mirror of https://github.com/samba-team/samba.git synced 2024-12-31 17:18:04 +03:00

Remove questions that have been moved to 'Common Errors' in the HOWTO Collection.

(This used to be commit 1e3f375568)
Jelmer Vernooij 2003-06-03 17:12:45 +00:00
parent 0b43d7d02e
commit eb0c0845e2
6 changed files with 1 additions and 431 deletions

@ -1,37 +0,0 @@
<chapter id="FAQ-Config">
<title>Configuration problems</title>
<sect1>
<title>I have set 'force user' and samba still makes 'root' the owner of all the files I touch!</title>
<para>
When you have a user in 'admin users', samba will always do file operations for
this user as 'root', even if 'force user' has been set.
</para>
</sect1>
<sect1>
<title>I have just installed samba and I'm trying to log in from Windows, but samba refuses all logins!</title>
<para>
Newer windows clients(NT4, 2000, XP) send encrypted passwords. Samba can't compare these
passwords to the unix password database, so it needs it's own user database. You can
add users to this database using "smbpasswd -a user-name".
</para>
<para>
See also the "User database" chapter of the samba HOWTO Collection.
</para>
</sect1>
<sect1>
<title>How can I make samba use netbios scope ID's</title>
<para>By default Samba uses a blank scope ID. This means
all your windows boxes must also have a blank scope ID.
If you really want to use a non-blank scope ID then you will
need to use the 'netbios scope' smb.conf option.
All your PCs will need to have the same setting for
this to work. Scope ID's are not recommended.</para>
</sect1>
</chapter>
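Review bot: the first entry of this deleted chapter (the 'force user' question) states that a user listed in 'admin users' has file operations done as root even when 'force user' is set, and the hunk header (+0,0) shows the whole file going away with no replacement text visible in this commit. Please name the 'Common Errors' section that now carries that privilege note in the commit message so the move can be verified. While moving the second entry, change "it's own user database" to "its own user database".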

@ -45,7 +45,7 @@ SMB password encryption.
<member>enable SMB password encryption in Samba. See the encryption part of
the samba HOWTO Collection</member>
<member>disable this new behaviour in NT. See the section about
<member>disable this behaviour in NT. See the section about
Windows NT in the chapter "Portability" of the samba HOWTO collection
</member>
</simplelist>
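Review bot: in the changed member line, "disable this behaviour in NT" leaves "this behaviour" without a nearby antecedent once "new" is dropped. Say what is being disabled, for example "disable encrypted passwords in NT", so a reader can tell that this option makes the client send unencrypted passwords, while the first option keeps encryption and enables it in Samba.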
@ -98,79 +98,4 @@ before exporting it with Samba.
</sect1>
<sect1>
<title>Why can users access home directories of other users?</title>
<para>
<quote>
We are unable to keep individual users from mapping to any other user's
home directory once they have supplied a valid password! They only need
to enter their own password. I have not found *any* method that I can
use to configure samba to enforce that only a user may map their own
home directory.
</quote>
</para>
<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
*anyone* elses home directory!
</quote></para>
<para>
This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
as they would if they were logged onto the UNIX box, except
that it only allows such views onto the file system as are
allowed by the defined shares.
</para>
<para>
This means that if your UNIX home directories are set up
such that one user can happily cd into another users
directory and do an ls, the UNIX security solution is to
change the UNIX file permissions on the users home directories
such that the cd and ls would be denied.
</para>
<para>
Samba tries very hard not to second guess the UNIX administrators
security policies, and trusts the UNIX admin to set
the policies and permissions he or she desires.
</para>
<para>
Samba does allow the setup you require when you have set the
"only user = yes" option on the share, is that you have not set the
valid users list for the share.
</para>
<para>
Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :
<programlisting>
users = %S
</programlisting>
this is equivalent to:
<programlisting>
valid users = %S
</programlisting>
to the definition of the [homes] share, as recommended in
the smb.conf man page.
</para>
</sect1>
<sect1>
<title>Until a few minutes after samba has started, clients get the error "Domain Controller Unavailable"</title>
<para>
A domain controller has to announce on the network who it is. This usually takes a while.
</para>
</sect1>
<sect1>
<title>I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs</title>
<para>Your loopback device isn't working correctly. Make sure it's running.
</para>
</sect1>
</chapter>
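Review bot: in the removed home-directory answer, the paragraph beginning "Samba does allow the setup you require" does not parse as a sentence, and the instruction that follows is split across two programlisting blocks, so "add the line ... to the definition of the [homes] share" is hard to read as one step. If this text went into 'Common Errors' unchanged, rewrite it there so that "valid users = %S" on [homes] is given as a single clear setting, since it is the only access restriction this answer offers beyond UNIX file permissions.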

@ -2,66 +2,6 @@
<title>Features</title>
<sect1>
<title>How can I prevent my samba server from being used to distribute the Nimda worm?</title>
<para>Author: HASEGAWA Yosuke (translated by <ulink url="monyo@samba.gr.jp">TAKAHASHI Motonobu</ulink>)</para>
<para>
Nimba Worm is infected through shared disks on a network, as well as through
Microsoft IIS, Internet Explorer and mailer of Outlook series.
</para>
<para>
At this time, the worm copies itself by the name *.nws and *.eml on
the shared disk, moreover, by the name of Riched20.dll in the folder
where *.doc file is included.
</para>
<para>
To prevent infection through the shared disk offered by Samba, set
up as follows:
</para>
<para>
<programlisting>
[global]
...
# This can break Administration installations of Office2k.
# in that case, don't veto the riched20.dll
veto files = /*.eml/*.nws/riched20.dll/
</programlisting>
</para>
<para>
By setting the "veto files" parameter, matched files on the Samba
server are completely hidden from the clients and making it impossible
to access them at all.
</para>
<para>
In addition to it, the following setting is also pointed out by the
samba-jp:09448 thread: when the
"readme.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" file exists on
a Samba server, it is visible only as "readme.txt" and dangerous
code may be executed if this file is double-clicked.
</para>
<para>
Setting the following,
<programlisting>
veto files = /*.{*}/
</programlisting>
any files having CLSID in its file extension will be inaccessible from any
clients.
</para>
<para>
This technical article is created based on the discussion of
samba-jp:09448 and samba-jp:10900 threads.
</para>
</sect1>
<sect1>
<title>How can I use samba as a fax server?</title>
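Review bot: the removed Nimda entry is hardening guidance (the "veto files" settings for *.eml, *.nws, riched20.dll and CLSID extensions), so the destination section should be named in the commit message to confirm it was kept and not just dropped. Three things to fix in the moved copy: the body says "Nimba Worm" where the title says Nimda, the ulink has url="monyo@samba.gr.jp" without a mailto: scheme, and the warning that vetoing riched20.dll can break Office2k administration installs sits in a comment inside the programlisting where it is easy to miss.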

@ -1,89 +1,6 @@
<chapter id="FAQ-Install">
<title>Compiling and installing Samba on a Unix host</title>
<sect1>
<title>I can't see the Samba server in any browse lists!</title>
<para>
See Browsing.html in the docs directory of the samba source
for more information on browsing.
</para>
<para>
If your GUI client does not permit you to select non-browsable
servers, you may need to do so on the command line. For example, under
Lan Manager you might connect to the above service as disk drive M:
thusly:
<programlisting>
net use M: \\mary\fred
</programlisting>
The details of how to do this and the specific syntax varies from
client to client - check your client's documentation.
</para>
</sect1>
<sect1>
<title>Some files that I KNOW are on the server don't show up when I view the files from my client!</title>
<para>See the next question.</para>
</sect1>
<sect1>
<title>Some files on the server show up with really wierd filenames when I view the files from my client!</title>
<para>
If you check what files are not showing up, you will note that they
are files which contain upper case letters or which are otherwise not
DOS-compatible (ie, they are not legal DOS filenames for some reason).
</para>
<para>
The Samba server can be configured either to ignore such files
completely, or to present them to the client in "mangled" form. If you
are not seeing the files at all, the Samba server has most likely been
configured to ignore them. Consult the man page smb.conf(5) for
details of how to change this - the parameter you need to set is
"mangled names = yes".
</para>
</sect1>
<sect1>
<title>My client reports "cannot locate specified computer" or similar</title>
<para>
This indicates one of three things: You supplied an incorrect server
name, the underlying TCP/IP layer is not working correctly, or the
name you specified cannot be resolved.
</para>
<para>
After carefully checking that the name you typed is the name you
should have typed, try doing things like pinging a host or telnetting
to somewhere on your network to see if TCP/IP is functioning OK. If it
is, the problem is most likely name resolution.
</para>
<para>
If your client has a facility to do so, hardcode a mapping between the
hosts IP and the name you want to use. For example, with Lan Manager
or Windows for Workgroups you would put a suitable entry in the file
LMHOSTS. If this works, the problem is in the communication between
your client and the netbios name server. If it does not work, then
there is something fundamental wrong with your naming and the solution
is beyond the scope of this document.
</para>
<para>
If you do not have any server on your subnet supplying netbios name
resolution, hardcoded mappings are your only option. If you DO have a
netbios name server running (such as the Samba suite's nmbd program),
the problem probably lies in the way it is set up. Refer to Section
Two of this FAQ for more ideas.
</para>
<para>
By the way, remember to REMOVE the hardcoded mapping before further
tests :-)
</para>
</sect1>
<sect1>
<title>My client reports "cannot locate specified share name" or similar</title>
<para>
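Review bot: the removed entries in this hunk depend on their position in the FAQ ("See the next question", "Refer to Section Two of this FAQ", and "connect to the above service" in the browse-list answer, which has no service named above it). Those references will not resolve once the text lives in the HOWTO Collection, so replace them with explicit section links in the destination. The title "really wierd filenames" should also read "weird".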
@ -107,106 +24,6 @@ to specify a service name correctly), read on:
</simplelist>
</sect1>
<sect1>
<title>Printing doesn't work</title>
<para>
Make sure that the specified print command for the service you are
connecting to is correct and that it has a fully-qualified path (eg.,
use "/usr/bin/lpr" rather than just "lpr").
</para>
<para>
Make sure that the spool directory specified for the service is
writable by the user connected to the service. In particular the user
"nobody" often has problems with printing, even if it worked with an
earlier version of Samba. Try creating another guest user other than
"nobody".
</para>
<para>
Make sure that the user specified in the service is permitted to use
the printer.
</para>
<para>
Check the debug log produced by smbd. Search for the printer name and
see if the log turns up any clues. Note that error messages to do with
a service ipc$ are meaningless - they relate to the way the client
attempts to retrieve status information when using the LANMAN1
protocol.
</para>
<para>
If using WfWg then you need to set the default protocol to TCP/IP, not
Netbeui. This is a WfWg bug.
</para>
<para>
If using the Lanman1 protocol (the default) then try switching to
coreplus. Also not that print status error messages don't mean
printing won't work. The print status is received by a different
mechanism.
</para>
</sect1>
<sect1>
<title>My client reports "This server is not configured to list shared resources"</title>
<para>
Your guest account is probably invalid for some reason. Samba uses the
guest account for browsing in smbd. Check that your guest account is
valid.
</para>
<para>See also 'guest account' in smb.conf man page.</para>
</sect1>
<sect1>
<title>Log message "you appear to have a trapdoor uid system" </title>
<para>
This can have several causes. It might be because you are using a uid
or gid of 65535 or -1. This is a VERY bad idea, and is a big security
hole. Check carefully in your /etc/passwd file and make sure that no
user has uid 65535 or -1. Especially check the "nobody" user, as many
broken systems are shipped with nobody setup with a uid of 65535.
</para>
<para>It might also mean that your OS has a trapdoor uid/gid system :-)</para>
<para>
This means that once a process changes effective uid from root to
another user it can't go back to root. Unfortunately Samba relies on
being able to change effective uid from root to non-root and back
again to implement its security policy. If your OS has a trapdoor uid
system this won't work, and several things in Samba may break. Less
things will break if you use user or server level security instead of
the default share level security, but you may still strike
problems.
</para>
<para>
The problems don't give rise to any security holes, so don't panic,
but it does mean some of Samba's capabilities will be unavailable.
In particular you will not be able to connect to the Samba server as
two different uids at once. This may happen if you try to print as a
"guest" while accessing a share as a normal user. It may also affect
your ability to list the available shares as this is normally done as
the guest user.
</para>
<para>
Complain to your OS vendor and ask them to fix their system.
</para>
<para>
Note: the reason why 65535 is a VERY bad choice of uid and gid is that
it casts to -1 as a uid, and the setreuid() system call ignores (with
no error) uid changes to -1. This means any daemon attempting to run
as uid 65535 will actually run as root. This is not good!
</para>
</sect1>
<sect1>
<title>Why are my file's timestamps off by an hour, or by a few hours?</title>
<para>
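Review bot: the removed "trapdoor uid system" entry mixes two different conditions under one heading: a uid or gid of 65535 or -1, which it calls "a big security hole" because a daemon meant to run as that uid "will actually run as root", and a genuine trapdoor uid OS, of which it says "The problems don't give rise to any security holes". In the relocated text these should be separate paragraphs with the 65535 check on /etc/passwd stated first, so the "don't panic" sentence cannot be read as covering the root case. In the printing entry, "Also not that print status error messages" should be "Also note that".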
@ -297,37 +114,4 @@ zones.
</para>
</sect1>
<sect1>
<title>How do I set the printer driver name correctly?</title>
<para>Question:
<quote> On NT, I opened "Printer Manager" and "Connect to Printer".
Enter ["\\ptdi270\ps1"] in the box of printer. I got the
following error message
</quote></para>
<para>
<programlisting>
You do not have sufficient access to your machine
to connect to the selected printer, since a driver
needs to be installed locally.
</programlisting>
</para>
<para>Answer:</para>
<para>In the more recent versions of Samba you can now set the "printer
driver" in smb.conf. This tells the client what driver to use. For
example:</para>
<para><programlisting>
printer driver = HP LaserJet 4L
</programlisting></para>
<para>With this, NT knows to use the right driver. You have to get this string
exactly right.</para>
<para>To find the exact string to use, you need to get to the dialog box in
your client where you select which printer driver to install. The
correct strings for all the different printers are shown in a listbox
in that dialog box.</para>
</sect1>
</chapter>
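Review bot: the removed printer-driver answer says "In the more recent versions of Samba you can now set the "printer driver" in smb.conf" without naming a version. If the text is carried into the HOWTO Collection, state the version in which the parameter became available, otherwise the advice cannot be checked against an installed release.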

@ -1,38 +0,0 @@
<chapter id="FAQ-Printing">
<!-- Kurt Pfeifle's HOWTO chapter on printing should make this obsolete -->
<chapterinfo>
<author>
<firstname>Ronan</firstname><surname>Waide</surname>
</author>
</chapterinfo>
<title>Printing problems</title>
<sect1>
<title>setdriver or cupsaddsmb failes</title>
<para>
setdriver expects the following setup:
<simplelist>
<member>you are a printer admin, or root. this is the smb.conf printer admin group, not the Printer Operators group in NT. I've not tried the latter, but I don't believe it will work based on the current code.</member>
<member>printer admins has to be defined in [global]</member>
<member>upload the driver files to \\server\print$\w32x86 and win40 as appropriate. DON'T put them in the 0 or 2 subdirectories.</member>
<member>Make sure that the user you're connecting as is able to write to the print$ directories</member>
<member>Use adddriver (with appropriate parameters) to create the driver. note, this will not just update samba's notion of drivers, it will also move the files from the w32x86 and win40 directories to an appropriate subdirectory (based on driver version, I think, but not important enough for me to find out)</member>
<member>Use setdriver to associate the driver with a printer</member>
</simplelist>
</para>
<para>
The setdriver call will fail if the printer doesn't already exist in
samba's view of the world. Either create the printer in cups and
restart samba, or create an add printer command (see smb.conf doco)
and use RPC calls to create a printer. NB the add printer command MUST
return a single line of text indicating which port the printer was
added on. If it doesn't, Samba won't reload the printer
definitions. Although samba doesn't really support the notion of
ports, suitable add printer command and enumport command settings can
allow you pretty good remote control of the samba printer setup.
</para>
</sect1>
</chapter>
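Review bot: the setdriver list in this deleted chapter contains statements the author marks as unverified ("I've not tried the latter", "based on driver version, I think"), next to a requirement that the connecting user can write to the print$ directories. Before this is reused in the printing HOWTO chapter mentioned in the comment, confirm those points against the code and say that write access to print$ is meant for the "printer admin" accounts described in the first list item. The title typo "failes" should not be carried over.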

@ -5,8 +5,6 @@
<!ENTITY errors SYSTEM "errors.xml">
<!ENTITY clientapp SYSTEM "clientapp.xml">
<!ENTITY features SYSTEM "features.xml">
<!ENTITY config SYSTEM "config.xml">
<!ENTITY printing SYSTEM "printing.xml">
]>
<book id="Samba-FAQ">
@ -34,9 +32,7 @@ and the old samba text documents which were mostly written by John Terpstra.
&general;
&install;
&config;
&clientapp;
&errors;
&features;
&printing;
</book>
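Review bot: the entity list in this hunk must stay in step with the declarations in the hunk above: both headers show two lines dropped, and they should be exactly the config and printing pairs that match the two chapter files deleted in this commit. An entity reference left without its declaration makes the book fail to parse, so search the docs tree and any build rules for remaining uses of config.xml, printing.xml, &config; and &printing; before merging.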