mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
parent
77aa4181f1
commit
fa96398866
@ -3,7 +3,7 @@
|
||||
<chapter id="AdvancedNetworkManagement">
|
||||
<chapterinfo>
|
||||
&author.jht;
|
||||
<pubdate>April 3 2003</pubdate>
|
||||
<pubdate>June 15 2005</pubdate>
|
||||
</chapterinfo>
|
||||
|
||||
<title>Advanced Network Management</title>
|
||||
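Review bot: Replacing the `<pubdate>April 3 2003</pubdate>` line with `<pubdate>June 15 2005</pubdate>` discards the chapter's original publication date. If the intent is to record a revision rather than a new publication, keep the 2003 date and add the 2005 one in a `<revhistory>` element, which is what DocBook provides for this; otherwise the replacement is fine as is.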
@ -11,17 +11,16 @@
|
||||
<para>
|
||||
This section documents peripheral issues that are of great importance to network
|
||||
administrators who want to improve network resource access control, to automate the user
|
||||
environment and to make their lives a little easier.
|
||||
environment, and to make their lives a little easier.
|
||||
</para>
|
||||
|
||||
<sect1>
|
||||
<title>Features and Benefits</title>
|
||||
|
||||
<para>
|
||||
Often the difference between a working network environment and a well appreciated one can
|
||||
Often the difference between a working network environment and a well-appreciated one can
|
||||
best be measured by the <emphasis>little things</emphasis> that make everything work more
|
||||
harmoniously. A key part of every network environment solution is the
|
||||
ability to remotely
|
||||
harmoniously. A key part of every network environment solution is the ability to remotely
|
||||
manage MS Windows workstations, remotely access the Samba server, provide customized
|
||||
logon scripts, as well as other housekeeping activities that help to sustain more reliable
|
||||
network operations.
|
||||
@ -38,14 +37,14 @@ other chapters, for ease of reference.
|
||||
<title>Remote Server Administration</title>
|
||||
|
||||
|
||||
<para><quote>How do I get `User Manager' and `Server Manager'?</quote></para>
|
||||
<para><quote>How do I get User Manager and Server Manager?</quote></para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>User Manager</primary></indexterm>
|
||||
<indexterm><primary>Server Manager</primary></indexterm>
|
||||
<indexterm><primary>Event Viewer</primary></indexterm>
|
||||
Since I do not need to buy an <application>NT4 Server</application>, how do I get the `User Manager for Domains'
|
||||
and the `Server Manager'?
|
||||
Since I do not need to buy an <application>NT4 server</application>, how do I get the User Manager for Domains
|
||||
and the Server Manager?
|
||||
</para>
|
||||
|
||||
<para>
|
||||
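Review bot: The hunk lowercases "NT4 Server" to "NT4 server" inside `<application>`, but "Windows NT4 Server" is the product name, so the capital S should stay. Dropping the `` `User Manager' `` style quoting is good (it renders badly in the XML output), but consider wrapping "User Manager for Domains" and "Server Manager" in `<application>` as well, since that is the markup already used for the NT4 product on the same line.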
@ -61,13 +60,15 @@ on <application>Windows 9x/Me</application> systems. The tools set includes:
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
Download the archived file at <ulink noescape="1" url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE.</ulink>
|
||||
Download the archived file at the Microsoft <ulink noescape="1"
|
||||
url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">Nexus</ulink> link.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
|
||||
The <application>Windows NT 4.0</application> version of the `User Manager for
|
||||
Domains' and `Server Manager' are available from Microsoft <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
|
||||
The <application>Windows NT 4.0</application> version of the User Manager for
|
||||
Domains and Server Manager are available from Microsoft
|
||||
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
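Review bot: The new link text "the Microsoft Nexus link" hides the FTP address that the old line printed literally via `noescape="1"`; readers of the printed HOWTO no longer see where to download from. Either keep the URL visible in the text or reword to "from Microsoft's Nexus archive at <ulink ...>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>". The phrase "Download the archived file at the ... link" is also awkward; "from" reads better than "at".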
@ -93,14 +94,14 @@ is the best tool in your network environment.
|
||||
</para>
|
||||
|
||||
<para><quote>
|
||||
I have a wonderful Linux/Samba server running as pdc for a network. Now I would like to add remote
|
||||
I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
|
||||
desktop capabilities so users outside could login to the system and get their desktop up from home or
|
||||
another country.
|
||||
</quote></para>
|
||||
|
||||
<para><quote>
|
||||
Is there a way to accomplish this? Do I need a Windows Terminal Server? Do I need to configure it so
|
||||
it is a member of the domain or a BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
|
||||
Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
|
||||
it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
|
||||
even if the computer is in a domain?
|
||||
</quote></para>
|
||||
|
||||
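Review bot: Lowercasing "Windows Terminal Server" to "Windows Terminal server" changes a product name, and this is inside a `<quote>` of a user's question, where edits should be limited to obvious typos. Keep the original capitalization there; the "pdc" to "PDC" and "BDC,PDC" to "BDC or PDC" fixes on the neighbouring lines are fine.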
@ -122,17 +123,17 @@ is the best tool in your network environment.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
I could test drive their (public) Red Hat machine in Italy, over a loaded
|
||||
Internet connection, with enabled thumbnail previews in KDE konqueror
|
||||
I test drove their (public) Red Hat machine in Italy, over a loaded
|
||||
Internet connection, with enabled thumbnail previews in KDE konqueror,
|
||||
which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
|
||||
session I started a rdesktop session on another, a Windows XP machine.
|
||||
To test the performance, I played Pinball. I am proud to announce
|
||||
that my score was 631750 points at first try.
|
||||
that my score was 631,750 points at first try.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
NX performs better on my local LAN than any of the other <quote>pure</quote>
|
||||
connection methods I am using from time to time: TightVNC, rdesktop or
|
||||
connection methods I use from time to time: TightVNC, rdesktop or
|
||||
Remote X. It is even faster than a direct crosslink connection between
|
||||
two nodes.
|
||||
</para>
|
||||
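Review bot: "KDE konqueror" on the rewritten line should be "KDE Konqueror" (product name), and "a rdesktop session" two lines later should be "an rdesktop session", since the name is read as "ar-desktop". The tense change from "I could test drive" to "I test drove" is fine, but it is quoted first-person text, so keep further rewording minimal.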
@ -145,20 +146,20 @@ is the best tool in your network environment.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
I recommend to test drive NX to anybody with a only a passing interest in remote computing
|
||||
<ulink noescape="1" url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
|
||||
I recommend test driving NX to anybody with a only a passing interest in remote computing
|
||||
the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> utility.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Just download the free of charge client software (available for Red Hat,
|
||||
SuSE, Debian and Windows) and be up and running within five minutes (they
|
||||
Just download the free-of-charge client software (available for Red Hat,
|
||||
SuSE, Debian and Windows) and be up and running within 5 minutes (they
|
||||
need to send you your account data, though, because you are assigned
|
||||
a real UNIX account on their testdrive.nomachine.com box.
|
||||
a real UNIX account on their testdrive.nomachine.com box).
|
||||
</para>
|
||||
|
||||
<para>
|
||||
They plan to get to the point were you can have NX application servers
|
||||
running as a cluster of nodes, and users simply start an NX session locally,
|
||||
running as a cluster of nodes, and users simply start an NX session locally
|
||||
and can select applications to run transparently (apps may even run on
|
||||
another NX node, but pretend to be on the same as used for initial login,
|
||||
because it displays in the same window. You also can run it
|
||||
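Review bot: The rewritten recommendation sentence is broken: "I recommend test driving NX to anybody with a only a passing interest in remote computing the NX utility." keeps the doubled article ("a only a") and leaves "the NX utility" dangling after "remote computing". Suggest: "I recommend that anybody with even a passing interest in remote computing test drive the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> utility." Two smaller points in the same hunk: "within five minutes" became "within 5 minutes", which goes against spelling out small numbers, and "Red Hat, SuSE, Debian and Windows" is left without the serial comma that the rest of this commit adds elsewhere. The unchanged context line "They plan to get to the point were you can" also has "were" for "where" and could be fixed while this paragraph is being touched.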
@ -171,7 +172,7 @@ is the best tool in your network environment.
|
||||
technologies are released under the GPL and available as source code
|
||||
to anybody who wants to build on it! These technologies are working,
|
||||
albeit started from the command line only (and very inconvenient to
|
||||
use in order to get a fully running remote X session up and running.)
|
||||
use in order to get a fully running remote X session up and running).
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -198,14 +199,14 @@ is the best tool in your network environment.
|
||||
|
||||
<listitem><para>
|
||||
The NX core technologies are all Open Source and released under the GPL &smbmdash;
|
||||
you can now use a (very inconvenient) command-line at no cost,
|
||||
you can now use a (very inconvenient) command line at no cost,
|
||||
but you can buy a comfortable (proprietary) NX GUI front end for money.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
NoMachine are encouraging and offering help to OSS/Free Software implementations
|
||||
for such a front end too, even if it means competition to them (they have written
|
||||
to this effect even to the LTSP, KDE and GNOME developer mailing lists).
|
||||
NoMachine is encouraging and offering help to OSS/Free Software implementations
|
||||
for such a front-end too, even if it means competition to them (they have written
|
||||
to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
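Review bot: Hyphenation is now inconsistent within the same list: the rewritten second item has "such a front-end" while the unchanged first item keeps "NX GUI front end". As a noun the open form "front end" is the usual choice, so drop the hyphen in the new line. Also, "NoMachine are" was correctly changed to "NoMachine is", but "even if it means competition to them" on the next line still treats the company as plural; make it "competition to it" (or "to the company").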
@ -223,7 +224,7 @@ There are several opportunities for creating a custom network startup configurat
|
||||
<itemizedlist>
|
||||
<listitem><para>No Logon Script.</para></listitem>
|
||||
<listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
|
||||
<listitem><para>Use of a conditional Logon Script that applies per user or per group attributes.</para></listitem>
|
||||
<listitem><para>Use of a conditional Logon Script that applies per-user or per-group attributes.</para></listitem>
|
||||
<listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
|
||||
a custom logon script and then execute it.</para></listitem>
|
||||
<listitem><para>User of a tool such as KixStart.</para></listitem>
|
||||
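Review bot: Hyphenating to "applies per-user or per-group attributes" changes the reading: the original "applies per user or per group attributes" means the script is applied per user or per group, whereas the new wording suggests the script applies attributes. "Use of a conditional logon script that applies per-user or per-group" (or "... that is selected by user or group attributes") keeps the intended sense. The unchanged context line "User of a tool such as KixStart." has two typos worth fixing in the same hunk: "User" should be "Use", and the tool's name is spelled KiXtart.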
@ -321,7 +322,7 @@ This is the <filename>genlogon.pl</filename> file:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Those wishing to use more elaborate or capable logon processing system should check out these sites:
|
||||
Those wishing to use a more elaborate or capable logon processing system should check out these sites:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -341,7 +342,7 @@ Printers may be added automatically during logon script processing through the u
|
||||
&dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
|
||||
</screen>
|
||||
|
||||
See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft knowledgebase article 189105.</ulink>
|
||||
See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft Knowledge Base article 189105</ulink>.
|
||||
</para>
|
||||
</sect2>
|
||||
|
||||
@ -356,7 +357,7 @@ See the documentation in the <ulink url="http://support.microsoft.com/default.as
|
||||
|
||||
<para>
|
||||
The Samba <parameter>preexec script</parameter> parameter can be used to permit only one
|
||||
connection per user. Though this method is not fool-proof, and may have side-effects
|
||||
connection per user. Though this method is not foolproof and may have side effects,
|
||||
the following contributed method may inspire someone to provide a better solution.
|
||||
</para>
|
||||
|
||||
@ -368,18 +369,18 @@ See the documentation in the <ulink url="http://support.microsoft.com/default.as
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>:
|
||||
<programlisting>
|
||||
The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>.
|
||||
<programlisting>
|
||||
[myshare]
|
||||
...
|
||||
preexec script = /sbin/PermitSingleLogon.sh
|
||||
preexec close = Yes
|
||||
...
|
||||
</programlisting>
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<example id="Tpees">
|
||||
<title>Script to Enforce Single Resource Logon</title>
|
||||
<title>Script to Enforce Single Resource Logon</title>
|
||||
<screen>
|
||||
#!/bin/bash
|
||||
|
||||
|
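Review bot: The share example uses `preexec script = /sbin/PermitSingleLogon.sh`, but "preexec script" is not an smb.conf parameter; the share-level parameter that runs a command on connect is `preexec` (with `preexec close` controlling whether a non-zero exit refuses the connection, as the next line already uses). `testparm` reports such a line as an unknown parameter, so readers who copy the block get a share that never runs the script. The same wrong name appears as `<parameter>preexec script</parameter>` in the preceding hunk and should be corrected in both places to `preexec`. Moving the `<programlisting>` inside the `<para>` and changing the colon to a period is fine.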
@ -12,48 +12,48 @@
|
||||
|
||||
<para>
|
||||
Before you continue reading this section, please make sure that you are comfortable
|
||||
with configuring a Samba Domain Controller as described in <link linkend="samba-pdc">Domain Control</link>.
|
||||
with configuring a Samba domain controller as described in <link linkend="samba-pdc">Domain Control</link>.
|
||||
</para>
|
||||
|
||||
<sect1>
|
||||
<title>Features and Benefits</title>
|
||||
|
||||
<para>
|
||||
This is one of the most difficult chapters to summarize. It does not matter what we say here
|
||||
This is one of the most difficult chapters to summarize. It does not matter what we say here,
|
||||
for someone will still draw conclusions and/or approach the Samba Team with expectations
|
||||
that are either not yet capable of being delivered, or that can be achieved far more
|
||||
that are either not yet capable of being delivered or that can be achieved far more
|
||||
effectively using a totally different approach. In the event that you should have a persistent
|
||||
concern that is not addressed in this book, please email <ulink url="mailto:jht@samba.org">John H. Terpstra</ulink>
|
||||
clearly setting out your requirements and/or question and we will do our best to provide a solution.
|
||||
clearly setting out your requirements and/or question, and we will do our best to provide a solution.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>SAM backend</primary><secondary>LDAP</secondary></indexterm>
|
||||
Samba-3 is capable of acting as a Backup Domain Controller (BDC) to another Samba Primary Domain
|
||||
Controller (PDC). A Samba-3 PDC can operate with an LDAP Account backend. The LDAP backend can be
|
||||
either a common master LDAP server, or a slave server. The use of a slave LDAP server has the
|
||||
Samba-3 can act as a Backup Domain Controller (BDC) to another Samba Primary Domain
|
||||
Controller (PDC). A Samba-3 PDC can operate with an LDAP account backend. The LDAP backend can be
|
||||
either a common master LDAP server or a slave server. The use of a slave LDAP server has the
|
||||
benefit that when the master is down, clients may still be able to log onto the network.
|
||||
This effectively gives Samba a high degree of scalability and is an effective solution
|
||||
for large organizations. If you use an LDAP slave server for a PDC,
|
||||
you will need to ensure the master's continued availability - if the
|
||||
slave finds it's master down at the wrong time, you will have
|
||||
you will need to ensure the master's continued availability &smbmdash; if the
|
||||
slave finds its master down at the wrong time, you will have
|
||||
stability and operational problems.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
|
||||
While it is possible to run a Samba-3 BDC with non-LDAP backend, that
|
||||
backend must allow some form of 'two way' propagation, of changes
|
||||
from the BDC to the master. Only LDAP is capable of this at this stage.
|
||||
While it is possible to run a Samba-3 BDC with a non-LDAP backend, that
|
||||
backend must allow some form of "two-way" propagation of changes
|
||||
from the BDC to the master. Only LDAP has such capability at this stage.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>SAM backend</primary><secondary>non-LDAP</secondary></indexterm>
|
||||
The use of a non-LDAP backend SAM database is particularly problematic because Domain Member
|
||||
The use of a non-LDAP backend SAM database is particularly problematic because domain member
|
||||
servers and workstations periodically change the Machine Trust Account password. The new
|
||||
password is then stored only locally. This means that in the absence of a centrally stored
|
||||
accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running
|
||||
as a BDC, the BDC instance of the Domain Member trust account password will not reach the
|
||||
as a BDC, the BDC instance of the domain member trust account password will not reach the
|
||||
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs, this results in
|
||||
overwriting the SAM that contains the updated (changed) trust account password with resulting
|
||||
breakage of the domain trust.
|
||||
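Review bot: The rewritten line "backend must allow some form of "two-way" propagation of changes" uses literal straight double quotes in the XML source; the rest of the HOWTO marks such phrases with `<quote>` (for example `<quote>mouse-over</quote>` in the other file in this commit), so use `<quote>two-way</quote>` here for consistent rendering. A second small point in the same hunk: "in the absence of a centrally stored accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running as a BDC, the BDC instance ..." needs a comma after the closing parenthesis, before "if".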
@ -62,7 +62,8 @@ breakage of the domain trust.
|
||||
<para>
|
||||
Considering the number of comments and questions raised concerning how to configure a BDC,
|
||||
let's consider each possible option and look at the pros and cons for each possible solution.
|
||||
<link linkend="pdc-bdc-table">Following table</link> lists possible design configurations for a PDC/BDC infrastructure.
|
||||
<link linkend="pdc-bdc-table">The Domain Backend Account Distribution Options table below</link> lists
|
||||
possible design configurations for a PDC/BDC infrastructure.
|
||||
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
|
||||
<indexterm><primary>SAM backend</primary><secondary>ldapsam</secondary></indexterm>
|
||||
<indexterm><primary>SAM backend</primary><secondary>tdbsam</secondary></indexterm>
|
||||
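Review bot: The new link text "The Domain Backend Account Distribution Options table below" hard-codes both the table's title and its position. If the title is edited or the table floats to the next page in print, the reference becomes wrong. `<xref linkend="pdc-bdc-table"/>` would generate the title automatically, and "below" can then be dropped.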
@ -89,14 +90,14 @@ let's consider each possible option and look at the pros and cons for each possi
|
||||
<entry><para>Single Central LDAP Server</para></entry>
|
||||
<entry><para>Single Central LDAP Server</para></entry>
|
||||
<entry><para>
|
||||
A workable solution without fail-over ability. This is a usable solution, but not optimal.
|
||||
A workable solution without failover ability. This is a usable solution, but not optimal.
|
||||
</para></entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry><para>tdbsam</para></entry>
|
||||
<entry><para>tdbsam + <command>net rpc vampire</command></para></entry>
|
||||
<entry><para>
|
||||
Does not work with Samba-3.0; as Samba does not implement the
|
||||
Does not work with Samba-3.0; Samba does not implement the
|
||||
server-side protocols required.
|
||||
</para></entry>
|
||||
</row>
|
||||
@ -130,7 +131,7 @@ let's consider each possible option and look at the pros and cons for each possi
|
||||
<title>Essential Background Information</title>
|
||||
|
||||
<para>
|
||||
A Domain Controller is a machine that is able to answer logon requests from network
|
||||
A domain controller is a machine that is able to answer logon requests from network
|
||||
workstations. Microsoft LanManager and IBM LanServer were two early products that
|
||||
provided this capability. The technology has become known as the LanMan Netlogon service.
|
||||
</para>
|
||||
@ -147,19 +148,19 @@ services that are implemented over an intricate spectrum of technologies.
|
||||
<title>MS Windows NT4-style Domain Control</title>
|
||||
|
||||
<para>
|
||||
Whenever a user logs into a Windows NT4/200x/XP Professional Workstation,
|
||||
the workstation connects to a Domain Controller (authentication server) to validate that
|
||||
Whenever a user logs into a Windows NT4/200x/XP Professional workstation,
|
||||
the workstation connects to a domain controller (authentication server) to validate that
|
||||
the username and password the user entered are valid. If the information entered
|
||||
does not match account information that has been stored in the Domain
|
||||
Control database (the SAM, or Security Account Manager database), a set of error
|
||||
does not match account information that has been stored in the domain
|
||||
control database (the SAM, or Security Account Manager database), a set of error
|
||||
codes is returned to the workstation that has made the authentication request.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
When the username/password pair has been validated, the Domain Controller
|
||||
When the username/password pair has been validated, the domain controller
|
||||
(authentication server) will respond with full enumeration of the account information
|
||||
that has been stored regarding that user in the User and Machine Accounts database
|
||||
for that Domain. This information contains a complete network access profile for
|
||||
that has been stored regarding that user in the user and machine accounts database
|
||||
for that domain. This information contains a complete network access profile for
|
||||
the user but excludes any information that is particular to the user's desktop profile,
|
||||
or for that matter it excludes all desktop profiles for groups that the user may
|
||||
belong to. It does include password time limits, password uniqueness controls,
|
||||
@ -170,36 +171,36 @@ in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
|
||||
|
||||
<para>
|
||||
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
|
||||
The account information (user and machine) on Domain Controllers is stored in two files,
|
||||
one containing the Security information and the other the SAM. These are stored in files
|
||||
The account information (user and machine) on domain controllers is stored in two files,
|
||||
one containing the security information and the other the SAM. These are stored in files
|
||||
by the same name in the <filename>%SystemRoot%\System32\config</filename> directory.
|
||||
This normally translates to the path <filename>C:\WinNT\System32\config</filename>. These
|
||||
are the files that are involved in replication of the SAM database where Backup Domain
|
||||
Controllers are present on the network.
|
||||
are the files that are involved in replication of the SAM database where BDCs are present
|
||||
on the network.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
There are two situations in which it is desirable to install Backup Domain Controllers:
|
||||
There are two situations in which it is desirable to install BDCs:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
On the local network that the Primary Domain Controller is on, if there are many
|
||||
On the local network that the PDC is on, if there are many
|
||||
workstations and/or where the PDC is generally very busy. In this case the BDCs
|
||||
will pick up network logon requests and help to add robustness to network services.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
At each remote site, to reduce wide area network traffic and to add stability to
|
||||
At each remote site, to reduce wide-area network traffic and to add stability to
|
||||
remote network operations. The design of the network, the strategic placement of
|
||||
Backup Domain Controllers, together with an implementation that localizes as much
|
||||
of network to client interchange as possible will help to minimize wide area network
|
||||
BDCs, together with an implementation that localizes as much
|
||||
of network to client interchange as possible will help to minimize wide-area network
|
||||
bandwidth needs (and thus costs).
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
The inter-operation of a PDC and its BDCs in a true Windows NT4 environment is worth
|
||||
The interoperation of a PDC and its BDCs in a true Windows NT4 environment is worth
|
||||
mentioning here. The PDC contains the master copy of the SAM. In the event that an
|
||||
administrator makes a change to the user account database while physically present
|
||||
on the local network that has the PDC, the change will likely be made directly to
|
||||
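Review bot: On the rewritten line "of network to client interchange as possible will help to minimize wide-area network", "wide-area" is hyphenated but "network to client", which is also a compound modifier, is not; make it "network-to-client interchange". The surrounding sentence is also hard to parse after the abbreviation change: "The design of the network, the strategic placement of BDCs, together with an implementation that localizes as much of network to client interchange as possible will help ..." would read better as "... that localizes as much network-to-client interchange as possible, will help ...".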
@ -207,19 +208,19 @@ the PDC instance of the master copy of the SAM. In the event that this update ma
|
||||
be performed in a branch office, the change will likely be stored in a delta file
|
||||
on the local BDC. The BDC will then send a trigger to the PDC to commence the process
|
||||
of SAM synchronization. The PDC will then request the delta from the BDC and apply
|
||||
it to the master SAM. The PDC will then contact all the BDCs in the Domain and
|
||||
it to the master SAM. The PDC will then contact all the BDCs in the domain and
|
||||
trigger them to obtain the update and then apply that to their own copy of the SAM.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Samba-3 can not participate in true SAM replication and is therefore not able to
|
||||
Samba-3 cannot participate in true SAM replication and is therefore not able to
|
||||
employ precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will
|
||||
not create SAM update delta files. It will not inter-operate with a PDC (NT4 or Samba)
|
||||
not create SAM update delta files. It will not interoperate with a PDC (NT4 or Samba)
|
||||
to synchronize the SAM from delta files that are held by BDCs.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 can not
|
||||
Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 cannot
|
||||
function correctly as a PDC to an MS Windows NT4 BDC. Both Samba-3 and MS Windows
|
||||
NT4 can function as a BDC to its own type of PDC.
|
||||
</para>
|
||||
@ -227,17 +228,17 @@ NT4 can function as a BDC to its own type of PDC.
|
||||
<para>
|
||||
The BDC is said to hold a <emphasis>read-only</emphasis> of the SAM from which
|
||||
it is able to process network logon requests and authenticate users. The BDC can
|
||||
continue to provide this service, particularly while, for example, the wide area
|
||||
continue to provide this service, particularly while, for example, the wide-area
|
||||
network link to the PDC is down. A BDC plays a very important role in both the
|
||||
maintenance of Domain Security as well as in network integrity.
|
||||
maintenance of domain security as well as in network integrity.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In the event that the NT4 PDC should need to be taken out of service, or if it dies,
|
||||
one of the NT4 BDCs can be promoted to a PDC. If this happens while the original NT4 PDC is on
|
||||
line, it is automatically demoted to an NT4 BDC. This is an important aspect of Domain
|
||||
Controller management. The tool that is used to effect a promotion or a demotion is the
|
||||
Server Manager for Domains. It should be noted that Samba-3 BDCs can not be promoted
|
||||
one of the NT4 BDCs can be promoted to a PDC. If this happens while the original NT4 PDC
|
||||
is online, it is automatically demoted to an NT4 BDC. This is an important aspect of domain
|
||||
controller management. The tool that is used to effect a promotion or a demotion is the
|
||||
Server Manager for Domains. It should be noted that Samba-3 BDCs cannot be promoted
|
||||
in this manner because reconfiguration of Samba requires changes to the &smb.conf; file.
|
||||
</para>
|
||||
|
||||
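Review bot: The unchanged context line "The BDC is said to hold a <emphasis>read-only</emphasis> of the SAM" is missing its noun; it should read "a <emphasis>read-only</emphasis> copy of the SAM". Since this hunk already edits the two lines that follow it, fixing it here would be cheap.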
@ -246,13 +247,14 @@ in this manner because reconfiguration of Samba requires changes to the &smb.con
|
||||
|
||||
<para>
|
||||
Beginning with Version 2.2, Samba officially supports domain logons for all current Windows clients,
|
||||
including Windows NT4, 2003 and XP Professional. For Samba to be enabled as a PDC, some
|
||||
parameters in the <smbconfsection name="[global]"/>-section of the &smb.conf; have to be set.
|
||||
Refer to <link linkend="minimalPDC">following configuration</link> for an example of the minimum required settings.
|
||||
including Windows NT4, 2003, and XP Professional. For Samba to be enabled as a PDC, some
|
||||
parameters in the <smbconfsection name="[global]"/> section of the &smb.conf; have to be set.
|
||||
Refer to <link linkend="minimalPDC">the Minimal smb.conf for a PDC in Use with a BDC &smbmdash; LDAP Server on
|
||||
PDC section</link> for an example of the minimum required settings.
|
||||
</para>
|
||||
|
||||
<example id="minimalPDC">
|
||||
<title>Minimal smb.conf for a PDC in Use With a BDC &smbmdash; LDAP Server on PDC.</title>
|
||||
<title>Minimal smb.conf for a PDC in Use with a BDC &smbmdash; LDAP Server on PDC</title>
|
||||
<smbconfblock>
|
||||
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
|
||||
<smbconfoption name="passdb backend">ldapsam://localhost:389</smbconfoption>
|
||||
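Review bot: The new link text copies the example's full title ("the Minimal smb.conf for a PDC in Use with a BDC &smbmdash; LDAP Server on PDC section") into the paragraph, so the two now have to be kept in sync by hand (the hunk itself already changes the title's capitalization from "With" to "with"). `<xref linkend="minimalPDC"/>` would pull the title in at build time. Also, the example is an `<example>`, not a section, so "section" in the link text is wrong.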
@ -276,7 +278,7 @@ chapter; for more information please refer to <link linkend="samba-pdc">Domain C
|
||||
|
||||
<para>
|
||||
When configuring a master and a slave LDAP server, it is advisable to use the master LDAP server
|
||||
for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers, however,
|
||||
for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers; however,
|
||||
many administrators will want to do so in order to provide redundant services. Of course, one or more BDCs
|
||||
may use any slave LDAP server. Then again, it is entirely possible to use a single LDAP server for the
|
||||
entire network.
|
||||
@ -292,12 +294,12 @@ subjectAltName certificate extension. More details on server certificate names a
|
||||
|
||||
<para>
|
||||
It does not really fit within the scope of this document, but a working LDAP installation is
|
||||
basic to LDAP enabled Samba operation. When using an OpenLDAP server with Transport Layer Security
|
||||
basic to LDAP-enabled Samba operation. When using an OpenLDAP server with Transport Layer Security
|
||||
(TLS), the machine name in <filename>/etc/ssl/certs/slapd.pem</filename> must be the
|
||||
same as in <filename>/etc/openldap/sldap.conf</filename>. The Red Hat Linux startup script
|
||||
creates the <filename>slapd.pem</filename> file with hostname <quote>localhost.localdomain.</quote>
|
||||
It is impossible to access this LDAP server from a slave LDAP server (i.e., a Samba BDC) unless the
|
||||
certificate is recreated with a correct hostname.
|
||||
certificate is re-created with a correct hostname.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
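Review bot: The context line "same as in <filename>/etc/openldap/sldap.conf</filename>" has a typo that matters here: the OpenLDAP server configuration file is `slapd.conf`, and this paragraph is precisely about the hostname in that file matching the one in the TLS certificate, so sending readers to a nonexistent file defeats the advice. Please correct it while touching this paragraph. Minor: "hostname <quote>localhost.localdomain.</quote>" keeps the period inside the `<quote>`, while the earlier hunk in this commit moved a trailing period outside a `<ulink>`; apply the same treatment.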
@ -305,7 +307,7 @@ For preference, do not install a Samba PDC on a OpenLDAP slave server. Joining c
|
||||
will fail in this configuration because the change to the machine account in the LDAP tree
|
||||
must take place on the master LDAP server. This is not replicated rapidly enough to the slave
|
||||
server that the PDC queries. It therefore gives an error message on the client machine about
|
||||
not being able to set up account credentials. The machine account is created on the LDAP server
|
||||
not being able to set up account credentials. The machine account is created on the LDAP server,
|
||||
but the password fields will be empty. Unfortunately, some sites are
|
||||
unable to avoid such configurations, and these sites should review the
|
||||
<smbconfoption name="ldap replication sleep"/> parameter, intended to slow down Samba sufficiently
|
||||
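Review bot: The context line in this hunk's header, "do not install a Samba PDC on a OpenLDAP slave server", needs "an OpenLDAP". Otherwise the added comma after "created on the LDAP server" is correct, and the note about <smbconfoption name="ldap replication sleep"/> is the right pointer for sites stuck with a slave-backed PDC.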
@ -339,17 +341,15 @@ Possible PDC/BDC plus LDAP configurations include:
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
In order to have a fall-back configuration (secondary) LDAP server one would specify
|
||||
the secondary LDAP server in the &smb.conf; file as shown in <link linkend="mulitldapcfg">following example</link>.
|
||||
In order to have a fallback configuration (secondary) LDAP server, you would specify
|
||||
the secondary LDAP server in the &smb.conf; file as shown in <link linkend="mulitldapcfg">the Multiple LDAP
|
||||
Servers in &smb.conf; example</link>.
|
||||
</para>
|
||||
|
||||
<example id="mulitldapcfg">
|
||||
<title>Multiple LDAP Servers in &smb.conf;</title>
|
||||
<smbconfblock>
|
||||
<member>...</member>
|
||||
<smbconfoption name="passdb backend"> </smbconfoption>
|
||||
<member><parameter>ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</parameter></member>
|
||||
<member>...</member>
|
||||
<smbconfoption name="passdb backend">ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</smbconfoption>
|
||||
</smbconfblock>
|
||||
</example>
|
||||
|
||||
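Review bot: Collapsing the block to a single `<smbconfoption name="passdb backend">ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"</smbconfoption>` line drops the two `<member>...</member>` lines, so the example no longer shows that it is a fragment of a larger `[global]` section; keep one ellipsis line or add `<smbconfsection name="[global]"/>` so readers do not take it for a complete configuration. The example id `mulitldapcfg` (and the matching `linkend`) looks like a transposition of "multildapcfg"; harmless, but worth fixing in both places while the link text is being rewritten. The quoted, space-separated list of LDAP URIs itself is the correct form for a primary plus fallback server.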
@ -361,9 +361,9 @@ the secondary LDAP server in the &smb.conf; file as shown in <link linkend="muli
<para>
As of the release of MS Windows 2000 and Active Directory, this information is now stored
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is not able to be a Domain Controller within an Active Directory
can be delegated. Samba-3 is not able to be a domain controller within an Active Directory
tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot
act as a Backup Domain Controller to an Active Directory Domain Controller.
act as a BDC to an Active Directory domain controller.
</para>

</sect2>
@ -372,27 +372,27 @@ act as a Backup Domain Controller to an Active Directory Domain Controller.
<title>What Qualifies a Domain Controller on the Network?</title>

<para>
Every machine that is a Domain Controller for the domain MIDEARTH has to register the NetBIOS
Every machine that is a domain controller for the domain MIDEARTH has to register the NetBIOS
group name MIDEARTH<#1c> with the WINS server and/or by broadcast on the local network.
The PDC also registers the unique NetBIOS name MIDEARTH<#1b> with the WINS server.
The name type <#1b> name is normally reserved for the Domain Master Browser, a role
that has nothing to do with anything related to authentication, but the Microsoft Domain
implementation requires the Domain Master Browser to be on the same machine as the PDC.
The name type <#1b> name is normally reserved for the Domain Master Browser (DMB), a role
that has nothing to do with anything related to authentication, but the Microsoft domain
implementation requires the DMB to be on the same machine as the PDC.
</para>

<para>
Where a WINS server is not used, broadcast name registrations alone must suffice. Refer to
<link linkend="netdiscuss">Network Browsing: Discussion</link> for more information regarding TCP/IP network protocols and how
SMB/CIFS names are handled.
<link linkend="NetworkBrwosing">Network Browsing</link>,<link linkend="netdiscuss">Discussion</link>
for more information regarding TCP/IP network protocols and how SMB/CIFS names are handled.
</para>

</sect2>

<sect2>
<title>How does a Workstation find its Domain Controller?</title>
<title>How Does a Workstation find its Domain Controller?</title>

<para>
There are two different mechanisms to locate a domain controller, one method is used when
There are two different mechanisms to locate a domain controller: one method is used when
NetBIOS over TCP/IP is enabled and the other when it has been disabled in the TCP/IP
network configuration.
</para>
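Review bot: the rewritten cross-reference `<link linkend="NetworkBrwosing">Network Browsing</link>,<link linkend="netdiscuss">Discussion</link>` has no space after the comma, and the id "NetworkBrwosing" looks misspelled; unless a target with exactly that id exists, the build will not resolve it, so check the chapter id before merging. The title-case change to "How Does a Workstation find its Domain Controller?" is also only half done: "Find Its".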
@ -408,12 +408,12 @@ environment all machines require appropriate DNS entries. More information may b
<title>NetBIOS Over TCP/IP Enabled</title>
<para>
An MS Windows NT4/200x/XP Professional workstation in the domain MIDEARTH that wants a
local user to be authenticated has to find the Domain Controller for MIDEARTH. It does this
local user to be authenticated has to find the domain controller for MIDEARTH. It does this
by doing a NetBIOS name query for the group name MIDEARTH<#1c>. It assumes that each
of the machines it gets back from the queries is a Domain Controller and can answer logon
requests. To not open security holes, both the workstation and the selected Domain Controller
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes, both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller for validation.
password) to the local domain controller for validation.
</para>

</sect3>
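Review bot: while the capitalization is being touched, "To not open security holes, both the workstation and the selected domain controller authenticate each other" deserves "To avoid opening security holes", and the next sentence wants a comma: "After that, the workstation sends". The mutual-authentication step is the security-relevant point of this paragraph, so the sentence that carries it should read cleanly.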
@ -423,7 +423,7 @@ password) to the local Domain Controller for validation.

<para>
An MS Windows NT4/200x/XP Professional workstation in the realm <constant>quenya.org</constant>
that has a need to affect user logon authentication will locate the Domain Controller by
that has a need to affect user logon authentication will locate the domain controller by
re-querying DNS servers for the <constant>_ldap._tcp.pdc._msdcs.quenya.org</constant> record.
More information regarding this subject may be found in <link linkend="adsdnstech">DNS and Active Directory</link>.
</para>
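Review bot: "that has a need to affect user logon authentication" (changed only in capitalization) is a usage error; the intended sense is "that needs to perform user logon authentication". Worth fixing while this line is already being modified.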
@ -437,7 +437,7 @@ More information regarding this subject may be found in <link linkend="adsdnstec

<para>
The creation of a BDC requires some steps to prepare the Samba server before
&smbd; is executed for the first time. These steps are outlines as follows:
&smbd; is executed for the first time. These steps are as follows:
<indexterm><primary>SID</primary></indexterm>
</para>

@ -446,9 +446,9 @@ The creation of a BDC requires some steps to prepare the Samba server before
The domain SID has to be the same on the PDC and the BDC. In Samba versions
pre-2.2.5, the domain SID was stored in the file <filename>private/MACHINE.SID</filename>.
The domain SID is now stored in the file <filename>private/secrets.tdb</filename>. This file
is unique to each server and can not be copied from a PDC to a BDC, the BDC will generate
a new SID at start-up. It will over-write the PDC domain SID with the newly created BDC SID.
There is a procedure that will allow the BDC to aquire the Domain SID. This is described here.
is unique to each server and cannot be copied from a PDC to a BDC; the BDC will generate
a new SID at startup. It will overwrite the PDC domain SID with the newly created BDC SID.
There is a procedure that will allow the BDC to aquire the domain SID. This is described here.
</para>

<para>
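Review bot: the typo "aquire" survives in the new line "There is a procedure that will allow the BDC to aquire the domain SID." (should be "acquire"), and "This is described here." points nowhere; it should be a `<link>` to the procedure. The sentence "It will overwrite the PDC domain SID with the newly created BDC SID" also reads as if the PDC itself is modified; the problem it is describing is that the BDC ends up holding its own freshly generated SID instead of the PDC's domain SID, so say that.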
@ -508,11 +508,12 @@ The creation of a BDC requires some steps to prepare the Samba server before
<title>Example Configuration</title>

<para> Finally, the BDC has to be found by the workstations. This can be
done by setting Samba as shown in <link linkend="minim-bdc">the next example</link>.
done by configuring the Samba &smb.conf; file <smbconfsection name="[global]"/> section
as shown in <link linkend="minim-bdc">Minimal Setup for Being a BDC</link>.
</para>

<example id="minim-bdc">
<title>Minimal setup for being a BDC</title>
<title>Minimal Setup for Being a BDC</title>
<smbconfblock>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="passdb backend">ldapsam:ldap://slave-ldap.quenya.org</smbconfoption>
@ -523,13 +524,12 @@ done by setting Samba as shown in <link linkend="minim-bdc">the next example</li
</example>

<para>
In the <smbconfsection name="[global]"/>-section of the &smb.conf; of the BDC. This makes the BDC
only register the name MIDEARTH<#1c> with the WINS server. This is no
problem as the name MIDEARTH<#1c> is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter
This configuration causes the BDC to register only the name MIDEARTH<#1c> with the
WINS server. This is not a problem, as the name MIDEARTH<#1c> is a NetBIOS group name
that is meant to be registered by more than one machine. The parameter
<smbconfoption name="domain master">no</smbconfoption>
forces the BDC not to register <?latex \linebreak ?>MIDEARTH<#1b> which as a unique NetBIOS
name is reserved for the Primary Domain Controller.
forces the BDC not to register MIDEARTH<#1b>, which is a unique NetBIOS name that
is reserved for the PDC.
</para>

<para>
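Review bot: the explanatory paragraph talks about MIDEARTH<#1c> and MIDEARTH<#1b> while the example it explains sets `<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>`; if that entity expands to anything other than MIDEARTH, prose and example disagree. Use the entity in the prose or the literal in the example. Dropping the `<?latex \linebreak ?>` processing instruction is fine provided the PDF build still breaks that line acceptably; check the rendered output.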
@ -542,19 +542,19 @@ use the LDAP database to resolve all UIDs and GIDs for UNIX accounts.
<note><para>
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it
allows greater flexibility in how user and group IDs are handled in respect to NT Domain User and Group
allows greater flexibility in how user and group IDs are handled in respect to NT domain user and group
SIDs. One of the new facilities provides for explicitly ensuring that UNIX/Linux UID and GID values
will be consistent on the PDC, all BDCs and all Domain Member servers. The parameter that controls this
will be consistent on the PDC, all BDCs, and all domain member servers. The parameter that controls this
is called <parameter>idmap backend</parameter>. Please refer to the man page for &smb.conf; for more information
regarding its behavior.
</para></note>

<para>
The use of the <smbconfoption name="idmap backend">ldap:ldap://master.quenya.org</smbconfoption>
option on a BDC only make sense where ldapsam is used on a PDC. The purpose for an LDAP based idmap backend is
also to allow a domain-member (without its own passdb backend) to use winbindd to resolve Windows network users
and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on Domain
Member servers.
option on a BDC only makes sense where ldapsam is used on a PDC. The purpose of an LDAP-based idmap backend is
also to allow a domain member (without its own passdb backend) to use winbindd to resolve Windows network users
and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on domain
member servers.
</para>

</sect2>
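Review bot: `<parameter>idmap backend</parameter>` in the note should be `<smbconfoption name="idmap backend"/>`, the markup the same option gets two paragraphs later. The idmap example points at master.quenya.org while the BDC's `passdb backend` example above points at slave-ldap.quenya.org; one sentence saying why the id mapping goes to the master (new mappings are writes, and the chapter's own replication discussion says modifications are sent to the master rather than a read-only replica) would pre-empt the obvious reader question.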
@ -564,9 +564,9 @@ Member servers.
<title>Common Errors</title>

<para>
As this is a rather new area for Samba, there are not many examples that we may refer to.
As domain control is a rather new area for Samba, there are not many examples that we may refer to.
Updates will be published as they become available and may be found in later Samba releases or
from the Samba web <ulink url="http://samba.org">site.</ulink>
from the Samba Web <ulink url="http://samba.org">site</ulink>.
</para>

<sect2>
@ -575,18 +575,18 @@ from the Samba web <ulink url="http://samba.org">site.</ulink>
<para>
<indexterm><primary>Machine Trust Accounts</primary></indexterm>
This problem will occur when the passdb (SAM) files are copied from a central
server but the local Backup Domain Controller is acting as a PDC. This results in the application of
server but the local BDC is acting as a PDC. This results in the application of
Local Machine Trust Account password updates to the local SAM. Such updates
are not copied back to the central server. The newer machine account password is then over
written when the SAM is re-copied from the PDC. The result is that the Domain Member machine
on start up will find that its passwords do not match the one now in the database and
are not copied back to the central server. The newer machine account password is then
overwritten when the SAM is recopied from the PDC. The result is that the domain member machine
on startup will find that its passwords do not match the one now in the database, and
since the startup security check will now fail, this machine will not allow logon attempts
to proceed and the account expiry error will be reported.
</para>

<para>
The solution is to use a more robust passdb backend, such as the ldapsam backend, setting up
a slave LDAP server for each BDC, and a master LDAP server for the PDC.
a slave LDAP server for each BDC and a master LDAP server for the PDC.
</para>

</sect2>
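Review bot: "its passwords do not match the one now in the database" mixes singular and plural; "its password does not match the one". "Local Machine Trust Account password updates" also keeps title case while the rest of the paragraph was lowercased in this pass.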
@ -619,7 +619,7 @@ has to be replicated to the BDC. So replicating the smbpasswd file very often is
</para>

<para>
As the smbpasswd file contains plain text password equivalents, it must not be
As the smbpasswd file contains plaintext password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
<command>ssh</command> itself can be set up to accept <emphasis>only</emphasis>
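Review bot: `ssh` gets `<command>` markup but `rsync` in the same paragraph is plain text twice; mark it up the same way. Since the paragraph's whole point is that smbpasswd holds plaintext password equivalents, it could also say that the copy landing on the BDC must keep the same restrictive ownership and permissions it has on the PDC; encrypting the transport alone does not protect the file at rest.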
@ -639,8 +639,8 @@ accounts will go out of sync, resulting in a broken domain. This method is

<para>
The simple answer is yes. Samba's pdb_ldap code supports binding to a replica
LDAP server, and will also follow referrals and re-bind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read only, so
LDAP server and will also follow referrals and rebind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read-only, so
this will not occur often).
</para>


@ -11,10 +11,10 @@
<title>Features and Benefits</title>

<para>
The Samba project is over ten years old. During the early history
The Samba project is over 10 years old. During the early history
of Samba, UNIX administrators were its key implementors. UNIX administrators
will use UNIX system tools to backup UNIX system files. Over the past
four years, an increasing number of Microsoft network administrators have
use UNIX system tools to backup UNIX system files. Over the past
4 years, an increasing number of Microsoft network administrators have
taken an interest in Samba. This is reflected in the questions about backup
in general on the Samba mailing lists.
</para>
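Review bot: changing "ten years" to "10 years" and "four years" to "4 years" introduces a numeral-style inconsistency with "three free software projects" in the context line of a later hunk of this same file; pick one convention. "to backup UNIX system files" should be "to back up" (verb), the noun "backup" is correct later in the paragraph.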
@ -27,7 +27,7 @@ in general on the Samba mailing lists.
<para>
During discussions at a Microsoft Windows training course, one of
the pro-UNIX delegates stunned the class when he pointed out that Windows
NT4 is so limiting compared with UNIX. He likened UNIX to a Meccano set
NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set
that has an unlimited number of tools that are simple, efficient,
and, in combination, capable of achieving any desired outcome.
</para>
@ -42,7 +42,7 @@ intent is preferred by some like her.
<para>
Please note that all information here is provided as is and without recommendation
of fitness or suitability. The network administrator is strongly encouraged to
perform due-diligence research before implementing any backup solution, whether free
perform due diligence research before implementing any backup solution, whether free
software or commercial.
</para>

@ -62,21 +62,21 @@ The following three free software projects might also merit consideration.

<para>
<indexterm><primary>BackupPC</primary></indexterm>
BackupPC version 2.0.0 has been released on <ulink url="http://backuppc.sourceforge.net">SourceForge.</ulink>
BackupPC version 2.0.0 has been released on <ulink url="http://backuppc.sourceforge.net">SourceForge</ulink>.
New features include support for <command>rsync/rsyncd</command> and internationalization of the CGI interface
(including English, French, Spanish, and German).
</para>

<para>
BackupPC is a high-performance Perl-based package for backing up Linux,
UNIX or Windows PCs and laptops to a server's disk. BackupPC is highly
UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly
configurable and easy to install and maintain. SMB (via smbclient),
<command>tar</command> over <command>rsh/ssh</command> or <command>rsync/rsyncd</command>
<command>tar</command> over <command>rsh/ssh</command>, or <command>rsync/rsyncd</command>
are used to extract client data.
</para>

<para>
Given the ever decreasing cost of disks and raid systems, it is now
Given the ever-decreasing cost of disks and RAID systems, it is now
practical and cost effective to backup a large number of machines onto
a server's local disk or network storage. This is what BackupPC does.
</para>
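Review bot: `smbclient` is bare text while tar, rsh/ssh and rsync/rsyncd in the same sentence are in `<command>`; "cost effective" should be hyphenated and "to backup a large number of machines" should be "to back up". Listing `rsh/ssh` as interchangeable transports also sits uneasily with the replication chapter's insistence that password data must not be sent unencrypted over the wire; a short caveat that rsh provides no encryption would keep the two chapters consistent.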
@ -89,8 +89,8 @@ The following three free software projects might also merit consideration.

<para>
BackupPC is free software distributed under a GNU GPL license.
BackupPC runs on Linux/UNIX/freenix servers, and has been tested
on Linux, UNIX, Windows 9x/ME, Windows 98, Windows 200x, Windows XP, and Mac OSX clients.
BackupPC runs on Linux/UNIX/freenix servers and has been tested
on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients.
</para>

</sect2>
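Review bot: "Windows 9x/Me, Windows 98" is redundant (98 is one of the 9x releases), and "Mac OSX" should be "Mac OS X". Both are in the line being edited, so fix them here.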
@ -175,7 +175,7 @@ The following three free software projects might also merit consideration.

<para>
For more information regarding Amanda, please check the <ulink url="http://www.amanda.org/">
www.amanda.org/ site.</ulink>
www.amanda.org/ site</ulink>.
</para>

</sect2>
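Review bot: moving the period outside the `<ulink>` is right; the link text "www.amanda.org/ site" still carries a trailing slash and a space before "site", and "the www.amanda.org site" reads better. The BOBS paragraph below has the same pattern.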
@ -193,7 +193,7 @@ The following three free software projects might also merit consideration.

<para>
The home page for BOBS is located at <ulink url="http://bobs.sourceforge.net/">
bobs.sourceforge.net.</ulink>
bobs.sourceforge.net</ulink>.
</para>

</sect2>

File diff suppressed because it is too large
@ -14,19 +14,19 @@
<title>Domain Membership</title>

<para>
Domain Membership is a subject of vital concern. Samba must be able to
participate as a member server in a Microsoft Domain Security context, and
Samba must be capable of providing Domain machine member trust accounts,
Domain membership is a subject of vital concern. Samba must be able to
participate as a member server in a Microsoft domain security context, and
Samba must be capable of providing domain machine member trust accounts;
otherwise it would not be able to offer a viable option for many users.
</para>

<para>
This chapter covers background information pertaining to Domain Membership,
This chapter covers background information pertaining to domain membership,
the Samba configuration for it, and MS Windows client procedures for joining a
domain. Why is this necessary? Because both are areas in which there exists
within the current MS Windows networking world and particularly in the
within the current MS Windows networking world, and particularly in the
UNIX/Linux networking and administration world, a considerable level of
misinformation, incorrect understanding and a lack of knowledge. Hopefully
misinformation, incorrect understanding, and lack of knowledge. Hopefully
this chapter will fill the voids.
</para>

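Review bot: "domain machine member trust accounts" has the words in the wrong order; the term used throughout the chapter is "machine trust account", so "domain member machine trust accounts". In the second paragraph "Because both are areas" refers back to three items (background, Samba configuration, client procedures), so "both" is wrong.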
@ -34,19 +34,19 @@ this chapter will fill the voids.
<title>Features and Benefits</title>

<para>
MS Windows workstations and servers that want to participate in Domain Security need to
be made Domain Members. Participating in Domain Security is often called
<emphasis>Single Sign On</emphasis> or <acronym>SSO</acronym> for short. This
MS Windows workstations and servers that want to participate in domain security need to
be made domain members. Participating in domain security is often called
<emphasis>single sign-on</emphasis>, or <acronym>SSO</acronym> for short. This
chapter describes the process that must be followed to make a workstation
(or another server &smbmdash; be it an <application>MS Windows NT4 / 200x</application>
server) or a Samba server a member of an MS Windows Domain Security context.
(or another server &smbmdash; be it an <application>MS Windows NT4/200x</application>
server) or a Samba server a member of an MS Windows domain security context.
</para>

<para>
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
Samba-3 can join an MS Windows NT4-style domain as a native member server, an
MS Windows Active Directory Domain as a native member server, or a Samba Domain
Control network. Domain Membership has many advantages:
MS Windows Active Directory domain as a native member server, or a Samba domain
control network. Domain membership has many advantages:
</para>

<itemizedlist>
@ -58,18 +58,18 @@ Control network. Domain Membership has many advantages:
<listitem><para>
Domain user access rights and file ownership/access controls can be set
from the single Domain Security Account Manager (SAM) database
(works with Domain Member servers as well as with MS Windows workstations
that are Domain Members).
(works with domain member servers as well as with MS Windows workstations
that are domain members).
</para></listitem>

<listitem><para>
Only <application>MS Windows NT4/200x/XP Professional</application>
workstations that are Domain Members can use network logon facilities.
workstations that are domain members can use network logon facilities.
</para></listitem>

<listitem><para>
Domain Member workstations can be better controlled through the use of
Policy files (<filename>NTConfig.POL</filename>) and Desktop Profiles.
Domain member workstations can be better controlled through the use of
policy files (<filename>NTConfig.POL</filename>) and desktop profiles.
</para></listitem>

<listitem><para>
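Review bot: "Domain Security Account Manager (SAM)" in the unchanged context line was skipped by the lowercasing pass; "Security Account Manager" is the proper name, so "the single domain Security Account Manager (SAM) database" keeps the name and matches the convention applied everywhere else in this hunk.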
@ -80,8 +80,8 @@ Control network. Domain Membership has many advantages:
<listitem><para>
Network administrators gain better application and user access management
abilities because there is no need to maintain user accounts on any network
client or server, other than the central Domain database
(either NT4/Samba SAM style Domain, NT4 Domain that is backend-ed with an
client or server other than the central domain database
(either NT4/Samba SAM-style domain, NT4 domain that is backend-ed with an
LDAP directory, or via an Active Directory infrastructure).
</para></listitem>
</itemizedlist>
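Review bot: "NT4 domain that is backend-ed with an LDAP directory" is awkward in the new line; "NT4 domain backed by an LDAP directory" says the same thing.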
@ -94,22 +94,22 @@ Control network. Domain Membership has many advantages:
<para>
<indexterm><primary>Machine Trust Accounts</primary></indexterm>
A Machine Trust Account is an account that is used to authenticate a client
machine (rather than a user) to the Domain Controller server. In Windows terminology,
this is known as a <quote>Computer Account.</quote> The purpose of the machine account
is to prevent a rogue user and Domain Controller from colluding to gain access to a
machine (rather than a user) to the domain controller server. In Windows terminology,
this is known as a <quote>computer account.</quote> The purpose of the machine account
is to prevent a rogue user and domain controller from colluding to gain access to a
domain member workstation.
</para>

<para>
The password of a Machine Trust Account acts as the shared secret for
secure communication with the Domain Controller. This is a security
secure communication with the domain controller. This is a security
feature to prevent an unauthorized machine with the same NetBIOS name
from joining the domain and gaining access to domain user/group
accounts. Windows NT/200x/XP Professional clients use machine trust
accounts, but Windows 9x/Me/XP Home clients do not. Hence, a
Windows 9x/Me/XP Home client is never a true member of a Domain
Windows 9x/Me/XP Home client is never a true member of a domain
because it does not possess a Machine Trust Account, and, thus, has no
shared secret with the Domain Controller.
shared secret with the domain controller.
</para>

<para>
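Review bot: the pass lowercases "computer account" and leaves "machine trust accounts" lowercase where the context already had it, but "Machine Trust Account" stays capitalized three times in the same two paragraphs; settle on one form. "the domain controller server" in the first new line is redundant, "the domain controller" is enough.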
@ -121,8 +121,8 @@ as follows:

<itemizedlist>
<listitem><para>
A Domain Security Account (stored in the
<smbconfoption name="passdb backend"/> that has been configured in the
A domain security account (stored in the
<smbconfoption name="passdb backend"/>) that has been configured in the
&smb.conf; file. The precise nature of the account information that is
stored depends on the type of backend database that has been chosen.
</para>
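Review bot: the added ")" fixes the unbalanced parenthesis, but it now makes "that has been configured in the smb.conf file" modify the account instead of the backend: "A domain security account (stored in the passdb backend) that has been configured in the smb.conf file". Move the closing parenthesis to after "file" so the clause stays attached to `passdb backend`.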
@ -130,12 +130,12 @@ as follows:
<para>
The older format of this data is the <filename>smbpasswd</filename> database
that contains the UNIX login ID, the UNIX user identifier (UID), and the
LanMan and NT encrypted passwords. There is also some other information in
LanMan and NT-encrypted passwords. There is also some other information in
this file that we do not need to concern ourselves with here.
</para>

<para>
The two newer database types are called ldapsam, and
The two newer database types are called ldapsam and
tdbsam. Both store considerably more data than the
older <filename>smbpasswd</filename> file did. The extra information
enables new user account controls to be implemented.
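Review bot: "LanMan and NT-encrypted passwords" changes the meaning: with the hyphen, "NT-encrypted" modifies both nouns, as if a LanMan password were encrypted by NT. The smbpasswd file stores two separate values, so revert to "LanMan and NT encrypted passwords" or write "the LanMan and the NT encrypted password (two separate values)"; these are the same fields the replication chapter calls plaintext password equivalents, so the description should be exact.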
@ -163,8 +163,8 @@ There are three ways to create Machine Trust Accounts:

<listitem><para>
<indexterm><primary>Server Manager</primary></indexterm>
Using the MS Windows NT4 Server Manager, either from an NT4 Domain Member
server, or using the Nexus toolkit available from the Microsoft Web site.
Using the MS Windows NT4 Server Manager, either from an NT4 domain member
server or using the Nexus toolkit available from the Microsoft Web site.
This tool can be run from any MS Windows machine as long as the user is
logged on as the administrator account.
</para></listitem>
@ -200,8 +200,8 @@ a Linux-based Samba server:
</para>

<para>In the example above there is an existing system group <quote>machines</quote> which is used
as the primary group for all machine accounts. In the following examples the <quote>machines</quote> group has
numeric GID equal 100.</para>
as the primary group for all machine accounts. In the following examples the <quote>machines</quote> group
numeric GID is 100.</para>

<para>
<indexterm><primary>chpass</primary></indexterm>
@ -217,7 +217,7 @@ On *BSD systems, this can be done using the <command>chpass</command> utility:

<para>
The <filename>/etc/passwd</filename> entry will list the machine name
with a <quote>$</quote> appended, will not have a password, will have a null shell and no
with a <quote>$</quote> appended, and will not have a password, will have a null shell and no
home directory. For example, a machine named <quote>doppy</quote> would have an
<filename>/etc/passwd</filename> entry like this:
</para>
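Review bot: inserting "and" after "appended" puts the conjunction in the middle of a three-item series, so the sentence is still ungrammatical. Suggest: "with a <quote>$</quote> appended; it will have no password, a null shell, and no home directory." Note also that "null shell" describes the `/bin/false` shown in the listing that follows, and the listing's password field is `x`, so "no password" is loose; "no usable password" matches what the entry actually shows.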
@ -227,8 +227,8 @@ doppy$:x:505:100:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/fals
</programlisting>

<para>
Above, <replaceable>machine_nickname</replaceable> can be any
descriptive name for the client, i.e., BasementComputer.
in which <replaceable>machine_nickname</replaceable> can be any
descriptive name for the client, such as BasementComputer.
<replaceable>machine_name</replaceable> absolutely must be the NetBIOS
name of the client to be joined to the domain. The <quote>$</quote> must be
appended to the NetBIOS name of the client or Samba will not recognize
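Review bot: "in which machine_nickname can be any ..." now opens a fresh `<para>` immediately after `</programlisting>` with a lowercase fragment; it cannot continue the previous sentence across a block element, so it needs a subject: "Here, <replaceable>machine_nickname</replaceable> can be any ...". The paragraph also refers to `<replaceable>machine_name</replaceable>`, which does not appear in the listing (the listing shows the literal `doppy$`); either make the listing use the placeholder or say "doppy" here.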
@ -278,7 +278,7 @@ information to such clients. You have been warned!
<para>
A working <smbconfoption name="add machine script"/> is essential
for machine trust accounts to be automatically created. This applies no matter whether
one uses automatic account creation, or if one wishes to use the NT4 Domain Server Manager.
you use automatic account creation or the NT4 Domain Server Manager.
</para>

<para>
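Review bot: "This applies no matter whether you use" should be "This applies whether you use". "NT4 Domain Server Manager" is the tool called "MS Windows NT4 Server Manager" in the list of ways to create machine trust accounts above; use one name for it.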
@ -292,9 +292,9 @@ and <command>UsrMgr.exe</command> (both are domain management tools for MS Windo

<para>
<indexterm><primary>Nexus.exe</primary></indexterm>
If your workstation is a <application>Microsoft Windows 9x/Me</application> family product
you should download the <command>Nexus.exe</command> package from the Microsoft web site.
When executed from the target directory this will unpack the same tools but for use on
If your workstation is a <application>Microsoft Windows 9x/Me</application> family product,
you should download the <command>Nexus.exe</command> package from the Microsoft Web site.
When executed from the target directory, it will unpack the same tools but for use on
this platform.
</para>

@ -304,8 +304,10 @@ Further information about these tools may be obtained from the following locatio

<para>
<simplelist>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673"/></member>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540"/></member>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673">Knowledge
Base article 173673</ulink></member>
<member><ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540">Knowledge
Base article 172540</ulink></member>
</simplelist>
</para>

@ -358,7 +360,7 @@ is joined to the domain.

<para>Since each Samba Machine Trust Account requires a corresponding UNIX account, a method
for automatically creating the UNIX account is usually supplied; this requires configuration of the
add machine script option in &smb.conf;. This method is not required, however, corresponding UNIX
add machine script option in &smb.conf;. This method is not required; however, corresponding UNIX
accounts may also be created manually.
</para>

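Review bot: "add machine script option" is plain text here while the paragraph a few hunks up writes it as `<smbconfoption name="add machine script"/>`; use the markup. The repaired sentence still reads oddly, "This method is not required; however, corresponding UNIX accounts may also be created manually": drop "also".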
@ -367,11 +369,11 @@ accounts may also be created manually.
Here is an example for a Red Hat Linux system.
</para>

<para><smbconfblock>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfcomment><...remainder of parameters...></smbconfcomment>
<smbconfoption name="add machine script">/usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u</smbconfoption>
</smbconfblock></para>
</smbconfblock>


</sect2>
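Review bot: removing the `<para>` wrapper around `<smbconfblock>` is the right fix for a block element inside a paragraph, but the change leaves two blank lines before `</sect2>`. While here: the script `/usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u` gives machine accounts a home of `/var/lib/nobody` whereas the hand-made `/etc/passwd` entry above uses `/dev/null` and the prose says "no home directory"; and `-g 100` hardcodes the GID the earlier text assigns to the "machines" group, which the example should say next to the line so a site with a different GID does not copy it blindly.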
@ -388,27 +390,27 @@ with the version of Windows.
|
||||
<title>Windows 200x/XP Professional Client</title>
|
||||
|
||||
<para>
|
||||
When the user elects to make the client a Domain Member, Windows 200x prompts for
|
||||
When the user elects to make the client a domain member, Windows 200x prompts for
|
||||
an account and password that has privileges to create machine accounts in the domain.
|
||||
A Samba Administrator Account (i.e., a Samba account that has <constant>root</constant> privileges on the
|
||||
A Samba administrator account (i.e., a Samba account that has <constant>root</constant> privileges on the
|
||||
Samba server) must be entered here; the operation will fail if an ordinary user
|
||||
account is given.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
For security reasons, the password for this Administrator Account should be set
|
||||
For security reasons, the password for this administrator account should be set
|
||||
to a password that is other than that used for the root user in <filename>/etc/passwd</filename>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The name of the account that is used to create Domain Member machine accounts can be
|
||||
anything the network administrator may choose. If it is other than <constant>root</constant>
|
||||
The name of the account that is used to create domain member machine accounts can be
|
||||
anything the network administrator may choose. If it is other than <constant>root</constant>,
|
||||
then this is easily mapped to <constant>root</constant> in the file named in the &smb.conf; parameter
|
||||
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust
|
||||
The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust
|
||||
account. The Machine Trust Account will be created on-the-fly, or updated if it already exists.
|
||||
</para>
|
||||
</sect3>
|
||||
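Review bot: "other than that used for the root user in /etc/passwd" is imprecise: on practically every current UNIX system the root password hash lives in /etc/shadow, not /etc/passwd. Since the sentence is giving security advice, suggest "to a password that is different from the UNIX root password" and drop the file name altogether. Separately, the lowercasing of "Samba administrator account" in this hunk leaves "Machine Trust Account" capitalized on the last context line, so the same paragraph now mixes styles.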
@ -425,9 +427,9 @@ with the version of Windows.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain
|
||||
If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain
|
||||
name and check the box <guilabel>Create a Computer Account in the Domain</guilabel>. In this case, joining
|
||||
the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when
|
||||
the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when
|
||||
prompted).
|
||||
</para>
|
||||
</sect3>
|
||||
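Review bot: "on-the-fly" is changed to "on the fly" here but the identical phrase in the previous hunk ("The Machine Trust Account will be created on-the-fly") is left as is; apply the same change there, and decide once whether "Machine Trust Account" is to be lowercased like "domain member" and "administrator account" were in this patch.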
@ -436,7 +438,7 @@ with the version of Windows.
|
||||
<title>Samba Client</title>
|
||||
|
||||
<para>Joining a Samba client to a domain is documented in
|
||||
<link linkend="domain-member-server">Domain Member Server</link>.
|
||||
the next section<link linkend="domain-member-server"></link>.
|
||||
</para>
|
||||
</sect3>
|
||||
|
||||
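Review bot: The replacement line `the next section<link linkend="domain-member-server"></link>.` is worse than what it replaces: the `<link>` element is now empty (no link text, and unlike `<xref>` an empty `<link>` renders nothing in most stylesheets), there is no space between "section" and the link, and "the next section" hard-codes an ordering that breaks if sections are moved. Suggest keeping the original `<link linkend="domain-member-server">Domain Member Server</link>` or using `<xref linkend="domain-member-server"/>`.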
@ -465,7 +467,7 @@ Server, and so on.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
When Samba is configured to use an LDAP, or other identity management and/or
|
||||
When Samba is configured to use an LDAP or other identity management and/or
|
||||
directory service, it is Samba that continues to perform user and machine
|
||||
authentication. It should be noted that the LDAP server does not perform
|
||||
authentication handling in place of what Samba is designed to do.
|
||||
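Review bot: "an LDAP or other identity management and/or directory service" uses LDAP as a noun; it is the protocol, so "an LDAP directory or other identity management and/or directory service" reads correctly and also matches "the LDAP server" two lines further down.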
@ -473,15 +475,15 @@ authentication handling in place of what Samba is designed to do.
|
||||
|
||||
<para>
|
||||
Please refer to <link linkend="samba-pdc">Domain Control</link>, for more information regarding
|
||||
how to create a domain machine account for a Domain Member server as well as for
|
||||
information on how to enable the Samba Domain Member machine to join the domain
|
||||
how to create a domain machine account for a domain member server as well as for
|
||||
information on how to enable the Samba domain member machine to join the domain
|
||||
and be fully trusted by it.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Joining an NT4-type Domain with Samba-3</title>
|
||||
|
||||
<para><link linkend="assumptions">Next table</link> lists names that have been used in the remainder of this chapter.</para>
|
||||
<para><link linkend="assumptions">Assumptions</link> lists names that have been used in the remainder of this chapter.</para>
|
||||
|
||||
<table frame="all" id="assumptions"><title>Assumptions</title>
|
||||
<tgroup cols="2">
|
||||
@ -509,27 +511,22 @@ First, you must edit your &smb.conf; file to tell Samba it should now use domain
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Change (or add) your
|
||||
<smbconfoption name="security"/> line in the [global] section
|
||||
Change (or add) your <smbconfoption name="security"/> line in the [global] section
|
||||
of your &smb.conf; to read:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<smbconfblock>
|
||||
<smbconfoption name="security">domain</smbconfoption>
|
||||
</smbconfblock>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Next change the <smbconfoption name="workgroup"/> line in the <smbconfsection name="[global]"/>
|
||||
section to read:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<smbconfblock>
|
||||
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
|
||||
</smbconfblock>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This is the name of the domain we are joining.
|
||||
@ -547,14 +544,12 @@ Finally, add (or modify) a <smbconfoption name="password server"/> line in the [
|
||||
section to read:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<smbconfblock>
|
||||
<smbconfoption name="password server">DOMPDC DOMBDC1 DOMBDC2</smbconfoption>
|
||||
</smbconfblock>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
These are the primary and backup Domain Controllers Samba
|
||||
These are the PDC and BDCs Samba
|
||||
will attempt to contact in order to authenticate users. Samba will
|
||||
try to contact each of these servers in order, so you may want to
|
||||
rearrange this list in order to spread out the authentication load
|
||||
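Review bot: Replacing "primary and backup Domain Controllers" with "PDC and BDCs" assumes the acronyms were introduced earlier in the chapter; if this is their first use in this section, keep the spelled-out form once ("the PDC and BDCs (primary and backup domain controllers)"). The next hunk header also shows "among Domain Controllers." still capitalized, which is inconsistent with the lowercasing applied to "domain controllers" a few lines later.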
@ -563,21 +558,19 @@ among Domain Controllers.
|
||||
|
||||
<para>
|
||||
Alternately, if you want smbd to automatically determine
|
||||
the list of Domain Controllers to use for authentication, you may
|
||||
the list of domain controllers to use for authentication, you may
|
||||
set this line to be:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<smbconfblock>
|
||||
<smbconfoption name="password server">*</smbconfoption>
|
||||
</smbconfblock>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This method allows Samba to use exactly the same mechanism that NT does. The
|
||||
method either uses broadcast-based name resolution, performs a WINS database
|
||||
lookup in order to find a Domain Controller against which to authenticate,
|
||||
or locates the Domain Controller using DNS name resolution.
|
||||
lookup in order to find a domain controller against which to authenticate,
|
||||
or locates the domain controller using DNS name resolution.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -596,11 +589,11 @@ If the <option>-S DOMPDC</option> argument is not given, the domain name will be
|
||||
|
||||
<para>
|
||||
The machine is joining the domain DOM, and the PDC for that domain (the only machine
|
||||
that has write access to the domain SAM database) is DOMPDC, therefore use the <option>-S</option>
|
||||
that has write access to the domain SAM database) is DOMPDC; therefore, use the <option>-S</option>
|
||||
option. The <replaceable>Administrator%password</replaceable> is the login name and
|
||||
password for an account that has the necessary privilege to add machines to the
|
||||
domain. If this is successful, you will see the message in your terminal window the
|
||||
text shown below. Where the older NT4 style domain architecture is used:
|
||||
domain. If this is successful, you will see the following message in your terminal window.
|
||||
Where the older NT4-style domain architecture is used:
|
||||
<screen>
|
||||
<computeroutput>Joined domain DOM.</computeroutput>
|
||||
</screen>
|
||||
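Review bot: "Where the older NT4-style domain architecture is used:" is left as a sentence fragment introducing the `<screen>`; suggest "When the older NT4-style domain architecture is used, the message is:" so that it parallels the "or" alternative that follows for the ADS case.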
@ -635,7 +628,7 @@ or
|
||||
|
||||
<para>
|
||||
This file is created and owned by root and is not readable by any other user. It is
|
||||
the key to the Domain-level security for your system, and should be treated as carefully
|
||||
the key to the domain-level security for your system and should be treated as carefully
|
||||
as a shadow password file.
|
||||
</para>
|
||||
|
||||
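Review bot: This paragraph tells the reader the file "is not readable by any other user" and to treat it like a shadow password file, but gives no way to check that; since the hunk is already being edited, adding the file name and a one-line verification (owner root, mode 0600, e.g. `ls -l` on it) would make the security advice actionable rather than an assertion about how the file happened to be created.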
@ -656,8 +649,8 @@ but in most cases the following will suffice:
|
||||
<para>
|
||||
Currently, domain security in Samba does not free you from
|
||||
having to create local UNIX users to represent the users attaching
|
||||
to your server. This means that if Domain user <constant>DOM\fred
|
||||
</constant> attaches to your Domain Security Samba server, there needs
|
||||
to your server. This means that if domain user <constant>DOM\fred
|
||||
</constant> attaches to your domain security Samba server, there needs
|
||||
to be a local UNIX user fred to represent that user in the UNIX
|
||||
file system. This is similar to the older Samba security mode
|
||||
<smbconfoption name="security">server</smbconfoption>,
|
||||
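Review bot: The `<constant>DOM\fred` element is split across a line break before its closing tag, so the rendered text carries trailing whitespace inside the constant ("DOM\fred </constant>"); since the line is being rewritten anyway, put `<constant>DOM\fred</constant>` on one line.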
@ -666,13 +659,13 @@ NT server in the same way as a Windows 95 or Windows 98 server would.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link> chapter, for information on a system
|
||||
to automatically assign UNIX UIDs and GIDs to Windows NT Domain users and groups.
|
||||
Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>, for information on a system
|
||||
to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The advantage to Domain-level security is that the
|
||||
authentication in Domain-level security is passed down the authenticated
|
||||
The advantage of domain-level security is that the
|
||||
authentication in domain-level security is passed down the authenticated
|
||||
RPC channel in exactly the same way that an NT server would do it. This
|
||||
means Samba servers now participate in domain trust relationships in
|
||||
exactly the same way NT servers do (i.e., you can add Samba servers into
|
||||
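Review bot: The new wording "The advantage of domain-level security is that the authentication in domain-level security is passed down ..." repeats "domain-level security" in the same sentence; suggest "The advantage of domain-level security is that authentication is passed down the authenticated RPC channel in exactly the same way that an NT server would do it."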
@ -686,13 +679,13 @@ daemon on a server has to keep a connection open to the
|
||||
authenticating server for as long as that daemon lasts. This can drain
|
||||
the connection resources on a Microsoft NT server and cause it to run
|
||||
out of available connections. With <smbconfoption name="security">domain</smbconfoption>,
|
||||
however, the Samba daemons connect to the PDC/BDC only for as long
|
||||
however, the Samba daemons connect to the PDC or BDC only for as long
|
||||
as is necessary to authenticate the user and then drop the connection,
|
||||
thus conserving PDC connection resources.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
And finally, acting in the same manner as an NT server
|
||||
Finally, acting in the same manner as an NT server
|
||||
authenticating to a PDC means that as part of the authentication
|
||||
reply, the Samba server gets the user identification information such
|
||||
as the user SID, the list of NT groups the user belongs to, and so on.
|
||||
@ -701,7 +694,7 @@ as the user SID, the list of NT groups the user belongs to, and so on.
|
||||
<note>
|
||||
<para>
|
||||
Much of the text of this document was first published in the Web magazine
|
||||
<ulink url="http://www.linuxworld.com">LinuxWorld</ulink> as the article <ulink
|
||||
<ulink url="http://www.linuxworld.com"><emphasis>LinuxWorld</emphasis></ulink> as the article <ulink
|
||||
url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"/>
|
||||
<emphasis>Doing the NIS/NT Samba</emphasis>.
|
||||
</para>
|
||||
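Review bot: The article reference is broken in the unchanged lines: `<ulink url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"/>` is self-closing with no content, so the title `<emphasis>Doing the NIS/NT Samba</emphasis>` sits outside the link and the link itself renders as a bare URL (or nothing, depending on the stylesheet). Since this hunk is already editing the `<ulink>` for LinuxWorld, wrap the title in the second `<ulink>` as well.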
@ -729,24 +722,25 @@ Windows 200x KDC. A familiarity with Kerberos is assumed.
|
||||
You must use at least the following three options in &smb.conf;:
|
||||
</para>
|
||||
|
||||
<para><smbconfblock>
|
||||
<smbconfblock>
|
||||
<smbconfoption name="realm">your.kerberos.REALM</smbconfoption>
|
||||
<smbconfoption name="security">ADS</smbconfoption>
|
||||
<smbconfcomment>The following parameter need only be specified if present.</smbconfcomment>
|
||||
<smbconfcomment>The default setting is not present is Yes.</smbconfcomment>
|
||||
<smbconfoption name="encrypt passwords">yes</smbconfoption>
|
||||
</smbconfblock></para>
|
||||
</smbconfblock>
|
||||
|
||||
<para>
|
||||
In case samba cannot correctly identify the appropriate ADS server using the realm name, use the
|
||||
<smbconfoption name="password server"/> option in &smb.conf;:
|
||||
</para>
|
||||
|
||||
<smbconfblock>
|
||||
<smbconfoption name="password server">your.kerberos.server</smbconfoption>
|
||||
</smbconfblock>
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
You do <emphasis>not</emphasis> need a smbpasswd file, and older clients will be authenticated as
|
||||
You do <emphasis>not</emphasis> need an smbpasswd file, and older clients will be authenticated as
|
||||
if <smbconfoption name="security">domain</smbconfoption>, although it will not do any harm and
|
||||
allows you to have local users not in the domain.
|
||||
</para></note>
|
||||
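Review bot: The hunk shows the `<para>` opened before "In case samba cannot correctly identify ..." closed twice, once after the sentence and once after the `<smbconfblock>`; one of those `</para>` must be a removed line, otherwise the result is not well-formed, so please double-check the markers. Also, "samba" should be "Samba" there, and the two unchanged `<smbconfcomment>` lines ("need only be specified if present" / "The default setting is not present is Yes") are ungrammatical; suggest a single comment such as "The following parameter is optional; if it is not present it defaults to yes."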
@ -764,9 +758,9 @@ With both MIT and Heimdal Kerberos, it is unnecessary to configure the
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Microsoft Active Directory servers automatically create SRV records in the DNS zone
|
||||
Microsoft ADS automatically create SRV records in the DNS zone
|
||||
<parameter>_kerberos.REALM.NAME</parameter> for each KDC in the realm. This is part
|
||||
of the installation and configuration process used to create an Active Directory Domain.
|
||||
of the installation and configuration process used to create an Active Directory domain.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
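Review bot: "Microsoft ADS automatically create SRV records" breaks subject-verb agreement (ADS is singular); either keep the original "Microsoft Active Directory servers automatically create" or write "Microsoft ADS automatically creates".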
@ -778,10 +772,7 @@ libraries to use whichever KDCs are available.
|
||||
|
||||
<para>
|
||||
When manually configuring <filename>krb5.conf</filename>, the minimal configuration is:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<programlisting>
|
||||
<screen>
|
||||
[libdefaults]
|
||||
default_realm = YOUR.KERBEROS.REALM
|
||||
|
||||
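Review bot: Changing `<programlisting>` to `<screen>` for the krb5.conf listing is the wrong direction: in DocBook `<screen>` is for terminal sessions and program output, whereas a configuration file excerpt is a `<programlisting>`. The Heimdal-before-0.6 listing in the next hunk has the same problem. If the intent was visual consistency with the `<screen>` blocks used for `net ads join` output, the element choice should still follow the content.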
@ -792,10 +783,11 @@ When manually configuring <filename>krb5.conf</filename>, the minimal configurat
|
||||
|
||||
[domain_realms]
|
||||
.kerberos.server = YOUR.KERBEROS.REALM
|
||||
</programlisting></para>
|
||||
</screen>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
When using Heimdal versions before 0.6 use the following configuration settings:
|
||||
When using Heimdal versions before 0.6, use the following configuration settings:
|
||||
<screen>
|
||||
[libdefaults]
|
||||
default_realm = YOUR.KERBEROS.REALM
|
||||
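Review bot: The unchanged context line `[domain_realms]` is not a valid krb5.conf section; both MIT Kerberos and Heimdal use `[domain_realm]` (singular), and the mapping `.kerberos.server = YOUR.KERBEROS.REALM` below it is silently ignored under the misspelled heading. Since this hunk is editing the closing tags of exactly this listing, fix the section name here and check the Heimdal listing that follows for the same typo.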
@ -820,16 +812,16 @@ making sure that your password is accepted by the Win2000 KDC.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
With Heimdal versions earlier than 0.6.x you only can use newly created accounts
|
||||
With Heimdal versions earlier than 0.6.x you can use only newly created accounts
|
||||
in ADS or accounts that have had the password changed once after migration, or
|
||||
in case of <constant>Administrator</constant> after installation. At the
|
||||
moment, a Windows 2003 KDC can only be used with a Heimdal releases later than 0.6
|
||||
(and no default etypes in krb5.conf). Unfortunately this whole area is still
|
||||
moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6
|
||||
(and no default etypes in krb5.conf). Unfortunately, this whole area is still
|
||||
in a state of flux.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
The realm must be in uppercase or you will get <quote><errorname>Cannot find KDC for
|
||||
The realm must be in uppercase or you will get a <quote><errorname>Cannot find KDC for
|
||||
requested realm while getting initial credentials</errorname></quote> error (Kerberos
|
||||
is case-sensitive!).
|
||||
</para></note>
|
||||
@ -849,18 +841,18 @@ five minutes.
|
||||
You also must ensure that you can do a reverse DNS lookup on the IP
|
||||
address of your KDC. Also, the name that this reverse lookup maps to
|
||||
must either be the NetBIOS name of the KDC (i.e., the hostname with no
|
||||
domain attached) or it can alternately be the NetBIOS name followed by the realm.
|
||||
domain attached) or it can be the NetBIOS name followed by the realm.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The easiest way to ensure you get this right is to add a
|
||||
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to
|
||||
its NetBIOS name. If you do not get this correct then you will get a
|
||||
its NetBIOS name. If you do not get this correct, then you will get a
|
||||
<errorname>local error</errorname> when you try to join the realm.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If all you want is Kerberos support in &smbclient; then you can skip
|
||||
If all you want is Kerberos support in &smbclient;, then you can skip
|
||||
directly to <link linkend="ads-test-smbclient">Testing with &smbclient;</link> now.
|
||||
<link linkend="ads-create-machine-account">Create the Computer Account</link> and
|
||||
<link linkend="ads-test-server">Testing Server Setup</link>
|
||||
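Review bot: The paragraph recommends an /etc/hosts entry as "the easiest way" to satisfy the reverse-lookup requirement stated just above, but that masks a broken reverse DNS zone rather than fixing it and will fail again when the KDC address changes; suggest presenting the /etc/hosts entry as a workaround and the PTR record as the proper fix, since the preceding sentence makes the reverse lookup, not the name itself, the requirement.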
@ -891,14 +883,12 @@ this to be done using the following syntax:
|
||||
|
||||
<para>
|
||||
For example, you may want to create the machine account in a container called <quote>Servers</quote>
|
||||
under the organizational directory <quote>Computers\BusinessUnit\Department</quote> like this:
|
||||
under the organizational directory <quote>Computers\BusinessUnit\Department,</quote> like this:
|
||||
<screen>
|
||||
&rootprompt; <userinput>net ads join "Computers\BusinessUnit\Department\Servers"</userinput>
|
||||
</screen>
|
||||
</para>
|
||||
|
||||
<?latex \newpage ?>
|
||||
|
||||
<sect3>
|
||||
<title>Possible Errors</title>
|
||||
|
||||
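Review bot: Moving the comma inside the quote in `<quote>Computers\BusinessUnit\Department,</quote>` applies a prose convention to a literal container path and makes the trailing comma look like part of the path that is passed to `net ads join`; keep the comma outside, or better, mark the path up as `<filename>` (or `<literal>`) rather than `<quote>`, consistent with the `<userinput>` line that follows.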
@ -910,7 +900,7 @@ under the organizational directory <quote>Computers\BusinessUnit\Department</quo
|
||||
</para></listitem></varlistentry>
|
||||
|
||||
<varlistentry><term><errorname>net ads join prompts for user name</errorname></term>
|
||||
<listitem><para>You need to login to the domain using <userinput>kinit
|
||||
<listitem><para>You need to log in to the domain using <userinput>kinit
|
||||
<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>.
|
||||
<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine
|
||||
to the domain. </para></listitem></varlistentry>
|
||||
@ -938,7 +928,7 @@ folder under Users and Computers.
|
||||
|
||||
<para>
|
||||
On a Windows 2000 client, try <userinput>net use * \\server\share</userinput>. You should
|
||||
be logged in with Kerberos without needing to know a password. If this fails then run
|
||||
be logged in with Kerberos without needing to know a password. If this fails, then run
|
||||
<userinput>klist tickets</userinput>. Did you get a ticket for the server? Does it have
|
||||
an encryption type of DES-CBC-MD5?
|
||||
</para>
|
||||
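Review bot: The diagnostic question "Does it have an encryption type of DES-CBC-MD5?" is narrower than the following hunk header, which states that Samba can use both DES-CBC-MD5 and ARCFOUR-HMAC-MD5; a ticket with the ARCFOUR-HMAC-MD5 type is also fine, so suggest "an encryption type of DES-CBC-MD5 or ARCFOUR-HMAC-MD5?" so readers do not chase a non-problem.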
@ -955,7 +945,7 @@ Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding.
|
||||
|
||||
<para>
|
||||
<indexterm><primary>smbclient</primary></indexterm>
|
||||
On your Samba server try to login to a Win2000 server or your Samba
|
||||
On your Samba server try to log in to a Win2000 server or your Samba
|
||||
server using &smbclient; and Kerberos. Use &smbclient; as usual, but
|
||||
specify the <option>-k</option> option to choose Kerberos authentication.
|
||||
</para>
|
||||
@ -966,8 +956,8 @@ specify the <option>-k</option> option to choose Kerberos authentication.
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
You must change administrator password at least once after DC
|
||||
install, to create the right encryption types.
|
||||
You must change the administrator password at least once after installing a domain controller,
|
||||
to create the right encryption types.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -987,7 +977,7 @@ These mappings are done by the <parameter>idmap</parameter> subsystem of Samba.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In some cases it is useful to share these mappings between Samba Domain Members,
|
||||
In some cases it is useful to share these mappings between Samba domain members,
|
||||
so <emphasis>name->id</emphasis> mapping is identical on all machines.
|
||||
This may be needed in particular when sharing files over both CIFS and NFS.
|
||||
</para>
|
||||
@ -1014,12 +1004,12 @@ and to make certain to set the LDAP administrative password into the <filename>s
|
||||
<title>Common Errors</title>
|
||||
|
||||
<para>
|
||||
In the process of adding/deleting/re-adding Domain Member machine accounts, there are
|
||||
In the process of adding/deleting/re-adding domain member machine accounts, there are
|
||||
many traps for the unwary player and many <quote>little</quote> things that can go wrong.
|
||||
It is particularly interesting how often subscribers on the Samba mailing list have concluded
|
||||
after repeated failed attempts to add a machine account that it is necessary to <quote>re-install</quote>
|
||||
after repeated failed attempts to add a machine account that it is necessary to <quote>reinstall</quote>
|
||||
MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type
|
||||
of problem. The real solution is often quite simple and with an understanding of how MS Windows
|
||||
of problem. The real solution is often quite simple, and with an understanding of how MS Windows
|
||||
networking functions, it is easy to overcome.
|
||||
</para>
|
||||
|
||||
@ -1027,7 +1017,7 @@ networking functions, it is easy to overcome.
|
||||
<title>Cannot Add Machine Back to Domain</title>
|
||||
|
||||
<para>
|
||||
<quote>A Windows workstation was re-installed. The original domain machine
|
||||
<quote>A Windows workstation was reinstalled. The original domain machine
|
||||
account was deleted and added immediately. The workstation will not join the domain if I use
|
||||
the same machine name. Attempts to add the machine fail with a message that the machine already
|
||||
exists on the network &smbmdash; I know it does not. Why is this failing?</quote>
|
||||
@ -1035,7 +1025,7 @@ exists on the network &smbmdash; I know it does not. Why is this failing?</quote
|
||||
|
||||
<para>
|
||||
The original name is still in the NetBIOS name cache and must expire after machine account
|
||||
deletion before adding that same name as a Domain Member again. The best advice is to delete
|
||||
deletion before adding that same name as a domain member again. The best advice is to delete
|
||||
the old account and then add the machine with a new name.
|
||||
</para>
|
||||
|
||||
@ -1046,8 +1036,8 @@ the old account and then add the machine with a new name.
|
||||
|
||||
<para>
|
||||
<quote>Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
|
||||
message that, <errorname>`The machine could not be added at this time, there is a network problem.
|
||||
Please try again later.'</errorname> Why?</quote>
|
||||
message that says, <errorname>"The machine could not be added at this time, there is a network problem.
|
||||
Please try again later."</errorname> Why?</quote>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
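Review bot: Replacing the backtick/apostrophe pair with literal double quotes inside `<errorname>`, which is itself inside `<quote>`, will render doubled quotation marks with any stylesheet that generates quote characters for `<quote>`; use a nested `<quote>` (which the stylesheet will render as inner quotes) or rely on `<errorname>` alone for the message text.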
@ -1080,14 +1070,14 @@ Possible causes include:
|
||||
<emphasis>Corrective action:</emphasis> Check that the machine name is a legal UNIX
|
||||
system account name. If the UNIX utility <command>useradd</command> is called,
|
||||
then make sure that the machine name you are trying to add can be added using this
|
||||
tool. <command>Useradd</command> on some systems will not allow any upper case characters
|
||||
tool. <command>Useradd</command> on some systems will not allow any uppercase characters
|
||||
nor will it allow spaces in the name.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
The <smbconfoption name="add machine script"/> does not create the
|
||||
machine account in the Samba backend database, it is there only to create a UNIX system
|
||||
machine account in the Samba backend database; it is there only to create a UNIX system
|
||||
account to which the Samba backend database account can be mapped.
|
||||
</para>
|
||||
|
||||
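Review bot: `<command>Useradd</command>` capitalizes a command name because it starts a sentence; the command is `useradd`, so rephrase ("On some systems, <command>useradd</command> will not allow uppercase characters or spaces in the name") rather than changing its case. The "uppercase" fix in this hunk is otherwise fine.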
@ -1096,7 +1086,7 @@ account to which the Samba backend database account can be mapped.
|
||||
<sect2>
|
||||
<title>I Can't Join a Windows 2003 PDC</title>
|
||||
|
||||
<para>Windows 2003 requires SMB signing. Client side SMB signing has been implemented in Samba-3.0.
|
||||
<para>Windows 2003 requires SMB signing. Client-side SMB signing has been implemented in Samba-3.0.
|
||||
Set <smbconfoption name="client use spnego">yes</smbconfoption> when communicating
|
||||
with a Windows 2003 server.</para>
|
||||
</sect2>
|
||||
|
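Review bot: The remedy does not match the stated cause: the paragraph says Windows 2003 requires SMB signing, then tells the reader to set `client use spnego = yes`, which controls SPNEGO negotiation, not signing. If signing is the requirement, the `client signing` parameter is the one to point at (and the SPNEGO setting can stay as an additional note); if SPNEGO is what actually fixes the join, the first sentence should say so.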
@ -10,7 +10,7 @@
|
||||
<para>
|
||||
When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
|
||||
someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably
|
||||
difficult to do, without losing a lot of value that can be derived from presenting
|
||||
difficult to do without losing a lot of value that can be derived from presenting
|
||||
many extracts from working systems. That is what the rest of this document does.
|
||||
It does so with extensive descriptions of the configuration possibilities within the
|
||||
context of the chapter that covers it. We hope that this chapter is the medicine
|
||||
@ -19,21 +19,21 @@ that has been requested.
|
||||
|
||||
<para>
|
||||
The information in this chapter is very sparse compared with the book <quote>Samba-3 by Example</quote>
|
||||
that was written after the original version of this book was nearly complete. Samba-3 by Example
|
||||
that was written after the original version of this book was nearly complete. <quote>Samba-3 by Example</quote>
|
||||
was the result of feedback from reviewers during the final copy editing of the first edition. It
|
||||
was interesting to see that reader feedback mirrored that given be the original reviewers.
|
||||
was interesting to see that reader feedback mirrored that given by the original reviewers.
|
||||
In any case, a month and a half was spent in doing basic research to better understand what
|
||||
new as well as experienced network administrators would best benefit from. The book Samba-3 by Example
|
||||
new as well as experienced network administrators would best benefit from. The book <quote>Samba-3 by Example</quote>
|
||||
is the result of that research. What is presented in the few pages of this book is covered
|
||||
far more comprehensively in the second edition of Samba-3 by Example. The second edition
|
||||
far more comprehensively in the second edition of <quote>Samba-3 by Example</quote>. The second edition
|
||||
of both books will be released at the same time.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
So in summary, the book <quote>The Official Samba-3 HOWTO & Reference Guide</quote> is intended
|
||||
as the equivalent of a auto mechanics' repair guide. The book <quote>Samba-3 by Example</quote> is the
|
||||
equivalent of the drivers guide that explains how to drive the car. If you want complete network
|
||||
configuration examples go to <quote>Samba-3 by Example</quote>.
|
||||
as the equivalent of an auto mechanic's repair guide. The book <quote>Samba-3 by Example</quote> is the
|
||||
equivalent of the driver's guide that explains how to drive the car. If you want complete network
|
||||
configuration examples, go to <quote>Samba-3 by Example</quote>.
|
||||
</para>
|
||||
|
||||
<sect1>
|
||||
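Review bot: The book title "Samba-3 by Example" is wrapped in `<quote>` throughout this hunk; DocBook has `<citetitle>` for exactly this, which also lets the stylesheet italicize titles consistently instead of rendering them in quotation marks.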
@ -50,7 +50,7 @@ features. These additional features are covered in the remainder of this documen
|
||||
<para>
|
||||
The examples used here have been obtained from a number of people who made
|
||||
requests for example configurations. All identities have been obscured to protect
|
||||
the guilty and any resemblance to unreal non-existent sites is deliberate.
|
||||
the guilty, and any resemblance to unreal nonexistent sites is deliberate.
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
@ -80,16 +80,15 @@ mirror of the system described in <link linkend="StandAloneServer"></link>, <lin
|
||||
<para>
|
||||
The next example is of a secure office file and print server that will be accessible only
|
||||
to users who have an account on the system. This server is meant to closely resemble a
|
||||
Workgroup file and print server, but has to be more secure than an anonymous access machine.
|
||||
workgroup file and print server, but has to be more secure than an anonymous access machine.
|
||||
This type of system will typically suit the needs of a small office. The server provides no
|
||||
network logon facilities, offers no Domain Control; instead it is just a network
|
||||
attached storage (NAS) device and a print server.
|
||||
network logon facilities, offers no domain control; instead it is just a network-attached storage (NAS) device and a print server.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Finally, we start looking at more complex systems that will either integrate into existing
|
||||
Microsoft Windows networks, or replace them entirely. The examples provided cover domain
|
||||
member servers as well as Samba Domain Control (PDC/BDC) and finally describes in detail
|
||||
MS Windows networks or replace them entirely. The examples provided cover domain
|
||||
member servers as well as Samba domain control (PDC/BDC) and finally describes in detail
|
||||
a large distributed network with branch offices in remote locations.
|
||||
</para>
|
||||
|
||||
@ -106,17 +105,17 @@ clearly beyond the scope of this text.
|
||||
|
||||
<para>
|
||||
It is also assumed that Samba has been correctly installed, either by way of installation
|
||||
of the packages that are provided by the operating system vendor, or through other means.
|
||||
of the packages that are provided by the operating system vendor or through other means.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Stand-alone Server</title>
|
||||
<title>Standalone Server</title>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>Server Type</primary><secondary>Stand-alone</secondary></indexterm>
|
||||
A Stand-alone Server implies no more than the fact that it is not a Domain Controller
|
||||
and it does not participate in Domain Control. It can be a simple workgroup-like
|
||||
server, or it may be a complex server that is a member of a domain security context.
|
||||
A standalone server implies no more than the fact that it is not a domain controller
|
||||
and it does not participate in domain control. It can be a simple, workgroup-like
|
||||
server, or it can be a complex server that is a member of a domain security context.
|
||||
</para>
|
||||
|
||||
<sect3 id="anon-ro">
|
||||
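Review bot: The section title is changed to "Standalone Server" but the unchanged `<indexterm>` on the next line still uses `<secondary>Stand-alone</secondary>`, so the index will carry the old spelling; update the index entry in the same change.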
@ -137,10 +136,13 @@ of the packages that are provided by the operating system vendor, or through oth
|
||||
change.
|
||||
</para>
|
||||
|
||||
<para>The configuration file is:</para>
|
||||
<para>
|
||||
The configuration file is presented in <link linkend="anon-example">Anonymous Read-Only Server
|
||||
Configuration</link>.
|
||||
</para>
|
||||
|
||||
<example id="anon-example">
|
||||
<title>Anonymous Read-Only Server Configuration</title>
|
||||
<title>Anonymous Read-Only Server Configuration</title>
|
||||
<smbconfblock>
|
||||
<smbconfcomment>Global parameters</smbconfcomment>
|
||||
<smbconfsection name="[global]"/>
|
||||
@ -171,9 +173,9 @@ of the packages that are provided by the operating system vendor, or through oth
|
||||
</itemizedlist>
|
||||
|
||||
<procedure>
|
||||
<title>Installation Procedure &smbmdash; Read-Only Server</title>
|
||||
<title>Installation Procedure: Read-Only Server</title>
|
||||
<step><para>
|
||||
Add user to system (with creation of the users' home directory):
|
||||
Add user to system (with creation of the user's home directory):
|
||||
<screen>
|
||||
&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
|
||||
</screen>
|
||||
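Review bot: The unchanged command `useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb` is misleading as written: `useradd -p` expects an already-encrypted password as returned by crypt(3), so passing the clear-text string stores it verbatim in the password field (and the account will not accept that password), while also exposing it in the shell history and process list. Since this step is being edited, suggest dropping `-p` and following the `useradd` with a `passwd jackb` step, which is what the later `smbpasswd -a jackb` step does for the SMB password.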
@ -233,12 +235,12 @@ Press enter to see a dump of your service definitions
</para></step>

<step><para>
Configure your Microsoft Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
Configure your MS Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
then open Windows Explorer and visit the network neighborhood.
then open Windows Explorer and visit the Network Neighborhood.
The machine HOBBIT should be visible. When you click this machine
icon, it should open up to reveal the <emphasis>data</emphasis> share. After
clicking the share it, should open up to reveal the files previously
you click the share, it should open up to reveal the files previously
placed in the <filename>/export</filename> directory.
</para></step>
</procedure>
@ -259,7 +261,7 @@ Press enter to see a dump of your service definitions
The difference is that shared access is now forced to the user identity of jackb
and to the primary group jackb belongs to. One other refinement we can make is to
add the user <emphasis>jackb</emphasis> to the <filename>smbpasswd</filename> file.
To do this execute:
To do this, execute:
<screen>
&rootprompt;<userinput>smbpasswd -a jackb</userinput>
New SMB password: <userinput>m0r3pa1n</userinput>
@ -275,8 +277,9 @@ Added user jackb.
The complete, modified &smb.conf; file is as shown in <link linkend="anon-rw"/>.
</para>

<example id="anon-rw"><title>Modified Anonymous Read-Write smb.conf</title>
<smbconfblock>
<example id="anon-rw">
<title>Modified Anonymous Read-Write smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
@ -323,12 +326,13 @@ Added user jackb.
</para>

<para>
In this configuration it is undesirable to present the Add Printer Wizard and we do
not want to have automatic driver download, so we will disable it in the following
In this configuration, it is undesirable to present the Add Printer Wizard, and we do
not want to have automatic driver download, so we disable it in the following
configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file.
</para>

<example id="anon-print"><title>Anonymous Print Server smb.conf</title>
<example id="anon-print">
<title>Anonymous Print Server smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
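Review bot: the sentence `configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file.` still opens with an empty link, while the sibling hunks in this commit give every such cross-reference its title text; for consistency write `<link linkend="anon-print">Anonymous Print Server smb.conf</link> is the resulting &smb.conf; file.`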
@ -376,12 +380,12 @@ Added user jackb.

<listitem><para>
Directory permissions should be set for public read-write with the
sticky-bit set as shown:
sticky bit set as shown:
<screen>
&rootprompt;<userinput>chmod a+trw TX /var/spool/samba</userinput>
</screen>
The purpose of setting the sticky bit is to prevent who does not own the temporary print file
from being able to take control of it with the potential for devious mis-use.
from being able to take control of it with the potential for devious misuse.
</para></listitem>
</itemizedlist>

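Review bot: the unchanged context line `chmod a+trw TX /var/spool/samba` carries a stray `TX` token, which chmod will treat as a second path to modify (and fail on); for a spool directory that must stay world-writable while preventing users from removing each other's jobs, the usual form is `chmod 1777 /var/spool/samba`. In the same hunk, `to prevent who does not own the temporary print file` is still missing its subject (`to prevent anyone who does not own ...`), which the `mis-use` to `misuse` fix did not address.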
@ -389,8 +393,8 @@ Added user jackb.
<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
On CUPS enabled systems there is a facility to pass raw data directly to the printer without
intermediate processing via CUPS print filters. Where use of this mode of operation is desired
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
files. Refer to <link linkend="cups-raw"></link>.
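Review bot: `<filename>/etc/mime.conv</filename>` looks wrong on two counts: the CUPS conversion file is named `mime.convs` (trailing s) and, together with `mime.types`, CUPS 1.x installs it under `/etc/cups/` rather than `/etc/`; since this hunk already touches the sentence, the paths are worth verifying against the cups-raw section it links to. Also `raw mime handler` should read `raw MIME handler`, matching the indexterm two lines above.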
@ -419,19 +423,19 @@ Added user jackb.
</para>

<para>
Site users will be: Jack Baumbach, Mary Orville and Amed Sehkah. Each will have
Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
a password (not shown in further examples). Mary will be the printer administrator and will
own all files in the public share.
</para>

<para>
This configuration will be based on <emphasis>User Level Security</emphasis> that
This configuration will be based on <emphasis>user-level security</emphasis> that
is the default, and for which the default is to store Microsoft Windows-compatible
encrypted passwords in a file called <filename>/etc/samba/smbpasswd</filename>.
The default &smb.conf; entry that makes this happen is:
<smbconfoption name="passdb backend">smbpasswd, guest</smbconfoption>. Since this is the default
The default &smb.conf; entry that makes this happen is
<smbconfoption name="passdb backend">smbpasswd, guest</smbconfoption>. Since this is the default,
it is not necessary to enter it into the configuration file. Note that guest backend is
added to the list of active passdb backends not matter was it specified directly in Samba configuration
added to the list of active passdb backends no matter whether it specified directly in Samba configuration
file or not.
</para>

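Review bot: the new wording `no matter whether it specified directly in Samba configuration file or not` still has a grammar slip; it needs `is` (`no matter whether it is specified directly in the Samba configuration file or not`), and `Note that guest backend is` wants an article (`the guest backend`).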
@ -440,7 +444,7 @@ Added user jackb.
<title>Installing the Secure Office Server</title>
<step><para>
<indexterm><primary>office server</primary></indexterm>
Add all users to the Operating System:
Add all users to the operating system:
<screen>
&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
&rootprompt;<userinput>useradd -c "Mary Orville" -m -g users -p secret maryo</userinput>
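Review bot: same `-p` concern as in the read-only server procedure: `-p m0r3pa1n` and `-p secret` pass plaintext where useradd expects a crypt(3) hash, and the secrets end up in the shell history; these accounts are initialised for SMB use by the `smbpasswd` step that follows (`Initialize the Microsoft Windows password database with the new users`), so `-p` can simply be dropped here.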
@ -450,10 +454,11 @@ Added user jackb.

<step><para>
Configure the Samba &smb.conf; file as shown in <link linkend="OfficeServer"/>.
</para>
</para></step>

<example id="OfficeServer">
<title>Secure Office Server smb.conf</title>
<smbconfblock>
<title>Secure Office Server smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
@ -486,8 +491,8 @@ Added user jackb.
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example></step>
</smbconfblock>
</example>

<step><para>
Initialize the Microsoft Windows password database with the new users:
@ -530,7 +535,7 @@ Added user ameds.
<screen>
&rootprompt;<userinput> nmbd; smbd;</userinput>
</screen>
Both applications automatically will execute as daemons. Those who are paranoid about
Both applications automatically execute as daemons. Those who are paranoid about
maintaining control can add the <constant>-D</constant> flag to coerce them to start
up in daemon mode.
</para></step>
@ -592,8 +597,8 @@ smb: \> <userinput>q</userinput>

<para>
By now you should be getting the hang of configuration basics. Clearly, it is time to
explore slightly more complex examples. For the remainder of this chapter we will abbreviate
instructions since there are previous examples.
explore slightly more complex examples. For the remainder of this chapter we abbreviate
instructions, since there are previous examples.
</para>

</sect3>
@ -603,10 +608,9 @@ smb: \> <userinput>q</userinput>
<sect2>
<title>Domain Member Server</title>


<para>
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
In this instance we will consider the simplest server configuration we can get away with
In this instance we consider the simplest server configuration we can get away with
to make an accounting department happy. Let's be warned, the users are accountants and they
do have some nasty demands. There is a budget for only one server for this department.
</para>
@ -616,23 +620,23 @@ smb: \> <userinput>q</userinput>
Internal politics are typical of a medium-sized organization; Human Resources is of the
opinion that they run the ISG because they are always adding and disabling users. Also,
departmental managers have to fight tooth and nail to gain basic network resources access for
their staff. Accounting is different though, they get exactly what they want. So this should
their staff. Accounting is different, though, they get exactly what they want. So this should
set the scene.
</para>

<para>
We will use the users from the last example. The accounting department
has a general printer that all departmental users may. There is also a check printer
that may be used only by the person who has authority to print checks. The Chief Financial
Officer (CFO) wants that printer to be completely restricted and for it to be located in the
We use the users from the last example. The accounting department
has a general printer that all departmental users may use. There is also a check printer
that may be used only by the person who has authority to print checks. The chief financial
officer (CFO) wants that printer to be completely restricted and for it to be located in the
private storage area in her office. It therefore must be a network printer.
</para>

<para>
Accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
The accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
that must be run from a central application server. The software is licensed to run only off
one server, there are no workstation components, and it is run off a mapped share. The data
store is in a UNIX-based SQL backend. The UNIX gurus look after that, so is not our
store is in a UNIX-based SQL backend. The UNIX gurus look after that, so it is not our
problem.
</para>

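Review bot: `Accounting is different, though, they get exactly what they want.` is a comma splice; the edit added a second comma rather than fixing it, and a colon or semicolon after `though` reads cleanly. Two lines earlier, the unchanged context `basic network resources access` should be `basic network resource access`.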
@ -640,7 +644,7 @@ smb: \> <userinput>q</userinput>
The accounting department manager (maryo) wants a general filing system as well as a separate
file storage area for form letters (nastygrams). The form letter area should be read-only to
all accounting staff except the manager. The general filing system has to have a structured
layout with a general area for all staff to store general documents, as well as a separate
layout with a general area for all staff to store general documents as well as a separate
file area for each member of her team that is private to that person, but she wants full
access to all areas. Users must have a private home share for personal work-related files
and for materials not related to departmental operations.
@ -651,7 +655,7 @@ smb: \> <userinput>q</userinput>

<para>
The server <emphasis>valinor</emphasis> will be a member server of the company domain.
Accounting will have only a local server. User accounts will be on the Domain Controllers
Accounting will have only a local server. User accounts will be on the domain controllers,
as will desktop profiles and all network policy files.
</para>

@ -662,13 +666,14 @@ smb: \> <userinput>q</userinput>
</para></step>

<step><para>
Configure &smb.conf; according to <link linkend="fast-member-server"/>
and <link linkend="fast-memberserver-shares"></link>.
</para>
Configure &smb.conf; according to <link linkend="fast-member-server">Member server smb.conf
(globals)</link> and <link linkend="fast-memberserver-shares">Member server smb.conf (shares
and services)</link>.
</para></step>

<example id="fast-member-server">
<title>Member server smb.conf (globals)</title>
<smbconfblock>
<example id="fast-member-server">
<title>Member server smb.conf (globals)</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
@ -681,11 +686,12 @@ smb: \> <userinput>q</userinput>
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="winbind use default domain">Yes</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock></example>
</smbconfblock>
</example>

<example id="fast-memberserver-shares">
<title>Member server smb.conf (shares and services)</title>
<smbconfblock>
<example id="fast-memberserver-shares">
<title>Member server smb.conf (shares and services)</title>
<smbconfblock>
<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
@ -713,12 +719,11 @@ smb: \> <userinput>q</userinput>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example></step>

</smbconfblock>
</example>

<step><para>
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
Join the domain. Note: Do not start Samba until this step has been completed!
<screen>
&rootprompt;<userinput>net rpc join -Uroot%'bigsecret'</userinput>
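Review bot: `net rpc join -Uroot%'bigsecret'` puts the domain administrator password on the command line, where it lands in the shell history and is readable in the process list of every user on the host for as long as the command runs; `net` prompts for the password when only `-Uroot` is given, so the example should show that form instead.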
@ -733,7 +738,7 @@ Joined domain MIDEARTH.

<step><para>
Start Samba following the normal method for your operating system platform.
If you wish to this manually execute as root:
If you wish to do this manually, execute as root:
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>winbindd</primary></indexterm>
@ -746,7 +751,7 @@ Joined domain MIDEARTH.
</para></step>

<step><para>
Configure the name service switch control file on your system to resolve user and group names
Configure the name service switch (NSS) control file on your system to resolve user and group names
via winbind. Edit the following lines in <filename>/etc/nsswitch.conf</filename>:
<programlisting>
passwd: files winbind
@ -825,25 +830,25 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false

<para>
<indexterm><primary>Server Type</primary><secondary>Domain Controller</secondary></indexterm>
For the remainder of this chapter the focus is on the configuration of Domain Control.
For the remainder of this chapter the focus is on the configuration of domain control.
The examples that follow are for two implementation strategies. Remember, our objective is
to create a simple but working solution. The remainder of this book should help to highlight
opportunity for greater functionality and the complexity that goes with it.
</para>

<para>
A Domain Controller configuration can be achieved with a simple configuration using the new
A domain controller configuration can be achieved with a simple configuration using the new
tdbsam password backend. This type of configuration is good for small
offices, but has limited scalability (cannot be replicated) and performance can be expected
offices, but has limited scalability (cannot be replicated), and performance can be expected
to fall as the size and complexity of the domain increases.
</para>

<para>
The use of tdbsam is best limited to sites that do not need
more than a primary Domain Controller (PDC). As the size of a domain grows the need
for additional Domain Controllers becomes apparent. Do not attempt to under-resource
a Microsoft Windows network environment; Domain Controllers provide essential
authentication services. The following are symptoms of an under-resourced Domain Control
more than a Primary Domain Controller (PDC). As the size of a domain grows the need
for additional domain controllers becomes apparent. Do not attempt to under-resource
a Microsoft Windows network environment; domain controllers provide essential
authentication services. The following are symptoms of an under-resourced domain control
environment:
</para>

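Review bot: this hunk lowercases `domain controller` and `domain control` throughout but, in the same paragraph, changes `primary Domain Controller (PDC)` to the capitalised `Primary Domain Controller (PDC)`; pick one convention, and since the rest of the commit goes lowercase (`domain member server`, `domain control`), `primary domain controller (PDC)` is the consistent choice.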
@ -853,27 +858,27 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
</para></listitem>

<listitem><para>
File access on a Domain Member server intermittently fails, giving a permission denied
File access on a domain member server intermittently fails, giving a permission denied
error message.
</para></listitem>
</itemizedlist>

<para>
A more scalable Domain Control authentication backend option might use
Microsoft Active Directory, or an LDAP-based backend. Samba-3 provides
for both options as a Domain Member server. As a PDC Samba-3 is not able to provide
A more scalable domain control authentication backend option might use
Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
for both options as a domain member server. As a PDC, Samba-3 is not able to provide
an exact alternative to the functionality that is available with Active Directory.
Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
</para>

<para>
The tdbsam authentication backend provides no facility to replicate
the contents of the database, except by external means. (i.e., there is no self-contained protocol
in Samba-3 for Security Account Manager database [SAM] replication.)
the contents of the database, except by external means (i.e., there is no self-contained protocol
in Samba-3 for Security Account Manager database [SAM] replication).
</para>

<note><para>
If you need more than one Domain Controller, do not use a tdbsam authentication backend.
If you need more than one domain controller, do not use a tdbsam authentication backend.
</para></note>

<sect3>
@ -889,15 +894,15 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<procedure>
<step><para>
A working PDC configuration using the tdbsam
password backend can be found in <link linkend="fast-engoffice-global"></link> together with
<link linkend="fast-engoffice-shares"></link>:
</para>

<para>
<indexterm><primary>pdbedit</primary></indexterm>
<example id="fast-engoffice-global">
<title>Engineering Office smb.conf (globals)</title>
<smbconfblock>
password backend can be found in <link linkend="fast-engoffice-global">Engineering Office smb.conf
(globals)</link> together with <link linkend="fast-engoffice-shares">Engineering Office smb.conf
(shares and services)</link>:
<indexterm><primary>pdbedit</primary></indexterm>
</para></step>

<example id="fast-engoffice-global">
<title>Engineering Office smb.conf (globals)</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">FRODO</smbconfoption>
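Review bot: the step now ends with a colon (`(shares and services)</link>:`) followed directly by `</para></step>`, because the examples were hoisted out of the step; with nothing left inside the step the colon dangles, so end the sentence with a full stop. The `<indexterm><primary>pdbedit</primary></indexterm>` also now sits in a paragraph that never mentions pdbedit; consider moving it to wherever that tool is actually discussed.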
@ -924,13 +929,12 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock>
</example>
</para>
</smbconfblock>
</example>

<example id="fast-engoffice-shares">
<title>Engineering Office smb.conf (shares and services)</title>
<smbconfblock>
<example id="fast-engoffice-shares">
<title>Engineering Office smb.conf (shares and services)</title>
<smbconfblock>
<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
@ -970,8 +974,8 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
<smbconfoption name="profile acls">Yes</smbconfoption>

<smbconfcomment>Other resource (share/printer) definitions would follow below.</smbconfcomment>
</smbconfblock>
</example></step>
</smbconfblock>
</example>

<step><para>
Create UNIX group accounts as needed using a suitable operating system tool:
@ -993,13 +997,11 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false


<step><para>
<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
<indexterm><primary>initGroups.sh</primary></indexterm>
Assign each of the UNIX groups to NT groups:
(It may be useful to copy this text to a shell script called
<filename>initGroups.sh</filename>.)
<title>Shell script for initializing group mappings</title>
<programlisting>
<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
<indexterm><primary>initGroups.sh</primary></indexterm>
Assign each of the UNIX groups to NT groups by executing this shell script
(You could name the script <filename>initGroups.sh</filename>):
<screen>
#!/bin/bash
#### Keep this as a shell script for future re-use

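Review bot: switching the group-mapping script from `<programlisting>` to `<screen>` changes its semantics: `<screen>` is for what a user sees on a terminal, whereas the contents of a file the reader is told to save as `initGroups.sh` is exactly what `<programlisting>` is for. Dropping the `<title>` is right, since a title is not allowed directly inside `<para>`, but keep `<programlisting>`. Minor: `(You could name the script ...)` is a parenthetical inside a sentence, so `you` should be lowercase.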
@ -1012,7 +1014,7 @@ net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
</programlisting>
</screen>
</para></step>

<step><para>
@ -1027,7 +1029,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
</procedure>

<para>
The above configuration provides a functional Primary Domain Control (PDC)
The above configuration provides a functional PDC
system to which must be added file shares and printers as required.
</para>

@ -1038,7 +1040,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d

<para>
In this section we finally get to review in brief a Samba-3 configuration that
uses a Light Weight Directory Access (LDAP)-based authentication backend. The
uses a Lightweight Directory Access (LDAP)-based authentication backend. The
main reasons for this choice are to provide the ability to host primary
and Backup Domain Control (BDC), as well as to enable a higher degree of
scalability to meet the needs of a very distributed environment.
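Review bot: `Lightweight Directory Access (LDAP)-based` is still an incomplete expansion; the P stands for Protocol, so write `Lightweight Directory Access Protocol (LDAP)-based`.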
@ -1054,7 +1056,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
</para>

<para>
The Idealx scripts (or equivalent) are needed to manage LDAP based Posix and/or
The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
SambaSamAccounts. The Idealx scripts may be downloaded from the <ulink url="http://www.idealx.org">
Idealx</ulink> Web site. They may also be obtained from the Samba tarball. Linux
distributions tend to install the Idealx scripts in the
@ -1070,10 +1072,10 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d

<step><para>
Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
The <filename>/etc/openldap/slapd.conf</filename> file:
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
The <filename>/etc/openldap/slapd.conf</filename> file.
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
<title>Example slapd.conf file</title>
<programlisting>
<screen>
# Note commented out lines have been removed
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
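Review bot: as with the group-mapping script, the slapd.conf listing is file content, so `<programlisting>` is the better element than `<screen>`. Also, changing `The /etc/openldap/slapd.conf file:` to end in a full stop leaves a sentence fragment in front of the listing; keep the colon, or write `The /etc/openldap/slapd.conf file is as follows:`.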
@ -1104,7 +1106,7 @@ index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
</programlisting>
</screen>
</para></step>

<step><para>
@ -1160,8 +1162,9 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
</para></step>

<step><para>
The &smb.conf; file that drives this backend can be found in example <link linkend="fast-ldap"/>.
</para>
The &smb.conf; file that drives this backend can be found in example <link
linkend="fast-ldap">LDAP backend smb.conf for PDC</link>.
</para></step>

<example id="fast-ldap">
<title>LDAP backend smb.conf for PDC</title>
@ -1201,7 +1204,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock>
</example></step>
</example>

<step><para>
Add the LDAP password to the <filename>secrets.tdb</filename> file so Samba can update
@ -1213,7 +1216,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb

<step><para>
Add users and groups as required. Users and groups added using Samba tools
will automatically be added to both the LDAP backend as well as to the operating
will automatically be added to both the LDAP backend and the operating
system as required.
</para></step>

@ -1231,9 +1234,11 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<procedure>
<step><para>
Decide if the BDC should have its own LDAP server or not. If the BDC is to be
the LDAP server change the following &smb.conf; as indicated. The default
configuration in <link linkend="fast-bdc"/> uses a central LDAP server.
</para>
the LDAP server, change the following &smb.conf; as indicated. The default
configuration in <link linkend="fast-bdc">Remote LDAP BDC smb.conf</link>
uses a central LDAP server.
</para></step>

<example id="fast-bdc">
<title>Remote LDAP BDC smb.conf</title>
<smbconfblock>
@ -1264,7 +1269,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
</smbconfblock>
</example></step>
</example>

<step><para>
Configure the NETLOGON and PROFILES directory as for the PDC in <link linkend="fast-bdc"/>.
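Review bot: `Configure the NETLOGON and PROFILES directory as for the PDC in <link linkend="fast-bdc"/>` points at the BDC example (`fast-bdc`, `Remote LDAP BDC smb.conf`) while the sentence says `as for the PDC`; the PDC configuration it refers to is the `fast-ldap` example (`LDAP backend smb.conf for PDC`), so the linkend looks wrong. Also `directory` should be plural, since two directories are named.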
@ -8,7 +8,7 @@
</author>
&author.jerry;
</chapterinfo>
<title>Group Mapping &smbmdash; MS Windows and UNIX</title>
<title>Group Mapping: MS Windows and UNIX</title>


<para>
@ -19,8 +19,8 @@
</para>

<para>
The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide
which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map
The new facility for mapping NT groups to UNIX system groups allows the administrator to decide
which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map
to a UNIX group that has a value other than the default (<constant>-1</constant>) will be exposed
in group selection lists in tools that access domain users and groups.
</para>
@ -30,7 +30,7 @@
<indexterm><primary>domain admin group</primary></indexterm>
The <parameter>domain admin group</parameter> parameter has been removed in Samba-3 and should no longer
be specified in &smb.conf;. In Samba-2.2.x, this parameter was used to give the listed users membership in the
<constant>Domain Admins</constant> Windows group which gave local admin rights on their workstations
<constant>Domain Admins</constant> Windows group, which gave local admin rights on their workstations
(in default configurations).
</para>
</warning>
@ -44,39 +44,39 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>UID</primary></indexterm>
|
||||
<indexterm><primary>GID</primary></indexterm>
|
||||
<indexterm><primary>idmap uid</primary></indexterm>
|
||||
<indexterm><primary>UID</primary></indexterm>
|
||||
<indexterm><primary>GID</primary></indexterm>
|
||||
<indexterm><primary>idmap uid</primary></indexterm>
|
||||
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
|
||||
Appropriate interface scripts should be provided in &smb.conf; if it is desired that UNIX/Linux system
|
||||
accounts should be automatically created when these tools are used. In the absence of these scripts, and
|
||||
so long as <command>winbindd</command> is running, Samba group accounts that are created using these
|
||||
tools will be allocated UNIX UIDs/GIDs from the ID range specified by the
|
||||
tools will be allocated UNIX UIDs and GIDs from the ID range specified by the
|
||||
<smbconfoption name="idmap uid"/>/<smbconfoption name="idmap gid"/>
|
||||
parameters in the &smb.conf; file.
|
||||
</para>
|
||||
|
||||
<figure id="idmap-sid2gid">
|
||||
<title>IDMAP: group SID to GID resolution.</title>
|
||||
<title>IDMAP: Group SID-to-GID Resolution.</title>
|
||||
<imagefile scale="50">idmap-sid2gid</imagefile>
|
||||
</figure>
|
||||
|
||||
<figure id="idmap-gid2sid">
|
||||
<title>IDMAP: GID resolution to matching SID.</title>
|
||||
<title>IDMAP: GID Resolution to Matching SID.</title>
|
||||
<imagefile scale="50">idmap-gid2sid</imagefile>
|
||||
</figure>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>IDMAP</primary></indexterm>
|
||||
In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
|
||||
<link linkend="idmap-sid2gid">IDMAP: group SID to GID resolution</link> and
|
||||
<link linkend="idmap-gid2sid">IDMAP: GID resolution to matching SID</link>.
|
||||
The <command>net groupmap</command> is
|
||||
used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">IDMAP: storing group mappings</link>.
|
||||
<link linkend="idmap-sid2gid">IDMAP: Group SID-to-GID Resolution</link> and <link
|
||||
linkend="idmap-gid2sid">IDMAP: GID Resolution to Matching SID</link>. The <command>net groupmap</command> is
|
||||
used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">IDMAP: storing
|
||||
group mappings</link>.
|
||||
</para>
<figure id="idmap-store-gid2sid">
<title>IDMAP storing group mappings.</title>
<title>IDMAP Storing Group Mappings.</title>
<imagefile scale="50">idmap-store-gid2sid</imagefile>
</figure>
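Review bot: the link to idmap-store-gid2sid in the rewritten paragraph still reads "IDMAP: storing group mappings", while the figure title in the same hunk became "IDMAP Storing Group Mappings." (no colon, title case); the other two links were updated to match their retitled figures, so this one should read "IDMAP Storing Group Mappings" as well. Minor: "The <command>net groupmap</command> is used" wants a noun after the command name, e.g. "The <command>net groupmap</command> command is used".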
@ -86,8 +86,8 @@
Administrators should be aware that where &smb.conf; group interface scripts make
direct calls to the UNIX/Linux system tools (the shadow utilities, <command>groupadd</command>,
<command>groupdel</command>, and <command>groupmod</command>), the resulting UNIX/Linux group names will be subject
to any limits imposed by these tools. If the tool does not allow upper case characters
or space characters, then the creation of an MS Windows NT4/200x style group of
to any limits imposed by these tools. If the tool does not allow uppercase characters
or space characters, then the creation of an MS Windows NT4/200x-style group of
<literal>Engineering Managers</literal> will attempt to create an identically named
UNIX/Linux group, an attempt that will of course fail.
</para>
@ -95,15 +95,15 @@
<para>
<indexterm><primary>GID</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
There are several possible work-arounds for the operating system tools limitation. One
There are several possible workarounds for the operating system tools limitation. One
method is to use a script that generates a name for the UNIX/Linux system group that
fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID)
back to the calling Samba interface. This will provide a dynamic work-around solution.
fits the operating system limits and that then just passes the UNIX/Linux group ID (GID)
back to the calling Samba interface. This will provide a dynamic workaround solution.
</para>
<para>
Another work-around is to manually create a UNIX/Linux group, then manually create the
MS Windows NT4/200x group on the Samba server and then use the <command>net groupmap</command>
Another workaround is to manually create a UNIX/Linux group, then manually create the
MS Windows NT4/200x group on the Samba server, and then use the <command>net groupmap</command>
tool to connect the two to each other.
</para>
@ -113,9 +113,9 @@
<title>Discussion</title>
<para>
When installing <application>MS Windows NT4/200x</application> on a computer, the installation
When you install <application>MS Windows NT4/200x</application> on a computer, the installation
program creates default users and groups, notably the <constant>Administrators</constant> group,
and gives that group privileges necessary privileges to perform essential system tasks,
and gives that group privileges necessary to perform essential system tasks,
such as the ability to change the date and time or to kill (or close) any process running on the
local machine.
</para>
@ -124,29 +124,29 @@
<indexterm><primary>Administrator</primary></indexterm>
The <constant>Administrator</constant> user is a member of the <constant>Administrators</constant> group, and thus inherits
<constant>Administrators</constant> group privileges. If a <constant>joe</constant> user is created to be a member of the
<constant>Administrators</constant> group, <constant>joe</constant> has exactly the same rights as the user,
<constant>Administrators</constant> group, <constant>joe</constant> has exactly the same rights as the user
<constant>Administrator</constant>.
</para>
<para>
When an MS Windows NT4/200x/XP machine is made a Domain Member, the <quote>Domain Admins</quote> group of the
When an MS Windows NT4/200x/XP machine is made a domain member, the <quote>Domain Admins</quote> group of the
PDC is added to the local <constant>Administrators</constant> group of the workstation. Every member of the
<constant>Domain Administrators</constant> group inherits the rights of the local <constant>Administrators</constant> group when
logging on the workstation.
</para>
<para>
The following steps describe how to make Samba PDC users members of the <constant>Domain Admins</constant> group?
The following steps describe how to make Samba PDC users members of the <constant>Domain Admins</constant> group.
</para>
<orderedlist>
<listitem><para>
Create a UNIX group (usually in <filename>/etc/group</filename>), let's call it <constant>domadm</constant>.
Create a UNIX group (usually in <filename>/etc/group</filename>); let's call it <constant>domadm</constant>.
</para></listitem>
<listitem><para>
Add to this group the users that must be <quote>Administrators</quote>. For example,
if you want <constant>joe, john</constant> and <constant>mary</constant> to be administrators,
if you want <constant>joe, john</constant>, and <constant>mary</constant> to be administrators,
your entry in <filename>/etc/group</filename> will look like this:
</para>
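Review bot: "Every member of the <constant>Domain Administrators</constant> group" (the context line right after the lowercased "domain member" sentence) names a group that does not exist; the group added to the workstation's local Administrators group two lines earlier is "Domain Admins", and the next paragraph uses <constant>Domain Admins</constant>, so this should be corrected in the same pass. Also, in the list item, <constant>joe, john</constant> wraps two user names and a comma in one element; mark each name separately: <constant>joe</constant>, <constant>john</constant>, and <constant>mary</constant>.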
@ -168,18 +168,18 @@
<para>
<indexterm><primary>Domain Admins group</primary></indexterm>
The quotes around <quote>Domain Admins</quote> are necessary due to the space in the group name.
Also make sure to leave no white-space surrounding the equal character (=).
Also make sure to leave no white space surrounding the equal character (=).
</para></listitem>
</orderedlist>
<para>
Now <constant>joe, john</constant> and <constant>mary</constant> are domain administrators.
Now <constant>joe, john</constant>, and <constant>mary</constant> are domain administrators.
</para>
<para>
<indexterm><primary>groups</primary><secondary>domain</secondary></indexterm>
It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as
making any UNIX group a Windows domain group. For example, if you wanted to include a
to make any UNIX group a Windows domain group. For example, if you wanted to include a
UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine,
you would flag that group as a domain group by running the following on the Samba PDC:
</para>
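Review bot: "Now <constant>joe, john</constant>, and <constant>mary</constant> are domain administrators." should state the consequence of the procedure plainly: once the UNIX group (domadm in this example) is mapped to "Domain Admins", anyone who can edit that entry in /etc/group can grant domain administrator rights, so that group entry needs the same protection as the Windows group itself; one sentence to that effect belongs here. The <constant>joe, john</constant> markup also wraps two names in one element; mark each name separately.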
@ -191,7 +191,7 @@
</para>
<para>
Be aware that the RID parameter is a unsigned 32-bit integer that should
Be aware that the RID parameter is an unsigned 32-bit integer that should
normally start at 1000. However, this RID must not overlap with any RID assigned
to a user. Verification for this is done differently depending on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
@ -199,18 +199,18 @@
</para>
<sect2>
<title>Warning &smbmdash; User Private Group Problems</title>
<title>Warning: User Private Group Problems</title>
<para>
Windows does not permit user and group accounts to have the same name.
This has serious implications for all sites that use private group accounts.
A private group account is an administrative practice whereby users are each
given their own group account. Red Hat Linux, as well as several free distributions
of Linux by default create private groups.
of Linux, by default create private groups.
</para>
<para>
When mapping a UNIX/Linux group to a Windows group account all conflict can
When mapping a UNIX/Linux group to a Windows group account, all conflict can
be avoided by assuring that the Windows domain group name does not overlap
with any user account name.
</para>
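Review bot: "all conflict can be avoided by assuring that the Windows domain group name does not overlap" (the line after the comma fix) should read "ensuring that"; "assuring" takes a person as its object. The sentence "Red Hat Linux, as well as several free distributions of Linux, by default create private groups." also reads more naturally as "Red Hat Linux and several other Linux distributions create private groups by default."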
@ -228,16 +228,16 @@
</para>
<para>
All Microsoft Windows products since the release of Windows NT 3.10 support the use of nested groups.
Many Windows network administrators depend on this capability becasue it greatly simplifies security
All MS Windows products since the release of Windows NT 3.10 support the use of nested groups.
Many Windows network administrators depend on this capability because it greatly simplifies security
administration.
</para>
<para>
The nested group architecture was designed with the premise that day-to-day user and group membership
management should be performed on the domain security database. The application of group security
should be implemented on domain member servers using only local groups. On the domain member server
all file system security controls are then limited to use of the local groups which will contain
should be implemented on domain member servers using only local groups. On the domain member server,
all file system security controls are then limited to use of the local groups, which will contain
domain global groups and domain global users.
</para>
@ -245,13 +245,13 @@
You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed
the dark depths of Windows networking architecture. Consider for a moment a server on which are stored
200,000 files, each with individual domain user and domain group settings. The company that owns the
file server is bought by another company resulting in the server being moved to another location and then
file server is bought by another company, resulting in the server being moved to another location, and then
it is made a member of a different domain. Who would you think now owns all the files and directories?
Answer: Account Unknown.
</para>
<para>
Unravelling the file ownership mess is an unenviable administrative task that can be avoided simply
Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply
by using local groups to control all file and directory access control. In this case, only the members
of the local groups will have been lost. The files and directories in the storage subsystem will still
be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler
@ -262,35 +262,35 @@
<para>
Another prominent example of the use of nested groups involves implementation of administrative privileges
on domain member workstations and servers. Administrative privileges are given to all members of the
builtin
built-in
local group <constant>Administrators</constant> on each domain member machine. To ensure that all domain
administrators have full rights on the member server or workstation, on joining the domain the
administrators have full rights on the member server or workstation, on joining the domain, the
<constant>Domain Admins</constant> group is added to the local Administrators group. Thus everyone who is
logged into the domain as a member of the Domain Admins group is also granted local adminitrative
logged into the domain as a member of the Domain Admins group is also granted local administrative
privileges on each domain member.
</para>
<para>
UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported
them either. The problem is that you would have to enter unix groups as auxiliary members of a group in
them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in
<filename>/etc/group</filename>. This does not work because it was not a design requirement at the time
the UNIX file system security model was implemented. Since Samba-2.2 the winbind daemon can provide
<filename>/etc/group</filename> entries on demand by obtaining user and group information from the Domain
Controller that the Samba server is a member of.
the UNIX file system security model was implemented. Since Samba-2.2, the winbind daemon can provide
<filename>/etc/group</filename> entries on demand by obtaining user and group information from the domain
controller that the Samba server is a member of.
</para>
<para>
In effect, Samba supplements the <filename>/etc/group</filename> data via the dynamic
<command>libnss_winbind</command> mechanism. Beginning with Samba-3.0.3 this facility is used to provide
<command>libnss_winbind</command> mechanism. Beginning with Samba-3.0.3, this facility is used to provide
local groups in the same manner as Windows does it. It works by expanding the local groups on the
fly as they are accessed. For example, the <constant>Domain Users</constant> group of the domain is made
a member of the local group <constant>demo</constant>. Whenever Samba needs to resolve membership of the
<constant>demo</constant> local (alias) group winbind asks the DC for demo members of the Domain Users
group. By definition it can only contain user objects which can then be faked to be member of the
<constant>demo</constant> local (alias) group, winbind asks the domain controller for demo members of the Domain Users
group. By definition, it can only contain user objects, which can then be faked to be member of the
UNIX/Linux group <constant>demo</constant>.
</para>
<para>
To enable the use of nested groups, <command>winbindd</command> must be used together with NSS winbind.
To enable the use of nested groups, <command>winbindd</command> must be used with NSS winbind.
Creation and administration of the local groups is done best via the Windows Domain User Manager or its
Samba equivalent, the utility <command>net rpc group</command>. Creating the local group
<constant>demo</constant> is achieved by executing:
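Review bot: "which can then be faked to be member of the UNIX/Linux group demo" (the rewritten line) still has a number error: "user objects, which can then be faked to be members of". Two context lines in the same hunk read awkwardly and could be fixed in this pass: "UNIX/Linux has no concept of support for nested groups" should be "has no concept of nested groups", and "winbind asks the domain controller for demo members of the Domain Users group" is unclear; what is meant is "asks the domain controller for the members of the Domain Users group".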
@ -298,16 +298,16 @@
&rootprompt; net rpc group add demo -L -Uroot%not24get
</screen>
Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U
switches for accessing the correct host with appropriate user or root priviliges. Adding and removing
switches for accessing the correct host with appropriate user or root privileges. Adding and removing
group
members can be done via the <constant>addmem</constant> and <constant>delmem</constant> subcommands of
<command>net rpc group</command> command. For example addition of <quote>DOM\Domain Users</quote> to the
<command>net rpc group</command> command. For example, addition of <quote>DOM\Domain Users</quote> to the
local
group <constant>demo</constant> would be done by executing:
group <constant>demo</constant> is done by executing:
<screen>
net rpc group addmem demo "DOM\Domain Users"
</screen>
Having completed these two steps the execution of <command>getent group demo</command> will show demo
Having completed these two steps, the execution of <command>getent group demo</command> will show demo
members of the global <constant>Domain Users</constant> group as members of the group
<constant>demo</constant>. This also works with any local or domain user. In case the domain DOM trusts
another domain, it is also possible to add global users and groups of the trusted domain as members of
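Review bot: the two <screen> examples in this hunk are inconsistent: the first is `&rootprompt; net rpc group add demo -L -Uroot%not24get`, while the second, `net rpc group addmem demo "DOM\Domain Users"`, has neither the &rootprompt; nor the -U credentials, even though the text just above says -S and -U may be needed. Give the second command the same form. Also, the `-Uroot%not24get` form places the password on the command line; showing `-Uroot` and letting net prompt for the password is the safer example for readers to copy.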
@ -324,26 +324,26 @@
</para>
<orderedlist>
<listitem><para>For Samba-3 Domain Controllers and
Domain Member Servers/Clients.</para></listitem>
<listitem><para>To manage Domain Member Windows workstations.</para></listitem>
<listitem><para>For Samba-3 domain controllers and
domain member servers/clients.</para></listitem>
<listitem><para>To manage domain member Windows workstations.</para></listitem>
</orderedlist>
<para>
Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges
that are necessary for system administration tasks from a Windows Domain Member Client machine so that
domain administration tasks such as adding/deleting/changing user and group account information, and
that are necessary for system administration tasks from a Windows domain Member client machine, so
domain administration tasks such as adding, deleting, and changing user and group account information, and
managing workstation domain membership accounts, can be handled by any account other than root.
</para>
<para>
Samba-3.0.11 introduced a new privilege management interface (see <link linkend="rights">Chapter on Rights and Privileges</link>)
that permits these tasks to be delegated to non-root (i.e.: accounts other than the equivalent of the
MS Windows Administrator) account.
Samba-3.0.11 introduced a new privilege management interface (see <link linkend="rights">User Rights and Privileges</link>)
that permits these tasks to be delegated to non-root (i.e., accounts other than the equivalent of the
MS Windows Administrator) accounts.
</para>
<para>
Administrative tasks on a Windows Domain Member workstation, can be done by anyone who is a member of the
Administrative tasks on a Windows domain member workstation can be done by anyone who is a member of the
<constant>Domain Admins</constant> group. This group can be mapped to any convenient UNIX group.
</para>
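Review bot: "from a Windows domain Member client machine" (rewritten line) keeps a capital "Member" while the rest of this hunk lowercases "domain member"; it should read "from a Windows domain member client machine".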
@ -351,25 +351,25 @@
<title>Applicable Only to Versions Earlier than 3.0.11</title>
<para>
Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires <constant>root</constant>
level privilege. The addition of a Windows client to a Samba Domain involves the addition of a user account
for the Windows client.
Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires
<constant>root</constant>-level privilege. The addition of a Windows client to a Samba domain involves the
addition of a user account for the Windows client.
</para>
<para>
Many UNIX administrators continue to request the Samba Team make it possible to add Windows workstations, or
to ability to add/delete or modify user accounts, without requiring <constant>root</constant> privileges.
Many UNIX administrators continue to request that the Samba Team make it possible to add Windows workstations, or
the ability to add, delete, or modify user accounts, without requiring <constant>root</constant> privileges.
Such a request violates every understanding of basic UNIX system security.
</para>
<para>
There is no safe way to provide access on a UNIX/Linux system without providing <constant>root</constant>
level privilege. Provision of <constant>root</constant> privileges can be done either by logging onto
the Domain as the user <constant>root</constant>, or by permitting particular users to use a UNIX account
that has a UID=0 in the <filename>/etc/passwd</filename> database. Users of such accounts can use tools
like the NT4 Domain User Manager, and the NT4 Domain Server Manager to manage user and group accounts as
well as Domain Member server and client accounts. This level of privilege is also needed to manage share
level ACLs.
There is no safe way to provide access on a UNIX/Linux system without providing
<constant>root</constant>-level privilege. Provision of <constant>root</constant> privileges can be done
either by logging onto the Domain as the user <constant>root</constant> or by permitting particular users to
use a UNIX account that has a UID=0 in the <filename>/etc/passwd</filename> database. Users of such accounts
can use tools like the NT4 Domain User Manager and the NT4 Domain Server Manager to manage user and group
accounts as well as domain member server and client accounts. This level of privilege is also needed to manage
share-level ACLs.
</para>
</sect3>
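Review bot: "Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires" (rewritten line) has a plural subject, so "require"; and "logging onto the Domain as the user <constant>root</constant>" in the last paragraph still capitalizes "Domain" although "Samba domain" was lowercased earlier in the same hunk.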
@ -377,38 +377,38 @@
</sect2>
<sect2>
<title>Default Users, Groups and Relative Identifiers</title>
<title>Default Users, Groups, and Relative Identifiers</title>
<para>
<indexterm><primary>Relative Identifier</primary><see>RID</see></indexterm>
<indexterm><primary>RID</primary></indexterm>
When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and
Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued
integrity of operation. Samba must be provisioned with certain essential Domain Groups that require
the appropriate RID value. When Samba-3 is configured to use <constant>tdbsam</constant> the essential
Domain Groups are automatically created. It is the LDAP administrators' responsibility to create
(provision) the default NT Groups.
<indexterm><primary>Relative Identifier</primary><see>RID</see></indexterm>
<indexterm><primary>RID</primary></indexterm>
When first installed, Windows NT4/200x/XP are preconfigured with certain user, group, and
alias entities. Each has a well-known RID. These must be preserved for continued
integrity of operation. Samba must be provisioned with certain essential domain groups that require
the appropriate RID value. When Samba-3 is configured to use <constant>tdbsam</constant>, the essential
domain groups are automatically created. It is the LDAP administrator's responsibility to create
(provision) the default NT groups.
</para>
<para>
Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups,
Aliases, and RIDs are shown in <link linkend="WKURIDS">Well-Known User Default RIDs</link> table.
Each essential domain group must be assigned its respective well-known RID. The default users, groups,
aliases, and RIDs are shown in <link linkend="WKURIDS">Well-Known User Default RIDs</link>.
</para>
<note><para>
When the <parameter>passdb backend</parameter> uses LDAP (<constant>ldapsam</constant>) it is the
administrators' responsibility to create the essential Domain Groups, and to assign each its default RID.
When the <parameter>passdb backend</parameter> uses LDAP (<constant>ldapsam</constant>), it is the
administrator's responsibility to create the essential domain groups and to assign each its default RID.
</para></note>
<para>
It is permissible to create any Domain Group that may be necessary, just make certain that the essential
Domain Groups (well known) have been created and assigned its default RID. Other groups you create may
It is permissible to create any domain group that may be necessary; just make certain that the essential
domain groups (well known) have been created and assigned their default RIDs. Other groups you create may
be assigned any arbitrary RID you care to use.
</para>
<para>
Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group
will be available for use as an NT Domain Group.
Be sure to map each domain group to a UNIX system group. That is the only way to ensure that the group
will be available for use as an NT domain group.
</para>
<para>
@ -609,10 +609,10 @@ Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
<indexterm><primary>smbgrpadd.sh</primary></indexterm>
<indexterm><primary>groupadd limitations</primary></indexterm>
A script to create complying group names for use by the Samba group interfaces
is provided in <link linkend="smbgrpadd.sh">smbgrpadd.sh</link>. This script will
add a temporary entry in the <filename>/etc/group</filename> file and then rename
it to to the desired name. This is an example of a method to get around operating
system maintenance tool limititations such as that present in some version of the
is provided in <link linkend="smbgrpadd.sh">smbgrpadd.sh</link>. This script
adds a temporary entry in the <filename>/etc/group</filename> file and then renames
it to the desired name. This is an example of a method to get around operating
system maintenance tool limitations such as those present in some version of the
<command>groupadd</command> tool.
</para>
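Review bot: "system maintenance tool limitations such as those present in some version of the <command>groupadd</command> tool" (rewritten line) should read "some versions of" to agree with "those".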
@ -641,9 +641,10 @@ exit 0
</para>
<para>
The &smb.conf; entry for the above script would be something like that in <link linkend="smbgrpadd">the following example</link>.
The &smb.conf; entry for the above script would be something like that in <link linkend="smbgrpadd">"smbgrpadd"</link>.
<example id="smbgrpadd">
<title>Configuration of &smb.conf; for the add group script.</title>
<title>Configuration of &smb.conf; for the add group Script</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="add group script">/path_to_tool/smbgrpadd.sh "%g"</smbconfoption>
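Review bot: the new link text `<link linkend="smbgrpadd">"smbgrpadd"</link>` puts literal double-quote characters inside the link and shows the example's id rather than a readable title; other links in this commit carry the target's title (e.g. "Well-Known User Default RIDs"), so use the example's title here, and if quoting is wanted use the document's <quote> element rather than raw quote characters. In the example title, "add group" is the smb.conf parameter name; <parameter>add group script</parameter>, as the document marks up "passdb backend" elsewhere, would make that clear.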
@ -659,7 +660,7 @@ exit 0
<para>
In our example we have created a UNIX/Linux group called <literal>ntadmin</literal>.
Our script will create the additional groups <literal>Orks</literal>, <literal>Elves</literal>, and <literal>Gnomes</literal>.
It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database.
It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database.
For the sake of convenience we elect to save this script as a file called <filename>initGroups.sh</filename>.
This script is given in <link linkend="set-group-map">intGroups.sh</link>.
</para>
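Review bot: changing "save this shell script for later re-use" to "for later use" drops the point of the sentence: the script is kept so it can be run again to rebuild the mapping database, so "later reuse" is the right edit. The link text "intGroups.sh" in the last line of this hunk is a typo for initGroups.sh, the file name given on the line before; fix it while the paragraph is open.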
@ -701,8 +702,8 @@ net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
<para>
At this time there are many little surprises for the unwary administrator. In a real sense
it is imperative that every step of automated control scripts must be carefully tested
manually before putting them into active service.
it is imperative that every step of automated control scripts be carefully tested
manually before putting it into active service.
</para>
<sect2>
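Review bot: "every step of automated control scripts be carefully tested manually before putting it into active service": with the singular "it", the antecedent becomes "every step" rather than the scripts; "before the scripts are put into active service" removes the ambiguity.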
@ -716,11 +717,11 @@ manually before putting them into active service.
<para>
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
that has an uppercase character and/or a space character in it.
</para>
<para>
There are three possible work-arounds. First, use only group names that comply
There are three possible workarounds. First, use only group names that comply
with the limitations of the UNIX/Linux <command>groupadd</command> system tool.
Second, it involves the use of the script mentioned earlier in this chapter, and
third is the option is to manually create a UNIX/Linux group account that can substitute
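Review bot: "third is the option is to manually create" (trailing context line of this hunk) is garbled and should read "and the third is to manually create". The three workarounds would also read better in parallel form, "First, use only group names that comply ...; second, use the script mentioned earlier in this chapter; third, manually create ...", replacing "Second, it involves the use of the script".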
@ -731,10 +732,10 @@ manually before putting them into active service.
</sect2>
<sect2>
<title>Adding <emphasis>Domain Users</emphasis> to the <emphasis>Power Users</emphasis> Group</title>
<title>Adding <emphasis>Domain Users</emphasis> to the <literal>Power Users</literal> Group</title>
<para><quote>
What must I do to add Domain Users to the Power Users group?
What must I do to add domain users to the Power Users group?
</quote></para>
<indexterm><primary>Domain Users group</primary></indexterm>
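Review bot: the retitled heading now mixes <emphasis>Domain Users</emphasis> with <literal>Power Users</literal>; both are group names, and the steps below mark both with <constant>, so use one element for both rather than changing only the second.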
@ -764,8 +765,8 @@ manually before putting them into active service.
</para></step>
<step><para>
Double click <constant>Power Users</constant>. This will launch the panel to add users or groups
to the local machine <constant>Power Uses</constant> group.
Double-click <constant>Power Users</constant>. This will launch the panel to add users or groups
to the local machine <constant>Power Users</constant> group.
</para></step>
<step><para>
@ -777,12 +778,12 @@ manually before putting them into active service.
</para></step>
<step><para>
Double click the <constant>Domain Users</constant> group.
Double-click the <constant>Domain Users</constant> group.
</para></step>
<step><para>
Click the <guibutton>Ok</guibutton> button. If a logon box is presented during this process
please remember to enter the connect as <constant>DOMAIN\UserName</constant>. i.e., For the
Click the <guibutton>OK</guibutton> button. If a logon box is presented during this process,
please remember to enter the connect as <constant>DOMAIN\UserName</constant>, that is, for the
domain <constant>MIDEARTH</constant> and the user <constant>root</constant> enter
<constant>MIDEARTH\root</constant>.
</para></step>
@ -16,23 +16,23 @@
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>GID</primary></indexterm>
The Microsoft Windows operating system has a number of features that impose specific challenges
to interoperability with operating system on which Samba is implemented. This chapter deals
to interoperability with the operating system on which Samba is implemented. This chapter deals
explicitly with the mechanisms Samba-3 (version 3.0.8 and later) uses to overcome one of the
key challenges in the integration of Samba servers into an MS Windows networking environment.
This chapter deals with Identify Mapping (IDMAP) of Windows Security Identifers (SIDs)
This chapter deals with identity mapping (IDMAP) of Windows security identifiers (SIDs)
to UNIX UIDs and GIDs.
</para>
<para>
To ensure good sufficient coverage each possible Samba deployment type will be discussed.
To ensure sufficient coverage, each possible Samba deployment type is discussed.
This is followed by an overview of how the IDMAP facility may be implemented.
</para>
<para>
<indexterm><primary>network client</primary></indexterm>
The IDMAP facility is usually of concern where more than one Samba server (or Samba network client)
is installed in the one Domain. Where there is a single Samba server do not be too concerned regarding
the IDMAP infrastructure - the default behavior of Samba is nearly always sufficient.
is installed in one domain. Where there is a single Samba server, do not be too concerned regarding
the IDMAP infrastructure &smbmdash; the default behavior of Samba is nearly always sufficient.
</para>
<para>
@ -44,7 +44,7 @@ of foreign SIDs to local UNIX UIDs and GIDs.
<para>
<indexterm><primary>winbindd</primary></indexterm>
|
||||
The use of the IDMAP facility requires that the <command>winbindd</command> be executed on Samba start-up.
|
||||
The use of the IDMAP facility requires that the <command>winbindd</command> be executed on Samba startup.
|
||||
</para>
|
||||
|
||||
<sect1>
|
||||
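Review bot: "requires that the <command>winbindd</command> be executed on Samba startup" is still missing the noun after "the"; a later hunk in this same file writes "the <command>winbindd</command> daemon", so match it here: "requires that the <command>winbindd</command> daemon be running when Samba starts".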
@ -52,25 +52,25 @@ The use of the IDMAP facility requires that the <command>winbindd</command> be e

<para>
<indexterm><primary>Server Types</primary></indexterm>
There are four (4) basic server deployment types, as documented in <link linkend="ServerType">the chapter
There are four basic server deployment types, as documented in <link linkend="ServerType">the chapter
on Server Types and Security Modes</link>.
</para>

<sect2>
<title>Stand-Alone Samba Server</title>
<title>Standalone Samba Server</title>

<para>
<indexterm><primary>stand-alone server</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>NT4 Domain</primary></indexterm>
A stand-alone Samba server is an implementation that is not a member of a Windows NT4 Domain,
a Windows 200X Active Directory Domain, or of a Samba Domain.
A standalone Samba server is an implementation that is not a member of a Windows NT4 domain,
a Windows 200X Active Directory domain, or a Samba domain.
</para>

<para>
<indexterm><primary>IDMAP</primary></indexterm>
<indexterm><primary>identity</primary></indexterm>
By definition, this means that users and groups will be created and controlled locally and
By definition, this means that users and groups will be created and controlled locally, and
the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility
is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility
will not be relevant or of interest.
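Review bot: the closing sentence of the Standalone section says the same thing twice ("The IDMAP facility is therefore of little to no interest ... and the IDMAP facility will not be relevant or of interest"); trim it to "The IDMAP facility is therefore of little to no interest, and winbind will not be necessary." Also, the title becomes "Standalone" but the index entry just below it keeps "stand-alone server"; rename the <indexterm> too, or the index will carry both spellings.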
@ -87,17 +87,17 @@ on Server Types and Security Modes</link>.
<indexterm><primary>NT4</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
Samba-3 can act as a Windows NT4 PDC or BDC thereby providing domain control protocols that
Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that
are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with
all version of Microsoft Windows products. Windows NT4, as with Microsoft Active Directory,
extensively makes use of Windows security identifiers (SIDs).
all version of MS Windows products. Windows NT4, as with MS Active Directory,
extensively makes use of Windows SIDs.
</para>

<para>
<indexterm><primary>MS Windows SID</primary></indexterm>
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>GID</primary></indexterm>
Samba-3 Domain Member servers and clients must interact correctly with MS Windows SIDs. Incoming
Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming
Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba
server must provide to MS Windows clients and servers appropriate SIDs.
</para>
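Review bot: "all version of MS Windows products" keeps the singular noun from the original line; the rewritten line should read "all versions of MS Windows products".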
@ -106,21 +106,21 @@ on Server Types and Security Modes</link>.
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>winbind</primary></indexterm>
A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle
identity mapping in a variety of ways. The mechanism is will use depends on whether or not
the <command>winbindd</command> daemon is used, and how the winbind functionality is configured.
identity mapping in a variety of ways. The mechanism it uses depends on whether or not
the <command>winbindd</command> daemon is used and how the winbind functionality is configured.
The configuration options are briefly described here:
</para>

<variablelist>
<varlistentry><term>Winbind is not used, users and groups are local: &smbmdash; </term>
<varlistentry><term>Winbind is not used; users and groups are local: </term>
<listitem>
<para>
Where <command>winbindd</command> is not used Samba (<command>smbd</command>)
uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming
network traffic. This will be done using the LoginID (account name) in the
network traffic. This is done using the LoginID (account name) in the
session setup request and passing it to the getpwnam() system function call.
This call is implemented using the name service switch (NSS) mechanism on
modern UNIX/Linux systems. By saying <quote>users and groups are local</quote>
modern UNIX/Linux systems. By saying "users and groups are local,"
we are implying that they are stored only on the local system, in the
<filename>/etc/passwd</filename> and <filename>/etc/group</filename> respectively.
</para>
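Review bot: replacing <quote>users and groups are local</quote> with literal double quotes ("users and groups are local,") is a step backwards for DocBook: the rest of this diff keeps <quote> (<quote>algorithmic mapping</quote>, <quote>allow trusted domains = No</quote>), and the element is what yields locale-correct quotation marks in the rendered output. Keep the <quote> element and put the comma outside it. Minor: the rewritten <term> keeps the trailing space before </term> ("are local: </term>") that used to precede the removed &smbmdash;.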
@ -133,45 +133,45 @@ on Server Types and Security Modes</link>.
</para>

<para>
This configuration may be used with stand-alone Samba servers, Domain Member
servers (NT4 or ADS), and may be used for a PDC that uses either an smbpasswd
or a tdbsam based Samba passdb backend.
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
</para>
</listitem>
</varlistentry>

<varlistentry><term>Winbind is not used, users and groups resolved via NSS: &smbmdash; </term>
<varlistentry><term>Winbind is not used; users and groups resolved via NSS: </term>
<listitem>
<para>
In this situation user and group accounts are treated as if they are local
accounts, the only way in which this differs from having local accounts is
accounts. The only way in which this differs from having local accounts is
that the accounts are stored in a repository that can be shared. In practice
this means that they will reside in either a NIS type database or else in LDAP.
this means that they will reside in either an NIS-type database or else in LDAP.
</para>

<para>
This configuration may be used with stand-alone Samba servers, Domain Member
servers (NT4 or ADS), and may be used for a PDC that uses either an smbpasswd
or a tdbsam based Samba passdb backend.
This configuration may be used with standalone Samba servers, domain member
servers (NT4 or ADS), and for a PDC that uses either an smbpasswd
or a tdbsam-based Samba passdb backend.
</para>
</listitem>
</varlistentry>

<varlistentry><term>Winbind/NSS with the default local IDMAP table: &smbmdash; </term>
<varlistentry><term>Winbind/NSS with the default local IDMAP table: </term>
<listitem>
<para>
There are many sites that require only a simple Samba server, or a single Samba
server that is a member of a Windows NT4 Domain or an ADS Domain. A typical example
There are many sites that require only a simple Samba server or a single Samba
server that is a member of a Windows NT4 domain or an ADS domain. A typical example
is an appliance like file server on which no local accounts are configured and
winbind is used to obtain account credentials from the domain controllers for the
domain. The domain control can be provided by Samba-3, MS Windows NT4 or MS Windows
domain. The domain control can be provided by Samba-3, MS Windows NT4, or MS Windows
Active Directory.
</para>

<para>
Winbind is a great convenience in this situation. All that is needed is a range of
UID numbers and GID numbers that can be defined in the &smb.conf; file, the
<filename>/etc/nsswitch.conf</filename> file is configured to use <command>winbind</command>
UID numbers and GID numbers that can be defined in the &smb.conf; file. The
<filename>/etc/nsswitch.conf</filename> file is configured to use <command>winbind</command>,
which does all the difficult work of mapping incoming SIDs to appropriate UIDs and GIDs.
The SIDs are allocated a UID/GID in the order in which winbind receives them.
</para>
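Review bot: "an appliance like file server" in the unchanged context needs the hyphen ("appliance-like file server"), given that this hunk hyphenates the other compound modifiers around it ("tdbsam-based", "NIS-type"). Same nit as the other <term> lines: the rewritten terms keep a trailing space before </term>.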
@ -180,15 +180,15 @@ on Server Types and Security Modes</link>.
This configuration is not convenient or practical in sites that have more than one
Samba server and that require the same UID or GID for the same user or group across
all servers. One of the hazards of this method is that in the event that the winbind
IDMAP file may become corrupted or lost, the repaired or rebuilt IDMAP file may allocate
UIDs and GIDs to differing users and groups from what was there previously with the
IDMAP file becomes corrupted or lost, the repaired or rebuilt IDMAP file may allocate
UIDs and GIDs to different users and groups from what was there previously with the
result that MS Windows files that are stored on the Samba server may now not belong to
to rightful owner.
the rightful owners.
</para>
</listitem>
</varlistentry>

<varlistentry><term>Winbind/NSS uses RID based IDMAP: &smbmdash; </term>
<varlistentry><term>Winbind/NSS uses RID based IDMAP: </term>
<listitem>
<para>
<indexterm><primary>RID</primary></indexterm>
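Review bot: the rewritten term "Winbind/NSS uses RID based IDMAP: " leaves "RID based" unhyphenated while the later term in this diff becomes "backend-based"; make it "RID-based IDMAP". The corrupted-IDMAP sentence is also still a single 50-word run; split it after "corrupted or lost" so the consequence ("MS Windows files ... may now not belong to the rightful owners") stands as its own sentence.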
@ -196,8 +196,8 @@ on Server Types and Security Modes</link>.
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier
for a number of sites that are committed to use of MS ADS, who do not want to apply
an ADS schema extension, and who do not wish to install an LDAP directory server just for
for a number of sites that are committed to use of MS ADS, that do not apply
an ADS schema extension, and that do not have an installed an LDAP directory server just for
the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of
domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the
IDMAP table problem, then IDMAP_RID is an obvious choice.
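Review bot: the rewritten line introduces a doubled article: "that do not have an installed an LDAP directory server" should be "that do not have an LDAP directory server installed". Note also that the rewrite changes the meaning from intent ("do not want to apply", "do not wish to install") to current state ("do not apply", "do not have installed"); keep the original wording if the intent is what is meant.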
@ -213,7 +213,7 @@ on Server Types and Security Modes</link>.
<indexterm><primary>idmap backend</primary></indexterm>
This facility requires the allocation of the <parameter>idmap uid</parameter> and the
<parameter>idmap gid</parameter> ranges, and within the <parameter>idmap uid</parameter>
it is possible to allocate a sub-set of this range for automatic mapping of the relative
it is possible to allocate a subset of this range for automatic mapping of the relative
identifier (RID) portion of the SID directly to the base of the UID plus the RID value.
For example, if the <parameter>idmap uid</parameter> range is <constant>1000-100000000</constant>
and the <parameter>idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000</parameter>, and
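Review bot: markup inconsistency in the example's last context line: <parameter> wraps the whole assignment "idmap backend = idmap_rid:DOMAIN_NAME=1000-50000000", whereas the line above wraps only the name in <parameter> and the value in <constant> ("<parameter>idmap uid</parameter> range is <constant>1000-100000000</constant>"); split the assignment the same way so both examples render alike.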
@ -223,40 +223,40 @@ on Server Types and Security Modes</link>.
</listitem>
</varlistentry>

<varlistentry><term>Winbind with an NSS/LDAP backend based IDMAP facility: &smbmdash; </term>
<varlistentry><term>Winbind with an NSS/LDAP backend-based IDMAP facility: </term>
<listitem>
<para>
<indexterm><primary>Domain Member</primary></indexterm>
In this configuration <command>winbind</command> resolved SIDs to UIDs and GIDs from
the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter> ranges specified
in the &smb.conf; file, but instead of using a local winbind IDMAP table it is stored
in an LDAP directory so that all Domain Member machines (clients and servers) can share
in the &smb.conf; file, but instead of using a local winbind IDMAP table, it is stored
in an LDAP directory so that all domain member machines (clients and servers) can share
a common IDMAP table.
</para>

<para>
<indexterm><primary>idmap backend</primary></indexterm>
It is important that all LDAP IDMAP clients use only the master LDAP server as the
It is important that all LDAP IDMAP clients use only the master LDAP server because the
<parameter>idmap backend</parameter> facility in the &smb.conf; file does not correctly
handle LDAP redirects.
</para>
</listitem>
</varlistentry>

<varlistentry><term>Winbind with NSS to resolve UNIX/Linux user and group IDs: &smbmdash; </term>
<varlistentry><term>Winbind with NSS to resolve UNIX/Linux user and group IDs: </term>
<listitem>
<para>
The use of LDAP as the passdb backend is a smart solution for PDC, BDC as well as for
Domain Member servers. It is a neat method for assuring that UIDs, GIDs and the matching
SIDs will be consistent across all servers.
The use of LDAP as the passdb backend is a smart solution for PDC, BDC, and
domain member servers. It is a neat method for assuring that UIDs, GIDs, and the matching
SIDs are consistent across all servers.
</para>

<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>PADL</primary></indexterm>
The use of the LDAP based passdb backend requires use of the PADL nss_ldap utility, or
an equivalent. In this situation winbind is used to handle foreign SIDs; ie: SIDs from
stand-alone Windows clients (i.e.: not a member of our domain) as well as SIDs from
The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or
an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from
standalone Windows clients (i.e., not a member of our domain) as well as SIDs from
another domain. The foreign UID/GID is mapped from allocated ranges (idmap uid and idmap gid)
in precisely the same manner as when using winbind with a local IDMAP table.
</para>
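Review bot: tense error in the unchanged context line "In this configuration <command>winbind</command> resolved SIDs to UIDs and GIDs": it should be "resolves". Also, "(idmap uid and idmap gid)" in the last paragraph is plain text while the same parameters are <parameter> elements a few lines earlier; wrap them for consistency.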
@ -266,12 +266,12 @@ on Server Types and Security Modes</link>.
<indexterm><primary>AD4UNIX</primary></indexterm>
<indexterm><primary>MMC</primary></indexterm>
The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active
Directory. In order to use Active Directory it is necessary to modify the ADS schema by
installing either the AD4UNIX schema extension or else use the Microsoft Services for UNIX
version 3.5 of later to extend the ADS schema so it maintains UNIX account credentials.
Where the ADS schema is extended a Microsoft Management Console (MMC) snap-in in also
Directory. In order to use Active Directory, it is necessary to modify the ADS schema by
installing either the AD4UNIX schema extension or using the Microsoft Services for UNIX
version 3.5 or later to extend the ADS schema so it maintains UNIX account credentials.
Where the ADS schema is extended, a Microsoft Management Console (MMC) snap-in is also
installed to permit the UNIX credentials to be set and managed from the ADS User and Computer
management tool. Each account must be separately UNIX enabled before the UID and GID data can
Management tool. Each account must be separately UNIX-enabled before the UID and GID data can
be used by Samba.
</para>
</listitem>
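Review bot: the rewritten sentence is not parallel: "by installing either the AD4UNIX schema extension or using the Microsoft Services for UNIX version 3.5 or later". Move "either" in front of the first verb: "by either installing the AD4UNIX schema extension or using Microsoft Services for UNIX version 3.5 or later".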
@ -289,17 +289,17 @@ on Server Types and Security Modes</link>.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>RID</primary></indexterm>
<indexterm><primary>algorithmic mapping</primary></indexterm>
Microsoft Windows domain security systems generate the user and group security identifier (SID) as part
of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID, rather
it has its own type of security descriptor. When Samba is used as a Domain Controller, it provides a method
Microsoft Windows domain security systems generate the user and group SID as part
of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID; rather,
it has its own type of security descriptor. When Samba is used as a domain controller, it provides a method
of producing a unique SID for each user and group. Samba generates a machine and a domain SID to which it
adds a relative identifier (RID) that is calculated algorithmically from a base value that can be specified
in the &smb.conf; file, plus twice (2X) the UID or GID. This method is called <quote>algorithmic mapping</quote>.
adds an RID that is calculated algorithmically from a base value that can be specified
in the &smb.conf; file, plus twice (2x) the UID or GID. This method is called <quote>algorithmic mapping</quote>.
</para>

<para>
<indexterm><primary>RID base</primary></indexterm>
For example, a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will
For example, ifa user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will
be <constant>1000 + (2 x 4321) = 9642</constant>. Thus, if the domain SID is
<constant>S-1-5-21-89238497-92787123-12341112</constant>, the resulting SID is
<constant>S-1-5-21-89238497-92787123-12341112-9642</constant>.
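Review bot: the rewrite drops a space: "For example, ifa user has a UID of 4321" should be "if a user". The arithmetic in the example is consistent with the rule stated above it (1000 + 2 x 4321 = 9642), and the RID is appended to the domain SID as the following lines show, so only the typo needs fixing.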
@ -307,14 +307,14 @@ on Server Types and Security Modes</link>.

<para>
<indexterm><primary>on-the-fly</primary></indexterm>
The foregoing type SID is produced by Samba as an automatic function and is either produced on-the-fly
(as in the case when using a <parameter>passdb backend = [tdbsam | smbpasswd]</parameter>, or may be stored
as a permanent part of an account in an LDAP based ldapsam.
The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly
(as is the case when using a <parameter>passdb backend = [tdbsam | smbpasswd]</parameter>), or may be stored
as a permanent part of an account in an LDAP-based ldapsam.
</para>

<para>
<indexterm><primary>SFU 3.5</primary></indexterm>
MS Active Directory Server (ADS) uses a directory schema that can be extended to accommodate additional
ADS uses a directory schema that can be extended to accommodate additional
account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand
the normal ADS schema to include UNIX account attributes. These must of course be managed separately
through a snap-in module to the normal ADS account management MMC interface.
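Review bot: "Microsoft Service for UNIX 3.5" in the unchanged context line disagrees with "Microsoft Services for UNIX version 3.5" in the earlier hunk of this commit; use the plural form consistently. Also, this hunk removes "MS Active Directory Server (ADS)", which is the only expansion of the "ADS" acronym visible in this diff; if the chapter does not spell it out earlier, keep the expansion here.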
@ -323,7 +323,7 @@ on Server Types and Security Modes</link>.
<para>
<indexterm><primary>PDC</primary></indexterm>
Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity.
In an NT4 domain context that PDC manages the distribution of all security credentials to the backup
In an NT4 domain context, that PDC manages the distribution of all security credentials to the backup
domain controllers. At this time the only passdb backend for a Samba domain controller that is suitable
for such information is an LDAP backend.
</para>
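Review bot: "that PDC manages the distribution" should be "the PDC manages the distribution"; the hunk adds the comma but keeps the wrong determiner. The unchanged context line immediately above also has a typo, "itegrity" for "integrity", that could be fixed in the same pass.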
@ -335,13 +335,13 @@ on Server Types and Security Modes</link>.

<para>
<indexterm><primary>BDC</primary></indexterm>
Backup Domain Controllers (BDCs) have read-only access to security credentials that are stored in LDAP.
BDCs have read-only access to security credentials that are stored in LDAP.
Changes in user or group account information are passed by the BDC to the PDC. Only the PDC can write
changes to the directory.
</para>

<para>
IDMAP information can however be written directly to the LDAP server so long as all domain controllers
IDMAP information can, however, be written directly to the LDAP server so long as all domain controllers
have access to the master (writable) LDAP server. Samba-3 at this time does not handle LDAP redirects
in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with
the IDMAP facility.
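Review bot: "This means that it is is unsafe" in the unchanged context line has a doubled "is". While in this paragraph, "a slave (replicate) LDAP server" would read better as "a replica LDAP server"; the preceding sentence already gives the reason (no LDAP redirect handling in the IDMAP backend), so the warning stands on its own.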
@ -361,7 +361,7 @@ on Server Types and Security Modes</link>.
<indexterm><primary>DMC</primary></indexterm>
Anyone who wishes to use <command>winbind</command> will find the following example configurations helpful.
Remember that in the majority of cases <command>winbind</command> is of primary interest for use with
Domain Member Servers (DMSs) and Domain Member Clients (DMCs).
domain member servers (DMSs) and domain member clients (DMCs).
</para>

<sect2>
@ -377,12 +377,12 @@ Domain Member Servers (DMSs) and Domain Member Clients (DMCs).
</para></listitem>

<listitem><para>
Networks that use MS Windows 200X ADS.
Networks that use MS Windows 200x ADS.
</para></listitem>
</itemizedlist>

<sect3>
<title>NT4 Style Domains (includes Samba Domains)</title>
<title>NT4-Style Domains (Includes Samba Domains)</title>

<para>
The following is a simple example of an NT4 DMS &smb.conf; file that shows only the global section.
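Review bot: this hunk changes "MS Windows 200X ADS" to "200x", but the earlier hunk in this same commit leaves "a Windows 200X Active Directory domain" with the capital X; pick one form for the whole chapter.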
@ -420,7 +420,7 @@ hosts: files wins

<procedure>
<step><para>
Create or install and &smb.conf; file with the above configuration.
Create or install an &smb.conf; file with the above configuration.
</para></step>

<step><para>
@ -456,7 +456,7 @@ Join to domain 'MEGANET2' is not valid

<para>
<indexterm><primary>domain join</primary></indexterm>
The procedure for joining and ADS domain is similar to the NT4 domain join, except the &smb.conf; file
The procedure for joining an ADS domain is similar to the NT4 domain join, except the &smb.conf; file
will have the following contents:
<screen>
# Global parameters
@ -482,9 +482,9 @@ Join to domain 'MEGANET2' is not valid
<indexterm><primary>MIT kerberos</primary></indexterm>
<indexterm><primary>Heimdal</primary></indexterm>
<indexterm><primary>Heimdal kerberos</primary></indexterm>
ADS DMS operation requires use of kerberos (KRB). For this to work the <filename>krb5.conf</filename>
must be configured. The exact requirements depends on which version of MIT or Heimdal kerberos is being
used. It is sound advice to use only the latest version, which at this time are MIT kerberos version
ADS DMS operation requires use of kerberos (KRB). For this to work, the <filename>krb5.conf</filename>
must be configured. The exact requirements depends on which version of MIT or Heimdal Kerberos is being
used. It is sound advice to use only the latest version, which at this time are MIT Kerberos version
1.3.5 and Heimdal 0.61.
</para>

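Review bot: two agreement errors survive the rewrite: "The exact requirements depends" should be "depend", and "the latest version, which at this time are MIT Kerberos version 1.3.5 and Heimdal 0.61" should be "the latest versions, which ... are". Capitalization is also inconsistent within the same paragraph: "kerberos (KRB)" stays lowercase while the two later occurrences become "Kerberos".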
@ -494,7 +494,7 @@ Join to domain 'MEGANET2' is not valid

<procedure>
<step><para>
Create or install and &smb.conf; file with the above configuration.
Create or install an &smb.conf; file with the above configuration.
</para></step>

<step><para>
@ -526,13 +526,13 @@ GARGOYLE$@'s password:
Join to domain is not valid
</screen>
<indexterm><primary>error message</primary></indexterm>
The specific error message may differ from the above as it depends on the type of failure that
may have occured. Increase the <parameter>log level</parameter> to 10, repeat the above test
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <parameter>log level</parameter> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.
</para></step>

<step><para>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
</para></step>

</procedure>
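Review bot: the start-up step lists <command>winbind</command> as a daemon to start, but the daemon's command name, as the earlier hunk in this diff writes it, is <command>winbindd</command>; splitting the <command> elements is the right fix, but the middle one should name the binary that is actually started.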
@ -551,7 +551,7 @@ Join to domain is not valid
The <command>idmap_rid</command> facility is a new tool that, unlike native winbind, creates a
predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method
of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data
in a central place. The down-side is that it can be used only within a single ADS Domain and
in a central place. The downside is that it can be used only within a single ADS domain and
is not compatible with trusted domain implementations.
</para>

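Review bot: "is a new tool" is unanchored in time; the IDMAP_RID paragraph earlier in this diff pins it to "new to Samba version 3.0.8", so say "introduced in Samba 3.0.8" here as well rather than "new".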
@ -560,10 +560,10 @@ Join to domain is not valid
<indexterm><primary>allow trusted domains</primary></indexterm>
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>idmap gid</primary></indexterm>
This alternate method of SID to UID/GID mapping can be achieved uses the idmap_rid
This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid
plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
<quote>allow trusted domains = No</quote> must be specified, as it is not compatible
<quote>allow trusted domains = No</quote> be specified, as it is not compatible
with multiple domain environments. The <parameter>idmap uid</parameter> and
<parameter>idmap gid</parameter> ranges must be specified.
</para>
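Review bot: "<quote>allow trusted domains = No</quote>" marks up an smb.conf parameter with <quote>, while the next sentence uses <parameter>idmap uid</parameter>; use <parameter> for the name (and <constant> for the value) here as well. In the unchanged context, "adding the RID to a base value specified" reads better as "adding the RID to a specified base value".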
@ -571,8 +571,8 @@ Join to domain is not valid
<para>
<indexterm><primary>idmap_rid</primary></indexterm>
<indexterm><primary>realm</primary></indexterm>
The idmap_rid facility can be used both for NT4/Samba style domains as well as with Active Directory.
To use this with an NT4 Domain the <parameter>realm</parameter> is not used, additionally the
The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory.
To use this with an NT4 domain, the <parameter>realm</parameter> is not used; additionally, the
method used to join the domain uses the <constant>net rpc join</constant> process.
</para>

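Review bot: "the method used to join the domain uses the <constant>net rpc join</constant> process" is redundant ("method used ... uses") and marks a command up as <constant>, whereas the later hunk writes <command>net rpc join</command>. Suggest "the domain is joined with <command>net rpc join</command>".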
@ -605,13 +605,12 @@ Join to domain is not valid
<indexterm><primary>response</primary></indexterm>
<indexterm><primary>getent</primary></indexterm>
In a large domain with many users it is imperative to disable enumeration of users and groups.
For examplem, at a site that has 22,000 users in Active Directory the winbind based user and
group resolution is unavailable for nearly 12 minutes following first start-up of
<command>winbind</command>. Disabling of such enumeration resulted in instantaneous response.
For example, at a site that has 22,000 users in Active Directory the winbind-based user and
group resolution is unavailable for nearly 12 minutes following first startup of
<command>winbind</command>. Disabling enumeration resulted in instantaneous response.
The disabling of user and group enumeration means that it will not be possible to list users
or groups using the <command>getent passwd</command> and <command>getent group</command>
commands. It will be possible to perform the lookup for individual users, as shown in the procedure
below.
commands. It will be possible to perform the lookup for individual users, as shown in the following procedure.
</para>

<para>
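Review bot: the paragraph says enumeration must be disabled but never names the settings that do it; the smb.conf parameters are "winbind enum users" and "winbind enum groups" (both set to No), and naming them here, or pointing at the example configuration that follows, would make the advice actionable. The rewritten line also still needs a comma: "22,000 users in Active Directory, the winbind-based user and group resolution".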
@ -636,7 +635,7 @@ hosts: files wins

<procedure>
<step><para>
Create or install and &smb.conf; file with the above configuration.
Create or install an &smb.conf; file with the above configuration.
</para></step>

<step><para>
@ -662,13 +661,13 @@ BIGJOE$@'s password:
ads_connect: No results returned
Join to domain is not valid
</screen>
The specific error message may differ from the above as it depends on the type of failure that
may have occured. Increase the <parameter>log level</parameter> to 10, repeat the above test
The specific error message may differ from the above because it depends on the type of failure that
may have occurred. Increase the <parameter>log level</parameter> to 10, repeat the test,
and then examine the log files produced to identify the nature of the failure.
</para></step>

<step><para>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
</para></step>

<step><para>
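Review bot: as in the NT4 procedure, the daemon to start is <command>winbindd</command>, not <command>winbind</command>; the rewritten step splits the <command> elements correctly but keeps the wrong name for the middle one.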
@ -684,19 +683,20 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</sect2>

<sect2>
<title>IDMAP Storage in LDAP using Winbind</title>
<title>IDMAP Storage in LDAP Using Winbind</title>

<para>
<indexterm><primary>ADAM</primary></indexterm>
<indexterm><primary>ADS</primary></indexterm>
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3 style domains as well as
with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards
complying LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using
the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and
ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any
standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP
configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM,
and so on.
</para>

<para>
The following example is for an ADS style domain:
The following example is for an ADS domain:
</para>

<para>
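Review bot: "standards-complying LDAP server" is the unusual form; the hyphenation fix is right, but the adjective should be "standards-compliant LDAP server".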
@ -722,17 +722,16 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
|
||||
|
||||
<para>
|
||||
<indexterm><primary>realm</primary></indexterm>
|
||||
In the case of an NT4 or Samba-3 style Domain the <parameter>realm</parameter> is not used and the
|
||||
command used to join the domain is: <command>net rpc join</command>. The above example also demonstrates
|
||||
advanced error reporting techniques that are documented in <link linkend="dbglvl">the chapter called
|
||||
Reporting Bugs</link>.
|
||||
In the case of an NT4 or Samba-3-style domain the <parameter>realm</parameter> is not used, and the
|
||||
command used to join the domain is <command>net rpc join</command>. The above example also demonstrates
|
||||
advanced error-reporting techniques that are documented in <link linkend="dbglvl">Reporting Bugs</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>MIT kerberos</primary></indexterm>
|
||||
<indexterm><primary>Heimdal kerberos</primary></indexterm>
|
||||
<indexterm><primary>/etc/krb5.conf</primary></indexterm>
|
||||
Where MIT kerberos is installed (version 1.3.4 or later) edit the <filename>/etc/krb5.conf</filename>
|
||||
Where MIT kerberos is installed (version 1.3.4 or later), edit the <filename>/etc/krb5.conf</filename>
|
||||
file so it has the following contents:
|
||||
<screen>
|
||||
[logging]
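Review bot: "kerberos" stays lowercase throughout this hunk ("MIT kerberos", "Heimdal kerberos", and both <indexterm> entries) even though the copyedit capitalizes other proper nouns; Kerberos is a product name and should read "MIT Kerberos" and "Heimdal Kerberos", including in the index terms so they sort with the other Kerberos entries. The Heimdal paragraph in the next hunk has the same issue.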
@ -757,8 +756,8 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</para>

<para>
Where Heimdal kerberos is installed edit the <filename>/etc/krb5.conf</filename>
file so it is either empty (i.e.: no contents) or it has the following contents:
Where Heimdal kerberos is installed, edit the <filename>/etc/krb5.conf</filename>
file so it is either empty (i.e., no contents) or it has the following contents:
<screen>
[libdefaults]
default_realm = SNOWSHOW.COM
@ -775,9 +774,9 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash
</para>

<note><para>
Samba can not use the Heimdal libraries if there is no <filename>/etc/krb5.conf</filename> file.
So long as there is an empty file the Heimdal kerberos libraries will be usable. There is no
need to specify any settings as Samba using the Heimdal libraries can figure this out automatically.
Samba cannot use the Heimdal libraries if there is no <filename>/etc/krb5.conf</filename> file.
So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no
need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically.
</para></note>

<para>
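Review bot: the reworded note still says Samba "can figure this out automatically" without saying from what, so a reader whose Heimdal-based Samba fails to locate its realm has nothing to check. Since the preceding paragraph offers `default_realm = SNOWSHOW.COM` as the explicit alternative, consider stating what the empty-file case relies on, or pointing the reader at the non-empty form when automatic discovery does not work.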
@ -815,7 +814,7 @@ ssl no
</para>

<para>
The following procedure may be followed to affect a working configuration:
The following procedure may be followed to effect a working configuration:
</para>

<procedure>
@ -824,7 +823,7 @@ ssl no
</para></step>

<step><para>
Create the <filename>/etc/krb5.conf</filename> file following the indications above.
Create the <filename>/etc/krb5.conf</filename> file as shown above.
</para></step>

<step><para>
@ -832,13 +831,13 @@ ssl no
</para></step>

<step><para>
Download, build and install the PADL nss_ldap tool set. Configure the
Download, build, and install the PADL nss_ldap tool set. Configure the
<filename>/etc/ldap.conf</filename> file as shown above.
</para></step>

<step><para>
Configure an LDAP server, initialize the directory with the top level entries needed by IDMAP
as shown in the following LDIF file:
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP,
shown in the following LDIF file:
<screen>
dn: dc=snowshow,dc=com
objectClass: dcObject
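Review bot: dropping "as" in the last step turns "needed by IDMAP as shown in the following LDIF file" into "needed by IDMAP, shown in the following LDIF file", which now reads as if IDMAP itself were shown in the LDIF. Keep "as shown in the following LDIF file:", the same phrasing this hunk uses two steps earlier for /etc/ldap.conf.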
@ -859,7 +858,7 @@ ou: idmap
</para></step>

<step><para>
Execute the command to join the Samba Domain Member Server to the ADS domain as shown here:
Execute the command to join the Samba DMS to the ADS domain as shown here:
<screen>
&rootprompt; net ads testjoin
Using short domain name -- SNOWSHOW
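Review bot: "Samba Domain Member Server" is shortened to "Samba DMS" without the expansion appearing anywhere in this hunk; unless DMS is defined earlier in the chapter, keep the expansion on first use. Separately, the step says "Execute the command to join", but the first command in the screen is `net ads testjoin`, which tests an existing join rather than performing one; either the text should say that the listing tests and then joins, or the join command should come first.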
@ -875,7 +874,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</para></step>

<step><para>
Start the <command>nmbd, winbind,</command> and <command>smbd</command> daemons in the order shown.
Start the <command>nmbd</command>, <command>winbind</command>, and <command>smbd</command> daemons in the order shown.
</para></step>
</procedure>
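Review bot: the daemon is `winbindd`, not `winbind`; the new line should read `<command>winbindd</command>` (the startup-order section later in this commit consistently names it winbindd). Splitting the three names into separate <command> elements is the right fix, so only the spelling needs changing.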

@ -889,7 +888,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM'
</sect2>

<sect2>
<title>IDMAP and NSS Using LDAP From ADS with RFC2307bis Schema Extension</title>
<title>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</title>

<para>
<indexterm><primary>rfc2307bis</primary></indexterm>
@ -950,12 +949,12 @@ hosts: files wins
</para>

<para>
The next step involves preparation on the ADS schema. This is briefly discussed in the remaining
The next step involves preparation of the ADS schema. This is briefly discussed in the remaining
part of this chapter.
</para>

<sect3>
<title>IDMAP, Active Directory and MS Services for UNIX 3.5</title>
<title>IDMAP, Active Directory, and MS Services for UNIX 3.5</title>

<para>
<indexterm><primary>SFU</primary></indexterm>
@ -973,7 +972,7 @@ hosts: files wins
<para>
Instructions for obtaining and installing the AD4UNIX tool set can be found from the
<ulink url="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach">
Geekcomix</ulink> web site.
Geekcomix</ulink> Web site.
</para>

</sect3>
@ -19,13 +19,13 @@
<para>
Binary packages of Samba are included in almost any Linux or
UNIX distribution. There are also some packages available at
<ulink url="http://samba.org/">the Samba home-page</ulink>. Refer to
<ulink url="http://samba.org/">the Samba home page</ulink>. Refer to
the manual of your operating system for details on installing packages
for your specific operating system.
</para>

<para>If you need to compile Samba from source, check
<link linkend="compiling">How to compile Samba.</link>
<link linkend="compiling">How to Compile Samba.</link>
</para>

</sect1>
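Review bot: the sentence-ending period sits inside the <link> ("How to Compile Samba.</link>"), so it is rendered as part of the link text; move it outside: `<link linkend="compiling">How to Compile Samba</link>.`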
@ -43,13 +43,13 @@
</para>

<sect2>
<title>Configuration file syntax</title>
<title>Configuration File Syntax</title>

<para>The &smb.conf; file uses the same syntax as the various old
.ini files in Windows 3.1: Each file consists of various sections,
which are started by putting the section name between brackets ([])
on a new line. Each contains zero or more key/value-pairs separated by an
equality sign (=). The file is just a plain-text file, so you can
on a new line. Each contains zero or more key/value pairs separated by an
equality sign (=). The file is just a plaintext file, so you can
open and edit it with your favorite editing tool.</para>

<para>Each section in the &smb.conf; file represents a share
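Review bot: changing "plain-text file" to "plaintext file" goes the wrong way for a security-related manual: "plaintext" is the term for unencrypted data, while a file format is "plain text". Suggest "The file is just a plain text file, so you can ...".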
@ -57,7 +57,7 @@
contains settings that apply to the whole Samba server and not
to one share in particular.</para>

<para><link linkend="smbconfminimal">Following example</link> contains a very minimal &smb.conf;.
<para><link linkend="smbconfminimal">A minimal smb.conf</link> contains a very minimal &smb.conf;.
<indexterm><primary>minimal configuration</primary></indexterm>
</para>
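Review bot: with the new link text the sentence reads "A minimal smb.conf contains a very minimal smb.conf", which is circular. Since the link text now repeats the example's title, rephrase around it, e.g. `<link linkend="smbconfminimal">A minimal smb.conf</link> shows a very minimal &smb.conf;.`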

@ -98,8 +98,8 @@
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP based protocols. The <command>nmbd</command> daemon should
be the first command started as part of the Samba start-up process.
in network browsing. It handles all UDP-based protocols. The <command>nmbd</command> daemon should
be the first command started as part of the Samba startup process.
</para></listitem>
</varlistentry>
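Review bot: the two <indexterm> entries in this hunk point at smbd, but the paragraph they sit in describes nmbd (name registration, browsing, UDP); the next hunk has the mirror problem, with nmbd index terms on the paragraph describing smbd (TCP/IP connection services, local authentication). The copyedit leaves the swap in place; the primary/secondary terms should be exchanged between the two entries so the index sends readers to the right daemon.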

@ -107,8 +107,8 @@
<listitem><para>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
This daemon handles all TCP/IP based connection services for file and print based operations. It also
manages local authentication. It should be started immediately following the start-up of <command>nmbd</command>.
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of <command>nmbd</command>.
</para></listitem>
</varlistentry>

@ -116,18 +116,18 @@
<listitem><para>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. It is also needed when
Samba has trust relationships with another Domain. The <command>winbindd</command> daemon will check the
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The <command>winbindd</command> daemon will check the
&smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
parameters. If they are not found <command>winbindd</command> will bail-out and refuse to start.
parameters. If they are not found, <command>winbindd</command> will bail out and refuse to start.
</para></listitem>
</varlistentry>
</variablelist>

<para>
When Samba has been packaged by an operating system vendor the start-up process is typically a custom feature of its
When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
integration into the platform as a whole. Please refer to your operating system platform administration manuals for
specific information pertaining to correct management of Samba start-up.
specific information pertaining to correct management of Samba startup.
</para>

</sect2>
@ -145,24 +145,22 @@
</para>

<para>
The simplest useful configuration file would contain something like shown in
<link linkend="simple-example">the next example</link>.
The simplest useful configuration file would contain something like that shown in
<link linkend="simple-example">Another simple smb.conf File</link>.
<indexterm><primary>simple configuration</primary></indexterm>
</para>

<para>
<indexterm><primary>simple configuration</primary></indexterm>
<example id="simple-example">
<title>Another simple smb.conf File</title>
<smbconfblock>
<example id="simple-example">
<title>Another simple smb.conf File</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>

<smbconfsection name="[homes]"/>
<smbconfoption name="guest ok">no</smbconfoption>
<smbconfoption name="read only">no</smbconfoption>
</smbconfblock>
</smbconfblock>
</example>
</para>

<para>
This will allow connections by anyone with an account on the server, using either
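Review bot: moving the <example> out of its enclosing <para> and the indexterm into the previous paragraph is the right fix (a block-level example inside a paragraph is poor DocBook), but the cross-reference now hard-codes the example title "Another simple smb.conf File" in the link text, so the two drift apart if the title is ever edited. An `<xref linkend="simple-example"/>` would generate the title automatically; the same applies to the "A minimal smb.conf" link earlier in this file.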
@ -177,8 +175,8 @@

<para>
For more information about security settings for the
<smbconfsection name="[homes]"/> share please refer to
<link linkend="securing-samba">Securing Samba</link> chapter.
<smbconfsection name="[homes]"/> share, please refer to
<link linkend="securing-samba">Securing Samba</link>.
</para>

<sect3>
@ -194,7 +192,7 @@
&rootprompt; testparm /etc/samba/smb.conf
</screen>

<para>Testparm will parse your configuration file and report
<para>testparm will parse your configuration file and report
any unknown parameters or incorrect syntax. </para>
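Review bot: lowercasing "Testparm" at the start of the sentence is correct for the command name, but it should then be marked up as `<command>testparm</command>`, as `<command>smbclient</command>` is elsewhere in this file; otherwise the sentence opens with an unmarked lowercase word.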


@ -214,7 +212,7 @@
SWAT is a Web-based interface that can be used to facilitate the configuration of Samba.
SWAT might not be available in the Samba package that shipped with your platform,
but in a separate package. Please read the SWAT man page
on compiling, installing and configuring SWAT from source.
on compiling, installing, and configuring SWAT from source.
</para>

<para>
@ -226,10 +224,10 @@

<para>
SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote
machine leaves your connection open to password sniffing as passwords will be sent over the wire in the clear.
machine leaves your connection open to password sniffing because passwords will be sent over the wire in the clear.
</para>

<para>More information about SWAT can be found in <link linkend="SWAT">corresponding chapter</link>.</para>
<para>More information about SWAT can be found in <link linkend="SWAT"></link>.</para>

</sect2>
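Review bot: the replacement leaves an empty `<link linkend="SWAT"></link>`, which renders as a link with no text in most DocBook toolchains, so the sentence ends in "can be found in ." Either keep link text or use `<xref linkend="SWAT"/>` to have the chapter title generated. The warning just above it about SWAT sending passwords over the wire in the clear is worth keeping exactly as strong as it is.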

@ -239,7 +237,7 @@
<title>List Shares Available on the Server</title>

<para>
To list shares that are available from the configured Samba server execute the
To list shares that are available from the configured Samba server, execute the
following command:
</para>

@ -251,7 +249,7 @@
something is incorrectly configured. This method can also be used to see what shares
are available on other SMB servers, such as Windows 2000.</para>

<para>If you choose user-level security you may find that Samba requests a password
<para>If you choose user-level security, you may find that Samba requests a password
before it will list the shares. See the <command>smbclient</command> man page for details.
You can force it to list the shares without a password by adding the option
<option>-N</option> to the command line. </para>
@ -268,7 +266,7 @@

<para>Typically <replaceable>yourhostname</replaceable> is the name of the host on which &smbd;
has been installed. The <replaceable>aservice</replaceable> is any service that has been defined in the &smb.conf;
file. Try your user name if you just have a <smbconfsection name="[homes]"/> section in the &smb.conf; file.</para>
file. Try your username if you just have a <smbconfsection name="[homes]"/> section in the &smb.conf; file.</para>

<para>Example: If the UNIX host is called <replaceable>bambi</replaceable> and a valid login name
is <replaceable>fred</replaceable>, you would type:</para>
@ -285,15 +283,15 @@
access it from other clients. Within a few minutes, the Samba host
should be listed in the Network Neighborhood on all Windows
clients of its subnet. Try browsing the server from another client
or 'mounting' it.</para>
or "mounting" it.</para>

<para>Mounting disks from a DOS, Windows or OS/2 client can be done by running a command such as:</para>
<para>Mounting disks from a DOS, Windows, or OS/2 client can be done by running a command such as:</para>

<para><screen>
&dosprompt;<userinput>net use d: \\servername\service</userinput>
</screen></para>

<para>Try printing, e.g.</para>
<para>Try printing, for example,</para>

<para>
<screen>
@ -308,12 +306,13 @@
<sect1>
<title>What If Things Don't Work?</title>

<para>You might want to read <link linkend="diagnosis">The Samba Checklist</link>.
If you are still stuck, refer to <link linkend="problems">Analyzing and Solving Samba Problems</link> chapter.
Samba has been successfully installed at thousands of sites worldwide.
It is unlikely that your particular problem is unique, so it might be
productive to perform an Internet search to see if someone else has encountered
your problem and has found a way to overcome it.</para>
<para>
You might want to read <link linkend="diagnosis">The Samba Checklist</link>. If you are still
stuck, refer to <link linkend="problems">Analyzing and Solving Samba Problems</link>. Samba has
been successfully installed at thousands of sites worldwide. It is unlikely that your particular problem is
unique, so it might be productive to perform an Internet search to see if someone else has encountered your
problem and has found a way to overcome it.
</para>

</sect1>

@ -329,12 +328,12 @@ The following questions and issues are raised repeatedly on the Samba mailing li

<para>
Samba consists of three core programs: &nmbd;, &smbd;, and &winbindd;. &nmbd; is the name server message daemon,
&smbd; is the server message daemon, and &winbindd; is the daemon that handles communication with Domain Controllers.
&smbd; is the server message daemon, and &winbindd; is the daemon that handles communication with domain controllers.
</para>

<para>
If Samba is <emphasis>not</emphasis> running as a WINS server, then there will be one single instance of
&nmbd; running on your system. If it is running as a WINS server then there will be
&nmbd; running on your system. If it is running as a WINS server, then there will be
two instances &smbmdash; one to handle the WINS requests.
</para>

@ -366,11 +365,11 @@ run in <emphasis>split mode</emphasis> (in which case there will be two instance
<title><quote><errorname>The network name cannot be found</errorname></quote></title>

<para>
This error can be caused by one of these mis-configurations:
This error can be caused by one of these misconfigurations:
</para>

<itemizedlist>
<listitem><para>You specified an non-existing path
<listitem><para>You specified a nonexisting path
for the share in &smb.conf;.</para></listitem>

<listitem><para>The user you are trying to access the share with does not
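Review bot: "an non-existing" to "a nonexisting" fixes the article but leaves a nonstandard adjective; the usual form is "a nonexistent path".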
@ -11,18 +11,18 @@

<para>
<indexterm><primary>NetBIOS</primary></indexterm>
This section deals with NetBIOS over TCP/IP name to IP address resolution. If
This chapter deals with NetBIOS over TCP/IP name to IP address resolution. If
your MS Windows clients are not configured to use NetBIOS over TCP/IP, then this
section does not apply to your installation. If your installation
involves the use of
NetBIOS over TCP/IP then this section may help you to resolve networking problems.
NetBIOS over TCP/IP, then this chapter may help you to resolve networking problems.
</para>

<note>
<para>
NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
over Logical Link Control (LLC). On modern networks it is highly advised
to not run NetBEUI at all. Note also there is no such thing as
to not run NetBEUI at all. Note also that there is no such thing as
NetBEUI over TCP/IP &smbmdash; the existence of such a protocol is a complete
and utter misapprehension.
</para>
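Review bot: two occurrences of "section" are changed to "chapter", but a third on the unchanged line "section does not apply to your installation" is left as is, so the paragraph now mixes both terms; change that one to "chapter" as well.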
@ -35,7 +35,7 @@ and utter misapprehension.
Many MS Windows network administrators have never been exposed to basic TCP/IP
networking as it is implemented in a UNIX/Linux operating system. Likewise, many UNIX and
Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP-based
networking (and may have no desire to be either).
networking (and may have no desire to be, either).
</para>

<para>
@ -52,15 +52,15 @@ its IP address for each operating system environment.
Since the introduction of MS Windows 2000, it is possible to run MS Windows networking
without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 will be
used and the UDP port 137 and TCP port 139 will not.
TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 is
used, and the UDP port 137 and TCP port 139 are not.
</para>

<note>
<para>
When using Windows 2000 or later clients, if NetBIOS over TCP/IP is not disabled, then
the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet
Name Service or WINS), TCP port 139 and TCP port 445 (for actual file and print traffic).
Name Service, or WINS), TCP port 139, and TCP port 445 (for actual file and print traffic).
</para>
</note>

@ -68,7 +68,7 @@ Name Service or WINS), TCP port 139 and TCP port 445 (for actual file and print
When NetBIOS over TCP/IP is disabled, the use of DNS is essential. Most installations that
disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires
<indexterm><primary>DNS</primary><secondary>Dynamic</secondary></indexterm>
Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
<indexterm><primary>DHCP</primary></indexterm>
Use of DHCP with ADS is recommended as a further means of maintaining central control
over the client workstation network configuration.
@ -111,13 +111,13 @@ IP addresses.
Network packets that are sent over the physical network transport
layer communicate not via IP addresses but rather using the Media
Access Control address, or MAC address. IP addresses are currently
32 bits in length and are typically presented as four (4) decimal
numbers that are separated by a dot (or period). For example, 168.192.1.1.
32 bits in length and are typically presented as four decimal
numbers that are separated by a dot (or period) &smbmdash; for example, 168.192.1.1.
</para>

<para>
<indexterm><primary>MAC Addresses</primary></indexterm>
MAC Addresses use 48 bits (or 6 bytes) and are typically represented
MAC addresses use 48 bits (or 6 bytes) and are typically represented
as two-digit hexadecimal numbers separated by colons: 40:8e:0a:12:34:56.
</para>
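Review bot: the example address 168.192.1.1 is a routable public address (it looks like a transposition of 192.168.1.1, which is in private address space); documentation examples should use a private or documentation range so nobody copies a live address into a configuration. The copyedit already touches this line, so it is the natural place to fix it.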

@ -132,7 +132,7 @@ any particular interface, the assignment of an IP address makes sense
from a network management perspective. More than one IP address can
be assigned per MAC address. One address must be the primary IP
address &smbmdash;
this is the address that will be returned in the ARP reply.
this is the address that will be returned in the Address Resolution Protocol (ARP) reply.
</para>

<para>
@ -146,8 +146,8 @@ by the TCP/IP configuration control files. The file
<para>
When the IP address of the destination interface has been
determined, a protocol called ARP/RARP is used to identify
the MAC address of the target interface. ARP stands for Address
Resolution Protocol and is a broadcast-oriented method that
the MAC address of the target interface. ARP
is a broadcast-oriented method that
uses User Datagram Protocol (UDP) to send a request to all
interfaces on the local network segment using the all 1s MAC
address. Network interfaces are programmed to respond to two
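Review bot: the rewrite removes the ARP expansion (now given in the previous hunk) but keeps the claim on the unchanged line that ARP "uses User Datagram Protocol (UDP) to send a request"; ARP is not carried over UDP or IP at all, it is a link-layer protocol sent directly in Ethernet frames to the broadcast MAC address (the "all 1s MAC address" the next line refers to). Suggest "is a broadcast-oriented method that sends a request to all interfaces on the local network segment using the all 1s MAC address" and dropping the UDP clause.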
@ -188,8 +188,8 @@ This file tells the name resolution libraries:
host names to their IP address.
</para></listitem>

<listitem><para>The name or IP address of available Domain
Name Servers that may be asked to perform name-to-address
<listitem><para>The name or IP address of available domain
name servers that may be asked to perform name-to-address
translation lookups.
</para></listitem>
</itemizedlist>
@ -207,15 +207,12 @@ This file tells the name resolution libraries:
which the setting in <filename>/etc/resolv.conf</filename> may be effected. It is a
critical configuration file. This file controls the order by
which name resolution may proceed. The typical structure is:
</para>

<para><programlisting>
<programlisting>
order hosts,bind
multi on
</programlisting></para>

<para>
then both addresses should be returned. Please refer to the
<para>Both addresses should be returned. Please refer to the
man page for <filename>host.conf</filename> for further details.
</para>
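Review bot: taking the `<programlisting>` out of the `<para>` is correct, but the new sentence "Both addresses should be returned." has no antecedent for "both"; the old text's dangling "then" at least hinted that a condition came before it. Tie the sentence to the `multi on` line in the listing (what that setting returns when a host has more than one entry) so the reader knows which addresses are meant.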

@ -232,10 +229,7 @@ man page for <filename>host.conf</filename> for further details.
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
This file controls the actual name resolution targets. The
file typically has resolver object specifications as follows:
</para>


<para><programlisting>
<programlisting>
# /etc/nsswitch.conf
#
# Name Service Switch configuration file.
@ -275,10 +269,10 @@ principal of speaking only when necessary.
Starting with version 2.2.0, Samba has Linux support for extensions to
the name service switch infrastructure so Linux clients will
be able to obtain resolution of MS Windows NetBIOS names to IP
Addresses. To gain this functionality, Samba needs to be compiled
addresses. To gain this functionality, Samba needs to be compiled
with appropriate arguments to the make command (i.e., <userinput>make
nsswitch/libnss_wins.so</userinput>). The resulting library should
then be installed in the <filename>/lib</filename> directory and
then be installed in the <filename>/lib</filename> directory, and
the <parameter>wins</parameter> parameter needs to be added to the <quote>hosts:</quote> line in
the <filename>/etc/nsswitch.conf</filename> file. At this point, it
will be possible to ping any MS Windows machine by its NetBIOS
@ -294,22 +288,22 @@ which both the Samba machine and the MS Windows machine belong.
<title>Name Resolution as Used within MS Windows Networking</title>

<para>
MS Windows networking is predicated about the name each machine
MS Windows networking is predicated on the name each machine
is given. This name is known variously (and inconsistently) as
the <quote>computer name,</quote> <quote>machine name,</quote> <quote>networking name,</quote> <quote>netbios name,</quote>
the <quote>computer name,</quote> <quote>machine name,</quote> <quote>networking name,</quote> <quote>NetBIOS name,</quote>
or <quote>SMB name.</quote> All terms mean the same thing with the exception of
<quote>netbios name</quote> that can also apply to the name of the workgroup or the
<quote>NetBIOS name,</quote> which can also apply to the name of the workgroup or the
domain name. The terms <quote>workgroup</quote> and <quote>domain</quote> are really just a
simple name with which the machine is associated. All NetBIOS names
are exactly 16 characters in length. The 16<superscript>th</superscript> character is reserved.
It is used to store a one-byte value that indicates service level
It is used to store a 1-byte value that indicates service level
information for the NetBIOS name that is registered. A NetBIOS machine
name is, therefore, registered for each service type that is provided by
name is therefore registered for each service type that is provided by
the client/server.
</para>

<para>
<link linkend="uniqnetbiosnames">Unique NetBIOS Names</link> and <link linkend="netbiosnamesgrp">Group Names</link> tables
<link linkend="uniqnetbiosnames">Unique NetBIOS names</link> and <link linkend="netbiosnamesgrp">group names</link> tables
list typical NetBIOS name/service type registrations.
</para>

@ -320,9 +314,9 @@ list typical NetBIOS name/service type registrations.
<colspec align="justify"/>
<tbody>
<row><entry>MACHINENAME<00></entry><entry>Server Service is running on MACHINENAME</entry></row>
<row><entry>MACHINENAME<03></entry><entry>Generic Machine Name (NetBIOS name)</entry></row>
<row><entry>MACHINENAME<20></entry><entry>LanMan Server service is running on MACHINENAME</entry></row>
<row><entry>WORKGROUP<1b></entry><entry>Domain Master Browser</entry></row>
<row><entry>MACHINENAME<03></entry><entry>Generic machine name (NetBIOS name)</entry></row>
<row><entry>MACHINENAME<20></entry><entry>LanMan server service is running on MACHINENAME</entry></row>
<row><entry>WORKGROUP<1b></entry><entry>Domain master browser</entry></row>
</tbody>
</tgroup>
</table>
@ -333,10 +327,10 @@ list typical NetBIOS name/service type registrations.
<colspec align="left"/>
<colspec align="justify"/>
<tbody>
<row><entry>WORKGROUP<03></entry><entry>Generic Name registered by all members of WORKGROUP</entry></row>
<row><entry>WORKGROUP<1c></entry><entry>Domain Controllers / Netlogon Servers</entry></row>
<row><entry>WORKGROUP<1d></entry><entry>Local Master Browsers</entry></row>
<row><entry>WORKGROUP<1e></entry><entry>Browser Election Service</entry></row>
<row><entry>WORKGROUP<03></entry><entry>Generic name registered by all members of WORKGROUP</entry></row>
<row><entry>WORKGROUP<1c></entry><entry>Domain cntrollers/netlogon servers</entry></row>
<row><entry>WORKGROUP<1d></entry><entry>Local master browsers</entry></row>
<row><entry>WORKGROUP<1e></entry><entry>Browser election service</entry></row>
</tbody>
</tgroup>
</table>
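Review bot: the new WORKGROUP<1c> entry introduces a typo, "Domain cntrollers/netlogon servers"; it should read "Domain controllers/netlogon servers".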
@ -344,16 +338,17 @@ list typical NetBIOS name/service type registrations.
<para>
<indexterm><primary>NetBIOS</primary></indexterm>
It should be noted that all NetBIOS machines register their own
names as per the above. This is in vast contrast to TCP/IP
installations where traditionally the system administrator will
determine in the <filename>/etc/hosts</filename> or in the DNS database what names
names as per <link linkend="u niqnetbiosnames">Unique NetBIOS names</link> and <link
linkend="netbiosnamesgrp">group names</link>. This is in vast contrast to TCP/IP
installations where the system administrator traditionally
determines in the <filename>/etc/hosts</filename> or in the DNS database what names
are associated with each IP address.
</para>

<para>
<indexterm><primary>NetBIOS</primary></indexterm>
One further point of clarification should be noted. The <filename>/etc/hosts</filename>
file and the DNS records do not provide the NetBIOS name type information
file and the DNS records do not provide the NetBIOS name information
that MS Windows clients depend on to locate the type of service that may
be needed. An example of this is what happens when an MS Windows client
wants to locate a domain logon server. It finds this service and the IP
|
||||
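Review bot: dropping "type" from "NetBIOS name type information" in the second paragraph loses the point of the sentence. What /etc/hosts and DNS lack is the name-type (suffix) byte, which is exactly what the following clause, "to locate the type of service that may be needed", depends on; keep "name type information". Also confirm that the new link targets uniqnetbiosnames and netbiosnamesgrp exist as ids on the two tables earlier in this chapter, otherwise the xref will break the build.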
@ -365,27 +360,27 @@ Whichever machine first replies, it then ends up providing the logon services.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The name <quote>workgroup</quote> or <quote>domain</quote> really can be confusing since these
|
||||
The name <quote>workgroup</quote> or <quote>domain</quote> really can be confusing, since these
|
||||
have the added significance of indicating what is the security
|
||||
architecture of the MS Windows network. The term <quote>workgroup</quote> indicates
|
||||
that the primary nature of the network environment is that of a
|
||||
peer-to-peer design. In a WORKGROUP, all machines are responsible for
|
||||
peer-to-peer design. In a workgroup, all machines are responsible for
|
||||
their own security, and generally such security is limited to the use of
|
||||
just a password (known as Share Level security). In most situations
|
||||
just a password (known as share-level security). In most situations
|
||||
with peer-to-peer networking, the users who control their own machines
|
||||
will simply opt to have no security at all. It is possible to have
|
||||
User Level Security in a WORKGROUP environment, thus requiring the use
|
||||
of a user name and a matching password.
|
||||
user-level security in a workgroup environment, thus requiring the use
|
||||
of a username and a matching password.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
MS Windows networking is thus predetermined to use machine names
|
||||
for all local and remote machine message passing. The protocol used is
|
||||
called Server Message Block (SMB) and this is implemented using
|
||||
the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
|
||||
called Server Message Block (SMB), and this is implemented using
|
||||
the NetBIOS protocol (Network Basic Input/Output System). NetBIOS can
|
||||
be encapsulated using LLC (Logical Link Control) protocol &smbmdash; in which case
|
||||
the resulting protocol is called NetBEUI (Network Basic Extended User
|
||||
Interface). NetBIOS can also be run over IPX (Inter-networking Packet
|
||||
Interface). NetBIOS can also be run over IPX (Internetworking Packet
|
||||
Exchange) protocol as used by Novell NetWare, and it can be run
|
||||
over TCP/IP protocols &smbmdash; in which case the resulting protocol is called
|
||||
NBT or NetBT, the NetBIOS over TCP/IP.
|
||||
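Review bot: documentation: the "share-level security" and "user-level security" terms in the workgroup paragraph now match the rest of the book, but they are left hanging without a pointer to where the administrator actually sets them; a <smbconfoption name="security"> reference here (share versus user) would tie the concept to the parameter.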
@ -404,16 +399,16 @@ limited to this area.
|
||||
All MS Windows machines employ an in-memory buffer in which is
|
||||
stored the NetBIOS names and IP addresses for all external
|
||||
machines that machine has communicated with over the
|
||||
past 10-15 minutes. It is more efficient to obtain an IP address
|
||||
past 10 to 15 minutes. It is more efficient to obtain an IP address
|
||||
for a machine from the local cache than it is to go through all the
|
||||
configured name resolution mechanisms.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If a machine whose name is in the local name cache has been shut
|
||||
down before the name had been expired and flushed from the cache, then
|
||||
If a machine whose name is in the local name cache is shut
|
||||
down before the name is expired and flushed from the cache, then
|
||||
an attempt to exchange a message with that machine will be subject
|
||||
to time-out delays. Its name is in the cache, so a name resolution
|
||||
to timeout delays. Its name is in the cache, so a name resolution
|
||||
lookup will succeed, but the machine cannot respond. This can be
|
||||
frustrating for users but is a characteristic of the protocol.
|
||||
</para>
|
||||
@ -422,7 +417,7 @@ frustrating for users but is a characteristic of the protocol.
|
||||
<indexterm><primary>nbtstat</primary></indexterm>
|
||||
<indexterm><primary>nmblookup</primary></indexterm>
|
||||
The MS Windows utility that allows examination of the NetBIOS
|
||||
name cache is called <quote>nbtstat</quote>. The Samba equivalent of this
|
||||
name cache is called <quote>nbtstat.</quote> The Samba equivalent
|
||||
is called <command>nmblookup</command>.
|
||||
</para>
|
||||
|
||||
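Review bot: "The Samba equivalent is called nmblookup" is inaccurate and the copyedit did not fix it: nbtstat -c displays the workstation's local NetBIOS name cache, while nmblookup has no cache to show, it sends a name query on the wire. If the sentence stays, say that nmblookup is Samba's tool for querying NetBIOS names, not for examining a cache.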
@ -434,7 +429,7 @@ is called <command>nmblookup</command>.
|
||||
<para>
|
||||
<indexterm><primary>LMHOSTS</primary></indexterm>
|
||||
This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in the directory
|
||||
<filename>%SystemRoot%\SYSTEM32\DRIVERS\ETC</filename> and contains the IP Address
|
||||
<filename>%SystemRoot%\SYSTEM32\DRIVERS\ETC</filename> and contains the IP address
|
||||
and the machine name in matched pairs. The <filename>LMHOSTS</filename> file
|
||||
performs NetBIOS name to IP address mapping.
|
||||
</para>
|
||||
@ -468,8 +463,8 @@ It typically looks like this:
|
||||
# \0xnn (non-printing character support)
|
||||
#
|
||||
# Following any entry in the file with the characters "#PRE" will cause
|
||||
# the entry to be pre-loaded into the name cache. By default, entries are
|
||||
# not pre-loaded, but are parsed only after dynamic name resolution fails.
|
||||
# the entry to be preloaded into the name cache. By default, entries are
|
||||
# not preloaded, but are parsed only after dynamic name resolution fails.
|
||||
#
|
||||
# Following an entry with the "#DOM:<domain>" tag will associate the
|
||||
# entry with the domain specified by <domain>. This effects how the
|
||||
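Review bot: the "pre-loaded"/"preloaded" change is inside the verbatim LMHOSTS sample that Windows ships as lmhosts.sam; a quoted file should be reproduced as shipped, so revert these two lines. The "This effects how" on the following context line should be "affects" unless the block is being quoted verbatim, in which case leave it as well.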
@ -531,7 +526,7 @@ It typically looks like this:
|
||||
<para>
|
||||
This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in
|
||||
the directory <filename>%SystemRoot%\SYSTEM32\DRIVERS\ETC</filename> and contains
|
||||
the IP Address and the IP hostname in matched pairs. It can be
|
||||
the IP address and the IP hostname in matched pairs. It can be
|
||||
used by the name resolution infrastructure in MS Windows, depending
|
||||
on how the TCP/IP environment is configured. This file is in
|
||||
every way the equivalent of the UNIX/Linux <filename>/etc/hosts</filename> file.
|
||||
@ -547,13 +542,13 @@ every way the equivalent of the UNIX/Linux <filename>/etc/hosts</filename> file.
|
||||
<indexterm><primary>DNS</primary></indexterm>
|
||||
This capability is configured in the TCP/IP setup area in the network
|
||||
configuration facility. If enabled, an elaborate name resolution sequence
|
||||
is followed, the precise nature of which is dependant on how the NetBIOS
|
||||
is followed, the precise nature of which is dependent on how the NetBIOS
|
||||
Node Type parameter is configured. A Node Type of 0 means that
|
||||
NetBIOS broadcast (over UDP broadcast) is used if the name
|
||||
that is the subject of a name lookup is not found in the NetBIOS name
|
||||
cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
|
||||
cache. If that fails, then DNS, HOSTS, and LMHOSTS are checked. If set to
|
||||
Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
|
||||
WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
|
||||
WINS server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
|
||||
lookup is used.
|
||||
</para>
|
||||
|
||||
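Review bot: the numeric node types in this paragraph do not match the values Windows and DHCP option 46 use (1 = B-node, broadcast; 2 = P-node, WINS only; 4 = M-node; 8 = H-node), so "A Node Type of 0" is wrong and was not corrected here. Suggest naming the modes (B-node, H-node/hybrid) alongside the numbers; for H-node the order is name cache, WINS, broadcast, then LMHOSTS, HOSTS and DNS, which also tightens the loose "before DNS, HOSTS, LMHOSTS, or broadcast" ordering.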
@ -568,7 +563,7 @@ lookup is used.
|
||||
A WINS (Windows Internet Name Server) service is the equivalent of the
|
||||
rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
|
||||
the names and IP addresses that are registered by a Windows client
|
||||
if the TCP/IP setup has been given at least one WINS Server IP Address.
|
||||
if the TCP/IP setup has been given at least one WINS server IP address.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -606,12 +601,12 @@ of the WINS server.
|
||||
|
||||
<para>
|
||||
TCP/IP network configuration problems find every network administrator sooner or later.
|
||||
The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
|
||||
The cause can be anything from keyboard mishaps to forgetfulness to simple mistakes to
|
||||
carelessness. Of course, no one is ever deliberately careless!
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Pinging Works Only in One Way</title>
|
||||
<title>Pinging Works Only One Way</title>
|
||||
|
||||
<para>
|
||||
<quote>I can ping my Samba server from Windows, but I cannot ping my Windows
|
||||
@ -619,8 +614,8 @@ carelessness. Of course, no one is ever deliberately careless!
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Answer:</emphasis> The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
|
||||
Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
|
||||
The Windows machine was at IP address 192.168.1.2 with netmask 255.255.255.0, the
|
||||
Samba server (Linux) was at IP address 192.168.1.130 with netmask 255.255.255.128.
|
||||
The machines were on a local network with no external connections.
|
||||
</para>
|
||||
|
||||
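Review bot: removing the <emphasis>Answer:</emphasis> label leaves the question, still marked up with <quote>, followed directly by a paragraph that reads like a continuation of the question. Later hunks in this commit handle the same pattern by wrapping the question in <emphasis> before dropping the label; use one convention for every Q/A in the chapter.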
@ -644,17 +639,17 @@ carelessness. Of course, no one is ever deliberately careless!
|
||||
remote connection is down.</para></listitem>
|
||||
<listitem><para>Client is configured to use a WINS server, but there is no WINS server.</para></listitem>
|
||||
<listitem><para>Client is not configured to use a WINS server, but there is a WINS server.</para></listitem>
|
||||
<listitem><para>Firewall is filtering our DNS or WINS traffic.</para></listitem>
|
||||
<listitem><para>Firewall is filtering out DNS or WINS traffic.</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Samba Server Name Change Problem</title>
|
||||
<title>Samba Server Name-Change Problem</title>
|
||||
|
||||
<para>
|
||||
<quote>The name of the Samba server was changed, Samba was restarted, Samba server cannot be
|
||||
ping-ed by new name from MS Windows NT4 Workstation, but it does still respond to ping using
|
||||
<quote>The name of the Samba server was changed, Samba was restarted, and now the Samba server cannot be
|
||||
pinged by its new name from an MS Windows NT4 workstation, but it does still respond to pinging using
|
||||
the old name. Why?</quote>
|
||||
</para>
|
||||
|
||||
@ -663,9 +658,9 @@ carelessness. Of course, no one is ever deliberately careless!
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>WINS is not in use, only broadcast-based name resolution is used.</para></listitem>
|
||||
<listitem><para>The Samba server was renamed and restarted within the last 10-15 minutes.</para></listitem>
|
||||
<listitem><para>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 Workstation.</para></listitem>
|
||||
<listitem><para>WINS is not in use; only broadcast-based name resolution is used.</para></listitem>
|
||||
<listitem><para>The Samba server was renamed and restarted within the last 10 or 15 minutes.</para></listitem>
|
||||
<listitem><para>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 workstation.</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
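Review bot: "within the last 10 or 15 minutes" disagrees with the cache lifetime phrased earlier in this chapter as "past 10 to 15 minutes"; use the same range wording in both places.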
@ -702,9 +697,9 @@ SARDON <00> GROUP Registered
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In the above example, &example.server.samba; is the Samba server and &example.workstation.windows; is the MS Windows NT4 Workstation.
|
||||
The first listing shows the contents of the Local Name Table (i.e., Identity information on
|
||||
the MS Windows workstation) and the second shows the NetBIOS name in the NetBIOS name cache.
|
||||
In this example, &example.server.samba; is the Samba server and &example.workstation.windows; is the MS Windows NT4 workstation.
|
||||
The first listing shows the contents of the Local Name Table (i.e., identity information on
|
||||
the MS Windows workstation), and the second shows the NetBIOS name in the NetBIOS name cache.
|
||||
The name cache contains the remote machines known to this workstation.
|
||||
</para>
|
||||
|
||||
|
@ -25,7 +25,7 @@
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
|
||||
will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
|
||||
adopt Active Directory or an LDAP-based authentication backend. This section explains
|
||||
adopt Active Directory or an LDAP-based authentication backend. This chapter explains
|
||||
some background information regarding trust relationships and how to create them. It is now
|
||||
possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba
|
||||
trusts.
|
||||
@ -35,17 +35,17 @@ trusts.
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
<indexterm><primary>UID range</primary></indexterm>
|
||||
<indexterm><primary>GID range</primary></indexterm>
|
||||
The use of interdomain trusts requires use of <command>winbind</command>. Thus the
|
||||
The use of interdomain trusts requires use of <command>winbind</command>, so the
|
||||
<command>winbindd</command> daemon must be running. Winbind operation in this mode is
|
||||
dependant on the specification of a valid UID range and a valid GID range in the &smb.conf; file.
|
||||
dependent on the specification of a valid UID range and a valid GID range in the &smb.conf; file.
|
||||
These are specified respectively using
|
||||
<smbconfoption name="idmap uid">10000-20000</smbconfoption> and
|
||||
<smbconfoption name="idmap gid">10000-20000</smbconfoption>.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
The use of winbind is necessary only when Samba is the trusting Domain, not when it is the
|
||||
trusted Domain.
|
||||
The use of winbind is necessary only when Samba is the trusting domain, not when it is the
|
||||
trusted domain.
|
||||
</para></note>
|
||||
|
||||
<sect1>
|
||||
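Review bot: documentation: the idmap uid and idmap gid example ranges 10000-20000 are given without the caveat that matters operationally, that the range must not overlap UIDs or GIDs already allocated to local accounts in /etc/passwd and /etc/group, because winbind will hand trusted-domain users and groups IDs from it. One sentence here saves the reader a collision. The note that winbind is needed only on the trusting side is correct and worth keeping.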
@ -53,14 +53,14 @@ trusted Domain.
|
||||
|
||||
<para>
|
||||
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
|
||||
trust relationships. This imparts to Samba similar scalability as with MS Windows NT4.
|
||||
trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Given that Samba-3 has the capability to function with a scalable backend authentication
|
||||
database such as LDAP, and given its ability to run in Primary as well as Backup Domain Control
|
||||
Given that Samba-3 can function with a scalable backend authentication
|
||||
database such as LDAP, and given its ability to run in primary as well as backup domain control
|
||||
modes, the administrator would be well advised to consider alternatives to the use of
|
||||
Interdomain trusts simply because by the very nature of how this works it is fragile.
|
||||
interdomain trusts simply because, by the very nature of how this works, it is fragile.
|
||||
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
|
||||
</para>
|
||||
|
||||
@ -70,7 +70,7 @@ That was, after all, a key reason for the development and adoption of Microsoft
|
||||
<title>Trust Relationship Background</title>
|
||||
|
||||
<para>
|
||||
MS Windows NT3/4 type security domains employ a non-hierarchical security structure.
|
||||
MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
|
||||
The limitations of this architecture as it effects the scalability of MS Windows networking
|
||||
in large organizations is well known. Additionally, the flat namespace that results from
|
||||
this design significantly impacts the delegation of administrative responsibilities in
|
||||
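Review bot: "as it effects the scalability" on the context line directly after the rewritten sentence should be "affects"; since the neighbouring sentence was touched for "nonhierarchical", fix this one in the same pass.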
@ -81,35 +81,35 @@ large and diverse organizations.
|
||||
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
|
||||
of circumventing the limitations of the older technologies. Not every organization is ready
|
||||
or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
|
||||
is quite adequate, there remains an entrenched user base for whom there is no direct
|
||||
is quite adequate, so there remains an entrenched user base for whom there is no direct
|
||||
desire to go through a disruptive change to adopt ADS.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
With MS Windows NT, Microsoft introduced the ability to allow differing security domains
|
||||
With Windows NT, Microsoft introduced the ability to allow different security domains
|
||||
to effect a mechanism so users from one domain may be given access rights and privileges
|
||||
in another domain. The language that describes this capability is couched in terms of
|
||||
<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
|
||||
<emphasis>trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
|
||||
from another domain. The domain from which users are available to another security domain is
|
||||
said to be a trusted domain. The domain in which those users have assigned rights and privileges
|
||||
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
|
||||
thus if users in both domains are to have privileges and rights in each others' domain, then it is
|
||||
so if users in both domains are to have privileges and rights in each others' domain, then it is
|
||||
necessary to establish two relationships, one in each direction.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In an NT4-style MS security domain, all trusts are non-transitive. This means that if there
|
||||
are three domains (let's call them RED, WHITE and BLUE) where RED and WHITE have a trust
|
||||
relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
|
||||
implied trust between the RED and BLUE domains. Relationships are explicit and not
|
||||
In an NT4-style MS security domain, all trusts are nontransitive. This means that if there
|
||||
are three domains (let's call them red, white, and blue), where red and white have a trust
|
||||
relationship, and white and blue have a trust relationship, then it holds that there is no
|
||||
implied trust between the red and blue domains. Relationships are explicit and not
|
||||
transitive.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
|
||||
by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
|
||||
domains above, with Windows 2000 and ADS the RED and BLUE domains can trust each other. This is
|
||||
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style Interdomain trusts
|
||||
by default. Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue
|
||||
domains, with Windows 2000 and ADS, the red and blue domains can trust each other. This is
|
||||
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style interdomain trusts
|
||||
and interoperates with MS Windows 200x ADS security domains in similar manner to MS Windows NT4-style domains.
|
||||
</para>
|
||||
|
||||
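Review bot: lowercasing RED, WHITE and BLUE turns the example domain names into colour words; NetBIOS domain names are shown in uppercase everywhere else in this chapter (SAMBA, RUMBA, DomA and DomB) and "the red and blue domains" is harder to read as identifiers. Keep them uppercase or wrap them in <literal>. Also, "all inter-ADS domain trusts are transitive" overstates it: the automatic parent-child and tree-root trusts within a forest are transitive, external trusts to domains outside the forest are not.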
@ -151,17 +151,17 @@ The password needs to be typed twice (for standard confirmation).
|
||||
<para>
|
||||
<indexterm><primary>Interdomain Trusts</primary><secondary>Completing</secondary></indexterm>
|
||||
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
|
||||
with the trusted domain. To consummate the trust relationship, the administrator will launch the
|
||||
Domain User Manager from the menu select <guilabel>Policies</guilabel>, then select
|
||||
<guilabel>Trust Relationships</guilabel>, click on the <guibutton>Add</guibutton> button
|
||||
next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel will open in which
|
||||
with the trusted domain. To consummate the trust relationship, the administrator launches the
|
||||
Domain User Manager from the menu selects <guilabel>Policies</guilabel>, then select
|
||||
<guilabel>Trust Relationships</guilabel>, and clicks on the <guibutton>Add</guibutton> button
|
||||
next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel opens in which
|
||||
must be entered the name of the remote domain as well as the password assigned to that trust.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Inter-Domain Trust Facilities</title>
|
||||
<title>Interdomain Trust Facilities</title>
|
||||
|
||||
|
||||
<para>
|
||||
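Review bot: the rewritten sentence is ungrammatical: "the administrator launches the Domain User Manager from the menu selects Policies, then select Trust Relationships, and clicks". It needs a comma after "Domain User Manager" and "selects" in place of "select" so the verbs agree: "launches the Domain User Manager, from the Policies menu selects Trust Relationships, and clicks the Add button".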
@ -216,12 +216,12 @@ DomA and DomB), the following facilities are created:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
Users/Groups in a trusting domain cannot be granted rights, permissions or access
|
||||
Users and groups in a trusting domain cannot be granted rights, permissions, or access
|
||||
to a trusted domain.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The trusting domain can access and use accounts (Users/Global Groups) in the
|
||||
The trusting domain can access and use accounts (users/global groups) in the
|
||||
trusted domain.
|
||||
</para></listitem>
|
||||
|
||||
@ -236,13 +236,13 @@ DomA and DomB), the following facilities are created:
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Trusted domain Global Groups can be given rights and permissions in the trusting
|
||||
Trusted domain global groups can be given rights and permissions in the trusting
|
||||
domain.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Global Groups from the trusted domain can be made members in Local Groups on
|
||||
MS Windows Domain Member machines.
|
||||
Global groups from the trusted domain can be made members in local groups on
|
||||
MS Windows domain member machines.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -260,10 +260,10 @@ is at an early stage, so do not be surprised if something does not function as i
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Each of the procedures described below assumes the peer domain in the trust relationship is
|
||||
Each of the procedures described next assumes the peer domain in the trust relationship is
|
||||
controlled by a Windows NT4 server. However, the remote end could just as well be another
|
||||
Samba-3 domain. It can be clearly seen, after reading this document, that combining
|
||||
Samba-specific parts of what's written below leads to trust between domains in a purely Samba
|
||||
Samba-specific parts of what's written in the following sections leads to trust between domains in a purely Samba
|
||||
environment.
|
||||
</para>
|
||||
|
||||
@ -288,23 +288,23 @@ Added user rumba$
|
||||
</screen>
|
||||
|
||||
where <option>-a</option> means to add a new account into the
|
||||
passdb database and <option>-i</option> means: <quote>create this
|
||||
account with the Inter-Domain trust flag</quote>.
|
||||
passdb database and <option>-i</option> means to <quote>create this
|
||||
account with the Interdomain trust flag</quote>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The account name will be <quote>rumba$</quote> (the name of the remote domain).
|
||||
If this fails, you should check that the trust account has been added to the system
|
||||
password database (<filename>/etc/passwd</filename>). If it has not been added, you
|
||||
can add it manually and then repeat the step above.
|
||||
can add it manually and then repeat the previous step.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
After issuing this command, you will be asked to enter the password for
|
||||
the account. You can use any password you want, but be aware that Windows NT will
|
||||
not change this password until seven days following account creation.
|
||||
not change this password until 7 days following account creation.
|
||||
After the command returns successfully, you can look at the entry for the new account
|
||||
(in the standard way as appropriate for your configuration) and see that accounts name is
|
||||
(in the standard way as appropriate for your configuration) and see that the account's name is
|
||||
really RUMBA$ and it has the <quote>I</quote> flag set in the flags field. Now you are ready to confirm
|
||||
the trust by establishing it from Windows NT Server.
|
||||
</para>
|
||||
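Review bot: "You can use any password you want" needs a caveat the edit did not add: this password is the trust's shared secret, it is stored in secrets.tdb on the Samba side and remains in use on the NT4 side for the seven days before NT rotates it, so it should be long and random rather than a convenience value. The instruction to add the rumba$ account to /etc/passwd by hand should also say to give it no usable shell or home directory (for example /bin/false), as with other machine and trust accounts, so it cannot be used for an interactive login.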
@ -314,13 +314,15 @@ the trust by establishing it from Windows NT Server.
|
||||
<indexterm><primary>User Manager</primary></indexterm>
|
||||
Open <application>User Manager for Domains</application> and from the
|
||||
<guimenu>Policies</guimenu> menu, select <guimenuitem>Trust Relationships...</guimenuitem>.
|
||||
Beside the <guilabel>Trusted domains</guilabel> list box click the
|
||||
Beside the <guilabel>Trusted domains</guilabel> list box, click the
|
||||
<guimenu>Add...</guimenu> button. You will be prompted for
|
||||
the trusted domain name and the relationship password. Type in SAMBA, as this is
|
||||
the name of the remote domain and the password used at the time of account creation.
|
||||
Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see
|
||||
the <computeroutput>Trusted domain relationship successfully
|
||||
established</computeroutput> message.
|
||||
Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see the
|
||||
<computeroutput>
|
||||
Trusted domain relationship successfully established
|
||||
</computeroutput>
|
||||
message.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
@ -341,19 +343,19 @@ The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
|
||||
<indexterm><primary>User Manager</primary></indexterm>
|
||||
Launch the <application>Domain User Manager</application>, then from the menu select
|
||||
<guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>.
|
||||
Now, next to the <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton>
|
||||
Now, next to the <guilabel>Trusted Domains</guilabel> box, press the <guibutton>Add</guibutton>
|
||||
button and type in the name of the trusted domain (SAMBA) and the password to use in securing
|
||||
the relationship.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The password can be arbitrarily chosen. It is easy to change the password
|
||||
from the Samba server whenever you want. After confirming the password your account is
|
||||
from the Samba server whenever you want. After you confirm the password, your account is
|
||||
ready for use. Now its Samba's turn.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Using your favorite shell while being logged in as root, issue this command:
|
||||
Using your favorite shell while logged in as root, issue this command:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
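Review bot: "Now its Samba's turn." on the context line needs "it's"; it sits between two edited sentences, so fix it here. "The password can be arbitrarily chosen" has the same gap as the earlier section: say it should be strong, since it is the shared secret securing the trust.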
@ -362,12 +364,12 @@ Using your favorite shell while being logged in as root, issue this command:
|
||||
|
||||
<para>
|
||||
You will be prompted for the password you just typed on your Windows NT4 Server box.
|
||||
An error message <errorname>`NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT'</errorname>
|
||||
An error message, <errorname>"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</errorname>
|
||||
that may be reported periodically is of no concern and may safely be ignored.
|
||||
It means the password you gave is correct and the NT4 Server says the account is ready for
|
||||
It means the password you gave is correct and the NT4 server says the account is ready for
|
||||
interdomain connection and not for ordinary connection. After that, be patient;
|
||||
it can take a while (especially in large networks), but eventually you should see
|
||||
the <computeroutput>Success</computeroutput> message. Congratulations! Your trust
|
||||
the <literal>Success</literal> message. Congratulations! Your trust
|
||||
relationship has just been established.
|
||||
</para>
|
||||
|
||||
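Review bot: the new markup puts the comma inside the error name: <errorname>"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</errorname>. Readers grep log output for this literal, so punctuation must stay outside the element, and the added quotation marks are redundant inside <errorname>; write <errorname>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</errorname> followed by the comma.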
@ -385,25 +387,27 @@ the <filename>secrets.tdb</filename> file.
|
||||
Although <application>Domain User Manager</application> is not present in Windows 2000, it is
|
||||
also possible to establish an NT4-style trust relationship with a Windows 2000 domain
|
||||
controller running in mixed mode as the trusting server. It should also be possible for
|
||||
Samba to trust a Windows 2000 server, however, more testing is still needed in this area.
|
||||
Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
After <link linkend="samba-trusted-domain">creating the interdomain trust account on the
|
||||
Samba server</link> as described above, open <application>Active Directory Domains and
|
||||
Samba server</link> as described previously, open <application>Active Directory Domains and
|
||||
Trusts</application> on the AD controller of the domain whose resources you wish Samba users
|
||||
to have access to. Remember that since NT4-style trusts are not transitive, if you want
|
||||
your users to have access to multiple mixed-mode domains in your AD forest, you will need to
|
||||
repeat this process for each of those domains. With <application>Active Directory Domains
|
||||
and Trusts</application> open, right-click on the name of the Active Directory domain that
|
||||
repeat this process for each of those domains. With <application>Active Directory domains
|
||||
and trusts</application> open, right-click on the name of the Active Directory domain that
|
||||
will trust our Samba domain and choose <guimenuitem>Properties</guimenuitem>, then click on
|
||||
the <guilabel>Trusts</guilabel> tab. In the upper part of the panel, you will see a list box
|
||||
labeled <guilabel>Domains trusted by this domain:</guilabel>, and an
|
||||
<guilabel>Add...</guilabel> button next to it. Press this button and just as with NT4, you
|
||||
will be prompted for the trusted domain name and the relationship password. Press OK and
|
||||
after a moment, Active Directory will respond with <computeroutput>The trusted domain has
|
||||
been added and the trust has been verified.</computeroutput> Your Samba users can now be
|
||||
granted access to resources in the AD domain.
|
||||
labeled <guilabel>Domains trusted by this domain:</guilabel> and an
|
||||
<guilabel>Add...</guilabel> button next to it. Press this button and, just as with NT4, you
|
||||
will be prompted for the trusted domain name and the relationship password. Press <emphasis>OK</emphasis> and
|
||||
after a moment, Active Directory will respond with
|
||||
<computeroutput>
|
||||
The trusted domain has been added and the trust has been verified.
|
||||
</computeroutput>
|
||||
Your Samba users can now be granted access to resources in the AD domain.
|
||||
</para>
|
||||
</sect1>
|
||||
|
||||
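Review bot: "Active Directory domains and trusts" inside <application> is the MMC snap-in's proper name and is capitalised "Active Directory Domains and Trusts" three lines earlier in the same paragraph; the lowercasing looks like a find-and-replace overreach and should be reverted. Likewise the OK button became <emphasis>OK</emphasis> while the NT4 section uses <guibutton>OK</guibutton>; use <guibutton> here too.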
@ -420,8 +424,8 @@ distributed trusted domains.
|
||||
<title>Browsing of Trusted Domain Fails</title>
|
||||
|
||||
<para>
|
||||
Browsing from a machine in a trusted Windows 200x Domain to a Windows 200x member of
|
||||
a trusting samba domain, I get the following error:
|
||||
<emphasis>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
|
||||
a trusting Samba domain, I get the following error:</emphasis>
|
||||
</para>
|
||||
|
||||
<screen>
|
||||
@ -430,34 +434,34 @@ you can contact the server that authenticated you.
|
||||
</screen>
|
||||
|
||||
<para>
|
||||
The event logs on the box I'm trying to connect to have entries regarding group
|
||||
policy not being applied because it is a member of a down-level domain.
|
||||
<emphasis>The event logs on the box I'm trying to connect to have entries regarding group
|
||||
policy not being applied because it is a member of a down-level domain.</emphasis>
|
||||
</para>
|
||||
|
||||
<para><emphasis>Answer: </emphasis> If there is a computer account in the Windows
|
||||
200x Domain for the machine in question, and it is disabled, this problem can
|
||||
<para>If there is a computer account in the Windows
|
||||
200x domain for the machine in question, and it is disabled, this problem can
|
||||
occur. If there is no computer account (removed or never existed), or if that
|
||||
account is still intact (i.e.: you just joined it to another domain) everything
|
||||
seems to be fine. By default, when you un-join a domain (the Windows 200x
|
||||
Domain), the computer tries to automatically disable the computer account in
|
||||
the domain. If you are running as an account which has privileges to do this
|
||||
when you un-join the machine, it is done, otherwise it is not done.
|
||||
account is still intact (i.e., you just joined it to another domain), everything
|
||||
seems to be fine. By default, when you unjoin a domain (the Windows 200x
|
||||
domain), the computer tries to automatically disable the computer account in
|
||||
the domain. If you are running as an account that has privileges to do this
|
||||
when you unjoin the machine, it is done; otherwise it is not done.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Problems With LDAP ldapsam And The smbldap-tools</title>
|
||||
<title>Problems with LDAP ldapsam and the smbldap-tools</title>
|
||||
|
||||
<para>
|
||||
If you use the <command>smbldap-useradd</command> script to create a trust
|
||||
account to set up Interdomain trusts the process of setting up the trust will
|
||||
account to set up interdomain trusts, the process of setting up the trust will
|
||||
fail. The account that was created in the LDAP database will have an account
|
||||
flags field that has <constant>[W ]</constant>, when it must have
|
||||
<constant>[I ]</constant> for Interdomain trusts to work.
|
||||
flags field that has <literal>[W ]</literal>, when it must have
|
||||
<literal>[I ]</literal> for interdomain trusts to work.
|
||||
</para>
|
||||
|
||||
<para><emphasis>Answer: </emphasis>Here is a simple solution.
|
||||
<para>Here is a simple solution.
|
||||
Create a machine account as follows:
|
||||
<screen>
|
||||
&rootprompt; smbldap-useradd -w domain_name
|
||||
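Review bot: the switch from <constant> to <literal> for the account-flags values [W ] and [I ] is the right element, but the bracketed flags field is padded with spaces to a fixed width, so the source should keep the exact spacing as Samba prints it rather than a single space, or readers cannot compare it against what they see on their own system. Separately, "Here is a simple solution." now stands alone without the "Answer:" label; "The solution is to create the machine account as follows:" would still signal where the fix begins.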
@ -485,8 +489,8 @@ Create a single-sided trust under the NT4 Domain User Manager, then execute:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
It works with Samba-3 and NT4 Domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
|
||||
Both DC's, samba and NT, must have the same WINS server otherwise
|
||||
It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
|
||||
Both domain controllers, Samba and NT must have the same WINS server; otherwise,
|
||||
the trust will never work.
|
||||
</para>
|
||||
|
||||
|
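Review bot: the rewritten line "Both domain controllers, Samba and NT must have the same WINS server; otherwise," drops the closing comma of the appositive that the old line had. It should read "Both domain controllers, Samba and NT, must have the same WINS server; otherwise, the trust will never work."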
File diff suppressed because it is too large
Load Diff
@ -16,8 +16,8 @@
|
||||
|
||||
<para>
|
||||
This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
|
||||
UNIX/Linux system. Winbind can be used to enable User-Level application access authentication
|
||||
from any MS Windows NT Domain, MS Windows 200x Active Directory-based
|
||||
UNIX/Linux system. Winbind can be used to enable user-level application access authentication
|
||||
from any MS Windows NT domain, MS Windows 200x Active Directory-based
|
||||
domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access
|
||||
controls that are appropriate to your Samba configuration.
|
||||
</para>
|
||||
@ -38,16 +38,16 @@ Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>,
|
||||
<para>
|
||||
A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
|
||||
now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
|
||||
authorization and resource control services. Prior to the introduction of PAM, a decision
|
||||
authorization, and resource control services. Prior to the introduction of PAM, a decision
|
||||
to use an alternative to the system password database (<filename>/etc/passwd</filename>)
|
||||
would require the provision of alternatives for all programs that provide security services.
|
||||
Such a choice would involve provision of alternatives to programs such as: <command>login</command>,
|
||||
Such a choice would involve provision of alternatives to programs such as <command>login</command>,
|
||||
<command>passwd</command>, <command>chown</command>, and so on.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
PAM provides a mechanism that disconnects these security programs from the underlying
|
||||
authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file
|
||||
authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file,
|
||||
<filename>/etc/pam.conf</filename> (Solaris), or by editing individual control files that are
|
||||
located in <filename>/etc/pam.d</filename>.
|
||||
</para>
|
||||
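Review bot: the context line "as well as the xxxxBSD family and Linux" still carries what looks like a placeholder; since this hunk already touches the same sentence for punctuation, "the BSD family" (or an explicit "FreeBSD, NetBSD, and OpenBSD") would read as finished text.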
@ -55,7 +55,7 @@ located in <filename>/etc/pam.d</filename>.
|
||||
<para>
|
||||
On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
|
||||
authentication backend so long as the appropriate dynamically loadable library modules
|
||||
are available for it. The backend may be local to the system, or may be centralized on a
|
||||
are available for it. The backend may be local to the system or may be centralized on a
|
||||
remote server.
|
||||
</para>
|
||||
|
||||
@ -67,14 +67,14 @@ PAM support modules are available for:
|
||||
<varlistentry><term><filename>/etc/passwd</filename></term><listitem>
|
||||
<para>
|
||||
There are several PAM modules that interact with this standard UNIX user
|
||||
database. The most common are called: <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename>
|
||||
database. The most common are called <filename>pam_unix.so</filename>, <filename>pam_unix2.so</filename>, <filename>pam_pwdb.so</filename>
|
||||
and <filename>pam_userdb.so</filename>.
|
||||
</para>
|
||||
</listitem></varlistentry>
|
||||
|
||||
<varlistentry><term>Kerberos</term><listitem>
|
||||
<para>
|
||||
The <filename>pam_krb5.so</filename> module allows the use of any Kerberos compliant server.
|
||||
The <filename>pam_krb5.so</filename> module allows the use of any Kerberos-compliant server.
|
||||
This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
|
||||
Microsoft Active Directory (if enabled).
|
||||
</para>
|
||||
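Review bot: the serial comma is applied inconsistently. This commit adds one in "authorization, and resource control" earlier in the file, but the rewritten line here still ends "<filename>pam_pwdb.so</filename>" with the continuation "and <filename>pam_userdb.so</filename>." lacking the comma; make it "<filename>pam_pwdb.so</filename>, and <filename>pam_userdb.so</filename>" (or drop serial commas throughout) so the style matches.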
@ -82,9 +82,9 @@ PAM support modules are available for:
|
||||
|
||||
<varlistentry><term>LDAP</term><listitem>
|
||||
<para>
|
||||
The <filename>pam_ldap.so</filename> module allows the use of any LDAP v2 or v3 compatible backend
|
||||
server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1,
|
||||
Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory.
|
||||
The <filename>pam_ldap.so</filename> module allows the use of any LDAP v2- or v3-compatible backend
|
||||
server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1,
|
||||
Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
|
||||
</para>
|
||||
</listitem></varlistentry>
|
||||
|
||||
@ -97,7 +97,7 @@ PAM support modules are available for:
|
||||
|
||||
<varlistentry><term>SMB Password</term><listitem>
|
||||
<para>
|
||||
This module, called <filename>pam_smbpass.so</filename>, will allow user authentication off
|
||||
This module, called <filename>pam_smbpass.so</filename>, allows user authentication of
|
||||
the passdb backend that is configured in the Samba &smb.conf; file.
|
||||
</para>
|
||||
</listitem></varlistentry>
|
||||
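Review bot: "allows user authentication of the passdb backend" changes the meaning of the old "authentication off the passdb backend": the module authenticates users against the backend; it does not authenticate the backend. Suggest "allows user authentication against the passdb backend that is configured in the Samba &smb.conf; file."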
@ -112,7 +112,7 @@ PAM support modules are available for:
|
||||
<varlistentry><term>Winbind</term><listitem>
|
||||
<para>
|
||||
The <filename>pam_winbind.so</filename> module allows Samba to obtain authentication from any
|
||||
MS Windows Domain Controller. It can just as easily be used to authenticate
|
||||
MS Windows domain controller. It can just as easily be used to authenticate
|
||||
users for access to any PAM-enabled application.
|
||||
</para>
|
||||
</listitem></varlistentry>
|
||||
@ -120,7 +120,7 @@ PAM support modules are available for:
|
||||
<varlistentry><term>RADIUS</term><listitem>
|
||||
<para>
|
||||
There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
|
||||
module. In most cases, administrators will need to locate the source code
|
||||
module. In most cases, administrators need to locate the source code
|
||||
for this tool and compile and install it themselves. RADIUS protocols are
|
||||
used by many routers and terminal servers.
|
||||
</para>
|
||||
@ -128,12 +128,12 @@ PAM support modules are available for:
|
||||
</variablelist>
|
||||
|
||||
<para>
|
||||
Of the above, Samba provides the <filename>pam_smbpasswd.so</filename> and the <filename>pam_winbind.so</filename> modules alone.
|
||||
Of the modules listed, Samba provides the <filename>pam_smbpasswd.so</filename> and the <filename>pam_winbind.so</filename> modules alone.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Once configured, these permit a remarkable level of flexibility in the location and use
|
||||
of distributed Samba Domain Controllers that can provide wide area network bandwidth
|
||||
of distributed Samba domain controllers that can provide wide-area network bandwidth,
|
||||
efficient authentication services for PAM-capable systems. In effect, this allows the
|
||||
deployment of centrally managed and maintained distributed authentication from a
|
||||
single-user account database.
|
||||
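Review bot: the rewritten line keeps the filename <filename>pam_smbpasswd.so</filename>, but the module is named <filename>pam_smbpass.so</filename> everywhere else in this file (the "SMB Password" entry above and the pam_smbpass section further down); fix the name while the line is being edited. Also, the comma added in "wide-area network bandwidth, efficient authentication services" turns a compound modifier into a list and changes the sense; the original meant services that are efficient in their use of WAN bandwidth, e.g. "distributed Samba domain controllers that provide authentication services that are efficient in their use of wide-area network bandwidth".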
@ -145,10 +145,10 @@ single-user account database.
|
||||
<title>Technical Discussion</title>
|
||||
|
||||
<para>
|
||||
PAM is designed to provide the system administrator with a great deal of flexibility in
|
||||
configuration of the privilege granting applications of their system. The local
|
||||
PAM is designed to provide system administrators with a great deal of flexibility in
|
||||
configuration of the privilege-granting applications of their system. The local
|
||||
configuration of system security controlled by PAM is contained in one of two places:
|
||||
either the single system file, <filename>/etc/pam.conf</filename>, or the
|
||||
either the single system file <filename>/etc/pam.conf</filename> or the
|
||||
<filename>/etc/pam.d/</filename> directory.
|
||||
</para>
|
||||
|
||||
@ -158,15 +158,15 @@ either the single system file, <filename>/etc/pam.conf</filename>, or the
|
||||
<para>
|
||||
In this section we discuss the correct syntax of and generic options respected by entries to these files.
|
||||
PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
|
||||
sensitive since they indicate a file's name and reflect the case
|
||||
sensitive, since they indicate a file's name and reflect the case
|
||||
dependence of typical file systems.
|
||||
The case-sensitivity of the arguments to any given module is defined for each module in turn.
|
||||
The case sensitivity of the arguments to any given module is defined for each module in turn.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In addition to the lines described below, there are two special characters provided for the convenience
|
||||
of the system administrator: comments are preceded by a <quote>#</quote> and extend to the next end-of-line; also,
|
||||
module specification lines may be extended with a <quote>\</quote> escaped newline.
|
||||
module specification lines may be extended with a <quote>\</quote>-escaped newline.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -188,7 +188,7 @@ auth required /other_path/pam_strange_module.so
|
||||
<para>
|
||||
The remaining information in this subsection was taken from the documentation of the Linux-PAM
|
||||
project. For more information on PAM, see
|
||||
<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">The Official Linux-PAM home page.</ulink>
|
||||
<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">the Official Linux-PAM home page</ulink>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -202,22 +202,22 @@ service-name module-type control-flag module-path args
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
|
||||
We explain the meaning of each of these tokens. The second (and more recently adopted)
|
||||
way of configuring Linux-PAM is via the contents of the <filename>/etc/pam.d/</filename> directory.
|
||||
Once we have explained the meaning of the above tokens, we will describe this method.
|
||||
Once we have explained the meaning of the tokens, we describe this method.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry><term>service-name</term><listitem>
|
||||
<para>
|
||||
The name of the service associated with this entry. Frequently, the service name is the conventional
|
||||
name of the given application. For example, <command>ftpd</command>, <command>rlogind</command> and
|
||||
The name of the service associated with this entry. Frequently, the service-name is the conventional
|
||||
name of the given application &smbmdash; for example, <command>ftpd</command>, <command>rlogind</command> and
|
||||
<command>su</command>, and so on.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
There is a special service-name reserved for defining a default authentication mechanism. It has
|
||||
the name <parameter>OTHER</parameter> and may be specified in either lower- or upper-case characters.
|
||||
the name <parameter>OTHER</parameter> and may be specified in either lower- or uppercase characters.
|
||||
Note, when there is a module specified for a named service, the <parameter>OTHER</parameter>
|
||||
entries are ignored.
|
||||
</para>
|
||||
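Review bot: "name of the given application &smbmdash; for example, ftpd, rlogind and su, and so on." is redundant ("for example" together with "and so on") and lacks the serial comma this commit adds elsewhere; suggest "for example, <command>ftpd</command>, <command>rlogind</command>, and <command>su</command>." Also, "service-name" is now hyphenated in running prose; if it is meant as the literal token from the syntax line, <parameter>service-name</parameter> would make that explicit, otherwise the old unhyphenated "service name" was correct.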
@ -232,30 +232,30 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
<parameter>auth:</parameter> This module type provides two aspects of authenticating the user.
|
||||
It establishes that the user is who he claims to be by instructing the application
|
||||
to prompt the user for a password or other means of identification. Secondly, the module can
|
||||
grant group membership (independently of the <filename>/etc/groups</filename> file discussed
|
||||
above) or other privileges through its credential granting properties.
|
||||
It establishes that the user is who he or she claims to be by instructing the application
|
||||
to prompt the user for a password or other means of identification. Second, the module can
|
||||
grant group membership (independently of the <filename>/etc/groups</filename> file)
|
||||
or other privileges through its credential-granting properties.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<parameter>account:</parameter> This module performs non-authentication-based account management.
|
||||
It is typically used to restrict/permit access to a service based on the time of day, currently
|
||||
available system resources (maximum number of users) or perhaps the location of the applicant
|
||||
user <quote>root</quote> login only on the console.
|
||||
available system resources (maximum number of users), or perhaps the location of the user
|
||||
login. For example, the <quote>root</quote> login may be permitted only on the console.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<parameter>session:</parameter> Primarily, this module is associated with doing things that need
|
||||
to be done for the user before and after they can be given service. Such things include the logging
|
||||
of information concerning the opening and closing of some data exchange with a user, mounting
|
||||
to be done for the user before and after he or she can be given service. Such things include logging
|
||||
information concerning the opening and closing of some data exchange with a user, mounting
|
||||
directories, and so on.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<parameter>password:</parameter> This last module type is required for updating the authentication
|
||||
token associated with the user. Typically, there is one module for each <quote>challenge/response</quote>
|
||||
-based authentication <parameter>(auth)</parameter> module type.
|
||||
token associated with the user. Typically, there is one module for each
|
||||
<quote>challenge/response</quote>-based authentication <parameter>(auth)</parameter> module type.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
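Review bot: the rewritten auth bullet still refers to "the <filename>/etc/groups</filename> file"; the UNIX group database is <filename>/etc/group</filename> (singular), which is how the same file is named later in this chapter in the pam_pwdb paragraph. Since the line is being edited anyway (the "discussed above" reference is dropped), correct the filename too.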
@ -276,7 +276,8 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
<para>
|
||||
The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
|
||||
severity of concern associated with the success or failure of a specific module. There are four such
|
||||
keywords: <parameter>required, requisite, sufficient and optional</parameter>.
|
||||
keywords: <parameter>required</parameter>, <parameter>requisite</parameter>,
|
||||
<parameter>sufficient</parameter>, and <parameter>optional</parameter>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -291,7 +292,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<parameter>requisite:</parameter> Like required, however, in the case that such a module returns a
|
||||
<parameter>requisite:</parameter> Like required, except that if such a module returns a
|
||||
failure, control is directly returned to the application. The return value is that associated with
|
||||
the first required or requisite module to fail. This flag can be used to protect against the
|
||||
possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
|
||||
@ -314,13 +315,13 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
|
||||
However, in the absence of any definite successes or failures of previous or subsequent stacked
|
||||
modules, this module will determine the nature of the response to the application. One example of
|
||||
this latter case, is when the other modules return something like PAM_IGNORE.
|
||||
this latter case is when the other modules return something like PAM_IGNORE.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
|
||||
over how the user is authenticated. This form of the control flag is delimited with square brackets and
|
||||
over how the user is authenticated. This form of the control-flag is delimited with square brackets and
|
||||
consists of a series of <parameter>value=action</parameter> tokens:
|
||||
</para>
|
||||
|
||||
@ -342,12 +343,13 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The last of these <parameter>(default)</parameter> can be used to set the action for those return values that are not explicitly defined.
|
||||
The last of these (<parameter>default</parameter>) can be used to set the action for those return values that are not explicitly defined.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The <parameter>action1</parameter> can be a positive integer or one of the following tokens:
|
||||
<parameter>ignore; ok; done; bad; die;</parameter> and <parameter>reset</parameter>.
|
||||
<parameter>ignore</parameter>; <parameter>ok</parameter>; <parameter>done</parameter>;
|
||||
<parameter>bad</parameter>; <parameter>die</parameter>; and <parameter>reset</parameter>.
|
||||
A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
|
||||
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
|
||||
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
|
||||
@ -375,7 +377,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
<parameter>ok:</parameter> This tells PAM that the administrator thinks this return code should
|
||||
contribute directly to the return code of the full stack of modules. In other words, if the former
|
||||
state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
|
||||
this value. Note, if the former state of the stack holds some value that is indicative of a modules
|
||||
this value. Note, if the former state of the stack holds some value that is indicative of a module's
|
||||
failure, this <parameter>ok</parameter> value will not be used to override that value.
|
||||
</para></listitem>
|
||||
|
||||
@ -391,7 +393,7 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
Each of the four keywords: <parameter>required; requisite; sufficient;</parameter> and <parameter>optional</parameter>,
|
||||
Each of the four keywords, <parameter>required</parameter>; <parameter>requisite</parameter>; <parameter>sufficient</parameter>; and <parameter>optional</parameter>,
|
||||
have an equivalent expression in terms of the [...] syntax. They are as follows:
|
||||
</para>
|
||||
|
||||
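Review bot: subject-verb agreement: "Each of the four keywords ... have an equivalent expression" should be "has an equivalent expression", since the subject is "each". The semicolons separating the four keywords inline are also unusual; commas read more naturally: "<parameter>required</parameter>, <parameter>requisite</parameter>, <parameter>sufficient</parameter>, and <parameter>optional</parameter>".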
@ -417,26 +419,26 @@ Once we have explained the meaning of the above tokens, we will describe this me
|
||||
|
||||
<para>
|
||||
Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
|
||||
the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
|
||||
the notion of client plug-in agents was introduced. This makes it possible for PAM to support
|
||||
machine-machine authentication using the transport protocol inherent to the client/server application. With the
|
||||
<parameter>[ ... value=action ... ]</parameter> control syntax, it is possible for an application to be configured
|
||||
to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication
|
||||
mode for older, legacy applications.
|
||||
to support binary prompts with compliant clients, but to gracefully fail over into an alternative authentication
|
||||
mode for legacy applications.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry><term>module-path</term><listitem>
|
||||
<para>
|
||||
The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
|
||||
The pathname of the dynamically loadable object file; the pluggable module itself. If the first character of the
|
||||
module path is <quote>/</quote>, it is assumed to be a complete path. If this is not the case, the given module path is appended
|
||||
to the default module path: <filename>/lib/security</filename> (but see the notes above).
|
||||
to the default module path: <filename>/lib/security</filename> (but see the previous notes).
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical
|
||||
Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
|
||||
are ignored by a module, however, when encountering an invalid argument, the module is required to write an error
|
||||
are ignored by a module; however, when encountering an invalid argument, the module is required to write an error
|
||||
to syslog(3). For a list of generic options, see the next section.
|
||||
</para>
|
||||
|
||||
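Review bot: "gracefully fail over into an alternative authentication mode" is not the intended idiom; failover describes switching to a redundant instance, whereas the sentence describes degrading to a different authentication method for clients that cannot handle binary prompts. "gracefully fall back to an alternative authentication mode for legacy applications" keeps the original sense.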
@ -452,7 +454,7 @@ user_name=<quote>%u</quote> and password=PASSWORD(<quote>%p</quote>) and service
|
||||
|
||||
<para>
|
||||
When using this convention, you can include <quote>[</quote> characters inside the string, and if you wish to have a <quote>]</quote>
|
||||
character inside the string that will survive the argument parsing, you should use <quote>\[</quote>. In other words:
|
||||
character inside the string that will survive the argument parsing, you should use <quote>\[</quote>. In other words,
|
||||
</para>
|
||||
|
||||
<para><programlisting>
|
||||
@ -479,7 +481,7 @@ user_name=<quote>%u</quote> and password=PASSWORD(<quote>%p</quote>) and service
|
||||
The following is an example <filename>/etc/pam.d/login</filename> configuration file.
|
||||
This example had all options uncommented and is probably not usable
|
||||
because it stacks many conditions before allowing successful completion
|
||||
of the login process. Essentially all conditions can be disabled
|
||||
of the login process. Essentially, all conditions can be disabled
|
||||
by commenting them out, except the calls to <filename>pam_pwdb.so</filename>.
|
||||
</para>
|
||||
|
||||
@ -536,10 +538,10 @@ the <filename>pam_pwdb.so</filename> module that uses the system
|
||||
password database (<filename>/etc/passwd</filename>,
|
||||
<filename>/etc/shadow</filename>, <filename>/etc/group</filename>) with
|
||||
the module <filename>pam_smbpass.so</filename>, which uses the Samba
|
||||
database which contains the Microsoft MD4 encrypted password
|
||||
hashes. This database is stored in either
|
||||
database containing the Microsoft MD4 encrypted password
|
||||
hashes. This database is stored either in
|
||||
<filename>/usr/local/samba/private/smbpasswd</filename>,
|
||||
<filename>/etc/samba/smbpasswd</filename>, or in
|
||||
<filename>/etc/samba/smbpasswd</filename> or in
|
||||
<filename>/etc/samba.d/smbpasswd</filename>, depending on the
|
||||
Samba implementation for your UNIX/Linux system. The
|
||||
<filename>pam_smbpass.so</filename> module is provided by
|
||||
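Review bot: "the Microsoft MD4 encrypted password hashes" is inaccurate terminology worth fixing while the sentence is being reworded: MD4 is a hash function, not a cipher, and what the smbpasswd database stores is the NT password hash (MD4 over the password), so "MD4 password hashes (NT hashes)" is correct and avoids implying the stored values are reversible. The path list "stored either in A, B or in C" also pairs "either" with three alternatives; "stored in one of A, B, or C, depending on ..." reads cleanly.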
@ -607,7 +609,7 @@ provide the <filename>pam_stack.so</filename> module that allows all
|
||||
authentication to be configured in a single central file. The
|
||||
<filename>pam_stack.so</filename> method has some devoted followers
|
||||
on the basis that it allows for easier administration. As with all issues in
|
||||
life though, every decision makes trade-offs, so you may want to examine the
|
||||
life, though, every decision has trade-offs, so you may want to examine the
|
||||
PAM documentation for further helpful information.
|
||||
</para></note>
|
||||
|
||||
@ -619,10 +621,11 @@ PAM documentation for further helpful information.
|
||||
<title>&smb.conf; PAM Configuration</title>
|
||||
|
||||
<para>
|
||||
There is an option in &smb.conf; called <smbconfoption name="obey pam restrictions"/>.
|
||||
The following is from the online help for this option in SWAT;
|
||||
There is an option in &smb.conf; called <smbconfoption name="obey pam restrictions"/>.
|
||||
The following is from the online help for this option in SWAT:
|
||||
</para>
|
||||
|
||||
<blockquote>
|
||||
<para>
|
||||
When Samba is configured to enable PAM support (i.e., <option>--with-pam</option>), this parameter will
|
||||
control whether or not Samba should obey PAM's account and session management directives. The default behavior
|
||||
@ -633,6 +636,7 @@ password encryption.
|
||||
</para>
|
||||
|
||||
<para>Default: <smbconfoption name="obey pam restrictions">no</smbconfoption></para>
|
||||
</blockquote>
|
||||
|
||||
</sect2>
|
||||
|
||||
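Review bot: the added </blockquote> closes the <blockquote> opened before the SWAT help text in the previous hunk; the hunk header (6 lines to 7) shows it is a pure addition, so the old text left the element unclosed. That is a well-formedness fix rather than copyediting and deserves a mention in the commit message; it is also worth validating the chapter (for example with xmllint) to confirm no other elements are left open.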
@ -640,9 +644,9 @@ password encryption.
|
||||
<title>Remote CIFS Authentication Using <filename>winbindd.so</filename></title>
|
||||
|
||||
<para>
|
||||
All operating systems depend on the provision of users credentials acceptable to the platform.
|
||||
All operating systems depend on the provision of user credentials acceptable to the platform.
|
||||
UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
|
||||
These are both simple integer type numbers that are obtained from a password backend such
|
||||
These are both simple integer numbers that are obtained from a password backend such
|
||||
as <filename>/etc/passwd</filename>.
|
||||
</para>
|
||||
|
||||
@ -654,7 +658,7 @@ is one of the jobs that winbind performs.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
As Winbind users and groups are resolved from a server, user and group IDs are allocated
|
||||
As winbind users and groups are resolved from a server, user and group IDs are allocated
|
||||
from a specified range. This is done on a first come, first served basis, although all
|
||||
existing users and groups will be mapped as soon as a client performs a user or group
|
||||
enumeration command. The allocated UNIX IDs are stored in a database file under the Samba
|
||||
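Review bot: "Winbind" is lowercased to "winbind" here, but the same commit leaves "Winbind-based authentication" and the "Winbind" varlistentry term capitalized earlier in the file, and the daemon appears as <command>winbindd</command>. Pick one convention (Winbind for the facility, <command>winbindd</command> for the daemon) and apply it across the chapter in this commit rather than changing a single occurrence.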
@ -663,11 +667,11 @@ lock directory and will be remembered.
|
||||
|
||||
<para>
|
||||
The astute administrator will realize from this that the combination of <filename>pam_smbpass.so</filename>,
|
||||
<command>winbindd</command> and a distributed <smbconfoption name="passdb backend"></smbconfoption>,
|
||||
such as <parameter>ldap</parameter>, will allow the establishment of a centrally managed, distributed user/password
|
||||
<command>winbindd</command>, and a distributed <smbconfoption name="passdb backend"></smbconfoption>
|
||||
such as <parameter>ldap</parameter> will allow the establishment of a centrally managed, distributed user/password
|
||||
database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
|
||||
particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as
|
||||
the reduction of wide area network authentication traffic.
|
||||
particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) insofar as
|
||||
the reduction of wide-area network authentication traffic.
|
||||
</para>
|
||||
|
||||
<warning><para>
|
||||
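Review bot: "insofar as the reduction of wide-area network authentication traffic" is still awkward after the "in so far as" fix; "insofar as it reduces wide-area network authentication traffic" completes the clause. The removed commas around "such as <parameter>ldap</parameter>" also turn the non-restrictive example into a restrictive one; the old commas were correct, since ldap is given as an example of a distributed passdb backend, not the only one.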
@ -684,8 +688,8 @@ to determine which user and group IDs correspond to Windows NT user and group RI
|
||||
<para>
|
||||
<filename>pam_smbpass</filename> is a PAM module that can be used on conforming systems to
|
||||
keep the <filename>smbpasswd</filename> (Samba password) database in sync with the UNIX
|
||||
password file. PAM (Pluggable Authentication Modules) is an API supported
|
||||
under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a
|
||||
password file. PAM is an API supported
|
||||
under some UNIX operating systems, such as Solaris, HPUX, and Linux, that provides a
|
||||
generic interface to authentication mechanisms.
|
||||
</para>
|
||||
|
||||
@ -704,25 +708,25 @@ Options recognized by this module are shown in <link linkend="smbpassoptions">ne
|
||||
<colspec align="left"/>
|
||||
<colspec align="justify" colwidth="1*"/>
|
||||
<tbody>
|
||||
<row><entry>debug</entry><entry>log more debugging info.</entry></row>
|
||||
<row><entry>audit</entry><entry>like debug, but also logs unknown usernames.</entry></row>
|
||||
<row><entry>use_first_pass</entry><entry>do not prompt the user for passwords; take them from PAM_ items instead.</entry></row>
|
||||
<row><entry>try_first_pass</entry><entry>try to get the password from a previous PAM module fall back to prompting the user.</entry></row>
|
||||
<row><entry>debug</entry><entry>Log more debugging info.</entry></row>
|
||||
<row><entry>audit</entry><entry>Like debug, but also logs unknown usernames.</entry></row>
|
||||
<row><entry>use_first_pass</entry><entry>Do not prompt the user for passwords; take them from PAM_ items instead.</entry></row>
|
||||
<row><entry>try_first_pass</entry><entry>Try to get the password from a previous PAM module; fall back to prompting the user.</entry></row>
|
||||
<row><entry>use_authtok</entry>
|
||||
<entry>like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</entry></row>
|
||||
<row><entry>not_set_pass</entry><entry>do not make passwords used by this module available to other modules.</entry></row>
|
||||
<row><entry>nodelay</entry><entry>do not insert ~1 second delays on authentication failure.</entry></row>
|
||||
<row><entry>nullok</entry><entry>null passwords are allowed.</entry></row>
|
||||
<row><entry>nonull</entry><entry>null passwords are not allowed. Used to override the Samba configuration.</entry></row>
|
||||
<row><entry>migrate</entry><entry>only meaningful in an <quote>auth</quote> context; used to update smbpasswd file with a password used for successful authentication.</entry></row>
|
||||
<row><entry>smbconf=<replaceable>file</replaceable></entry><entry>specify an alternate path to the &smb.conf; file.</entry></row>
|
||||
<entry>Like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</entry></row>
|
||||
<row><entry>not_set_pass</entry><entry>Do not make passwords used by this module available to other modules.</entry></row>
|
||||
<row><entry>nodelay</entry><entry>dDo not insert ~1-second delays on authentication failure.</entry></row>
|
||||
<row><entry>nullok</entry><entry>nNull passwords are allowed.</entry></row>
|
||||
<row><entry>nonull</entry><entry>Null passwords are not allowed. Used to override the Samba configuration.</entry></row>
|
||||
<row><entry>migrate</entry><entry>oOnly meaningful in an <quote>auth</quote> context; used to update smbpasswd file with a password used for successful authentication.</entry></row>
|
||||
<row><entry>smbconf=<replaceable>file</replaceable></entry><entry>Specify an alternate path to the &smb.conf; file.</entry></row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The following are examples of the use of <filename>pam_smbpass.so</filename> in the format of Linux
|
||||
The following are examples of the use of <filename>pam_smbpass.so</filename> in the format of the Linux
|
||||
<filename>/etc/pam.d/</filename> files structure. Those wishing to implement this
|
||||
tool on other platforms will need to adapt this appropriately.
|
||||
</para>
|
||||
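Review bot: three of the capitalised table entries keep the old lowercase initial next to the new capital and now read "dDo not insert ~1-second delays", "nNull passwords are allowed", and "oOnly meaningful in an auth context". They should read "Do not insert ~1-second delays on authentication failure.", "Null passwords are allowed.", and "Only meaningful in an auth context; ...", matching the other entries in the same table that were capitalised cleanly.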
@ -731,9 +735,9 @@ tool on other platforms will need to adapt this appropriately.
|
||||
<title>Password Synchronization Configuration</title>
|
||||
|
||||
<para>
|
||||
A sample PAM configuration that shows the use of pam_smbpass to make
|
||||
The following is a sample PAM configuration that shows the use of pam_smbpass to make
|
||||
sure <filename>private/smbpasswd</filename> is kept in sync when <filename>/etc/passwd (/etc/shadow)</filename>
|
||||
is changed. Useful when an expired password might be changed by an
|
||||
is changed. It is useful when an expired password might be changed by an
|
||||
application (such as <command>ssh</command>).
|
||||
</para>
|
||||
|
||||
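Review bot: the unchanged context line `<filename>/etc/passwd (/etc/shadow)</filename>` wraps the parenthetical inside the filename element, so the rendered output shows a single bogus path. Since this hunk already reworks the surrounding sentence, split it into `<filename>/etc/passwd</filename> (<filename>/etc/shadow</filename>)`.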
@ -756,7 +760,7 @@ session required pam_unix.so
|
||||
<title>Password Migration Configuration</title>
|
||||
|
||||
<para>
|
||||
A sample PAM configuration that shows the use of <filename>pam_smbpass</filename> to migrate
|
||||
The following PAM configuration shows the use of <filename>pam_smbpass</filename> to migrate
|
||||
from plaintext to encrypted passwords for Samba. Unlike other methods,
|
||||
this can be used for users who have never connected to Samba shares:
|
||||
password migration takes place when users <command>ftp</command> in, login using <command>ssh</command>, pop
|
||||
@ -784,7 +788,7 @@ session required pam_unix.so
|
||||
<title>Mature Password Configuration</title>
|
||||
|
||||
<para>
|
||||
A sample PAM configuration for a mature <filename>smbpasswd</filename> installation.
|
||||
The following is a sample PAM configuration for a mature <filename>smbpasswd</filename> installation.
|
||||
<filename>private/smbpasswd</filename> is fully populated, and we consider it an error if
|
||||
the SMB password does not exist or does not match the UNIX password.
|
||||
</para>
|
||||
@ -808,7 +812,7 @@ session required pam_unix.so
|
||||
<title>Kerberos Password Integration Configuration</title>
|
||||
|
||||
<para>
|
||||
A sample PAM configuration that shows <parameter>pam_smbpass</parameter> used together with
|
||||
The following is a sample PAM configuration that shows <parameter>pam_smbpass</parameter> used together with
|
||||
<parameter>pam_krb5</parameter>. This could be useful on a Samba PDC that is also a member of
|
||||
a Kerberos realm.
|
||||
</para>
|
||||
@ -842,12 +846,11 @@ PAM can be fickle and sensitive to configuration glitches. Here we look at a few
|
||||
the Samba mailing list.
|
||||
</para>
|
||||
|
||||
<!-- shouldn't this be in the Winbind chapter - Jelmer -->
|
||||
<sect2>
|
||||
<title>pam_winbind Problem</title>
|
||||
|
||||
<para>
|
||||
A user reported: I have the following PAM configuration:
|
||||
A user reported, <emphasis>I have the following PAM configuration</emphasis>:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -864,17 +867,17 @@ password required /lib/security/pam_stack.so service=system-auth
|
||||
</para>
|
||||
|
||||
<para>
|
||||
When I open a new console with [ctrl][alt][F1], I can't log in with my user <quote>pitie</quote>.
|
||||
I have tried with user <quote>scienceu\pitie</quote> also.
|
||||
<emphasis>When I open a new console with [ctrl][alt][F1], I can't log in with my user <quote>pitie.</quote>
|
||||
I have tried with user <quote>scienceu\pitie</quote> also.</emphasis>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Answer:</emphasis> The problem may lie with your inclusion of <parameter>pam_stack.so
|
||||
The problem may lie with the inclusion of <parameter>pam_stack.so
|
||||
service=system-auth</parameter>. That file often contains a lot of stuff that may
|
||||
duplicate what you are already doing. Try commenting out the <parameter>pam_stack</parameter> lines
|
||||
for <parameter>auth</parameter> and <parameter>account</parameter> and see if things work. If they do, look at
|
||||
<filename>/etc/pam.d/system-auth</filename> and copy only what you need from it into your
|
||||
<filename>/etc/pam.d/login</filename> file. Alternately, if you want all services to use
|
||||
<filename>/etc/pam.d/login</filename> file. Alternatively, if you want all services to use
|
||||
Winbind, you can put the Winbind-specific stuff in <filename>/etc/pam.d/system-auth</filename>.
|
||||
</para>
|
||||
|
||||
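Review bot: moving the sentence period inside `<quote>pitie.</quote>` makes the quoted username read as "pitie." rather than "pitie"; the quote here wraps a literal account name, not prose. Keep the period after the closing `</quote>`, as the old line had it and as the following line still does for `<quote>scienceu\pitie</quote>`.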
@ -886,8 +889,8 @@ password required /lib/security/pam_stack.so service=system-auth
|
||||
<para>
|
||||
<quote>
|
||||
My &smb.conf; file is correctly configured. I have specified
|
||||
<smbconfoption name="idmap uid">12000</smbconfoption>,
|
||||
and <smbconfoption name="idmap gid">3000-3500</smbconfoption>
|
||||
<smbconfoption name="idmap uid">12000</smbconfoption>
|
||||
and <smbconfoption name="idmap gid">3000-3500,</smbconfoption>
|
||||
and <command>winbind</command> is running. When I do the following it all works fine.
|
||||
</quote>
|
||||
</para>
|
||||
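Review bot: the comma in `<smbconfoption name="idmap gid">3000-3500,</smbconfoption>` sits inside the option element and will be rendered as part of the parameter value, turning the range into "3000-3500,". Since the comma after the `idmap uid` option on the previous line was removed, either drop this one too or place it after the closing `</smbconfoption>`.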
@ -926,7 +929,7 @@ chown: 'maryo': invalid user
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Answer:</emphasis> Your system is likely running <command>nscd</command>, the name service
|
||||
Your system is likely running <command>nscd</command>, the name service
|
||||
caching daemon. Shut it down, do not restart it! You will find your problem resolved.
|
||||
</para>
|
||||
|
||||
|
@ -14,22 +14,22 @@
|
||||
<para>
|
||||
There are many who approach MS Windows networking with incredible misconceptions.
|
||||
That's okay, because it gives the rest of us plenty of opportunity to be of assistance.
|
||||
Those who really want help would be well advised to become familiar with information
|
||||
Those who really want help are well advised to become familiar with information
|
||||
that is already available.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The reader is advised not to tackle this section without having first understood
|
||||
You are advised not to tackle this section without having first understood
|
||||
and mastered some basics. MS Windows networking is not particularly forgiving of
|
||||
mis-configuration. Users of MS Windows networking are likely to complain
|
||||
misconfiguration. Users of MS Windows networking are likely to complain
|
||||
of persistent niggles that may be caused by a broken network configuration.
|
||||
To a great many people, however, MS Windows networking starts with a Domain Controller
|
||||
To a great many people, however, MS Windows networking starts with a domain controller
|
||||
that in some magical way is expected to solve all network operational ills.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<link linkend="domain-example">The diagram</link> shows a typical MS Windows Domain Security
|
||||
network environment. Workstations A, B and C are representative of many physical MS Windows
|
||||
<link linkend="domain-example">The Example Domain illustration</link> shows a typical MS Windows domain security
|
||||
network environment. Workstations A, B, and C are representative of many physical MS Windows
|
||||
network clients.
|
||||
</para>
|
||||
|
||||
@ -38,10 +38,8 @@ network clients.
|
||||
<imagefile scale="50">domain</imagefile>
|
||||
</figure>
|
||||
|
||||
<?latex \newpage ?>
|
||||
|
||||
<para>
|
||||
From the Samba mailing list one can readily identify many common networking issues.
|
||||
From the Samba mailing list we can readily identify many common networking issues.
|
||||
If you are not clear on the following subjects, then it will do much good to read the
|
||||
sections of this HOWTO that deal with it. These are the most common causes of MS Windows
|
||||
networking problems:
|
||||
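Review bot: this hunk deletes the `<?latex \newpage ?>` processing instruction that followed the domain figure, which only affects the LaTeX/PDF build; please confirm the page break removal is intentional and not a side effect of the copyedit, since the figure and the following paragraph will now share a page.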
@ -69,7 +67,7 @@ organization.
|
||||
|
||||
<para>
|
||||
Where is the right place to make mistakes? Only out of harms way. If you are going to
|
||||
make mistakes, then please do it on a test network, away from users and in such a way as
|
||||
make mistakes, then please do it on a test network, away from users, and in such a way as
|
||||
to not inflict pain on others. Do your learning on a test network.
|
||||
</para>
|
||||
|
||||
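Review bot: the unchanged context line "Only out of harms way." is missing the apostrophe and should read "Only out of harm's way." Since this hunk already copyedits the very next line, fix it here rather than leaving it for another pass.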
@ -82,29 +80,29 @@ to not inflict pain on others. Do your learning on a test network.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In a word, <emphasis>Single Sign On</emphasis>, or SSO for short. To many, this is the Holy
|
||||
In a word, <emphasis>single sign-on</emphasis>, or SSO for short. To many, this is the Holy
|
||||
Grail of MS Windows NT and beyond networking. SSO allows users in a well-designed network
|
||||
to log onto any workstation that is a member of the domain that their user account is in
|
||||
(or in a domain that has an appropriate trust relationship with the domain they are visiting)
|
||||
and they will be able to log onto the network and access resources (shares, files and printers)
|
||||
as if they are sitting at their home (personal) workstation. This is a feature of the Domain
|
||||
Security protocols.
|
||||
and they will be able to log onto the network and access resources (shares, files, and printers)
|
||||
as if they are sitting at their home (personal) workstation. This is a feature of the domain
|
||||
security protocols.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>SID</primary></indexterm>
|
||||
The benefits of Domain Security are available to those sites that deploy a Samba PDC.
|
||||
A Domain provides a unique network security identifier (SID). Domain user and group security
|
||||
The benefits of domain security are available to those sites that deploy a Samba PDC.
|
||||
A domain provides a unique network security identifier (SID). Domain user and group security
|
||||
identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to
|
||||
the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control
|
||||
Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
|
||||
the account. User and group SIDs (the network SID plus the RID) can be used to create access control
|
||||
lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
|
||||
recognize only local security identifiers.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
Network clients of an MS Windows Domain Security Environment must be Domain Members to be
|
||||
able to gain access to the advanced features provided. Domain Membership involves more than just
|
||||
setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
|
||||
Network clients of an MS Windows domain security environment must be domain members to be
|
||||
able to gain access to the advanced features provided. Domain membership involves more than just
|
||||
setting the workgroup name to the domain name. It requires the creation of a domain trust account
|
||||
for the workstation (called a machine account). Refer to <link linkend="domain-member">Domain Membership</link>
|
||||
for more information.
|
||||
</para></note>
|
||||
@ -129,12 +127,12 @@ The following functionalities are new to the Samba-3 release:
|
||||
<listitem><para>
|
||||
Introduces replaceable and multiple user account (authentication)
|
||||
backends. In the case where the backend is placed in an LDAP database,
|
||||
Samba-3 confers the benefits of a backend that can be distributed, replicated
|
||||
Samba-3 confers the benefits of a backend that can be distributed and replicated
|
||||
and is highly scalable.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Implements full Unicode support. This simplifies cross locale internationalization
|
||||
Implements full Unicode support. This simplifies cross-locale internationalization
|
||||
support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
|
||||
to the need to fully support Unicode.
|
||||
</para></listitem>
|
||||
@ -147,17 +145,17 @@ The following functionalities are not provided by Samba-3:
|
||||
<listitem><para>
|
||||
<indexterm><primary>SAM</primary></indexterm>
|
||||
<indexterm><primary>replication</primary></indexterm>
|
||||
SAM replication with Windows NT4 Domain Controllers
|
||||
(i.e., a Samba PDC and a Windows NT BDC or vice versa). This means Samba
|
||||
SAM replication with Windows NT4 domain controllers
|
||||
(i.e., a Samba PDC and a Windows NT BDC, or vice versa). This means Samba
|
||||
cannot operate as a BDC when the PDC is Microsoft-based or
|
||||
replicate account data to Windows BDCs.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Acting as a Windows 2000 Domain Controller (i.e., Kerberos and
|
||||
Acting as a Windows 2000 domain controller (i.e., Kerberos and
|
||||
Active Directory). In point of fact, Samba-3 does have some
|
||||
Active Directory Domain Control ability that is at this time
|
||||
purely experimental that is certain to change as it becomes a
|
||||
Active Directory domain control ability that is at this time
|
||||
purely experimental. That is certain to change as it becomes a
|
||||
fully supported feature some time during the Samba-3 (or later)
|
||||
life cycle. However, Active Directory is more then just SMB &smbmdash;
|
||||
it's also LDAP, Kerberos, DHCP, and other protocols (with proprietary
|
||||
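Review bot: the context line "Active Directory is more then just SMB" should read "more than just SMB"; the hunk edits the two lines immediately above it, so the typo should be picked up in the same change.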
@ -165,34 +163,34 @@ The following functionalities are not provided by Samba-3:
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The Windows 200x/XP MMC (Computer Management) Console can not be used
|
||||
The Windows 200x/XP Microsoft Management Console (MMC) cannot be used
|
||||
to manage a Samba-3 server. For this you can use only the MS Windows NT4
|
||||
Domain Server manager and the MS Windows NT4 Domain User Manager. Both are
|
||||
Domain Server Manager and the MS Windows NT4 Domain User Manager. Both are
|
||||
part of the SVRTOOLS.EXE package mentioned later.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined
|
||||
in this chapter. The protocol for support of Windows 9x/Me style network (domain) logons
|
||||
is completely different from NT4/Windows 200x type domain logons and has been officially supported
|
||||
for some time. These clients use the old LanMan Network Logon facilities that are supported
|
||||
in this chapter. The protocol for support of Windows 9x/Me-style network (domain) logons
|
||||
is completely different from NT4/Windows 200x-type domain logons and has been officially supported
|
||||
for some time. These clients use the old LanMan network logon facilities that are supported
|
||||
in Samba since approximately the Samba-1.9.15 series.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Samba-3 implements group mapping between Windows NT groups
|
||||
and UNIX groups (this is really quite complicated to explain in a short space). This is
|
||||
discussed more fully in <link linkend="groupmapping">Group Mapping &smbmdash; MS Windows and UNIX</link>.
|
||||
discussed more fully in <link linkend="groupmapping">Group Mapping: MS Windows and UNIX</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>Machine Trust Accounts</primary></indexterm>
|
||||
Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
|
||||
user and Machine Trust Account information in a suitable backend data-store.
|
||||
Refer to <link linkend="machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</link>. With Samba-3 there can be multiple
|
||||
backends for this. A complete discussion of account database backends can be found in
|
||||
<link linkend="passdb">Account Information Databases</link>.
|
||||
Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store user and Machine Trust
|
||||
Account information in a suitable backend data-store. Refer to <link linkend="machine-trust-accounts">MS
|
||||
Windows Workstation/Server Machine Trust Accounts</link>. With Samba-3 there can be multiple backends for
|
||||
this. A complete discussion of account database backends can be found in <link linkend="passdb">Account
|
||||
Information Databases</link>.
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
@ -201,9 +199,9 @@ backends for this. A complete discussion of account database backends can be fou
|
||||
<title>Basics of Domain Control</title>
|
||||
|
||||
<para>
|
||||
Over the years, public perceptions of what Domain Control really is has taken on an
|
||||
almost mystical nature. Before we branch into a brief overview of Domain Control,
|
||||
there are three basic types of Domain Controllers.
|
||||
Over the years, public perceptions of what domain control really is has taken on an
|
||||
almost mystical nature. Before we branch into a brief overview of domain control,
|
||||
there are three basic types of domain controllers.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
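Review bot: the new lines keep the agreement error from the old ones: "public perceptions of what domain control really is has taken on" has a plural subject ("perceptions") and needs "have taken on". Suggest "Over the years, public perceptions of what domain control really is have taken on an almost mystical nature."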
@ -216,34 +214,34 @@ there are three basic types of Domain Controllers.
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in MS
|
||||
Windows NT4. In Windows 200x Domain Control architecture, this role is held by Domain Controllers.
|
||||
Folklore dictates that because of its role in the MS Windows
|
||||
network, the Domain Controller should be the most powerful and most capable machine in the network.
|
||||
As strange as it may seem to say this here, good overall network performance dictates that
|
||||
the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-alone
|
||||
(Domain Member) servers than in the Domain Controllers.
|
||||
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in MS Windows NT4. In
|
||||
Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that
|
||||
because of its role in the MS Windows network, the domain controller should be the most powerful and most
|
||||
capable machine in the network. As strange as it may seem to say this here, good overall network performance
|
||||
dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone
|
||||
(domain member) servers than in the domain controllers.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>SAM</primary></indexterm>
|
||||
In the case of MS Windows NT4-style domains, it is the PDC that initiates a new Domain Control database.
|
||||
In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database.
|
||||
This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key
|
||||
part in NT4-type domain user authentication and in synchronization of the domain authentication
|
||||
database with Backup Domain Controllers.
|
||||
database with BDCs.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
With MS Windows 200x Server-based Active Directory domains, one Domain Controller initiates a potential
|
||||
hierarchy of Domain Controllers, each with their own area of delegated control. The master domain
|
||||
controller has the ability to override any downstream controller, but a down-line controller has
|
||||
control only over its down-line. With Samba-3, this functionality can be implemented using an
|
||||
With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential
|
||||
hierarchy of domain controllers, each with its own area of delegated control. The master domain
|
||||
controller has the ability to override any downstream controller, but a downline controller has
|
||||
control only over its downline. With Samba-3, this functionality can be implemented using an
|
||||
LDAP-based user and machine account backend.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
New to Samba-3 is the ability to use a backend database that holds the same type of data as
|
||||
the NT4-style SAM database (one of the registry files)<footnote><para>See also <link linkend="passdb">Account Information Databases</link>.</para></footnote>.
|
||||
New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM
|
||||
database (one of the registry files)<footnote><para>See also <link linkend="passdb">Account Information
|
||||
Databases</link>.</para>.</footnote>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
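Review bot: the rewritten footnote ends `</link>.</para>.</footnote>`, which leaves a bare period directly inside `<footnote>` where DocBook expects block content only, and the sentence period that previously followed `</footnote>` has been lost. Suggest `...Account Information Databases</link>.</para></footnote>.` so both the footnote and the main sentence are terminated correctly.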
@ -253,51 +251,52 @@ On a network segment that has a BDC and a PDC, the BDC will most likely service
|
||||
logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
|
||||
A BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to
|
||||
PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic
|
||||
operation; the PDC and BDC must be manually configured and changes also need to be made.
|
||||
operation; the PDC and BDC must be manually configured, and changes also need to be made.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be.
|
||||
It is possible to promote a BDC to a PDC and vice versa. The only way
|
||||
to convert a Domain Controller to a Domain Member server or a Stand-alone Server is to
|
||||
reinstall it. The install time choices offered are:
|
||||
It is possible to promote a BDC to a PDC, and vice versa. The only way to convert a domain controller to a
|
||||
domain member server or a standalone server is to reinstall it. The install time choices offered are:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para><emphasis>Primary Domain Controller</emphasis> &smbmdash; the one that seeds the domain SAM.</para></listitem>
|
||||
<listitem><para><emphasis>Backup Domain Controller</emphasis> &smbmdash; one that obtains a copy of the domain SAM.</para></listitem>
|
||||
<listitem><para><emphasis>Domain Member Server</emphasis> &smbmdash; one that has no copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
|
||||
<listitem><para><emphasis>Stand-alone Server</emphasis> &smbmdash; one that plays no part is SAM synchronization, has its own authentication database and plays no role in Domain Security.</para></listitem>
|
||||
<listitem><para><emphasis>Domain Member Server</emphasis> &smbmdash; one that has no copy of the domain SAM; rather
|
||||
it obtains authentication from a domain controller for all access controls.</para></listitem>
|
||||
<listitem><para><emphasis>Standalone Server</emphasis> &smbmdash; one that plays no part in SAM synchronization,
|
||||
has its own authentication database, and plays no role in domain security.</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
With MS Windows 2000, the configuration of Domain Control is done after the server has been
|
||||
With MS Windows 2000, the configuration of domain control is done after the server has been
|
||||
installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server
|
||||
Active Directory domain.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
|
||||
New to Samba-3 is the ability to function fully as an MS Windows NT4-style Domain Controller,
|
||||
New to Samba-3 is the ability to function fully as an MS Windows NT4-style domain controller,
|
||||
excluding the SAM replication components. However, please be aware that Samba-3 also supports the
|
||||
MS Windows 200x Domain Control protocols.
|
||||
MS Windows 200x domain control protocols.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
At this time any appearance that Samba-3 is capable of acting as an
|
||||
<emphasis>Domain Controller</emphasis> in native ADS mode is limited and experimental in nature.
|
||||
At this time any appearance that Samba-3 is capable of acting as a
|
||||
<emphasis>domain controller</emphasis> in native ADS mode is limited and experimental in nature.
|
||||
This functionality should not be used until the Samba Team offers formal support for it.
|
||||
At such a time, the documentation will be revised to duly reflect all configuration and
|
||||
management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP
|
||||
management requirements. Samba can act as a NT4-style domain controller in a Windows 2000/XP
|
||||
environment. However, there are certain compromises:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>No machine policy files.</para></listitem>
|
||||
<listitem><para>No Group Policy Objects.</para></listitem>
|
||||
<listitem><para>No synchronously executed AD logon scripts.</para></listitem>
|
||||
<listitem><para>No synchronously executed Active Directory logon scripts.</para></listitem>
|
||||
<listitem><para>Can't use Active Directory management tools to manage users and machines.</para></listitem>
|
||||
<listitem><para>Registry changes tattoo the main registry, while with AD they do not leave permanent changes in effect.</para></listitem>
|
||||
<listitem><para>Without AD you cannot perform the function of exporting specific applications to specific users or groups.</para></listitem>
|
||||
<listitem><para>Registry changes tattoo the main registry, while with Active Directory they do not leave permanent changes in effect.</para></listitem>
|
||||
<listitem><para>Without Active Directory you cannot perform the function of exporting specific applications to specific users or groups.</para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
|
||||
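Review bot: the new line "Samba can act as a NT4-style domain controller in a Windows 2000/XP environment" needs "an NT4-style", since "NT" begins with a vowel sound; the old line avoided the problem only because it said "DC".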
@ -307,36 +306,36 @@ environment. However, there are certain compromises:
|
||||
<title>Preparing for Domain Control</title>
|
||||
|
||||
<para>
|
||||
There are two ways that MS Windows machines may interact with each other, with other servers
|
||||
and with Domain Controllers: either as <emphasis>Stand-alone</emphasis> systems, more commonly
|
||||
called <emphasis>Workgroup</emphasis> members, or as full participants in a security system,
|
||||
more commonly called <emphasis>Domain</emphasis> members.
|
||||
There are two ways that MS Windows machines may interact with each other, with other servers,
|
||||
and with domain controllers: either as <emphasis>standalone</emphasis> systems, more commonly
|
||||
called <emphasis>workgroup</emphasis> members, or as full participants in a security system,
|
||||
more commonly called <emphasis>domain</emphasis> members.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
It should be noted that <emphasis>Workgroup</emphasis> membership involves no special configuration
|
||||
It should be noted that workgroup membership involves no special configuration
|
||||
other than the machine being configured so the network configuration has a commonly used name
|
||||
for its workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
|
||||
mode of configuration, there are no Machine Trust Accounts and any concept of membership as such
|
||||
mode of configuration, there are no Machine Trust Accounts, and any concept of membership as such
|
||||
is limited to the fact that all machines appear in the network neighborhood to be logically
|
||||
grouped together. Again, just to be clear: <emphasis>workgroup mode does not involve security machine
|
||||
accounts</emphasis>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Domain Member machines have a machine account in the Domain accounts database. A special procedure
|
||||
must be followed on each machine to effect Domain Membership. This procedure, which can be done
|
||||
only by the local machine Administrator account, will create the Domain machine account (if it does
|
||||
Domain member machines have a machine account in the domain accounts database. A special procedure
|
||||
must be followed on each machine to effect domain membership. This procedure, which can be done
|
||||
only by the local machine Administrator account, creates the domain machine account (if it does
|
||||
not exist), and then initializes that account. When the client first logs onto the
|
||||
Domain it triggers a machine password change.
|
||||
domain, it triggers a machine password change.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
When Samba is configured as a Domain Controller, secure network operation demands that
|
||||
all MS Windows NT4/200x/XP Professional clients should be configured as Domain Members.
|
||||
If a machine is not made a member of the Domain, then it will operate like a workgroup
|
||||
(Stand-alone) machine. Please refer to <link linkend="domain-member">Domain Membership</link> chapter for
|
||||
information regarding Domain Membership.
|
||||
When Samba is configured as a domain controller, secure network operation demands that
|
||||
all MS Windows NT4/200x/XP Professional clients should be configured as domain members.
|
||||
If a machine is not made a member of the domain, then it will operate like a workgroup
|
||||
(standalone) machine. Please refer to <link linkend="domain-member">Domain Membership</link>, for
|
||||
information regarding domain membership.
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
@ -346,14 +345,14 @@ NT4/200x/XP clients:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>Configuration of basic TCP/IP and MS Windows networking.</para></listitem>
|
||||
<listitem><para>Correct designation of the Server Role (<smbconfoption name="security">user</smbconfoption>).</para></listitem>
|
||||
<listitem><para>Consistent configuration of Name Resolution<footnote><para>See <link linkend="NetworkBrowsing">Network Browsing</link>, and
|
||||
<link linkend="integrate-ms-networks">Integrating MS Windows Networks with Samba</link>.</para></footnote>.</para></listitem>
|
||||
<listitem><para>Correct designation of the server role (<smbconfoption name="security">user</smbconfoption>).</para></listitem>
|
||||
<listitem><para>Consistent configuration of name resolution.<footnote><para>See <link linkend="NetworkBrowsing">Network Browsing</link>, and
|
||||
<link linkend="integrate-ms-networks">Integrating MS Windows Networks with Samba</link>.</para></footnote></para></listitem>
|
||||
<listitem><para>Domain logons for Windows NT4/200x/XP Professional clients.</para></listitem>
|
||||
<listitem><para>Configuration of Roaming Profiles or explicit configuration to force local profile usage.</para></listitem>
|
||||
<listitem><para>Configuration of roaming profiles or explicit configuration to force local profile usage.</para></listitem>
|
||||
<listitem><para>Configuration of network/system policies.</para></listitem>
|
||||
<listitem><para>Adding and managing domain user accounts.</para></listitem>
|
||||
<listitem><para>Configuring MS Windows client machines to become Domain Members.</para></listitem>
|
||||
<listitem><para>Configuring MS Windows client machines to become domain members.</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
@ -363,38 +362,38 @@ The following provisions are required to serve MS Windows 9x/Me clients:
<itemizedlist>
<listitem><para>Configuration of basic TCP/IP and MS Windows networking.</para></listitem>
<listitem><para>Correct designation of the server role (<smbconfoption name="security">user</smbconfoption>).</para></listitem>
<listitem><para>Network Logon Configuration (since Windows 9x/Me/XP Home are not technically domain
<listitem><para>Network logon configuration (since Windows 9x/Me/XP Home are not technically domain
members, they do not really participate in the security aspects of Domain logons as such).</para></listitem>
<listitem><para>Roaming Profile Configuration.</para></listitem>
<listitem><para>Configuration of System Policy handling.</para></listitem>
<listitem><para>Roaming profile configuration.</para></listitem>
<listitem><para>Configuration of system policy handling.</para></listitem>
<listitem><para>Installation of the network driver <quote>Client for MS Windows Networks</quote> and configuration
to log onto the domain.</para></listitem>
<listitem><para>Placing Windows 9x/Me clients in User Level Security &smbmdash; if it is desired to allow
all client share access to be controlled according to domain user/group identities.</para></listitem>
<listitem><para>Placing Windows 9x/Me clients in user-level security &smbmdash; if it is desired to allow
all client-share access to be controlled according to domain user/group identities.</para></listitem>
<listitem><para>Adding and managing domain user accounts.</para></listitem>
</itemizedlist>

<note><para>
Roaming Profiles and System/Network policies are advanced network administration topics
that are covered in the <link linkend="ProfileMgmt">Desktop Profile Management</link> and
<link linkend="PolicyMgmt">System and Account Policies</link> chapters of this document. However, these are not
Roaming profiles and system/network policies are advanced network administration topics
that are covered in <link linkend="ProfileMgmt">Desktop Profile Management</link> and
<link linkend="PolicyMgmt">System and Account Policies</link> of this document. However, these are not
necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
</para></note>

<para>
A Domain Controller is an SMB/CIFS server that:
A domain controller is an SMB/CIFS server that:
</para>

<itemizedlist>
<listitem><para>
Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
Registers and advertises itself as a domain controller (through NetBIOS broadcasts
as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
to a WINS server over UDP uni-cast, or via DNS and Active Directory).
to a WINS server over UDP unicast, or via DNS and Active Directory).
</para></listitem>

<listitem><para>
Provides the NETLOGON service. (This is actually a collection of services that runs over
multiple protocols. These include the LanMan Logon service, the Netlogon service,
multiple protocols. These include the LanMan logon service, the Netlogon service,
the Local Security Account service, and variations of them.)
</para></listitem>
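Review bot: the lowercasing pass is incomplete in this hunk: "security aspects of Domain logons as such" on the unchanged context line keeps the capital D, and "Mailslot Broadcasts" stays capitalized while "unicast" on the following line is edited. Also, "all client-share access" now reads as access to something called a client share; the original meant all client access to shares, so "all client access to shares" would say that without the ambiguity.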

@ -404,26 +403,27 @@ A Domain Controller is an SMB/CIFS server that:
</itemizedlist>

<para>
It is rather easy to configure Samba to provide these. Each Samba Domain Controller must provide
the NETLOGON service that Samba calls the <smbconfoption name="domain logons"/> functionality
(after the name of the parameter in the &smb.conf; file). Additionally, one server in a Samba-3
Domain must advertise itself as the Domain Master Browser<footnote><para>See <link linkend="NetworkBrowsing">Network Browsing</link>.</para></footnote>.
This causes the Primary Domain Controller to claim a domain-specific NetBIOS name that identifies it as a
Domain Master Browser for its given domain or workgroup. Local master browsers in the same domain or workgroup on
broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide area network.
Browser clients will then contact their Local Master Browser, and will receive the domain-wide browse list,
instead of just the list for their broadcast-isolated subnet.
It is rather easy to configure Samba to provide these. Each Samba domain controller must provide the NETLOGON
service that Samba calls the <smbconfoption name="domain logons"/> functionality (after the name of the
parameter in the &smb.conf; file). Additionally, one server in a Samba-3 domain must advertise itself as the
domain master browser.<footnote><para>See <link linkend="NetworkBrowsing">Network
Browsing</link>.</para></footnote> This causes the PDC to claim a domain-specific NetBIOS name that identifies
it as a DMB for its given domain or workgroup. Local master browsers (LMBs) in the same domain or workgroup on
broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide-area network.
Browser clients then contact their LMB, and will receive the domain-wide browse list instead of just the list
for their broadcast-isolated subnet.
</para>

</sect2>
</sect1>

<sect1>
<title>Domain Control &smbmdash; Example Configuration</title>
<title>Domain Control: Example Configuration</title>

<para>
The first step in creating a working Samba PDC is to understand the parameters necessary
in &smb.conf;. An example &smb.conf; for acting as a PDC can be found in <link linkend="pdc-example">the next example</link>.
in &smb.conf;. An example &smb.conf; for acting as a PDC can be found in <link linkend="pdc-example">the
smb.conf for being a PDC</link>.
</para>

<example id="pdc-example">
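Review bot: "DMB" appears in "identifies it as a DMB" without ever being introduced, while "Local master browsers (LMBs)" on the same line gets its expansion; write "domain master browser (DMB)" at the first occurrence two lines up so the abbreviation the rest of the chapter relies on is defined where it first appears. The new link text "the smb.conf for being a PDC" is awkward; "the example smb.conf for a PDC" would read as a title.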
@ -469,7 +469,7 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
default accounts and is included by default, there is no need to add it explicitly.</para>

<para>
Where use of backup Domain Controllers (BDCs) is intended, the only logical choice is
Where use of BDCs is intended, the only logical choice is
to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files
cannot effectively be distributed and therefore should not be used.
</para></listitem>
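Review bot: this hunk deletes the only visible expansion of BDC ("backup Domain Controllers (BDCs)"); unless the acronym is already expanded earlier in the chapter, keep the expansion here (lowercased, "backup domain controllers (BDCs)"), because this paragraph is where the reader needs it to follow why tdbsam and smbpasswd cannot be distributed.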
@ -477,12 +477,12 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
<varlistentry><term>Domain Control Parameters </term>
<listitem><para>
The parameters <emphasis>os level, preferred master, domain master, security,
encrypt passwords, and domain logons</emphasis> play a central role in assuring domain
encrypt passwords</emphasis>, and <emphasis>domain logons</emphasis> play a central role in assuring domain
control and network logon support.</para>

<para>
The <emphasis>os level</emphasis> must be set at or above a value of 32. A Domain Controller
must be the Domain Master Browser, must be set in <emphasis>user</emphasis> mode security,
The <emphasis>os level</emphasis> must be set at or above a value of 32. A domain controller
must be the DMB, must be set in <emphasis>user</emphasis> mode security,
must support Microsoft-compatible encrypted passwords, and must provide the network logon
service (domain logons). Encrypted passwords must be enabled. For more details on how
to do this, refer to <link linkend="passdb">Account Information Databases</link>.
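Review bot: splitting only the last item out of the <emphasis> run leaves "os level, preferred master, domain master, security, encrypt passwords" as one emphasized string, so the parameters are still not individually marked up. Elsewhere in this file parameters use <smbconfoption name="..."/> (for example "domain master" in the Domain Network Logon Service hunk below); using that markup for each of the six names here would be consistent and indexable. Minor: "must support Microsoft-compatible encrypted passwords" and "Encrypted passwords must be enabled" in the next sentence say the same thing and could be merged.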
@ -490,7 +490,7 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
</varlistentry>
<varlistentry><term>Environment Parameters </term>
<listitem><para>
The parameters <emphasis>logon path, logon home, logon drive, and logon script</emphasis> are
The parameters <emphasis>logon path, logon home, logon drive</emphasis>, and <emphasis>logon script</emphasis> are
environment support settings that help to facilitate client logon operations and that help
to provide automated control facilities to ease network management overheads. Please refer
to the man page information for these parameters.
@ -498,10 +498,10 @@ The basic options shown in <link linkend="pdc-example">this example</link> are e
</varlistentry>
<varlistentry><term>NETLOGON Share </term>
<listitem><para>
The NETLOGON share plays a central role in domain logon and Domain Membership support.
This share is provided on all Microsoft Domain Controllers. It is used to provide logon
scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common
tools that may be needed for logon processing. This is an essential share on a Domain Controller.
The NETLOGON share plays a central role in domain logon and domain membership support.
This share is provided on all Microsoft domain controllers. It is used to provide logon
scripts, to store group policy files (NTConfig.POL), as well as to locate other common
tools that may be needed for logon processing. This is an essential share on a domain controller.
</para></listitem>
</varlistentry>
<varlistentry><term>PROFILE Share </term>
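Review bot: NTConfig.POL is the NT4-style system policy file, and the rest of this chapter calls these "system policies" (the "Configuration of system policy handling" list item and the link to "System and Account Policies"), so "group policy files (NTConfig.POL)" should read "system policy files (NTConfig.POL)". Since the paragraph describes this share as the source of the logon scripts that clients run, it would also help the reader to state that the share must not be writable by ordinary users.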
@ -531,7 +531,7 @@ of operation. The following &smb.conf; parameters are the essentials alone:
</para>

<para>
The additional parameters shown in the longer listing above just makes for
The additional parameters shown in the longer listing in this section just make for
a more complete explanation.
</para></note>

@ -541,21 +541,21 @@ a more complete explanation.
<title>Samba ADS Domain Control</title>

<para>
Samba-3 is not, and cannot act as, an Active Directory Server. It cannot truly function as
an Active Directory Primary Domain Controller. The protocols for some of the functionality
of Active Directory Domain Controllers has been partially implemented on an experimental
Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as
an Active Directory PDC. The protocols for some of the functionality
of Active Directory domain controllers has been partially implemented on an experimental
only basis. Please do not expect Samba-3 to support these protocols. Do not depend
on any such functionality either now or in the future. The Samba Team may remove these
experimental features or may change their behavior. This is mentioned for the benefit of those
who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be
completed. The answer is maybe or maybe never!
completed. The answer is maybe someday or maybe never!
</para>

<para>
To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style
Domain Controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have
domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have
a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it
is not Windows Server 200x, it is not an Active Directory server. We hope this is plain and simple
is not Windows Server 200x: it is not an Active Directory server. We hope this is plain and simple
enough for all to understand.
</para>
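Review bot: subject-verb agreement in "The protocols for some of the functionality of Active Directory domain controllers has been partially implemented" is wrong and survives the edit; the subject is "protocols", so it should be "have been". "on an experimental only basis" also needs a hyphen ("experimental-only basis").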

@ -565,17 +565,17 @@ enough for all to understand.
<title>Domain and Network Logon Configuration</title>

<para>
The subject of Network or Domain Logons is discussed here because it forms
an integral part of the essential functionality that is provided by a Domain Controller.
The subject of network or domain logons is discussed here because it forms
an integral part of the essential functionality that is provided by a domain controller.
</para>

<sect2>
<title>Domain Network Logon Service</title>

<para>
All Domain Controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba). One Domain Controller must be configured with <smbconfoption name="domain master">Yes</smbconfoption>
(the Primary Domain Controller); on all Backup Domain Controllers <smbconfoption name="domain master">No</smbconfoption>
All domain controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba). One domain controller must be configured with <smbconfoption name="domain master">Yes</smbconfoption>
(the PDC); on all BDCs <smbconfoption name="domain master">No</smbconfoption>
must be set.
</para>
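Review bot: "domain logons" is an smb.conf parameter, so it should be marked up as <smbconfoption name="domain logons"/> (as the hunk at -404 already does) rather than <emphasis>, so that it renders and indexes the same way as the <smbconfoption name="domain master"> settings on the next two lines.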

@ -603,14 +603,14 @@ must be set.

<para>
To be completely clear: If you want MS Windows XP Home Edition to integrate with your
MS Windows NT4 or Active Directory Domain Security, understand it cannot be done.
MS Windows NT4 or Active Directory domain security, understand it cannot be done.
The only option is to purchase the upgrade from MS Windows XP Home Edition to
MS Windows XP Professional.
</para>

<note><para>
MS Windows XP Home Edition does not have the ability to join any type of Domain
Security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely
MS Windows XP Home Edition does not have the ability to join any type of domain
security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely
lacks the ability to log onto a network.
</para></note>

@ -645,26 +645,26 @@ It should be noted that browsing is totally orthogonal to logon support.

<para>
Issues related to the single-logon network model are discussed in this
section. Samba supports domain logons, network logon scripts and user
profiles for MS Windows for workgroups and MS Windows 9X/ME clients,
section. Samba supports domain logons, network logon scripts, and user
profiles for MS Windows for Workgroups and MS Windows 9x/Me clients,
which are the focus of this section.
</para>

<para>
When an SMB client in a domain wishes to logon, it broadcasts requests for a
logon server. The first one to reply gets the job, and validates its
When an SMB client in a domain wishes to log on, it broadcasts requests for a
logon server. The first one to reply gets the job and validates its
password using whatever mechanism the Samba administrator has installed.
It is possible (but ill advised ) to create a domain where the user
database is not shared between servers, i.e., they are effectively workgroup
It is possible (but ill advised) to create a domain where the user
database is not shared between servers; that is, they are effectively workgroup
servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely
involved with domains.
</para>

<para>
Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.
Using these features, you can make your clients verify their logon via
the Samba server, make clients run a batch file when they log on to
the network and download their preferences, desktop, and start menu.
</para>

<para><emphasis>
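Review bot: the paragraph states that the first logon server to answer the broadcast "gets the job and validates its password" and then calls an unshared user database "ill advised" without saying why; one sentence making the consequence explicit (the client accepts whichever server answers first, so every server that may answer must hold the same trusted account database) would turn the warning into something the reader can act on. "ill advised" as a predicate adjective is normally hyphenated ("ill-advised").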
@ -745,7 +745,7 @@ The main difference between a PDC and a Windows 9x/Me logon server configuration
<itemizedlist>
<listitem><para>
Password encryption is not required for a Windows 9x/Me logon server. But note
that beginning with MS Windows 98 the default setting is that plain-text
that beginning with MS Windows 98 the default setting is that plaintext
password support is disabled. It can be re-enabled with the registry
changes that are documented in <link linkend="PolicyMgmt">System and Account Policies</link>.
</para></listitem>
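Review bot: this item explains how plaintext password support "can be re-enabled" through registry changes but carries no caution, while the note two hunks down says plaintext passwords are "strongly discouraged"; either reference that note here or phrase this as "can be re-enabled (not recommended; see the note below)" so the two passages agree.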
@ -761,7 +761,7 @@ network logon services that MS Windows 9x/Me expect to find.
</para>

<note><para>
Use of plain-text passwords is strongly discouraged. Where used they are easily detected
Use of plaintext passwords is strongly discouraged. Where used they are easily detected
using a sniffer tool to examine network traffic.
</para></note>
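Review bot: "easily detected using a sniffer tool" understates the risk: what a sniffer does is capture the password itself, not merely detect that plaintext is in use. Suggest "Where used, they can be read by anyone able to capture the network traffic." (with the comma after "Where used").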

@ -773,39 +773,37 @@ using a sniffer tool to examine network traffic.

<para>
There are a few comments to make in order to tie up some loose ends. There has been
much debate over the issue of whether it is okay to configure Samba as a Domain
Controller in security modes other than user. The only security mode that will
much debate over the issue of whether it is okay to configure Samba as a domain
controller in security modes other than user. The only security mode that will
not work due to technical reasons is share-mode security. Domain and server mode
security are really just a variation on SMB User Level Security.
security are really just a variation on SMB user-level security.
</para>

<para>
Actually, this issue is also closely tied to the debate on whether
Samba must be the Domain Master Browser for its workgroup
when operating as a DC. While it may technically be possible
to configure a server as such (after all, browsing and domain logons
are two distinctly different functions), it is not a good idea to do
so. You should remember that the DC must register the DOMAIN<#1b> NetBIOS
name. This is the name used by Windows clients to locate the DC.
Windows clients do not distinguish between the DC and the DMB.
A DMB is a Domain Master Browser &smbmdash; see <link linkend="DMB">Configuring WORKGROUP Browsing</link> section.
For this reason, it is wise to configure the Samba DC as the DMB.
Actually, this issue is also closely tied to the debate on whether Samba must be the DMB for its workgroup
when operating as a domain controller. While it may technically be possible to configure a server as such
(after all, browsing and domain logons are two distinctly different functions), it is not a good idea to do
so. You should remember that the domain controller must register the DOMAIN<#1b> NetBIOS name. This is
the name used by Windows clients to locate the domain controller. Windows clients do not distinguish between
the domain controller and the DMB. A DMB is a Domain Master Browser &smbmdash; see <link
linkend="NetworkBrowsing">The Network Browsing Chapter</link>, <link linkend="DMB">Configuring WORKGROUP
Browsing</link> section. For this reason, it is wise to configure the Samba domain controller as the DMB.
</para>

<para>
Now back to the issue of configuring a Samba DC to use a mode other than
Now back to the issue of configuring a Samba domain controller to use a mode other than
<smbconfoption name="security">user</smbconfoption>. If a Samba host is
configured to use another SMB server or DC in order to validate user connection requests,
configured to use another SMB server or domain controller in order to validate user connection requests,
it is a fact that some other machine on the network (the <smbconfoption name="password server"/>)
knows more about the user than the Samba host. About 99% of the time, this other host is
a Domain Controller. Now to operate in domain mode security, the <smbconfoption name="workgroup"/>
parameter must be set to the name of the Windows NT domain (which already has a Domain Controller).
If the domain does not already have a Domain Controller, you do not yet have a Domain.
knows more about the user than the Samba host. About 99 percent of the time, this other host is
a domain controller. Now to operate in domain mode security, the <smbconfoption name="workgroup"/>
parameter must be set to the name of the Windows NT domain (which already has a domain controller).
If the domain does not already have a domain controller, you do not yet have a domain.
</para>

<para>
Configuring a Samba box as a DC for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba DC
Configuring a Samba box as a domain controller for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba domain controller
to be the DMB for its domain and set <smbconfoption name="security">user</smbconfoption>.
This is the only officially supported mode of operation.
</para>
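Review bot: "DOMAIN<#1b>" on the rewritten line is not well-formed XML if it appears in the source exactly as shown here; check that it is escaped (DOMAIN&lt;#1b&gt;) or wrapped in <literal>. Also, "A DMB is a Domain Master Browser" keeps the capitalized form while this same hunk lowercases "domain master browser" elsewhere, and the cross-reference now reads "see The Network Browsing Chapter, Configuring WORKGROUP Browsing section", which needs a connecting phrase ("the Configuring WORKGROUP Browsing section of the Network Browsing chapter").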
@ -858,9 +856,9 @@ will remove all network drive connections:

<para>
Further, if the machine is already a <quote>member of a workgroup</quote> that
is the same name as the domain you are joining (bad idea) you will
get this message. Change the workgroup name to something else, it
does not matter what, reboot, and try again.
is the same name as the domain you are joining (bad idea), you will
get this message. Change the workgroup name to something else &smbmdash; it
does not matter what &smbmdash; reboot, and try again.
</para>
</sect2>

@ -869,7 +867,7 @@ does not matter what, reboot, and try again.

<para><quote>I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, <errorname>`The system
cannot log you on (C000019B), Please try again or consult your
cannot log you on (C000019B). Please try again or consult your
system administrator</errorname> when attempting to logon.'</quote>
</para>
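Review bot: the quoting of the error message is inconsistent: the opening backtick sits inside <errorname> while the closing apostrophe comes after "when attempting to logon", outside the element. The hunk at -905 switches the same construct to double quotes; do the same here and close the quote at </errorname>. "when attempting to logon" should also be "log on", the verb form used elsewhere in this diff.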

@ -893,9 +891,9 @@ To reset or change the domain SID you can use the net command as follows:
</para>

<para>
Workstation Machine Trust Accounts work only with the Domain (or network) SID. If this SID changes
Domain Members (workstations) will not be able to log onto the domain. The original Domain SID
can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join
Workstation Machine Trust Accounts work only with the domain (or network) SID. If this SID changes,
domain members (workstations) will not be able to log onto the domain. The original domain SID
can be recovered from the secrets.tdb file. The alternative is to visit each workstation to rejoin
it to the domain.
</para>
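Review bot: "The original domain SID can be recovered from the secrets.tdb file" only holds if a copy of secrets.tdb from before the SID changed is available, since the live file holds the new SID; say "from a backup of secrets.tdb", which also tells the reader why that file is worth backing up. Wrap secrets.tdb in <filename>, as smbpasswd is in the next section.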

@ -905,20 +903,20 @@ it to the domain.
<title>The Machine Trust Account Is Not Accessible</title>

<para>
<quote>When I try to join the domain I get the message, <errorname>`The machine account
for this computer either does not exist or is not accessible'</errorname>. What's
<quote>When I try to join the domain I get the message, <errorname>"The machine account
for this computer either does not exist or is not accessible</errorname>." What's
wrong?</quote>
</para>

<para>
This problem is caused by the PDC not having a suitable Machine Trust Account.
If you are using the <smbconfoption name="add machine script"/> method to create
accounts then this would indicate that it has not worked. Ensure the domain
accounts, then this would indicate that it has not worked. Ensure the domain
admin user system is working.
</para>

<para>
Alternately, if you are creating account entries manually then they
Alternately, if you are creating account entries manually, then they
have not been created correctly. Make sure that you have the entry
correct for the Machine Trust Account in <filename>smbpasswd</filename> file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
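Review bot: the rewritten error message opens the double quote inside <errorname> ("The machine account) but closes it outside (accessible</errorname>."); keep both quotes on the same side of the element, preferably inside it so the element contains exactly the message text. "Alternately" should be "Alternatively", and "in <filename>smbpasswd</filename> file" is missing "the".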
@ -936,7 +934,7 @@ client can cause this problem. Make sure that these are consistent for both cli
<sect2>
<title>Account Disabled</title>

<para><quote>When I attempt to login to a Samba Domain from a NT4/W200x workstation,
<para><quote>When I attempt to log in to a Samba domain from a NT4/W200x workstation,
I get a message about my account being disabled.</quote></para>

<para>
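Review bot: "from a NT4/W200x workstation" should be "from an NT4/W200x workstation" (NT starts with a vowel sound); the article was left unchanged while the rest of the line was edited.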
@ -952,7 +950,7 @@ Enable the user accounts with <userinput>smbpasswd -e <replaceable>username</rep
<para><quote>Until a few minutes after Samba has started, clients get the error `Domain Controller Unavailable'</quote></para>

<para>
A Domain Controller has to announce its role on the network. This usually takes a while. Be patient for up to fifteen minutes,
A domain controller has to announce its role on the network. This usually takes a while. Be patient for up to 15 minutes,
then try again.
</para>
</sect2>
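Review bot: the error string `Domain Controller Unavailable' on the unchanged context line still uses backtick/apostrophe quoting as bare text, while the other error messages in this diff are moved to double quotes inside <errorname>; give this one the same treatment for consistency.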
@ -964,21 +962,21 @@ then try again.
<indexterm><primary>schannel</primary></indexterm>
<indexterm><primary>signing</primary></indexterm>
After successfully joining the domain, user logons fail with one of two messages: one to the
effect that the Domain Controller cannot be found; the other claims that the account does not
effect that the domain controller cannot be found; the other claims that the account does not
exist in the domain or that the password is incorrect. This may be due to incompatible
settings between the Windows client and the Samba-3 server for <emphasis>schannel</emphasis>
(secure channel) settings or <emphasis>smb signing</emphasis> settings. Check your Samba
settings for <emphasis> client schannel, server schannel, client signing, server signing</emphasis>
by executing:
settings for <emphasis>client schannel</emphasis>, <emphasis>server schannel</emphasis>,
<emphasis>client signing</emphasis>, <emphasis>server signing</emphasis> by executing:
<screen>
<command>testparm -v | more</command> and looking for the value of these parameters.
</screen>
</para>

<para>
Also use the Microsoft Management Console &smbmdash; Local Security Settings. This tool is available from the
Also use the MMC &smbmdash; Local Security Settings. This tool is available from the
Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by
<emphasis>Secure Channel: ..., and Digitally sign ....</emphasis>.
<emphasis>Secure Channel:..., and Digitally sign...</emphasis>.
</para>

<para>
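Review bot: the explanatory words "and looking for the value of these parameters." sit inside <screen> together with the command, so they render as if they were part of the terminal session; move them after </screen> (or put the sentence before the screen block and leave only testparm -v | more inside). This hunk also drops the expansion "Microsoft Management Console" in favour of "MMC" without introducing the acronym. Since the paragraph attributes the failure to mismatched schannel and signing settings, it would be worth stating that the fix is to make client and server agree with signing and secure channel enabled on both sides, not to relax them on the server.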
@ -37,23 +37,20 @@ as follows:
<indexterm><primary>encrypted passwords</primary></indexterm>
</para>

<?latex \newpage ?>

<sect2>
<title>Backward Compatibility Backends</title>

<variablelist>
<varlistentry><term>Plain Text</term>
<varlistentry><term>Plaintext</term>
<listitem>
<para>
This isn't really a backend at all, but is listed here for simplicity. Samba can be
configured to pass plaintext authentication requests to the traditional UNIX/Linux
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
style subsystems. On systems that have Pluggable Authentication Modules (PAM)
support, all PAM modules are supported. The behavior is just as it was with
Samba-2.2.x, and the protocol limitations imposed by MS Windows clients
apply likewise. Please refer to <link linkend="passdbtech">Technical Information</link> for more information
regarding the limitations of Plain Text password usage.
This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass
plaintext authentication requests to the traditional UNIX/Linux <filename>/etc/passwd</filename> and
<filename>/etc/shadow</filename>-style subsystems. On systems that have Pluggable Authentication Modules
(PAM) support, all PAM modules are supported. The behavior is just as it was with Samba-2.2.x, and the
protocol limitations imposed by MS Windows clients apply likewise. Please refer to <link
linkend="passdbtech">Technical Information</link>, for more information regarding the limitations of plaintext
password usage.
</para>
</listitem>
</varlistentry>
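Review bot: "Technical Information</link>, for more information" has the same spurious comma after the link as the Domain Membership reference in the first file; drop it. "This isn't" also sits oddly in reference prose; "This is not" reads better.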
@ -63,11 +60,11 @@ as follows:
<para>
This option allows continued use of the <filename>smbpasswd</filename>
file that maintains a plain ASCII (text) layout that includes the MS Windows
LanMan and NT encrypted passwords as well as a field that stores some
LanMan and NT-encrypted passwords as well as a field that stores some
account information. This form of password backend does not store any of
the MS Windows NT/200x SAM (Security Account Manager) information required to
provide the extended controls that are needed for more comprehensive
inter-operation with MS Windows NT4/200x servers.
interoperation with MS Windows NT4/200x servers.
</para>

<para>
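Review bot: "LanMan and NT-encrypted passwords" changes the meaning: LanMan and NT are two separate hash formats stored in the file, so the hyphen should not bind "encrypted" to NT alone; "LanMan and NT password hashes" says what the file holds. Because those hashes are password equivalents for MS Windows clients, this entry is also the place to remind the reader that the smbpasswd file must be readable by root only.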
@ -108,13 +105,13 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem>
<para>
This backend provides a rich database backend for local servers. This
backend is not suitable for multiple Domain Controllers (i.e., PDC + one
backend is not suitable for multiple domain controllers (i.e., PDC + one
or more BDC) installations.
</para>

<para>
The <emphasis>tdbsam</emphasis> password backend stores the old <emphasis>
smbpasswd</emphasis> information plus the extended MS Windows NT / 200x
smbpasswd</emphasis> information plus the extended MS Windows NT/200x
SAM information into a binary format TDB (trivial database) file.
The inclusion of the extended information makes it possible for Samba-3
to implement the same account and system access controls that are possible
|
||||
@ -146,14 +143,14 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
The new LDAP implementation significantly expands the control abilities that
were possible with prior versions of Samba. It is now possible to specify
<quote>per user</quote> profile settings, home directories, account access controls, and
<quote>per-user</quote> profile settings, home directories, account access controls, and
much more. Corporate sites will see that the Samba Team has listened to their
requests both for capability and to allow greater scalability.
requests both for capability and greater scalability.
</para>
</listitem>
</varlistentry>

<varlistentry><term>mysqlsam (MySQL based backend)</term>
<varlistentry><term>mysqlsam (MySQL-based backend)</term>
<listitem>
<para>
It is expected that the MySQL-based SAM will be very popular in some corners.
@ -163,18 +160,18 @@ Samba-3 introduces a number of new password backend capabilities.
</listitem>
</varlistentry>

<varlistentry><term>pgsqlsam (PostGreSQL based backend)</term>
<varlistentry><term>pgsqlsam (PostGreSQL-based backend)</term>
<listitem>
<para>
Stores user information in a PostgreSQL database.
This backend is largely undocumented at
the moment, though it's configuration is very similar to
the moment, though its configuration is very similar to
that of the mysqlsam backend.
</para>
</listitem>
</varlistentry>

<varlistentry><term>xmlsam (XML based datafile)</term>
<varlistentry><term>xmlsam (XML-based datafile)</term>
<listitem>
<para>
<indexterm><primary>pdbedit</primary></indexterm>
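Review bot: the term "pgsqlsam (PostGreSQL-based backend)" keeps the odd capitalisation while the description directly below it says "PostgreSQL"; use "PostgreSQL-based backend" so the term and the body text agree.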
@ -186,7 +183,7 @@ Samba-3 introduces a number of new password backend capabilities.

<para>
The <parameter>xmlsam</parameter> option can be useful for account migration between database
backends or backups. Use of this tool will allow the data to be edited before migration
backends or backups. Use of this tool allows the data to be edited before migration
into another backend format.
</para>
</listitem>
@ -202,15 +199,14 @@ Samba-3 introduces a number of new password backend capabilities.
<title>Technical Information</title>

<para>
Old Windows clients send plain text passwords over the wire. Samba can check these
Old Windows clients send plaintext passwords over the wire. Samba can check these
passwords by encrypting them and comparing them to the hash stored in the UNIX user database.
</para>

<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
Newer Windows clients send encrypted passwords (so-called LanMan and NT hashes) over
the wire, instead of plain text passwords. The newest clients will send only encrypted
passwords and refuse to send plain text passwords, unless their registry is tweaked.
Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over the wire. The newest clients will send only encrypted
passwords and refuse to send plaintext passwords unless their registry is tweaked.
</para>

<para>
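Review bot: the rewritten line "Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over the wire. The newest clients will send only encrypted" is far longer than the wrap width used everywhere else in this file; reflow it to the surrounding line length. In the first paragraph, "Samba can check these passwords by encrypting them and comparing them to the hash" describes a hash comparison, so "hashing them" is the accurate verb and matches the "hashed values" wording used later in the chapter.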
@ -221,7 +217,7 @@ Samba-3 introduces a number of new password backend capabilities.

<para>
In addition to differently encrypted passwords, Windows also stores certain data for each
user that is not stored in a UNIX user database. For example, workstations the user may logon from,
user that is not stored in a UNIX user database: for example, workstations the user may logon from,
the location where the user's profile is stored, and so on. Samba retrieves and stores this
information using a <smbconfoption name="passdb backend"/>. Commonly available backends are LDAP, plain text
file, and MySQL. For more information, see the man page for &smb.conf; regarding the
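Review bot: "workstations the user may logon from" uses the noun form where a verb is needed; it should read "log on from". The untouched "plain text file" in the list of backends is also one of the spots this patch is normalising: since "plaintext" in this file now means an unencrypted password, call the smbpasswd file a "plain-text file" (or name it, "the smbpasswd file") so the list does not suggest it stores plaintext passwords.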
@ -235,10 +231,11 @@ Samba-3 introduces a number of new password backend capabilities.
</figure>

<para>
<indexterm><primary>SID</primary></indexterm>
The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd is not running, or cannot
be contacted, then only local SID/UID resolution is possible. See <link linkend="idmap-sid2uid">resolution of SIDs to UIDs</link> and
<link linkend="idmap-uid2sid">resolution of UIDs to SIDs</link> diagrams.
<indexterm><primary>SID</primary></indexterm>
The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd
is not running or cannot be contacted, then only local SID/UID resolution is possible. See <link
linkend="idmap-sid2uid">resolution of SIDs to UIDs</link> and <link linkend="idmap-uid2sid">resolution of UIDs
to SIDs</link> diagrams.
</para>

<figure id="idmap-uid2sid">
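Review bot: "See <link ...>resolution of SIDs to UIDs</link> and <link ...>resolution of UIDs to SIDs</link> diagrams" is missing an article; "See the ... diagrams" reads correctly. The reflow itself is fine.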
@ -253,20 +250,20 @@ Samba-3 introduces a number of new password backend capabilities.
The UNIX and SMB password encryption techniques seem similar on the surface. This
similarity is, however, only skin deep. The UNIX scheme typically sends clear-text
passwords over the network when logging in. This is bad. The SMB encryption scheme
never sends the clear-text password over the network but it does store the 16 byte
never sends the clear-text password over the network, but it does store the 16-byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed values
are a <quote>password equivalent.</quote> You cannot derive the user's password from them, but
they could potentially be used in a modified client to gain access to a server.
This would require considerable technical knowledge on behalf of the attacker but
is perfectly possible. You should thus treat the data stored in whatever passdb
is perfectly possible. You should therefore treat the data stored in whatever passdb
backend you use (smbpasswd file, LDAP, MYSQL) as though it contained the clear-text
passwords of all your users. Its contents must be kept secret and the file should
passwords of all your users. Its contents must be kept secret, and the file should
be protected accordingly.
</para>

<para>
Ideally, we would like a password scheme that involves neither plain text passwords
on the network nor on disk. Unfortunately, this is not available as Samba is stuck with
Ideally, we would like a password scheme that involves neither plaintext passwords
on the network nor plaintext passwords on disk. Unfortunately, this is not available because Samba is stuck with
having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me).
</para>

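Review bot: this hunk hyphenates "16-byte" on one line but leaves "16 byte hashed values" unhyphenated two lines later; make both "16-byte". Likewise "clear-text" appears three times here while the rest of the patch standardises on "plaintext", and "(smbpasswd file, LDAP, MYSQL)" should be "MySQL" as in the backend descriptions above. The substance of the paragraph, that the stored hashes are password equivalents and the passdb backend must be protected as if it held the clear-text passwords, is correct and should stay exactly this strong.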
@ -290,7 +287,7 @@ Samba-3 introduces a number of new password backend capabilities.

<note>
<para>
MS Windows XP Home does not have facilities to become a Domain Member and it cannot participate in domain logons.
MS Windows XP Home does not have facilities to become a domain member, and it cannot participate in domain logons.
</para>
</note>

@ -308,18 +305,18 @@ Samba-3 introduces a number of new password backend capabilities.

<para>
All current releases of Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling clear-text authentication
SMB challenge/response mechanism described here. Enabling clear-text authentication
does not disable the ability of the client to participate in encrypted authentication.
Instead, it allows the client to negotiate either plain text or encrypted password
Instead, it allows the client to negotiate either plaintext or encrypted password
handling.
</para>

<para>
MS Windows clients will cache the encrypted password alone. Where plain text passwords
are re-enabled through the appropriate registry change, the plain text password is never
MS Windows clients will cache the encrypted password alone. Where plaintext passwords
are re-enabled through the appropriate registry change, the plaintext password is never
cached. This means that in the event that a network connections should become disconnected
(broken), only the cached (encrypted) password will be sent to the resource server to
effect an auto-reconnect. If the resource server does not support encrypted passwords the
effect an auto-reconnect. If the resource server does not support encrypted passwords, the
auto-reconnect will fail. Use of encrypted passwords is strongly advised.
</para>

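Review bot: "in the event that a network connections should become disconnected" has a singular/plural mismatch and is untouched by this hunk; "in the event that a network connection is broken" would do. The same hunk changes "plain text" to "plaintext" in the second paragraph while leaving "Enabling clear-text authentication" in the first, so the two terms now coexist a few lines apart; pick "plaintext" for both.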
@ -336,10 +333,10 @@ Samba-3 introduces a number of new password backend capabilities.

<listitem><para>Windows NT does not like talking to a server
that does not support encrypted passwords. It will refuse
to browse the server if the server is also in User Level
to browse the server if the server is also in user-level
security mode. It will insist on prompting the user for the
password on each connection, which is very annoying. The
only things you can do to stop this is to use SMB encryption.
only thing you can do to stop this is to use SMB encryption.
</para></listitem>

<listitem><para>Encrypted password support allows automatic share
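Review bot: "the only thing you can do to stop this is to use SMB encryption" is misleading in a list of reasons for encrypted passwords: the remedy for the NT prompting behaviour described in this item is enabling encrypted password support, not SMB transport encryption. Suggest "is to use encrypted passwords", which also lines up with the next item, "Encrypted password support allows ...". The "User Level" to "user-level" change is fine.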
@ -356,13 +353,13 @@ Samba-3 introduces a number of new password backend capabilities.

<itemizedlist>
<listitem><para>Plaintext passwords are not kept
on disk, and are not cached in memory. </para></listitem>
on disk and are not cached in memory. </para></listitem>

<listitem><para>Uses same password file as other UNIX
services such as Login and FTP.</para></listitem>
<listitem><para>Plaintext passwords use the same password file as other UNIX
services, such as Login and FTP.</para></listitem>

<listitem><para>Use of other services (such as Telnet and FTP) that
send plain text passwords over the network, so sending them for SMB
send plaintext passwords over the network makes sending them for SMB
is not such a big deal.</para></listitem>
</itemizedlist>
</sect3>
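Review bot: the third list item is still not a sentence after this change: "Use of other services (such as Telnet and FTP) that send plaintext passwords over the network makes sending them for SMB is not such a big deal" carries two main verbs. Drop "is" ("... makes sending them for SMB not such a big deal") or split it into two sentences.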
@ -373,12 +370,12 @@ Samba-3 introduces a number of new password backend capabilities.

<para>
Every operation in UNIX/Linux requires a user identifier (UID), just as in
MS Windows NT4/200x this requires a Security Identifier (SID). Samba provides
MS Windows NT4/200x this requires a security identifier (SID). Samba provides
two means for mapping an MS Windows user to a UNIX/Linux UID.
</para>

<para>
First, all Samba SAM (Security Account Manager database) accounts require
First, all Samba SAM database accounts require
a UNIX/Linux UID that the account will map to. As users are added to the account
information database, Samba will call the <smbconfoption name="add user script"/>
interface to add the account to the Samba host OS. In essence all accounts in
@ -388,7 +385,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>idmap gid</primary></indexterm>
The second way to effect Windows SID to UNIX UID mapping is via the
The second way to map Windows SID to UNIX UID is via the
<emphasis>idmap uid</emphasis> and <emphasis>idmap gid</emphasis> parameters in &smb.conf;.
Please refer to the man page for information about these parameters.
These parameters are essential when mapping users from a remote SAM server.
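Review bot: "The second way to map Windows SID to UNIX UID is via the" needs articles: "to map a Windows SID to a UNIX UID". Also, "idmap uid" and "idmap gid" are marked up with <emphasis> here while other smb.conf parameters in this file use <smbconfoption name="..."/> (for example "add user script" a few lines earlier); the option markup keeps rendering and indexing consistent.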
@ -402,7 +399,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
on all servers in a distributed network. A distributed network is one where there exists
a PDC, one or more BDCs and/or one or more Domain Member servers. Why is this important?
a PDC, one or more BDCs, and/or one or more domain member servers. Why is this important?
This is important if files are being shared over more than one protocol (e.g., NFS) and where
users are copying files across UNIX/Linux systems using tools such as <command>rsync</command>.
</para>
@ -411,23 +408,22 @@ Samba-3 introduces a number of new password backend capabilities.
<indexterm><primary>idmap backend</primary></indexterm>
The special facility is enabled using a parameter called <parameter>idmap backend</parameter>.
The default setting for this parameter is an empty string. Technically it is possible to use
an LDAP based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
network configurations that also use LDAP for the SAM backend. Following
<link linkend="idmapbackendexample">example</link> shows that.
an LDAP-based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
network configurations that also use LDAP for the SAM backend.
<link linkend="idmapbackendexample">Example Configuration with the LDAP idmap Backend</link>
shows that configuration.
</para>

<para>
<indexterm><primary>SAM backend</primary><secondary>ldapsam</secondary></indexterm>
<example id="idmapbackendexample">
<title>Example configuration with the LDAP idmap backend</title>
<title>Example Configuration with the LDAP idmap Backend</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="idmap backend">ldap:ldap://ldap-server.quenya.org:636</smbconfoption>
<smbconfcomment>Alternately, this could be specified as:</smbconfcomment>
<smbconfcomment>Alternatively, this could be specified as:</smbconfcomment>
<smbconfoption name="idmap backend">ldap:ldaps://ldap-server.quenya.org</smbconfoption>
</smbconfblock>
</example>
</para>

<para>
A network administrator who wants to make significant use of LDAP backends will sooner or later be
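Review bot: the <smbconfcomment> presents the second form as an alternative spelling of the first, but "ldap:ldap://ldap-server.quenya.org:636" and "ldap:ldaps://ldap-server.quenya.org" are not equivalent on their own: the first is a plain ldap:// URI aimed at the LDAPS port, and is only an encrypted connection if Samba's ldap ssl setting turns SSL on for it, whereas ldaps:// requests TLS by scheme. Since this backend carries the SID to UID mappings, the example should say which setting makes the first form encrypted, or show only the ldaps:// form. Separately, the new link text repeats the example title verbatim; an <xref linkend="idmapbackendexample"/> would keep the two in sync automatically.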
@ -438,9 +434,9 @@ Samba-3 introduces a number of new password backend capabilities.
<itemizedlist>
<listitem>
<para>
<emphasis>nss_ldap:</emphasis> An LDAP Name Service Switch module to provide native
<emphasis>nss_ldap:</emphasis> An LDAP name service switch (NSS) module to provide native
name service support for AIX, Linux, Solaris, and other operating systems. This tool
can be used for centralized storage and retrieval of UIDs/GIDs.
can be used for centralized storage and retrieval of UIDs and GIDs.
</para>
</listitem>

@ -453,7 +449,7 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem>
<para>
<emphasis>idmap_ad:</emphasis> An IDMAP backend that supports the Microsoft Services for
UNIX RFC 2307 schema available from the PADL web
UNIX RFC 2307 schema available from the PADL Web
<ulink url="http://www.padl.com/download/xad_oss_plugins.tar.gz">site</ulink>.
</para>
</listitem>
@ -467,7 +463,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and configuration
of an LDAP directory prior to integration with Samba. A working knowledge of LDAP makes Samba integration
easy and the lack of a working knowledge of LDAP can make it one a frustrating experience.
easy, and the lack of a working knowledge of LDAP can make it one a frustrating experience.
</para>

<para>
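Review bot: the comma added here leaves the actual defect on the line untouched: "can make it one a frustrating experience" should read "can make it a frustrating experience". "Samba doesn't" could also become "Samba does not" to match the register of the rest of the chapter.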
@ -476,32 +472,32 @@ Samba-3 introduces a number of new password backend capabilities.
</para>

<para>
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba.
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinquishable from each other, except that
the machine account ends in a '$' character, as do trust accounts.
the machine account ends in a $ character, as do trust accounts.
</para>

<para>
The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX uid
The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX UID
is a design decision that was made a long way back in the history of Samba development. It is
unlikely that this decision will be reversed of changed during the remaining life of the
unlikely that this decision will be reversed or changed during the remaining life of the
Samba-3.x series.
</para>

<para>
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The Name Service
Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the
must refer back to the host operating system on which Samba is running. The
NSS is the preferred mechanism that shields applications (like Samba) from the
need to know everything about every host OS it runs on.
</para>

<para>
Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>,
and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
Samba. Samba provides winbindd together with its support libraries as one method. It is
possible to do this via LDAP - and for that Samba provides the appropriate hooks so that
Samba. Samba provides winbindd with its support libraries as one method. It is
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
</para>

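Review bot: "indistinquishable" (for "indistinguishable") survives this hunk, and "Windows NT4/200X" uses a capital X where every other occurrence in the file writes "NT4/200x". Dropping the quotes around $ also leaves a bare $ in running text; <literal>$</literal> is the usual DocBook markup for naming a character. Replacing "Name Service Switcher (NSS)" with "NSS" is fine, since the expansion is given in the nss_ldap list item above.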
@ -522,15 +518,15 @@ Samba-3 introduces a number of new password backend capabilities.

<para>
<indexterm><primary>pdbedit</primary></indexterm>
Samba provides two tools for management of user and machine accounts. These tools are
called <command>smbpasswd</command> and <command>pdbedit</command>.
Samba provides two tools for management of user and machine accounts:
<command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<sect2>
<title>The <emphasis>smbpasswd</emphasis> Command</title>

<para>
The smbpasswd utility is similar to the <command>passwd</command>
or <command>yppasswd</command> programs. It maintains the two 32 byte password
and <command>yppasswd</command> programs. It maintains the two 32 byte password
fields in the passdb backend.
</para>

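Review bot: "the two 32 byte password fields" should be hyphenated ("32-byte") to match "16-byte" elsewhere in this patch, but the more important problem is that the number disagrees with the Technical Information section, which says the stored LanMan and NT values are 16-byte hashes; the smbpasswd file holds each hash as 32 hexadecimal characters, so "two 32-character (hex-encoded 16-byte hash) fields" would be accurate. Changing "or yppasswd" to "and yppasswd" is fine.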
@ -541,8 +537,8 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.

<para>
<command>smbpasswd</command> has the capability to change passwords on Windows NT
servers (this only works when the request is sent to the NT Primary Domain Controller
if changing an NT Domain user's password).
servers (this only works when the request is sent to the NT PDC
if changing an NT domain user's password).
</para>

<para>
@ -558,11 +554,11 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<listitem><para><emphasis>enable</emphasis> user or machine accounts.</para></listitem>
<listitem><para><emphasis>disable</emphasis> user or machine accounts.</para></listitem>
<listitem><para><emphasis>set to NULL</emphasis> user passwords.</para></listitem>
<listitem><para><emphasis>manage interdomain trust accounts.</emphasis></para></listitem>
<listitem><para><emphasis>manage</emphasis> interdomain trust accounts.</para></listitem>
</itemizedlist>

<para>
To run smbpasswd as a normal user just type:
To run smbpasswd as a normal user, just type:
</para>

<para>
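Review bot: the untouched list item "<emphasis>set to NULL</emphasis> user passwords" breaks the verb-first pattern that the "manage" fix on the next line restores; "<emphasis>set</emphasis> user passwords to null" keeps the list uniform. Since this is the reader's first encounter with the capability, the item should also say plainly that a null password leaves the account with no secret protecting it.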
@ -570,7 +566,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
&prompt;<userinput>smbpasswd</userinput>
<prompt>Old SMB password: </prompt><userinput><replaceable>secret</replaceable></userinput>
</screen>
For <replaceable>secret</replaceable>, type old value here or press return if
For <replaceable>secret</replaceable>, type the old value here or press return if
there is no old password.
<screen>
<prompt>New SMB Password: </prompt><userinput><replaceable>new secret</replaceable></userinput>
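Review bot: the two prompts in this screen are capitalised differently, "Old SMB password:" and "New SMB Password:"; since these are quoted program output, check which form smbpasswd actually prints and make both lines match it rather than editing one by hand.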
@ -584,13 +580,13 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
</para>

<para>
When invoked by an ordinary user, the command will only allow the user to change his or her own
When invoked by an ordinary user, the command will allow only the user to change his or her own
SMB password.
</para>

<para>
When run by root, <command>smbpasswd</command> may take an optional argument specifying
the user name whose SMB password you wish to change. When run as root, <command>smbpasswd</command>
the username whose SMB password you wish to change. When run as root, <command>smbpasswd</command>
does not prompt for or check the old password value, thus allowing root to set passwords
for users who have forgotten their passwords.
</para>
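Review bot: moving "only" produces "the command will allow only the user to change his or her own SMB password", which says that nobody but that user may run it; the intended meaning is that the user may change nothing but their own password. "the command allows the user to change only his or her own SMB password" says that. The "user name" to "username" change is fine.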
@ -598,7 +594,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<para>
<command>smbpasswd</command> is designed to work in the way familiar to UNIX
users who use the <command>passwd</command> or <command>yppasswd</command> commands.
While designed for administrative use, this tool provides essential User Level
While designed for administrative use, this tool provides essential user-level
password change capabilities.
</para>

@ -621,7 +617,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
</para>

<itemizedlist>
<listitem><para>add, remove or modify user accounts.</para></listitem>
<listitem><para>add, remove, or modify user accounts.</para></listitem>
<listitem><para>list user accounts.</para></listitem>
<listitem><para>migrate user accounts.</para></listitem>
</itemizedlist>
@ -630,7 +626,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<indexterm><primary>pdbedit</primary></indexterm>
The <command>pdbedit</command> tool is the only one that can manage the account
security and policy settings. It is capable of all operations that smbpasswd can
do as well as a super set of them.
do as well as a superset of them.
</para>

<para>
@ -672,7 +668,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
<para>
<indexterm><primary>pdbedit</primary></indexterm>
The <command>pdbedit</command> tool allows migration of authentication (account)
databases from one backend to another. For example: To migrate accounts from an
databases from one backend to another. For example, to migrate accounts from an
old <filename>smbpasswd</filename> database to a <parameter>tdbsam</parameter>
backend:
</para>
@ -690,7 +686,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
</para></step>

<step><para>
Now remove the <parameter>smbpasswd</parameter> from the passdb backend
Remove the <parameter>smbpasswd</parameter> from the passdb backend
configuration in &smb.conf;.
</para></step>
</procedure>
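Review bot: "Remove the <parameter>smbpasswd</parameter> from the passdb backend configuration" is missing a noun after the parameter name; since this step is about the backend list in &smb.conf; rather than the file, "Remove the <parameter>smbpasswd</parameter> backend from the passdb backend configuration" says what is meant.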
@ -708,7 +704,7 @@ capability.
</para>

<para>
It is possible to specify not only multiple different password backends, but even multiple
It is possible to specify not only multiple password backends, but even multiple
backends of the same type. For example, to use two different tdbsam databases:
</para>

@ -726,15 +722,15 @@ backends of the same type. For example, to use two different tdbsam databases:
Older versions of Samba retrieved user information from the UNIX user database
and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
SMB specific data is stored at all. Instead all operations are conducted via the way
SMB-specific data is stored at all. Instead, all operations are conducted via the way
that the Samba host OS will access its <filename>/etc/passwd</filename> database.
Linux systems For example, all operations are done via PAM.
On Linux systems, for example, all operations are done via PAM.
</para>

</sect2>

<sect2>
<title>smbpasswd &smbmdash; Encrypted Password Database</title>
<title>smbpasswd: Encrypted Password Database</title>

<para>
<indexterm><primary>SAM backend</primary><secondary>smbpasswd</secondary></indexterm>
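Review bot: "and eventually some other fields from the file" uses "eventually" in the sense of "possibly", which is not what the word means in English; "and, optionally, some other fields" is presumably intended. "all operations are conducted via the way that the Samba host OS will access its /etc/passwd database" is also awkward and untouched; "all operations go through whatever mechanism the Samba host OS uses to access its <filename>/etc/passwd</filename> database" reads more clearly. The title change from &smbmdash; to a colon is fine.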
@ -755,29 +751,29 @@ backends of the same type. For example, to use two different tdbsam databases:
</para></listitem>

<listitem><para>
The second problem is that administrators who desire to replicate a smbpasswd file
to more than one Samba server were left to use external tools such as
<command>rsync(1)</command> and <command>ssh(1)</command> and wrote custom,
The second problem is that administrators who desire to replicate an smbpasswd file
to more than one Samba server are left to use external tools such as
<command>rsync(1)</command> and <command>ssh(1)</command> and write custom,
in-house scripts.
</para></listitem>

<listitem><para>
Finally, the amount of information that is stored in an smbpasswd entry leaves
no room for additional attributes such as a home directory, password expiration time,
or even a Relative Identifier (RID).
or even a relative identifier (RID).
</para></listitem>
</itemizedlist>

<para>
As a result of these deficiencies, a more robust means of storing user attributes
used by smbd was developed. The API which defines access to user accounts
is commonly referred to as the samdb interface (previously this was called the passdb
API, and is still so named in the Samba CVS trees).
used by smbd was developed. The API that defines access to user accounts
is commonly referred to as the samdb interface (previously, this was called the passdb
API and is still so named in the Samba CVS trees).
</para>

<para>
Samba provides an enhanced set of passdb backends that overcome the deficiencies
of the smbpasswd plain text database. These are tdbsam, ldapsam and xmlsam.
of the smbpasswd plaintext database. These are tdbsam, ldapsam, and xmlsam.
Of these, ldapsam will be of most interest to large corporate or enterprise sites.
</para>

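Review bot: "the smbpasswd plaintext database" now collides with the meaning this patch gives "plaintext" everywhere else (an unencrypted password): the smbpasswd file is a plain-text (ASCII) file holding password hashes, as the backend description near the top of the file puts it ("a plain ASCII (text) layout"), not a store of plaintext passwords. Suggest "the smbpasswd plain-text (ASCII) file". The list "tdbsam, ldapsam, and xmlsam" also omits mysqlsam and pgsqlsam, which this same file lists as passdb backends above.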
@ -788,7 +784,7 @@ backends of the same type. For example, to use two different tdbsam databases:

<para>
<indexterm><primary>SAM backend</primary><secondary>tdbsam</secondary></indexterm>
Samba can store user and machine account data in a <quote>TDB</quote> (Trivial Database).
Samba can store user and machine account data in a <quote>TDB</quote> (trivial database).
Using this backend does not require any additional configuration. This backend is
recommended for new installations that do not require LDAP.
</para>
@ -801,10 +797,10 @@ backends of the same type. For example, to use two different tdbsam databases:
</para>

<para>
The recommendation of a 250 user limit is purely based on the notion that this
The recommendation of a 250-user limit is purely based on the notion that this
would generally involve a site that has routed networks, possibly spread across
more than one physical location. The Samba Team has not at this time established
the performance based scalability limits of the tdbsam architecture.
the performance-based scalability limits of the tdbsam architecture.
</para>

</sect2>
@ -820,7 +816,7 @@ backends of the same type. For example, to use two different tdbsam databases:

<itemizedlist>
<listitem><para>A means of retrieving user account information from
an Windows 200x Active Directory server.</para></listitem>
a Windows 200x Active Directory server.</para></listitem>
<listitem><para>A means of replacing /etc/passwd.</para></listitem>
</itemizedlist>

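Review bot: "/etc/passwd" in the second list item is bare while every other mention of that file in this patch uses <filename>/etc/passwd</filename>; wrap it for consistency.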
@ -828,9 +824,9 @@ backends of the same type. For example, to use two different tdbsam databases:
The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
versions of these libraries can be obtained from
<ulink url="http://www.padl.com/">PADL Software</ulink>.
More information about the configuration of these packages may be found at
More information about the configuration of these packages may be found in
<ulink url="http://safari.oreilly.com/?XmlId=1-56592-491-6">
<emphasis>LDAP, System Administration</emphasis>; Gerald Carter by O'Reilly; Chapter 6: Replacing NIS."</ulink>
<emphasis>LDAP, System Administration</emphasis> by Gerald Carter, Chapter 6, Replacing NIS"</ulink>.
</para>

<para>
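Review bot: the rewritten citation still ends with a stray double quote, "Chapter 6, Replacing NIS"</ulink>."; either drop it or quote the chapter title on both sides. The rewrite also drops the publisher (O'Reilly) that the previous wording carried; if the reference is meant to be complete, keep it.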
@ -847,7 +843,7 @@ backends of the same type. For example, to use two different tdbsam databases:
</itemizedlist>

<para>
Two additional Samba resources which may prove to be helpful are:
Two additional Samba resources that may prove to be helpful are:
</para>

<itemizedlist>
@ -855,7 +851,7 @@ backends of the same type. For example, to use two different tdbsam databases:
|
||||
maintained by Ignacio Coupeau.</para></listitem>
|
||||
|
||||
<listitem><para>The NT migration scripts from <ulink url="http://samba.idealx.org/">IDEALX</ulink> that are
geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
geared to manage users and groups in such a Samba-LDAP domain controller configuration.
</para></listitem>
</itemizedlist>
@ -863,10 +859,10 @@ backends of the same type. For example, to use two different tdbsam databases:
<title>Supported LDAP Servers</title>
<para>
The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
The LDAP ldapsam code was developed and tested using the OpenLDAP 2.0 and 2.1 server and
client libraries. The same code should work with Netscape's Directory Server and client SDK.
However, there are bound to be compile errors and bugs. These should not be hard to fix.
Please submit fixes via the process outlined in <link linkend="bugreport">Reporting Bugs</link> chapter.
Please submit fixes via the process outlined in <link linkend="bugreport">Reporting Bugs</link>.
</para>
</sect3>
@ -904,8 +900,8 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
<para>
Just as the smbpasswd file is meant to store information that provides information additional to a
user's <filename>/etc/passwd</filename> entry, so is the sambaSamAccount object
meant to supplement the UNIX user account information. A sambaSamAccount is a
<constant>AUXILIARY</constant> ObjectClass so it can be used to augment existing
meant to supplement the UNIX user account information. A sambaSamAccount is an
<constant>AUXILIARY</constant> ObjectClass, so it can be used to augment existing
user account information in the LDAP directory, thus providing information needed
for Samba account handling. However, there are several fields (e.g., uid) that overlap
with the posixAccount ObjectClass outlined in RFC2307. This is by design.
@ -916,9 +912,9 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
<para>
In order to store all user account information (UNIX and Samba) in the directory,
it is necessary to use the sambaSamAccount and posixAccount ObjectClass es in
it is necessary to use the sambaSamAccount and posixAccount ObjectClasses in
combination. However, smbd will still obtain the user's UNIX account
information via the standard C library calls (e.g., getpwnam(), et al).
information via the standard C library calls, such as getpwnam().
This means that the Samba server must also have the LDAP NSS library installed
and functioning correctly. This division of information makes it possible to
store all Samba account information in LDAP, but still maintain UNIX account
@ -968,7 +964,7 @@ include /etc/openldap/schema/samba.schema
<para>
It is recommended that you maintain some indices on some of the most useful attributes,
as in the following example, to speed up searches made on sambaSamAccount objectclasses
as in the following example, to speed up searches made on sambaSamAccount ObjectClasses
(and possibly posixAccount and posixGroup as well):
</para>
@ -1024,7 +1020,7 @@ index default sub
<title>Initialize the LDAP Database</title>
<para>
Before you can add accounts to the LDAP database you must create the account containers
Before you can add accounts to the LDAP database, you must create the account containers
that they will be stored in. The following LDIF file should be modified to match your
needs (DNS entries, and so on):
</para>
@ -1111,8 +1107,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<note>
<para>
Before Samba can access the LDAP server you need to store the LDAP admin password
into the Samba-3 <filename>secrets.tdb</filename> database by:
Before Samba can access the LDAP server, you need to store the LDAP admin password
in the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
&rootprompt;<userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
</screen>
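Review bot: Missing documentation next to `&rootprompt;<userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>`: the LDAP admin password is given as a command-line argument, so it is recorded in the root shell's history and is visible in the process list while the command runs. A sentence advising the administrator to remove that history entry afterwards, and a reminder that `secrets.tdb` now holds a directory credential and must remain readable by root only, would fit in this note.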
@ -1130,7 +1126,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
LDAP libraries are found.
</para>
<para>LDAP related smb.conf options:
<para>LDAP-related smb.conf options are
<smbconfoption name="passdb backend">ldapsam:url</smbconfoption>,
<smbconfoption name="ldap admin dn"/>,
<smbconfoption name="ldap delete dn"/>,
@ -1146,8 +1142,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
These are described in the &smb.conf; man
page and so will not be repeated here. However, a <link linkend="confldapex">sample &smb.conf; file</link> for
use with an LDAP directory could appear as shown below.
page and so are not repeated here. However, a <link linkend="confldapex">sample &smb.conf; file</link> for
use with an LDAP directory could appear as in Example 10.4.1.
</para>
<example id="confldapex">
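Review bot: Hard-coding a generated number in `use with an LDAP directory could appear as in Example 10.4.1.` will go stale as soon as an example or section is inserted before it. The `<link linkend="confldapex">` earlier in the same sentence already resolves to that example, so either let the stylesheet produce the number (an `<xref linkend="confldapex"/>`) or keep the wording `as shown in the following example`.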
@ -1204,13 +1200,13 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<indexterm><primary>User Management</primary></indexterm>
<indexterm><primary>User Accounts</primary><secondary>Adding/Deleting</secondary></indexterm>
As user accounts are managed through the sambaSamAccount objectclass, you should
Because user accounts are managed through the sambaSamAccount ObjectClass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</para>
<para>
Machine accounts are managed with the sambaSamAccount objectclass, just
like users accounts. However, it is up to you to store those accounts
Machine accounts are managed with the sambaSamAccount ObjectClass, just
like user accounts. However, it is up to you to store those accounts
in a different tree of your LDAP namespace. You should use
<quote>ou=Groups,dc=quenya,dc=org</quote> to store groups and
<quote>ou=People,dc=quenya,dc=org</quote> to store users. Just configure your
@ -1220,7 +1216,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
In Samba-3, the group management system is based on POSIX
groups. This means that Samba makes use of the posixGroup objectclass.
groups. This means that Samba makes use of the posixGroup ObjectClass.
For now, there is no NT-like group system management (global and local
groups). Samba-3 knows only about <constant>Domain Groups</constant>
and, unlike MS Windows 2000 and Active Directory, Samba-3 does not
@ -1248,8 +1244,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
These password hashes are clear-text equivalents and can be used to impersonate
the user without deriving the original clear-text strings. For more information
on the details of LM/NT password hashes, refer to the
<link linkend="passdb">Account Information Database</link> section of this chapter.
on the details of LM/NT password hashes, refer to <link linkend="passdb">the Account Information
Database section</link>.
</para>
<para>
@ -1288,44 +1284,44 @@ access to attrs=SambaLMPassword,SambaNTPassword
<sect3>
<title>LDAP Special Attributes for sambaSamAccounts</title>
<para> The sambaSamAccount objectclass is composed of the attributes shown in next tables: <link
<para> The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: <link
linkend="attribobjclPartA">Part A</link>, and <link linkend="attribobjclPartB">Part B</link>.
</para>
<para>
<table frame="all" id="attribobjclPartA">
<title>Attributes in the sambaSamAccount objectclass (LDAP) &smbmdash; Part A</title>
<title>Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</title>
<tgroup cols="2" align="justify">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
<row><entry><constant>sambaLMPassword</constant></entry><entry>The LANMAN password 16-byte hash stored as a character
<row><entry><constant>sambaLMPassword</constant></entry><entry>The LanMan password 16-byte hash stored as a character
representation of a hexadecimal string.</entry></row>
<row><entry><constant>sambaNTPassword</constant></entry><entry>The NT password hash 16-byte stored as a character
<row><entry><constant>sambaNTPassword</constant></entry><entry>The NT password 16-byte hash stored as a character
representation of a hexadecimal string.</entry></row>
<row><entry><constant>sambaPwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>sambaLMPassword</constant> and <constant>sambaNTPassword</constant> attributes were last set.
</entry></row>
<row><entry><constant>sambaAcctFlags</constant></entry><entry>String of 11 characters surrounded by square brackets []
<row><entry><constant>sambaAcctFlags</constant></entry><entry>String of 11 characters surrounded by square brackets [ ]
representing account flags such as U (user), W (workstation), X (no password expiration),
I (Domain trust account), H (Home dir required), S (Server trust account),
I (domain trust account), H (home dir required), S (server trust account),
and D (disabled).</entry></row>
<row><entry><constant>sambaLogonTime</constant></entry><entry>Integer value currently unused</entry></row>
<row><entry><constant>sambaLogonTime</constant></entry><entry>Integer value currently unused.</entry></row>
<row><entry><constant>sambaLogoffTime</constant></entry><entry>Integer value currently unused</entry></row>
<row><entry><constant>sambaLogoffTime</constant></entry><entry>Integer value currently unused.</entry></row>
<row><entry><constant>sambaKickoffTime</constant></entry><entry>Specifies the time (UNIX time format) when the user
will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire.
If you use this attribute together with `shadowExpire' of the `shadowAccount' objectClass, will enable accounts to
Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to
expire completely on an exact date.</entry></row>
<row><entry><constant>sambaPwdCanChange</constant></entry><entry>Specifies the time (UNIX time format) from which on the user is allowed to
<row><entry><constant>sambaPwdCanChange</constant></entry><entry>Specifies the time (UNIX time format) after which the user is allowed to
change his password. If attribute is not set, the user will be free to change his password whenever he wants.</entry></row>
<row><entry><constant>sambaPwdMustChange</constant></entry><entry>Specifies the time (UNIX time format) since when the user is
forced to change his password. If this value is set to `0', the user will have to change his password at first login.
<row><entry><constant>sambaPwdMustChange</constant></entry><entry>Specifies the time (UNIX time format) when the user is
forced to change his password. If this value is set to 0, the user will have to change his password at first login.
If this attribute is not set, then the password will never expire.</entry></row>
<row><entry><constant>sambaHomeDrive</constant></entry><entry>Specifies the drive letter to which to map the
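Review bot: The rewritten line `<para> The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: <link` is still missing its article (`shown in the following tables`) and keeps the stray space after `<para>`. Two unchanged lines in this hunk also carry the kind of error the pass is fixing elsewhere: `will be locked down and cannot login any longer.` should read `can no longer log in`, and `If attribute is not set, the user will be free to change his password` needs `If this attribute is not set`.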
@ -1353,21 +1349,21 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
<para>
<table frame="all" id="attribobjclPartB">
<title>Attributes in the sambaSamAccount objectclass (LDAP) &smbmdash; Part B</title>
<title>Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</title>
<tgroup cols="2" align="justify">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
<row><entry><constant>sambaUserWorkstations</constant></entry><entry>Here you can give a comma-separated list of machines
on which the user is allowed to login. You may observe problems when you try to connect to an Samba Domain Member.
Because Domain Members are not in this list, the Domain Controllers will reject them. Where this attribute is omitted,
on which the user is allowed to login. You may observe problems when you try to connect to a Samba domain member.
Because domain members are not in this list, the domain controllers will reject them. Where this attribute is omitted,
the default implies no restrictions.
</entry></row>
<row><entry><constant>sambaSID</constant></entry><entry>The security identifier(SID) of the user.
The Windows equivalent of UNIX UIDs.</entry></row>
<row><entry><constant>sambaPrimaryGroupSID</constant></entry><entry>The Security IDentifier (SID) of the primary group
<row><entry><constant>sambaPrimaryGroupSID</constant></entry><entry>The security identifier (SID) of the primary group
of the user.</entry></row>
<row><entry><constant>sambaDomainName</constant></entry><entry>Domain the user is part of.</entry></row>
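Review bot: Two context lines in this hunk still carry the errors being corrected on the neighbouring lines: `on which the user is allowed to login.` should be `log in`, and `The security identifier(SID) of the user.` is missing the space before the parenthesis (the new sambaPrimaryGroupSID line directly below it gets this right). The fragment that follows, `The Windows equivalent of UNIX UIDs.`, reads better folded into the sentence: `the Windows equivalent of a UNIX UID`.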
@ -1378,7 +1374,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
The majority of these parameters are only used when Samba is acting as a PDC of
a domain (refer to <link linkend="samba-pdc">Domain Control</link>, for details on
how to configure Samba as a Primary Domain Controller). The following four attributes
how to configure Samba as a PDC). The following four attributes
are only stored with the sambaSamAccount entry if the values are non-default values:
</para>
@ -1393,7 +1389,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
These attributes are only stored with the sambaSamAccount entry if
the values are non-default values. For example, assume MORIA has now been
configured as a PDC and that <smbconfoption name="logon home">\\%L\%u</smbconfoption> was defined in
its &smb.conf; file. When a user named <quote>becky</quote> logons to the domain,
its &smb.conf; file. When a user named <quote>becky</quote> logs on to the domain,
the <smbconfoption name="logon home"/> string is expanded to \\MORIA\becky.
If the smbHome attribute exists in the entry <quote>uid=becky,ou=People,dc=samba,dc=org</quote>,
this value is used. However, if this attribute does not exist, then the value
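Review bot: The example on the context line `If the smbHome attribute exists in the entry <quote>uid=becky,ou=People,dc=samba,dc=org</quote>,` is inconsistent with the rest of the chapter: the suffix elsewhere is `dc=quenya,dc=org`, and `smbHome` does not follow the `samba`-prefixed attribute names listed in the tables above (`sambaHomeDrive`, `sambaSID`, `sambaPrimaryGroupSID`). Both look like leftovers from an older schema and are worth aligning while this paragraph is being edited.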
@ -1408,7 +1404,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Example LDIF Entries for a sambaSamAccount</title>
<para>
The following is a working LDIF that demonstrates the use of the SambaSamAccount objectclass:
The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass:
</para>
<para>
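Review bot: `SambaSamAccount` with a capital S in the rewritten line `The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass:` does not match the `sambaSamAccount` spelling used throughout the chapter and in the schema line quoted in the hunk headers (`NAME 'sambaSamAccount'`). Since class and attribute names are shown verbatim here, keep the lowercase form.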
@ -1432,7 +1428,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
The following is an LDIF entry for using both the sambaSamAccount and
posixAccount objectclasses:
posixAccount ObjectClasses:
</para>
<para>
@ -1468,15 +1464,15 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Password Synchronization</title>
<para>
Samba-3 and later can update the non-samba (LDAP) password stored with an account. When
Samba-3 and later can update the non-Samba (LDAP) password stored with an account. When
using pam_ldap, this allows changing both UNIX and Windows passwords at once.
</para>
<para>The <smbconfoption name="ldap passwd sync"/> options can have the values shown in
<link linkend="ldappwsync">the next table</link>.</para>
<link linkend="ldappwsync">Table 10.3</link>.</para>
<table frame="all" id="ldappwsync">
<title>Possible <emphasis>ldap passwd sync</emphasis> values</title>
<title>Possible <emphasis>ldap passwd sync</emphasis> Values</title>
<tgroup cols="2">
<colspec align="left" colwidth="1*"/>
<colspec align="justify" colwidth="4*"/>
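Review bot: `<link linkend="ldappwsync">Table 10.3</link>` bakes a generated table number into the source, the same problem as `Example 10.4.1` earlier in this diff; it will be wrong after any table is added before it. The later hunk in this file that replaces `the following table` with the table's title is the better pattern and should be used here too. Also, `The <smbconfoption name="ldap passwd sync"/> options can have the values` names a single parameter, so `option`.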
@ -1485,13 +1481,13 @@ access to attrs=SambaLMPassword,SambaNTPassword
</thead>
<tbody>
<row><entry>yes</entry><entry><para>When the user changes his password, update
<constant>SambaNTPassword</constant>, <constant>SambaLMPassword</constant>
<constant>SambaNTPassword</constant>, <constant>SambaLMPassword</constant>,
and the <constant>password</constant> fields.</para></entry></row>
<row><entry>no</entry><entry><para>Only update <constant>SambaNTPassword</constant> and <constant>SambaLMPassword</constant>.</para></entry></row>
<row><entry>only</entry><entry><para>Only update the LDAP password and let the LDAP server worry about the other fields.
This option is only available on some LDAP servers. Only when the LDAP server
This option is only available on some LDAP servers and only when the LDAP server
supports LDAP_EXOP_X_MODIFY_PASSWD.</para></entry></row>
</tbody>
</tgroup>
@ -1509,10 +1505,10 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
<indexterm><primary>SAM backend</primary><secondary>mysqlsam</secondary></indexterm>
Every so often someone will come along with a great new idea. Storing user accounts in a
Every so often someone comes along with a great new idea. Storing user accounts in a
SQL backend is one of them. Those who want to do this are in the best position to know what the
specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt
to document every little detail why certain things of marginal utility to the bulk of
to document every little detail of why certain things of marginal utility to the bulk of
Samba users might make sense to the rest. In any case, the following instructions should help
the determined SQL user to implement a working system.
</para>
@ -1521,10 +1517,11 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Creating the Database</title>
<para>
You can set up your own table and specify the field names to pdb_mysql (see below
for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
contains the correct queries to create the required tables. Use the command:
You can set up your own table and specify the field names to pdb_mysql (see
<link linkend="moremysqlpdbe">MySQL field names for MySQL passdb backend</link> for
the column names) or use the default table. The file
<filename>examples/pdb/mysql/mysql.dump</filename> contains the correct queries to
create the required tables. Use the command:
<screen>
&prompt;<userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> \
<replaceable>databasename</replaceable> < <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput>
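Review bot: Missing documentation on the command kept as context here, `mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable>`: a password supplied directly after `-p` is recorded in the shell history and exposed in the process list while the import runs. `mysql` prompts for the password when `-p` is given without a value, so the example could show a bare `-p` and say so in the sentence above it.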
@ -1550,11 +1547,11 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
Additional options can be given through the &smb.conf; file in the <smbconfsection name="[global]"/> section.
Refer to <link linkend="mysqlpbe">the following table</link>.
Refer to <link linkend="mysqlpbe">Basic smb.conf Options for MySQL passdb Backend</link>.
</para>
<table frame="all" id="mysqlpbe">
<title>Basic smb.conf options for MySQL passdb backend</title>
<title>Basic smb.conf Options for MySQL passdb Backend</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
@ -1579,8 +1576,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
</warning>
<para>Names of the columns are given in <link linkend="moremysqlpdbe">the next table</link>.
The default column names can be found in the example table dump.
<para>Names of the columns are given in <link linkend="moremysqlpdbe">MySQL field names for MySQL
passdb backend</link>. The default column names can be found in the example table dump.
</para>
<para>
@ -1594,12 +1591,12 @@ access to attrs=SambaLMPassword,SambaNTPassword
<row><entry>Field</entry><entry>Type</entry><entry>Contents</entry></row>
</thead>
<tbody>
<row><entry>logon time column</entry><entry>int(9)</entry><entry>UNIX time stamp of last logon of user</entry></row>
<row><entry>logoff time column</entry><entry>int(9)</entry><entry>UNIX time stamp of last logoff of user</entry></row>
<row><entry>kickoff time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment user should be kicked off workstation (not enforced)</entry></row>
<row><entry>pass last set time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment password was last set</entry></row>
<row><entry>pass can change time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment from which password can be changed</entry></row>
<row><entry>pass must change time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment on which password must be changed</entry></row>
<row><entry>logon time column</entry><entry>int(9)</entry><entry>UNIX timestamp of last logon of user</entry></row>
<row><entry>logoff time column</entry><entry>int(9)</entry><entry>UNIX timestamp of last logoff of user</entry></row>
<row><entry>kickoff time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment user should be kicked off workstation (not enforced)</entry></row>
<row><entry>pass last set time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment password was last set</entry></row>
<row><entry>pass can change time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment from which password can be changed</entry></row>
<row><entry>pass must change time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment on which password must be changed</entry></row>
<row><entry>username column</entry><entry>varchar(255)</entry><entry>UNIX username</entry></row>
<row><entry>domain column</entry><entry>varchar(255)</entry><entry>NT domain user belongs to</entry></row>
<row><entry>nt username column</entry><entry>varchar(255)</entry><entry>NT username</entry></row>
@ -1630,15 +1627,16 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
You can put a colon (:) after the name of each column, which
should specify the column to update when updating the table. One can also specify nothing behind the colon, in which case the field data will not be updated. Setting a column name to <parameter>NULL</parameter> means the field should not be used.
should specify the column to update when updating the table. You can also specify nothing behind the colon, in which case the field data will not be updated. Setting a column name to <parameter>NULL</parameter> means the field should not be used.
</para>
<para><link linkend="mysqlsam">An example configuration</link> looks like:
<para><link linkend="mysqlsam">An example configuration</link> is shown in <link
linkend="mysqlsam">Example Configuration for the MySQL passdb Backend</link>.
</para>
<example id="mysqlsam">
<title>Example configuration for the MySQL passdb backend</title>
<smbconfblock>
<title>Example Configuration for the MySQL passdb Backend</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="passdb backend">mysql:foo</smbconfoption>
<smbconfoption name="foo:mysql user">samba</smbconfoption>
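Review bot: The rewritten sentence links the same target twice: `<link linkend="mysqlsam">An example configuration</link> is shown in <link linkend="mysqlsam">Example Configuration for the MySQL passdb Backend</link>.` One link is enough, for example `An example configuration is shown in <link linkend="mysqlsam">Example Configuration for the MySQL passdb Backend</link>.`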
@ -1653,8 +1651,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
<smbconfoption name="foo:nt pass column">nt_pass:</smbconfoption>
<smbconfcomment>The unknown 3 column is not stored</smbconfcomment>
<smbconfoption name="foo:unknown 3 column">NULL</smbconfoption>
</smbconfblock>
</example>
</smbconfblock>
</example>
</sect3>
<sect3>
@ -1662,7 +1660,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
I strongly discourage the use of plaintext passwords, however, you can use them.
I strongly discourage the use of plaintext passwords; however, you can use them.
</para>
<para>
@ -1683,7 +1681,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Getting Non-Column Data from the Table</title>
<para>
It is possible to have not all data in the database by making some `constant'.
It is possible to have not all data in the database by making some "constant."
</para>
<para>
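Review bot: Swapping the quote characters leaves the sentence as awkward as before: `It is possible to have not all data in the database by making some "constant."` Putting the period inside the quotes also reads as if `constant.` were the literal value. Suggest `Not every field has to be stored in the database; a column can instead be replaced by a constant.`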
@ -1693,7 +1691,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
Or, set `identifier:workstations column' to:
<command>NULL</command></para>
<command>NULL</command></para>.
<para>See the MySQL documentation for more language constructs.</para>
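Review bot: The period added in `<command>NULL</command></para>.` lands after the closing `</para>`, so it becomes stray character data between block elements instead of ending the sentence (and is likely to fail validation). Move it inside the paragraph: `<command>NULL</command>.</para>`.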
@ -1716,7 +1714,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
<para>
(where filename is the name of the file to put the data in)
where filename is the name of the file to put the data in.
</para>
<para>
@ -1735,7 +1733,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para><quote>I've installed Samba, but now I can't log on with my UNIX account! </quote></para>
<para>Make sure your user has been added to the current Samba <smbconfoption name="passdb backend"/>.
Read the section <link linkend="acctmgmttools">Account Management Tools</link> for details.</para>
Read the <link linkend="acctmgmttools">Account Management Tools,</link> for details.</para>
</sect2>
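Review bot: The rewritten line `Read the <link linkend="acctmgmttools">Account Management Tools,</link> for details.` is now ungrammatical: the comma sits inside the link and `the` has lost the noun (`section`) it attached to. The removed version was fine; if `section` is unwanted, use `Read <link linkend="acctmgmttools">Account Management Tools</link> for details.`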
@ -1743,8 +1741,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Users Being Added to the Wrong Backend Database</title>
<para>
A few complaints have been received from users that just moved to Samba-3. The following
&smb.conf; file entries were causing problems, new accounts were being added to the old
A few complaints have been received from users who just moved to Samba-3. The following
&smb.conf; file entries were causing problems: new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</para>
@ -1778,7 +1776,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
When explicitly setting an <smbconfoption name="auth methods"/> parameter,
<parameter>guest</parameter> must be specified as the first entry on the line,
<parameter>guest</parameter> must be specified as the first entry on the line &smbmdash;
for example, <smbconfoption name="auth methods">guest sam</smbconfoption>.
</para>
@ -12,7 +12,7 @@
This chapter summarizes the current state of knowledge derived from personal
practice and knowledge from Samba mailing list subscribers. Before reproduction
of posted information, every effort has been made to validate the information given.
Where additional information was uncovered through this validation it is provided
Where additional information was uncovered through this validation, it is provided
also.
</para>
@ -35,7 +35,7 @@ got the message: Group Policies are a good thing! They can help reduce administr
costs and actually make happier users. But adoption of the true
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
and machines were picked up on rather slowly. This was obvious from the Samba
mailing list as in 2000 and 2001 when there were few postings regarding GPOs and
mailing list back in 2000 and 2001 when there were few postings regarding GPOs and
how to replicate them in a Samba environment.
</para>
@ -49,7 +49,7 @@ network client workstations.
<para>
A tool new to Samba &smbmdash; the <command>editreg</command> tool
&smbmdash; may become an important part of the future Samba administrators'
arsenal is described in this document.
arsenal and is described in this document.
</para>
</sect1>
@ -60,7 +60,7 @@ arsenal is described in this document.
<para>
Under MS Windows platforms, particularly those following the release of MS Windows
NT4 and MS Windows 95, it is possible to create a type of file that would be placed
in the NETLOGON share of a Domain Controller. As the client logs onto the network,
in the NETLOGON share of a domain controller. As the client logs onto the network,
this file is read and the contents initiate changes to the registry of the client
machine. This file allows changes to be made to those parts of the registry that
affect users, groups of users, or machines.
@ -68,17 +68,17 @@ affect users, groups of users, or machines.
<para>
<indexterm><primary>Config.POL</primary></indexterm>
For MS Windows 9x/ME, this file must be called <filename>Config.POL</filename> and may
For MS Windows 9x/Me, this file must be called <filename>Config.POL</filename> and may
be generated using a tool called <filename>poledit.exe</filename>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but
disappeared again with the introduction of MS Windows Me. From
comments of MS Windows network administrators, it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</para>
<para>
<indexterm><primary>System Policy Editor</primary></indexterm>
MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis>
MS Windows NT4 server products include the <emphasis>System Policy Editor</emphasis>
under <guimenu>Start -> Programs -> Administrative Tools</guimenu>.
For MS Windows NT4 and later clients, this file must be called <filename>NTConfig.POL</filename>.
</para>
@ -96,7 +96,7 @@ be a step forward, but improved functionality comes at a great price.
Before embarking on the configuration of network and system policies, it is highly
advisable to read the documentation available from Microsoft's Web site regarding
<ulink url="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">
Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
|
||||
Implementing Profiles and Policies in Windows NT 4.0</ulink>.
|
||||
There are a large number of documents in addition to this old one that should also
|
||||
be read and understood. Try searching on the Microsoft Web site for <quote>Group Policies</quote>.
|
||||
</para>
|
||||
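Review bot: the ulink target http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp is a legacy .asp path; please confirm it still resolves before this revision ships, and keep the document title "Implementing Profiles and Policies in Windows NT 4.0" as the primary reference so the paragraph stays useful if the link rots.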
@ -110,10 +110,10 @@ here is incomplete &smbmdash; you are warned.
|
||||
<title>Windows 9x/ME Policies</title>
|
||||
|
||||
<para>
|
||||
You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/ME.
|
||||
It can be found on the original full product Windows 98 installation CD under
|
||||
You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me.
|
||||
It can be found on the original full-product Windows 98 installation CD-ROM under
|
||||
<filename>tools/reskit/netadmin/poledit</filename>. Install this using the
|
||||
Add/Remove Programs facility and then click on <guiicon>Have Disk</guiicon>.
|
||||
Add/Remove Programs facility, and then click on <guiicon>Have Disk</guiicon>.
|
||||
</para>
|
||||
|
||||
|
||||
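Review bot: the section title on the unchanged context line still reads "Windows 9x/ME Policies" while every body line in this hunk is normalized to "9x/Me"; change the title as well so heading and text agree.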
@ -123,7 +123,7 @@ here is incomplete &smbmdash; you are warned.
|
||||
user profiles and/or <filename>My Documents</filename>, and so on. Then save these
|
||||
settings in a file called <filename>Config.POL</filename> that needs to be placed in the
|
||||
root of the <smbconfsection name="[NETLOGON]"/> share. If Windows 98 is configured to log onto
|
||||
the Samba Domain, it will automatically read this file and update the Windows 9x/Me registry
|
||||
the Samba domain, it will automatically read this file and update the Windows 9x/Me registry
|
||||
of the machine as it logs on.
|
||||
</para>
|
||||
|
||||
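Review bot: this hunk describes clients automatically reading Config.POL from the root of NETLOGON and rewriting their registry, but says nothing about who may write that file; a policy file writable by ordinary users lets anyone push registry changes to every Windows 9x client that logs on, so add a caution that the NETLOGON share must be read-only for non-administrators. Also, `<smbconfsection name="[NETLOGON]"/>` includes the square brackets in the name, whereas the rights chapter later in this patch uses `<smbconfsection name="global"/>` without them; use one convention.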
@ -132,16 +132,16 @@ here is incomplete &smbmdash; you are warned.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If you do not take the correct steps, then every so often Windows 9x/ME will check the
|
||||
integrity of the registry and restore its settings from the back-up
|
||||
copy of the registry it stores on each Windows 9x/ME machine. So, you will
|
||||
If you do not take the correct steps, then every so often Windows 9x/Me will check the
|
||||
integrity of the registry and restore its settings from the backup
|
||||
copy of the registry it stores on each Windows 9x/Me machine. So, you will
|
||||
occasionally notice things changing back to the original settings.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Install the group policy handler for Windows 9x/Me to pick up Group Policies. Look on the
|
||||
Windows 98 CDROM in <filename>\tools\reskit\netadmin\poledit</filename>.
|
||||
Install group policies on a Windows 9x/Me client by double-clicking on
|
||||
Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the
|
||||
Windows 98 CD-ROM in <filename>\tools\reskit\netadmin\poledit</filename>.
|
||||
Install Group Policies on a Windows 9x/Me client by double-clicking on
|
||||
<filename>grouppol.inf</filename>. Log off and on again a couple of times and see
|
||||
if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every
|
||||
Windows 9x/Me machine that uses Group Policies.
|
||||
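Review bot: "If you do not take the correct steps" never says which steps are the correct ones; the following paragraph (installing grouppol.inf) is evidently the answer, so say so explicitly. The path here is written "\tools\reskit\netadmin\poledit" with backslashes, while the previous hunk writes the same location as "tools/reskit/netadmin/poledit"; use the same form in both places.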
@ -152,28 +152,28 @@ here is incomplete &smbmdash; you are warned.
|
||||
<title>Windows NT4-Style Policy Files</title>
|
||||
|
||||
<para>
|
||||
To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
|
||||
To create or edit <filename>ntconfig.pol</filename>, you must use the NT Server
|
||||
Policy Editor, <command>poledit.exe</command>, which is included with NT4 Server
|
||||
but not with NT Workstation. There is a Policy Editor on an NT4
|
||||
but not with NT workstation. There is a Policy Editor on an NT4
|
||||
Workstation but it is not suitable for creating domain policies.
|
||||
Furthermore, although the Windows 95 Policy Editor can be installed on an NT4
|
||||
Workstation/Server, it will not work with NT clients. However, the files from
|
||||
the NT Server will run happily enough on an NT4 Workstation.
|
||||
workstation/server, it will not work with NT clients. However, the files from
|
||||
the NT Server will run happily enough on an NT4 workstation.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>.
|
||||
You need <filename>poledit.exe</filename>, <filename>common.adm</filename>, and <filename>winnt.adm</filename>.
|
||||
It is convenient to put the two <filename>*.adm</filename> files in the <filename>c:\winnt\inf</filename>
|
||||
directory, which is where the binary will look for them unless told otherwise. This
|
||||
directory is normally <quote>hidden.</quote>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The Windows NT policy editor is also included with the Service Pack 3 (and
|
||||
later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
|
||||
that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The Policy Editor,
|
||||
The Windows NT Policy Editor is also included with the Service Pack 3 (and
|
||||
later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>
|
||||
&smbmdash; that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The Policy Editor,
|
||||
<command>poledit.exe</command>, and the associated template files (*.adm) should
|
||||
be extracted as well. It is also possible to downloaded the policy template
|
||||
be extracted as well. It is also possible to download the policy template
|
||||
files for Office97 and get a copy of the Policy Editor. Another possible
|
||||
location is with the Zero Administration Kit available for download from Microsoft.
|
||||
</para>
|
||||
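Review bot: the hunk lowercases "Workstation" on three lines but leaves "Workstation but it is not suitable for creating domain policies" untouched on the context line, so the paragraph now mixes both forms. "included with the Service Pack 3 (and later)" should drop "the". The closing sentences about obtaining the Policy Editor from the Office97 policy templates or the Zero Administration Kit give no location for either; either say where they are obtained or cut them.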
@ -186,7 +186,7 @@ here is incomplete &smbmdash; you are warned.
|
||||
automatically reversed as the user logs off. The settings that were in the
|
||||
<filename>NTConfig.POL</filename> file were applied to the client machine registry and apply to the
|
||||
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
|
||||
as tattooing. It can have serious consequences downstream and the administrator must
|
||||
as tattooing. It can have serious consequences downstream, and the administrator must
|
||||
be extremely careful not to lock out the ability to manage the machine at a later date.
|
||||
</para>
|
||||
|
||||
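Review bot: the context lines "The settings that were in the NTConfig.POL file were applied to the client machine registry and apply to the hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed" are ungrammatical, and the hunk only adds a comma below them. Suggest: "Settings from NTConfig.POL that apply to HKEY_LOCAL_MACHINE are written to the client registry and remain there until explicitly reversed."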
@ -197,22 +197,22 @@ here is incomplete &smbmdash; you are warned.
|
||||
|
||||
<para>
|
||||
Windows NT4 system policies allow the setting of registry parameters specific to
|
||||
users, groups and computers (client workstations) that are members of the NT4-style
|
||||
users, groups, and computers (client workstations) that are members of the NT4-style
|
||||
domain. Such policy files will work with MS Windows 200x/XP clients also.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
New to MS Windows 2000, Microsoft recently introduced a style of group policy that confers
|
||||
New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers
|
||||
a superset of capabilities compared with NT4-style policies. Obviously, the tool used
|
||||
to create them is different, and the mechanism for implementing them is much improved.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>GPOs</primary></indexterm>
|
||||
<indexterm><primary>GPOs</primary></indexterm>
|
||||
The older NT4-style registry-based policies are known as <emphasis>Administrative Templates</emphasis>
|
||||
in MS Windows 2000/XP Group Policy Objects (GPOs). The latter includes the ability to set various security
|
||||
in MS Windows 2000/XP GPOs. The latter includes the ability to set various security
|
||||
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
|
||||
users desktop (including the location of <filename>My Documents</filename> files (directory), as
|
||||
users desktop (including the location of <filename>My Documents</filename> files, as
|
||||
well as intrinsics of where menu items will appear in the Start menu). An additional new
|
||||
feature is the ability to make available particular software Windows applications to particular
|
||||
users and/or groups.
|
||||
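Review bot: "users desktop" on the rewritten line should be "user's desktop". "Microsoft recently introduced" is stale in a 2005 revision of text about Windows 2000; drop "recently". "The latter includes the ability to set various security configurations" is ambiguous after "Administrative Templates in MS Windows 2000/XP GPOs"; write "GPOs also include" so it is clear that GPOs, not the templates, carry the security settings.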
@ -220,7 +220,7 @@ here is incomplete &smbmdash; you are warned.
|
||||
|
||||
<para>
|
||||
Remember, NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
|
||||
of the NETLOGON share on the Domain Controllers. A Windows NT4 user enters a username, password
|
||||
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password
|
||||
and selects the domain name to which the logon will attempt to take place. During the logon process,
|
||||
the client machine reads the <filename>NTConfig.POL</filename> file from the NETLOGON share on
|
||||
the authenticating server and modifies the local registry values according to the settings in this file.
|
||||
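Review bot: this hunk states the policy file is named NTConfig.POL, while the NT4-style policy section earlier in the patch writes it as ntconfig.pol; Windows clients match the name case-insensitively, but the documentation should use one spelling so readers do not wonder whether two different files are meant.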
@ -230,7 +230,7 @@ here is incomplete &smbmdash; you are warned.
|
||||
Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of
|
||||
a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
|
||||
in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
|
||||
Directory Domain Controllers. The part that is stored in the Active Directory itself is called the
|
||||
Directory domain controllers. The part that is stored in the Active Directory itself is called the
|
||||
Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is
|
||||
known as the Group Policy Template (GPT).
|
||||
</para>
|
||||
@ -238,7 +238,7 @@ here is incomplete &smbmdash; you are warned.
|
||||
<para>
|
||||
With NT4 clients, the policy file is read and executed only as each user logs onto the network.
|
||||
MS Windows 200x policies are much more complex &smbmdash; GPOs are processed and applied at client machine
|
||||
startup (machine specific part) and when the user logs onto the network, the user-specific part
|
||||
startup (machine specific part), and when the user logs onto the network, the user-specific part
|
||||
is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject
|
||||
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
|
||||
the administrator to also set filters over the policy settings. No such equivalent capability
|
||||
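Review bot: the rewritten line has "machine specific part" beside "user-specific part"; hyphenate "machine-specific" so the two match.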
@ -249,9 +249,9 @@ here is incomplete &smbmdash; you are warned.
|
||||
<title>Administration of Windows 200x/XP Policies</title>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>GPOs</primary></indexterm>
|
||||
<indexterm><primary>System Policy Editor</primary></indexterm>
|
||||
Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the
|
||||
<indexterm><primary>GPOs</primary></indexterm>
|
||||
<indexterm><primary>System Policy Editor</primary></indexterm>
|
||||
Instead of using the tool called <application>the System Policy Editor</application>, commonly called Poledit (from the
|
||||
executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a
|
||||
<application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para>
|
||||
<procedure>
|
||||
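Review bot: the two indexterm lines are shown as removed and re-added with no visible difference, which suggests whitespace-only churn; if so, leave them out of the change. The article in `<application>the System Policy Editor</application>` belongs outside the element: `the <application>System Policy Editor</application>`.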
@ -281,8 +281,8 @@ here is incomplete &smbmdash; you are warned.
|
||||
templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP.
|
||||
Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x.
|
||||
The latter introduces many new features as well as extended definition capabilities. It is
|
||||
well beyond the scope of this documentation to explain how to program .adm files; for that
|
||||
the administrator is referred to the Microsoft Windows Resource Kit for your particular
|
||||
well beyond the scope of this documentation to explain how to program .adm files; for that,
|
||||
refer to the Microsoft Windows Resource Kit for your particular
|
||||
version of MS Windows.
|
||||
</para>
|
||||
|
||||
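Review bot: ".adm" is plain text here ("These files have an .adm extension", "the .adm files are not interchangeable") while an earlier hunk marks the same files up as `<filename>*.adm</filename>`; wrap these occurrences in `<filename>` too.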
@ -309,7 +309,7 @@ the policy file. Separate policy files for each user, group, or computer are not
|
||||
|
||||
<para>
|
||||
<indexterm><primary>NTConfig.POL</primary></indexterm>
|
||||
If you create a policy that will be automatically downloaded from validating Domain Controllers,
|
||||
If you create a policy that will be automatically downloaded from validating domain controllers,
|
||||
you should name the file <filename>NTConfig.POL</filename>. As system administrator, you have the option of renaming the
|
||||
policy file and, by modifying the Windows NT-based workstation, directing the computer to update
|
||||
the policy from a manual path. You can do this by either manually changing the registry or by using
|
||||
@ -319,22 +319,22 @@ but if a change is necessary to all machines, it must be made individually to ea
|
||||
|
||||
<para>
|
||||
When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on
|
||||
the authenticating domain controller for the presence of the NTConfig.POL file. If one exists it is
|
||||
downloaded, parsed and then applied to the user's part of the registry.
|
||||
the authenticating domain controller for the presence of the NTConfig.POL file. If one exists, it is
|
||||
downloaded, parsed, and then applied to the user's part of the registry.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>GPOs</primary></indexterm>
|
||||
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
|
||||
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
|
||||
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
|
||||
acquire policy settings through GPOs that are defined and stored in Active Directory
|
||||
itself. The key benefit of using AD GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
|
||||
This has considerable advantage compared with the use of <filename>NTConfig.POL</filename> (NT4) style policy updates.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In addition to user access controls that may be imposed or applied via system and/or group policies
|
||||
in a manner that works in conjunction with user profiles, the user management environment under
|
||||
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
|
||||
MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied.
|
||||
Common restrictions that are frequently used include:
|
||||
</para>
|
||||
|
||||
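Review bot: "downloaded, parsed, and then applied to the user's part of the registry" conflicts with the tattooing paragraph earlier in this patch, which says NTConfig.POL settings for HKEY_LOCAL_MACHINE are also applied and persist; say "applied to the user and machine parts of the registry" or qualify the sentence. The same paragraph then calls the effect registry "spoiling" while the earlier text calls it "tattooing"; use one term.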
@ -363,17 +363,17 @@ parameter can be set using the NT4 Domain User Manager or in the <filename>NTCon
|
||||
|
||||
<para>
|
||||
Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools.
|
||||
The following sections describe a few key tools that will help you to create a low maintenance user
|
||||
The following sections describe a few key tools that will help you to create a low-maintenance user
|
||||
environment.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Samba Editreg Tool-set</title>
|
||||
<title>Samba Editreg Toolset</title>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>editreg</primary></indexterm>
|
||||
<indexterm><primary>NTUser.DAT</primary></indexterm>
|
||||
<indexterm><primary>NTConfig.POL</primary></indexterm>
|
||||
<indexterm><primary>editreg</primary></indexterm>
|
||||
<indexterm><primary>NTUser.DAT</primary></indexterm>
|
||||
<indexterm><primary>NTConfig.POL</primary></indexterm>
|
||||
A new tool called <command>editreg</command> is under development. This tool can be used
|
||||
to edit registry files (called <filename>NTUser.DAT</filename>) that are stored in user
|
||||
and group profiles. <filename>NTConfig.POL</filename> files have the same structure as the
|
||||
@ -390,9 +390,9 @@ environment.
|
||||
<title>Windows NT4/200x</title>
|
||||
|
||||
<para>
|
||||
The tools that may be used to configure these types of controls from the MS Windows environment are:
|
||||
The tools that may be used to configure these types of controls from the MS Windows environment are
|
||||
the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe).
|
||||
Under MS Windows 200x/XP, this is done using the Microsoft Management Console (MMC) with appropriate
|
||||
Under MS Windows 200x/XP, this is done using the MMC with appropriate
|
||||
<quote>snap-ins,</quote> the registry editor, and potentially also the NT4 System and Group Policy Editor.
|
||||
</para>
|
||||
</sect2>
|
||||
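Review bot: regedt32.exe is left in plain parentheses while poledit.exe elsewhere in the patch is in `<command>`; use `<command>regedt32.exe</command>`. "the NT4 System and Group Policy Editor" is also a name that appears nowhere else in the chapter, which calls the tool the System Policy Editor; align the name.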
@ -401,8 +401,8 @@ environment.
|
||||
<title>Samba PDC</title>
|
||||
|
||||
<para>
|
||||
With a Samba Domain Controller, the new tools for managing user account and policy information include:
|
||||
<command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>.
|
||||
With a Samba domain controller, the new tools for managing user account and policy information include:
|
||||
<command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, and <command>rpcclient</command>.
|
||||
The administrator should read the man pages for these tools and become familiar with their use.
|
||||
</para>
|
||||
|
||||
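Review bot: "the new tools for managing user account and policy information" is dated; smbpasswd, pdbedit, net and rpcclient are not new at this revision, so drop "new".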
@ -419,15 +419,15 @@ reboot and as part of the user logon:
|
||||
|
||||
<orderedlist>
|
||||
<listitem><para>
|
||||
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
|
||||
Convention Provider (MUP) start.
|
||||
Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming
|
||||
convention provider (MUP) start.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
|
||||
Where Active Directory is involved, an ordered list of GPOs is downloaded
|
||||
and applied. The list may include GPOs that:
|
||||
<itemizedlist>
|
||||
<listitem><para>Apply to the location of machines in a Directory.</para></listitem>
|
||||
<listitem><para>Apply to the location of machines in a directory.</para></listitem>
|
||||
<listitem><para>Apply only when settings have changed.</para></listitem>
|
||||
<listitem><para>Depend on configuration of the scope of applicability: local,
|
||||
site, domain, organizational unit, and so on.</para></listitem>
|
||||
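Review bot: lowercasing "multiple universal naming convention provider" is wrong here because it is the expansion of the component name MUP, a proper name from which the acronym is formed; keep "Multiple Universal Naming Convention Provider (MUP)" as on the removed line.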
@ -436,7 +436,7 @@ reboot and as part of the user logon:
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Execution of start-up scripts (hidden and synchronous by default).
|
||||
Execution of startup scripts (hidden and synchronous by default).
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
@ -451,26 +451,26 @@ reboot and as part of the user logon:
|
||||
An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>Is the user a Domain Member, thus subject to particular policies?</para></listitem>
|
||||
<listitem><para>Loopback enablement, and the state of the loopback policy (Merge or Replace).</para></listitem>
|
||||
<listitem><para>Is the user a domain member, thus subject to particular policies?</para></listitem>
|
||||
<listitem><para>Loopback enablement, and the state of the loopback policy (merge or replace).</para></listitem>
|
||||
<listitem><para>Location of the Active Directory itself.</para></listitem>
|
||||
<listitem><para>Has the list of GPOs changed? No processing is needed if not changed.</para></listitem>
|
||||
</itemizedlist>
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
User Policies are applied from Active Directory. Note: There are several types.
|
||||
User policies are applied from Active Directory. Note: There are several types.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on Group
|
||||
Policy objects (hidden and executed synchronously). NT4-style logon scripts are then run in a normal
|
||||
Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs
|
||||
(hidden and executed synchronously). NT4-style logon scripts are then run in a normal
|
||||
window.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
|
||||
Domain), machine (system) policies are applied at start-up; user policies are applied at logon.
|
||||
The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
|
||||
domain), machine (system) policies are applied at startup; user policies are applied at logon.
|
||||
</para></listitem>
|
||||
</orderedlist>
|
||||
|
||||
|
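Review bot: the context line "The list contents depends on what is configured" needs "depend", and "Note: There are several types." tells the reader nothing; either name the types of user policy or drop the note. The hunk also leaves "NT4-style logon scripts are then run in a normal window" without saying what "normal" contrasts with; "in a visible window, unlike the hidden GPO scripts" would make the point.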
File diff suppressed because it is too large
@ -91,9 +91,10 @@ Ethereal User Guide.</para>
|
||||
|
||||
<figure id="ethereal1"><title>Starting a capture.</title><imagefile>ethereal1</imagefile></figure>
|
||||
|
||||
<para>Listen for data on ports 137, 138, 139, and 445. For example, use
|
||||
the filter <userinput>port 137, port 138, port 139, or port
|
||||
445</userinput> as seen in <link linkend="ethereal1">Starting a capture</link> snapshot.</para>
|
||||
<para>
|
||||
Listen for data on ports 137, 138, 139, and 445. For example, use the filter <userinput>port 137, port 138,
|
||||
port 139, or port 445</userinput> as seen in <link linkend="ethereal1">Starting a capture</link> snapshot.
|
||||
</para>
|
||||
|
||||
<para>A console version of ethereal is available as well and is called
|
||||
<command>tethereal</command>.</para>
|
||||
|
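Review bot: the capture filter `port 137, port 138, port 139, or port 445` is not valid pcap/BPF syntax; commas are not operators in capture filters, so Ethereal will reject it. The hunk reflows the paragraph but keeps the broken filter; it should read `port 137 or port 138 or port 139 or port 445`, and the filter shown in the ethereal1 screenshot should match.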
File diff suppressed because it is too large
@ -9,11 +9,11 @@
|
||||
<title>User Rights and Privileges</title>
|
||||
|
||||
<para>
|
||||
The administration of Windows user, group and machine accounts in the Samba
|
||||
domain controlled network necessitates interfacing between the MS Windows
|
||||
The administration of Windows user, group, and machine accounts in the Samba
|
||||
domain-controlled network necessitates interfacing between the MS Windows
|
||||
networking environment and the UNIX operating system environment. The right
|
||||
(permission) to add machines to the Windows security domain can be assigned
|
||||
(set) to non-administrative users both in Windows NT4 domains as well as in
|
||||
(set) to non-administrative users both in Windows NT4 domains and
|
||||
Active Directory domains.
|
||||
</para>
|
||||
|
||||
@ -25,14 +25,12 @@ user logons.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Machine accounts are analogous to user accounts, and thus in implementing them
|
||||
on a UNIX machine that is hosting Samba (i.e.: On which Samba is running) it is
|
||||
necessary to create a special type of user account. Machine accounts differ from
|
||||
a normal user account in that the account name (login ID) is terminated with a $
|
||||
sign. An additional difference is that this type of account should not ever be able
|
||||
to log into the UNIX environment as a system user and therefore is set to have a
|
||||
shell of <command>/bin/false</command> and a home directory of
|
||||
<command>/dev/null.</command>
|
||||
Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
|
||||
hosting Samba (i.e., on which Samba is running) it is necessary to create a special type of user account.
|
||||
Machine accounts differ from a normal user account in that the account name (login ID) is terminated with a
|
||||
<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to
|
||||
log into the UNIX environment as a system user and therefore is set to have a shell of
|
||||
<command>/bin/false</command> and a home directory of <command>/dev/null.</command>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -45,13 +43,13 @@ same UID. Any UNIX user who has a UID=0 is inherently the same as the
|
||||
|
||||
<para>
|
||||
All versions of Samba call system interface scripts that permit CIFS function
|
||||
calls that are used to manage users, groups and machine accounts to be affected
|
||||
calls that are used to manage users, groups, and machine accounts
|
||||
in the UNIX environment. All versions of Samba up to and including version 3.0.10
|
||||
required the use of a Windows Administrator account that unambiguously maps to
|
||||
required the use of a Windows administrator account that unambiguously maps to
|
||||
the UNIX <constant>root</constant> account to permit the execution of these
|
||||
interface scripts. The reuqirement to do this has understandably met with some
|
||||
interface scripts. The requirement to do this has understandably met with some
|
||||
disdain and consternation among Samba administrators, particularly where it became
|
||||
necessary to permit people who should not posses <constant>root</constant> level
|
||||
necessary to permit people who should not possess <constant>root</constant>-level
|
||||
access to the UNIX host system.
|
||||
</para>
|
||||
|
||||
@ -66,7 +64,7 @@ must be defined in the <smbconfsection name="global"/> section of the &smb.conf;
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Currently, the rights supported in Samba 3 are listed in <link linkend="rp-privs"/>.
|
||||
Currently, the rights supported in Samba-3 are listed in <link linkend="rp-privs"/>.
|
||||
The remainder of this chapter explains how to manage and use these privileges on Samba servers.
|
||||
</para>
|
||||
|
||||
@ -112,35 +110,35 @@ The remainder of this chapter explains how to manage and use these privileges on
|
||||
<para>
|
||||
There are two primary means of managing the rights assigned to users and groups
|
||||
on a Samba server. The <command>NT4 User Manager for Domains</command> may be
|
||||
used from any Windows NT4, 2000 or XP Professional domain member client to
|
||||
used from any Windows NT4, 2000, or XP Professional domain member client to
|
||||
connect to a Samba domain controller and view/modify the rights assignments.
|
||||
This application, however, appears to have bugs when run on a client running
|
||||
Windows 2000 or later, therefore Samba provides a command line utility for
|
||||
Windows 2000 or later; therefore, Samba provides a command-line utility for
|
||||
performing the necessary administrative actions.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The <command>net rpc rights</command> utility in Samba 3.0.11 has 3 new subcommands:
|
||||
The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands:
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry><term>list [name|accounts]</term>
|
||||
<listitem><para>
|
||||
When called with no arguments, <command>net rpc list</command>
|
||||
will simply list the available rights on the server. When passed
|
||||
simply lists the available rights on the server. When passed
|
||||
a specific user or group name, the tool lists the privileges
|
||||
currently assigned to the specified account. When invoked using
|
||||
the special string <constant>accounts</constant>,
|
||||
<command>net rpc rights list</command> will return a list of all
|
||||
<command>net rpc rights list</command> returns a list of all
|
||||
privileged accounts on the server and the assigned rights.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry><term>grant <user> <right [right ...]></term>
|
||||
<listitem><para>
|
||||
When called with no arguments, This function is used to assign
|
||||
When called with no arguments, this function is used to assign
|
||||
a list of rights to a specified user or group. For example,
|
||||
to grant the members of the Domain Admins group on a Samba DC
|
||||
to grant the members of the Domain Admins group on a Samba domain controller,
|
||||
the capability to add client machines to the domain, one would run:
|
||||
<screen>
|
||||
&rootprompt; net -S server -U domadmin rpc rights grant \
|
||||
@ -149,13 +147,13 @@ The <command>net rpc rights</command> utility in Samba 3.0.11 has 3 new subcomma
|
||||
More than one privilege can be assigned by specifying a
|
||||
list of rights separated by spaces. The parameter 'Domain\Domain Admins'
|
||||
must be quoted with single ticks or using double-quotes to prevent
|
||||
the back-slash and the space from being interpreted by the system shell.
|
||||
the backslash and the space from being interpreted by the system shell.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry><term>revoke <user> <right [right ...]></term>
|
||||
<listitem><para>
|
||||
This command is similar in format to <command>net rpc rights grant</command>. It's
|
||||
This command is similar in format to <command>net rpc rights grant</command>. Its
|
||||
effect is to remove an assigned right (or list of rights) from a user or group.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
@ -170,10 +168,10 @@ inherent to the Domain Admins group and is not configurable.
|
||||
|
||||
<para>
|
||||
By default, no privileges are initially assigned to any
|
||||
account. The reason for this is that certain actions will
|
||||
account because certain actions will
|
||||
be performed as root once smbd determines that a user has
|
||||
the necessary rights. For example, when joining a client to
|
||||
a Windows domain, the 'add machine script' must be executed
|
||||
a Windows domain, the `add machine script' must be executed
|
||||
with superuser rights in most cases. For this reason, you
|
||||
should be very careful about handing out privileges to
|
||||
accounts.
|
||||
@ -192,7 +190,7 @@ Access as the root user (UID=0) bypasses all privilege checks.
|
||||
The privileges that have been implemented in Samba-3.0.11 are shown below.
|
||||
It is possible, and likely, that additional privileges may be implemented in
|
||||
later releases of Samba. It is also likely that any privileges currently implemented
|
||||
but not used may be removed from future releases, thus it is important that
|
||||
but not used may be removed from future releases, so it is important that
|
||||
the successful as well as unsuccessful use of these facilities should be reported
|
||||
on the Samba mailing lists.
|
||||
</para>
|
||||
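Review bot: "Samba-3.0.11" here versus "Samba 3.0.11" in the net rpc rights paragraph; use one form throughout the chapter.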
@ -209,7 +207,7 @@ on the Samba mailing lists.
|
||||
|
||||
<varlistentry><term>SeDiskOperatorPrivilege</term>
|
||||
<listitem><para>
|
||||
Accounts which posses this right will be able to execute
|
||||
Accounts that possess this right will be able to execute
|
||||
scripts defined by the <command>add/delete/change</command>
|
||||
share command in &smb.conf; file as root. Such users will
|
||||
also be able to modify the ACL associated with file shares
|
||||
@ -219,8 +217,8 @@ on the Samba mailing lists.
|
||||
|
||||
<varlistentry><term>SeMachineAccountPrivilege</term>
|
||||
<listitem><para>
|
||||
Controls whether or not the user is able join client
|
||||
machines to a Samba controlled domain.
|
||||
Controls whether or not the user can join client
|
||||
machines to a Samba-controlled domain.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -229,7 +227,7 @@ on the Samba mailing lists.
|
||||
This privilege operates identically to the
|
||||
<smbconfoption name="printer admin"/>
|
||||
option in the &smb.conf; file (see section 5 man page for &smb.conf;)
|
||||
except that it is a global right (not on a per printer basis).
|
||||
except that it is a global right (not on a per-printer basis).
|
||||
Eventually the smb.conf option will be deprecated and administrative
|
||||
rights to printers will be controlled exclusively by this right and
|
||||
the security descriptor associated with the printer object in the
|
||||
@ -243,7 +241,7 @@ on the Samba mailing lists.
|
||||
the server and for aborting a previously issued shutdown
|
||||
command. Since this is an operation normally limited by
|
||||
the operating system to the root user, an account must possess this
|
||||
right to be able to execute either of these hooks to have any effect.
|
||||
right to be able to execute either of these hooks.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -257,22 +255,34 @@ on the Samba mailing lists.
|
||||
<title>The Administrator Domain SID</title>
|
||||
|
||||
<para>
|
||||
Please note that when configured as a DC, it is now required
|
||||
that an account in the server's passdb backend be set to the
|
||||
domain SID of the default Administrator account. To obtain the
|
||||
domain SID on a Samba DC, run the following command:
|
||||
|
||||
Please note that every Windows NT4 and later server requires a domain Adminsitrator account. Samba version
|
||||
commencing with 3.0.11 permit the Administrative duties to be performed via assigned rights and privileges
|
||||
(see <link linkend="rights">User Rights and Privileges</link>). An account in the server's passdb backend can
|
||||
be set to the domain SID of the default administrator account. To obtain the domain SID on a Samba domain
|
||||
controller, run the following command:
|
||||
<screen>
|
||||
&rootprompt; net getlocalsid
|
||||
SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
|
||||
</screen>
|
||||
You may assign the Domain Administrator rid to an account using the <command>pdbedit</command>
|
||||
You may assign the domain administrator RID to an account using the <command>pdbedit</command>
|
||||
command as shown here:
|
||||
<screen>
|
||||
&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
|
||||
</screen>
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
The RID 500 is the well known standard value of the default Administrator account. It is the RID
|
||||
that confers the rights and privileges that the Administrator account has on a Windows machine
|
||||
or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
Commencing with Samba version 3.0.11 it is possible to operate without an Administrator account
|
||||
providing equivalent rights and privileges have been established for a Windows user or a Windows
|
||||
group account.
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
</chapter>
|
||||
|
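Review bot: the added paragraph introduces a typo ("Adminsitrator") and a number-agreement error ("Samba version commencing with 3.0.11 permit"); suggest "Samba versions commencing with 3.0.11 permit the administrative duties". The new text also no longer says that the RID-500 mapping is required on a DC (the old wording "it is now required" was dropped in favour of "can be set"), which is consistent with the closing paragraph saying an Administrator account is optional from 3.0.11 on, so the "Please note that every Windows NT4 and later server requires a domain Administrator account" opening now contradicts the end of the section; reword one or the other. The pdbedit example binds RID 500 to the UNIX root account; the following note explains RID 500 as the UID 0 equivalent, which agrees with the earlier hunk's statement that UID 0 bypasses all privilege checks, so it would help to state explicitly that the account mapped this way operates with root privileges on the server.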
@ -13,7 +13,7 @@
<sect1>
<title>Introduction</title>
<para>
This note was attached to the Samba 2.2.8 release notes as it contained an
This note was attached to the Samba 2.2.8 release notes because it contains an
important security fix. The information contained here applies to Samba
installations in general.
</para>
@ -38,9 +38,9 @@ of knowledge with which we may unlock the secrets of the masters.
<title>Features and Benefits</title>

<para>
There are three levels at which security principals must be observed in order to render a site
There are three levels at which security principles must be observed in order to render a site
at least moderately secure. They are the perimeter firewall, the configuration of the host
server that is running Samba and Samba itself.
server that is running Samba, and Samba itself.
</para>

<para>
@ -50,17 +50,18 @@ the latest protocols to permit more secure MS Windows file and print operations.

<para>
Samba may be secured from connections that originate from outside the local network. This may be
done using <emphasis>host-based protection</emphasis> (using Samba's implementation of a technology
done using <emphasis>host-based protection</emphasis>, using Samba's implementation of a technology
known as <quote>tcpwrappers,</quote> or it may be done be using <emphasis>interface-based exclusion</emphasis>
so &smbd; will bind only to specifically permitted interfaces. It is also
possible to set specific share or resource-based exclusions, for example on the <smbconfsection name="[IPC$]"/>
auto-share. The <smbconfsection name="[IPC$]"/> share is used for browsing purposes as well as to establish
possible to set specific share or resource-based exclusions, for example, on the <smbconfsection name="[IPC$]"/>
autoshare. The <smbconfsection name="[IPC$]"/> share is used for browsing purposes as well as to establish
TCP/IP connections.
</para>

<para>
Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access
Control List (ACL) on the shares themselves. This is discussed in <link linkend="AccessControls">File, Directory and Share Access Controls</link>.
Control List (ACL) on the shares themselves. This is discussed in
<link linkend="AccessControls">File, Directory, and Share Access Controls</link>.
</para>

</sect1>
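Review bot: changing "(using Samba's implementation" to ", using Samba's implementation" removes an opening parenthesis that never had a closing one, which is correct, but the unchanged context line "or it may be done be using <emphasis>interface-based exclusion</emphasis>" still has the "done be using" typo ("done by using"), and "<quote>tcpwrappers,</quote>" puts the comma inside the quote element; fix both while this paragraph is being touched. "Security principals" to "security principles" in the earlier hunk is the right call: "principal" is an identity term in this domain and would mislead here.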
@ -69,9 +70,9 @@ Control List (ACL) on the shares themselves. This is discussed in <link linkend=
<title>Technical Discussion of Protective Measures and Issues</title>

<para>
The key challenge of security is the fact that protective measures suffice at best
The key challenge of security is that protective measures suffice at best
only to close the door on known exploits and breach techniques. Never assume that
because you have followed these few measures that the Samba server is now an impenetrable
because you have followed these few measures, the Samba server is now an impenetrable
fortress! Given the history of information systems so far, it is only a matter of time
before someone will find yet another vulnerability.
</para>
@ -81,16 +82,16 @@ before someone will find yet another vulnerability.

<para>
In many installations of Samba, the greatest threat comes from outside
your immediate network. By default, Samba will accept connections from
your immediate network. By default, Samba accepts connections from
any host, which means that if you run an insecure version of Samba on
a host that is directly connected to the Internet you can be
a host that is directly connected to the Internet, you can be
especially vulnerable.
</para>

<para>
One of the simplest fixes in this case is to use the <smbconfoption name="hosts allow"/> and
<smbconfoption name="hosts deny"/> options in the Samba &smb.conf; configuration file to only
allow access to your server from a specific range of hosts. An example might be:
<smbconfoption name="hosts deny"/> options in the Samba &smb.conf; configuration file to
allow access to your server only from a specific range of hosts. An example might be:
</para>

<para><smbconfblock>
@ -99,7 +100,7 @@ before someone will find yet another vulnerability.
</smbconfblock></para>

<para>
The above will only allow SMB connections from <constant>localhost</constant> (your own
The above will allow SMB connections only from <constant>localhost</constant> (your own
computer) and from the two private networks 192.168.2 and 192.168.3. All other
connections will be refused as soon as the client sends its first packet. The refusal
will be marked as <errorname>not listening on called name</errorname> error.
@ -120,7 +121,7 @@ before someone will find yet another vulnerability.
</smbconfblock></para>

<para>
This restricts all server access to either the user <emphasis>jacko</emphasis>
This restricts all server access either to the user <emphasis>jacko</emphasis>
or to members of the system group <emphasis>smbusers</emphasis>.
</para>

@ -131,8 +132,8 @@ before someone will find yet another vulnerability.
<title>Using Interface Protection</title>

<para>
By default, Samba will accept connections on any network interface that
it finds on your system. That means if you have a ISDN line or a PPP
By default, Samba accepts connections on any network interface that
it finds on your system. That means if you have an ISDN line or a PPP
connection to the Internet then Samba will accept connections on those
links. This may not be what you want.
</para>
@ -148,7 +149,7 @@ before someone will find yet another vulnerability.

<para>
This tells Samba to only listen for connections on interfaces with a
name starting with <constant>eth</constant> such as <constant>eth0, eth1</constant> plus on the loopback
name starting with <constant>eth</constant> such as <constant>eth0 or eth1</constant>, plus on the loopback
interface called <constant>lo</constant>. The name you will need to use depends on what
OS you are using. In the above, I used the common name for Ethernet
adapters on Linux.
@ -156,15 +157,15 @@ before someone will find yet another vulnerability.

<para>
If you use the above and someone tries to make an SMB connection to
your host over a PPP interface called <constant>ppp0,</constant> then they will get a TCP
connection refused reply. In that case, no Samba code is run at all as
your host over a PPP interface called <constant>ppp0,</constant> then he or she will get a TCP
connection refused reply. In that case, no Samba code is run at all because
the operating system has been told not to pass connections from that
interface to any Samba process.
</para>

</sect2>

<sect2>
<sect2 id="firewallports">
<title>Using a Firewall</title>

<para>
@ -188,11 +189,18 @@ before someone will find yet another vulnerability.
</simplelist>

<para>
The last one is important as many older firewall setups may not be
The last one is important because many older firewall setups may not be
aware of it, given that this port was only added to the protocol in
recent years.
</para>

<para>
When configuring a firewall, the high order ports (1024-65535) are often
used for outgoing connections and therefore should be permitted through the
firewall. It is prudent to block incoming packets on the high order ports
except for established connections.
</para>

</sect2>

<sect2>
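Review bot: the new paragraph on high-order ports can be read as advice to open inbound 1024-65535 on the firewall, which the final sentence then partly retracts. The intent, judging by "used for outgoing connections", is that these are the ephemeral source ports of connections the host initiates, so suggest "are used as the source ports of outgoing connections, so replies to those connections should be permitted through the firewall; block unsolicited incoming packets to the high-order ports, allowing only established connections." Stating the direction explicitly avoids a reader turning a stateful allow rule into a blanket inbound allow.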
@ -202,7 +210,7 @@ before someone will find yet another vulnerability.
If the above methods are not suitable, then you could also place a
more specific deny on the IPC$ share that is used in the recently
discovered security hole. This allows you to offer access to other
shares while denying access to IPC$ from potentially un-trustworthy
shares while denying access to IPC$ from potentially untrustworthy
hosts.
</para>

@ -218,18 +226,18 @@ before someone will find yet another vulnerability.

<para>
This instructs Samba that IPC$ connections are not allowed from
anywhere except from the two listed network addresses (localhost and the 192.168.115
subnet). Connections to other shares are still allowed. As the
anywhere except the two listed network addresses (localhost and the 192.168.115
subnet). Connections to other shares are still allowed. Because the
IPC$ share is the only share that is always accessible anonymously,
this provides some level of protection against attackers that do not
this provides some level of protection against attackers who do not
know a valid username/password for your host.
</para>

<para>
If you use this method, then clients will be given an <errorname>`access denied'</errorname>
reply when they try to access the IPC$ share. Those clients will not be able to
browse shares, and may also be unable to access some other resources. This is not
recommended unless you cannot use one of the other methods listed above for some reason.
browse shares and may also be unable to access some other resources. This is not
recommended unless for some reason you cannot use one of the other methods just discussed.
</para>

</sect2>
@ -249,9 +257,9 @@ before someone will find yet another vulnerability.
</para>

<para>
The value 0x00000003 means send NTLMv2 response only. Clients will use NTLMv2 authentication,
use NTLMv2 session security if the server supports it. Domain Controllers accept LM,
NTLM and NTLMv2 authentication.
The value 0x00000003 means to send NTLMv2 response only. Clients will use NTLMv2 authentication;
use NTLMv2 session security if the server supports it. Domain controllers accept LM,
NTLM, and NTLMv2 authentication.
</para>

<para>
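Review bot: replacing the comma with a semicolon in "Clients will use NTLMv2 authentication; use NTLMv2 session security if the server supports it" leaves the second clause as an imperative fragment. Both clauses describe the client's behaviour under this value, so suggest "Clients will use NTLMv2 authentication and will use NTLMv2 session security if the server supports it." The paragraph's last sentence is worth keeping exactly as written: with 0x00000003 the domain controllers still accept LM and NTLM, so this setting hardens what clients send, not what the DC accepts.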
@ -264,7 +272,7 @@ before someone will find yet another vulnerability.
<para>
The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or
NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2
session security is not negotiated.
session security is negotiated.
</para>
</sect2>
</sect1>
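Review bot: this hunk inverts the meaning of the sentence. The paragraph's first line says 0x00080000 means "permit only NTLMv2 session security", so the connection must fail when NTLMv2 session security is *not* negotiated, which is what the removed line said; the new line "the connection will fail if NTLMv2 session security is negotiated" describes the opposite behaviour and would lead an administrator to believe a hardening setting breaks hardened clients. Restore "session security is not negotiated." and drop this change.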
@ -274,9 +282,9 @@ before someone will find yet another vulnerability.

<para>
Please check regularly on <ulink noescape="1" url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
important announcements. Occasionally security releases are made and
important announcements. Occasionally security releases are made, and
it is highly recommended to upgrade Samba when a security vulnerability
is discovered. Check with your OS vendor for OS specific upgrades.
is discovered. Check with your OS vendor for OS-specific upgrades.
</para>

</sect1>
@ -285,9 +293,9 @@ is discovered. Check with your OS vendor for OS specific upgrades.
<title>Common Errors</title>

<para>
If all of Samba and host platform configuration were really as intuitive as one might like them to be, this
If all of Samba and host platform configurations were really as intuitive as one might like them to be, this
section would not be necessary. Security issues are often vexing for a support person to resolve, not
because of the complexity of the problem, but for the reason that most administrators who post what turns
because of the complexity of the problem, but because most administrators who post what turns
out to be a security problem request are totally convinced that the problem is with Samba.
</para>

@ -302,7 +310,8 @@ out to be a security problem request are totally convinced that the problem is w

<para>
The solution is either to remove the firewall (stop it) or modify the firewall script to
allow SMB networking traffic through. See section above in this chapter.
allow SMB networking traffic through. See <link linkend="firewallports">the Using a
firewall</link> section.
</para>

</sect2>
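Review bot: the new cross-reference text "the Using a firewall section" does not match the title of its target, which the earlier hunk (sect2 id="firewallports") gives as "Using a Firewall". Suggest "See <link linkend="firewallports">Using a Firewall</link>." so the link text and the section title agree. Replacing the vague "See section above in this chapter" with a linkend is otherwise an improvement.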
@ -320,7 +329,7 @@ out to be a security problem request are totally convinced that the problem is w
</para>

<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
User xyzzy can map his home directory. Once mapped, user xyzzy can also map
anyone else's home directory.
</quote></para>

@ -333,12 +342,12 @@ out to be a security problem request are totally convinced that the problem is w

<para>
If your UNIX home directories are set up so that one user can happily <command>cd</command>
into another users directory and execute <command>ls</command>, the UNIX security solution is to change file
permissions on the user's home directories such that the <command>cd</command> and <command>ls</command> are denied.
into another user's directory and execute <command>ls</command>, the UNIX security solution is to change file
permissions on the user's home directories so that the <command>cd</command> and <command>ls</command> are denied.
</para>

<para>
Samba tries very hard not to second guess the UNIX administrators security policies, and
Samba tries very hard not to second guess the UNIX administrator's security policies and
trusts the UNIX admin to set the policies and permissions he or she desires.
</para>

@ -349,11 +358,11 @@ out to be a security problem request are totally convinced that the problem is w

<para>
The <smbconfoption name="only user"></smbconfoption> works in conjunction with the <smbconfoption name="users">list</smbconfoption>,
so to get the behavior you require, add the line :
so to get the behavior you require, add the line:
<smbconfblock>
<smbconfoption name="users">%S</smbconfoption>
</smbconfblock>
this is equivalent to adding
This is equivalent to adding
<smbconfblock>
<smbconfoption name="valid users">%S</smbconfoption>
</smbconfblock>

@ -12,7 +12,7 @@
<para>
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or
use Samba will want to know the meaning, within a Samba context, of terms familiar to MS Windows
use Samba will want to know the meaning, within a Samba context, of terms familiar to an MS Windows
administrator. This means that it is essential also to define how critical security
modes function before we get into the details of how to configure the server itself.
</para>
@ -26,7 +26,7 @@ and how they relate to MS Windows servers and clients.
A question often asked is, <quote>Why would I want to use Samba?</quote> Most chapters contain a section
that highlights features and benefits. We hope that the information provided will help to
answer this question. Be warned though, we want to be fair and reasonable, so not all
features are positive towards Samba. The benefit may be on the side of our competition.
features are positive toward Samba. The benefit may be on the side of our competition.
</para>

<sect1>
@ -49,8 +49,8 @@ a source of discomfort.
<para>
Samba started out as a project that sought to provide interoperability for MS Windows 3.x
clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides
features and functionality fit for large scale deployment. It also has some warts. In sections
like this one we tell of both.
features and functionality fit for large-scale deployment. It also has some warts. In sections
like this one, we tell of both.
</para>

<para>
@ -59,7 +59,7 @@ So, what are the benefits of features mentioned in this chapter?

<itemizedlist>
<listitem><para>
Samba-3 can replace an MS Windows NT4 Domain Controller.
Samba-3 can replace an MS Windows NT4 domain controller.
</para></listitem>

<listitem><para>
@ -68,12 +68,12 @@ So, what are the benefits of features mentioned in this chapter?
</para></listitem>

<listitem><para>
Samba-3 permits full NT4-style Interdomain Trusts.
Samba-3 permits full NT4-style interdomain trusts.
</para></listitem>

<listitem><para>
Samba has security modes that permit more flexible
authentication than is possible with MS Windows NT4 Domain Controllers.
authentication than is possible with MS Windows NT4 domain controllers.
</para></listitem>

<listitem><para>
@ -103,8 +103,8 @@ different type of servers:</para>
<itemizedlist>
<listitem><para>Domain Controller</para>
<itemizedlist>
<listitem><para>Primary Domain Controller</para></listitem>
<listitem><para>Backup Domain Controller</para></listitem>
<listitem><para>Primary Domain Controller (PDC)</para></listitem>
<listitem><para>Backup Domain Controller (BDC)</para></listitem>
<listitem><para>ADS Domain Controller</para></listitem>
</itemizedlist>
</listitem>
@ -114,13 +114,15 @@ different type of servers:</para>
<listitem><para>NT4 Style Domain Domain Server</para></listitem>
</itemizedlist>
</listitem>
<listitem><para>Stand-alone Server</para></listitem>
<listitem><para>Standalone Server</para></listitem>
</itemizedlist>

<para>
The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
The chapters covering domain control (<link linkend="samba-pdc">Domain Control</link>),
backup domain control (<link linkend="samba-bdc">Backup Domain Control</link>), and
domain membership (<link linkend="domain-member">Domain Membership</link>) provide
pertinent information regarding Samba configuration for each of these server roles.
The reader is strongly encouraged to become intimately familiar with the information
You are strongly encouraged to become intimately familiar with the information
presented.
</para>

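Review bot: the unchanged context line "<listitem><para>NT4 Style Domain Domain Server</para></listitem>" has a doubled "Domain" and is the only list item in this block without the hyphenated "NT4-style" form used elsewhere in this commit; since the hunk already edits the neighbouring "Standalone Server" item, fix it here as "NT4-Style Domain Server". The three new linkends (samba-pdc, samba-bdc, domain-member) should be checked against the chapter ids they point to before merge; domain-member is also used in the later Domain Security Mode hunk, so at least that one is consistent.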
@ -140,20 +142,19 @@ reduce user complaints and administrator heartache.
</para>

<para>
In the SMB/CIFS networking world, there are only two types of security: <emphasis>User Level</emphasis>
and <emphasis>Share Level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>.
In implementing these two security levels, Samba provides flexibilities
that are not available with Microsoft Windows NT4/200x servers. In actual fact, Samba implements
<emphasis>Share Level</emphasis> security only one way, but has four ways of implementing
<emphasis>User Level</emphasis> security. Collectively, we call the Samba implementations
<emphasis>Security Modes</emphasis>. They are known as: <emphasis>SHARE</emphasis>, <emphasis>USER</emphasis>,
<emphasis>DOMAIN</emphasis>, <emphasis>ADS</emphasis>, and <emphasis>SERVER</emphasis> modes.
They are documented in this chapter.
In the SMB/CIFS networking world, there are only two types of security: <emphasis>user level</emphasis> and
<emphasis>share level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>. In
implementing these two security levels, Samba provides flexibilities that are not available with MS Windows
NT4/200x servers. In actual fact, Samba implements <emphasis>share-level</emphasis> security only one way, but
has four ways of implementing <emphasis>user-level</emphasis> security. Collectively, we call the Samba
implementations <emphasis>security modes</emphasis>. They are known as <emphasis>share</emphasis>,
<emphasis>user</emphasis>, <emphasis>domain</emphasis>, <emphasis>ADS</emphasis>, and
<emphasis>server</emphasis> modes. They are documented in this chapter.
</para>

<para>
An SMB server tells the client at startup what security level it is running. There are two options:
Share Level and User Level. Which of these two the client receives affects the way the client then
share level and user level. Which of these two the client receives affects the way the client then
tries to authenticate itself. It does not directly affect (to any great extent) the way the Samba
server does security. This may sound strange, but it fits in with the client/server approach of SMB.
In SMB everything is initiated and controlled by the client, and the server can only tell the client
@ -164,8 +165,8 @@ what is available and whether an action is allowed.
<title>User Level Security</title>

<para>
We will describe User Level Security first, as its simpler.
In User Level Security, the client will send a
We describe user-level security first because its simpler.
In user-level security, the client sends a
session setup request directly following protocol negotiation.
This request provides a username and password. The server can either accept or reject that
username/password combination. At this stage the server has no idea what
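Review bot: "because its simpler" carries the "its"/"it's" error over from the removed line; it should read "because it's simpler". Also, the title on the unchanged context line above is still "User Level Security" while the later hunk renames its sibling to "Share-Level Security" and the paragraph body here switches to "user-level"; rename this title to "User-Level Security" in the same commit so the two section titles match.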
@ -179,7 +180,7 @@ share the client will eventually try to connect to, so it can't base the
|
||||
</orderedlist>
|
||||
|
||||
<para>
|
||||
If the server accepts the username/password then the client expects to be able to
|
||||
If the server accepts the username/password, then the client expects to be able to
|
||||
mount shares (using a <emphasis>tree connection</emphasis>) without specifying a
|
||||
password. It expects that all access rights will be as the username/password
|
||||
specified in the <emphasis>session setup</emphasis>.
|
||||
@ -196,7 +197,7 @@ authentication contexts in this way (WinDD is an example of an application that
|
||||
<title>Example Configuration</title>
|
||||
|
||||
<para>
|
||||
The &smb.conf; parameter that sets user level security is:
|
||||
The &smb.conf; parameter that sets user-level security is:
|
||||
</para>
|
||||
|
||||
<para><smbconfblock>
|
||||
@ -211,33 +212,33 @@ This is the default setting since Samba-2.2.x.
|
||||
|
||||
</sect2>
|
||||
<sect2>
|
||||
<title>Share Level Security</title>
|
||||
<title>Share-Level Security</title>
|
||||
|
||||
<para>
|
||||
In Share Level security, the client authenticates
|
||||
In share-level security, the client authenticates
|
||||
itself separately for each share. It sends a password along with each
|
||||
tree connection (share mount). It does not explicitly send a
|
||||
username with this operation. The client expects a password to be associated
|
||||
with each share, independent of the user. This means that Samba has to work out what
|
||||
username the client probably wants to use. It is never explicitly sent the username.
|
||||
Some commercial SMB servers such as NT actually associate passwords directly with
|
||||
shares in Share Level security, but Samba always uses the UNIX authentication scheme
|
||||
shares in share-level security, but Samba always uses the UNIX authentication scheme
|
||||
where it is a username/password pair that is authenticated, not a share/password pair.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To understand the MS Windows networking parallels, one should think
|
||||
in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only
|
||||
To understand the MS Windows networking parallels, think
|
||||
in terms of MS Windows 9x/Me where you can create a shared folder that provides read-only
|
||||
or full access, with or without a password.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Many clients send a session setup even if the server is in Share Level security. They
|
||||
Many clients send a session setup even if the server is in share-level security. They
|
||||
normally send a valid username but no password. Samba records this username in a list
|
||||
of possible usernames. When the client then does a tree connection it also adds to this list the name
|
||||
of possible usernames. When the client then does a tree connection, it also adds to this list the name
|
||||
of the share they try to connect to (useful for home directories) and any users
|
||||
listed in the <smbconfoption name="user"/> parameter in the &smb.conf; file.
|
||||
The password is then checked in turn against these possible usernames. If a match is found
|
||||
The password is then checked in turn against these possible usernames. If a match is found,
|
||||
then the client is authenticated as that user.
|
||||
</para>
|
||||
|
||||
@ -245,7 +246,7 @@ then the client is authenticated as that user.
|
||||
<title>Example Configuration</title>
|
||||
|
||||
<para>
|
||||
The &smb.conf; parameter that sets Share Level security is:
|
||||
The &smb.conf; parameter that sets share-level security is:
|
||||
</para>
|
||||
|
||||
<para><smbconfblock>
|
||||
@ -256,14 +257,14 @@ The &smb.conf; parameter that sets Share Level security is:
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Domain Security Mode (User Level Security)</title>
|
||||
<title>Domain Security Mode (User-Level Security)</title>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>Domain Member</primary></indexterm>
|
||||
When Samba is operating in <smbconfoption name="security">domain</smbconfoption> mode,
|
||||
the Samba server has a domain security trust account (a machine account) and causes
|
||||
all authentication requests to be passed through to the Domain Controllers.
|
||||
In other words, this configuration makes the Samba server a Domain Member server.
|
||||
all authentication requests to be passed through to the domain controllers.
|
||||
In other words, this configuration makes the Samba server a domain member server.
|
||||
</para>
|
||||
|
||||
<sect3>
|
||||
@ -292,7 +293,7 @@ security domain. This is done as follows:
|
||||
|
||||
|
||||
<procedure>
|
||||
<step><para>On the MS Windows NT Domain Controller, using
|
||||
<step><para>On the MS Windows NT domain controller, using
|
||||
the Server Manager, add a machine account for the Samba server.
|
||||
</para></step>
|
||||
|
||||
@ -303,7 +304,7 @@ security domain. This is done as follows:
|
||||
</procedure>
|
||||
|
||||
<note><para>
|
||||
Samba-2.2.4 and later can auto-join a Windows NT4-style Domain just by executing:
|
||||
Samba-2.2.4 and later can autojoin a Windows NT4-style domain just by executing:
|
||||
<screen>
|
||||
&rootprompt;<userinput>smbpasswd -j <replaceable>DOMAIN_NAME</replaceable> -r <replaceable>PDC_NAME</replaceable> \
|
||||
-U Administrator%<replaceable>password</replaceable></userinput>
|
||||
@ -314,38 +315,38 @@ Samba-3 can do the same by executing:
&rootprompt;<userinput>net rpc join -U Administrator%<replaceable>password</replaceable></userinput>
</screen>
It is not necessary with Samba-3 to specify the <replaceable>DOMAIN_NAME</replaceable> or the
<replaceable>PDC_NAME</replaceable> as it figures this out from the &smb.conf; file settings.
<replaceable>PDC_NAME</replaceable>, as it figures this out from the &smb.conf; file settings.
</para></note>

<para>
Use of this mode of authentication does require there to be a standard UNIX account
Use of this mode of authentication requires there to be a standard UNIX account
for each user in order to assign a UID once the account has been authenticated by
the remote Windows DC. This account can be blocked to prevent logons by clients other than
the remote Windows domain controller. This account can be blocked to prevent logons by clients other than
MS Windows through means such as setting an invalid shell in the
<filename>/etc/passwd</filename> entry.
</para>

<para>
An alternative to assigning UIDs to Windows users on a Samba member server is
presented in <link linkend="winbind">Winbind: Use of Domain Accounts</link>.
presented in <link linkend="winbind">Winbind</link>, <link linkend="winbind">Winbind: Use of Domain Accounts</link>.
</para>

<para>
For more information regarding Domain Membership, see <link linkend="domain-member">Domain Membership</link>.
For more information regarding domain membership, <link linkend="domain-member">Domain Membership</link>.
</para>

</sect3>
</sect2>

<sect2>
<title>ADS Security Mode (User Level Security)</title>
<title>ADS Security Mode (User-Level Security)</title>

<para>
Both Samba-2.2, and Samba-3 can join an Active Directory domain. This is
possible if the domain is run in native mode. Active Directory in
native mode perfectly allows NT4-style Domain Members. This is contrary to
native mode perfectly allows NT4-style domain members. This is contrary to
popular belief. Active Directory in native mode prohibits only the use of
Backup Domain Controllers running MS Windows NT4.
BDCs running MS Windows NT4.
</para>

<para>
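Review bot: the rewritten cross-reference "For more information regarding domain membership, <link linkend="domain-member">Domain Membership</link>." has lost its verb; the removed line had "see", so it should read "..., see <link linkend="domain-member">Domain Membership</link>." In the Winbind sentence the new line links `linkend="winbind"` twice in a row ("<link linkend="winbind">Winbind</link>, <link linkend="winbind">Winbind: Use of Domain Accounts</link>"), which renders as two adjacent links to the same target; one link carrying the chapter title is enough. The unchanged "Both Samba-2.2, and Samba-3" has a stray comma that this copyedit pass could drop while it is here.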
@ -353,8 +354,8 @@ If you are using Active Directory, starting with Samba-3 you can
join as a native AD member. Why would you want to do that?
Your security policy might prohibit the use of NT-compatible
authentication protocols. All your machines are running Windows 2000
and above and all use Kerberos. In this case Samba as an NT4-style
domain would still require NT-compatible authentication data. Samba in
and above and all use Kerberos. In this case Samba, as an NT4-style
domain, would still require NT-compatible authentication data. Samba in
AD-member mode can accept Kerberos tickets.
</para>

@ -375,7 +376,7 @@ The following parameter may be required:
</smbconfblock></para>

<para>
Please refer to <link linkend="domain-member">Domain Membership</link> and <link linkend="ads-member">Samba ADS Domain Membership</link>
Please refer to <link linkend="domain-member">Domain Membership</link>, and <link linkend="ads-member">Samba ADS Domain Membership</link>
for more information regarding this configuration option.
</para>

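Review bot: "Domain Membership</link>, and <link linkend="ads-member">" inserts a comma between only two list items; the removed line without the comma was correct.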
@ -386,32 +387,32 @@ for more information regarding this configuration option.
<title>Server Security (User Level Security)</title>

<para>
Server Security Mode is left over from the time when Samba was not capable of acting
as a Domain Member server. It is highly recommended not to use this feature. Server
Server security mode is left over from the time when Samba was not capable of acting
as a domain member server. It is highly recommended not to use this feature. Server
security mode has many drawbacks that include:
</para>

<itemizedlist>
<listitem><para>Potential Account Lockout on MS Windows NT4/200x password servers.</para></listitem>
<listitem><para>Potential account lockout on MS Windows NT4/200x password servers.</para></listitem>
<listitem><para>Lack of assurance that the password server is the one specified.</para></listitem>
<listitem><para>Does not work with Winbind, which is particularly needed when storing profiles remotely.</para></listitem>
<listitem><para>This mode may open connections to the password server, and keep them open for extended periods.</para></listitem>
<listitem><para>This mode may open connections to the password server and keep them open for extended periods.</para></listitem>
<listitem><para>Security on the Samba server breaks badly when the remote password server suddenly shuts down.</para></listitem>
<listitem><para>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</para></listitem>
</itemizedlist>

<para>
In Server Security Mode the Samba server reports to the client that it is in User Level
In server security mode the Samba server reports to the client that it is in user-level
security. The client then does a session setup as described earlier.
The Samba server takes the username/password that the client sends and attempts to login to the
<smbconfoption name="password server"/> by sending exactly the same username/password that
it got from the client. If that server is in User Level Security and accepts the password,
it got from the client. If that server is in user-level security and accepts the password,
then Samba accepts the client's connection. This allows the Samba server to use another SMB
server as the <smbconfoption name="password server"/>.
</para>

<para>
You should also note that at the start of all this where the server tells the client
You should also note that at the start of all this, when the server tells the client
what security level it is in, it also tells the client if it supports encryption. If it
does, it supplies the client with a random cryptkey. The client will then send all
passwords in encrypted form. Samba supports this type of encryption by default.
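Review bot: the context line "<title>Server Security (User Level Security)</title>" is left untouched while the sibling ADS section title in the previous hunk was changed to "User-Level Security", so the two titles now hyphenate differently; change this one to match. In the same hunk, the untouched "attempts to login to the" uses the noun "login" as a verb and should be "attempts to log in to the"; since the surrounding lines are being edited, it could be fixed here.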
@ -420,19 +421,19 @@ passwords in encrypted form. Samba supports this type of encryption by default.
<para>
The parameter <smbconfoption name="security">server</smbconfoption> means that Samba reports to clients that
it is running in <emphasis>user mode</emphasis> but actually passes off all authentication
requests to another <emphasis>user mode</emphasis> server. This requires an additional
requests to another user mode server. This requires an additional
parameter <smbconfoption name="password server"/> that points to the real authentication server.
The real authentication server can be another Samba server, or it can be a Windows NT server,
the latter being natively capable of encrypted password support.
</para>

<note><para>
When Samba is running in <emphasis>Server Security Mode</emphasis> it is essential that
When Samba is running in <emphasis>server security mode</emphasis>, it is essential that
the parameter <emphasis>password server</emphasis> is set to the precise NetBIOS machine
name of the target authentication server. Samba cannot determine this from NetBIOS name
lookups because the choice of the target authentication server is arbitrary and cannot
be determined from a domain name. In essence, a Samba server that is in
<emphasis>Server Security Mode</emphasis> is operating in what used to be known as
<emphasis>server security mode</emphasis> is operating in what used to be known as
workgroup mode.
</para></note>

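Review bot: in the note, "<emphasis>password server</emphasis>" names an smb.conf parameter with plain emphasis, whereas the paragraph just above marks the same parameter as "<smbconfoption name="password server"/>"; use the smbconfoption element here too so the parameter is indexed and linked consistently, especially since this note carries the security-relevant requirement that the precise NetBIOS name be set.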
@ -460,11 +461,11 @@ process, the other uses just an error code.
</para>

<para>
The downside of this mode of configuration is the fact that for security reasons Samba
will send the password server a bogus username and a bogus password and if the remote
server fails to reject the username and password pair then an alternative mode of
identification of validation is used. Where a site uses password lock out after a
certain number of failed authentication attempts this will result in user lockouts.
The downside of this mode of configuration is that for security reasons Samba
will send the password server a bogus username and a bogus password, and if the remote
server fails to reject the username and password pair, then an alternative mode of
identification or validation is used. Where a site uses password lockout, after a
certain number of failed authentication attempts, this will result in user lockouts.
</para>

<para>
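Review bot: the new commas in "Where a site uses password lockout, after a certain number of failed authentication attempts, this will result in user lockouts." detach the condition from the policy it describes; the lockout policy is what triggers after N failures, so "Where a site locks out accounts after a certain number of failed authentication attempts, this will result in user lockouts." reads correctly. Also, "an alternative mode of identification or validation is used" still does not say which mode; a pointer back to where that mode is described would help the reader.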
@ -484,7 +485,7 @@ This account can be blocked to prevent logons by non-SMB/CIFS clients.
MS Windows clients may use encrypted passwords as part of a challenge/response
authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple
password-based authentication. It should be realized that with the SMB protocol,
the password is passed over the network either in plain-text or encrypted, but
the password is passed over the network either in plaintext or encrypted, but
not both in the same authentication request.
</para>

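Review bot: this line changes "plain-text" to "plaintext" while the same paragraph still says "clear-text strings" two lines above, and later hunks keep "clear-text authentication"; pick one term for the unencrypted-password case and apply it throughout the chapter.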
@ -498,19 +499,18 @@ is encrypted in two ways:
string. This is known as the NT hash.
</para></listitem>

<listitem><para>The password is converted to upper case,
<listitem><para>The password is converted to uppercase,
and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56-bit DES keys to encrypt a <quote>magic</quote> 8-byte value.
form two 56-bit DES keys to encrypt a "magic" 8-byte value.
The resulting 16 bytes form the LanMan hash.
</para></listitem>
</itemizedlist>

<para>
MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0
pre-service pack 3 will use either mode of password authentication. All
versions of MS Windows that follow these versions no longer support plain
text passwords by default.
versions of MS Windows that follow these versions no longer support plain-text passwords by default.
</para>

<para>
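Review bot: replacing "<quote>magic</quote>" with a literal "magic" in ASCII quotes drops the DocBook quote element these files use elsewhere (for example "<quote>guest</quote>" in the standalone-server chapter), so the rendered quotation marks will differ; keep <quote>. The LanMan description in this hunk also does not add up as written: the string is padded or truncated to 14 bytes, then "appended with 5 bytes of NULL characters", yet is split into two 56-bit (7-byte) DES keys, which accounts for 14 bytes, not 19; the 5-byte sentence should be checked. Finally, the reflowed last line says "plain-text passwords" although the previous hunk just adopted "plaintext".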
@ -522,16 +522,16 @@ a cached copy of the password.

<para>
When Microsoft changed the default password mode, support was dropped for caching
of the plain-text password. This means that when the registry parameter is changed
to re-enable use of plain-text passwords it appears to work, but when a dropped
of the plaintext password. This means that when the registry parameter is changed
to re-enable use of plaintext passwords, it appears to work, but when a dropped
service connection mapping attempts to revalidate, this will fail if the remote
authentication server does not support encrypted passwords. It is definitely not
a good idea to re-enable plain-text password support in such clients.
a good idea to re-enable plaintext password support in such clients.
</para>

<para>
The following parameters can be used to work around the issue of Windows 9x/Me clients
upper-casing usernames and passwords before transmitting them to the SMB server
uppercasing usernames and passwords before transmitting them to the SMB server
when using clear-text authentication:
</para>

@ -541,9 +541,9 @@ when using clear-text authentication:
</smbconfblock></para>

<para>
By default Samba will convert to lower case the username before attempting to lookup the user
By default Samba will convert to lowercase the username before attempting to lookup the user
in the database of local system accounts. Because UNIX usernames conventionally
only contain lower-case characters, the <smbconfoption name="username level"/> parameter
only contain lowercase characters, the <smbconfoption name="username-level"/> parameter
is rarely needed.
</para>

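Review bot: "<smbconfoption name="username-level"/>" breaks the parameter reference: the smb.conf parameter is "username level" with a space, as the removed line had, and the smbconfoption name attribute is what the build uses to render and link the parameter, so the hyphenated form points at a parameter that does not exist. Revert to name="username level"; the next hunk's "<smbconfoption name="password level"/>" shows the correct form.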
@ -551,17 +551,16 @@ is rarely needed.
However, passwords on UNIX systems often make use of mixed-case characters.
This means that in order for a user on a Windows 9x/Me client to connect to a Samba
server using clear-text authentication, the <smbconfoption name="password level"/>
must be set to the maximum number of upper case letters that <emphasis>could</emphasis>
appear in a password. Note that if the server OS uses the traditional DES version
of crypt(), a <smbconfoption name="password level"/> of 8 will result in case
insensitive passwords as seen from Windows users. This will also result in longer
login times as Samba has to compute the permutations of the password string and
must be set to the maximum number of uppercase letters that <emphasis>could</emphasis>
appear in a password. Note that if the Server OS uses the traditional DES version
of crypt(), a <smbconfoption name="password level"/> of 8 will result in case-insensitive passwords as seen from Windows users. This will also result in longer
login times because Samba has to compute the permutations of the password string and
try them one by one until a match is located (or all combinations fail).
</para>

<para>
The best option to adopt is to enable support for encrypted passwords wherever
Samba is used. Most attempts to apply the registry change to re-enable plain-text
Samba is used. Most attempts to apply the registry change to re-enable plaintext
passwords will eventually lead to user complaints and unhappiness.
</para>

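Review bot: "if the Server OS uses" capitalizes "Server" for no reason and runs against the lowercasing done everywhere else in this commit; keep "server OS". The merged line "of crypt(), a <smbconfoption name="password level"/> of 8 will result in case-insensitive passwords as seen from Windows users. This will also result in longer" is far longer than the surrounding wrapped lines and should be rewrapped. While this paragraph is being edited it is worth stating plainly that a password level of 8 making passwords effectively case-insensitive shrinks the set of distinct passwords, a security cost on top of the login-time cost the text already describes.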
@ -572,15 +571,15 @@ passwords will eventually lead to user complaints and unhappiness.

<para>
We all make mistakes. It is okay to make mistakes, as long as they are made in the right places
and at the right time. A mistake that causes lost productivity is seldom tolerated, however a mistake
and at the right time. A mistake that causes lost productivity is seldom tolerated; however, a mistake
made in a developmental test lab is expected.
</para>

<para>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting
a Samba implementation. Some are the result of a misunderstanding of the English language. The
English language, which has many phrases that are potentially vague and may be highly confusing
a Samba implementation. Some are the result of a misunderstanding of the English language,
which has many phrases that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</para>

@ -588,7 +587,7 @@ to those for whom English is not their native tongue.
<title>What Makes Samba a Server?</title>

<para>
To some the nature of the Samba <emphasis>security</emphasis> mode is obvious, but entirely
To some the nature of the Samba security mode is obvious, but entirely
wrong all the same. It is assumed that <smbconfoption name="security">server</smbconfoption> means that Samba
will act as a server. Not so! This setting means that Samba will <emphasis>try</emphasis>
to use another SMB server as its source for user authentication alone.
@ -601,7 +600,7 @@ to use another SMB server as its source for user authentication alone.

<para>
The &smb.conf; parameter <smbconfoption name="security">domain</smbconfoption> does not really make Samba behave
as a Domain Controller. This setting means we want Samba to be a Domain Member. See <link linkend="samba-pdc">Samba as a PDC</link> for more information.
as a domain controller. This setting means we want Samba to be a domain member. See <link linkend="samba-pdc">Samba as a PDC</link> for more information.
</para>

</sect2>
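Review bot: the paragraph says security = domain makes Samba a domain member, yet the cross-reference it keeps is "<link linkend="samba-pdc">Samba as a PDC</link>"; the chapter that matches the statement is the one the next hunk links, "<link linkend="domain-member">Domain Membership</link>". Point this link at domain-member, or link both if the PDC reference is intentional.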
@ -611,8 +610,8 @@ as a Domain Controller. This setting means we want Samba to be a Domain Member.

<para>
Guess! So many others do. But whatever you do, do not think that <smbconfoption name="security">user</smbconfoption>
makes Samba act as a Domain Member. Read the manufacturer's manual before the warranty expires. See
<link linkend="domain-member">Domain Membership</link> for more information.
makes Samba act as a domain member. Read the manufacturer's manual before the warranty expires. See
<link linkend="domain-member">Domain Membership</link>, for more information.
</para>

</sect2>

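Review bot: "See <link linkend="domain-member">Domain Membership</link>, for more information." adds a comma that separates the object from its purpose phrase; the removed line without the comma was correct.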
@ -4,12 +4,12 @@
<chapterinfo>
&author.jht;
</chapterinfo>
<title>Stand-alone Servers</title>
<title>Standalone Servers</title>

<para>
Stand-alone Servers are independent of Domain Controllers on the network.
They are not Domain Members and function more like workgroup servers. In many
cases a Stand-alone Server is configured with a minimum of security control
Standalone servers are independent of domain controllers on the network.
They are not domain members and function more like workgroup servers. In many
cases a standalone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>

@ -17,25 +17,25 @@ with the intent that all data served will be readily accessible to all users.
<title>Features and Benefits</title>

<para>
Stand-alone Servers can be as secure or as insecure as needs dictate. They can
Standalone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
Domain Security they remain a common installation.
domain security, they remain a common installation.
</para>

<para>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example: A drafting office needs to store old drawings and reference
standards. No-one can write files to the server as it is legislatively
important that all documents remain unaltered. A share mode read-only Stand-alone
Server is an ideal solution.
For example, a drafting office needs to store old drawings and reference
standards. Noone can write files to the server because it is legislatively
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
</para>

<para>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to effect any access controls and no files will
be served from the print server. Again, a share mode Stand-alone Server makes
to the printers, there is no need to effect any access controls, and no files will
be served from the print server. Again, a share-mode standalone server makes
a great solution.
</para>
</sect1>
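Review bot: "Noone can write files to the server" introduces a misspelling; the removed line's "No-one" should become "No one", not a single word.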
@ -44,34 +44,34 @@ a great solution.
<title>Background</title>

<para>
The term <emphasis>Stand-alone Server</emphasis> means that it
The term <emphasis>standalone server</emphasis> means that it
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
local user database. In more technical terms, it means resources
on the machine will be made available in either SHARE mode or in
USER mode.
on the machine will be made available in either <emphasis>share</emphasis> mode or in
<emphasis>user</emphasis> mode.
</para>

<para>
No special action is needed other than to create user accounts. Stand-alone
No special action is needed other than to create user accounts. Standalone
servers do not provide network logon services. This means that machines that
use this server do not perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so the logon name they use will
be translated (mapped) locally on the Stand-alone Server to a locally known
necessary to accommodate any network user so the logon name he or she uses will
be translated (mapped) locally on the standalone server to a locally known
user name. There are several ways this can be done.
</para>

<para>
Samba tends to blur the distinction a little in respect of what is
a Stand-alone Server. This is because the authentication database may be
Samba tends to blur the distinction a little in defining
a standalone server. This is because the authentication database may be
local or on a remote server, even if from the SMB protocol perspective
the Samba server is not a member of a domain security context.
</para>

<para>
Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH),
which maintains the UNIX-user database) the source of authentication may reside on
Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH,
which maintains the UNIX-user database), the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the Samba server may use the local UNIX/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
@ -85,8 +85,7 @@ for authentication.
<title>Example Configuration</title>

<para>
The examples, <link linkend="simplynice">Reference Documentation Server</link>, and
<link linkend="SimplePrintServer">Central Print Serving</link>,
Examples 7.3.1 and 7.3.2
are designed to inspire simplicity. It is too easy to attempt a high level of creativity
and to introduce too much complexity in server and network design.
</para>
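Review bot: replacing the two cross-references "<link linkend="simplynice">Reference Documentation Server</link>" and "<link linkend="SimplePrintServer">Central Print Serving</link>" with the literal text "Examples 7.3.1 and 7.3.2" hardcodes generated example numbers into the source, so any later renumbering silently makes the sentence wrong, and the reader loses the links. Keep the link (or xref) elements and let the stylesheet supply the numbers.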
@ -96,7 +95,7 @@ and to introduce too much complexity in server and network design.

<para>
Configuration of a read-only data server that everyone can access is very simple.
<link linkend="simplynice">Following example</link> is the &smb.conf; file that will do this. Assume that all the reference documents
<link linkend="simplynice">The following example (7.3.1)</link> is the &smb.conf; file that will do this. Assume that all the reference documents
are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename>
UNIX system database. This is a simple system to administer.
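Review bot: the same hardcoded-number problem as the previous hunk: "<link linkend="simplynice">The following example (7.3.1)</link>" embeds the generated example number in the link text; "The following example" with the linkend alone is enough.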
@ -120,10 +119,10 @@ UNIX system database. This is a simple system to administer.
</example>

<para>
In <link linkend="simplynice">the example</link> above, the machine name is set to &example.server.samba;, the workgroup is set to the name
In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the workgroup is set to the name
of the local workgroup (&example.workgroup;) so the machine will appear together with systems with
which users are familiar. The only password backend required is the <quote>guest</quote> backend to allow default
unprivileged account names to be used. As there is a WINS server on this network, we of obviously make use of it.
unprivileged account names to be used. As there is a WINS server on this network, we of course make use of it.
</para>

</sect2>
@ -137,14 +136,14 @@ on your system.
</para>

<orderedlist>
<title> Assumptions:</title>
<title> Assumptions</title>
<listitem><para>
The print server must require no administration.
</para></listitem>

<listitem><para>
The print spooling and processing system on our print server will be CUPS.
(Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link> for more information).
(Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, for more information).
</para></listitem>

<listitem><para>
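Review bot: "<title> Assumptions</title>" still carries the stray leading space from the removed line; drop it while the title is being touched. "CUPS Printing Support</link>, for more information" adds a comma that does not belong before "for".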
@ -153,7 +152,7 @@ on your system.
</para></listitem>

<listitem><para>
All workstations will use only postscript drivers. The printer driver
All workstations will use only PostScript drivers. The printer driver
of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
</para></listitem>
</orderedlist>
@ -162,7 +161,7 @@ on your system.
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
the anonymous (guest) user, two things will be required to enable anonymous printing.
</para>

<itemizedlist>
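Review bot: "two things will be required to enable anonymous printing." now ends in a period, but the sentence introduces the <itemizedlist> that immediately follows, which the removed line's colon signalled; end it with a colon.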
@ -192,7 +191,7 @@ the anonymous (guest) user, two things will be required:
</itemizedlist>

<para>
The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">the next example</link>.
The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">Example 7.3.2</link>.
</para>

<example id="AnonPtrSvr">
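Review bot: "<link linkend="AnonPtrSvr">Example 7.3.2</link>" hardcodes the example number in the link text, as in the earlier hunks; "the next example" with the linkend was already correct. The untouched "The contents ... is shown" should also be "are shown".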
@ -226,8 +225,8 @@ On CUPS-enabled systems there is a facility to pass raw data directly to the pri
intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
files. Refer to <link linkend="cups-raw">Explicitly Enable <quote>raw</quote> Printing for
<emphasis>application/octet-stream</emphasis></link>.
files. Refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing for
application/octet-stream</link>.
</para></note>

</sect2>

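Review bot: the rewritten link text drops the "<quote>" around raw and the "<emphasis>" around application/octet-stream that the removed lines had; the MIME type in particular reads better marked up, and the link text should match the target section's title. The two link elements back to back ("CUPS Printing Support</link>, <link linkend="cups-raw">") follow the same adjacent-link pattern flagged in the Winbind hunk; one link to the section suffices.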
@ -9,46 +9,46 @@
<pubdate>May 9, 2005</pubdate>
</chapterinfo>

<title>Remote and Local Management &smbmdash; The Net Command</title>
<title>Remote and Local Management: The Net Command</title>

<para>
The <command>net</command> command is one of the new features of Samba-3 and is an attempt to provide a useful
tool into which the majority of remote management operations necessary for common tasks. The
<command>net</command> tool is flexible by design and is intended for command line use as well as for scripted
tool for the majority of remote management operations necessary for common tasks. The
<command>net</command> tool is flexible by design and is intended for command-line use as well as for scripted
control application.
</para>

<para>
Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
<command>net</command> command has morphed into a very powerful instrument that has become an essential part
of the Samba network administrator's toolbox. The Samba Team have introduced tools, such as
<command>smbgroupedit, rpcclient</command> from which really useful have been integrated into the
<command>net</command>. The <command>smbgroupedit</command> command was absorbed entirely into the
<command>net</command>, while only some features of the <command>rpcclient</command> command have been
ported to it. Anyone who finds older references to these utilities and to the functionality they provided
should look at the <command>net</command> command before searching elsewhere.
of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as
<command>smbgroupedit</command> and <command>rpcclient</command>, from which really useful capabilities have
been integrated into the <command>net</command>. The <command>smbgroupedit</command> command was absorbed
entirely into the <command>net</command>, while only some features of the <command>rpcclient</command> command
have been ported to it. Anyone who finds older references to these utilities and to the functionality they
provided should look at the <command>net</command> command before searching elsewhere.
</para>

<para>
A Samba-3 administrator can not afford to gloss over this chapter because to do so will almost certainly cause
the infliction of self induced pain, agony and desperation. Be warned, this is an important chapter.
A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause
the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.
</para>

<sect1>
<title>Overview</title>

<para>
The tasks that follow the installation of a Samba-3 server, whether Stand-Alone, Domain Member, of a
Domain Controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a Stand-Alone server as well as for a PDC.
In the case of a BDC or a Domain Member server (DMS) Domain user and group accounts are obtained from
The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a
domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a standalone server and a PDC.
In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from
the central domain authentication backend.
</para>

<para>
Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
networking domain global group accounts. Do you ask, why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID/GID controls. This means that local
networking domain global group accounts. Do you ask why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID and GID controls. This means that local
groups must be mapped to domain global groups so that domain users who are members of the domain
global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
Samba. Such mappings are implemented using the <command>net</command> command.
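Review bot: "whether standalone or domain member, of a domain controller (PDC or BDC) begins" keeps two errors from the removed lines: "of a" should be "or a", and "begins" does not agree with its subject "The tasks" (should be "begin"). "a Domain Member server (DMS)" also retains capitals while the same hunk lowercases "domain member" everywhere else. "integrated into the <command>net</command>" and "absorbed entirely into the <command>net</command>" read oddly with the article before a bare command name; either drop "the" or write "the <command>net</command> command" as the rest of the paragraph does.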
@ -61,32 +61,32 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
</para>

<para>
The establishment of inter-domain trusts is achieved using the <command>net</command> command also, as
may a plethora of typical administrative duties such as: user management, group management, share and
The establishment of interdomain trusts is achieved using the <command>net</command> command also, as
may a plethora of typical administrative duties such as user management, group management, share and
printer management, file and printer migration, security identifier management, and so on.
</para>

<para>
The over-all picture should be clear now, the <command>net</command> command plays a central role
The overall picture should be clear now: the <command>net</command> command plays a central role
on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
evidence of its importance, one that has grown in complexity to the point that it is no longer considered
prudent to cover its use fully in the on-line UNIX man pages.
prudent to cover its use fully in the online UNIX man pages.
</para>

</sect1>

<sect1>
<title>Administrative Tasks And Methods</title>
<title>Administrative Tasks and Methods</title>

<para>
The basic operations of the <command>net</command> command are documented here. This documentation is not
exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to
a Samba server the emphasis is on the use of the DCE RPC mode of operation. When used against a server
that is a member of an Active Directory domain it is preferable (and often necessary) to use ADS mode
operations. The <command>net</command> command supports both, but not for every operation. For most
operations, if the mode is not specified <command>net</command> will automatically fall back via
the <constant>ads, rpc, rap</constant> modes. Please refer to the man page for a more comprehensive
overview of the capabilities of this utility.
exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba
server, the emphasis is on the use of the DCE RPC mode of operation. When used against a server that is a
|
||||
member of an Active Directory domain, it is preferable (and often necessary) to use ADS mode operations. The
|
||||
<command>net</command> command supports both, but not for every operation. For most operations, if the mode is
|
||||
not specified, <command>net</command> will automatically fall back via the <constant>ads</constant>,
|
||||
<constant>rpc</constant>, and <constant>rap</constant> modes. Please refer to the man page for a more
|
||||
comprehensive overview of the capabilities of this utility.
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
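Review bot: The rewritten fallback sentence, `not specified, <command>net</command> will automatically fall back via the <constant>ads</constant>,` / `<constant>rpc</constant>, and <constant>rap</constant> modes.`, would be clearer if it said why that order matters. The Group Management section of this same chapter states that RAP is the protocol used by IBM OS/2 and several earlier SMB servers, so landing in the rap fallback against a current server means the ads and rpc attempts failed rather than being a normal path. Consider one sentence to that effect, or a cross-reference to the section that describes RAP.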
@ -95,15 +95,15 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
|
||||
<title>UNIX and Windows Group Management</title>
|
||||
|
||||
<para>
|
||||
In repetition of what has been said, the focus in most of this chapter is on use of the <command>net
|
||||
As stated, the focus in most of this chapter is on use of the <command>net
|
||||
rpc</command> family of operations that are supported by Samba. Most of them are supported by the
|
||||
<command>net ads</command> mode when used in connection with MS Active Directory. The <command>net
|
||||
<command>net ads</command> mode when used in connection with Active Directory. The <command>net
|
||||
rap</command> operating mode is also supported for some of these operations. RAP protocols are used
|
||||
by IBM OS/2 and by several earlier SMB servers.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Sambas' <command>net</command> tool implements sufficient capability to permit all common administrative
|
||||
Samba's <command>net</command> tool implements sufficient capability to permit all common administrative
|
||||
tasks to be completed from the command line. In this section each of the essential user and group management
|
||||
facilities are explored.
|
||||
</para>
|
||||
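Review bot: Agreement error in the unchanged context lines `tasks to be completed from the command line. In this section each of the essential user and group management` / `facilities are explored.`: the subject is "each", so it should read "each of the essential user and group management facilities is explored". Since this commit is a copyediting pass over the chapter, it is worth picking up in the same change.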
@ -126,7 +126,7 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
|
||||
<title>Adding or Creating a New Group</title>
|
||||
|
||||
<para>
|
||||
Before attempting to add a Windows group account the currently available groups can be listed as shown
|
||||
Before attempting to add a Windows group account, the currently available groups can be listed as shown
|
||||
here:
|
||||
<screen>
|
||||
&rootprompt; net rpc group list -Uroot%not24get
|
||||
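Review bot: The example `&rootprompt; net rpc group list -Uroot%not24get` (and the same `-Uroot%not24get` form used throughout the chapter) places the root password on the command line, where it lands in the shell history and is visible to other local users through the process list. As this change is a copyediting pass, consider adding a sentence at the first occurrence noting that the `user%password` form is used for brevity in the examples and that omitting the password portion (`-Uroot`) makes `net` prompt for it interactively, which is the form to use on shared systems.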
@ -145,7 +145,7 @@ command:
|
||||
<screen>
|
||||
&rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get
|
||||
</screen>
|
||||
The addition will result in immediate availability of the new group account as validated by executing the
|
||||
The addition will result in immediate availability of the new group account as validated by executing
|
||||
this command:
|
||||
<screen>
|
||||
&rootprompt; net rpc group list -Uroot%not24get
|
||||
@ -209,14 +209,14 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
|
||||
|
||||
<para>
|
||||
All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
|
||||
hosting a Samba server, is implemented using a UID/GID identity tuple. Samba does not in any way over-ride
|
||||
hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
|
||||
or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
|
||||
access the file system must provide a mechanism that maps a Windows user to a particular UNIX/Linux group
|
||||
access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group
|
||||
account. The user account must also map to a locally known UID.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant> and
|
||||
Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant>, and
|
||||
<constant>Domain Guests</constant> global groups. Additional groups may be added as shown in the
|
||||
examples just given. There are times when it is necessary to map an existing UNIX group account
|
||||
to a Windows group. This operation, in effect, creates a Windows group account as a consequence
|
||||
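Review bot: Markup inconsistency in `Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant>, and` / `<constant>Domain Guests</constant> global groups.`: two group names share one `<constant>` element while the third has its own. The next hunk in this commit splits `add`, `modify`, and `delete` into separate `<constant>` elements; suggest the same here, `<constant>Domain Admins</constant>, <constant>Domain Users</constant>, and <constant>Domain Guests</constant>`, so each well-known group renders as a distinct identifier.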
@ -224,7 +224,7 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The operations that are permitted includes: <constant>add, modify, delete</constant>. An example
|
||||
The operations that are permitted include: <constant>add</constant>, <constant>modify</constant>, and <constant>delete</constant>. An example
|
||||
of each operation is shown here.
|
||||
</para>
|
||||
|
||||
@ -246,8 +246,8 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Two types of Windows groups can be created: <constant>domain (global),</constant> and <constant>local</constant>.
|
||||
In the above examples the Windows groups created were of type <constant>domain</constant>, or global. The
|
||||
Two types of Windows groups can be created: <constant>domain (global)</constant> and <constant>local</constant>.
|
||||
In the previous examples the Windows groups created were of type <constant>domain</constant> or global. The
|
||||
following command will create a Windows group of type <constant>local</constant>.
|
||||
<screen>
|
||||
&rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l
|
||||
@ -277,13 +277,13 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
|
||||
<title>Rename Group Accounts</title>
|
||||
|
||||
<note><para>
|
||||
This command is not documented in the man pages, it is implemented in the source code, but it does not
|
||||
This command is not documented in the man pages; it is implemented in the source code, but it does not
|
||||
work. The example given documents (from the source code) how it should work. Watch the release notes
|
||||
of a future release to see when this may have been be fixed.
|
||||
of a future release to see when this may have been fixed.
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers
|
||||
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
|
||||
demands can be if this simple request is ignored. The following command demonstrates how the Windows group
|
||||
<quote>SupportEngrs</quote> can be renamed to <quote>CustomerSupport</quote>:
|
||||
<screen>
|
||||
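Review bot: The note `This command is not documented in the man pages; it is implemented in the source code, but it does not` / `work.` together with `of a future release to see when this may have been fixed.` documents a known-broken operation without telling the reader how to track it. Suggest either naming the Samba version in which the rename was observed not to work or citing the bug report that tracks it (neither appears in this patch, so the reference would need to be supplied), so that the advice to watch the release notes is actionable.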
@ -300,13 +300,13 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
|
||||
<title>Manipulating Group Memberships</title>
|
||||
|
||||
<para>
|
||||
Three operations can be performed in respect of group membership. It is possible to (1) add Windows users
|
||||
to Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
|
||||
Three operations can be performed regarding group membership. It is possible to (1) add Windows users
|
||||
to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
|
||||
members of a Windows group.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
So as to avoid confusion, it makes sense to check group membership before attempting to make and changes.
|
||||
To avoid confusion, it makes sense to check group membership before attempting to make any changes.
|
||||
The <command>getent group</command> will list UNIX/Linux group membership. UNIX/Linux group members are
|
||||
seen also as members of a Windows group that has been mapped using the <command>net groupmap</command>
|
||||
command (see <link linkend="groupmapping"/>). The following list of UNIX/Linux group membership shows
|
||||
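Review bot: Missing noun in the unchanged context line `The <command>getent group</command> will list UNIX/Linux group membership. UNIX/Linux group members are`: it should read "The <command>getent group</command> command will list ...", matching how the mapping tool is introduced two lines later (`using the <command>net groupmap</command>` / `command`).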
@ -338,7 +338,7 @@ Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Given that the user <constant>ajt</constant> is already a member of the UNIX/Linux group, and via the
|
||||
Given that the user <constant>ajt</constant> is already a member of the UNIX/Linux group and, via the
|
||||
group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
|
||||
demonstrated here:
|
||||
<screen>
|
||||
@ -350,8 +350,8 @@ Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To permit the user <constant>ajt</constant> to be added using the <command>net rpc group</command> utility
|
||||
this account must first be removed. The removal, and confirmation of its effect is shown here:
|
||||
To permit the user <constant>ajt</constant> to be added using the <command>net rpc group</command> utility,
|
||||
this account must first be removed. The removal and confirmation of its effect is shown here:
|
||||
<screen>
|
||||
&rootprompt; net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
|
||||
&rootprompt; getent group Engineers
|
||||
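Review bot: Agreement in the rewritten line `this account must first be removed. The removal and confirmation of its effect is shown here:`: the compound subject "removal and confirmation" takes "are shown". Since the line is already being touched for the comma fix, suggest "The removal and the confirmation of its effect are shown here:".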
@ -376,9 +376,9 @@ MIDEARTH\ajt
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In this example the members of the Windows <constant>Domain Users</constant> account is validated using
|
||||
the <command>net rpc group</command> utility. Note that this contents of the UNIX/Linux group was shown
|
||||
4 paragraphs earlier. The Windows (domain) group membership is shown here:
|
||||
In this example the members of the Windows <constant>Domain Users</constant> account are validated using
|
||||
the <command>net rpc group</command> utility. Note the this contents of the UNIX/Linux group was shown
|
||||
four paragraphs earlier. The Windows (domain) group membership is shown here:
|
||||
<screen>
|
||||
&rootprompt; net rpc group members "Domain Users" -Uroot%not24get
|
||||
MIDEARTH\jht
|
||||
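Review bot: The rewritten line `the <command>net rpc group</command> utility. Note the this contents of the UNIX/Linux group was shown` introduces a regression: the original `Note that this contents` has become `Note the this contents`. Suggest "Note that the contents of the UNIX/Linux group were shown four paragraphs earlier.", which also fixes the number agreement (contents ... were).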
@ -387,8 +387,8 @@ MIDEARTH\ajt
|
||||
MIDEARTH\met
|
||||
MIDEARTH\vlendecke
|
||||
</screen>
|
||||
The example shown here is an express example that Windows group names are treated by Samba (as with
|
||||
MS Windows) in a case insensitive manner:
|
||||
This express example shows that Windows group names are treated by Samba (as with
|
||||
MS Windows) in a case-insensitive manner:
|
||||
<screen>
|
||||
&rootprompt; net rpc group members "DomAiN USerS" -Uroot%not24get
|
||||
MIDEARTH\jht
|
||||
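Review bot: Wording in the rewritten line `This express example shows that Windows group names are treated by Samba (as with`: "express example" is unusual and reads as though a kind of example were meant. Suggest "This example shows explicitly that Windows group names are treated by Samba (as with MS Windows) in a case-insensitive manner:".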
@ -413,8 +413,8 @@ MIDEARTH\vlendecke
|
||||
<title>Nested Group Support</title>
|
||||
|
||||
<para>
|
||||
It is possible in Windows (and now in Samba also) to great a local group that has members (contains)
|
||||
domain users and domain global groups. Creation of the local group <constant>demo</constant> is
|
||||
It is possible in Windows (and now in Samba also) to create a local group that has members (contains),
|
||||
domain users, and domain global groups. Creation of the local group <constant>demo</constant> is
|
||||
achieved by executing:
|
||||
<screen>
|
||||
&rootprompt; net rpc group add demo -L -S MORDON -Uroot%not24get
|
||||
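Review bot: The new punctuation in `It is possible in Windows (and now in Samba also) to create a local group that has members (contains),` / `domain users, and domain global groups. Creation of the local group <constant>demo</constant> is` turns the parenthetical "(contains)" into the first item of a list, so the sentence now says the group contains three things. Suggest dropping the parenthetical: "to create a local group whose members are domain users and domain global groups", or keep it without the commas: "that has as members (contains) domain users and domain global groups".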
@ -472,7 +472,7 @@ DOM\jht
|
||||
<para>
|
||||
Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
|
||||
the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
|
||||
from a system (POSIX) account, or from a pool (range) of UID numbers that is set aside for the purpose
|
||||
from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose
|
||||
of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a
|
||||
particular user will be allocated by <command>winbindd</command>.
|
||||
</para>
|
||||
@ -481,7 +481,7 @@ DOM\jht
|
||||
Although this is not the appropriate place to discuss the <smbconfoption name="username map"/> facility,
|
||||
this interface is an important method of mapping a Windows user account to a UNIX account that has a
|
||||
different name. Refer to the man page for the &smb.conf; file for more information regarding this
|
||||
facility. User name mappings can not be managed using the <command>net</command> utility.
|
||||
facility. User name mappings cannot be managed using the <command>net</command> utility.
|
||||
</para>
|
||||
|
||||
<sect2 id="sbeuseraddn">
|
||||
@ -537,7 +537,7 @@ Deleted user account
|
||||
<title>Managing User Accounts</title>
|
||||
|
||||
<para>
|
||||
Two basic user account operations are routinely used, change of password and querying which groups a user
|
||||
Two basic user account operations are routinely used: change of password and querying which groups a user
|
||||
is a member of. The change of password operation is shown in <link linkend="sbeuseraddn"/>.
|
||||
</para>
|
||||
|
||||
@ -562,7 +562,7 @@ Emergency Services
|
||||
<title>User Mapping</title>
|
||||
|
||||
<para>
|
||||
In some situations it is unavoidable that a users' Windows logon name will differ from the login ID
|
||||
In some situations it is unavoidable that a user's Windows logon name will differ from the login ID
|
||||
that user has on the Samba server. It is possible to create a special file on the Samba server that
|
||||
will permit the Windows user name to be mapped to a different UNIX/Linux user name. The &smb.conf;
|
||||
file must also be amended so that the <constant>[global]</constant> stanza contains the parameter:
|
||||
@ -587,21 +587,21 @@ marygee: geeringm
|
||||
<title>Administering User Rights and Privileges</title>
|
||||
|
||||
<para>
|
||||
With all versions of Samba earlier than 3.0.11 the only account on a Samba server that had the ability
|
||||
to manage users, groups, shares, printers, etc. is the <constant>root</constant> account. This caused
|
||||
immense problems for some users and was a frequent source of scorn over the necessity to hand out the
|
||||
credentials for the most security sensitive account on a UNIX/Linux system.
|
||||
With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could
|
||||
manage users, groups, shares, printers, and such was the <constant>root</constant> account. This caused
|
||||
problems for some users and was a frequent source of scorn over the necessity to hand out the
|
||||
credentials for the most security-sensitive account on a UNIX/Linux system.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
|
||||
a normal user, or to groups of users. The significance of the administrative privileges is documented
|
||||
a normal user or to groups of users. The significance of the administrative privileges is documented
|
||||
in <link linkend="rights"/>. Examples of use of the <command>net</command> for user rights and privilege
|
||||
management is appropriate to this chapter.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
When user rights and privileges are correctly set there is no longer a need for there to be a Windows
|
||||
When user rights and privileges are correctly set, there is no longer a need for a Windows
|
||||
network account for the <constant>root</constant> user (nor for any synonym of it) with a UNIX UID=0.
|
||||
Initial user rights and privileges can be assigned by any account that is a member of the <constant>
|
||||
Domain Admins</constant> group. Rights can be assigned to user as well as group accounts.
|
||||
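Review bot: Agreement and a missing noun in the unchanged context lines `in <link linkend="rights"/>. Examples of use of the <command>net</command> for user rights and privilege` / `management is appropriate to this chapter.`: "Examples ... are appropriate", and "the net" needs "command" after it as elsewhere in the chapter. Suggest "Examples of the use of the <command>net</command> command for user rights and privilege management are appropriate to this chapter."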
@ -659,7 +659,7 @@ No privileges assigned
|
||||
SeDiskOperatorPrivilege -U root%not24get
|
||||
Successfully granted rights.
|
||||
</screen>
|
||||
Next, the domain user <constant>jht</constant> is given the privileges needed for day to day
|
||||
Next, the domain user <constant>jht</constant> is given the privileges needed for day-to-day
|
||||
administration:
|
||||
<screen>
|
||||
&rootprompt; net rpc rights grant "MIDEARTH\jht" \
|
||||
@ -713,10 +713,10 @@ SeDiskOperatorPrivilege
|
||||
<title>Managing Trust Relationships</title>
|
||||
|
||||
<para>
|
||||
There are essentially two types of trust relationships. The first between domain controllers and domain
|
||||
member machines (network clients), the second trusts between domains (called inter-domain trusts). All
|
||||
There are essentially two types of trust relationships: the first is between domain controllers and domain
|
||||
member machines (network clients), the second is between domains (called interdomain trusts). All
|
||||
Samba servers that participate in domain security require a domain membership trust account, as do like
|
||||
Windows NT/2KX/XPP workstations.
|
||||
Windows NT/200x/XP workstations.
|
||||
</para>
|
||||
|
||||
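Review bot: Comma splice and a stray word in the rewritten trust paragraph: `There are essentially two types of trust relationships: the first is between domain controllers and domain` / `member machines (network clients), the second is between domains (called interdomain trusts). All` joins two independent clauses with a comma, and the following context line `Samba servers that participate in domain security require a domain membership trust account, as do like` has "like" where either "likewise" or nothing belongs. Suggest a semicolon before "the second" and "as do Windows NT/200x/XP workstations."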
<sect2>
|
||||
@ -728,7 +728,7 @@ SeDiskOperatorPrivilege
|
||||
&rootprompt; net rpc testjoin
|
||||
Join to 'MIDEARTH' is OK
|
||||
</screen>
|
||||
Where there is no domain membership account, or when the account credentials are not valid the following
|
||||
Where there is no domain membership account, or when the account credentials are not valid, the following
|
||||
results will be observed:
|
||||
<screen>
|
||||
net rpc testjoin -S DOLPHIN
|
||||
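Review bot: The failing-case example `net rpc testjoin -S DOLPHIN` lacks the `&rootprompt;` prefix that the successful example a few lines above (`&rootprompt; net rpc testjoin`) and every other `<screen>` block in this chapter carry. Suggest adding it so the two cases render consistently.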
@ -773,7 +773,7 @@ merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\
|
||||
Joined domain MIDEARTH.
|
||||
</screen>
|
||||
Note that the command-line parameter <constant>member</constant> makes this join specific. By default
|
||||
the type is deduced from the &smb.conf; file configuration. To specifically join as a PDC or BDC the
|
||||
the type is deduced from the &smb.conf; file configuration. To specifically join as a PDC or BDC, the
|
||||
command-line parameter will be <constant>[PDC | BDC]</constant>. For example:
|
||||
<screen>
|
||||
&rootprompt; net rpc join bdc -S FRODO -Uroot%not24get
|
||||
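Review bot: The hunk header context `merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\` reproduces a password hash from an smbpasswd entry for a machine trust account in the documentation example. Even as sample data, a hash in this form is exactly what should not be pasted into shared documents, and readers tend to copy the habit; suggest replacing the hash fields in the example with an obvious placeholder such as `XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`. Separately, the rewritten description `command-line parameter will be <constant>[PDC | BDC]</constant>. For example:` shows the keyword in upper case while the example `&rootprompt; net rpc join bdc -S FRODO -Uroot%not24get` uses lower case; either make the two agree or state that the keyword is accepted in either case.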
@ -792,15 +792,15 @@ Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
|
||||
</para>
|
||||
|
||||
<para>
|
||||
There is no specific option to remove a machine account from ain NT4 domain. When a domain member that is a
|
||||
Windows machine is withdrawn from the domain the domain membership account is not automatically removed
|
||||
There is no specific option to remove a machine account from an NT4 domain. When a domain member that is a
|
||||
Windows machine is withdrawn from the domain, the domain membership account is not automatically removed
|
||||
either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
|
||||
machine account can be removed using the following <command>net</command> command:
|
||||
<screen>
|
||||
&rootprompt; net rpc user delete HERRING\$ -Uroot%not24get
|
||||
Deleted user account.
|
||||
</screen>
|
||||
The removal is made possible because machine account are just like user accounts with a trailing $
|
||||
The removal is made possible because machine accounts are just like user accounts with a trailing $
|
||||
character. The account management operations treat user and machine accounts in like manner.
|
||||
</para>
|
||||
|
||||
@ -819,22 +819,22 @@ Deleted user account.
|
||||
&rootprompt; net ads status
|
||||
</screen>
|
||||
The volume of information is extensive. Please refer to the book <quote>Samba-3 by Example</quote>,
|
||||
Chapter 7 for more information regarding its use. This book may be obtained either in print, or on line from
|
||||
Chapter 7 for more information regarding its use. This book may be obtained either in print or online from
|
||||
the <ulink url="http://www.samba.org/samba/docs/Samba-Guide.pdf">Samba-Guide</ulink>.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Inter-Domain Trusts</title>
|
||||
<title>Interdomain Trusts</title>
|
||||
|
||||
<para>
|
||||
Inter-domain trust relationships form the primary mechanism by which users from one domain can be granted
|
||||
Interdomain trust relationships form the primary mechanism by which users from one domain can be granted
|
||||
access rights and privileges in another domain.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To discover what trust relationships are in effect execute this command:
|
||||
To discover what trust relationships are in effect, execute this command:
|
||||
<screen>
|
||||
&rootprompt; net rpc trustdom list -Uroot%not24get
|
||||
Trusted domains list:
|
||||
@ -845,7 +845,7 @@ Trusting domains list:
|
||||
|
||||
none
|
||||
</screen>
|
||||
There are no inter-domain trusts at this time, the following steps will create them.
|
||||
There are no interdomain trusts at this time; the following steps will create them.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -865,7 +865,7 @@ damnation$:1016:9AC1F121DF897688AAD3B435B51404EE: \
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If the trusting domain is not capable of being reached the following command will fail
|
||||
If the trusting domain is not capable of being reached, the following command will fail:
|
||||
<screen>
|
||||
&rootprompt; net rpc trustdom list -Uroot%not24get
|
||||
Trusted domains list:
|
||||
@ -892,7 +892,7 @@ DAMNATION domain controller is not responding
|
||||
<para>
|
||||
Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)
|
||||
the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This
|
||||
command achieves the objective of enjoining the trust relationship:
|
||||
command achieves the objective of joining the trust relationship:
|
||||
<screen>
|
||||
&rootprompt; net rpc trustdom establish damnation
|
||||
Password: xxxxxxx == f00db4r
|
||||
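Review bot: The example `Password: xxxxxxx == f00db4r` shows the masked password prompt alongside the clear-text trust password, which defeats the purpose of the masking in a document readers copy from; suggest showing only the masked prompt, since the value is not needed to follow the example. Also, the rewritten sentence `command achieves the objective of joining the trust relationship:` describes `net rpc trustdom establish`, and "establishing the trust relationship" matches both the command name and the paragraph's own wording (`Samba is able to establish the trust`) better than "joining".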
@ -913,7 +913,7 @@ DAMNATION S-1-5-21-1385457007-882775198-1210191635
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Sometimes it is necessary to remove the ability for local uses to access a foreign domain. The trusting
|
||||
Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting
|
||||
connection can be revoked as shown here:
|
||||
<screen>
|
||||
&rootprompt; net rpc trustdom revoke damnation -Uroot%not24get
|
||||
@ -934,21 +934,21 @@ DAMNATION S-1-5-21-1385457007-882775198-1210191635
|
||||
<title>Managing Security Identifiers (SIDS)</title>
|
||||
|
||||
<para>
|
||||
The basic security identifier that is used b y all Windows networking operations is the Windows security
|
||||
The basic security identifier that is used by all Windows networking operations is the Windows security
|
||||
identifier (SID). All Windows network machines (servers and workstations), users, and groups are
|
||||
identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
|
||||
are specific to the SID of the domain to which the user belongs.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
It is truly prudent to store the machine and/or domain SID in a file for safe-keeping. Why? Because
|
||||
It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
|
||||
a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
|
||||
have the SID on hand it is a simple matter to restore it. The alternative is to suffer the pain of
|
||||
having to recover user desktop profiles and perhaps re-join all member machines to the domain.
|
||||
have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
|
||||
having to recover user desktop profiles and perhaps rejoin all member machines to the domain.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
First, do not forget to store the local sid in a file. It is a good idea to put this in the directory
|
||||
First, do not forget to store the local SID in a file. It is a good idea to put this in the directory
|
||||
in which the &smb.conf; file is also stored. Here is a simple action to achieve this:
|
||||
<screen>
|
||||
&rootprompt; net getlocalsid > /etc/samba/my-sid
|
||||
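Review bot: The section title `<title>Managing Security Identifiers (SIDS)</title>` capitalises the plural as "SIDS", while the body of the same hunk uses "SID" and "SIDs" (`are specific to the SID of the domain to which the user belongs.`, `encoded with user and group SIDs`). Suggest "(SIDs)" in the title, since this commit already corrects `local sid` to `local SID` in the same hunk.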
@ -968,18 +968,18 @@ SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
|
||||
<para>
|
||||
If ever it becomes necessary to restore the SID that has been stored in the <filename>my-sid</filename>
|
||||
file, simply copy the SID (the string of characters that begins with <constant>S-1-5-21</constant>) to
|
||||
the command-line shown here:
|
||||
the command line shown here:
|
||||
<screen>
|
||||
&rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635
|
||||
</screen>
|
||||
Restoration of a machine SID is a simple operation, but the absence of a back-up copy can be very
|
||||
Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very
|
||||
problematic.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The following operation is useful only for machines that are being configured as a PDC or a BDC.
|
||||
Domain member servers (DMS) and workstation clients should have their own machine SID to avoid
|
||||
any potential name-space collision. Here is the way that the BDC SID can be synchronized to that
|
||||
DMS and workstation clients should have their own machine SID to avoid
|
||||
any potential namespace collision. Here is the way that the BDC SID can be synchronized to that
|
||||
of the PDC (this is the default NT4 domain practice also):
|
||||
<screen>
|
||||
&rootprompt; net rpc getsid -S FRODO -Uroot%not24get
|
||||
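Review bot: The restore example `&rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635` uses the DAMNATION domain SID from the trust section rather than the SID this section just saved, which the hunk header shows as `SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429`. Since the paragraph tells the reader to copy the SID out of the `my-sid` file, the example should use the MERLIN value so the save and restore steps line up. Minor: the rewrite replaces `Domain member servers (DMS) and workstation clients should have their own machine SID to avoid` with the bare `DMS and workstation clients`; the abbreviation is expanded much earlier in the chapter, so this is acceptable, but check that the earlier expansion survives in the final text.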
@ -1007,7 +1007,7 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
Each of these are dealt with here in so far as they involve the use of the <command>net</command>
|
||||
Each of these are dealt with here insofar as they involve the use of the <command>net</command>
|
||||
command. Operations outside of this command are covered elsewhere in this document.
|
||||
</para>
|
||||
|
||||
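Review bot: Agreement in the rewritten line `Each of these are dealt with here insofar as they involve the use of the <command>net</command>`: "each" takes a singular verb, so "Each of these is dealt with here insofar as it involves the use of the net command". The "insofar" correction itself is right.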
@ -1018,7 +1018,7 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
|
||||
A share can be added using the <command>net rpc share</command> command capabilities.
|
||||
The target machine may be local or remote and is specified by the -S option. It must be noted
|
||||
that the addition and deletion of shares using this tool depends on the availability of a suitable
|
||||
interface script. The interface scripts Sambas <command>smbd</command> uses are called:
|
||||
interface script. The interface scripts Sambas <command>smbd</command> uses are called
|
||||
<smbconfoption name="add share script"/> and <smbconfoption name="delete share script"/>.
|
||||
A set of example scripts are provided in the Samba source code tarball in the directory
|
||||
<filename>~samba/examples/scripts</filename>.
|
||||
@ -1026,14 +1026,14 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
|
||||
|
||||
<para>
|
||||
The following steps demonstrate the use of the share management capabilities of the <command>net</command>
|
||||
utility. In the first step a share called <constant>Bulge</constant> is added. The share-point within the
|
||||
utility. In the first step a share called <constant>Bulge</constant> is added. The sharepoint within the
|
||||
file system is the directory <filename>/data</filename>. The command that can be executed to perform the
|
||||
addition of this share is shown here:
|
||||
<screen>
|
||||
&rootprompt; net rpc share add Bulge=/data -S MERLIN -Uroot%not24get
|
||||
</screen>
|
||||
Validation is an important process, and by executing the command <command>net rpc share</command>
|
||||
with no other operators a listing of available shares is shown here:
|
||||
with no other operators it is possible to obtain a listing of available shares, as shown here:
|
||||
<screen>
|
||||
&rootprompt; net rpc share -S MERLIN -Uroot%not24get
|
||||
profdata
|
||||
@ -1074,23 +1074,23 @@ kyocera
|
||||
<title>Creating and Changing Share ACLs</title>
|
||||
|
||||
<para>
|
||||
At this time the net tool can not be used to manage ACLs on Samba shares. In MS Windows
|
||||
language this is called: Share Permissions.
|
||||
At this time the <command>net</command> tool cannot be used to manage ACLs on Samba shares. In MS Windows
|
||||
language this is called Share Permissions.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager,
|
||||
of using the Computer Management MMC snap-in. Neither will be covered here as this subject is
|
||||
covered in <link linkend="AccessControls"/>.
|
||||
It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager
|
||||
or using the Computer Management MMC snap-in. Neither is covered here,
|
||||
but see <link linkend="AccessControls"/>.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Share, Directory and File Migration</title>
|
||||
<title>Share, Directory, and File Migration</title>
|
||||
|
||||
<para>
|
||||
Shares and files can be migrated in the same manner as user, machine and group accounts.
|
||||
Shares and files can be migrated in the same manner as user, machine, and group accounts.
|
||||
It is possible to preserve access control settings (ACLs) as well as security settings
|
||||
throughout the migration process. The <command>net rpc vampire</command> facility is used
|
||||
to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process
|
||||
@ -1099,26 +1099,26 @@ kyocera
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The <command>net rpc share</command> command may be used to migrate shares, directories
|
||||
The <command>net rpc share</command> command may be used to migrate shares, directories,
|
||||
files, printers, and all relevant data from a Windows server to a Samba server.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
A set of command-line switches permit the creation of almost direct clones of Windows file
|
||||
servers. For example, when migrating a file-server, file ACLs and DOS file attributes from
|
||||
the Windows server can be included in the migration process and will reappear, almost identically
|
||||
servers. For example, when migrating a fileserver, file ACLs and DOS file attributes from
|
||||
the Windows server can be included in the migration process and will reappear, almost identically,
on the Samba server when the migration has been completed.
</para>
<para>
The migration process can be completed only with the Samba server already being fully operational.
This means that the user and group accounts must be migrated before attempting to migrate data
The user and group accounts must be migrated before attempting to migrate data
share, files, and printers. The migration of files and printer configurations involves the use
of both SMB and MS DCE RPC services. The benefit of the manner in which the migration process has
been implemented, the possibility now exists to use a Samba server as a man-in-middle migration
been implemented is that the possibility now exists to use a Samba server as a man-in-middle migration
service that affects a transfer of data from one server to another. For example, if the Samba
server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
server is called GONZALES, the machine MESSER can be used to affect the migration of all data
server is called GONZALES, the machine MESSER can be used to effect the migration of all data
(files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
server is assumed by default.
</para>
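Review bot: the "affect"/"effect" fix is applied only to the later line ("can be used to effect the migration"); the unchanged line "service that affects a transfer of data from one server to another" has the same error and should become "effects a transfer" in this hunk, and "man-in-middle" should read "man-in-the-middle". The rewritten sentence "The user and group accounts must be migrated before attempting to migrate data share, files, and printers" still has the number problem carried over from the context line: "data shares". Note also that the removed sentence "The migration process can be completed only with the Samba server already being fully operational" stated a prerequisite that the replacement text no longer carries; if dropping it is intentional, fine, otherwise keep it as the first sentence of the paragraph.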
@ -1134,12 +1134,12 @@ kyocera
<orderedlist>
<listitem><para>
The <command>net</command> command requires that the user credentials provided exist both
on the migration source and the migration target.
The <command>net</command> command requires that the user credentials provided exist on both
the migration source and the migration target.
</para></listitem>
<listitem><para>
Printer settings may not be fully or incorrectly migrated. This might in particular happen
Printer settings may not be fully or may be incorrectly migrated. This might in particular happen
when migrating a Windows 2003 print server to Samba.
</para></listitem>
</orderedlist>
@ -1157,7 +1157,7 @@ kyocera
</para>
<para>
The shares are created on-the-fly as part of the migration process. The <command>smbd</command>
The shares are created on the fly as part of the migration process. The <command>smbd</command>
application does this by calling on the operating system to execute the script specified by the
&smb.conf; parameter <parameter>add share command</parameter>.
</para>
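Review bot: style, the &smb.conf; parameter on the last context line is marked up as <parameter>add share command</parameter>, while the same kind of reference elsewhere in this patch uses <smbconfoption name="..."/> (for example "force unknown acl user" in the file-migration section); using <smbconfoption name="add share command"/> here keeps the cross-references consistent and lets the stylesheet link and index them.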
@ -1167,7 +1167,7 @@ kyocera
<filename>$SAMBA_SOURCES/examples/scripts</filename> directory. It should be noted that
the account that is used to drive the migration must, of necessity, have appropriate file system
access privileges and have the right to create shares and to set ACLs on them. Such rights are
conferred by these rights: <parameter>SeAddUsersPrivilege, SeDiskOperatorPrivilege</parameter>.
conferred by these rights: <parameter>SeAddUsersPrivilege</parameter> and <parameter>SeDiskOperatorPrivilege</parameter>.
For more information regarding rights and privileges please refer to <link linkend="rights"/>.
</para>
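Review bot: "Such rights are conferred by these rights: ..." is tautological on the rewritten line; suggest "These rights are conferred by the SeAddUsersPrivilege and SeDiskOperatorPrivilege privileges." The two names are privilege identifiers rather than configuration parameters, so <constant> would be the better markup than <parameter>.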
@ -1187,7 +1187,7 @@ net rpc share MIGRATE SHARES <share-name> -S <source>
This will migrate the share <constant>myshare</constant> from the server <constant>win2k</constant>
to the Samba Server using the permissions that are tied to the account <constant>administrator</constant>
with the password <constant>secret</constant>. The account that is used must be the same on both the
migration source server, as well as on the target Samba server. The use of the <command>net rpc
migration source server and the target Samba server. The use of the <command>net rpc
vampire</command>, prior to attempting the migration of shares, will ensure that accounts will be
identical on both systems. One precaution worth taking before commencement of migration of shares is
to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
@ -1195,7 +1195,7 @@ net rpc share MIGRATE SHARES <share-name> -S <source>
<screen>
&rootprompt; net rpc right list accounts -Uroot%not24get
</screen>
The steps taken so far performs only the migration of shares. Directories and directory contents
The steps taken so far perform only the migration of shares. Directories and directory contents
are not migrated by the steps covered up to this point.
</para>
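Review bot: the screen example in this hunk, "net rpc right list accounts -Uroot%not24get", names a subcommand that the net utility does not have; the privilege-management family is "net rpc rights", so the line should read "net rpc rights list accounts -Uroot%not24get" for the example to be copy-pasteable. This is unchanged context, but it is the only command shown for the validation step the paragraph recommends.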
@ -1207,20 +1207,20 @@ net rpc share MIGRATE SHARES <share-name> -S <source>
<para>
Everything covered to this point has been done in preparation for the migration of file and directory
data. For many people preparation is potentially boring and the real excitement only begins when file
data can be used. The next steps demonstrates the techniques that can be used to transfer (migrate)
data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
data files using the <command>net</command> command.
</para>
<para>
Transfer of files from one server to another has always been a challenge for Microsoft Windows
Transfer of files from one server to another has always been a challenge for MS Windows
administrators because Windows NT and 200X servers do not include the tools needed. The
<command>xcopy</command> is not capable of preserving file and directory ACLs. Microsoft do provide a
<command>xcopy</command> is not capable of preserving file and directory ACLs. Microsoft does provide a
utility that can copy ACLs (security settings) called <command>scopy</command>, but it is provided only
as part of the Windows NT or 200X Server Resource Kit.
</para>
<para>
There are several tools, both commercial and freeware, that can be used from Windows server to copy files
There are several tools, both commercial and freeware, that can be used from a Windows server to copy files
and directories with full preservation of security settings. One of the best known of the free tools is
called <command>robocopy</command>.
</para>
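Review bot: "200X" on the context lines "Windows NT and 200X servers do not include the tools needed" and "Windows NT or 200X Server Resource Kit" should be "200x", the capitalisation this same patch adopts in the printer-migration hunk ("NT4 or 200x") and in the charset chapter ("Windows NT, 200x, XP"); since the surrounding sentences are being touched anyway, fix both occurrences here.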
@ -1228,9 +1228,9 @@ net rpc share MIGRATE SHARES <share-name> -S <source>
<para>
The <command>net</command> utility can be used to copy files and directories with full preservation of
ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination
system will operate within the same security context as the source system. This applies to both a domain
member server (DMS) as well as for domain controllers (DCs) that result from a vampired domain.
Before file and directory migration all shares must already exist.
system will operate within the same security context as the source system. This applies both to a
DMS and to domain controllers that result from a vampired domain.
Before file and directory migration, all shares must already exist.
</para>
<para>
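Review bot: the rewrite drops the expansion "domain member server (DMS)" from the removed line and leaves only the bare acronym on the new line "DMS and to domain controllers that result from a vampired domain"; unless the term is introduced earlier in this chapter, keep the expansion at first use: "This applies both to a domain member server (DMS) and to domain controllers (DCs) that result from a vampired domain."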
@ -1247,20 +1247,20 @@ net rpc share MIGRATE FILES <share-name> -S <source>
<para>
Where it is necessary to preserve all file ACLs, the <parameter>--acls</parameter> switch should be added
to the above command line. Original file time stamps can be preserved by specifying the
<parameter>--timestamps</parameter> switch, and the DOS file attributes (i.e.: hidden, archive, etc.) cab
to the above command line. Original file timestamps can be preserved by specifying the
<parameter>--timestamps</parameter> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can
be preserved by specifying the <parameter>--attrs</parameter> switch.
</para>
<note><para>
The ability to preserve ACLs depends on appropriate support for ACLs, as well as the general file system
The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system
semantics of the host operating system on the target server. A migration from one Windows file server to
another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
onto a POSIX ACLs supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
onto a POSIX ACLs-supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
</para></note>
<para>
The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows support
The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows supports
the possibility of files that are owned only by a group. Group-alone file ownership is not possible under
UNIX/Linux. Errors in migrating group-owned files can be avoided by using the &smb.conf; file
<smbconfoption name="force unknown acl user">yes</smbconfoption> parameter. This facility will
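Review bot: "onto a POSIX ACLs-supporting system" on the new line in the note is still awkward; suggest "onto a system that supports POSIX ACLs". In the same note, the context sentence "A migration from one Windows file server to another will perfectly preserve all file attributes" is stronger than the surrounding caveats justify; "can preserve" would be safer wording, since preservation still depends on the tool and switches used.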
@ -1277,7 +1277,7 @@ net rpc share MIGRATE FILES <share-name> -S <source>
</para>
<para>
The above command will migrate all files and directories from all file shares on the Windows server called
This command will migrate all files and directories from all file shares on the Windows server called
<constant>nt4box</constant> to the Samba server from which migration is initiated. Files that are group-owned
will be owned by the user account <constant>administrator</constant>.
</para>
@ -1288,8 +1288,8 @@ net rpc share MIGRATE FILES <share-name> -S <source>
<title>Simultaneous Share and File Migration</title>
<para>
This operating mode shown here is just a combination of the two above. It first migrates
share-definitions and then all shared files and directories afterwards:
The operating mode shown here is just a combination of the previous two. It first migrates
share definitions and then all shared files and directories:
<screen>
net rpc share MIGRATE ALL <share-name> -S <source>
[--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v]
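Review bot: the usage line "[--exclude=share1, share2]" has a space after the comma, which a shell would treat as the start of a separate argument, so only "share1" would reach the --exclude option; write the list as "--exclude=share1,share2" in the screen block.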
@ -1312,23 +1312,23 @@ net rpc share MIGRATE ALL <share-name> -S <source>
<title>Printer Migration</title>
<para>
The installation of a new server, as with the migration to a new network environment, often has similarity
to the building of a house; progress is very rapid from the laying of foundations up to the stage at which
the the house can be locked-up, but the finishing off appears to take longer and longer as building
The installation of a new server, as with the migration to a new network environment, often is similar to
building a house; progress is very rapid from the laying of foundations up to the stage at which
the the house can be locked up, but the finishing off appears to take longer and longer as building
approaches completion.
</para>
<para>
Printing needs vary greatly depending on the network environment, and may be very simple or complex. If
the need is very simple the best solution to the implementation of printing support may well be to
Printing needs vary greatly depending on the network environment and may be very simple or complex. If
the need is very simple, the best solution to the implementation of printing support may well be to
re-install everything from a clean slate instead of migrating older configurations. On the other hand,
a complex network that is integrated with many international offices and a multiplexity of local branch
offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all
printer configurations is decidedly beneficial. To manually re-establish a complex printing network
will take much time and frustration. Often-times it will not be possible to find driver files that are
currently in use thus necessitating the installation of newer drivers. Newer drivers often implement
will take much time and frustration. Often it will not be possible to find driver files that are
currently in use, necessitating the installation of newer drivers. Newer drivers often implement
printing features that will necessitate a change in the printer usage. Additionally, with very complex
printer configurations it becomes almost impossible to re-create the same environment - not matter
printer configurations it becomes almost impossible to re-create the same environment &smbmdash; no matter
how extensively it has been documented.
</para>
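Review bot: the duplicated word in "the the house can be locked up" survives the rewrite of that line (only "locked-up" was changed); drop one "the". In the second paragraph, "multiplexity of local branch offices" should be "multiplicity", and the sentence beginning "On the other hand, a complex network that is integrated with many international offices ..." has no main verb for its subject; recasting it as "On the other hand, in a complex network ..., the ability to migrate all printer configurations is decidedly beneficial" fixes it.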
@ -1351,7 +1351,7 @@ net rpc share MIGRATE ALL <share-name> -S <source>
<para>
The Samba <command>net</command> utility permits printer migration from one Windows print server
to another. When this tool is used to migrate printers to a Samba server <command>smbd</command>,
the application the receives the network requests to create the necessary services, must call-out
the application that receives the network requests to create the necessary services must call out
to the operating system in order to create the underlying printers. The call-out is implemented
by way of an interface script that can be specified by the &smb.conf; file parameter
<smbconfoption id="add printer script"/>. This script is essential to the migration process.
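Review bot: <smbconfoption id="add printer script"/> uses an id attribute where every other smbconfoption reference in this patch uses name= ("force unknown acl user", "unix charset", "dos charset", "display charset"); if the stylesheet keys on name, this cross-reference will not resolve, so it should be <smbconfoption name="add printer script"/>. The rewritten clause "to a Samba server smbd, the application that receives the network requests ... must call out" also needs a comma after "server" so that smbd reads as the appositive it is meant to be.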
@ -1363,18 +1363,18 @@ net rpc share MIGRATE ALL <share-name> -S <source>
<para>
Each of the components listed above can be completed separately, or they can be completed as part of an
automated operation. Many network administrators prefer to deal with migration issues in a manner that
gives them the most control, particularly when things go wrong. The syntax for each operation will now
be briefly described.
gives them the most control, particularly when things go wrong. The syntax for each operation is now
briefly described.
</para>
<para>
Printer migration from a Windows print server (NT4 or 200X) is shown. This instruction causes the
Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the
printer share to be created together with the underlying print queue:
<screen>
net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
</screen>
Printer drivers can be migrated from the Windows print server to the Samba server using this
command line instruction:
command-line instruction:
<screen>
net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
</screen>
@ -1386,7 +1386,7 @@ net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
<screen>
net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
</screen>
Printer configuration settings include factors such as paper size, default paper orientation, etc.
Printer configuration settings include factors such as paper size and default paper orientation.
These can be migrated from the Windows print server to the Samba server with this command:
<screen>
net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
@ -1394,7 +1394,7 @@ net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
</para>
<para>
Migration of printers including all the above mentioned sets of information may be completed
Migration of printers including the above-mentioned sets of information may be completed
with a single command using this syntax:
<screen>
net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
@ -1409,7 +1409,7 @@ net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
<title>Controlling Open Files</title>
<para>
The man page documents the <command>net file</command> function suite. These ability is provided to
The man page documents the <command>net file</command> function suite, which provides the tools to
close open files using either RAP or RPC function calls. Please refer to the man page for specific
usage information.
</para>
@ -1446,8 +1446,8 @@ Computer User name Client Type Opens Idle time
<title>Printers and ADS</title>
<para>
When Samba-3 is used within as MS Windows ADS environment printers shared via Samba will not be browseable
until they have been published to the ADS domain. Information regarding published printers my be obtained
When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable
until they have been published to the ADS domain. Information regarding published printers may be obtained
from the ADS server by executing the <command>net ads print info</command> command following this syntax:
<screen>
net ads printer info <printer_name> <server_name> -Uadministrator%secret
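Review bot: the prose on the context line names the command as <command>net ads print info</command>, but the screen example immediately below runs "net ads printer info"; the subcommand is "printer", so the prose should be corrected to match the example while this paragraph is being edited.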
@ -1457,7 +1457,7 @@ net ads printer info <printer_name> <server_name> -Uadministrator%se
</para>
<para>
To publish (make available) a printer to ADS execute the following command:
To publish (make available) a printer to ADS, execute the following command:
<screen>
net ads printer publish <printer_name> -Uadministrator%secret
</screen>
@ -1484,17 +1484,17 @@ net ads printer search <printer_name> -Uadministrator%secret
<title>Manipulating the Samba Cache</title>
<para>
Please refer to the net command man page for information regarding cache management.
Please refer to the <command>net</command> command man page for information regarding cache management.
</para>
</sect1 id="netmisc1">
</sect1>
<sect1>
<sect1 id="netmisc1">
<title>Other Miscellaneous Operations</title>
<para>
The following command is useful for obtaining basic statistics regarding a Samba domain. This command does
not work against current Windows XP Professional clients.
not work with current Windows XP Professional clients.
<screen>
&rootprompt; net rpc info
Domain Name: RAPIDFLY
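Review bot: moving the id from the end tag ("</sect1 id="netmisc1">") to the start tag ("<sect1 id="netmisc1">") is the right fix, since an attribute on an end tag is not well-formed XML and the original would not have passed validation. The wording change from "does not work against current Windows XP Professional clients" to "with" loses precision, though: net rpc info is run against a target host, so "against" described the failure more accurately and should be kept.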
@ -1514,7 +1514,7 @@ Num local groups: 6
Tue May 17 00:50:43 2005
</screen>
In the event that it is the intent to pass the time information obtained to the UNIX
<command>/bin/time</command> it is a good idea to obtain the time from the target server in a format
<command>/bin/time</command>, it is a good idea to obtain the time from the target server in a format
that is ready to be passed through. This may be done by executing:
<screen>
&rootprompt; net time system -S FRODO
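Review bot: the sentence says the time information is to be passed to the UNIX <command>/bin/time</command>, but /bin/time is a command timer; "net time system" produces its output in the form consumed by /bin/date for setting the clock, which is the purpose the paragraph describes, so the path should read <command>/bin/date</command>. The rewritten line only added a comma and carried the wrong command name over.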
@ -1525,7 +1525,7 @@ Tue May 17 00:50:43 2005
&rootprompt; net time set -S MAGGOT -U Administrator%not24get
Tue May 17 00:55:30 MDT 2005
</screen>
It is possible to obtain the time-zone a server is in by executing the following command against it:
It is possible to obtain the time zone of a server by executing the following command against it:
<screen>
&rootprompt; net time zone -S SAURON
-0600
@ -22,8 +22,8 @@
<para>
Every industry eventually matures. One of the great areas of maturation is in
the focus that has been given over the past decade to make it possible for anyone
anywhere to use a computer. It has not always been that way, in fact, not so long
ago it was common for software to be written for exclusive use in the country of
anywhere to use a computer. It has not always been that way. In fact, not so long
ago, it was common for software to be written for exclusive use in the country of
origin.
</para>
@ -36,8 +36,8 @@ is deserving of special mention.
<para>
Samba-2.x supported a single locale through a mechanism called
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly trans-global
file and printer-sharing platform.
<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly transglobal
file- and printer-sharing platform.
</para>
</sect1>
@ -46,7 +46,7 @@ file and printer-sharing platform.
<title>What Are Charsets and Unicode?</title>
<para>
Computers communicate in numbers. In texts, each number will be
Computers communicate in numbers. In texts, each number is
translated to a corresponding letter. The meaning that will be assigned
to a certain number depends on the <emphasis>character set (charset)
</emphasis> that is used.
@ -58,21 +58,21 @@ letters. Not all computers use the same charset (there are charsets
with German umlauts, Japanese characters, and so on). The American Standard Code
for Information Interchange (ASCII) encoding system has been the normative character
encoding scheme used by computers to date. This employs a charset that contains
256 characters. Using this mode of encoding each character takes exactly one byte.
256 characters. Using this mode of encoding, each character takes exactly one byte.
</para>
<para>
There are also charsets that support extended characters, but those need at least
twice as much storage space as does ASCII encoding. Such charsets can contain
<command>256 * 256 = 65536</command> characters, which is more than all possible
characters one could think of. They are called multi-byte charsets because they use
characters one could think of. They are called multibyte charsets because they use
more then one byte to store one character.
</para>
<para>
One standardized multi-byte charset encoding scheme is known as
One standardized multibyte charset encoding scheme is known as
<ulink url="http://www.unicode.org/">unicode</ulink>. A big advantage of using a
multi-byte charset is that you only need one. There is no need to make sure two
multibyte charset is that you only need one. There is no need to make sure two
computers use the same charset when they are communicating.
</para>
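Review bot: the context line "more then one byte to store one character" has "then" for "than" and should be corrected while this paragraph is being edited. The statement on the preceding context lines that ASCII "employs a charset that contains 256 characters" is also wrong: ASCII is a 7-bit code of 128 characters, and the 256-character single-byte sets are the extended code-page encodings layered on top of it, which is exactly the distinction the following paragraph about codepages relies on.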
@ -80,7 +80,7 @@ computers use the same charset when they are communicating.
<parameter>codepages</parameter>, by Microsoft. However, there is no support for
negotiating the charset to be used in the SMB/CIFS protocol. Thus, you
have to make sure you are using the same charset when talking to an older client.
Newer clients (Windows NT, 200x, XP) talk unicode over the wire.
Newer clients (Windows NT, 200x, XP) talk Unicode over the wire.
</para>
</sect1>
@ -88,7 +88,7 @@ Newer clients (Windows NT, 200x, XP) talk unicode over the wire.
<title>Samba and Charsets</title>
<para>
As of Samba-3, Samba can (and will) talk unicode over the wire. Internally,
As of Samba-3, Samba can (and will) talk Unicode over the wire. Internally,
Samba knows of three kinds of character sets:
</para>
@ -98,15 +98,15 @@ Samba knows of three kinds of character sets:
<listitem><para>
This is the charset used internally by your operating system.
The default is <constant>UTF-8</constant>, which is fine for most
systems, which covers all characters in all languages. The default
systems and covers all characters in all languages. The default
in previous Samba releases was to save filenames in the encoding of the
clients, for example cp850 for western european countries.
clients &smbmdash; for example, cp850 for Western European countries.
</para></listitem>
</varlistentry>
<varlistentry>
<term><smbconfoption name="display charset"/></term>
<listitem><para>This is the charset Samba will use to print messages
<listitem><para>This is the charset Samba uses to print messages
on your screen. It should generally be the same as the <parameter>unix charset</parameter>.
</para></listitem>
</varlistentry>
@ -114,7 +114,7 @@ Samba knows of three kinds of character sets:
<varlistentry>
<term><smbconfoption name="dos charset"/></term>
<listitem><para>This is the charset Samba uses when communicating with
DOS and Windows 9x/Me clients. It will talk unicode to all newer clients.
DOS and Windows 9x/Me clients. It will talk Unicode to all newer clients.
The default depends on the charsets you have installed on your system.
Run <command>testparm -v | grep "dos charset"</command> to see
what the default is on your system.
@ -152,29 +152,29 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<listitem><para> Mainly for historical reasons, there are several encoding methods in
Japanese, which are not fully compatible with each other. There are
two major encoding methods. One is the Shift_JIS series, it is used in Windows
and some UNIX's. The other is the EUC-JP series, used in most UNIX's
two major encoding methods. One is the Shift_JIS series used in Windows
and some UNIXes. The other is the EUC-JP series used in most UNIXes
and Linux. Moreover, Samba previously also offered several unique encoding
methods, named CAP and HEX, to keep interoperability with CAP/NetAtalk and
UNIX's which can't use Japanese filenames. Some implementations of the
UNIXes that can't use Japanese filenames. Some implementations of the
EUC-JP series can't support the full Windows character set.
</para></listitem>
<listitem><para>There are some code conversion tables between Unicode and legacy
Japanese character sets. One is compatible with Windows, another one
is based on the reference of the Unicode consortium and others are
is based on the reference of the Unicode consortium, and others are
a mixed implementation. The Unicode consortium does not officially
define any conversion tables between Unicode and legacy character
sets so there cannot be standard one.
sets, so there cannot be standard one.
</para></listitem>
<listitem><para>The character set and conversion tables available in iconv() depends
<listitem><para>The character set and conversion tables available in iconv() depend
on the iconv library that is available. Next to that, the Japanese locale
names may be different on different systems. This means that the value of
the charset parameters depends on the implementation of iconv() you are using.
</para>
<para>Though 2 byte fixed UCS-2 encoding is used in Windows internally,
<para>Though 2-byte fixed UCS-2 encoding is used in Windows internally,
Shift_JIS series encoding is usually used in Japanese environments
as ASCII encoding is in English environments.
</para></listitem>
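Review bot: the new line "sets, so there cannot be standard one." is still missing an article and should read "so there cannot be a standard one"; the comma was added but the grammar of the context line was carried over. In the last list item, "2-byte fixed UCS-2 encoding" would read more naturally as "fixed-width 2-byte UCS-2 encoding".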
@ -183,7 +183,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<sect2><title>Basic Parameter Setting</title>
<para>
<smbconfoption name="dos charset"/> and
The <smbconfoption name="dos charset"/> and
<smbconfoption name="display charset"/>
should be set to the locale compatible with the character set
and encoding method used on Windows. This is usually CP932
@ -191,13 +191,13 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
</para>
<para>
<smbconfoption name="unix charset"/> can be either Shift_JIS series,
EUC-JP series and UTF-8. UTF-8 is always available but the availability of other locales
and its name itself depends on the system.
The <smbconfoption name="unix charset"/> can be either Shift_JIS series,
EUC-JP series, or UTF-8. UTF-8 is always available, but the availability of other locales
and the name itself depends on the system.
</para>
<para>
Additionally, you can consider to use the Shift_JIS series as the
Additionally, you can consider using the Shift_JIS series as the
value of the <smbconfoption name="unix charset"/>
parameter by using the vfs_cap module, which does the same thing as
setting <quote>coding system = CAP</quote> in the Samba 2.2 series.
@ -205,40 +205,40 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<para>
Where to set <smbconfoption name="unix charset"/>
to is a difficult question. Here is a list of details, advantages and
to is a difficult question. Here is a list of details, advantages, and
disadvantages of using a certain value.
</para>
<variablelist>
<varlistentry><term>Shift_JIS series</term>
<listitem><para>
Shift_JIS series means a locale which is equivalent to <constant>Shift_JIS</constant>,
Shift_JIS series means a locale that is equivalent to <constant>Shift_JIS</constant>,
used as a standard on Japanese Windows. In the case of <constant>Shift_JIS</constant>,
for example if a Japanese file name consist of 0x8ba4 and 0x974c
(a 4 bytes Japanese character string meaning <quote>share</quote>) and <quote>.txt</quote>
is written from Windows on Samba, the file name on UNIX becomes
0x8ba4, 0x974c, <quote>.txt</quote> (a 8 bytes BINARY string), same as Windows.
for example, if a Japanese filename consists of 0x8ba4 and 0x974c
(a 4-bytes Japanese character string meaning <quote>share</quote>) and <quote>.txt</quote>
is written from Windows on Samba, the filename on UNIX becomes
0x8ba4, 0x974c, <quote>.txt</quote> (an 8-byte BINARY string), same as Windows.
</para>
<para>Since Shift_JIS series is usually used on some commercial based
UNIX's; hp-ux and AIX as Japanese locale (however, it is also possible
to use the EUC-JP series), To use Shift_JIS series on these platforms,
Japanese file names created from Windows can be referred to also on
<para>Since Shift_JIS series is usually used on some commercial-based
UNIXes; hp-ux and AIX as the Japanese locale (however, it is also possible
to use the EUC-JP locale series). To use Shift_JIS series on these platforms,
Japanese filenames created from Windows can be referred to also on
UNIX.</para>
<para>
If your UNIX is already working with Shift_JIS and there is a user
who needs to use Japanese file names written from Windows, the
Shift_JIS series is the best choice. However, broken file names
may be displayed and some commands which cannot handle non-ASCII
filenames may be aborted during parsing filenames. especially there
may be <quote>\ (0x5c)</quote> in file names, which need to be handled carefully.
So you had better not touch file names written from Windows on UNIX.
who needs to use Japanese filenames written from Windows, the
Shift_JIS series is the best choice. However, broken filenames
may be displayed, and some commands that cannot handle non-ASCII
filenames may be aborted during parsing filenames. Especially, there
may be <quote>\ (0x5c)</quote> in filenames, which need to be handled carefully.
It is best to not touch filenames written from Windows on UNIX.
</para>
<para>
Note that most Japanized free software actually works with EUC-JP
only. You had better verify if the Japanized free software can work
only. It is good practice to verify that the Japanized free software can work
with Shift_JIS.
</para>
</listitem>
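Review bot: the reworded sentence opening the second paragraph ("Since Shift_JIS series is usually used on some commercial-based UNIXes; hp-ux and AIX as the Japanese locale ...") is still a fragment: the "Since ..." clause never reaches a main clause, and the semicolon separates the subject from its own examples. Suggest "The Shift_JIS series is usually used as the Japanese locale on some commercial UNIX systems such as HP-UX and AIX (although the EUC-JP series can also be used). Using the Shift_JIS series on these platforms lets Japanese filenames created from Windows be referred to on UNIX as well." While here, "hp-ux" should be spelled "HP-UX", and "aborted during parsing filenames" reads better as "aborted while parsing filenames" (the same phrase recurs in the EUC-JP and UTF-8 entries).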
@ -246,58 +246,51 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<varlistentry><term>EUC-JP series</term>
<listitem><para>
EUC-JP series means a locale which is equivalent to the industry
EUC-JP series means a locale that is equivalent to the industry
standard called EUC-JP, widely used in Japanese UNIX (although EUC
contains specifications for languages other than Japanese, such as
EUC-KR). In the case of EUC-JP series, for example if a Japanese
file name consist of 0x8ba4 and 0x974c and <quote>.txt</quote> is written from
Windows on Samba, the file name on UNIX becomes 0xb6a6, 0xcdad,
<quote>.txt</quote> (a 8 bytes BINARY string).
EUC-KR). In the case of EUC-JP series, for example, if a Japanese
filename consists of 0x8ba4 and 0x974c and <quote>.txt</quote> is written from
Windows on Samba, the filename on UNIX becomes 0xb6a6, 0xcdad,
<quote>.txt</quote> (an 8-byte BINARY string).
</para>
<para>
Since EUC-JP is usually used on Open source UNIX, Linux and FreeBSD,
and on commercial based UNIX, Solaris, IRIX and Tru64 UNIX as
Japanese locale (however, it is also possible on Solaris to use
Shift_JIS and UTF-8, on Tru64 UNIX to use Shift_JIS). To use EUC-JP
series, most Japanese file names created from Windows can be
referred to also on UNIX. Also, most Japanized free software work
mainly with EUC-JP only.
Since EUC-JP is usually used on open source UNIX, Linux, and FreeBSD, and on commercial-based UNIX, Solaris,
IRIX, and Tru64 UNIX as Japanese locale (however, it is also possible on Solaris to use Shift_JIS and UTF-8,
and on Tru64 UNIX it is possible to use Shift_JIS). To use EUC-JP series, most Japanese filenames created from
Windows can be referred to also on UNIX. Also, most Japanized free software work mainly with EUC-JP only.
</para>
<para>
It is recommended to choose EUC-JP series when using Japanese file
names on these UNIX.
It is recommended to choose EUC-JP series when using Japanese filenames on UNIX.
</para>
<para>
Although there is no character which needs to be carefully treated
like <quote>\ (0x5c)</quote>, broken file names may be displayed and some
commands which cannot handle non-ASCII filenames may be aborted
Although there is no character that needs to be carefully treated
like <quote>\ (0x5c)</quote>, broken filenames may be displayed and some
commands that cannot handle non-ASCII filenames may be aborted
during parsing filenames.
</para>
<para>
Moreover, if you built Samba using differently installed libiconv,
eucJP-ms locale included in libiconv and EUC-JP series locale
included in OS may not be compatible. In this case, you may need to
avoid using incompatible characters for file names.
the eucJP-ms locale included in libiconv and EUC-JP series locale
included in the operating system may not be compatible. In this case, you may need to
avoid using incompatible characters for filenames.
</para>
</listitem>
</varlistentry>
<varlistentry><term>UTF-8</term>
<listitem><para>
UTF-8 means a locale which is equivalent to UTF-8, the international
standard defined by Unicode consortium. In UTF-8, a <parameter>character</parameter> is
expressed using 1-3 bytes. In case of Japanese, most characters
are expressed using 3 bytes. Since on Windows Shift_JIS, where a
character is expressed with 1 or 2 bytes, is used to express
Japanese, basically a byte length of a UTF-8 string grows 1.5 times
the length of a original Shift_JIS string. In the case of UTF-8,
for example if a Japanese file name consist of 0x8ba4 and 0x974c and
<quote>.txt</quote> is written from Windows on Samba, the file name on UNIX
becomes 0xe585, 0xb1e6, 0x9c89, <quote>.txt</quote> (a 10 bytes BINARY string).
UTF-8 means a locale equivalent to UTF-8, the international standard defined by the Unicode consortium. In
UTF-8, a <parameter>character</parameter> is expressed using 1 to 3 bytes. In case of the Japanese language,
most characters are expressed using 3 bytes. Since on Windows Shift_JIS, where a character is expressed with 1
or 2 bytes is used to express Japanese, basically a byte length of a UTF-8 string the length of the UTF-8
string is 1.5 times that of the original Shift_JIS string. In the case of UTF-8, for example, if a Japanese
filename consists of 0x8ba4 and 0x974c, and <quote>.txt</quote> is written from Windows on Samba, the filename
on UNIX becomes 0xe585, 0xb1e6, 0x9c89, <quote>.txt</quote> (a 10-byte BINARY string).
</para>
<para>
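Review bot: the rewritten recommendation "It is recommended to choose EUC-JP series when using Japanese filenames on UNIX." drops the qualifier "these UNIX" and now reads as a blanket recommendation for every UNIX system, which contradicts the Shift_JIS entry above that recommends the Shift_JIS series on HP-UX and AIX; keep the scope, for example "on the UNIX systems listed above". In the same hunk the new UTF-8 paragraph carries a duplicated clause, "basically a byte length of a UTF-8 string the length of the UTF-8 string is 1.5 times that of the original Shift_JIS string"; suggest "the byte length of a UTF-8 string is roughly 1.5 times that of the original Shift_JIS string". "Since on Windows Shift_JIS, where a character is expressed with 1 or 2 bytes is used to express Japanese" also lost the closing comma after "bytes" that the old text had.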
@ -306,28 +299,29 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
</para>
<para>
There are no systems that use UTF-8 as default locale for Japanese.
There are no systems that use UTF-8 as the default locale for Japanese.
</para>
<para>
Some broken file names may be displayed and some commands which
Some broken filenames may be displayed, and some commands that
cannot handle non-ASCII filenames may be aborted during parsing
filenames. especially there may be <quote>\ (0x5c)</quote> in file names, which
need to be handled carefully. So you had better not touch file names
filenames. Especially, there may be <quote>\ (0x5c)</quote> in filenames, which
must be handled carefully, so you had better not touch filenames
written from Windows on UNIX.
</para>
<para>
In addition, although it is not directly concerned with Samba, since
there is a delicate difference between iconv() function, which is
generally used on UNIX and the functions used on other platforms,
such as Windows and Java about the conversion table between
Shift_JIS and Unicode, you should be carefully to handle UTF-8.
there is a delicate difference between the iconv() function, which is
generally used on UNIX, and the functions used on other platforms,
such as Windows and Java, so far is concerens the conversion between
Shift_JIS and Unicode UTF-8 must be done with care and recognition
of the limitations involved in the process.
</para>
<para>
Although Mac OS X uses UTF-8 as its encoding method for filenames,
it uses an extended UTF-8 specification that Samba cannot handle so
it uses an extended UTF-8 specification that Samba cannot handle, so
UTF-8 locale is not available for Mac OS X.
</para>
</listitem>
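Review bot: the rewritten iconv() paragraph is now a run-on containing a typo: "such as Windows and Java, so far is concerens the conversion between Shift_JIS and Unicode UTF-8 must be done with care". Suggest "such as Windows and Java, as far as the conversion table between Shift_JIS and Unicode is concerned, UTF-8 must be handled with care and with an understanding of the limitations involved." Separately, this hunk keeps "so you had better not touch filenames written from Windows on UNIX" while the Shift_JIS entry earlier in this change turns the same sentence into "It is best to not touch filenames ..."; the two entries should use the same wording.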
@ -335,43 +329,44 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
<varlistentry><term>Shift_JIS series + vfs_cap (CAP encoding)</term>
<listitem><para>
CAP encoding means a specification using in CAP and NetAtalk, file
CAP encoding means a specification used in CAP and NetAtalk, file
server software for Macintosh. In the case of CAP encoding, for
example if a Japanese file name consist of 0x8ba4 and 0x974c and
<quote>.txt</quote> is written from Windows on Samba, the file name on UNIX
example, if a Japanese filename consists of 0x8ba4 and 0x974c, and
<quote>.txt</quote> is written from Windows on Samba, the filename on UNIX
becomes <quote>:8b:a4:97L.txt</quote> (a 14 bytes ASCII string).
</para>
<para>
For CAP encoding a byte which cannot be expressed as an ASCII
character (0x80 or above) is encoded as <quote>:xx</quote> form. You need to take
care of containing a <quote>\(0x5c)</quote> in a filename but filenames are not
broken in a system which cannot handle non-ASCII filenames.
For CAP encoding, a byte that cannot be expressed as an ASCII
character (0x80 or above) is encoded in an <quote>:xx</quote> form. You need to take
care of containing a <quote>\(0x5c)</quote> in a filename, but filenames are not
broken in a system that cannot handle non-ASCII filenames.
</para>
<para>
The greatest merit of CAP encoding is the compatibility of encoding
filenames with CAP or NetAtalk, file server software of Macintosh.
Since they usually write a file name on UNIX with CAP encoding, if a
filenames with CAP or NetAtalk. These are respectively the Columbia Appletalk
Protocol, and the NetAtalk Open Source software project.
Since these software applications write a file name on UNIX with CAP encoding, if a
directory is shared with both Samba and NetAtalk, you need to use
CAP encoding to avoid non-ASCII filenames are broken.
CAP encoding to avoid non-ASCII filenames from being broken.
</para>
<para>
However, recently there are some systems where NetAtalk has been
patched to write filenames with EUC-JP (i.e. Japanese original Vine Linux).
Here you need to choose EUC-JP series instead of CAP encoding.
However, recently, NetAtalk has been
patched on some systems to write filenames with EUC-JP (e.g., Japanese original Vine Linux).
In this case, you need to choose EUC-JP series instead of CAP encoding.
</para>
<para>
vfs_cap itself is available for non Shift_JIS series locales for
systems which cannot handle non-ASCII characters or systems which
shares files with NetAtalk.
vfs_cap itself is available for non-Shift_JIS series locales for
systems that cannot handle non-ASCII characters or systems that
share files with NetAtalk.
</para>
<para>
To use CAP encoding on Samba-3, you should use the unix charset parameter and VFS
as follows:
as in Example 29.5.1:
</para>
<example><title>VFS CAP</title>
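Review bot: "as in Example 29.5.1:" hard-codes a generated example number into the DocBook source, and that number drifts as soon as an example is added or the chapter is renumbered; give the example element an id and refer to it with a link element using linkend, the way the "japancharsets" table is referenced later in this change. Two smaller points in the same hunk: the added expansion "Columbia Appletalk Protocol" does not match the usual expansion of the CAP name (Columbia AppleTalk Package) and should be checked, and "to avoid non-ASCII filenames from being broken" should be "to prevent non-ASCII filenames from being broken" or "to avoid breaking non-ASCII filenames".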
@ -387,7 +382,7 @@ Setting up Japanese charsets is quite difficult. This is mainly because:
</example>
<para>
You should set CP932 if using GNU libiconv for unix charset. Setting this,
You should set CP932 if using GNU libiconv for unix charset. With this setting,
filenames in the <quote>cap-share</quote> share are written with CAP encoding.
</para>
</listitem>
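Review bot: "unix charset" in "You should set CP932 if using GNU libiconv for unix charset" is left as plain text, whereas the same parameter is marked up with the smbconfoption element (name="unix charset") elsewhere in this change; use the same element here so the parameter is indexed and linked consistently. The sentence also reads better as "If you use GNU libiconv, set unix charset to CP932. With this setting, ...".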
@ -426,8 +421,8 @@ display charset = CP932
</programlisting>
<para>
Other Japanese locales (for example Shift_JIS and EUC-JP) should not
be used for the lack of the compatibility with Windows.
Other Japanese locales (for example, Shift_JIS and EUC-JP) should not
be used because of the lack of the compatibility with Windows.
</para>
</listitem>
</varlistentry>
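Review bot: "because of the lack of the compatibility with Windows" still carries a stray article; "because of the lack of compatibility with Windows", or simply "because they are not compatible with Windows", reads correctly. The identical paragraph appears again in the next hunk, so the same fix applies there.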
@ -449,8 +444,8 @@ display charset = CP932
</smbconfblock>
<para>
Other Japanese locales (for example Shift_JIS and EUC-JP) should not
be used for the lack of the compatibility with Windows.
Other Japanese locales (for example, Shift_JIS and EUC-JP) should not
be used because of the lack of the compatibility with Windows.
</para>
</listitem>
</varlistentry>
@ -462,9 +457,10 @@ display charset = CP932
<title>Migration from Samba-2.2 Series</title>
<para>
Prior to Samba-2.2 series <quote>coding system</quote> parameter is used as
<smbconfoption name="unix charset"/> parameter of the Samba-3 series.
<link linkend="japancharsets">Next table</link> shows the mapping table when migrating from the Samba-2.2 series to Samba-3.
Prior to Samba-2.2 series, the <quote>coding system</quote> parameter was used. The default codepage in Samba
2.x was code page 850. In the Samba-3 series this has been replaced with the <smbconfoption name="unix
charset"/> parameter. <link linkend="japancharsets">Japanese Character Sets in Samba-2.2 and Samba-3</link>
shows the mapping table when migrating from the Samba-2.2 series to Samba-3.
</para>
<table frame="all" id="japancharsets">
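Review bot: the attribute value in the new smbconfoption element is split across a line break (name="unix on one line, charset"/> on the next). Attribute-value normalization turns the newline into a space, so the XML still parses, but the split is fragile and it defeats grepping the source for the parameter name; keep name="unix charset" on one line. The first sentence also changes meaning: "Prior to Samba-2.2 series, the coding system parameter was used" says the parameter existed only before 2.2, while the old text and the mapping table that follows cover the 2.2 series itself; "Up to and including the Samba-2.2 series" keeps the original scope.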
@ -501,12 +497,16 @@ Prior to Samba-2.2 series <quote>coding system</quote> parameter is used as
<para><quote>Samba is complaining about a missing <filename>CP850.so</filename> file.</quote></para>
<para><emphasis>Answer:</emphasis> CP850 is the default <smbconfoption name="dos charset"/>.
The <smbconfoption name="dos charset"/> is used to convert data to the codepage used by your dos clients.
If you do not have any dos clients, you can safely ignore this message. </para>
<para>
CP850 is the default <smbconfoption name="dos charset"/>.
The <smbconfoption name="dos charset"/> is used to convert data to the codepage used by your DOS clients.
If you do not have any DOS clients, you can safely ignore this message. </para>
<para>CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed.
If you compiled Samba from source, make sure to configure found iconv.</para>
<para>
CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed.
If you compiled Samba from source, make sure that the configure process found iconv. This can be
confirmed by checking the <filename>config.log</filename> file that is generated when
<command>configure</command> is executed.</para>
</sect2>
</sect1>
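Review bot: dropping the "Answer:" emphasis label changes the question-and-answer layout of this FAQ entry; if the other entries in this section keep the label, this one becomes inconsistent, so make the same change to all of them or to none. The added sentence pointing at config.log is useful, but the file is long, so say what to look for in it (the outcome of the iconv check that configure records). There is also a stray space before the closing para tag in "ignore this message. </para>", carried over from the old text.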
@ -28,7 +28,7 @@
&author.jelmer;
&author.jht;
<pubdate>27 June 2002</pubdate>
<pubdate>June 15, 2005</pubdate>
</chapterinfo>
<title>Winbind: Use of Domain Accounts</title>
@ -52,9 +52,9 @@
<para>
<emphasis>winbind</emphasis> is a component of the Samba suite of programs that
solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to
allow Windows NT domain users to appear and operate as UNIX users on a UNIX
machine. This chapter describes the Winbind system, explaining the functionality
machine. This chapter describes the Winbind system, the functionality
it provides, how it is configured, and how it works internally.
</para>
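Review bot: "Pluggable Authentication Modules (PAMs)" introduces a plural acronym, but the rest of the chapter treats PAM as a single framework (the later section title is "Pluggable Authentication Modules" and the text speaks of "the PAM system"); suggest "Pluggable Authentication Modules (PAM)" here and "PAM provides a system ..." where a later hunk writes "PAMs provide". The same hunk lowercases "name service switch (NSS)" while the section that introduces it is titled "Name Service Switch"; pick one capitalization.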
@ -75,11 +75,11 @@
<listitem><para>
Winbind maintains a database called winbind_idmap.tdb in which it stores
mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stored the UID/GID
mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only
for users and groups that do not have a local UID/GID. It stores the UID/GID
allocated from the idmap uid/gid range that it has mapped to the NT SID.
If <parameter>idmap backend</parameter> has been specified as <constant>ldap:ldap://hostname[:389]</constant>
then instead of using a local mapping Winbind will obtain this information
If <parameter>idmap backend</parameter> has been specified as <constant>ldap:ldap://hostname[:389]</constant>,
then instead of using a local mapping, Winbind will obtain this information
from the LDAP database.
</para></listitem>
</itemizedlist>
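Review bot: "mappings between UNIX UIDs, GIDs, and NT SIDs" turns a two-sided mapping (a UID or GID on one side, a SID on the other) into a three-item list; "mappings between UNIX UIDs or GIDs and NT SIDs" keeps the meaning. "the idmap uid/gid range" refers to the idmap uid and idmap gid parameters and should use smbconfoption markup; note that "idmap backend" two lines below is wrapped in a parameter element rather than smbconfoption, so the three parameter references in this list item should be made consistent.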
@ -89,8 +89,8 @@
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
If <command>winbindd</command> is not running, smbd (which calls <command>winbindd</command>) will fall back to
using purely local information from <filename>/etc/passwd</filename> and <filename>/etc/group</filename> and no dynamic
mapping will be used. On an operating system that has beeb enabled with the name service switcher (NSS)
the resoltion of user and group information will be accomplished via NSS.
mapping will be used. On an operating system that has beeb enabled with the NSS,
the resolution of user and group information will be accomplished via NSS.
</para></note>
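Review bot: the typo "beeb" survives in the new line "On an operating system that has beeb enabled with the NSS"; it should read "been". "enabled with the NSS" is also odd phrasing: "On an operating system that uses NSS, user and group information is resolved via NSS" says the same thing more directly.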
@ -114,8 +114,8 @@
<para>One common solution in use today has been to create
identically named user accounts on both the UNIX and Windows systems
and use the Samba suite of programs to provide file and print services
between the two. This solution is far from perfect, however, as
adding and deleting users on both sets of machines becomes a chore
between the two. This solution is far from perfect, however, because
adding and deleting users on both sets of machines becomes a chore,
and two sets of passwords are required &smbmdash; both of which
can lead to synchronization problems between the UNIX and Windows
systems and confusion for users.</para>
@ -150,18 +150,18 @@
<para>Winbind unifies UNIX and Windows NT account management by
allowing a UNIX box to become a full member of an NT domain. Once
this is done the UNIX box will see NT users and groups as if
this is done, the UNIX box will see NT users and groups as if
they were <quote>native</quote> UNIX users and groups, allowing the NT domain
to be used in much the same manner that NIS+ is used within
UNIX-only environments.</para>
<para>The end result is that whenever a
program on the UNIX machine asks the operating system to lookup
program on the UNIX machine asks the operating system to look up
a user or group name, the query will be resolved by asking the
NT Domain Controller for the specified domain to do the lookup.
NT domain controller for the specified domain to do the lookup.
Because Winbind hooks into the operating system at a low level
(via the NSS name resolution modules in the C library), this
redirection to the NT Domain Controller is completely
redirection to the NT domain controller is completely
transparent.</para>
<para>Users on the UNIX machine can then use NT user and group
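Review bot: this hunk lowercases "NT Domain Controller" to "NT domain controller" in two places, but "Primary Domain Controller (PDC)" remains capitalized in unchanged context later in this chapter; settle on one convention for the chapter rather than changing only the lines touched here.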
@ -171,16 +171,16 @@
<para>The only obvious indication that Winbind is being used is
that user and group names take the form <constant>DOMAIN\user</constant> and
<constant>DOMAIN\group</constant>. This is necessary as it allows Winbind to determine
that redirection to a Domain Controller is wanted for a particular
<constant>DOMAIN\group</constant>. This is necessary because it allows Winbind to determine
that redirection to a domain controller is wanted for a particular
lookup and which trusted domain is being referenced.</para>
<para>Additionally, Winbind provides an authentication service
that hooks into the Pluggable Authentication Modules (PAM) system
that hooks into the PAM system
to provide authentication via an NT domain to any PAM-enabled
applications. This capability solves the problem of synchronizing
passwords between systems since all passwords are stored in a single
location (on the Domain Controller).</para>
passwords between systems, since all passwords are stored in a single
location (on the domain controller).</para>
<sect2>
<title>Target Uses</title>
@ -216,9 +216,9 @@
</para>
<para>
Response: <quote>Why? I've used samba with workstations that are not part of my domains
lots of times without using winbind. I though winbind was for using samba as a memberserver
in a domain controlled by another samba/windows PDC.</quote>
Response: <quote>Why? I've used Samba with workstations that are not part of my domains
lots of times without using winbind. I though winbind was for using Samba as a member server
in a domain controlled by another Samba/Windows PDC.</quote>
</para>
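Review bot: the typo "I though winbind was" survives in the new line of the quoted response and should read "I thought winbind was"; correcting spelling inside the quotation is fine, since the capitalization of "Samba" in the same quote is already being adjusted here.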
<para>
@ -229,9 +229,9 @@
</para>
<para>
Which means that that winbind is eminently useful in cases where one just has a single
Samba PDC on a local network combined of both domain member and non-domain member workstations.
If winbind is not used, the user george on an windows workstation that is not a domain
This means that winbind is eminently useful in cases where a single
Samba PDC on a local network is combined with both domain member and non-domain member workstations.
If winbind is not used, the user george on a Windows workstation that is not a domain
member will be able to access the files of a user called george in the account database
of the Samba server that is acting as a PDC. When winbind is used, the default condition
is that the local user george will be treated as the account DOMAIN\george and the
@ -248,10 +248,10 @@
<title>How Winbind Works</title>
<para>The Winbind system is designed around a client/server
architecture. A long running <command>winbindd</command> daemon
architecture. A long-running <command>winbindd</command> daemon
listens on a UNIX domain socket waiting for requests
to arrive. These requests are generated by the NSS and PAM
clients and is processed sequentially.</para>
clients and are processed sequentially.</para>
<para>The technologies used to implement Winbind are described
in detail below.</para>
@ -263,7 +263,7 @@
by various Samba Team members to decode various aspects of
the Microsoft Remote Procedure Call (MSRPC) system. This
system is used for most network-related operations between
Windows NT machines including remote management, user authentication
Windows NT machines, including remote management, user authentication,
and print spooling. Although initially this work was done
to aid the implementation of Primary Domain Controller (PDC)
functionality in Samba, it has also yielded a body of code that
@ -282,9 +282,9 @@
<para>
Since late 2001, Samba has gained the ability to
interact with Microsoft Windows 2000 using its <quote>Native
Mode</quote> protocols, rather than the NT4 RPC services.
Using LDAP and Kerberos, a Domain Member running
interact with Microsoft Windows 2000 using its <quote>native
mode</quote> protocols rather than the NT4 RPC services.
Using LDAP and Kerberos, a domain member running
Winbind can enumerate users and groups in exactly the
same way as a Windows 200x client would, and in so doing
provide a much more efficient and effective Winbind implementation.
@ -294,32 +294,32 @@
<sect2>
<title>Name Service Switch</title>
<para>The Name Service Switch, or NSS, is a feature that is
<para>The NSS is a feature that is
present in many UNIX operating systems. It allows system
information such as hostnames, mail aliases and user information
information such as hostnames, mail aliases, and user information
to be resolved from different sources. For example, a standalone
UNIX workstation may resolve system information from a series of
flat files stored on the local filesystem. A networked workstation
flat files stored on the local file system. A networked workstation
may first attempt to resolve system information from local files,
and then consult an NIS database for user information or a DNS server
for hostname information.</para>
<para>The NSS application programming interface allows Winbind
to present itself as a source of system information when
resolving UNIX usernames and groups. Winbind uses this interface,
resolving UNIX usernames and groups. Winbind uses this interface
and information obtained from a Windows NT server using MSRPC
calls to provide a new source of account enumeration. Using standard
UNIX library calls, one can enumerate the users and groups on
UNIX library calls, you can enumerate the users and groups on
a UNIX machine running Winbind and see all users and groups in
a NT domain plus any trusted domain as though they were local
an NT domain plus any trusted domain as though they were local
users and groups.</para>
<para>The primary control file for NSS is
<filename>/etc/nsswitch.conf</filename>.
When a UNIX application makes a request to do a lookup,
the C library looks in <filename>/etc/nsswitch.conf</filename>
for a line that matches the service type being requested, for
example the <quote>passwd</quote> service type is used when user or group names
for a line that matches the service type being requested; for
example, the <quote>passwd</quote> service type is used when user or group names
are looked up. This config line specifies which implementations
of that service should be tried and in what order. If the passwd
config line is:</para>
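Review bot: "The NSS is a feature that is present in many UNIX operating systems" reads awkwardly with a definite article in front of the acronym, and removing the expansion "Name Service Switch, or NSS," leaves the body text without it; "NSS is a feature present in many UNIX operating systems" (or keeping the expansion) is better. Two consistency points in the same hunk: "file system" is introduced here while the rest of the chapter spells it "filesystem", and "This config line" would read better as "This configuration line" or simply "This line".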
@ -347,22 +347,22 @@
<sect2>
<title>Pluggable Authentication Modules</title>
<para>Pluggable Authentication Modules, also known as PAM,
is a system for abstracting authentication and authorization
technologies. With a PAM module it is possible to specify different
<para>PAMs provide
a system for abstracting authentication and authorization
technologies. With a PAM module, it is possible to specify different
authentication methods for different system applications without
having to recompile these applications. PAM is also useful
for implementing a particular policy for authorization. For example,
a system administrator may only allow console logins from users
stored in the local password file but only allow users resolved from
a NIS database to log in over the network.</para>
an NIS database to log in over the network.</para>
<para>Winbind uses the authentication management and password
management PAM interface to integrate Windows NT users into a
UNIX system. This allows Windows NT users to log in to a UNIX
machine and be authenticated against a suitable Primary Domain
Controller. These users can also change their passwords and have
this change take effect directly on the Primary Domain Controller.
machine and be authenticated against a suitable PDC.
These users can also change their passwords and have
this change take effect directly on the PDC.
</para>
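Review bot: "PAMs provide a system for abstracting" pluralizes PAM, which is one framework; "PAM provides a system for abstracting authentication and authorization technologies" is the usual form. The authorization example in the same paragraph has a misplaced "only": "may only allow console logins from users stored in the local password file but only allow users resolved from an NIS database to log in over the network" should read "may allow console logins only from users stored in the local password file, and network logins only from users resolved from an NIS database".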
<para>PAM is configured by providing control files in the directory
@ -371,22 +371,22 @@
by an application, the PAM code in the C library looks up this
control file to determine what modules to load to do the
authentication check and in what order. This interface makes adding
a new authentication service for Winbind very easy. All that needs
to be done is that the <filename>pam_winbind.so</filename> module
is copied to <filename>/lib/security/</filename> and the PAM
a new authentication service for Winbind very easy: simply copy
the <filename>pam_winbind.so</filename> module
to <filename>/lib/security/</filename>, and the PAM
control files for relevant services are updated to allow
authentication via Winbind. See the PAM documentation
in <link linkend="pam">PAM-Based Distributed Authentication</link> for more information.</para>
in <link linkend="pam">PAM-Based Distributed Authentication</link>, for more information.</para>
</sect2>
<sect2>
<title>User and Group ID Allocation</title>
<para>When a user or group is created under Windows NT/200x
<para>When a user or group is created under Windows NT/200x,
it is allocated a numerical relative identifier (RID). This is
slightly different from UNIX which has a range of numbers that are
used to identify users, and the same range in which to identify
slightly different from UNIX, which has a range of numbers that are
used to identify users and the same range used to identify
groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
vice versa. When Winbind is configured, it is given part of the UNIX
user ID space and a part of the UNIX group ID space in which to
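Review bot: the rewritten installation sentence mixes an imperative with a passive clause: "simply copy the pam_winbind.so module to /lib/security/, and the PAM control files for relevant services are updated to allow authentication via Winbind". Make both halves imperative: "copy the pam_winbind.so module to /lib/security/ and update the PAM control files for the relevant services to allow authentication via Winbind." The comma added in "PAM-Based Distributed Authentication, for more information" is unnecessary and should be dropped.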
@ -397,7 +397,7 @@
to UNIX user IDs and group IDs.</para>
<para>The results of this mapping are stored persistently in
an ID mapping database held in a tdb database). This ensures that
an ID mapping database held in a tdb database. This ensures that
RIDs are mapped to UNIX IDs in a consistent way.</para>
</sect2>
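Review bot: removing the stray ")" is correct; while here, "an ID mapping database held in a tdb database" is redundant because tdb already denotes a database, so "held in a tdb file" would be clearer.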
@ -410,7 +410,7 @@
An active system can generate a lot of user and group
name lookups. To reduce the network cost of these lookups, Winbind
uses a caching scheme based on the SAM sequence number supplied
by NT Domain Controllers. User or group information returned
by NT domain controllers. User or group information returned
by a PDC is cached by Winbind along with a sequence number also
returned by the PDC. This sequence number is incremented by
Windows NT whenever any user or group information is modified. If
@ -445,7 +445,7 @@ well for Samba services.
<para>This allows the Samba administrator to rely on the
authentication mechanisms on the Windows NT/200x PDC for the authentication
of Domain Members. Windows NT/200x users no longer need to have separate
of domain members. Windows NT/200x users no longer need to have separate
accounts on the Samba server.
</para>
</listitem>
@ -477,14 +477,14 @@ contents!</emphasis> If you haven't already made a boot disk, <emphasis>MAKE ONE
<para>
Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
why you want to be able to boot back into your machine in single user mode and restore your
<filename>/etc/pam.d</filename> back to the original state they were in if you get frustrated with the
why you want to be able to boot back into your machine in single-user mode and restore your
<filename>/etc/pam.d</filename> to the original state it was in if you get frustrated with the
|
||||
way things are going.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <ulink
|
||||
url="http://samba.org/">main Samba Web page</ulink> or, better yet, your closest Samba mirror site for
|
||||
url="http://samba.org/">main Samba Web page</ulink>, or better yet, your closest Samba mirror site for
|
||||
instructions on downloading the source code.
|
||||
</para>
|
||||
|
||||
@ -492,7 +492,7 @@ instructions on downloading the source code.
|
||||
To allow domain users the ability to access Samba shares and files, as well as potentially other services
|
||||
provided by your Samba machine, PAM must be set up properly on your
|
||||
machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
|
||||
on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
|
||||
on your system. Please refer the PAM Web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/"/>.
|
||||
</para>
|
||||
</sect2>
|
||||
|
||||
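Review bot: the "Please refer the PAM Web site" line still drops the preposition after the capitalization fix; it should read "Please refer to the PAM Web site".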
@ -503,8 +503,8 @@ on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/
|
||||
Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
|
||||
Kill off all &smbd;, &nmbd;, and &winbindd; processes that may be running. To use PAM,
|
||||
make sure that you have the standard PAM package that supplies the <filename>/etc/pam.d</filename>
|
||||
directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries,
|
||||
and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built
|
||||
directory structure, including the PAM modules that are used by PAM-aware services, several PAM libraries,
|
||||
and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for PAM. Winbind is built
|
||||
better in Samba if the pam-devel package is also installed. This package includes the header files
|
||||
needed to compile PAM-aware applications.
|
||||
</para>
|
||||
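Review bot: "Winbind is built better in Samba if the pam-devel package is also installed" is still vague about what actually changes; the following sentence says pam-devel supplies the headers for PAM-aware code, so say that directly, for example "The Winbind PAM module can only be built when the pam-devel package is installed, because it supplies the header files needed to compile PAM-aware applications." The "/usr/doc" and "/usr/man" locations are also distribution-specific and should not be presented as part of "the standard PAM package".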
@ -516,7 +516,7 @@ needed to compile PAM-aware applications.
|
||||
PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
|
||||
the <filename>pam-devel</filename> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
|
||||
may auto-install the Winbind files into their correct locations on your system, so before you get too far down
|
||||
the track be sure to check if the following configuration is really
|
||||
the track, be sure to check if the following configuration is really
|
||||
necessary. You may only need to configure
|
||||
<filename>/etc/nsswitch.conf</filename>.
|
||||
</para>
|
||||
@ -533,7 +533,7 @@ The libraries needed to run the &winbindd; daemon through nsswitch need to be co
|
||||
|
||||
<para>
|
||||
I also found it necessary to make the following symbolic link:
|
||||
ZZ</para>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
|
||||
@ -547,9 +547,9 @@ ZZ</para>
|
||||
</screen>
|
||||
|
||||
<para>
|
||||
Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to
|
||||
Now, as root, you need to edit <filename>/etc/nsswitch.conf</filename> to
|
||||
allow user and group entries to be visible from the &winbindd;
|
||||
daemon. My <filename>/etc/nsswitch.conf</filename> file look like
|
||||
daemon. My <filename>/etc/nsswitch.conf</filename> file looked like
|
||||
this after editing:
|
||||
</para>
|
||||
|
||||
@ -585,27 +585,20 @@ and echos back a check to you.
|
||||
The Winbind AIX identification module gets built as <filename>libnss_winbind.so</filename> in the
|
||||
nsswitch directory of the Samba source. This file can be copied to <filename>/usr/lib/security</filename>,
|
||||
and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
|
||||
</para>
|
||||
|
||||
<para><programlisting>
|
||||
<programlisting>
|
||||
WINBIND:
|
||||
program = /usr/lib/security/WINBIND
|
||||
options = authonly
|
||||
</programlisting></para>
|
||||
|
||||
<para>
|
||||
</programlisting>
|
||||
can then be added to <filename>/usr/lib/security/methods.cfg</filename>. This module only supports
|
||||
identification, but there have been success reports using the standard Winbind PAM module for
|
||||
authentication. Use caution configuring loadable authentication
|
||||
modules since you can make
|
||||
it impossible to logon to the system. More information about the AIX authentication module API can
|
||||
be found at <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote><ulink
|
||||
url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
|
||||
in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming
|
||||
Interface</ulink> and more information on administering the modules
|
||||
can be found at <ulink
|
||||
url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm"> <quote>System
|
||||
Management Guide: Operating System and Devices.</quote></ulink>
|
||||
identification, but there have been reports of success using the standard Winbind PAM module for
|
||||
authentication. Use caution configuring loadable authentication modules, since misconfiguration can make
|
||||
it impossible to log on to the system. Information regarding the AIX authentication module API can
|
||||
be found in the <quote>Kernel Extensions and Device Support Programming Concepts for AIX</quote> document that
|
||||
describes the <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
|
||||
Loadable Authentication Module Programming Interface</ulink> for AIX. Further information on administering the modules
|
||||
can be found in the <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm">System
|
||||
Management Guide: Operating System and Devices.</ulink>
|
||||
</para>
|
||||
</sect3>
|
||||
|
||||
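Review bot: moving the methods.cfg stanza inside the paragraph only works if the "</para>" after "A stanza like the following:" is removed as well; otherwise "can then be added to ..." sits outside any "<para>" and the closing "</para>" before "</sect3>" has no opener. The rendered hunk does not show that removal, so please confirm it. Separately, "options = authonly" in the stanza reads as "authentication only", which contradicts the sentence "This module only supports identification"; one of the two should be corrected or the option explained.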
@ -616,12 +609,12 @@ Management Guide: Operating System and Devices.</quote></ulink>
|
||||
Several parameters are needed in the &smb.conf; file to control the behavior of &winbindd;. These
|
||||
are described in more detail in the <citerefentry><refentrytitle>winbindd</refentrytitle>
|
||||
<manvolnum>8</manvolnum></citerefentry> man page. My &smb.conf; file, as shown in <link
|
||||
linkend="winbindcfg">the next example</link>, was modified to include the necessary entries in the [global] section.
|
||||
linkend="winbindcfg">Example 23.5.1</link>, was modified to include the necessary entries in the [global] section.
|
||||
</para>
|
||||
|
||||
<example id="winbindcfg" fragment="1">
|
||||
<title>smb.conf for Winbind set-up</title>
|
||||
<smbconfblock>
|
||||
<example id="winbindcfg">
|
||||
<title>smb.conf for Winbind Setup</title>
|
||||
<smbconfblock>
|
||||
<smbconfsection name="[global]"/>
|
||||
<smbconfcomment> separate domain and username with '\', like DOMAIN\username</smbconfcomment>
|
||||
<smbconfoption name="winbind separator">\</smbconfoption>
|
||||
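Review bot: the new link text "Example 23.5.1" hard-codes a number that will drift the next time an example or section is added; use "<xref linkend="winbindcfg"/>" so the number is generated, or keep the descriptive "the next example". The "fragment="1"" attribute is also dropped from the "<example>" element; confirm that the documentation stylesheets do not depend on it.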
@ -653,7 +646,7 @@ the domain. This applies also to the PDC and all BDCs.
|
||||
The process of joining a domain requires the use of the <command>net rpc join</command>
|
||||
command. This process communicates with the domain controller it will register with
|
||||
(usually the PDC) via MS DCE RPC. This means, of course, that the <command>smbd</command>
|
||||
process must be running on the target DC. This means that it is necessary to temporarily
|
||||
process must be running on the target domain controller. It is therefore necessary to temporarily
|
||||
start Samba on a PDC so that it can join its own domain.
|
||||
</para>
|
||||
|
||||
@ -665,9 +658,9 @@ a domain user who has administrative privileges in the domain.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
Before attempting to join a machine to the domain verify that Samba is running
|
||||
on the target DC (usually PDC) and that it is capable of being reached via ports
|
||||
137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx.
|
||||
Before attempting to join a machine to the domain, verify that Samba is running
|
||||
on the target domain controller (usually PDC) and that it is capable of being reached via ports
|
||||
137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx).
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
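Review bot: the port list "137/udp, 135/tcp, 139/tcp, and 445/tcp (if Samba or Windows Server 2Kx)" is still ambiguous after the parenthesis is closed, because it does not say which ports apply to which kind of domain controller; list the ports separately for a Samba DC and for a Windows 2000/2003 DC so that firewall rules can be checked before the join is attempted.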
@ -675,9 +668,9 @@ on the target DC (usually PDC) and that it is capable of being reached via ports
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The proper response to the command should be: <quote>Joined the domain
|
||||
The proper response to the command should be <quote>Joined the domain
|
||||
<replaceable>DOMAIN</replaceable></quote> where <replaceable>DOMAIN</replaceable>
|
||||
is your DOMAIN name.
|
||||
is your domain name.
|
||||
</para>
|
||||
|
||||
</sect3>
|
||||
@ -698,7 +691,7 @@ command as root:
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
The above assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
|
||||
The command to start up Winbind services assumes that Samba has been installed in the <filename>/usr/local/samba</filename>
|
||||
directory tree. You may need to search for the location of Samba files if this is not the
|
||||
location of <command>winbindd</command> on your system.
|
||||
</para></note>
|
||||
@ -707,9 +700,9 @@ location of <command>winbindd</command> on your system.
|
||||
Winbindd can now also run in <quote>dual daemon mode</quote>. This will make it
|
||||
run as two processes. The first will answer all requests from the cache,
|
||||
thus making responses to clients faster. The other will
|
||||
update the cache for the query that the first has just responded.
|
||||
update the cache for the query to which the first has just responded.
|
||||
The advantage of this is that responses stay accurate and are faster.
|
||||
You can enable dual daemon mode by adding <option>-B</option> to the command-line:
|
||||
You can enable dual daemon mode by adding <option>-B</option> to the command line:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -724,8 +717,8 @@ I'm always paranoid and like to make sure the daemon is really running.
|
||||
&rootprompt;<userinput>ps -ae | grep winbindd</userinput>
|
||||
</para>
|
||||
<para>
|
||||
This command should produce output like this, if the daemon is running you would expect
|
||||
to see a report something like this:
|
||||
This command should produce output like the following if the daemon is running.
|
||||
|
||||
</para>
|
||||
<screen>
|
||||
3025 ? 00:00:00 winbindd
|
||||
@ -786,7 +779,7 @@ lists of both local and PDC users and groups. Try the following command:
|
||||
<para>
|
||||
You should get a list that looks like your <filename>/etc/passwd</filename>
|
||||
list followed by the domain users with their new UIDs, GIDs, home
|
||||
directories and default shells.
|
||||
directories, and default shells.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -809,7 +802,7 @@ The same thing can be done for groups with the command:
|
||||
<para>
|
||||
The &winbindd; daemon needs to start up after the &smbd; and &nmbd; daemons are running.
|
||||
To accomplish this task, you need to modify the startup scripts of your system.
|
||||
They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and they are located in
|
||||
They are located at <filename>/etc/init.d/smb</filename> in Red Hat Linux and in
|
||||
<filename>/etc/init.d/samba</filename> in Debian Linux. Edit your
|
||||
script to add commands to invoke this daemon in the proper sequence. My
|
||||
startup script starts up &smbd;, &nmbd;, and &winbindd; from the
|
||||
@ -841,7 +834,7 @@ start() {
|
||||
</programlisting></para>
|
||||
|
||||
<para>If you would like to run winbindd in dual daemon mode, replace
|
||||
the line :
|
||||
the line:
|
||||
<programlisting>
|
||||
daemon /usr/local/samba/sbin/winbindd
|
||||
</programlisting>
|
||||
@ -886,7 +879,8 @@ stop() {
|
||||
<title>Solaris</title>
|
||||
|
||||
<para>
|
||||
Winbind does not work on Solaris 9, see <link linkend="winbind-solaris9">Winbind on Solaris 9</link> section for details.
|
||||
Winbind does not work on Solaris 9; see <link linkend="winbind-solaris9">Winbind on Solaris 9 section</link>
|
||||
for details.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -962,7 +956,7 @@ in the script above with:
|
||||
<title>Restarting</title>
|
||||
<para>
|
||||
If you restart the &smbd;, &nmbd;, and &winbindd; daemons at this point, you
|
||||
should be able to connect to the Samba server as a Domain Member just as
|
||||
should be able to connect to the Samba server as a domain member just as
|
||||
if you were a local user.
|
||||
</para>
|
||||
</sect4>
|
||||
@ -1002,7 +996,7 @@ modules reside in <filename>/usr/lib/security</filename>.
|
||||
</para>
|
||||
|
||||
<sect4>
|
||||
<title>Linux/FreeBSD-specific PAM configuration</title>
|
||||
<title>Linux/FreeBSD-Specific PAM Configuration</title>
|
||||
|
||||
<para>
|
||||
The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
|
||||
@ -1029,7 +1023,7 @@ and <filename>/etc/xinetd.d/wu-ftp</filename> from
|
||||
<para><programlisting>
|
||||
enable = no
|
||||
</programlisting>
|
||||
to:
|
||||
to
|
||||
<programlisting>
|
||||
enable = yes
|
||||
</programlisting></para>
|
||||
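Review bot: switching telnet and wu-ftp from "enable = no" to "enable = yes" so that domain users can log in should carry a caveat that both protocols send the domain password in cleartext over the network; as written the section reads as a recommendation without one. At minimum say that these services were enabled here only to exercise the PAM configuration.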
@ -1037,7 +1031,7 @@ to:
|
||||
<para>
|
||||
For ftp services to work properly, you will also need to either
|
||||
have individual directories for the domain users already present on
|
||||
the server, or change the home directory template to a general
|
||||
the server or change the home directory template to a general
|
||||
directory for all domain users. These can be easily set using
|
||||
the &smb.conf; global entry
|
||||
<smbconfoption name="template homedir"/>.
|
||||
@ -1055,9 +1049,7 @@ The <filename>/etc/pam.d/ftp</filename> file can be changed
|
||||
to allow Winbind ftp access in a manner similar to the
|
||||
samba file. My <filename>/etc/pam.d/ftp</filename> file was
|
||||
changed to look like this:
|
||||
</para>
|
||||
|
||||
<para><programlisting>
|
||||
<programlisting>
|
||||
auth required /lib/security/pam_listfile.so item=user sense=deny \
|
||||
file=/etc/ftpusers onerr=succeed
|
||||
auth sufficient /lib/security/pam_winbind.so
|
||||
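Review bot: "onerr=succeed" on the "pam_listfile.so" line makes the /etc/ftpusers deny list fail open if the file is missing or unreadable, so the accounts it is meant to block are only blocked while the file can be read; "onerr=fail" is the safer setting for a deny list, and the text should say why the line is there either way.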
@ -1069,11 +1061,9 @@ session required /lib/security/pam_stack.so service=system-auth
|
||||
</programlisting></para>
|
||||
|
||||
<para>
|
||||
The <filename>/etc/pam.d/login</filename> file can be changed nearly the
|
||||
The <filename>/etc/pam.d/login</filename> file can be changed in nearly the
|
||||
same way. It now looks like this:
|
||||
</para>
|
||||
|
||||
<para><programlisting>
|
||||
<programlisting>
|
||||
auth required /lib/security/pam_securetty.so
|
||||
auth sufficient /lib/security/pam_winbind.so
|
||||
auth sufficient /lib/security/pam_unix.so use_first_pass
|
||||
@ -1089,7 +1079,7 @@ session optional /lib/security/pam_console.so
|
||||
<para>
|
||||
In this case, I added the <programlisting>auth sufficient /lib/security/pam_winbind.so</programlisting>
|
||||
lines as before, but also added the <programlisting>required pam_securetty.so</programlisting>
|
||||
above it, to disallow root logins over the network. I also added a
|
||||
above it to disallow root logins over the network. I also added a
|
||||
<programlisting>sufficient /lib/security/pam_unix.so use_first_pass</programlisting>
|
||||
line after the <command>winbind.so</command> line to get rid of annoying
|
||||
double prompts for passwords.
|
||||
@ -1098,11 +1088,11 @@ double prompts for passwords.
|
||||
</sect4>
|
||||
|
||||
<sect4>
|
||||
<title>Solaris-specific configuration</title>
|
||||
<title>Solaris-Specific Configuration</title>
|
||||
|
||||
<para>
|
||||
The <filename>/etc/pam.conf</filename> needs to be changed. I changed this file so my Domain
|
||||
users can logon both locally as well as telnet. The following are the changes
|
||||
users can log on both locally as well as with telnet. The following are the changes
|
||||
that I made. You can customize the <filename>pam.conf</filename> file as per your requirements, but
|
||||
be sure of those changes because in the worst case it will leave your system
|
||||
nearly impossible to boot.
|
||||
@ -1191,9 +1181,9 @@ configured in the pam.conf.
|
||||
<sect1>
|
||||
<title>Conclusion</title>
|
||||
|
||||
<para>The Winbind system, through the use of the Name Service
|
||||
Switch, Pluggable Authentication Modules, and appropriate
|
||||
Microsoft RPC calls have allowed us to provide seamless
|
||||
<para>The Winbind system, through the use of the NSS,
|
||||
PAMs, and appropriate
|
||||
Microsoft RPC calls, have allowed us to provide seamless
|
||||
integration of Microsoft Windows NT domain users on a
|
||||
UNIX system. The result is a great reduction in the administrative
|
||||
cost of running a mixed UNIX and NT network.</para>
|
||||
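Review bot: "The Winbind system ... have allowed us" still has a subject-verb mismatch (the subject is "system"); it should be "has allowed". Replacing the spelled-out names with "NSS, PAMs" also loses the expansion, and "PAMs" is an odd plural; "NSS, PAM, and appropriate Microsoft RPC calls" reads better.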
@ -1212,20 +1202,20 @@ cost of running a mixed UNIX and NT network.</para>
|
||||
the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating
|
||||
systems are certainly possible. For such ports to be feasible,
|
||||
we require the C library of the target operating system to
|
||||
support the Name Service Switch and Pluggable Authentication
|
||||
Modules systems. This is becoming more common as NSS and
|
||||
support the NSS and PAM
|
||||
systems. This is becoming more common as NSS and
|
||||
PAM gain support among UNIX vendors.</para></listitem>
|
||||
|
||||
<listitem><para>The mappings of Windows NT RIDs to UNIX IDs
|
||||
is not made algorithmically and depends on the order in which
|
||||
unmapped users or groups are seen by Winbind. It may be difficult
|
||||
to recover the mappings of RID to UNIX ID mapping if the file
|
||||
to recover the mappings of RID to UNIX ID if the file
|
||||
containing this information is corrupted or destroyed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem><para>Currently the Winbind PAM module does not take
|
||||
into account possible workstation and logon time restrictions
|
||||
that may be set for Windows NT users, this is
|
||||
that may be set for Windows NT users; this is
|
||||
instead up to the PDC to enforce.</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
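Review bot: "The mappings of Windows NT RIDs to UNIX IDs is not made algorithmically" still has a number mismatch; it should be "are not made". Since the item warns that the mapping is hard to recover, it should also name the file that holds it and recommend backing it up, rather than referring to "the file containing this information".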
@ -1241,7 +1231,7 @@ cost of running a mixed UNIX and NT network.</para>
|
||||
|
||||
<para>
|
||||
If <command>nscd</command> is running on the UNIX/Linux system, then
|
||||
even though NSSWITCH is correctly configured it will not be possible to resolve
|
||||
even though NSSWITCH is correctly configured, it will not be possible to resolve
|
||||
domain users and groups for file and directory controls.
|
||||
</para>
|
||||
|
||||
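Review bot: "even though NSSWITCH is correctly configured" should name the actual file, "/etc/nsswitch.conf", as the rest of the chapter does; the comma fix does not address that.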
@ -1254,7 +1244,7 @@ cost of running a mixed UNIX and NT network.</para>
|
||||
My &smb.conf; file is correctly configured. I have specified
|
||||
<smbconfoption name="idmap uid">12000</smbconfoption>,
|
||||
and <smbconfoption name="idmap gid">3000-3500</smbconfoption>
|
||||
and <command>winbind</command> is running. When I do the following it all works fine.
|
||||
and <command>winbind</command> is running. When I do the following, it all works fine.
|
||||
</quote></para>
|
||||
|
||||
<para><screen>
|
||||
|
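Review bot: in the quoted report, "idmap uid" is set to the single value "12000" while "idmap gid" is the range "3000-3500"; if this is the user's verbatim configuration it should stay as they wrote it, but if it is the chapter's own example it looks like a truncated range and should be checked.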
@ -11,9 +11,9 @@
|
||||
<title>Features and Benefits</title>
|
||||
|
||||
<para>
|
||||
Occasionally network administrators will report difficulty getting Microsoft Windows clients to interoperate
|
||||
correctly with Samba servers. It would appear that some folks just can not accept the fact that the right way
|
||||
to configure MS Windows network client is precisely as one would do when using Microsoft Windows NT4 or 200x
|
||||
Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate
|
||||
correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way
|
||||
to configure MS Windows network client is precisely as one would do when using MS Windows NT4 or 200x
|
||||
servers. Yet there is repetitious need to provide detailed Windows client configuration instructions.
|
||||
</para>
|
||||
|
||||
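Review bot: "the right way to configure MS Windows network client" still lacks an article ("an MS Windows network client"), and "there is repetitious need" reads better as "there is a recurring need".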
@ -35,13 +35,13 @@ that are in common use today. These are:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
Microsoft Windows XP Professional.
|
||||
Microsoft Windows XP Professional
|
||||
</para></listitem>
|
||||
<listitem><para>
|
||||
Windows 2000 Professional.
|
||||
Windows 2000 Professional
|
||||
</para></listitem>
|
||||
<listitem><para>
|
||||
Windows Millennium edition (Me).
|
||||
Windows Millennium edition (Me)
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -50,12 +50,12 @@ that are in common use today. These are:
|
||||
|
||||
<para>
|
||||
The builder of a house must ensure that all construction takes place on a firm foundation.
|
||||
The same is true of TCP/IP-based networking. Fundamental network configuration problems
|
||||
The same is true for the builder of a TCP/IP-based networking system. Fundamental network configuration problems
|
||||
will plague all network users until they are resolved.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Microsoft Windows workstations and servers can be configured either with fixed
|
||||
MS Windows workstations and servers can be configured either with fixed
|
||||
IP addresses or via DHCP. The examples that follow demonstrate the use of DHCP
|
||||
and make only passing reference to those situations where fixed IP configuration
|
||||
settings can be effected.
|
||||
@ -75,12 +75,12 @@ that are in common use today. These are:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>
|
||||
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Alternately,</emphasis> click <guimenu>Start -></guimenu>, and right click <guimenu>My Network Places</guimenu>
|
||||
then select <guimenuitem>Properties</guimenuitem>
|
||||
<emphasis>Alternately,</emphasis> click <guimenu>Start -></guimenu>, and right-click <guimenu>My Network Places</guimenu>
|
||||
then select <guimenuitem>Properties</guimenuitem>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
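Review bot: this hunk keeps "Alternately," while the matching Windows 2000 and Windows Me hunks change it to "Alternatively,"; pick one form across the three procedures. The sentence also needs a comma before "then select Properties."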
@ -91,7 +91,7 @@ that are in common use today. These are:
|
||||
<step><para>
|
||||
On some installations the interface will be called <guimenu>Local Area Connection</guimenu> and
|
||||
on others it will be called <guimenu>Network Bridge</guimenu>. On our system it is called <guimenu>Network Bridge</guimenu>.
|
||||
Right click on <guimenu>Network Bridge -> Properties</guimenu>. See <link linkend="WXPP002"/>.
|
||||
Right-click on <guimenu>Network Bridge -> Properties</guimenu>. See <link linkend="WXPP002"/>.
|
||||
<figure id="WXPP002"><title>Network Bridge Configuration.</title><imagefile>WXPP002</imagefile></figure>
|
||||
</para>
|
||||
</step>
|
||||
@ -99,11 +99,11 @@ that are in common use today. These are:
|
||||
<step><para>
|
||||
The Network Bridge Configuration, or Local Area Connection, panel is used to set TCP/IP protocol settings.
|
||||
In <guimenuitem>This connection uses the following items:</guimenuitem> box,
|
||||
click on <guimenu>Internet Protocol (TCP/IP)</guimenu>, then click the on <guibutton>Properties</guibutton>.
|
||||
click on <guimenu>Internet Protocol (TCP/IP)</guimenu>, then click on <guibutton>Properties</guibutton>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The default setting is DHCP enabled operation.
|
||||
The default setting is DHCP-enabled operation
|
||||
(i.e., <quote>Obtain an IP address automatically</quote>). See <link linkend="WXPP003"/>.
|
||||
<figure id="WXPP003">
|
||||
<title>Internet Protocol (TCP/IP) Properties.</title>
|
||||
@ -114,18 +114,19 @@ that are in common use today. These are:
|
||||
<para>
|
||||
Many network administrators will want to use DHCP to configure all client TCP/IP
|
||||
protocol stack settings. (For information on how to configure the ISC DHCP server
|
||||
for Microsoft Windows client support see, <link linkend="DHCP"></link>.
|
||||
for Windows client support see <link linkend="DHCP">the DNS and DHCP Configuration Guide</link>,
|
||||
<link linkend="DHCP">DHCP Server</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and proceed to enter the
|
||||
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and enter the
|
||||
IP Address, the subnet mask, and the default gateway address in the boxes provided.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Click the <guibutton>Advanced</guibutton> button to proceed with TCP/IP configuration.
|
||||
This opens a panel in which it is possible to create additional IP Addresses for this interface.
|
||||
The technical name for the additional addresses is <emphasis>IP Aliases</emphasis>, and additionally this
|
||||
This opens a panel in which it is possible to create additional IP addresses for this interface.
|
||||
The technical name for the additional addresses is <emphasis>IP aliases</emphasis>, and additionally this
|
||||
panel permits the setting of more default gateways (routers). In most cases where DHCP is used, it will not be
|
||||
necessary to create additional settings. See <link linkend="WXPP005"></link> to see the appearance of this panel.
|
||||
<figure id="WXPP005"><title>Advanced Network Settings</title><imagefile>WXPP005</imagefile></figure>
|
||||
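Review bot: the new sentence "(For information on how to configure the ISC DHCP server ... DHCP Server." still never closes its parenthesis, and it now carries two "<link linkend="DHCP">" elements with different text pointing at the same target; one link is enough, with the closing parenthesis after it.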
@ -145,7 +146,7 @@ that are in common use today. These are:
|
||||
<step><para>
|
||||
Click the <guibutton>WINS</guibutton> tab to add manual WINS server entries.
|
||||
This step demonstrates an example system that uses manually configured WINS settings.
|
||||
When finished making, changes click the <guibutton>OK</guibutton> to commit
|
||||
When finished making changes, click <guibutton>OK</guibutton> to commit
|
||||
the settings. See <link linkend="WXPP009"></link>.
|
||||
<figure id="WXPP009"><title>WINS Configuration</title><imagefile>WXPP009</imagefile></figure>
|
||||
</para></step>
|
||||
@ -161,11 +162,11 @@ that are in common use today. These are:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Click <guimenu>Start -> Control Panel -> Network and Dial-up Connections</guimenu>
|
||||
Click <guimenu>Start -> Control Panel -> Network and Dial-up Connections</guimenu>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Alternately,</emphasis> click on <guimenu>Start</guimenu>, then right click <guimenu>My Network Places</guimenu> and
|
||||
<emphasis>Alternatively,</emphasis> click <guimenu>Start</guimenu>, then right-click <guimenu>My Network Places</guimenu>, and
|
||||
select <guimenuitem>Properties</guimenuitem>.
|
||||
</para>
|
||||
|
||||
@ -175,7 +176,7 @@ that are in common use today. These are:
|
||||
|
||||
<procedure>
|
||||
<step><para>
|
||||
Right click on <guimenu>Local Area Connection</guimenu>, now click the
|
||||
Right-click on <guimenu>Local Area Connection</guimenu>, then click
|
||||
<guimenuitem>Properties</guimenuitem>. See <link linkend="w2kp001"></link>.
|
||||
<figure id="w2kp001"><title>Local Area Connection Properties.</title><imagefile>w2kp001</imagefile></figure>
|
||||
</para></step>
|
||||
@ -186,7 +187,7 @@ that are in common use today. These are:
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
The default setting is DHCP enabled operation.
|
||||
The default setting is DHCP-enabled operation
|
||||
(i.e., <quote>Obtain an IP address automatically</quote>). See <link linkend="w2kp002"/>.
|
||||
<figure id="w2kp002"><title>Internet Protocol (TCP/IP) Properties.</title><imagefile>w2kp002</imagefile></figure>
|
||||
</para>
|
||||
@ -194,11 +195,11 @@ that are in common use today. These are:
|
||||
<para>
|
||||
Many network administrators will want to use DHCP to configure all client TCP/IP
|
||||
protocol stack settings. (For information on how to configure the ISC DHCP server
|
||||
for Microsoft Windows client support, see <link linkend="DHCP"></link>.
|
||||
for Windows client support, see, <link linkend="DHCP"></link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and proceed to enter the
|
||||
If it is necessary to provide a fixed IP address, click on <quote>Use the following IP address</quote> and enter the
|
||||
IP Address, the subnet mask, and the default gateway address in the boxes provided.
|
||||
For this example we are assuming that all network clients will be configured using DHCP.
|
||||
</para></step>
|
||||
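Review bot: the Windows 2000 version of the DHCP cross-reference goes the other way from the XP hunk: it keeps the empty "<link linkend="DHCP"></link>" and adds a stray comma after "see", and the parenthesis is still unclosed here too. Make the three procedures use the same wording.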
@ -216,16 +217,18 @@ that are in common use today. These are:
|
||||
<step><para>
|
||||
Click the <guimenu>DNS</guimenu> tab to add DNS server settings.
|
||||
The example system uses manually configured DNS settings. When finished making changes,
|
||||
click on <guibutton>OK</guibutton> to commit the settings. See <link linkend="w2kp004"></link>.
|
||||
click <guibutton>OK</guibutton> to commit the settings. See <link linkend="w2kp004"></link>.
|
||||
<figure id="w2kp004"><title>DNS Configuration.</title><imagefile>w2kp004</imagefile></figure>
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Click the <guibutton>WINS</guibutton> tab to add manual WINS server entries.
|
||||
This step demonstrates an example system that uses manually configured WINS settings.
|
||||
When finished making changes, click on <guibutton>OK</guibutton> to commit the settings.
|
||||
See <link linkend="w2kp005"/>.
|
||||
<figure id="w2kp005"><title>WINS Configuration.</title><imagefile>w2kp005</imagefile></figure>
|
||||
When finished making changes, click <guibutton>OK</guibutton> to commit the settings.
|
||||
See <link linkend="w2kp005"></link>.
|
||||
<figure id="w2kp005">
|
||||
<title>WINS Configuration.</title><imagefile>w2kp005</imagefile>
|
||||
</figure>
|
||||
</para></step>
|
||||
|
||||
</procedure>
|
||||
@ -240,11 +243,11 @@ that are in common use today. These are:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>
|
||||
Click <guimenu>Start -> Control Panel -> Network Connections</guimenu>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Alternately,</emphasis> click on <guimenu>Start -></guimenu>, and right click on <guimenu>My Network Places</guimenu>
|
||||
<emphasis>Alternatively,</emphasis> click on <guimenu>Start -></guimenu>, and right click on <guimenu>My Network Places</guimenu>
|
||||
then select <guimenuitem>Properties</guimenuitem>.
|
||||
</para>
|
||||
|
||||
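Review bot: "right click on My Network Places" is left unhyphenated here while the other hunks in this file change it to "right-click"; apply the same fix.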
@ -255,21 +258,25 @@ that are in common use today. These are:
<procedure>
<step><para>
In the box labeled <guimenuitem>The following network components are installed:</guimenuitem>,
click on <guimenu>Internet Protocol TCP/IP</guimenu>, now click on the <guibutton>Properties</guibutton> button. See <link linkend="WME001"/>.
<figure id="WME001"><title>The Windows Me Network Configuration Panel.</title><imagefile>WME001</imagefile></figure>
click on <guimenu>Internet Protocol TCP/IP</guimenu>, then click on the <guibutton>Properties</guibutton> button.
See <link linkend="WME001"></link>.
<figure id="WME001">
<title>The Windows Me Network Configuration Panel.</title>
<imagefile>WME001</imagefile>
</figure>
</para></step>

<step><para>
Many network administrators will want to use DHCP to configure all client TCP/IP
protocol stack settings. (For information on how to configure the ISC DHCP server
for Microsoft Windows client support see, <link linkend="DHCP"/>.
The default setting on Microsoft Windows Me workstations is for DHCP enabled operation,
i.e., <guimenu>Obtain IP address automatically</guimenu> is enabled. See <link linkend="WME002"/>.
for Windows client support see <link linkend="DHCP">the DNS and DHCP Configuration Guide</link>,
<link linkend="DHCP">DHCP Server</link>. The default setting on Windows Me workstations is for DHCP-enabled operation
(i.e., <guimenu>Obtain IP address automatically</guimenu> is enabled). See <link linkend="WME002"></link>.
<figure id="WME002"><title>IP Address.</title><imagefile>WME002</imagefile></figure>
</para>

<para>
If it is necessary to provide a fixed IP address, click on <guimenuitem>Specify an IP address</guimenuitem> and proceed to enter the
If it is necessary to provide a fixed IP address, click on <guimenuitem>Specify an IP address</guimenuitem> and enter the
IP Address and the subnet mask in the boxes provided. For this example we are assuming that all network clients will be configured using DHCP.
</para></step>

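Review bot: the DHCP sentence is still broken after the edit: the parenthesis opened in the unchanged line `protocol stack settings. (For information on how to configure the ISC DHCP server` is never closed, and the new text links to the same target twice in a row (`<link linkend="DHCP">the DNS and DHCP Configuration Guide</link>, <link linkend="DHCP">DHCP Server</link>`). Close the parenthesis after the reference and keep a single link, e.g. `(For information on how to configure the ISC DHCP server for Windows client support, see <link linkend="DHCP">DHCP Server</link>.)`.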
@ -286,8 +293,8 @@ that are in common use today. These are:
</para></step>

<step><para>
The following example uses manually configured WINS settings. See <link linkend="WME005"/>.
When finished making changes, click on <guibutton>OK</guibutton> to commit the settings.
The following example uses manually configured WINS settings. See <link linkend="WME005"></link>.
When finished making changes, click <guibutton>OK</guibutton> to commit the settings.
<figure id="WME005"><title>DNS Configuration.</title><imagefile>WME005</imagefile></figure>
</para>

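Review bot: the step text says it shows `manually configured WINS settings`, but the figure it points to is titled `DNS Configuration.` (`<figure id="WME005">`). One of the two is wrong; either retitle the figure or point the step at the WINS figure. Separately, rewriting `<link linkend="WME005"/>` as `<link linkend="WME005"></link>` is a no-op in XML and only adds churn to the diff.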
@ -308,9 +315,9 @@ that are in common use today. These are:
<title>Joining a Domain: Windows 2000/XP Professional</title>

<para>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
Microsoft Windows NT/200x/XP Professional platforms can participate in domain security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
member of a domain security environment. It should be noted that this process is identical
when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
</para>

@ -320,7 +327,7 @@ that are in common use today. These are:
</para></step>

<step><para>
Right click <guimenu>My Computer</guimenu>, then select <guimenuitem>Properties</guimenuitem>.
Right-click <guimenu>My Computer</guimenu>, then select <guimenuitem>Properties</guimenuitem>.
</para></step>

<step><para>
@ -337,7 +344,7 @@ that are in common use today. These are:

<para>
Clicking the <guimenu>Network ID</guimenu> button will launch the configuration wizard. Do not use this with
Samba-3. If you wish to change the computer name, join or leave the domain, click the <guimenu>Change</guimenu> button.
Samba-3. If you wish to change the computer name or join or leave the domain, click the <guimenu>Change</guimenu> button.
See <link linkend="wxpp004"></link>.
<figure id="wxpp004"><title>The Computer Name Panel.</title><imagefile>wxpp004</imagefile></figure>
</para></step>
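Review bot: `Do not use this with Samba-3.` for the `Network ID` wizard gives the reader no reason, so they cannot tell whether the restriction still applies to their version or what fails if they ignore it. Add a sentence saying what the wizard does that a Samba-3 domain does not support, so the instruction can be verified rather than taken on faith.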
@ -349,7 +356,7 @@ that are in common use today. These are:
</para></step>

<step><para>
Enter the name <guimenu>MIDEARTH</guimenu> in the field below the Domain radio button.
Enter the name <guimenu>MIDEARTH</guimenu> in the field below the domain radio button.
</para>

<para>
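Review bot: lowercasing `Domain radio button` changes a literal UI label: the dialog's radio button is captioned `Domain`, so the casing should follow the screen. Mark it up as `<guilabel>Domain</guilabel>` rather than lowercasing it. In the same line, `<guimenu>MIDEARTH</guimenu>` is an example domain name, not a menu; `<replaceable>MIDEARTH</replaceable>` or `<constant>MIDEARTH</constant>` is the appropriate element.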
@ -359,12 +366,12 @@ that are in common use today. These are:

<step><para>
Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
of a Domain administrative account that has the rights to add machines to the Domain.
of a domain administrative account that has the rights to add machines to the domain.
</para>

<para>
Enter the name <quote>root</quote> and the root password from your Samba-3 server. See <link linkend="wxpp008"></link>.
<figure id="wxpp008"><title>Computer Name Changes &smbmdash; User name and Password Panel.</title><imagefile>wxpp008</imagefile></figure>
<figure id="wxpp008"><title>Computer Name Changes &smbmdash; Username and Password Panel.</title><imagefile>wxpp008</imagefile></figure>
</para></step>

<step><para>
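Review bot: `the root password from your Samba-3 server` is ambiguous. The troubleshooting list later in this chapter says the join fails when the `root` account is not in the password backend database, so the password the reader needs is the one set for root in Samba's passdb (with smbpasswd or pdbedit), which need not be the UNIX login password. Say that explicitly here; the other reading invites typing the system root password into a Windows dialog by mistake.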
@ -384,17 +391,17 @@ that are in common use today. These are:
<title>Domain Logon Configuration: Windows 9x/Me</title>

<para>
We follow the convention used by most in saying that Windows 9x/Me machines can participate in Domain logons. The truth is
We follow the convention used by most in saying that Windows 9x/Me machines can participate in domain logons. The truth is
that these platforms can use only the LanManager network logon protocols.
</para>

<note><para>
Windows XP Home edition cannot participate in Domain or LanManager network logons.
Windows XP Home edition cannot participate in domain or LanManager network logons.
</para></note>

<procedure>
<step><para>
Right click on the <guimenu>Network Neighborhood</guimenu> icon.
Right-click on the <guimenu>Network Neighborhood</guimenu> icon.
</para></step>

<step><para>
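Review bot: `these platforms can use only the LanManager network logon protocols` states a limitation without its consequence. A sentence on what that means for the Samba server configuration (which authentication the server must still accept for these clients) would make the paragraph actionable; as written the reader is only told that calling it a domain logon is a convention.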
@ -417,7 +424,7 @@ that are in common use today. These are:

<para>
Enter the Windows NT domain name, check the <guimenu>Log on to Windows NT domain</guimenu> box,
click <guimenu>OK</guimenu>.
and click <guimenu>OK</guimenu>.
</para></step>

<step><para>
@ -430,7 +437,7 @@ that are in common use today. These are:
Now click the <guimenu>Access Control</guimenu> button. If you want to be able to assign share access
permissions using domain user and group accounts, it is necessary to enable
<guimenu>User-level access control</guimenu> as shown in this panel. See <link linkend="WME014"></link>.
<figure id="WME014"><title>Identification Panel.</title><imagefile>WME014</imagefile></figure>
<figure id="WME014"><title>Access Control Panel.</title><imagefile>WME014</imagefile></figure>
</para></step>

</procedure>
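Review bot: the retitle from `Identification Panel.` to `Access Control Panel.` keeps the same `id` and `<imagefile>WME014</imagefile>`; confirm that the image really shows the Access Control tab, since the old title suggests the screenshot itself may have been the wrong one rather than just the caption.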
@ -464,7 +471,7 @@ The most common reasons for which a Windows NT/200x/XP Professional client canno
<listitem><para><quote>root</quote> account is not in password backend database.</para></listitem>
<listitem><para>Attempt to use a user account instead of the <quote>root</quote> account to join a machine to the domain.</para></listitem>
<listitem><para>Open connections from the workstation to the server.</para></listitem>
<listitem><para>Firewall or filter configurations in place on either the client or on the Samba server.</para></listitem>
<listitem><para>Firewall or filter configurations in place on either the client or the Samba server.</para></listitem>
</itemizedlist>

</sect1>
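Review bot: the list item `Open connections from the workstation to the server.` is too terse to act on: it does not say why an existing connection blocks the join or how to clear it (for example, disconnecting any mapped drives to the server with `net use` before retrying). The neighbouring items at least imply their fix; this one should say it.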
@ -233,4 +233,7 @@
The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol.
</para></glossdef>
</glossentry>



</glossary>
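Review bot: this glossary hunk adds only three blank lines before `</glossary>`; it is a whitespace-only change with no effect on the rendered output and can be dropped from the commit.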
@ -30,7 +30,7 @@ a range of functions that are all categorized under this one term.
<para>
Opportunistic locking is a desirable feature when it can enhance the
perceived performance of applications on a networked client. However, the
opportunistic locking protocol is not robust and, therefore, can
opportunistic locking protocol is not robust and therefore can
encounter problems when invoked beyond a simplistic configuration or
on extended slow or faulty networks. In these cases, operating
system management of opportunistic locking and/or recovering from
@ -46,7 +46,7 @@ settings on the MS Windows client.

<note>
<para>
Sometimes it is necessary to disable locking control settings on both the Samba
Sometimes it is necessary to disable locking control settings on the Samba
server as well as on each MS Windows client!
</para>
</note>
@ -67,7 +67,7 @@ that are specified when a file is open.
Record locking semantics under UNIX are very different from record locking under
Windows. Versions of Samba before 2.2 have tried to use the native fcntl() UNIX
system call to implement proper record locking between different Samba clients.
This cannot be fully correct for several reasons. The simplest is the fact
This cannot be fully correct for several reasons. The simplest is
that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
depending on the client OS. The UNIX locking only supports byte ranges up to 2^31.
So it is not possible to correctly satisfy a lock request above 2^31. There are
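Review bot: `The UNIX locking only supports byte ranges up to 2^31` holds for a 32-bit `off_t` in `struct flock`; on a build with 64-bit file offsets `fcntl()` accepts ranges up to 2^63, so state the assumption rather than presenting it as a fixed limit. Also, `2^32`, `2^64` and `2^31` are written with a caret in prose; DocBook has `<superscript>` for this (`2<superscript>31</superscript>`).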
@ -75,16 +75,16 @@ many more differences, too many to be listed here.
</para>

<para>
Samba 2.2 and above implements record locking completely independent of the
underlying UNIX system. If a byte range lock that the client requests happens
to fall into the range of 0-2^31, Samba hands this request down to the UNIX system.
All other locks cannot be seen by UNIX, anyway.
Samba 2.2 and above implement record locking completely independent of the
underlying UNIX system. If a byte-range lock that the client requests happens
to fall into the range of 0 to 2^31, Samba hands this request down to the UNIX system.
No other locks can be seen by UNIX, anyway.
</para>

<para>
Strictly speaking, an SMB server should check for locks before every read and write call on
a file. Unfortunately with the way fcntl() works, this can be slow and may overstress
the <command>rpc.lockd</command>. This is almost always unnecessary as clients are supposed to
a file. Unfortunately, with the way fcntl() works, this can be slow and may overstress
the <command>rpc.lockd</command>. This is almost always unnecessary because clients are supposed to
independently make locking calls before reads and writes if locking is
important to them. By default, Samba only makes locking calls when explicitly asked
to by a client, but if you set <smbconfoption name="strict locking">yes</smbconfoption>, it
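Review bot: the paragraph contradicts itself: it says Samba 2.2 and above implement record locking `completely independent of the underlying UNIX system`, then that locks in the range 0 to 2^31 are handed `down to the UNIX system`. Reword to say that Samba tracks all byte-range locks itself and additionally mirrors those that fit the UNIX range to `fcntl()`; that is also the behaviour the following `strict locking` paragraph relies on.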
@ -92,10 +92,10 @@ will make lock checking calls on <emphasis>every</emphasis> read and write call.
</para>

<para>
You can also disable byte range locking completely by using
You can also disable byte-range locking completely by using
<smbconfoption name="locking">no</smbconfoption>.
This is useful for those shares that do not support locking or do not need it
(such as CDROMs). In this case, Samba fakes the return codes of locking calls to
(such as CD-ROMs). In this case, Samba fakes the return codes of locking calls to
tell clients that everything is okay.
</para>

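Review bot: `locking = no` deserves a warning, not only the CD-ROM example: because Samba `fakes the return codes of locking calls to tell clients that everything is okay`, two clients writing the same file on such a share are both told their locks succeeded and can overwrite each other's data. Say that the setting is only safe for read-only data or for shares with a single writer.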
@ -112,11 +112,11 @@ modes called <constant>DENY_FCB</constant> and <constant>DENY_DOS</constant>.
<title>Opportunistic Locking Overview</title>

<para>
Opportunistic locking (Oplocks) is invoked by the Windows file system
Opportunistic locking (oplocks) is invoked by the Windows file system
(as opposed to an API) via registry entries (on the server and the client)
for the purpose of enhancing network performance when accessing a file
residing on a server. Performance is enhanced by caching the file
locally on the client that allows:
locally on the client that allows the following:
</para>

<variablelist>
@ -147,7 +147,7 @@ other processes.
</para>

<variablelist>
<title>Windows defines 4 kinds of Oplocks:</title>
<title>Windows Defines Four Kinds of Oplocks:</title>

<varlistentry><term>Level1 Oplock</term>
<listitem><para>
@ -161,10 +161,10 @@ other processes.

<para>
If a second process attempts to open the file, the open
is deferred while the redirector <quote>breaks</quote> the original
is deferred while the redirector "breaks" the original
oplock. The oplock break signals the caching client to
write the local file back to the server, flush the
local locks and discard read-ahead data. The break is
local locks, and discard read-ahead data. The break is
then complete, the deferred open is granted, and the
multiple processes can enjoy concurrent file access as
dictated by mandatory or byte-range locking options.
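Review bot: replacing `<quote>breaks</quote>` with literal `"breaks"` is a regression: the rest of the chapter uses the `<quote>` element (for example `<quote>on</quote>` and `<quote>off</quote>` later in this file), which lets the stylesheet choose the quotation marks. Keep `<quote>` here.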
@ -209,7 +209,7 @@ preparation for the subsequent open by the second process.
<emphasis>Opportunistic locking</emphasis> is actually an improper name for this feature.
The true benefit of this feature is client-side data caching, and
oplocks is merely a notification mechanism for writing data back to the
networked storage disk. The limitation of opportunistic locking is the
networked storage disk. The limitation of oplocks is the
reliability of the mechanism to process an oplock break (notification)
between the server and the caching client. If this exchange is faulty
(usually due to timing out for any number of reasons), then the
@ -221,29 +221,29 @@ The actual decision that a user or administrator should consider is
whether it is sensible to share among multiple users data that will
be cached locally on a client. In many cases the answer is no.
Deciding when to cache or not cache data is the real question, and thus
<quote>opportunistic locking</quote> should be treated as a toggle for client-side
oplocks should be treated as a toggle for client-side
caching. Turn it <quote>on</quote> when client-side caching is desirable and
reliable. Turn it <quote>off</quote> when client-side caching is redundant,
unreliable or counter-productive.
unreliable, or counterproductive.
</para>

<para>
Opportunistic locking is by default set to <quote>on</quote> by Samba on all
Oplocks is by default set to <quote>on</quote> by Samba on all
configured shares, so careful attention should be given to each case to
determine if the potential benefit is worth the potential for delays.
The following recommendations will help to characterize the environment
where opportunistic locking may be effectively configured.
where oplocks may be effectively configured.
</para>

<para>
Windows opportunistic locking is a lightweight performance-enhancing
Windows oplocks is a lightweight performance-enhancing
feature. It is not a robust and reliable protocol. Every
implementation of opportunistic locking should be evaluated as a
tradeoff between perceived performance and reliability. Reliability
implementation of oplocks should be evaluated as a
trade-off between perceived performance and reliability. Reliability
decreases as each successive rule above is not enforced. Consider a
share with oplocks enabled, over a wide area network, to a client on a
share with oplocks enabled, over a wide-area network, to a client on a
South Pacific atoll, on a high-availability server, serving a
mission-critical multi-user corporate database during a tropical
mission-critical multiuser corporate database during a tropical
storm. This configuration will likely encounter problems with oplocks.
</para>

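Review bot: the global replacement of `opportunistic locking` with `oplocks` leaves singular verbs behind a plural noun: `Oplocks is by default set to <quote>on</quote>` and `Windows oplocks is a lightweight` in this hunk, and the same pattern recurs in later hunks of this file (`Oplocks is most effective`, `If oplocks is enabled`, `Oplocks is a unique Windows file locking feature`, `Oplocks essentially means`). Either keep `Opportunistic locking is ...` in these sentences or make the verbs agree (`Oplocks are ...`). `Turn it <quote>on</quote>` in the preceding paragraph has the same problem once its antecedent becomes `oplocks`.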
@ -251,43 +251,43 @@ storm. This configuration will likely encounter problems with oplocks.
Oplocks can be beneficial to perceived client performance when treated
as a configuration toggle for client-side data caching. If the data
caching is likely to be interrupted, then oplock usage should be
reviewed. Samba enables opportunistic locking by default on all
reviewed. Samba enables oplocks by default on all
shares. Careful attention should be given to the client usage of
shared data on the server, the server network reliability and the
opportunistic locking configuration of each share.
In mission critical high availability environments, data integrity is
shared data on the server, the server network reliability, and the
oplocks configuration of each share.
In mission-critical, high-availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
fail-over replacement will be available immediately to provide
failover replacement will be available immediately to provide
continuous data availability.
</para>

<para>
Windows client fail-over behavior is more at risk of application
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependent upon an
established TCP transport connection. If the connection is interrupted
&smbmdash; as in a file server fail-over &smbmdash; a new session must be established.
&smbmdash; as in a file server failover &smbmdash; a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore, most applications
correctly from a transport connection loss; therefore, most applications
will experience some sort of interruption &smbmdash; at worst, abort and
require restarting.
</para>

<para>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
oplocks, it is likely that the data will be lost when the
application restarts or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client. In this case, the
work from the prior session is lost. Observing this scenario with
oplocks disabled and with the client writing data to the file server
real-time, the fail-over will provide the data on disk as it
real-time, the failover will provide the data on disk as it
existed at the time of the disconnect.
</para>

<para>
In mission-critical high-availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
In mission-critical, high-availability environments, careful attention
should be given to oplocks. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</para>
@ -296,16 +296,16 @@ enabled and disabled.
<title>Exclusively Accessed Shares</title>

<para>
Opportunistic locking is most effective when it is confined to shares
Oplocks is most effective when it is confined to shares
that are exclusively accessed by a single user, or by only one user at
a time. Because the true value of opportunistic locking is the local
a time. Because the true value of oplocks is the local
client caching of data, any operation that interrupts the caching
mechanism will cause a delay.
</para>

<para>
Home directories are the most obvious examples of where the performance
benefit of opportunistic locking can be safely realized.
benefit of oplocks can be safely realized.
</para>

</sect3>
@ -314,8 +314,8 @@ benefit of opportunistic locking can be safely realized.
<title>Multiple-Accessed Shares or Files</title>

<para>
As each additional user accesses a file in a share with opportunistic
locking enabled, the potential for delays and resulting perceived poor
As each additional user accesses a file in a share with oplocks
enabled, the potential for delays and resulting perceived poor
performance increases. When multiple users are accessing a file on a
share that has oplocks enabled, the management impact of sending and
receiving oplock breaks and the resulting latency while other clients
@ -344,8 +344,8 @@ exposes the file to likely data corruption.
</para>

<para>
If files are shared between Windows clients, and either local UNIX
or NFS users, turn opportunistic locking off.
If files are shared between Windows clients and either local UNIX
or NFS users, turn oplocks off.
</para>

</sect3>
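Review bot: `If files are shared between Windows clients and either local UNIX or NFS users, turn oplocks off.` is unconditional, while a later hunk in this same file says `Unless your system supports kernel oplocks, you should disable oplocks if you are accessing the same files from both UNIX/Linux and SMB clients`. The two statements should agree: either add the kernel-oplocks qualification here or drop it there.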
@ -354,7 +354,7 @@ or NFS users, turn opportunistic locking off.
<title>Slow and/or Unreliable Networks</title>

<para>
The biggest potential performance improvement for opportunistic locking
The biggest potential performance improvement for oplocks
occurs when the client-side caching of reads and writes delivers the
most differential over sending those reads and writes over the wire.
This is most likely to occur when the network is extremely slow,
@ -363,28 +363,28 @@ has a high impact on the reliability of the oplock break
mechanism, and thus increases the likelihood of encountering oplock
problems that more than offset the potential perceived performance
gain. Of course, if an oplock break never has to be sent, then this is
the most advantageous scenario to utilize opportunistic locking.
the most advantageous scenario in which to utilize oplocks.
</para>

<para>
If the network is slow, unreliable, or a WAN, then do not configure
opportunistic locking if there is any chance of multiple users
oplocks if there is any chance of multiple users
regularly opening the same file.
</para>

</sect3>

<sect3>
<title>Multi-User Databases</title>
<title>Multiuser Databases</title>

<para>
Multi-user databases clearly pose a risk due to their very nature &smbmdash;
Multiuser databases clearly pose a risk due to their very nature &smbmdash;
they are typically heavily accessed by numerous users at random
intervals. Placing a multi-user database on a share with opportunistic
locking enabled will likely result in a locking management bottleneck
intervals. Placing a multi-user database on a share with oplocks
enabled will likely result in a locking management bottleneck
on the Samba server. Whether the database application is developed
in-house or a commercially available product, ensure that the share
has opportunistic locking disabled.
has oplocks disabled.
</para>

</sect3>
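Review bot: the hunk changes the title and the first sentence to `Multiuser`, but the new line `intervals. Placing a multi-user database on a share with oplocks` keeps the hyphenated form; make it `multiuser` so the section is consistent with itself.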
@ -393,17 +393,17 @@ has opportunistic locking disabled.
<title>PDM Data Shares</title>

<para>
Process Data Management (PDM) applications such as IMAN, Enovia and
Clearcase are increasing in usage with Windows client platforms, and
therefore SMB data-stores. PDM applications manage multi-user
Process data management (PDM) applications such as IMAN, Enovia, and
Clearcase are increasing in usage with Windows client platforms and
therefore with SMB datastores. PDM applications manage multiuser
environments for critical data security and access. The typical PDM
environment is usually associated with sophisticated client design
applications that will load data locally as demanded. In addition, the
PDM application will usually monitor the data-state of each client.
PDM application will usually monitor the data state of each client.
In this case, client-side data caching is best left to the local
application and PDM server to negotiate and maintain. It is
appropriate to eliminate the client OS from any caching tasks, and the
server from any oplock management, by disabling opportunistic locking on
server from any oplocks management, by disabling oplocks on
the share.
</para>

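Review bot: `server from any oplocks management` reads worse than the original `oplock management`; the mechanical replacement turned an attributive noun plural. Keep `oplock management`, matching `oplock break` and `oplock mechanism` used elsewhere in this file.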
@ -416,7 +416,7 @@ the share.
Samba includes an &smb.conf; parameter called
<smbconfoption name="force user"/> that changes
the user accessing a share from the incoming user to whatever user is
defined by the smb.conf variable. If opportunistic locking is enabled
defined by the smb.conf variable. If oplocks is enabled
on a share, the change in user access causes an oplock break to be sent
to the client, even if the user has not explicitly loaded a file. In
cases where the network is slow or unreliable, an oplock break can
@ -435,31 +435,31 @@ Avoid the combination of the following:
</para></listitem>

<listitem><para>
Slow or unreliable networks
Slow or unreliable networks.
</para></listitem>

<listitem><para>
Opportunistic locking enabled
Oplocks enabled.
</para></listitem>
</itemizedlist>

</sect3>

<sect3>
<title>Advanced Samba Opportunistic Locking Parameters</title>
<title>Advanced Samba Oplocks Parameters</title>

<para>
Samba provides opportunistic locking parameters that allow the
Samba provides oplocks parameters that allow the
administrator to adjust various properties of the oplock mechanism to
account for timing and usage levels. These parameters provide good
versatility for implementing oplocks in environments where they would
likely cause problems. The parameters are:
<smbconfoption name="oplock break wait time"/>,
likely cause problems. The parameters are
<smbconfoption name="oplock break wait time"/>, and
<smbconfoption name="oplock contention limit"/>.
</para>

<para>
For most users, administrators and environments, if these parameters
For most users, administrators, and environments, if these parameters
are required, then the better option is to simply turn oplocks off.
The Samba SWAT help text for both parameters reads: <quote>Do not change
this parameter unless you have read and understood the Samba oplock code.</quote>
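Review bot: `The parameters are <smbconfoption name="oplock break wait time"/>, and <smbconfoption name="oplock contention limit"/>.` puts a comma before `and` in a two-item list; drop the comma. `Samba provides oplocks parameters` and the new title `Advanced Samba Oplocks Parameters` have the same plural-as-adjective problem as elsewhere in this commit; `oplock parameters` is the natural form.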
@ -469,43 +469,43 @@ This is good advice.
|
</sect3>

<sect3>
<title>Mission-Critical High-Availability</title>
<title>Mission-Critical, High-Availability</title>

<para>
In mission-critical high-availability environments, data integrity is
In mission-critical, high-availability environments, data integrity is
often a priority. Complex and expensive configurations are implemented
to ensure that if a client loses connectivity with a file server, a
fail-over replacement will be available immediately to provide
failover replacement will be available immediately to provide
continuous data availability.
</para>

<para>
Windows client fail-over behavior is more at risk of application
interruption than other platforms because it is dependant upon an
Windows client failover behavior is more at risk of application
interruption than other platforms because it is dependent upon an
established TCP transport connection. If the connection is interrupted
&smbmdash; as in a file server fail-over &smbmdash; a new session must be established.
&smbmdash; as in a file server failover &smbmdash; a new session must be established.
It is rare for Windows client applications to be coded to recover
correctly from a transport connection loss, therefore, most applications
correctly from a transport connection loss; therefore, most applications
will experience some sort of interruption &smbmdash; at worst, abort and
require restarting.
</para>

<para>
If a client session has been caching writes and reads locally due to
opportunistic locking, it is likely that the data will be lost when the
application restarts, or recovers from the TCP interrupt. When the TCP
oplocks, it is likely that the data will be lost when the
application restarts or recovers from the TCP interrupt. When the TCP
connection drops, the client state is lost. When the file server
recovers, an oplock break is not sent to the client. In this case, the
work from the prior session is lost. Observing this scenario with
oplocks disabled, and the client was writing data to the file server
real-time, then the fail-over will provide the data on disk as it
oplocks disabled, if the client was writing data to the file server
real-time, then the failover will provide the data on disk as it
existed at the time of the disconnect.
</para>

<para>
In mission-critical high-availability environments, careful attention
should be given to opportunistic locking. Ideally, comprehensive
testing should be done with all effected applications with oplocks
In mission-critical, high-availability environments, careful attention
should be given to oplocks. Ideally, comprehensive
testing should be done with all affected applications with oplocks
enabled and disabled.
</para>

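Review bot: this sect3 (`Mission-Critical, High-Availability`) repeats, nearly word for word, the four paragraphs already present in the earlier hunk of this file that begins `In mission-critical, high-availability environments, data integrity is often a priority`, and the commit edits both copies in parallel. Keep one copy (this sect3 is the natural home) and delete the other so the two cannot drift apart again.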
@ -514,30 +514,30 @@ enabled and disabled.
</sect1>

<sect1>
<title>Samba Opportunistic Locking Control</title>
<title>Samba Oplocks Control</title>

<para>
Opportunistic locking is a unique Windows file locking feature. It is
Oplocks is a unique Windows file locking feature. It is
not really file locking, but is included in most discussions of Windows
file locking, so is considered a de facto locking feature.
Opportunistic locking is actually part of the Windows client file
Oplocks is actually part of the Windows client file
caching mechanism. It is not a particularly robust or reliable feature
when implemented on the variety of customized networks that exist in
enterprise computing.
</para>

<para>
Like Windows, Samba implements opportunistic locking as a server-side
Like Windows, Samba implements oplocks as a server-side
component of the client caching mechanism. Because of the lightweight
nature of the Windows feature design, effective configuration of
opportunistic locking requires a good understanding of its limitations,
oplocks requires a good understanding of its limitations,
and then applying that understanding when configuring data access for
each particular customized network and client usage state.
</para>

<para>
Opportunistic locking essentially means that the client is allowed to download and cache
a file on their hard drive while making changes; if a second client wants to access the
Oplocks essentially means that the client is allowed to download and cache
a file on its hard drive while making changes; if a second client wants to access the
file, the first client receives a break and must synchronize the file back to the server.
This can give significant performance gains in some cases; some programs insist on
synchronizing the contents of the entire file back to the server for a single change.
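Review bot: the mechanical replacement of "opportunistic locking" with "oplocks" in this hunk leaves the grammar broken: "Oplocks is a unique Windows file locking feature", "Oplocks is actually part of the Windows client file caching mechanism" and "Oplocks essentially means that the client is allowed to download and cache" all pair a plural noun with a singular verb. Either keep the singular term where it is the subject, e.g. "Opportunistic locking (oplocks) is a unique Windows file locking feature", or write "Oplocks are" and "An oplock essentially means". The new title "Samba Oplocks Control" has the same problem and reads better as "Samba Oplock Control".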
@ -556,7 +556,7 @@ on files that the client has no initial intention to write to at time of opening
<para>
Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with
Samba's oplocked files, although this has provided better integration of MS Windows network
file locking with the underlying OS, SGI IRIX and Linux are the only two OSs that are
file locking with the underlying OS. SGI IRIX and Linux are the only two OSs that are
oplock-aware at this time.
</para>

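Review bot: splitting the run-on at "underlying OS." removes the comma splice but leaves the first sentence dangling: "a method that allows the Linux kernel to co-exist with Samba's oplocked files, although this has provided better integration ..." has an "although" with nothing to contrast. Suggest rewriting the sentence so it also says what the feature is for, e.g. "Kernel oplocks let the kernel break a Samba oplock when a local UNIX process opens the file, which gives better integration of MS Windows network file locking with the underlying OS." That explains the advice in the next hunk to disable oplocks on systems without kernel oplocks when files are accessed from both UNIX and SMB clients, since otherwise a local write does not invalidate the client's cached copy.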
@ -564,7 +564,7 @@ oplock-aware at this time.
Unless your system supports kernel oplocks, you should disable oplocks if you are
accessing the same files from both UNIX/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronization of
multiple clients, because any break the first client receives will affect synchronization of
the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react quite badly to oplocks. If in doubt,
@ -622,7 +622,7 @@ Alternately, you could disable oplocks on a per-file basis within the share:
</para>

<para>
If you are experiencing problems with oplocks as apparent from Samba's log entries,
If you are experiencing problems with oplocks, as apparent from Samba's log entries,
you may want to play it safe and disable oplocks and Level2 oplocks.
</para>

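Review bot: "as apparent from Samba's log entries" is still ungrammatical after the added comma; "as is apparent from Samba's log entries" or "as shown by Samba's log entries" reads correctly.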
@ -653,21 +653,22 @@ The default is no.
</para>

<para>
Veto opLocks is an &smb.conf; parameter that identifies specific files for
<emphasis>Veto oplocks</emphasis> is an &smb.conf; parameter that identifies specific files for
which oplocks are disabled. When a Windows client opens a file that
has been configured for veto oplocks, the client will not be granted
the oplock, and all operations will be executed on the original file on
disk instead of a client-cached file copy. By explicitly identifying
files that are shared with UNIX processes and disabling oplocks for
those files, the server-wide Oplock configuration can be enabled to
those files, the server-wide oplock configuration can be enabled to
allow Windows clients to utilize the performance benefit of file
caching without the risk of data corruption. Veto Oplocks can be
caching without the risk of data corruption. Veto oplocks can be
enabled on a per-share basis, or globally for the entire server, in the
&smb.conf; file as shown in <link linkend="far1"/>.
</para>

<para>
<example id="far1">
<title>Share with some files oplocked</title>
<title>Share with Some Files Oplocked</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="veto oplock files">/filename.htm/*.txt/</smbconfoption>
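Review bot: "<emphasis>Veto oplocks</emphasis>" is not the name of the parameter; the example three lines below shows it is "veto oplock files", and the rest of this section references parameters with <smbconfoption name="..."/> (see "oplock break wait time" in the next hunk). Use <smbconfoption name="veto oplock files"/> here so the name is correct and the cross-reference is generated the same way as for the other parameters.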
@ -676,12 +677,13 @@ enabled on a per-share basis, or globally for the entire server, in the
<smbconfoption name="veto oplock files">/*.exe/filename.ext/</smbconfoption>
</smbconfblock>
</example>
</para>

<para>
<smbconfoption name="oplock break wait time"/> is an &smb.conf; parameter
that adjusts the time interval for Samba to reply to an oplock break request. Samba recommends:
<quote>Do not change this parameter unless you have read and understood the Samba oplock code.</quote>
Oplock break Wait Time can only be configured globally in the &smb.conf; file as shown below.
Oplock break wait time can only be configured globally in the &smb.conf; file as shown:
</para>

<para>
@ -695,13 +697,14 @@ Oplock break Wait Time can only be configured globally in the &smb.conf; file as
response of the Samba server to grant an oplock if the configured
number of contending clients reaches the limit specified by the parameter. Samba recommends
<quote>Do not change this parameter unless you have read and understood the Samba oplock code.</quote>
Oplock break Contention Limit can be enable on a per-share basis, or globally for
Oplock break contention limit can be enabled on a per-share basis, or globally for
the entire server, in the &smb.conf; file as shown in <link linkend="far3"/>.
</para>

<para>
<example id="far3">
<title>Configuration with oplock break contention limit</title>
<smbconfblock>
<title>Configuration with Oplock Break Contention Limit</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="oplock break contention limit"> 2 (default)</smbconfoption>

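Review bot: the example value "<smbconfoption name="oplock break contention limit"> 2 (default)</smbconfoption>" renders as "oplock break contention limit = 2 (default)", which is not a value a reader can paste into a real smb.conf. Since the example title is being retouched anyway, make the value a literal "2" and move "(default)" into the prose ("The default is 2."). The same string appears again in the [share] block in the next hunk.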
@ -709,6 +712,7 @@ the entire server, in the &smb.conf; file as shown in <link linkend="far3"/>.
<smbconfoption name="oplock break contention limit"> 2 (default)</smbconfoption>
</smbconfblock>
</example>
</para>

</sect3>
</sect2>
@ -716,13 +720,13 @@ the entire server, in the &smb.conf; file as shown in <link linkend="far3"/>.
</sect1>

<sect1>
<title>MS Windows Opportunistic Locking and Caching Controls</title>
<title>MS Windows Oplocks and Caching Controls</title>

<para>
There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
There is a known issue when running applications (like Norton Antivirus) on a Windows 2000/ XP
workstation computer that can affect any application attempting to access shared database files
across a network. This is a result of a default setting configured in the Windows 2000/XP
operating system known as <emphasis>opportunistic locking</emphasis>. When a workstation
operating system. When a workstation
attempts to access shared data files located on another Windows 2000/XP computer,
the Windows 2000/XP operating system will attempt to increase performance by locking the
files and caching information locally. When this occurs, the application is unable to
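Review bot: dropping "known as <emphasis>opportunistic locking</emphasis>" removes the only place this paragraph names the setting it warns about; "a default setting configured in the Windows 2000/XP operating system" no longer tells the reader what the registry steps further down are switching off. Keep the name in the new terminology, e.g. "... operating system, known as <emphasis>oplocks</emphasis>." Also, "Windows 2000/ XP" keeps a stray space that the other occurrences in the same paragraph ("Windows 2000/XP") do not have.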
@ -733,14 +737,14 @@ properly function, which results in an <quote>Access Denied</quote>
<para>
All Windows operating systems in the NT family that act as database servers for data files
(meaning that data files are stored there and accessed by other Windows PCs) may need to
have opportunistic locking disabled in order to minimize the risk of data file corruption.
have oplocks disabled in order to minimize the risk of data file corruption.
This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP.
<footnote><para>Microsoft has documented this in Knowledge Base article 300216.</para></footnote>
</para>

<para>
If you are using a Windows NT family workstation in place of a server, you must also
disable opportunistic locking (oplocks) on that workstation. For example, if you use a
disable oplocks on that workstation. For example, if you use a
PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
have data files located on it that are accessed from other Windows PCs, you may need to
disable oplocks on that system.
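Review bot: the sentence immediately after the edited line, "This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP", contradicts the lead-in "All Windows operating systems in the NT family": Windows 9x/Me are not NT-family systems. Either drop "9x/Me" from the list or change the lead-in to "All Windows operating systems that act as database servers ...". Since the copy edit touches the line above, this is the place to fix it.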
@ -759,7 +763,7 @@ to ensure that the new setting goes into effect.
</para>

<para>
The location of the client registry entry for opportunistic locking has changed in
The location of the client registry entry for oplocks has changed in
Windows 2000 from the earlier location in Microsoft Windows NT.
</para>

@ -769,7 +773,7 @@ in earlier versions of Windows.
</para></note>

<para>
You can also deny the granting of opportunistic locks by changing the following registry entries:
You can also deny the granting of oplocks by changing the following registry entries:
</para>

<para>
@ -784,7 +788,7 @@ You can also deny the granting of opportunistic locks by changing the following

<note><para>
The OplocksDisabled registry value configures Windows clients to either request or not
request opportunistic locks on a remote file. To disable oplocks, the value of
request oplocks on a remote file. To disable oplocks, the value of
OplocksDisabled must be set to 1.
</para></note>

@ -803,7 +807,7 @@ request opportunistic locks on a remote file. To disable oplocks, the value of

<note><para>
The EnableOplocks value configures Windows-based servers (including Workstations sharing
files) to allow or deny opportunistic locks on local files.
files) to allow or deny oplocks on local files.
</para></note>

<para>
@ -811,7 +815,7 @@ To force closure of open oplocks on close or program exit, EnableOpLockForceClos
</para>

<para>
An illustration of how Level2 oplocks work:
An illustration of how Level2 oplocks work follows:
</para>

<itemizedlist>
@ -832,7 +836,7 @@ An illustration of how Level2 oplocks work:
Station 1 complies by flushing locally buffered lock information to the server.
</para></listitem>
<listitem><para>
Station 1 informs the server that it has Broken to Level2 Oplock (alternately,
Station 1 informs the server that it has broken to level2 Oplock (alternately,
station 1 could have closed the file).
</para></listitem>
<listitem><para>
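Review bot: "broken to level2 Oplock" lowercases "Level2" but leaves "Oplock" capitalized, the reverse of the spelling used elsewhere in this section ("Level2 oplocks", "disable oplocks and Level2 oplocks"). Suggest "broken to a Level2 oplock". The continuation line also starts with lowercase "station 1" while every other item says "Station 1".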
@ -863,7 +867,7 @@ An illustration of how Level2 oplocks work:
</programlisting></para>

<para>
This indicates whether the redirector should use opportunistic-locking (oplock) performance
This indicates whether the redirector should use oplocks performance
enhancement. This parameter should be disabled only to isolate problems.
</para>

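Review bot: "should use oplocks performance enhancement" is ungrammatical after the substitution; the original "opportunistic-locking (oplock) performance enhancement" used the term as a modifier. Suggest "should use the oplock performance enhancement".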
@ -882,7 +886,7 @@ enhancement. This parameter should be disabled only to isolate problems.
<para>
This specifies whether the server allows clients to use oplocks on files. Oplocks are a
significant performance enhancement, but have the potential to cause lost cached
data on some networks, particularly wide area networks.
data on some networks, particularly WANs.
</para>

<para><programlisting>
@ -892,7 +896,7 @@ data on some networks, particularly wide area networks.

<para>
This specifies the minimum link throughput allowed by the server before it disables
raw and opportunistic locks for this connection.
raw I/O and oplocks for this connection.
</para>

<para><programlisting>
@ -902,7 +906,7 @@ raw and opportunistic locks for this connection.

<para>
This specifies the maximum time allowed for a link delay. If delays exceed this number,
the server disables raw I/O and opportunistic locking for this connection.
the server disables raw I/O and oplocks for this connection.
</para>

<para><programlisting>
@ -934,7 +938,7 @@ If you see persistent data corruption even after repeated re-indexing, you may h
rebuild the data files in question. This involves creating a new data file with the
same definition as the file to be rebuilt and transferring the data from the old file
to the new one. There are several known methods for doing this that can be found in
our Knowledge Base.
our knowledge base.
</para>

</sect1>
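Review bot: lowercasing "Knowledge Base" does not address the real problem with this sentence: in the Samba HOWTO, "our knowledge base" has no referent, and the reader is pointed nowhere for the "several known methods". Either name and link the knowledge base that is meant, or mark the passage as quoted from its source.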
@ -943,9 +947,9 @@ our Knowledge Base.
<title>Common Errors</title>

<para>
In some sites, locking problems surface as soon as a server is installed; in other sites
In some sites locking problems surface as soon as a server is installed; in other sites
locking problems may not surface for a long time. Almost without exception, when a locking
problem does surface it will cause embarrassment and potential data corruption.
problem does surface, it will cause embarrassment and potential data corruption.
</para>

<para>
@ -956,8 +960,8 @@ so far:

<itemizedlist>
<listitem><para>
Incorrect configuration of opportunistic locking (incompatible with the application
being used. This is a common problem even where MS Windows NT4 or MS Windows
Incorrect configuration of oplocks (incompatible with the application
being used). This is a common problem even where MS Windows NT4 or MS Windows
200x-based servers were in use. It is imperative that the software application vendors'
instructions for configuration of file locking should be followed. If in doubt,
disable oplocks on both the server and the client. Disabling of all forms of file
@ -965,21 +969,21 @@ so far:
</para></listitem>

<listitem><para>
Defective network cards, cables, or HUBs/Switched. This is generally a more
prevalent factor with low cost networking hardware, although occasionally there
Defective network cards, cables, or hubs/switches. This is generally a more
prevalent factor with low-cost networking hardware, although occasionally there
have also been problems with incompatibilities in more up-market hardware.
</para></listitem>

<listitem><para>
There have been some random reports of Samba log files being written over data
files. This has been reported by very few sites (about five in the past three years)
files. This has been reported by very few sites (about five in the past 3 years)
and all attempts to reproduce the problem have failed. The Samba Team has been
unable to catch this happening and thus has not been able to isolate any particular
unable to catch this happening and thus unable to isolate any particular
cause. Considering the millions of systems that use Samba, for the sites that have
been affected by this as well as for the Samba Team this is a frustrating and
a vexing challenge. If you see this type of thing happening, please create a bug
been affected by this as well as for the Samba Team, this is a frustrating and
vexing challenge. If you see this type of thing happening, please create a bug
report on Samba <ulink url="https://bugzilla.samba.org">Bugzilla</ulink> without delay.
Make sure that you give as much information as you possibly can help isolate the
Make sure that you give as much information as you possibly can to help isolate the
cause and to allow replication of the problem (an essential step in problem isolation and correction).
</para></listitem>
</itemizedlist>
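Review bot: changing "three years" to "3 years" goes against the spelled-out numbers in the same sentence ("about five") and in the rest of the chapter; keep "three years". The other fixes in this hunk ("hubs/switches", "low-cost", the missing "to" before "help isolate") are correct.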
@ -1002,7 +1006,7 @@ tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
</para>

<para>
This error indicated a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd.
This error indicates a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd.
</para>

</sect2>
@ -1011,18 +1015,18 @@ tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
<title>Problems Saving Files in MS Office on Windows XP</title>

<para>This is a bug in Windows XP. More information can be
found in <ulink url="http://support.microsoft.com/?id=812937">Microsoft Knowledge Base article 812937.</ulink></para>
found in <ulink url="http://support.microsoft.com/?id=812937">Microsoft Knowledge Base article 812937</ulink></para>.

</sect2>

<sect2>

<title>Long Delays Deleting Files Over Network with XP SP1</title>
<title>Long Delays Deleting Files over Network with XP SP1</title>

<para><quote>It sometimes takes approximately 35 seconds to delete files over the network after XP SP1 has been applied.</quote></para>

<para>This is a bug in Windows XP. More information can be found in <ulink url="http://support.microsoft.com/?id=811492">
Microsoft Knowledge Base article 811492.</ulink></para>
Microsoft Knowledge Base article 811492</ulink></para>.
</sect2>

</sect1>
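Review bot: both edited lines move the full stop to the wrong side of the closing tags: "...article 812937</ulink></para>." and "...article 811492</ulink></para>." leave a bare "." after </para>, directly inside <sect2>, and DocBook's sect2 content model does not allow character data there, so validation will fail (and if it did not, the period would be orphaned outside the paragraph). The intended form is "...article 812937</ulink>.</para>", with the period after </ulink> and before </para>.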
@ -1043,24 +1047,24 @@ Section of the Microsoft MSDN Library on opportunistic locking:
<para>
Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development >
Windows Base Services > Files and I/O > SDK Documentation > File Storage > File Systems
> About File Systems > Opportunistic Locks, Microsoft Corporation.
<ulink noescape="1" url="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</ulink>
> About File Systems > Opportunistic Locks, Microsoft Corporation
<ulink noescape="1" url="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</ulink>.
</para>

<para>
Microsoft Knowledge Base Article Q224992 <?latex \linebreak ?><quote>Maintaining Transactional Integrity
Microsoft Knowledge Base Article Q224992, <?latex \linebreak ?><quote>Maintaining Transactional Integrity
with OPLOCKS</quote>,
Microsoft Corporation, April 1999, <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</ulink>.
</para>

<para>
Microsoft Knowledge Base Article Q296264 <quote>Configuring Opportunistic Locking in Windows 2000</quote>,
Microsoft Corporation, April 2001, <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</ulink>.
Microsoft Knowledge Base Article Q296264, <quote>Configuring Opportunistic Locking in Windows 2000</quote>,
Microsoft Corporation, April 2001 <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</ulink>.
</para>

<para>
Microsoft Knowledge Base Article Q129202 <quote>PC Ext: Explanation of Opportunistic Locking on Windows NT</quote>,
Microsoft Corporation, April 1995, <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</ulink>.
Microsoft Knowledge Base Article Q129202, <quote>PC Ext: Explanation of Opportunistic Locking on Windows NT</quote>,
Microsoft Corporation, April 1995 <ulink noescape="1" url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</ulink>.
</para>

</sect1>

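Review bot: the reference entries end up with inconsistent punctuation before the URL: the Q224992 entry keeps "April 1999, <ulink ...>" while the Q296264 and Q129202 entries drop the comma ("April 2001 <ulink ...>", "April 1995 <ulink ...>"), and the MSDN entry now has "Microsoft Corporation" with neither comma nor period before its link. Pick one form and apply it to all four entries.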
@ -23,7 +23,7 @@
<title>Features and Benefits</title>

<para>
The Distributed File System (DFS) provides a means of separating the logical
The distributed file system (DFS) provides a means of separating the logical
view of files and directories that users see from the actual physical locations
of these resources on the network. It allows for higher availability, smoother
storage expansion, load balancing, and so on.
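Review bot: "Distributed File System" is Microsoft's name for the feature this chapter implements (the smb.conf parameters are "host msdfs" and "msdfs root"), so lowercasing it to "distributed file system" turns the name that the abbreviation DFS expands into a generic description. Keep the capitalized form here.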
@ -40,7 +40,7 @@
A Samba server can be made a DFS server by setting the global
Boolean <smbconfoption name="host msdfs"/>
parameter in the &smb.conf; file. You designate a share as a DFS
root using the Share Level Boolean <smbconfoption name="msdfs root"/> parameter. A DFS root directory on Samba hosts DFS
root using the share-level Boolean <smbconfoption name="msdfs root"/> parameter. A DFS root directory on Samba hosts DFS
links in the form of symbolic links that point to other servers. For example, a symbolic link
<filename>junction->msdfs:storage1\share1</filename> in the share directory acts
as the DFS junction. When DFS-aware clients attempt to access the junction link,
@ -49,7 +49,7 @@

<para>
DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x.
<link linkend="dfscfg">Following sample configuration</link> shows how to setup a DFS tree on a Samba server.
<link linkend="dfscfg">The following sample configuration</link> shows how to setup a DFS tree on a Samba server.
In the <filename>/export/dfsroot</filename> directory, you set up your DFS links to
other servers on the network.
<screen>
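Review bot: while fixing the missing article, "how to setup a DFS tree" should become "how to set up a DFS tree"; "setup" is the noun, and the very next sentence already uses the verb form "set up" correctly.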
@ -62,7 +62,7 @@
</para>

<example id="dfscfg">
<title>smb.conf with DFS configured</title>
<title>smb.conf with DFS Configured</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
@ -76,14 +76,14 @@

<para>You should set up the permissions and ownership of
the directory acting as the DFS root so that only designated
users can create, delete or modify the msdfs links. Also note
users can create, delete, or modify the msdfs links. Also note
that symlink names should be all lowercase. This limitation exists
to have Samba avoid trying all the case combinations to get at
the link name. Finally, set up the symbolic links to point to the
network shares you want and start Samba.</para>

<para>Users on DFS-aware clients can now browse the DFS tree
on the Samba server at \\samba\dfs. Accessing
on the Samba server at <constant>\\samba\dfs</constant>. Accessing
links linka or linkb (which appear as directories to the client)
takes users directly to the appropriate shares on the network.</para>
</sect1>
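Review bot: the first paragraph tells the reader to restrict who may create, delete or modify the msdfs links but never says why, and it is the one security-relevant sentence in this chapter: the links are plain symlinks whose "msdfs:server\share" target text is what DFS-aware clients are sent to, so anyone who can write to the DFS root directory can redirect every client that follows a link to a server of their choosing. One sentence stating that would turn the advice into something an administrator acts on. Separately, "\\samba\dfs" wrapped in <constant> is a UNC path rather than a constant; <filename> is what this chapter already uses for paths ("/export/dfsroot", "junction->msdfs:storage1\share1").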
@ -93,7 +93,7 @@
<itemizedlist>
<listitem><para>Windows clients need to be rebooted
if a previously mounted non-DFS share is made a DFS
root or vice versa. A better way is to introduce a
root, or vice versa. A better way is to introduce a
new share and make it the DFS root.</para>
</listitem>

@ -113,20 +113,20 @@

<para>
A network administrator sent advice to the Samba mailing list
after a long sessions trying to determine why DFS was not working.
after long sessions trying to determine why DFS was not working.
His advice is worth noting.
</para>

<para><quote>
I spent some time trying to figure out why my particular
dfs root wasn't working. I noted in the documentation that
DFS root wasn't working. I noted in the documentation that
the symlink should be in all lowercase. It should be
amended that the entire path to the symlink should all be
in lowercase as well.
</quote></para>

<para>
For example, I had a share defined as such:
<quote>For example, I had a share defined as such:</quote>

<screen>
[pub]
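Review bot: "after long sessions trying to determine" is an odd repair of "after a long sessions"; the singular "after a long session trying to determine why DFS was not working" is the more likely intent and reads more naturally.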
@ -134,8 +134,8 @@
msdfs root = yes
</screen>

and I could not make my Windows 9x/Me (with the dfs client installed)
follow this symlink:
<quote>and I could not make my Windows 9x/Me (with the dfs client installed)
follow this symlink:</quote>

<screen>
damage1 -> msdfs:damage\test-share
@ -143,15 +143,15 @@
</para>

<para>
Running a debug level of 10 reveals:
<quote>Running a debug level of 10 reveals:</quote>

<programlisting>
[2003/08/20 11:40:33, 5] msdfs/msdfs.c:is_msdfs_link(176)
is_msdfs_link: /export/home/shares/public_share/* does not exist.
</programlisting>

Curious. So I changed the directory name from .../Shares/... to
.../shares/... (along with my service definition) and it worked!
<quote>Curious. So I changed the directory name from <constant>.../Shares/...</constant> to
<constant>.../shares/...</constant> (along with my service definition) and it worked!</quote>
</para>

</sect2>

@ -16,7 +16,7 @@

<?latex \setcounter{page}{5} ?>

<xi:include href="../Samba3-HOWTO-attributions.xml">
<xi:include href="../Samba-HOWTO-Collection-attributions.xml">
<xi:fallback/>
</xi:include>

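Review bot: the include target changes from ../Samba3-HOWTO-attributions.xml to ../Samba-HOWTO-Collection-attributions.xml, but nothing in this diff adds or renames that file. Because the <xi:fallback/> is empty, a wrong path does not fail the build; the attributions page just silently disappears from the output. Please confirm the file exists under the new name in the same commit (or rename it here), and consider a non-empty fallback so that a broken include is visible in the rendered document.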
@ -152,6 +152,7 @@ The chapters in this part each cover specific Samba features.
<!-- Comment out the following line to include the manpages.
*Please* do not commit with the line below enabled! -->
<!-- <xi:include href="manpages.xml"/> -->
<xi:include href="manpages.xml"/>
<xi:include href="http://www.gnu.org/licenses/gpl.xml"/>

<xi:include href="TOSHARG-glossary.xml"/>
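Review bot: this hunk commits "<xi:include href="manpages.xml"/>" enabled, directly beneath the comment that says "*Please* do not commit with the line below enabled!". Either the change is accidental and the line should go back to being commented out, or the policy has changed and the comment should be removed in the same commit; as it stands the file contradicts itself. While here: the neighbouring "<xi:include href="http://www.gnu.org/licenses/gpl.xml"/>" pulls content over plain HTTP at build time, so the build needs network access and the fetched text is unauthenticated; a vendored local copy of the licence text would make the build reproducible and offline.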