -584,13 +583,13 @@ on again with the newer version of MS Windows.
<para>
If you then want to share the same Start Menu / Desktop with W9x/Me, you will
need to specify a common location for the profiles. The smb.conf parameters
that need to be common are <emphasis>logon path</emphasis> and
<emphasis>logon home</emphasis>.
that need to be common are <parameter>logon path</parameter> and
<parameter>logon home</parameter>.
</para>
<para>
If you have this set up correctly, you will find separate user.DAT and
NTuser.DAT files in the same profile directory.
If you have this set up correctly, you will find separate <filename>user.DAT</filename> and
<filename>NTuser.DAT</filename> files in the same profile directory.
</para>
</sect2>
@ -617,14 +616,14 @@ NT4/200x. The correct resource kit is required for each platform.
Here is a quick guide:
</para>
<itemizedlist>
<procedure>
<listitem><para>
On your NT4 Domain Controller, right click on 'My Computer', then
select the tab labelled 'User Profiles'.
</para></listitem>
<step><para>
On your NT4 Domain Controller, right click on <guiicon>My Computer</guiicon>, then
select the tab labelled <guilabel>User Profiles</guilabel>.
</para></step>
<listitem><para>
<step><para>
Select a user profile you want to migrate and click on it.
</para>
@ -632,20 +631,20 @@ Select a user profile you want to migrate and click on it.
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your samba
domain is not a member of a trust relationship with your NT4 PDC.</para></note>
</listitem>
</step>
<listitem><para>Click the 'Copy To' button.</para></listitem>
<step><para>Click the <guibutton>Copy To</guibutton> button.</para></step>
<listitem><para>In the box labelled 'Copy Profile to' add your new path, eg:
<filename>c:\temp\foobar</filename></para></listitem>
<step><para>In the box labelled <guilabel>Copy Profile to</guilabel> add your new path, eg:
<filename>c:\temp\foobar</filename></para></step>
<listitem><para>Click on the button labelled 'Change' in the "Permitted to use" box.</para></listitem>
<step><para>Click on the button <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step>
<listitem><para>Click on the group 'Everyone' and then click OK. This closes the
'chose user' box.</para></listitem>
<step><para>Click on the group 'Everyone' and then click <guibutton>OK</guibutton>. This closes the
'choose user' box.</para></step>
<listitem><para>Now click OK.</para></listitem>
</itemizedlist>
<step><para>Now click <guibutton>OK</guibutton>.</para></step>
</procedure>
<para>
Follow the above for every profile you need to migrate.
@ -690,7 +689,7 @@ Resource Kit.
<para>
Windows NT 4.0 stores the local profile information in the registry under
the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename>
</para>
<para>
@ -730,7 +729,7 @@ file in the copied profile and rename it to NTUser.MAN.
</para>
<para>
For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to
For MS Windows 9x / Me it is the <filename>User.DAT</filename> file that must be renamed to <filename>User.MAN</filename> to
affect a mandatory profile.
</para>
@ -750,7 +749,7 @@ to the group profile.
</para>
<para>
The next step is rather important. PLEASE NOTE: Instead of assigning a group profile
The next step is rather important. <strong>Please note:</strong> Instead of assigning a group profile
to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned
the now modified profile.
</para>
@ -780,18 +779,19 @@ advantages.
<title>MS Windows 9x/Me</title>
<para>
To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System
Policy Editor or change the registry directly.
To enable default per use profiles in Windows 9x / Me you can either use the <application>Windows 98 System
Policy Editor</application> or change the registry directly.
</para>
<para>
To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then
select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System,
select User Profiles, click on the enable box. Do not forget to save the registry changes.
To enable default per user profiles in Windows 9x / Me, launch the <application>System Policy Editor</application>, then
select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>, then click on the
<guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>,
select <guilabel>User Profiles</guilabel>, click on the enable box. Do not forget to save the registry changes.
</para>
<para>
To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive
To modify the registry directly, launch the <application>Registry Editor</application> (<command>regedit.exe</command>), select the hive
<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name
"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.
</para>
@ -831,7 +831,7 @@ profile, the changes are written to the user's profile on the server.
On MS Windows NT4 the default user profile is obtained from the location
<filename>%SystemRoot%\Profiles</filename> which in a default installation will translate to
<filename>C:\WinNT\Profiles</filename>. Under this directory on a clean install there will be
three (3) directories: <filename>Administrator, All Users, Default User</filename>.
three (3) directories: <filename>Administrator</filename>, <filename>All Users</filename>, <filename>Default User</filename>.
</para>
<para>
@ -854,8 +854,8 @@ When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft
the following steps are followed in respect of profile handling:
</para>
<orderedlist>
<listitem>
<procedure>
<step>
<para>
The users' account information which is obtained during the logon process contains
the location of the users' desktop profile. The profile path may be local to the
@ -865,25 +865,25 @@ the following steps are followed in respect of profile handling:
settings in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename>
location.
</para>
</listitem>
</step>
<listitem>
<step>
<para>
If the user account has a profile path, but at it's location a profile does not exist,
then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename>
directory from reading the <filename>Default User</filename> profile.
</para>
</listitem>
</step>
<listitem>
<step>
<para>
If the NETLOGON share on the authenticating server (logon server) contains a policy file
(<filename>NTConfig.POL</filename>) then it's contents are applied to the <filename>NTUser.DAT</filename>
which is applied to the <filename>HKEY_CURRENT_USER</filename> part of the registry.
</para>
</listitem>
</step>
<listitem>
<step>
<para>
When the user logs out, if the profile is set to be a roaming profile it will be written
out to the location of the profile. The <filename>NTuser.DAT</filename> file is then
@ -892,8 +892,8 @@ the following steps are followed in respect of profile handling:
next logon, the effect of the provious <filename>NTConfig.POL</filename> will still be held
in the profile. The effect of this is known as <emphasis>tatooing</emphasis>.
</para>
</listitem>
</orderedlist>
</step>
</procedure>
<para>
MS Windows NT4 profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>. A Local profile
@ -925,59 +925,58 @@ are controlled by entries on Windows NT4 is:
</para>
<para>
<programlisting>
HKEY_CURRENT_USER
\Software
\Microsoft
\Windows
\CurrentVersion
\Explorer
\User Shell Folders\
</programlisting>
<filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</filename>
</para>
<para>
The above hive key contains a list of automatically managed folders. The default entries are:
</para>
<para>
<programlisting>
Name Default Value
-------------- -----------------------------------------
AppData %USERPROFILE%\Application Data
Desktop %USERPROFILE%\Desktop
Favorites %USERPROFILE%\Favorites
NetHood %USERPROFILE%\NetHood
PrintHood %USERPROFILE%\PrintHood
Programs %USERPROFILE%\Start Menu\Programs
Recent %USERPROFILE%\Recent
SendTo %USERPROFILE%\SendTo
Start Menu %USERPROFILE%\Start Menu
Startup %USERPROFILE%\Start Menu\Programs\Startup
</programlisting>
</para>
<para>
<table frame="all">
<title>User Shell Folder registry keys default values</title>
<tgroup cols="2">
<thead>
<row><entry>Name</entry><entry>Default Value</entry></row>
</thead>
<tbody>
<row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
<row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
<row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
<row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
<row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
<row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
<row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
<row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
<row><entry>Start Menu </entry><entry>%USERPROFILE%\Start Menu</entry></row>
<row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>
</para>
<para>
The registry key that contains the location of the default profile settings is:
</para>
<programlisting>
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Explorer
\User Shell Folders
</programlisting>
<para>
<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</filename>
</para>
<para>
The default entries are:
<programlisting>
Common Desktop %SystemRoot%\Profiles\All Users\Desktop
Common Programs %SystemRoot%\Profiles\All Users\Programs
Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu
Common Startup %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup
</programlisting>
<table frame="all">
<title>Defaults of profile settings registry keys</title>
<tgroup cols="2">
<tbody>
<row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row>
<row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row>
<row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row>
<row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</entry></row>
</tbody>
</tgroup>
</table>
</para>
</sect2>
@ -1014,7 +1013,7 @@ login name of the user.
<note>
<para>
This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory
This path translates, in Samba parlance, to the &smb.conf; <parameter>[NETLOGON]</parameter> share. The directory
should be created at the root of this share and must be called <filename>Default Profile</filename>.
</para>
</note>
@ -1064,49 +1063,43 @@ are controlled by entries on Windows 200x/XP is:
</para>
<para>
<programlisting>
HKEY_CURRENT_USER
\Software
\Microsoft
\Windows
\CurrentVersion
\Explorer
\User Shell Folders\
</programlisting>
<filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</filename>
</para>
<para>
The above hive key contains a list of automatically managed folders. The default entries are:
</para>
<para>
<programlisting>
Name Default Value
-------------- -----------------------------------------
AppData %USERPROFILE%\Application Data
Cache %USERPROFILE%\Local Settings\Temporary Internet Files
Cookies %USERPROFILE%\Cookies
Desktop %USERPROFILE%\Desktop
Favorites %USERPROFILE%\Favorites
History %USERPROFILE%\Local Settings\History
Local AppData %USERPROFILE%\Local Settings\Application Data
Local Settings %USERPROFILE%\Local Settings
My Pictures %USERPROFILE%\My Documents\My Pictures
NetHood %USERPROFILE%\NetHood
Personal %USERPROFILE%\My Documents
PrintHood %USERPROFILE%\PrintHood
Programs %USERPROFILE%\Start Menu\Programs
Recent %USERPROFILE%\Recent
SendTo %USERPROFILE%\SendTo
Start Menu %USERPROFILE%\Start Menu
Startup %USERPROFILE%\Start Menu\Programs\Startup
Templates %USERPROFILE%\Templates
</programlisting>
</para>
<para>
<table frame="all">
<title>Defaults of default user profile paths registry keys</title>
<tgroup cols="2">
<thead><row><entry>Name</entry><entry>Default Value</entry></row></thead>
<tbody>
<row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
<row><entry>Cache</entry><entry>%USERPROFILE%\Local Settings\Temporary Internet Files</entry></row>
<row><entry>Cookies</entry><entry>%USERPROFILE%\Cookies</entry></row>
<row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
<row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
<row><entry>History</entry><entry>%USERPROFILE%\Local Settings\History</entry></row>
<row><entry>Local AppData</entry><entry>%USERPROFILE%\Local Settings\Application Data</entry></row>
<row><entry>Local Settings</entry><entry>%USERPROFILE%\Local Settings</entry></row>
<row><entry>My Pictures</entry><entry>%USERPROFILE%\My Documents\My Pictures</entry></row>
<row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
<row><entry>Personal</entry><entry>%USERPROFILE%\My Documents</entry></row>
<row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
<row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
<row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
<row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
<row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row>
<row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
<row><entry>Templates</entry><entry>%USERPROFILE%\Templates</entry></row>
</tbody></tgroup></table>
</para>
<para>
There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all
the others are of type REG_EXPAND_SZ.
There is also an entry called "Default" that has no value set. The default entry is of type <constant>REG_SZ</constant>, all
the others are of type <constant>REG_EXPAND_SZ</constant>.
</para>
<para>
@ -1117,21 +1110,20 @@ write the Outlook PST file over the network for every login and logout.
<para>
To set this to a network location you could use the following examples:
</para>
<programlisting>
%LOGONSERVER%\%USERNAME%\Default Folders
</programlisting>
This would store the folders in the user's home directory under a directory called "Default Folders"
<para><filename>%LOGONSERVER%\%USERNAME%\Default Folders</filename></para>
<para>
This would store the folders in the user's home directory under a directory called <filename>Default Folders</filename>
You could also use:
</para>
<programlisting>
\\SambaServer\FolderShare\%USERNAME%
</programlisting>
<para><filename>\\<replaceable>SambaServer</replaceable>\<replaceable>FolderShare</replaceable>\%USERNAME%</filename></para>
in which case the default folders will be stored in the server named <emphasis>SambaServer</emphasis>
in the share called <emphasis>FolderShare</emphasis> under a directory that has the name of the MS Windows
<para>
in which case the default folders will be stored in the server named <replaceable>SambaServer</replaceable>
in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the MS Windows
user as seen by the Linux/Unix file system.
</para>
@ -1145,12 +1137,9 @@ MS Windows 200x/XP profiles may be <emphasis>Local</emphasis> or <emphasis>Roami
A roaming profile will be cached locally unless the following registry key is created:
</para>
<para>
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
"DeleteRoamingCache"=dword:00000001
</programlisting>
<para><filename>HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001</filename></para>
<para>
In which case, the local cache copy will be deleted on logout.
</para>
</sect2>
@ -1192,17 +1181,11 @@ In any case, you can configure only one profile per user. That profile can
be either:
</para>
<itemizedlist>
<listitem><para>
A profile unique to that user
</para></listitem>
<listitem><para>
A mandatory profile (one the user can not change)
</para></listitem>
<listitem><para>
A group profile (really should be mandatory ie:unchangable)
</para></listitem>
</itemizedlist>
<simplelist>
<member>A profile unique to that user</member>
<member>A mandatory profile (one the user can not change)</member>
<member>A group profile (really should be mandatory ie:unchangable)</member>
</simplelist>
</sect2>
@ -1210,33 +1193,67 @@ be either:
<title>Can NOT use Roaming Profiles</title>
<para>
<screen>
> I dont want Roaming profile to be implemented, I just want to give users
> local profiles only.
<quote>
I dont want Roaming profile to be implemented, I just want to give users
local profiles only.
...
> Please help me I am totally lost with this error from past two days I tried
> everything and googled around quite a bit but of no help. Please help me.
Please help me I am totally lost with this error from past two days I tried
everything and googled around quite a bit but of no help. Please help me.
</quote></para>
<para>
Your choices are:
1. Local profiles
- I know of no registry keys that will allow auto-deletion
of LOCAL profiles on log out
2. Roaming profiles
- your options here are:
- can use auto-delete on logout option
- requires a registry key change on workstation
a) Personal Roaming profiles
- should be preserved on a central server
- workstations 'cache' (store) a local copy
<!-- FIXME: Write to whole sentences -->
<variablelist>
<varlistentry>
<term>Local profiles</term>
<listitem><para>
I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
</para></listitem>
</varlistentry>
<varlistentry>
<term>Roaming profiles</term>
<listitem><para>
<simplelist>
<member>can use auto-delete on logout option</member>
<member>requires a registry key change on workstation</member>
</simplelist>
Your choices are:
<variablelist>
<varlistentry>
<term>Personal Roaming profiles</term>
<listitem><para>
- should be preserved on a central server
- workstations 'cache' (store) a local copy
- used in case the profile can not be downloaded
at next logon
b) Group profiles
- loaded from a cetral place
c) Mandatory profiles
- can be personal or group
- can NOT be changed (except by an administrator
</para></listitem>
</varlistentry>
<varlistentry>
<term>Group profiles</term>
<listitem><para>- loaded from a cetral place</para></listitem>
</varlistentry>
<varlistentry>
<term>Mandatory profiles</term>
<listitem><para>
- can be personal or group
- can NOT be changed (except by an administrator
</para></listitem>
</varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
</variablelist>
</para>
<para>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
size. On average (in a well controlled environment) roaming profie size of
@ -1244,64 +1261,91 @@ size. On average (in a well controlled environment) roaming profie size of
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it take an hour to log onto a workstation but they harvest
the fuits of folly (and ignorance).
</para>
<para>
The point of all the above is to show that roaming profiles and good
controls of how they can be changed as well as good discipline make up for
a problem free site.
</para>
PS: Microsoft's answer to the PST problem is to store all email in an MS
<para>
Microsoft's answer to the PST problem is to store all email in an MS
Exchange Server back-end. But this is another story ...!
</para>
<para>
So, having LOCAL profiles means:
a) If lots of users user each machine
- lot's of local disk storage needed for local profiles
b) Every workstation the user logs into has it's own profile
- can be very different from machine to machine
<simplelist>
<member>If lots of users user each machine - lot's of local disk storage needed for local profiles</member>
<member>Every workstation the user logs into has it's own profile - can be very different from machine to machine</member>
</simplelist>
On the other hand, having roaming profiles means:
a) The network administrator can control EVERY aspect of user
profiles
b) With the use of mandatory profiles - a drastic reduction
in network management overheads
c) User unhappiness about not being able to change their profiles
soon fades as they get used to being able to work reliably
<simplelist>
<member>The network administrator can control EVERY aspect of user profiles</member>
<member>With the use of mandatory profiles - a drastic reduction in network management overheads</member>
<member>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</member>
</simplelist>
But note:
</para>
<para>
I have managed and installed MANY NT/2K networks and have NEVER found one
where users who move from machine to machine are happy with local
profiles. In the long run local profiles bite them.
</para>
> When the client tries to logon to the PDC it looks for a profile to download
> where do I put this default profile.
</sect2>
<!-- FIXME: Everything below this is a mess. I didn't quite understand it - Jelmer -->
<sect2>
<title>Changing the default profile</title>
<para><quote>
When the client tries to logon to the PDC it looks for a profile to download
where do I put this default profile.
</quote></para>
<para>
Firstly, your samba server need to be configured as a domain controller.
server = user
os level = 32 (or more)
domain logons = Yes
</para>
Plus you need to have a NETLOGON share that is world readable.
It is a good idea to add a logon script to pre-set printer and
drive connections. There is also a facility for automatically
synchronizing the workstation time clock with that of the logon
server (another good thing to do).
<programlisting>
server = user
os level = 32 (or more)
domain logons = Yes
</programlisting>
Note: To invoke auto-deletion of roaming profile from the local
workstation cache (disk storage) you need to use the Group Policy Editor
to create a file called NTConfig.POL with the appropriate entries. This
file needs to be located in the NETLOGON share root directory.
<para>
Plus you need to have a <parameter>[netlogon]</parameter> share that is world readable.
It is a good idea to add a logon script to pre-set printer and
drive connections. There is also a facility for automatically
synchronizing the workstation time clock with that of the logon
server (another good thing to do).
</para>
<note><para>
To invoke auto-deletion of roaming profile from the local
workstation cache (disk storage) you need to use the <application>Group Policy Editor</application>
to create a file called <filename>NTConfig.POL</filename> with the appropriate entries. This
file needs to be located in the <parameter>netlogon</parameter> share root directory.</para></note>
<para>
Oh, of course the windows clients need to be members of the domain.
Workgroup machines do NOT do network logons - so they never see domain
profiles.
</para>
<para>
Secondly, for roaming profiles you need:
logon path = \\%N\profiles\%U (with some such path)
logon drive = H: (Z: is the default)
Plus you need a PROFILES share that is world writable.
</screen>
</para>
</sect2>

102
docs/docbook/projdoc/SWAT.xml
View File

@ -25,7 +25,7 @@ documentation inside configuration files, for them SWAT will aways be a nasty to
does not store the configuration file in any intermediate form, rather, it stores only the
parameter settings, so when SWAT writes the smb.conf file to disk it will write only
those parameters that are at other than the default settings. The result is that all comments
will be lost from the smb.conf file. Additionally, the parameters will be written back in
will be lost from the &smb.conf; file. Additionally, the parameters will be written back in
internal ordering.
</para>
@ -40,8 +40,8 @@ and only non-default settings will be written to the file.
<para>
SWAT should be installed to run via the network super daemon. Depending on which system
your Unix/Linux system has you will have either an <filename>inetd</filename> or
<filename>xinetd</filename> based system.
your Unix/Linux system has you will have either an <command>inetd</command> or
<command>xinetd</command> based system.
</para>
<para>
@ -86,7 +86,7 @@ A control file for the newer style xinetd could be:
</para>
<para>
Both the above examples assume that the <filename>swat</filename> binary has been
Both the above examples assume that the <command>swat</command> binary has been
located in the <filename>/usr/sbin</filename> directory. In addition to the above
SWAT will use a directory access point from which it will load it's help files
as well as other control information. The default location for this on most Linux
@ -98,14 +98,16 @@ location using samba defaults will be <filename>/usr/local/samba/swat</filename>
Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
the only permission allowed is to view certain aspects of configuration as well as
access to the password change facility. The buttons that will be exposed to the non-root
user are: <emphasis>HOME, STATUS, VIEW, PASSWORD</emphasis>. The only page that allows
change capability in this case is <emphasis>PASSWORD</emphasis>.
user are: <guibutton>HOME</guibutton>, <guibutton>STATUS</guibutton>, <guibutton>VIEW</guibutton>,
<guibutton>PASSWORD</guibutton>. The only page that allows
change capability in this case is <guibutton>PASSWORD</guibutton>.
</para>
<para>
So long as you log onto SWAT as the user <command>root</command> you should obtain
So long as you log onto SWAT as the user <emphasis>root</emphasis> you should obtain
full change and commit ability. The buttons that will be exposed includes:
<emphasis>HOME, GLOBALS, SHARES, PRINTERS, WIZARD, STATUS, VIEW, PASSWORD</emphasis>.
<guibutton>HOME</guibutton>, <guibutton>GLOBALS</guibutton>, <guibutton>SHARES</guibutton>, <guibutton>PRINTERS</guibutton>,
<guibutton>WIZARD</guibutton>, <guibutton>STATUS</guibutton>, <guibutton>VIEW</guibutton>, <guibutton>PASSWORD</guibutton>.
</para>
</sect2>
@ -122,35 +124,35 @@ administration of Samba. Here is a method that works, courtesy of Markus Krieger
Modifications to the swat setup are as following:
</para>
<itemizedlist>
<listitem><para>
<procedure>
<step><para>
install OpenSSL
</para></listitem>
</para></step>
<listitem><para>
<step><para>
generate certificate and private key
<programlisting>
root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
</programlisting></para></listitem>
<screen>
&rootprompt;<userinput>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</userinput>
</screen></para></step>
<listitem><para>
<step><para>
remove swat-entry from [x]inetd
</para></listitem>
</para></step>
<listitem><para>
<step><para>
start stunnel
<programlisting>
root# stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat
</programlisting></para></listitem>
</itemizedlist>
<screen>
&rootprompt;<userinput>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
-l /usr/local/samba/bin/swat swat </userinput>
</screen></para></step>
</procedure>
<para>
afterwards simply contact to swat by using the URL "https://myhost:901", accept the certificate
afterwards simply contact to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
and the SSL connection is up.
</para>
@ -173,13 +175,13 @@ useful is <command>ethereal</command>, available from <ulink url="http://www.eth
http://www.ethereal.com</ulink>.
</para>
<note><para>
<warning><para>
SWAT can be configured to run in <emphasis>demo</emphasis> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
changes to smb.conf as well as general operation with root privilidges. The option that
creates this ability is the <command>-a</command> flag to swat. DO NOT USE THIS IN ANY
PRODUCTION ENVIRONMENT - you have been warned!
</para></note>
creates this ability is the <option>-a</option> flag to swat. <strong>Do not use this in any
production environment.</strong>
</para></warning>
</sect2>
@ -193,16 +195,16 @@ in smb.conf. There are three levels of exposure of the parameters:
<itemizedlist>
<listitem><para>
<command>Basic</command> - exposes common configuration options.
<emphasis>Basic</emphasis> - exposes common configuration options.
</para></listitem>
<listitem><para>
<command>Advanced</command> - exposes configuration options needed in more
<emphasis>Advanced</emphasis> - exposes configuration options needed in more
complex environments.
</para></listitem>
<listitem><para>
<command>Developer</command> - exposes configuration options that only the brave
<emphasis>Developer</emphasis> - exposes configuration options that only the brave
will want to tamper with.
</para></listitem>
</itemizedlist>
@ -210,18 +212,18 @@ in smb.conf. There are three levels of exposure of the parameters:
<para>
To switch to other than <emphasis>Basic</emphasis> editing ability click on either the
<emphasis>Advanced</emphasis> or the <emphasis>Developer</emphasis> dial, then click the
<emphasis>Commit Changes</emphasis> button.
<guibutton>Commit Changes</guibutton> button.
</para>
<para>
After making any changes to configuration parameters make sure that you click on the
<emphasis>Commit Changes</emphasis> button before moving to another area otherwise
<guibutton>Commit Changes</guibutton> button before moving to another area otherwise
your changes will be immediately lost.
</para>
<note><para>
SWAT has context sensitive help. To find out what each parameter is for simply click the
<command>Help</command> link to the left of the configurartion parameter.
<guibutton>Help</guibutton> link to the left of the configurartion parameter.
</para></note>
</sect2>
@ -231,16 +233,16 @@ SWAT has context sensitive help. To find out what each parameter is for simply c
<para>
To affect a currenly configured share, simply click on the pull down button between the
<emphasis>Choose Share</emphasis> and the <emphasis>Delete Share</emphasis> buttons,
<guibutton>Choose Share</guibutton> and the <guibutton>Delete Share</guibutton> buttons,
select the share you wish to operate on, then to edit the settings click on the
<emphasis>Choose Share</emphasis> button, to delete the share simply press the
<emphasis>Delete Share</emphasis> button.
<guibutton>Choose Share</guibutton> button, to delete the share simply press the
<guibutton>Delete Share</guibutton> button.
</para>
<para>
To create a new share, next to the button labelled <emphasis>Create Share</emphasis> enter
To create a new share, next to the button labelled <guibutton>Create Share</guibutton> enter
into the text field the name of the share to be created, then click on the
<emphasis>Create Share</emphasis> button.
<guibutton>Create Share</guibutton> button.
</para>
</sect2>
@ -250,16 +252,16 @@ into the text field the name of the share to be created, then click on the
<para>
To affect a currenly configured printer, simply click on the pull down button between the
<emphasis>Choose Printer</emphasis> and the <emphasis>Delete Printer</emphasis> buttons,
<guibutton>Choose Printer</guibutton> and the <guibutton>Delete Printer</guibutton> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<emphasis>Choose Printer</emphasis> button, to delete the share simply press the
<emphasis>Delete Printer</emphasis> button.
<guibutton>Choose Printer</guibutton> button, to delete the share simply press the
<guibutton>Delete Printer</guibutton> button.
</para>
<para>
To create a new printer, next to the button labelled <emphasis>Create Printer</emphasis> enter
To create a new printer, next to the button labelled <guibutton>Create Printer</guibutton> enter
into the text field the name of the share to be created, then click on the
<emphasis>Create Printer</emphasis> button.
<guibutton>Create Printer</guibutton> button.
</para>
</sect2>
@ -280,7 +282,7 @@ affected.
</para>
<para>
The <emphasis>Edit</emphasis> button permits the editing (setting) of the minimal set of
The <guibutton>Edit</guibutton> button permits the editing (setting) of the minimal set of
options that may be necessary to create a working samba server.
</para>
@ -298,7 +300,7 @@ home directories.
<para>
The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
The key daemons that create the samba server environment are: <command> smbd, nmbd, winbindd</command>.
The key daemons that create the samba server environment are: &smbd;, &nmbd;, &winbindd;.
</para>
<para>
@ -319,7 +321,7 @@ free files that may be locked.
<title>The View Page</title>
<para>
This page allows the administrator to view the optimised smb.conf file and if you are
This page allows the administrator to view the optimised &smb.conf; file and if you are
particularly massochistic will permit you also to see all possible global configuration
parameters and their settings.
</para>
@ -337,7 +339,7 @@ this tool to change a local password for a user account.
<para>
When logged in as a non-root account the user will have to provide the old password as well as
the new password (twice). When logged in as <command>root</command> only the new password is
the new password (twice). When logged in as <emphasis>root</emphasis> only the new password is
required.
</para>

7
docs/docbook/projdoc/Samba-BDC-HOWTO.xml
View File

@ -225,7 +225,7 @@ Server Manager for Domains.
<para>
Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some
parameters in the [global]-section of the smb.conf have to be set:
parameters in the <parameter>[global]</parameter>-section of the &smb.conf; have to be set:
</para>
<para><programlisting>
@ -235,7 +235,7 @@ parameters in the [global]-section of the smb.conf have to be set:
</programlisting></para>
<para>
Several other things like a [homes] and a [netlogon] share also need to be set along with
Several other things like a <parameter>[homes]</parameter> and a <parameter>[netlogon]</parameter> share also need to be set along with
settings for the profile path, the users home drive, etc.. This will not be covered in this
chapter, for more information please refer to the chapter on Domain Control.
</para>
@ -343,14 +343,13 @@ Finally, the BDC has to be found by the workstations. This can be done by settin
</para>
<para><programlisting>
<title>Essential Parameters for BDC Operation</title>
workgroup = SAMBA
domain master = no
domain logons = yes
</programlisting></para>
<para>
in the [global]-section of the smb.conf of the BDC. This makes the BDC
in the <parameter>[global]</parameter>-section of the &smb.conf; of the BDC. This makes the BDC
only register the name SAMBA&lt;#1c&gt; with the WINS server. This is no
problem as the name SAMBA&lt;#1c&gt; is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter 'domain master =

183
docs/docbook/projdoc/Samba-PDC-HOWTO.xml
View File

@ -39,15 +39,15 @@ sections of this HOWTO that deal with it. These are the most common causes of MS
networking problems:
</para>
<itemizedlist>
<listitem><para>Basic TCP/IP configuration</para></listitem>
<listitem><para>NetBIOS name resolution</para></listitem>
<listitem><para>Authentication configuration</para></listitem>
<listitem><para>User and Group configuration</para></listitem>
<listitem><para>Basic File and Directory Permission Control in Unix/Linux</para></listitem>
<listitem><para>Understanding of how MS Windows clients interoperate in a network
environment</para></listitem>
</itemizedlist>
<simplelist>
<member>Basic TCP/IP configuration</member>
<member>NetBIOS name resolution</member>
<member>Authentication configuration</member>
<member>User and Group configuration</member>
<member>Basic File and Directory Permission Control in Unix/Linux</member>
<member>Understanding of how MS Windows clients interoperate in a network
environment</member>
</simplelist>
<para>
Do not be put off, on the surface of it MS Windows networking seems so simple that any fool
@ -55,7 +55,7 @@ can do it. In fact, it is not a good idea to set up an MS Windows network with
inadequate training and preparation. But let's get our first indelible principle out of the
way: <emphasis>It is perfectly OK to make mistakes!</emphasis> In the right place and at
the right time, mistakes are the essence of learning. It is <emphasis>very much</emphasis>
not Ok to make mistakes that cause loss of productivity and impose an avoidable financial
not ok to make mistakes that cause loss of productivity and impose an avoidable financial
burden on an organisation.
</para>
@ -164,6 +164,8 @@ user and machine trust account information in a suitable backend data store. Wit
there can be multiple back-ends for this including:
</para>
<!-- FIXME: Doesn't this belong in passdb.xml ? -->
<itemizedlist>
<listitem><para>
<emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
@ -263,8 +265,8 @@ LDAP based user and machine account back end.
New to Samba-3 is the ability to use a back-end database that holds the same type of data as
the NT4 style SAM (Security Account Manager) database (one of the registry files).
The samba-3 SAM can be specified via the smb.conf file parameter
<emphasis>passwd backend</emphasis> and valid options include
<emphasis>smbpasswd, tdbsam, ldapsam, nisplussam, xmlsam, mysqlsam, plugin, guest</emphasis>.
<parameter>passwd backend</parameter> and valid options include
<emphasis>smbpasswd, tdbsam, ldapsam, nisplussam, xmlsam, mysqlsam, guest</emphasis>.
</para>
<para>
@ -285,10 +287,10 @@ reinstall it. The install time choices offered are:
</para>
<itemizedlist>
<listitem><para>Primary Domain Controller - The one that seeds the domain SAM</para></listitem>
<listitem><para>Backup Domain Controller - One that obtains a copy of the domain SAM</para></listitem>
<listitem><para>Domain Member Server - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
<listitem><para>Stand-Alone Server - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</para></listitem>
<listitem><para><emphasis>Primary Domain Controller</emphasis> - The one that seeds the domain SAM</para></listitem>
<listitem><para><emphasis>Backup Domain Controller</emphasis> - One that obtains a copy of the domain SAM</para></listitem>
<listitem><para><emphasis>Domain Member Server</emphasis> - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
<listitem><para><emphasis>Stand-Alone Server</emphasis> - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</para></listitem>
</itemizedlist>
<para>
@ -329,14 +331,14 @@ other than the machine being configured so that the network configuration has a
for it's workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
mode of configuration there are NO machine trust accounts and any concept of membership as such
is limited to the fact that all machines appear in the network neighbourhood to be logically
groupped together. Again, just to be clear: WORKGROUP MODE DOES NOT INVOLVE ANY SECURITY MACHINE
ACCOUNTS.
groupped together. Again, just to be clear: <strong>workgroup mode does not involve any security machine
accounts</strong>.
</para>
<para>
Domain member machines have a machine account in the Domain accounts database. A special procedure
must be followed on each machine to affect Domain membership. This procedure, which can be done
only by the local machine Adminisistrator account, will create the Domain machine account (if
only by the local machine Administrator account, will create the Domain machine account (if
if does not exist), and then initializes that account. When the client first logs onto the
Domain it triggers a machine password change.
</para>
@ -353,81 +355,35 @@ The following are necessary for configuring Samba-3 as an MS Windows NT4 style P
NT4 / 200x / XP clients.
</para>
<orderedlist>
<listitem><para>
Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
<listitem><para>
Consistent configuration of Name Resolution (See chapter on Browsing and on
MS Windows network Integration)
</para></listitem>
<listitem><para>
Domain logons for Windows NT4 / 200x / XP Professional clients
</para></listitem>
<listitem><para>
Configuration of Roaming Profiles or explicit configuration to force local profile usage
</para></listitem>
<listitem><para>
Configuration of Network/System Policies
</para></listitem>
<listitem><para>
Adding and managing domain user accounts
</para></listitem>
<listitem><para>
Configuring MS Windows client machines to become domain members
</para></listitem>
</orderedlist>
<simplelist>
<member>Configuration of basic TCP/IP and MS Windows Networking</member>
<member>Correct designation of the Server Role (<parameter>security = user</parameter>)</member>
<member>Consistent configuration of Name Resolution (See <link linkend="NetworkBrowsing">chapter on Browsing</link> and on
<link linkend="integrate-ms-networks">MS Windows network Integration</link>)</member>
<member>Domain logons for Windows NT4 / 200x / XP Professional clients</member>
<member>Configuration of Roaming Profiles or explicit configuration to force local profile usage</member>
<member>Configuration of Network/System Policies</member>
<member>Adding and managing domain user accounts</member>
<member>Configuring MS Windows client machines to become domain members</member>
</simplelist>
<para>
The following provisions are required to serve MS Windows 9x / Me Clients:
</para>
<orderedlist>
<listitem><para>
Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
<listitem><para>
Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really particpate in the security aspects of Domain logons as such)
</para></listitem>
<listitem><para>
Roaming Profile Configuration
</para></listitem>
<listitem><para>
Configuration of System Policy handling
</para></listitem>
<listitem><para>
Installation of the Network driver "Client for MS Windows Networks" and configuration
to log onto the domain
</para></listitem>
<listitem><para>
Placing Windows 9x / Me clients in user level security - if it is desired to allow
all client share access to be controlled according to domain user / group identities.
</para></listitem>
<listitem><para>
Adding and managing domain user accounts
</para></listitem>
</orderedlist>
<simplelist>
<member>Configuration of basic TCP/IP and MS Windows Networking</member>
<member>Correct designation of the Server Role (<parameter>security = user</parameter>)</member>
<member>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really particpate in the security aspects of Domain logons as such)</member>
<member>Roaming Profile Configuration</member>
<member>Configuration of System Policy handling</member>
<member>Installation of the Network driver "Client for MS Windows Networks" and configuration
to log onto the domain</member>
<member>Placing Windows 9x / Me clients in user level security - if it is desired to allow
all client share access to be controlled according to domain user / group identities.</member>
<member>Adding and managing domain user accounts</member>
</simplelist>
<note><para>
Roaming Profiles and System/Network policies are advanced network administration topics
@ -562,7 +518,7 @@ There are a couple of points to emphasize in the above configuration.
<listitem><para>
The server must support domain logons and have a
<filename>[netlogon]</filename> share
<parameter>[netlogon]</parameter> share
</para></listitem>
<listitem><para>
@ -602,8 +558,8 @@ an integral part of the essential functionality that is provided by a Domain Con
<para>
All Domain Controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba. One Domain Controller must be configured with <emphasis>domain master = Yes</emphasis>
(the Primary Domain Controller), on ALL Backup Domain Controllers <emphasis>domain master = No</emphasis>
in Samba. One Domain Controller must be configured with <parameter>domain master = Yes</parameter>
(the Primary Domain Controller), on ALL Backup Domain Controllers <parameter>domain master = No</parameter>
must be set.
</para>
@ -611,8 +567,6 @@ must be set.
<title>Example Configuration</title>
<programlisting>
<title> A minimal configuration to support Domain Logons</title>
<para>
[globals]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)
@ -622,7 +576,6 @@ must be set.
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
</para>
</programlisting>
</sect3>
@ -710,7 +663,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;#1c&gt; at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
\\SERVER.
<filename>\\SERVER</filename>.
</para>
</listitem>
@ -750,7 +703,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<para>
The client then connects to the user's home share and searches for the
user's profile. As it turns out, you can specify the user's home share as
a sharename and path. For example, \\server\fred\.winprofile.
a sharename and path. For example, <filename>\\server\fred\.winprofile</filename>.
If the profiles are found, they are implemented.
</para>
</listitem>
@ -758,7 +711,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<listitem>
<para>
The client then disconnects from the user's home share, and reconnects to
the NetLogon share and looks for CONFIG.POL, the policies file. If this is
the NetLogon share and looks for <filename>CONFIG.POL</filename>, the policies file. If this is
found, it is read and implemented.
</para>
</listitem>
@ -816,12 +769,12 @@ For this reason, it is very wise to configure the Samba DC as the DMB.
<para>
Now back to the issue of configuring a Samba DC to use a mode other
than <emphasis>security = user</emphasis>. If a Samba host is configured to use
than <parameter>security = user</parameter>. If a Samba host is configured to use
another SMB server or DC in order to validate user connection
requests, then it is a fact that some other machine on the network
(the <emphasis>password server</emphasis>) knows more about the user than the Samba host.
(the <parameter>password server</parameter>) knows more about the user than the Samba host.
99% of the time, this other host is a domain controller. Now
in order to operate in domain mode security, the <emphasis>workgroup</emphasis> parameter
in order to operate in domain mode security, the <parameter>workgroup</parameter> parameter
must be set to the name of the Windows NT domain (which already
has a domain controller). If the domain does NOT already have a Domain Controller
then you do not yet have a Domain!
@ -830,7 +783,7 @@ then you do not yet have a Domain!
<para>
Configuring a Samba box as a DC for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba DC
to be the DMB for its domain and set <emphasis>security = user</emphasis>.
to be the DMB for its domain and set <parameter>security = user</parameter>.
This is the only officially supported mode of operation.
</para>
@ -868,9 +821,9 @@ to a share (or IPC$) on the Samba PDC. The following command
will remove all network drive connections:
</para>
<para>
<prompt>C:\WINNT\></prompt> <command>net use * /d</command>
</para>
<screen>
<prompt>C:\WINNT\></prompt> <userinput>net use * /d</userinput>
</screen>
<para>
Further, if the machine is already a 'member of a workgroup' that
@ -884,9 +837,9 @@ does not matter what, reboot, and try again.
<title>The system can not log you on (C000019B)....</title>
<para>I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, "The system
to a newer version of the Samba code I get the message, <errorname>The system
can not log you on (C000019B), Please try again or consult your
system administrator" when attempting to logon.
system administrator</errorname> when attempting to logon.
</para>
<para>
@ -901,10 +854,10 @@ SID may be reset using either the net or rpcclient utilities.
<para>
The reset or change the domain SID you can use the net command as follows:
<programlisting>
net getlocalsid 'OLDNAME'
net setlocalsid 'SID'
</programlisting>
<screen>
<prompt>$ </prompt><userinput>net getlocalsid 'OLDNAME'</userinput>
<prompt>$ </prompt><userinput>net setlocalsid 'SID'</userinput>
</screen>
</para>
</sect2>
@ -914,8 +867,8 @@ The reset or change the domain SID you can use the net command as follows:
exist or is not accessible.</title>
<para>
When I try to join the domain I get the message "The machine account
for this computer either does not exist or is not accessible". What's
When I try to join the domain I get the message <errorname>The machine account
for this computer either does not exist or is not accessible</errorname>. What's
wrong?
</para>
@ -945,8 +898,8 @@ for both client and server.
I get a message about my account being disabled.</title>
<para>
At first be ensure to enable the useraccounts with <command>smbpasswd -e
%user%</command>, this is normally done, when you create an account.
At first be ensure to enable the useraccounts with <userinput>smbpasswd -e
<replaceable>username</replaceable></userinput>, this is normally done, when you create an account.
</para>
</sect2>

113
docs/docbook/projdoc/ServerType.xml
View File

@ -97,17 +97,17 @@ different type of servers:</para>
<itemizedlist>
<listitem><para>Domain Controller</para>
<itemizedlist>
<listitem><para>Primary Domain Controller</para></listitem>
<listitem><para>Backup Domain Controller</para></listitem>
<listitem><para>ADS Domain Controller</para></listitem>
</itemizedlist>
<simplelist>
<member>Primary Domain Controller</member>
<member>Backup Domain Controller</member>
<member>ADS Domain Controller</member>
</simplelist>
</listitem>
<listitem><para>Domain Member Server</para>
<itemizedlist>
<listitem><para>Active Directory Member Server</para></listitem>
<listitem><para>NT4 Style Domain Member Server</para></listitem>
</itemizedlist>
<simplelist>
<member>Active Directory Member Server</member>
<member>NT4 Style Domain Member Server</member>
</simplelist>
</listitem>
<listitem><para>Stand Alone Server</para></listitem>
</itemizedlist>
@ -125,7 +125,7 @@ presented.
<title>Samba Security Modes</title>
<para>
In this section the function and purpose of Samba's <emphasis>security</emphasis>
In this section the function and purpose of Samba's <parameter>security</parameter>
modes are described. An acurate understanding of how Samba implements each security
mode as well as how to configure MS Windows clients for each mode will significantly
reduce user complaints and administrator heartache.
@ -138,12 +138,13 @@ that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of
ways that allow the security levels to be implemented. In actual fact, Samba implements
<emphasis>SHARE Level</emphasis> security only one way, but has for ways of implementing
<emphasis>USER Level</emphasis> security. Collectively, we call the samba implementations
<emphasis>Security Modes</emphasis>. These are: <emphasis>SHARE, USER, DOMAIN, ADS, and SERVER</emphasis>
<emphasis>Security Modes</emphasis>. These are: <emphasis>SHARE</emphasis>, <emphasis>USER</emphasis>, <emphasis>DOMAIN</emphasis>,
<emphasis>ADS</emphasis>, and <emphasis>SERVER</emphasis>
modes. They are documented in this chapter.
</para>
<para>
A SMB server tells the client at startup what <emphasis>security level</emphasis>
A SMB server tells the client at startup what <parameter>security level</parameter>
it is running. There are two options <emphasis>share level</emphasis> and
<emphasis>user level</emphasis>. Which of these two the client receives affects
the way the client then tries to authenticate itself. It does not directly affect
@ -157,7 +158,7 @@ available and whether an action is allowed.
<title>User Level Security</title>
<para>
We will describe<emphasis>user level</emphasis> security first, as its simpler.
We will describe<parameter>user level</parameter> security first, as its simpler.
In <emphasis>user level</emphasis> security the client will send a
<emphasis>session setup</emphasis> command directly after the protocol negotiation.
This contains a username and password. The server can either accept or reject that
@ -230,7 +231,7 @@ level security. They normally send a valid username but no password. Samba recor
this username in a list of <emphasis>possible usernames</emphasis>. When the client
then does a <emphasis>tree connection</emphasis> it also adds to this list the name
of the share they try to connect to (useful for home directories) and any users
listed in the <command>user =</command> &smb.conf; line. The password is then checked
listed in the <parameter>user =</parameter> &smb.conf; line. The password is then checked
in turn against these <emphasis>possible usernames</emphasis>. If a match is found
then the client is authenticated as that user.
</para>
@ -258,7 +259,7 @@ with share mode security servers. You are strongly discouraged from use of this
<title>Domain Security Mode (User Level Security)</title>
<para>
When samba is operating in <emphasis>security = domain</emphasis> mode this means that
When samba is operating in <parameter>security = domain</parameter> mode this means that
the Samba server has a domain security trust account (a machine account) and will cause
all authentication requests to be passed through to the domain controllers.
</para>
@ -281,7 +282,7 @@ This method involves addition of the following parameters in the &smb.conf; file
</programlisting></para>
<para>
The use of the "*" argument to <command>password server</command> will cause samba to locate the
The use of the "*" argument to <parameter>password server</parameter> will cause samba to locate the
domain controller in a way analogous to the way this is done within MS Windows NT.
This is the default behaviour.
</para>
@ -291,34 +292,32 @@ In order for this method to work the Samba server needs to join the MS Windows N
security domain. This is done as follows:
</para>
<itemizedlist>
<listitem><para>On the MS Windows NT domain controller using
<procedure>
<step><para>On the MS Windows NT domain controller using
the Server Manager add a machine account for the Samba server.
</para></listitem>
</para></step>
<listitem><para>Next, on the Unix/Linux system execute:</para>
<para><programlisting>
<command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> (samba 2.x)
<step><para>Next, on the Unix/Linux system execute:</para>
<para>&rootprompt;<userinput>smbpasswd -r PDC_NAME -j DOMAIN_NAME</userinput> (samba 2.x)</para>
<command>net join -U administrator%password</command> (samba-3)
</programlisting>
</para>
</listitem>
</itemizedlist>
<para>&rootprompt;<userinput>net join -U administrator%password</userinput> (samba-3)</para>
</step>
</procedure>
<note><para>
As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just
by executing:
<programlisting>
smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password
</programlisting>
<screen>
&rootprompt;<userinput>smbpasswd -j <replaceable>DOMAIN_NAME</replaceable> -r <replaceable>PDC_NAME</replaceable> -U Administrator%<replaceable>password</replaceable></userinput>
</screen>
As of Samba-3 the same can be done by executing:
<programlisting>
net join -U Administrator%password
</programlisting>
It is not necessary with Samba-3 to specify the DOMAIN_NAME or the PDC_NAME as it figures this
out from the smb.conf file settings.
<screen>
&rootprompt;<userinput>net join -U Administrator%<replaceable>password</replaceable></userinput>
</screen>
It is not necessary with Samba-3 to specify the <replaceable>DOMAIN_NAME</replaceable> or the <replaceable>PDC_NAME</replaceable> as it
figures this out from the &smb.conf; file settings.
</para></note>
<para>
@ -362,18 +361,20 @@ AD-member mode can accept Kerberos.
<sect3>
<title>Example Configuration</title>
<para>
<programlisting>
<para><programlisting>
realm = your.kerberos.REALM
security = ADS
encrypt passwords = Yes
</programlisting></para>
The following parameter may be required:
ads server = your.kerberos.server
</programlisting>
<para>
The following parameter may be required:
</para>
<para><programlisting>
ads server = your.kerberos.server
</programlisting></para>
<para>
Please refer to the Domain Membership section, Active Directory Membership for more information
regarding this configuration option.
@ -391,23 +392,23 @@ as a domain member server. It is highly recommended NOT to use this feature. Ser
security has many draw backs. The draw backs include:
</para>
<itemizedlist>
<listitem><para>Potential Account Lockout on MS Windows NT4/200x password servers</para></listitem>
<listitem><para>Lack of assurance that the password server is the one specified</para></listitem>
<listitem><para>Does not work with Winbind, particularly needed when storing profiles remotely</para></listitem>
<listitem><para>This mode may open connections to the password server, and keep them open for extended periods.</para></listitem>
<listitem><para>Security on the samba server breaks badly when the remote password server suddenly shuts down</para></listitem>
<listitem><para>With this mode there is NO security account in the domain that the password server belongs to for the samba server.</para></listitem>
</itemizedlist>
<simplelist>
<member>Potential Account Lockout on MS Windows NT4/200x password servers</member>
<member>Lack of assurance that the password server is the one specified</member>
<member>Does not work with Winbind, particularly needed when storing profiles remotely</member>
<member>This mode may open connections to the password server, and keep them open for extended periods.</member>
<member>Security on the samba server breaks badly when the remote password server suddenly shuts down</member>
<member>With this mode there is NO security account in the domain that the password server belongs to for the samba server.</member>
</simplelist>
<para>
In server level security the samba server reports to the client that it is in user level
security. The client then does a <emphasis>session setup</emphasis> as described earlier.
The samba server takes the username/password that the client sends and attempts to login to the
<emphasis>password server</emphasis> by sending exactly the same username/password that
<parameter>password server</parameter> by sending exactly the same username/password that
it got from the client. If that server is in user level security and accepts the password
then samba accepts the clients connection. This allows the samba server to use another SMB
server as the <emphasis>password server</emphasis>.
server as the <parameter>password server</parameter>.
</para>
<para>
@ -418,10 +419,10 @@ passwords in encrypted form. Samba supports this type of encryption by default.
</para>
<para>
The parameter <emphasis>security = server</emphasis> means that Samba reports to clients that
The parameter <parameter>security = server</parameter> means that Samba reports to clients that
it is running in <emphasis>user mode</emphasis> but actually passes off all authentication
requests to another <emphasis>user mode</emphasis> server. This requires an additional
parameter <emphasis>password server</emphasis> that points to the real authentication server.
parameter <parameter>password server</parameter> that points to the real authentication server.
That real authentication server can be another Samba server or can be a Windows NT server,
the later natively capable of encrypted password support.
</para>
@ -589,7 +590,7 @@ to those for whom English is not their native tongue.
<para>
To some the nature of the samba <emphasis>security</emphasis> mode is very obvious, but entirely
wrong all the same. It is assumed that <emphasis>security = server</emphasis> means that Samba
wrong all the same. It is assumed that <parameter>security = server</parameter> means that Samba
will act as a server. Not so! See above - this setting means that samba will <emphasis>try</emphasis>
to use another SMB server as it's source of user authentication alone.
</para>
@ -600,7 +601,7 @@ to use another SMB server as it's source of user authentication alone.
<title>What makes Samba a Domain Controller?</title>
<para>
The &smb.conf; parameter <emphasis>security = domain</emphasis> does NOT really make Samba behave
The &smb.conf; parameter <parameter>security = domain</parameter> does NOT really make Samba behave
as a Domain Controller! This setting means we want samba to be a domain member!
</para>
@ -610,7 +611,7 @@ as a Domain Controller! This setting means we want samba to be a domain member!
<title>What makes Samba a Domain Member?</title>
<para>
Guess! So many others do. But whatever you do, do NOT think that <emphasis>security = user</emphasis>
Guess! So many others do. But whatever you do, do NOT think that <parameter>security = user</parameter>
makes Samba act as a domain member. Read the manufacturers manual before the warranty expires!
</para>

32
docs/docbook/projdoc/Speed.xml
View File

@ -58,11 +58,11 @@ performance of a TCP based server like Samba.
<para>
The socket options that Samba uses are settable both on the command
line with the -O option, or in the smb.conf file.
line with the <option>-O</option> option, or in the &smb.conf; file.
</para>
<para>
The <command>socket options</command> section of the &smb.conf; manual page describes how
The <parameter>socket options</parameter> section of the &smb.conf; manual page describes how
to set these and gives recommendations.
</para>
@ -75,7 +75,7 @@ much. The correct settings are very dependent on your local network.
<para>
The socket option TCP_NODELAY is the one that seems to make the
biggest single difference for most networks. Many people report that
adding <command>socket options = TCP_NODELAY</command> doubles the read
adding <parameter>socket options = TCP_NODELAY</parameter> doubles the read
performance of a Samba drive. The best explanation I have seen for this is
that the Microsoft TCP/IP stack is slow in sending tcp ACKs.
</para>
@ -86,7 +86,7 @@ that the Microsoft TCP/IP stack is slow in sending tcp ACKs.
<title>Read size</title>
<para>
The option <command>read size</command> affects the overlap of disk
The option <parameter>read size</parameter> affects the overlap of disk
reads/writes with network reads/writes. If the amount of data being
transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and
SMBreadbraw) is larger than this value then the server begins writing
@ -114,9 +114,9 @@ pointless and will cause you to allocate memory unnecessarily.
<title>Max xmit</title>
<para>
At startup the client and server negotiate a <command>maximum transmit</command> size,
At startup the client and server negotiate a <parameter>maximum transmit</parameter> size,
which limits the size of nearly all SMB commands. You can set the
maximum size that Samba will negotiate using the <command>max xmit = </command> option
maximum size that Samba will negotiate using the <parameter>max xmit = </parameter> option
in &smb.conf;. Note that this is the maximum size of SMB requests that
Samba will accept, but not the maximum size that the *client* will accept.
The client maximum receive size is sent to Samba by the client and Samba
@ -139,7 +139,7 @@ In most cases the default is the best option.
<title>Log level</title>
<para>
If you set the log level (also known as <command>debug level</command>) higher than 2
If you set the log level (also known as <parameter>debug level</parameter>) higher than 2
then you may suffer a large drop in performance. This is because the
server flushes the log file after each operation, which can be very
expensive.
@ -150,20 +150,20 @@ expensive.
<title>Read raw</title>
<para>
The <command>read raw</command> operation is designed to be an optimised, low-latency
The <parameter>read raw</parameter> operation is designed to be an optimised, low-latency
file read operation. A server may choose to not support it,
however. and Samba makes support for <command>read raw</command> optional, with it
however. and Samba makes support for <parameter>read raw</parameter> optional, with it
being enabled by default.
</para>
<para>
In some cases clients don't handle <command>read raw</command> very well and actually
In some cases clients don't handle <parameter>read raw</parameter> very well and actually
get lower performance using it than they get using the conventional
read operations.
</para>
<para>
So you might like to try <command>read raw = no</command> and see what happens on your
So you might like to try <parameter>read raw = no</parameter> and see what happens on your
network. It might lower, raise or not affect your performance. Only
testing can really tell.
</para>
@ -174,14 +174,14 @@ testing can really tell.
<title>Write raw</title>
<para>
The <command>write raw</command> operation is designed to be an optimised, low-latency
The <parameter>write raw</parameter> operation is designed to be an optimised, low-latency
file write operation. A server may choose to not support it,
however. and Samba makes support for <command>write raw</command> optional, with it
however. and Samba makes support for <parameter>write raw</parameter> optional, with it
being enabled by default.
</para>
<para>
Some machines may find <command>write raw</command> slower than normal write, in which
Some machines may find <parameter>write raw</parameter> slower than normal write, in which
case you may wish to change this option.
</para>
@ -192,7 +192,7 @@ case you may wish to change this option.
<para>
Slow logins are almost always due to the password checking time. Using
the lowest practical <command>password level</command> will improve things.
the lowest practical <parameter>password level</parameter> will improve things.
</para>
</sect1>
@ -202,7 +202,7 @@ the lowest practical <command>password level</command> will improve things.
<para>
LDAP can be vastly improved by using the
<ulink url="smb.conf.5.html#LDAPTRUSTIDS">ldap trust ids</ulink> parameter.
<ulink url="smb.conf.5.html#LDAPTRUSTIDS"><parameter>ldap trust ids</parameter></ulink> parameter.
</para>
</sect1>

23
docs/docbook/projdoc/StandAloneServer.xml
View File

@ -72,7 +72,8 @@ Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the samba server may use the local Unix/Linux system password database
(/etc/passwd or /etc/shadow), may use a local smbpasswd file, or may use
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
local smbpasswd file, or may use
an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
for authentication.
</para>
@ -99,9 +100,7 @@ nobody. No home directories are shared, that are no users in the <filename>/etc/
Unix system database. This is a very simple system to administer.
</para>
<para>
<programlisting>
<title>Share Mode Read Only Stand-Alone Server</title>
# Global parameters
[global]
workgroup = MYGROUP
@ -115,7 +114,6 @@ Unix system database. This is a very simple system to administer.
path = /export
guest only = Yes
</programlisting>
</para>
<para>
In the above example the machine name is set to REFDOCS, the workgroup is set to the name
@ -172,9 +170,9 @@ the anonymous (guest) user two things will be required:
The default for this is usually the account <command>nobody</command>.
To find the correct name to use for your version of Samba do the
following:
<programlisting>
testparm -s -v | grep "guest account"
</programlisting>
<screen>
<prompt>$ </prompt><userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
Then make sure that this account exists in your system password
database (<filename>/etc/passwd</filename>).
</para></listitem>
@ -183,17 +181,16 @@ the anonymous (guest) user two things will be required:
The directory into which Samba will spool the file must have write
access for the guest account. The following commands will ensure that
this directory is available for use:
<programlisting>
mkdir /var/spool/samba
chown nobody.nobody /var/spool/samba
chmod a+rwt /var/spool/samba
</programlisting>
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
</para></listitem>
</itemizedlist>
<para>
<programlisting>
<title>Simple Central Print Server</title>
# Global parameters
[global]
workgroup = MYGROUP

30
docs/docbook/projdoc/UNIX_INSTALL.xml
View File

@ -33,7 +33,7 @@
<title>Configuring samba (smb.conf)</title>
<para>
Samba's configuration is stored in the smb.conf file,
Samba's configuration is stored in the &smb.conf; file,
that usually resides in <filename>/etc/samba/smb.conf</filename>
or <filename>/usr/local/samba/lib/smb.conf</filename>. You can either
edit this file yourself or do it using one of the many graphical
@ -67,7 +67,7 @@
<para>
This will allow connections by anyone with an account on the server, using either
their login name or "<command>homes</command>" as the service name.
their login name or "<parameter>homes</parameter>" as the service name.
(Note that the workgroup that Samba must also be set.)
</para>
@ -79,7 +79,7 @@
<para>
For more information about security settings for the
<command>[homes]</command> share please refer to the chapter
<parameter>[homes]</parameter> share please refer to the chapter
<link linkend="securing-samba">Securing Samba</link>.
</para>
@ -88,7 +88,7 @@
<para>
It's important that you test the validity of your <filename>smb.conf</filename>
file using the <application>testparm</application> program. If testparm runs OK
file using the &testparm; program. If testparm runs OK
then it will list the loaded services. If not it will give an error message.
</para>
@ -97,7 +97,7 @@
</para>
<para>
Always run testparm again when you change <filename>smb.conf</filename>!
Always run testparm again when you change &smb.conf;!
</para>
</sect3>
@ -115,7 +115,7 @@
<para>
To launch SWAT just run your favorite web browser and
point it at "http://localhost:901/". Replace
point it at <ulink url="http://localhost:901/">http://localhost:901/</ulink>. Replace
<replaceable>localhost</replaceable>
with the name of the computer you are running samba on if you
are running samba on a different computer than your browser.
@ -160,7 +160,7 @@
would be the name of the host where you installed &smbd;.
The <replaceable>aservice</replaceable> is
any service you have defined in the &smb.conf;
file. Try your user name if you just have a <command>[homes]</command>
file. Try your user name if you just have a <parameter>[homes]</parameter>
section
in &smb.conf;.</para>
@ -214,7 +214,7 @@ The following questions and issues get raised on the samba mailing list over and
<para>
Site that is running Samba on an AIX box. They are sharing out about 2 terabytes using samba.
Samba was installed using smitty and the binaries. We seem to be experiencing a memory problem
with this box. When I do a svmon -Pu the monitoring program shows that smbd has several
with this box. When I do a <command>svmon -Pu</command> the monitoring program shows that &smbd; has several
processes of smbd running:
</para>
@ -224,7 +224,7 @@ is it normal for it to be taking up this much memory?
</para>
<para>
<programlisting>
<screen>
Inuse * 4096 = amount of memory being used by this process
Pid Command Inuse Pin Pgsp Virtual 64-bit Mthrd
@ -251,30 +251,30 @@ Inuse * 4096 = amount of memory being used by this process
19110 smbd 8404 1906 181 4862 N N
Total memory used: 841,592,832 bytes
</programlisting>
</screen>
</para>
<para>
<emphasis>ANSWER:</emphasis> Samba consists on three core programs:
<emphasis>nmbd, smbd, winbindd</emphasis>. <command>nmbd</command> is the name server message daemon,
<command>smbd</command> is the server message daemon, <command>winbind</command> is the daemon that
&nmbd;, &smbd;, &winbindd;. &nmbd; is the name server message daemon,
&smbd; is the server message daemon, &winbindd; is the daemon that
handles communication with Domain Controllers.
</para>
<para>
If your system is NOT running as a WINS server, then there will be one (1) single instance of
<command>nmbd</command> running on your system. If it is running as a WINS server then there will be
&nmbd; running on your system. If it is running as a WINS server then there will be
two (2) instances - one to handle the WINS requests.
</para>
<para>
<command>smbd</command> handles ALL connection requests and then spawns a new process for each client
&smbd; handles ALL connection requests and then spawns a new process for each client
connection made. That is why you are seeing so many of them, one (1) per client connection.
</para>
<para>
<command>winbindd</command> will run as one or two daemons, depending on whether or not it is being
&winbindd; will run as one or two daemons, depending on whether or not it is being
run in "split mode" (in which case there will be two instances).
</para>

24
docs/docbook/projdoc/VFS.xml
View File

@ -32,18 +32,18 @@ on different systems. They currently have been tested against GNU/Linux and IRI
<para>
To use the VFS modules, create a share similar to the one below. The
important parameter is the <command>vfs object</command> parameter which must point to
important parameter is the <parameter>vfs object</parameter> parameter which must point to
the exact pathname of the shared library objects. For example, to log all access
to files and use a recycle bin:
<screen>
[audit]
comment = Audited /data directory
path = /data
vfs object = /path/to/audit.so /path/to/recycle.so
writeable = yes
browseable = yes
</screen>
<programlisting>
[audit]
comment = Audited /data directory
path = /data
vfs object = /path/to/audit.so /path/to/recycle.so
writeable = yes
browseable = yes
</programlisting>
</para>
<para>
@ -87,7 +87,7 @@ the Samba Developers Guide.
<para>
The logging information that will be written to the smbd log file is controlled by
the <emphasis>log level</emphasis> parameter in <filename>smb.conf</filename>. The
the <parameter>log level</parameter> parameter in <filename>smb.conf</filename>. The
following information will be recorded:
</para>
@ -184,7 +184,7 @@ the Samba Developers Guide.
<para>Advantages compared to the old netatalk module:
<simplelist>
<member>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</member>
<member>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</member>
<member>if a share in &smb.conf; doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</member>
</simplelist>
</para>
@ -203,7 +203,7 @@ to have his or her own CVS tree).
</para>
<para>
No statemets about the stability or functionality of any module
No statements about the stability or functionality of any module
should be implied due to its presence here.
</para>

47
docs/docbook/projdoc/securing-samba.xml
View File

@ -48,7 +48,7 @@ the latest protocols to permit more secure MS Windows file and print operations.
Samba may be secured from connections that originate from outside the local network. This may be
done using <emphasis>host based protection</emphasis> (using samba's implementation of a technology
known as "tcpwrappers", or it may be done be using <emphasis>interface based exclusion</emphasis>
so that <command>smbd</command> will bind only to specifically permitted interfaces. It is also
so that &smbd; will bind only to specifically permitted interfaces. It is also
possible to set specific share or resource based exclusions, eg: on the <parameter>IPC$</parameter>
auto-share. The <parameter>IPC$</parameter> share is used for browsing purposes as well as to establish
TCP/IP connections.
@ -85,23 +85,23 @@ before someone will find yet another vulnerability.
</para>
<para>
One of the simplest fixes in this case is to use the <command>hosts allow</command> and
<command>hosts deny</command> options in the Samba &smb.conf; configuration file to only
One of the simplest fixes in this case is to use the <parameter>hosts allow</parameter> and
<parameter>hosts deny</parameter> options in the Samba &smb.conf; configuration file to only
allow access to your server from a specific range of hosts. An example
might be:
</para>
<para><screen>
<para><programlisting>
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
</screen></para>
</programlisting></para>
<para>
The above will only allow SMB connections from 'localhost' (your own
computer) and from the two private networks 192.168.2 and
192.168.3. All other connections will be refused as soon
as the client sends its first packet. The refusal will be marked as a
'not listening on called name' error.
<errorname>not listening on called name</errorname> error.
</para>
</sect2>
@ -111,12 +111,12 @@ before someone will find yet another vulnerability.
<para>
If you want to restrict access to your server to valid users only then the following
method may be of use. In the smb.conf [globals] section put:
method may be of use. In the &smb.conf; <parameter>[globals]</parameter> section put:
</para>
<para><screen>
<para><programlisting>
valid users = @smbusers, jacko
</screen></para>
</programlisting></para>
<para>
What this does is, it restricts all server access to either the user <emphasis>jacko</emphasis>
@ -140,10 +140,10 @@ before someone will find yet another vulnerability.
You can change this behaviour using options like the following:
</para>
<para><screen>
<para><programlisting>
interfaces = eth* lo
bind interfaces only = yes
</screen></para>
</programlisting></para>
<para>
This tells Samba to only listen for connections on interfaces with a
@ -179,12 +179,12 @@ before someone will find yet another vulnerability.
UDP ports to allow and block. Samba uses the following:
</para>
<para><screen>
UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd
</screen></para>
<simplelist>
<member>UDP/137 - used by nmbd</member>
<member>UDP/138 - used by nmbd</member>
<member>TCP/139 - used by smbd</member>
<member>TCP/445 - used by smbd</member>
</simplelist>
<para>
The last one is important as many older firewall setups may not be
@ -209,11 +209,11 @@ before someone will find yet another vulnerability.
To do that you could use:
</para>
<para><screen>
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
</screen></para>
<para><programlisting>
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
</programlisting></para>
<para>
this would tell Samba that IPC$ connections are not allowed from
@ -225,7 +225,7 @@ before someone will find yet another vulnerability.
</para>
<para>
If you use this method then clients will be given a 'access denied'
If you use this method then clients will be given a <errorname>access denied</errorname>
reply when they try to access the IPC$ share. That means that those
clients will not be able to browse shares, and may also be unable to
access some other resources.
@ -245,6 +245,7 @@ before someone will find yet another vulnerability.
To configure NTLMv2 authentication the following registry keys are worth knowing about:
</para>
<!-- FIXME -->
<para>
<screen>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

20
docs/docbook/projdoc/unicode.xml
View File

@ -61,7 +61,7 @@ samba knows of three kinds of character sets:
<variablelist>
<varlistentry>
<term>unix charset</term>
<term><parameter>unix charset</parameter></term>
<listitem><para>
This is the charset used internally by your operating system.
The default is <constant>ASCII</constant>, which is fine for most
@ -70,14 +70,14 @@ samba knows of three kinds of character sets:
</varlistentry>
<varlistentry>
<term>display charset</term>
<term><parameter>display charset</parameter></term>
<listitem><para>This is the charset samba will use to print messages
on your screen. It should generally be the same as the <command>unix charset</command>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>dos charset</term>
<term><parameter>dos charset</parameter></term>
<listitem><para>This is the charset samba uses when communicating with
DOS and Windows 9x clients. It will talk unicode to all newer clients.
The default depends on the charsets you have installed on your system.
@ -114,24 +114,24 @@ points of attention when setting it up:</para>
<itemizedlist>
<listitem><para>You should set <command>mangling method =
hash</command></para></listitem>
<listitem><para>You should set <parameter>mangling method =
hash</parameter></para></listitem>
<listitem><para>There are various iconv() implementations around and not
all of them work equally well. glibc2's iconv() has a critical problem
in CP932. libiconv-1.8 works with CP932 but still has some problems and
does not work with EUC-JP.</para></listitem>
<listitem><para>You should set <command>dos charset = CP932</command>, not
<listitem><para>You should set <parameter>dos charset = CP932</parameter>, not
Shift_JIS, SJIS...</para></listitem>
<listitem><para>Currently only <command>unix charset = CP932</command>
<listitem><para>Currently only <parameter>unix charset = CP932</parameter>
will work (but still has some problems...) because of iconv() issues.
<command>unix charset = EUC-JP</command> doesn't work well because of
<parameter>unix charset = EUC-JP</parameter> doesn't work well because of
iconv() issues.</para></listitem>
<listitem><para>Currently Samba 3.0 does not support <command>unix charset
= UTF8-MAC/CAP/HEX/JIS*</command></para></listitem>
<listitem><para>Currently Samba 3.0 does not support <parameter>unix charset
= UTF8-MAC/CAP/HEX/JIS*</parameter></para></listitem>
</itemizedlist>

109
docs/docbook/projdoc/winbind.xml
View File

@ -10,7 +10,6 @@
</affiliation>
</author>
&author.tridge;
&author.jht;
<author>
<firstname>Naag</firstname><surname>Mummaneni</surname>
<affiliation>
@ -224,7 +223,9 @@
of that service should be tried and in what order. If the passwd
config line is:</para>
<para><command>passwd: files example</command></para>
<para><programlisting>
passwd: files example
</programlisting></para>
<para>then the C library will first load a module called
<filename>/lib/libnss_files.so</filename> followed by
@ -429,17 +430,15 @@ install the development packages in <filename>pam-devel-0.74-22</filename>.
<para>
Before starting, it is probably best to kill off all the SAMBA
related daemons running on your server. Kill off all <command>smbd</command>,
<command>nmbd</command>, and <command>winbindd</command> processes that may
related daemons running on your server. Kill off all &smbd;,
&nmbd;, and &winbindd; processes that may
be running. To use PAM, you will want to make sure that you have the
standard PAM package (for RedHat) which supplies the <filename>/etc/pam.d</filename>
directory structure, including the pam modules are used by pam-aware
services, several pam libraries, and the <filename>/usr/doc</filename>
and <filename>/usr/man</filename> entries for pam. Winbind built better
in SAMBA if the pam-devel package was also installed. This package includes
the header files needed to compile pam-aware applications. For instance,
my RedHat system has both <filename>pam-0.74-22</filename> and
<filename>pam-devel-0.74-22</filename> RPMs installed.
the header files needed to compile pam-aware applications.
</para>
<sect3>
@ -451,14 +450,14 @@ The first three steps may not be necessary depending upon
whether or not you have previously built the Samba binaries.
</para>
<para><programlisting>
<prompt>root#</prompt> <command>autoconf</command>
<prompt>root#</prompt> <command>make clean</command>
<prompt>root#</prompt> <command>rm config.cache</command>
<prompt>root#</prompt> <command>./configure</command>
<prompt>root#</prompt> <command>make</command>
<prompt>root#</prompt> <command>make install</command>
</programlisting></para>
<para><screen>
&rootprompt;<command>autoconf</command>
&rootprompt;<command>make clean</command>
&rootprompt;<command>rm config.cache</command>
&rootprompt;<command>./configure</command>
&rootprompt;<command>make</command>
&rootprompt;<command>make install</command>
</screen></para>
<para>
@ -474,12 +473,14 @@ It will also build the winbindd executable and libraries.
winbind libraries on Linux and Solaris</title>
<para>
The libraries needed to run the <command>winbindd</command> daemon
The libraries needed to run the &winbindd; daemon
through nsswitch need to be copied to their proper locations, so
</para>
<para>
<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command>
<screen>
&rootprompt;<userinput>cp ../samba/source/nsswitch/libnss_winbind.so /lib</userinput>
</screen>
</para>
<para>
@ -487,19 +488,19 @@ I also found it necessary to make the following symbolic link:
</para>
<para>
<prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command>
&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
</para>
<para>And, in the case of Sun solaris:</para>
<para>
<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
<prompt>root#</prompt> <userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
</para>
<screen>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</userinput>
</screen>
<para>
Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
allow user and group entries to be visible from the <command>winbindd</command>
allow user and group entries to be visible from the &winbindd;
daemon. My <filename>/etc/nsswitch.conf</filename> file look like
this after editing:
</para>
@ -518,7 +519,7 @@ is faster (and you don't need to reboot) if you do it manually:
</para>
<para>
<prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command>
&rootprompt;<userinput>/sbin/ldconfig -v | grep winbind</userinput>
</para>
<para>
@ -567,11 +568,11 @@ url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/ia
<para>
Several parameters are needed in the smb.conf file to control
the behavior of <command>winbindd</command>. Configure
<filename>smb.conf</filename> These are described in more detail in
the behavior of &winbindd;. Configure
&smb.conf; These are described in more detail in
the <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> man page. My
<filename>smb.conf</filename> file was modified to
&smb.conf; file was modified to
include the following entries in the [global] section:
</para>
@ -607,7 +608,7 @@ a domain user who has administrative privileges in the domain.
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/net join -S PDC -U Administrator</command>
&rootprompt;<userinput>/usr/local/samba/bin/net join -S PDC -U Administrator</userinput>
</para>
@ -632,7 +633,7 @@ command as root:
</para>
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command>
&rootprompt;<userinput>/usr/local/samba/bin/winbindd</userinput>
</para>
<para>
@ -641,11 +642,11 @@ run as 2 processes. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query that the first has just responded.
Advantage of this is that responses stay accurate and are faster.
You can enable dual daemon mode by adding '-B' to the commandline:
You can enable dual daemon mode by adding <option>-B</option> to the commandline:
</para>
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd -B</command>
&rootprompt;<userinput>/usr/local/samba/bin/winbindd -B</userinput>
</para>
<para>
@ -654,14 +655,14 @@ is really running...
</para>
<para>
<prompt>root#</prompt> <command>ps -ae | grep winbindd</command>
&rootprompt;<userinput>ps -ae | grep winbindd</userinput>
</para>
<para>
This command should produce output like this, if the daemon is running
</para>
<para>
<screen>
3025 ? 00:00:00 winbindd
</para>
</screen>
<para>
Now... for the real test, try to get some information about the
@ -669,7 +670,7 @@ users on your PDC
</para>
<para>
<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command>
&rootprompt;<userinput>/usr/local/samba/bin/wbinfo -u</userinput>
</para>
<para>
@ -677,14 +678,14 @@ This should echo back a list of users on your Windows users on
your PDC. For example, I get the following response:
</para>
<para><programlisting>
<para><screen>
CEO+Administrator
CEO+burdell
CEO+Guest
CEO+jt-ad
CEO+krbtgt
CEO+TsInternetUser
</programlisting></para>
</screen></para>
<para>
Obviously, I have named my domain 'CEO' and my <parameter>winbind
@ -696,8 +697,8 @@ You can do the same sort of thing to get group information from
the PDC:
</para>
<para><programlisting>
<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command>
<para><screen>
&rootprompt;<userinput>/usr/local/samba/bin/wbinfo -g</userinput>
CEO+Domain Admins
CEO+Domain Users
CEO+Domain Guests
@ -707,7 +708,7 @@ the PDC:
CEO+Schema Admins
CEO+Enterprise Admins
CEO+Group Policy Creator Owners
</programlisting></para>
</screen></para>
<para>
The function 'getent' can now be used to get unified
@ -716,7 +717,7 @@ Try the following command:
</para>
<para>
<prompt>root#</prompt> <command>getent passwd</command>
&rootprompt;<userinput>getent passwd</userinput>
</para>
<para>
@ -730,7 +731,7 @@ The same thing can be done for groups with the command
</para>
<para>
<prompt>root#</prompt> <command>getent group</command>
&rootprompt;<userinput>getent group</userinput>
</para>
</sect3>
@ -743,14 +744,13 @@ The same thing can be done for groups with the command
<title>Linux</title>
<para>
The <command>winbindd</command> daemon needs to start up after the
<command>smbd</command> and <command>nmbd</command> daemons are running.
The &winbindd; daemon needs to start up after the
&smbd; and &nmbd; daemons are running.
To accomplish this task, you need to modify the startup scripts of your system.
They are located at <filename>/etc/init.d/smb</filename> in RedHat and
<filename>/etc/init.d/samba</filename> in Debian.
script to add commands to invoke this daemon in the proper sequence. My
startup script starts up <command>smbd</command>,
<command>nmbd</command>, and <command>winbindd</command> from the
startup script starts up &smbd;, &nmbd;, and &winbindd; from the
<filename>/usr/local/samba/bin</filename> directory directly. The 'start'
function in the script looks like this:
</para>
@ -899,8 +899,7 @@ in the script above with:
<sect4>
<title>Restarting</title>
<para>
If you restart the <command>smbd</command>, <command>nmbd</command>,
and <command>winbindd</command> daemons at this point, you
If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
should be able to connect to the samba server as a domain member just as
if you were a local user.
</para>
@ -925,7 +924,7 @@ by invoking the command
</para>
<para>
<prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command>
&rootprompt;<userinput>make nsswitch/pam_winbind.so</userinput>
</para>
<para>
@ -937,7 +936,7 @@ modules reside in <filename>/usr/lib/security</filename>.
</para>
<para>
<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command>
&rootprompt;<userinput>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</userinput>
</para>
<sect4>
@ -982,8 +981,8 @@ For ftp services to work properly, you will also need to either
have individual directories for the domain users already present on
the server, or change the home directory template to a general
directory for all domain users. These can be easily set using
the <filename>smb.conf</filename> global entry
<command>template homedir</command>.
the &smb.conf; global entry
<parameter>template homedir</parameter>.
</para>
<para>
@ -1023,8 +1022,8 @@ same way. It now looks like this:
</programlisting></para>
<para>
In this case, I added the <command>auth sufficient /lib/security/pam_winbind.so</command>
lines as before, but also added the <command>required pam_securetty.so</command>
In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
above it, to disallow root logins over the network. I also added a
<command>sufficient /lib/security/pam_unix.so use_first_pass</command>
line after the <command>winbind.so</command> line to get rid of annoying