mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Stage 1 of PHPTR Edits.

(This used to be commit 64a9e3e861)
This commit is contained in:
John Terpstra 2005-06-16 01:33:35 +00:00 committed by Gerald W. Carter
parent 77aa4181f1
commit fa96398866
32 changed files with 6141 additions and 6553 deletions

File diff suppressed because it is too large.

View File

@ -3,7 +3,7 @@
<chapter id="AdvancedNetworkManagement">
<chapterinfo>
&author.jht;
<pubdate>April 3 2003</pubdate>
<pubdate>June 15 2005</pubdate>
</chapterinfo>
<title>Advanced Network Management</title>
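Review bot: the <pubdate> is replaced outright (April 3 2003 becomes June 15 2005), so the chapterinfo no longer records when the chapter was first published. A revhistory entry, or keeping both dates, preserves that for the print edition instead of silently rewriting the history.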
@ -11,17 +11,16 @@
<para>
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment and to make their lives a little easier.
environment, and to make their lives a little easier.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
Often the difference between a working network environment and a well appreciated one can
Often the difference between a working network environment and a well-appreciated one can
best be measured by the <emphasis>little things</emphasis> that make everything work more
harmoniously. A key part of every network environment solution is the
ability to remotely
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, remotely access the Samba server, provide customized
logon scripts, as well as other housekeeping activities that help to sustain more reliable
network operations.
@ -38,14 +37,14 @@ other chapters, for ease of reference.
<title>Remote Server Administration</title>
<para><quote>How do I get `User Manager' and `Server Manager'?</quote></para>
<para><quote>How do I get User Manager and Server Manager?</quote></para>
<para>
<indexterm><primary>User Manager</primary></indexterm>
<indexterm><primary>Server Manager</primary></indexterm>
<indexterm><primary>Event Viewer</primary></indexterm>
Since I do not need to buy an <application>NT4 Server</application>, how do I get the `User Manager for Domains'
and the `Server Manager'?
Since I do not need to buy an <application>NT4 server</application>, how do I get the User Manager for Domains
and the Server Manager?
</para>
<para>
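Review bot: lowercasing "NT4 Server" to "NT4 server" inside the <application> element changes a product name rather than fixing grammar, while the tool names that lose their backtick quotes on the same lines (User Manager for Domains, Server Manager) get no markup at all. Mark them up consistently, e.g. <application>User Manager for Domains</application> and <application>Server Manager</application>, and keep the product name as Microsoft spells it.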
@ -61,13 +60,15 @@ on <application>Windows 9x/Me</application> systems. The tools set includes:
</itemizedlist>
<para>
Download the archived file at <ulink noescape="1" url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE.</ulink>
Download the archived file at the Microsoft <ulink noescape="1"
url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">Nexus</ulink> link.
</para>
<para>
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
The <application>Windows NT 4.0</application> version of the `User Manager for
Domains' and `Server Manager' are available from Microsoft <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
The <application>Windows NT 4.0</application> version of the User Manager for
Domains and Server Manager are available from Microsoft
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
</para>
</sect1>
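Review bot: replacing the visible URL with the link text "Nexus" removes the address from every output where the ulink text is all the reader gets (the printed book), and noescape="1" only makes sense while the element content is the raw URL. Keep the URL visible (or put it in a footnote) and drop noescape once the content is plain text; the SRVTOOLS link in the next paragraph has the same "via ftp" problem.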
@ -93,14 +94,14 @@ is the best tool in your network environment.
</para>
<para><quote>
I have a wonderful Linux/Samba server running as pdc for a network. Now I would like to add remote
I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
desktop capabilities so users outside could login to the system and get their desktop up from home or
another country.
</quote></para>
<para><quote>
Is there a way to accomplish this? Do I need a Windows Terminal Server? Do I need to configure it so
it is a member of the domain or a BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
even if the computer is in a domain?
</quote></para>
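Review bot: this hunk edits text inside a <quote> that reproduces a reader's question, and changing "Windows Terminal Server" to "Windows Terminal server" lowercases part of a product name rather than correcting the writer's grammar. The other edits ("pdc" to "PDC", "BDC,PDC" to "BDC or PDC") are spelling and punctuation and are fine in quoted text; revert the product name.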
@ -122,17 +123,17 @@ is the best tool in your network environment.
</para>
<para>
I could test drive their (public) Red Hat machine in Italy, over a loaded
Internet connection, with enabled thumbnail previews in KDE konqueror
I test drove their (public) Red Hat machine in Italy, over a loaded
Internet connection, with enabled thumbnail previews in KDE konqueror,
which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
To test the performance, I played Pinball. I am proud to announce
that my score was 631750 points at first try.
that my score was 631,750 points at first try.
</para>
<para>
NX performs better on my local LAN than any of the other <quote>pure</quote>
connection methods I am using from time to time: TightVNC, rdesktop or
connection methods I use from time to time: TightVNC, rdesktop or
Remote X. It is even faster than a direct crosslink connection between
two nodes.
</para>
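Review bot: "I could test drive" to "I test drove" changes what the quoted first-person account says (the ability to do something becomes a completed action), which is beyond a copyedit; keep the author's tense. In the same sentence "KDE konqueror" is left lowercase while the rest of the hunk normalizes capitalization (Konqueror is the product name), and "a rdesktop session" on the following line should read "an rdesktop session".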
@ -145,20 +146,20 @@ is the best tool in your network environment.
</para>
<para>
I recommend to test drive NX to anybody with a only a passing interest in remote computing
<ulink noescape="1" url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
I recommend test driving NX to anybody with a only a passing interest in remote computing
the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> utility.
</para>
<para>
Just download the free of charge client software (available for Red Hat,
SuSE, Debian and Windows) and be up and running within five minutes (they
Just download the free-of-charge client software (available for Red Hat,
SuSE, Debian and Windows) and be up and running within 5 minutes (they
need to send you your account data, though, because you are assigned
a real UNIX account on their testdrive.nomachine.com box.
a real UNIX account on their testdrive.nomachine.com box).
</para>
<para>
They plan to get to the point were you can have NX application servers
running as a cluster of nodes, and users simply start an NX session locally,
running as a cluster of nodes, and users simply start an NX session locally
and can select applications to run transparently (apps may even run on
another NX node, but pretend to be on the same as used for initial login,
because it displays in the same window. You also can run it
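Review bot: the rewritten sentence "I recommend test driving NX to anybody with a only a passing interest in remote computing the NX utility" is ungrammatical: the doubled article "a only a" survives from the old line, and swapping the bare URL for the link text "NX" leaves "in remote computing the NX utility" with no verb or preposition joining it. Something like "I recommend that anybody with even a passing interest in remote computing test drive NX at <ulink ...>" also keeps the address visible in print. Two smaller points in the same hunk: "five minutes" to "5 minutes" goes against spelling out small numbers in prose, and the context line "get to the point were you can" still has "were" for "where".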
@ -171,7 +172,7 @@ is the best tool in your network environment.
technologies are released under the GPL and available as source code
to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running.)
use in order to get a fully running remote X session up and running).
</para>
<para>
@ -198,14 +199,14 @@ is the best tool in your network environment.
<listitem><para>
The NX core technologies are all Open Source and released under the GPL &smbmdash;
you can now use a (very inconvenient) command-line at no cost,
you can now use a (very inconvenient) command line at no cost,
but you can buy a comfortable (proprietary) NX GUI front end for money.
</para></listitem>
<listitem><para>
NoMachine are encouraging and offering help to OSS/Free Software implementations
for such a front end too, even if it means competition to them (they have written
to this effect even to the LTSP, KDE and GNOME developer mailing lists).
NoMachine is encouraging and offering help to OSS/Free Software implementations
for such a front-end too, even if it means competition to them (they have written
to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
</para></listitem>
</itemizedlist>
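Review bot: "front end" to "front-end" hyphenates the noun; the hyphenated form is the adjective, and the unchanged line "NX GUI front end" two lines above uses the noun correctly, so the list is now inconsistent with itself. Keep "front end" here.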
@ -223,7 +224,7 @@ There are several opportunities for creating a custom network startup configurat
<itemizedlist>
<listitem><para>No Logon Script.</para></listitem>
<listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
<listitem><para>Use of a conditional Logon Script that applies per user or per group attributes.</para></listitem>
<listitem><para>Use of a conditional Logon Script that applies per-user or per-group attributes.</para></listitem>
<listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
a custom logon script and then execute it.</para></listitem>
<listitem><para>User of a tool such as KixStart.</para></listitem>
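Review bot: the unchanged context line "User of a tool such as KixStart." has a typo ("User of" for "Use of") that this hunk, which already touches the list, should fix. The product's own spelling of its name (KiXtart) is also worth checking while editing the line.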
@ -321,7 +322,7 @@ This is the <filename>genlogon.pl</filename> file:
</para>
<para>
Those wishing to use more elaborate or capable logon processing system should check out these sites:
Those wishing to use a more elaborate or capable logon processing system should check out these sites:
</para>
<itemizedlist>
@ -341,7 +342,7 @@ Printers may be added automatically during logon script processing through the u
&dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
</screen>
See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft knowledgebase article 189105.</ulink>
See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft Knowledge Base article 189105</ulink>.
</para>
</sect2>
@ -356,7 +357,7 @@ See the documentation in the <ulink url="http://support.microsoft.com/default.as
<para>
The Samba <parameter>preexec script</parameter> parameter can be used to permit only one
connection per user. Though this method is not fool-proof, and may have side-effects
connection per user. Though this method is not foolproof and may have side effects,
the following contributed method may inspire someone to provide a better solution.
</para>
@ -368,18 +369,18 @@ See the documentation in the <ulink url="http://support.microsoft.com/default.as
</para>
<para>
The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>:
<programlisting>
The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>.
<programlisting>
[myshare]
...
preexec script = /sbin/PermitSingleLogon.sh
preexec close = Yes
...
</programlisting>
</programlisting>
</para>
<example id="Tpees">
<title>Script to Enforce Single Resource Logon</title>
<title>Script to Enforce Single Resource Logon</title>
<screen>
#!/bin/bash
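Review bot: the listing uses "preexec script = /sbin/PermitSingleLogon.sh", but the smb.conf parameter is "preexec" (with "root preexec" as the privileged variant); testparm flags "preexec script" as an unknown parameter and smbd ignores it, so the example as shown never runs the script. The context sentence with <parameter>preexec script</parameter> above has the same problem. The text should also say which variant is intended: with "preexec" the script runs with the connecting user's credentials, which limits what it can inspect or terminate, whereas "root preexec" runs it as root and its contents then deserve the same scrutiny as any other root-run script. "preexec close = Yes" is the right way to make a non-zero exit refuse the connection.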

View File

@ -12,48 +12,48 @@
<para>
Before you continue reading this section, please make sure that you are comfortable
with configuring a Samba Domain Controller as described in <link linkend="samba-pdc">Domain Control</link>.
with configuring a Samba domain controller as described in <link linkend="samba-pdc">Domain Control</link>.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
This is one of the most difficult chapters to summarize. It does not matter what we say here
This is one of the most difficult chapters to summarize. It does not matter what we say here,
for someone will still draw conclusions and/or approach the Samba Team with expectations
that are either not yet capable of being delivered, or that can be achieved far more
that are either not yet capable of being delivered or that can be achieved far more
effectively using a totally different approach. In the event that you should have a persistent
concern that is not addressed in this book, please email <ulink url="mailto:jht@samba.org">John H. Terpstra</ulink>
clearly setting out your requirements and/or question and we will do our best to provide a solution.
clearly setting out your requirements and/or question, and we will do our best to provide a solution.
</para>
<para>
<indexterm><primary>SAM backend</primary><secondary>LDAP</secondary></indexterm>
Samba-3 is capable of acting as a Backup Domain Controller (BDC) to another Samba Primary Domain
Controller (PDC). A Samba-3 PDC can operate with an LDAP Account backend. The LDAP backend can be
either a common master LDAP server, or a slave server. The use of a slave LDAP server has the
Samba-3 can act as a Backup Domain Controller (BDC) to another Samba Primary Domain
Controller (PDC). A Samba-3 PDC can operate with an LDAP account backend. The LDAP backend can be
either a common master LDAP server or a slave server. The use of a slave LDAP server has the
benefit that when the master is down, clients may still be able to log onto the network.
This effectively gives Samba a high degree of scalability and is an effective solution
for large organizations. If you use an LDAP slave server for a PDC,
you will need to ensure the master's continued availability - if the
slave finds it's master down at the wrong time, you will have
you will need to ensure the master's continued availability &smbmdash; if the
slave finds its master down at the wrong time, you will have
stability and operational problems.
</para>
<para>
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
While it is possible to run a Samba-3 BDC with non-LDAP backend, that
backend must allow some form of 'two way' propagation, of changes
from the BDC to the master. Only LDAP is capable of this at this stage.
While it is possible to run a Samba-3 BDC with a non-LDAP backend, that
backend must allow some form of "two-way" propagation of changes
from the BDC to the master. Only LDAP has such capability at this stage.
</para>
<para>
<indexterm><primary>SAM backend</primary><secondary>non-LDAP</secondary></indexterm>
The use of a non-LDAP backend SAM database is particularly problematic because Domain Member
The use of a non-LDAP backend SAM database is particularly problematic because domain member
servers and workstations periodically change the Machine Trust Account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running
as a BDC, the BDC instance of the Domain Member trust account password will not reach the
as a BDC, the BDC instance of the domain member trust account password will not reach the
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs, this results in
overwriting the SAM that contains the updated (changed) trust account password with resulting
breakage of the domain trust.
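Review bot: "two-way" is wrapped in literal double quotes, while the rest of the document uses the DocBook <quote> element (compare <quote>mouse-over</quote> in the other file in this commit), so the rendered quote style will differ; use <quote>two-way</quote>. Also the unchanged line "accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running" needs a comma after the closing parenthesis.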
@ -62,7 +62,8 @@ breakage of the domain trust.
<para>
Considering the number of comments and questions raised concerning how to configure a BDC,
let's consider each possible option and look at the pros and cons for each possible solution.
<link linkend="pdc-bdc-table">Following table</link> lists possible design configurations for a PDC/BDC infrastructure.
<link linkend="pdc-bdc-table">The Domain Backend Account Distribution Options table below</link> lists
possible design configurations for a PDC/BDC infrastructure.
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
<indexterm><primary>SAM backend</primary><secondary>ldapsam</secondary></indexterm>
<indexterm><primary>SAM backend</primary><secondary>tdbsam</secondary></indexterm>
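Review bot: the link text "The Domain Backend Account Distribution Options table below" hard-codes both the table's title and a position word; if the title changes or the table floats to another page in print, both go stale. <xref linkend="pdc-bdc-table"/> generates the title (and page reference) from the target and needs no maintenance.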
@ -89,14 +90,14 @@ let's consider each possible option and look at the pros and cons for each possi
<entry><para>Single Central LDAP Server</para></entry>
<entry><para>Single Central LDAP Server</para></entry>
<entry><para>
A workable solution without fail-over ability. This is a usable solution, but not optimal.
A workable solution without failover ability. This is a usable solution, but not optimal.
</para></entry>
</row>
<row>
<entry><para>tdbsam</para></entry>
<entry><para>tdbsam + <command>net rpc vampire</command></para></entry>
<entry><para>
Does not work with Samba-3.0; as Samba does not implement the
Does not work with Samba-3.0; Samba does not implement the
server-side protocols required.
</para></entry>
</row>
@ -130,7 +131,7 @@ let's consider each possible option and look at the pros and cons for each possi
<title>Essential Background Information</title>
<para>
A Domain Controller is a machine that is able to answer logon requests from network
A domain controller is a machine that is able to answer logon requests from network
workstations. Microsoft LanManager and IBM LanServer were two early products that
provided this capability. The technology has become known as the LanMan Netlogon service.
</para>
@ -147,19 +148,19 @@ services that are implemented over an intricate spectrum of technologies.
<title>MS Windows NT4-style Domain Control</title>
<para>
Whenever a user logs into a Windows NT4/200x/XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate that
Whenever a user logs into a Windows NT4/200x/XP Professional workstation,
the workstation connects to a domain controller (authentication server) to validate that
the username and password the user entered are valid. If the information entered
does not match account information that has been stored in the Domain
Control database (the SAM, or Security Account Manager database), a set of error
does not match account information that has been stored in the domain
control database (the SAM, or Security Account Manager database), a set of error
codes is returned to the workstation that has made the authentication request.
</para>
<para>
When the username/password pair has been validated, the Domain Controller
When the username/password pair has been validated, the domain controller
(authentication server) will respond with full enumeration of the account information
that has been stored regarding that user in the User and Machine Accounts database
for that Domain. This information contains a complete network access profile for
that has been stored regarding that user in the user and machine accounts database
for that domain. This information contains a complete network access profile for
the user but excludes any information that is particular to the user's desktop profile,
or for that matter it excludes all desktop profiles for groups that the user may
belong to. It does include password time limits, password uniqueness controls,
@ -170,36 +171,36 @@ in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
<para>
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
The account information (user and machine) on Domain Controllers is stored in two files,
one containing the Security information and the other the SAM. These are stored in files
The account information (user and machine) on domain controllers is stored in two files,
one containing the security information and the other the SAM. These are stored in files
by the same name in the <filename>%SystemRoot%\System32\config</filename> directory.
This normally translates to the path <filename>C:\WinNT\System32\config</filename>. These
are the files that are involved in replication of the SAM database where Backup Domain
Controllers are present on the network.
are the files that are involved in replication of the SAM database where BDCs are present
on the network.
</para>
<para>
There are two situations in which it is desirable to install Backup Domain Controllers:
There are two situations in which it is desirable to install BDCs:
</para>
<itemizedlist>
<listitem><para>
On the local network that the Primary Domain Controller is on, if there are many
On the local network that the PDC is on, if there are many
workstations and/or where the PDC is generally very busy. In this case the BDCs
will pick up network logon requests and help to add robustness to network services.
</para></listitem>
<listitem><para>
At each remote site, to reduce wide area network traffic and to add stability to
At each remote site, to reduce wide-area network traffic and to add stability to
remote network operations. The design of the network, the strategic placement of
Backup Domain Controllers, together with an implementation that localizes as much
of network to client interchange as possible will help to minimize wide area network
BDCs, together with an implementation that localizes as much
of network to client interchange as possible will help to minimize wide-area network
bandwidth needs (and thus costs).
</para></listitem>
</itemizedlist>
<para>
The inter-operation of a PDC and its BDCs in a true Windows NT4 environment is worth
The interoperation of a PDC and its BDCs in a true Windows NT4 environment is worth
mentioning here. The PDC contains the master copy of the SAM. In the event that an
administrator makes a change to the user account database while physically present
on the local network that has the PDC, the change will likely be made directly to
@ -207,19 +208,19 @@ the PDC instance of the master copy of the SAM. In the event that this update ma
be performed in a branch office, the change will likely be stored in a delta file
on the local BDC. The BDC will then send a trigger to the PDC to commence the process
of SAM synchronization. The PDC will then request the delta from the BDC and apply
it to the master SAM. The PDC will then contact all the BDCs in the Domain and
it to the master SAM. The PDC will then contact all the BDCs in the domain and
trigger them to obtain the update and then apply that to their own copy of the SAM.
</para>
<para>
Samba-3 can not participate in true SAM replication and is therefore not able to
Samba-3 cannot participate in true SAM replication and is therefore not able to
employ precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will
not create SAM update delta files. It will not inter-operate with a PDC (NT4 or Samba)
not create SAM update delta files. It will not interoperate with a PDC (NT4 or Samba)
to synchronize the SAM from delta files that are held by BDCs.
</para>
<para>
Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 can not
Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 cannot
function correctly as a PDC to an MS Windows NT4 BDC. Both Samba-3 and MS Windows
NT4 can function as a BDC to its own type of PDC.
</para>
@ -227,17 +228,17 @@ NT4 can function as a BDC to its own type of PDC.
<para>
The BDC is said to hold a <emphasis>read-only</emphasis> of the SAM from which
it is able to process network logon requests and authenticate users. The BDC can
continue to provide this service, particularly while, for example, the wide area
continue to provide this service, particularly while, for example, the wide-area
network link to the PDC is down. A BDC plays a very important role in both the
maintenance of Domain Security as well as in network integrity.
maintenance of domain security as well as in network integrity.
</para>
<para>
In the event that the NT4 PDC should need to be taken out of service, or if it dies,
one of the NT4 BDCs can be promoted to a PDC. If this happens while the original NT4 PDC is on
line, it is automatically demoted to an NT4 BDC. This is an important aspect of Domain
Controller management. The tool that is used to effect a promotion or a demotion is the
Server Manager for Domains. It should be noted that Samba-3 BDCs can not be promoted
one of the NT4 BDCs can be promoted to a PDC. If this happens while the original NT4 PDC
is online, it is automatically demoted to an NT4 BDC. This is an important aspect of domain
controller management. The tool that is used to effect a promotion or a demotion is the
Server Manager for Domains. It should be noted that Samba-3 BDCs cannot be promoted
in this manner because reconfiguration of Samba requires changes to the &smb.conf; file.
</para>
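Review bot: the unchanged context line "The BDC is said to hold a <emphasis>read-only</emphasis> of the SAM" is missing its noun ("a read-only copy of the SAM"); since this hunk already reworks the surrounding paragraph, fix it here.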
@ -246,13 +247,14 @@ in this manner because reconfiguration of Samba requires changes to the &smb.con
<para>
Beginning with Version 2.2, Samba officially supports domain logons for all current Windows clients,
including Windows NT4, 2003 and XP Professional. For Samba to be enabled as a PDC, some
parameters in the <smbconfsection name="[global]"/>-section of the &smb.conf; have to be set.
Refer to <link linkend="minimalPDC">following configuration</link> for an example of the minimum required settings.
including Windows NT4, 2003, and XP Professional. For Samba to be enabled as a PDC, some
parameters in the <smbconfsection name="[global]"/> section of the &smb.conf; have to be set.
Refer to <link linkend="minimalPDC">the Minimal smb.conf for a PDC in Use with a BDC &smbmdash; LDAP Server on
PDC section</link> for an example of the minimum required settings.
</para>
<example id="minimalPDC">
<title>Minimal smb.conf for a PDC in Use With a BDC &smbmdash; LDAP Server on PDC.</title>
<title>Minimal smb.conf for a PDC in Use with a BDC &smbmdash; LDAP Server on PDC</title>
<smbconfblock>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="passdb backend">ldapsam://localhost:389</smbconfoption>
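Review bot: the context line "passdb backend = ldapsam://localhost:389" does not match the form used for the same parameter later in this file, ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org" (backend name, colon, then an ldap:// URI). As written the part after "ldapsam:" is "//localhost:389", which is not an ldap:// URI, so a PDC built from this "minimal" example would need checking against what smbd actually accepts; "ldapsam:ldap://localhost:389" is the consistent form. The new link text that spells out the full example title (including &smbmdash;) has the same maintenance problem as the table link earlier; <xref linkend="minimalPDC"/> would generate it.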
@ -276,7 +278,7 @@ chapter; for more information please refer to <link linkend="samba-pdc">Domain C
<para>
When configuring a master and a slave LDAP server, it is advisable to use the master LDAP server
for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers, however,
for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers; however,
many administrators will want to do so in order to provide redundant services. Of course, one or more BDCs
may use any slave LDAP server. Then again, it is entirely possible to use a single LDAP server for the
entire network.
@ -292,12 +294,12 @@ subjectAltName certificate extension. More details on server certificate names a
<para>
It does not really fit within the scope of this document, but a working LDAP installation is
basic to LDAP enabled Samba operation. When using an OpenLDAP server with Transport Layer Security
basic to LDAP-enabled Samba operation. When using an OpenLDAP server with Transport Layer Security
(TLS), the machine name in <filename>/etc/ssl/certs/slapd.pem</filename> must be the
same as in <filename>/etc/openldap/sldap.conf</filename>. The Red Hat Linux startup script
creates the <filename>slapd.pem</filename> file with hostname <quote>localhost.localdomain.</quote>
It is impossible to access this LDAP server from a slave LDAP server (i.e., a Samba BDC) unless the
certificate is recreated with a correct hostname.
certificate is re-created with a correct hostname.
</para>
<para>
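Review bot: the unchanged context line names "/etc/openldap/sldap.conf", which reads as a transposition of slapd.conf (the OpenLDAP server configuration, matching the slapd.pem file named on the same line). Since the paragraph's whole point is that the TLS certificate hostname must match what the server is configured with, a misspelled file name sends the reader to a file that does not exist; fix it in this hunk.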
@ -305,7 +307,7 @@ For preference, do not install a Samba PDC on a OpenLDAP slave server. Joining c
will fail in this configuration because the change to the machine account in the LDAP tree
must take place on the master LDAP server. This is not replicated rapidly enough to the slave
server that the PDC queries. It therefore gives an error message on the client machine about
not being able to set up account credentials. The machine account is created on the LDAP server
not being able to set up account credentials. The machine account is created on the LDAP server,
but the password fields will be empty. Unfortunately, some sites are
unable to avoid such configurations, and these sites should review the
<smbconfoption name="ldap replication sleep"/> parameter, intended to slow down Samba sufficiently
@ -339,17 +341,15 @@ Possible PDC/BDC plus LDAP configurations include:
</itemizedlist>
<para>
In order to have a fall-back configuration (secondary) LDAP server one would specify
the secondary LDAP server in the &smb.conf; file as shown in <link linkend="mulitldapcfg">following example</link>.
In order to have a fallback configuration (secondary) LDAP server, you would specify
the secondary LDAP server in the &smb.conf; file as shown in <link linkend="mulitldapcfg">the Multiple LDAP
Servers in &smb.conf; example</link>.
</para>
<example id="mulitldapcfg">
<title>Multiple LDAP Servers in &smb.conf;</title>
<smbconfblock>
<member>...</member>
<smbconfoption name="passdb backend"> </smbconfoption>
<member><parameter>ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</parameter></member>
<member>...</member>
<smbconfoption name="passdb backend">ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</smbconfoption>
</smbconfblock>
</example>
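Review bot: the example id "mulitldapcfg" (transposed "multi") is carried into the new <link linkend="mulitldapcfg">; since this hunk rewrites the reference and touches the example, it is the moment to rename the id in both places. The long link text also repeats the example title verbatim; <xref linkend=...> would generate it and stay correct if the title changes.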
@ -361,9 +361,9 @@ the secondary LDAP server in the &smb.conf; file as shown in <link linkend="muli
<para>
As of the release of MS Windows 2000 and Active Directory, this information is now stored
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is not able to be a Domain Controller within an Active Directory
can be delegated. Samba-3 is not able to be a domain controller within an Active Directory
tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot
act as a Backup Domain Controller to an Active Directory Domain Controller.
act as a BDC to an Active Directory domain controller.
</para>
</sect2>
@ -372,27 +372,27 @@ act as a Backup Domain Controller to an Active Directory Domain Controller.
<title>What Qualifies a Domain Controller on the Network?</title>
<para>
Every machine that is a Domain Controller for the domain MIDEARTH has to register the NetBIOS
Every machine that is a domain controller for the domain MIDEARTH has to register the NetBIOS
group name MIDEARTH&lt;#1c&gt; with the WINS server and/or by broadcast on the local network.
The PDC also registers the unique NetBIOS name MIDEARTH&lt;#1b&gt; with the WINS server.
The name type &lt;#1b&gt; name is normally reserved for the Domain Master Browser, a role
that has nothing to do with anything related to authentication, but the Microsoft Domain
implementation requires the Domain Master Browser to be on the same machine as the PDC.
The name type &lt;#1b&gt; name is normally reserved for the Domain Master Browser (DMB), a role
that has nothing to do with anything related to authentication, but the Microsoft domain
implementation requires the DMB to be on the same machine as the PDC.
</para>
<para>
Where a WINS server is not used, broadcast name registrations alone must suffice. Refer to
<link linkend="netdiscuss">Network Browsing: Discussion</link> for more information regarding TCP/IP network protocols and how
SMB/CIFS names are handled.
<link linkend="NetworkBrwosing">Network Browsing</link>,<link linkend="netdiscuss">Discussion</link>
for more information regarding TCP/IP network protocols and how SMB/CIFS names are handled.
</para>
</sect2>
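Review bot: the new linkend "NetworkBrwosing" looks like a transposition of "NetworkBrowsing"; unless a chapter really carries that id, the build will report an unresolved link, so verify the id before merging. There is also no space after the comma between the two <link> elements ("</link>,<link"), so the rendered text runs "Network Browsing,Discussion" together; "the Discussion section of the Network Browsing chapter" would read better.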
<sect2>
<title>How does a Workstation find its Domain Controller?</title>
<title>How Does a Workstation find its Domain Controller?</title>
<para>
There are two different mechanisms to locate a domain controller, one method is used when
There are two different mechanisms to locate a domain controller: one method is used when
NetBIOS over TCP/IP is enabled and the other when it has been disabled in the TCP/IP
network configuration.
</para>
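Review bot: the retitled section "How Does a Workstation find its Domain Controller?" is only half title-cased; "Find Its" for consistency with "How Does".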
@ -408,12 +408,12 @@ environment all machines require appropriate DNS entries. More information may b
<title>NetBIOS Over TCP/IP Enabled</title>
<para>
An MS Windows NT4/200x/XP Professional workstation in the domain MIDEARTH that wants a
local user to be authenticated has to find the Domain Controller for MIDEARTH. It does this
local user to be authenticated has to find the domain controller for MIDEARTH. It does this
by doing a NetBIOS name query for the group name MIDEARTH&lt;#1c&gt;. It assumes that each
of the machines it gets back from the queries is a Domain Controller and can answer logon
requests. To not open security holes, both the workstation and the selected Domain Controller
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes, both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller for validation.
password) to the local domain controller for validation.
</para>
</sect3>
@ -423,7 +423,7 @@ password) to the local Domain Controller for validation.
<para>
An MS Windows NT4/200x/XP Professional workstation in the realm <constant>quenya.org</constant>
that has a need to affect user logon authentication will locate the Domain Controller by
that has a need to affect user logon authentication will locate the domain controller by
re-querying DNS servers for the <constant>_ldap._tcp.pdc._msdcs.quenya.org</constant> record.
More information regarding this subject may be found in <link linkend="adsdnstech">DNS and Active Directory</link>.
</para>
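Review bot: "has a need to affect user logon authentication" should be "effect" (or simply "perform"), since the workstation carries out the authentication rather than influencing it; this wording was kept while the line was being edited for capitalization.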
@ -437,7 +437,7 @@ More information regarding this subject may be found in <link linkend="adsdnstec
<para>
The creation of a BDC requires some steps to prepare the Samba server before
&smbd; is executed for the first time. These steps are outlines as follows:
&smbd; is executed for the first time. These steps are as follows:
<indexterm><primary>SID</primary></indexterm>
</para>
@ -446,9 +446,9 @@ The creation of a BDC requires some steps to prepare the Samba server before
The domain SID has to be the same on the PDC and the BDC. In Samba versions
pre-2.2.5, the domain SID was stored in the file <filename>private/MACHINE.SID</filename>.
The domain SID is now stored in the file <filename>private/secrets.tdb</filename>. This file
is unique to each server and can not be copied from a PDC to a BDC, the BDC will generate
a new SID at start-up. It will over-write the PDC domain SID with the newly created BDC SID.
There is a procedure that will allow the BDC to aquire the Domain SID. This is described here.
is unique to each server and cannot be copied from a PDC to a BDC; the BDC will generate
a new SID at startup. It will overwrite the PDC domain SID with the newly created BDC SID.
There is a procedure that will allow the BDC to aquire the domain SID. This is described here.
</para>
<para>
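Review bot: the typo "aquire" survives in the rewritten line "There is a procedure that will allow the BDC to aquire the domain SID." and should read "acquire". The sentence "This is described here." also has no link or reference target, so the reader cannot tell where the procedure is; pointing it at the relevant section with a `<link linkend="..."/>` would help.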
@ -508,11 +508,12 @@ The creation of a BDC requires some steps to prepare the Samba server before
<title>Example Configuration</title>
<para> Finally, the BDC has to be found by the workstations. This can be
done by setting Samba as shown in <link linkend="minim-bdc">the next example</link>.
done by configuring the Samba &smb.conf; file <smbconfsection name="[global]"/> section
as shown in <link linkend="minim-bdc">Minimal Setup for Being a BDC</link>.
</para>
<example id="minim-bdc">
<title>Minimal setup for being a BDC</title>
<title>Minimal Setup for Being a BDC</title>
<smbconfblock>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="passdb backend">ldapsam:ldap://slave-ldap.quenya.org</smbconfoption>
@ -523,13 +524,12 @@ done by setting Samba as shown in <link linkend="minim-bdc">the next example</li
</example>
<para>
In the <smbconfsection name="[global]"/>-section of the &smb.conf; of the BDC. This makes the BDC
only register the name MIDEARTH&lt;#1c&gt; with the WINS server. This is no
problem as the name MIDEARTH&lt;#1c&gt; is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter
This configuration causes the BDC to register only the name MIDEARTH&lt;#1c&gt; with the
WINS server. This is not a problem, as the name MIDEARTH&lt;#1c&gt; is a NetBIOS group name
that is meant to be registered by more than one machine. The parameter
<smbconfoption name="domain master">no</smbconfoption>
forces the BDC not to register <?latex \linebreak ?>MIDEARTH&lt;#1b&gt; which as a unique NetBIOS
name is reserved for the Primary Domain Controller.
forces the BDC not to register MIDEARTH&lt;#1b&gt;, which is a unique NetBIOS name that
is reserved for the PDC.
</para>
<para>
@ -542,19 +542,19 @@ use the LDAP database to resolve all UIDs and GIDs for UNIX accounts.
<note><para>
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it
allows greater flexibility in how user and group IDs are handled in respect to NT Domain User and Group
allows greater flexibility in how user and group IDs are handled in respect to NT domain user and group
SIDs. One of the new facilities provides for explicitly ensuring that UNIX/Linux UID and GID values
will be consistent on the PDC, all BDCs and all Domain Member servers. The parameter that controls this
will be consistent on the PDC, all BDCs, and all domain member servers. The parameter that controls this
is called <parameter>idmap backend</parameter>. Please refer to the man page for &smb.conf; for more information
regarding its behavior.
</para></note>
<para>
The use of the <smbconfoption name="idmap backend">ldap:ldap://master.quenya.org</smbconfoption>
option on a BDC only make sense where ldapsam is used on a PDC. The purpose for an LDAP based idmap backend is
also to allow a domain-member (without its own passdb backend) to use winbindd to resolve Windows network users
and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on Domain
Member servers.
option on a BDC only makes sense where ldapsam is used on a PDC. The purpose of an LDAP-based idmap backend is
also to allow a domain member (without its own passdb backend) to use winbindd to resolve Windows network users
and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on domain
member servers.
</para>
</sect2>
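Review bot: "in respect to NT domain user and group SIDs" should be "with respect to", and "common UID/GIDs" reads better as "common UIDs/GIDs"; both phrases were touched in this hunk for capitalization but the wording was left as is.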
@ -564,9 +564,9 @@ Member servers.
<title>Common Errors</title>
<para>
As this is a rather new area for Samba, there are not many examples that we may refer to.
As domain control is a rather new area for Samba, there are not many examples that we may refer to.
Updates will be published as they become available and may be found in later Samba releases or
from the Samba web <ulink url="http://samba.org">site.</ulink>
from the Samba Web <ulink url="http://samba.org">site</ulink>.
</para>
<sect2>
@ -575,18 +575,18 @@ from the Samba web <ulink url="http://samba.org">site.</ulink>
<para>
<indexterm><primary>Machine Trust Accounts</primary></indexterm>
This problem will occur when the passdb (SAM) files are copied from a central
server but the local Backup Domain Controller is acting as a PDC. This results in the application of
server but the local BDC is acting as a PDC. This results in the application of
Local Machine Trust Account password updates to the local SAM. Such updates
are not copied back to the central server. The newer machine account password is then over
written when the SAM is re-copied from the PDC. The result is that the Domain Member machine
on start up will find that its passwords do not match the one now in the database and
are not copied back to the central server. The newer machine account password is then
overwritten when the SAM is recopied from the PDC. The result is that the domain member machine
on startup will find that its passwords do not match the one now in the database, and
since the startup security check will now fail, this machine will not allow logon attempts
to proceed and the account expiry error will be reported.
</para>
<para>
The solution is to use a more robust passdb backend, such as the ldapsam backend, setting up
a slave LDAP server for each BDC, and a master LDAP server for the PDC.
a slave LDAP server for each BDC and a master LDAP server for the PDC.
</para>
</sect2>
@ -619,7 +619,7 @@ has to be replicated to the BDC. So replicating the smbpasswd file very often is
</para>
<para>
As the smbpasswd file contains plain text password equivalents, it must not be
As the smbpasswd file contains plaintext password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
<command>ssh</command> itself can be set up to accept <emphasis>only</emphasis>
@ -639,8 +639,8 @@ accounts will go out of sync, resulting in a broken domain. This method is
<para>
The simple answer is yes. Samba's pdb_ldap code supports binding to a replica
LDAP server, and will also follow referrals and re-bind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read only, so
LDAP server and will also follow referrals and rebind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read-only, so
this will not occur often).
</para>

View File

@ -11,10 +11,10 @@
<title>Features and Benefits</title>
<para>
The Samba project is over ten years old. During the early history
The Samba project is over 10 years old. During the early history
of Samba, UNIX administrators were its key implementors. UNIX administrators
will use UNIX system tools to backup UNIX system files. Over the past
four years, an increasing number of Microsoft network administrators have
use UNIX system tools to backup UNIX system files. Over the past
4 years, an increasing number of Microsoft network administrators have
taken an interest in Samba. This is reflected in the questions about backup
in general on the Samba mailing lists.
</para>
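Review bot: "use UNIX system tools to backup UNIX system files" uses the noun form as a verb; it should be "to back up". Changing "four years" to "4 years" also runs against the usual convention of spelling out numbers below ten in running text, so either keep "four" or make sure the style guide this commit follows really wants numerals here.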
@ -27,7 +27,7 @@ in general on the Samba mailing lists.
<para>
During discussions at a Microsoft Windows training course, one of
the pro-UNIX delegates stunned the class when he pointed out that Windows
NT4 is so limiting compared with UNIX. He likened UNIX to a Meccano set
NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set
that has an unlimited number of tools that are simple, efficient,
and, in combination, capable of achieving any desired outcome.
</para>
@ -42,7 +42,7 @@ intent is preferred by some like her.
<para>
Please note that all information here is provided as is and without recommendation
of fitness or suitability. The network administrator is strongly encouraged to
perform due-diligence research before implementing any backup solution, whether free
perform due diligence research before implementing any backup solution, whether free
software or commercial.
</para>
@ -62,21 +62,21 @@ The following three free software projects might also merit consideration.
<para>
<indexterm><primary>BackupPC</primary></indexterm>
BackupPC version 2.0.0 has been released on <ulink url="http://backuppc.sourceforge.net">SourceForge.</ulink>
BackupPC version 2.0.0 has been released on <ulink url="http://backuppc.sourceforge.net">SourceForge</ulink>.
New features include support for <command>rsync/rsyncd</command> and internationalization of the CGI interface
(including English, French, Spanish, and German).
</para>
<para>
BackupPC is a high-performance Perl-based package for backing up Linux,
UNIX or Windows PCs and laptops to a server's disk. BackupPC is highly
UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly
configurable and easy to install and maintain. SMB (via smbclient),
<command>tar</command> over <command>rsh/ssh</command> or <command>rsync/rsyncd</command>
<command>tar</command> over <command>rsh/ssh</command>, or <command>rsync/rsyncd</command>
are used to extract client data.
</para>
<para>
Given the ever decreasing cost of disks and raid systems, it is now
Given the ever-decreasing cost of disks and RAID systems, it is now
practical and cost effective to backup a large number of machines onto
a server's local disk or network storage. This is what BackupPC does.
</para>
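Review bot: the unchanged context line "practical and cost effective to backup a large number of machines" has the same two problems fixed elsewhere in this file: "cost-effective" needs a hyphen as a compound adjective, and "backup" as a verb should be "back up".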
@ -89,8 +89,8 @@ The following three free software projects might also merit consideration.
<para>
BackupPC is free software distributed under a GNU GPL license.
BackupPC runs on Linux/UNIX/freenix servers, and has been tested
on Linux, UNIX, Windows 9x/ME, Windows 98, Windows 200x, Windows XP, and Mac OSX clients.
BackupPC runs on Linux/UNIX/freenix servers and has been tested
on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients.
</para>
</sect2>
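Review bot: "Windows 9x/Me, Windows 98" is redundant, since 9x already covers 98; the list should drop "Windows 98". "Mac OSX" is also conventionally written "Mac OS X".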
@ -175,7 +175,7 @@ The following three free software projects might also merit consideration.
<para>
For more information regarding Amanda, please check the <ulink url="http://www.amanda.org/">
www.amanda.org/ site.</ulink>
www.amanda.org/ site</ulink>.
</para>
</sect2>
@ -193,7 +193,7 @@ The following three free software projects might also merit consideration.
<para>
The home page for BOBS is located at <ulink url="http://bobs.sourceforge.net/">
bobs.sourceforge.net.</ulink>
bobs.sourceforge.net</ulink>.
</para>
</sect2>

File diff suppressed because it is too large Load Diff

View File

@ -14,19 +14,19 @@
<title>Domain Membership</title>
<para>
Domain Membership is a subject of vital concern. Samba must be able to
participate as a member server in a Microsoft Domain Security context, and
Samba must be capable of providing Domain machine member trust accounts,
Domain membership is a subject of vital concern. Samba must be able to
participate as a member server in a Microsoft domain security context, and
Samba must be capable of providing domain machine member trust accounts;
otherwise it would not be able to offer a viable option for many users.
</para>
<para>
This chapter covers background information pertaining to Domain Membership,
This chapter covers background information pertaining to domain membership,
the Samba configuration for it, and MS Windows client procedures for joining a
domain. Why is this necessary? Because both are areas in which there exists
within the current MS Windows networking world and particularly in the
within the current MS Windows networking world, and particularly in the
UNIX/Linux networking and administration world, a considerable level of
misinformation, incorrect understanding and a lack of knowledge. Hopefully
misinformation, incorrect understanding, and lack of knowledge. Hopefully
this chapter will fill the voids.
</para>
@ -34,19 +34,19 @@ this chapter will fill the voids.
<title>Features and Benefits</title>
<para>
MS Windows workstations and servers that want to participate in Domain Security need to
be made Domain Members. Participating in Domain Security is often called
<emphasis>Single Sign On</emphasis> or <acronym>SSO</acronym> for short. This
MS Windows workstations and servers that want to participate in domain security need to
be made domain members. Participating in domain security is often called
<emphasis>single sign-on</emphasis>, or <acronym>SSO</acronym> for short. This
chapter describes the process that must be followed to make a workstation
(or another server &smbmdash; be it an <application>MS Windows NT4 / 200x</application>
server) or a Samba server a member of an MS Windows Domain Security context.
(or another server &smbmdash; be it an <application>MS Windows NT4/200x</application>
server) or a Samba server a member of an MS Windows domain security context.
</para>
<para>
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
Samba-3 can join an MS Windows NT4-style domain as a native member server, an
MS Windows Active Directory Domain as a native member server, or a Samba Domain
Control network. Domain Membership has many advantages:
MS Windows Active Directory domain as a native member server, or a Samba domain
control network. Domain membership has many advantages:
</para>
<itemizedlist>
@ -58,18 +58,18 @@ Control network. Domain Membership has many advantages:
<listitem><para>
Domain user access rights and file ownership/access controls can be set
from the single Domain Security Account Manager (SAM) database
(works with Domain Member servers as well as with MS Windows workstations
that are Domain Members).
(works with domain member servers as well as with MS Windows workstations
that are domain members).
</para></listitem>
<listitem><para>
Only <application>MS Windows NT4/200x/XP Professional</application>
workstations that are Domain Members can use network logon facilities.
workstations that are domain members can use network logon facilities.
</para></listitem>
<listitem><para>
Domain Member workstations can be better controlled through the use of
Policy files (<filename>NTConfig.POL</filename>) and Desktop Profiles.
Domain member workstations can be better controlled through the use of
policy files (<filename>NTConfig.POL</filename>) and desktop profiles.
</para></listitem>
<listitem><para>
@ -80,8 +80,8 @@ Control network. Domain Membership has many advantages:
<listitem><para>
Network administrators gain better application and user access management
abilities because there is no need to maintain user accounts on any network
client or server, other than the central Domain database
(either NT4/Samba SAM style Domain, NT4 Domain that is backend-ed with an
client or server other than the central domain database
(either NT4/Samba SAM-style domain, NT4 domain that is backend-ed with an
LDAP directory, or via an Active Directory infrastructure).
</para></listitem>
</itemizedlist>
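Review bot: "NT4 domain that is backend-ed with an LDAP directory" is awkward; "NT4 domain backed by an LDAP directory" says the same thing without the coined verb.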
@ -94,22 +94,22 @@ Control network. Domain Membership has many advantages:
<para>
<indexterm><primary>Machine Trust Accounts</primary></indexterm>
A Machine Trust Account is an account that is used to authenticate a client
machine (rather than a user) to the Domain Controller server. In Windows terminology,
this is known as a <quote>Computer Account.</quote> The purpose of the machine account
is to prevent a rogue user and Domain Controller from colluding to gain access to a
machine (rather than a user) to the domain controller server. In Windows terminology,
this is known as a <quote>computer account.</quote> The purpose of the machine account
is to prevent a rogue user and domain controller from colluding to gain access to a
domain member workstation.
</para>
<para>
The password of a Machine Trust Account acts as the shared secret for
secure communication with the Domain Controller. This is a security
secure communication with the domain controller. This is a security
feature to prevent an unauthorized machine with the same NetBIOS name
from joining the domain and gaining access to domain user/group
accounts. Windows NT/200x/XP Professional clients use machine trust
accounts, but Windows 9x/Me/XP Home clients do not. Hence, a
Windows 9x/Me/XP Home client is never a true member of a Domain
Windows 9x/Me/XP Home client is never a true member of a domain
because it does not possess a Machine Trust Account, and, thus, has no
shared secret with the Domain Controller.
shared secret with the domain controller.
</para>
<para>
@ -121,8 +121,8 @@ as follows:
<itemizedlist>
<listitem><para>
A Domain Security Account (stored in the
<smbconfoption name="passdb backend"/> that has been configured in the
A domain security account (stored in the
<smbconfoption name="passdb backend"/>) that has been configured in the
&smb.conf; file. The precise nature of the account information that is
stored depends on the type of backend database that has been chosen.
</para>
@ -130,12 +130,12 @@ as follows:
<para>
The older format of this data is the <filename>smbpasswd</filename> database
that contains the UNIX login ID, the UNIX user identifier (UID), and the
LanMan and NT encrypted passwords. There is also some other information in
LanMan and NT-encrypted passwords. There is also some other information in
this file that we do not need to concern ourselves with here.
</para>
<para>
The two newer database types are called ldapsam, and
The two newer database types are called ldapsam and
tdbsam. Both store considerably more data than the
older <filename>smbpasswd</filename> file did. The extra information
enables new user account controls to be implemented.
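Review bot: "LanMan and NT-encrypted passwords" is inaccurate and, with the new hyphen, reads as if only the NT form is protected. The smbpasswd file stores the LanMan and NT password hashes, which the BDC chapter in this same commit correctly calls "plaintext password equivalents"; "the LanMan and NT password hashes" would be both accurate and consistent.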
@ -163,8 +163,8 @@ There are three ways to create Machine Trust Accounts:
<listitem><para>
<indexterm><primary>Server Manager</primary></indexterm>
Using the MS Windows NT4 Server Manager, either from an NT4 Domain Member
server, or using the Nexus toolkit available from the Microsoft Web site.
Using the MS Windows NT4 Server Manager, either from an NT4 domain member
server or using the Nexus toolkit available from the Microsoft Web site.
This tool can be run from any MS Windows machine as long as the user is
logged on as the administrator account.
</para></listitem>
@ -200,8 +200,8 @@ a Linux-based Samba server:
</para>
<para>In the example above there is an existing system group <quote>machines</quote> which is used
as the primary group for all machine accounts. In the following examples the <quote>machines</quote> group has
numeric GID equal 100.</para>
as the primary group for all machine accounts. In the following examples the <quote>machines</quote> group
numeric GID is 100.</para>
<para>
<indexterm><primary>chpass</primary></indexterm>
@ -217,7 +217,7 @@ On *BSD systems, this can be done using the <command>chpass</command> utility:
<para>
The <filename>/etc/passwd</filename> entry will list the machine name
with a <quote>$</quote> appended, will not have a password, will have a null shell and no
with a <quote>$</quote> appended, and will not have a password, will have a null shell and no
home directory. For example, a machine named <quote>doppy</quote> would have an
<filename>/etc/passwd</filename> entry like this:
</para>
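Review bot: inserting "and" after the first item breaks the list: "with a $ appended, and will not have a password, will have a null shell and no home directory". Suggest "will have a $ appended, no password, a null shell, and no home directory". Note also that the entry in the following listing uses /bin/false rather than an empty shell field, so "a non-login shell" would describe the example more precisely than "a null shell".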
@ -227,8 +227,8 @@ doppy$:x:505:100:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/fals
</programlisting>
<para>
Above, <replaceable>machine_nickname</replaceable> can be any
descriptive name for the client, i.e., BasementComputer.
in which <replaceable>machine_nickname</replaceable> can be any
descriptive name for the client, such as BasementComputer.
<replaceable>machine_name</replaceable> absolutely must be the NetBIOS
name of the client to be joined to the domain. The <quote>$</quote> must be
appended to the NetBIOS name of the client or Samba will not recognize
@ -278,7 +278,7 @@ information to such clients. You have been warned!
<para>
A working <smbconfoption name="add machine script"/> is essential
for machine trust accounts to be automatically created. This applies no matter whether
one uses automatic account creation, or if one wishes to use the NT4 Domain Server Manager.
you use automatic account creation or the NT4 Domain Server Manager.
</para>
<para>
@ -292,9 +292,9 @@ and <command>UsrMgr.exe</command> (both are domain management tools for MS Windo
<para>
<indexterm><primary>Nexus.exe</primary></indexterm>
If your workstation is a <application>Microsoft Windows 9x/Me</application> family product
you should download the <command>Nexus.exe</command> package from the Microsoft web site.
When executed from the target directory this will unpack the same tools but for use on
If your workstation is a <application>Microsoft Windows 9x/Me</application> family product,
you should download the <command>Nexus.exe</command> package from the Microsoft Web site.
When executed from the target directory, it will unpack the same tools but for use on
this platform.
</para>
@ -304,8 +304,10 @@ Further information about these tools may be obtained from the following locatio
<para>
<simplelist>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673"/></member>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540"/></member>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673">Knowledge
Base article 173673</ulink></member>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540">Knowledge
Base article 172540</ulink></member>
</simplelist>
</para>
@ -358,7 +360,7 @@ is joined to the domain.
<para>Since each Samba Machine Trust Account requires a corresponding UNIX account, a method
for automatically creating the UNIX account is usually supplied; this requires configuration of the
add machine script option in &smb.conf;. This method is not required, however, corresponding UNIX
add machine script option in &smb.conf;. This method is not required; however, corresponding UNIX
accounts may also be created manually.
</para>
@ -367,11 +369,11 @@ accounts may also be created manually.
Here is an example for a Red Hat Linux system.
</para>
<para><smbconfblock>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfcomment>&lt;...remainder of parameters...&gt;</smbconfcomment>
<smbconfoption name="add machine script">/usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</smbconfoption>
</smbconfblock></para>
</smbconfblock>
</sect2>
@ -388,27 +390,27 @@ with the version of Windows.
<title>Windows 200x/XP Professional Client</title>
<para>
When the user elects to make the client a Domain Member, Windows 200x prompts for
When the user elects to make the client a domain member, Windows 200x prompts for
an account and password that has privileges to create machine accounts in the domain.
A Samba Administrator Account (i.e., a Samba account that has <constant>root</constant> privileges on the
A Samba administrator account (i.e., a Samba account that has <constant>root</constant> privileges on the
Samba server) must be entered here; the operation will fail if an ordinary user
account is given.
</para>
<para>
For security reasons, the password for this Administrator Account should be set
For security reasons, the password for this administrator account should be set
to a password that is other than that used for the root user in <filename>/etc/passwd</filename>.
</para>
<para>
The name of the account that is used to create Domain Member machine accounts can be
anything the network administrator may choose. If it is other than <constant>root</constant>
The name of the account that is used to create domain member machine accounts can be
anything the network administrator may choose. If it is other than <constant>root</constant>,
then this is easily mapped to <constant>root</constant> in the file named in the &smb.conf; parameter
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>.
</para>
<para>
The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust
The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust
account. The Machine Trust Account will be created on-the-fly, or updated if it already exists.
</para>
</sect3>
@ -425,9 +427,9 @@ with the version of Windows.
</para>
<para>
If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain
If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain
name and check the box <guilabel>Create a Computer Account in the Domain</guilabel>. In this case, joining
the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when
the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when
prompted).
</para>
</sect3>
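Review bot: this hunk changes "on-the-fly" to "on the fly", but the previous hunk keeps "The Machine Trust Account will be created on-the-fly, or updated if it already exists." in the same section; the two should be made consistent.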
@ -436,7 +438,7 @@ with the version of Windows.
<title>Samba Client</title>
<para>Joining a Samba client to a domain is documented in
<link linkend="domain-member-server">Domain Member Server</link>.
the next section<link linkend="domain-member-server"></link>.
</para>
</sect3>
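Review bot: the new text "the next section<link linkend="domain-member-server"></link>." replaces a working cross-reference with an empty link element and no space before it, so it will either render as "the next section" with nothing linked or as the words run together with generated link text. Keep the original form, `<link linkend="domain-member-server">Domain Member Server</link>`, or use `<xref linkend="domain-member-server"/>` if the intent is to let the processor generate the title.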
@ -465,7 +467,7 @@ Server, and so on.
</para>
<note><para>
When Samba is configured to use an LDAP, or other identity management and/or
When Samba is configured to use an LDAP or other identity management and/or
directory service, it is Samba that continues to perform user and machine
authentication. It should be noted that the LDAP server does not perform
authentication handling in place of what Samba is designed to do.
@ -473,15 +475,15 @@ authentication handling in place of what Samba is designed to do.
<para>
Please refer to <link linkend="samba-pdc">Domain Control</link>, for more information regarding
how to create a domain machine account for a Domain Member server as well as for
information on how to enable the Samba Domain Member machine to join the domain
how to create a domain machine account for a domain member server as well as for
information on how to enable the Samba domain member machine to join the domain
and be fully trusted by it.
</para>
<sect2>
<title>Joining an NT4-type Domain with Samba-3</title>
<para><link linkend="assumptions">Next table</link> lists names that have been used in the remainder of this chapter.</para>
<para><link linkend="assumptions">Assumptions</link> lists names that have been used in the remainder of this chapter.</para>
<table frame="all" id="assumptions"><title>Assumptions</title>
<tgroup cols="2">
@ -509,27 +511,22 @@ First, you must edit your &smb.conf; file to tell Samba it should now use domain
</para>
<para>
Change (or add) your
<smbconfoption name="security"/> line in the [global] section
Change (or add) your <smbconfoption name="security"/> line in the [global] section
of your &smb.conf; to read:
</para>
<para>
<smbconfblock>
<smbconfoption name="security">domain</smbconfoption>
</smbconfblock>
</para>
<para>
Next change the <smbconfoption name="workgroup"/> line in the <smbconfsection name="[global]"/>
section to read:
</para>
<para>
<smbconfblock>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
</smbconfblock>
</para>
<para>
This is the name of the domain we are joining.
@ -547,14 +544,12 @@ Finally, add (or modify) a <smbconfoption name="password server"/> line in the [
section to read:
</para>
<para>
<smbconfblock>
<smbconfoption name="password server">DOMPDC DOMBDC1 DOMBDC2</smbconfoption>
</smbconfblock>
</para>
<para>
These are the primary and backup Domain Controllers Samba
These are the PDC and BDCs Samba
will attempt to contact in order to authenticate users. Samba will
try to contact each of these servers in order, so you may want to
rearrange this list in order to spread out the authentication load
@ -563,21 +558,19 @@ among Domain Controllers.
<para>
Alternately, if you want smbd to automatically determine
the list of Domain Controllers to use for authentication, you may
the list of domain controllers to use for authentication, you may
set this line to be:
</para>
<para>
<smbconfblock>
<smbconfoption name="password server">*</smbconfoption>
</smbconfblock>
</para>
<para>
This method allows Samba to use exactly the same mechanism that NT does. The
method either uses broadcast-based name resolution, performs a WINS database
lookup in order to find a Domain Controller against which to authenticate,
or locates the Domain Controller using DNS name resolution.
lookup in order to find a domain controller against which to authenticate,
or locates the domain controller using DNS name resolution.
</para>
<para>
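Review bot: "Alternately" in the unchanged context line means "in turns"; "Alternatively" is the word intended here.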
@ -596,11 +589,11 @@ If the <option>-S DOMPDC</option> argument is not given, the domain name will be
<para>
The machine is joining the domain DOM, and the PDC for that domain (the only machine
that has write access to the domain SAM database) is DOMPDC, therefore use the <option>-S</option>
that has write access to the domain SAM database) is DOMPDC; therefore, use the <option>-S</option>
option. The <replaceable>Administrator%password</replaceable> is the login name and
password for an account that has the necessary privilege to add machines to the
domain. If this is successful, you will see the message in your terminal window the
text shown below. Where the older NT4 style domain architecture is used:
domain. If this is successful, you will see the following message in your terminal window.
Where the older NT4-style domain architecture is used:
<screen>
<computeroutput>Joined domain DOM.</computeroutput>
</screen>
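Review bot: the rewrite leaves a sentence fragment before the `<screen>` block: "If this is successful, you will see the following message in your terminal window. Where the older NT4-style domain architecture is used:". Join them, for example "If this is successful, you will see the following message in your terminal window; where the older NT4-style domain architecture is used, it reads:".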
@ -635,7 +628,7 @@ or
<para>
This file is created and owned by root and is not readable by any other user. It is
the key to the Domain-level security for your system, and should be treated as carefully
the key to the domain-level security for your system and should be treated as carefully
as a shadow password file.
</para>
@ -656,8 +649,8 @@ but in most cases the following will suffice:
<para>
Currently, domain security in Samba does not free you from
having to create local UNIX users to represent the users attaching
to your server. This means that if Domain user <constant>DOM\fred
</constant> attaches to your Domain Security Samba server, there needs
to your server. This means that if domain user <constant>DOM\fred
</constant> attaches to your domain security Samba server, there needs
to be a local UNIX user fred to represent that user in the UNIX
file system. This is similar to the older Samba security mode
<smbconfoption name="security">server</smbconfoption>,
@ -666,13 +659,13 @@ NT server in the same way as a Windows 95 or Windows 98 server would.
</para>
<para>
Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link> chapter, for information on a system
to automatically assign UNIX UIDs and GIDs to Windows NT Domain users and groups.
Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>, for information on a system
to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups.
</para>
<para>
The advantage to Domain-level security is that the
authentication in Domain-level security is passed down the authenticated
The advantage of domain-level security is that the
authentication in domain-level security is passed down the authenticated
RPC channel in exactly the same way that an NT server would do it. This
means Samba servers now participate in domain trust relationships in
exactly the same way NT servers do (i.e., you can add Samba servers into
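Review bot: the comma after the link in "Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>, for information on a system" separates the verb from its complement; drop it so the sentence reads "Please refer to Winbind: Use of Domain Accounts for information on a system to automatically assign UNIX UIDs and GIDs ...".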
@ -686,13 +679,13 @@ daemon on a server has to keep a connection open to the
authenticating server for as long as that daemon lasts. This can drain
the connection resources on a Microsoft NT server and cause it to run
out of available connections. With <smbconfoption name="security">domain</smbconfoption>,
however, the Samba daemons connect to the PDC/BDC only for as long
however, the Samba daemons connect to the PDC or BDC only for as long
as is necessary to authenticate the user and then drop the connection,
thus conserving PDC connection resources.
</para>
<para>
And finally, acting in the same manner as an NT server
Finally, acting in the same manner as an NT server
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
as the user SID, the list of NT groups the user belongs to, and so on.
@ -701,7 +694,7 @@ as the user SID, the list of NT groups the user belongs to, and so on.
<note>
<para>
Much of the text of this document was first published in the Web magazine
<ulink url="http://www.linuxworld.com">LinuxWorld</ulink> as the article <ulink
<ulink url="http://www.linuxworld.com"><emphasis>LinuxWorld</emphasis></ulink> as the article <ulink
url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"/>
<emphasis>Doing the NIS/NT Samba</emphasis>.
</para>
@ -729,24 +722,25 @@ Windows 200x KDC. A familiarity with Kerberos is assumed.
You must use at least the following three options in &smb.conf;:
</para>
<para><smbconfblock>
<smbconfblock>
<smbconfoption name="realm">your.kerberos.REALM</smbconfoption>
<smbconfoption name="security">ADS</smbconfoption>
<smbconfcomment>The following parameter need only be specified if present.</smbconfcomment>
<smbconfcomment>The default setting is not present is Yes.</smbconfcomment>
<smbconfoption name="encrypt passwords">yes</smbconfoption>
</smbconfblock></para>
</smbconfblock>
<para>
In case samba cannot correctly identify the appropriate ADS server using the realm name, use the
<smbconfoption name="password server"/> option in &smb.conf;:
</para>
<smbconfblock>
<smbconfoption name="password server">your.kerberos.server</smbconfoption>
</smbconfblock>
</para>
<note><para>
You do <emphasis>not</emphasis> need a smbpasswd file, and older clients will be authenticated as
You do <emphasis>not</emphasis> need an smbpasswd file, and older clients will be authenticated as
if <smbconfoption name="security">domain</smbconfoption>, although it will not do any harm and
allows you to have local users not in the domain.
</para></note>
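Review bot: the unchanged comment "The default setting is not present is Yes." inside the first smbconfblock is garbled and will be copied verbatim by readers; suggest "If the parameter is not present, the default is Yes." While this block is being restructured, "In case samba cannot correctly identify" should read "Samba", and since the <para> wrapper around the first smbconfblock is dropped here, please verify the second block: the hunk shows a <para> opening before "In case samba" and a </para> both before and after the second smbconfblock, and only one of those closing tags can survive if the XML is to validate.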
@ -764,9 +758,9 @@ With both MIT and Heimdal Kerberos, it is unnecessary to configure the
</para>
<para>
Microsoft Active Directory servers automatically create SRV records in the DNS zone
Microsoft ADS automatically create SRV records in the DNS zone
<parameter>_kerberos.REALM.NAME</parameter> for each KDC in the realm. This is part
of the installation and configuration process used to create an Active Directory Domain.
of the installation and configuration process used to create an Active Directory domain.
</para>
<para>
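Review bot: subject and verb disagree in "Microsoft ADS automatically create SRV records"; with ADS as the singular subject it must be "creates". The original wording, "Microsoft Active Directory servers automatically create SRV records", was also clearer about what actually does the creating, so consider keeping it.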
@ -778,10 +772,7 @@ libraries to use whichever KDCs are available.
<para>
When manually configuring <filename>krb5.conf</filename>, the minimal configuration is:
</para>
<para>
<programlisting>
<screen>
[libdefaults]
default_realm = YOUR.KERBEROS.REALM
@ -792,10 +783,11 @@ When manually configuring <filename>krb5.conf</filename>, the minimal configurat
[domain_realms]
.kerberos.server = YOUR.KERBEROS.REALM
</programlisting></para>
</screen>
</para>
<para>
When using Heimdal versions before 0.6 use the following configuration settings:
When using Heimdal versions before 0.6, use the following configuration settings:
<screen>
[libdefaults]
default_realm = YOUR.KERBEROS.REALM
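Review bot: the krb5.conf section shown as "[domain_realms]" in this listing is misnamed; the section Kerberos reads is "[domain_realm]" (singular), so a copy of this example will not map the KDC host to the realm as written. Separately from the programlisting-to-screen change, the hunk now ends with "</screen>" followed by "</para>" while the "<para>" that preceded the old "<programlisting>" was removed in the previous hunk; please check the para balance around this listing so the chapter still validates.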
@ -820,16 +812,16 @@ making sure that your password is accepted by the Win2000 KDC.
</para>
<para>
With Heimdal versions earlier than 0.6.x you only can use newly created accounts
With Heimdal versions earlier than 0.6.x you can use only newly created accounts
in ADS or accounts that have had the password changed once after migration, or
in case of <constant>Administrator</constant> after installation. At the
moment, a Windows 2003 KDC can only be used with a Heimdal releases later than 0.6
(and no default etypes in krb5.conf). Unfortunately this whole area is still
moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6
(and no default etypes in krb5.conf). Unfortunately, this whole area is still
in a state of flux.
</para>
<note><para>
The realm must be in uppercase or you will get <quote><errorname>Cannot find KDC for
The realm must be in uppercase or you will get a <quote><errorname>Cannot find KDC for
requested realm while getting initial credentials</errorname></quote> error (Kerberos
is case-sensitive!).
</para></note>
@ -849,18 +841,18 @@ five minutes.
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the NetBIOS name of the KDC (i.e., the hostname with no
domain attached) or it can alternately be the NetBIOS name followed by the realm.
domain attached) or it can be the NetBIOS name followed by the realm.
</para>
<para>
The easiest way to ensure you get this right is to add a
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to
its NetBIOS name. If you do not get this correct then you will get a
its NetBIOS name. If you do not get this correct, then you will get a
<errorname>local error</errorname> when you try to join the realm.
</para>
<para>
If all you want is Kerberos support in &smbclient; then you can skip
If all you want is Kerberos support in &smbclient;, then you can skip
directly to <link linkend="ads-test-smbclient">Testing with &smbclient;</link> now.
<link linkend="ads-create-machine-account">Create the Computer Account</link> and
<link linkend="ads-test-server">Testing Server Setup</link>
@ -891,14 +883,12 @@ this to be done using the following syntax:
<para>
For example, you may want to create the machine account in a container called <quote>Servers</quote>
under the organizational directory <quote>Computers\BusinessUnit\Department</quote> like this:
under the organizational directory <quote>Computers\BusinessUnit\Department,</quote> like this:
<screen>
&rootprompt; <userinput>net ads join "Computers\BusinessUnit\Department\Servers"</userinput>
</screen>
</para>
<?latex \newpage ?>
<sect3>
<title>Possible Errors</title>
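Review bot: moving the comma inside the quote element, "<quote>Computers\BusinessUnit\Department,</quote>", makes the comma look like part of the container path; since the quoted text is a literal path the reader may type into the net ads join command below it, keep punctuation outside: "<quote>Computers\BusinessUnit\Department</quote>, like this:".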
@ -910,7 +900,7 @@ under the organizational directory <quote>Computers\BusinessUnit\Department</quo
</para></listitem></varlistentry>
<varlistentry><term><errorname>net ads join prompts for user name</errorname></term>
<listitem><para>You need to login to the domain using <userinput>kinit
<listitem><para>You need to log in to the domain using <userinput>kinit
<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>.
<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine
to the domain. </para></listitem></varlistentry>
@ -938,7 +928,7 @@ folder under Users and Computers.
<para>
On a Windows 2000 client, try <userinput>net use * \\server\share</userinput>. You should
be logged in with Kerberos without needing to know a password. If this fails then run
be logged in with Kerberos without needing to know a password. If this fails, then run
<userinput>klist tickets</userinput>. Did you get a ticket for the server? Does it have
an encryption type of DES-CBC-MD5?
</para>
@ -955,7 +945,7 @@ Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding.
<para>
<indexterm><primary>smbclient</primary></indexterm>
On your Samba server try to login to a Win2000 server or your Samba
On your Samba server try to log in to a Win2000 server or your Samba
server using &smbclient; and Kerberos. Use &smbclient; as usual, but
specify the <option>-k</option> option to choose Kerberos authentication.
</para>
@ -966,8 +956,8 @@ specify the <option>-k</option> option to choose Kerberos authentication.
<title>Notes</title>
<para>
You must change administrator password at least once after DC
install, to create the right encryption types.
You must change the administrator password at least once after installing a domain controller,
to create the right encryption types.
</para>
<para>
@ -987,7 +977,7 @@ These mappings are done by the <parameter>idmap</parameter> subsystem of Samba.
</para>
<para>
In some cases it is useful to share these mappings between Samba Domain Members,
In some cases it is useful to share these mappings between Samba domain members,
so <emphasis>name->id</emphasis> mapping is identical on all machines.
This may be needed in particular when sharing files over both CIFS and NFS.
</para>
@ -1014,12 +1004,12 @@ and to make certain to set the LDAP administrative password into the <filename>s
<title>Common Errors</title>
<para>
In the process of adding/deleting/re-adding Domain Member machine accounts, there are
In the process of adding/deleting/re-adding domain member machine accounts, there are
many traps for the unwary player and many <quote>little</quote> things that can go wrong.
It is particularly interesting how often subscribers on the Samba mailing list have concluded
after repeated failed attempts to add a machine account that it is necessary to <quote>re-install</quote>
after repeated failed attempts to add a machine account that it is necessary to <quote>reinstall</quote>
MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type
of problem. The real solution is often quite simple and with an understanding of how MS Windows
of problem. The real solution is often quite simple, and with an understanding of how MS Windows
networking functions, it is easy to overcome.
</para>
@ -1027,7 +1017,7 @@ networking functions, it is easy to overcome.
<title>Cannot Add Machine Back to Domain</title>
<para>
<quote>A Windows workstation was re-installed. The original domain machine
<quote>A Windows workstation was reinstalled. The original domain machine
account was deleted and added immediately. The workstation will not join the domain if I use
the same machine name. Attempts to add the machine fail with a message that the machine already
exists on the network &smbmdash; I know it does not. Why is this failing?</quote>
@ -1035,7 +1025,7 @@ exists on the network &smbmdash; I know it does not. Why is this failing?</quote
<para>
The original name is still in the NetBIOS name cache and must expire after machine account
deletion before adding that same name as a Domain Member again. The best advice is to delete
deletion before adding that same name as a domain member again. The best advice is to delete
the old account and then add the machine with a new name.
</para>
@ -1046,8 +1036,8 @@ the old account and then add the machine with a new name.
<para>
<quote>Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
message that, <errorname>`The machine could not be added at this time, there is a network problem.
Please try again later.'</errorname> Why?</quote>
message that says, <errorname>"The machine could not be added at this time, there is a network problem.
Please try again later."</errorname> Why?</quote>
</para>
<para>
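Review bot: the errorname text now carries literal double quotes inside a <quote> element ("message that says, <errorname>"The machine could not be added at this time ... Please try again later."</errorname>"); <quote> already renders quotation marks, so the output will show doubled quotes. Drop the literal quote characters, or wrap the error message in its own <quote> and let the stylesheet nest them.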
@ -1080,14 +1070,14 @@ Possible causes include:
<emphasis>Corrective action:</emphasis> Check that the machine name is a legal UNIX
system account name. If the UNIX utility <command>useradd</command> is called,
then make sure that the machine name you are trying to add can be added using this
tool. <command>Useradd</command> on some systems will not allow any upper case characters
tool. <command>Useradd</command> on some systems will not allow any uppercase characters
nor will it allow spaces in the name.
</para></listitem>
</itemizedlist>
<para>
The <smbconfoption name="add machine script"/> does not create the
machine account in the Samba backend database, it is there only to create a UNIX system
machine account in the Samba backend database; it is there only to create a UNIX system
account to which the Samba backend database account can be mapped.
</para>
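Review bot: "<command>Useradd</command>" capitalizes a command whose name is literally "useradd"; the content of <command> is rendered as the name the reader types, so it should not be altered for sentence position. Reword so the sentence does not begin with it, e.g. "On some systems <command>useradd</command> will not allow any uppercase characters, nor will it allow spaces in the name."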
@ -1096,7 +1086,7 @@ account to which the Samba backend database account can be mapped.
<sect2>
<title>I Can't Join a Windows 2003 PDC</title>
<para>Windows 2003 requires SMB signing. Client side SMB signing has been implemented in Samba-3.0.
<para>Windows 2003 requires SMB signing. Client-side SMB signing has been implemented in Samba-3.0.
Set <smbconfoption name="client use spnego">yes</smbconfoption> when communicating
with a Windows 2003 server.</para>
</sect2>
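Review bot: the paragraph states that Windows 2003 requires SMB signing, but the only parameter it tells the reader to set is "client use spnego = yes", which controls SPNEGO negotiation rather than signing. The smb.conf parameter that governs client-side signing in Samba-3.0 is "client signing"; either mention it here or explain why enabling SPNEGO is what resolves the failure to join a Windows 2003 PDC, otherwise the sentence about signing leaves the reader without a matching setting.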

View File

@ -10,7 +10,7 @@
<para>
When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably
difficult to do, without losing a lot of value that can be derived from presenting
difficult to do without losing a lot of value that can be derived from presenting
many extracts from working systems. That is what the rest of this document does.
It does so with extensive descriptions of the configuration possibilities within the
context of the chapter that covers it. We hope that this chapter is the medicine
@ -19,21 +19,21 @@ that has been requested.
<para>
The information in this chapter is very sparse compared with the book <quote>Samba-3 by Example</quote>
that was written after the original version of this book was nearly complete. Samba-3 by Example
that was written after the original version of this book was nearly complete. <quote>Samba-3 by Example</quote>
was the result of feedback from reviewers during the final copy editing of the first edition. It
was interesting to see that reader feedback mirrored that given be the original reviewers.
was interesting to see that reader feedback mirrored that given by the original reviewers.
In any case, a month and a half was spent in doing basic research to better understand what
new as well as experienced network administrators would best benefit from. The book Samba-3 by Example
new as well as experienced network administrators would best benefit from. The book <quote>Samba-3 by Example</quote>
is the result of that research. What is presented in the few pages of this book is covered
far more comprehensively in the second edition of Samba-3 by Example. The second edition
far more comprehensively in the second edition of <quote>Samba-3 by Example</quote>. The second edition
of both books will be released at the same time.
</para>
<para>
So in summary, the book <quote>The Official Samba-3 HOWTO &amp; Reference Guide</quote> is intended
as the equivalent of a auto mechanics' repair guide. The book <quote>Samba-3 by Example</quote> is the
equivalent of the drivers guide that explains how to drive the car. If you want complete network
configuration examples go to <quote>Samba-3 by Example</quote>.
as the equivalent of an auto mechanic's repair guide. The book <quote>Samba-3 by Example</quote> is the
equivalent of the driver's guide that explains how to drive the car. If you want complete network
configuration examples, go to <quote>Samba-3 by Example</quote>.
</para>
<sect1>
@ -50,7 +50,7 @@ features. These additional features are covered in the remainder of this documen
<para>
The examples used here have been obtained from a number of people who made
requests for example configurations. All identities have been obscured to protect
the guilty and any resemblance to unreal non-existent sites is deliberate.
the guilty, and any resemblance to unreal nonexistent sites is deliberate.
</para>
</sect1>
@ -80,16 +80,15 @@ mirror of the system described in <link linkend="StandAloneServer"></link>, <lin
<para>
The next example is of a secure office file and print server that will be accessible only
to users who have an account on the system. This server is meant to closely resemble a
Workgroup file and print server, but has to be more secure than an anonymous access machine.
workgroup file and print server, but has to be more secure than an anonymous access machine.
This type of system will typically suit the needs of a small office. The server provides no
network logon facilities, offers no Domain Control; instead it is just a network
attached storage (NAS) device and a print server.
network logon facilities, offers no domain control; instead it is just a network-attached storage (NAS) device and a print server.
</para>
<para>
Finally, we start looking at more complex systems that will either integrate into existing
Microsoft Windows networks, or replace them entirely. The examples provided cover domain
member servers as well as Samba Domain Control (PDC/BDC) and finally describes in detail
MS Windows networks or replace them entirely. The examples provided cover domain
member servers as well as Samba domain control (PDC/BDC) and finally describes in detail
a large distributed network with branch offices in remote locations.
</para>
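Review bot: "The examples provided cover domain member servers as well as Samba domain control (PDC/BDC) and finally describes in detail" mixes a plural and a singular verb for the same subject; it should read "and finally describe in detail a large distributed network ...".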
@ -106,17 +105,17 @@ clearly beyond the scope of this text.
<para>
It is also assumed that Samba has been correctly installed, either by way of installation
of the packages that are provided by the operating system vendor, or through other means.
of the packages that are provided by the operating system vendor or through other means.
</para>
<sect2>
<title>Stand-alone Server</title>
<title>Standalone Server</title>
<para>
<indexterm><primary>Server Type</primary><secondary>Stand-alone</secondary></indexterm>
A Stand-alone Server implies no more than the fact that it is not a Domain Controller
and it does not participate in Domain Control. It can be a simple workgroup-like
server, or it may be a complex server that is a member of a domain security context.
A standalone server implies no more than the fact that it is not a domain controller
and it does not participate in domain control. It can be a simple, workgroup-like
server, or it can be a complex server that is a member of a domain security context.
</para>
<sect3 id="anon-ro">
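Review bot: the section title is changed from "Stand-alone Server" to "Standalone Server", but the unchanged indexterm "<secondary>Stand-alone</secondary>" keeps the old spelling, so the generated index will list the two spellings as separate entries. Update the indexterm to match, and check the other chapters that index "Stand-alone" so the rename is applied consistently.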
@ -137,10 +136,13 @@ of the packages that are provided by the operating system vendor, or through oth
change.
</para>
<para>The configuration file is:</para>
<para>
The configuration file is presented in <link linkend="anon-example">Anonymous Read-Only Server
Configuration</link>.
</para>
<example id="anon-example">
<title>Anonymous Read-Only Server Configuration</title>
<title>Anonymous Read-Only Server Configuration</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
@ -171,9 +173,9 @@ of the packages that are provided by the operating system vendor, or through oth
</itemizedlist>
<procedure>
<title>Installation Procedure &smbmdash; Read-Only Server</title>
<title>Installation Procedure: Read-Only Server</title>
<step><para>
Add user to system (with creation of the users' home directory):
Add user to system (with creation of the user's home directory):
<screen>
&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
</screen>
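Review bot: the unchanged command "useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb" passes a cleartext password to -p, but useradd's -p expects an already-encrypted password string as produced by crypt(3). As written, the literal string m0r3pa1n is stored in the shadow file (so the account will not accept that password at login) and the password is also left in the shell history and visible in the process list while the command runs. Suggest creating the account without -p and setting the password afterwards with "passwd jackb". The same applies to the three useradd lines in the "Installing the Secure Office Server" hunk later in this file.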
@ -233,12 +235,12 @@ Press enter to see a dump of your service definitions
</para></step>
<step><para>
Configure your Microsoft Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
Configure your MS Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
then open Windows Explorer and visit the network neighborhood.
then open Windows Explorer and visit the Network Neighborhood.
The machine HOBBIT should be visible. When you click this machine
icon, it should open up to reveal the <emphasis>data</emphasis> share. After
clicking the share it, should open up to reveal the files previously
you click the share, it should open up to reveal the files previously
placed in the <filename>/export</filename> directory.
</para></step>
</procedure>
@ -259,7 +261,7 @@ Press enter to see a dump of your service definitions
The difference is that shared access is now forced to the user identity of jackb
and to the primary group jackb belongs to. One other refinement we can make is to
add the user <emphasis>jackb</emphasis> to the <filename>smbpasswd</filename> file.
To do this execute:
To do this, execute:
<screen>
&rootprompt;<userinput>smbpasswd -a jackb</userinput>
New SMB password: <userinput>m0r3pa1n</userinput>
@ -275,8 +277,9 @@ Added user jackb.
The complete, modified &smb.conf; file is as shown in <link linkend="anon-rw"/>.
</para>
<example id="anon-rw"><title>Modified Anonymous Read-Write smb.conf</title>
<smbconfblock>
<example id="anon-rw">
<title>Modified Anonymous Read-Write smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
@ -323,12 +326,13 @@ Added user jackb.
</para>
<para>
In this configuration it is undesirable to present the Add Printer Wizard and we do
not want to have automatic driver download, so we will disable it in the following
In this configuration, it is undesirable to present the Add Printer Wizard, and we do
not want to have automatic driver download, so we disable it in the following
configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file.
</para>
<example id="anon-print"><title>Anonymous Print Server smb.conf</title>
<example id="anon-print">
<title>Anonymous Print Server smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
@ -376,12 +380,12 @@ Added user jackb.
<listitem><para>
Directory permissions should be set for public read-write with the
sticky-bit set as shown:
sticky bit set as shown:
<screen>
&rootprompt;<userinput>chmod a+trw TX /var/spool/samba</userinput>
</screen>
The purpose of setting the sticky bit is to prevent who does not own the temporary print file
from being able to take control of it with the potential for devious mis-use.
from being able to take control of it with the potential for devious misuse.
</para></listitem>
</itemizedlist>
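Review bot: the unchanged command "chmod a+trw TX /var/spool/samba" is broken: chmod treats "TX" as a file name (and will report that no such file exists), and "a+trw" omits the execute bit a directory needs in order to be traversable. For a world-writable spool directory with the sticky bit set, "chmod 1777 /var/spool/samba" matches the stated intent. In the explanatory sentence below it, "to prevent who does not own the temporary print file" is missing a word: "to prevent anyone who does not own ...".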
@ -389,8 +393,8 @@ Added user jackb.
<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
On CUPS enabled systems there is a facility to pass raw data directly to the printer without
intermediate processing via CUPS print filters. Where use of this mode of operation is desired
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
files. Refer to <link linkend="cups-raw"></link>.
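Review bot: the file names in "enable the raw mime handler in the /etc/mime.conv and /etc/mime.types files" do not match what CUPS reads: the conversion file is mime.convs (with a trailing s), and on a standard CUPS installation both files live under /etc/cups/. Please correct the paths so readers are not sent to edit a file that does not exist.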
@ -419,19 +423,19 @@ Added user jackb.
</para>
<para>
Site users will be: Jack Baumbach, Mary Orville and Amed Sehkah. Each will have
Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
a password (not shown in further examples). Mary will be the printer administrator and will
own all files in the public share.
</para>
<para>
This configuration will be based on <emphasis>User Level Security</emphasis> that
This configuration will be based on <emphasis>user-level security</emphasis> that
is the default, and for which the default is to store Microsoft Windows-compatible
encrypted passwords in a file called <filename>/etc/samba/smbpasswd</filename>.
The default &smb.conf; entry that makes this happen is:
<smbconfoption name="passdb backend">smbpasswd, guest</smbconfoption>. Since this is the default
The default &smb.conf; entry that makes this happen is
<smbconfoption name="passdb backend">smbpasswd, guest</smbconfoption>. Since this is the default,
it is not necessary to enter it into the configuration file. Note that guest backend is
added to the list of active passdb backends not matter was it specified directly in Samba configuration
added to the list of active passdb backends no matter whether it specified directly in Samba configuration
file or not.
</para>
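Review bot: the rewritten last sentence still does not parse: "added to the list of active passdb backends no matter whether it specified directly in Samba configuration file or not" needs a verb and an article, i.e. "no matter whether it is specified directly in the Samba configuration file or not".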
@ -440,7 +444,7 @@ Added user jackb.
<title>Installing the Secure Office Server</title>
<step><para>
<indexterm><primary>office server</primary></indexterm>
Add all users to the Operating System:
Add all users to the operating system:
<screen>
&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
&rootprompt;<userinput>useradd -c "Mary Orville" -m -g users -p secret maryo</userinput>
@ -450,10 +454,11 @@ Added user jackb.
<step><para>
Configure the Samba &smb.conf; file as shown in <link linkend="OfficeServer"/>.
</para>
</para></step>
<example id="OfficeServer">
<title>Secure Office Server smb.conf</title>
<smbconfblock>
<title>Secure Office Server smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
@ -486,8 +491,8 @@ Added user jackb.
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example></step>
</smbconfblock>
</example>
<step><para>
Initialize the Microsoft Windows password database with the new users:
@ -530,7 +535,7 @@ Added user ameds.
<screen>
&rootprompt;<userinput> nmbd; smbd;</userinput>
</screen>
Both applications automatically will execute as daemons. Those who are paranoid about
Both applications automatically execute as daemons. Those who are paranoid about
maintaining control can add the <constant>-D</constant> flag to coerce them to start
up in daemon mode.
</para></step>
@ -592,8 +597,8 @@ smb: \> <userinput>q</userinput>
<para>
By now you should be getting the hang of configuration basics. Clearly, it is time to
explore slightly more complex examples. For the remainder of this chapter we will abbreviate
instructions since there are previous examples.
explore slightly more complex examples. For the remainder of this chapter we abbreviate
instructions, since there are previous examples.
</para>
</sect3>
@ -603,10 +608,9 @@ smb: \> <userinput>q</userinput>
<sect2>
<title>Domain Member Server</title>
<para>
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
In this instance we will consider the simplest server configuration we can get away with
In this instance we consider the simplest server configuration we can get away with
to make an accounting department happy. Let's be warned, the users are accountants and they
do have some nasty demands. There is a budget for only one server for this department.
</para>
@ -616,23 +620,23 @@ smb: \> <userinput>q</userinput>
Internal politics are typical of a medium-sized organization; Human Resources is of the
opinion that they run the ISG because they are always adding and disabling users. Also,
departmental managers have to fight tooth and nail to gain basic network resources access for
their staff. Accounting is different though, they get exactly what they want. So this should
their staff. Accounting is different, though, they get exactly what they want. So this should
set the scene.
</para>
<para>
We will use the users from the last example. The accounting department
has a general printer that all departmental users may. There is also a check printer
that may be used only by the person who has authority to print checks. The Chief Financial
Officer (CFO) wants that printer to be completely restricted and for it to be located in the
We use the users from the last example. The accounting department
has a general printer that all departmental users may use. There is also a check printer
that may be used only by the person who has authority to print checks. The chief financial
officer (CFO) wants that printer to be completely restricted and for it to be located in the
private storage area in her office. It therefore must be a network printer.
</para>
<para>
Accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
The accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
that must be run from a central application server. The software is licensed to run only off
one server, there are no workstation components, and it is run off a mapped share. The data
store is in a UNIX-based SQL backend. The UNIX gurus look after that, so is not our
store is in a UNIX-based SQL backend. The UNIX gurus look after that, so it is not our
problem.
</para>
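Review bot: the edit "Accounting is different, though, they get exactly what they want" trades one comma splice for another; two independent clauses need a semicolon or a full stop: "Accounting is different, though; they get exactly what they want."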
@ -640,7 +644,7 @@ smb: \> <userinput>q</userinput>
The accounting department manager (maryo) wants a general filing system as well as a separate
file storage area for form letters (nastygrams). The form letter area should be read-only to
all accounting staff except the manager. The general filing system has to have a structured
layout with a general area for all staff to store general documents, as well as a separate
layout with a general area for all staff to store general documents as well as a separate
file area for each member of her team that is private to that person, but she wants full
access to all areas. Users must have a private home share for personal work-related files
and for materials not related to departmental operations.
@ -651,7 +655,7 @@ smb: \> <userinput>q</userinput>
<para>
The server <emphasis>valinor</emphasis> will be a member server of the company domain.
Accounting will have only a local server. User accounts will be on the Domain Controllers
Accounting will have only a local server. User accounts will be on the domain controllers,
as will desktop profiles and all network policy files.
</para>
@ -662,13 +666,14 @@ smb: \> <userinput>q</userinput>
</para></step>
<step><para>
Configure &smb.conf; according to <link linkend="fast-member-server"/>
and <link linkend="fast-memberserver-shares"></link>.
</para>
Configure &smb.conf; according to <link linkend="fast-member-server">Member server smb.conf
(globals)</link> and <link linkend="fast-memberserver-shares">Member server smb.conf (shares
and services)</link>.
</para></step>
<example id="fast-member-server">
<title>Member server smb.conf (globals)</title>
<smbconfblock>
<example id="fast-member-server">
<title>Member server smb.conf (globals)</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
@ -681,11 +686,12 @@ smb: \> <userinput>q</userinput>
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="winbind use default domain">Yes</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock></example>
</smbconfblock>
</example>
<example id="fast-memberserver-shares">
<title>Member server smb.conf (shares and services)</title>
<smbconfblock>
<example id="fast-memberserver-shares">
<title>Member server smb.conf (shares and services)</title>
<smbconfblock>
<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
@ -713,12 +719,11 @@ smb: \> <userinput>q</userinput>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example></step>
</smbconfblock>
</example>
<step><para>
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
Join the domain. Note: Do not start Samba until this step has been completed!
<screen>
&rootprompt;<userinput>net rpc join -Uroot%'bigsecret'</userinput>
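Review bot: the join command shown in this hunk's context, `net rpc join -Uroot%'bigsecret'`, passes the domain administrator's password on the command line, where it is visible to every local user through the process list and is written to the shell history. Since these lines are being re-edited anyway, consider showing `net rpc join -U root` and letting net prompt for the password, with a sentence explaining why. The tag change itself (`</example></step>` becoming `</example>`) is just the closing half of the step move made earlier in this file and is fine on its own.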
@ -733,7 +738,7 @@ Joined domain MIDEARTH.
<step><para>
Start Samba following the normal method for your operating system platform.
If you wish to this manually execute as root:
If you wish to do this manually, execute as root:
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>winbindd</primary></indexterm>
@ -746,7 +751,7 @@ Joined domain MIDEARTH.
</para></step>
<step><para>
Configure the name service switch control file on your system to resolve user and group names
Configure the name service switch (NSS) control file on your system to resolve user and group names
via winbind. Edit the following lines in <filename>/etc/nsswitch.conf</filename>:
<programlisting>
passwd: files winbind
@ -825,25 +830,25 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<para>
<indexterm><primary>Server Type</primary><secondary>Domain Controller</secondary></indexterm>
For the remainder of this chapter the focus is on the configuration of Domain Control.
For the remainder of this chapter the focus is on the configuration of domain control.
The examples that follow are for two implementation strategies. Remember, our objective is
to create a simple but working solution. The remainder of this book should help to highlight
opportunity for greater functionality and the complexity that goes with it.
</para>
<para>
A Domain Controller configuration can be achieved with a simple configuration using the new
A domain controller configuration can be achieved with a simple configuration using the new
tdbsam password backend. This type of configuration is good for small
offices, but has limited scalability (cannot be replicated) and performance can be expected
offices, but has limited scalability (cannot be replicated), and performance can be expected
to fall as the size and complexity of the domain increases.
</para>
<para>
The use of tdbsam is best limited to sites that do not need
more than a primary Domain Controller (PDC). As the size of a domain grows the need
for additional Domain Controllers becomes apparent. Do not attempt to under-resource
a Microsoft Windows network environment; Domain Controllers provide essential
authentication services. The following are symptoms of an under-resourced Domain Control
more than a Primary Domain Controller (PDC). As the size of a domain grows the need
for additional domain controllers becomes apparent. Do not attempt to under-resource
a Microsoft Windows network environment; domain controllers provide essential
authentication services. The following are symptoms of an under-resourced domain control
environment:
</para>
@ -853,27 +858,27 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
</para></listitem>
<listitem><para>
File access on a Domain Member server intermittently fails, giving a permission denied
File access on a domain member server intermittently fails, giving a permission denied
error message.
</para></listitem>
</itemizedlist>
<para>
A more scalable Domain Control authentication backend option might use
Microsoft Active Directory, or an LDAP-based backend. Samba-3 provides
for both options as a Domain Member server. As a PDC Samba-3 is not able to provide
A more scalable domain control authentication backend option might use
Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
for both options as a domain member server. As a PDC, Samba-3 is not able to provide
an exact alternative to the functionality that is available with Active Directory.
Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
</para>
<para>
The tdbsam authentication backend provides no facility to replicate
the contents of the database, except by external means. (i.e., there is no self-contained protocol
in Samba-3 for Security Account Manager database [SAM] replication.)
the contents of the database, except by external means (i.e., there is no self-contained protocol
in Samba-3 for Security Account Manager database [SAM] replication).
</para>
<note><para>
If you need more than one Domain Controller, do not use a tdbsam authentication backend.
If you need more than one domain controller, do not use a tdbsam authentication backend.
</para></note>
<sect3>
@ -889,15 +894,15 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<procedure>
<step><para>
A working PDC configuration using the tdbsam
password backend can be found in <link linkend="fast-engoffice-global"></link> together with
<link linkend="fast-engoffice-shares"></link>:
</para>
<para>
<indexterm><primary>pdbedit</primary></indexterm>
<example id="fast-engoffice-global">
<title>Engineering Office smb.conf (globals)</title>
<smbconfblock>
password backend can be found in <link linkend="fast-engoffice-global">Engineering Office smb.conf
(globals)</link> together with <link linkend="fast-engoffice-shares">Engineering Office smb.conf
(shares and services)</link>:
<indexterm><primary>pdbedit</primary></indexterm>
</para></step>
<example id="fast-engoffice-global">
<title>Engineering Office smb.conf (globals)</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">FRODO</smbconfoption>
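Review bot: the same step/example re-nesting as in the member-server hunk above: `</para></step>` now closes the step before `<example id="fast-engoffice-global">`, so both engineering-office examples end up between `<step>` elements rather than inside one; check this against the DTD the build validates with. The `<indexterm><primary>pdbedit</primary></indexterm>` entry is also moved into a step whose text never mentions pdbedit, so the index will point readers at a paragraph that does not discuss the tool; it belongs next to the step that actually runs pdbedit.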
@ -924,13 +929,12 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock>
</example>
</para>
</smbconfblock>
</example>
<example id="fast-engoffice-shares">
<title>Engineering Office smb.conf (shares and services)</title>
<smbconfblock>
<example id="fast-engoffice-shares">
<title>Engineering Office smb.conf (shares and services)</title>
<smbconfblock>
<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
@ -970,8 +974,8 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<smbconfoption name="profile acls">Yes</smbconfoption>
<smbconfcomment>Other resource (share/printer) definitions would follow below.</smbconfcomment>
</smbconfblock>
</example></step>
</smbconfblock>
</example>
<step><para>
Create UNIX group accounts as needed using a suitable operating system tool:
@ -993,13 +997,11 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<step><para>
<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
<indexterm><primary>initGroups.sh</primary></indexterm>
Assign each of the UNIX groups to NT groups:
(It may be useful to copy this text to a shell script called
<filename>initGroups.sh</filename>.)
<title>Shell script for initializing group mappings</title>
<programlisting>
<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
<indexterm><primary>initGroups.sh</primary></indexterm>
Assign each of the UNIX groups to NT groups by executing this shell script
(You could name the script <filename>initGroups.sh</filename>):
<screen>
#!/bin/bash
#### Keep this as a shell script for future re-use
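Review bot: `<programlisting>` was the right element for this block and should not be changed to `<screen>`: `<screen>` denotes captured terminal interaction, while the content here is a file the reader is told to save (`#!/bin/bash`, `#### Keep this as a shell script for future re-use`) and run. Dropping the `<title>` is correct, since a title is not allowed inside `<para>`, but if the heading "Shell script for initializing group mappings" is wanted it can be kept by wrapping the listing in an `<example>` placed outside the paragraph, as was done for the smb.conf listings. Minor: the capital in `(You could name the script ...)` mid-sentence should be lowercase.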
@ -1012,7 +1014,7 @@ net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
</programlisting>
</screen>
</para></step>
<step><para>
@ -1027,7 +1029,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
</procedure>
<para>
The above configuration provides a functional Primary Domain Control (PDC)
The above configuration provides a functional PDC
system to which must be added file shares and printers as required.
</para>
@ -1038,7 +1040,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
<para>
In this section we finally get to review in brief a Samba-3 configuration that
uses a Light Weight Directory Access (LDAP)-based authentication backend. The
uses a Lightweight Directory Access (LDAP)-based authentication backend. The
main reasons for this choice are to provide the ability to host primary
and Backup Domain Control (BDC), as well as to enable a higher degree of
scalability to meet the needs of a very distributed environment.
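Review bot: the expansion on the new line, `Lightweight Directory Access (LDAP)-based`, is still incomplete: the acronym stands for Lightweight Directory Access Protocol, so either write `Lightweight Directory Access Protocol (LDAP)-based` or simply `LDAP-based`, since the acronym is already in use earlier in the chapter. The unchanged context line `and Backup Domain Control (BDC)` has the mirror-image problem: BDC abbreviates Backup Domain Controller, so "primary and backup domain controllers (PDC/BDC)" would match both the acronym and the lowercase style this patch adopts.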
@ -1054,7 +1056,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
</para>
<para>
The Idealx scripts (or equivalent) are needed to manage LDAP based Posix and/or
The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
SambaSamAccounts. The Idealx scripts may be downloaded from the <ulink url="http://www.idealx.org">
Idealx</ulink> Web site. They may also be obtained from the Samba tarball. Linux
distributions tend to install the Idealx scripts in the
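Review bot: `SambaSamAccounts` on the new line does not match the object class name as defined in samba.schema, which is `sambaSamAccount` (lowercase initial s); readers grep for that exact string, so prefer `sambaSamAccount entries` over an invented plural. The hyphenation fix (`LDAP-based`) and `POSIX` are fine.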
@ -1070,10 +1072,10 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
<step><para>
Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
The <filename>/etc/openldap/slapd.conf</filename> file:
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
The <filename>/etc/openldap/slapd.conf</filename> file.
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
<title>Example slapd.conf file</title>
<programlisting>
<screen>
# Note commented out lines have been removed
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
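Review bot: changing the colon to a full stop leaves `The /etc/openldap/slapd.conf file.` as a sentence fragment that no longer introduces the listing that follows it; keep the colon. As with the group-mapping script in this file, `<screen>` is for terminal sessions, and a configuration file listing belongs in `<programlisting>`; if the removed `<title>Example slapd.conf file</title>` is wanted, wrap the listing in an `<example>` outside the `<para>` rather than deleting the heading.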
@ -1104,7 +1106,7 @@ index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
</programlisting>
</screen>
</para></step>
<step><para>
@ -1160,8 +1162,9 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
</para></step>
<step><para>
The &smb.conf; file that drives this backend can be found in example <link linkend="fast-ldap"/>.
</para>
The &smb.conf; file that drives this backend can be found in example <link
linkend="fast-ldap">LDAP backend smb.conf for PDC</link>.
</para></step>
<example id="fast-ldap">
<title>LDAP backend smb.conf for PDC</title>
@ -1201,7 +1204,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock>
</example></step>
</example>
<step><para>
Add the LDAP password to the <filename>secrets.tdb</filename> file so Samba can update
@ -1213,7 +1216,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<step><para>
Add users and groups as required. Users and groups added using Samba tools
will automatically be added to both the LDAP backend as well as to the operating
will automatically be added to both the LDAP backend and the operating
system as required.
</para></step>
@ -1231,9 +1234,11 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<procedure>
<step><para>
Decide if the BDC should have its own LDAP server or not. If the BDC is to be
the LDAP server change the following &smb.conf; as indicated. The default
configuration in <link linkend="fast-bdc"/> uses a central LDAP server.
</para>
the LDAP server, change the following &smb.conf; as indicated. The default
configuration in <link linkend="fast-bdc">Remote LDAP BDC smb.conf</link>
uses a central LDAP server.
</para></step>
<example id="fast-bdc">
<title>Remote LDAP BDC smb.conf</title>
<smbconfblock>
@ -1264,7 +1269,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock>
</example></step>
</example>
<step><para>
Configure the NETLOGON and PROFILES directory as for the PDC in <link linkend="fast-bdc"/>.
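Review bot: the unchanged context line `Configure the NETLOGON and PROFILES directory as for the PDC in <link linkend="fast-bdc"/>` points at the BDC example (`fast-bdc`, titled "Remote LDAP BDC smb.conf") while describing the PDC; the PDC configuration in this chapter is the `fast-ldap` example, so the linkend should probably be `fast-ldap`. It is also the one empty `<link/>` left in this file after this patch gave every other link explicit text; give it text too, or make it an `<xref>`.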


@ -8,7 +8,7 @@
</author>
&author.jerry;
</chapterinfo>
<title>Group Mapping &smbmdash; MS Windows and UNIX</title>
<title>Group Mapping: MS Windows and UNIX</title>
<para>
@ -19,8 +19,8 @@
</para>
<para>
The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide
which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map
The new facility for mapping NT groups to UNIX system groups allows the administrator to decide
which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map
to a UNIX group that has a value other than the default (<constant>-1</constant>) will be exposed
in group selection lists in tools that access domain users and groups.
</para>
@ -30,7 +30,7 @@
<indexterm><primary>domain admin group</primary></indexterm>
The <parameter>domain admin group</parameter> parameter has been removed in Samba-3 and should no longer
be specified in &smb.conf;. In Samba-2.2.x, this parameter was used to give the listed users membership in the
<constant>Domain Admins</constant> Windows group which gave local admin rights on their workstations
<constant>Domain Admins</constant> Windows group, which gave local admin rights on their workstations
(in default configurations).
</para>
</warning>
@ -44,39 +44,39 @@
</para>
<para>
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>GID</primary></indexterm>
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>GID</primary></indexterm>
<indexterm><primary>idmap uid</primary></indexterm>
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
Appropriate interface scripts should be provided in &smb.conf; if it is desired that UNIX/Linux system
accounts should be automatically created when these tools are used. In the absence of these scripts, and
so long as <command>winbindd</command> is running, Samba group accounts that are created using these
tools will be allocated UNIX UIDs/GIDs from the ID range specified by the
tools will be allocated UNIX UIDs and GIDs from the ID range specified by the
<smbconfoption name="idmap uid"/>/<smbconfoption name="idmap gid"/>
parameters in the &smb.conf; file.
</para>
<figure id="idmap-sid2gid">
<title>IDMAP: group SID to GID resolution.</title>
<title>IDMAP: Group SID-to-GID Resolution.</title>
<imagefile scale="50">idmap-sid2gid</imagefile>
</figure>
<figure id="idmap-gid2sid">
<title>IDMAP: GID resolution to matching SID.</title>
<title>IDMAP: GID Resolution to Matching SID.</title>
<imagefile scale="50">idmap-gid2sid</imagefile>
</figure>
<para>
<indexterm><primary>IDMAP</primary></indexterm>
In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
<link linkend="idmap-sid2gid">IDMAP: group SID to GID resolution</link> and
<link linkend="idmap-gid2sid">IDMAP: GID resolution to matching SID</link>.
The <command>net groupmap</command> is
used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">IDMAP: storing group mappings</link>.
<link linkend="idmap-sid2gid">IDMAP: Group SID-to-GID Resolution</link> and <link
linkend="idmap-gid2sid">IDMAP: GID Resolution to Matching SID</link>. The <command>net groupmap</command> is
used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">IDMAP: storing
group mappings</link>.
</para>
<figure id="idmap-store-gid2sid">
<title>IDMAP storing group mappings.</title>
<title>IDMAP Storing Group Mappings.</title>
<imagefile scale="50">idmap-store-gid2sid</imagefile>
</figure>
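Review bot: the figure title is changed to `IDMAP Storing Group Mappings.` (colon dropped, title case) but the link text in the same hunk still reads `IDMAP: storing group mappings`, so the two now disagree, while the other two links were updated to match their figure titles. Either restore the colon in the title for consistency with `IDMAP: Group SID-to-GID Resolution.` and fix the link text, or use `<xref linkend="idmap-store-gid2sid"/>` for all three references so the text is generated from the `<title>` and cannot drift. Minor: `The <command>net groupmap</command> is used` still lacks a noun; "The net groupmap command is used" or "net groupmap is used".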
@ -86,8 +86,8 @@
Administrators should be aware that where &smb.conf; group interface scripts make
direct calls to the UNIX/Linux system tools (the shadow utilities, <command>groupadd</command>,
<command>groupdel</command>, and <command>groupmod</command>), the resulting UNIX/Linux group names will be subject
to any limits imposed by these tools. If the tool does not allow upper case characters
or space characters, then the creation of an MS Windows NT4/200x style group of
to any limits imposed by these tools. If the tool does not allow uppercase characters
or space characters, then the creation of an MS Windows NT4/200x-style group of
<literal>Engineering Managers</literal> will attempt to create an identically named
UNIX/Linux group, an attempt that will of course fail.
</para>
@ -95,15 +95,15 @@
<para>
<indexterm><primary>GID</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
There are several possible work-arounds for the operating system tools limitation. One
There are several possible workarounds for the operating system tools limitation. One
method is to use a script that generates a name for the UNIX/Linux system group that
fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID)
back to the calling Samba interface. This will provide a dynamic work-around solution.
fits the operating system limits and that then just passes the UNIX/Linux group ID (GID)
back to the calling Samba interface. This will provide a dynamic workaround solution.
</para>
<para>
Another work-around is to manually create a UNIX/Linux group, then manually create the
MS Windows NT4/200x group on the Samba server and then use the <command>net groupmap</command>
Another workaround is to manually create a UNIX/Linux group, then manually create the
MS Windows NT4/200x group on the Samba server, and then use the <command>net groupmap</command>
tool to connect the two to each other.
</para>
@ -113,9 +113,9 @@
<title>Discussion</title>
<para>
When installing <application>MS Windows NT4/200x</application> on a computer, the installation
When you install <application>MS Windows NT4/200x</application> on a computer, the installation
program creates default users and groups, notably the <constant>Administrators</constant> group,
and gives that group privileges necessary privileges to perform essential system tasks,
and gives that group privileges necessary to perform essential system tasks,
such as the ability to change the date and time or to kill (or close) any process running on the
local machine.
</para>
@ -124,29 +124,29 @@
<indexterm><primary>Administrator</primary></indexterm>
The <constant>Administrator</constant> user is a member of the <constant>Administrators</constant> group, and thus inherits
<constant>Administrators</constant> group privileges. If a <constant>joe</constant> user is created to be a member of the
<constant>Administrators</constant> group, <constant>joe</constant> has exactly the same rights as the user,
<constant>Administrators</constant> group, <constant>joe</constant> has exactly the same rights as the user
<constant>Administrator</constant>.
</para>
<para>
When an MS Windows NT4/200x/XP machine is made a Domain Member, the <quote>Domain Admins</quote> group of the
When an MS Windows NT4/200x/XP machine is made a domain member, the <quote>Domain Admins</quote> group of the
PDC is added to the local <constant>Administrators</constant> group of the workstation. Every member of the
<constant>Domain Administrators</constant> group inherits the rights of the local <constant>Administrators</constant> group when
logging on the workstation.
</para>
<para>
The following steps describe how to make Samba PDC users members of the <constant>Domain Admins</constant> group?
The following steps describe how to make Samba PDC users members of the <constant>Domain Admins</constant> group.
</para>
<orderedlist>
<listitem><para>
Create a UNIX group (usually in <filename>/etc/group</filename>), let's call it <constant>domadm</constant>.
Create a UNIX group (usually in <filename>/etc/group</filename>); let's call it <constant>domadm</constant>.
</para></listitem>
<listitem><para>
Add to this group the users that must be <quote>Administrators</quote>. For example,
if you want <constant>joe, john</constant> and <constant>mary</constant> to be administrators,
if you want <constant>joe, john</constant>, and <constant>mary</constant> to be administrators,
your entry in <filename>/etc/group</filename> will look like this:
</para>
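Review bot: the unchanged line `<constant>Domain Administrators</constant> group inherits the rights of the local <constant>Administrators</constant> group` names a group that does not exist; the line directly above correctly says `Domain Admins`, which is the well-known domain group actually added to the workstation's local Administrators group, so this line should read `Domain Admins` as well.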
@ -168,18 +168,18 @@
<para>
<indexterm><primary>Domain Admins group</primary></indexterm>
The quotes around <quote>Domain Admins</quote> are necessary due to the space in the group name.
Also make sure to leave no white-space surrounding the equal character (=).
Also make sure to leave no white space surrounding the equal character (=).
</para></listitem>
</orderedlist>
<para>
Now <constant>joe, john</constant> and <constant>mary</constant> are domain administrators.
Now <constant>joe, john</constant>, and <constant>mary</constant> are domain administrators.
</para>
<para>
<indexterm><primary>groups</primary><secondary>domain</secondary></indexterm>
It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as
making any UNIX group a Windows domain group. For example, if you wanted to include a
to make any UNIX group a Windows domain group. For example, if you wanted to include a
UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine,
you would flag that group as a domain group by running the following on the Samba PDC:
</para>
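Review bot: `Domain Member machine` on the unchanged context line keeps the capitalization this patch removes everywhere else (`domain member`), so it should be lowercased here too while the paragraph is being touched. The hyphen fix (`white space`) and the serial comma are consistent with the rest of the patch.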
@ -191,7 +191,7 @@
</para>
<para>
Be aware that the RID parameter is a unsigned 32-bit integer that should
Be aware that the RID parameter is an unsigned 32-bit integer that should
normally start at 1000. However, this RID must not overlap with any RID assigned
to a user. Verification for this is done differently depending on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
@ -199,18 +199,18 @@
</para>
<sect2>
<title>Warning &smbmdash; User Private Group Problems</title>
<title>Warning: User Private Group Problems</title>
<para>
Windows does not permit user and group accounts to have the same name.
This has serious implications for all sites that use private group accounts.
A private group account is an administrative practice whereby users are each
given their own group account. Red Hat Linux, as well as several free distributions
of Linux by default create private groups.
of Linux, by default create private groups.
</para>
<para>
When mapping a UNIX/Linux group to a Windows group account all conflict can
When mapping a UNIX/Linux group to a Windows group account, all conflict can
be avoided by assuring that the Windows domain group name does not overlap
with any user account name.
</para>
@ -228,16 +228,16 @@
</para>
<para>
All Microsoft Windows products since the release of Windows NT 3.10 support the use of nested groups.
Many Windows network administrators depend on this capability becasue it greatly simplifies security
All MS Windows products since the release of Windows NT 3.10 support the use of nested groups.
Many Windows network administrators depend on this capability because it greatly simplifies security
administration.
</para>
<para>
The nested group architecture was designed with the premise that day-to-day user and group membership
management should be performed on the domain security database. The application of group security
should be implemented on domain member servers using only local groups. On the domain member server
all file system security controls are then limited to use of the local groups which will contain
should be implemented on domain member servers using only local groups. On the domain member server,
all file system security controls are then limited to use of the local groups, which will contain
domain global groups and domain global users.
</para>
@ -245,13 +245,13 @@
You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed
the dark depths of Windows networking architecture. Consider for a moment a server on which are stored
200,000 files, each with individual domain user and domain group settings. The company that owns the
file server is bought by another company resulting in the server being moved to another location and then
file server is bought by another company, resulting in the server being moved to another location, and then
it is made a member of a different domain. Who would you think now owns all the files and directories?
Answer: Account Unknown.
</para>
<para>
Unravelling the file ownership mess is an unenviable administrative task that can be avoided simply
Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply
by using local groups to control all file and directory access control. In this case, only the members
of the local groups will have been lost. The files and directories in the storage subsystem will still
be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler
@ -262,35 +262,35 @@
<para>
Another prominent example of the use of nested groups involves implementation of administrative privileges
on domain member workstations and servers. Administrative privileges are given to all members of the
builtin
built-in
local group <constant>Administrators</constant> on each domain member machine. To ensure that all domain
administrators have full rights on the member server or workstation, on joining the domain the
administrators have full rights on the member server or workstation, on joining the domain, the
<constant>Domain Admins</constant> group is added to the local Administrators group. Thus everyone who is
logged into the domain as a member of the Domain Admins group is also granted local adminitrative
logged into the domain as a member of the Domain Admins group is also granted local administrative
privileges on each domain member.
</para>
<para>
UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported
them either. The problem is that you would have to enter unix groups as auxiliary members of a group in
them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in
<filename>/etc/group</filename>. This does not work because it was not a design requirement at the time
the UNIX file system security model was implemented. Since Samba-2.2 the winbind daemon can provide
<filename>/etc/group</filename> entries on demand by obtaining user and group information from the Domain
Controller that the Samba server is a member of.
the UNIX file system security model was implemented. Since Samba-2.2, the winbind daemon can provide
<filename>/etc/group</filename> entries on demand by obtaining user and group information from the domain
controller that the Samba server is a member of.
</para>
<para>
In effect, Samba supplements the <filename>/etc/group</filename> data via the dynamic
<command>libnss_winbind</command> mechanism. Beginning with Samba-3.0.3 this facility is used to provide
<command>libnss_winbind</command> mechanism. Beginning with Samba-3.0.3, this facility is used to provide
local groups in the same manner as Windows does it. It works by expanding the local groups on the
fly as they are accessed. For example, the <constant>Domain Users</constant> group of the domain is made
a member of the local group <constant>demo</constant>. Whenever Samba needs to resolve membership of the
<constant>demo</constant> local (alias) group winbind asks the DC for demo members of the Domain Users
group. By definition it can only contain user objects which can then be faked to be member of the
<constant>demo</constant> local (alias) group, winbind asks the domain controller for demo members of the Domain Users
group. By definition, it can only contain user objects, which can then be faked to be member of the
UNIX/Linux group <constant>demo</constant>.
</para>
<para>
To enable the use of nested groups, <command>winbindd</command> must be used together with NSS winbind.
To enable the use of nested groups, <command>winbindd</command> must be used with NSS winbind.
Creation and administration of the local groups is done best via the Windows Domain User Manager or its
Samba equivalent, the utility <command>net rpc group</command>. Creating the local group
<constant>demo</constant> is achieved by executing:
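Review bot: `faked to be member of the UNIX/Linux group` on the new line should be `members of` (the subject is the plural "user objects"). The phrase on the same line, `winbind asks the domain controller for demo members of the Domain Users group`, also reads as an editing slip: given the mechanism described (local group `demo` contains `Domain Users`, so resolving `demo` means fetching that domain group's members), it should presumably be "asks the domain controller for the members of the Domain Users group". Please confirm with the original author before changing the wording.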
@ -298,16 +298,16 @@
&rootprompt; net rpc group add demo -L -Uroot%not24get
</screen>
Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U
switches for accessing the correct host with appropriate user or root priviliges. Adding and removing
switches for accessing the correct host with appropriate user or root privileges. Adding and removing
group
members can be done via the <constant>addmem</constant> and <constant>delmem</constant> subcommands of
<command>net rpc group</command> command. For example addition of <quote>DOM\Domain Users</quote> to the
<command>net rpc group</command> command. For example, addition of <quote>DOM\Domain Users</quote> to the
local
group <constant>demo</constant> would be done by executing:
group <constant>demo</constant> is done by executing:
<screen>
net rpc group addmem demo "DOM\Domain Users"
</screen>
Having completed these two steps the execution of <command>getent group demo</command> will show demo
Having completed these two steps, the execution of <command>getent group demo</command> will show demo
members of the global <constant>Domain Users</constant> group as members of the group
<constant>demo</constant>. This also works with any local or domain user. In case the domain DOM trusts
another domain, it is also possible to add global users and groups of the trusted domain as members of
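Review bot: the two commands in this procedure are presented inconsistently: `&rootprompt; net rpc group add demo -L -Uroot%not24get` shows a root prompt and credentials, while `net rpc group addmem demo "DOM\Domain Users"` shows neither, even though the surrounding text says `-S` and `-U` may be needed for both. The first also embeds the password in `-Uroot%not24get`, which exposes it through the process list and shell history; showing `-U root` and letting net prompt would be the safer example to publish, and then the second command can simply repeat the same switches.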
@ -324,26 +324,26 @@
</para>
<orderedlist>
<listitem><para>For Samba-3 Domain Controllers and
Domain Member Servers/Clients.</para></listitem>
<listitem><para>To manage Domain Member Windows workstations.</para></listitem>
<listitem><para>For Samba-3 domain controllers and
domain member servers/clients.</para></listitem>
<listitem><para>To manage domain member Windows workstations.</para></listitem>
</orderedlist>
<para>
Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges
that are necessary for system administration tasks from a Windows Domain Member Client machine so that
domain administration tasks such as adding/deleting/changing user and group account information, and
that are necessary for system administration tasks from a Windows domain Member client machine, so
domain administration tasks such as adding, deleting, and changing user and group account information, and
managing workstation domain membership accounts, can be handled by any account other than root.
</para>
<para>
Samba-3.0.11 introduced a new privilege management interface (see <link linkend="rights">Chapter on Rights and Privileges</link>)
that permits these tasks to be delegated to non-root (i.e.: accounts other than the equivalent of the
MS Windows Administrator) account.
Samba-3.0.11 introduced a new privilege management interface (see <link linkend="rights">User Rights and Privileges</link>)
that permits these tasks to be delegated to non-root (i.e., accounts other than the equivalent of the
MS Windows Administrator) accounts.
</para>
<para>
Administrative tasks on a Windows Domain Member workstation, can be done by anyone who is a member of the
Administrative tasks on a Windows domain member workstation can be done by anyone who is a member of the
<constant>Domain Admins</constant> group. This group can be mapped to any convenient UNIX group.
</para>
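Review bot: the change from "so that" to ", so" in the 3.0.10 paragraph inverts the sentence's meaning. The original says earlier versions provide no means of assigning rights "so that domain administration tasks ... can be handled by any account other than root", i.e., the missing facility is what would allow non-root administration; the new wording reads "do not provide a means ..., so domain administration tasks ... can be handled by any account other than root", which states the opposite. Keep "so that", or reword as "do not provide a means of assigning the rights and privileges that would allow domain administration tasks ... to be handled by any account other than root". Also "Windows domain Member client" leaves "Member" capitalized while "domain" and "client" are lowercased; the rest of this edit uses "domain member" throughout.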
@ -351,25 +351,25 @@
<title>Applicable Only to Versions Earlier than 3.0.11</title>
<para>
Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires <constant>root</constant>
level privilege. The addition of a Windows client to a Samba Domain involves the addition of a user account
for the Windows client.
Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires
<constant>root</constant>-level privilege. The addition of a Windows client to a Samba domain involves the
addition of a user account for the Windows client.
</para>
<para>
Many UNIX administrators continue to request the Samba Team make it possible to add Windows workstations, or
to ability to add/delete or modify user accounts, without requiring <constant>root</constant> privileges.
Many UNIX administrators continue to request that the Samba Team make it possible to add Windows workstations, or
the ability to add, delete, or modify user accounts, without requiring <constant>root</constant> privileges.
Such a request violates every understanding of basic UNIX system security.
</para>
<para>
There is no safe way to provide access on a UNIX/Linux system without providing <constant>root</constant>
level privilege. Provision of <constant>root</constant> privileges can be done either by logging onto
the Domain as the user <constant>root</constant>, or by permitting particular users to use a UNIX account
that has a UID=0 in the <filename>/etc/passwd</filename> database. Users of such accounts can use tools
like the NT4 Domain User Manager, and the NT4 Domain Server Manager to manage user and group accounts as
well as Domain Member server and client accounts. This level of privilege is also needed to manage share
level ACLs.
There is no safe way to provide access on a UNIX/Linux system without providing
<constant>root</constant>-level privilege. Provision of <constant>root</constant> privileges can be done
either by logging onto the Domain as the user <constant>root</constant> or by permitting particular users to
use a UNIX account that has a UID=0 in the <filename>/etc/passwd</filename> database. Users of such accounts
can use tools like the NT4 Domain User Manager and the NT4 Domain Server Manager to manage user and group
accounts as well as domain member server and client accounts. This level of privilege is also needed to manage
share-level ACLs.
</para>
</sect3>
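Review bot: subject-verb agreement is still wrong in the rewritten first sentence: "Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires root-level privilege" should read "require". In the last paragraph, "logging onto the Domain as the user root" keeps "Domain" capitalized although every other occurrence in this hunk was lowercased.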
@ -377,38 +377,38 @@
</sect2>
<sect2>
<title>Default Users, Groups and Relative Identifiers</title>
<title>Default Users, Groups, and Relative Identifiers</title>
<para>
<indexterm><primary>Relative Identifier</primary><see>RID</see></indexterm>
<indexterm><primary>RID</primary></indexterm>
When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and
Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued
integrity of operation. Samba must be provisioned with certain essential Domain Groups that require
the appropriate RID value. When Samba-3 is configured to use <constant>tdbsam</constant> the essential
Domain Groups are automatically created. It is the LDAP administrators' responsibility to create
(provision) the default NT Groups.
<indexterm><primary>Relative Identifier</primary><see>RID</see></indexterm>
<indexterm><primary>RID</primary></indexterm>
When first installed, Windows NT4/200x/XP are preconfigured with certain user, group, and
alias entities. Each has a well-known RID. These must be preserved for continued
integrity of operation. Samba must be provisioned with certain essential domain groups that require
the appropriate RID value. When Samba-3 is configured to use <constant>tdbsam</constant>, the essential
domain groups are automatically created. It is the LDAP administrator's responsibility to create
(provision) the default NT groups.
</para>
<para>
Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups,
Aliases, and RIDs are shown in <link linkend="WKURIDS">Well-Known User Default RIDs</link> table.
Each essential domain group must be assigned its respective well-known RID. The default users, groups,
aliases, and RIDs are shown in <link linkend="WKURIDS">Well-Known User Default RIDs</link>.
</para>
<note><para>
When the <parameter>passdb backend</parameter> uses LDAP (<constant>ldapsam</constant>) it is the
administrators' responsibility to create the essential Domain Groups, and to assign each its default RID.
When the <parameter>passdb backend</parameter> uses LDAP (<constant>ldapsam</constant>), it is the
administrator's responsibility to create the essential domain groups and to assign each its default RID.
</para></note>
<para>
It is permissible to create any Domain Group that may be necessary, just make certain that the essential
Domain Groups (well known) have been created and assigned its default RID. Other groups you create may
It is permissible to create any domain group that may be necessary; just make certain that the essential
domain groups (well known) have been created and assigned their default RIDs. Other groups you create may
be assigned any arbitrary RID you care to use.
</para>
<para>
Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group
will be available for use as an NT Domain Group.
Be sure to map each domain group to a UNIX system group. That is the only way to ensure that the group
will be available for use as an NT domain group.
</para>
<para>
@ -609,10 +609,10 @@ Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
<indexterm><primary>smbgrpadd.sh</primary></indexterm>
<indexterm><primary>groupadd limitations</primary></indexterm>
A script to create complying group names for use by the Samba group interfaces
is provided in <link linkend="smbgrpadd.sh">smbgrpadd.sh</link>. This script will
add a temporary entry in the <filename>/etc/group</filename> file and then rename
it to to the desired name. This is an example of a method to get around operating
system maintenance tool limititations such as that present in some version of the
is provided in <link linkend="smbgrpadd.sh">smbgrpadd.sh</link>. This script
adds a temporary entry in the <filename>/etc/group</filename> file and then renames
it to the desired name. This is an example of a method to get around operating
system maintenance tool limitations such as those present in some version of the
<command>groupadd</command> tool.
</para>
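Review bot: "such as those present in some version of the groupadd tool" pairs a plural pronoun with a singular noun; since the sentence was reworded anyway, make it "some versions of the groupadd tool".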
@ -641,9 +641,10 @@ exit 0
</para>
<para>
The &smb.conf; entry for the above script would be something like that in <link linkend="smbgrpadd">the following example</link>.
The &smb.conf; entry for the above script would be something like that in <link linkend="smbgrpadd">"smbgrpadd"</link>.
<example id="smbgrpadd">
<title>Configuration of &smb.conf; for the add group script.</title>
<title>Configuration of &smb.conf; for the add group Script</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="add group script">/path_to_tool/smbgrpadd.sh &quot;%g&quot;</smbconfoption>
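Review bot: the link text "smbgrpadd" is wrapped in literal quotation marks inside the <link> element, which is not how cross-references are styled elsewhere in this chapter (the link to smbgrpadd.sh a few lines earlier uses bare text); either drop the quotes or let the example title render. The new example title "Configuration of &smb.conf; for the add group Script" capitalizes "Script" but not "add group"; since "add group script" is the name of the &smb.conf; parameter, mark it up as <parameter>add group script</parameter> or title-case the whole phrase consistently.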
@ -659,7 +660,7 @@ exit 0
<para>
In our example we have created a UNIX/Linux group called <literal>ntadmin</literal>.
Our script will create the additional groups <literal>Orks</literal>, <literal>Elves</literal>, and <literal>Gnomes</literal>.
It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database.
It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database.
For the sake of convenience we elect to save this script as a file called <filename>initGroups.sh</filename>.
This script is given in <link linkend="set-group-map">intGroups.sh</link>.
</para>
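Review bot: the link text "intGroups.sh" in the unchanged context line is a typo for "initGroups.sh", the filename given in the sentence immediately before it; this copyedit pass touches the same paragraph, so fix it here.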
@ -701,8 +702,8 @@ net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
<para>
At this time there are many little surprises for the unwary administrator. In a real sense
it is imperative that every step of automated control scripts must be carefully tested
manually before putting them into active service.
it is imperative that every step of automated control scripts be carefully tested
manually before putting it into active service.
</para>
<sect2>
@ -716,11 +717,11 @@ manually before putting them into active service.
<para>
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
that has an uppercase character and/or a space character in it.
</para>
<para>
There are three possible work-arounds. First, use only group names that comply
There are three possible workarounds. First, use only group names that comply
with the limitations of the UNIX/Linux <command>groupadd</command> system tool.
Second, it involves the use of the script mentioned earlier in this chapter, and
third is the option is to manually create a UNIX/Linux group account that can substitute
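Review bot: the unchanged context line "third is the option is to manually create a UNIX/Linux group account" has a duplicated "is" and does not parallel "First, ..." and "Second, ..."; suggest "third, manually create a UNIX/Linux group account that can substitute ...". Likewise "Second, it involves the use of the script" has no antecedent for "it"; "Second, use the script mentioned earlier in this chapter" would match the first item.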
@ -731,10 +732,10 @@ manually before putting them into active service.
</sect2>
<sect2>
<title>Adding <emphasis>Domain Users</emphasis> to the <emphasis>Power Users</emphasis> Group</title>
<title>Adding <emphasis>Domain Users</emphasis> to the <literal>Power Users</literal> Group</title>
<para><quote>
What must I do to add Domain Users to the Power Users group?
What must I do to add domain users to the Power Users group?
</quote></para>
<indexterm><primary>Domain Users group</primary></indexterm>
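Review bot: the retitled section marks up the two group names inconsistently: <emphasis>Domain Users</emphasis> but <literal>Power Users</literal>. Both are Windows group names, and the steps below use <constant> for both, so pick one element for both names in the title.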
@ -764,8 +765,8 @@ manually before putting them into active service.
</para></step>
<step><para>
Double click <constant>Power Users</constant>. This will launch the panel to add users or groups
to the local machine <constant>Power Uses</constant> group.
Double-click <constant>Power Users</constant>. This will launch the panel to add users or groups
to the local machine <constant>Power Users</constant> group.
</para></step>
<step><para>
@ -777,12 +778,12 @@ manually before putting them into active service.
</para></step>
<step><para>
Double click the <constant>Domain Users</constant> group.
Double-click the <constant>Domain Users</constant> group.
</para></step>
<step><para>
Click the <guibutton>Ok</guibutton> button. If a logon box is presented during this process
please remember to enter the connect as <constant>DOMAIN\UserName</constant>. i.e., For the
Click the <guibutton>OK</guibutton> button. If a logon box is presented during this process,
please remember to enter the connect as <constant>DOMAIN\UserName</constant>, that is, for the
domain <constant>MIDEARTH</constant> and the user <constant>root</constant> enter
<constant>MIDEARTH\root</constant>.
</para></step>
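Review bot: "please remember to enter the connect as DOMAIN\UserName" is still missing words after the rewrite; "remember to enter the logon name in the form DOMAIN\UserName" reads cleanly. The inserted ", that is, for the domain MIDEARTH and the user root enter MIDEARTH\root" also makes the sentence a run-on; a colon after "UserName" or a full stop before "For the domain" would be tidier.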

View File

@ -16,23 +16,23 @@
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>GID</primary></indexterm>
The Microsoft Windows operating system has a number of features that impose specific challenges
to interoperability with operating system on which Samba is implemented. This chapter deals
to interoperability with the operating system on which Samba is implemented. This chapter deals
explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the
key challenges in the integration of Samba servers into an MS Windows networking environment.
This chapter deals with Identify Mapping (IDMAP) of Windows Security Identifers (SIDs)
This chapter deals with identity mapping (IDMAP) of Windows security identifiers (SIDs)
to UNIX UIDs and GIDs.
</para>
<para>
To ensure good sufficient coverage each possible Samba deployment type will be discussed.
To ensure sufficient coverage, each possible Samba deployment type is discussed.
This is followed by an overview of how the IDMAP facility may be implemented.
</para>
<para>
<indexterm><primary>network client</primary></indexterm>
The IDMAP facility is usually of concern where more than one Samba server (or Samba network client)
is installed in the one Domain. Where there is a single Samba server do not be too concerned regarding
the IDMAP infrastructure - the default behavior of Samba is nearly always sufficient.
is installed in one domain. Where there is a single Samba server, do not be too concerned regarding
the IDMAP infrastructure &smbmdash; the default behavior of Samba is nearly always sufficient.
</para>
<para>
@ -44,7 +44,7 @@ of foreign SIDs to local UNIX UIDs and GIDs.
<para>
<indexterm><primary>winbindd</primary></indexterm>
The use of the IDMAP facility requires that the <command>winbindd</command> be executed on Samba start-up.
The use of the IDMAP facility requires that the <command>winbindd</command> be executed on Samba startup.
</para>
<sect1>
@ -52,25 +52,25 @@ The use of the IDMAP facility requires that the <command>winbindd</command> be e
<para>
<indexterm><primary>Server Types</primary></indexterm>
There are four (4) basic server deployment types, as documented in <link linkend="ServerType">the chapter
There are four basic server deployment types, as documented in <link linkend="ServerType">the chapter
on Server Types and Security Modes</link>.
</para>
<sect2>
<title>Stand-Alone Samba Server</title>
<title>Standalone Samba Server</title>
<para>
<indexterm><primary>stand-alone server</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>NT4 Domain</primary></indexterm>
A stand-alone Samba server is an implementation that is not a member of a Windows NT4 Domain,
a Windows 200X Active Directory Domain, or of a Samba Domain.
A standalone Samba server is an implementation that is not a member of a Windows NT4 domain,
a Windows 200X Active Directory domain, or a Samba domain.
</para>
<para>
<indexterm><primary>IDMAP</primary></indexterm>
<indexterm><primary>identity</primary></indexterm>
By definition, this means that users and groups will be created and controlled locally and
By definition, this means that users and groups will be created and controlled locally, and
the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility
is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility
will not be relevant or of interest.
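Review bot: the last sentence of the standalone-server paragraph says the same thing twice: "The IDMAP facility is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility will not be relevant or of interest". Since the paragraph is being edited, trim it to "The IDMAP facility is therefore of little to no interest, and winbind will not be necessary".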
@ -87,17 +87,17 @@ on Server Types and Security Modes</link>.
<indexterm><primary>NT4</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
Samba-3 can act as a Windows NT4 PDC or BDC thereby providing domain control protocols that
Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that
are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with
all version of Microsoft Windows products. Windows NT4, as with Microsoft Active Directory,
extensively makes use of Windows security identifiers (SIDs).
all version of MS Windows products. Windows NT4, as with MS Active Directory,
extensively makes use of Windows SIDs.
</para>
<para>
<indexterm><primary>MS Windows SID</primary></indexterm>
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>GID</primary></indexterm>
Samba-3 Domain Member servers and clients must interact correctly with MS Windows SIDs. Incoming
Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming
Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba
server must provide to MS Windows clients and servers appropriate SIDs.
</para>
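Review bot: "compatible with all version of MS Windows products" is still ungrammatical in the rewritten line; it should be "all versions". The same line also shortens "Microsoft Windows" and "Microsoft Active Directory" to "MS Windows" and "MS Active Directory" while the chapter intro two hunks above keeps "The Microsoft Windows operating system", so the abbreviation choice is inconsistent within the file.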
@ -106,21 +106,21 @@ on Server Types and Security Modes</link>.
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>winbind</primary></indexterm>
A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
identity mapping in a variety of ways. The mechanism is will use depends on whether or not
the <command>winbindd</command> daemon is used, and how the winbind functionality is configured.
identity mapping in a variety of ways. The mechanism it uses depends on whether or not
the <command>winbindd</command> daemon is used and how the winbind functionality is configured.
The configuration options are briefly described here:
</para>
<variablelist>
<varlistentry><term>Winbind is not used, users and groups are local: &smbmdash; </term>
<varlistentry><term>Winbind is not used; users and groups are local: </term>
<listitem>
<para>
Where <command>winbindd</command> is not used Samba (<command>smbd</command>)
uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming
network traffic. This will be done using the LoginID (account name) in the
network traffic. This is done using the LoginID (account name) in the
session setup request and passing it to the getpwnam() system function call.
This call is implemented using the name service switch (NSS) mechanism on
modern UNIX/Linux systems. By saying <quote>users and groups are local</quote>
modern UNIX/Linux systems. By saying "users and groups are local,"
we are implying that they are stored only on the local system, in the
<filename>/etc/passwd</filename> and <filename>/etc/group</filename> respectively.
</para>
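Review bot: replacing <quote>users and groups are local</quote> with literal typographic quotation marks breaks the markup convention kept elsewhere in this same diff (for example <quote>algorithmic mapping</quote> survives in the identity-mapping section later in the file); keep the <quote> element and let the stylesheet render the quotation marks. The comma moved inside the closing quote is an artifact of the literal punctuation and goes away with it.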
@ -133,45 +133,45 @@ on Server Types and Security Modes</link>.
</para>
<para>
This configuration may be used with stand-alone Samba servers, Domain Member
servers (NT4 or ADS), and may be used for a PDC that uses either an smbpasswd
or a tdbsam based Samba passdb backend.
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
</para>
</listitem>
</varlistentry>
<varlistentry><term>Winbind is not used, users and groups resolved via NSS: &smbmdash; </term>
<varlistentry><term>Winbind is not used; users and groups resolved via NSS: </term>
<listitem>
<para>
In this situation user and group accounts are treated as if they are local
accounts, the only way in which this differs from having local accounts is
accounts. The only way in which this differs from having local accounts is
that the accounts are stored in a repository that can be shared. In practice
this means that they will reside in either a NIS type database or else in LDAP.
this means that they will reside in either an NIS-type database or else in LDAP.
</para>
<para>
This configuration may be used with stand-alone Samba servers, Domain Member
servers (NT4 or ADS), and may be used for a PDC that uses either an smbpasswd
or a tdbsam based Samba passdb backend.
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
</para>
</listitem>
</varlistentry>
<varlistentry><term>Winbind/NSS with the default local IDMAP table: &smbmdash; </term>
<varlistentry><term>Winbind/NSS with the default local IDMAP table: </term>
<listitem>
<para>
There are many sites that require only a simple Samba server, or a single Samba
server that is a member of a Windows NT4 Domain or an ADS Domain. A typical example
There are many sites that require only a simple Samba server or a single Samba
server that is a member of a Windows NT4 domain or an ADS domain. A typical example
is an appliance like file server on which no local accounts are configured and
winbind is used to obtain account credentials from the domain controllers for the
domain. The domain control can be provided by Samba-3, MS Windows NT4 or MS Windows
domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows
Active Directory.
</para>
<para>
Winbind is a great convenience in this situation. All that is needed is a range of
UID numbers and GID numbers that can be defined in the &smb.conf; file, the
<filename>/etc/nsswitch.conf</filename> file is configured to use <command>winbind</command>
UID numbers and GID numbers that can be defined in the &smb.conf; file. The
<filename>/etc/nsswitch.conf</filename> file is configured to use <command>winbind</command>,
which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs.
The SIDs are allocated a UID/GID in the order in which winbind receives them.
</para>
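Review bot: "an appliance like file server" in the unchanged context line needs a hyphen, "appliance-like file server". The final sentence of the second paragraph, "The SIDs are allocated a UID/GID in the order in which winbind receives them", is the reason the warning in the following paragraph (a rebuilt IDMAP file may hand the same UIDs and GIDs to different users and groups) holds; making that link explicit ("Because the SIDs are allocated in the order in which winbind receives them, a rebuilt table ...") would make the hazard clearer to the reader.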
@ -180,15 +180,15 @@ on Server Types and Security Modes</link>.
This configuration is not convenient or practical in sites that have more than one
Samba server and that require the same UID or GID for the same user or group across
all servers. One of the hazards of this method is that in the event that the winbind
IDMAP file may become corrupted or lost, the repaired or rebuilt IDMAP file may allocate
UIDs and GIDs to differing users and groups from what was there previously with the
IDMAP file becomes corrupted or lost, the repaired or rebuilt IDMAP file may allocate
UIDs and GIDs to different users and groups from what was there previously with the
result that MS Windows files that are stored on the Samba server may now not belong to
to rightful owner.
the rightful owners.
</para>
</listitem>
</varlistentry>
<varlistentry><term>Winbind/NSS uses RID based IDMAP: &smbmdash; </term>
<varlistentry><term>Winbind/NSS uses RID based IDMAP: </term>
<listitem>
<para>
<indexterm><primary>RID</primary></indexterm>
@ -196,8 +196,8 @@ on Server Types and Security Modes</link>.
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier
for a number of sites that are committed to use of MS ADS, who do not want to apply
an ADS schema extension, and who do not wish to install an LDAP directory server just for
for a number of sites that are committed to use of MS ADS, that do not apply
an ADS schema extension, and that do not have an installed an LDAP directory server just for
the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of
domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the
IDMAP table problem, then IDMAP_RID is an obvious choice.
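Review bot: the rewritten IDMAP_RID sentence introduces a garbled phrase and shifts the meaning: "that do not have an installed an LDAP directory server" has a stray "an", and "who do not want to apply an ADS schema extension" became "that do not apply an ADS schema extension", turning a preference into a statement of fact. Suggest "for a number of sites that are committed to the use of MS ADS, that do not want to apply an ADS schema extension, and that do not wish to install an LDAP directory server just for the purpose of maintaining an IDMAP table". The term "Winbind/NSS uses RID based IDMAP" also still lacks the hyphen ("RID-based") that this pass adds to "tdbsam-based" and "backend-based".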
@ -213,7 +213,7 @@ on Server Types and Security Modes</link>.
<indexterm><primary>idmap backend</primary></indexterm>
This facility requires the allocation of the <parameter>idmap uid</parameter> and the
<parameter>idmap gid</parameter> ranges, and within the <parameter>idmap uid</parameter>
it is possible to allocate a sub-set of this range for automatic mapping of the relative
it is possible to allocate a subset of this range for automatic mapping of the relative
identifier (RID) portion of the SID directly to the base of the UID plus the RID value.
For example, if the <parameter>idmap uid</parameter> range is <constant>1000-100000000</constant>
and the <parameter>idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000</parameter>, and
@ -223,40 +223,40 @@ on Server Types and Security Modes</link>.
</listitem>
</varlistentry>
<varlistentry><term>Winbind with an NSS/LDAP backend based IDMAP facility: &smbmdash; </term>
<varlistentry><term>Winbind with an NSS/LDAP backend-based IDMAP facility: </term>
<listitem>
<para>
<indexterm><primary>Domain Member</primary></indexterm>
In this configuration <command>winbind</command> resolved SIDs to UIDs and GIDs from
the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter> ranges specified
in the &smb.conf; file, but instead of using a local winbind IDMAP table it is stored
in an LDAP directory so that all Domain Member machines (clients and servers) can share
in the &smb.conf; file, but instead of using a local winbind IDMAP table, it is stored
in an LDAP directory so that all domain member machines (clients and servers) can share
a common IDMAP table.
</para>
<para>
<indexterm><primary>idmap backend</primary></indexterm>
It is important that all LDAP IDMAP clients use only the master LDAP server as the
It is important that all LDAP IDMAP clients use only the master LDAP server because the
<parameter>idmap backend</parameter> facility in the &smb.conf; file does not correctly
handle LDAP redirects.
</para>
</listitem>
</varlistentry>
<varlistentry><term>Winbind with NSS to resolve UNIX/Linux user and group IDs: &smbmdash; </term>
<varlistentry><term>Winbind with NSS to resolve UNIX/Linux user and group IDs: </term>
<listitem>
<para>
The use of LDAP as the passdb backend is a smart solution for PDC, BDC as well as for
Domain Member servers. It is a neat method for assuring that UIDs, GIDs and the matching
SIDs will be consistent across all servers.
The use of LDAP as the passdb backend is a smart solution for PDC, BDC, and
domain member servers. It is a neat method for assuring that UIDs, GIDs, and the matching
SIDs are consistent across all servers.
</para>
<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>PADL</primary></indexterm>
The use of the LDAP based passdb backend requires use of the PADL nss_ldap utility, or
an equivalent. In this situation winbind is used to handle foreign SIDs; ie: SIDs from
stand-alone Windows clients (i.e.: not a member of our domain) as well as SIDs from
The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or
an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from
standalone Windows clients (i.e., not a member of our domain) as well as SIDs from
another domain. The foreign UID/GID is mapped from allocated ranges (idmap uid and idmap gid)
in precisely the same manner as when using winbind with a local IDMAP table.
</para>
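Review bot: "In this configuration winbind resolved SIDs to UIDs and GIDs" in the unchanged context line should be present tense, "resolves", to match "it is stored" later in the same sentence. In the nss_ldap paragraph the rewrite now has "that is, SIDs from standalone Windows clients (i.e., not a member of our domain)" with "that is" and "i.e." back to back; one of them can go.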
@ -266,12 +266,12 @@ on Server Types and Security Modes</link>.
<indexterm><primary>AD4UNIX</primary></indexterm>
<indexterm><primary>MMC</primary></indexterm>
The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active
Directory. In order to use Active Directory it is necessary to modify the ADS schema by
installing either the AD4UNIX schema extension or else use the Microsoft Services for UNIX
version 3.5 of later to extend the ADS schema so it maintains UNIX account credentials.
Where the ADS schema is extended a Microsoft Management Console (MMC) snap-in in also
Directory. In order to use Active Directory, it is necessary to modify the ADS schema by
installing either the AD4UNIX schema extension or using the Microsoft Services for UNIX
version 3.5 or later to extend the ADS schema so it maintains UNIX account credentials.
Where the ADS schema is extended, a Microsoft Management Console (MMC) snap-in is also
installed to permit the UNIX credentials to be set and managed from the ADS User and Computer
management tool. Each account must be separately UNIX enabled before the UID and GID data can
Management tool. Each account must be separately UNIX-enabled before the UID and GID data can
be used by Samba.
</para>
</listitem>
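Review bot: "ADS User and Computer Management tool" capitalizes "Management" but leaves the phrase as a half-capitalized hybrid; the MMC snap-in is named "Active Directory Users and Computers", so either use that name or lowercase the whole descriptive phrase ("the ADS user and computer management tool"), consistent with how the rest of this edit lowercases generic terms.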
@ -289,17 +289,17 @@ on Server Types and Security Modes</link>.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>RID</primary></indexterm>
<indexterm><primary>algorithmic mapping</primary></indexterm>
Microsoft Windows domain security systems generate the user and group security identifier (SID) as part
of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID, rather
it has its own type of security descriptor. When Samba is used as a Domain Controller, it provides a method
Microsoft Windows domain security systems generate the user and group SID as part
of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID; rather,
it has its own type of security descriptor. When Samba is used as a domain controller, it provides a method
of producing a unique SID for each user and group. Samba generates a machine and a domain SID to which it
adds a relative identifier (RID) that is calculated algorithmically from a base value that can be specified
in the &smb.conf; file, plus twice (2X) the UID or GID. This method is called <quote>algorithmic mapping</quote>.
adds an RID that is calculated algorithmically from a base value that can be specified
in the &smb.conf; file, plus twice (2x) the UID or GID. This method is called <quote>algorithmic mapping</quote>.
</para>
<para>
<indexterm><primary>RID base</primary></indexterm>
For example, a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will
For example, ifa user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will
be <constant>1000 + (2 x 4321) = 9642</constant>. Thus, if the domain SID is
<constant>S-1-5-21-89238497-92787123-12341112</constant>, the resulting SID is
<constant>S-1-5-21-89238497-92787123-12341112-9642</constant>.
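Review bot: the rewritten line introduces a typo, "ifa user" for "if a user". The worked example itself checks out: base 1000 plus twice the UID 4321 gives 9642, and appending it to the domain SID yields S-1-5-21-89238497-92787123-12341112-9642, as stated.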
@ -307,14 +307,14 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>on-the-fly</primary></indexterm>
The foregoing type SID is produced by Samba as an automatic function and is either produced on-the-fly
(as in the case when using a <parameter>passdb backend = [tdbsam | smbpasswd]</parameter>, or may be stored
as a permanent part of an account in an LDAP based ldapsam.
The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly
(as is the case when using a <parameter>passdb backend = [tdbsam | smbpasswd]</parameter>), or may be stored
as a permanent part of an account in an LDAP-based ldapsam.
</para>
<para>
<indexterm><primary>SFU 3.5</primary></indexterm>
MS Active Directory Server (ADS) uses a directory schema that can be extended to accommodate additional
ADS uses a directory schema that can be extended to accommodate additional
account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand
the normal ADS schema to include UNIX account attributes. These must of course be managed separately
through a snap-in module to the normal ADS account management MMC interface.
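Review bot: "Microsoft Service for UNIX 3.5" in the unchanged context line should be "Services for UNIX", the product name used correctly in the previous hunk ("Microsoft Services for UNIX version 3.5 or later"); while touching this paragraph, make the two agree.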
@ -323,7 +323,7 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>PDC</primary></indexterm>
Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity.
In an NT4 domain context that PDC manages the distribution of all security credentials to the backup
In an NT4 domain context, that PDC manages the distribution of all security credentials to the backup
domain controllers. At this time the only passdb backend for a Samba domain controller that is suitable
for such information is an LDAP backend.
</para>
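Review bot: two errors remain on the lines this hunk touches: "itegrity" in the context line should be "integrity", and "In an NT4 domain context, that PDC manages the distribution" should read "the PDC".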
@ -335,13 +335,13 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>BDC</primary></indexterm>
Backup Domain Controllers (BDCs) have read-only access to security credentials that are stored in LDAP.
BDCs have read-only access to security credentials that are stored in LDAP.
Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
changes to the directory.
</para>
<para>
IDMAP information can however be written directly to the LDAP server so long as all domain controllers
IDMAP information can, however, be written directly to the LDAP server so long as all domain controllers
have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects
in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with
the IDMAP facility.
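Review bot: "This means that it is is unsafe to use a slave (replicate) LDAP server" has a duplicated "is" on the context line two lines below the rewritten one, and "replicate" reads as a slip for "replica". The rewritten sentence is the one carrying the operational warning (IDMAP writes must go to the master because the IDMAP backend does not follow LDAP redirects), so it is worth making the whole paragraph clean.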
@ -361,7 +361,7 @@ on Server Types and Security Modes</link>.
<indexterm><primary>DMC</primary></indexterm>
Anyone who wishes to use <command>winbind</command> will find the following example configurations helpful.
Remember that in the majority of cases <command>winbind</command> is of primary interest for use with
Domain Member Servers (DMSs) and Domain Member Clients (DMCs).
domain member servers (DMSs) and domain member clients (DMCs).
</para>
<sect2>
@ -377,12 +377,12 @@ Domain Member Servers (DMSs) and Domain Member Clients (DMCs).
</para></listitem>
<listitem><para>
Networks that use MS Windows 200X ADS.
Networks that use MS Windows 200x ADS.
</para></listitem>
</itemizedlist>
<sect3>
<title>NT4 Style Domains (includes Samba Domains)</title>
<title>NT4-Style Domains (Includes Samba Domains)</title>
<para>
The following is a simple example of an NT4 DMS &smb.conf; file that shows only the global section.
@ -420,7 +420,7 @@ hosts: files wins
<procedure>
<step><para>
Create or install and &smb.conf; file with the above configuration.
Create or install an &smb.conf; file with the above configuration.
</para></step>
<step><para>
@ -456,7 +456,7 @@ Join to domain 'MEGANET2' is not valid
<para>
<indexterm><primary>domain join</primary></indexterm>
The procedure for joining and ADS domain is similar to the NT4 domain join, except the &smb.conf; file
The procedure for joining an ADS domain is similar to the NT4 domain join, except the &smb.conf; file
will have the following contents:
<screen>
# Global parameters
@ -482,9 +482,9 @@ Join to domain 'MEGANET2' is not valid
<indexterm><primary>MIT kerberos</primary></indexterm>
<indexterm><primary>Heimdal</primary></indexterm>
<indexterm><primary>Heimdal kerberos</primary></indexterm>
ADS DMS operation requires use of kerberos (KRB). For this to work the <filename>krb5.conf</filename>
must be configured. The exact requirements depends on which version of MIT or Heimdal kerberos is being
used. It is sound advice to use only the latest version, which at this time are MIT kerberos version
ADS DMS operation requires use of kerberos (KRB). For this to work, the <filename>krb5.conf</filename>
must be configured. The exact requirements depends on which version of MIT or Heimdal Kerberos is being
used. It is sound advice to use only the latest version, which at this time are MIT Kerberos version
1.3.5 and Heimdal 0.61.
</para>
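Review bot: capitalization is now inconsistent within the paragraph: "requires use of kerberos (KRB)" stays lowercase while the next two lines were changed to "Heimdal Kerberos" and "MIT Kerberos". Kerberos is a proper noun, so the first occurrence should be capitalized too. Two agreement errors were also left in place: "The exact requirements depends" should be "depend", and "use only the latest version, which at this time are MIT Kerberos version 1.3.5 and Heimdal 0.61" should be "the latest versions, which at this time are".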
@ -494,7 +494,7 @@ Join to domain 'MEGANET2' is not valid
<procedure>
<step><para>
Create or install and &smb.conf; file with the above configuration.
Create or install an &smb.conf; file with the above configuration.
</para></step>
<step><para>
@ -526,13 +526,13 @@ GARGOYLE$@'s password:
Join to domain is not valid
</screen>
<indexterm><primary>error message</primary></indexterm>
The specific error message may differ from the above as it depends on the type of failure that
may have occured. Increase the <parameter>log level</parameter> to 10, repeat the above test
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <parameter>log level</parameter> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.
</para></step>
<step><para>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
</para></step>
</procedure>
@ -551,7 +551,7 @@ Join to domain is not valid
The <command>idmap_rid</command> facility is a new tool that, unlike native winbind, creates a
predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
in a central place. The down-side is that it can be used only within a single ADS Domain and
in a central place. The downside is that it can be used only within a single ADS domain and
is not compatible with trusted domain implementations.
</para>
@ -560,10 +560,10 @@ Join to domain is not valid
<indexterm><primary>allow trusted domains</primary></indexterm>
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>idmap gid</primary></indexterm>
This alternate method of SID to UID/GID mapping can be achieved uses the idmap_rid
This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid
plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
<quote>allow trusted domains = No</quote> must be specified, as it is not compatible
<quote>allow trusted domains = No</quote> be specified, as it is not compatible
with multiple domain environments. The <parameter>idmap uid</parameter> and
<parameter>idmap gid</parameter> ranges must be specified.
</para>
@ -571,8 +571,8 @@ Join to domain is not valid
<para>
<indexterm><primary>idmap_rid</primary></indexterm>
<indexterm><primary>realm</primary></indexterm>
The idmap_rid facility can be used both for NT4/Samba style domains as well as with Active Directory.
To use this with an NT4 Domain the <parameter>realm</parameter> is not used, additionally the
The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory.
To use this with an NT4 domain, the <parameter>realm</parameter> is not used; additionally, the
method used to join the domain uses the <constant>net rpc join</constant> process.
</para>
@ -605,13 +605,12 @@ Join to domain is not valid
<indexterm><primary>response</primary></indexterm>
<indexterm><primary>getent</primary></indexterm>
In a large domain with many users it is imperative to disable enumeration of users and groups.
For examplem, at a site that has 22,000 users in Active Directory the winbind based user and
group resolution is unavailable for nearly 12 minutes following first start-up of
<command>winbind</command>. Disabling of such enumeration resulted in instantaneous response.
For example, at a site that has 22,000 users in Active Directory the winbind-based user and
group resolution is unavailable for nearly 12 minutes following first startup of
<command>winbind</command>. Disabling enumeration resulted in instantaneous response.
The disabling of user and group enumeration means that it will not be possible to list users
or groups using the <command>getent passwd</command> and <command>getent group</command>
commands. It will be possible to perform the lookup for individual users, as shown in the procedure
below.
commands. It will be possible to perform the lookup for individual users, as shown in the following procedure.
</para>
<para>
@ -636,7 +635,7 @@ hosts: files wins
<procedure>
<step><para>
Create or install and &smb.conf; file with the above configuration.
Create or install an &smb.conf; file with the above configuration.
</para></step>
<step><para>
@ -662,13 +661,13 @@ BIGJOE$@'s password:
ads_connect: No results returned
Join to domain is not valid
</screen>
The specific error message may differ from the above as it depends on the type of failure that
may have occured. Increase the <parameter>log level</parameter> to 10, repeat the above test
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <parameter>log level</parameter> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.
</para></step>
<step><para>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
</para></step>
<step><para>
@ -684,19 +683,20 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</sect2>
<sect2>
<title>IDMAP Storage in LDAP using Winbind</title>
<title>IDMAP Storage in LDAP Using Winbind</title>
<para>
<indexterm><primary>ADAM</primary></indexterm>
<indexterm><primary>ADS</primary></indexterm>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3 style domains as well as
with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards
complying LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and
ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any
standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP
configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM,
and so on.
</para>
<para>
The following example is for an ADS style domain:
The following example is for an ADS domain:
</para>
<para>
@ -722,17 +722,16 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
<para>
<indexterm><primary>realm</primary></indexterm>
In the case of an NT4 or Samba-3 style Domain the <parameter>realm</parameter> is not used and the
command used to join the domain is: <command>net rpc join</command>. The above example also demonstrates
advanced error reporting techniques that are documented in <link linkend="dbglvl">the chapter called
Reporting Bugs</link>.
In the case of an NT4 or Samba-3-style domain the <parameter>realm</parameter> is not used, and the
command used to join the domain is <command>net rpc join</command>. The above example also demonstrates
advanced error-reporting techniques that are documented in <link linkend="dbglvl">Reporting Bugs</link>.
</para>
<para>
<indexterm><primary>MIT kerberos</primary></indexterm>
<indexterm><primary>Heimdal kerberos</primary></indexterm>
<indexterm><primary>/etc/krb5.conf</primary></indexterm>
Where MIT kerberos is installed (version 1.3.4 or later) edit the <filename>/etc/krb5.conf</filename>
Where MIT kerberos is installed (version 1.3.4 or later), edit the <filename>/etc/krb5.conf</filename>
file so it has the following contents:
<screen>
[logging]
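Review bot: "Where MIT kerberos is installed" keeps the lowercase spelling that an earlier hunk in this file changed to "MIT Kerberos"; the two should agree, and the same applies to "Heimdal kerberos" in the following hunks. Unrelated to spelling, the rewritten link text "<link linkend="dbglvl">Reporting Bugs</link>" now reads as a chapter title in running text, which is fine as long as that is the actual title of the chapter with id dbglvl.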
@ -757,8 +756,8 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</para>
<para>
Where Heimdal kerberos is installed edit the <filename>/etc/krb5.conf</filename>
file so it is either empty (i.e.: no contents) or it has the following contents:
Where Heimdal kerberos is installed, edit the <filename>/etc/krb5.conf</filename>
file so it is either empty (i.e., no contents) or it has the following contents:
<screen>
[libdefaults]
default_realm = SNOWSHOW.COM
@ -775,9 +774,9 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</para>
<note><para>
Samba can not use the Heimdal libraries if there is no <filename>/etc/krb5.conf</filename> file.
So long as there is an empty file the Heimdal kerberos libraries will be usable. There is no
need to specify any settings as Samba using the Heimdal libraries can figure this out automatically.
Samba cannot use the Heimdal libraries if there is no <filename>/etc/krb5.conf</filename> file.
So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically.
</para></note>
<para>
@ -815,7 +814,7 @@ ssl no
</para>
<para>
The following procedure may be followed to affect a working configuration:
The following procedure may be followed to effect a working configuration:
</para>
<procedure>
@ -824,7 +823,7 @@ ssl no
</para></step>
<step><para>
Create the <filename>/etc/krb5.conf</filename> file following the indications above.
Create the <filename>/etc/krb5.conf</filename> file as shown above.
</para></step>
<step><para>
@ -832,13 +831,13 @@ ssl no
</para></step>
<step><para>
Download, build and install the PADL nss_ldap tool set. Configure the
Download, build, and install the PADL nss_ldap tool set. Configure the
<filename>/etc/ldap.conf</filename> file as shown above.
</para></step>
<step><para>
Configure an LDAP server, initialize the directory with the top level entries needed by IDMAP
as shown in the following LDIF file:
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP,
shown in the following LDIF file:
<screen>
dn: dc=snowshow,dc=com
objectClass: dcObject
@ -859,7 +858,7 @@ ou: idmap
</para></step>
<step><para>
Execute the command to join the Samba Domain Member Server to the ADS domain as shown here:
Execute the command to join the Samba DMS to the ADS domain as shown here:
<screen>
&rootprompt; net ads testjoin
Using short domain name -- SNOWSHOW
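Review bot: the step text says "Execute the command to join the Samba DMS to the ADS domain as shown here" but the screen shows "net ads testjoin", which only tests an existing join; the output that follows, "Joined 'GOODELF' to realm 'SNOWSHOW.COM'", is what "net ads join" prints. Either the command in the screen should be "net ads join" or the step wording should describe verifying the join, since the step cannot both join and test.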
@ -875,7 +874,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</para></step>
<step><para>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
</para></step>
</procedure>
@ -889,7 +888,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</sect2>
<sect2>
<title>IDMAP and NSS Using LDAP From ADS with RFC2307bis Schema Extension</title>
<title>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</title>
<para>
<indexterm><primary>rfc2307bis</primary></indexterm>
@ -950,12 +949,12 @@ hosts: files wins
</para>
<para>
The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
The next step involves preparation of the ADS schema. This is briefly discussed in the remaining
part of this chapter.
</para>
<sect3>
<title>IDMAP, Active Directory and MS Services for UNIX 3.5</title>
<title>IDMAP, Active Directory, and MS Services for UNIX 3.5</title>
<para>
<indexterm><primary>SFU</primary></indexterm>
@ -973,7 +972,7 @@ hosts: files wins
<para>
Instructions for obtaining and installing the AD4UNIX tool set can be found from the
<ulink url="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach">
Geekcomix</ulink> web site.
Geekcomix</ulink> Web site.
</para>
</sect3>

View File

@ -19,13 +19,13 @@
<para>
Binary packages of Samba are included in almost any Linux or
UNIX distribution. There are also some packages available at
<ulink url="http://samba.org/">the Samba home-page</ulink>. Refer to
<ulink url="http://samba.org/">the Samba home page</ulink>. Refer to
the manual of your operating system for details on installing packages
for your specific operating system.
</para>
<para>If you need to compile Samba from source, check
<link linkend="compiling">How to compile Samba.</link>
<link linkend="compiling">How to Compile Samba.</link>
</para>
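Review bot: the sentence-ending period sits inside the link element in "<link linkend="compiling">How to Compile Samba.</link>", so it becomes part of the link text; move it outside the closing tag.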
</sect1>
@ -43,13 +43,13 @@
</para>
<sect2>
<title>Configuration file syntax</title>
<title>Configuration File Syntax</title>
<para>The &smb.conf; file uses the same syntax as the various old
.ini files in Windows 3.1: Each file consists of various sections,
which are started by putting the section name between brackets ([])
on a new line. Each contains zero or more key/value-pairs separated by an
equality sign (=). The file is just a plain-text file, so you can
on a new line. Each contains zero or more key/value pairs separated by an
equality sign (=). The file is just a plaintext file, so you can
open and edit it with your favorite editing tool.</para>
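Review bot: "plaintext" is the wrong word in "The file is just a plaintext file"; in a security document plaintext means unencrypted data, whereas the point here is that the file is an ordinary text file. "plain text file" (or the original "plain-text file") avoids the confusion.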
<para>Each section in the &smb.conf; file represents a share
@ -57,7 +57,7 @@
contains settings that apply to the whole Samba server and not
to one share in particular.</para>
<para><link linkend="smbconfminimal">Following example</link> contains a very minimal &smb.conf;.
<para><link linkend="smbconfminimal">A minimal smb.conf</link> contains a very minimal &smb.conf;.
<indexterm><primary>minimal configuration</primary></indexterm>
</para>
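Review bot: the rewritten sentence is redundant: "<link linkend="smbconfminimal">A minimal smb.conf</link> contains a very minimal &smb.conf;" says "a minimal smb.conf contains a minimal smb.conf". Something like "<link linkend="smbconfminimal">A minimal smb.conf</link> shows a very minimal &smb.conf;" keeps the example title in the link text without repeating it.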
@ -98,8 +98,8 @@
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP based protocols. The <command>nmbd</command> daemon should
be the first command started as part of the Samba start-up process.
in network browsing. It handles all UDP-based protocols. The <command>nmbd</command> daemon should
be the first command started as part of the Samba startup process.
</para></listitem>
</varlistentry>
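Review bot: the index entries in this entry look swapped. The two indexterms read "smbd" and "starting samba / smbd", but the description that follows ("handles all name registration and resolution requests", "UDP-based protocols", "should be the first command started") is the nmbd daemon; the next hunk has the mirror image, with "nmbd" indexterms above the smbd description. Since this hunk edits the paragraph anyway, it would be a good place to swap the primary and secondary terms back.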
@ -107,8 +107,8 @@
<listitem><para>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
This daemon handles all TCP/IP based connection services for file and print based operations. It also
manages local authentication. It should be started immediately following the start-up of <command>nmbd</command>.
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of <command>nmbd</command>.
</para></listitem>
</varlistentry>
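Review bot: same issue as the previous entry, mirrored: the indexterms here say "nmbd" and "starting samba / nmbd", but the text describes smbd ("TCP/IP-based connection services for file- and print-based operations", "started immediately following the startup of <command>nmbd</command>"). The indexterms should say smbd.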
@ -116,18 +116,18 @@
<listitem><para>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. It is also needed when
Samba has trust relationships with another Domain. The <command>winbindd</command> daemon will check the
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The <command>winbindd</command> daemon will check the
&smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
parameters. If they are not found <command>winbindd</command> will bail-out and refuse to start.
parameters. If they are not found, <command>winbindd</command> will bail out and refuse to start.
</para></listitem>
</varlistentry>
</variablelist>
<para>
When Samba has been packaged by an operating system vendor the start-up process is typically a custom feature of its
When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
integration into the platform as a whole. Please refer to your operating system platform administration manuals for
specific information pertaining to correct management of Samba start-up.
specific information pertaining to correct management of Samba startup.
</para>
</sect2>
@ -145,24 +145,22 @@
</para>
<para>
The simplest useful configuration file would contain something like shown in
<link linkend="simple-example">the next example</link>.
The simplest useful configuration file would contain something like that shown in
<link linkend="simple-example">Another simple smb.conf File</link>.
<indexterm><primary>simple configuration</primary></indexterm>
</para>
<para>
<indexterm><primary>simple configuration</primary></indexterm>
<example id="simple-example">
<title>Another simple smb.conf File</title>
<smbconfblock>
<example id="simple-example">
<title>Another simple smb.conf File</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfsection name="[homes]"/>
<smbconfoption name="guest ok">no</smbconfoption>
<smbconfoption name="read only">no</smbconfoption>
</smbconfblock>
</smbconfblock>
</example>
</para>
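Review bot: the indexterm "<indexterm><primary>simple configuration</primary></indexterm>" now appears twice within a few lines, once in the introductory paragraph and once in the paragraph wrapping the example; one of them should be dropped so the index does not get duplicate entries for the same page. A smaller point: the link text "<link linkend="simple-example">Another simple smb.conf File</link>" hard-codes the example's title, which will silently drift if the <title> is edited later; an empty link or xref that generates the title (as this commit does for the SWAT link in a later hunk) avoids that.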
<para>
This will allow connections by anyone with an account on the server, using either
@ -177,8 +175,8 @@
<para>
For more information about security settings for the
<smbconfsection name="[homes]"/> share please refer to
<link linkend="securing-samba">Securing Samba</link> chapter.
<smbconfsection name="[homes]"/> share, please refer to
<link linkend="securing-samba">Securing Samba</link>.
</para>
<sect3>
@ -194,7 +192,7 @@
&rootprompt; testparm /etc/samba/smb.conf
</screen>
<para>Testparm will parse your configuration file and report
<para>testparm will parse your configuration file and report
any unknown parameters or incorrect syntax. </para>
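Review bot: lowercasing "Testparm" to "testparm" at the start of a sentence is right for a program name, but the document's convention is to wrap program names in <command> (as with <command>nmbd</command> and <command>smbclient</command> elsewhere in this file); "<command>testparm</command> will parse your configuration file" also makes it visually clear that the lowercase start is deliberate.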
@ -214,7 +212,7 @@
SWAT is a Web-based interface that can be used to facilitate the configuration of Samba.
SWAT might not be available in the Samba package that shipped with your platform,
but in a separate package. Please read the SWAT man page
on compiling, installing and configuring SWAT from source.
on compiling, installing, and configuring SWAT from source.
</para>
<para>
@ -226,10 +224,10 @@
<para>
SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote
machine leaves your connection open to password sniffing as passwords will be sent over the wire in the clear.
machine leaves your connection open to password sniffing because passwords will be sent over the wire in the clear.
</para>
<para>More information about SWAT can be found in <link linkend="SWAT">corresponding chapter</link>.</para>
<para>More information about SWAT can be found in <link linkend="SWAT"></link>.</para>
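Review bot: the empty link in "More information about SWAT can be found in <link linkend="SWAT"></link>." will render as "found in ." unless the stylesheet in use generates the target's title for an empty <link>; please confirm that it does, or use <xref linkend="SWAT"/>, which is the element defined for that purpose. The preceding sentence about passwords being sent over the wire in the clear is the security-relevant point of this section and is correctly preserved.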
</sect2>
@ -239,7 +237,7 @@
<title>List Shares Available on the Server</title>
<para>
To list shares that are available from the configured Samba server execute the
To list shares that are available from the configured Samba server, execute the
following command:
</para>
@ -251,7 +249,7 @@
something is incorrectly configured. This method can also be used to see what shares
are available on other SMB servers, such as Windows 2000.</para>
<para>If you choose user-level security you may find that Samba requests a password
<para>If you choose user-level security, you may find that Samba requests a password
before it will list the shares. See the <command>smbclient</command> man page for details.
You can force it to list the shares without a password by adding the option
<option>-N</option> to the command line. </para>
@ -268,7 +266,7 @@
<para>Typically <replaceable>yourhostname</replaceable> is the name of the host on which &smbd;
has been installed. The <replaceable>aservice</replaceable> is any service that has been defined in the &smb.conf;
file. Try your user name if you just have a <smbconfsection name="[homes]"/> section in the &smb.conf; file.</para>
file. Try your username if you just have a <smbconfsection name="[homes]"/> section in the &smb.conf; file.</para>
<para>Example: If the UNIX host is called <replaceable>bambi</replaceable> and a valid login name
is <replaceable>fred</replaceable>, you would type:</para>
@ -285,15 +283,15 @@
access it from other clients. Within a few minutes, the Samba host
should be listed in the Network Neighborhood on all Windows
clients of its subnet. Try browsing the server from another client
or 'mounting' it.</para>
or "mounting" it.</para>
<para>Mounting disks from a DOS, Windows or OS/2 client can be done by running a command such as:</para>
<para>Mounting disks from a DOS, Windows, or OS/2 client can be done by running a command such as:</para>
<para><screen>
&dosprompt;<userinput>net use d: \\servername\service</userinput>
</screen></para>
<para>Try printing, e.g.</para>
<para>Try printing, for example,</para>
<para>
<screen>
@ -308,12 +306,13 @@
<sect1>
<title>What If Things Don't Work?</title>
<para>You might want to read <link linkend="diagnosis">The Samba Checklist</link>.
If you are still stuck, refer to <link linkend="problems">Analyzing and Solving Samba Problems</link> chapter.
Samba has been successfully installed at thousands of sites worldwide.
It is unlikely that your particular problem is unique, so it might be
productive to perform an Internet search to see if someone else has encountered
your problem and has found a way to overcome it.</para>
<para>
You might want to read <link linkend="diagnosis">The Samba Checklist</link>. If you are still
stuck, refer to <link linkend="problems">Analyzing and Solving Samba Problems</link>. Samba has
been successfully installed at thousands of sites worldwide. It is unlikely that your particular problem is
unique, so it might be productive to perform an Internet search to see if someone else has encountered your
problem and has found a way to overcome it.
</para>
</sect1>
@ -329,12 +328,12 @@ The following questions and issues are raised repeatedly on the Samba mailing li
<para>
Samba consists of three core programs: &nmbd;, &smbd;, and &winbindd;. &nmbd; is the name server message daemon,
&smbd; is the server message daemon, and &winbindd; is the daemon that handles communication with Domain Controllers.
&smbd; is the server message daemon, and &winbindd; is the daemon that handles communication with domain controllers.
</para>
<para>
If Samba is <emphasis>not</emphasis> running as a WINS server, then there will be one single instance of
&nmbd; running on your system. If it is running as a WINS server then there will be
&nmbd; running on your system. If it is running as a WINS server, then there will be
two instances &smbmdash; one to handle the WINS requests.
</para>
@ -366,11 +365,11 @@ run in <emphasis>split mode</emphasis> (in which case there will be two instance
<title><quote><errorname>The network name cannot be found</errorname></quote></title>
<para>
This error can be caused by one of these mis-configurations:
This error can be caused by one of these misconfigurations:
</para>
<itemizedlist>
<listitem><para>You specified an non-existing path
<listitem><para>You specified a nonexisting path
for the share in &smb.conf;.</para></listitem>
<listitem><para>The user you are trying to access the share with does not
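Review bot: "nonexisting" in "You specified a nonexisting path" is not standard; "nonexistent path" is the usual form, and it matches the "misconfigurations" change made in the same hunk.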

View File

@ -11,18 +11,18 @@
<para>
<indexterm><primary>NetBIOS</primary></indexterm>
This section deals with NetBIOS over TCP/IP name to IP address resolution. If
This chapter deals with NetBIOS over TCP/IP name to IP address resolution. If
your MS Windows clients are not configured to use NetBIOS over TCP/IP, then this
section does not apply to your installation. If your installation
involves the use of
NetBIOS over TCP/IP then this section may help you to resolve networking problems.
NetBIOS over TCP/IP, then this chapter may help you to resolve networking problems.
</para>
<note>
<para>
NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
over Logical Link Control (LLC). On modern networks it is highly advised
to not run NetBEUI at all. Note also there is no such thing as
to not run NetBEUI at all. Note also that there is no such thing as
NetBEUI over TCP/IP &smbmdash; the existence of such a protocol is a complete
and utter misapprehension.
</para>
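Review bot: the "section" to "chapter" change was applied to the first and last sentences of the paragraph but the unchanged middle line still reads "section does not apply to your installation", so the paragraph now mixes both terms; it should say "chapter" there as well.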
@ -35,7 +35,7 @@ and utter misapprehension.
Many MS Windows network administrators have never been exposed to basic TCP/IP
networking as it is implemented in a UNIX/Linux operating system. Likewise, many UNIX and
Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP-based
networking (and may have no desire to be either).
networking (and may have no desire to be, either).
</para>
<para>
@ -52,15 +52,15 @@ its IP address for each operating system environment.
Since the introduction of MS Windows 2000, it is possible to run MS Windows networking
without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 will be
used and the UDP port 137 and TCP port 139 will not.
TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 is
used, and the UDP port 137 and TCP port 139 are not.
</para>
<note>
<para>
When using Windows 2000 or later clients, if NetBIOS over TCP/IP is not disabled, then
the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet
Name Service or WINS), TCP port 139 and TCP port 445 (for actual file and print traffic).
Name Service, or WINS), TCP port 139, and TCP port 445 (for actual file and print traffic).
</para>
</note>
@ -68,7 +68,7 @@ Name Service or WINS), TCP port 139 and TCP port 445 (for actual file and print
When NetBIOS over TCP/IP is disabled, the use of DNS is essential. Most installations that
disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires
<indexterm><primary>DNS</primary><secondary>Dynamic</secondary></indexterm>
Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
<indexterm><primary>DHCP</primary></indexterm>
Use of DHCP with ADS is recommended as a further means of maintaining central control
over the client workstation network configuration.
@ -111,13 +111,13 @@ IP addresses.
Network packets that are sent over the physical network transport
layer communicate not via IP addresses but rather using the Media
Access Control address, or MAC address. IP addresses are currently
32 bits in length and are typically presented as four (4) decimal
numbers that are separated by a dot (or period). For example, 168.192.1.1.
32 bits in length and are typically presented as four decimal
numbers that are separated by a dot (or period) &smbmdash; for example, 168.192.1.1.
</para>
<para>
<indexterm><primary>MAC Addresses</primary></indexterm>
MAC Addresses use 48 bits (or 6 bytes) and are typically represented
MAC addresses use 48 bits (or 6 bytes) and are typically represented
as two-digit hexadecimal numbers separated by colons: 40:8e:0a:12:34:56.
</para>
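Review bot: the example address in "numbers that are separated by a dot (or period) &smbmdash; for example, 168.192.1.1" is almost certainly a transposition of 192.168.1.1. 168.192.0.0/16 is routable public address space, whereas 192.168.0.0/16 is the RFC 1918 private range readers will expect from an example, so the hunk should correct the address while it is rewriting the sentence.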
@ -132,7 +132,7 @@ any particular interface, the assignment of an IP address makes sense
from a network management perspective. More than one IP address can
be assigned per MAC address. One address must be the primary IP
address &smbmdash;
this is the address that will be returned in the ARP reply.
this is the address that will be returned in the Address Resolution Protocol (ARP) reply.
</para>
<para>
@ -146,8 +146,8 @@ by the TCP/IP configuration control files. The file
<para>
When the IP address of the destination interface has been
determined, a protocol called ARP/RARP is used to identify
the MAC address of the target interface. ARP stands for Address
Resolution Protocol and is a broadcast-oriented method that
the MAC address of the target interface. ARP
is a broadcast-oriented method that
uses User Datagram Protocol (UDP) to send a request to all
interfaces on the local network segment using the all 1s MAC
address. Network interfaces are programmed to respond to two
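Review bot: the technical claim in the unchanged context line "uses User Datagram Protocol (UDP) to send a request to all interfaces" is incorrect: ARP is a link-layer protocol carried directly in its own Ethernet frame type, not in UDP (or IP) datagrams; the part about the broadcast to the all-ones MAC address is right. Since this hunk rewrites the two lines immediately before it, this is the place to drop the UDP reference. Also, "a protocol called ARP/RARP is used to identify the MAC address" is misleading: RARP maps MAC address to IP address, the reverse of what is being described, so the sentence should name ARP alone.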
@ -188,8 +188,8 @@ This file tells the name resolution libraries:
host names to their IP address.
</para></listitem>
<listitem><para>The name or IP address of available Domain
Name Servers that may be asked to perform name-to-address
<listitem><para>The name or IP address of available domain
name servers that may be asked to perform name-to-address
translation lookups.
</para></listitem>
</itemizedlist>
@ -207,15 +207,12 @@ This file tells the name resolution libraries:
which the setting in <filename>/etc/resolv.conf</filename> may be effected. It is a
critical configuration file. This file controls the order by
which name resolution may proceed. The typical structure is:
</para>
<para><programlisting>
<programlisting>
order hosts,bind
multi on
</programlisting></para>
<para>
then both addresses should be returned. Please refer to the
<para>Both addresses should be returned. Please refer to the
man page for <filename>host.conf</filename> for further details.
</para>
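Review bot: the rewritten sentence "Both addresses should be returned." has lost its antecedent. The original "then both addresses should be returned" was the consequence of the "multi on" setting in the listing above it, but nothing in the rewritten text says which addresses or why; suggest "With <parameter>multi on</parameter>, all addresses of a multihomed host listed in <filename>/etc/hosts</filename> are returned." Please also double-check the element balance around the listing: the hunk removes "<para><programlisting>" and "</programlisting></para>" but the visible lines do not show the matching "</programlisting>" for the new bare "<programlisting>".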
@ -232,10 +229,7 @@ man page for <filename>host.conf</filename> for further details.
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
This file controls the actual name resolution targets. The
file typically has resolver object specifications as follows:
</para>
<para><programlisting>
<programlisting>
# /etc/nsswitch.conf
#
# Name Service Switch configuration file.
@ -275,10 +269,10 @@ principal of speaking only when necessary.
Starting with version 2.2.0, Samba has Linux support for extensions to
the name service switch infrastructure so Linux clients will
be able to obtain resolution of MS Windows NetBIOS names to IP
Addresses. To gain this functionality, Samba needs to be compiled
addresses. To gain this functionality, Samba needs to be compiled
with appropriate arguments to the make command (i.e., <userinput>make
nsswitch/libnss_wins.so</userinput>). The resulting library should
then be installed in the <filename>/lib</filename> directory and
then be installed in the <filename>/lib</filename> directory, and
the <parameter>wins</parameter> parameter needs to be added to the <quote>hosts:</quote> line in
the <filename>/etc/nsswitch.conf</filename> file. At this point, it
will be possible to ping any MS Windows machine by its NetBIOS
@ -294,22 +288,22 @@ which both the Samba machine and the MS Windows machine belong.
<title>Name Resolution as Used within MS Windows Networking</title>
<para>
MS Windows networking is predicated about the name each machine
MS Windows networking is predicated on the name each machine
is given. This name is known variously (and inconsistently) as
the <quote>computer name,</quote> <quote>machine name,</quote> <quote>networking name,</quote> <quote>netbios name,</quote>
the <quote>computer name,</quote> <quote>machine name,</quote> <quote>networking name,</quote> <quote>NetBIOS name,</quote>
or <quote>SMB name.</quote> All terms mean the same thing with the exception of
<quote>netbios name</quote> that can also apply to the name of the workgroup or the
<quote>NetBIOS name,</quote> which can also apply to the name of the workgroup or the
domain name. The terms <quote>workgroup</quote> and <quote>domain</quote> are really just a
simple name with which the machine is associated. All NetBIOS names
are exactly 16 characters in length. The 16<superscript>th</superscript> character is reserved.
It is used to store a one-byte value that indicates service level
It is used to store a 1-byte value that indicates service level
information for the NetBIOS name that is registered. A NetBIOS machine
name is, therefore, registered for each service type that is provided by
name is therefore registered for each service type that is provided by
the client/server.
</para>
<para>
<link linkend="uniqnetbiosnames">Unique NetBIOS Names</link> and <link linkend="netbiosnamesgrp">Group Names</link> tables
<link linkend="uniqnetbiosnames">Unique NetBIOS names</link> and <link linkend="netbiosnamesgrp">group names</link> tables
list typical NetBIOS name/service type registrations.
</para>
@ -320,9 +314,9 @@ list typical NetBIOS name/service type registrations.
<colspec align="justify"/>
<tbody>
<row><entry>MACHINENAME&lt;00&gt;</entry><entry>Server Service is running on MACHINENAME</entry></row>
<row><entry>MACHINENAME&lt;03&gt;</entry><entry>Generic Machine Name (NetBIOS name)</entry></row>
<row><entry>MACHINENAME&lt;20&gt;</entry><entry>LanMan Server service is running on MACHINENAME</entry></row>
<row><entry>WORKGROUP&lt;1b&gt;</entry><entry>Domain Master Browser</entry></row>
<row><entry>MACHINENAME&lt;03&gt;</entry><entry>Generic machine name (NetBIOS name)</entry></row>
<row><entry>MACHINENAME&lt;20&gt;</entry><entry>LanMan server service is running on MACHINENAME</entry></row>
<row><entry>WORKGROUP&lt;1b&gt;</entry><entry>Domain master browser</entry></row>
</tbody>
</tgroup>
</table>
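Review bot: the `MACHINENAME&lt;00&gt;` row still reads "Server Service is running on MACHINENAME" with both words capitalized, while the `&lt;20&gt;` row is lowercased to "LanMan server service"; apply the same capitalization to both rows.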
@ -333,10 +327,10 @@ list typical NetBIOS name/service type registrations.
<colspec align="left"/>
<colspec align="justify"/>
<tbody>
<row><entry>WORKGROUP&lt;03&gt;</entry><entry>Generic Name registered by all members of WORKGROUP</entry></row>
<row><entry>WORKGROUP&lt;1c&gt;</entry><entry>Domain Controllers / Netlogon Servers</entry></row>
<row><entry>WORKGROUP&lt;1d&gt;</entry><entry>Local Master Browsers</entry></row>
<row><entry>WORKGROUP&lt;1e&gt;</entry><entry>Browser Election Service</entry></row>
<row><entry>WORKGROUP&lt;03&gt;</entry><entry>Generic name registered by all members of WORKGROUP</entry></row>
<row><entry>WORKGROUP&lt;1c&gt;</entry><entry>Domain cntrollers/netlogon servers</entry></row>
<row><entry>WORKGROUP&lt;1d&gt;</entry><entry>Local master browsers</entry></row>
<row><entry>WORKGROUP&lt;1e&gt;</entry><entry>Browser election service</entry></row>
</tbody>
</tgroup>
</table>
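Review bot: typo in the new `WORKGROUP&lt;1c&gt;` row: "Domain cntrollers/netlogon servers" should read "Domain controllers/netlogon servers".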
@ -344,16 +338,17 @@ list typical NetBIOS name/service type registrations.
<para>
<indexterm><primary>NetBIOS</primary></indexterm>
It should be noted that all NetBIOS machines register their own
names as per the above. This is in vast contrast to TCP/IP
installations where traditionally the system administrator will
determine in the <filename>/etc/hosts</filename> or in the DNS database what names
names as per <link linkend="uniqnetbiosnames">Unique NetBIOS names</link> and <link
linkend="netbiosnamesgrp">group names</link>. This is in vast contrast to TCP/IP
installations where the system administrator traditionally
determines in the <filename>/etc/hosts</filename> or in the DNS database what names
are associated with each IP address.
</para>
<para>
<indexterm><primary>NetBIOS</primary></indexterm>
One further point of clarification should be noted. The <filename>/etc/hosts</filename>
file and the DNS records do not provide the NetBIOS name type information
file and the DNS records do not provide the NetBIOS name information
that MS Windows clients depend on to locate the type of service that may
be needed. An example of this is what happens when an MS Windows client
wants to locate a domain logon server. It finds this service and the IP
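Review bot: dropping "type" from "NetBIOS name type information" loses the point of the sentence; `/etc/hosts` and DNS do provide name-to-address information, what they lack is the name type (the reserved 16th byte described in the preceding hunk) that the following sentence says clients use "to locate the type of service that may be needed". Keep "NetBIOS name type information".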
@ -365,27 +360,27 @@ Whichever machine first replies, it then ends up providing the logon services.
</para>
<para>
The name <quote>workgroup</quote> or <quote>domain</quote> really can be confusing since these
The name <quote>workgroup</quote> or <quote>domain</quote> really can be confusing, since these
have the added significance of indicating what is the security
architecture of the MS Windows network. The term <quote>workgroup</quote> indicates
that the primary nature of the network environment is that of a
peer-to-peer design. In a WORKGROUP, all machines are responsible for
peer-to-peer design. In a workgroup, all machines are responsible for
their own security, and generally such security is limited to the use of
just a password (known as Share Level security). In most situations
just a password (known as share-level security). In most situations
with peer-to-peer networking, the users who control their own machines
will simply opt to have no security at all. It is possible to have
User Level Security in a WORKGROUP environment, thus requiring the use
of a user name and a matching password.
user-level security in a workgroup environment, thus requiring the use
of a username and a matching password.
</para>
<para>
MS Windows networking is thus predetermined to use machine names
for all local and remote machine message passing. The protocol used is
called Server Message Block (SMB) and this is implemented using
the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
called Server Message Block (SMB), and this is implemented using
the NetBIOS protocol (Network Basic Input/Output System). NetBIOS can
be encapsulated using LLC (Logical Link Control) protocol &smbmdash; in which case
the resulting protocol is called NetBEUI (Network Basic Extended User
Interface). NetBIOS can also be run over IPX (Inter-networking Packet
Interface). NetBIOS can also be run over IPX (Internetworking Packet
Exchange) protocol as used by Novell NetWare, and it can be run
over TCP/IP protocols &smbmdash; in which case the resulting protocol is called
NBT or NetBT, the NetBIOS over TCP/IP.
@ -404,16 +399,16 @@ limited to this area.
All MS Windows machines employ an in-memory buffer in which is
stored the NetBIOS names and IP addresses for all external
machines that machine has communicated with over the
past 10-15 minutes. It is more efficient to obtain an IP address
past 10 to 15 minutes. It is more efficient to obtain an IP address
for a machine from the local cache than it is to go through all the
configured name resolution mechanisms.
</para>
<para>
If a machine whose name is in the local name cache has been shut
down before the name had been expired and flushed from the cache, then
If a machine whose name is in the local name cache is shut
down before the name is expired and flushed from the cache, then
an attempt to exchange a message with that machine will be subject
to time-out delays. Its name is in the cache, so a name resolution
to timeout delays. Its name is in the cache, so a name resolution
lookup will succeed, but the machine cannot respond. This can be
frustrating for users but is a characteristic of the protocol.
</para>
@ -422,7 +417,7 @@ frustrating for users but is a characteristic of the protocol.
<indexterm><primary>nbtstat</primary></indexterm>
<indexterm><primary>nmblookup</primary></indexterm>
The MS Windows utility that allows examination of the NetBIOS
name cache is called <quote>nbtstat</quote>. The Samba equivalent of this
name cache is called <quote>nbtstat.</quote> The Samba equivalent
is called <command>nmblookup</command>.
</para>
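Review bot: `<quote>nbtstat.</quote>` puts the sentence period inside quotation marks around a command name; the next line marks up `<command>nmblookup</command>`, so use `<command>nbtstat</command>` here with the period outside the element for consistency.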
@ -434,7 +429,7 @@ is called <command>nmblookup</command>.
<para>
<indexterm><primary>LMHOSTS</primary></indexterm>
This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in the directory
<filename>%SystemRoot%\SYSTEM32\DRIVERS\ETC</filename> and contains the IP Address
<filename>%SystemRoot%\SYSTEM32\DRIVERS\ETC</filename> and contains the IP address
and the machine name in matched pairs. The <filename>LMHOSTS</filename> file
performs NetBIOS name to IP address mapping.
</para>
@ -468,8 +463,8 @@ It typically looks like this:
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be pre-loaded into the name cache. By default, entries are
# not pre-loaded, but are parsed only after dynamic name resolution fails.
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:&lt;domain&gt;" tag will associate the
# entry with the domain specified by &lt;domain&gt;. This effects how the
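Review bot: the "pre-loaded" to "preloaded" edits change text inside the quoted LMHOSTS comment header, which the hunk context introduces with "It typically looks like this:" as a reproduction of the file; either leave the quoted file content verbatim (the unchanged "This effects how the" line shows the rest is untouched) or state that the listing is paraphrased.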
@ -531,7 +526,7 @@ It typically looks like this:
<para>
This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in
the directory <filename>%SystemRoot%\SYSTEM32\DRIVERS\ETC</filename> and contains
the IP Address and the IP hostname in matched pairs. It can be
the IP address and the IP hostname in matched pairs. It can be
used by the name resolution infrastructure in MS Windows, depending
on how the TCP/IP environment is configured. This file is in
every way the equivalent of the UNIX/Linux <filename>/etc/hosts</filename> file.
@ -547,13 +542,13 @@ every way the equivalent of the UNIX/Linux <filename>/etc/hosts</filename> file.
<indexterm><primary>DNS</primary></indexterm>
This capability is configured in the TCP/IP setup area in the network
configuration facility. If enabled, an elaborate name resolution sequence
is followed, the precise nature of which is dependant on how the NetBIOS
is followed, the precise nature of which is dependent on how the NetBIOS
Node Type parameter is configured. A Node Type of 0 means that
NetBIOS broadcast (over UDP broadcast) is used if the name
that is the subject of a name lookup is not found in the NetBIOS name
cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
cache. If that fails, then DNS, HOSTS, and LMHOSTS are checked. If set to
Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
WINS server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
lookup is used.
</para>
@ -568,7 +563,7 @@ lookup is used.
A WINS (Windows Internet Name Server) service is the equivalent of the
rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
the names and IP addresses that are registered by a Windows client
if the TCP/IP setup has been given at least one WINS Server IP Address.
if the TCP/IP setup has been given at least one WINS server IP address.
</para>
<para>
@ -606,12 +601,12 @@ of the WINS server.
<para>
TCP/IP network configuration problems find every network administrator sooner or later.
The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
The cause can be anything from keyboard mishaps to forgetfulness to simple mistakes to
carelessness. Of course, no one is ever deliberately careless!
</para>
<sect2>
<title>Pinging Works Only in One Way</title>
<title>Pinging Works Only One Way</title>
<para>
<quote>I can ping my Samba server from Windows, but I cannot ping my Windows
@ -619,8 +614,8 @@ carelessness. Of course, no one is ever deliberately careless!
</para>
<para>
<emphasis>Answer:</emphasis> The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
The Windows machine was at IP address 192.168.1.2 with netmask 255.255.255.0, the
Samba server (Linux) was at IP address 192.168.1.130 with netmask 255.255.255.128.
The machines were on a local network with no external connections.
</para>
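Review bot: removing `<emphasis>Answer:</emphasis>` leaves the reply with no marker separating it from the question, which still sits in `<quote>` in the unchanged lines above; keep the label or wrap the question in `<emphasis>` as the "Browsing of Trusted Domain Fails" entry later in this commit does, so the two FAQ entries follow one convention.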
@ -644,17 +639,17 @@ carelessness. Of course, no one is ever deliberately careless!
remote connection is down.</para></listitem>
<listitem><para>Client is configured to use a WINS server, but there is no WINS server.</para></listitem>
<listitem><para>Client is not configured to use a WINS server, but there is a WINS server.</para></listitem>
<listitem><para>Firewall is filtering our DNS or WINS traffic.</para></listitem>
<listitem><para>Firewall is filtering out DNS or WINS traffic.</para></listitem>
</itemizedlist>
</sect2>
<sect2>
<title>Samba Server Name Change Problem</title>
<title>Samba Server Name-Change Problem</title>
<para>
<quote>The name of the Samba server was changed, Samba was restarted, Samba server cannot be
ping-ed by new name from MS Windows NT4 Workstation, but it does still respond to ping using
<quote>The name of the Samba server was changed, Samba was restarted, and now the Samba server cannot be
pinged by its new name from an MS Windows NT4 workstation, but it does still respond to pinging using
the old name. Why?</quote>
</para>
@ -663,9 +658,9 @@ carelessness. Of course, no one is ever deliberately careless!
</para>
<itemizedlist>
<listitem><para>WINS is not in use, only broadcast-based name resolution is used.</para></listitem>
<listitem><para>The Samba server was renamed and restarted within the last 10-15 minutes.</para></listitem>
<listitem><para>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 Workstation.</para></listitem>
<listitem><para>WINS is not in use; only broadcast-based name resolution is used.</para></listitem>
<listitem><para>The Samba server was renamed and restarted within the last 10 or 15 minutes.</para></listitem>
<listitem><para>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 workstation.</para></listitem>
</itemizedlist>
<para>
@ -702,9 +697,9 @@ SARDON &lt;00&gt; GROUP Registered
</para>
<para>
In the above example, &example.server.samba; is the Samba server and &example.workstation.windows; is the MS Windows NT4 Workstation.
The first listing shows the contents of the Local Name Table (i.e., Identity information on
the MS Windows workstation) and the second shows the NetBIOS name in the NetBIOS name cache.
In this example, &example.server.samba; is the Samba server and &example.workstation.windows; is the MS Windows NT4 workstation.
The first listing shows the contents of the Local Name Table (i.e., identity information on
the MS Windows workstation), and the second shows the NetBIOS name in the NetBIOS name cache.
The name cache contains the remote machines known to this workstation.
</para>

View File

@ -25,7 +25,7 @@
<indexterm><primary>Active Directory</primary></indexterm>
Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
adopt Active Directory or an LDAP-based authentication backend. This section explains
adopt Active Directory or an LDAP-based authentication backend. This chapter explains
some background information regarding trust relationships and how to create them. It is now
possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba
trusts.
@ -35,17 +35,17 @@ trusts.
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>UID range</primary></indexterm>
<indexterm><primary>GID range</primary></indexterm>
The use of interdomain trusts requires use of <command>winbind</command>. Thus the
The use of interdomain trusts requires use of <command>winbind</command>, so the
<command>winbindd</command> daemon must be running. Winbind operation in this mode is
dependant on the specification of a valid UID range and a valid GID range in the &smb.conf; file.
dependent on the specification of a valid UID range and a valid GID range in the &smb.conf; file.
These are specified respectively using
<smbconfoption name="idmap uid">10000-20000</smbconfoption> and
<smbconfoption name="idmap gid">10000-20000</smbconfoption>.
</para>
<note><para>
The use of winbind is necessary only when Samba is the trusting Domain, not when it is the
trusted Domain.
The use of winbind is necessary only when Samba is the trusting domain, not when it is the
trusted domain.
</para></note>
<sect1>
@ -53,14 +53,14 @@ trusted Domain.
<para>
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
trust relationships. This imparts to Samba similar scalability as with MS Windows NT4.
trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
</para>
<para>
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given its ability to run in Primary as well as Backup Domain Control
Given that Samba-3 can function with a scalable backend authentication
database such as LDAP, and given its ability to run in primary as well as backup domain control
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts simply because by the very nature of how this works it is fragile.
interdomain trusts simply because, by the very nature of how this works, it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</para>
@ -70,7 +70,7 @@ That was, after all, a key reason for the development and adoption of Microsoft
<title>Trust Relationship Background</title>
<para>
MS Windows NT3/4 type security domains employ a non-hierarchical security structure.
MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
The limitations of this architecture as it effects the scalability of MS Windows networking
in large organizations is well known. Additionally, the flat namespace that results from
this design significantly impacts the delegation of administrative responsibilities in
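Review bot: while copy-editing this paragraph, fix the unchanged context line "The limitations of this architecture as it effects the scalability ... is well known": "effects" should be "affects" and the subject "limitations" takes "are well known".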
@ -81,35 +81,35 @@ large and diverse organizations.
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
of circumventing the limitations of the older technologies. Not every organization is ready
or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
is quite adequate, there remains an entrenched user base for whom there is no direct
is quite adequate, so there remains an entrenched user base for whom there is no direct
desire to go through a disruptive change to adopt ADS.
</para>
<para>
With MS Windows NT, Microsoft introduced the ability to allow differing security domains
With Windows NT, Microsoft introduced the ability to allow different security domains
to effect a mechanism so users from one domain may be given access rights and privileges
in another domain. The language that describes this capability is couched in terms of
<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
<emphasis>trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
from another domain. The domain from which users are available to another security domain is
said to be a trusted domain. The domain in which those users have assigned rights and privileges
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
thus if users in both domains are to have privileges and rights in each others' domain, then it is
so if users in both domains are to have privileges and rights in each others' domain, then it is
necessary to establish two relationships, one in each direction.
</para>
<para>
In an NT4-style MS security domain, all trusts are non-transitive. This means that if there
are three domains (let's call them RED, WHITE and BLUE) where RED and WHITE have a trust
relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
implied trust between the RED and BLUE domains. Relationships are explicit and not
In an NT4-style MS security domain, all trusts are nontransitive. This means that if there
are three domains (let's call them red, white, and blue), where red and white have a trust
relationship, and white and blue have a trust relationship, then it holds that there is no
implied trust between the red and blue domains. Relationships are explicit and not
transitive.
</para>
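Review bot: lowercasing the example domain names RED, WHITE and BLUE to "red, white, and blue" makes them read as colors rather than domains; the rest of this commit keeps example NetBIOS domain names uppercase (WORKGROUP, SAMBA, RUMBA), so keep them uppercase here and in the following ADS paragraph.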
<para>
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
domains above, with Windows 2000 and ADS the RED and BLUE domains can trust each other. This is
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style Interdomain trusts
by default. Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue
domains, with Windows 2000 and ADS, the red and blue domains can trust each other. This is
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style interdomain trusts
and interoperates with MS Windows 200x ADS security domains in similar manner to MS Windows NT4-style domains.
</para>
@ -151,17 +151,17 @@ The password needs to be typed twice (for standard confirmation).
<para>
<indexterm><primary>Interdomain Trusts</primary><secondary>Completing</secondary></indexterm>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consummate the trust relationship, the administrator will launch the
Domain User Manager from the menu select <guilabel>Policies</guilabel>, then select
<guilabel>Trust Relationships</guilabel>, click on the <guibutton>Add</guibutton> button
next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel will open in which
with the trusted domain. To consummate the trust relationship, the administrator launches the
Domain User Manager from the menu selects <guilabel>Policies</guilabel>, then select
<guilabel>Trust Relationships</guilabel>, and clicks on the <guibutton>Add</guibutton> button
next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel opens in which
must be entered the name of the remote domain as well as the password assigned to that trust.
</para>
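Review bot: verb agreement and punctuation in the new sentence: "the administrator launches the Domain User Manager from the menu selects Policies, then select Trust Relationships, and clicks" mixes "launches"/"select"/"clicks" and runs the first two clauses together. Suggest: "the administrator launches the Domain User Manager, from the menu selects Policies, then selects Trust Relationships, and clicks on the Add button".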
</sect2>
<sect2>
<title>Inter-Domain Trust Facilities</title>
<title>Interdomain Trust Facilities</title>
<para>
@ -216,12 +216,12 @@ DomA and DomB), the following facilities are created:
<itemizedlist>
<listitem><para>
Users/Groups in a trusting domain cannot be granted rights, permissions or access
Users and groups in a trusting domain cannot be granted rights, permissions, or access
to a trusted domain.
</para></listitem>
<listitem><para>
The trusting domain can access and use accounts (Users/Global Groups) in the
The trusting domain can access and use accounts (users/global groups) in the
trusted domain.
</para></listitem>
@ -236,13 +236,13 @@ DomA and DomB), the following facilities are created:
</para></listitem>
<listitem><para>
Trusted domain Global Groups can be given rights and permissions in the trusting
Trusted domain global groups can be given rights and permissions in the trusting
domain.
</para></listitem>
<listitem><para>
Global Groups from the trusted domain can be made members in Local Groups on
MS Windows Domain Member machines.
Global groups from the trusted domain can be made members in local groups on
MS Windows domain member machines.
</para></listitem>
</itemizedlist>
@ -260,10 +260,10 @@ is at an early stage, so do not be surprised if something does not function as i
</para>
<para>
Each of the procedures described below assumes the peer domain in the trust relationship is
Each of the procedures described next assumes the peer domain in the trust relationship is
controlled by a Windows NT4 server. However, the remote end could just as well be another
Samba-3 domain. It can be clearly seen, after reading this document, that combining
Samba-specific parts of what's written below leads to trust between domains in a purely Samba
Samba-specific parts of what's written in the following sections leads to trust between domains in a purely Samba
environment.
</para>
@ -288,23 +288,23 @@ Added user rumba$
</screen>
where <option>-a</option> means to add a new account into the
passdb database and <option>-i</option> means: <quote>create this
account with the Inter-Domain trust flag</quote>.
passdb database and <option>-i</option> means to <quote>create this
account with the Interdomain trust flag</quote>.
</para>
<para>
The account name will be <quote>rumba$</quote> (the name of the remote domain).
If this fails, you should check that the trust account has been added to the system
password database (<filename>/etc/passwd</filename>). If it has not been added, you
can add it manually and then repeat the step above.
can add it manually and then repeat the previous step.
</para>
<para>
After issuing this command, you will be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until seven days following account creation.
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the standard way as appropriate for your configuration) and see that accounts name is
(in the standard way as appropriate for your configuration) and see that the account's name is
really RUMBA$ and it has the <quote>I</quote> flag set in the flags field. Now you are ready to confirm
the trust by establishing it from Windows NT Server.
</para>
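Review bot: the new line "create this account with the Interdomain trust flag" capitalizes "Interdomain" while the rest of this commit lowercases it ("interdomain trusts", "interdomain connection"); use "interdomain" here too.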
@ -314,13 +314,15 @@ the trust by establishing it from Windows NT Server.
<indexterm><primary>User Manager</primary></indexterm>
Open <application>User Manager for Domains</application> and from the
<guimenu>Policies</guimenu> menu, select <guimenuitem>Trust Relationships...</guimenuitem>.
Beside the <guilabel>Trusted domains</guilabel> list box click the
Beside the <guilabel>Trusted domains</guilabel> list box, click the
<guimenu>Add...</guimenu> button. You will be prompted for
the trusted domain name and the relationship password. Type in SAMBA, as this is
the name of the remote domain and the password used at the time of account creation.
Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see
the <computeroutput>Trusted domain relationship successfully
established</computeroutput> message.
Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see the
<computeroutput>
Trusted domain relationship successfully established
</computeroutput>
message.
</para>
</sect2>
@ -341,19 +343,19 @@ The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
<indexterm><primary>User Manager</primary></indexterm>
Launch the <application>Domain User Manager</application>, then from the menu select
<guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>.
Now, next to the <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton>
Now, next to the <guilabel>Trusted Domains</guilabel> box, press the <guibutton>Add</guibutton>
button and type in the name of the trusted domain (SAMBA) and the password to use in securing
the relationship.
</para>
<para>
The password can be arbitrarily chosen. It is easy to change the password
from the Samba server whenever you want. After confirming the password your account is
from the Samba server whenever you want. After you confirm the password, your account is
ready for use. Now its Samba's turn.
</para>
<para>
Using your favorite shell while being logged in as root, issue this command:
Using your favorite shell while logged in as root, issue this command:
</para>
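Review bot: the unchanged context line "Now its Samba's turn." needs "it's" rather than "its"; worth fixing while this paragraph is being edited.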
<para>
@ -362,12 +364,12 @@ Using your favorite shell while being logged in as root, issue this command:
<para>
You will be prompted for the password you just typed on your Windows NT4 Server box.
An error message <errorname>`NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT'</errorname>
An error message, <errorname>"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</errorname>
that may be reported periodically is of no concern and may safely be ignored.
It means the password you gave is correct and the NT4 Server says the account is ready for
It means the password you gave is correct and the NT4 server says the account is ready for
interdomain connection and not for ordinary connection. After that, be patient;
it can take a while (especially in large networks), but eventually you should see
the <computeroutput>Success</computeroutput> message. Congratulations! Your trust
the <literal>Success</literal> message. Congratulations! Your trust
relationship has just been established.
</para>
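Review bot: the new markup `<errorname>"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</errorname>` places the quotation marks and the comma inside the element, so the rendered error name no longer matches the literal string a reader would grep for; keep only the identifier inside `<errorname>` and put the punctuation outside. Also, changing `<computeroutput>Success</computeroutput>` to `<literal>` differs from the other hunks in this commit, which keep `<computeroutput>` for messages the server prints; pick one element.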
@ -385,25 +387,27 @@ the <filename>secrets.tdb</filename> file.
Although <application>Domain User Manager</application> is not present in Windows 2000, it is
also possible to establish an NT4-style trust relationship with a Windows 2000 domain
controller running in mixed mode as the trusting server. It should also be possible for
Samba to trust a Windows 2000 server, however, more testing is still needed in this area.
Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
</para>
<para>
After <link linkend="samba-trusted-domain">creating the interdomain trust account on the
Samba server</link> as described above, open <application>Active Directory Domains and
Samba server</link> as described previously, open <application>Active Directory Domains and
Trusts</application> on the AD controller of the domain whose resources you wish Samba users
to have access to. Remember that since NT4-style trusts are not transitive, if you want
your users to have access to multiple mixed-mode domains in your AD forest, you will need to
repeat this process for each of those domains. With <application>Active Directory Domains
and Trusts</application> open, right-click on the name of the Active Directory domain that
repeat this process for each of those domains. With <application>Active Directory domains
and trusts</application> open, right-click on the name of the Active Directory domain that
will trust our Samba domain and choose <guimenuitem>Properties</guimenuitem>, then click on
the <guilabel>Trusts</guilabel> tab. In the upper part of the panel, you will see a list box
labeled <guilabel>Domains trusted by this domain:</guilabel>, and an
<guilabel>Add...</guilabel> button next to it. Press this button and just as with NT4, you
will be prompted for the trusted domain name and the relationship password. Press OK and
after a moment, Active Directory will respond with <computeroutput>The trusted domain has
been added and the trust has been verified.</computeroutput> Your Samba users can now be
granted access to resources in the AD domain.
labeled <guilabel>Domains trusted by this domain:</guilabel> and an
<guilabel>Add...</guilabel> button next to it. Press this button and, just as with NT4, you
will be prompted for the trusted domain name and the relationship password. Press <emphasis>OK</emphasis> and
after a moment, Active Directory will respond with
<computeroutput>
The trusted domain has been added and the trust has been verified.
</computeroutput>
Your Samba users can now be granted access to resources in the AD domain.
</para>
</sect1>
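Review bot: the application name is lowercased inconsistently in this hunk. The first reference keeps <application>Active Directory Domains and Trusts</application> while the rewritten second one becomes <application>Active Directory domains and trusts</application>. This is the proper name of the MMC snap-in and should stay capitalized in both places. On the same paragraph, "Press <emphasis>OK</emphasis>" would be more consistent with the <guilabel> and <guimenuitem> markup used around it as <guibutton>OK</guibutton>.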
@ -420,8 +424,8 @@ distributed trusted domains.
<title>Browsing of Trusted Domain Fails</title>
<para>
Browsing from a machine in a trusted Windows 200x Domain to a Windows 200x member of
a trusting samba domain, I get the following error:
<emphasis>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
a trusting Samba domain, I get the following error:</emphasis>
</para>
<screen>
@ -430,34 +434,34 @@ you can contact the server that authenticated you.
</screen>
<para>
The event logs on the box I'm trying to connect to have entries regarding group
policy not being applied because it is a member of a down-level domain.
<emphasis>The event logs on the box I'm trying to connect to have entries regarding group
policy not being applied because it is a member of a down-level domain.</emphasis>
</para>
<para><emphasis>Answer: </emphasis> If there is a computer account in the Windows
200x Domain for the machine in question, and it is disabled, this problem can
<para>If there is a computer account in the Windows
200x domain for the machine in question, and it is disabled, this problem can
occur. If there is no computer account (removed or never existed), or if that
account is still intact (i.e.: you just joined it to another domain) everything
seems to be fine. By default, when you un-join a domain (the Windows 200x
Domain), the computer tries to automatically disable the computer account in
the domain. If you are running as an account which has privileges to do this
when you un-join the machine, it is done, otherwise it is not done.
account is still intact (i.e., you just joined it to another domain), everything
seems to be fine. By default, when you unjoin a domain (the Windows 200x
domain), the computer tries to automatically disable the computer account in
the domain. If you are running as an account that has privileges to do this
when you unjoin the machine, it is done; otherwise it is not done.
</para>
</sect2>
<sect2>
<title>Problems With LDAP ldapsam And The smbldap-tools</title>
<title>Problems with LDAP ldapsam and the smbldap-tools</title>
<para>
If you use the <command>smbldap-useradd</command> script to create a trust
account to set up Interdomain trusts the process of setting up the trust will
account to set up interdomain trusts, the process of setting up the trust will
fail. The account that was created in the LDAP database will have an account
flags field that has <constant>[W ]</constant>, when it must have
<constant>[I ]</constant> for Interdomain trusts to work.
flags field that has <literal>[W ]</literal>, when it must have
<literal>[I ]</literal> for interdomain trusts to work.
</para>
<para><emphasis>Answer: </emphasis>Here is a simple solution.
<para>Here is a simple solution.
Create a machine account as follows:
<screen>
&rootprompt; smbldap-useradd -w domain_name
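Review bot: the solution as it now reads contradicts the problem statement in the same hunk. The paragraph says that an account created by smbldap-useradd carries the [W ] flag and needs [I ] for an interdomain trust, yet "Here is a simple solution" opens with the very same command, `&rootprompt; smbldap-useradd -w domain_name`, which again produces a workstation account. Either state up front that a following step rewrites the account flags, or make the flag change part of this hunk; otherwise a reader who stops at the first command ends up with an account that still cannot serve as a trust account.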
@ -485,8 +489,8 @@ Create a single-sided trust under the NT4 Domain User Manager, then execute:
</para>
<para>
It works with Samba-3 and NT4 Domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
Both DC's, samba and NT, must have the same WINS server otherwise
It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
Both domain controllers, Samba and NT must have the same WINS server; otherwise,
the trust will never work.
</para>
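Review bot: the rewritten sentence drops a comma and changes the meaning. "Both domain controllers, Samba and NT must have the same WINS server" should read "Both domain controllers, Samba and NT, must have the same WINS server". Without the closing comma, "Samba and NT" reads as a second subject rather than as the appositive it is.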

File diff suppressed because it is too large

@ -16,8 +16,8 @@
<para>
This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
UNIX/Linux system. Winbind can be used to enable User-Level application access authentication
from any MS Windows NT Domain, MS Windows 200x Active Directory-based
UNIX/Linux system. Winbind can be used to enable user-level application access authentication
from any MS Windows NT domain, MS Windows 200x Active Directory-based
domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access
controls that are appropriate to your Samba configuration.
</para>
@ -38,16 +38,16 @@ Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>,
<para>
A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
authorization and resource control services. Prior to the introduction of PAM, a decision
authorization, and resource control services. Prior to the introduction of PAM, a decision
to use an alternative to the system password database (<filename>/etc/passwd</filename>)
would require the provision of alternatives for all programs that provide security services.
Such a choice would involve provision of alternatives to programs such as: <command>login</command>,
Such a choice would involve provision of alternatives to programs such as <command>login</command>,
<command>passwd</command>, <command>chown</command>, and so on.
</para>
<para>
PAM provides a mechanism that disconnects these security programs from the underlying
authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file
authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file,
<filename>/etc/pam.conf</filename> (Solaris), or by editing individual control files that are
located in <filename>/etc/pam.d</filename>.
</para>
@ -55,7 +55,7 @@ located in <filename>/etc/pam.d</filename>.
<para>
On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
authentication backend so long as the appropriate dynamically loadable library modules
are available for it. The backend may be local to the system, or may be centralized on a
are available for it. The backend may be local to the system or may be centralized on a
remote server.
</para>
@ -67,14 +67,14 @@ PAM support modules are available for:
<varlistentry><term><filename>/etc/passwd</filename></term><listitem>
<para>
There are several PAM modules that interact with this standard UNIX user
database. The most common are called: <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename>
database. The most common are called <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename>
and <filename>pam_userdb.so</filename>.
</para>
</listitem></varlistentry>
<varlistentry><term>Kerberos</term><listitem>
<para>
The <filename>pam_krb5.so</filename> module allows the use of any Kerberos compliant server.
The <filename>pam_krb5.so</filename> module allows the use of any Kerberos-compliant server.
This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
Microsoft Active Directory (if enabled).
</para>
@ -82,9 +82,9 @@ PAM support modules are available for:
<varlistentry><term>LDAP</term><listitem>
<para>
The <filename>pam_ldap.so</filename> module allows the use of any LDAP v2 or v3 compatible backend
server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1,
Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory.
The <filename>pam_ldap.so</filename> module allows the use of any LDAP v2- or v3-compatible backend
server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1,
Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
</para>
</listitem></varlistentry>
@ -97,7 +97,7 @@ PAM support modules are available for:
<varlistentry><term>SMB Password</term><listitem>
<para>
This module, called <filename>pam_smbpass.so</filename>, will allow user authentication off
This module, called <filename>pam_smbpass.so</filename>, allows user authentication of
the passdb backend that is configured in the Samba &smb.conf; file.
</para>
</listitem></varlistentry>
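Review bot: "allows user authentication of the passdb backend" changes the meaning of the original "off the passdb backend". The module authenticates users against the backend, it does not authenticate the backend. Suggest "allows user authentication against the passdb backend that is configured in the Samba &smb.conf; file."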
@ -112,7 +112,7 @@ PAM support modules are available for:
<varlistentry><term>Winbind</term><listitem>
<para>
The <filename>pam_winbind.so</filename> module allows Samba to obtain authentication from any
MS Windows Domain Controller. It can just as easily be used to authenticate
MS Windows domain controller. It can just as easily be used to authenticate
users for access to any PAM-enabled application.
</para>
</listitem></varlistentry>
@ -120,7 +120,7 @@ PAM support modules are available for:
<varlistentry><term>RADIUS</term><listitem>
<para>
There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
module. In most cases, administrators will need to locate the source code
module. In most cases, administrators need to locate the source code
for this tool and compile and install it themselves. RADIUS protocols are
used by many routers and terminal servers.
</para>
@ -128,12 +128,12 @@ PAM support modules are available for:
</variablelist>
<para>
Of the above, Samba provides the <filename>pam_smbpasswd.so</filename> and the <filename>pam_winbind.so</filename> modules alone.
Of the modules listed, Samba provides the <filename>pam_smbpasswd.so</filename> and the <filename>pam_winbind.so</filename> modules alone.
</para>
<para>
Once configured, these permit a remarkable level of flexibility in the location and use
of distributed Samba Domain Controllers that can provide wide area network bandwidth
of distributed Samba domain controllers that can provide wide-area network bandwidth,
efficient authentication services for PAM-capable systems. In effect, this allows the
deployment of centrally managed and maintained distributed authentication from a
single-user account database.
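Review bot: two problems survive the edit in this hunk. First, the module name <filename>pam_smbpasswd.so</filename> is wrong; the module Samba ships, and the name used everywhere else in this file, is <filename>pam_smbpass.so</filename>, so the line should be corrected while it is being rewritten. Second, the inserted comma in "provide wide-area network bandwidth, efficient authentication services" splits a compound modifier; "bandwidth efficient" was the intent. Suggest "that provide bandwidth-efficient authentication services across wide-area networks for PAM-capable systems".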
@ -145,10 +145,10 @@ single-user account database.
<title>Technical Discussion</title>
<para>
PAM is designed to provide the system administrator with a great deal of flexibility in
configuration of the privilege granting applications of their system. The local
PAM is designed to provide system administrators with a great deal of flexibility in
configuration of the privilege-granting applications of their system. The local
configuration of system security controlled by PAM is contained in one of two places:
either the single system file, <filename>/etc/pam.conf</filename>, or the
either the single system file <filename>/etc/pam.conf</filename> or the
<filename>/etc/pam.d/</filename> directory.
</para>
@ -158,15 +158,15 @@ either the single system file, <filename>/etc/pam.conf</filename>, or the
<para>
In this section we discuss the correct syntax of and generic options respected by entries to these files.
PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
sensitive since they indicate a file's name and reflect the case
sensitive, since they indicate a file's name and reflect the case
dependence of typical file systems.
The case-sensitivity of the arguments to any given module is defined for each module in turn.
The case sensitivity of the arguments to any given module is defined for each module in turn.
</para>
<para>
In addition to the lines described below, there are two special characters provided for the convenience
of the system administrator: comments are preceded by a <quote>#</quote> and extend to the next end-of-line; also,
module specification lines may be extended with a <quote>\</quote> escaped newline.
module specification lines may be extended with a <quote>\</quote>-escaped newline.
</para>
<para>
@ -188,7 +188,7 @@ auth required /other_path/pam_strange_module.so
<para>
The remaining information in this subsection was taken from the documentation of the Linux-PAM
project. For more information on PAM, see
<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">The Official Linux-PAM home page.</ulink>
<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">the Official Linux-PAM home page</ulink>.
</para>
<para>
@ -202,22 +202,22 @@ service-name module-type control-flag module-path args
</para>
<para>
Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
We explain the meaning of each of these tokens. The second (and more recently adopted)
way of configuring Linux-PAM is via the contents of the <filename>/etc/pam.d/</filename> directory.
Once we have explained the meaning of the above tokens, we will describe this method.
Once we have explained the meaning of the tokens, we describe this method.
</para>
<variablelist>
<varlistentry><term>service-name</term><listitem>
<para>
The name of the service associated with this entry. Frequently, the service name is the conventional
name of the given application. For example, <command>ftpd</command>, <command>rlogind</command> and
The name of the service associated with this entry. Frequently, the service-name is the conventional
name of the given application &smbmdash; for example, <command>ftpd</command>, <command>rlogind</command> and
<command>su</command>, and so on.
</para>
<para>
There is a special service-name reserved for defining a default authentication mechanism. It has
the name <parameter>OTHER</parameter> and may be specified in either lower- or upper-case characters.
the name <parameter>OTHER</parameter> and may be specified in either lower- or uppercase characters.
Note, when there is a module specified for a named service, the <parameter>OTHER</parameter>
entries are ignored.
</para>
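Review bot: "for example, <command>ftpd</command>, <command>rlogind</command> and <command>su</command>, and so on" is redundant; drop "and so on" once "for example" has been introduced, and add the serial comma after <command>rlogind</command> to match the punctuation adopted elsewhere in this patch.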
@ -232,30 +232,30 @@ Once we have explained the meaning of the above tokens, we will describe this me
<itemizedlist>
<listitem><para>
<parameter>auth:</parameter> This module type provides two aspects of authenticating the user.
It establishes that the user is who he claims to be by instructing the application
to prompt the user for a password or other means of identification. Secondly, the module can
grant group membership (independently of the <filename>/etc/groups</filename> file discussed
above) or other privileges through its credential granting properties.
It establishes that the user is who he or she claims to be by instructing the application
to prompt the user for a password or other means of identification. Second, the module can
grant group membership (independently of the <filename>/etc/groups</filename> file)
or other privileges through its credential-granting properties.
</para></listitem>
<listitem><para>
<parameter>account:</parameter> This module performs non-authentication-based account management.
It is typically used to restrict/permit access to a service based on the time of day, currently
available system resources (maximum number of users) or perhaps the location of the applicant
user <quote>root</quote> login only on the console.
available system resources (maximum number of users), or perhaps the location of the user
login. For example, the <quote>root</quote> login may be permitted only on the console.
</para></listitem>
<listitem><para>
<parameter>session:</parameter> Primarily, this module is associated with doing things that need
to be done for the user before and after they can be given service. Such things include the logging
of information concerning the opening and closing of some data exchange with a user, mounting
to be done for the user before and after he or she can be given service. Such things include logging
information concerning the opening and closing of some data exchange with a user, mounting
directories, and so on.
</para></listitem>
<listitem><para>
<parameter>password:</parameter> This last module type is required for updating the authentication
token associated with the user. Typically, there is one module for each <quote>challenge/response</quote>
-based authentication <parameter>(auth)</parameter> module type.
token associated with the user. Typically, there is one module for each
<quote>challenge/response</quote>-based authentication <parameter>(auth)</parameter> module type.
</para></listitem>
</itemizedlist>
</listitem>
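Review bot: the <parameter>auth</parameter> item still points at <filename>/etc/groups</filename>. The UNIX group database is <filename>/etc/group</filename>, which is the name this same file uses later in the pam_pwdb discussion. Since the line is being rewritten anyway, the path should be corrected along with the wording.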
@ -276,7 +276,8 @@ Once we have explained the meaning of the above tokens, we will describe this me
<para>
The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
severity of concern associated with the success or failure of a specific module. There are four such
keywords: <parameter>required, requisite, sufficient and optional</parameter>.
keywords: <parameter>required</parameter>, <parameter>requisite</parameter>,
<parameter>sufficient</parameter>, and <parameter>optional</parameter>.
</para>
<para>
@ -291,7 +292,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
</para></listitem>
<listitem><para>
<parameter>requisite:</parameter> Like required, however, in the case that such a module returns a
<parameter>requisite:</parameter> Like required, except that if such a module returns a
failure, control is directly returned to the application. The return value is that associated with
the first required or requisite module to fail. This flag can be used to protect against the
possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
@ -314,13 +315,13 @@ Once we have explained the meaning of the above tokens, we will describe this me
Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
However, in the absence of any definite successes or failures of previous or subsequent stacked
modules, this module will determine the nature of the response to the application. One example of
this latter case, is when the other modules return something like PAM_IGNORE.
this latter case is when the other modules return something like PAM_IGNORE.
</para></listitem>
</itemizedlist>
<para>
The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
over how the user is authenticated. This form of the control flag is delimited with square brackets and
over how the user is authenticated. This form of the control-flag is delimited with square brackets and
consists of a series of <parameter>value=action</parameter> tokens:
</para>
@ -342,12 +343,13 @@ Once we have explained the meaning of the above tokens, we will describe this me
</para>
<para>
The last of these <parameter>(default)</parameter> can be used to set the action for those return values that are not explicitly defined.
The last of these (<parameter>default</parameter>) can be used to set the action for those return values that are not explicitly defined.
</para>
<para>
The <parameter>action1</parameter> can be a positive integer or one of the following tokens:
<parameter>ignore; ok; done; bad; die;</parameter> and <parameter>reset</parameter>.
<parameter>ignore</parameter>; <parameter>ok</parameter>; <parameter>done</parameter>;
<parameter>bad</parameter>; <parameter>die</parameter>; and <parameter>reset</parameter>.
A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
@ -375,7 +377,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
<parameter>ok:</parameter> This tells PAM that the administrator thinks this return code should
contribute directly to the return code of the full stack of modules. In other words, if the former
state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
this value. Note, if the former state of the stack holds some value that is indicative of a modules
this value. Note, if the former state of the stack holds some value that is indicative of a module's
failure, this <parameter>ok</parameter> value will not be used to override that value.
</para></listitem>
@ -391,7 +393,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
</itemizedlist>
<para>
Each of the four keywords: <parameter>required; requisite; sufficient;</parameter> and <parameter>optional</parameter>,
Each of the four keywords, <parameter>required</parameter>; <parameter>requisite</parameter>; <parameter>sufficient</parameter>; and <parameter>optional</parameter>,
have an equivalent expression in terms of the [...] syntax. They are as follows:
</para>
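Review bot: subject-verb agreement and punctuation. "Each of the four keywords ... have an equivalent expression" should be "has", and separating the four keywords with semicolons reads oddly in running prose; commas are what this same patch uses for the identical list earlier ("required, requisite, sufficient, and optional").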
@ -417,26 +419,26 @@ Once we have explained the meaning of the above tokens, we will describe this me
<para>
Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
the notion of client plug-in agents was introduced. This makes it possible for PAM to support
machine-machine authentication using the transport protocol inherent to the client/server application. With the
<parameter>[ ... value=action ... ]</parameter> control syntax, it is possible for an application to be configured
to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication
mode for older, legacy applications.
to support binary prompts with compliant clients, but to gracefully fail over into an alternative authentication
mode for legacy applications.
</para>
</listitem>
</varlistentry>
<varlistentry><term>module-path</term><listitem>
<para>
The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
The pathname of the dynamically loadable object file; the pluggable module itself. If the first character of the
module path is <quote>/</quote>, it is assumed to be a complete path. If this is not the case, the given module path is appended
to the default module path: <filename>/lib/security</filename> (but see the notes above).
to the default module path: <filename>/lib/security</filename> (but see the previous notes).
</para>
<para>
The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical
Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
are ignored by a module, however, when encountering an invalid argument, the module is required to write an error
are ignored by a module; however, when encountering an invalid argument, the module is required to write an error
to syslog(3). For a list of generic options, see the next section.
</para>
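Review bot: "gracefully fall over into an alternative authentication mode" was changed to "fail over", which is a misreading. The sentence describes a fallback: a compliant client gets binary prompts, a legacy application is offered a different authentication mode. It is not a failover between redundant servers. "gracefully fall back to an alternative authentication mode for legacy applications" keeps the intended meaning.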
@ -452,7 +454,7 @@ user_name=<quote>%u</quote> and password=PASSWORD(<quote>%p</quote>) and service
<para>
When using this convention, you can include <quote>[</quote> characters inside the string, and if you wish to have a <quote>]</quote>
character inside the string that will survive the argument parsing, you should use <quote>\[</quote>. In other words:
character inside the string that will survive the argument parsing, you should use <quote>\[</quote>. In other words,
</para>
<para><programlisting>
@ -479,7 +481,7 @@ user_name=<quote>%u</quote> and password=PASSWORD(<quote>%p</quote>) and service
The following is an example <filename>/etc/pam.d/login</filename> configuration file.
This example had all options uncommented and is probably not usable
because it stacks many conditions before allowing successful completion
of the login process. Essentially all conditions can be disabled
of the login process. Essentially, all conditions can be disabled
by commenting them out, except the calls to <filename>pam_pwdb.so</filename>.
</para>
@ -536,10 +538,10 @@ the <filename>pam_pwdb.so</filename> module that uses the system
password database (<filename>/etc/passwd</filename>,
<filename>/etc/shadow</filename>, <filename>/etc/group</filename>) with
the module <filename>pam_smbpass.so</filename>, which uses the Samba
database which contains the Microsoft MD4 encrypted password
hashes. This database is stored in either
database containing the Microsoft MD4 encrypted password
hashes. This database is stored either in
<filename>/usr/local/samba/private/smbpasswd</filename>,
<filename>/etc/samba/smbpasswd</filename>, or in
<filename>/etc/samba/smbpasswd</filename> or in
<filename>/etc/samba.d/smbpasswd</filename>, depending on the
Samba implementation for your UNIX/Linux system. The
<filename>pam_smbpass.so</filename> module is provided by
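Review bot: "the Microsoft MD4 encrypted password hashes" is inaccurate and the hunk touches that line. What the smbpasswd file holds is the NT hash, an unsalted MD4 digest of the UTF-16LE password, not an encrypted value; because that hash is password-equivalent for NTLM authentication, it is worth writing "MD4 password hashes (NT hashes)" so the reader understands the file needs the same protection as <filename>/etc/shadow</filename>. Also, "stored either in X, Y or in Z" mixes constructions; "stored in X, Y, or Z" is cleaner.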
@ -607,7 +609,7 @@ provide the <filename>pam_stack.so</filename> module that allows all
authentication to be configured in a single central file. The
<filename>pam_stack.so</filename> method has some devoted followers
on the basis that it allows for easier administration. As with all issues in
life though, every decision makes trade-offs, so you may want to examine the
life, though, every decision has trade-offs, so you may want to examine the
PAM documentation for further helpful information.
</para></note>
@ -619,10 +621,11 @@ PAM documentation for further helpful information.
<title>&smb.conf; PAM Configuration</title>
<para>
There is an option in &smb.conf; called <smbconfoption name="obey pam restrictions"/>.
The following is from the online help for this option in SWAT;
There is an option in &smb.conf; called <smbconfoption name="obey pam restrictions"/>.
The following is from the online help for this option in SWAT:
</para>
<blockquote>
<para>
When Samba is configured to enable PAM support (i.e., <option>--with-pam</option>), this parameter will
control whether or not Samba should obey PAM's account and session management directives. The default behavior
@ -633,6 +636,7 @@ password encryption.
</para>
<para>Default: <smbconfoption name="obey pam restrictions">no</smbconfoption></para>
</blockquote>
</sect2>
@ -640,9 +644,9 @@ password encryption.
<title>Remote CIFS Authentication Using <filename>winbindd.so</filename></title>
<para>
All operating systems depend on the provision of users credentials acceptable to the platform.
All operating systems depend on the provision of user credentials acceptable to the platform.
UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
These are both simple integer type numbers that are obtained from a password backend such
These are both simple integer numbers that are obtained from a password backend such
as <filename>/etc/passwd</filename>.
</para>
@ -654,7 +658,7 @@ is one of the jobs that winbind performs.
</para>
<para>
As Winbind users and groups are resolved from a server, user and group IDs are allocated
As winbind users and groups are resolved from a server, user and group IDs are allocated
from a specified range. This is done on a first come, first served basis, although all
existing users and groups will be mapped as soon as a client performs a user or group
enumeration command. The allocated UNIX IDs are stored in a database file under the Samba
@ -663,11 +667,11 @@ lock directory and will be remembered.
<para>
The astute administrator will realize from this that the combination of <filename>pam_smbpass.so</filename>,
<command>winbindd</command> and a distributed <smbconfoption name="passdb backend"></smbconfoption>,
such as <parameter>ldap</parameter>, will allow the establishment of a centrally managed, distributed user/password
<command>winbindd</command>, and a distributed <smbconfoption name="passdb backend"></smbconfoption>
such as <parameter>ldap</parameter> will allow the establishment of a centrally managed, distributed user/password
database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as
the reduction of wide area network authentication traffic.
particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) insofar as
the reduction of wide-area network authentication traffic.
</para>
<warning><para>
@ -684,8 +688,8 @@ to determine which user and group IDs correspond to Windows NT user and group RI
<para>
<filename>pam_smbpass</filename> is a PAM module that can be used on conforming systems to
keep the <filename>smbpasswd</filename> (Samba password) database in sync with the UNIX
password file. PAM (Pluggable Authentication Modules) is an API supported
under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a
password file. PAM is an API supported
under some UNIX operating systems, such as Solaris, HPUX, and Linux, that provides a
generic interface to authentication mechanisms.
</para>
@ -704,25 +708,25 @@ Options recognized by this module are shown in <link linkend="smbpassoptions">ne
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
<row><entry>debug</entry><entry>log more debugging info.</entry></row>
<row><entry>audit</entry><entry>like debug, but also logs unknown usernames.</entry></row>
<row><entry>use_first_pass</entry><entry>do not prompt the user for passwords; take them from PAM_ items instead.</entry></row>
<row><entry>try_first_pass</entry><entry>try to get the password from a previous PAM module fall back to prompting the user.</entry></row>
<row><entry>debug</entry><entry>Log more debugging info.</entry></row>
<row><entry>audit</entry><entry>Like debug, but also logs unknown usernames.</entry></row>
<row><entry>use_first_pass</entry><entry>Do not prompt the user for passwords; take them from PAM_ items instead.</entry></row>
<row><entry>try_first_pass</entry><entry>Try to get the password from a previous PAM module; fall back to prompting the user.</entry></row>
<row><entry>use_authtok</entry>
<entry>like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</entry></row>
<row><entry>not_set_pass</entry><entry>do not make passwords used by this module available to other modules.</entry></row>
<row><entry>nodelay</entry><entry>do not insert ~1 second delays on authentication failure.</entry></row>
<row><entry>nullok</entry><entry>null passwords are allowed.</entry></row>
<row><entry>nonull</entry><entry>null passwords are not allowed. Used to override the Samba configuration.</entry></row>
<row><entry>migrate</entry><entry>only meaningful in an <quote>auth</quote> context; used to update smbpasswd file with a password used for successful authentication.</entry></row>
<row><entry>smbconf=<replaceable>file</replaceable></entry><entry>specify an alternate path to the &smb.conf; file.</entry></row>
<entry>Like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</entry></row>
<row><entry>not_set_pass</entry><entry>Do not make passwords used by this module available to other modules.</entry></row>
<row><entry>nodelay</entry><entry>dDo not insert ~1-second delays on authentication failure.</entry></row>
<row><entry>nullok</entry><entry>nNull passwords are allowed.</entry></row>
<row><entry>nonull</entry><entry>Null passwords are not allowed. Used to override the Samba configuration.</entry></row>
<row><entry>migrate</entry><entry>oOnly meaningful in an <quote>auth</quote> context; used to update smbpasswd file with a password used for successful authentication.</entry></row>
<row><entry>smbconf=<replaceable>file</replaceable></entry><entry>Specify an alternate path to the &smb.conf; file.</entry></row>
</tbody>
</tgroup>
</table>
</para>
<para>
The following are examples of the use of <filename>pam_smbpass.so</filename> in the format of Linux
The following are examples of the use of <filename>pam_smbpass.so</filename> in the format of the Linux
<filename>/etc/pam.d/</filename> files structure. Those wishing to implement this
tool on other platforms will need to adapt this appropriately.
</para>
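Review bot: the capitalization pass over the options table left three garbled entries: "dDo not insert ~1-second delays", "nNull passwords are allowed", and "oOnly meaningful in an <quote>auth</quote> context". The original lowercase initial was not deleted when the uppercase one was typed. They should read "Do not insert", "Null passwords", and "Only meaningful".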
@ -731,9 +735,9 @@ tool on other platforms will need to adapt this appropriately.
<title>Password Synchronization Configuration</title>
<para>
A sample PAM configuration that shows the use of pam_smbpass to make
The following is a sample PAM configuration that shows the use of pam_smbpass to make
sure <filename>private/smbpasswd</filename> is kept in sync when <filename>/etc/passwd (/etc/shadow)</filename>
is changed. Useful when an expired password might be changed by an
is changed. It is useful when an expired password might be changed by an
application (such as <command>ssh</command>).
</para>
@ -756,7 +760,7 @@ session required pam_unix.so
<title>Password Migration Configuration</title>
<para>
A sample PAM configuration that shows the use of <filename>pam_smbpass</filename> to migrate
The following PAM configuration shows the use of <filename>pam_smbpass</filename> to migrate
from plaintext to encrypted passwords for Samba. Unlike other methods,
this can be used for users who have never connected to Samba shares:
password migration takes place when users <command>ftp</command> in, login using <command>ssh</command>, pop
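Review bot: the claim that migration works for users who have never connected to Samba needs its mechanism stated: per the options table above, migrate is only meaningful in an auth context and writes the password that just authenticated successfully into smbpasswd, so it only works for services where PAM sees the cleartext password (ftp, ssh and pop as listed). Add a sentence saying that a user's smbpasswd entry is only created or updated after such a login, so accounts that never authenticate through one of those services are never migrated.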
@ -784,7 +788,7 @@ session required pam_unix.so
<title>Mature Password Configuration</title>
<para>
A sample PAM configuration for a mature <filename>smbpasswd</filename> installation.
The following is a sample PAM configuration for a mature <filename>smbpasswd</filename> installation.
<filename>private/smbpasswd</filename> is fully populated, and we consider it an error if
the SMB password does not exist or does not match the UNIX password.
</para>
@ -808,7 +812,7 @@ session required pam_unix.so
<title>Kerberos Password Integration Configuration</title>
<para>
A sample PAM configuration that shows <parameter>pam_smbpass</parameter> used together with
The following is a sample PAM configuration that shows <parameter>pam_smbpass</parameter> used together with
<parameter>pam_krb5</parameter>. This could be useful on a Samba PDC that is also a member of
a Kerberos realm.
</para>
@ -842,12 +846,11 @@ PAM can be fickle and sensitive to configuration glitches. Here we look at a few
the Samba mailing list.
</para>
<!-- shouldn't this be in the Winbind chapter - Jelmer -->
<sect2>
<title>pam_winbind Problem</title>
<para>
A user reported: I have the following PAM configuration:
A user reported, <emphasis>I have the following PAM configuration</emphasis>:
</para>
<para>
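Review bot: Jelmer's XML comment questioning whether this pam_winbind section belongs in the Winbind chapter is deleted without the section being moved or the question answered; either keep the TODO comment or relocate the section in the same change so the open editorial question is not lost.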
@ -864,17 +867,17 @@ password required /lib/security/pam_stack.so service=system-auth
</para>
<para>
When I open a new console with [ctrl][alt][F1], I can't log in with my user <quote>pitie</quote>.
I have tried with user <quote>scienceu\pitie</quote> also.
<emphasis>When I open a new console with [ctrl][alt][F1], I can't log in with my user <quote>pitie.</quote>
I have tried with user <quote>scienceu\pitie</quote> also.</emphasis>
</para>
<para>
<emphasis>Answer:</emphasis> The problem may lie with your inclusion of <parameter>pam_stack.so
The problem may lie with the inclusion of <parameter>pam_stack.so
service=system-auth</parameter>. That file often contains a lot of stuff that may
duplicate what you are already doing. Try commenting out the <parameter>pam_stack</parameter> lines
for <parameter>auth</parameter> and <parameter>account</parameter> and see if things work. If they do, look at
<filename>/etc/pam.d/system-auth</filename> and copy only what you need from it into your
<filename>/etc/pam.d/login</filename> file. Alternately, if you want all services to use
<filename>/etc/pam.d/login</filename> file. Alternatively, if you want all services to use
Winbind, you can put the Winbind-specific stuff in <filename>/etc/pam.d/system-auth</filename>.
</para>
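Review bot: the advice to comment out the pam_stack lines for auth and account should carry a caveat: the account phase of system-auth is typically where password-expiry and account-lock checks live, so removing it without copying the equivalent lines into /etc/pam.d/login silently drops those checks. The sentence about copying "only what you need" from system-auth should say explicitly that the account-phase entries are among the things needed.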
@ -886,8 +889,8 @@ password required /lib/security/pam_stack.so service=system-auth
<para>
<quote>
My &smb.conf; file is correctly configured. I have specified
<smbconfoption name="idmap uid">12000</smbconfoption>,
and <smbconfoption name="idmap gid">3000-3500</smbconfoption>
<smbconfoption name="idmap uid">12000</smbconfoption>
and <smbconfoption name="idmap gid">3000-3500,</smbconfoption>
and <command>winbind</command> is running. When I do the following it all works fine.
</quote>
</para>
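Review bot: the comma in `<smbconfoption name="idmap gid">3000-3500,</smbconfoption>` is placed inside the element, so it renders as part of the parameter value; move it after the closing tag. Separately, the quoted idmap uid value `12000` is a single number while idmap gid is given as a range; idmap uid also takes a range, so the configuration the user calls "correctly configured" appears incomplete, and the answer could point that out.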
@ -926,7 +929,7 @@ chown: 'maryo': invalid user
</para>
<para>
<emphasis>Answer:</emphasis> Your system is likely running <command>nscd</command>, the name service
Your system is likely running <command>nscd</command>, the name service
caching daemon. Shut it down, do not restart it! You will find your problem resolved.
</para>
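Review bot: "Shut it down, do not restart it!" gives no reason; say that nscd caches passwd and group lookups and keeps serving stale or negative answers for winbind-supplied users, which is why chown still reports 'maryo' as an invalid user even though winbind is running. A reader who understands the cause can also recognise the same symptom with other name-service caches.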


@ -14,22 +14,22 @@
<para>
There are many who approach MS Windows networking with incredible misconceptions.
That's okay, because it gives the rest of us plenty of opportunity to be of assistance.
Those who really want help would be well advised to become familiar with information
Those who really want help are well advised to become familiar with information
that is already available.
</para>
<para>
The reader is advised not to tackle this section without having first understood
You are advised not to tackle this section without having first understood
and mastered some basics. MS Windows networking is not particularly forgiving of
mis-configuration. Users of MS Windows networking are likely to complain
misconfiguration. Users of MS Windows networking are likely to complain
of persistent niggles that may be caused by a broken network configuration.
To a great many people, however, MS Windows networking starts with a Domain Controller
To a great many people, however, MS Windows networking starts with a domain controller
that in some magical way is expected to solve all network operational ills.
</para>
<para>
<link linkend="domain-example">The diagram</link> shows a typical MS Windows Domain Security
network environment. Workstations A, B and C are representative of many physical MS Windows
<link linkend="domain-example">The Example Domain illustration</link> shows a typical MS Windows domain security
network environment. Workstations A, B, and C are representative of many physical MS Windows
network clients.
</para>
@ -38,10 +38,8 @@ network clients.
<imagefile scale="50">domain</imagefile>
</figure>
<?latex \newpage ?>
<para>
From the Samba mailing list one can readily identify many common networking issues.
From the Samba mailing list we can readily identify many common networking issues.
If you are not clear on the following subjects, then it will do much good to read the
sections of this HOWTO that deal with it. These are the most common causes of MS Windows
networking problems:
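Review bot: dropping `<?latex \newpage ?>` after the domain figure changes the PDF layout (the figure and the following paragraph no longer have a forced page break between them); if this is deliberate for the PHPTR edition the commit message should say so, otherwise keep the processing instruction.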
@ -69,7 +67,7 @@ organization.
<para>
Where is the right place to make mistakes? Only out of harms way. If you are going to
make mistakes, then please do it on a test network, away from users and in such a way as
make mistakes, then please do it on a test network, away from users, and in such a way as
to not inflict pain on others. Do your learning on a test network.
</para>
@ -82,29 +80,29 @@ to not inflict pain on others. Do your learning on a test network.
</para>
<para>
In a word, <emphasis>Single Sign On</emphasis>, or SSO for short. To many, this is the Holy
In a word, <emphasis>single sign-on</emphasis>, or SSO for short. To many, this is the Holy
Grail of MS Windows NT and beyond networking. SSO allows users in a well-designed network
to log onto any workstation that is a member of the domain that their user account is in
(or in a domain that has an appropriate trust relationship with the domain they are visiting)
and they will be able to log onto the network and access resources (shares, files and printers)
as if they are sitting at their home (personal) workstation. This is a feature of the Domain
Security protocols.
and they will be able to log onto the network and access resources (shares, files, and printers)
as if they are sitting at their home (personal) workstation. This is a feature of the domain
security protocols.
</para>
<para>
<indexterm><primary>SID</primary></indexterm>
The benefits of Domain Security are available to those sites that deploy a Samba PDC.
A Domain provides a unique network security identifier (SID). Domain user and group security
The benefits of domain security are available to those sites that deploy a Samba PDC.
A domain provides a unique network security identifier (SID). Domain user and group security
identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to
the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control
Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
the account. User and group SIDs (the network SID plus the RID) can be used to create access control
lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
recognize only local security identifiers.
</para>
<note><para>
Network clients of an MS Windows Domain Security Environment must be Domain Members to be
able to gain access to the advanced features provided. Domain Membership involves more than just
setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
Network clients of an MS Windows domain security environment must be domain members to be
able to gain access to the advanced features provided. Domain membership involves more than just
setting the workgroup name to the domain name. It requires the creation of a domain trust account
for the workstation (called a machine account). Refer to <link linkend="domain-member">Domain Membership</link>
for more information.
</para></note>
@ -129,12 +127,12 @@ The following functionalities are new to the Samba-3 release:
<listitem><para>
Introduces replaceable and multiple user account (authentication)
backends. In the case where the backend is placed in an LDAP database,
Samba-3 confers the benefits of a backend that can be distributed, replicated
Samba-3 confers the benefits of a backend that can be distributed and replicated
and is highly scalable.
</para></listitem>
<listitem><para>
Implements full Unicode support. This simplifies cross locale internationalization
Implements full Unicode support. This simplifies cross-locale internationalization
support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
to the need to fully support Unicode.
</para></listitem>
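Review bot: replacing the comma with "and" yields "a backend that can be distributed and replicated and is highly scalable", a double "and"; suggest "a backend that can be distributed and replicated and that is highly scalable", or simply "a backend that is distributed, replicated, and highly scalable".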
@ -147,17 +145,17 @@ The following functionalities are not provided by Samba-3:
<listitem><para>
<indexterm><primary>SAM</primary></indexterm>
<indexterm><primary>replication</primary></indexterm>
SAM replication with Windows NT4 Domain Controllers
(i.e., a Samba PDC and a Windows NT BDC or vice versa). This means Samba
SAM replication with Windows NT4 domain controllers
(i.e., a Samba PDC and a Windows NT BDC, or vice versa). This means Samba
cannot operate as a BDC when the PDC is Microsoft-based or
replicate account data to Windows BDCs.
</para></listitem>
<listitem><para>
Acting as a Windows 2000 Domain Controller (i.e., Kerberos and
Acting as a Windows 2000 domain controller (i.e., Kerberos and
Active Directory). In point of fact, Samba-3 does have some
Active Directory Domain Control ability that is at this time
purely experimental that is certain to change as it becomes a
Active Directory domain control ability that is at this time
purely experimental. That is certain to change as it becomes a
fully supported feature some time during the Samba-3 (or later)
life cycle. However, Active Directory is more then just SMB &smbmdash;
it's also LDAP, Kerberos, DHCP, and other protocols (with proprietary
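Review bot: the unchanged context line "Active Directory is more then just SMB" has "then" for "than"; since this paragraph is being edited anyway, fix it here.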
@ -165,34 +163,34 @@ The following functionalities are not provided by Samba-3:
</para></listitem>
<listitem><para>
The Windows 200x/XP MMC (Computer Management) Console can not be used
The Windows 200x/XP Microsoft Management Console (MMC) cannot be used
to manage a Samba-3 server. For this you can use only the MS Windows NT4
Domain Server manager and the MS Windows NT4 Domain User Manager. Both are
Domain Server Manager and the MS Windows NT4 Domain User Manager. Both are
part of the SVRTOOLS.EXE package mentioned later.
</para></listitem>
</itemizedlist>
<para>
Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined
in this chapter. The protocol for support of Windows 9x/Me style network (domain) logons
is completely different from NT4/Windows 200x type domain logons and has been officially supported
for some time. These clients use the old LanMan Network Logon facilities that are supported
in this chapter. The protocol for support of Windows 9x/Me-style network (domain) logons
is completely different from NT4/Windows 200x-type domain logons and has been officially supported
for some time. These clients use the old LanMan network logon facilities that are supported
in Samba since approximately the Samba-1.9.15 series.
</para>
<para>
Samba-3 implements group mapping between Windows NT groups
and UNIX groups (this is really quite complicated to explain in a short space). This is
discussed more fully in <link linkend="groupmapping">Group Mapping &smbmdash; MS Windows and UNIX</link>.
discussed more fully in <link linkend="groupmapping">Group Mapping: MS Windows and UNIX</link>.
</para>
<para>
<indexterm><primary>Machine Trust Accounts</primary></indexterm>
Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
user and Machine Trust Account information in a suitable backend data-store.
Refer to <link linkend="machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</link>. With Samba-3 there can be multiple
backends for this. A complete discussion of account database backends can be found in
<link linkend="passdb">Account Information Databases</link>.
Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store user and Machine Trust
Account information in a suitable backend data-store. Refer to <link linkend="machine-trust-accounts">MS
Windows Workstation/Server Machine Trust Accounts</link>. With Samba-3 there can be multiple backends for
this. A complete discussion of account database backends can be found in <link linkend="passdb">Account
Information Databases</link>.
</para>
</sect1>
@ -201,9 +199,9 @@ backends for this. A complete discussion of account database backends can be fou
<title>Basics of Domain Control</title>
<para>
Over the years, public perceptions of what Domain Control really is has taken on an
almost mystical nature. Before we branch into a brief overview of Domain Control,
there are three basic types of Domain Controllers.
Over the years, public perceptions of what domain control really is has taken on an
almost mystical nature. Before we branch into a brief overview of domain control,
there are three basic types of domain controllers.
</para>
<sect2>
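Review bot: "public perceptions of what domain control really is has taken on" keeps a subject-verb mismatch; it should be "perceptions ... have taken on". The next sentence also dangles: "Before we branch into a brief overview of domain control, there are three basic types of domain controllers" needs something like "note that there are three basic types" to attach the subordinate clause.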
@ -216,34 +214,34 @@ there are three basic types of Domain Controllers.
</itemizedlist>
<para>
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in MS
Windows NT4. In Windows 200x Domain Control architecture, this role is held by Domain Controllers.
Folklore dictates that because of its role in the MS Windows
network, the Domain Controller should be the most powerful and most capable machine in the network.
As strange as it may seem to say this here, good overall network performance dictates that
the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-alone
(Domain Member) servers than in the Domain Controllers.
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in MS Windows NT4. In
Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that
because of its role in the MS Windows network, the domain controller should be the most powerful and most
capable machine in the network. As strange as it may seem to say this here, good overall network performance
dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone
(domain member) servers than in the domain controllers.
</para>
<para>
<indexterm><primary>SAM</primary></indexterm>
In the case of MS Windows NT4-style domains, it is the PDC that initiates a new Domain Control database.
In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database.
This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key
part in NT4-type domain user authentication and in synchronization of the domain authentication
database with Backup Domain Controllers.
database with BDCs.
</para>
<para>
With MS Windows 200x Server-based Active Directory domains, one Domain Controller initiates a potential
hierarchy of Domain Controllers, each with their own area of delegated control. The master domain
controller has the ability to override any downstream controller, but a down-line controller has
control only over its down-line. With Samba-3, this functionality can be implemented using an
With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential
hierarchy of domain controllers, each with its own area of delegated control. The master domain
controller has the ability to override any downstream controller, but a downline controller has
control only over its downline. With Samba-3, this functionality can be implemented using an
LDAP-based user and machine account backend.
</para>
<para>
New to Samba-3 is the ability to use a backend database that holds the same type of data as
the NT4-style SAM database (one of the registry files)<footnote><para>See also <link linkend="passdb">Account Information Databases</link>.</para></footnote>.
New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM
database (one of the registry files)<footnote><para>See also <link linkend="passdb">Account Information
Databases</link>.</para>.</footnote>
</para>
<para>
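Review bot: the reflowed footnote now ends `Databases</link>.</para>.</footnote>`, which puts a bare period between `</para>` and `</footnote>` (footnote content must be block elements, so this is not valid DocBook) and leaves the sentence outside the footnote without its terminating period; it should read `Databases</link>.</para></footnote>.` with the period after the footnote. Also, "invest more in standalone (domain member) servers" equates standalone with domain member, which the install-time choices list later in this chapter explicitly distinguishes; "domain member servers" alone is what is meant.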
@ -253,51 +251,52 @@ On a network segment that has a BDC and a PDC, the BDC will most likely service
logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
A BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to
PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic
operation; the PDC and BDC must be manually configured and changes also need to be made.
operation; the PDC and BDC must be manually configured, and changes also need to be made.
</para>
<para>
With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be.
It is possible to promote a BDC to a PDC and vice versa. The only way
to convert a Domain Controller to a Domain Member server or a Stand-alone Server is to
reinstall it. The install time choices offered are:
It is possible to promote a BDC to a PDC, and vice versa. The only way to convert a domain controller to a
domain member server or a standalone server is to reinstall it. The install time choices offered are:
</para>
<itemizedlist>
<listitem><para><emphasis>Primary Domain Controller</emphasis> &smbmdash; the one that seeds the domain SAM.</para></listitem>
<listitem><para><emphasis>Backup Domain Controller</emphasis> &smbmdash; one that obtains a copy of the domain SAM.</para></listitem>
<listitem><para><emphasis>Domain Member Server</emphasis> &smbmdash; one that has no copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
<listitem><para><emphasis>Stand-alone Server</emphasis> &smbmdash; one that plays no part is SAM synchronization, has its own authentication database and plays no role in Domain Security.</para></listitem>
<listitem><para><emphasis>Domain Member Server</emphasis> &smbmdash; one that has no copy of the domain SAM; rather
it obtains authentication from a domain controller for all access controls.</para></listitem>
<listitem><para><emphasis>Standalone Server</emphasis> &smbmdash; one that plays no part in SAM synchronization,
has its own authentication database, and plays no role in domain security.</para></listitem>
</itemizedlist>
<para>
With MS Windows 2000, the configuration of Domain Control is done after the server has been
With MS Windows 2000, the configuration of domain control is done after the server has been
installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server
Active Directory domain.
</para>
<para>
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
New to Samba-3 is the ability to function fully as an MS Windows NT4-style Domain Controller,
New to Samba-3 is the ability to function fully as an MS Windows NT4-style domain controller,
excluding the SAM replication components. However, please be aware that Samba-3 also supports the
MS Windows 200x Domain Control protocols.
MS Windows 200x domain control protocols.
</para>
<para>
At this time any appearance that Samba-3 is capable of acting as an
<emphasis>Domain Controller</emphasis> in native ADS mode is limited and experimental in nature.
At this time any appearance that Samba-3 is capable of acting as a
<emphasis>domain controller</emphasis> in native ADS mode is limited and experimental in nature.
This functionality should not be used until the Samba Team offers formal support for it.
At such a time, the documentation will be revised to duly reflect all configuration and
management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP
management requirements. Samba can act as a NT4-style domain controller in a Windows 2000/XP
environment. However, there are certain compromises:
<itemizedlist>
<listitem><para>No machine policy files.</para></listitem>
<listitem><para>No Group Policy Objects.</para></listitem>
<listitem><para>No synchronously executed AD logon scripts.</para></listitem>
<listitem><para>No synchronously executed Active Directory logon scripts.</para></listitem>
<listitem><para>Can't use Active Directory management tools to manage users and machines.</para></listitem>
<listitem><para>Registry changes tattoo the main registry, while with AD they do not leave permanent changes in effect.</para></listitem>
<listitem><para>Without AD you cannot perform the function of exporting specific applications to specific users or groups.</para></listitem>
<listitem><para>Registry changes tattoo the main registry, while with Active Directory they do not leave permanent changes in effect.</para></listitem>
<listitem><para>Without Active Directory you cannot perform the function of exporting specific applications to specific users or groups.</para></listitem>
</itemizedlist>
</para>
@ -307,36 +306,36 @@ environment. However, there are certain compromises:
<title>Preparing for Domain Control</title>
<para>
There are two ways that MS Windows machines may interact with each other, with other servers
and with Domain Controllers: either as <emphasis>Stand-alone</emphasis> systems, more commonly
called <emphasis>Workgroup</emphasis> members, or as full participants in a security system,
more commonly called <emphasis>Domain</emphasis> members.
There are two ways that MS Windows machines may interact with each other, with other servers,
and with domain controllers: either as <emphasis>standalone</emphasis> systems, more commonly
called <emphasis>workgroup</emphasis> members, or as full participants in a security system,
more commonly called <emphasis>domain</emphasis> members.
</para>
<para>
It should be noted that <emphasis>Workgroup</emphasis> membership involves no special configuration
It should be noted that workgroup membership involves no special configuration
other than the machine being configured so the network configuration has a commonly used name
for its workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
mode of configuration, there are no Machine Trust Accounts and any concept of membership as such
mode of configuration, there are no Machine Trust Accounts, and any concept of membership as such
is limited to the fact that all machines appear in the network neighborhood to be logically
grouped together. Again, just to be clear: <emphasis>workgroup mode does not involve security machine
accounts</emphasis>.
</para>
<para>
Domain Member machines have a machine account in the Domain accounts database. A special procedure
must be followed on each machine to effect Domain Membership. This procedure, which can be done
only by the local machine Administrator account, will create the Domain machine account (if it does
Domain member machines have a machine account in the domain accounts database. A special procedure
must be followed on each machine to effect domain membership. This procedure, which can be done
only by the local machine Administrator account, creates the domain machine account (if it does
not exist), and then initializes that account. When the client first logs onto the
Domain it triggers a machine password change.
domain, it triggers a machine password change.
</para>
<note><para>
When Samba is configured as a Domain Controller, secure network operation demands that
all MS Windows NT4/200x/XP Professional clients should be configured as Domain Members.
If a machine is not made a member of the Domain, then it will operate like a workgroup
(Stand-alone) machine. Please refer to <link linkend="domain-member">Domain Membership</link> chapter for
information regarding Domain Membership.
When Samba is configured as a domain controller, secure network operation demands that
all MS Windows NT4/200x/XP Professional clients should be configured as domain members.
If a machine is not made a member of the domain, then it will operate like a workgroup
(standalone) machine. Please refer to <link linkend="domain-member">Domain Membership</link>, for
information regarding domain membership.
</para></note>
<para>
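Review bot: "Please refer to <link linkend="domain-member">Domain Membership</link>, for information" keeps a stray comma left over from removing the word "chapter"; drop the comma.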
@ -346,14 +345,14 @@ NT4/200x/XP clients:
<itemizedlist>
<listitem><para>Configuration of basic TCP/IP and MS Windows networking.</para></listitem>
<listitem><para>Correct designation of the Server Role (<smbconfoption name="security">user</smbconfoption>).</para></listitem>
<listitem><para>Consistent configuration of Name Resolution<footnote><para>See <link linkend="NetworkBrowsing">Network Browsing</link>, and
<link linkend="integrate-ms-networks">Integrating MS Windows Networks with Samba</link>.</para></footnote>.</para></listitem>
<listitem><para>Correct designation of the server role (<smbconfoption name="security">user</smbconfoption>).</para></listitem>
<listitem><para>Consistent configuration of name resolution.<footnote><para>See <link linkend="NetworkBrowsing">Network Browsing</link>, and
<link linkend="integrate-ms-networks">Integrating MS Windows Networks with Samba</link>.</para></footnote></para></listitem>
<listitem><para>Domain logons for Windows NT4/200x/XP Professional clients.</para></listitem>
<listitem><para>Configuration of Roaming Profiles or explicit configuration to force local profile usage.</para></listitem>
<listitem><para>Configuration of roaming profiles or explicit configuration to force local profile usage.</para></listitem>
<listitem><para>Configuration of network/system policies.</para></listitem>
<listitem><para>Adding and managing domain user accounts.</para></listitem>
<listitem><para>Configuring MS Windows client machines to become Domain Members.</para></listitem>
<listitem><para>Configuring MS Windows client machines to become domain members.</para></listitem>
</itemizedlist>
<para>
@ -363,38 +362,38 @@ The following provisions are required to serve MS Windows 9x/Me clients:
<itemizedlist>
<listitem><para>Configuration of basic TCP/IP and MS Windows networking.</para></listitem>
<listitem><para>Correct designation of the server role (<smbconfoption name="security">user</smbconfoption>).</para></listitem>
<listitem><para>Network Logon Configuration (since Windows 9x/Me/XP Home are not technically domain
<listitem><para>Network logon configuration (since Windows 9x/Me/XP Home are not technically domain
members, they do not really participate in the security aspects of Domain logons as such).</para></listitem>
<listitem><para>Roaming Profile Configuration.</para></listitem>
<listitem><para>Configuration of System Policy handling.</para></listitem>
<listitem><para>Roaming profile configuration.</para></listitem>
<listitem><para>Configuration of system policy handling.</para></listitem>
<listitem><para>Installation of the network driver <quote>Client for MS Windows Networks</quote> and configuration
to log onto the domain.</para></listitem>
<listitem><para>Placing Windows 9x/Me clients in User Level Security &smbmdash; if it is desired to allow
all client share access to be controlled according to domain user/group identities.</para></listitem>
<listitem><para>Placing Windows 9x/Me clients in user-level security &smbmdash; if it is desired to allow
all client-share access to be controlled according to domain user/group identities.</para></listitem>
<listitem><para>Adding and managing domain user accounts.</para></listitem>
</itemizedlist>
<note><para>
Roaming Profiles and System/Network policies are advanced network administration topics
that are covered in the <link linkend="ProfileMgmt">Desktop Profile Management</link> and
<link linkend="PolicyMgmt">System and Account Policies</link> chapters of this document. However, these are not
Roaming profiles and system/network policies are advanced network administration topics
that are covered in <link linkend="ProfileMgmt">Desktop Profile Management</link> and
<link linkend="PolicyMgmt">System and Account Policies</link> of this document. However, these are not
necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
</para></note>
<para>
A Domain Controller is an SMB/CIFS server that:
A domain controller is an SMB/CIFS server that:
</para>
<itemizedlist>
<listitem><para>
Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
Registers and advertises itself as a domain controller (through NetBIOS broadcasts
as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
to a WINS server over UDP uni-cast, or via DNS and Active Directory).
to a WINS server over UDP unicast, or via DNS and Active Directory).
</para></listitem>
<listitem><para>
Provides the NETLOGON service. (This is actually a collection of services that runs over
multiple protocols. These include the LanMan Logon service, the Netlogon service,
multiple protocols. These include the LanMan logon service, the Netlogon service,
the Local Security Account service, and variations of them.)
</para></listitem>
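Review bot: "the security aspects of Domain logons" in the unchanged network logon configuration item still capitalises "Domain" while the rest of the hunk lowercases it; lowercase it here for consistency.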
@ -404,26 +403,27 @@ A Domain Controller is an SMB/CIFS server that:
</itemizedlist>
<para>
It is rather easy to configure Samba to provide these. Each Samba Domain Controller must provide
the NETLOGON service that Samba calls the <smbconfoption name="domain logons"/> functionality
(after the name of the parameter in the &smb.conf; file). Additionally, one server in a Samba-3
Domain must advertise itself as the Domain Master Browser<footnote><para>See <link linkend="NetworkBrowsing">Network Browsing</link>.</para></footnote>.
This causes the Primary Domain Controller to claim a domain-specific NetBIOS name that identifies it as a
Domain Master Browser for its given domain or workgroup. Local master browsers in the same domain or workgroup on
broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide area network.
Browser clients will then contact their Local Master Browser, and will receive the domain-wide browse list,
instead of just the list for their broadcast-isolated subnet.
It is rather easy to configure Samba to provide these. Each Samba domain controller must provide the NETLOGON
service that Samba calls the <smbconfoption name="domain logons"/> functionality (after the name of the
parameter in the &smb.conf; file). Additionally, one server in a Samba-3 domain must advertise itself as the
domain master browser.<footnote><para>See <link linkend="NetworkBrowsing">Network
Browsing</link>.</para></footnote> This causes the PDC to claim a domain-specific NetBIOS name that identifies
it as a DMB for its given domain or workgroup. Local master browsers (LMBs) in the same domain or workgroup on
broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide-area network.
Browser clients then contact their LMB, and will receive the domain-wide browse list instead of just the list
for their broadcast-isolated subnet.
</para>
</sect2>
</sect1>
<sect1>
<title>Domain Control &smbmdash; Example Configuration</title>
<title>Domain Control: Example Configuration</title>
<para>
The first step in creating a working Samba PDC is to understand the parameters necessary
in &smb.conf;. An example &smb.conf; for acting as a PDC can be found in <link linkend="pdc-example">the next example</link>.
in &smb.conf;. An example &smb.conf; for acting as a PDC can be found in <link linkend="pdc-example">the
smb.conf for being a PDC</link>.
</para>
<example id="pdc-example">
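Review bot: the cross-reference at the end of this hunk, "can be found in the smb.conf for being a PDC", reads awkwardly because the example's title is being used as a noun phrase with an article in front of it. Either drop the article and treat the link text as a title, `in <link linkend="pdc-example">smb.conf for being a PDC</link>`, or keep a descriptive phrase such as "in the following example" and let the title speak for itself.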
@ -469,7 +469,7 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
default accounts and is included by default, there is no need to add it explicitly.</para>
<para>
Where use of backup Domain Controllers (BDCs) is intended, the only logical choice is
Where use of BDCs is intended, the only logical choice is
to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files
cannot effectively be distributed and therefore should not be used.
</para></listitem>
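Review bot: the rewrite removes the only expansion of the abbreviation, "backup Domain Controllers (BDCs)", so "BDCs" now appears here unexplained; keep the expansion on first use in the section. While this sentence is open, it should say what "distributed" implies: replicating the passdb backend over LDAP replicates the LanMan and NT hashes, which the passdb chapter in this same commit describes as password equivalents that must be kept secret, so the replication channel and the directory access controls need the same protection the chapter demands for the smbpasswd file.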
@ -477,12 +477,12 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
<varlistentry><term>Domain Control Parameters </term>
<listitem><para>
The parameters <emphasis>os level, preferred master, domain master, security,
encrypt passwords, and domain logons</emphasis> play a central role in assuring domain
encrypt passwords</emphasis>, and <emphasis>domain logons</emphasis> play a central role in assuring domain
control and network logon support.</para>
<para>
The <emphasis>os level</emphasis> must be set at or above a value of 32. A Domain Controller
must be the Domain Master Browser, must be set in <emphasis>user</emphasis> mode security,
The <emphasis>os level</emphasis> must be set at or above a value of 32. A domain controller
must be the DMB, must be set in <emphasis>user</emphasis> mode security,
must support Microsoft-compatible encrypted passwords, and must provide the network logon
service (domain logons). Encrypted passwords must be enabled. For more details on how
to do this, refer to <link linkend="passdb">Account Information Databases</link>.
@ -490,7 +490,7 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
</varlistentry>
<varlistentry><term>Environment Parameters </term>
<listitem><para>
The parameters <emphasis>logon path, logon home, logon drive, and logon script</emphasis> are
The parameters <emphasis>logon path, logon home, logon drive</emphasis>, and <emphasis>logon script</emphasis> are
environment support settings that help to facilitate client logon operations and that help
to provide automated control facilities to ease network management overheads. Please refer
to the man page information for these parameters.
@ -498,10 +498,10 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
</varlistentry>
<varlistentry><term>NETLOGON Share </term>
<listitem><para>
The NETLOGON share plays a central role in domain logon and Domain Membership support.
This share is provided on all Microsoft Domain Controllers. It is used to provide logon
scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common
tools that may be needed for logon processing. This is an essential share on a Domain Controller.
The NETLOGON share plays a central role in domain logon and domain membership support.
This share is provided on all Microsoft domain controllers. It is used to provide logon
scripts, to store group policy files (NTConfig.POL), as well as to locate other common
tools that may be needed for logon processing. This is an essential share on a domain controller.
</para></listitem>
</varlistentry>
<varlistentry><term>PROFILE Share </term>
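Review bot: the NETLOGON description says what the share holds (logon scripts, NTConfig.POL) but not who may write to it. Clients run whatever logon script and apply whatever policy file they fetch from this share, so it must be readable by all domain users and writable only by domain administrators; one sentence stating that here, or a pointer to the share definition in the example where the write restriction is set, would close the gap.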
@ -531,7 +531,7 @@ of operation. The following &smb.conf; parameters are the essentials alone:
</para>
<para>
The additional parameters shown in the longer listing above just makes for
The additional parameters shown in the longer listing in this section just make for
a more complete explanation.
</para></note>
@ -541,21 +541,21 @@ a more complete explanation.
<title>Samba ADS Domain Control</title>
<para>
Samba-3 is not, and cannot act as, an Active Directory Server. It cannot truly function as
an Active Directory Primary Domain Controller. The protocols for some of the functionality
of Active Directory Domain Controllers has been partially implemented on an experimental
Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as
an Active Directory PDC. The protocols for some of the functionality
of Active Directory domain controllers has been partially implemented on an experimental
only basis. Please do not expect Samba-3 to support these protocols. Do not depend
on any such functionality either now or in the future. The Samba Team may remove these
experimental features or may change their behavior. This is mentioned for the benefit of those
who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be
completed. The answer is maybe or maybe never!
completed. The answer is maybe someday or maybe never!
</para>
<para>
To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style
Domain Controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have
domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have
a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it
is not Windows Server 200x, it is not an Active Directory server. We hope this is plain and simple
is not Windows Server 200x: it is not an Active Directory server. We hope this is plain and simple
enough for all to understand.
</para>
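Review bot: subject-verb agreement is still wrong in the retained sentence, "The protocols for some of the functionality of Active Directory domain controllers has been partially implemented on an experimental only basis"; since the subject is "protocols" it should read "have been partially implemented on an experimental-only basis". The copy edit touched this sentence but left the error in place.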
@ -565,17 +565,17 @@ enough for all to understand.
<title>Domain and Network Logon Configuration</title>
<para>
The subject of Network or Domain Logons is discussed here because it forms
an integral part of the essential functionality that is provided by a Domain Controller.
The subject of network or domain logons is discussed here because it forms
an integral part of the essential functionality that is provided by a domain controller.
</para>
<sect2>
<title>Domain Network Logon Service</title>
<para>
All Domain Controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba). One Domain Controller must be configured with <smbconfoption name="domain master">Yes</smbconfoption>
(the Primary Domain Controller); on all Backup Domain Controllers <smbconfoption name="domain master">No</smbconfoption>
All domain controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba). One domain controller must be configured with <smbconfoption name="domain master">Yes</smbconfoption>
(the PDC); on all BDCs <smbconfoption name="domain master">No</smbconfoption>
must be set.
</para>
@ -603,14 +603,14 @@ must be set.
<para>
To be completely clear: If you want MS Windows XP Home Edition to integrate with your
MS Windows NT4 or Active Directory Domain Security, understand it cannot be done.
MS Windows NT4 or Active Directory domain security, understand it cannot be done.
The only option is to purchase the upgrade from MS Windows XP Home Edition to
MS Windows XP Professional.
</para>
<note><para>
MS Windows XP Home Edition does not have the ability to join any type of Domain
Security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely
MS Windows XP Home Edition does not have the ability to join any type of domain
security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely
lacks the ability to log onto a network.
</para></note>
@ -645,26 +645,26 @@ It should be noted that browsing is totally orthogonal to logon support.
<para>
Issues related to the single-logon network model are discussed in this
section. Samba supports domain logons, network logon scripts and user
profiles for MS Windows for workgroups and MS Windows 9X/ME clients,
section. Samba supports domain logons, network logon scripts, and user
profiles for MS Windows for Workgroups and MS Windows 9x/Me clients,
which are the focus of this section.
</para>
<para>
When an SMB client in a domain wishes to logon, it broadcasts requests for a
logon server. The first one to reply gets the job, and validates its
When an SMB client in a domain wishes to log on, it broadcasts requests for a
logon server. The first one to reply gets the job and validates its
password using whatever mechanism the Samba administrator has installed.
It is possible (but ill advised ) to create a domain where the user
database is not shared between servers, i.e., they are effectively workgroup
It is possible (but ill advised) to create a domain where the user
database is not shared between servers; that is, they are effectively workgroup
servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely
involved with domains.
</para>
<para>
Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.
Using these features, you can make your clients verify their logon via
the Samba server, make clients run a batch file when they log on to
the network and download their preferences, desktop, and start menu.
</para>
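Review bot: "validates its password" is ambiguous; it is the user's password being validated, so say "validates the user's password". The paragraph also states that the first server to answer the broadcast "gets the job" without drawing the consequence: any host on that broadcast segment that replies first becomes the logon server for that client. That is exactly why the next sentence calls a non-shared user database "ill advised", and a short clause making the point explicit would help readers see why this logon model is confined to the Windows for Workgroups and 9x/Me clients named at the top of the section.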
<para><emphasis>
@ -745,7 +745,7 @@ The main difference between a PDC and a Windows 9x/Me logon server configuration
<itemizedlist>
<listitem><para>
Password encryption is not required for a Windows 9x/Me logon server. But note
that beginning with MS Windows 98 the default setting is that plain-text
that beginning with MS Windows 98 the default setting is that plaintext
password support is disabled. It can be re-enabled with the registry
changes that are documented in <link linkend="PolicyMgmt">System and Account Policies</link>.
</para></listitem>
@ -761,7 +761,7 @@ network logon services that MS Windows 9x/Me expect to find.
</para>
<note><para>
Use of plain-text passwords is strongly discouraged. Where used they are easily detected
Use of plaintext passwords is strongly discouraged. Where used they are easily detected
using a sniffer tool to examine network traffic.
</para></note>
@ -773,39 +773,37 @@ using a sniffer tool to examine network traffic.
<para>
There are a few comments to make in order to tie up some loose ends. There has been
much debate over the issue of whether it is okay to configure Samba as a Domain
Controller in security modes other than user. The only security mode that will
much debate over the issue of whether it is okay to configure Samba as a domain
controller in security modes other than user. The only security mode that will
not work due to technical reasons is share-mode security. Domain and server mode
security are really just a variation on SMB User Level Security.
security are really just a variation on SMB user-level security.
</para>
<para>
Actually, this issue is also closely tied to the debate on whether
Samba must be the Domain Master Browser for its workgroup
when operating as a DC. While it may technically be possible
to configure a server as such (after all, browsing and domain logons
are two distinctly different functions), it is not a good idea to do
so. You should remember that the DC must register the DOMAIN&lt;#1b&gt; NetBIOS
name. This is the name used by Windows clients to locate the DC.
Windows clients do not distinguish between the DC and the DMB.
A DMB is a Domain Master Browser &smbmdash; see <link linkend="DMB">Configuring WORKGROUP Browsing</link> section.
For this reason, it is wise to configure the Samba DC as the DMB.
Actually, this issue is also closely tied to the debate on whether Samba must be the DMB for its workgroup
when operating as a domain controller. While it may technically be possible to configure a server as such
(after all, browsing and domain logons are two distinctly different functions), it is not a good idea to do
so. You should remember that the domain controller must register the DOMAIN&lt;#1b&gt; NetBIOS name. This is
the name used by Windows clients to locate the domain controller. Windows clients do not distinguish between
the domain controller and the DMB. A DMB is a Domain Master Browser &smbmdash; see <link
linkend="NetworkBrowsing">The Network Browsing Chapter</link>, <link linkend="DMB">Configuring WORKGROUP
Browsing</link> section. For this reason, it is wise to configure the Samba domain controller as the DMB.
</para>
<para>
Now back to the issue of configuring a Samba DC to use a mode other than
Now back to the issue of configuring a Samba domain controller to use a mode other than
<smbconfoption name="security">user</smbconfoption>. If a Samba host is
configured to use another SMB server or DC in order to validate user connection requests,
configured to use another SMB server or domain controller in order to validate user connection requests,
it is a fact that some other machine on the network (the <smbconfoption name="password server"/>)
knows more about the user than the Samba host. About 99% of the time, this other host is
a Domain Controller. Now to operate in domain mode security, the <smbconfoption name="workgroup"/>
parameter must be set to the name of the Windows NT domain (which already has a Domain Controller).
If the domain does not already have a Domain Controller, you do not yet have a Domain.
knows more about the user than the Samba host. About 99 percent of the time, this other host is
a domain controller. Now to operate in domain mode security, the <smbconfoption name="workgroup"/>
parameter must be set to the name of the Windows NT domain (which already has a domain controller).
If the domain does not already have a domain controller, you do not yet have a domain.
</para>
<para>
Configuring a Samba box as a DC for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba DC
Configuring a Samba box as a domain controller for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba domain controller
to be the DMB for its domain and set <smbconfoption name="security">user</smbconfoption>.
This is the only officially supported mode of operation.
</para>
@ -858,9 +856,9 @@ will remove all network drive connections:
<para>
Further, if the machine is already a <quote>member of a workgroup</quote> that
is the same name as the domain you are joining (bad idea) you will
get this message. Change the workgroup name to something else, it
does not matter what, reboot, and try again.
is the same name as the domain you are joining (bad idea), you will
get this message. Change the workgroup name to something else &smbmdash; it
does not matter what &smbmdash; reboot, and try again.
</para>
</sect2>
@ -869,7 +867,7 @@ does not matter what, reboot, and try again.
<para><quote>I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, <errorname>`The system
cannot log you on (C000019B), Please try again or consult your
cannot log you on (C000019B). Please try again or consult your
system administrator</errorname> when attempting to logon.'</quote>
</para>
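Review bot: the quoting around this error message is mismatched. The opening backtick sits inside <errorname>, but the closing single quote comes after "when attempting to logon", which is the author's own text rather than part of the message, and the rest of this commit switches such messages to straight double quotes (see the machine-account message later in this diff). Suggest `<errorname>"The system cannot log you on (C000019B). Please try again or consult your system administrator."</errorname> when attempting to log on.`, which also brings "log on" into line with the verb form used elsewhere in the commit.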
@ -893,9 +891,9 @@ To reset or change the domain SID you can use the net command as follows:
</para>
<para>
Workstation Machine Trust Accounts work only with the Domain (or network) SID. If this SID changes
Domain Members (workstations) will not be able to log onto the domain. The original Domain SID
can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join
Workstation Machine Trust Accounts work only with the domain (or network) SID. If this SID changes,
domain members (workstations) will not be able to log onto the domain. The original domain SID
can be recovered from the secrets.tdb file. The alternative is to visit each workstation to rejoin
it to the domain.
</para>
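Review bot: the paragraph explains how to recover the domain SID from secrets.tdb after it has changed, but the preventive step is missing. Since the text says a changed SID locks every member workstation out of the domain and the only other remedy is rejoining each one, it should tell the reader to back up secrets.tdb before upgrading Samba. Minor: "log onto the domain" here, "log on to the network" and "log in to a Samba domain" elsewhere in this commit; pick one form.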
@ -905,20 +903,20 @@ it to the domain.
<title>The Machine Trust Account Is Not Accessible</title>
<para>
<quote>When I try to join the domain I get the message, <errorname>`The machine account
for this computer either does not exist or is not accessible'</errorname>. What's
<quote>When I try to join the domain I get the message, <errorname>"The machine account
for this computer either does not exist or is not accessible</errorname>." What's
wrong?</quote>
</para>
<para>
This problem is caused by the PDC not having a suitable Machine Trust Account.
If you are using the <smbconfoption name="add machine script"/> method to create
accounts then this would indicate that it has not worked. Ensure the domain
accounts, then this would indicate that it has not worked. Ensure the domain
admin user system is working.
</para>
<para>
Alternately, if you are creating account entries manually then they
Alternately, if you are creating account entries manually, then they
have not been created correctly. Make sure that you have the entry
correct for the Machine Trust Account in <filename>smbpasswd</filename> file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
@ -936,7 +934,7 @@ client can cause this problem. Make sure that these are consistent for both cli
<sect2>
<title>Account Disabled</title>
<para><quote>When I attempt to login to a Samba Domain from a NT4/W200x workstation,
<para><quote>When I attempt to log in to a Samba domain from a NT4/W200x workstation,
I get a message about my account being disabled.</quote></para>
<para>
@ -952,7 +950,7 @@ Enable the user accounts with <userinput>smbpasswd -e <replaceable>username</rep
<para><quote>Until a few minutes after Samba has started, clients get the error `Domain Controller Unavailable'</quote></para>
<para>
A Domain Controller has to announce its role on the network. This usually takes a while. Be patient for up to fifteen minutes,
A domain controller has to announce its role on the network. This usually takes a while. Be patient for up to 15 minutes,
then try again.
</para>
</sect2>
@ -964,21 +962,21 @@ then try again.
<indexterm><primary>schannel</primary></indexterm>
<indexterm><primary>signing</primary></indexterm>
After successfully joining the domain, user logons fail with one of two messages: one to the
effect that the Domain Controller cannot be found; the other claims that the account does not
effect that the domain controller cannot be found; the other claims that the account does not
exist in the domain or that the password is incorrect. This may be due to incompatible
settings between the Windows client and the Samba-3 server for <emphasis>schannel</emphasis>
(secure channel) settings or <emphasis>smb signing</emphasis> settings. Check your Samba
settings for <emphasis> client schannel, server schannel, client signing, server signing</emphasis>
by executing:
settings for <emphasis>client schannel</emphasis>, <emphasis>server schannel</emphasis>,
<emphasis>client signing</emphasis>, <emphasis>server signing</emphasis> by executing:
<screen>
<command>testparm -v | more</command> and looking for the value of these parameters.
</screen>
</para>
<para>
Also use the Microsoft Management Console &smbmdash; Local Security Settings. This tool is available from the
Also use the MMC &smbmdash; Local Security Settings. This tool is available from the
Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by
<emphasis>Secure Channel: ..., and Digitally sign ....</emphasis>.
<emphasis>Secure Channel:..., and Digitally sign...</emphasis>.
</para>
<para>
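Review bot: the <screen> element wraps prose. Everything inside <screen> renders as terminal text, so "and looking for the value of these parameters" will appear as if it were part of the command. Move that clause into the surrounding <para> and leave only `<screen><command>testparm -v | more</command></screen>`. Since the reader is hunting for four specific parameters in several hundred lines of output, a filtered form such as `testparm -v 2>/dev/null | grep -i -E 'schannel|signing'` would serve better than paging through the full dump. Also, "MMC" now replaces the only spelled-out "Microsoft Management Console" in this section; keep the expansion on first use.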

View File

@ -37,23 +37,20 @@ as follows:
<indexterm><primary>encrypted passwords</primary></indexterm>
</para>
<?latex \newpage ?>
<sect2>
<title>Backward Compatibility Backends</title>
<variablelist>
<varlistentry><term>Plain Text</term>
<varlistentry><term>Plaintext</term>
<listitem>
<para>
This isn't really a backend at all, but is listed here for simplicity. Samba can be
configured to pass plaintext authentication requests to the traditional UNIX/Linux
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
style subsystems. On systems that have Pluggable Authentication Modules (PAM)
support, all PAM modules are supported. The behavior is just as it was with
Samba-2.2.x, and the protocol limitations imposed by MS Windows clients
apply likewise. Please refer to <link linkend="passdbtech">Technical Information</link> for more information
regarding the limitations of Plain Text password usage.
This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass
plaintext authentication requests to the traditional UNIX/Linux <filename>/etc/passwd</filename> and
<filename>/etc/shadow</filename>-style subsystems. On systems that have Pluggable Authentication Modules
(PAM) support, all PAM modules are supported. The behavior is just as it was with Samba-2.2.x, and the
protocol limitations imposed by MS Windows clients apply likewise. Please refer to <link
linkend="passdbtech">Technical Information</link>, for more information regarding the limitations of plaintext
password usage.
</para>
</listitem>
</varlistentry>
@ -63,11 +60,11 @@ as follows:
<para>
This option allows continued use of the <filename>smbpasswd</filename>
file that maintains a plain ASCII (text) layout that includes the MS Windows
LanMan and NT encrypted passwords as well as a field that stores some
LanMan and NT-encrypted passwords as well as a field that stores some
account information. This form of password backend does not store any of
the MS Windows NT/200x SAM (Security Account Manager) information required to
provide the extended controls that are needed for more comprehensive
inter-operation with MS Windows NT4/200x servers.
interoperation with MS Windows NT4/200x servers.
</para>
<para>
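Review bot: "LanMan and NT-encrypted passwords" misparses after the hyphenation change; it now reads as though only the NT value is encrypted. What the smbpasswd file stores are the LanMan hash and the NT hash, which the Technical Information section of this same chapter calls "LanMan and NT hashes". Say "LanMan and NT password hashes" here and avoid "encrypted", which wrongly suggests the stored values are reversible.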
@ -108,13 +105,13 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem>
<para>
This backend provides a rich database backend for local servers. This
backend is not suitable for multiple Domain Controllers (i.e., PDC + one
backend is not suitable for multiple domain controllers (i.e., PDC + one
or more BDC) installations.
</para>
<para>
The <emphasis>tdbsam</emphasis> password backend stores the old <emphasis>
smbpasswd</emphasis> information plus the extended MS Windows NT / 200x
smbpasswd</emphasis> information plus the extended MS Windows NT/200x
SAM information into a binary format TDB (trivial database) file.
The inclusion of the extended information makes it possible for Samba-3
to implement the same account and system access controls that are possible
@ -146,14 +143,14 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
The new LDAP implementation significantly expands the control abilities that
were possible with prior versions of Samba. It is now possible to specify
<quote>per user</quote> profile settings, home directories, account access controls, and
<quote>per-user</quote> profile settings, home directories, account access controls, and
much more. Corporate sites will see that the Samba Team has listened to their
requests both for capability and to allow greater scalability.
requests both for capability and greater scalability.
</para>
</listitem>
</varlistentry>
<varlistentry><term>mysqlsam (MySQL based backend)</term>
<varlistentry><term>mysqlsam (MySQL-based backend)</term>
<listitem>
<para>
It is expected that the MySQL-based SAM will be very popular in some corners.
@ -163,18 +160,18 @@ Samba-3 introduces a number of new password backend capabilities.
</listitem>
</varlistentry>
<varlistentry><term>pgsqlsam (PostGreSQL based backend)</term>
<varlistentry><term>pgsqlsam (PostGreSQL-based backend)</term>
<listitem>
<para>
Stores user information in a PostgreSQL database.
This backend is largely undocumented at
the moment, though it's configuration is very similar to
the moment, though its configuration is very similar to
that of the mysqlsam backend.
</para>
</listitem>
</varlistentry>
<varlistentry><term>xmlsam (XML based datafile)</term>
<varlistentry><term>xmlsam (XML-based datafile)</term>
<listitem>
<para>
<indexterm><primary>pdbedit</primary></indexterm>
@ -186,7 +183,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
The <parameter>xmlsam</parameter> option can be useful for account migration between database
backends or backups. Use of this tool will allow the data to be edited before migration
backends or backups. Use of this tool allows the data to be edited before migration
into another backend format.
</para>
</listitem>
@ -202,15 +199,14 @@ Samba-3 introduces a number of new password backend capabilities.
<title>Technical Information</title>
<para>
Old Windows clients send plain text passwords over the wire. Samba can check these
Old Windows clients send plaintext passwords over the wire. Samba can check these
passwords by encrypting them and comparing them to the hash stored in the UNIX user database.
</para>
<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
Newer Windows clients send encrypted passwords (so-called LanMan and NT hashes) over
the wire, instead of plain text passwords. The newest clients will send only encrypted
passwords and refuse to send plain text passwords, unless their registry is tweaked.
Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over the wire. The newest clients will send only encrypted
passwords and refuse to send plaintext passwords unless their registry is tweaked.
</para>
<para>
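Review bot: "send encrypted passwords (LanMan and NT hashes) ... over the wire" is inaccurate and contradicts the challenge/response description at the end of this chapter: the hashes themselves never cross the wire; the client sends a response computed from the hash and the server's challenge. Suggest "send a challenge/response derived from the LanMan and NT password hashes instead of the plaintext password". In the preceding paragraph, "by encrypting them and comparing them to the hash" should say "hashing", to match "hash stored in the UNIX user database".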
@ -221,7 +217,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
In addition to differently encrypted passwords, Windows also stores certain data for each
user that is not stored in a UNIX user database. For example, workstations the user may logon from,
user that is not stored in a UNIX user database: for example, workstations the user may logon from,
the location where the user's profile is stored, and so on. Samba retrieves and stores this
information using a <smbconfoption name="passdb backend"/>. Commonly available backends are LDAP, plain text
file, and MySQL. For more information, see the man page for &smb.conf; regarding the
@ -235,10 +231,11 @@ Samba-3 introduces a number of new password backend capabilities.
</figure>
<para>
<indexterm><primary>SID</primary></indexterm>
The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd is not running, or cannot
be contacted, then only local SID/UID resolution is possible. See <link linkend="idmap-sid2uid">resolution of SIDs to UIDs</link> and
<link linkend="idmap-uid2sid">resolution of UIDs to SIDs</link> diagrams.
<indexterm><primary>SID</primary></indexterm>
The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd
is not running or cannot be contacted, then only local SID/UID resolution is possible. See <link
linkend="idmap-sid2uid">resolution of SIDs to UIDs</link> and <link linkend="idmap-uid2sid">resolution of UIDs
to SIDs</link> diagrams.
</para>
<figure id="idmap-uid2sid">
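Review bot: duplicate index term. This hunk adds a second `<indexterm><primary>SID</primary></indexterm>` directly after the existing one, so the index will carry two entries pointing at the same paragraph; drop the added copy.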
@ -253,20 +250,20 @@ Samba-3 introduces a number of new password backend capabilities.
The UNIX and SMB password encryption techniques seem similar on the surface. This
similarity is, however, only skin deep. The UNIX scheme typically sends clear-text
passwords over the network when logging in. This is bad. The SMB encryption scheme
never sends the clear-text password over the network but it does store the 16 byte
never sends the clear-text password over the network, but it does store the 16-byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed values
are a <quote>password equivalent.</quote> You cannot derive the user's password from them, but
they could potentially be used in a modified client to gain access to a server.
This would require considerable technical knowledge on behalf of the attacker but
is perfectly possible. You should thus treat the data stored in whatever passdb
is perfectly possible. You should therefore treat the data stored in whatever passdb
backend you use (smbpasswd file, LDAP, MYSQL) as though it contained the clear-text
passwords of all your users. Its contents must be kept secret and the file should
passwords of all your users. Its contents must be kept secret, and the file should
be protected accordingly.
</para>
<para>
Ideally, we would like a password scheme that involves neither plain text passwords
on the network nor on disk. Unfortunately, this is not available as Samba is stuck with
Ideally, we would like a password scheme that involves neither plaintext passwords
on the network nor plaintext passwords on disk. Unfortunately, this is not available because Samba is stuck with
having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me).
</para>
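Review bot: terminology is inconsistent after this hunk. The paragraph keeps "clear-text" in three places while every other passage the commit touched was normalized to "plaintext"; "16-byte" is hyphenated on one line and "16 byte" is not on the next; and "MYSQL" should be "MySQL", as in the backend list earlier in the chapter. The advice itself is correct and worth keeping prominent: the stored hashes are password equivalents, so whatever passdb backend is in use must be protected as if it held cleartext passwords.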
@ -290,7 +287,7 @@ Samba-3 introduces a number of new password backend capabilities.
<note>
<para>
MS Windows XP Home does not have facilities to become a Domain Member and it cannot participate in domain logons.
MS Windows XP Home does not have facilities to become a domain member, and it cannot participate in domain logons.
</para>
</note>
@ -308,18 +305,18 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
All current releases of Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling clear-text authentication
SMB challenge/response mechanism described here. Enabling clear-text authentication
does not disable the ability of the client to participate in encrypted authentication.
Instead, it allows the client to negotiate either plain text or encrypted password
Instead, it allows the client to negotiate either plaintext or encrypted password
handling.
</para>
<para>
MS Windows clients will cache the encrypted password alone. Where plain text passwords
are re-enabled through the appropriate registry change, the plain text password is never
MS Windows clients will cache the encrypted password alone. Where plaintext passwords
are re-enabled through the appropriate registry change, the plaintext password is never
cached. This means that in the event that a network connections should become disconnected
(broken), only the cached (encrypted) password will be sent to the resource server to
effect an auto-reconnect. If the resource server does not support encrypted passwords the
effect an auto-reconnect. If the resource server does not support encrypted passwords, the
auto-reconnect will fail. Use of encrypted passwords is strongly advised.
</para>
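Review bot: "in the event that a network connections should become disconnected (broken)" has a number error and a redundant parenthetical; "in the event that a network connection is broken" says the same thing. "Clear-text authentication" in the first paragraph is another leftover of the term the rest of the commit replaced with "plaintext".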
@ -336,10 +333,10 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem><para>Windows NT does not like talking to a server
that does not support encrypted passwords. It will refuse
to browse the server if the server is also in User Level
to browse the server if the server is also in user-level
security mode. It will insist on prompting the user for the
password on each connection, which is very annoying. The
only things you can do to stop this is to use SMB encryption.
only thing you can do to stop this is to use SMB encryption.
</para></listitem>
<listitem><para>Encrypted password support allows automatic share
@ -356,13 +353,13 @@ Samba-3 introduces a number of new password backend capabilities.
<itemizedlist>
<listitem><para>Plaintext passwords are not kept
on disk, and are not cached in memory. </para></listitem>
on disk and are not cached in memory. </para></listitem>
<listitem><para>Uses same password file as other UNIX
services such as Login and FTP.</para></listitem>
<listitem><para>Plaintext passwords use the same password file as other UNIX
services, such as Login and FTP.</para></listitem>
<listitem><para>Use of other services (such as Telnet and FTP) that
send plain text passwords over the network, so sending them for SMB
send plaintext passwords over the network makes sending them for SMB
is not such a big deal.</para></listitem>
</itemizedlist>
</sect3>
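Review bot: the rewritten third list item now stacks two finite verbs, "makes sending them for SMB is not such a big deal", because the unchanged continuation line still begins with "is". Either drop "is" on the following line or recast the whole item, for example "Because other services (such as Telnet and FTP) already send plaintext passwords over the network, sending them for SMB is not such a big deal."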
@ -373,12 +370,12 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Every operation in UNIX/Linux requires a user identifier (UID), just as in
MS Windows NT4/200x this requires a Security Identifier (SID). Samba provides
MS Windows NT4/200x this requires a security identifier (SID). Samba provides
two means for mapping an MS Windows user to a UNIX/Linux UID.
</para>
<para>
First, all Samba SAM (Security Account Manager database) accounts require
First, all Samba SAM database accounts require
a UNIX/Linux UID that the account will map to. As users are added to the account
information database, Samba will call the <smbconfoption name="add user script"/>
interface to add the account to the Samba host OS. In essence all accounts in
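Review bot: replacing "Samba SAM (Security Account Manager database) accounts" with "Samba SAM database accounts" drops the expansion of the SAM acronym; unless SAM is already expanded on first use earlier in the chapter, keep the parenthetical here so the term is defined before it is relied on in the following paragraphs.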
@ -388,7 +385,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>idmap gid</primary></indexterm>
The second way to effect Windows SID to UNIX UID mapping is via the
The second way to map Windows SID to UNIX UID is via the
<emphasis>idmap uid</emphasis> and <emphasis>idmap gid</emphasis> parameters in &smb.conf;.
Please refer to the man page for information about these parameters.
These parameters are essential when mapping users from a remote SAM server.
@ -402,7 +399,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
on all servers in a distributed network. A distributed network is one where there exists
a PDC, one or more BDCs and/or one or more Domain Member servers. Why is this important?
a PDC, one or more BDCs, and/or one or more domain member servers. Why is this important?
This is important if files are being shared over more than one protocol (e.g., NFS) and where
users are copying files across UNIX/Linux systems using tools such as <command>rsync</command>.
</para>
@ -411,23 +408,22 @@ Samba-3 introduces a number of new password backend capabilities.
<indexterm><primary>idmap backend</primary></indexterm>
The special facility is enabled using a parameter called <parameter>idmap backend</parameter>.
The default setting for this parameter is an empty string. Technically it is possible to use
an LDAP based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
network configurations that also use LDAP for the SAM backend. Following
<link linkend="idmapbackendexample">example</link> shows that.
an LDAP-based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
network configurations that also use LDAP for the SAM backend.
<link linkend="idmapbackendexample">Example Configuration with the LDAP idmap Backend</link>
shows that configuration.
</para>
<para>
<indexterm><primary>SAM backend</primary><secondary>ldapsam</secondary></indexterm>
<example id="idmapbackendexample">
<title>Example configuration with the LDAP idmap backend</title>
<title>Example Configuration with the LDAP idmap Backend</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="idmap backend">ldap:ldap://ldap-server.quenya.org:636</smbconfoption>
<smbconfcomment>Alternately, this could be specified as:</smbconfcomment>
<smbconfcomment>Alternatively, this could be specified as:</smbconfcomment>
<smbconfoption name="idmap backend">ldap:ldaps://ldap-server.quenya.org</smbconfoption>
</smbconfblock>
</example>
</para>
<para>
A network administrator who wants to make significant use of LDAP backends will sooner or later be
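Review bot: the two idmap backend URLs in the example are presented as alternatives, but "ldap://ldap-server.quenya.org:636" uses the plain LDAP scheme against port 636, the conventional LDAPS port, so it would attempt an unencrypted exchange with a TLS listener rather than being equivalent to "ldaps://ldap-server.quenya.org". Either make the first line "ldaps://" as well, or drop ":636" and present it as the plain-LDAP form, so readers do not copy a mismatched scheme and port into a production configuration. Separately, the link text now hard-codes the example title; a DocBook xref would keep it in sync if the title is edited again.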
@ -438,9 +434,9 @@ Samba-3 introduces a number of new password backend capabilities.
<itemizedlist>
<listitem>
<para>
<emphasis>nss_ldap:</emphasis> An LDAP Name Service Switch module to provide native
<emphasis>nss_ldap:</emphasis> An LDAP name service switch (NSS) module to provide native
name service support for AIX, Linux, Solaris, and other operating systems. This tool
can be used for centralized storage and retrieval of UIDs/GIDs.
can be used for centralized storage and retrieval of UIDs and GIDs.
</para>
</listitem>
@ -453,7 +449,7 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem>
<para>
<emphasis>idmap_ad:</emphasis> An IDMAP backend that supports the Microsoft Services for
UNIX RFC 2307 schema available from the PADL web
UNIX RFC 2307 schema available from the PADL Web
<ulink url="http://www.padl.com/download/xad_oss_plugins.tar.gz">site</ulink>.
</para>
</listitem>
@ -467,7 +463,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and configuration
of an LDAP directory prior to integration with Samba. A working knowledge of LDAP makes Samba integration
easy and the lack of a working knowledge of LDAP can make it one a frustrating experience.
easy, and the lack of a working knowledge of LDAP can make it one a frustrating experience.
</para>
<para>
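Review bot: the rewritten line keeps the stray word in "can make it one a frustrating experience"; it should read "can make it a frustrating experience".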
@ -476,32 +472,32 @@ Samba-3 introduces a number of new password backend capabilities.
</para>
<para>
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba.
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinquishable from each other, except that
the machine account ends in a '$' character, as do trust accounts.
the machine account ends in a $ character, as do trust accounts.
</para>
<para>
The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX uid
The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX UID
is a design decision that was made a long way back in the history of Samba development. It is
unlikely that this decision will be reversed of changed during the remaining life of the
unlikely that this decision will be reversed or changed during the remaining life of the
Samba-3.x series.
</para>
<para>
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The Name Service
Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the
must refer back to the host operating system on which Samba is running. The
NSS is the preferred mechanism that shields applications (like Samba) from the
need to know everything about every host OS it runs on.
</para>
<para>
Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>,
and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
Samba. Samba provides winbindd together with its support libraries as one method. It is
possible to do this via LDAP - and for that Samba provides the appropriate hooks so that
Samba. Samba provides winbindd with its support libraries as one method. It is
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
</para>
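Review bot: "indistinquishable" in the unchanged line "A user account and a machine account are indistinquishable from each other" is misspelled and should be "indistinguishable"; since this copyedit pass touches the surrounding lines, it is worth fixing in the same change.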
@ -522,15 +518,15 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
<indexterm><primary>pdbedit</primary></indexterm>
Samba provides two tools for management of user and machine accounts. These tools are
called <command>smbpasswd</command> and <command>pdbedit</command>.
Samba provides two tools for management of user and machine accounts:
<command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<sect2>
<title>The <emphasis>smbpasswd</emphasis> Command</title>
<para>
The smbpasswd utility is similar to the <command>passwd</command>
or <command>yppasswd</command> programs. It maintains the two 32 byte password
and <command>yppasswd</command> programs. It maintains the two 32 byte password
fields in the passdb backend.
</para>
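Review bot: "the two 32 byte password fields" should be hyphenated as "32-byte" for consistency with "16-byte" and "250-user" elsewhere in this patch; more importantly, the attribute table later in the chapter describes sambaLMPassword and sambaNTPassword as 16-byte hashes stored as hexadecimal strings, so "32 byte" is describing the 32-character hex encoding, not the hash size. Suggest "the two password hash fields (each a 16-byte hash stored as 32 hexadecimal characters)".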
@ -541,8 +537,8 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<para>
<command>smbpasswd</command> has the capability to change passwords on Windows NT
servers (this only works when the request is sent to the NT Primary Domain Controller
if changing an NT Domain user's password).
servers (this only works when the request is sent to the NT PDC
if changing an NT domain user's password).
</para>
<para>
@ -558,11 +554,11 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<listitem><para><emphasis>enable</emphasis> user or machine accounts.</para></listitem>
<listitem><para><emphasis>disable</emphasis> user or machine accounts.</para></listitem>
<listitem><para><emphasis>set to NULL</emphasis> user passwords.</para></listitem>
<listitem><para><emphasis>manage interdomain trust accounts.</emphasis></para></listitem>
<listitem><para><emphasis>manage</emphasis> interdomain trust accounts.</para></listitem>
</itemizedlist>
<para>
To run smbpasswd as a normal user just type:
To run smbpasswd as a normal user, just type:
</para>
<para>
@ -570,7 +566,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
&prompt;<userinput>smbpasswd</userinput>
<prompt>Old SMB password: </prompt><userinput><replaceable>secret</replaceable></userinput>
</screen>
For <replaceable>secret</replaceable>, type old value here or press return if
For <replaceable>secret</replaceable>, type the old value here or press return if
there is no old password.
<screen>
<prompt>New SMB Password: </prompt><userinput><replaceable>new secret</replaceable></userinput>
@ -584,13 +580,13 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<para>
When invoked by an ordinary user, the command will only allow the user to change his or her own
When invoked by an ordinary user, the command will allow only the user to change his or her own
SMB password.
</para>
<para>
When run by root, <command>smbpasswd</command> may take an optional argument specifying
the user name whose SMB password you wish to change. When run as root, <command>smbpasswd</command>
the username whose SMB password you wish to change. When run as root, <command>smbpasswd</command>
does not prompt for or check the old password value, thus allowing root to set passwords
for users who have forgotten their passwords.
</para>
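Review bot: moving "only" to "will allow only the user to change his or her own SMB password" changes what it qualifies, so the sentence now reads as a restriction on who is allowed rather than on what may be changed. The intended meaning is "will allow the user to change only his or her own SMB password".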
@ -598,7 +594,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<para>
<command>smbpasswd</command> is designed to work in the way familiar to UNIX
users who use the <command>passwd</command> or <command>yppasswd</command> commands.
While designed for administrative use, this tool provides essential User Level
While designed for administrative use, this tool provides essential user-level
password change capabilities.
</para>
@ -621,7 +617,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<itemizedlist>
<listitem><para>add, remove or modify user accounts.</para></listitem>
<listitem><para>add, remove, or modify user accounts.</para></listitem>
<listitem><para>list user accounts.</para></listitem>
<listitem><para>migrate user accounts.</para></listitem>
</itemizedlist>
@ -630,7 +626,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<indexterm><primary>pdbedit</primary></indexterm>
The <command>pdbedit</command> tool is the only one that can manage the account
security and policy settings. It is capable of all operations that smbpasswd can
do as well as a super set of them.
do as well as a superset of them.
</para>
<para>
@ -672,7 +668,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
<para>
<indexterm><primary>pdbedit</primary></indexterm>
The <command>pdbedit</command> tool allows migration of authentication (account)
databases from one backend to another. For example: To migrate accounts from an
databases from one backend to another. For example, to migrate accounts from an
old <filename>smbpasswd</filename> database to a <parameter>tdbsam</parameter>
backend:
</para>
@ -690,7 +686,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
</para></step>
<step><para>
Now remove the <parameter>smbpasswd</parameter> from the passdb backend
Remove the <parameter>smbpasswd</parameter> from the passdb backend
configuration in &smb.conf;.
</para></step>
</procedure>
@ -708,7 +704,7 @@ capability.
</para>
<para>
It is possible to specify not only multiple different password backends, but even multiple
It is possible to specify not only multiple password backends, but even multiple
backends of the same type. For example, to use two different tdbsam databases:
</para>
@ -726,15 +722,15 @@ backends of the same type. For example, to use two different tdbsam databases:
Older versions of Samba retrieved user information from the UNIX user database
and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
SMB specific data is stored at all. Instead all operations are conducted via the way
SMB-specific data is stored at all. Instead, all operations are conducted via the way
that the Samba host OS will access its <filename>/etc/passwd</filename> database.
Linux systems For example, all operations are done via PAM.
On Linux systems, for example, all operations are done via PAM.
</para>
</sect2>
<sect2>
<title>smbpasswd &smbmdash; Encrypted Password Database</title>
<title>smbpasswd: Encrypted Password Database</title>
<para>
<indexterm><primary>SAM backend</primary><secondary>smbpasswd</secondary></indexterm>
@ -755,29 +751,29 @@ backends of the same type. For example, to use two different tdbsam databases:
</para></listitem>
<listitem><para>
The second problem is that administrators who desire to replicate a smbpasswd file
to more than one Samba server were left to use external tools such as
<command>rsync(1)</command> and <command>ssh(1)</command> and wrote custom,
The second problem is that administrators who desire to replicate an smbpasswd file
to more than one Samba server are left to use external tools such as
<command>rsync(1)</command> and <command>ssh(1)</command> and write custom,
in-house scripts.
</para></listitem>
<listitem><para>
Finally, the amount of information that is stored in an smbpasswd entry leaves
no room for additional attributes such as a home directory, password expiration time,
or even a Relative Identifier (RID).
or even a relative identifier (RID).
</para></listitem>
</itemizedlist>
<para>
As a result of these deficiencies, a more robust means of storing user attributes
used by smbd was developed. The API which defines access to user accounts
is commonly referred to as the samdb interface (previously this was called the passdb
API, and is still so named in the Samba CVS trees).
used by smbd was developed. The API that defines access to user accounts
is commonly referred to as the samdb interface (previously, this was called the passdb
API and is still so named in the Samba CVS trees).
</para>
<para>
Samba provides an enhanced set of passdb backends that overcome the deficiencies
of the smbpasswd plain text database. These are tdbsam, ldapsam and xmlsam.
of the smbpasswd plaintext database. These are tdbsam, ldapsam, and xmlsam.
Of these, ldapsam will be of most interest to large corporate or enterprise sites.
</para>
@ -788,7 +784,7 @@ backends of the same type. For example, to use two different tdbsam databases:
<para>
<indexterm><primary>SAM backend</primary><secondary>tdbsam</secondary></indexterm>
Samba can store user and machine account data in a <quote>TDB</quote> (Trivial Database).
Samba can store user and machine account data in a <quote>TDB</quote> (trivial database).
Using this backend does not require any additional configuration. This backend is
recommended for new installations that do not require LDAP.
</para>
@ -801,10 +797,10 @@ backends of the same type. For example, to use two different tdbsam databases:
</para>
<para>
The recommendation of a 250 user limit is purely based on the notion that this
The recommendation of a 250-user limit is purely based on the notion that this
would generally involve a site that has routed networks, possibly spread across
more than one physical location. The Samba Team has not at this time established
the performance based scalability limits of the tdbsam architecture.
the performance-based scalability limits of the tdbsam architecture.
</para>
</sect2>
@ -820,7 +816,7 @@ backends of the same type. For example, to use two different tdbsam databases:
<itemizedlist>
<listitem><para>A means of retrieving user account information from
an Windows 200x Active Directory server.</para></listitem>
a Windows 200x Active Directory server.</para></listitem>
<listitem><para>A means of replacing /etc/passwd.</para></listitem>
</itemizedlist>
@ -828,9 +824,9 @@ backends of the same type. For example, to use two different tdbsam databases:
The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
versions of these libraries can be obtained from
<ulink url="http://www.padl.com/">PADL Software</ulink>.
More information about the configuration of these packages may be found at
More information about the configuration of these packages may be found in
<ulink url="http://safari.oreilly.com/?XmlId=1-56592-491-6">
<emphasis>LDAP, System Administration</emphasis>; Gerald Carter by O'Reilly; Chapter 6: Replacing NIS."</ulink>
<emphasis>LDAP, System Administration</emphasis> by Gerald Carter, Chapter 6, Replacing NIS"</ulink>.
</para>
<para>
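Review bot: the rewritten citation still ends with an unbalanced quotation mark in "Chapter 6, Replacing NIS"</ulink>". Either remove the stray double quote or wrap the chapter title in a matching pair.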
@ -847,7 +843,7 @@ backends of the same type. For example, to use two different tdbsam databases:
</itemizedlist>
<para>
Two additional Samba resources which may prove to be helpful are:
Two additional Samba resources that may prove to be helpful are:
</para>
<itemizedlist>
@ -855,7 +851,7 @@ backends of the same type. For example, to use two different tdbsam databases:
maintained by Ignacio Coupeau.</para></listitem>
<listitem><para>The NT migration scripts from <ulink url="http://samba.idealx.org/">IDEALX</ulink> that are
geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
geared to manage users and groups in such a Samba-LDAP domain controller configuration.
</para></listitem>
</itemizedlist>
@ -863,10 +859,10 @@ backends of the same type. For example, to use two different tdbsam databases:
<title>Supported LDAP Servers</title>
<para>
The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
The LDAP ldapsam code was developed and tested using the OpenLDAP 2.0 and 2.1 server and
client libraries. The same code should work with Netscape's Directory Server and client SDK.
However, there are bound to be compile errors and bugs. These should not be hard to fix.
Please submit fixes via the process outlined in <link linkend="bugreport">Reporting Bugs</link> chapter.
Please submit fixes via the process outlined in <link linkend="bugreport">Reporting Bugs</link>.
</para>
</sect3>
@ -904,8 +900,8 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
<para>
Just as the smbpasswd file is meant to store information that provides information additional to a
user's <filename>/etc/passwd</filename> entry, so is the sambaSamAccount object
meant to supplement the UNIX user account information. A sambaSamAccount is a
<constant>AUXILIARY</constant> ObjectClass so it can be used to augment existing
meant to supplement the UNIX user account information. A sambaSamAccount is an
<constant>AUXILIARY</constant> ObjectClass, so it can be used to augment existing
user account information in the LDAP directory, thus providing information needed
for Samba account handling. However, there are several fields (e.g., uid) that overlap
with the posixAccount ObjectClass outlined in RFC2307. This is by design.
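Review bot: "RFC2307" in the unchanged line "posixAccount ObjectClass outlined in RFC2307" is written without a space, whereas the idmap_ad item earlier in this patch uses "RFC 2307"; pick one form for the chapter.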
@ -916,9 +912,9 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
<para>
In order to store all user account information (UNIX and Samba) in the directory,
it is necessary to use the sambaSamAccount and posixAccount ObjectClass es in
it is necessary to use the sambaSamAccount and posixAccount ObjectClasses in
combination. However, smbd will still obtain the user's UNIX account
information via the standard C library calls (e.g., getpwnam(), et al).
information via the standard C library calls, such as getpwnam().
This means that the Samba server must also have the LDAP NSS library installed
and functioning correctly. This division of information makes it possible to
store all Samba account information in LDAP, but still maintain UNIX account
@ -968,7 +964,7 @@ include /etc/openldap/schema/samba.schema
<para>
It is recommended that you maintain some indices on some of the most useful attributes,
as in the following example, to speed up searches made on sambaSamAccount objectclasses
as in the following example, to speed up searches made on sambaSamAccount ObjectClasses
(and possibly posixAccount and posixGroup as well):
</para>
@ -1024,7 +1020,7 @@ index default sub
<title>Initialize the LDAP Database</title>
<para>
Before you can add accounts to the LDAP database you must create the account containers
Before you can add accounts to the LDAP database, you must create the account containers
that they will be stored in. The following LDIF file should be modified to match your
needs (DNS entries, and so on):
</para>
@ -1111,8 +1107,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<note>
<para>
Before Samba can access the LDAP server you need to store the LDAP admin password
into the Samba-3 <filename>secrets.tdb</filename> database by:
Before Samba can access the LDAP server, you need to store the LDAP admin password
in the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
&rootprompt;<userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
</screen>
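Review bot: the documented command "smbpasswd -w secret" passes the LDAP admin password as a command-line argument, which makes it visible to other local users in process listings and leaves it in the root shell's history. Since this note is the only place readers are told how to seed secrets.tdb, it should also say to run the command where the argument is not recorded (for example with shell history disabled) and to keep secrets.tdb readable by root only.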
@ -1130,7 +1126,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
LDAP libraries are found.
</para>
<para>LDAP related smb.conf options:
<para>LDAP-related smb.conf options are
<smbconfoption name="passdb backend">ldapsam:url</smbconfoption>,
<smbconfoption name="ldap admin dn"/>,
<smbconfoption name="ldap delete dn"/>,
@ -1146,8 +1142,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
These are described in the &smb.conf; man
page and so will not be repeated here. However, a <link linkend="confldapex">sample &smb.conf; file</link> for
use with an LDAP directory could appear as shown below.
page and so are not repeated here. However, a <link linkend="confldapex">sample &smb.conf; file</link> for
use with an LDAP directory could appear as in Example 10.4.1.
</para>
<example id="confldapex">
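Review bot: "could appear as in Example 10.4.1" hard-codes an example number into the DocBook source, so it will silently go stale if examples are added or the chapter is renumbered; the sentence already carries a link with linkend="confldapex", so an xref to that id would generate the correct number automatically.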
@ -1204,13 +1200,13 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<indexterm><primary>User Management</primary></indexterm>
<indexterm><primary>User Accounts</primary><secondary>Adding/Deleting</secondary></indexterm>
As user accounts are managed through the sambaSamAccount objectclass, you should
Because user accounts are managed through the sambaSamAccount ObjectClass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</para>
<para>
Machine accounts are managed with the sambaSamAccount objectclass, just
like users accounts. However, it is up to you to store those accounts
Machine accounts are managed with the sambaSamAccount ObjectClass, just
like user accounts. However, it is up to you to store those accounts
in a different tree of your LDAP namespace. You should use
<quote>ou=Groups,dc=quenya,dc=org</quote> to store groups and
<quote>ou=People,dc=quenya,dc=org</quote> to store users. Just configure your
@ -1220,7 +1216,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
In Samba-3, the group management system is based on POSIX
groups. This means that Samba makes use of the posixGroup objectclass.
groups. This means that Samba makes use of the posixGroup ObjectClass.
For now, there is no NT-like group system management (global and local
groups). Samba-3 knows only about <constant>Domain Groups</constant>
and, unlike MS Windows 2000 and Active Directory, Samba-3 does not
@ -1248,8 +1244,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
These password hashes are clear-text equivalents and can be used to impersonate
the user without deriving the original clear-text strings. For more information
on the details of LM/NT password hashes, refer to the
<link linkend="passdb">Account Information Database</link> section of this chapter.
on the details of LM/NT password hashes, refer to <link linkend="passdb">the Account Information
Database section</link>.
</para>
<para>
@ -1288,44 +1284,44 @@ access to attrs=SambaLMPassword,SambaNTPassword
<sect3>
<title>LDAP Special Attributes for sambaSamAccounts</title>
<para> The sambaSamAccount objectclass is composed of the attributes shown in next tables: <link
<para> The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: <link
linkend="attribobjclPartA">Part A</link>, and <link linkend="attribobjclPartB">Part B</link>.
</para>
<para>
<table frame="all" id="attribobjclPartA">
<title>Attributes in the sambaSamAccount objectclass (LDAP) &smbmdash; Part A</title>
<title>Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</title>
<tgroup cols="2" align="justify">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
<row><entry><constant>sambaLMPassword</constant></entry><entry>The LANMAN password 16-byte hash stored as a character
<row><entry><constant>sambaLMPassword</constant></entry><entry>The LanMan password 16-byte hash stored as a character
representation of a hexadecimal string.</entry></row>
<row><entry><constant>sambaNTPassword</constant></entry><entry>The NT password hash 16-byte stored as a character
<row><entry><constant>sambaNTPassword</constant></entry><entry>The NT password 16-byte hash stored as a character
representation of a hexadecimal string.</entry></row>
<row><entry><constant>sambaPwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>sambaLMPassword</constant> and <constant>sambaNTPassword</constant> attributes were last set.
</entry></row>
<row><entry><constant>sambaAcctFlags</constant></entry><entry>String of 11 characters surrounded by square brackets []
<row><entry><constant>sambaAcctFlags</constant></entry><entry>String of 11 characters surrounded by square brackets [ ]
representing account flags such as U (user), W (workstation), X (no password expiration),
I (Domain trust account), H (Home dir required), S (Server trust account),
I (domain trust account), H (home dir required), S (server trust account),
and D (disabled).</entry></row>
<row><entry><constant>sambaLogonTime</constant></entry><entry>Integer value currently unused</entry></row>
<row><entry><constant>sambaLogonTime</constant></entry><entry>Integer value currently unused.</entry></row>
<row><entry><constant>sambaLogoffTime</constant></entry><entry>Integer value currently unused</entry></row>
<row><entry><constant>sambaLogoffTime</constant></entry><entry>Integer value currently unused.</entry></row>
<row><entry><constant>sambaKickoffTime</constant></entry><entry>Specifies the time (UNIX time format) when the user
will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire.
If you use this attribute together with `shadowExpire' of the `shadowAccount' objectClass, will enable accounts to
Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to
expire completely on an exact date.</entry></row>
<row><entry><constant>sambaPwdCanChange</constant></entry><entry>Specifies the time (UNIX time format) from which on the user is allowed to
<row><entry><constant>sambaPwdCanChange</constant></entry><entry>Specifies the time (UNIX time format) after which the user is allowed to
change his password. If attribute is not set, the user will be free to change his password whenever he wants.</entry></row>
<row><entry><constant>sambaPwdMustChange</constant></entry><entry>Specifies the time (UNIX time format) since when the user is
forced to change his password. If this value is set to `0', the user will have to change his password at first login.
<row><entry><constant>sambaPwdMustChange</constant></entry><entry>Specifies the time (UNIX time format) when the user is
forced to change his password. If this value is set to 0, the user will have to change his password at first login.
If this attribute is not set, then the password will never expire.</entry></row>
<row><entry><constant>sambaHomeDrive</constant></entry><entry>Specifies the drive letter to which to map the
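Review bot: the rewritten intro line still reads "shown in next tables" and needs the article, "shown in the next tables". Two unchanged rows in this hunk carry the same kind of slips the rest of the patch fixes: "cannot login any longer" in the sambaKickoffTime row should use the verb form "log in", and "If attribute is not set" in the sambaPwdCanChange row should read "If the attribute is not set".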
@ -1353,21 +1349,21 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
<para>
<table frame="all" id="attribobjclPartB">
<title>Attributes in the sambaSamAccount objectclass (LDAP) &smbmdash; Part B</title>
<title>Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</title>
<tgroup cols="2" align="justify">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
<row><entry><constant>sambaUserWorkstations</constant></entry><entry>Here you can give a comma-separated list of machines
on which the user is allowed to login. You may observe problems when you try to connect to an Samba Domain Member.
Because Domain Members are not in this list, the Domain Controllers will reject them. Where this attribute is omitted,
on which the user is allowed to login. You may observe problems when you try to connect to a Samba domain member.
Because domain members are not in this list, the domain controllers will reject them. Where this attribute is omitted,
the default implies no restrictions.
</entry></row>
<row><entry><constant>sambaSID</constant></entry><entry>The security identifier(SID) of the user.
The Windows equivalent of UNIX UIDs.</entry></row>
<row><entry><constant>sambaPrimaryGroupSID</constant></entry><entry>The Security IDentifier (SID) of the primary group
<row><entry><constant>sambaPrimaryGroupSID</constant></entry><entry>The security identifier (SID) of the primary group
of the user.</entry></row>
<row><entry><constant>sambaDomainName</constant></entry><entry>Domain the user is part of.</entry></row>
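Review bot: the rewritten sambaUserWorkstations row keeps "allowed to login", which should be the verb form "allowed to log in"; and the unchanged sambaSID row has "security identifier(SID)" with no space before the parenthesis, while the sambaPrimaryGroupSID row in the same hunk is corrected to "security identifier (SID)".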
@ -1378,7 +1374,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
The majority of these parameters are only used when Samba is acting as a PDC of
a domain (refer to <link linkend="samba-pdc">Domain Control</link>, for details on
how to configure Samba as a Primary Domain Controller). The following four attributes
how to configure Samba as a PDC). The following four attributes
are only stored with the sambaSamAccount entry if the values are non-default values:
</para>
@ -1393,7 +1389,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
These attributes are only stored with the sambaSamAccount entry if
the values are non-default values. For example, assume MORIA has now been
configured as a PDC and that <smbconfoption name="logon home">\\%L\%u</smbconfoption> was defined in
its &smb.conf; file. When a user named <quote>becky</quote> logons to the domain,
its &smb.conf; file. When a user named <quote>becky</quote> logs on to the domain,
the <smbconfoption name="logon home"/> string is expanded to \\MORIA\becky.
If the smbHome attribute exists in the entry <quote>uid=becky,ou=People,dc=samba,dc=org</quote>,
this value is used. However, if this attribute does not exist, then the value
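Review bot: the unchanged sentence "If the smbHome attribute exists in the entry ..." uses an attribute name without the samba prefix, while every attribute in the table above (sambaSID, sambaPrimaryGroupSID, sambaUserWorkstations) carries it; check that smbHome is the intended sambaSamAccount attribute for the logon home value and rename it if not, since this paragraph is being copy-edited anyway.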
@ -1408,7 +1404,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Example LDIF Entries for a sambaSamAccount</title>
<para>
The following is a working LDIF that demonstrates the use of the SambaSamAccount objectclass:
The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass:
</para>
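Review bot: the title two lines above still reads "sambaSamAccount" while the sentence being edited says "SambaSamAccount"; pick one spelling (the table titles in this chapter use the lowercase "sambaSamAccount") so the ObjectClass name is written consistently.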
<para>
@ -1432,7 +1428,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
The following is an LDIF entry for using both the sambaSamAccount and
posixAccount objectclasses:
posixAccount ObjectClasses:
</para>
<para>
@ -1468,15 +1464,15 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Password Synchronization</title>
<para>
Samba-3 and later can update the non-samba (LDAP) password stored with an account. When
Samba-3 and later can update the non-Samba (LDAP) password stored with an account. When
using pam_ldap, this allows changing both UNIX and Windows passwords at once.
</para>
<para>The <smbconfoption name="ldap passwd sync"/> options can have the values shown in
<link linkend="ldappwsync">the next table</link>.</para>
<link linkend="ldappwsync">Table 10.3</link>.</para>
<table frame="all" id="ldappwsync">
<title>Possible <emphasis>ldap passwd sync</emphasis> values</title>
<title>Possible <emphasis>ldap passwd sync</emphasis> Values</title>
<tgroup cols="2">
<colspec align="left" colwidth="1*"/>
<colspec align="justify" colwidth="4*"/>
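Review bot: replacing "the next table" with a hard-coded "Table 10.3" inside the link makes the text wrong as soon as a table or chapter is added, removed or moved; an xref with linkend="ldappwsync" lets DocBook generate the number, and the later hunks in this commit use the table title as the link text instead, so one of those two approaches should be used here as well.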
@ -1485,13 +1481,13 @@ access to attrs=SambaLMPassword,SambaNTPassword
</thead>
<tbody>
<row><entry>yes</entry><entry><para>When the user changes his password, update
<constant>SambaNTPassword</constant>, <constant>SambaLMPassword</constant>
<constant>SambaNTPassword</constant>, <constant>SambaLMPassword</constant>,
and the <constant>password</constant> fields.</para></entry></row>
<row><entry>no</entry><entry><para>Only update <constant>SambaNTPassword</constant> and <constant>SambaLMPassword</constant>.</para></entry></row>
<row><entry>only</entry><entry><para>Only update the LDAP password and let the LDAP server worry about the other fields.
This option is only available on some LDAP servers. Only when the LDAP server
This option is only available on some LDAP servers and only when the LDAP server
supports LDAP_EXOP_X_MODIFY_PASSWD.</para></entry></row>
</tbody>
</tgroup>
@ -1509,10 +1505,10 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
<indexterm><primary>SAM backend</primary><secondary>mysqlsam</secondary></indexterm>
Every so often someone will come along with a great new idea. Storing user accounts in a
Every so often someone comes along with a great new idea. Storing user accounts in a
SQL backend is one of them. Those who want to do this are in the best position to know what the
specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt
to document every little detail why certain things of marginal utility to the bulk of
to document every little detail of why certain things of marginal utility to the bulk of
Samba users might make sense to the rest. In any case, the following instructions should help
the determined SQL user to implement a working system.
</para>
@ -1521,10 +1517,11 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Creating the Database</title>
<para>
You can set up your own table and specify the field names to pdb_mysql (see below
for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
contains the correct queries to create the required tables. Use the command:
You can set up your own table and specify the field names to pdb_mysql (see
<link linkend="moremysqlpdbe">MySQL field names for MySQL passdb backend</link> for
the column names) or use the default table. The file
<filename>examples/pdb/mysql/mysql.dump</filename> contains the correct queries to
create the required tables. Use the command:
<screen>
&prompt;<userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> \
<replaceable>databasename</replaceable> &lt; <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput>
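Review bot: the example command passes the database password on the command line as -p<password>, which leaves it in shell history and visible to anyone who can list processes on the host; show -p with no value so that mysql prompts for it, or mention that the credentials can be kept in the [client] section of ~/.my.cnf with restrictive permissions. Also, the link text "MySQL field names for MySQL passdb backend" does not follow the title-case form ("Basic smb.conf Options for MySQL passdb Backend") adopted in the next hunk; since the table titles are being title-cased in this commit, the link text should match.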
@ -1550,11 +1547,11 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
Additional options can be given through the &smb.conf; file in the <smbconfsection name="[global]"/> section.
Refer to <link linkend="mysqlpbe">the following table</link>.
Refer to <link linkend="mysqlpbe">Basic smb.conf Options for MySQL passdb Backend</link>.
</para>
<table frame="all" id="mysqlpbe">
<title>Basic smb.conf options for MySQL passdb backend</title>
<title>Basic smb.conf Options for MySQL passdb Backend</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
@ -1579,8 +1576,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
</warning>
<para>Names of the columns are given in <link linkend="moremysqlpdbe">the next table</link>.
The default column names can be found in the example table dump.
<para>Names of the columns are given in <link linkend="moremysqlpdbe">MySQL field names for MySQL
passdb backend</link>. The default column names can be found in the example table dump.
</para>
<para>
@ -1594,12 +1591,12 @@ access to attrs=SambaLMPassword,SambaNTPassword
<row><entry>Field</entry><entry>Type</entry><entry>Contents</entry></row>
</thead>
<tbody>
<row><entry>logon time column</entry><entry>int(9)</entry><entry>UNIX time stamp of last logon of user</entry></row>
<row><entry>logoff time column</entry><entry>int(9)</entry><entry>UNIX time stamp of last logoff of user</entry></row>
<row><entry>kickoff time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment user should be kicked off workstation (not enforced)</entry></row>
<row><entry>pass last set time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment password was last set</entry></row>
<row><entry>pass can change time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment from which password can be changed</entry></row>
<row><entry>pass must change time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment on which password must be changed</entry></row>
<row><entry>logon time column</entry><entry>int(9)</entry><entry>UNIX timestamp of last logon of user</entry></row>
<row><entry>logoff time column</entry><entry>int(9)</entry><entry>UNIX timestamp of last logoff of user</entry></row>
<row><entry>kickoff time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment user should be kicked off workstation (not enforced)</entry></row>
<row><entry>pass last set time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment password was last set</entry></row>
<row><entry>pass can change time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment from which password can be changed</entry></row>
<row><entry>pass must change time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment on which password must be changed</entry></row>
<row><entry>username column</entry><entry>varchar(255)</entry><entry>UNIX username</entry></row>
<row><entry>domain column</entry><entry>varchar(255)</entry><entry>NT domain user belongs to</entry></row>
<row><entry>nt username column</entry><entry>varchar(255)</entry><entry>NT username</entry></row>
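Review bot: every timestamp row keeps the column type int(9), and the (9) is only a MySQL display width; the column is still a signed 32-bit integer, so values such as "pass must change time" and "kickoff time" roll over in 2038. If mysql.dump really creates that type the table is accurate as written, but a sentence noting the limitation, or a wider type in the example dump, would spare readers a later surprise.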
@ -1630,15 +1627,16 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
You can put a colon (:) after the name of each column, which
should specify the column to update when updating the table. One can also specify nothing behind the colon, in which case the field data will not be updated. Setting a column name to <parameter>NULL</parameter> means the field should not be used.
should specify the column to update when updating the table. You can also specify nothing behind the colon, in which case the field data will not be updated. Setting a column name to <parameter>NULL</parameter> means the field should not be used.
</para>
<para><link linkend="mysqlsam">An example configuration</link> looks like:
<para><link linkend="mysqlsam">An example configuration</link> is shown in <link
linkend="mysqlsam">Example Configuration for the MySQL passdb Backend</link>.
</para>
<example id="mysqlsam">
<title>Example configuration for the MySQL passdb backend</title>
<smbconfblock>
<title>Example Configuration for the MySQL passdb Backend</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="passdb backend">mysql:foo</smbconfoption>
<smbconfoption name="foo:mysql user">samba</smbconfoption>
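Review bot: the new sentence links to the same target twice: both "An example configuration" and "Example Configuration for the MySQL passdb Backend" point at linkend="mysqlsam". One link is enough, e.g. "An example configuration is shown in <link linkend="mysqlsam">Example Configuration for the MySQL passdb Backend</link>."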
@ -1653,8 +1651,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
<smbconfoption name="foo:nt pass column">nt_pass:</smbconfoption>
<smbconfcomment>The unknown 3 column is not stored</smbconfcomment>
<smbconfoption name="foo:unknown 3 column">NULL</smbconfoption>
</smbconfblock>
</example>
</smbconfblock>
</example>
</sect3>
<sect3>
@ -1662,7 +1660,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
I strongly discourage the use of plaintext passwords, however, you can use them.
I strongly discourage the use of plaintext passwords; however, you can use them.
</para>
<para>
@ -1683,7 +1681,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Getting Non-Column Data from the Table</title>
<para>
It is possible to have not all data in the database by making some `constant'.
It is possible to have not all data in the database by making some "constant."
</para>
<para>
@ -1693,7 +1691,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
Or, set `identifier:workstations column' to:
<command>NULL</command></para>
<command>NULL</command></para>.
<para>See the MySQL documentation for more language constructs.</para>
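Review bot: the period in "<command>NULL</command></para>." now sits outside the <para>, so it is stray text between block elements and will either fail validation or render as a lone dot on its own line; move it inside the paragraph: "<command>NULL</command>.</para>".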
@ -1716,7 +1714,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
<para>
(where filename is the name of the file to put the data in)
where filename is the name of the file to put the data in.
</para>
<para>
@ -1735,7 +1733,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para><quote>I've installed Samba, but now I can't log on with my UNIX account! </quote></para>
<para>Make sure your user has been added to the current Samba <smbconfoption name="passdb backend"/>.
Read the section <link linkend="acctmgmttools">Account Management Tools</link> for details.</para>
Read the <link linkend="acctmgmttools">Account Management Tools,</link> for details.</para>
</sect2>
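Review bot: "Read the <link>Account Management Tools,</link> for details." puts a comma inside the link text and leaves "the" dangling in front of a section title; either keep the original "Read the section <link>Account Management Tools</link> for details" or drop both "the" and the comma.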
@ -1743,8 +1741,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Users Being Added to the Wrong Backend Database</title>
<para>
A few complaints have been received from users that just moved to Samba-3. The following
&smb.conf; file entries were causing problems, new accounts were being added to the old
A few complaints have been received from users who just moved to Samba-3. The following
&smb.conf; file entries were causing problems: new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</para>
@ -1778,7 +1776,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
When explicitly setting an <smbconfoption name="auth methods"/> parameter,
<parameter>guest</parameter> must be specified as the first entry on the line,
<parameter>guest</parameter> must be specified as the first entry on the line &smbmdash;
for example, <smbconfoption name="auth methods">guest sam</smbconfoption>.
</para>

View File

@ -12,7 +12,7 @@
This chapter summarizes the current state of knowledge derived from personal
practice and knowledge from Samba mailing list subscribers. Before reproduction
of posted information, every effort has been made to validate the information given.
Where additional information was uncovered through this validation it is provided
Where additional information was uncovered through this validation, it is provided
also.
</para>
@ -35,7 +35,7 @@ got the message: Group Policies are a good thing! They can help reduce administr
costs and actually make happier users. But adoption of the true
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
and machines were picked up on rather slowly. This was obvious from the Samba
mailing list as in 2000 and 2001 when there were few postings regarding GPOs and
mailing list back in 2000 and 2001 when there were few postings regarding GPOs and
how to replicate them in a Samba environment.
</para>
@ -49,7 +49,7 @@ network client workstations.
<para>
A tool new to Samba &smbmdash; the <command>editreg</command> tool
&smbmdash; may become an important part of the future Samba administrators'
arsenal is described in this document.
arsenal and is described in this document.
</para>
</sect1>
@ -60,7 +60,7 @@ arsenal is described in this document.
<para>
Under MS Windows platforms, particularly those following the release of MS Windows
NT4 and MS Windows 95, it is possible to create a type of file that would be placed
in the NETLOGON share of a Domain Controller. As the client logs onto the network,
in the NETLOGON share of a domain controller. As the client logs onto the network,
this file is read and the contents initiate changes to the registry of the client
machine. This file allows changes to be made to those parts of the registry that
affect users, groups of users, or machines.
@ -68,17 +68,17 @@ affect users, groups of users, or machines.
<para>
<indexterm><primary>Config.POL</primary></indexterm>
For MS Windows 9x/ME, this file must be called <filename>Config.POL</filename> and may
For MS Windows 9x/Me, this file must be called <filename>Config.POL</filename> and may
be generated using a tool called <filename>poledit.exe</filename>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but
disappeared again with the introduction of MS Windows Me. From
comments of MS Windows network administrators, it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</para>
<para>
<indexterm><primary>System Policy Editor</primary></indexterm>
MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis>
MS Windows NT4 server products include the <emphasis>System Policy Editor</emphasis>
under <guimenu>Start -> Programs -> Administrative Tools</guimenu>.
For MS Windows NT4 and later clients, this file must be called <filename>NTConfig.POL</filename>.
</para>
@ -96,7 +96,7 @@ be a step forward, but improved functionality comes at a great price.
Before embarking on the configuration of network and system policies, it is highly
advisable to read the documentation available from Microsoft's Web site regarding
<ulink url="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">
Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
Implementing Profiles and Policies in Windows NT 4.0</ulink>.
There are a large number of documents in addition to this old one that should also
be read and understood. Try searching on the Microsoft Web site for <quote>Group Policies</quote>.
</para>
@ -110,10 +110,10 @@ here is incomplete &smbmdash; you are warned.
<title>Windows 9x/ME Policies</title>
<para>
You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/ME.
It can be found on the original full product Windows 98 installation CD under
You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me.
It can be found on the original full-product Windows 98 installation CD-ROM under
<filename>tools/reskit/netadmin/poledit</filename>. Install this using the
Add/Remove Programs facility and then click on <guiicon>Have Disk</guiicon>.
Add/Remove Programs facility, and then click on <guiicon>Have Disk</guiicon>.
</para>
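Review bot: the section title "Windows 9x/ME Policies" two lines above this hunk keeps "ME" while the body text is changed to "Me" here and in the following hunks; update the title too so the product name is spelled one way throughout the chapter.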
@ -123,7 +123,7 @@ here is incomplete &smbmdash; you are warned.
user profiles and/or <filename>My Documents</filename>, and so on. Then save these
settings in a file called <filename>Config.POL</filename> that needs to be placed in the
root of the <smbconfsection name="[NETLOGON]"/> share. If Windows 98 is configured to log onto
the Samba Domain, it will automatically read this file and update the Windows 9x/Me registry
the Samba domain, it will automatically read this file and update the Windows 9x/Me registry
of the machine as it logs on.
</para>
@ -132,16 +132,16 @@ here is incomplete &smbmdash; you are warned.
</para>
<para>
If you do not take the correct steps, then every so often Windows 9x/ME will check the
integrity of the registry and restore its settings from the back-up
copy of the registry it stores on each Windows 9x/ME machine. So, you will
If you do not take the correct steps, then every so often Windows 9x/Me will check the
integrity of the registry and restore its settings from the backup
copy of the registry it stores on each Windows 9x/Me machine. So, you will
occasionally notice things changing back to the original settings.
</para>
<para>
Install the group policy handler for Windows 9x/Me to pick up Group Policies. Look on the
Windows 98 CDROM in <filename>\tools\reskit\netadmin\poledit</filename>.
Install group policies on a Windows 9x/Me client by double-clicking on
Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the
Windows 98 CD-ROM in <filename>\tools\reskit\netadmin\poledit</filename>.
Install Group Policies on a Windows 9x/Me client by double-clicking on
<filename>grouppol.inf</filename>. Log off and on again a couple of times and see
if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every
Windows 9x/Me machine that uses Group Policies.
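Review bot: this hunk gives the Policy Editor location as \tools\reskit\netadmin\poledit while the earlier hunk in the same section writes it as tools/reskit/netadmin/poledit; it is a path on a Windows CD-ROM, so use the backslash form in both places.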
@ -152,28 +152,28 @@ here is incomplete &smbmdash; you are warned.
<title>Windows NT4-Style Policy Files</title>
<para>
To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
To create or edit <filename>ntconfig.pol</filename>, you must use the NT Server
Policy Editor, <command>poledit.exe</command>, which is included with NT4 Server
but not with NT Workstation. There is a Policy Editor on an NT4
but not with NT workstation. There is a Policy Editor on an NT4
Workstation but it is not suitable for creating domain policies.
Furthermore, although the Windows 95 Policy Editor can be installed on an NT4
Workstation/Server, it will not work with NT clients. However, the files from
the NT Server will run happily enough on an NT4 Workstation.
workstation/server, it will not work with NT clients. However, the files from
the NT Server will run happily enough on an NT4 workstation.
</para>
<para>
You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>.
You need <filename>poledit.exe</filename>, <filename>common.adm</filename>, and <filename>winnt.adm</filename>.
It is convenient to put the two <filename>*.adm</filename> files in the <filename>c:\winnt\inf</filename>
directory, which is where the binary will look for them unless told otherwise. This
directory is normally <quote>hidden.</quote>
</para>
<para>
The Windows NT policy editor is also included with the Service Pack 3 (and
later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The Policy Editor,
The Windows NT Policy Editor is also included with the Service Pack 3 (and
later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>
&smbmdash; that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The Policy Editor,
<command>poledit.exe</command>, and the associated template files (*.adm) should
be extracted as well. It is also possible to downloaded the policy template
be extracted as well. It is also possible to download the policy template
files for Office97 and get a copy of the Policy Editor. Another possible
location is with the Zero Administration Kit available for download from Microsoft.
</para>
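Review bot: "NT Workstation" is lowercased to "NT workstation" on the changed line, but the unchanged line right after it still reads "an NT4 Workstation", and the last sentence lowercases "workstation/server" while keeping "the NT Server"; these are product names (Windows NT Workstation, Windows NT Server), so either keep the capitals everywhere in the paragraph or lowercase them everywhere.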
@ -186,7 +186,7 @@ here is incomplete &smbmdash; you are warned.
automatically reversed as the user logs off. The settings that were in the
<filename>NTConfig.POL</filename> file were applied to the client machine registry and apply to the
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
as tattooing. It can have serious consequences downstream and the administrator must
as tattooing. It can have serious consequences downstream, and the administrator must
be extremely careful not to lock out the ability to manage the machine at a later date.
</para>
@ -197,22 +197,22 @@ here is incomplete &smbmdash; you are warned.
<para>
Windows NT4 system policies allow the setting of registry parameters specific to
users, groups and computers (client workstations) that are members of the NT4-style
users, groups, and computers (client workstations) that are members of the NT4-style
domain. Such policy files will work with MS Windows 200x/XP clients also.
</para>
<para>
New to MS Windows 2000, Microsoft recently introduced a style of group policy that confers
New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers
a superset of capabilities compared with NT4-style policies. Obviously, the tool used
to create them is different, and the mechanism for implementing them is much improved.
</para>
<para>
<indexterm><primary>GPOs</primary></indexterm>
<indexterm><primary>GPOs</primary></indexterm>
The older NT4-style registry-based policies are known as <emphasis>Administrative Templates</emphasis>
in MS Windows 2000/XP Group Policy Objects (GPOs). The latter includes the ability to set various security
in MS Windows 2000/XP GPOs. The latter includes the ability to set various security
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
users desktop (including the location of <filename>My Documents</filename> files (directory), as
users desktop (including the location of <filename>My Documents</filename> files, as
well as intrinsics of where menu items will appear in the Start menu). An additional new
feature is the ability to make available particular software Windows applications to particular
users and/or groups.
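Review bot: "redirect aspects of the users desktop" is missing the possessive apostrophe in both the old and the new line; it should read "the user's desktop" (or "users' desktops"), and since the line is already being edited to drop "(directory)" this is the place to fix it.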
@ -220,7 +220,7 @@ here is incomplete &smbmdash; you are warned.
<para>
Remember, NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
of the NETLOGON share on the Domain Controllers. A Windows NT4 user enters a username, password
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password
and selects the domain name to which the logon will attempt to take place. During the logon process,
the client machine reads the <filename>NTConfig.POL</filename> file from the NETLOGON share on
the authenticating server and modifies the local registry values according to the settings in this file.
@ -230,7 +230,7 @@ here is incomplete &smbmdash; you are warned.
Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of
a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
Directory Domain Controllers. The part that is stored in the Active Directory itself is called the
Directory domain controllers. The part that is stored in the Active Directory itself is called the
Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is
known as the Group Policy Template (GPT).
</para>
@ -238,7 +238,7 @@ here is incomplete &smbmdash; you are warned.
<para>
With NT4 clients, the policy file is read and executed only as each user logs onto the network.
MS Windows 200x policies are much more complex &smbmdash; GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network, the user-specific part
startup (machine specific part), and when the user logs onto the network, the user-specific part
is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
@ -249,9 +249,9 @@ here is incomplete &smbmdash; you are warned.
<title>Administration of Windows 200x/XP Policies</title>
<para>
<indexterm><primary>GPOs</primary></indexterm>
<indexterm><primary>System Policy Editor</primary></indexterm>
Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the
<indexterm><primary>GPOs</primary></indexterm>
<indexterm><primary>System Policy Editor</primary></indexterm>
Instead of using the tool called <application>the System Policy Editor</application>, commonly called Poledit (from the
executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a
<application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para>
<procedure>
@ -281,8 +281,8 @@ here is incomplete &smbmdash; you are warned.
templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP.
Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x.
The latter introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files; for that
the administrator is referred to the Microsoft Windows Resource Kit for your particular
well beyond the scope of this documentation to explain how to program .adm files; for that,
refer to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</para>
@ -309,7 +309,7 @@ the policy file. Separate policy files for each user, group, or computer are not
<para>
<indexterm><primary>NTConfig.POL</primary></indexterm>
If you create a policy that will be automatically downloaded from validating Domain Controllers,
If you create a policy that will be automatically downloaded from validating domain controllers,
you should name the file <filename>NTConfig.POL</filename>. As system administrator, you have the option of renaming the
policy file and, by modifying the Windows NT-based workstation, directing the computer to update
the policy from a manual path. You can do this by either manually changing the registry or by using
@ -319,22 +319,22 @@ but if a change is necessary to all machines, it must be made individually to ea
<para>
When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on
the authenticating domain controller for the presence of the NTConfig.POL file. If one exists it is
downloaded, parsed and then applied to the user's part of the registry.
the authenticating domain controller for the presence of the NTConfig.POL file. If one exists, it is
downloaded, parsed, and then applied to the user's part of the registry.
</para>
<para>
<indexterm><primary>GPOs</primary></indexterm>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
acquire policy settings through GPOs that are defined and stored in Active Directory
itself. The key benefit of using AD GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
This has considerable advantage compared with the use of <filename>NTConfig.POL</filename> (NT4) style policy updates.
</para>
<para>
In addition to user access controls that may be imposed or applied via system and/or group policies
in a manner that works in conjunction with user profiles, the user management environment under
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied.
Common restrictions that are frequently used include:
</para>
@ -363,17 +363,17 @@ parameter can be set using the NT4 Domain User Manager or in the <filename>NTCon
<para>
Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools.
The following sections describe a few key tools that will help you to create a low maintenance user
The following sections describe a few key tools that will help you to create a low-maintenance user
environment.
</para>
<sect2>
<title>Samba Editreg Tool-set</title>
<title>Samba Editreg Toolset</title>
<para>
<indexterm><primary>editreg</primary></indexterm>
<indexterm><primary>NTUser.DAT</primary></indexterm>
<indexterm><primary>NTConfig.POL</primary></indexterm>
<indexterm><primary>editreg</primary></indexterm>
<indexterm><primary>NTUser.DAT</primary></indexterm>
<indexterm><primary>NTConfig.POL</primary></indexterm>
A new tool called <command>editreg</command> is under development. This tool can be used
to edit registry files (called <filename>NTUser.DAT</filename>) that are stored in user
and group profiles. <filename>NTConfig.POL</filename> files have the same structure as the
@ -390,9 +390,9 @@ environment.
<title>Windows NT4/200x</title>
<para>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The tools that may be used to configure these types of controls from the MS Windows environment are
the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe).
Under MS Windows 200x/XP, this is done using the Microsoft Management Console (MMC) with appropriate
Under MS Windows 200x/XP, this is done using the MMC with appropriate
<quote>snap-ins,</quote> the registry editor, and potentially also the NT4 System and Group Policy Editor.
</para>
</sect2>
@ -401,8 +401,8 @@ environment.
<title>Samba PDC</title>
<para>
With a Samba Domain Controller, the new tools for managing user account and policy information include:
<command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>.
With a Samba domain controller, the new tools for managing user account and policy information include:
<command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, and <command>rpcclient</command>.
The administrator should read the man pages for these tools and become familiar with their use.
</para>
@ -419,15 +419,15 @@ reboot and as part of the user logon:
<orderedlist>
<listitem><para>
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
Convention Provider (MUP) start.
Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming
convention provider (MUP) start.
</para></listitem>
<listitem><para>
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
Where Active Directory is involved, an ordered list of GPOs is downloaded
and applied. The list may include GPOs that:
<itemizedlist>
<listitem><para>Apply to the location of machines in a Directory.</para></listitem>
<listitem><para>Apply to the location of machines in a directory.</para></listitem>
<listitem><para>Apply only when settings have changed.</para></listitem>
<listitem><para>Depend on configuration of the scope of applicability: local,
site, domain, organizational unit, and so on.</para></listitem>
@ -436,7 +436,7 @@ reboot and as part of the user logon:
</para></listitem>
<listitem><para>
Execution of start-up scripts (hidden and synchronous by default).
Execution of startup scripts (hidden and synchronous by default).
</para></listitem>
<listitem><para>
@ -451,26 +451,26 @@ reboot and as part of the user logon:
An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
<itemizedlist>
<listitem><para>Is the user a Domain Member, thus subject to particular policies?</para></listitem>
<listitem><para>Loopback enablement, and the state of the loopback policy (Merge or Replace).</para></listitem>
<listitem><para>Is the user a domain member, thus subject to particular policies?</para></listitem>
<listitem><para>Loopback enablement, and the state of the loopback policy (merge or replace).</para></listitem>
<listitem><para>Location of the Active Directory itself.</para></listitem>
<listitem><para>Has the list of GPOs changed? No processing is needed if not changed.</para></listitem>
</itemizedlist>
</para></listitem>
<listitem><para>
User Policies are applied from Active Directory. Note: There are several types.
User policies are applied from Active Directory. Note: There are several types.
</para></listitem>
<listitem><para>
Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on Group
Policy objects (hidden and executed synchronously). NT4-style logon scripts are then run in a normal
Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs
(hidden and executed synchronously). NT4-style logon scripts are then run in a normal
window.
</para></listitem>
<listitem><para>
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
Domain), machine (system) policies are applied at start-up; user policies are applied at logon.
The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
domain), machine (system) policies are applied at startup; user policies are applied at logon.
</para></listitem>
</orderedlist>
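Review bot: grammar point in the unchanged context line `An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:`: "contents" is plural, so it should be "depend", and "in respect of" reads more naturally as "with respect to". Since the hunk already rewrites the list items under it, this line is worth fixing at the same time.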


@ -91,9 +91,10 @@ Ethereal User Guide.</para>
<figure id="ethereal1"><title>Starting a capture.</title><imagefile>ethereal1</imagefile></figure>
<para>Listen for data on ports 137, 138, 139, and 445. For example, use
the filter <userinput>port 137, port 138, port 139, or port
445</userinput> as seen in <link linkend="ethereal1">Starting a capture</link> snapshot.</para>
<para>
Listen for data on ports 137, 138, 139, and 445. For example, use the filter <userinput>port 137, port 138,
port 139, or port 445</userinput> as seen in <link linkend="ethereal1">Starting a capture</link> snapshot.
</para>
<para>A console version of ethereal is available as well and is called
<command>tethereal</command>.</para>


@ -9,11 +9,11 @@
<title>User Rights and Privileges</title>
<para>
The administration of Windows user, group and machine accounts in the Samba
domain controlled network necessitates interfacing between the MS Windows
The administration of Windows user, group, and machine accounts in the Samba
domain-controlled network necessitates interfacing between the MS Windows
networking environment and the UNIX operating system environment. The right
(permission) to add machines to the Windows security domain can be assigned
(set) to non-administrative users both in Windows NT4 domains as well as in
(set) to non-administrative users both in Windows NT4 domains and
Active Directory domains.
</para>
@ -25,14 +25,12 @@ user logons.
</para>
<para>
Machine accounts are analogous to user accounts, and thus in implementing them
on a UNIX machine that is hosting Samba (i.e.: On which Samba is running) it is
necessary to create a special type of user account. Machine accounts differ from
a normal user account in that the account name (login ID) is terminated with a $
sign. An additional difference is that this type of account should not ever be able
to log into the UNIX environment as a system user and therefore is set to have a
shell of <command>/bin/false</command> and a home directory of
<command>/dev/null.</command>
Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
hosting Samba (i.e., on which Samba is running) it is necessary to create a special type of user account.
Machine accounts differ from a normal user account in that the account name (login ID) is terminated with a
<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to
log into the UNIX environment as a system user and therefore is set to have a shell of
<command>/bin/false</command> and a home directory of <command>/dev/null.</command>
</para>
<para>
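Review bot: the period in `<command>/bin/false</command> and a home directory of <command>/dev/null.</command>` sits inside the element and is rendered as part of the path; move it outside the closing tag. While the `$` on the line above was correctly changed to <literal>, /bin/false and /dev/null are paths rather than commands, so <filename> (the element this file already uses for NTUser.DAT and NTConfig.POL) would be the consistent markup for both.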
@ -45,13 +43,13 @@ same UID. Any UNIX user who has a UID=0 is inherently the same as the
<para>
All versions of Samba call system interface scripts that permit CIFS function
calls that are used to manage users, groups and machine accounts to be affected
calls that are used to manage users, groups, and machine accounts
in the UNIX environment. All versions of Samba up to and including version 3.0.10
required the use of a Windows Administrator account that unambiguously maps to
required the use of a Windows administrator account that unambiguously maps to
the UNIX <constant>root</constant> account to permit the execution of these
interface scripts. The reuqirement to do this has understandably met with some
interface scripts. The requirement to do this has understandably met with some
disdain and consternation among Samba administrators, particularly where it became
necessary to permit people who should not posses <constant>root</constant> level
necessary to permit people who should not possess <constant>root</constant>-level
access to the UNIX host system.
</para>
@ -66,7 +64,7 @@ must be defined in the <smbconfsection name="global"/> section of the &smb.conf;
</para>
<para>
Currently, the rights supported in Samba 3 are listed in <link linkend="rp-privs"/>.
Currently, the rights supported in Samba-3 are listed in <link linkend="rp-privs"/>.
The remainder of this chapter explains how to manage and use these privileges on Samba servers.
</para>
@ -112,35 +110,35 @@ The remainder of this chapter explains how to manage and use these privileges on
<para>
There are two primary means of managing the rights assigned to users and groups
on a Samba server. The <command>NT4 User Manager for Domains</command> may be
used from any Windows NT4, 2000 or XP Professional domain member client to
used from any Windows NT4, 2000, or XP Professional domain member client to
connect to a Samba domain controller and view/modify the rights assignments.
This application, however, appears to have bugs when run on a client running
Windows 2000 or later, therefore Samba provides a command line utility for
Windows 2000 or later; therefore, Samba provides a command-line utility for
performing the necessary administrative actions.
</para>
<para>
The <command>net rpc rights</command> utility in Samba 3.0.11 has 3 new subcommands:
The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands:
</para>
<variablelist>
<varlistentry><term>list [name|accounts]</term>
<listitem><para>
When called with no arguments, <command>net rpc list</command>
will simply list the available rights on the server. When passed
simply lists the available rights on the server. When passed
a specific user or group name, the tool lists the privileges
currently assigned to the specified account. When invoked using
the special string <constant>accounts</constant>,
<command>net rpc rights list</command> will return a list of all
<command>net rpc rights list</command> returns a list of all
privileged accounts on the server and the assigned rights.
</para></listitem>
</varlistentry>
<varlistentry><term>grant &lt;user&gt; &lt;right [right ...]&gt;</term>
<listitem><para>
When called with no arguments, This function is used to assign
When called with no arguments, this function is used to assign
a list of rights to a specified user or group. For example,
to grant the members of the Domain Admins group on a Samba DC
to grant the members of the Domain Admins group on a Samba domain controller,
the capability to add client machines to the domain, one would run:
<screen>
&rootprompt; net -S server -U domadmin rpc rights grant \
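Review bot: two of the descriptions in this hunk do not match the commands they document. In the list entry, `When called with no arguments, <command>net rpc list</command>` names a subcommand that does not exist; it should be <command>net rpc rights list</command>, matching the command used two sentences later. In the grant entry, `When called with no arguments, this function is used to assign` contradicts the synopsis `grant &lt;user&gt; &lt;right [right ...]&gt;`, which requires arguments; drop the "When called with no arguments," clause so it reads "This function is used to assign a list of rights to a specified user or group."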
@ -149,13 +147,13 @@ The <command>net rpc rights</command> utility in Samba 3.0.11 has 3 new subcomma
More than one privilege can be assigned by specifying a
list of rights separated by spaces. The parameter 'Domain\Domain Admins'
must be quoted with single ticks or using double-quotes to prevent
the back-slash and the space from being interpreted by the system shell.
the backslash and the space from being interpreted by the system shell.
</para></listitem>
</varlistentry>
<varlistentry><term>revoke &lt;user&gt; &lt;right [right ...]&gt;</term>
<listitem><para>
This command is similar in format to <command>net rpc rights grant</command>. It's
This command is similar in format to <command>net rpc rights grant</command>. Its
effect is to remove an assigned right (or list of rights) from a user or group.
</para></listitem>
</varlistentry>
@ -170,10 +168,10 @@ inherent to the Domain Admins group and is not configurable.
<para>
By default, no privileges are initially assigned to any
account. The reason for this is that certain actions will
account because certain actions will
be performed as root once smbd determines that a user has
the necessary rights. For example, when joining a client to
a Windows domain, the 'add machine script' must be executed
a Windows domain, the `add machine script' must be executed
with superuser rights in most cases. For this reason, you
should be very careful about handing out privileges to
accounts.
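Review bot: style point on `a Windows domain, the `add machine script' must be executed`: the parameter is quoted with a backtick and a straight tick, which renders inconsistently in DocBook output. The rest of this chapter marks up configuration parameters as <smbconfoption name="..."/> (see the printer admin entry later in the same file), so use <smbconfoption name="add machine script"/> here.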
@ -192,7 +190,7 @@ Access as the root user (UID=0) bypasses all privilege checks.
The privileges that have been implemented in Samba-3.0.11 are shown below.
It is possible, and likely, that additional privileges may be implemented in
later releases of Samba. It is also likely that any privileges currently implemented
but not used may be removed from future releases, thus it is important that
but not used may be removed from future releases, so it is important that
the successful as well as unsuccessful use of these facilities should be reported
on the Samba mailing lists.
</para>
@ -209,7 +207,7 @@ on the Samba mailing lists.
<varlistentry><term>SeDiskOperatorPrivilege</term>
<listitem><para>
Accounts which posses this right will be able to execute
Accounts that possess this right will be able to execute
scripts defined by the <command>add/delete/change</command>
share command in &smb.conf; file as root. Such users will
also be able to modify the ACL associated with file shares
@ -219,8 +217,8 @@ on the Samba mailing lists.
<varlistentry><term>SeMachineAccountPrivilege</term>
<listitem><para>
Controls whether or not the user is able join client
machines to a Samba controlled domain.
Controls whether or not the user can join client
machines to a Samba-controlled domain.
</para></listitem>
</varlistentry>
@ -229,7 +227,7 @@ on the Samba mailing lists.
This privilege operates identically to the
<smbconfoption name="printer admin"/>
option in the &smb.conf; file (see section 5 man page for &smb.conf;)
except that it is a global right (not on a per printer basis).
except that it is a global right (not on a per-printer basis).
Eventually the smb.conf option will be deprecated and administrative
rights to printers will be controlled exclusively by this right and
the security descriptor associated with the printer object in the
@ -243,7 +241,7 @@ on the Samba mailing lists.
the server and for aborting a previously issued shutdown
command. Since this is an operation normally limited by
the operating system to the root user, an account must possess this
right to be able to execute either of these hooks to have any effect.
right to be able to execute either of these hooks.
</para></listitem>
</varlistentry>
@ -257,22 +255,34 @@ on the Samba mailing lists.
<title>The Administrator Domain SID</title>
<para>
Please note that when configured as a DC, it is now required
that an account in the server's passdb backend be set to the
domain SID of the default Administrator account. To obtain the
domain SID on a Samba DC, run the following command:
Please note that every Windows NT4 and later server requires a domain Adminsitrator account. Samba version
commencing with 3.0.11 permit the Administrative duties to be performed via assigned rights and privileges
(see <link linkend="rights">User Rights and Privileges</link>). An account in the server's passdb backend can
be set to the domain SID of the default administrator account. To obtain the domain SID on a Samba domain
controller, run the following command:
<screen>
&rootprompt; net getlocalsid
SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
</screen>
You may assign the Domain Administrator rid to an account using the <command>pdbedit</command>
You may assign the domain administrator RID to an account using the <command>pdbedit</command>
command as shown here:
<screen>
&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
</screen>
</para>
<note><para>
The RID 500 is the well known standard value of the default Administrator account. It is the RID
that confers the rights and privileges that the Administrator account has on a Windows machine
or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
</para></note>
<para>
Commencing with Samba version 3.0.11 it is possible to operate without an Administrator account
providing equivalent rights and privileges have been established for a Windows user or a Windows
group account.
</para>
</sect1>
</chapter>
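Review bot: the rewritten first paragraph introduces a typo and a number-agreement error: `Please note that every Windows NT4 and later server requires a domain Adminsitrator account. Samba version` should read "Administrator", and "Samba versions commencing with 3.0.11 permit" (plural subject, or "Samba, commencing with version 3.0.11, permits"). "Administrative duties" does not need the capital. Separately, the closing paragraph added at the end of the section (`Commencing with Samba version 3.0.11 it is possible to operate without an Administrator account`) restates the second sentence of the first paragraph almost word for word; keep one of the two, preferably the closing one, since it follows the note that explains what RID 500 confers.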


@ -13,7 +13,7 @@
<sect1>
<title>Introduction</title>
<para>
This note was attached to the Samba 2.2.8 release notes as it contained an
This note was attached to the Samba 2.2.8 release notes because it contains an
important security fix. The information contained here applies to Samba
installations in general.
</para>
@ -38,9 +38,9 @@ of knowledge with which we may unlock the secrets of the masters.
<title>Features and Benefits</title>
<para>
There are three levels at which security principals must be observed in order to render a site
There are three levels at which security principles must be observed in order to render a site
at least moderately secure. They are the perimeter firewall, the configuration of the host
server that is running Samba and Samba itself.
server that is running Samba, and Samba itself.
</para>
<para>
@ -50,17 +50,18 @@ the latest protocols to permit more secure MS Windows file and print operations.
<para>
Samba may be secured from connections that originate from outside the local network. This may be
done using <emphasis>host-based protection</emphasis> (using Samba's implementation of a technology
done using <emphasis>host-based protection</emphasis>, using Samba's implementation of a technology
known as <quote>tcpwrappers,</quote> or it may be done be using <emphasis>interface-based exclusion</emphasis>
so &smbd; will bind only to specifically permitted interfaces. It is also
possible to set specific share or resource-based exclusions, for example on the <smbconfsection name="[IPC$]"/>
auto-share. The <smbconfsection name="[IPC$]"/> share is used for browsing purposes as well as to establish
possible to set specific share or resource-based exclusions, for example, on the <smbconfsection name="[IPC$]"/>
autoshare. The <smbconfsection name="[IPC$]"/> share is used for browsing purposes as well as to establish
TCP/IP connections.
</para>
<para>
Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access
Control List (ACL) on the shares themselves. This is discussed in <link linkend="AccessControls">File, Directory and Share Access Controls</link>.
Control List (ACL) on the shares themselves. This is discussed in
<link linkend="AccessControls">File, Directory, and Share Access Controls</link>.
</para>
</sect1>
@ -69,9 +70,9 @@ Control List (ACL) on the shares themselves. This is discussed in <link linkend=
<title>Technical Discussion of Protective Measures and Issues</title>
<para>
The key challenge of security is the fact that protective measures suffice at best
The key challenge of security is that protective measures suffice at best
only to close the door on known exploits and breach techniques. Never assume that
because you have followed these few measures that the Samba server is now an impenetrable
because you have followed these few measures, the Samba server is now an impenetrable
fortress! Given the history of information systems so far, it is only a matter of time
before someone will find yet another vulnerability.
</para>
@ -81,16 +82,16 @@ before someone will find yet another vulnerability.
<para>
In many installations of Samba, the greatest threat comes from outside
your immediate network. By default, Samba will accept connections from
your immediate network. By default, Samba accepts connections from
any host, which means that if you run an insecure version of Samba on
a host that is directly connected to the Internet you can be
a host that is directly connected to the Internet, you can be
especially vulnerable.
</para>
<para>
One of the simplest fixes in this case is to use the <smbconfoption name="hosts allow"/> and
<smbconfoption name="hosts deny"/> options in the Samba &smb.conf; configuration file to only
allow access to your server from a specific range of hosts. An example might be:
<smbconfoption name="hosts deny"/> options in the Samba &smb.conf; configuration file to
allow access to your server only from a specific range of hosts. An example might be:
</para>
<para><smbconfblock>
@ -99,7 +100,7 @@ before someone will find yet another vulnerability.
</smbconfblock></para>
<para>
The above will only allow SMB connections from <constant>localhost</constant> (your own
The above will allow SMB connections only from <constant>localhost</constant> (your own
computer) and from the two private networks 192.168.2 and 192.168.3. All other
connections will be refused as soon as the client sends its first packet. The refusal
will be marked as <errorname>not listening on called name</errorname> error.
@ -120,7 +121,7 @@ before someone will find yet another vulnerability.
</smbconfblock></para>
<para>
This restricts all server access to either the user <emphasis>jacko</emphasis>
This restricts all server access either to the user <emphasis>jacko</emphasis>
or to members of the system group <emphasis>smbusers</emphasis>.
</para>
@ -131,8 +132,8 @@ before someone will find yet another vulnerability.
<title>Using Interface Protection</title>
<para>
By default, Samba will accept connections on any network interface that
it finds on your system. That means if you have a ISDN line or a PPP
By default, Samba accepts connections on any network interface that
it finds on your system. That means if you have an ISDN line or a PPP
connection to the Internet then Samba will accept connections on those
links. This may not be what you want.
</para>
@ -148,7 +149,7 @@ before someone will find yet another vulnerability.
<para>
This tells Samba to only listen for connections on interfaces with a
name starting with <constant>eth</constant> such as <constant>eth0, eth1</constant> plus on the loopback
name starting with <constant>eth</constant> such as <constant>eth0 or eth1</constant>, plus on the loopback
interface called <constant>lo</constant>. The name you will need to use depends on what
OS you are using. In the above, I used the common name for Ethernet
adapters on Linux.
@ -156,15 +157,15 @@ before someone will find yet another vulnerability.
<para>
If you use the above and someone tries to make an SMB connection to
your host over a PPP interface called <constant>ppp0,</constant> then they will get a TCP
connection refused reply. In that case, no Samba code is run at all as
your host over a PPP interface called <constant>ppp0,</constant> then he or she will get a TCP
connection refused reply. In that case, no Samba code is run at all because
the operating system has been told not to pass connections from that
interface to any Samba process.
</para>
</sect2>
<sect2>
<sect2 id="firewallports">
<title>Using a Firewall</title>
<para>
@ -188,11 +189,18 @@ before someone will find yet another vulnerability.
</simplelist>
<para>
The last one is important as many older firewall setups may not be
The last one is important because many older firewall setups may not be
aware of it, given that this port was only added to the protocol in
recent years.
</para>
<para>
When configuring a firewall, the high order ports (1024-65535) are often
used for outgoing connections and therefore should be permitted through the
firewall. It is prudent to block incoming packets on the high order ports
except for established connections.
</para>
</sect2>
<sect2>
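Review bot: the new paragraph is ambiguous about traffic direction and can be read as advising that inbound traffic to ports 1024-65535 be let through. The high-order (ephemeral) ports are the source ports of connections the host itself originates, so what the firewall must admit is the reply traffic to those connections, which a stateful rule matching established connections already covers; the first sentence as written (`used for outgoing connections and therefore should be permitted through the`) then seems to contradict the second. Suggest: "the high-order ports (1024-65535) are used as the source ports of outgoing connections, so reply traffic to them must be permitted; inbound packets to those ports should be blocked except for established connections." Note also that the ephemeral range differs between operating systems, so 1024-65535 is a generalization worth flagging as such.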
@ -202,7 +210,7 @@ before someone will find yet another vulnerability.
If the above methods are not suitable, then you could also place a
more specific deny on the IPC$ share that is used in the recently
discovered security hole. This allows you to offer access to other
shares while denying access to IPC$ from potentially un-trustworthy
shares while denying access to IPC$ from potentially untrustworthy
hosts.
</para>
@ -218,18 +226,18 @@ before someone will find yet another vulnerability.
<para>
This instructs Samba that IPC$ connections are not allowed from
anywhere except from the two listed network addresses (localhost and the 192.168.115
subnet). Connections to other shares are still allowed. As the
anywhere except the two listed network addresses (localhost and the 192.168.115
subnet). Connections to other shares are still allowed. Because the
IPC$ share is the only share that is always accessible anonymously,
this provides some level of protection against attackers that do not
this provides some level of protection against attackers who do not
know a valid username/password for your host.
</para>
<para>
If you use this method, then clients will be given an <errorname>`access denied'</errorname>
reply when they try to access the IPC$ share. Those clients will not be able to
browse shares, and may also be unable to access some other resources. This is not
recommended unless you cannot use one of the other methods listed above for some reason.
browse shares and may also be unable to access some other resources. This is not
recommended unless for some reason you cannot use one of the other methods just discussed.
</para>
</sect2>
@ -249,9 +257,9 @@ before someone will find yet another vulnerability.
</para>
<para>
The value 0x00000003 means send NTLMv2 response only. Clients will use NTLMv2 authentication,
use NTLMv2 session security if the server supports it. Domain Controllers accept LM,
NTLM and NTLMv2 authentication.
The value 0x00000003 means to send NTLMv2 response only. Clients will use NTLMv2 authentication;
use NTLMv2 session security if the server supports it. Domain controllers accept LM,
NTLM, and NTLMv2 authentication.
</para>
<para>
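Review bot: the semicolon in `The value 0x00000003 means to send NTLMv2 response only. Clients will use NTLMv2 authentication;` turns the remainder, "use NTLMv2 session security if the server supports it.", into a fragment. Suggest "Clients use NTLMv2 authentication, and NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication."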
@ -264,7 +272,7 @@ before someone will find yet another vulnerability.
<para>
The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or
NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2
session security is not negotiated.
session security is negotiated.
</para>
</sect2>
</sect1>
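Review bot: the wording change in this hunk inverts the meaning of the sentence and makes it wrong. Setting NtlmMinClientSec or NtlmMinServerSec to 0x00080000 makes NTLMv2 session security a minimum requirement, so the connection fails when that security is not negotiated. The removed line `session security is not negotiated.` was correct; the replacement `session security is negotiated.` should be reverted, as it tells readers the opposite of what the setting does.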
@ -274,9 +282,9 @@ before someone will find yet another vulnerability.
<para>
Please check regularly on <ulink noescape="1" url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
important announcements. Occasionally security releases are made and
important announcements. Occasionally security releases are made, and
it is highly recommended to upgrade Samba when a security vulnerability
is discovered. Check with your OS vendor for OS specific upgrades.
is discovered. Check with your OS vendor for OS-specific upgrades.
</para>
</sect1>
@ -285,9 +293,9 @@ is discovered. Check with your OS vendor for OS specific upgrades.
<title>Common Errors</title>
<para>
If all of Samba and host platform configuration were really as intuitive as one might like them to be, this
If all of Samba and host platform configurations were really as intuitive as one might like them to be, this
section would not be necessary. Security issues are often vexing for a support person to resolve, not
because of the complexity of the problem, but for the reason that most administrators who post what turns
because of the complexity of the problem, but because most administrators who post what turns
out to be a security problem request are totally convinced that the problem is with Samba.
</para>
@ -302,7 +310,8 @@ out to be a security problem request are totally convinced that the problem is w
<para>
The solution is either to remove the firewall (stop it) or modify the firewall script to
allow SMB networking traffic through. See section above in this chapter.
allow SMB networking traffic through. See <link linkend="firewallports">the Using a
firewall</link> section.
</para>
</sect2>
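Review bot: the link text in `See <link linkend="firewallports">the Using a` / `firewall</link> section.` reads awkwardly and does not match the capitalization of the section title it points to, "Using a Firewall". Suggest `See <link linkend="firewallports">Using a Firewall</link>.`, which is also how other cross-references in this commit are phrased (for example the File, Directory, and Share Access Controls link earlier in the file).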
@ -320,7 +329,7 @@ out to be a security problem request are totally convinced that the problem is w
</para>
<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
User xyzzy can map his home directory. Once mapped, user xyzzy can also map
anyone else's home directory.
</quote></para>
@ -333,12 +342,12 @@ out to be a security problem request are totally convinced that the problem is w
<para>
If your UNIX home directories are set up so that one user can happily <command>cd</command>
into another users directory and execute <command>ls</command>, the UNIX security solution is to change file
permissions on the user's home directories such that the <command>cd</command> and <command>ls</command> are denied.
into another user's directory and execute <command>ls</command>, the UNIX security solution is to change file
permissions on the user's home directories so that the <command>cd</command> and <command>ls</command> are denied.
</para>
<para>
Samba tries very hard not to second guess the UNIX administrators security policies, and
Samba tries very hard not to second guess the UNIX administrator's security policies and
trusts the UNIX admin to set the policies and permissions he or she desires.
</para>
@ -349,11 +358,11 @@ out to be a security problem request are totally convinced that the problem is w
<para>
The <smbconfoption name="only user"></smbconfoption> works in conjunction with the <smbconfoption name="users">list</smbconfoption>,
so to get the behavior you require, add the line :
so to get the behavior you require, add the line:
<smbconfblock>
<smbconfoption name="users">%S</smbconfoption>
</smbconfblock>
this is equivalent to adding
This is equivalent to adding
<smbconfblock>
<smbconfoption name="valid users">%S</smbconfoption>
</smbconfblock>


@ -12,7 +12,7 @@
<para>
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or
use Samba will want to know the meaning, within a Samba context, of terms familiar to MS Windows
use Samba will want to know the meaning, within a Samba context, of terms familiar to an MS Windows
administrator. This means that it is essential also to define how critical security
modes function before we get into the details of how to configure the server itself.
</para>
@ -26,7 +26,7 @@ and how they relate to MS Windows servers and clients.
A question often asked is, <quote>Why would I want to use Samba?</quote> Most chapters contain a section
that highlights features and benefits. We hope that the information provided will help to
answer this question. Be warned though, we want to be fair and reasonable, so not all
features are positive towards Samba. The benefit may be on the side of our competition.
features are positive toward Samba. The benefit may be on the side of our competition.
</para>
<sect1>
@ -49,8 +49,8 @@ a source of discomfort.
<para>
Samba started out as a project that sought to provide interoperability for MS Windows 3.x
clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides
features and functionality fit for large scale deployment. It also has some warts. In sections
like this one we tell of both.
features and functionality fit for large-scale deployment. It also has some warts. In sections
like this one, we tell of both.
</para>
<para>
@ -59,7 +59,7 @@ So, what are the benefits of features mentioned in this chapter?
<itemizedlist>
<listitem><para>
Samba-3 can replace an MS Windows NT4 Domain Controller.
Samba-3 can replace an MS Windows NT4 domain controller.
</para></listitem>
<listitem><para>
@ -68,12 +68,12 @@ So, what are the benefits of features mentioned in this chapter?
</para></listitem>
<listitem><para>
Samba-3 permits full NT4-style Interdomain Trusts.
Samba-3 permits full NT4-style interdomain trusts.
</para></listitem>
<listitem><para>
Samba has security modes that permit more flexible
authentication than is possible with MS Windows NT4 Domain Controllers.
authentication than is possible with MS Windows NT4 domain controllers.
</para></listitem>
<listitem><para>
@ -103,8 +103,8 @@ different type of servers:</para>
<itemizedlist>
<listitem><para>Domain Controller</para>
<itemizedlist>
<listitem><para>Primary Domain Controller</para></listitem>
<listitem><para>Backup Domain Controller</para></listitem>
<listitem><para>Primary Domain Controller (PDC)</para></listitem>
<listitem><para>Backup Domain Controller (BDC)</para></listitem>
<listitem><para>ADS Domain Controller</para></listitem>
</itemizedlist>
</listitem>
@ -114,13 +114,15 @@ different type of servers:</para>
<listitem><para>NT4 Style Domain Domain Server</para></listitem>
</itemizedlist>
</listitem>
<listitem><para>Stand-alone Server</para></listitem>
<listitem><para>Standalone Server</para></listitem>
</itemizedlist>
<para>
The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
The chapters covering domain control (<link linkend="samba-pdc">Domain Control</link>),
backup domain control (<link linkend="samba-bdc">Backup Domain Control</link>), and
domain membership (<link linkend="domain-member">Domain Membership</link>) provide
pertinent information regarding Samba configuration for each of these server roles.
The reader is strongly encouraged to become intimately familiar with the information
You are strongly encouraged to become intimately familiar with the information
presented.
</para>
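Review bot: the unchanged context line `<listitem><para>NT4 Style Domain Domain Server</para></listitem>` repeats the word "Domain"; since this hunk already edits the neighbouring items of the same list, drop the duplicate here as well. For consistency with the rest of this commit, which writes "NT4-style interdomain trusts" with a hyphen, "NT4-Style" would also match the house style being applied.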
@ -140,20 +142,19 @@ reduce user complaints and administrator heartache.
</para>
<para>
In the SMB/CIFS networking world, there are only two types of security: <emphasis>User Level</emphasis>
and <emphasis>Share Level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>.
In implementing these two security levels, Samba provides flexibilities
that are not available with Microsoft Windows NT4/200x servers. In actual fact, Samba implements
<emphasis>Share Level</emphasis> security only one way, but has four ways of implementing
<emphasis>User Level</emphasis> security. Collectively, we call the Samba implementations
<emphasis>Security Modes</emphasis>. They are known as: <emphasis>SHARE</emphasis>, <emphasis>USER</emphasis>,
<emphasis>DOMAIN</emphasis>, <emphasis>ADS</emphasis>, and <emphasis>SERVER</emphasis> modes.
They are documented in this chapter.
In the SMB/CIFS networking world, there are only two types of security: <emphasis>user level</emphasis> and
<emphasis>share level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>. In
implementing these two security levels, Samba provides flexibilities that are not available with MS Windows
NT4/200x servers. In actual fact, Samba implements <emphasis>share-level</emphasis> security only one way, but
has four ways of implementing <emphasis>user-level</emphasis> security. Collectively, we call the Samba
implementations <emphasis>security modes</emphasis>. They are known as <emphasis>share</emphasis>,
<emphasis>user</emphasis>, <emphasis>domain</emphasis>, <emphasis>ADS</emphasis>, and
<emphasis>server</emphasis> modes. They are documented in this chapter.
</para>
<para>
An SMB server tells the client at startup what security level it is running. There are two options:
Share Level and User Level. Which of these two the client receives affects the way the client then
share level and user level. Which of these two the client receives affects the way the client then
tries to authenticate itself. It does not directly affect (to any great extent) the way the Samba
server does security. This may sound strange, but it fits in with the client/server approach of SMB.
In SMB everything is initiated and controlled by the client, and the server can only tell the client
@ -164,8 +165,8 @@ what is available and whether an action is allowed.
<title>User Level Security</title>
<para>
We will describe User Level Security first, as its simpler.
In User Level Security, the client will send a
We describe user-level security first because its simpler.
In user-level security, the client sends a
session setup request directly following protocol negotiation.
This request provides a username and password. The server can either accept or reject that
username/password combination. At this stage the server has no idea what
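Review bot: "because its simpler" needs the contraction "it's"; the rewrite kept the original's error. The section title on this hunk's first context line, "User Level Security", is also left unhyphenated while the same patch renames the sibling title to "Share-Level Security"; hyphenate both or neither.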
@ -179,7 +180,7 @@ share the client will eventually try to connect to, so it can't base the
</orderedlist>
<para>
If the server accepts the username/password then the client expects to be able to
If the server accepts the username/password, then the client expects to be able to
mount shares (using a <emphasis>tree connection</emphasis>) without specifying a
password. It expects that all access rights will be as the username/password
specified in the <emphasis>session setup</emphasis>.
@ -196,7 +197,7 @@ authentication contexts in this way (WinDD is an example of an application that
<title>Example Configuration</title>
<para>
The &smb.conf; parameter that sets user level security is:
The &smb.conf; parameter that sets user-level security is:
</para>
<para><smbconfblock>
@ -211,33 +212,33 @@ This is the default setting since Samba-2.2.x.
</sect2>
<sect2>
<title>Share Level Security</title>
<title>Share-Level Security</title>
<para>
In Share Level security, the client authenticates
In share-level security, the client authenticates
itself separately for each share. It sends a password along with each
tree connection (share mount). It does not explicitly send a
username with this operation. The client expects a password to be associated
with each share, independent of the user. This means that Samba has to work out what
username the client probably wants to use. It is never explicitly sent the username.
Some commercial SMB servers such as NT actually associate passwords directly with
shares in Share Level security, but Samba always uses the UNIX authentication scheme
shares in share-level security, but Samba always uses the UNIX authentication scheme
where it is a username/password pair that is authenticated, not a share/password pair.
</para>
<para>
To understand the MS Windows networking parallels, one should think
in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only
To understand the MS Windows networking parallels, think
in terms of MS Windows 9x/Me where you can create a shared folder that provides read-only
or full access, with or without a password.
</para>
<para>
Many clients send a session setup even if the server is in Share Level security. They
Many clients send a session setup even if the server is in share-level security. They
normally send a valid username but no password. Samba records this username in a list
of possible usernames. When the client then does a tree connection it also adds to this list the name
of possible usernames. When the client then does a tree connection, it also adds to this list the name
of the share they try to connect to (useful for home directories) and any users
listed in the <smbconfoption name="user"/> parameter in the &smb.conf; file.
The password is then checked in turn against these possible usernames. If a match is found
The password is then checked in turn against these possible usernames. If a match is found,
then the client is authenticated as that user.
</para>
@ -245,7 +246,7 @@ then the client is authenticated as that user.
<title>Example Configuration</title>
<para>
The &smb.conf; parameter that sets Share Level security is:
The &smb.conf; parameter that sets share-level security is:
</para>
<para><smbconfblock>
@ -256,14 +257,14 @@ The &smb.conf; parameter that sets Share Level security is:
</sect2>
<sect2>
<title>Domain Security Mode (User Level Security)</title>
<title>Domain Security Mode (User-Level Security)</title>
<para>
<indexterm><primary>Domain Member</primary></indexterm>
When Samba is operating in <smbconfoption name="security">domain</smbconfoption> mode,
the Samba server has a domain security trust account (a machine account) and causes
all authentication requests to be passed through to the Domain Controllers.
In other words, this configuration makes the Samba server a Domain Member server.
all authentication requests to be passed through to the domain controllers.
In other words, this configuration makes the Samba server a domain member server.
</para>
<sect3>
@ -292,7 +293,7 @@ security domain. This is done as follows:
<procedure>
<step><para>On the MS Windows NT Domain Controller, using
<step><para>On the MS Windows NT domain controller, using
the Server Manager, add a machine account for the Samba server.
</para></step>
@ -303,7 +304,7 @@ security domain. This is done as follows:
</procedure>
<note><para>
Samba-2.2.4 and later can auto-join a Windows NT4-style Domain just by executing:
Samba-2.2.4 and later can autojoin a Windows NT4-style domain just by executing:
<screen>
&rootprompt;<userinput>smbpasswd -j <replaceable>DOMAIN_NAME</replaceable> -r <replaceable>PDC_NAME</replaceable> \
-U Administrator%<replaceable>password</replaceable></userinput>
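Review bot: the smbpasswd example passes the administrator password on the command line as "-U Administrator%password", which exposes it in the process list and the shell history; since this note is written as a copy-and-paste recipe, show "-U Administrator" alone and let the tool prompt for the password, or add one sentence warning about the exposure. The same applies to the "net rpc join -U Administrator%password" line in the next hunk.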
@ -314,38 +315,38 @@ Samba-3 can do the same by executing:
&rootprompt;<userinput>net rpc join -U Administrator%<replaceable>password</replaceable></userinput>
</screen>
It is not necessary with Samba-3 to specify the <replaceable>DOMAIN_NAME</replaceable> or the
<replaceable>PDC_NAME</replaceable> as it figures this out from the &smb.conf; file settings.
<replaceable>PDC_NAME</replaceable>, as it figures this out from the &smb.conf; file settings.
</para></note>
<para>
Use of this mode of authentication does require there to be a standard UNIX account
Use of this mode of authentication requires there to be a standard UNIX account
for each user in order to assign a UID once the account has been authenticated by
the remote Windows DC. This account can be blocked to prevent logons by clients other than
the remote Windows domain controller. This account can be blocked to prevent logons by clients other than
MS Windows through means such as setting an invalid shell in the
<filename>/etc/passwd</filename> entry.
</para>
<para>
An alternative to assigning UIDs to Windows users on a Samba member server is
presented in <link linkend="winbind">Winbind: Use of Domain Accounts</link>.
presented in <link linkend="winbind">Winbind</link>, <link linkend="winbind">Winbind: Use of Domain Accounts</link>.
</para>
<para>
For more information regarding Domain Membership, see <link linkend="domain-member">Domain Membership</link>.
For more information regarding domain membership, <link linkend="domain-member">Domain Membership</link>.
</para>
</sect3>
</sect2>
<sect2>
<title>ADS Security Mode (User Level Security)</title>
<title>ADS Security Mode (User-Level Security)</title>
<para>
Both Samba-2.2, and Samba-3 can join an Active Directory domain. This is
possible if the domain is run in native mode. Active Directory in
native mode perfectly allows NT4-style Domain Members. This is contrary to
native mode perfectly allows NT4-style domain members. This is contrary to
popular belief. Active Directory in native mode prohibits only the use of
Backup Domain Controllers running MS Windows NT4.
BDCs running MS Windows NT4.
</para>
<para>
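Review bot: the verb was dropped from "For more information regarding domain membership, Domain Membership." and the sentence no longer parses; restore "see" before the link. Two smaller points in the same hunk: the Winbind reference now reads "Winbind, Winbind: Use of Domain Accounts", repeating the chapter name, and the unchanged "Both Samba-2.2, and Samba-3" carries a stray comma that could be dropped while here.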
@ -353,8 +354,8 @@ If you are using Active Directory, starting with Samba-3 you can
join as a native AD member. Why would you want to do that?
Your security policy might prohibit the use of NT-compatible
authentication protocols. All your machines are running Windows 2000
and above and all use Kerberos. In this case Samba as an NT4-style
domain would still require NT-compatible authentication data. Samba in
and above and all use Kerberos. In this case Samba, as an NT4-style
domain, would still require NT-compatible authentication data. Samba in
AD-member mode can accept Kerberos tickets.
</para>
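Review bot: "Samba, as an NT4-style domain, would still require NT-compatible authentication data" makes Samba a domain, which it is not in this scenario; the sentence means Samba acting as an NT4-style domain member, matching the "native AD member" phrase two lines above. Suggest "Samba, as an NT4-style domain member, would still require NT-compatible authentication data."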
@ -375,7 +376,7 @@ The following parameter may be required:
</smbconfblock></para>
<para>
Please refer to <link linkend="domain-member">Domain Membership</link> and <link linkend="ads-member">Samba ADS Domain Membership</link>
Please refer to <link linkend="domain-member">Domain Membership</link>, and <link linkend="ads-member">Samba ADS Domain Membership</link>
for more information regarding this configuration option.
</para>
@ -386,32 +387,32 @@ for more information regarding this configuration option.
<title>Server Security (User Level Security)</title>
<para>
Server Security Mode is left over from the time when Samba was not capable of acting
as a Domain Member server. It is highly recommended not to use this feature. Server
Server security mode is left over from the time when Samba was not capable of acting
as a domain member server. It is highly recommended not to use this feature. Server
security mode has many drawbacks that include:
</para>
<itemizedlist>
<listitem><para>Potential Account Lockout on MS Windows NT4/200x password servers.</para></listitem>
<listitem><para>Potential account lockout on MS Windows NT4/200x password servers.</para></listitem>
<listitem><para>Lack of assurance that the password server is the one specified.</para></listitem>
<listitem><para>Does not work with Winbind, which is particularly needed when storing profiles remotely.</para></listitem>
<listitem><para>This mode may open connections to the password server, and keep them open for extended periods.</para></listitem>
<listitem><para>This mode may open connections to the password server and keep them open for extended periods.</para></listitem>
<listitem><para>Security on the Samba server breaks badly when the remote password server suddenly shuts down.</para></listitem>
<listitem><para>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</para></listitem>
</itemizedlist>
<para>
In Server Security Mode the Samba server reports to the client that it is in User Level
In server security mode the Samba server reports to the client that it is in user-level
security. The client then does a session setup as described earlier.
The Samba server takes the username/password that the client sends and attempts to login to the
<smbconfoption name="password server"/> by sending exactly the same username/password that
it got from the client. If that server is in User Level Security and accepts the password,
it got from the client. If that server is in user-level security and accepts the password,
then Samba accepts the client's connection. This allows the Samba server to use another SMB
server as the <smbconfoption name="password server"/>.
</para>
<para>
You should also note that at the start of all this where the server tells the client
You should also note that at the start of all this, when the server tells the client
what security level it is in, it also tells the client if it supports encryption. If it
does, it supplies the client with a random cryptkey. The client will then send all
passwords in encrypted form. Samba supports this type of encryption by default.
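Review bot: the title on this hunk's first context line, "Server Security (User Level Security)", was not updated, while the Domain and ADS titles in this same patch became "(User-Level Security)"; make the three consistent. In the last paragraph, "cryptkey" appears without introduction although the earlier paragraphs of this section describe the session setup; calling it the challenge the server issues, as the NTLM discussion later in the chapter does, would tie the two explanations together.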
@ -420,19 +421,19 @@ passwords in encrypted form. Samba supports this type of encryption by default.
<para>
The parameter <smbconfoption name="security">server</smbconfoption> means that Samba reports to clients that
it is running in <emphasis>user mode</emphasis> but actually passes off all authentication
requests to another <emphasis>user mode</emphasis> server. This requires an additional
requests to another user mode server. This requires an additional
parameter <smbconfoption name="password server"/> that points to the real authentication server.
The real authentication server can be another Samba server, or it can be a Windows NT server,
the latter being natively capable of encrypted password support.
</para>
<note><para>
When Samba is running in <emphasis>Server Security Mode</emphasis> it is essential that
When Samba is running in <emphasis>server security mode</emphasis>, it is essential that
the parameter <emphasis>password server</emphasis> is set to the precise NetBIOS machine
name of the target authentication server. Samba cannot determine this from NetBIOS name
lookups because the choice of the target authentication server is arbitrary and cannot
be determined from a domain name. In essence, a Samba server that is in
<emphasis>Server Security Mode</emphasis> is operating in what used to be known as
<emphasis>server security mode</emphasis> is operating in what used to be known as
workgroup mode.
</para></note>
@ -460,11 +461,11 @@ process, the other uses just an error code.
</para>
<para>
The downside of this mode of configuration is the fact that for security reasons Samba
will send the password server a bogus username and a bogus password and if the remote
server fails to reject the username and password pair then an alternative mode of
identification of validation is used. Where a site uses password lock out after a
certain number of failed authentication attempts this will result in user lockouts.
The downside of this mode of configuration is that for security reasons Samba
will send the password server a bogus username and a bogus password, and if the remote
server fails to reject the username and password pair, then an alternative mode of
identification or validation is used. Where a site uses password lockout, after a
certain number of failed authentication attempts, this will result in user lockouts.
</para>
<para>
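Review bot: the commas inserted into the last sentence change its meaning: "Where a site uses password lockout, after a certain number of failed authentication attempts, this will result in user lockouts" turns the threshold into a parenthetical aside, but the threshold is the condition of the lockout policy. Suggest "Where a site uses password lockout after a certain number of failed authentication attempts, this will result in user lockouts." The distinction matters for the argument being made, since the bogus-credential probe described in the same paragraph is exactly what consumes those attempts.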
@ -484,7 +485,7 @@ This account can be blocked to prevent logons by non-SMB/CIFS clients.
MS Windows clients may use encrypted passwords as part of a challenge/response
authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple
password-based authentication. It should be realized that with the SMB protocol,
the password is passed over the network either in plain-text or encrypted, but
the password is passed over the network either in plaintext or encrypted, but
not both in the same authentication request.
</para>
@ -498,19 +499,18 @@ is encrypted in two ways:
string. This is known as the NT hash.
</para></listitem>
<listitem><para>The password is converted to upper case,
<listitem><para>The password is converted to uppercase,
and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56-bit DES keys to encrypt a <quote>magic</quote> 8-byte value.
form two 56-bit DES keys to encrypt a "magic" 8-byte value.
The resulting 16 bytes form the LanMan hash.
</para></listitem>
</itemizedlist>
<para>
MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0
pre-service pack 3 will use either mode of password authentication. All
versions of MS Windows that follow these versions no longer support plain
text passwords by default.
versions of MS Windows that follow these versions no longer support plain-text passwords by default.
</para>
<para>
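Review bot: replacing <quote>magic</quote> with literal double quotes in the LanMan hash bullet regresses DocBook markup that the rest of the file keeps (the <quote> element survives around "guest" in the standalone server chapter of this same patch); keep the element so quoting style stays consistent at typesetting time. While this bullet is being edited, the unchanged description of the construction deserves a check: the 14-byte uppercased string is split into two 7-byte halves and each half is expanded into a 56-bit DES key, and the "appended with 5 bytes of NULL characters" wording does not describe that.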
@ -522,16 +522,16 @@ a cached copy of the password.
<para>
When Microsoft changed the default password mode, support was dropped for caching
of the plain-text password. This means that when the registry parameter is changed
to re-enable use of plain-text passwords it appears to work, but when a dropped
of the plaintext password. This means that when the registry parameter is changed
to re-enable use of plaintext passwords, it appears to work, but when a dropped
service connection mapping attempts to revalidate, this will fail if the remote
authentication server does not support encrypted passwords. It is definitely not
a good idea to re-enable plain-text password support in such clients.
a good idea to re-enable plaintext password support in such clients.
</para>
<para>
The following parameters can be used to work around the issue of Windows 9x/Me clients
upper-casing usernames and passwords before transmitting them to the SMB server
uppercasing usernames and passwords before transmitting them to the SMB server
when using clear-text authentication:
</para>
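Review bot: this hunk standardises on "plaintext" while the unchanged last line still says "clear-text authentication" and the previous hunk still says "plain-text passwords"; choose one spelling for the chapter, since all three name the same thing and the security advice in this paragraph depends on the reader recognising it.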
@ -541,9 +541,9 @@ when using clear-text authentication:
</smbconfblock></para>
<para>
By default Samba will convert to lower case the username before attempting to lookup the user
By default Samba will convert to lowercase the username before attempting to lookup the user
in the database of local system accounts. Because UNIX usernames conventionally
only contain lower-case characters, the <smbconfoption name="username level"/> parameter
only contain lowercase characters, the <smbconfoption name="username-level"/> parameter
is rarely needed.
</para>
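Review bot: <smbconfoption name="username-level"/> breaks the option reference. The smb.conf parameter is spelled "username level" with a space, the original line had it right, and the name attribute of smbconfoption is what generates the man page cross-reference and index entry, so the hyphenated form will not resolve. Revert to name="username level"; the following hunk references "password level" correctly in the same way. Also, "attempting to lookup the user" should be "look up" (the verb form).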
@ -551,17 +551,16 @@ is rarely needed.
However, passwords on UNIX systems often make use of mixed-case characters.
This means that in order for a user on a Windows 9x/Me client to connect to a Samba
server using clear-text authentication, the <smbconfoption name="password level"/>
must be set to the maximum number of upper case letters that <emphasis>could</emphasis>
appear in a password. Note that if the server OS uses the traditional DES version
of crypt(), a <smbconfoption name="password level"/> of 8 will result in case
insensitive passwords as seen from Windows users. This will also result in longer
login times as Samba has to compute the permutations of the password string and
must be set to the maximum number of uppercase letters that <emphasis>could</emphasis>
appear in a password. Note that if the Server OS uses the traditional DES version
of crypt(), a <smbconfoption name="password level"/> of 8 will result in case-insensitive passwords as seen from Windows users. This will also result in longer
login times because Samba has to compute the permutations of the password string and
try them one by one until a match is located (or all combinations fail).
</para>
<para>
The best option to adopt is to enable support for encrypted passwords wherever
Samba is used. Most attempts to apply the registry change to re-enable plain-text
Samba is used. Most attempts to apply the registry change to re-enable plaintext
passwords will eventually lead to user complaints and unhappiness.
</para>
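Review bot: "Server OS" gains a capital S where the original had "server OS"; it is not a proper noun, so revert it. The merged line in the middle of the paragraph also runs well past the wrapping width the rest of the file follows, so rewrap it. One sentence worth adding while this paragraph is open: because Samba tries every case permutation until one matches, a high password level multiplies the crypt() work done for each failed logon as well as each successful one, which is one more reason for the next paragraph's advice to use encrypted passwords instead.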
@ -572,15 +571,15 @@ passwords will eventually lead to user complaints and unhappiness.
<para>
We all make mistakes. It is okay to make mistakes, as long as they are made in the right places
and at the right time. A mistake that causes lost productivity is seldom tolerated, however a mistake
and at the right time. A mistake that causes lost productivity is seldom tolerated; however, a mistake
made in a developmental test lab is expected.
</para>
<para>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting
a Samba implementation. Some are the result of a misunderstanding of the English language. The
English language, which has many phrases that are potentially vague and may be highly confusing
a Samba implementation. Some are the result of a misunderstanding of the English language,
which has many phrases that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</para>
@ -588,7 +587,7 @@ to those for whom English is not their native tongue.
<title>What Makes Samba a Server?</title>
<para>
To some the nature of the Samba <emphasis>security</emphasis> mode is obvious, but entirely
To some the nature of the Samba security mode is obvious, but entirely
wrong all the same. It is assumed that <smbconfoption name="security">server</smbconfoption> means that Samba
will act as a server. Not so! This setting means that Samba will <emphasis>try</emphasis>
to use another SMB server as its source for user authentication alone.
@ -601,7 +600,7 @@ to use another SMB server as its source for user authentication alone.
<para>
The &smb.conf; parameter <smbconfoption name="security">domain</smbconfoption> does not really make Samba behave
as a Domain Controller. This setting means we want Samba to be a Domain Member. See <link linkend="samba-pdc">Samba as a PDC</link> for more information.
as a domain controller. This setting means we want Samba to be a domain member. See <link linkend="samba-pdc">Samba as a PDC</link> for more information.
</para>
</sect2>
@ -611,8 +610,8 @@ as a Domain Controller. This setting means we want Samba to be a Domain Member.
<para>
Guess! So many others do. But whatever you do, do not think that <smbconfoption name="security">user</smbconfoption>
makes Samba act as a Domain Member. Read the manufacturer's manual before the warranty expires. See
<link linkend="domain-member">Domain Membership</link> for more information.
makes Samba act as a domain member. Read the manufacturer's manual before the warranty expires. See
<link linkend="domain-member">Domain Membership</link>, for more information.
</para>
</sect2>

View File

@ -4,12 +4,12 @@
<chapterinfo>
&author.jht;
</chapterinfo>
<title>Stand-alone Servers</title>
<title>Standalone Servers</title>
<para>
Stand-alone Servers are independent of Domain Controllers on the network.
They are not Domain Members and function more like workgroup servers. In many
cases a Stand-alone Server is configured with a minimum of security control
Standalone servers are independent of domain controllers on the network.
They are not domain members and function more like workgroup servers. In many
cases a standalone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>
@ -17,25 +17,25 @@ with the intent that all data served will be readily accessible to all users.
<title>Features and Benefits</title>
<para>
Stand-alone Servers can be as secure or as insecure as needs dictate. They can
Standalone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
Domain Security they remain a common installation.
domain security, they remain a common installation.
</para>
<para>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example: A drafting office needs to store old drawings and reference
standards. No-one can write files to the server as it is legislatively
important that all documents remain unaltered. A share mode read-only Stand-alone
Server is an ideal solution.
For example, a drafting office needs to store old drawings and reference
standards. Noone can write files to the server because it is legislatively
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
</para>
<para>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to effect any access controls and no files will
be served from the print server. Again, a share mode Stand-alone Server makes
to the printers, there is no need to effect any access controls, and no files will
be served from the print server. Again, a share-mode standalone server makes
a great solution.
</para>
</sect1>
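Review bot: "Noone" is not a word; it should be "No one" (two words). In the same sentence, "legislatively important that all documents remain unaltered" is awkward; "a legal requirement that all documents remain unaltered" says what is meant.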
@ -44,34 +44,34 @@ a great solution.
<title>Background</title>
<para>
The term <emphasis>Stand-alone Server</emphasis> means that it
The term <emphasis>standalone server</emphasis> means that it
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
local user database. In more technical terms, it means resources
on the machine will be made available in either SHARE mode or in
USER mode.
on the machine will be made available in either <emphasis>share</emphasis> mode or in
<emphasis>user</emphasis> mode.
</para>
<para>
No special action is needed other than to create user accounts. Stand-alone
No special action is needed other than to create user accounts. Standalone
servers do not provide network logon services. This means that machines that
use this server do not perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so the logon name they use will
be translated (mapped) locally on the Stand-alone Server to a locally known
necessary to accommodate any network user so the logon name he or she uses will
be translated (mapped) locally on the standalone server to a locally known
user name. There are several ways this can be done.
</para>
<para>
Samba tends to blur the distinction a little in respect of what is
a Stand-alone Server. This is because the authentication database may be
Samba tends to blur the distinction a little in defining
a standalone server. This is because the authentication database may be
local or on a remote server, even if from the SMB protocol perspective
the Samba server is not a member of a domain security context.
</para>
<para>
Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH),
which maintains the UNIX-user database) the source of authentication may reside on
Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH,
which maintains the UNIX-user database), the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the Samba server may use the local UNIX/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
@ -85,8 +85,7 @@ for authentication.
<title>Example Configuration</title>
<para>
The examples, <link linkend="simplynice">Reference Documentation Server</link>, and
<link linkend="SimplePrintServer">Central Print Serving</link>,
Examples 7.3.1 and 7.3.2
are designed to inspire simplicity. It is too easy to attempt a high level of creativity
and to introduce too much complexity in server and network design.
</para>
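Review bot: this hunk replaces two working <link linkend="simplynice"> and <link linkend="SimplePrintServer"> cross-references with the hard-coded text "Examples 7.3.1 and 7.3.2". Those numbers are generated at build time and will silently go stale the next time an example or chapter is added or moved; keep the link elements, or use <xref linkend="..."/> if the editor wants the generated number rendered. The same hard-coded numbers are introduced in the two following hunks of this file ("The following example (7.3.1)" and "Example 7.3.2").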
@ -96,7 +95,7 @@ and to introduce too much complexity in server and network design.
<para>
Configuration of a read-only data server that everyone can access is very simple.
<link linkend="simplynice">Following example</link> is the &smb.conf; file that will do this. Assume that all the reference documents
<link linkend="simplynice">The following example (7.3.1)</link> is the &smb.conf; file that will do this. Assume that all the reference documents
are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename>
UNIX system database. This is a simple system to administer.
@ -120,10 +119,10 @@ UNIX system database. This is a simple system to administer.
</example>
<para>
In <link linkend="simplynice">the example</link> above, the machine name is set to &example.server.samba;, the workgroup is set to the name
In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the workgroup is set to the name
of the local workgroup (&example.workgroup;) so the machine will appear together with systems with
which users are familiar. The only password backend required is the <quote>guest</quote> backend to allow default
unprivileged account names to be used. As there is a WINS server on this network, we of obviously make use of it.
unprivileged account names to be used. As there is a WINS server on this network, we of course make use of it.
</para>
</sect2>
@ -137,14 +136,14 @@ on your system.
</para>
<orderedlist>
<title> Assumptions:</title>
<title> Assumptions</title>
<listitem><para>
The print server must require no administration.
</para></listitem>
<listitem><para>
The print spooling and processing system on our print server will be CUPS.
(Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link> for more information).
(Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, for more information).
</para></listitem>
<listitem><para>
@ -153,7 +152,7 @@ on your system.
</para></listitem>
<listitem><para>
All workstations will use only postscript drivers. The printer driver
All workstations will use only PostScript drivers. The printer driver
of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
</para></listitem>
</orderedlist>
@ -162,7 +161,7 @@ on your system.
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
the anonymous (guest) user, two things will be required to enable anonymous printing.
</para>
<itemizedlist>
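Review bot: the introductory sentence now ends with a period directly before the itemizedlist it introduces ("two things will be required to enable anonymous printing."); keep the original colon so the list reads as the enumeration of those two things.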
@ -192,7 +191,7 @@ the anonymous (guest) user, two things will be required:
</itemizedlist>
<para>
The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">the next example</link>.
The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">Example 7.3.2</link>.
</para>
<example id="AnonPtrSvr">
@ -226,8 +225,8 @@ On CUPS-enabled systems there is a facility to pass raw data directly to the pri
intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
files. Refer to <link linkend="cups-raw">Explicitly Enable <quote>raw</quote> Printing for
<emphasis>application/octet-stream</emphasis></link>.
files. Refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing for
application/octet-stream</link>.
</para></note>
</sect2>
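Review bot: the rewritten link text drops the <quote> around raw and the <emphasis> around application/octet-stream, so the MIME type now reads as ordinary prose; keep the inline markup, or wrap the MIME type in <literal>, as the original did. In the unchanged context, the filenames /etc/mime.conv and /etc/mime.types look wrong: CUPS keeps these files as mime.convs and mime.types under /etc/cups, so the paths should be verified against the CUPS chapter this note links to.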

View File

@ -9,46 +9,46 @@
<pubdate>May 9, 2005</pubdate>
</chapterinfo>
<title>Remote and Local Management &smbmdash; The Net Command</title>
<title>Remote and Local Management: The Net Command</title>
<para>
The <command>net</command> command is one of the new features of Samba-3 and is an attempt to provide a useful
tool into which the majority of remote management operations necessary for common tasks. The
<command>net</command> tool is flexible by design and is intended for command line use as well as for scripted
tool for the majority of remote management operations necessary for common tasks. The
<command>net</command> tool is flexible by design and is intended for command-line use as well as for scripted
control application.
</para>
<para>
Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
<command>net</command> command has morphed into a very powerful instrument that has become an essential part
of the Samba network administrator's toolbox. The Samba Team have introduced tools, such as
<command>smbgroupedit, rpcclient</command> from which really useful have been integrated into the
<command>net</command>. The <command>smbgroupedit</command> command was absorbed entirely into the
<command>net</command>, while only some features of the <command>rpcclient</command> command have been
ported to it. Anyone who finds older references to these utilities and to the functionality they provided
should look at the <command>net</command> command before searching elsewhere.
of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as
<command>smbgroupedit</command> and <command>rpcclient</command>, from which really useful capabilities have
been integrated into the <command>net</command>. The <command>smbgroupedit</command> command was absorbed
entirely into the <command>net</command>, while only some features of the <command>rpcclient</command> command
have been ported to it. Anyone who finds older references to these utilities and to the functionality they
provided should look at the <command>net</command> command before searching elsewhere.
</para>
<para>
A Samba-3 administrator can not afford to gloss over this chapter because to do so will almost certainly cause
the infliction of self induced pain, agony and desperation. Be warned, this is an important chapter.
A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause
the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.
</para>
<sect1>
<title>Overview</title>
<para>
The tasks that follow the installation of a Samba-3 server, whether Stand-Alone, Domain Member, of a
Domain Controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a Stand-Alone server as well as for a PDC.
In the case of a BDC or a Domain Member server (DMS) Domain user and group accounts are obtained from
The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a
domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a standalone server and a PDC.
In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from
the central domain authentication backend.
</para>
<para>
Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
networking domain global group accounts. Do you ask, why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID/GID controls. This means that local
networking domain global group accounts. Do you ask why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID and GID controls. This means that local
groups must be mapped to domain global groups so that domain users who are members of the domain
global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
Samba. Such mappings are implemented using the <command>net</command> command.
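Review bot: the rewritten opening sentence of the Overview still does not parse: `whether standalone or domain member, of a domain controller (PDC or BDC) begins` should read `or a domain controller (PDC or BDC), begin` (`of` is a typo for `or`, and the subject `The tasks` takes a plural verb). In the same hunk, `tools, such as smbgroupedit and rpcclient, from which really useful capabilities have been integrated into the net` remains hard to follow; something like `the useful capabilities of tools such as smbgroupedit and rpcclient have been integrated into net` reads more naturally.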
@ -61,32 +61,32 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
</para>
<para>
The establishment of inter-domain trusts is achieved using the <command>net</command> command also, as
may a plethora of typical administrative duties such as: user management, group management, share and
The establishment of interdomain trusts is achieved using the <command>net</command> command also, as
may a plethora of typical administrative duties such as user management, group management, share and
printer management, file and printer migration, security identifier management, and so on.
</para>
<para>
The over-all picture should be clear now, the <command>net</command> command plays a central role
The overall picture should be clear now: the <command>net</command> command plays a central role
on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
evidence of its importance, one that has grown in complexity to the point that it is no longer considered
prudent to cover its use fully in the on-line UNIX man pages.
prudent to cover its use fully in the online UNIX man pages.
</para>
</sect1>
<sect1>
<title>Administrative Tasks And Methods</title>
<title>Administrative Tasks and Methods</title>
<para>
The basic operations of the <command>net</command> command are documented here. This documentation is not
exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to
a Samba server the emphasis is on the use of the DCE RPC mode of operation. When used against a server
that is a member of an Active Directory domain it is preferable (and often necessary) to use ADS mode
operations. The <command>net</command> command supports both, but not for every operation. For most
operations, if the mode is not specified <command>net</command> will automatically fall back via
the <constant>ads, rpc, rap</constant> modes. Please refer to the man page for a more comprehensive
overview of the capabilities of this utility.
exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba
server, the emphasis is on the use of the DCE RPC mode of operation. When used against a server that is a
member of an Active Directory domain, it is preferable (and often necessary) to use ADS mode operations. The
<command>net</command> command supports both, but not for every operation. For most operations, if the mode is
not specified, <command>net</command> will automatically fall back via the <constant>ads</constant>,
<constant>rpc</constant>, and <constant>rap</constant> modes. Please refer to the man page for a more
comprehensive overview of the capabilities of this utility.
</para>
</sect1>
@ -95,15 +95,15 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
<title>UNIX and Windows Group Management</title>
<para>
In repetition of what has been said, the focus in most of this chapter is on use of the <command>net
As stated, the focus in most of this chapter is on use of the <command>net
rpc</command> family of operations that are supported by Samba. Most of them are supported by the
<command>net ads</command> mode when used in connection with MS Active Directory. The <command>net
<command>net ads</command> mode when used in connection with Active Directory. The <command>net
rap</command> operating mode is also supported for some of these operations. RAP protocols are used
by IBM OS/2 and by several earlier SMB servers.
</para>
<para>
Sambas' <command>net</command> tool implements sufficient capability to permit all common administrative
Samba's <command>net</command> tool implements sufficient capability to permit all common administrative
tasks to be completed from the command line. In this section each of the essential user and group management
facilities are explored.
</para>
@ -126,7 +126,7 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
<title>Adding or Creating a New Group</title>
<para>
Before attempting to add a Windows group account the currently available groups can be listed as shown
Before attempting to add a Windows group account, the currently available groups can be listed as shown
here:
<screen>
&rootprompt; net rpc group list -Uroot%not24get
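Review bot: every `net rpc` example in this chapter, beginning with `net rpc group list -Uroot%not24get` here, places the password after `%` on the command line. On a multi-user host that string is visible to any local user in the process list while the command runs, and it ends up in the shell history; since this is the first occurrence, a one-sentence caveat here recommending that the `%password` part be omitted in practice (net then prompts for it) would cover the remaining examples without rewriting them.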
@ -145,7 +145,7 @@ command:
<screen>
&rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get
</screen>
The addition will result in immediate availability of the new group account as validated by executing the
The addition will result in immediate availability of the new group account as validated by executing
this command:
<screen>
&rootprompt; net rpc group list -Uroot%not24get
@ -209,14 +209,14 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
<para>
All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
hosting a Samba server, is implemented using a UID/GID identity tuple. Samba does not in any way over-ride
hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
access the file system must provide a mechanism that maps a Windows user to a particular UNIX/Linux group
access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group
account. The user account must also map to a locally known UID.
</para>
<para>
Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant> and
Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant>, and
<constant>Domain Guests</constant> global groups. Additional groups may be added as shown in the
examples just given. There are times when it is necessary to map an existing UNIX group account
to a Windows group. This operation, in effect, creates a Windows group account as a consequence
@ -224,7 +224,7 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
</para>
<para>
The operations that are permitted includes: <constant>add, modify, delete</constant>. An example
The operations that are permitted include: <constant>add</constant>, <constant>modify</constant>, and <constant>delete</constant>. An example
of each operation is shown here.
</para>
@ -246,8 +246,8 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
</para>
<para>
Two types of Windows groups can be created: <constant>domain (global),</constant> and <constant>local</constant>.
In the above examples the Windows groups created were of type <constant>domain</constant>, or global. The
Two types of Windows groups can be created: <constant>domain (global)</constant> and <constant>local</constant>.
In the previous examples the Windows groups created were of type <constant>domain</constant> or global. The
following command will create a Windows group of type <constant>local</constant>.
<screen>
&rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l
@ -277,13 +277,13 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
<title>Rename Group Accounts</title>
<note><para>
This command is not documented in the man pages, it is implemented in the source code, but it does not
This command is not documented in the man pages; it is implemented in the source code, but it does not
work. The example given documents (from the source code) how it should work. Watch the release notes
of a future release to see when this may have been be fixed.
of a future release to see when this may have been fixed.
</para></note>
<para>
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
demands can be if this simple request is ignored. The following command demonstrates how the Windows group
<quote>SupportEngrs</quote> can be renamed to <quote>CustomerSupport</quote>:
<screen>
@ -300,13 +300,13 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
<title>Manipulating Group Memberships</title>
<para>
Three operations can be performed in respect of group membership. It is possible to (1) add Windows users
to Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
Three operations can be performed regarding group membership. It is possible to (1) add Windows users
to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
members of a Windows group.
</para>
<para>
So as to avoid confusion, it makes sense to check group membership before attempting to make and changes.
To avoid confusion, it makes sense to check group membership before attempting to make any changes.
The <command>getent group</command> will list UNIX/Linux group membership. UNIX/Linux group members are
seen also as members of a Windows group that has been mapped using the <command>net groupmap</command>
command (see <link linkend="groupmapping"/>). The following list of UNIX/Linux group membership shows
@ -338,7 +338,7 @@ Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers
</para>
<para>
Given that the user <constant>ajt</constant> is already a member of the UNIX/Linux group, and via the
Given that the user <constant>ajt</constant> is already a member of the UNIX/Linux group and, via the
group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
demonstrated here:
<screen>
@ -350,8 +350,8 @@ Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
</para>
<para>
To permit the user <constant>ajt</constant> to be added using the <command>net rpc group</command> utility
this account must first be removed. The removal, and confirmation of its effect is shown here:
To permit the user <constant>ajt</constant> to be added using the <command>net rpc group</command> utility,
this account must first be removed. The removal and confirmation of its effect is shown here:
<screen>
&rootprompt; net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
&rootprompt; getent group Engineers
@ -376,9 +376,9 @@ MIDEARTH\ajt
</para>
<para>
In this example the members of the Windows <constant>Domain Users</constant> account is validated using
the <command>net rpc group</command> utility. Note that this contents of the UNIX/Linux group was shown
4 paragraphs earlier. The Windows (domain) group membership is shown here:
In this example the members of the Windows <constant>Domain Users</constant> account are validated using
the <command>net rpc group</command> utility. Note the this contents of the UNIX/Linux group was shown
four paragraphs earlier. The Windows (domain) group membership is shown here:
<screen>
&rootprompt; net rpc group members "Domain Users" -Uroot%not24get
MIDEARTH\jht
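Review bot: the rewrite introduces a typo: `Note the this contents of the UNIX/Linux group was shown` should be `Note that the contents of the UNIX/Linux group were shown`.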
@ -387,8 +387,8 @@ MIDEARTH\ajt
MIDEARTH\met
MIDEARTH\vlendecke
</screen>
The example shown here is an express example that Windows group names are treated by Samba (as with
MS Windows) in a case insensitive manner:
This express example shows that Windows group names are treated by Samba (as with
MS Windows) in a case-insensitive manner:
<screen>
&rootprompt; net rpc group members "DomAiN USerS" -Uroot%not24get
MIDEARTH\jht
@ -413,8 +413,8 @@ MIDEARTH\vlendecke
<title>Nested Group Support</title>
<para>
It is possible in Windows (and now in Samba also) to great a local group that has members (contains)
domain users and domain global groups. Creation of the local group <constant>demo</constant> is
It is possible in Windows (and now in Samba also) to create a local group that has members (contains),
domain users, and domain global groups. Creation of the local group <constant>demo</constant> is
achieved by executing:
<screen>
&rootprompt; net rpc group add demo -L -S MORDON -Uroot%not24get
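Review bot: the added commas in `a local group that has members (contains), domain users, and domain global groups` change the meaning: the original says the local group contains domain users and domain global groups, whereas the new punctuation reads as a three-item list with `members` as the first item. Suggest `a local group whose members are domain users and domain global groups`.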
@ -472,7 +472,7 @@ DOM\jht
<para>
Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
from a system (POSIX) account, or from a pool (range) of UID numbers that is set aside for the purpose
from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose
of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a
particular user will be allocated by <command>winbindd</command>.
</para>
@ -481,7 +481,7 @@ DOM\jht
Although this is not the appropriate place to discuss the <smbconfoption name="username map"/> facility,
this interface is an important method of mapping a Windows user account to a UNIX account that has a
different name. Refer to the man page for the &smb.conf; file for more information regarding this
facility. User name mappings can not be managed using the <command>net</command> utility.
facility. User name mappings cannot be managed using the <command>net</command> utility.
</para>
<sect2 id="sbeuseraddn">
@ -537,7 +537,7 @@ Deleted user account
<title>Managing User Accounts</title>
<para>
Two basic user account operations are routinely used, change of password and querying which groups a user
Two basic user account operations are routinely used: change of password and querying which groups a user
is a member of. The change of password operation is shown in <link linkend="sbeuseraddn"/>.
</para>
@ -562,7 +562,7 @@ Emergency Services
<title>User Mapping</title>
<para>
In some situations it is unavoidable that a users' Windows logon name will differ from the login ID
In some situations it is unavoidable that a user's Windows logon name will differ from the login ID
that user has on the Samba server. It is possible to create a special file on the Samba server that
will permit the Windows user name to be mapped to a different UNIX/Linux user name. The &smb.conf;
file must also be amended so that the <constant>[global]</constant> stanza contains the parameter:
@ -587,21 +587,21 @@ marygee: geeringm
<title>Administering User Rights and Privileges</title>
<para>
With all versions of Samba earlier than 3.0.11 the only account on a Samba server that had the ability
to manage users, groups, shares, printers, etc. is the <constant>root</constant> account. This caused
immense problems for some users and was a frequent source of scorn over the necessity to hand out the
credentials for the most security sensitive account on a UNIX/Linux system.
With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could
manage users, groups, shares, printers, and such was the <constant>root</constant> account. This caused
problems for some users and was a frequent source of scorn over the necessity to hand out the
credentials for the most security-sensitive account on a UNIX/Linux system.
</para>
<para>
New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
a normal user, or to groups of users. The significance of the administrative privileges is documented
a normal user or to groups of users. The significance of the administrative privileges is documented
in <link linkend="rights"/>. Examples of use of the <command>net</command> for user rights and privilege
management is appropriate to this chapter.
</para>
<note><para>
When user rights and privileges are correctly set there is no longer a need for there to be a Windows
When user rights and privileges are correctly set, there is no longer a need for a Windows
network account for the <constant>root</constant> user (nor for any synonym of it) with a UNIX UID=0.
Initial user rights and privileges can be assigned by any account that is a member of the <constant>
Domain Admins</constant> group. Rights can be assigned to user as well as group accounts.
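Review bot: the context line `Examples of use of the <command>net</command> for user rights and privilege management is appropriate to this chapter` pairs a plural subject with a singular verb and is missing the word `command` after the command name; `Examples of the use of the <command>net</command> command for user rights and privilege management are appropriate to this chapter` fixes both while this paragraph is open.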
@ -659,7 +659,7 @@ No privileges assigned
SeDiskOperatorPrivilege -U root%not24get
Successfully granted rights.
</screen>
Next, the domain user <constant>jht</constant> is given the privileges needed for day to day
Next, the domain user <constant>jht</constant> is given the privileges needed for day-to-day
administration:
<screen>
&rootprompt; net rpc rights grant "MIDEARTH\jht" \
@ -713,10 +713,10 @@ SeDiskOperatorPrivilege
<title>Managing Trust Relationships</title>
<para>
There are essentially two types of trust relationships. The first between domain controllers and domain
member machines (network clients), the second trusts between domains (called inter-domain trusts). All
There are essentially two types of trust relationships: the first is between domain controllers and domain
member machines (network clients), the second is between domains (called interdomain trusts). All
Samba servers that participate in domain security require a domain membership trust account, as do like
Windows NT/2KX/XPP workstations.
Windows NT/200x/XP workstations.
</para>
<sect2>
@ -728,7 +728,7 @@ SeDiskOperatorPrivilege
&rootprompt; net rpc testjoin
Join to 'MIDEARTH' is OK
</screen>
Where there is no domain membership account, or when the account credentials are not valid the following
Where there is no domain membership account, or when the account credentials are not valid, the following
results will be observed:
<screen>
net rpc testjoin -S DOLPHIN
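Review bot: the last screen line in this hunk, `net rpc testjoin -S DOLPHIN`, lacks the `&rootprompt;` entity that every other screen example uses; add it for consistency with the `net rpc testjoin` example just above.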
@ -773,7 +773,7 @@ merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\
Joined domain MIDEARTH.
</screen>
Note that the command-line parameter <constant>member</constant> makes this join specific. By default
the type is deduced from the &smb.conf; file configuration. To specifically join as a PDC or BDC the
the type is deduced from the &smb.conf; file configuration. To specifically join as a PDC or BDC, the
command-line parameter will be <constant>[PDC | BDC]</constant>. For example:
<screen>
&rootprompt; net rpc join bdc -S FRODO -Uroot%not24get
@ -792,15 +792,15 @@ Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
</para>
<para>
There is no specific option to remove a machine account from ain NT4 domain. When a domain member that is a
Windows machine is withdrawn from the domain the domain membership account is not automatically removed
There is no specific option to remove a machine account from an NT4 domain. When a domain member that is a
Windows machine is withdrawn from the domain, the domain membership account is not automatically removed
either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
machine account can be removed using the following <command>net</command> command:
<screen>
&rootprompt; net rpc user delete HERRING\$ -Uroot%not24get
Deleted user account.
</screen>
The removal is made possible because machine account are just like user accounts with a trailing $
The removal is made possible because machine accounts are just like user accounts with a trailing $
character. The account management operations treat user and machine accounts in like manner.
</para>
@ -819,22 +819,22 @@ Deleted user account.
&rootprompt; net ads status
</screen>
The volume of information is extensive. Please refer to the book <quote>Samba-3 by Example</quote>,
Chapter 7 for more information regarding its use. This book may be obtained either in print, or on line from
Chapter 7 for more information regarding its use. This book may be obtained either in print or online from
the <ulink url="http://www.samba.org/samba/docs/Samba-Guide.pdf">Samba-Guide</ulink>.
</para>
</sect2>
<sect2>
<title>Inter-Domain Trusts</title>
<title>Interdomain Trusts</title>
<para>
Inter-domain trust relationships form the primary mechanism by which users from one domain can be granted
Interdomain trust relationships form the primary mechanism by which users from one domain can be granted
access rights and privileges in another domain.
</para>
<para>
To discover what trust relationships are in effect execute this command:
To discover what trust relationships are in effect, execute this command:
<screen>
&rootprompt; net rpc trustdom list -Uroot%not24get
Trusted domains list:
@ -845,7 +845,7 @@ Trusting domains list:
none
</screen>
There are no inter-domain trusts at this time, the following steps will create them.
There are no interdomain trusts at this time; the following steps will create them.
</para>
<para>
@ -865,7 +865,7 @@ damnation$:1016:9AC1F121DF897688AAD3B435B51404EE: \
</para>
<para>
If the trusting domain is not capable of being reached the following command will fail
If the trusting domain is not capable of being reached, the following command will fail:
<screen>
&rootprompt; net rpc trustdom list -Uroot%not24get
Trusted domains list:
@ -892,7 +892,7 @@ DAMNATION domain controller is not responding
<para>
Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)
the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This
command achieves the objective of enjoining the trust relationship:
command achieves the objective of joining the trust relationship:
<screen>
&rootprompt; net rpc trustdom establish damnation
Password: xxxxxxx == f00db4r
@ -913,7 +913,7 @@ DAMNATION S-1-5-21-1385457007-882775198-1210191635
</para>
<para>
Sometimes it is necessary to remove the ability for local uses to access a foreign domain. The trusting
Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting
connection can be revoked as shown here:
<screen>
&rootprompt; net rpc trustdom revoke damnation -Uroot%not24get
@ -934,21 +934,21 @@ DAMNATION S-1-5-21-1385457007-882775198-1210191635
<title>Managing Security Identifiers (SIDS)</title>
<para>
The basic security identifier that is used b y all Windows networking operations is the Windows security
The basic security identifier that is used by all Windows networking operations is the Windows security
identifier (SID). All Windows network machines (servers and workstations), users, and groups are
identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
are specific to the SID of the domain to which the user belongs.
</para>
<para>
It is truly prudent to store the machine and/or domain SID in a file for safe-keeping. Why? Because
It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
have the SID on hand it is a simple matter to restore it. The alternative is to suffer the pain of
having to recover user desktop profiles and perhaps re-join all member machines to the domain.
have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
having to recover user desktop profiles and perhaps rejoin all member machines to the domain.
</para>
<para>
First, do not forget to store the local sid in a file. It is a good idea to put this in the directory
First, do not forget to store the local SID in a file. It is a good idea to put this in the directory
in which the &smb.conf; file is also stored. Here is a simple action to achieve this:
<screen>
&rootprompt; net getlocalsid > /etc/samba/my-sid
@ -968,18 +968,18 @@ SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
<para>
If ever it becomes necessary to restore the SID that has been stored in the <filename>my-sid</filename>
file, simply copy the SID (the string of characters that begins with <constant>S-1-5-21</constant>) to
the command-line shown here:
the command line shown here:
<screen>
&rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635
</screen>
Restoration of a machine SID is a simple operation, but the absence of a back-up copy can be very
Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very
problematic.
</para>
<para>
The following operation is useful only for machines that are being configured as a PDC or a BDC.
Domain member servers (DMS) and workstation clients should have their own machine SID to avoid
any potential name-space collision. Here is the way that the BDC SID can be synchronized to that
DMS and workstation clients should have their own machine SID to avoid
any potential namespace collision. Here is the way that the BDC SID can be synchronized to that
of the PDC (this is the default NT4 domain practice also):
<screen>
&rootprompt; net rpc getsid -S FRODO -Uroot%not24get
@ -1007,7 +1007,7 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
</itemizedlist>
<para>
Each of these are dealt with here in so far as they involve the use of the <command>net</command>
Each of these are dealt with here insofar as they involve the use of the <command>net</command>
command. Operations outside of this command are covered elsewhere in this document.
</para>
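Review bot: `Each of these are dealt with here insofar as` still has an agreement error; the rewrite fixed `insofar` on this line but `Each of these` takes a singular verb, so it should read `Each of these is dealt with here insofar as`.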
@ -1018,7 +1018,7 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
A share can be added using the <command>net rpc share</command> command capabilities.
The target machine may be local or remote and is specified by the -S option. It must be noted
that the addition and deletion of shares using this tool depends on the availability of a suitable
interface script. The interface scripts Sambas <command>smbd</command> uses are called:
interface script. The interface scripts Sambas <command>smbd</command> uses are called
<smbconfoption name="add share script"/> and <smbconfoption name="delete share script"/>.
A set of example scripts are provided in the Samba source code tarball in the directory
<filename>~samba/examples/scripts</filename>.
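Review bot: `The interface scripts Sambas <command>smbd</command> uses are called` still lacks the possessive apostrophe (`Samba's`), the same correction this commit makes elsewhere in the chapter (`Sambas'` to `Samba's`); apply it here too while the line is being changed.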
@ -1026,14 +1026,14 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
<para>
The following steps demonstrate the use of the share management capabilities of the <command>net</command>
utility. In the first step a share called <constant>Bulge</constant> is added. The share-point within the
utility. In the first step a share called <constant>Bulge</constant> is added. The sharepoint within the
file system is the directory <filename>/data</filename>. The command that can be executed to perform the
addition of this share is shown here:
<screen>
&rootprompt; net rpc share add Bulge=/data -S MERLIN -Uroot%not24get
</screen>
Validation is an important process, and by executing the command <command>net rpc share</command>
with no other operators a listing of available shares is shown here:
with no other operators it is possible to obtain a listing of available shares, as shown here:
<screen>
&rootprompt; net rpc share -S MERLIN -Uroot%not24get
profdata
@ -1074,23 +1074,23 @@ kyocera
<title>Creating and Changing Share ACLs</title>
<para>
At this time the net tool can not be used to manage ACLs on Samba shares. In MS Windows
language this is called: Share Permissions.
At this time the <command>net</command> tool cannot be used to manage ACLs on Samba shares. In MS Windows
language this is called Share Permissions.
</para>
<para>
It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager,
of using the Computer Management MMC snap-in. Neither will be covered here as this subject is
covered in <link linkend="AccessControls"/>.
It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager
or using the Computer Management MMC snap-in. Neither is covered here,
but see <link linkend="AccessControls"/>.
</para>
</sect2>
<sect2>
<title>Share, Directory and File Migration</title>
<title>Share, Directory, and File Migration</title>
<para>
Shares and files can be migrated in the same manner as user, machine and group accounts.
Shares and files can be migrated in the same manner as user, machine, and group accounts.
It is possible to preserve access control settings (ACLs) as well as security settings
throughout the migration process. The <command>net rpc vampire</command> facility is used
to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process
@ -1099,26 +1099,26 @@ kyocera
</para>
<para>
The <command>net rpc share</command> command may be used to migrate shares, directories
The <command>net rpc share</command> command may be used to migrate shares, directories,
files, printers, and all relevant data from a Windows server to a Samba server.
</para>
<para>
A set of command-line switches permit the creation of almost direct clones of Windows file
servers. For example, when migrating a file-server, file ACLs and DOS file attributes from
the Windows server can be included in the migration process and will reappear, almost identically
servers. For example, when migrating a fileserver, file ACLs and DOS file attributes from
the Windows server can be included in the migration process and will reappear, almost identically,
on the Samba server when the migration has been completed.
</para>
<para>
The migration process can be completed only with the Samba server already being fully operational.
This means that the user and group accounts must be migrated before attempting to migrate data
The user and group accounts must be migrated before attempting to migrate data
share, files, and printers. The migration of files and printer configurations involves the use
of both SMB and MS DCE RPC services. The benefit of the manner in which the migration process has
been implemented, the possibility now exists to use a Samba server as a man-in-middle migration
been implemented is that the possibility now exists to use a Samba server as a man-in-middle migration
service that affects a transfer of data from one server to another. For example, if the Samba
server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
server is called GONZALES, the machine MESSER can be used to affect the migration of all data
server is called GONZALES, the machine MESSER can be used to effect the migration of all data
(files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
server is assumed by default.
</para>
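Review bot: the 'affect' to 'effect' fix at 'used to effect the migration' should also be applied to the earlier sentence in the same paragraph, which still reads 'a man-in-middle migration service that affects a transfer of data'; suggest 'a man-in-the-middle migration service that effects a transfer of data' (adding the missing 'the' as well).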
@ -1134,12 +1134,12 @@ kyocera
<orderedlist>
<listitem><para>
The <command>net</command> command requires that the user credentials provided exist both
on the migration source and the migration target.
The <command>net</command> command requires that the user credentials provided exist on both
the migration source and the migration target.
</para></listitem>
<listitem><para>
Printer settings may not be fully or incorrectly migrated. This might in particular happen
Printer settings may not be fully or may be incorrectly migrated. This might in particular happen
when migrating a Windows 2003 print server to Samba.
</para></listitem>
</orderedlist>
@ -1157,7 +1157,7 @@ kyocera
</para>
<para>
The shares are created on-the-fly as part of the migration process. The <command>smbd</command>
The shares are created on the fly as part of the migration process. The <command>smbd</command>
application does this by calling on the operating system to execute the script specified by the
&smb.conf; parameter <parameter>add share command</parameter>.
</para>
@ -1167,7 +1167,7 @@ kyocera
<filename>$SAMBA_SOURCES/examples/scripts</filename> directory. It should be noted that
the account that is used to drive the migration must, of necessity, have appropriate file system
access privileges and have the right to create shares and to set ACLs on them. Such rights are
conferred by these rights: <parameter>SeAddUsersPrivilege, SeDiskOperatorPrivilege</parameter>.
conferred by these rights: <parameter>SeAddUsersPrivilege</parameter> and <parameter>SeDiskOperatorPrivilege</parameter>.
For more information regarding rights and privileges please refer to <link linkend="rights"/>.
</para>
@ -1187,7 +1187,7 @@ net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
This will migrate the share <constant>myshare</constant> from the server <constant>win2k</constant>
to the Samba Server using the permissions that are tied to the account <constant>administrator</constant>
with the password <constant>secret</constant>. The account that is used must be the same on both the
migration source server, as well as on the target Samba server. The use of the <command>net rpc
migration source server and the target Samba server. The use of the <command>net rpc
vampire</command>, prior to attempting the migration of shares, will ensure that accounts will be
identical on both systems. One precaution worth taking before commencement of migration of shares is
to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
@ -1195,7 +1195,7 @@ net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
<screen>
&rootprompt; net rpc right list accounts -Uroot%not24get
</screen>
The steps taken so far performs only the migration of shares. Directories and directory contents
The steps taken so far perform only the migration of shares. Directories and directory contents
are not migrated by the steps covered up to this point.
</para>
@ -1207,20 +1207,20 @@ net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
<para>
Everything covered to this point has been done in preparation for the migration of file and directory
data. For many people preparation is potentially boring and the real excitement only begins when file
data can be used. The next steps demonstrates the techniques that can be used to transfer (migrate)
data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
data files using the <command>net</command> command.
</para>
<para>
Transfer of files from one server to another has always been a challenge for Microsoft Windows
Transfer of files from one server to another has always been a challenge for MS Windows
administrators because Windows NT and 200X servers do not include the tools needed. The
<command>xcopy</command> is not capable of preserving file and directory ACLs. Microsoft do provide a
<command>xcopy</command> is not capable of preserving file and directory ACLs. Microsoft does provide a
utility that can copy ACLs (security settings) called <command>scopy</command>, but it is provided only
as part of the Windows NT or 200X Server Resource Kit.
</para>
<para>
There are several tools, both commercial and freeware, that can be used from Windows server to copy files
There are several tools, both commercial and freeware, that can be used from a Windows server to copy files
and directories with full preservation of security settings. One of the best known of the free tools is
called <command>robocopy</command>.
</para>
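Review bot: 'The <command>xcopy</command> is not capable of preserving file and directory ACLs' is missing a noun after the command name; suggest 'The <command>xcopy</command> utility is not capable ...', matching the 'utility' wording used for scopy in the next sentence.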
@ -1228,9 +1228,9 @@ net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
<para>
The <command>net</command> utility can be used to copy files and directories with full preservation of
ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination
system will operate within the same security context as the source system. This applies to both a domain
member server (DMS) as well as for domain controllers (DCs) that result from a vampired domain.
Before file and directory migration all shares must already exist.
system will operate within the same security context as the source system. This applies both to a
DMS and to domain controllers that result from a vampired domain.
Before file and directory migration, all shares must already exist.
</para>
<para>
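Review bot: the rewrite drops the expansion of the acronym: the old text read 'a domain member server (DMS)' and the new text uses bare 'DMS', which is not defined anywhere else in this hunk; keep the expansion, e.g. 'This applies both to a domain member server (DMS) and to domain controllers that result from a vampired domain.'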
@ -1247,20 +1247,20 @@ net rpc share MIGRATE FILES &lt;share-name&gt; -S &lt;source&gt;
<para>
Where it is necessary to preserve all file ACLs, the <parameter>--acls</parameter> switch should be added
to the above command line. Original file time stamps can be preserved by specifying the
<parameter>--timestamps</parameter> switch, and the DOS file attributes (i.e.: hidden, archive, etc.) cab
to the above command line. Original file timestamps can be preserved by specifying the
<parameter>--timestamps</parameter> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can
be preserved by specifying the <parameter>--attrs</parameter> switch.
</para>
<note><para>
The ability to preserve ACLs depends on appropriate support for ACLs, as well as the general file system
The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system
semantics of the host operating system on the target server. A migration from one Windows file server to
another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
onto a POSIX ACLs supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
onto a POSIX ACLs-supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
</para></note>
<para>
The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows support
The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows supports
the possibility of files that are owned only by a group. Group-alone file ownership is not possible under
UNIX/Linux. Errors in migrating group-owned files can be avoided by using the &smb.conf; file
<smbconfoption name="force unknown acl user">yes</smbconfoption> parameter. This facility will
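Review bot: 'onto a POSIX ACLs-supporting system' is still awkward after the hyphen was added; suggest 'onto a system that supports POSIX ACLs'. The change from 'Windows support' to 'Windows supports' in the following sentence is correct.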
@ -1277,7 +1277,7 @@ net rpc share MIGRATE FILES &lt;share-name&gt; -S &lt;source&gt;
</para>
<para>
The above command will migrate all files and directories from all file shares on the Windows server called
This command will migrate all files and directories from all file shares on the Windows server called
<constant>nt4box</constant> to the Samba server from which migration is initiated. Files that are group-owned
will be owned by the user account <constant>administrator</constant>.
</para>
@ -1288,8 +1288,8 @@ net rpc share MIGRATE FILES &lt;share-name&gt; -S &lt;source&gt;
<title>Simultaneous Share and File Migration</title>
<para>
This operating mode shown here is just a combination of the two above. It first migrates
share-definitions and then all shared files and directories afterwards:
The operating mode shown here is just a combination of the previous two. It first migrates
share definitions and then all shared files and directories:
<screen>
net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
[--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v]
@ -1312,23 +1312,23 @@ net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
<title>Printer Migration</title>
<para>
The installation of a new server, as with the migration to a new network environment, often has similarity
to the building of a house; progress is very rapid from the laying of foundations up to the stage at which
the the house can be locked-up, but the finishing off appears to take longer and longer as building
The installation of a new server, as with the migration to a new network environment, often is similar to
building a house; progress is very rapid from the laying of foundations up to the stage at which
the the house can be locked up, but the finishing off appears to take longer and longer as building
approaches completion.
</para>
<para>
Printing needs vary greatly depending on the network environment, and may be very simple or complex. If
the need is very simple the best solution to the implementation of printing support may well be to
Printing needs vary greatly depending on the network environment and may be very simple or complex. If
the need is very simple, the best solution to the implementation of printing support may well be to
re-install everything from a clean slate instead of migrating older configurations. On the other hand,
a complex network that is integrated with many international offices and a multiplexity of local branch
offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all
printer configurations is decidedly beneficial. To manually re-establish a complex printing network
will take much time and frustration. Often-times it will not be possible to find driver files that are
currently in use thus necessitating the installation of newer drivers. Newer drivers often implement
will take much time and frustration. Often it will not be possible to find driver files that are
currently in use, necessitating the installation of newer drivers. Newer drivers often implement
printing features that will necessitate a change in the printer usage. Additionally, with very complex
printer configurations it becomes almost impossible to re-create the same environment - not matter
printer configurations it becomes almost impossible to re-create the same environment &smbmdash; no matter
how extensively it has been documented.
</para>
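Review bot: the doubled word in 'the the house can be locked up' survives the rewrite on the third line of the new paragraph; it should read 'the house can be locked up'. In the second paragraph, 'On the other hand, a complex network that is integrated with ... the ability to migrate all printer configurations is decidedly beneficial' leaves 'a complex network' without a verb; suggest 'On the other hand, in a complex network that is integrated with many international offices ..., the ability to migrate all printer configurations is decidedly beneficial.'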
@ -1351,7 +1351,7 @@ net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
<para>
The Samba <command>net</command> utility permits printer migration from one Windows print server
to another. When this tool is used to migrate printers to a Samba server <command>smbd</command>,
the application the receives the network requests to create the necessary services, must call-out
the application that receives the network requests to create the necessary services must call out
to the operating system in order to create the underlying printers. The call-out is implemented
by way of an interface script that can be specified by the &smb.conf; file parameter
<smbconfoption id="add printer script"/>. This script is essential to the migration process.
@ -1363,18 +1363,18 @@ net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
<para>
Each of the components listed above can be completed separately, or they can be completed as part of an
automated operation. Many network administrators prefer to deal with migration issues in a manner that
gives them the most control, particularly when things go wrong. The syntax for each operation will now
be briefly described.
gives them the most control, particularly when things go wrong. The syntax for each operation is now
briefly described.
</para>
<para>
Printer migration from a Windows print server (NT4 or 200X) is shown. This instruction causes the
Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the
printer share to be created together with the underlying print queue:
<screen>
net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
</screen>
Printer drivers can be migrated from the Windows print server to the Samba server using this
command line instruction:
command-line instruction:
<screen>
net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
</screen>
@ -1386,7 +1386,7 @@ net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
<screen>
net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
</screen>
Printer configuration settings include factors such as paper size, default paper orientation, etc.
Printer configuration settings include factors such as paper size and default paper orientation.
These can be migrated from the Windows print server to the Samba server with this command:
<screen>
net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
@ -1394,7 +1394,7 @@ net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
</para>
<para>
Migration of printers including all the above mentioned sets of information may be completed
Migration of printers including the above-mentioned sets of information may be completed
with a single command using this syntax:
<screen>
net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
@ -1409,7 +1409,7 @@ net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
<title>Controlling Open Files</title>
<para>
The man page documents the <command>net file</command> function suite. These ability is provided to
The man page documents the <command>net file</command> function suite, which provides the tools to
close open files using either RAP or RPC function calls. Please refer to the man page for specific
usage information.
</para>
@ -1446,8 +1446,8 @@ Computer User name Client Type Opens Idle time
<title>Printers and ADS</title>
<para>
When Samba-3 is used within as MS Windows ADS environment printers shared via Samba will not be browseable
until they have been published to the ADS domain. Information regarding published printers my be obtained
When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable
until they have been published to the ADS domain. Information regarding published printers may be obtained
from the ADS server by executing the <command>net ads print info</command> command following this syntax:
<screen>
net ads printer info &lt;printer_name&gt; &lt;server_name&gt; -Uadministrator%secret
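Review bot: the prose and the example disagree on the subcommand name: the text says 'the <command>net ads print info</command> command' while the <screen> shows 'net ads printer info'; the <screen> form matches the 'net ads printer publish' and 'net ads printer search' examples that follow, so change the prose to 'net ads printer info'.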
@ -1457,7 +1457,7 @@ net ads printer info &lt;printer_name&gt; &lt;server_name&gt; -Uadministrator%se
</para>
<para>
To publish (make available) a printer to ADS execute the following command:
To publish (make available) a printer to ADS, execute the following command:
<screen>
net ads printer publish &lt;printer_name&gt; -Uadministrator%secret
</screen>
@ -1484,17 +1484,17 @@ net ads printer search &lt;printer_name&gt; -Uadministrator%secret
<title>Manipulating the Samba Cache</title>
<para>
Please refer to the net command man page for information regarding cache management.
Please refer to the <command>net</command> command man page for information regarding cache management.
</para>
</sect1 id="netmisc1">
</sect1>
<sect1>
<sect1 id="netmisc1">
<title>Other Miscellaneous Operations</title>
<para>
The following command is useful for obtaining basic statistics regarding a Samba domain. This command does
not work against current Windows XP Professional clients.
not work with current Windows XP Professional clients.
<screen>
&rootprompt; net rpc info
Domain Name: RAPIDFLY
@ -1514,7 +1514,7 @@ Num local groups: 6
Tue May 17 00:50:43 2005
</screen>
In the event that it is the intent to pass the time information obtained to the UNIX
<command>/bin/time</command> it is a good idea to obtain the time from the target server in a format
<command>/bin/time</command>, it is a good idea to obtain the time from the target server in a format
that is ready to be passed through. This may be done by executing:
<screen>
&rootprompt; net time system -S FRODO
@ -1525,7 +1525,7 @@ Tue May 17 00:50:43 2005
&rootprompt; net time set -S MAGGOT -U Administrator%not24get
Tue May 17 00:55:30 MDT 2005
</screen>
It is possible to obtain the time-zone a server is in by executing the following command against it:
It is possible to obtain the time zone of a server by executing the following command against it:
<screen>
&rootprompt; net time zone -S SAURON
-0600

@ -22,8 +22,8 @@
<para>
Every industry eventually matures. One of the great areas of maturation is in
the focus that has been given over the past decade to make it possible for anyone
anywhere to use a computer. It has not always been that way, in fact, not so long
ago it was common for software to be written for exclusive use in the country of
anywhere to use a computer. It has not always been that way. In fact, not so long
ago, it was common for software to be written for exclusive use in the country of
origin.
</para>
@ -36,8 +36,8 @@ is deserving of special mention.
<para>
Samba-2.x supported a single locale through a mechanism called
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly trans-global
file and printer-sharing platform.
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly transglobal
file- and printer-sharing platform.
</para>
</sect1>
@ -46,7 +46,7 @@ file and printer-sharing platform.
<title>What Are Charsets and Unicode?</title>
<para>
Computers communicate in numbers. In texts, each number will be
Computers communicate in numbers. In texts, each number is
translated to a corresponding letter. The meaning that will be assigned
to a certain number depends on the <emphasis>character set (charset)
</emphasis> that is used.
@ -58,21 +58,21 @@ letters. Not all computers use the same charset (there are charsets
with German umlauts, Japanese characters, and so on). The American Standard Code
for Information Interchange (ASCII) encoding system has been the normative character
encoding scheme used by computers to date. This employs a charset that contains
256 characters. Using this mode of encoding each character takes exactly one byte.
256 characters. Using this mode of encoding, each character takes exactly one byte.
</para>
<para>
There are also charsets that support extended characters, but those need at least
twice as much storage space as does ASCII encoding. Such charsets can contain
<command>256 * 256 = 65536</command> characters, which is more than all possible
characters one could think of. They are called multi-byte charsets because they use
characters one could think of. They are called multibyte charsets because they use
more then one byte to store one character.
</para>
<para>
One standardized multi-byte charset encoding scheme is known as
One standardized multibyte charset encoding scheme is known as
<ulink url="http://www.unicode.org/">unicode</ulink>. A big advantage of using a
multi-byte charset is that you only need one. There is no need to make sure two
multibyte charset is that you only need one. There is no need to make sure two
computers use the same charset when they are communicating.
</para>
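Review bot: two issues remain in the unchanged context of this hunk: 'more then one byte' should be 'more than one byte', and the statement that ASCII 'employs a charset that contains 256 characters' is inaccurate, since ASCII is a 7-bit code with 128 characters; the 256-character, one-byte-per-character sets are its 8-bit extensions (the codepages discussed in the next paragraph). Suggest rewording to say that 8-bit single-byte charsets, of which ASCII forms the first 128 positions, contain 256 characters.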
@ -80,7 +80,7 @@ computers use the same charset when they are communicating.
<parameter>codepages</parameter>, by Microsoft. However, there is no support for
negotiating the charset to be used in the SMB/CIFS protocol. Thus, you
have to make sure you are using the same charset when talking to an older client.
Newer clients (Windows NT, 200x, XP) talk unicode over the wire.
Newer clients (Windows NT, 200x, XP) talk Unicode over the wire.
</para>
</sect1>
@ -88,7 +88,7 @@ Newer clients (Windows NT, 200x, XP) talk unicode over the wire.
<title>Samba and Charsets</title>
<para>
As of Samba-3, Samba can (and will) talk unicode over the wire. Internally,
As of Samba-3, Samba can (and will) talk Unicode over the wire. Internally,
Samba knows of three kinds of character sets:
</para>
@ -98,15 +98,15 @@ Samba knows of three kinds of character sets:
<listitem><para>
This is the charset used internally by your operating system.
The default is <constant>UTF-8</constant>, which is fine for most
systems, which covers all characters in all languages. The default
systems and covers all characters in all languages. The default
in previous Samba releases was to save filenames in the encoding of the
clients, for example cp850 for western european countries.
clients &smbmdash; for example, cp850 for Western European countries.
</para></listitem>
</varlistentry>
<varlistentry>
<term><smbconfoption name="display charset"/></term>
<listitem><para>This is the charset Samba will use to print messages
<listitem><para>This is the charset Samba uses to print messages
on your screen. It should generally be the same as the <parameter>unix charset</parameter>.
</para></listitem>
</varlistentry>
@ -114,7 +114,7 @@ Samba knows of three kinds of character sets:
<varlistentry>
<term><smbconfoption name="dos charset"/></term>
<listitem><para>This is the charset Samba uses when communicating with
DOS and Windows 9x/Me clients. It will talk unicode to all newer clients.
DOS and Windows 9x/Me clients. It will talk Unicode to all newer clients.
The default depends on the charsets you have installed on your system.
Run <command>testparm -v | grep &quot;dos charset&quot;</command> to see
what the default is on your system.
@ -152,29 +152,29 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<listitem><para> Mainly for historical reasons, there are several encoding methods in
Japanese, which are not fully compatible with each other. There are
two major encoding methods. One is the Shift_JIS series, it is used in Windows
and some UNIX's. The other is the EUC-JP series, used in most UNIX's
two major encoding methods. One is the Shift_JIS series used in Windows
and some UNIXes. The other is the EUC-JP series used in most UNIXes
and Linux. Moreover, Samba previously also offered several unique encoding
methods, named CAP and HEX, to keep interoperability with CAP/NetAtalk and
UNIX's which can't use Japanese filenames. Some implementations of the
UNIXes that can't use Japanese filenames. Some implementations of the
EUC-JP series can't support the full Windows character set.
</para></listitem>
<listitem><para>There are some code conversion tables between Unicode and legacy
Japanese character sets. One is compatible with Windows, another one
is based on the reference of the Unicode consortium and others are
is based on the reference of the Unicode consortium, and others are
a mixed implementation. The Unicode consortium does not officially
define any conversion tables between Unicode and legacy character
sets so there cannot be standard one.
sets, so there cannot be standard one.
</para></listitem>
<listitem><para>The character set and conversion tables available in iconv() depends
<listitem><para>The character set and conversion tables available in iconv() depend
on the iconv library that is available. Next to that, the Japanese locale
names may be different on different systems. This means that the value of
the charset parameters depends on the implementation of iconv() you are using.
</para>
<para>Though 2 byte fixed UCS-2 encoding is used in Windows internally,
<para>Though 2-byte fixed UCS-2 encoding is used in Windows internally,
Shift_JIS series encoding is usually used in Japanese environments
as ASCII encoding is in English environments.
</para></listitem>
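Review bot: 'so there cannot be standard one' is still missing an article after the comma was added; it should read 'so there cannot be a standard one'.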
@ -183,7 +183,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<sect2><title>Basic Parameter Setting</title>
<para>
<smbconfoption name="dos charset"/> and
The <smbconfoption name="dos charset"/> and
<smbconfoption name="display charset"/>
should be set to the locale compatible with the character set
and encoding method used on Windows. This is usually CP932
@ -191,13 +191,13 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
</para>
<para>
<smbconfoption name="unix charset"/> can be either Shift_JIS series,
EUC-JP series and UTF-8. UTF-8 is always available but the availability of other locales
and its name itself depends on the system.
The <smbconfoption name="unix charset"/> can be either Shift_JIS series,
EUC-JP series, or UTF-8. UTF-8 is always available, but the availability of other locales
and the name itself depends on the system.
</para>
<para>
Additionally, you can consider to use the Shift_JIS series as the
Additionally, you can consider using the Shift_JIS series as the
value of the <smbconfoption name="unix charset"/>
parameter by using the vfs_cap module, which does the same thing as
setting <quote>coding system = CAP</quote> in the Samba 2.2 series.
@ -205,40 +205,40 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<para>
Where to set <smbconfoption name="unix charset"/>
to is a difficult question. Here is a list of details, advantages and
to is a difficult question. Here is a list of details, advantages, and
disadvantages of using a certain value.
</para>
<variablelist>
<varlistentry><term>Shift_JIS series</term>
<listitem><para>
Shift_JIS series means a locale which is equivalent to <constant>Shift_JIS</constant>,
Shift_JIS series means a locale that is equivalent to <constant>Shift_JIS</constant>,
used as a standard on Japanese Windows. In the case of <constant>Shift_JIS</constant>,
for example if a Japanese file name consist of 0x8ba4 and 0x974c
(a 4 bytes Japanese character string meaning <quote>share</quote>) and <quote>.txt</quote>
is written from Windows on Samba, the file name on UNIX becomes
0x8ba4, 0x974c, <quote>.txt</quote> (a 8 bytes BINARY string), same as Windows.
for example, if a Japanese filename consists of 0x8ba4 and 0x974c
(a 4-bytes Japanese character string meaning <quote>share</quote>) and <quote>.txt</quote>
is written from Windows on Samba, the filename on UNIX becomes
0x8ba4, 0x974c, <quote>.txt</quote> (an 8-byte BINARY string), same as Windows.
</para>
<para>Since Shift_JIS series is usually used on some commercial based
UNIX's; hp-ux and AIX as Japanese locale (however, it is also possible
to use the EUC-JP series), To use Shift_JIS series on these platforms,
Japanese file names created from Windows can be referred to also on
<para>Since Shift_JIS series is usually used on some commercial-based
UNIXes; hp-ux and AIX as the Japanese locale (however, it is also possible
to use the EUC-JP locale series). To use Shift_JIS series on these platforms,
Japanese filenames created from Windows can be referred to also on
UNIX.</para>
<para>
If your UNIX is already working with Shift_JIS and there is a user
who needs to use Japanese file names written from Windows, the
Shift_JIS series is the best choice. However, broken file names
may be displayed and some commands which cannot handle non-ASCII
filenames may be aborted during parsing filenames. especially there
may be <quote>\ (0x5c)</quote> in file names, which need to be handled carefully.
So you had better not touch file names written from Windows on UNIX.
who needs to use Japanese filenames written from Windows, the
Shift_JIS series is the best choice. However, broken filenames
may be displayed, and some commands that cannot handle non-ASCII
filenames may be aborted during parsing filenames. Especially, there
may be <quote>\ (0x5c)</quote> in filenames, which need to be handled carefully.
It is best to not touch filenames written from Windows on UNIX.
</para>
<para>
Note that most Japanized free software actually works with EUC-JP
only. You had better verify if the Japanized free software can work
only. It is good practice to verify that the Japanized free software can work
with Shift_JIS.
</para>
</listitem>
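Review bot: '(a 4-bytes Japanese character string ...' should be '(a 4-byte ...', consistent with 'an 8-byte BINARY string' two lines later. The sentence beginning 'Since Shift_JIS series is usually used on some commercial-based UNIXes; hp-ux and AIX as the Japanese locale (...)' is still a fragment with no main clause; suggest 'Shift_JIS series is usually used as the Japanese locale on some commercial UNIXes, such as HP-UX and AIX (although EUC-JP series can also be used there). By using Shift_JIS series on these platforms, Japanese filenames created from Windows can also be referred to on UNIX.'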
@ -246,58 +246,51 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<varlistentry><term>EUC-JP series</term>
<listitem><para>
EUC-JP series means a locale which is equivalent to the industry
EUC-JP series means a locale that is equivalent to the industry
standard called EUC-JP, widely used in Japanese UNIX (although EUC
contains specifications for languages other than Japanese, such as
EUC-KR). In the case of EUC-JP series, for example if a Japanese
file name consist of 0x8ba4 and 0x974c and <quote>.txt</quote> is written from
Windows on Samba, the file name on UNIX becomes 0xb6a6, 0xcdad,
<quote>.txt</quote> (a 8 bytes BINARY string).
EUC-KR). In the case of EUC-JP series, for example, if a Japanese
filename consists of 0x8ba4 and 0x974c and <quote>.txt</quote> is written from
Windows on Samba, the filename on UNIX becomes 0xb6a6, 0xcdad,
<quote>.txt</quote> (an 8-byte BINARY string).
</para>
<para>
Since EUC-JP is usually used on Open source UNIX, Linux and FreeBSD,
and on commercial based UNIX, Solaris, IRIX and Tru64 UNIX as
Japanese locale (however, it is also possible on Solaris to use
Shift_JIS and UTF-8, on Tru64 UNIX to use Shift_JIS). To use EUC-JP
series, most Japanese file names created from Windows can be
referred to also on UNIX. Also, most Japanized free software work
mainly with EUC-JP only.
Since EUC-JP is usually used on open source UNIX, Linux, and FreeBSD, and on commercial-based UNIX, Solaris,
IRIX, and Tru64 UNIX as Japanese locale (however, it is also possible on Solaris to use Shift_JIS and UTF-8,
and on Tru64 UNIX it is possible to use Shift_JIS). To use EUC-JP series, most Japanese filenames created from
Windows can be referred to also on UNIX. Also, most Japanized free software work mainly with EUC-JP only.
</para>
<para>
It is recommended to choose EUC-JP series when using Japanese file
names on these UNIX.
It is recommended to choose EUC-JP series when using Japanese filenames on UNIX.
</para>
<para>
Although there is no character which needs to be carefully treated
like <quote>\ (0x5c)</quote>, broken file names may be displayed and some
commands which cannot handle non-ASCII filenames may be aborted
Although there is no character that needs to be carefully treated
like <quote>\ (0x5c)</quote>, broken filenames may be displayed and some
commands that cannot handle non-ASCII filenames may be aborted
during parsing filenames.
</para>
<para>
Moreover, if you built Samba using differently installed libiconv,
eucJP-ms locale included in libiconv and EUC-JP series locale
included in OS may not be compatible. In this case, you may need to
avoid using incompatible characters for file names.
the eucJP-ms locale included in libiconv and EUC-JP series locale
included in the operating system may not be compatible. In this case, you may need to
avoid using incompatible characters for filenames.
</para>
</listitem>
</varlistentry>
<varlistentry><term>UTF-8</term>
<listitem><para>
UTF-8 means a locale which is equivalent to UTF-8, the international
standard defined by Unicode consortium. In UTF-8, a <parameter>character</parameter> is
expressed using 1-3 bytes. In case of Japanese, most characters
are expressed using 3 bytes. Since on Windows Shift_JIS, where a
character is expressed with 1 or 2 bytes, is used to express
Japanese, basically a byte length of a UTF-8 string grows 1.5 times
the length of a original Shift_JIS string. In the case of UTF-8,
for example if a Japanese file name consist of 0x8ba4 and 0x974c and
<quote>.txt</quote> is written from Windows on Samba, the file name on UNIX
becomes 0xe585, 0xb1e6, 0x9c89, <quote>.txt</quote> (a 10 bytes BINARY string).
UTF-8 means a locale equivalent to UTF-8, the international standard defined by the Unicode consortium. In
UTF-8, a <parameter>character</parameter> is expressed using 1 to 3 bytes. In case of the Japanese language,
most characters are expressed using 3 bytes. Since on Windows Shift_JIS, where a character is expressed with 1
or 2 bytes is used to express Japanese, basically a byte length of a UTF-8 string the length of the UTF-8
string is 1.5 times that of the original Shift_JIS string. In the case of UTF-8, for example, if a Japanese
filename consists of 0x8ba4 and 0x974c, and <quote>.txt</quote> is written from Windows on Samba, the filename
on UNIX becomes 0xe585, 0xb1e6, 0x9c89, <quote>.txt</quote> (a 10-byte BINARY string).
</para>
<para>
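Review bot: the rewritten UTF-8 paragraph still carries a fragment of the old sentence, "basically a byte length of a UTF-8 string the length of the UTF-8 string is 1.5 times that of the original Shift_JIS string", where "the length of the UTF-8 string" is duplicated; suggest "so the byte length of a UTF-8 string is roughly 1.5 times that of the original Shift_JIS string". The preceding clause "Since on Windows Shift_JIS, where a character is expressed with 1 or 2 bytes is used to express Japanese" also needs a comma after "bytes" to close the parenthetical. In the EUC-JP part, "when using Japanese filenames on UNIX" drops "these" from the old text, which pointed at the systems just listed; "on these UNIX systems" keeps that reference.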
@ -306,28 +299,29 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
</para>
<para>
There are no systems that use UTF-8 as default locale for Japanese.
There are no systems that use UTF-8 as the default locale for Japanese.
</para>
<para>
Some broken file names may be displayed and some commands which
Some broken filenames may be displayed, and some commands that
cannot handle non-ASCII filenames may be aborted during parsing
filenames. especially there may be <quote>\ (0x5c)</quote> in file names, which
need to be handled carefully. So you had better not touch file names
filenames. Especially, there may be <quote>\ (0x5c)</quote> in filenames, which
must be handled carefully, so you had better not touch filenames
written from Windows on UNIX.
</para>
<para>
In addition, although it is not directly concerned with Samba, since
there is a delicate difference between iconv() function, which is
generally used on UNIX and the functions used on other platforms,
such as Windows and Java about the conversion table between
Shift_JIS and Unicode, you should be carefully to handle UTF-8.
there is a delicate difference between the iconv() function, which is
generally used on UNIX, and the functions used on other platforms,
such as Windows and Java, so far is concerens the conversion between
Shift_JIS and Unicode UTF-8 must be done with care and recognition
of the limitations involved in the process.
</para>
<para>
Although Mac OS X uses UTF-8 as its encoding method for filenames,
it uses an extended UTF-8 specification that Samba cannot handle so
it uses an extended UTF-8 specification that Samba cannot handle, so
UTF-8 locale is not available for Mac OS X.
</para>
</listitem>
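Review bot: the new sentence in the UTF-8 caveat paragraph, "so far is concerens the conversion between Shift_JIS and Unicode UTF-8 must be done with care", has a typo ("concerens") and does not parse; suggest "... such as Windows and Java, as far as the conversion between Shift_JIS and Unicode is concerned, UTF-8 must be handled with care and with recognition of the limitations involved in the process."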
@ -335,43 +329,44 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<varlistentry><term>Shift_JIS series + vfs_cap (CAP encoding)</term>
<listitem><para>
CAP encoding means a specification using in CAP and NetAtalk, file
CAP encoding means a specification used in CAP and NetAtalk, file
server software for Macintosh. In the case of CAP encoding, for
example if a Japanese file name consist of 0x8ba4 and 0x974c and
<quote>.txt</quote> is written from Windows on Samba, the file name on UNIX
example, if a Japanese filename consists of 0x8ba4 and 0x974c, and
<quote>.txt</quote> is written from Windows on Samba, the filename on UNIX
becomes <quote>:8b:a4:97L.txt</quote> (a 14 bytes ASCII string).
</para>
<para>
For CAP encoding a byte which cannot be expressed as an ASCII
character (0x80 or above) is encoded as <quote>:xx</quote> form. You need to take
care of containing a <quote>\(0x5c)</quote> in a filename but filenames are not
broken in a system which cannot handle non-ASCII filenames.
For CAP encoding, a byte that cannot be expressed as an ASCII
character (0x80 or above) is encoded in an <quote>:xx</quote> form. You need to take
care of containing a <quote>\(0x5c)</quote> in a filename, but filenames are not
broken in a system that cannot handle non-ASCII filenames.
</para>
<para>
The greatest merit of CAP encoding is the compatibility of encoding
filenames with CAP or NetAtalk, file server software of Macintosh.
Since they usually write a file name on UNIX with CAP encoding, if a
filenames with CAP or NetAtalk. These are respectively the Columbia Appletalk
Protocol, and the NetAtalk Open Source software project.
Since these software applications write a file name on UNIX with CAP encoding, if a
directory is shared with both Samba and NetAtalk, you need to use
CAP encoding to avoid non-ASCII filenames are broken.
CAP encoding to avoid non-ASCII filenames from being broken.
</para>
<para>
However, recently there are some systems where NetAtalk has been
patched to write filenames with EUC-JP (i.e. Japanese original Vine Linux).
Here you need to choose EUC-JP series instead of CAP encoding.
However, recently, NetAtalk has been
patched on some systems to write filenames with EUC-JP (e.g., Japanese original Vine Linux).
In this case, you need to choose EUC-JP series instead of CAP encoding.
</para>
<para>
vfs_cap itself is available for non Shift_JIS series locales for
systems which cannot handle non-ASCII characters or systems which
shares files with NetAtalk.
vfs_cap itself is available for non-Shift_JIS series locales for
systems that cannot handle non-ASCII characters or systems that
share files with NetAtalk.
</para>
<para>
To use CAP encoding on Samba-3, you should use the unix charset parameter and VFS
as follows:
as in Example 29.5.1:
</para>
<example><title>VFS CAP</title>
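Review bot: "as in Example 29.5.1:" hard-codes a generated example number into the DocBook source; chapters and examples renumber, so give the VFS CAP example an id and reference it with a <link linkend="..."> as the rest of this page does. The CAP example still reads "(a 14 bytes ASCII string)" while the sibling EUC-JP and UTF-8 examples in this change were made "8-byte" and "10-byte"; make it "(a 14-byte ASCII string)" for consistency. The added expansion "Columbia Appletalk Protocol" should be checked before it ships: CAP is usually expanded as the Columbia AppleTalk Package, and "AppleTalk" is the usual capitalization.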
@ -387,7 +382,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
</example>
<para>
You should set CP932 if using GNU libiconv for unix charset. Setting this,
You should set CP932 if using GNU libiconv for unix charset. With this setting,
filenames in the <quote>cap-share</quote> share are written with CAP encoding.
</para>
</listitem>
@ -426,8 +421,8 @@ display charset = CP932
</programlisting>
<para>
Other Japanese locales (for example Shift_JIS and EUC-JP) should not
be used for the lack of the compatibility with Windows.
Other Japanese locales (for example, Shift_JIS and EUC-JP) should not
be used because of the lack of the compatibility with Windows.
</para>
</listitem>
</varlistentry>
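Review bot: "because of the lack of the compatibility with Windows" keeps a stray "the"; suggest "because of their lack of compatibility with Windows". The identical sentence is changed the same way in the next hunk and should get the same fix.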
@ -449,8 +444,8 @@ display charset = CP932
</smbconfblock>
<para>
Other Japanese locales (for example Shift_JIS and EUC-JP) should not
be used for the lack of the compatibility with Windows.
Other Japanese locales (for example, Shift_JIS and EUC-JP) should not
be used because of the lack of the compatibility with Windows.
</para>
</listitem>
</varlistentry>
@ -462,9 +457,10 @@ display charset = CP932
<title>Migration from Samba-2.2 Series</title>
<para>
Prior to Samba-2.2 series <quote>coding system</quote> parameter is used as
<smbconfoption name="unix charset"/> parameter of the Samba-3 series.
<link linkend="japancharsets">Next table</link> shows the mapping table when migrating from the Samba-2.2 series to Samba-3.
Prior to Samba-2.2 series, the <quote>coding system</quote> parameter was used. The default codepage in Samba
2.x was code page 850. In the Samba-3 series this has been replaced with the <smbconfoption name="unix
charset"/> parameter. <link linkend="japancharsets">Japanese Character Sets in Samba-2.2 and Samba-3</link>
shows the mapping table when migrating from the Samba-2.2 series to Samba-3.
</para>
<table frame="all" id="japancharsets">
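Review bot: the attribute value in <smbconfoption name="unix charset"/> is now split across a line break inside the quotes; XML attribute-value normalization turns the newline into a space, so it will probably still resolve, but any tooling that matches the literal name will miss it, so keep name="unix charset" on one line. The added sentence "The default codepage in Samba 2.x was code page 850" is new information rather than a copyedit, and it is not clear how it relates to the "coding system" parameter being discussed; either connect it to that parameter explicitly or drop it from this migration note.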
@ -501,12 +497,16 @@ Prior to Samba-2.2 series <quote>coding system</quote> parameter is used as
<para><quote>Samba is complaining about a missing <filename>CP850.so</filename> file.</quote></para>
<para><emphasis>Answer:</emphasis> CP850 is the default <smbconfoption name="dos charset"/>.
The <smbconfoption name="dos charset"/> is used to convert data to the codepage used by your dos clients.
If you do not have any dos clients, you can safely ignore this message. </para>
<para>
CP850 is the default <smbconfoption name="dos charset"/>.
The <smbconfoption name="dos charset"/> is used to convert data to the codepage used by your DOS clients.
If you do not have any DOS clients, you can safely ignore this message. </para>
<para>CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed.
If you compiled Samba from source, make sure to configure found iconv.</para>
<para>
CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed.
If you compiled Samba from source, make sure that the configure process found iconv. This can be
confirmed by checking the <filename>config.log</filename> file that is generated when
<command>configure</command> is executed.</para>
</sect2>
</sect1>
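Review bot: the <emphasis>Answer:</emphasis> label was dropped when the answer paragraph was split in two, while the question above it is still rendered as a <quote>; if the other entries in this question-and-answer section keep the "Answer:" label, this one should too, otherwise the reader loses the cue that the paragraph is the answer.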

View File

@ -28,7 +28,7 @@
&author.jelmer;
&author.jht;
<pubdate>27 June 2002</pubdate>
<pubdate>June 15, 2005</pubdate>
</chapterinfo>
<title>Winbind: Use of Domain Accounts</title>
@ -52,9 +52,9 @@
<para>
<emphasis>winbind</emphasis> is a component of the Samba suite of programs that
solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to
allow Windows NT domain users to appear and operate as UNIX users on a UNIX
machine. This chapter describes the Winbind system, explaining the functionality
machine. This chapter describes the Winbind system, the functionality
it provides, how it is configured, and how it works internally.
</para>
@ -75,11 +75,11 @@
<listitem><para>
Winbind maintains a database called winbind_idmap.tdb in which it stores
mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stored the UID/GID
mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stores the UID/GID
allocated from the idmap uid/gid range that it has mapped to the NT SID.
If <parameter>idmap backend</parameter> has been specified as <constant>ldap:ldap://hostname[:389]</constant>
then instead of using a local mapping Winbind will obtain this information
If <parameter>idmap backend</parameter> has been specified as <constant>ldap:ldap://hostname[:389]</constant>,
then instead of using a local mapping, Winbind will obtain this information
from the LDAP database.
</para></listitem>
</itemizedlist>
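Review bot: "mappings between UNIX UIDs, GIDs, and NT SIDs" reads as a three-way relation, whereas the old wording "between UNIX UIDs / GIDs and NT SIDs" described a two-sided mapping with a UID or GID on one side and a SID on the other; suggest "mappings between UNIX UIDs or GIDs and NT SIDs".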
@ -89,8 +89,8 @@
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
If <command>winbindd</command> is not running, smbd (which calls <command>winbindd</command>) will fall back to
using purely local information from <filename>/etc/passwd</filename> and <filename>/etc/group</filename> and no dynamic
mapping will be used. On an operating system that has beeb enabled with the name service switcher (NSS)
the resoltion of user and group information will be accomplished via NSS.
mapping will be used. On an operating system that has beeb enabled with the NSS,
the resolution of user and group information will be accomplished via NSS.
</para></note>
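Review bot: the typo "beeb" survives in the new line "On an operating system that has beeb enabled with the NSS"; it should be "been", and "enabled with the NSS" would read better as "that has NSS enabled".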
@ -114,8 +114,8 @@
<para>One common solution in use today has been to create
identically named user accounts on both the UNIX and Windows systems
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect, however, as
adding and deleting users on both sets of machines becomes a chore
between the two. This solution is far from perfect, however, because
adding and deleting users on both sets of machines becomes a chore,
and two sets of passwords are required &smbmdash; both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</para>
@ -150,18 +150,18 @@
<para>Winbind unifies UNIX and Windows NT account management by
allowing a UNIX box to become a full member of an NT domain. Once
this is done the UNIX box will see NT users and groups as if
this is done, the UNIX box will see NT users and groups as if
they were <quote>native</quote> UNIX users and groups, allowing the NT domain
to be used in much the same manner that NIS+ is used within
UNIX-only environments.</para>
<para>The end result is that whenever a
program on the UNIX machine asks the operating system to lookup
program on the UNIX machine asks the operating system to look up
a user or group name, the query will be resolved by asking the
NT Domain Controller for the specified domain to do the lookup.
NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library), this
redirection to the NT Domain Controller is completely
redirection to the NT domain controller is completely
transparent.</para>
<para>Users on the UNIX machine can then use NT user and group
@ -171,16 +171,16 @@
<para>The only obvious indication that Winbind is being used is
that user and group names take the form <constant>DOMAIN\user</constant> and
<constant>DOMAIN\group</constant>. This is necessary as it allows Winbind to determine
that redirection to a Domain Controller is wanted for a particular
<constant>DOMAIN\group</constant>. This is necessary because it allows Winbind to determine
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</para>
<para>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
that hooks into the PAM system
to provide authentication via an NT domain to any PAM-enabled
applications. This capability solves the problem of synchronizing
passwords between systems since all passwords are stored in a single
location (on the Domain Controller).</para>
passwords between systems, since all passwords are stored in a single
location (on the domain controller).</para>
<sect2>
<title>Target Uses</title>
@ -216,9 +216,9 @@
</para>
<para>
Response: <quote>Why? I've used samba with workstations that are not part of my domains
lots of times without using winbind. I though winbind was for using samba as a memberserver
in a domain controlled by another samba/windows PDC.</quote>
Response: <quote>Why? I've used Samba with workstations that are not part of my domains
lots of times without using winbind. I though winbind was for using Samba as a member server
in a domain controlled by another Samba/Windows PDC.</quote>
</para>
<para>
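Review bot: "I though winbind was for using Samba" in the quoted response still has the typo "though" for "thought"; since this hunk already edits the quote to capitalize Samba, fixing the typo in the same pass is consistent.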
@ -229,9 +229,9 @@
</para>
<para>
Which means that that winbind is eminently useful in cases where one just has a single
Samba PDC on a local network combined of both domain member and non-domain member workstations.
If winbind is not used, the user george on an windows workstation that is not a domain
This means that winbind is eminently useful in cases where a single
Samba PDC on a local network is combined with both domain member and non-domain member workstations.
If winbind is not used, the user george on a Windows workstation that is not a domain
member will be able to access the files of a user called george in the account database
of the Samba server that is acting as a PDC. When winbind is used, the default condition
is that the local user george will be treated as the account DOMAIN\george and the
@ -248,10 +248,10 @@
<title>How Winbind Works</title>
<para>The Winbind system is designed around a client/server
architecture. A long running <command>winbindd</command> daemon
architecture. A long-running <command>winbindd</command> daemon
listens on a UNIX domain socket waiting for requests
to arrive. These requests are generated by the NSS and PAM
clients and is processed sequentially.</para>
clients and are processed sequentially.</para>
<para>The technologies used to implement Winbind are described
in detail below.</para>
@ -263,7 +263,7 @@
by various Samba Team members to decode various aspects of
the Microsoft Remote Procedure Call (MSRPC) system. This
system is used for most network-related operations between
Windows NT machines including remote management, user authentication
Windows NT machines, including remote management, user authentication,
and print spooling. Although initially this work was done
to aid the implementation of Primary Domain Controller (PDC)
functionality in Samba, it has also yielded a body of code that
@ -282,9 +282,9 @@
<para>
Since late 2001, Samba has gained the ability to
interact with Microsoft Windows 2000 using its <quote>Native
Mode</quote> protocols, rather than the NT4 RPC services.
Using LDAP and Kerberos, a Domain Member running
interact with Microsoft Windows 2000 using its <quote>native
mode</quote> protocols rather than the NT4 RPC services.
Using LDAP and Kerberos, a domain member running
Winbind can enumerate users and groups in exactly the
same way as a Windows 200x client would, and in so doing
provide a much more efficient and effective Winbind implementation.
@ -294,32 +294,32 @@
<sect2>
<title>Name Service Switch</title>
<para>The Name Service Switch, or NSS, is a feature that is
<para>The NSS is a feature that is
present in many UNIX operating systems. It allows system
information such as hostnames, mail aliases and user information
information such as hostnames, mail aliases, and user information
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
flat files stored on the local filesystem. A networked workstation
flat files stored on the local file system. A networked workstation
may first attempt to resolve system information from local files,
and then consult an NIS database for user information or a DNS server
for hostname information.</para>
<para>The NSS application programming interface allows Winbind
to present itself as a source of system information when
resolving UNIX usernames and groups. Winbind uses this interface,
resolving UNIX usernames and groups. Winbind uses this interface
and information obtained from a Windows NT server using MSRPC
calls to provide a new source of account enumeration. Using standard
UNIX library calls, one can enumerate the users and groups on
UNIX library calls, you can enumerate the users and groups on
a UNIX machine running Winbind and see all users and groups in
a NT domain plus any trusted domain as though they were local
an NT domain plus any trusted domain as though they were local
users and groups.</para>
<para>The primary control file for NSS is
<filename>/etc/nsswitch.conf</filename>.
When a UNIX application makes a request to do a lookup,
the C library looks in <filename>/etc/nsswitch.conf</filename>
for a line that matches the service type being requested, for
example the <quote>passwd</quote> service type is used when user or group names
for a line that matches the service type being requested; for
example, the <quote>passwd</quote> service type is used when user or group names
are looked up. This config line specifies which implementations
of that service should be tried and in what order. If the passwd
config line is:</para>
@ -347,22 +347,22 @@
<sect2>
<title>Pluggable Authentication Modules</title>
<para>Pluggable Authentication Modules, also known as PAM,
is a system for abstracting authentication and authorization
technologies. With a PAM module it is possible to specify different
<para>PAMs provide
a system for abstracting authentication and authorization
technologies. With a PAM module, it is possible to specify different
authentication methods for different system applications without
having to recompile these applications. PAM is also useful
for implementing a particular policy for authorization. For example,
a system administrator may only allow console logins from users
stored in the local password file but only allow users resolved from
a NIS database to log in over the network.</para>
an NIS database to log in over the network.</para>
<para>Winbind uses the authentication management and password
management PAM interface to integrate Windows NT users into a
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
this change take effect directly on the Primary Domain Controller.
machine and be authenticated against a suitable PDC.
These users can also change their passwords and have
this change take effect directly on the PDC.
</para>
<para>PAM is configured by providing control files in the directory
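Review bot: "PAMs provide a system for abstracting authentication and authorization technologies" treats PAM as a plural, but the sentences that follow ("With a PAM module", "PAM is also useful") treat it as a single framework; suggest "PAM provides a system ..." here, and "Pluggable Authentication Modules (PAM)" rather than "(PAMs)" in the introduction earlier in this file.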
@ -371,22 +371,22 @@
by an application, the PAM code in the C library looks up this
control file to determine what modules to load to do the
authentication check and in what order. This interface makes adding
a new authentication service for Winbind very easy. All that needs
to be done is that the <filename>pam_winbind.so</filename> module
is copied to <filename>/lib/security/</filename> and the PAM
a new authentication service for Winbind very easy: simply copy
the <filename>pam_winbind.so</filename> module
to <filename>/lib/security/</filename>, and the PAM
control files for relevant services are updated to allow
authentication via Winbind. See the PAM documentation
in <link linkend="pam">PAM-Based Distributed Authentication</link> for more information.</para>
in <link linkend="pam">PAM-Based Distributed Authentication</link>, for more information.</para>
</sect2>
<sect2>
<title>User and Group ID Allocation</title>
<para>When a user or group is created under Windows NT/200x
<para>When a user or group is created under Windows NT/200x,
it is allocated a numerical relative identifier (RID). This is
slightly different from UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
slightly different from UNIX, which has a range of numbers that are
used to identify users and the same range used to identify
groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
vice versa. When Winbind is configured, it is given part of the UNIX
user ID space and a part of the UNIX group ID space in which to
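Review bot: the rewritten sentence mixes an imperative with a passive: "simply copy the pam_winbind.so module to /lib/security/, and the PAM control files for relevant services are updated to allow authentication via Winbind"; suggest "... and update the PAM control files for the relevant services to allow authentication via Winbind." The comma added in "PAM-Based Distributed Authentication</link>, for more information" is spurious.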
@ -397,7 +397,7 @@
to UNIX user IDs and group IDs.</para>
<para>The results of this mapping are stored persistently in
an ID mapping database held in a tdb database). This ensures that
an ID mapping database held in a tdb database. This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</para>
</sect2>
@ -410,7 +410,7 @@
An active system can generate a lot of user and group
name lookups. To reduce the network cost of these lookups, Winbind
uses a caching scheme based on the SAM sequence number supplied
by NT Domain Controllers. User or group information returned
by NT domain controllers. User or group information returned
by a PDC is cached by Winbind along with a sequence number also
returned by the PDC. This sequence number is incremented by
Windows NT whenever any user or group information is modified. If
@ -445,7 +445,7 @@ well for Samba services.
<para>This allows the Samba administrator to rely on the
authentication mechanisms on the Windows NT/200x PDC for the authentication
of Domain Members. Windows NT/200x users no longer need to have separate
of domain members. Windows NT/200x users no longer need to have separate
accounts on the Samba server.
</para>
</listitem>
@ -477,14 +477,14 @@ contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE
<para>
Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
why you want to be able to boot back into your machine in single user mode and restore your
<filename>/etc/pam.d</filename> back to the original state they were in if you get frustrated with the
why you want to be able to boot back into your machine in single-user mode and restore your
<filename>/etc/pam.d</filename> to the original state it was in if you get frustrated with the
way things are going.
</para>
<para>
The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <ulink
url="http://samba.org/">main Samba Web page</ulink> or, better yet, your closest Samba mirror site for
url="http://samba.org/">main Samba Web page</ulink>, or better yet, your closest Samba mirror site for
instructions on downloading the source code.
</para>
@ -492,7 +492,7 @@ instructions on downloading the source code.
To allow domain users the ability to access Samba shares and files, as well as potentially other services
provided by your Samba machine, PAM must be set up properly on your
machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
on your system. Please refer the PAM Web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
</para>
</sect2>
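Review bot: "Please refer the PAM Web site" is missing "to" in both the old and the new line; should be "Please refer to the PAM Web site".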
@ -503,8 +503,8 @@ on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/
Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
Kill off all &smbd;, &nmbd;, and &winbindd; processes that may be running. To use PAM,
make sure that you have the standard PAM package that supplies the <filename>/etc/pam.d</filename>
directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries,
and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built
directory structure, including the PAM modules that are used by PAM-aware services, several PAM libraries,
and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for PAM. Winbind is built
better in Samba if the pam-devel package is also installed. This package includes the header files
needed to compile PAM-aware applications.
</para>
@ -516,7 +516,7 @@ needed to compile PAM-aware applications.
PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
the <filename>pam-devel</filename> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
may auto-install the Winbind files into their correct locations on your system, so before you get too far down
the track be sure to check if the following configuration is really
the track, be sure to check if the following configuration is really
necessary. You may only need to configure
<filename>/etc/nsswitch.conf</filename>.
</para>
@ -533,7 +533,7 @@ The libraries needed to run the &winbindd; daemon through nsswitch need to be co
<para>
I also found it necessary to make the following symbolic link:
ZZ</para>
</para>
<para>
&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
@ -547,9 +547,9 @@ ZZ</para>
</screen>
<para>
Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
Now, as root, you need to edit <filename>/etc/nsswitch.conf</filename> to
allow user and group entries to be visible from the &winbindd;
daemon. My <filename>/etc/nsswitch.conf</filename> file look like
daemon. My <filename>/etc/nsswitch.conf</filename> file looked like
this after editing:
</para>
@ -585,27 +585,20 @@ and echos back a check to you.
The Winbind AIX identification module gets built as <filename>libnss_winbind.so</filename> in the
nsswitch directory of the Samba source. This file can be copied to <filename>/usr/lib/security</filename>,
and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
</para>
<para><programlisting>
<programlisting>
WINBIND:
program = /usr/lib/security/WINBIND
options = authonly
</programlisting></para>
<para>
</programlisting>
can then be added to <filename>/usr/lib/security/methods.cfg</filename>. This module only supports
identification, but there have been success reports using the standard Winbind PAM module for
authentication. Use caution configuring loadable authentication
modules since you can make
it impossible to logon to the system. More information about the AIX authentication module API can
be found at <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote><ulink
url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming
Interface</ulink> and more information on administering the modules
can be found at <ulink
url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm"> <quote>System
Management Guide: Operating System and Devices.</quote></ulink>
identification, but there have been reports of success using the standard Winbind PAM module for
authentication. Use caution configuring loadable authentication modules, since misconfiguration can make
it impossible to log on to the system. Information regarding the AIX authentication module API can
be found in the <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote> document that
describes the <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
Loadable Authentication Module Programming Interface</ulink> for AIX. Further information on administering the modules
can be found in the <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm">System
Management Guide: Operating System and Devices.</ulink>
</para>
</sect3>
@ -616,12 +609,12 @@ Management Guide: Operating System and Devices.</quote></ulink>
Several parameters are needed in the &smb.conf; file to control the behavior of &winbindd;. These
are described in more detail in the <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> man page. My &smb.conf; file, as shown in <link
linkend="winbindcfg">the next example</link>, was modified to include the necessary entries in the [global] section.
linkend="winbindcfg">Example 23.5.1</link>, was modified to include the necessary entries in the [global] section.
</para>
<example id="winbindcfg" fragment="1">
<title>smb.conf for Winbind set-up</title>
<smbconfblock>
<example id="winbindcfg">
<title>smb.conf for Winbind Setup</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfcomment> separate domain and username with '\', like DOMAIN\username</smbconfcomment>
<smbconfoption name="winbind separator">\</smbconfoption>
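Review bot: the fragment="1" attribute was dropped from <example id="winbindcfg">; if the stylesheet uses it to mark a partial smb.conf listing (this block shows only [global] entries), removing it changes the rendering, so confirm that is intended. "Example 23.5.1" in the link text hard-codes a generated number; let <link linkend="winbindcfg"> (or an xref) render the number so it survives renumbering, the same point as the "Example 29.5.1" reference earlier in this change.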
@ -653,7 +646,7 @@ the domain. This applies also to the PDC and all BDCs.
The process of joining a domain requires the use of the <command>net rpc join</command>
command. This process communicates with the domain controller it will register with
(usually the PDC) via MS DCE RPC. This means, of course, that the <command>smbd</command>
process must be running on the target DC. This means that it is necessary to temporarily
process must be running on the target domain controller. It is therefore necessary to temporarily
start Samba on a PDC so that it can join its own domain.
</para>
@ -665,9 +658,9 @@ a domain user who has administrative privileges in the domain.
</para>
<note><para>
Before attempting to join a machine to the domain verify that Samba is running
on the target DC (usually PDC) and that it is capable of being reached via ports
137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx.
Before attempting to join a machine to the domain, verify that Samba is running
on the target domain controller (usually PDC) and that it is capable of being reached via ports
137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx).
</para></note>
<para>
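Review bot: the parenthetical is now closed but still does not say which port it qualifies. A reader cannot tell whether "(if Samba or Windows Server 2Kx)" applies only to 445/tcp or to the whole list; move the qualifier next to the port it describes, e.g. "139/tcp, and 445/tcp (the last only for Samba and Windows 2000 or later)". It would also help to say how to verify reachability, since a firewall between the member and the domain controller is a common reason for a failed `net rpc join`.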
@ -675,9 +668,9 @@ on the target DC (usually PDC) and that it is capable of being reached via ports
</para>
<para>
The proper response to the command should be: <quote>Joined the domain
The proper response to the command should be <quote>Joined the domain
<replaceable>DOMAIN</replaceable></quote> where <replaceable>DOMAIN</replaceable>
is your DOMAIN name.
is your domain name.
</para>
</sect3>
@ -698,7 +691,7 @@ command as root:
</para>
<note><para>
The above assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
The command to start up Winbind services assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
directory tree. You may need to search for the location of Samba files if this is not the
location of <command>winbindd</command> on your system.
</para></note>
@ -707,9 +700,9 @@ location of <command>winbindd</command> on your system.
Winbindd can now also run in <quote>dual daemon mode</quote>. This will make it
run as two processes. The first will answer all requests from the cache,
thus making responses to clients faster. The other will
update the cache for the query that the first has just responded.
update the cache for the query to which the first has just responded.
The advantage of this is that responses stay accurate and are faster.
You can enable dual daemon mode by adding <option>-B</option> to the command-line:
You can enable dual daemon mode by adding <option>-B</option> to the command line:
</para>
<para>
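Review bot: "responses stay accurate" overstates what the two-process mode guarantees. The first process answers from the cache, so a client can receive a stale answer (for example, membership of a group the user was just removed from) until the second process has refreshed that entry. Suggest "responses are fast and the cache is kept current" plus a sentence about the window of staleness, which matters wherever group membership is used for access control.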
@ -724,8 +717,8 @@ I'm always paranoid and like to make sure the daemon is really running.
&rootprompt;<userinput>ps -ae | grep winbindd</userinput>
</para>
<para>
This command should produce output like this, if the daemon is running you would expect
to see a report something like this:
This command should produce output like the following if the daemon is running.
</para>
<screen>
3025 ? 00:00:00 winbindd
@ -786,7 +779,7 @@ lists of both local and PDC users and groups. Try the following command:
<para>
You should get a list that looks like your <filename>/etc/passwd</filename>
list followed by the domain users with their new UIDs, GIDs, home
directories and default shells.
directories, and default shells.
</para>
<para>
@ -809,7 +802,7 @@ The same thing can be done for groups with the command:
<para>
The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running.
To accomplish this task, you need to modify the startup scripts of your system.
They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and they are located in
They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and in
<filename>/etc/init.d/samba</filename> in Debian Linux. Edit your
script to add commands to invoke this daemon in the proper sequence. My
startup script starts up &smbd;, &nmbd;, and &winbindd; from the
@ -841,7 +834,7 @@ start() {
</programlisting></para>
<para>If you would like to run winbindd in dual daemon mode, replace
the line :
the line:
<programlisting>
daemon /usr/local/samba/sbin/winbindd
</programlisting>
@ -886,7 +879,8 @@ stop() {
<title>Solaris</title>
<para>
Winbind does not work on Solaris 9, see <link linkend="winbind-solaris9">Winbind on Solaris 9</link> section for details.
Winbind does not work on Solaris 9; see <link linkend="winbind-solaris9">Winbind on Solaris 9 section</link>
for details.
</para>
<para>
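Review bot: "see Winbind on Solaris 9 section" is missing its article and puts the word "section" inside the link text; prefer "see the <link linkend="winbind-solaris9">Winbind on Solaris 9</link> section".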
@ -962,7 +956,7 @@ in the script above with:
<title>Restarting</title>
<para>
If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
should be able to connect to the Samba server as a Domain Member just as
should be able to connect to the Samba server as a domain member just as
if you were a local user.
</para>
</sect4>
@ -1002,7 +996,7 @@ modules reside in <filename>/usr/lib/security</filename>.
</para>
<sect4>
<title>Linux/FreeBSD-specific PAM configuration</title>
<title>Linux/FreeBSD-Specific PAM Configuration</title>
<para>
The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
@ -1029,7 +1023,7 @@ and <filename>/etc/xinetd.d/wu-ftp</filename> from
<para><programlisting>
enable = no
</programlisting>
to:
to
<programlisting>
enable = yes
</programlisting></para>
@ -1037,7 +1031,7 @@ to:
<para>
For ftp services to work properly, you will also need to either
have individual directories for the domain users already present on
the server, or change the home directory template to a general
the server or change the home directory template to a general
directory for all domain users. These can be easily set using
the &smb.conf; global entry
<smbconfoption name="template homedir"/>.
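Review bot: the suggestion to point `template homedir` at one general directory for all domain users needs a caution. Every domain user then shares a single home directory, so its permissions decide whether users can read or overwrite each other's files. Either recommend a per-user template such as `/home/%D/%U` together with something that creates the directory at first login, or state plainly that the shared directory must be set up with that exposure in mind.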
@ -1055,9 +1049,7 @@ The <filename>/etc/pam.d/ftp</filename> file can be changed
to allow Winbind ftp access in a manner similar to the
samba file. My <filename>/etc/pam.d/ftp</filename> file was
changed to look like this:
</para>
<para><programlisting>
<programlisting>
auth required /lib/security/pam_listfile.so item=user sense=deny \
file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
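Review bot: the `pam_listfile` line copied here uses `onerr=succeed`, so if `/etc/ftpusers` is missing or unreadable the deny list is silently skipped and every account, including the ones it was meant to block, gets past that step. That deserves a sentence in the text, since readers copy these fragments verbatim; `onerr=fail` makes the check fail closed, at the cost of breaking ftp logins when the file is absent.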
@ -1069,11 +1061,9 @@ session required /lib/security/pam_stack.so service=system-auth
</programlisting></para>
<para>
The <filename>/etc/pam.d/login</filename> file can be changed nearly the
The <filename>/etc/pam.d/login</filename> file can be changed in nearly the
same way. It now looks like this:
</para>
<para><programlisting>
<programlisting>
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
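Review bot: the excerpt shows `pam_securetty` as the only `required` auth module, followed by two `sufficient` ones. If the listing in the document does not end with a `required` entry (a `pam_deny.so` line or the distribution's `pam_stack.so service=system-auth` line), a reader who copies it gets a stack in which both `sufficient` modules can fail and the stack still succeeds, because a failed `sufficient` module is ignored and `pam_securetty` has already returned success for any non-root user. Please confirm the full listing keeps its closing `required` line and say in the prose why it must stay.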
@ -1089,7 +1079,7 @@ session optional /lib/security/pam_console.so
<para>
In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
above it, to disallow root logins over the network. I also added a
above it to disallow root logins over the network. I also added a
<programlisting>sufficient /lib/security/pam_unix.so use_first_pass</programlisting>
line after the <command>winbind.so</command> line to get rid of annoying
double prompts for passwords.
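Review bot: `<programlisting>` is used here for fragments quoted inline in the middle of sentences ("I added the ... lines as before"). It is a block element and splits each sentence across a display block in the rendered output; `<literal>` or `<computeroutput>` is the right markup for an inline configuration fragment. The fragments are also incomplete ("required pam_securetty.so" lacks the `auth` column), so they cannot be copied as shown.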
@ -1098,11 +1088,11 @@ double prompts for passwords.
</sect4>
<sect4>
<title>Solaris-specific configuration</title>
<title>Solaris-Specific Configuration</title>
<para>
The <filename>/etc/pam.conf</filename> needs to be changed. I changed this file so my Domain
users can logon both locally as well as telnet. The following are the changes
users can log on both locally as well as with telnet. The following are the changes
that I made. You can customize the <filename>pam.conf</filename> file as per your requirements, but
be sure of those changes because in the worst case it will leave your system
nearly impossible to boot.
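Review bot: the warning that a bad `pam.conf` can leave the system "nearly impossible to boot" should be paired with the standard precaution: keep a root session open on the console while editing, and test a fresh login in a second session before logging the first one out, so a mistake can still be reverted. A one-line note to that effect belongs next to the warning.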
@ -1191,9 +1181,9 @@ configured in the pam.conf.
<sect1>
<title>Conclusion</title>
<para>The Winbind system, through the use of the Name Service
Switch, Pluggable Authentication Modules, and appropriate
Microsoft RPC calls have allowed us to provide seamless
<para>The Winbind system, through the use of the NSS,
PAMs, and appropriate
Microsoft RPC calls, have allowed us to provide seamless
integration of Microsoft Windows NT domain users on a
UNIX system. The result is a great reduction in the administrative
cost of running a mixed UNIX and NT network.</para>
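Review bot: subject and verb disagree: "The Winbind system ... have allowed us" should be "has allowed us". The abbreviation "the NSS, PAMs" also reads oddly; "NSS, PAM" (PAM already names the whole framework) or the spelled-out forms the chapter used before are clearer.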
@ -1212,20 +1202,20 @@ cost of running a mixed UNIX and NT network.</para>
the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating
systems are certainly possible. For such ports to be feasible,
we require the C library of the target operating system to
support the Name Service Switch and Pluggable Authentication
Modules systems. This is becoming more common as NSS and
support the NSS and PAM
systems. This is becoming more common as NSS and
PAM gain support among UNIX vendors.</para></listitem>
<listitem><para>The mappings of Windows NT RIDs to UNIX IDs
is not made algorithmically and depends on the order in which
unmapped users or groups are seen by Winbind. It may be difficult
to recover the mappings of RID to UNIX ID mapping if the file
to recover the mappings of RID to UNIX ID if the file
containing this information is corrupted or destroyed.</para>
</listitem>
<listitem><para>Currently the Winbind PAM module does not take
into account possible workstation and logon time restrictions
that may be set for Windows NT users, this is
that may be set for Windows NT users; this is
instead up to the PDC to enforce.</para></listitem>
</itemizedlist>
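Review bot: "The mappings of Windows NT RIDs to UNIX IDs is not made algorithmically" has a number disagreement ("mappings ... are"). More importantly the item warns that the mapping cannot be recovered if "the file containing this information" is lost but never names the file; name it (for Samba 3 the idmap store is winbindd_idmap.tdb in the lock directory) and recommend including it in backups, because after a rebuild the IDs can be handed out in a different order and files then belong to the wrong domain users.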
@ -1241,7 +1231,7 @@ cost of running a mixed UNIX and NT network.</para>
<para>
If <command>nscd</command> is running on the UNIX/Linux system, then
even though NSSWITCH is correctly configured it will not be possible to resolve
even though NSSWITCH is correctly configured, it will not be possible to resolve
domain users and groups for file and directory controls.
</para>
@ -1254,7 +1244,7 @@ cost of running a mixed UNIX and NT network.</para>
My &smb.conf; file is correctly configured. I have specified
<smbconfoption name="idmap uid">12000</smbconfoption>,
and <smbconfoption name="idmap gid">3000-3500</smbconfoption>
and <command>winbind</command> is running. When I do the following it all works fine.
and <command>winbind</command> is running. When I do the following, it all works fine.
</quote></para>
<para><screen>

View File

@ -11,9 +11,9 @@
<title>Features and Benefits</title>
<para>
Occasionally network administrators will report difficulty getting Microsoft Windows clients to interoperate
correctly with Samba servers. It would appear that some folks just can not accept the fact that the right way
to configure MS Windows network client is precisely as one would do when using Microsoft Windows NT4 or 200x
Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate
correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way
to configure MS Windows network client is precisely as one would do when using MS Windows NT4 or 200x
servers. Yet there is repetitious need to provide detailed Windows client configuration instructions.
</para>
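Review bot: "the right way to configure MS Windows network client" is missing its article ("an MS Windows network client"), and "there is repetitious need" reads awkwardly; "there is a recurring need" is plainer.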
@ -35,13 +35,13 @@ that are in common use today. These are:
<itemizedlist>
<listitem><para>
Microsoft Windows XP Professional.
Microsoft Windows XP Professional
</para></listitem>
<listitem><para>
Windows 2000 Professional.
Windows 2000 Professional
</para></listitem>
<listitem><para>
Windows Millennium edition (Me).
Windows Millennium edition (Me)
</para></listitem>
</itemizedlist>
@ -50,12 +50,12 @@ that are in common use today. These are:
<para>
The builder of a house must ensure that all construction takes place on a firm foundation.
The same is true of TCP/IP-based networking. Fundamental network configuration problems
The same is true for the builder of a TCP/IP-based networking system. Fundamental network configuration problems
will plague all network users until they are resolved.
</para>
<para>
Microsoft Windows workstations and servers can be configured either with fixed
MS Windows workstations and servers can be configured either with fixed
IP addresses or via DHCP. The examples that follow demonstrate the use of DHCP
and make only passing reference to those situations where fixed IP configuration
settings can be effected.
@ -75,12 +75,12 @@ that are in common use today. These are:
</para>
<para>
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>.
</para>
<para>
<emphasis>Alternately,</emphasis> click <guimenu>Start -></guimenu>, and right click <guimenu>My Network Places</guimenu>
then select <guimenuitem>Properties</guimenuitem>
<emphasis>Alternately,</emphasis> click <guimenu>Start -></guimenu>, and right-click <guimenu>My Network Places</guimenu>
then select <guimenuitem>Properties</guimenuitem>.
</para>
<para>
@ -91,7 +91,7 @@ that are in common use today. These are:
<step><para>
On some installations the interface will be called <guimenu>Local Area Connection</guimenu> and
on others it will be called <guimenu>Network Bridge</guimenu>. On our system it is called <guimenu>Network Bridge</guimenu>.
Right click on <guimenu>Network Bridge -> Properties</guimenu>. See <link linkend="WXPP002"/>.
Right-click on <guimenu>Network Bridge -> Properties</guimenu>. See <link linkend="WXPP002"/>.
<figure id="WXPP002"><title>Network Bridge Configuration.</title><imagefile>WXPP002</imagefile></figure>
</para>
</step>
@ -99,11 +99,11 @@ that are in common use today. These are:
<step><para>
The Network Bridge Configuration, or Local Area Connection, panel is used to set TCP/IP protocol settings.
In <guimenuitem>This connection uses the following items:</guimenuitem> box,
click on <guimenu>Internet Protocol (TCP/IP)</guimenu>, then click the on <guibutton>Properties</guibutton>.
click on <guimenu>Internet Protocol (TCP/IP)</guimenu>, then click on <guibutton>Properties</guibutton>.
</para>
<para>
The default setting is DHCP enabled operation.
The default setting is DHCP-enabled operation
(i.e., <quote>Obtain an IP address automatically</quote>). See <link linkend="WXPP003"/>.
<figure id="WXPP003">
<title>Internet Protocol (TCP/IP) Properties.</title>
@ -114,18 +114,19 @@ that are in common use today. These are:
<para>
Many network administrators will want to use DHCP to configure all client TCP/IP
protocol stack settings. (For information on how to configure the ISC DHCP server
for Microsoft Windows client support see, <link linkend="DHCP"></link>.
for Windows client support see <link linkend="DHCP">the DNS and DHCP Configuration Guide</link>,
<link linkend="DHCP">DHCP Server</link>.
</para>
<para>
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and proceed to enter the
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and enter the
IP Address, the subnet mask, and the default gateway address in the boxes provided.
</para></step>
<step><para>
Click the <guibutton>Advanced</guibutton> button to proceed with TCP/IP configuration.
This opens a panel in which it is possible to create additional IP Addresses for this interface.
The technical name for the additional addresses is <emphasis>IP Aliases</emphasis>, and additionally this
This opens a panel in which it is possible to create additional IP addresses for this interface.
The technical name for the additional addresses is <emphasis>IP aliases</emphasis>, and additionally this
panel permits the setting of more default gateways (routers). In most cases where DHCP is used, it will not be
necessary to create additional settings. See <link linkend="WXPP005"></link> to see the appearance of this panel.
<figure id="WXPP005"><title>Advanced Network Settings</title><imagefile>WXPP005</imagefile></figure>
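Review bot: the parenthesis opened at "(For information on how to configure the ISC DHCP server" is never closed, and the sentence now carries two `<link>` elements with the same `linkend="DHCP"` but different text ("the DNS and DHCP Configuration Guide" and "DHCP Server"), which renders as two links to the same place. One link, with the parenthesis closed after it, is enough.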
@ -145,7 +146,7 @@ that are in common use today. These are:
<step><para>
Click the <guibutton>WINS</guibutton> tab to add manual WINS server entries.
This step demonstrates an example system that uses manually configured WINS settings.
When finished making, changes click the <guibutton>OK</guibutton> to commit
When finished making changes, click <guibutton>OK</guibutton> to commit
the settings. See <link linkend="WXPP009"></link>.
<figure id="WXPP009"><title>WINS Configuration</title><imagefile>WXPP009</imagefile></figure>
</para></step>
@ -161,11 +162,11 @@ that are in common use today. These are:
</para>
<para>
Click <guimenu>Start -> Control Panel -> Network and Dial-up Connections</guimenu>
Click <guimenu>Start -> Control Panel -> Network and Dial-up Connections</guimenu>.
</para>
<para>
<emphasis>Alternately,</emphasis> click on <guimenu>Start</guimenu>, then right click <guimenu>My Network Places</guimenu> and
<emphasis>Alternatively,</emphasis> click <guimenu>Start</guimenu>, then right-click <guimenu>My Network Places</guimenu>, and
select <guimenuitem>Properties</guimenuitem>.
</para>
@ -175,7 +176,7 @@ that are in common use today. These are:
<procedure>
<step><para>
Right click on <guimenu>Local Area Connection</guimenu>, now click the
Right-click on <guimenu>Local Area Connection</guimenu>, then click
<guimenuitem>Properties</guimenuitem>. See <link linkend="w2kp001"></link>.
<figure id="w2kp001"><title>Local Area Connection Properties.</title><imagefile>w2kp001</imagefile></figure>
</para></step>
@ -186,7 +187,7 @@ that are in common use today. These are:
</para></step>
<step><para>
The default setting is DHCP enabled operation.
The default setting is DHCP-enabled operation
(i.e., <quote>Obtain an IP address automatically</quote>). See <link linkend="w2kp002"/>.
<figure id="w2kp002"><title>Internet Protocol (TCP/IP) Properties.</title><imagefile>w2kp002</imagefile></figure>
</para>
@ -194,11 +195,11 @@ that are in common use today. These are:
<para>
Many network administrators will want to use DHCP to configure all client TCP/IP
protocol stack settings. (For information on how to configure the ISC DHCP server
for Microsoft Windows client support, see <link linkend="DHCP"></link>.
for Windows client support, see, <link linkend="DHCP"></link>.
</para>
<para>
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and proceed to enter the
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and enter the
IP Address, the subnet mask, and the default gateway address in the boxes provided.
For this example we are assuming that all network clients will be configured using DHCP.
</para></step>
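Review bot: the edit introduces a stray comma ("see, <link ...>") and leaves the parenthesis opened at "(For information" unclosed; the same sentence in the Windows XP section above has the same problem, so fix both the same way.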
@ -216,16 +217,18 @@ that are in common use today. These are:
<step><para>
Click the <guimenu>DNS</guimenu> tab to add DNS server settings.
The example system uses manually configured DNS settings. When finished making changes,
click on <guibutton>OK</guibutton> to commit the settings. See <link linkend="w2kp004"></link>.
click <guibutton>OK</guibutton> to commit the settings. See <link linkend="w2kp004"></link>.
<figure id="w2kp004"><title>DNS Configuration.</title><imagefile>w2kp004</imagefile></figure>
</para></step>
<step><para>
Click the <guibutton>WINS</guibutton> tab to add manual WINS server entries.
This step demonstrates an example system that uses manually configured WINS settings.
When finished making changes, click on <guibutton>OK</guibutton> to commit the settings.
See <link linkend="w2kp005"/>.
<figure id="w2kp005"><title>WINS Configuration.</title><imagefile>w2kp005</imagefile></figure>
When finished making changes, click <guibutton>OK</guibutton> to commit the settings.
See <link linkend="w2kp005"></link>.
<figure id="w2kp005">
<title>WINS Configuration.</title><imagefile>w2kp005</imagefile>
</figure>
</para></step>
</procedure>
@ -240,11 +243,11 @@ that are in common use today. These are:
</para>
<para>
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>.
</para>
<para>
<emphasis>Alternately,</emphasis> click on <guimenu>Start -></guimenu>, and right click on <guimenu>My Network Places</guimenu>
<emphasis>Alternatively,</emphasis> click on <guimenu>Start -></guimenu>, and right click on <guimenu>My Network Places</guimenu>
then select <guimenuitem>Properties</guimenuitem>.
</para>
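Review bot: "right click on" is left unhyphenated here while every other occurrence touched by this change becomes "Right-click"; keep the hyphenated form for consistency.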
@ -255,21 +258,25 @@ that are in common use today. These are:
<procedure>
<step><para>
In the box labeled <guimenuitem>The following network components are installed:</guimenuitem>,
click on <guimenu>Internet Protocol TCP/IP</guimenu>, now click on the <guibutton>Properties</guibutton> button. See <link linkend="WME001"/>.
<figure id="WME001"><title>The Windows Me Network Configuration Panel.</title><imagefile>WME001</imagefile></figure>
click on <guimenu>Internet Protocol TCP/IP</guimenu>, then click on the <guibutton>Properties</guibutton> button.
See <link linkend="WME001"></link>.
<figure id="WME001">
<title>The Windows Me Network Configuration Panel.</title>
<imagefile>WME001</imagefile>
</figure>
</para></step>
<step><para>
Many network administrators will want to use DHCP to configure all client TCP/IP
protocol stack settings. (For information on how to configure the ISC DHCP server
for Microsoft Windows client support see, <link linkend="DHCP"/>.
The default setting on Microsoft Windows Me workstations is for DHCP enabled operation,
i.e., <guimenu>Obtain IP address automatically</guimenu> is enabled. See <link linkend="WME002"/>.
for Windows client support see <link linkend="DHCP">the DNS and DHCP Configuration Guide</link>,
<link linkend="DHCP">DHCP Server</link>. The default setting on Windows Me workstations is for DHCP-enabled operation
(i.e., <guimenu>Obtain IP address automatically</guimenu> is enabled). See <link linkend="WME002"></link>.
<figure id="WME002"><title>IP Address.</title><imagefile>WME002</imagefile></figure>
</para>
<para>
If it is necessary to provide a fixed IP address, click on <guimenuitem>Specify an IP address</guimenuitem> and proceed to enter the
If it is necessary to provide a fixed IP address, click on <guimenuitem>Specify an IP address</guimenuitem> and enter the
IP Address and the subnet mask in the boxes provided. For this example we are assuming that all network clients will be configured using DHCP.
</para></step>
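Review bot: same problem as the two earlier DHCP cross-references: the parenthesis opened at "(For information" is never closed and `linkend="DHCP"` is linked twice with different text; use one link and close the parenthesis after it.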
@ -286,8 +293,8 @@ that are in common use today. These are:
</para></step>
<step><para>
The following example uses manually configured WINS settings. See <link linkend="WME005"/>.
When finished making changes, click on <guibutton>OK</guibutton> to commit the settings.
The following example uses manually configured WINS settings. See <link linkend="WME005"></link>.
When finished making changes, click <guibutton>OK</guibutton> to commit the settings.
<figure id="WME005"><title>DNS Configuration.</title><imagefile>WME005</imagefile></figure>
</para>
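Review bot: the step describes manually configured WINS settings, but the figure it points to (WME005) is titled "DNS Configuration."; either the figure title or the step text is wrong, so check both against the screenshot before this goes out.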
@ -308,9 +315,9 @@ that are in common use today. These are:
<title>Joining a Domain: Windows 2000/XP Professional</title>
<para>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
Microsoft Windows NT/200x/XP Professional platforms can participate in domain security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
member of a domain security environment. It should be noted that this process is identical
when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
</para>
@ -320,7 +327,7 @@ that are in common use today. These are:
</para></step>
<step><para>
Right click <guimenu>My Computer</guimenu>, then select <guimenuitem>Properties</guimenuitem>.
Right-click <guimenu>My Computer</guimenu>, then select <guimenuitem>Properties</guimenuitem>.
</para></step>
<step><para>
@ -337,7 +344,7 @@ that are in common use today. These are:
<para>
Clicking the <guimenu>Network ID</guimenu> button will launch the configuration wizard. Do not use this with
Samba-3. If you wish to change the computer name, join or leave the domain, click the <guimenu>Change</guimenu> button.
Samba-3. If you wish to change the computer name or join or leave the domain, click the <guimenu>Change</guimenu> button.
See <link linkend="wxpp004"></link>.
<figure id="wxpp004"><title>The Computer Name Panel.</title><imagefile>wxpp004</imagefile></figure>
</para></step>
@ -349,7 +356,7 @@ that are in common use today. These are:
</para></step>
<step><para>
Enter the name <guimenu>MIDEARTH</guimenu> in the field below the Domain radio button.
Enter the name <guimenu>MIDEARTH</guimenu> in the field below the domain radio button.
</para>
<para>
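Review bot: "Domain" here is the label of a radio button in the dialog, not a common noun, so lowercasing it to "domain radio button" makes the reference harder to match against the screen; keep the label's capitalization, and marking it up as `<guimenu>Domain</guimenu>` would be consistent with how the other labels are handled.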
@ -359,12 +366,12 @@ that are in common use today. These are:
<step><para>
Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
of a Domain administrative account that has the rights to add machines to the Domain.
of a domain administrative account that has the rights to add machines to the domain.
</para>
<para>
Enter the name <quote>root</quote> and the root password from your Samba-3 server. See <link linkend="wxpp008"></link>.
<figure id="wxpp008"><title>Computer Name Changes &smbmdash; User name and Password Panel.</title><imagefile>wxpp008</imagefile></figure>
<figure id="wxpp008"><title>Computer Name Changes &smbmdash; Username and Password Panel.</title><imagefile>wxpp008</imagefile></figure>
</para></step>
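Review bot: the previous step says any "domain administrative account that has the rights to add machines to the domain" will do, but this step then tells the reader to type "root" and the Samba server's root password into a Windows dialog. That should be presented as one option rather than the instruction: a Samba-3 domain can grant a non-root account the right to join machines, and handing root's password to a client workstation is worth avoiding. Suggest "Enter the credentials of a domain account that is permitted to add machine accounts; on a Samba-3 server this is root by default" with a pointer to where the alternatives are documented.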
<step><para>
@ -384,17 +391,17 @@ that are in common use today. These are:
<title>Domain Logon Configuration: Windows 9x/Me</title>
<para>
We follow the convention used by most in saying that Windows 9x/Me machines can participate in Domain logons. The truth is
We follow the convention used by most in saying that Windows 9x/Me machines can participate in domain logons. The truth is
that these platforms can use only the LanManager network logon protocols.
</para>
<note><para>
Windows XP Home edition cannot participate in Domain or LanManager network logons.
Windows XP Home edition cannot participate in domain or LanManager network logons.
</para></note>
<procedure>
<step><para>
Right click on the <guimenu>Network Neighborhood</guimenu> icon.
Right-click on the <guimenu>Network Neighborhood</guimenu> icon.
</para></step>
<step><para>
@ -417,7 +424,7 @@ that are in common use today. These are:
<para>
Enter the Windows NT domain name, check the <guimenu>Log on to Windows NT domain</guimenu> box,
click <guimenu>OK</guimenu>.
and click <guimenu>OK</guimenu>.
</para></step>
<step><para>
@ -430,7 +437,7 @@ that are in common use today. These are:
Now click the <guimenu>Access Control</guimenu> button. If you want to be able to assign share access
permissions using domain user and group accounts, it is necessary to enable
<guimenu>User-level access control</guimenu> as shown in this panel. See <link linkend="WME014"></link>.
<figure id="WME014"><title>Identification Panel.</title><imagefile>WME014</imagefile></figure>
<figure id="WME014"><title>Access Control Panel.</title><imagefile>WME014</imagefile></figure>
</para></step>
</procedure>
@ -464,7 +471,7 @@ The most common reasons for which a Windows NT/200x/XP Professional client canno
<listitem><para><quote>root</quote> account is not in password backend database.</para></listitem>
<listitem><para>Attempt to use a user account instead of the <quote>root</quote> account to join a machine to the domain.</para></listitem>
<listitem><para>Open connections from the workstation to the server.</para></listitem>
<listitem><para>Firewall or filter configurations in place on either the client or on the Samba server.</para></listitem>
<listitem><para>Firewall or filter configurations in place on either the client or the Samba server.</para></listitem>
</itemizedlist>
</sect1>
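Review bot: "Open connections from the workstation to the server" lists a cause without saying what to do about it; a troubleshooting list should state the remedy, e.g. disconnect existing sessions (`net use * /delete` on the client) before retrying the join. The same goes for the firewall item: name the ports the join needs, which the Winbind chapter already lists.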

View File

@ -233,4 +233,7 @@
The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol.
</para></glossdef>
</glossentry>
</glossary>

View File

@ -30,7 +30,7 @@ a range of functions that are all categorized under this one term.
<para>
Opportunistic locking is a desirable feature when it can enhance the
perceived performance of applications on a networked client. However, the
opportunistic locking protocol is not robust and, therefore, can
opportunistic locking protocol is not robust and therefore can
encounter problems when invoked beyond a simplistic configuration or
on extended slow or faulty networks. In these cases, operating
system management of opportunistic locking and/or recovering from
@ -46,7 +46,7 @@ settings on the MS Windows client.
<note>
<para>
Sometimes it is necessary to disable locking control settings on both the Samba
Sometimes it is necessary to disable locking control settings on the Samba
server as well as on each MS Windows client!
</para>
</note>
@ -67,7 +67,7 @@ that are specified when a file is open.
Record locking semantics under UNIX are very different from record locking under
Windows. Versions of Samba before 2.2 have tried to use the native fcntl() UNIX
system call to implement proper record locking between different Samba clients.
This cannot be fully correct for several reasons. The simplest is the fact
This cannot be fully correct for several reasons. The simplest is
that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
depending on the client OS. The UNIX locking only supports byte ranges up to 2^31.
So it is not possible to correctly satisfy a lock request above 2^31. There are
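Review bot: "The UNIX locking only supports byte ranges up to 2^31" states a 32-bit `off_t` limitation as if it were universal; on platforms with large-file support the fcntl lock range is 64-bit. Qualify the sentence (e.g. "on systems without 64-bit file offsets") so the reasoning that follows about 0 to 2^31 is not read as a hard limit everywhere. The chapter also writes exponents as `^` in running text; `<superscript>` renders more clearly.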
@ -75,16 +75,16 @@ many more differences, too many to be listed here.
</para>
<para>
Samba 2.2 and above implements record locking completely independent of the
underlying UNIX system. If a byte range lock that the client requests happens
to fall into the range of 0-2^31, Samba hands this request down to the UNIX system.
All other locks cannot be seen by UNIX, anyway.
Samba 2.2 and above implement record locking completely independent of the
underlying UNIX system. If a byte-range lock that the client requests happens
to fall into the range of 0 to 2^31, Samba hands this request down to the UNIX system.
No other locks can be seen by UNIX, anyway.
</para>
<para>
Strictly speaking, an SMB server should check for locks before every read and write call on
a file. Unfortunately with the way fcntl() works, this can be slow and may overstress
the <command>rpc.lockd</command>. This is almost always unnecessary as clients are supposed to
a file. Unfortunately, with the way fcntl() works, this can be slow and may overstress
the <command>rpc.lockd</command>. This is almost always unnecessary because clients are supposed to
independently make locking calls before reads and writes if locking is
important to them. By default, Samba only makes locking calls when explicitly asked
to by a client, but if you set <smbconfoption name="strict locking">yes</smbconfoption>, it
@ -92,10 +92,10 @@ will make lock checking calls on <emphasis>every</emphasis> read and write call.
</para>
<para>
You can also disable byte range locking completely by using
You can also disable byte-range locking completely by using
<smbconfoption name="locking">no</smbconfoption>.
This is useful for those shares that do not support locking or do not need it
(such as CDROMs). In this case, Samba fakes the return codes of locking calls to
(such as CD-ROMs). In this case, Samba fakes the return codes of locking calls to
tell clients that everything is okay.
</para>
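Review bot: "Samba fakes the return codes of locking calls to tell clients that everything is okay" deserves a stronger caveat than "useful for those shares that do not support locking or do not need it". On a writable share two clients will each believe they hold an exclusive lock, so `locking = no` should be recommended only for read-only data such as the CD-ROM example, and the text should say so.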
@ -112,11 +112,11 @@ modes called <constant>DENY_FCB</constant> and <constant>DENY_DOS</constant>.
<title>Opportunistic Locking Overview</title>
<para>
Opportunistic locking (Oplocks) is invoked by the Windows file system
Opportunistic locking (oplocks) is invoked by the Windows file system
(as opposed to an API) via registry entries (on the server and the client)
for the purpose of enhancing network performance when accessing a file
residing on a server. Performance is enhanced by caching the file
locally on the client that allows:
locally on the client that allows the following:
</para>
<variablelist>
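Review bot: the relative clause in "caching the file locally on the client that allows the following" attaches to "client", but it is the caching that allows the listed behaviours; suggest "caching the file locally on the client, which allows the following:". This sentence also introduces the abbreviation that the rest of the patch then treats as a singular noun; if "oplocks" is to be the working term, define it here as "opportunistic locks (oplocks)" so the plural is explicit.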
@ -147,7 +147,7 @@ other processes.
</para>
<variablelist>
<title>Windows defines 4 kinds of Oplocks:</title>
<title>Windows Defines Four Kinds of Oplocks:</title>
<varlistentry><term>Level1 Oplock</term>
<listitem><para>
@ -161,10 +161,10 @@ other processes.
<para>
If a second process attempts to open the file, the open
is deferred while the redirector <quote>breaks</quote> the original
is deferred while the redirector "breaks" the original
oplock. The oplock break signals the caching client to
write the local file back to the server, flush the
local locks and discard read-ahead data. The break is
local locks, and discard read-ahead data. The break is
then complete, the deferred open is granted, and the
multiple processes can enjoy concurrent file access as
dictated by mandatory or byte-range locking options.
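Review bot: replacing <quote>breaks</quote> with literal double quotes ("breaks") is inconsistent with the rest of this file, which uses the DocBook quote element (<quote>on</quote>, <quote>off</quote>, <quote>Access Denied</quote>); literal quotes bypass the stylesheet's quotation rendering. Keep <quote>breaks</quote>.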
@ -209,7 +209,7 @@ preparation for the subsequent open by the second process.
<emphasis>Opportunistic locking</emphasis> is actually an improper name for this feature.
The true benefit of this feature is client-side data caching, and
oplocks is merely a notification mechanism for writing data back to the
networked storage disk. The limitation of opportunistic locking is the
networked storage disk. The limitation of oplocks is the
reliability of the mechanism to process an oplock break (notification)
between the server and the caching client. If this exchange is faulty
(usually due to timing out for any number of reasons), then the
@ -221,29 +221,29 @@ The actual decision that a user or administrator should consider is
whether it is sensible to share among multiple users data that will
be cached locally on a client. In many cases the answer is no.
Deciding when to cache or not cache data is the real question, and thus
<quote>opportunistic locking</quote> should be treated as a toggle for client-side
oplocks should be treated as a toggle for client-side
caching. Turn it <quote>on</quote> when client-side caching is desirable and
reliable. Turn it <quote>off</quote> when client-side caching is redundant,
unreliable or counter-productive.
unreliable, or counterproductive.
</para>
<para>
Opportunistic locking is by default set to <quote>on</quote> by Samba on all
Oplocks is by default set to <quote>on</quote> by Samba on all
configured shares, so careful attention should be given to each case to
determine if the potential benefit is worth the potential for delays.
The following recommendations will help to characterize the environment
where opportunistic locking may be effectively configured.
where oplocks may be effectively configured.
</para>
<para>
Windows opportunistic locking is a lightweight performance-enhancing
Windows oplocks is a lightweight performance-enhancing
feature. It is not a robust and reliable protocol. Every
implementation of opportunistic locking should be evaluated as a
tradeoff between perceived performance and reliability. Reliability
implementation of oplocks should be evaluated as a
trade-off between perceived performance and reliability. Reliability
decreases as each successive rule above is not enforced. Consider a
share with oplocks enabled, over a wide area network, to a client on a
share with oplocks enabled, over a wide-area network, to a client on a
South Pacific atoll, on a high-availability server, serving a
mission-critical multi-user corporate database during a tropical
mission-critical multiuser corporate database during a tropical
storm. This configuration will likely encounter problems with oplocks.
</para>
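Review bot: the blanket substitution of "oplocks" for "opportunistic locking" leaves plural nouns with singular verbs: "Oplocks is by default set to on by Samba", "Windows oplocks is a lightweight performance-enhancing feature", and further down "If oplocks is enabled", "Oplocks is most effective", "Oplocks is a unique Windows file locking feature". Either keep "Opportunistic locking is" where the concept is the subject or make the verb agree ("Oplocks are enabled by default on all configured shares"). Also, "Reliability decreases as each successive rule above is not enforced" points upward, but the preceding paragraph says "The following recommendations will help", so the rules come after this sentence, not before it.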
@ -251,43 +251,43 @@ storm. This configuration will likely encounter problems with oplocks.
Oplocks can be beneficial to perceived client performance when treated
as a configuration toggle for client-side data caching. If the data
caching is likely to be interrupted, then oplock usage should be
reviewed. Samba enables opportunistic locking by default on all
reviewed. Samba enables oplocks by default on all
shares. Careful attention should be given to the client usage of
shared data on the server, the server network reliability and the
opportunistic locking configuration of each share.
In mission critical high availability environments, data integrity is
shared data on the server, the server network reliability, and the
oplocks configuration of each share.
In mission-critical, high-availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
fail-over replacement will be available immediately to provide
failover replacement will be available immediately to provide
continuous data availability.
</para>
<para>
Windows client fail-over behavior is more at risk of application
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependent upon an
established TCP transport connection. If the connection is interrupted
&smbmdash; as in a file server fail-over &smbmdash; a new session must be established.
&smbmdash; as in a file server failover &smbmdash; a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore, most applications
correctly from a transport connection loss; therefore, most applications
will experience some sort of interruption &smbmdash; at worst, abort and
require restarting.
</para>
<para>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
oplocks, it is likely that the data will be lost when the
application restarts or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client. In this case, the
work from the prior session is lost. Observing this scenario with
oplocks disabled and with the client writing data to the file server
real-time, the fail-over will provide the data on disk as it
real-time, the failover will provide the data on disk as it
existed at the time of the disconnect.
</para>
<para>
In mission-critical high-availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
In mission-critical, high-availability environments, careful attention
should be given to oplocks. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</para>
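Review bot: "the oplocks configuration of each share" should be "the oplock configuration of each share"; the attributive noun is singular, as in "oplock break" in the same paragraph. Separately, the three paragraphs from "Windows client failover behavior" through "enabled and disabled" are repeated in the "Mission-Critical, High-Availability" sect3 later in this file, and this patch polishes both copies instead of removing one; consider keeping only the sect3 version.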
@ -296,16 +296,16 @@ enabled and disabled.
<title>Exclusively Accessed Shares</title>
<para>
Opportunistic locking is most effective when it is confined to shares
Oplocks is most effective when it is confined to shares
that are exclusively accessed by a single user, or by only one user at
a time. Because the true value of opportunistic locking is the local
a time. Because the true value of oplocks is the local
client caching of data, any operation that interrupts the caching
mechanism will cause a delay.
</para>
<para>
Home directories are the most obvious examples of where the performance
benefit of opportunistic locking can be safely realized.
benefit of oplocks can be safely realized.
</para>
</sect3>
@ -314,8 +314,8 @@ benefit of opportunistic locking can be safely realized.
<title>Multiple-Accessed Shares or Files</title>
<para>
As each additional user accesses a file in a share with opportunistic
locking enabled, the potential for delays and resulting perceived poor
As each additional user accesses a file in a share with oplocks
enabled, the potential for delays and resulting perceived poor
performance increases. When multiple users are accessing a file on a
share that has oplocks enabled, the management impact of sending and
receiving oplock breaks and the resulting latency while other clients
@ -344,8 +344,8 @@ exposes the file to likely data corruption.
</para>
<para>
If files are shared between Windows clients, and either local UNIX
or NFS users, turn opportunistic locking off.
If files are shared between Windows clients and either local UNIX
or NFS users, turn oplocks off.
</para>
</sect3>
@ -354,7 +354,7 @@ or NFS users, turn opportunistic locking off.
<title>Slow and/or Unreliable Networks</title>
<para>
The biggest potential performance improvement for opportunistic locking
The biggest potential performance improvement for oplocks
occurs when the client-side caching of reads and writes delivers the
most differential over sending those reads and writes over the wire.
This is most likely to occur when the network is extremely slow,
@ -363,28 +363,28 @@ has a high impact on the reliability of the oplock break
mechanism, and thus increases the likelihood of encountering oplock
problems that more than offset the potential perceived performance
gain. Of course, if an oplock break never has to be sent, then this is
the most advantageous scenario to utilize opportunistic locking.
the most advantageous scenario in which to utilize oplocks.
</para>
<para>
If the network is slow, unreliable, or a WAN, then do not configure
opportunistic locking if there is any chance of multiple users
oplocks if there is any chance of multiple users
regularly opening the same file.
</para>
</sect3>
<sect3>
<title>Multi-User Databases</title>
<title>Multiuser Databases</title>
<para>
Multi-user databases clearly pose a risk due to their very nature &smbmdash;
Multiuser databases clearly pose a risk due to their very nature &smbmdash;
they are typically heavily accessed by numerous users at random
intervals. Placing a multi-user database on a share with opportunistic
locking enabled will likely result in a locking management bottleneck
intervals. Placing a multi-user database on a share with oplocks
enabled will likely result in a locking management bottleneck
on the Samba server. Whether the database application is developed
in-house or a commercially available product, ensure that the share
has opportunistic locking disabled.
has oplocks disabled.
</para>
</sect3>
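Review bot: the title and first sentence change "Multi-user" to "Multiuser", but "Placing a multi-user database on a share with oplocks" two lines later keeps the hyphen; make the spelling consistent within the section.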
@ -393,17 +393,17 @@ has opportunistic locking disabled.
<title>PDM Data Shares</title>
<para>
Process Data Management (PDM) applications such as IMAN, Enovia and
Clearcase are increasing in usage with Windows client platforms, and
therefore SMB data-stores. PDM applications manage multi-user
Process data management (PDM) applications such as IMAN, Enovia, and
Clearcase are increasing in usage with Windows client platforms and
therefore with SMB datastores. PDM applications manage multiuser
environments for critical data security and access. The typical PDM
environment is usually associated with sophisticated client design
applications that will load data locally as demanded. In addition, the
PDM application will usually monitor the data-state of each client.
PDM application will usually monitor the data state of each client.
In this case, client-side data caching is best left to the local
application and PDM server to negotiate and maintain. It is
appropriate to eliminate the client OS from any caching tasks, and the
server from any oplock management, by disabling opportunistic locking on
server from any oplocks management, by disabling oplocks on
the share.
</para>
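Review bot: "the server from any oplocks management" replaces the idiomatic attributive "oplock management" with a plural; revert to "the server from any oplock management, by disabling oplocks on the share".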
@ -416,7 +416,7 @@ the share.
Samba includes an &smb.conf; parameter called
<smbconfoption name="force user"/> that changes
the user accessing a share from the incoming user to whatever user is
defined by the smb.conf variable. If opportunistic locking is enabled
defined by the smb.conf variable. If oplocks is enabled
on a share, the change in user access causes an oplock break to be sent
to the client, even if the user has not explicitly loaded a file. In
cases where the network is slow or unreliable, an oplock break can
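Review bot: "defined by the smb.conf variable" is the only place this file calls a setting a "variable" and writes the filename without the entity used on the line above; suggest "defined by that &smb.conf; parameter".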
@ -435,31 +435,31 @@ Avoid the combination of the following:
</para></listitem>
<listitem><para>
Slow or unreliable networks
Slow or unreliable networks.
</para></listitem>
<listitem><para>
Opportunistic locking enabled
Oplocks enabled.
</para></listitem>
</itemizedlist>
</sect3>
<sect3>
<title>Advanced Samba Opportunistic Locking Parameters</title>
<title>Advanced Samba Oplocks Parameters</title>
<para>
Samba provides opportunistic locking parameters that allow the
Samba provides oplocks parameters that allow the
administrator to adjust various properties of the oplock mechanism to
account for timing and usage levels. These parameters provide good
versatility for implementing oplocks in environments where they would
likely cause problems. The parameters are:
<smbconfoption name="oplock break wait time"/>,
likely cause problems. The parameters are
<smbconfoption name="oplock break wait time"/>, and
<smbconfoption name="oplock contention limit"/>.
</para>
<para>
For most users, administrators and environments, if these parameters
For most users, administrators, and environments, if these parameters
are required, then the better option is to simply turn oplocks off.
The Samba SWAT help text for both parameters reads: <quote>Do not change
this parameter unless you have read and understood the Samba oplock code.</quote>
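Review bot: "The parameters are <smbconfoption name="oplock break wait time"/>, and <smbconfoption name="oplock contention limit"/>." puts a serial comma between only two items; drop it. "Samba provides oplocks parameters" should read "oplock parameters". Note that this hunk gives the second parameter its correct name, oplock contention limit, which the later "Oplock break contention limit" paragraph and its example do not match.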
@ -469,43 +469,43 @@ This is good advice.
</sect3>
<sect3>
<title>Mission-Critical High-Availability</title>
<title>Mission-Critical, High-Availability</title>
<para>
In mission-critical high-availability environments, data integrity is
In mission-critical, high-availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
fail-over replacement will be available immediately to provide
failover replacement will be available immediately to provide
continuous data availability.
</para>
<para>
Windows client fail-over behavior is more at risk of application
interruption than other platforms because it is dependant upon an
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependent upon an
established TCP transport connection. If the connection is interrupted
&smbmdash; as in a file server fail-over &smbmdash; a new session must be established.
&smbmdash; as in a file server failover &smbmdash; a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore, most applications
correctly from a transport connection loss; therefore, most applications
will experience some sort of interruption &smbmdash; at worst, abort and
require restarting.
</para>
<para>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
application restarts, or recovers from the TCP interrupt. When the TCP
oplocks, it is likely that the data will be lost when the
application restarts or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client. In this case, the
work from the prior session is lost. Observing this scenario with
oplocks disabled, and the client was writing data to the file server
real-time, then the fail-over will provide the data on disk as it
oplocks disabled, if the client was writing data to the file server
real-time, then the failover will provide the data on disk as it
existed at the time of the disconnect.
</para>
<para>
In mission-critical high-availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
testing should be done with all effected applications with oplocks
In mission-critical, high-availability environments, careful attention
should be given to oplocks. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</para>
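Review bot: this sect3 duplicates three paragraphs that appear earlier in the chapter, and the two copies are now edited to different wording: the earlier copy reads "with oplocks disabled and with the client writing data to the file server real-time, the failover will provide", this one "with oplocks disabled, if the client was writing data to the file server real-time, then the failover will provide". If both copies stay, give them identical text; better, keep one. The title "Mission-Critical, High-Availability" is two adjectives with no noun, unlike the neighbouring titles ("Multiuser Databases", "PDM Data Shares"); "Mission-Critical, High-Availability Environments" would match the first sentence.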
@ -514,30 +514,30 @@ enabled and disabled.
</sect1>
<sect1>
<title>Samba Opportunistic Locking Control</title>
<title>Samba Oplocks Control</title>
<para>
Opportunistic locking is a unique Windows file locking feature. It is
Oplocks is a unique Windows file locking feature. It is
not really file locking, but is included in most discussions of Windows
file locking, so is considered a de facto locking feature.
Opportunistic locking is actually part of the Windows client file
Oplocks is actually part of the Windows client file
caching mechanism. It is not a particularly robust or reliable feature
when implemented on the variety of customized networks that exist in
enterprise computing.
</para>
<para>
Like Windows, Samba implements opportunistic locking as a server-side
Like Windows, Samba implements oplocks as a server-side
component of the client caching mechanism. Because of the lightweight
nature of the Windows feature design, effective configuration of
opportunistic locking requires a good understanding of its limitations,
oplocks requires a good understanding of its limitations,
and then applying that understanding when configuring data access for
each particular customized network and client usage state.
</para>
<para>
Opportunistic locking essentially means that the client is allowed to download and cache
a file on their hard drive while making changes; if a second client wants to access the
Oplocks essentially means that the client is allowed to download and cache
a file on its hard drive while making changes; if a second client wants to access the
file, the first client receives a break and must synchronize the file back to the server.
This can give significant performance gains in some cases; some programs insist on
synchronizing the contents of the entire file back to the server for a single change.
@ -556,7 +556,7 @@ on files that the client has no initial intention to write to at time of opening
<para>
Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with
Samba's oplocked files, although this has provided better integration of MS Windows network
file locking with the underlying OS, SGI IRIX and Linux are the only two OSs that are
file locking with the underlying OS. SGI IRIX and Linux are the only two OSs that are
oplock-aware at this time.
</para>
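Review bot: splitting the sentence leaves "although" with nothing to contrast: "Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with Samba's oplocked files, although this has provided better integration of MS Windows network file locking with the underlying OS." Suggest "Kernel oplocks are a method that allows the Linux kernel to coexist with Samba's oplocked files. This has provided better integration of MS Windows network file locking with the underlying OS, but SGI IRIX and Linux are the only two OSs that are oplock-aware at this time." "Kernel Oplocks" should also be lowercase, as elsewhere in the file.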
@ -564,7 +564,7 @@ oplock-aware at this time.
Unless your system supports kernel oplocks, you should disable oplocks if you are
accessing the same files from both UNIX/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronization of
multiple clients, because any break the first client receives will affect synchronization of
the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react quite badly to oplocks. If in doubt,
@ -622,7 +622,7 @@ Alternately, you could disable oplocks on a per-file basis within the share:
</para>
<para>
If you are experiencing problems with oplocks as apparent from Samba's log entries,
If you are experiencing problems with oplocks, as apparent from Samba's log entries,
you may want to play it safe and disable oplocks and Level2 oplocks.
</para>
@ -653,21 +653,22 @@ The default is no.
</para>
<para>
Veto opLocks is an &smb.conf; parameter that identifies specific files for
<emphasis>Veto oplocks</emphasis> is an &smb.conf; parameter that identifies specific files for
which oplocks are disabled. When a Windows client opens a file that
has been configured for veto oplocks, the client will not be granted
the oplock, and all operations will be executed on the original file on
disk instead of a client-cached file copy. By explicitly identifying
files that are shared with UNIX processes and disabling oplocks for
those files, the server-wide Oplock configuration can be enabled to
those files, the server-wide oplock configuration can be enabled to
allow Windows clients to utilize the performance benefit of file
caching without the risk of data corruption. Veto Oplocks can be
caching without the risk of data corruption. Veto oplocks can be
enabled on a per-share basis, or globally for the entire server, in the
&smb.conf; file as shown in <link linkend="far1"/>.
</para>
<para>
<example id="far1">
<title>Share with some files oplocked</title>
<title>Share with Some Files Oplocked</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="veto oplock files">/filename.htm/*.txt/</smbconfoption>
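Review bot: "<emphasis>Veto oplocks</emphasis> is an &smb.conf; parameter" names a parameter that does not exist under that name; the parameter the example actually sets is veto oplock files, and the next two paragraphs mark their parameters up with <smbconfoption name="..."/>. Use "<smbconfoption name="veto oplock files"/> is an &smb.conf; parameter" here for the correct name and consistent markup.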
@ -676,12 +677,13 @@ enabled on a per-share basis, or globally for the entire server, in the
<smbconfoption name="veto oplock files">/*.exe/filename.ext/</smbconfoption>
</smbconfblock>
</example>
</para>
<para>
<smbconfoption name="oplock break wait time"/> is an &smb.conf; parameter
that adjusts the time interval for Samba to reply to an oplock break request. Samba recommends:
<quote>Do not change this parameter unless you have read and understood the Samba oplock code.</quote>
Oplock break Wait Time can only be configured globally in the &smb.conf; file as shown below.
Oplock break wait time can only be configured globally in the &smb.conf; file as shown:
</para>
<para>
@ -695,13 +697,14 @@ Oplock break Wait Time can only be configured globally in the &smb.conf; file as
response of the Samba server to grant an oplock if the configured
number of contending clients reaches the limit specified by the parameter. Samba recommends
<quote>Do not change this parameter unless you have read and understood the Samba oplock code.</quote>
Oplock break Contention Limit can be enable on a per-share basis, or globally for
Oplock break contention limit can be enabled on a per-share basis, or globally for
the entire server, in the &smb.conf; file as shown in <link linkend="far3"/>.
</para>
<para>
<example id="far3">
<title>Configuration with oplock break contention limit</title>
<smbconfblock>
<title>Configuration with Oplock Break Contention Limit</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="oplock break contention limit"> 2 (default)</smbconfoption>
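Review bot: "Oplock break contention limit can be enabled on a per-share basis" and the example's <smbconfoption name="oplock break contention limit"> 2 (default)</smbconfoption> use a parameter name that does not match the one this same file lists in the advanced parameters section, <smbconfoption name="oplock contention limit"/>; the lowercase edit preserves the mismatch. Rename both the prose and the example entries to oplock contention limit, and consider whether "2 (default)" belongs in a configuration example at all, since it is not a value Samba will parse.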
@ -709,6 +712,7 @@ the entire server, in the &smb.conf; file as shown in <link linkend="far3"/>.
<smbconfoption name="oplock break contention limit"> 2 (default)</smbconfoption>
</smbconfblock>
</example>
</para>
</sect3>
</sect2>
@ -716,13 +720,13 @@ the entire server, in the &smb.conf; file as shown in <link linkend="far3"/>.
</sect1>
<sect1>
<title>MS Windows Opportunistic Locking and Caching Controls</title>
<title>MS Windows Oplocks and Caching Controls</title>
<para>
There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
There is a known issue when running applications (like Norton Antivirus) on a Windows 2000/ XP
workstation computer that can affect any application attempting to access shared database files
across a network. This is a result of a default setting configured in the Windows 2000/XP
operating system known as <emphasis>opportunistic locking</emphasis>. When a workstation
operating system. When a workstation
attempts to access shared data files located on another Windows 2000/XP computer,
the Windows 2000/XP operating system will attempt to increase performance by locking the
files and caching information locally. When this occurs, the application is unable to
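Review bot: dropping "known as <emphasis>opportunistic locking</emphasis>" leaves "This is a result of a default setting configured in the Windows 2000/XP operating system." without ever naming the setting this section is about; keep the name, e.g. "operating system known as <emphasis>oplocks</emphasis>". Also, "Windows 2000/ XP" on the first line carries a stray space, while the rest of the paragraph writes "Windows 2000/XP".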
@ -733,14 +737,14 @@ properly function, which results in an <quote>Access Denied</quote>
<para>
All Windows operating systems in the NT family that act as database servers for data files
(meaning that data files are stored there and accessed by other Windows PCs) may need to
have opportunistic locking disabled in order to minimize the risk of data file corruption.
have oplocks disabled in order to minimize the risk of data file corruption.
This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP.
<footnote><para>Microsoft has documented this in Knowledge Base article 300216.</para></footnote>
</para>
<para>
If you are using a Windows NT family workstation in place of a server, you must also
disable opportunistic locking (oplocks) on that workstation. For example, if you use a
disable oplocks on that workstation. For example, if you use a
PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
have data files located on it that are accessed from other Windows PCs, you may need to
disable oplocks on that system.
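Review bot: "All Windows operating systems in the NT family ... This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP." contradicts itself, since Windows 9x/Me are not NT-family systems; either drop "in the NT family" from the first sentence or drop "Windows 9x/Me" from the list. The hunk leaves these context lines untouched while editing the sentence between them.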
@ -759,7 +763,7 @@ to ensure that the new setting goes into effect.
</para>
<para>
The location of the client registry entry for opportunistic locking has changed in
The location of the client registry entry for oplocks has changed in
Windows 2000 from the earlier location in Microsoft Windows NT.
</para>
@ -769,7 +773,7 @@ in earlier versions of Windows.
</para></note>
<para>
You can also deny the granting of opportunistic locks by changing the following registry entries:
You can also deny the granting of oplocks by changing the following registry entries:
</para>
<para>
@ -784,7 +788,7 @@ You can also deny the granting of opportunistic locks by changing the following
<note><para>
The OplocksDisabled registry value configures Windows clients to either request or not
request opportunistic locks on a remote file. To disable oplocks, the value of
request oplocks on a remote file. To disable oplocks, the value of
OplocksDisabled must be set to 1.
</para></note>
@ -803,7 +807,7 @@ request opportunistic locks on a remote file. To disable oplocks, the value of
<note><para>
The EnableOplocks value configures Windows-based servers (including Workstations sharing
files) to allow or deny opportunistic locks on local files.
files) to allow or deny oplocks on local files.
</para></note>
<para>
@ -811,7 +815,7 @@ To force closure of open oplocks on close or program exit, EnableOpLockForceClos
</para>
<para>
An illustration of how Level2 oplocks work:
An illustration of how Level2 oplocks work follows:
</para>
<itemizedlist>
@ -832,7 +836,7 @@ An illustration of how Level2 oplocks work:
Station 1 complies by flushing locally buffered lock information to the server.
</para></listitem>
<listitem><para>
Station 1 informs the server that it has Broken to Level2 Oplock (alternately,
Station 1 informs the server that it has broken to level2 Oplock (alternately,
station 1 could have closed the file).
</para></listitem>
<listitem><para>
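Review bot: "has broken to level2 Oplock" lowercases "Level2" and capitalizes "Oplock", the reverse of how the list's lead-in writes them ("how Level2 oplocks work"); use "has broken to Level2 oplock".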
@ -863,7 +867,7 @@ An illustration of how Level2 oplocks work:
</programlisting></para>
<para>
This indicates whether the redirector should use opportunistic-locking (oplock) performance
This indicates whether the redirector should use oplocks performance
enhancement. This parameter should be disabled only to isolate problems.
</para>
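Review bot: "should use oplocks performance enhancement" drops the article and uses the plural attributively; "should use the oplock performance enhancement" keeps the sense of the original "opportunistic-locking (oplock) performance enhancement".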
@ -882,7 +886,7 @@ enhancement. This parameter should be disabled only to isolate problems.
<para>
This specifies whether the server allows clients to use oplocks on files. Oplocks are a
significant performance enhancement, but have the potential to cause lost cached
data on some networks, particularly wide area networks.
data on some networks, particularly WANs.
</para>
<para><programlisting>
@ -892,7 +896,7 @@ data on some networks, particularly wide area networks.
<para>
This specifies the minimum link throughput allowed by the server before it disables
raw and opportunistic locks for this connection.
raw I/O and oplocks for this connection.
</para>
<para><programlisting>
@ -902,7 +906,7 @@ raw and opportunistic locks for this connection.
<para>
This specifies the maximum time allowed for a link delay. If delays exceed this number,
the server disables raw I/O and opportunistic locking for this connection.
the server disables raw I/O and oplocks for this connection.
</para>
<para><programlisting>
@ -934,7 +938,7 @@ If you see persistent data corruption even after repeated re-indexing, you may h
rebuild the data files in question. This involves creating a new data file with the
same definition as the file to be rebuilt and transferring the data from the old file
to the new one. There are several known methods for doing this that can be found in
our Knowledge Base.
our knowledge base.
</para>
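Review bot: "can be found in our knowledge base" has no antecedent for "our" anywhere in this chapter; the only knowledge base cited elsewhere in the file is Microsoft's, and the re-indexing and rebuilding advice reads as text taken from an application vendor's article. Name the source or rephrase to "in the application vendor's knowledge base".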
</sect1>
@ -943,9 +947,9 @@ our Knowledge Base.
<title>Common Errors</title>
<para>
In some sites, locking problems surface as soon as a server is installed; in other sites
In some sites locking problems surface as soon as a server is installed; in other sites
locking problems may not surface for a long time. Almost without exception, when a locking
problem does surface it will cause embarrassment and potential data corruption.
problem does surface, it will cause embarrassment and potential data corruption.
</para>
<para>
@ -956,8 +960,8 @@ so far:
<itemizedlist>
<listitem><para>
Incorrect configuration of opportunistic locking (incompatible with the application
being used. This is a common problem even where MS Windows NT4 or MS Windows
Incorrect configuration of oplocks (incompatible with the application
being used). This is a common problem even where MS Windows NT4 or MS Windows
200x-based servers were in use. It is imperative that the software application vendors'
instructions for configuration of file locking should be followed. If in doubt,
disable oplocks on both the server and the client. Disabling of all forms of file
@ -965,21 +969,21 @@ so far:
</para></listitem>
<listitem><para>
Defective network cards, cables, or HUBs/Switched. This is generally a more
prevalent factor with low cost networking hardware, although occasionally there
Defective network cards, cables, or hubs/switches. This is generally a more
prevalent factor with low-cost networking hardware, although occasionally there
have also been problems with incompatibilities in more up-market hardware.
</para></listitem>
<listitem><para>
There have been some random reports of Samba log files being written over data
files. This has been reported by very few sites (about five in the past three years)
files. This has been reported by very few sites (about five in the past 3 years)
and all attempts to reproduce the problem have failed. The Samba Team has been
unable to catch this happening and thus has not been able to isolate any particular
unable to catch this happening and thus unable to isolate any particular
cause. Considering the millions of systems that use Samba, for the sites that have
been affected by this as well as for the Samba Team this is a frustrating and
a vexing challenge. If you see this type of thing happening, please create a bug
been affected by this as well as for the Samba Team, this is a frustrating and
vexing challenge. If you see this type of thing happening, please create a bug
report on Samba <ulink url="https://bugzilla.samba.org">Bugzilla</ulink> without delay.
Make sure that you give as much information as you possibly can help isolate the
Make sure that you give as much information as you possibly can to help isolate the
cause and to allow replication of the problem (an essential step in problem isolation and correction).
</para></listitem>
</itemizedlist>
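Review bot: "about five in the past 3 years" changes a spelled-out number to a numeral in a sentence that spells out "five"; the rest of the chapter spells out small numbers ("Four Kinds", "two OSs"), so keep "three years".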
@ -1002,7 +1006,7 @@ tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
</para>
<para>
This error indicated a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd.
This error indicates a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd.
</para>
</sect2>
@ -1011,18 +1015,18 @@ tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
<title>Problems Saving Files in MS Office on Windows XP</title>
<para>This is a bug in Windows XP. More information can be
found in <ulink url="http://support.microsoft.com/?id=812937">Microsoft Knowledge Base article 812937.</ulink></para>
found in <ulink url="http://support.microsoft.com/?id=812937">Microsoft Knowledge Base article 812937</ulink></para>.
</sect2>
<sect2>
<title>Long Delays Deleting Files Over Network with XP SP1</title>
<title>Long Delays Deleting Files over Network with XP SP1</title>
<para><quote>It sometimes takes approximately 35 seconds to delete files over the network after XP SP1 has been applied.</quote></para>
<para>This is a bug in Windows XP. More information can be found in <ulink url="http://support.microsoft.com/?id=811492">
Microsoft Knowledge Base article 811492.</ulink></para>
Microsoft Knowledge Base article 811492</ulink></para>.
</sect2>
</sect1>
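Review bot: in both edited paragraphs the period now sits after `</para>` (`...812937</ulink></para>.` and `...811492</ulink></para>.`), which leaves stray character data directly inside `<sect2>` where the DocBook content model does not allow it, so the document will fail validation or the period will be dropped in output. Put the period inside the paragraph instead: `...812937</ulink>.</para>` and `...811492</ulink>.</para>`.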
@ -1043,24 +1047,24 @@ Section of the Microsoft MSDN Library on opportunistic locking:
<para>
Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development &gt;
Windows Base Services &gt; Files and I/O &gt; SDK Documentation &gt; File Storage &gt; File Systems
&gt; About File Systems &gt; Opportunistic Locks, Microsoft Corporation.
<ulink noescape="1" url="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</ulink>
&gt; About File Systems &gt; Opportunistic Locks, Microsoft Corporation
<ulink noescape="1" url="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</ulink>.
</para>
<para>
Microsoft Knowledge Base Article Q224992 <?latex \linebreak ?><quote>Maintaining Transactional Integrity
Microsoft Knowledge Base Article Q224992, <?latex \linebreak ?><quote>Maintaining Transactional Integrity
with OPLOCKS</quote>,
Microsoft Corporation, April 1999, <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</ulink>.
</para>
<para>
Microsoft Knowledge Base Article Q296264 <quote>Configuring Opportunistic Locking in Windows 2000</quote>,
Microsoft Corporation, April 2001, <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</ulink>.
Microsoft Knowledge Base Article Q296264, <quote>Configuring Opportunistic Locking in Windows 2000</quote>,
Microsoft Corporation, April 2001 <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</ulink>.
</para>
<para>
Microsoft Knowledge Base Article Q129202 <quote>PC Ext: Explanation of Opportunistic Locking on Windows NT</quote>,
Microsoft Corporation, April 1995, <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</ulink>.
Microsoft Knowledge Base Article Q129202, <quote>PC Ext: Explanation of Opportunistic Locking on Windows NT</quote>,
Microsoft Corporation, April 1995 <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</ulink>.
</para>
</sect1>
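Review bot: the punctuation before the URL is now inconsistent across the three Knowledge Base references: Q224992 keeps "April 1999, <ulink", while Q296264 and Q129202 lose the comma ("April 2001 <ulink", "April 1995 <ulink"). Use one form for all three; the comma version is the one that still matches the first entry, and all three already end with a period after the link as the MSDN entry now does.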

View File

@ -23,7 +23,7 @@
<title>Features and Benefits</title>
<para>
The Distributed File System (DFS) provides a means of separating the logical
The distributed file system (DFS) provides a means of separating the logical
view of files and directories that users see from the actual physical locations
of these resources on the network. It allows for higher availability, smoother
storage expansion, load balancing, and so on.
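Review bot: "Distributed File System" is the name of the Microsoft feature and is normally capitalized where it introduces the DFS acronym; lowercasing it here while the rest of the chapter speaks of "DFS root" and "DFS-aware clients" reads inconsistently. Suggest keeping `The Distributed File System (DFS) provides a means of separating the logical`.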
@ -40,7 +40,7 @@
A Samba server can be made a DFS server by setting the global
Boolean <smbconfoption name="host msdfs"/>
parameter in the &smb.conf; file. You designate a share as a DFS
root using the Share Level Boolean <smbconfoption name="msdfs root"/> parameter. A DFS root directory on Samba hosts DFS
root using the share-level Boolean <smbconfoption name="msdfs root"/> parameter. A DFS root directory on Samba hosts DFS
links in the form of symbolic links that point to other servers. For example, a symbolic link
<filename>junction-&gt;msdfs:storage1\share1</filename> in the share directory acts
as the DFS junction. When DFS-aware clients attempt to access the junction link,
@ -49,7 +49,7 @@
<para>
DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x.
<link linkend="dfscfg">Following sample configuration</link> shows how to setup a DFS tree on a Samba server.
<link linkend="dfscfg">The following sample configuration</link> shows how to setup a DFS tree on a Samba server.
In the <filename>/export/dfsroot</filename> directory, you set up your DFS links to
other servers on the network.
<screen>
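Review bot: the rewritten sentence still reads "shows how to setup a DFS tree", using the noun "setup" where the verb is needed; since the line is being touched anyway, change it to `shows how to set up a DFS tree on a Samba server`.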
@ -62,7 +62,7 @@
</para>
<example id="dfscfg">
<title>smb.conf with DFS configured</title>
<title>smb.conf with DFS Configured</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
@ -76,14 +76,14 @@
<para>You should set up the permissions and ownership of
the directory acting as the DFS root so that only designated
users can create, delete or modify the msdfs links. Also note
users can create, delete, or modify the msdfs links. Also note
that symlink names should be all lowercase. This limitation exists
to have Samba avoid trying all the case combinations to get at
the link name. Finally, set up the symbolic links to point to the
network shares you want and start Samba.</para>
<para>Users on DFS-aware clients can now browse the DFS tree
on the Samba server at \\samba\dfs. Accessing
on the Samba server at <constant>\\samba\dfs</constant>. Accessing
links linka or linkb (which appear as directories to the client)
takes users directly to the appropriate shares on the network.</para>
</sect1>
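Review bot: only the UNC path received `<constant>` markup; the link names `linka` and `linkb` two lines below are literals of the same kind and should be marked up the same way for consistency, e.g. `links <constant>linka</constant> or <constant>linkb</constant>`.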
@ -93,7 +93,7 @@
<itemizedlist>
<listitem><para>Windows clients need to be rebooted
if a previously mounted non-DFS share is made a DFS
root or vice versa. A better way is to introduce a
root, or vice versa. A better way is to introduce a
new share and make it the DFS root.</para>
</listitem>
@ -113,20 +113,20 @@
<para>
A network administrator sent advice to the Samba mailing list
after a long sessions trying to determine why DFS was not working.
after long sessions trying to determine why DFS was not working.
His advice is worth noting.
</para>
<para><quote>
I spent some time trying to figure out why my particular
dfs root wasn't working. I noted in the documentation that
DFS root wasn't working. I noted in the documentation that
the symlink should be in all lowercase. It should be
amended that the entire path to the symlink should all be
in lowercase as well.
</quote></para>
<para>
For example, I had a share defined as such:
<quote>For example, I had a share defined as such:</quote>
<screen>
[pub]
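Review bot: wrapping each prose fragment of the quoted mailing-list post in its own `<quote>` while the `<screen>` blocks stay outside means the rendered text opens and closes quotation marks around every sentence ("For example, I had a share defined as such:" then a code block, then the next quoted fragment), so the post reads as several unrelated quotations instead of one. Consider a single `<blockquote>` around the whole post, with the `<screen>` and `<programlisting>` blocks inside it, rather than per-sentence `<quote>` elements.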
@ -134,8 +134,8 @@
msdfs root = yes
</screen>
and I could not make my Windows 9x/Me (with the dfs client installed)
follow this symlink:
<quote>and I could not make my Windows 9x/Me (with the dfs client installed)
follow this symlink:</quote>
<screen>
damage1 -> msdfs:damage\test-share
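Review bot: the earlier hunk capitalizes "dfs root" to "DFS root" inside this same quoted post, but this line leaves "dfs client" lowercase; either apply the capitalization consistently throughout the quote or leave the poster's wording verbatim in both places.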
@ -143,15 +143,15 @@
</para>
<para>
Running a debug level of 10 reveals:
<quote>Running a debug level of 10 reveals:</quote>
<programlisting>
[2003/08/20 11:40:33, 5] msdfs/msdfs.c:is_msdfs_link(176)
is_msdfs_link: /export/home/shares/public_share/* does not exist.
</programlisting>
Curious. So I changed the directory name from .../Shares/... to
.../shares/... (along with my service definition) and it worked!
<quote>Curious. So I changed the directory name from <constant>.../Shares/...</constant> to
<constant>.../shares/...</constant> (along with my service definition) and it worked!</quote>
</para>
</sect2>

View File

@ -16,7 +16,7 @@
<?latex \setcounter{page}{5} ?>
<xi:include href="../Samba3-HOWTO-attributions.xml">
<xi:include href="../Samba-HOWTO-Collection-attributions.xml">
<xi:fallback/>
</xi:include>
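Review bot: because this `xi:include` carries `<xi:fallback/>`, a wrong or missing target name will not break the build but will silently drop the attributions page from the output; confirm that `../Samba-HOWTO-Collection-attributions.xml` is actually renamed or added in this same commit before switching the href away from `../Samba3-HOWTO-attributions.xml`.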
@ -152,6 +152,7 @@ The chapters in this part each cover specific Samba features.
<!-- Comment out the following line to include the manpages.
*Please* do not commit with the line below enabled! -->
<!-- <xi:include href="manpages.xml"/> -->
<xi:include href="manpages.xml"/>
<xi:include href="http://www.gnu.org/licenses/gpl.xml"/>
<xi:include href="TOSHARG-glossary.xml"/>
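Review bot: this hunk enables `<xi:include href="manpages.xml"/>` directly beneath the comment that says "*Please* do not commit with the line below enabled!", which contradicts the file's own stated policy; either keep the include commented out (enabling it only in a local working copy) or, if building the manpages into the PHPTR edition is now intended, update the comment to say so. Note also that the commented-out copy on the line above is kept, so the include now appears twice, once commented and once live; drop the stale commented line if the live one stays.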