diff options
author | Jeremy Allison <jra@samba.org> | 2008-05-30 10:09:22 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-05-30 10:09:22 -0700 |
commit | a991c5a7c30253fa36e1ee65fb717d62acf3a806 (patch) | |
tree | f744dcbdef7864a1f5915564bde3e11e133a1ecd | |
parent | 2e9136e085f9a88741c594b44037b2f86474882f (diff) | |
parent | 3e20aeb18e418a5a1a7821fd8c3f0d0bc5169489 (diff) | |
download | samba-a991c5a7c30253fa36e1ee65fb717d62acf3a806.tar.gz samba-a991c5a7c30253fa36e1ee65fb717d62acf3a806.tar.bz2 samba-a991c5a7c30253fa36e1ee65fb717d62acf3a806.zip |
Merge branch 'v3-3-test' of ssh://jra@git.samba.org/data/git/samba into v3-3-test
(This used to be commit 3d01248f63d0d476c16236453983ffe759d0b2c2)
150 files changed, 26822 insertions, 314 deletions
diff --git a/docs-xml/Makefile b/docs-xml/Makefile index 70ffdc13bb..2acef3e243 100644 --- a/docs-xml/Makefile +++ b/docs-xml/Makefile @@ -61,7 +61,7 @@ clean:: $(patsubst %.svg,%.eps,$(foreach DOC,$(MAIN_DOCS),$($(DOC)-images-latex-svg))) rm -f *-attributions.xml *.d *.tpt *.tex *.loc *.toc *.lof *.glo *.idx *.aux rm -f *-images-html* - rm -f *-images-latex-* latexfigures + rm -f *-images-latex-* $(LATEX_FIGURES) rm -f xslt/figures/*pdf rm -f $(SMBDOTCONFDOC)/parameters.*.xml rm -f $(addsuffix .*,$(MAIN_DOCS)) @@ -145,13 +145,11 @@ $(TXTDIR)/%.txt: $(HTMLDIR)/%.html @mkdir -p $(@D) @$(XSLTPROC) $(DB2LATEX_ARGS) --stringparam latex.imagebasedir "$*/" --xinclude --output $@ xslt/latex.xsl $< -latexfigures:: $(LATEX_FIGURES) - $(PDFDIR)/%.pdf: %.pdf @mkdir -p $(@D) cp $< $@ -%.idx: %.tex latexfigures +%.idx: %.tex $(LATEX_FIGURES) -$(PDFLATEX) $< %.ind: %.idx @@ -193,7 +191,7 @@ endif endif # Adobe PDF files -%.pdf: %.tex %.ind latexfigures %-images-latex-png %-images-latex-pdf +%.pdf: %.tex %.ind $(LATEX_FIGURES) %-images-latex-png %-images-latex-pdf -$(PDFLATEX) $< -$(PDFLATEX) $< -$(PDFLATEX) $< @@ -328,5 +326,5 @@ distclean clobber:: clean # Always keep intermediate files if we can .SECONDARY: -.PHONY: clean clobber archive release everything all latexfigures +.PHONY: clean clobber archive release everything all diff --git a/docs-xml/smbdotconf/filename/maxstatcachesize.xml b/docs-xml/smbdotconf/filename/maxstatcachesize.xml index 607fe5840f..590b21615d 100644 --- a/docs-xml/smbdotconf/filename/maxstatcachesize.xml +++ b/docs-xml/smbdotconf/filename/maxstatcachesize.xml @@ -5,12 +5,13 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This parameter limits the size in memory of any - <parameter moreinfo="none">stat cache</parameter> being used - to speed up case insensitive name mappings. This parameter is - the number of kilobyte (1024) units the stat cache can use. - A value of zero means unlimited which is not advised aŃ• it can - use a lot of memory. - You should not need to change this parameter.</para> + <parameter moreinfo="none">stat cache</parameter> being used + to speed up case insensitive name mappings. It represents + the number of kilobyte (1024) units the stat cache can use. + A value of zero, meaning unlimited, is not advisable due to + increased memory useage. You should not need to change this + parameter. + </para> </description> <related>stat cache</related> <value type="default">256</value> diff --git a/docs-xml/using_samba/appa.xml b/docs-xml/using_samba/appa.xml new file mode 100644 index 0000000000..825b818254 --- /dev/null +++ b/docs-xml/using_samba/appa.xml @@ -0,0 +1,1147 @@ +<appendix label="A" id="SAMBA-AP-A"> +<title>Configuring Samba with SSL</title> + + + + +<para> +<indexterm id="appa-idx-990325-0" class="startofrange"><primary>configuring Samba</primary><secondary sortas="SSL">with SSL</secondary></indexterm> +<indexterm id="appa-idx-990325-1" class="startofrange"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>configuring Samba with</secondary></indexterm>This appendix describes how to set up Samba to use secure connections between the Samba server and its clients. The protocol used here is Netscape's Secure Sockets Layer (SSL). For this example, we will establish a secure connection between a Samba server and a Windows NT workstation.</para> + + +<para>Before we begin, we will assume that you are familiar with the fundamentals of public-key cryptography and X.509 certificates. If not, we highly recommend Bruce Schneier's <filename>Applied Cryptography, 2nd Edition</filename> (Wiley) as the premiere source for learning the many secret faces of cryptography.</para> + + +<tip role="ora"> +<para>If you would like more information on Samba and SSL, be sure to look at the document <filename>SSLeay.txt</filename> in the <filename>docs/textdocs</filename> directory of the Samba distribution, which is the basis for this appendix.</para> + +</tip> + + + + + + + + + + + +<sect1 role="" label="A.1" id="appa-SECT-1"> +<title>About Certificates</title> + + +<para>Here are a few quick questions and answers from the <filename>SSLeay.txt</filename> file in the Samba documentation, regarding the benefits of SSL and certificates. This text was written by Christian Starkjohann for the Samba projects.</para> + + +<sect2 role="" label="A.1.1" id="appa-SECT-1.1"> +<title>What is a Certificate?</title> + + +<para>A certificate is issued by an issuer, usually a <emphasis>Certification Authority</emphasis> (CA), who confirms something by issuing the certificate. The subject of this confirmation depends on the CA's policy. CAs for secure web servers (used for shopping malls, etc.) usually attest only that the given public key belongs the given domain name. Company-wide CAs might attest that you are an employee of the company, that you have permissions to use a server, and so on.</para> +</sect2> + + + + + +<sect2 role="" label="A.1.2" id="appa-SECT-1.2"> +<title>What is an X.509 certificate, technically?</title> + + +<para>Technically, the certificate is a block of data signed by the certificate issuer (the CA). The relevant fields are:</para> + + +<itemizedlist> + +<listitem><para> +Unique identifier (name) of the certificate issuer</para></listitem> + +<listitem><para>Time range during which the certificate is valid</para></listitem> + +<listitem><para>Unique identifier (name) of the certified object</para></listitem> + +<listitem><para>Public key of the certified object</para></listitem> + +<listitem><para>The issuer's signature over all the above</para></listitem> + +</itemizedlist> + +<para>If this certificate is to be verified, the verifier must have a table of the names and public keys of trusted CAs. For simplicity, these tables should list certificates issued by the respective CAs for themselves (self-signed certificates).</para> +</sect2> + + + + + +<sect2 role="" label="A.1.3" id="appa-SECT-1.3"> +<title>What are the implications of this certificate structure?</title> + + +<para>Four implications follow:</para> + + +<itemizedlist> + +<listitem><para>Because the certificate contains the subjects's public key, the certificate and the private key together are all that is needed to encrypt and decrypt.</para></listitem> + +<listitem><para>To verify certificates, you need the certificates of all CAs you trust.</para></listitem> + +<listitem><para>The simplest form of a dummy-certificate is one that is signed by the subject.</para></listitem> + +<listitem><para>A CA is needed. The client can't simply issue local certificates for servers it trusts because the server determines which certificate it presents.</para></listitem> + +</itemizedlist> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="A.2" id="appa-SECT-2"> +<title>Requirements</title> + + +<para> +<indexterm id="appa-idx-990348-0"><primary>configuring Samba</primary><secondary sortas="SSL">with SSL</secondary><tertiary>requirements for</tertiary></indexterm> +<indexterm id="appa-idx-990348-1"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>configuring Samba with</secondary><tertiary>requirements for</tertiary></indexterm>To set up SSL connections, you will need to download two programs in addition to Samba:</para> + + +<variablelist> +<varlistentry><term> +<indexterm id="appa-idx-990613-0" class="startofrange"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>SSLeay</secondary></indexterm>SSLeay</term> +<listitem><para>Eric <indexterm id="appa-idx-990362-0"><primary>Young, Eric</primary></indexterm>Young's implementation of the Secure Socket's Layer (SSL) protocol as a series of Unix programming libraries</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="appa-idx-990357-0"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>SS Proxy</secondary></indexterm>SSL Proxy</term> +<listitem><para>A freeware SSL application from Objective Development, which can be used to proxy a secure link on Unix or Windows NT platforms</para></listitem> +</varlistentry> +</variablelist> + + +<para>These two products assist with the server and client side of the encrypted SSL connection. The SSLeay libraries are compiled and installed directly on the Unix system. SSL Proxy, on the other hand, can be downloaded and compiled (or downloaded in binary format) and located on the client side. If you intend to have a Windows NT client or a Samba client on the other end of the SSL connection, you will not require a special setup.</para> + + +<para>SSL Proxy, however, does not work on Windows 95/98 machines. Therefore, if you want to have a secure connection between a Samba server and Windows 95/98 client, you will need to place either a Unix server or a Windows NT machine on the same subnet with the Windows 9<emphasis>x</emphasis> clients and route all network connections through the SSL-Proxy-enabled machine. See <link linkend="appa-89929">Figure 1.1</link>.</para> + + +<figure label="A.1" id="appa-89929"> +<title>Two possible ways of proxying Windows 95/98 clients</title> + +<graphic width="502" depth="317" fileref="figs/sam.aa01.gif"></graphic> +</figure> + +<para>For the purposes of this chapter, we will create a simple SSL connection between the Samba server and a Windows NT client. This configuration can be used to set up more complex networks at the administrator's discretion.</para> +</sect1> + + + + + + + + + +<sect1 role="" label="A.3" id="appa-SECT-3"> +<title>Installing SSLeay</title> + + +<para>Samba uses the SSLeay package, written by Eric Young, to provide Secure Sockets Layer support on the server side. Because of U.S. export law, however, the SSLeay package cannot be shipped with Samba distributions that are based in the United States. For that reason, the Samba creators decided to leave it as a separate package entirely. You can download the SSLeay distribution from any of the following sites:</para> + + +<itemizedlist> + +<listitem><para><systemitem role="ftpurl">ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/</systemitem></para></listitem> + +<listitem><para><systemitem role="ftpurl">ftp://ftp.uni-mainz.de/pub/internet/security/ssl</systemitem></para></listitem> + +<listitem><para><systemitem role="ftpurl">ftp://ftp.cert.dfn.de/pub/tools/crypt/sslapps</systemitem></para></listitem> + +<listitem><para><systemitem role="ftpurl">ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.psy.uq.oz.au</systemitem></para></listitem> + +<listitem><para><systemitem role="ftpurl">ftp://ftp.sunet.se/ftp/pub/security/tools/crypt/ssleay</systemitem></para></listitem> + +</itemizedlist> + +<para>The latest version as of this printing is 0.9.0b. Download it to the same server as the Samba distribution, then uncompress and untar it. You should be left with a directory entitled <filename>SSLeay-0.9.0b</filename>. After changing to that directory, you will need to configure and build the SSL encryption package in the same way that you did with Samba.</para> + + +<para>SSLeay uses a Perl-based <filename>configure</filename> script. This script modifies the Makefile that constructs the utilities and libraries of the SSLeay package. However, the default script is hardcoded to find Perl at <filename>/usr/local/bin/perl</filename>. You may need to change the <filename>configure</filename> script to point to the location of the Perl executable file on your Unix system. For example, you can type the following to locate the Perl executable:</para> + + +<programlisting># <userinput>which perl</userinput> +/usr/bin/perl</programlisting> + + +<para>Then modify the first line of the <filename>configure</filename> script to force it to use the correct Perl executable. For example, on our Red Hat Linux system:</para> + + +<programlisting>#!/usr/bin/perl +# +# see PROBLEMS for instructions on what sort of things to do +# when tracking a bug -tjh +...</programlisting> + + +<para>After that, you need to run the <filename>configure</filename> script by specifying a target platform for the distribution. This target platform can be any of the following:</para> + + +<programlisting>BC-16 BC-32 FreeBSD NetBSD-m86 +NetBSD-sparc NetBSD-x86 SINIX-N VC-MSDOS +VC-NT VC-W31-16 VC-W31-32 VC-WIN16 +VC-WIN32 aix-cc aix-gcc alpha-cc +alpha-gcc alpha400-cc cc cray-t90-cc +debug debug-irix-cc debug-linux-elf dgux-R3-gcc +dgux-R4-gcc dgux-R4-x86-gcc dist gcc +hpux-cc hpux-gcc hpux-kr-cc irix-cc +irix-gcc linux-aout linux-elf ncr-scde +nextstep purify sco5-cc solaris-sparc-cc +solaris-sparc-gcc solaris-sparc-sc4 solaris-usparc-sc4 solaris-x86-gcc +sunos-cc sunos-gcc unixware-2.0 unixware</programlisting> + + +<para>For our system, we would enter the following:</para> + + +<programlisting># <userinput>./Configure linux-elf</userinput> +CC =gcc +CFLAG =-DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer +EX_LIBS = +BN_MULW =asm/bn86-elf.o +DES_ENC =asm/dx86-elf.o asm/yx86-elf.o +BF_ENC =asm/bx86-elf.o +CAST_ENC =asm/cx86-elf.o +RC4_ENC =asm/rx86-elf.o +RC5_ENC =asm/r586-elf.o +MD5_OBJ_ASM =asm/mx86-elf.o +SHA1_OBJ_ASM =asm/sx86-elf.o +RMD160_OBJ_ASM=asm/rm86-elf.o +THIRTY_TWO_BIT mode +DES_PTR used +DES_RISC1 used +DES_UNROLL used +BN_LLONG mode +RC4_INDEX mode</programlisting> + + +<para>After the package has been configured, you can build it by typing <literal>make</literal>. If the build did not successfully complete, consult the documentation that comes with the distribution or the FAQ at <systemitem role="url">http://www.cryptsoft.com/ssleay/</systemitem> for more information on what may have happened. If the build did complete, type <literal>make</literal> <literal>install</literal> to install the libraries on the system. Note that the makefile installs the package in <filename>/usr/local/ssl</filename> by default. If you decide to install it in another directory, remember the directory when configuring Samba to use SSL.</para> + + +<sect2 role="" label="A.3.1" id="appa-SECT-3.1"> +<title>Configuring SSLeay for Your System</title> + + +<para>The first thing you need to do is to set the <literal>PATH</literal> environment variable on your system to include the <filename>/bin</filename> directory of the SSL distribution. This can be done with the following statement:</para> + + +<programlisting>PATH=$PATH:/usr/local/ssl/bin</programlisting> + + +<para>That's the easy part. Following that, you will need to create a random series of characters that will be used to prime SSLeay's random number generator. The random number generator will be used to create key pairs for both the clients and the server. You can create this random series by filling a text file of a long series of random characters. For example, you can use your favorite editor to create a text file with random characters, or use this command and enter arbitrary characters at the standard input:</para> + + +<programlisting>cat >/tmp/private.txt</programlisting> + + +<para>The Samba documentation recommends that you type characters for longer than a minute before interrupting the input stream by hitting Control-D. Try not to type only the characters that are under your fingers on the keyboard; throw in some symbols and numbers as well. Once you've completed the random file, you can prime the random number generator with the following command:</para> + + +<programlisting># ssleay genrsa -rand /tmp/private.txt >/dev/null +2451 semi-random bytes loaded +Generating RSA private key, 512 bit long modulus +..+++++ +.................................+++++ +e is 65537 (0x10001)</programlisting> + + +<para>You can safely ignore the output of this command. After it has completed, remove the series of characters used to create the key because this could be used to recreate any private keys that were generated from this random number generator:</para> + + +<programlisting>rm -f /tmp/private.txt</programlisting> + + +<para>The result of this command is the hidden file .<emphasis>rnd</emphasis>, which is stored in your home directory. SSLeay will use this file when creating key pairs in the future.</para> +</sect2> + + + + + +<sect2 role="" label="A.3.2" id="appa-SECT-3.2"> +<title>Configuring Samba to use SSL</title> + + +<para> +<indexterm id="appa-idx-990398-0"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>configuring Samba to use</secondary></indexterm>At this point, you can compile Samba to use SSL. Recall that in <link linkend="SAMBA-CH-2">Chapter 2</link>, we said you have to first run the configure script, which initializes the makefile, before you compile Samba. In order to use SSL with Samba, you will need to reconfigure the makefile:</para> + + +<programlisting>./configure --with-ssl</programlisting> + + +<para>After that, you can compile Samba with the following commands:</para> + + +<programlisting># <userinput>make clean</userinput> +# <userinput>make all</userinput></programlisting> + + +<para>If you encounter an error that says the <filename>smbd</filename> executable is missing the file <filename>ssl.h</filename>, you probably didn't install SSLeay in the default directory. Use the configure option <literal>--with-sslinc</literal> to point to the base directory of the SSL distribution—in this case, the directory that contains <emphasis>include/ssl.h</emphasis>.</para> + + +<para>On the other hand, if you have a clean compile, you're ready to move on to the next step: creating certificates.</para> +</sect2> + + + + + +<sect2 role="" label="A.3.3" id="appa-62097"> +<title>Becoming a Certificate Authority</title> + + +<para><firstterm></firstterm> +<indexterm id="appa-idx-990405-0" class="startofrange"><primary>certificate authority</primary></indexterm>The SSL protocol requires the use of X.509 certificates in the protocol handshake to ensure that either one or both parties involved in the communication are indeed who they say they are. Certificates in real life, such as those use for SSL connections on public web sites, can cost in the arena of $300 a year. This is because the certificate must have a digital signature placed on it by a <firstterm>certificate authority</firstterm>. A certificate authority is an entity that vouches for the authenticity of a digital certificate by signing it with its own private key. This way, anyone who wishes to check the authenticity of the certificate can simply use the certificate authority's public key to check the signature.</para> + + +<para>You are allowed to use a public certificate authority with SSLeay. However, you don't have to. Instead, SSLeay will allow you to declare yourself a trusted certificate authority—specifying which clients you choose to trust and which clients you do not. In order to do this, you will need to perform several tasks with the SSLeay distribution.</para> + + +<para>The first thing you need to do is specify a secure location where the certificates of the clients and potentially the server will be stored. We have chosen <filename>/etc/certificates</filename> as our default. Execute the following commands as <literal>root</literal>:</para> + + +<programlisting># <userinput>cd /etc</userinput> +# <userinput>mkdir certificates</userinput> +# <userinput>chmod 700 certificates</userinput></programlisting> + + +<para>Note that we shut out all access to users other than <literal>root</literal> for this directory. This is very important.</para> + + +<para>Next, you need to set up the SSLeay scripts and configuration files to use the certificates stored in this directory. In order to do this, first modify the <filename>CA.sh</filename> script located at <emphasis>/usr/local/ssl/bin/CA.sh</emphasis> to specify the location of the directory you just created. Find the line that contains the following entry:</para> + + +<programlisting>CATOP=./demoCA</programlisting> + + +<para>Then change it to:</para> + + +<programlisting>CATOP=/etc/certificates</programlisting> + + +<para>Next, you need to modify the <emphasis>/usr/local/ssl/lib/ssleay.cnf</emphasis> file to specify the same directory. Find the entry:</para> + + +<programlisting>[ CA_default ] +dir = ./demoCA # Where everything is kept</programlisting> + + +<para>Then change it to:</para> + + +<programlisting>[ CA_default ] +dir = /etc/certificates # Where everything is kept</programlisting> + + +<para>Next, run the certificate authority setup script, <filename>CA.sh</filename>, in order to create the certificates. Be sure to do this as the same user that you used to prime the random number generator above:</para> + + +<programlisting>/usr/local/ssl/bin/CA.sh -newca +mkdir: cannot make directory '/etc/certificates': File exists +CA certificate filename (or enter to create)</programlisting> + + +<para>Press the Enter key to create a certificate for the CA. You should then see:</para> + + +<programlisting>Making CA certificate ... +Using configuration from /usr/local/ssl/lib/ssleay.cnf +Generating a 1024 bit RSA private key +.............................+++++ +.....................+++++ +writing new private key to /etc/certificates/private/cakey.pem +Enter PEM pass phrase:</programlisting> + + +<para>Enter a new pass phrase for your certificate. You will need to enter it twice correctly before SSLeay will accept it:</para> + + +<programlisting>Enter PEM pass phrase: +Verifying password - Enter PEM pass phrase:</programlisting> + + +<para>Be sure to remember this pass phrase. You will need it to sign the client certificates in the future. Once SSLeay has accepted the pass phrase, it will continue on with a series of questions for each of the fields in the X509 certificate:</para> + + +<programlisting>You are about to be asked to enter information that will be +incorporated into your certificate request. +What you are about to enter is what is called a Distinguished +Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank.</programlisting> + + +<para>Fill out the remainder of the fields with information about your organization. For example, our certificate looks like this:</para> + + +<programlisting>Country Name (2 letter code) [AU]:<userinput>US</userinput> +State or Province Name (full name) [Some-State]:<userinput>California</userinput> +Locality Name (eg, city) []:<userinput>Sebastopol</userinput> +Organization Name (eg, company) []:<userinput>O'Reilly</userinput> +Organizational Unit Name (eg, section) []:<userinput>Books</userinput> +Common Name (eg, YOUR name) []:<userinput>John Doe</userinput> +Email Address []:<userinput>doe@ora.com</userinput></programlisting> + + +<para>After that, SSLeay will be configured as a certificate authority and can be used to sign certificates for client machines that will be connecting to the Samba server.</para> +</sect2> + + + + + +<sect2 role="" label="A.3.4" id="appa-SECT-3.4"> +<title>Creating Certificates for Clients</title> + + +<para>It's simple to create a certificate for a client machine. First, you need to generate a public/private key pair for each entity, create a certificate request file, and then use <emphasis>SSLeay</emphasis> to sign the file as a trusted authority.</para> + + +<para>For our example client <literal>phoenix</literal>, this boils down to three SSLeay commands. The first generates a key pair for the client and places it in the file <filename>phoenix.key</filename>. The private key will be encrypted, in this case using triple DES. Enter a pass phrase when requested below—you'll need it for the next step:</para> + + +<programlisting># ssleay genrsa -des3 1024 >phoenix.key +1112 semi-random bytes loaded +Generating RSA private key, 1024 bit long modulus +........................................+++++ +.............+++++ +e is 65537 (0x10001) +Enter PEM pass phrase: +Verifying password - Enter PEM pass phrase:</programlisting> + + +<para>After that command has completed, type in the following command:</para> + + +<programlisting># <userinput>ssleay req -new -key phoenix.key -out phoenix-csr</userinput> +Enter PEM pass phrase:</programlisting> + + +<para>Enter the pass phrase for the client certificate you just created (not the certificate authority). At this point, you will need to answer the questionnaire again, this time for the client machine. In addition, you must type in a challenge password and an optional company name—those do not matter here. When the command completes, you will have a certificate request in the file <emphasis>phoenix-csr.</emphasis></para> + + +<para>Then, you must sign the certificate request as the trusted certificate authority. Type in the following command:</para> + + +<programlisting># <userinput>ssleay ca -days 1000 -inflies phoenix-csr >phoenix.pem</userinput></programlisting> + + +<para>This command will prompt you to enter the PEM pass phrase of the <emphasis>certificate authority</emphasis>. Be sure that you do not enter the PEM pass phrase of the client certificate that you just created. After entering the correct pass phrase, you should see the following:</para> + + +<programlisting>Check that the request matches the signature +Signature ok +The Subjects Distinguished Name is as follows: +...</programlisting> + + +<para>This will be followed by the information that you just entered for the client certificate. If there is an error in the fields, the program will notify you. On the other hand, if everything is fine, SSLeay will confirm that it should sign the certificate and commit it to the database. This adds a record of the certificate to the <filename>/etc/certificates/newcerts</filename> directory.</para> + + +<para>The operative files at the end of this exercise are the <emphasis>phoenix.key</emphasis> and <emphasis>phoenix.pem</emphasis> files, which reside in the current directory. These files will be passed off to the client with whom the SSL-enabled Samba server will interact, and will be used by SSL Proxy.<firstterm></firstterm> +<indexterm id="appa-idx-990421-0" class="endofrange" startref="appa-idx-990405-0"/></para> +</sect2> + + + + + +<sect2 role="" label="A.3.5" id="appa-SECT-3.5"> +<title>Configuring the Samba Server</title> + + +<para>The next step is to modify the Samba configuration file to include the following setup options. These options assume that you created the certificates directory for the certificate authority at <filename>/etc/certificates </filename>:</para> + + +<programlisting>[global] + ssl = yes + ssl server cert = /etc/certificates/cacert.pem + ssl server key = /etc/certificates/private/cakey.pem + ssl CA certDir = /etc/certificates</programlisting> + + +<para>At this point, you will need to kill the Samba daemons and restart them manually:</para> + + +<programlisting># <userinput>nmbd -D</userinput> +# <userinput>smbd -D</userinput> +Enter PEM pass phrase:</programlisting> + + +<para>You will need to enter the PEM pass phrase of the certificate authority to start up the Samba daemons. Note that this may present a problem in terms of starting the program using ordinary means. However, you can get around this using advanced scripting languages, such as Expect or Python.</para> +</sect2> + + + + + +<sect2 role="" label="A.3.6" id="appa-SECT-3.6"> +<title>Testing with smbclient</title> + + +<para>A good way to test whether Samba is working properly is to use the <emphasis>smbclient</emphasis> program. On the Samba server, enter the following command, substituting the appropriate share and user for a connection:</para> + + +<programlisting># <userinput>smbclient //hydra/data -U tom</userinput></programlisting> + + +<para>You should see several debugging statements followed by a line indicating the negotiated cipher, such as:</para> + + +<programlisting>SSL: negotiated cipher: DES-CBC3-SHA</programlisting> + + +<para>After that, you can enter your password and connect to the share normally. If this works, you can be sure that Samba is correctly supporting SSL connections. Now, on to the client setup. <indexterm id="appa-idx-990386-0" class="endofrange" startref="appa-idx-990613-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="A.4" id="appa-SECT-4"> +<title>Setting Up SSL Proxy</title> + + +<para>The <indexterm id="appa-idx-990393-0"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>SS Proxy</secondary><tertiary>setting up</tertiary></indexterm>SSL Proxy program is available as a standalone binary or as source code. You can download it from <systemitem role="url">http://obdev.at/Products/sslproxy.html</systemitem>.</para> + + +<para>Once it is downloaded, you can configure and compile it like Samba. We will configure it on a Windows NT system. However, setting it up for a Unix system involves a nearly identical series of steps. Be sure that you are the superuser (administrator) for the next series of steps.</para> + + +<para>If you downloaded the binary for Windows NT, you should have the following files in a directory:</para> + + +<itemizedlist> + +<listitem><para><filename>cygwinb19.dll</filename></para></listitem> + +<listitem><para><filename>README.TXT</filename></para></listitem> + +<listitem><para><filename>sslproxy.exe</filename></para></listitem> + +<listitem><para><filename>dummyCert.pem</filename></para></listitem> + +</itemizedlist> + +<para>The only one that you will be interested in is the SSL Proxy executable. Copy over the <emphasis>phoenix.pem</emphasis> and <emphasis>phoenix.key</emphasis> files that you generated earlier for the client to the same directory as the SSL proxy executable. Make sure that the directory is secure from the prying eyes of other users.</para> + + +<para>The next step is to ensure that the Windows NT machine can resolve the NetBIOS name of the Samba server. This means that you should either have a WINS server up and running (the Samba server can perform this task with the <literal>wins</literal> <literal>support</literal> <literal>=</literal> <literal>yes</literal> option) or have it listed in the appropriate <emphasis>hosts</emphasis> file of the system. See <link linkend="SAMBA-CH-7">Chapter 7</link>, for more information on WINS server.<footnote label="1" id="appa-pgfId-986801"> + + +<para>If you are running SSL Proxy on a Unix server, you should ensure that the DNS name of the Samba server can be resolved.</para> + + +</footnote></para> + + +<para>Finally, start up SSL Proxy with the following command. Here, we assume that <literal>hydra</literal> is the name of the Samba server:</para> + + +<programlisting>#<userinput> C:\SSLProxy>sslproxy -l 139 -R hydra -r 139 -n -c phoenix.pem -k phoenix.key</userinput></programlisting> + + +<para>This tells SSL Proxy to listen for connections to port 139 and relay those requests to port 139 on the NetBIOS machine <literal>hydra</literal>. It also instructs SSL Proxy to use the <filename>phoenix.pem</filename> and <filename>phoenix.key</filename> files to generate the certificate and keys necessary to initiate the SSL connection. SSL Proxy responds with:</para> + + +<programlisting>Enter PEM pass phrase:</programlisting> + + +<para>Enter the PEM pass phrase of the client keypair that you generated, <emphasis>not</emphasis> the certificate authority. You should then see the following output:</para> + + +<programlisting>SSL: No verify locations, trying default +proxy ready, listening for connections</programlisting> + + +<para>That should take care of the client. You can place this command in a startup sequence on either Unix or Windows NT if you want this functionality available at all times. Be sure to set any clients you have connecting to the NT server (including the NT server itself) to point to this server instead of the Samba server.</para> + + +<para>After you've completed setting this up, try to connect using clients that proxy through the NT server. You should find that it works almost transparently.</para> +</sect1> + + + + + + + + + +<sect1 role="" label="A.5" id="appa-SECT-5"> +<title>SSL Configuration Options</title> + + +<para> +<indexterm id="appa-idx-990427-0" class="startofrange"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>configuration options for</secondary></indexterm><link linkend="appa-61150">Table 1.1</link> summarizes the configuration options introduced in the previous section for using SSL. Note that all of these options are global in scope; in other words, they must appear in the <literal>[global]</literal> section of the configuration file.</para> + + +<table label="A.1" id="appa-61150"> +<title>SSL Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>ssl</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Indicates whether SSL mode is enabled with Samba.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl hosts</literal></para></entry> + +<entry colname="col2"><para>string (list of addresses)</para></entry> + +<entry colname="col3"><para>Specifies a list of hosts that must always connect using SSL.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl hosts resign</literal></para></entry> + +<entry colname="col2"><para>string (list of addresses)</para></entry> + +<entry colname="col3"><para>Specifies a list of hosts that never connect using SS.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl CA certDir</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the directory where the certificates are stored.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl CA certFile</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies a file that contains all of the certificates for Samba.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl server cert</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the location of the server's certificate.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl server key</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the location of the server's private key.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl client cert</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the location of the client's certificate.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl client key</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the location of the client's private key.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl require clientcert</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Indicates whether Samba should require each client to have a certificate.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl require servercert</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Indicates whether the server itself should have a certificate.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl ciphers</literal></para></entry> + +<entry colname="col2"><para>String</para></entry> + +<entry colname="col3"><para>Specifies the cipher suite to use during protocol negotiation.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl version</literal></para></entry> + +<entry colname="col2"><para><literal>ssl2or3</literal>, <literal>ssl3</literal>, or <literal>tls1</literal></para></entry> + +<entry colname="col3"><para>Specifies the version of SSL to use.</para></entry> + +<entry colname="col4"><para><literal>ssl2or3</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ssl compatibility</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Indicates whether compatibility with other implementations of SSL should be activated.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="A.5.1" id="appa-SECT-5.0.1"> +<indexterm id="appa-idx-990620-0"><primary>ssl option</primary></indexterm> +<title> +ssl</title> + + +<para>This global option configures Samba to use SSL for communication between itself and clients. The default value of this option is <literal>no</literal>. You can reset it as follows:</para> + + +<programlisting>[global] + ssl = yes</programlisting> + + +<para>Note that in order to use this option, you must have a proxy for Windows 95/98 clients, such as in the model presented earlier in this chapter.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.2" id="appa-SECT-5.0.2"> +<indexterm id="appa-idx-990625-0"><primary>ssl hosts option</primary></indexterm> +<title> +ssl hosts</title> + + +<para>This option specifies the hosts that will be forced into using SSL. The syntax for specifying hosts and addresses is the same as the <literal>hosts</literal> <literal>allow</literal> and the <literal>hosts</literal> <literal>deny</literal> configuration options. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220.</programlisting> + + +<para>This example specifies that all hosts that fall into the 192.168.220 subnet must use SSL connections with the client. This type of structure is useful if you know that various connections will be made by a subnet that lies across an untrusted network, such as the Internet. If neither this option nor the <literal>ssl</literal> <literal>hosts</literal> <literal>resign</literal> option has been specified, and <literal>ssl</literal> is set to <literal>yes</literal>, Samba will allow only SSL connections from all clients.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.3" id="appa-SECT-5.0.3"> +<indexterm id="appa-idx-990628-0"><primary>ssl hosts resign option</primary></indexterm> +<title> +ssl hosts resign</title> + + +<para>This option specifies the hosts that will <emphasis>not</emphasis> be forced into SSL mode. The syntax for specifying hosts and addresses is the same as the <literal>hosts</literal> <literal>allow</literal> and the <literal>hosts</literal> <literal>deny</literal> configuration options. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts resign = 160.2.310. 160.2.320.</programlisting> + + +<para>This example specifies that all hosts that fall into the 160.2.310 or 160.2.320 subnets will not use SSL connections with the client. If neither this option nor the <literal>ssl</literal> <literal>hosts</literal> option has been specified, and <literal>ssl</literal> is set to <literal>yes</literal>, Samba will allow only SSL connections from all clients.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.4" id="appa-SECT-5.0.4"> +<indexterm id="appa-idx-990631-0"><primary>ssl CA certDir option</primary></indexterm> +<title> +ssl CA certDir</title> + + +<para>This option specifies the directory containing the certificate authority's certificates that Samba will use to authenticate clients. There must be one file in this directory for each certificate authority, named as specified earlier in this chapter. Any other files in this directory are ignored. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certDir = /usr/local/samba/cert</programlisting> + + +<para>There is no default for this option. You can alternatively use the option <literal>ssl</literal> <literal>CA</literal> <literal>certFile</literal> if you wish to place all the certificate authority information in the same file.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.5" id="appa-SECT-5.0.5"> +<indexterm id="appa-idx-990634-0"><primary>ssl CA certFile option</primary></indexterm> +<title> +ssl CA certFile</title> + + +<para>This option specifies a file that contains the certificate authority's certificates that Samba will use to authenticate clients. This option differs from <literal>ssl</literal> <literal>CA</literal> <literal>certDir</literal> in that there is only one file used for all the certificate authorities. An example of its usage follows:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile</programlisting> + + +<para>There is no default for this option. You can also use the option <literal>ssl</literal> <literal>CA</literal> <literal>certDir</literal> if you wish to have a separate file for each certificate authority that Samba trusts.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.6" id="appa-SECT-5.0.6"> +<indexterm id="appa-idx-990637-0"><primary>ssl server cert option</primary></indexterm> +<title> +ssl server cert</title> + + +<para>This option specifies the location of the server's certificate. This option is mandatory; the server must have a certificate in order to use SSL. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl server cert = /usr/local/samba/private/server.pem</programlisting> + + +<para>There is no default for this option. Note that the certificate may contain the private key for the server.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.7" id="appa-SECT-5.0.7"> +<indexterm id="appa-idx-990640-0"><primary>ssl server key option</primary></indexterm> +<title> +ssl server key</title> + + +<para>This option specifies the location of the server's private key. You should ensure that the location of the file cannot be accessed by anyone other than <literal>root</literal>. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl server key = /usr/local/samba/private/samba.pem</programlisting> + + +<para>There is no default for this option. Note that the private key may be contained in the certificate for the server.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.8" id="appa-SECT-5.0.8"> +<indexterm id="appa-idx-990643-0"><primary>ssl client cert option</primary></indexterm> +<title> +ssl client cert</title> + + +<para>This option specifies the location of the client's certificate. The certificate may be requested by the Samba server with the <literal>ssl</literal> <literal>require</literal> <literal>clientcert</literal> option; the certificate is also used by <filename>smbclient</filename>. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl server cert = /usr/local/ssl/private/server.pem + ssl client cert= /usr/local/ssl/private/clientcert.pem</programlisting> + + +<para>There is no default for this option.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.9" id="appa-SECT-5.0.9"> +<indexterm id="appa-idx-990646-0"><primary>ssl client key option</primary></indexterm> +<title> +ssl client key</title> + + +<para>This option specifies the location of the client's private key. You should ensure that the location of the file cannot be accessed by anyone other than <literal>root</literal>. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certDir = /usr/local/samba/cert/ + ssl server key = /usr/local/ssl/private/samba.pem + ssl client key = /usr/local/ssl/private/clients.pem</programlisting> + + +<para>There is no default for this option. This option is only needed if the client has a certificate.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.10" id="appa-SECT-5.0.10"> +<indexterm id="appa-idx-990649-0"><primary>ssl require clientcert option</primary></indexterm> +<title> +ssl require clientcert</title> + + +<para>This option specifies whether the client is required to have a certificate. The certificates listed with either the <literal>ssl</literal> <literal>CA</literal> <literal>certDir</literal> or the <literal>ssl</literal> <literal>CA</literal> <literal>certFile</literal> will be searched to confirm that the client has a valid certificate and is authorized to connect to the Samba server. The value of this option is a simple boolean. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl require clientcert = yes</programlisting> + + +<para>We recommend that you require certificates from all clients that could be connecting to the Samba server. The default value for this option is <literal>no</literal>.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.11" id="appa-SECT-5.0.11"> +<indexterm id="appa-idx-990652-0"><primary>ssl require servercert option</primary></indexterm> +<title> +ssl require servercert</title> + + +<para>This option specifies whether the server is required to have a certificate. Again, this will be used by the <filename>smbclient</filename> program. The value of this option is a simple boolean. For example:</para> + + +<programlisting>[global] + ssl = yes + ssl hosts = 192.168.220. + ssl CA certFile = /usr/local/samba/cert/certFile + ssl require clientcert = yes + ssl require servercert = yes</programlisting> + + +<para>Although we recommend that you require certificates from all clients that could be connecting to the Samba server, a server certificate is not required. It is, however, recommended. The default value for this option is <literal>no</literal>.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.12" id="appa-SECT-5.0.12"> +<indexterm id="appa-idx-990655-0"><primary>ssl ciphers option</primary></indexterm> +<title> +ssl ciphers</title> + + +<para>This option sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection. Samba can use any of the following ciphers:</para> + + +<programlisting>DEFAULT +DES-CFB-M1 +NULL-MD5 +RC4-MD5 +EXP-RC4-MD5 +RC2-CBC-MD5 +EXP-RC2-CBC-MD5 +IDEA-CBC-MD5 +DES-CBC-MD5 +DES-CBC-SHA +DES-CBC3-MD5 +DES-CBC3-SHA +RC4-64-MD5 +NULL</programlisting> + + +<para>It is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific cipher suite.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.13" id="appa-SECT-5.0.13"> +<indexterm id="appa-idx-990658-0"><primary>ssl version option</primary></indexterm> +<title> +ssl version</title> + + +<para>This global option specifies the version of SSL that Samba will use when handling encrypted connections. The default value is <literal>ssl2or3</literal>, which specifies that either version 2 or 3 of the SSL protocol can be used, depending on which version is negotiated in the handshake between the server and the client. However, if you want Samba to use only a specific version of the protocol, you can specify the following:</para> + + +<programlisting>[global] + ssl version = ssl3</programlisting> + + +<para>Again, it is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific version.</para> +</sect2> + + + + + +<sect2 role="" label="A.5.14" id="appa-SECT-5.0.14"> +<indexterm id="appa-idx-990661-0"><primary>ssl compatibility option</primary></indexterm> +<title> +ssl compatibility</title> + + +<para>This global option specifies whether Samba should be configured to use other versions of SSL. However, because no other versions exist at this writing, the issue is moot and the variable should always be left at the<indexterm id="appa-idx-990431-0" class="endofrange" startref="appa-idx-990427-0"/> default.<indexterm id="appa-idx-990339-0" class="endofrange" startref="appa-idx-990325-0"/> +<indexterm id="appa-idx-990339-1" class="endofrange" startref="appa-idx-990325-1"/></para> +</sect2> +</sect1> + + + + + + + + +</appendix> diff --git a/docs-xml/using_samba/appb.xml b/docs-xml/using_samba/appb.xml new file mode 100644 index 0000000000..c3e7b18ef0 --- /dev/null +++ b/docs-xml/using_samba/appb.xml @@ -0,0 +1,1702 @@ +<appendix label="B" id="SAMBA-AP-B"> +<title>Samba Performance Tuning</title> + + + + +<para> +<indexterm id="appb-idx-959725-0" class="startofrange"><primary>Samba</primary><secondary>performance tuning</secondary></indexterm> +<indexterm id="appb-idx-959725-1" class="startofrange"><primary>performance tuning</primary></indexterm> +<indexterm id="appb-idx-959725-2" class="startofrange"><primary>configuring Samba</primary><secondary>performance tuning</secondary></indexterm>This appendix discusses various ways of performance tuning and system sizing with Samba. <firstterm>Performance tuning</firstterm> is the art of finding bottlenecks and adjusting to eliminate them. <emphasis>Sizing</emphasis> is the practice of eliminating bottlenecks by spending money to avoid having them in the first place. Normally, you won't have to worry about either with Samba. On a completely untuned server, Samba will happily support a small community of users. However, on a properly tuned server, Samba will support at least twice as many users. This chapter is devoted to outlining various performance-tuning and sizing techniques that you can use if you want to stretch your Samba server to the limit.</para> + + + + + + + + + + + +<sect1 role="" label="B.1" id="appb-47134"> +<title>A Simple Benchmark</title> + + +<para> +<indexterm id="appb-idx-959739-0"><primary>Samba</primary><secondary>performance tuning</secondary><tertiary>benchmark for</tertiary></indexterm> +<indexterm id="appb-idx-959739-1"><primary>performance tuning</primary><secondary>benchmark for</secondary></indexterm> +<indexterm id="appb-idx-959739-2"><primary>configuring Samba</primary><secondary>performance tuning</secondary><tertiary>benchmark for</tertiary></indexterm>How do you know if you're getting reasonable performance? A simple benchmark is to compare Samba with FTP. <link linkend="appb-73167">Table 2.1</link> shows the throughput, in kilobytes per second, of a pair of servers: a medium-size Sun SPARC Ultra and a small Linux Pentium server. Numbers are reported in kilobytes per second (KB/s).</para> + + +<table label="B.1" id="appb-73167"> +<title>Sample Benchmark Benchmarks </title> + +<tgroup cols="4"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<thead> +<row> + +<entry colname="col1"><para>Command</para></entry> + +<entry colname="col2"><para>FTP</para></entry> + +<entry colname="col3"><para>Untuned Samba</para></entry> + +<entry colname="col4"><para>Tuned Samba</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Sparc get</para></entry> + +<entry colname="col2"><para>1014.5</para></entry> + +<entry colname="col3"><para>645.3</para></entry> + +<entry colname="col4"><para>866.7</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Sparc put</para></entry> + +<entry colname="col2"><para>379.8</para></entry> + +<entry colname="col3"><para>386.1</para></entry> + +<entry colname="col4"><para>329.5</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Pentium get</para></entry> + +<entry colname="col2"><para>973.27</para></entry> + +<entry colname="col3"><para>N/A</para></entry> + +<entry colname="col4"><para>725</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Pentium put</para></entry> + +<entry colname="col2"><para>1014.5</para></entry> + +<entry colname="col3"><para>N/A</para></entry> + +<entry colname="col4"><para>1100</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>If you run the same tests on your server, you probably won't see the same numbers. However, you <emphasis>should</emphasis> see similar ratios of Samba to FTP, probably in the range of 68 to 80 percent. It's not a good idea to base <emphasis>all</emphasis> of Samba's throughput against FTP. The golden rule to remember is this: if Samba is much slower than FTP, it's time to tune it.</para> + + +<para>You might think that an equivalent test would be to compare Samba to NFS. In reality, however, it's much less useful to compare their speeds. Depending entirely on whose version of NFS you have and how well it's tuned, Samba can be slower or faster than NFS. We usually find that Samba is faster, but watch out; NFS uses a different algorithm from Samba, so tuning options that are optimal for NFS may be detrimental for Samba. If you run Samba on a well-tuned NFS server, Samba may perform rather badly.</para> + + +<para>A more popular benchmark is Ziff-Davis' <emphasis>NetBench,</emphasis> a simulation of many users on client machines running word processors and accessing data on the SMB server. It's not a prefect measure (each NetBench client does about ten times the work of a normal user on our site), but it is a fair comparison of similar servers. In tests performed by Jeremy Allison in November 1998, Samba 2.0 on a SGI multiprocessor outperformed NT Server 4.0 (Patch Level 2) on an equivalent high-end Compaq. This was confirmed and strengthened by a Sm@rt Reseller test of NT and Linux on identical hardware in February 1999.</para> + + +<para>In April 1999, the Mindcraft test lab released a report about a test showing that Samba on a four-processor Linux machine was significantly slower than native file serving on the same machine running Windows NT. While the original report was slammed by the Open Source community because it was commissioned by Microsoft and tuned the systems to favor Windows NT, a subsequent test was fairer and generally admitted to reveal some areas where Linux needed to improve its performance, especially on multiprocessors. Little was said about Samba itself. Samba is known to scale well on multiprocessors, and exceeds 440MB/s on a four-processor SGI O200, beating Mindcraft's 310MB/s.</para> + + +<para>Relative performance will probably change as NT and PC hardware get faster, of course, but Samba is improving as well. For example, Samba 1.9.18 was faster only with more than 35 clients. Samba 2.0, however, is faster regardless of the number of clients. In short, Samba is very competitive with the best networking software in the industry, and is only getting better.</para> + + +<para>As we went to press, Andrew Tridgell released the alpha-test version suite of benchmarking programs for Samba and SMB networks. Expect even more work on performance from the Samba team in the future.</para> +</sect1> + + + + + + + + + +<sect1 role="" label="B.2" id="appb-50295"> +<title>Samba Tuning</title> + + +<para> +<indexterm id="appb-idx-959765-0"><primary>tuning</primary><see>performance tuning</see></indexterm>That being said, let's discuss how you can take an already fast networking package and make it even faster.</para> + + +<sect2 role="" label="B.2.1" id="appb-SECT-2.1"> +<title>Benchmarking</title> + + +<para> +<indexterm id="appb-idx-959749-0"><primary>Samba</primary><secondary>performance tuning</secondary><tertiary>benchmark for</tertiary></indexterm> +<indexterm id="appb-idx-959749-1"><primary>performance tuning</primary><secondary>benchmark for</secondary></indexterm> +<indexterm id="appb-idx-959749-2"><primary>configuring Samba</primary><secondary>performance tuning</secondary><tertiary>benchmark for</tertiary></indexterm>Benchmarking is an arcane and somewhat black art, but the level of expertise needed for simple performance tuning is fairly low. Since the Samba server's goal in life is to transfer files, we will examine only throughput, not response time to particular events, under the benchmarking microscope. After all, it's relatively easy to measure file transfer speed, and Samba doesn't suffer too badly from response-time problems that would require more sophisticated techniques.</para> + + +<para>Our basic strategy for this work will be:</para> + + +<itemizedlist> + +<listitem><para>Find a reasonably-sized file to copy and a program that reports on copy speeds, such as <filename>smbclient</filename>.</para></listitem> + +<listitem><para>Find a quiet (or typical) time to do the test.</para></listitem> + +<listitem><para>Pre-run each test a few times to preload buffers.</para></listitem> + +<listitem><para>Run tests several times and watch for unusual results.</para></listitem> + +<listitem><para>Record each run in detail.</para></listitem> + +<listitem><para>Compare the average of the valid runs to expected values.</para></listitem> + +</itemizedlist> + +<para>After establishing a baseline using this method, we can adjust a single parameter and do the measurements all over again. An empty table for your tests is provided at the end of this chapter.</para> +</sect2> + + + + + +<sect2 role="" label="B.2.2" id="appb-SECT-2.2"> +<title>Things to Tweak</title> + + +<para>There are literally thousands of Samba setting combinations that you can use in search of that perfect server. Those of us with lives outside of system administration, however, can narrow down the number of options to those listed in this section, which are the most likely to affect overall throughput. They are presented roughly in order of impact.</para> + + +<sect3 role="" label="B.2.2.1" id="appb-SECT-2.2.1"> +<title>Log level</title> + + +<para> +<indexterm id="appb-idx-959753-0"><primary>log files/logging</primary><secondary>levels of</secondary><tertiary>tuning</tertiary></indexterm>This is an obvious one. Increasing the logging level (<literal>log</literal> +<indexterm id="appb-idx-960330-0"><primary>log level option</primary></indexterm> +<indexterm id="appb-idx-960330-1"><primary>debug level option</primary></indexterm> <literal>level</literal> or <literal>debug</literal> <literal>level</literal> configuration options) is a good way to debug a problem, unless you happen to be searching for a performance problem! As mentioned in <link linkend="ch04-21486">Chapter 4</link>, Samba produces a ton of debugging messages at level 3 and above, and writing them to disk or syslog is a slow operation. In our <filename>smbclient/ftp</filename> tests, raising the log level from 0 to 3 cut the untuned <literal>get</literal> <literal>speed</literal> from 645.3 to 622.2KB/s, or roughly 5 percent. Higher log levels were even worse.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.2" id="appb-SECT-2.2.2"> +<title>Socket options</title> + + +<para>The next thing to look at are the <literal>socket</literal> +<indexterm id="appb-idx-960332-0"><primary>socket options configuration options</primary></indexterm> <literal>options</literal> configuration options. These are really host system tuning options, but they're set on a per-connection basis, and can be reset by Samba on the sockets it employs by adding <literal>socket</literal> <literal>options</literal> <literal>=</literal> <literal>option</literal> to the <literal>[global]</literal> section of your <filename>smb.conf </filename>file. Not all of these options are supported by all vendors; check your vendor's manual pages on <emphasis>setsockopt </emphasis>(1) or <emphasis>socket </emphasis>(5) for details.</para> + + +<para>The main options are:</para> + + +<variablelist> +<varlistentry><term><literal>TCP_NODELAY</literal></term> +<listitem><para>Have the server send as many packets as necessary to keep delay low. This is used on telnet connections to give good response time, and is used—somewhat counter-intuitively—to get good speed even when doing small requests or when acknowledgments are delayed (as seems to occur with Microsoft TCP/IP). This is worth a 30-50 percent speedup by itself. Incidentally, in Samba 2.0.4, <literal>socket</literal> <literal>options</literal> <literal>=</literal> <literal>TCP_NODELAY</literal> became the default value for that option.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>IPTOS_LOWDELAY</literal></term> +<listitem><para>This is another option that trades off throughput for lower delay, but which affects routers and other systems, not the server. All the IPTOS options are new; they're not supported by all operating systems and routers. If they are supported, set <literal>IPTOS_LOWDELAY</literal> whenever you set <literal>TCP_NODELAY</literal>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>SO_SNDBUF</literal> <literal>and</literal> <literal>SO_RCVBUF</literal></term> +<listitem><para>The send and receive buffers can often be the reset to a value higher than that of the operating system. This yields a marginal increase of speed (until it reaches a point of diminishing returns).</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>SO_KEEPALIVE</literal></term> +<listitem><para>This initiates a periodic (four-hour) check to see if the client has disappeared. Expired connections are addressed somewhat better with Samba's <literal>keepalive</literal> and <literal>dead</literal> <literal>time</literal> options. All three eventually arrange to close dead connections, returning unused memory and process-table entries to the operating system.</para></listitem> +</varlistentry> +</variablelist> + + +<para>There are several other socket options you might look at, (e.g., <literal>SO_SNDLOWAT</literal>), but they vary in availability from vendor to vendor. You probably want to look at <citetitle>TCP/IP Illustrated</citetitle> if you're interested in exploring more of these options for performance tuning with Samba.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.3" id="appb-SECT-2.2.3"> +<title>read raw and write raw</title> + + +<para> +<indexterm id="appb-idx-959754-0"><primary>read raw, tuning</primary></indexterm> +<indexterm id="appb-idx-959754-1"><primary>write raw, tuning</primary></indexterm>These are important performance configuration options; they enable Samba to use large reads and writes to the network, of up to 64KB in a single SMB request. They also require the largest SMB packet structures, <literal>SMBreadraw</literal> and <literal>SMBwriteraw</literal>, from which the options take their names. Note that this is not the same as a Unix <emphasis>raw read</emphasis>. This Unix term usually refers to reading disks without using the files system, quite a different sense from the one described here for Samba.</para> + + +<para>In the past, some client programs failed if you tried to use <literal>read</literal> <literal>raw</literal>. As far as we know, no client suffers from this problem any more. Read and write raw default to <literal>yes</literal>, and should be left on unless you find you have one of the buggy clients.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.4" id="appb-SECT-2.2.4"> +<title>Opportunistic locking</title> + + +<para> +<indexterm id="appb-idx-959755-0"><primary>opportunistic locking</primary><secondary>tuning</secondary></indexterm> +<indexterm id="appb-idx-959755-1"><primary>locks/locking files</primary><secondary>opportunistic locking</secondary><tertiary>tuning of</tertiary></indexterm>Opportunistic locks, or <emphasis>oplocks</emphasis>, allow clients to cache files locally, improving performance on the order of 30 percent. This option is now enabled by default. For read-only files, the <literal>fake</literal> <literal>oplocks</literal> provides the same functionality without actually doing any caching. If you have files that cannot be cached, <emphasis>oplocks</emphasis> can be turned off.</para> + + +<para>Database files should never be cached, nor should any files that are updated both on the server and the client and whose changes must be immediately visible. For these files, the <literal>veto</literal> <literal>oplock</literal> +<indexterm id="appb-idx-960336-0"><primary>oplock files option</primary></indexterm> <literal>files</literal> option allows you to specify a list of individual files or a pattern containing wildcards to avoid caching. <emphasis>oplocks</emphasis> can be turned off on a share-by-share basis if you have large groups of files you don't want cached on clients. See <link linkend="SAMBA-CH-5">Chapter 5</link>, for more information on opportunistic locks.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.5" id="appb-SECT-2.2.5"> +<title>IP packet size (MTU)</title> + + +<para> +<indexterm id="appb-idx-959756-0"><primary>IP packet size, tuning</primary></indexterm>Networks generally set a limit to the size of an individual transmission or packet This is called the Maximum Segment Size, or if the packet header size is included, the <indexterm id="appb-idx-959757-0"><primary>Maximum Transport Unit (MTU)</primary></indexterm> +<indexterm id="appb-idx-959757-1"><primary>MTU (Maximum Transport Unit)</primary></indexterm>Maximum Transport Unit (MTU). This MTU is not set by Samba, but Samba needs to use a <literal>max</literal> <literal>xmit</literal> (write size) bigger than the MTU, or throughput will be reduced. This is discussed in further detail in the following note. The MTU is normally preset to 1500 bytes on an Ethernet and 4098 bytes on FDDI. In general, having it too low cuts throughput, and having it too high causes a sudden performance dropoff due to fragmentation and retransmissions.</para> + + +<tip role="ora"> +<para>If you are communicating over a router, some systems will assume the router is a serial link (e.g., a T1) and set the MTU to more or less 536 bytes. Windows 95 makes this mistake, which causes nearby clients to perform well, but clients on the other side of the router to be noticeably slower. If the client makes the opposite error and uses a large MTU on a link which demands a small one, the packets will be broken up into fragments. This slows transfers slightly, and any networking errors will cause multiple fragments to be retransmitted, which slows Samba significantly. Fortunately, you can modify the Windows MTU size to prevent either error. To understand this in more detail, see "The Windows 95 Networking Frequently Asked Questions (FAQ)" at <systemitem role="url">http://www.stanford.edu/~llurch/win95netbugs/faq.html</systemitem>, which explains how to override the Windows MTU and Window Size.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="B.2.2.6" id="appb-19919"> +<title>The TCP receive window</title> + + +<para> +<indexterm id="appb-idx-959758-0"><primary>TCP/IP networking protocol</primary><secondary>receive window, tuning</secondary></indexterm>TCP/IP works by breaking down data into small packets that can be transmitted from one machine to another. When each packet is transmitted, it contains a checksum that allows the receiver to check the packet data for potential errors in transmission. Theoretically, when a packet is received and verified, an acknowledgment packet should be sent back to the sender that essentially says, "Everything arrived intact: please continue."</para> + + +<para>In order to keep things moving, however, TCP accepts a range (window) of packets that allows a sender to keep transmitting without having to wait for an acknowledgment of every single packet. (It can then bundle a group of acknowledgments and transmit them back to the sender at the same time.) In other words, this receive window is the number of bytes that the sender can transmit before it has to stop and wait for a receiver's acknowledgment. Like the MTU, it is automatically set based on the type of connection. Having the window too small causes a lot of unnecessary waiting for acknowledgment messages. Various operating systems set moderate buffer sizes on a per-socket basis to keep one program from hogging all the memory.</para> + + +<para>The buffer sizes are assigned in bytes, such as <literal>SO_SNDBUF=8192</literal> in the <literal>socket</literal> <literal>options</literal> line. Thus, an example <literal>socket</literal> <literal>options</literal> configuration option is:</para> + + +<programlisting>socket options = SO_SNDBUF=8192</programlisting> + + +<para>Normally, one tries to set these socket options higher than the default: 4098 in SunOS 4.1.3 and SVR4, and 8192-16384 in AIX, Solaris, and BSD. 16384 has been suggested as a good starting point: in a non-Samba test mentioned in Stevens' book, it yielded a 40 percent improvement. You'll need to experiment, because performance will fall off again if you set the sizes too high. This is illustrated in <link linkend="appb-34738">Figure 2.1</link>, a test done on a particular Linux system.</para> + + +<figure label="B.1" id="appb-34738"> +<title>SO_SNDBUF size and performance</title> + +<graphic width="502" depth="263" fileref="figs/sam.ab01.gif"></graphic> +</figure> + +<para>Setting the socket options <literal>O_SNDBUF</literal> and <literal>SO_RCVBUF</literal> to less than the default is inadvisable. Setting them higher improves performance, up to a network-specific limit. However, once you exceed that limit, performance will abruptly level off.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.7" id="appb-SECT-2.2.7"> +<indexterm id="appb-idx-960371-0"><primary>max xmit option</primary></indexterm> +<title> +max xmit</title> + + +<para> +<indexterm id="appb-idx-960373-0"><primary>write size, tuning</primary></indexterm>In Samba, the option that is directly related with the MTU and window size is <literal>max</literal> <literal>xmit</literal>. This option sets the largest block of data Samba will try to write at any one time. It's sometimes known as the <firstterm>write size</firstterm>, although that is not the name of the Samba configuration option.</para> + + +<para>Because the percentage of each block required for overhead falls as the blocks get larger, max xmit is conventionally set as large as possible. It defaults to the protocol's upper limit, which is 64 kilobytes. The smallest value that doesn't cause significant slowdowns is 2048. If it is set low enough, it will limit the largest packet size that Samba will be able to negotiate. This can be used to simulate a small MTU if you need to test an unreliable network connection. However, such a test should not be used in production for reducing the effective MTU.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.8" id="appb-SECT-2.2.8"> +<title>read size</title> + + +<para> +<indexterm id="appb-idx-959760-0"><primary>read size, tuning</primary></indexterm>If <literal>max</literal> <literal>xmit</literal> is commonly called the write size, you'd expect <literal>read</literal> <literal>size</literal> to be the maximum amount of data that Samba would want to read from the client via the network. Actually, it's not. In fact, it's an option to trigger <firstterm>write ahead</firstterm> +<indexterm id="appb-idx-959764-0"><primary>write ahead, tuning</primary></indexterm>. This means that if Samba gets behind reading from the disk and writing to the network (or vice versa) by the specified amount, it will start overlapping network writes with disk reads (or vice versa).</para> + + +<para>The read size doesn't have a big performance effect on Unix, unless you set its value quite small. At that point, it causes a detectable slowdown. For this reason, it defaults to 2048 and can't be set lower than 1024.</para> +</sect3> + + + +<sect3 role="" label="B.2.2.9" id="appb-SECT-2.2.9"> +<title>read prediction </title> + + +<para> +<indexterm id="appb-idx-959766-0"><primary>read prediction, testing</primary></indexterm>Besides being counterintuitive, this option is also obsolete. It enables Samba to read ahead on files opened read only by the clients. The option is disabled in Samba 2.0 (and late 1.9) Because it interferes with opportunistic locking.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="B.2.3" id="appb-SECT-2.3"> +<title>Other Samba Options</title> + + +<para> +<indexterm id="appb-idx-959775-0" class="startofrange"><primary>Samba</primary><secondary>performance tuning</secondary><tertiary>other options for</tertiary></indexterm> +<indexterm id="appb-idx-959775-1" class="startofrange"><primary>performance tuning</primary><secondary>other options for</secondary></indexterm> +<indexterm id="appb-idx-959775-2" class="startofrange"><primary>configuring Samba</primary><secondary>performance tuning</secondary><tertiary>other options for</tertiary></indexterm>The following Samba options will affect performance if they're set incorrectly, much like the debug level. They're mentioned here so you will know what to look out for:</para> + + +<variablelist> +<varlistentry><term> +<indexterm id="appb-idx-960358-0"><primary>hidden files</primary><secondary>options for</secondary></indexterm><literal>hide files</literal></term> +<listitem><para>Providing a pattern to identify files hidden by the Windows client <literal>hide</literal> <literal>files</literal> will result in any file matching the pattern being passed to the client with the DOS hidden attribute set. It requires a pattern match per file when listing directories, and slows the server noticeably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>lpq cache time</literal> +<indexterm id="appb-idx-960359-0"><primary>lpq cache time option</primary></indexterm></term> +<listitem><para>If your <literal>lpq</literal> (printer queue contents) command takes a long time to complete, you should increase <literal>lpq</literal> <literal>cache</literal> <literal>time</literal> to a value higher than the actual time required for <literal>lpq</literal> to execute, so as to keep Samba from starting a new query when one's already running. The default is 10 seconds, which is reasonable.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>strict locking</literal> +<indexterm id="appb-idx-960360-0"><primary>strict locking option</primary></indexterm></term> +<listitem><para>Setting the <literal>strict</literal> <literal>locking</literal> option causes Samba to check for locks on every access, not just when asked to by the client. The option is primarily a bug-avoidance feature, and can prevent ill-behaved DOS and Windows applications from corrupting shared files. However, it is slow and should typically be avoided.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>strict sync</literal> +<indexterm id="appb-idx-960361-0"><primary>strict sync option</primary></indexterm></term> +<listitem><para>Setting <literal>strict</literal> <literal>sync</literal> will cause Samba to write each packet to disk and wait for the write to complete whenever the client sets the sync bit in a packet. Windows 98 Explorer sets the bit in all packets transmitted, so if you turn this on, anyone with Windows 98 will think Samba servers are horribly slow.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>sync always</literal> +<indexterm id="appb-idx-960362-0"><primary>sync always option</primary></indexterm></term> +<listitem><para>Setting <literal>sync</literal> <literal>always</literal> causes Samba to flush every write to disk. This is good if your server crashes constantly, but the performance costs are immense. SMB servers normally use oplocks and automatic reconnection to avoid the ill effects of crashes, so setting this option is not normally necessary.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="appb-idx-960363-0"><primary>wide links option</primary></indexterm><literal>wide links</literal></term> +<listitem><para>Turning off <literal>wide</literal> <literal>links</literal> prevents Samba from following symbolic links in one file share to files that are not in the share. It is turned on by default, since following links in Unix is not a security problem. Turning it off requires extra processing on every file open. If you do turn off wide links, be sure to turn on <literal>getwd</literal> <literal>cache</literal> to cache some of the required data.</para> + + +<para>There is also a <literal>follow</literal> <literal>symlinks</literal> option that can be turned off to prevent following any symbolic links at all. However, this option does not pose a performance problem.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="appb-idx-960364-0"><primary>getwd cache option</primary></indexterm><literal>getwd cache</literal></term> +<listitem><para>This option caches the path to the current directory, avoiding long tree-walks to discover it. It's a nice performance improvement on a printer server or if you've turned off <literal>wide</literal> <literal>links</literal>.</para></listitem> +</varlistentry> +</variablelist> +</sect2> + + + + + +<sect2 role="" label="B.2.4" id="appb-SECT-2.4"> +<title>Our Recommendations </title> + + +<para> +<indexterm id="appb-idx-959782-0"><primary>performance tuning</primary><secondary>recommended enhancements</secondary></indexterm>Here's an <filename>smb.conf</filename> file that incorporates the recommended performance enhancements so far. Comments have been added on the right side.</para> + + +<programlisting>[global] + log level = 1 # Default is 0 + socket options = TCP_NODELAY IPTOS_LOWDELAY + read raw = yes # Default + write raw = yes # Default + oplocks = yes # Default + max xmit = 65535 # Default + dead time = 15 # Default is 0 + getwd cache = yes + lpq cache = 30 +[okplace] + veto oplock files = this/that/theotherfile +[badplace] + oplocks = no</programlisting> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="B.3" id="appb-22511"> +<title>Sizing Samba Servers</title> + + +<para> +<indexterm id="appb-idx-959783-0" class="startofrange"><primary>Samba server</primary><secondary>sizing</secondary></indexterm> +<indexterm id="appb-idx-959783-1" class="startofrange"><primary>sizing Samba servers</primary></indexterm>Sizing is a way to prevent bottlenecks before they occur. The preferred way to do this is to know how many requests per second or how many kilobytes per second the clients will need, and ensure that all the components of the server provide at least that many.</para> + + +<sect2 role="" label="B.3.1" id="appb-SECT-3.1"> +<title>The Bottlenecks</title> + + +<para> +<indexterm id="appb-idx-959791-0" class="startofrange"><primary>bottlenecks</primary></indexterm>The <indexterm id="appb-idx-959799-0"><primary>bottlenecks</primary><secondary>types of</secondary></indexterm>three primary bottlenecks you should worry about are CPU, disk I/O, and the network. For most machines, CPUs are rarely a bottleneck. A single Sun SPARC 10 CPU can start (and complete) between 700 and 800 I/O operations a second, giving approximately 5,600 to 6,400KB/s of throughput when the data averages around 8KBs (a common buffer size). A single Intel Pentium 133 can do less only because of somewhat slower cache and bus interfaces, not due to lack of CPU power. Purpose-designed Pentium servers, like some Compaq servers, will be able to start 700 operations per CPUs, on up to four CPUs.</para> + + +<para>Too little memory, on the other hand, can easily be a bottleneck; each Samba process will use between 600 and 800KB on Intel Linux, and more on RISC CPUs. Having less will cause an increase in virtual memory paging and therefore a performance hit. On Solaris, where it has been measured, <emphasis>smbd</emphasis> will use 2.6 MB for program and shared libraries, plus 768KB for each connected client. <emphasis>nmbd</emphasis> occupies 2.1 MB, plus 496KB extra for its (single) auxiliary process.</para> + + +<para>Hard disks will always bottleneck at a specific number of I/O operations per second: for example, each 7200 RPM SCSI disk is capable of performing 70 operations per second, for a throughput of 560KB/s; a 4800 RPM disk will perform fewer than 50, for a throughput of 360KB/s. A single IDE disk will do still fewer. If the disks are independent, or striped together in a RAID 1 configuration, they will each peak out at 400 to 560KB/s and will scale linearly as you add more. Note that this is true only of RAID 1. RAID levels other than 1 (striping) add extra overhead.</para> + + +<para>Ethernets (and other networks) are obvious bottleneck: a 10 Mb/s (mega<emphasis>bits</emphasis>/second) Ethernet will handle around 1100KB/s (kilo<emphasis>bytes</emphasis>/s) using 1500-byte packets A 100 Mb/s Fast Ethernet will bottleneck below 65,000KB/s with the same packet size. FDDI, at 155 Mb/s will top out at approximately 6,250KB/s, but gives good service at even 100 percent load and transmits much larger packets (4KB).</para> + + +<para>ATM should be much better, but as of the writing of this book it was too new to live up to its potential; it seems to deliver around 7,125 Mb/s using 9KB packets.</para> + + +<para>Of course, there can be other bottlenecks: more than one IDE disk per controller is not good, as are more than three 3600 SCSI-I disks per slow/narrow controller, or more than three 7200 SCSI-II disks per SCSI-II fast/wide controller. RAID 5 is also slow, as it requires twice as many writes as independent disks or RAID 1.</para> + + +<para>After the second set of Ethernets and the second disk controller, start worrying about bus bandwidth, especially if you are using ISA/EISA buses.</para> +</sect2> + + + + + +<sect2 role="" label="B.3.2" id="appb-SECT-3.2"> +<title>Reducing Bottlenecks </title> + + +<para> +<indexterm id="appb-idx-959800-0" class="startofrange"><primary>bottlenecks</primary><secondary>reducing</secondary></indexterm>From the information above we can work out a model that will tell us the maximum capability of a given machine. The data is mostly taken from <indexterm id="appb-idx-959815-0"><primary>Wong, Brian</primary></indexterm> +<indexterm id="appb-idx-959815-1"><primary>resources for further information</primary><secondary>Solaris servers</secondary></indexterm>Brian Wong's <citetitle>Configuration and Capacity Planning for Solaris Servers</citetitle>,<citetitle> +<footnote label="1" id="appb-pgfId-951214"> + + +<para>See Wong. Brian L, <emphasis>Configuration and Capacity Planning for Solaris Servers</emphasis>, Englewood Cliffs, NJ (Sun/Prentice-Hall), 1997, ISBN 0-13-349952-9.</para> + + +</footnote></citetitle> so there is a slight Sun bias to our examples.</para> + + +<para>A word of warning: this is not a complete model. Don't assume that this model will predict every bottleneck or even be within 10 percent in its estimates. A model to predict performance instead of one to warn you of bottlenecks would be much more complex and would contain rules like "not more than three disks per SCSI chain". (A good book on real models is Raj Jain's <citetitle>The Art of Computer Systems Performance Analysis</citetitle>.<footnote label="2" id="appb-pgfId-951230"> + + +<para>See Jain, Raj, <emphasis>The Art of Computer Systems Performance Analysis</emphasis>, New York, NY (John Wiley and Sons), 1991, ISBN 0-47-150336-3.</para> + + +</footnote>) With that warning, we present the system in <link linkend="appb-98866">Figure 2.2</link>.</para> + + +<figure label="B.2" id="appb-98866"> +<title>Data flow through a Samba server, with possible bottlenecks</title> + +<graphic width="502" depth="185" fileref="figs/sam.ab02.gif"></graphic> +</figure> + +<para>The flow of data should be obvious. For example, on a read, data flows from the disk, across the bus, through or past the CPU, and to the network interface card (NIC). It is then broken up into packets and sent across the network. Our strategy here is to follow the data through the system and see what bottlenecks will choke it off. Believe it or not, it's rather easy to make a set of tables that list the maximum performance of common disks, CPUs, and network cards on a system. So that's exactly what we're going to do.</para> + + +<para>Let's take a concrete example: a Linux Pentium 133 MHz machine with a single 7200 RPM data disk, a PCI bus, and a 10-Mb/s Ethernet card. This is a perfectly reasonable server. We start with <link linkend="appb-78077">Table 2.2</link>, which describes the hard drive—the first potential bottleneck in the system.</para> + + +<table label="B.2" id="appb-78077"> +<title>Disk Throughput </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>Disk RPM</para></entry> + +<entry colname="col2"><para>I/O Operations/second</para></entry> + +<entry colname="col3"><para>KB/second</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>7200</para></entry> + +<entry colname="col2"><para>70</para></entry> + +<entry colname="col3"><para>560</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>4800</para></entry> + +<entry colname="col2"><para>60</para></entry> + +<entry colname="col3"><para>480</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>3600</para></entry> + +<entry colname="col2"><para>40</para></entry> + +<entry colname="col3"><para>320</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Disk throughput is the number of kilobytes of data that a disk can transfer per second. It is computed from the number of 8KB I/O operations per second a disk can perform, which in turn is strongly influenced by disk RPM and bit density. In effect, the question is: how much data can pass below the drive heads in one second? With a single 7200 RPM disk, the example server will give us 70 I/O operations per second at roughly 560KB/s.</para> + + +<para>The second possible bottleneck is the CPU. The data doesn't actually flow through the CPU on any modern machines, so we have to compute throughput somewhat indirectly.</para> + + +<para>The CPU has to issue I/O requests and handle the interrupts coming back, then transfer the data across the bus to the network card. From much past experimentation, we know that the overhead that dominates the processing is consistently in the filesystem code, so we can ignore the other software being run. We compute the throughput by just multiplying the (measured) number of file I/O operations per second that a CPU can process by the same 8K average request size. This gives us the results shown in <link linkend="appb-42029">Table 2.3</link>.</para> + + +<table label="B.3" id="appb-42029"> +<title>CPU Throughput </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>CPU</para></entry> + +<entry colname="col2"><para>I/O Operations/second</para></entry> + +<entry colname="col3"><para>KB/second</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Intel Pentium 133</para></entry> + +<entry colname="col2"><para>700</para></entry> + +<entry colname="col3"><para>5,600</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Dual Pentium 133</para></entry> + +<entry colname="col2"><para>1,200</para></entry> + +<entry colname="col3"><para>9,600</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Sun SPARC II</para></entry> + +<entry colname="col2"><para>660</para></entry> + +<entry colname="col3"><para>5,280</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Sun SPARC 10</para></entry> + +<entry colname="col2"><para>750</para></entry> + +<entry colname="col3"><para>6,000</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Sun Ultra 200</para></entry> + +<entry colname="col2"><para>2,650</para></entry> + +<entry colname="col3"><para>21,200</para></entry> +</row> + +</tbody> +</tgroup> +</table> + + +<para>Now we put the disk and the CPU together: in the Linux example, we have a single 7200 RPM disk, which can give us 560KB/s, and a CPU capable of starting 700 I/O operations, which could give us 5600KB/s. So far, as you would expect, our bottleneck is clearly going to be the hard disk.</para> + + +<para>The last potential bottleneck is the network. If the network speed is below 100 Mb/s, the bottleneck will be the network speed. After that, the design of the network card is more likely to slow us down. <link linkend="appb-67604">Table 2.4</link> shows us the average throughput of many types of data networks. Although network speed is conventionally measured in bits per second, <link linkend="appb-67604">Table 2.4</link> lists bytes per second to make comparison with the disk and CPU (<link linkend="appb-78077">Table 2.2</link> and <link linkend="appb-42029">Table 2.3</link>) easier.</para> + + + +<table label="B.4" id="appb-67604"> +<title>Network Throughput </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Network Type</para></entry> + +<entry colname="col2"><para>KB/second</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para> ISDN</para></entry> + +<entry colname="col2"><para> 16</para></entry> + +</row> + +<row> + +<entry colname="col1"><para> T1</para></entry> + +<entry colname="col2"><para> 197</para></entry> + +</row> + +<row> + +<entry colname="col1"><para> Ethernet 10m</para></entry> + +<entry colname="col2"><para> 1,113</para></entry> + +</row> + +<row> + +<entry colname="col1"><para> Token ring</para></entry> + +<entry colname="col2"><para> 1,500</para></entry> + +</row> + +<row> + +<entry colname="col1"><para> FDDI</para></entry> + +<entry colname="col2"><para> 6,250</para></entry> + +</row> + +<row> + +<entry colname="col1"><para> Ethernet 100m</para></entry> + +<entry colname="col2"><para> 6,500<footnote label="3" id="appb-pgfId-960131"> + + +<para>These will increase. For example, Crays, Sun Ultras, and DEC/Compaq Alphas already have bettered these figures.</para> + + +</footnote></para></entry> + +</row> + +<row> + +<entry colname="col1"><para> ATM 155</para></entry> + +<entry colname="col2"><para> 7,125a</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>In the running example, we have a bottleneck at 560KB/s due to the disk. <link linkend="appb-67604">Table 2.4</link> shows us that a standard 10 megabit per second Ethernet (1,113KB/s) is far faster than the disk. Therefore, the hard disk is still the limiting factor. (This scenario, by the way, is very common.) Just by looking at the tables, we can predict that small servers won't have CPU problems, and that large ones with multiple CPUs will support striping and multiple Ethernets long before they start running out of CPU power. This, in fact, is exactly what happens.</para> +</sect2> + + + + + +<sect2 role="" label="B.3.3" id="appb-SECT-3.3"> +<title>Practical Examples</title> + + +<para>An example from <emphasis>Configuration and Capacity Planning for Solaris Servers</emphasis> (Wong) shows that a dual-processor SPARCstation 20/712 with four Ethernets and six 2.1 GB disks will spend all its time waiting for the disks to return some data. If it was loaded with disks (Brian Wong suggests as many as 34 of them), it would still be held below 1,200KB/s by the Ethernet cards. To get the performance the machine is capable of, we would need to configure multiple Ethernets, 100 Mbps Fast Ethernet, or 155 Mbps FDDI.</para> + + +<para>The progression you'd work through to get that conclusion looks something like <link linkend="appb-26613">Table 2.5</link>.</para> + + +<table label="B.5" id="appb-26613"> +<title>Tuning a Medium-Sized Server </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Machine</para></entry> + +<entry colname="col2"><para>Disk Throughput</para></entry> + +<entry colname="col3"><para>CPU Throughput</para></entry> + +<entry colname="col4"><para>Network Throughput</para></entry> + +<entry colname="col5"><para>Actual Throughput</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Dual SPARC 10, 1 disk</para></entry> + +<entry colname="col2"><para>560</para></entry> + +<entry colname="col3"><para>6000</para></entry> + +<entry colname="col4"><para>1,113</para></entry> + +<entry colname="col5"><para>560</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Add 5 more disks</para></entry> + +<entry colname="col2"><para>3,360</para></entry> + +<entry colname="col3"><para>6000</para></entry> + +<entry colname="col4"><para>1,113</para></entry> + +<entry colname="col5"><para>1,113</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Add 3 more Ethernets</para></entry> + +<entry colname="col2"><para>3,360</para></entry> + +<entry colname="col3"><para>16000</para></entry> + +<entry colname="col4"><para>4,452</para></entry> + +<entry colname="col5"><para>3,360</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Change to using a 20-disk array</para></entry> + +<entry colname="col2"><para>11,200</para></entry> + +<entry colname="col3"><para>6000</para></entry> + +<entry colname="col4"><para>4,452</para></entry> + +<entry colname="col5"><para>4,452</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Use dual 100 Mbps ether</para></entry> + +<entry colname="col2"><para>11,200</para></entry> + +<entry colname="col3"><para>6000</para></entry> + +<entry colname="col4"><para>13,000</para></entry> + +<entry colname="col5"><para>11,200</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Initially, the bottleneck is the disk with only 560 MB/s of throughput available. Our solution is to add five more disks. This gives us more throughput on the disks than on the Ethernet, so then the Ethernet becomes the problem. Consequently, as we continue to expand, we go back and forth several times between these two. As you add disks, CPUs, and network cards, the bottleneck moves. Essentially, the strategy is to add more equipment to try to avoid each bottleneck until you reach your target performance, or (unfortunately) you either can't add any more or run out of money.</para> + + +<para>Our experience bears out this kind of calculation; a large SPARC 10 file server that one author maintained was quite capable of saturating an Ethernet plus about a third of an FDDI ring when using two processors. It did nearly as well with a single processor, albeit with a fast operating system and judicious over-optimization.</para> + + +<para>The same process applies to other brands of purpose-designed servers. We found the same rules applied to DECstation 2100s as to the newest Alphas or Compaqs, old MIPS 3350s and new SGI O2s. In general, a machine offering multi-CPU server configurations will have enough bus bandwidth and CPU power to reliably bottleneck on hard disk I/O when doing file service. As one would hope, considering the cost!</para> +</sect2> + + + + + +<sect2 role="" label="B.3.4" id="appb-SECT-3.4"> +<title>How Many Clients can Samba Handle?</title> + + +<para>Well, that depends entirely on how much data each user consumes. A small server with three SCSI-1 disks, which can serve about 960KB/s of data, will support between 36 and 80 clients in an ordinary office environment where they are typically loading, and saving equal-sized spreadsheets or word processing documents (36 clients × 2.3 transfers/second × 12k file 1 MB/s).</para> + + +<para>On the same server in a development environment with programmers running a fairly heavy edit-compile-test cycle, one can easily see requests for 1 MB/s, limiting the server to 25 or fewer clients. To take this a bit further, an imaging system whose clients each require 10 MB/s will perform poorly no matter how big a server is if they're all on a 10 MB/s Ethernet. And so on.</para> + + +<para>If you don't know how much data an average user consumes, you can size your Samba servers by patterning them after existing NFS, Netware, or LAN Manager servers. You should be especially careful that the new servers have as many disks and disk controllers as the ones you've copied. This technique is appropriately called "punt and hope."</para> + + +<para>If you know how many clients an existing server can support, you're in <emphasis>much</emphasis> better shape. You can analyze the server to see what its maximum capacity is and use that to estimate how much data they must be demanding. For example, if serving home directories to 30 PCs from a PC server with two IDE disks is just too slow, and 25 clients is about right, then you can safely assume you're bottlenecked on Ethernet I/O (approximately 375KB) rather than disk I/O (up to 640KB). If so, you can then conclude that the clients are demanding 15 (that is, 375/25)KB/s on average.</para> + + +<para>Supporting a new lab of 75 clients will mean you'll need 1,125KB/s, spread over multiple (preferably three) Ethernets, and a server with at least three 7200 RPM disks and a CPU capable of keeping up. These requirements can be met by a Pentium 133 or above with the bus architecture to drive them all at full speed (e.g., PCI).</para> + + +<para>A custom-built PC server or a multiprocessor-capable workstation like a Sun Sparc, a DEC/Compaq Alpha, an SGI, or the like, would scale up easier, as would a machine with fast Ethernet, plus a switching hub to drive the client machines on individual 10 MB/s Ethernets.</para> + + +<sect3 role="" label="B.3.4.1" id="appb-SECT-3.4.1"> +<title>How to guess</title> + + +<para>If you have no idea at all what you need, the best thing is to try to guess based on someone else's experience. Each individual client machine can average from less than 1 I/O per second (normal PC or Mac used for sales/accounting) to as much as 4 (fast workstation using large applications). A fast workstation running a compiler can happily average 3-4 MB/s in data transfer requests, and an imaging system can demand even more.</para> + + +<para>Our recommendation? Spy on someone with a similar configuration and try to estimate their bandwidth requirements from their bottlenecks and the volume of the screams from their users. We also recommend Brian Wong's <citetitle>Configuration and Capacity Planning for Solaris Servers</citetitle>. While he uses Sun Solaris foremost in his examples, his bottlenecks are disks and network cards, which are common among all the major vendors. His tables for FTP servers also come very close to what we calculated for Samba servers, and make a good starting point.<indexterm id="appb-idx-959809-0" class="endofrange" startref="appb-idx-959800-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="B.3.5" id="appb-90359"> +<title>Measurement Forms</title> + + +<para> +<indexterm id="appb-idx-959816-0"><primary>measurement forms</primary></indexterm><link linkend="appb-82208">Table 2.6</link> and <link linkend="appb-34846">Table 2.7</link> are empty tables that you can use for copying and recording data. The bottleneck calculation in the previous example can be done in a spreadsheet, or manually with <link linkend="appb-51003">Table 2.8</link>. If Samba is as good as or better than FTP, and if there aren't any individual test runs that are much different from the average, you have a well-configured system. If loopback isn't much faster than anything else, you have a problem with your TCP/IP software. If both FTP and Samba are slow, you probably have a problem with your networking: a faulty Ethernet card will produce this, as will accidentally setting an Ethernet card to half-duplex when it's not connected to a half-duplex hub. Remember that CPU and disk speeds are commonly measured in bytes, network speeds in bits.</para> + + +<para>We've included columns for both bytes and bits in the tables. In the last column, we compare results to 10 Mb/s because that's the speed of a traditional Ethernet.</para> + + +<table label="B.6" id="appb-82208"> +<title>Ethernet Interface to Same Host: FTP </title> + +<tgroup cols="6"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<colspec colnum="6" colname="col6"/> +<thead> +<row> + +<entry colname="col1"><para>Run No</para></entry> + +<entry colname="col2"><para>Size in Bytes</para></entry> + +<entry colname="col3"><para>Time (sec)</para></entry> + +<entry colname="col4"><para>Bytes/sec</para></entry> + +<entry colname="col5"><para>Bits/sec</para></entry> + +<entry colname="col6"><para>% of 10 Mb/s</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>1</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>3</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>4</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>5</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>Average:</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>Deviation:</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<table label="B.7" id="appb-34846"> +<title>Ethernet Interface to Same Host: FTP </title> + +<tgroup cols="6"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<colspec colnum="6" colname="col6"/> +<thead> +<row> + +<entry colname="col1"><para>Run No</para></entry> + +<entry colname="col2"><para>Size in Bytes</para></entry> + +<entry colname="col3"><para>Time, sec</para></entry> + +<entry colname="col4"><para>Bytes/sec</para></entry> + +<entry colname="col5"><para>Bits/sec</para></entry> + +<entry colname="col6"><para>% of 10 Mb/s</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>1</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>3</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>4</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>5</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>Average:</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>Deviation:</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<table label="B.8" id="appb-51003"> +<title>Bottleneck Calculation Table</title> + +<tgroup cols="7"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<colspec colnum="6" colname="col6"/> +<colspec colnum="7" colname="col7"/> +<thead> +<row> + +<entry colname="col1"><para>CPU</para></entry> + +<entry colname="col2"><para>Throughput</para></entry> + +<entry colname="col3"><para>of Disks</para></entry> + +<entry colname="col4"><para>Disk Throughput</para></entry> + +<entry colname="col5"><para>Number of Networks</para></entry> + +<entry colname="col6"><para>Network Throughput</para></entry> + +<entry colname="col7"><para>Total Throughput</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +<entry colname="col7"></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>In <link linkend="appb-51003">Table 2.8</link>:</para> + + +<itemizedlist> + +<listitem><para>CPU throughput = (KB/second from <link linkend="ch06-89804">Figure 6.5</link>) × (number of CPUs)</para></listitem> + +<listitem><para>Disk throughput = (KB/second from <link linkend="ch06-48609">Figure 6.4</link>) × (number of disks)</para></listitem> + +<listitem><para>Network throughput = (KB/second from <link linkend="ch06-71393">Figure 6.6</link>) × (number of networks)</para></listitem> + +<listitem><para>Total throughput = min (Disk, CPU, and Network throughput)</para></listitem> + +</itemizedlist> + +<para>A typical test, in this case for an FTP <literal>get</literal>, would be entered as in <link linkend="appb-37370">Table 2.9</link></para> + + +<table label="B.9" id="appb-37370"> +<title>Ethernet Interface to Same Host: FTP </title> + +<tgroup cols="6"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<colspec colnum="6" colname="col6"/> +<thead> +<row> + +<entry colname="col1"><para>Run No</para></entry> + +<entry colname="col2"><para>Size in Bytes</para></entry> + +<entry colname="col3"><para>Time, sec</para></entry> + +<entry colname="col4"><para>Bytes/sec</para></entry> + +<entry colname="col5"><para>Bits/sec</para></entry> + +<entry colname="col6"><para>% of 10 Mb/s</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>1</para></entry> + +<entry colname="col2"><para>1812898</para></entry> + +<entry colname="col3"><para>2.3</para></entry> + +<entry colname="col4"><para>761580</para></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"><para>2.3</para></entry> + +<entry colname="col4"><para>767820</para></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>3</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"><para>2.4</para></entry> + +<entry colname="col4"><para>747420</para></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>4</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"><para>2.3</para></entry> + +<entry colname="col4"><para>760020</para></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>5</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"><para>2.3</para></entry> + +<entry colname="col4"><para>772700</para></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +<row> + +<entry colname="col1"><para>Average:</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"><para>2.32</para></entry> + +<entry colname="col4"><para>777310</para></entry> + +<entry colname="col5"><para>6218480</para></entry> + +<entry colname="col6"><para>62</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Deviation:</para></entry> + +<entry colname="col2"></entry> + +<entry colname="col3"><para>0.04</para></entry> + +<entry colname="col4"></entry> + +<entry colname="col5"></entry> + +<entry colname="col6"></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>The Sparc example we used earlier would look like <link linkend="SAMBA-AP-B-TBL-10">Table 2.10</link>.</para> + + +<table label="B.10" id="SAMBA-AP-B-TBL-10"> +<title>Sparc 20 Example, Redux</title> + +<tgroup cols="7"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<colspec colnum="6" colname="col6"/> +<colspec colnum="7" colname="col7"/> +<thead> +<row> + +<entry colname="col1"><para>CPU</para></entry> + +<entry colname="col2"><para>CPU Throughput</para></entry> + +<entry colname="col3"><para>Number of Disks</para></entry> + +<entry colname="col4"><para>Disk Throughput</para></entry> + +<entry colname="col5"><para>Number of Networks</para></entry> + +<entry colname="col6"><para>Network Throughput</para></entry> + +<entry colname="col7"><para>Total Throughput</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"><para>6,000</para></entry> + +<entry colname="col3"><para>1</para></entry> + +<entry colname="col4"><para>560</para></entry> + +<entry colname="col5"><para>1 10base2</para></entry> + +<entry colname="col6"><para>1,113</para></entry> + +<entry colname="col7"><para>560</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"><para>6,000</para></entry> + +<entry colname="col3"><para>6</para></entry> + +<entry colname="col4"><para>3,360</para></entry> + +<entry colname="col5"><para>1</para></entry> + +<entry colname="col6"><para>1,113</para></entry> + +<entry colname="col7"><para>1,113</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"><para>6,000</para></entry> + +<entry colname="col3"><para>6</para></entry> + +<entry colname="col4"><para>3,360</para></entry> + +<entry colname="col5"><para>4 10base2</para></entry> + +<entry colname="col6"><para>4,452</para></entry> + +<entry colname="col7"><para>3,360</para></entry> + +</row> + + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"><para>6,000</para></entry> + +<entry colname="col3"><para>20</para></entry> + +<entry colname="col4"><para>11,200</para></entry> + +<entry colname="col5"><para>4</para></entry> + +<entry colname="col6"><para>4,452</para></entry> + +<entry colname="col7"><para>4,452</para></entry> + +</row> + + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"><para>6,000</para></entry> + +<entry colname="col3"><para>20</para></entry> + +<entry colname="col4"><para>11,200</para></entry> + +<entry colname="col5"><para>2 100base2</para></entry> + +<entry colname="col6"><para>13,000</para></entry> + +<entry colname="col7"><para>11,200</para></entry> + +</row> + + +</tbody> +</tgroup> +</table> +</sect2> +</sect1> + + + + + + + + +</appendix> diff --git a/docs-xml/using_samba/appc.xml b/docs-xml/using_samba/appc.xml new file mode 100644 index 0000000000..76fc5e813d --- /dev/null +++ b/docs-xml/using_samba/appc.xml @@ -0,0 +1,3337 @@ +<appendix label="C" id="SAMBA-AP-C"> +<title>Samba Configuration Option Quick Reference</title> + + + + +<para>The following pages list each of the Samba configuration +options. If an option is applicable only to the global section, +"[global]" will appear before its name. Any lists mentioned are space +separated, except where noted. A glossary of terms follows the +options.</para> + + + + + + + + + + + +<sect1 role="" label="C.1" id="appc-SECT-1"> +<title>Configuration Options</title> + + +<refentry id="appc-refentry-1"> +<refmeta> +<refmiscinfo class="allowable values">user list</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>admin users = user list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of users who will be granted root permissions on the share by Samba.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-2"> +<refmeta> +<refmiscinfo class="allowable values">any</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>allow hosts = host list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>hosts allow</literal>. List of machines that may connect to a share.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-3"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>alternate permissions = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Obsolete. Has no effect in Samba 2. Files will be shown as read-only if the owner can't write them. In Samba 1.9 and earlier, setting this option would set the DOS filesystem read-only attribute on any file the user couldn't read. This in turn required the <literal>delete readonly</literal> option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-4"> +<refmeta> +<refmiscinfo class="allowable values">NT, Win95, WfW</refmiscinfo> +<refmiscinfo class="default">NT</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] announce as = system type</refname> +</refnamediv> +<refsynopsisdiv> +<para>Have Samba announce itself as something other than an NT server. Discouraged because it interferes with serving browse lists.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-5"> +<refmeta> +<refmiscinfo class="allowable values">any</refmiscinfo> +<refmiscinfo class="default">4.2</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] announce version = number.number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Instructs Samba to announce itself as an older version SMB server. Discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-6"> +<refmeta> +<refmiscinfo class="allowable values">any shares</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] auto services = share list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of shares that will always appear in browse lists. A synonym is <literal>preload</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-7"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>available = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to NO, denies access to a share. Doesn't affect browsing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-8"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] bind interfaces only = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, shares and browsing will be provided only on interfaces in an interfaces list (see <literal>interfaces</literal>). New in Samba 1.9.18. If you set this option to YES, be sure to add 127.0.0.1 to the interfaces list to allow <emphasis>smbpasswd</emphasis> to connect to the local machine to change passwords. This is a convienence option; it does not improve security.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-9"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>browsable = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allows a share to be announced in browse lists.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-10"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>blocking locks = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, honors byte range lock requests with time limits for queuing the request and retrying it until the time period expires. New in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-11"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] browse list = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Turns on/off <literal>browse</literal> <literal>list</literal> from this server. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-12"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] case sensitive = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, uses exactly the case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-13"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] case sig names = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>case sensitive</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-14"> +<refmeta> +<refmiscinfo class="allowable values">positive number</refmiscinfo> +<refmiscinfo class="default">60</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] change notify timeout = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the number of seconds between checks when a client asks for notification of changes in a directory. Introduced in Samba 2.0 to limit the performance cost of the checks. Avoid lowering.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-15"> +<refmeta> +<refmiscinfo class="allowable values">ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>character set = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set, translates from DOS code pages to the Western European (ISO8859-1), Eastern European (ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian (KOI8-R) character set. The <literal>client code page</literal> must be set to 850.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-16"> +<refmeta> +<refmiscinfo class="allowable values">See <link linkend="ch08-20815">Table 8.4</link></refmiscinfo> +<refmiscinfo class="default">437 (US MS-DOS)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>client code page = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the DOS code page explicitly, overriding any previous <literal>valid chars</literal> settings. Examples of values are 850 for European, 437 is the US standard, and 932 for Japanese Shift-JIS. Introduced in Samba 1.9.19.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-17"> +<refmeta> +<refmiscinfo class="allowable values">euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh, j8@b, j8@j, j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb, jubj, junet, jubh, ju@b, ju@j, ju@h</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>coding system = code</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the coding system used, notably for Kanji. This is employed for filenames and should correspond to the code page in use. The <literal>client code page</literal> option must be set to 932 (Japanese Shift-JIS). Introduced in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-18"> +<refmeta> +<refmiscinfo class="allowable values">a text string or NULL</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>comment = text</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the comment that appears beside a share in a NET VIEW or the details list of a Microsoft directory window. See also the <literal>server string</literal> configuration option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-19"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] config file = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Selects an additional Samba configuration file to read instead of the current one. Used to relocate the configuration file, or used with %-variables to select custom configuration files for some users or machines.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-20"> +<refmeta> +<refmiscinfo class="allowable values">existing section's name</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>copy = section name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Copies the configuration of a previously seen share into the share where it appears. Used with %-variables to select custom configurations for machines, architectures and users. The copied section must be earlier in the configuration file. Copied options are of lesser priority than those explicitly listed in the section.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-21"> +<refmeta> +<refmiscinfo class="allowable values">octal permission bits, 0-0777</refmiscinfo> +<refmiscinfo class="default">0744</refmiscinfo> +</refmeta> +<refnamediv> +<refname>create mask = octal value</refname> +</refnamediv> +<refsynopsisdiv> +<para>Also called <literal>create mode</literal>. Sets the maximum allowable permissions for new files (e.g., 0755). See also <literal>directory mask</literal>. To require certain permissions to be set, see <literal>force create mask/force directory mask</literal>. This option stopped affecting directories in Samba 1.9.17, and the default value changed in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-22"> +<refmeta> +<refmiscinfo class="allowable values">octal permission bits, 0-0777</refmiscinfo> +<refmiscinfo class="default">0744</refmiscinfo> +</refmeta> +<refnamediv> +<refname>create mode = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>create mask</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-23"> +<refmeta> +<refmiscinfo class="allowable values">minutes</refmiscinfo> +<refmiscinfo class="default">0 </refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] deadtime = minutes</refname> +</refnamediv> +<refsynopsisdiv> +<para>The time in minutes before an unused connection will be terminated. Zero means forever. Used to keep clients from tying up server resources forever. If used, clients will have to auto-reconnect after minutes of inactivity. See also <literal>keepalive</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-24"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] debug level = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the logging level used. Values of 3 or more slow Samba noticeably. A synonym is <literal>log level</literal>. Recommended value: 1.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-25"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] debug timestamp = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging). New in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-26"> +<refmeta> +<refmiscinfo class="allowable values">share name</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] default = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Also called <literal>default service</literal>. The name of a service (share) to provide if someone requests a service they don't have permission to use or which doesn't exist. As of Samba 1.9.14, the path will be set from the name the client specified, with any "_" characters changed to "/" characters, allowing access to any directory on the Samba server. Use is strongly discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-27"> +<refmeta> +<refmiscinfo class="allowable values">LOWER, UPPER</refmiscinfo> +<refmiscinfo class="default">LOWER</refmiscinfo> +</refmeta> +<refnamediv> +<refname>default case = case</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the case in which to store new filenames. LOWER indicates mixed case, UPPER indicates uppercase letters.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-28"> +<refmeta> +<refmiscinfo class="allowable values">share name</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] default service = share name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>default</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-29"> +<refmeta> +<refmiscinfo class="allowable values">NO, YES</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>delete readonly = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allow delete requests to remove read-only files. This is not allowed in DOS/Windows, but is normal in Unix, which has separate directory permissions. Used with programs like RCS, or with the older <literal>alternate permissions</literal> option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-30"> +<refmeta> +<refmiscinfo class="allowable values">NO, YES</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>delete veto files = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allow delete requests for a directory containing files or subdirectories the user can't see due to the <literal>veto files</literal> option. If set to NO, the directory will not be deleted and will still contain invisible files.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-31"> +<refmeta> +<refmiscinfo class="allowable values">host list</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>deny hosts = host list</refname> +</refnamediv> +<refsynopsisdiv> +<para>A synonym is <literal>hosts deny</literal>. Specifies a list of machines from which to refuse connections or shares.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-32"> +<refmeta> +<refmiscinfo class="allowable values">shell command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] dfree command = command</refname> +</refnamediv> +<refsynopsisdiv> +<para>A command to run on the server to return disk free space. Not needed unless the OS command does not work properly.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-33"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>directory = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>path</literal>. A directory provided by a file share, or used by a printer share. Set automatically in the <literal>[homes]</literal> share to user's home directory, otherwise defaults to<filename> /tmp</filename>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-34"> +<refmeta> +<refmiscinfo class="allowable values">octal value from 0 to 0777</refmiscinfo> +<refmiscinfo class="default">0755</refmiscinfo> +</refmeta> +<refnamediv> +<refname>directory mask = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Also called <literal>directory mode</literal>. Sets the maximum allowable permissions for newly created directories. To require certain permissions be set, see the <literal>force create mask</literal> and <literal>force directory mask</literal> options.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-35"> +<refmeta> +<refmiscinfo class="allowable values">octal value from 0 to 0777</refmiscinfo> +<refmiscinfo class="default">0755</refmiscinfo> +</refmeta> +<refnamediv> +<refname>directory mode = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>directory mask</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-36"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] dns proxy = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, and if <literal>wins server = YES</literal>, look up hostnames in DNS if they are not found using WINS.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-37"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] domain logons = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allow Windows 95/98 or NT clients to log on to an NT-like domain.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-38"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] domain master = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Become a domain master browser list collector if possible for the entire workgroup/domain.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-39"> +<refmeta> +<refmiscinfo class="allowable values">comma-separated list of paths</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>dont descend = comma-list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Does not allow a change directory or search in the directories specified. This is a browsing convenience option; it doesn't provide any extra security.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-40"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>dos filetimes = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allow non-owners to change file times if they can write to the file. See also <literal>dos filetime resolution</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-41"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>dos filetime resolution = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Set file times on Unix to match DOS standards (round to next even second). Recommended if using Visual C++ or a PC <emphasis>make</emphasis> program to avoid remaking the programs unnecesarily. Use with the <literal>dos filetimes</literal> option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-42"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] encrypt passwords = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Uses Windows NT-style password encryption. Requires an <filename>smbpasswd</filename> on the Samba server.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-43"> +<refmeta> +<refmiscinfo class="allowable values">shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>exec = command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of <literal>preexec</literal>, a command to run as the user just before connecting to the share.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-44"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>fake directory create times = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Bug fix for users of Microsoft <emphasis>nmake</emphasis>. If set, Samba will set directory create times such that <emphasis>nmake</emphasis> won't remake all files every time.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-45"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>fake oplocks = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Return YES whenever a client asks if it can lock a file and cache it locally, but does not enforce lock on the server. Use only for read-only disks, as Samba now supports real <literal>oplocks</literal> and has per-file overrides. See also <literal>oplocks</literal> and <literal>veto oplock files</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-46"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>follow symlinks = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, Samba will follow symlinks in a file share or shares. See the <literal>wide links</literal> option if you want to restrict symlinks to just the current share.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-47"> +<refmeta> +<refmiscinfo class="allowable values">octal value from 0 to 0777</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>force create mask = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Provides bits that will be <literal>OR</literal>ed into the permissions of newly created files. Used with the <literal>create mode</literal> configuration option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-48"> +<refmeta> +<refmiscinfo class="allowable values">octal value from 0 to 0777</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>force create mode = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>force create mask</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-49"> +<refmeta> +<refmiscinfo class="allowable values">octal value from 0 to 0777</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>force directory mask = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Provides bits that will be <literal>OR</literal>ed into the permissions of newly created directories, forcing those bits to be set. Used with <literal>directory mode</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-50"> +<refmeta> +<refmiscinfo class="allowable values">octal value from 0 to 0777</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>force directory mode = octal permission bits</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>force</literal> <literal>directory</literal> <literal>mask</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-51"> +<refmeta> +<refmiscinfo class="allowable values">group</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>force group = unix group</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the effective group name assigned to all users accessing a share. Used to override user's normal groups.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-52"> +<refmeta> +<refmiscinfo class="allowable values">username</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>force user = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the effective username assigned to all users accessing a share. Discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-53"> +<refmeta> +<refmiscinfo class="allowable values">NTFS, FAT, Samba</refmiscinfo> +<refmiscinfo class="default">NTFS</refmiscinfo> +</refmeta> +<refnamediv> +<refname>fstype = string</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the filesystem type reported to the client.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-54"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] getwd cache = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Cache current directory for performance. Recommended with the <literal>wide links</literal> option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-55"> +<refmeta> +<refmiscinfo class="allowable values">unix group</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>group = group</refname> +</refnamediv> +<refsynopsisdiv> +<para>An obsolete form of <literal>force group</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-56"> +<refmeta> +<refmiscinfo class="allowable values">username</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>guest account = user</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the name of the unprivileged Unix account to use for tasks like printing and for accessing shares marked with <literal>guest ok</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-57"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>guest ok = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, passwords are not needed for this share. Synonym of <literal>public</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-58"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>guest only = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Forces user of a share to do so as the guest account. Requires <literal>guest</literal> <literal>ok</literal> or <literal>public</literal> to be <literal>yes</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-59"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>hide dot files = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Treats files beginning with a dot in a share as if they had the DOS/Windows hidden attribute set.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-60"> +<refmeta> +<refmiscinfo class="allowable values">list of patterns, separated by <literal>/</literal> characters</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>hide files = slash-separated list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of file or directory names to set the DOS hidden attribute on. Names may contain <literal>?</literal> or <literal>*</literal> pattern-characters and <literal>%</literal>-variables. See also <literal>hide</literal> <literal>dot</literal> <literal>files</literal> and <literal>veto</literal> <literal>files</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-61"> +<refmeta> +<refmiscinfo class="allowable values">NIS map name</refmiscinfo> +<refmiscinfo class="default">auto.home</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] homedir map = NIS map name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Used with <literal>nis homedir</literal> to locate user's Unix home directory from Sun NIS (not NIS+).</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-62"> +<refmeta> +<refmiscinfo class="allowable values">list of hostnames</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>hosts allow = host list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of <literal>allow hosts</literal>, a list of machines that can access a share or shares. If NULL (the default) any machine can access the share unless there is a <literal>hosts deny</literal> option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-63"> +<refmeta> +<refmiscinfo class="allowable values">list of hostnames</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>hosts deny = host list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of <literal>deny hosts</literal>, a list of machines that cannot connect to a share or shares.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-64"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] hosts equiv = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Path to a file of trusted machines from which password-less logins are allowed. Strongly discouraged, because Windows/NT users can always override the user name, the only security in this scheme.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-65"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>include = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Include the named file in <filename>smb.conf</filename> at the line where it appears. This option does not understand the variables <literal>%u</literal> (user), <literal>%P</literal> (current share's root directory), or <literal>%S</literal> (current share name), because they are not set at the time the file is read.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-66"> +<refmeta> +<refmiscinfo class="allowable values">IP addresses separated by spaces</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] interfaces = interface list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the interfaces to which Samba will respond. The default is the machine's primary interface only. Recommended on multihomed machines or to override erroneous addresses and netmasks.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-67"> +<refmeta> +<refmiscinfo class="allowable values">list of users</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>invalid users = user list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of users that will not be permitted access to a share or shares.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-68"> +<refmeta> +<refmiscinfo class="allowable values">number of seconds</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] keepalive = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Number of seconds between checks for a crashed client. The default of 0 causes no checks to be performed. Recommended if you want checks more often than every four hours. 3600 (10 minutes) is reasonable. See also <literal>socket options</literal> for another approach.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-69"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">automatic</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] kernel oplocks = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Break oplock when a Unix process accesses an <emphasis>oplocked</emphasis> file, preventing corruption. Set to YES on operating systems supporting this, otherwise set to NO. New in Samba 2.0; supported on SGI, and hopefully soon on Linux and BSD. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-70"> +<refmeta> +<refmiscinfo class="allowable values">various</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] ldap filter = various</refname> +</refnamediv> +<refsynopsisdiv> +<para>Options beginning with <literal>ldap</literal> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-71"> +<refmeta> +<refmiscinfo class="allowable values">various</refmiscinfo> +<refmiscinfo class="default">various</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] ldap port = various</refname> +</refnamediv> +<refsynopsisdiv> +<para>Options beginning with <literal>ldap</literal> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-72"> +<refmeta> +<refmiscinfo class="allowable values">various</refmiscinfo> +<refmiscinfo class="default">various</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] ldap root = various</refname> +</refnamediv> +<refsynopsisdiv> +<para>Options beginning with <literal>ldap</literal> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-73"> +<refmeta> +<refmiscinfo class="allowable values">various</refmiscinfo> +<refmiscinfo class="default">various</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] ldap server = various</refname> +</refnamediv> +<refsynopsisdiv> +<para>Options beginning with <literal>ldap</literal> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-74"> +<refmeta> +<refmiscinfo class="allowable values">various</refmiscinfo> +<refmiscinfo class="default">various</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] ldap suffix = various</refname> +</refnamediv> +<refsynopsisdiv> +<para>Options beginning with <literal>ldap</literal> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-75"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] load printers = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Load all printer names from the system printer capabilities into browse list. Uses configuration options from the <literal>[printers]</literal> section.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-76"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] local master = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Stands for election as the local master browser. See also <literal>domain master</literal> and <literal>os level</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-77"> +<refmeta> +<refmiscinfo class="allowable values">AUTO, YES, NO</refmiscinfo> +<refmiscinfo class="default">AUTO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] lm announce = value</refname> +</refnamediv> +<refsynopsisdiv> +<para>Produce OS/2 SMB broadcasts at an interval specified by the <literal>lm interval</literal> option. YES/NO turns them on/off unconditionally. AUTO causes the Samba server to wait for a LAN Manager announcement from another client before sending one out. Required for OS/2 client browsing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-78"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">60</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] lm interval = seconds</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the time period, in seconds, between OS/2 SMB broadcast announcements.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-79"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default"><emphasis>/usr/local/samba/var/locks</emphasis></refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] lock directory = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Set a directory to keep lock files in. The directory must be writable by Samba, readable by everyone.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-80"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>locking = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Perform file locking. If set to NO, Samba will accept lock requests but will not actually lock resources. Recommended only for read-only file systems.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-81"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] log file = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Set name and location of the log file. Allows all %-variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-82"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] log level = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>A synonym of <literal>debug level</literal>. Sets the logging level used. Values of 3 or more slow the system noticeably.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-83"> +<refmeta> +<refmiscinfo class="allowable values">DOS drive name</refmiscinfo> +<refmiscinfo class="default">None</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] logon drive = drive</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the drive on Windows NT (only) of the <literal>logon path</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-84"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default"><emphasis>\\</emphasis><replaceable>%N </replaceable><emphasis>\</emphasis><replaceable>%U</replaceable></refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] logon home = path</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the home directory of a Windows 95/98 or NT Workstation user. Allows <literal>NET</literal> <literal>USE</literal> <literal>H:/HOME</literal> from the command prompt.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-85"> +<refmeta> +<refmiscinfo class="allowable values">Windows pathname</refmiscinfo> +<refmiscinfo class="default"><emphasis>\\</emphasis><replaceable>%N </replaceable><emphasis>\</emphasis><replaceable>%U </replaceable><emphasis>\profile</emphasis></refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] logon path = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets path to Windows profile directory. This contains <emphasis>USER.MAN</emphasis> and/or <emphasis>USER.DAT</emphasis> profile files and the Windows 95 Desktop, Start Menu, Network Neighborhood, and programs folders.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-86"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] logon script = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets pathname relative to <literal>[netlogin]</literal> share of a DOS/NT script to run on the client at login time. Allows all %-variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-87"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualfied Unix shell command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>lppause command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command to pause a print job. Honors the <literal>%p</literal> (printer name) and <literal>%j</literal> (job number) variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-88"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>lpresume command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command to resume a paused print job. Honors the <literal>%p</literal> (printer name) and <literal>%j</literal> ( job number) variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-89"> +<refmeta> +<refmiscinfo class="allowable values">number of seconds</refmiscinfo> +<refmiscinfo class="default">10</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] lpq cache time = seconds</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets how long to keep print queue (<literal>lpq </literal>) status is cached, in seconds.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-90"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualfied Unix shell command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>lpq command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command used to get printer status. Usually initialized to a default value by the <literal>printing</literal> option. Honors the <literal>%p</literal> (printer name) variable.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-91"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>lprm command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command to delete a print job. Usually initialized to a default value by the <literal>printing</literal> option. Honors the <literal>%p</literal> (printer name) and <literal>%j</literal> (job number) variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-92"> +<refmeta> +<refmiscinfo class="allowable values">number of seconds</refmiscinfo> +<refmiscinfo class="default">604,800</refmiscinfo> +</refmeta> +<refnamediv> +<refname>machine password timeout = seconds</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the period between (NT domain) machine password changes. Default is 1 week, or 604,800 seconds.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-93"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default"><emphasis>script.out</emphasis></refmiscinfo> +</refmeta> +<refnamediv> +<refname>magic output = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the output file for the discouraged <literal>magic scripts</literal> option. Default is the script name, followed by the extension <emphasis>.out</emphasis>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-94"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>magic script = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a filename for execution via a shell whenever the file is closed from the client, to allow clients to run commands on the server.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-95"> +<refmeta> +<refmiscinfo class="allowable values"><emphasis>allowable values:</emphasis> YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>mangle case = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Mangle a name if it is in mixed case.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-96"> +<refmeta> +<refmiscinfo class="allowable values">list of to-from pairs</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>mangled map = map list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Set up a table of names to remap (e.g., <emphasis>.html</emphasis> to <emphasis>.htm</emphasis>).</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-97"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>mangled names = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets Samba to abbreviate names that are too long or have unsupported characters to the DOS 8.3 style.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-98"> +<refmeta> +<refmiscinfo class="allowable values">character</refmiscinfo> +<refmiscinfo class="default">~</refmiscinfo> +</refmeta> +<refnamediv> +<refname>mangling char = character</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the unique mangling character used in all mangled names.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-99"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">50</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] mangled stack = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the size of a cache of recently-mangled filenames.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-100"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>map aliasname = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Points to a file of Unix group/NT group pairs, one per line. This is used to map NT aliases to Unix group names. See also the configuration options <literal>username</literal> <literal>map</literal> and <literal>map</literal> <literal>groupname</literal>. Introduced in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-101"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>map archive = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, Samba sets the executable-by-user (0100) bit on Unix files if the DOS archive attribute is set. Recommended: if used, the <literal>create mask</literal> must contain the 0100 bit.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-102"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>map hidden = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, sets executable-by-other (0001) bit on Unix files if the DOS hidden attribute is set. If used, the <literal>create mask</literal> option must contain the 0001 bit.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-103"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>map groupname = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Points to a file of Unix group/NT group, one per line. This is used to map NT group names to Unix group names. See also the configuration options <literal>username</literal> <literal>map</literal> and <literal>map</literal> <literal>aliasname</literal>. Introduced in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-104"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>map system = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, Samba sets the executable-by-group (0010) bit on Unix files if the DOS system attribute is set. If used, the <literal>create mask</literal> must contain the 0010 bit.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-105"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">0 (infinity)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>max connections = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Set maximum number of connections allowed to a share from each individual client machine.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-106"> +<refmeta> +<refmiscinfo class="allowable values">size in MB</refmiscinfo> +<refmiscinfo class="default">0 (unchanged)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max disk size = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets maximum disk size/free-space size (in megabytes) to return to client. Some clients or applications can't understand large maximum disk sizes.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-107"> +<refmeta> +<refmiscinfo class="allowable values">size in KB</refmiscinfo> +<refmiscinfo class="default">5000</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max log size = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the size (in kilobytes) at which Samba will start a new log file. The current log file will be renamed with an <emphasis>.old</emphasis> extension, replacing any previous file with that name.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-108"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">50</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max mux = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the number of simultaneous operations that Samba clients may make. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-109"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">N/A</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max packet = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>packet size</literal>. Obsolete as of Samba 1.7. Use <literal>max xmit</literal> instead.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-110"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">10,000</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max open files = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Limits the number of files a Samba process will try to keep open at one time. Samba allows you to set this to less than the Unix maximum. This option is a workaround for a separate problem. Avoid changing. This option was introduced in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-111"> +<refmeta> +<refmiscinfo class="allowable values">time in seconds</refmiscinfo> +<refmiscinfo class="default">14400 (4 hrs)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max ttl = seconds</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the time to keep NetBIOS names in <emphasis>nmbd</emphasis> cache while trying to perform a lookup on it. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-112"> +<refmeta> +<refmiscinfo class="allowable values">time in seconds</refmiscinfo> +<refmiscinfo class="default">259200 (3 days)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max wins ttl = seconds</refname> +</refnamediv> +<refsynopsisdiv> +<para>Limits time-to-live of a NetBIOS name in <emphasis>nmbd</emphasis> WINS cache, in seconds. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-113"> +<refmeta> +<refmiscinfo class="allowable values">size in bytes</refmiscinfo> +<refmiscinfo class="default">65535</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] max xmit = bytes</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets maximum packet size that will be negotiated by Samba. Tuning parameter for slow links and older client bugs. Values less than 2048 are discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-114"> +<refmeta> +<refmiscinfo class="allowable values">shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] message command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command on the server to run when a WinPopup message arrives from a client. The command must end in "<literal>&</literal>" to allow immediate return. Honors all %-variables except <literal>%u</literal> (user), and supports the extra variables <literal>%s</literal> (filename the message is in), <literal>%t</literal> (destination machine), and <literal>%f</literal> (from).</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-115"> +<refmeta> +<refmiscinfo class="allowable values">space in KB</refmiscinfo> +<refmiscinfo class="default">0 (unlimited)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>min print space = kilobytes</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets minimum spool space required before accepting a print request.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-116"> +<refmeta> +<refmiscinfo class="allowable values">time in seconds</refmiscinfo> +<refmiscinfo class="default">21600 (6 hrs)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] min wins ttl = seconds</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets minimum time-to-live of a NetBIOS name in <emphasis>nmbd</emphasis> WINS cache, in seconds. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-117"> +<refmeta> +<refmiscinfo class="allowable values">list of lmhosts, wins, hosts and bcast</refmiscinfo> +<refmiscinfo class="default">lmhosts wins hosts bcast</refmiscinfo> +</refmeta> +<refnamediv> +<refname>name resolve order = list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets order of lookup when trying to get IP address from names. The <literal>hosts</literal> parameter carrries out a regular name look up using the server's normal sources: <emphasis>/etc/hosts</emphasis>, DNS, NIS, or a combination of them. Introduced in Samba 1.9.18p4.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-118"> +<refmeta> +<refmiscinfo class="allowable values">list of netbios names</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] netbios aliases = list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Adds additional NetBIOS names by which a Samba server will advertise itself.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-119"> +<refmeta> +<refmiscinfo class="allowable values">host name</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>netbios name = hostname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the NetBIOS name by which a Samba server is known, or primary name if NetBIOS aliases exist.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-120"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] networkstation user login = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to NO, clients will not do a full login when <literal>security = server</literal>. Avoid changing. Turning it off is a temporary workaround (introduced in Samba 1.9.18p3) for NT trusted domains bug. Automatic correction was introduced in Samba 1.9.18p10; the parameter may eventually be removed.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-121"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] nis homedir = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, the <literal>homedir map</literal> will be used to look up the user's home-directory server name and return it to the client. The client will contact that machine to connect to the share. This avoids mounting from a machine that doesn't actually have the disk. The machine with the home directories must be an SMB server.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-122"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] nt pipe support = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allows turning off NT-specific pipe calls. This is a developer/benchmarking option and may be removed in the future. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-123"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] nt smb support = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, allow NT-specific SMBs to be used. This is a developer/benchmarking option and may be removed in the future. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-124"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] null passwords = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, allows access to accounts that have null passwords. Strongly discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-125"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>ole locking compatibility = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, locking ranges will be mapped to avoid Unix locks crashing when Windows uses locks above 32KB. You should avoid changing this option. Introduced in Samba 1.9.18p10.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-126"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>only guest = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>A synonym for <literal>guest only</literal>. Forces user of a share to login as the guest account.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-127"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>only user = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Requires that users of the share be on a <literal>username =</literal> list.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-128"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>oplocks = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, support local caching of <emphasis>opportunistic</emphasis> locked files on client. This option is recommended because it improves performance by about 30%. See also <literal>fake</literal> <literal>oplocks</literal> and <literal>veto</literal> <literal>oplock</literal> <literal>files</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-129"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] os level = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the candidacy of the server when electing a browse master. Used with the <literal>domain</literal> <literal>master</literal> or <literal>local</literal> <literal>master</literal> options. You can set a higher value than a competing operating system if you want Samba to win. Windows for Workgroups and Windows 95 use 1, Windows NT client uses 17, and Windows NT Server uses 33.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-130"> +<refmeta> +<refmiscinfo class="allowable values">number in bytes</refmiscinfo> +<refmiscinfo class="default">65535</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] packet size = bytes</refname> +</refnamediv> +<refsynopsisdiv> +<para>Obsolete. Discouraged synonym of <literal>max packet</literal>. See <literal>max xmit</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-131"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] passwd chat debug = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Logs an entire password chat, including passwords passed, with a log level of 100. For debugging only. Introduced in Samba 1.9.18p5.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-132"> +<refmeta> +<refmiscinfo class="allowable values">Unix server commands</refmiscinfo> +<refmiscinfo class="default">compiled-in value</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] passwd chat = command sequence</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command used to change passwords on the server. Supports the variables <literal>%o</literal> (old password) and <literal>%n</literal> (new password) and allows <literal>\r</literal> <literal>\n</literal> <literal>\t</literal> and <literal>\s</literal> (space) escapes in the sequence.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-133"> +<refmeta> +<refmiscinfo class="allowable values">Unix server program</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] passwd program = program</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command used to change user's password. Will be run as <literal>root</literal>. Supports <literal>%u</literal> (user).</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-134"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] password level = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Specifies the number of uppercase letter permutations used to match passwords. Workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with passwords in different cases, which can trigger account lockouts.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-135"> +<refmeta> +<refmiscinfo class="allowable values">list of NetBIOS names</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] password server = netbios names</refname> +</refnamediv> +<refsynopsisdiv> +<para>A list of SMB servers that will validate passwords for you. Used with an NT password server (PDC or BDC) and the <literal>security</literal> <literal>=</literal> <literal>server</literal> or <literal>security</literal> <literal>=</literal> <literal>domain</literal> configuration options. Caution: an NT password server must allow logins from the Samba server.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-136"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualfied Unix shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>panic action = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command to run when Samba panics. For Samba developers and testers, <literal>/usr/bin/X11/xterm -display :0 -e gdb /samba/bin/smbd %d</literal> is a possible value.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-137"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>path = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the path to the directory provided by a file share or used by a printer share. Set automatically in <literal>[homes]</literal> share to user's home directory, otherwise defaults to<filename> /tmp</filename>. Honors the <literal>%u</literal> (user) and <literal>%m</literal> (machine) variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-138"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>postexec = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a command to run as the user after disconnecting from the share. See also the options <literal>preexec</literal>, <literal>root preexec</literal>, and <literal>root postexec</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-139"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>postscript = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Flags a printer as PostScript to avoid a Windows bug by inserting <literal>%!</literal> as the first line. Works only if printer actually is PostScript compatible.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-140"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>preexec = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a command to run as the user before connecting to the share. See also the options <literal>postexec</literal>, <literal>root preexec</literal>, and <literal>root postexec</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-141"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] preferred master = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, Samba is preferred to become the master browser. Causes Samba to call a browsing election when it comes online.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-142"> +<refmeta> +<refmiscinfo class="allowable values">list of services</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>preload = share list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of <literal>auto</literal> <literal>services</literal>. Specifies a list of shares that will always appear in browse lists.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-143"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>preserve case = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, this option leaves filenames in the case sent by client. If no, it forces filenames to the case specified by the <literal>default</literal> <literal>case</literal> option. See also <literal>short preserve case</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-144"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>print command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command used to send a spooled file to the printer. Usually initialized to a default value by the <literal>printing</literal> option. This option honors the <literal>%p</literal> (printer name), <literal>%s</literal> (spool file) and <literal>%f</literal> (spool file as a relative path) variables. Note that the command in the value of the option must include file deletion of the spool file.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-145"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>print ok = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of <literal>printable</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-146"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>printable = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a share to be a print share. Required for all printers.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-147"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default"><emphasis>/etc/printcap</emphasis></refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] printcap name = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the path to the printer capabilities file used by the <literal>[printers]</literal> share. The default value changes to <filename>/etc/qconfig</filename> under AIX and <filename>lpstat</filename> on System V.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-148"> +<refmeta> +<refmiscinfo class="allowable values">printer name</refmiscinfo> +<refmiscinfo class="default"><literal>lp</literal></refmiscinfo> +</refmeta> +<refnamediv> +<refname>printer = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the name of the Unix printer.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-149"> +<refmeta> +<refmiscinfo class="allowable values">exact printer driver string used by Windows</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>printer driver = printer driver name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the string to pass to Windows when asked what driver to use to prepare files for a printer share. Note that the value is case sensitive.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-150"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default"><emphasis>samba-lib/printers.def</emphasis></refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] printer driver file = path</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the location of a <emphasis>msprint.def</emphasis> file, usable by Windows 95/98.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-151"> +<refmeta> +<refmiscinfo class="allowable values">Windows network path</refmiscinfo> +<refmiscinfo class="default"><emphasis>\\</emphasis><replaceable>server</replaceable><emphasis>\PRINTER$</emphasis></refmiscinfo> +</refmeta> +<refnamediv> +<refname>printer driver location = path</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the location of the driver for a particular printer. The value is a pathname for a share that stores the printer driver files.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-152"> +<refmeta> +<refmiscinfo class="allowable values">name</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>printer name = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of <literal>printer</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-153"> +<refmeta> +<refmiscinfo class="allowable values">bsd, sysv, hpux, aix, qnx, plp, lprng</refmiscinfo> +<refmiscinfo class="default">bsd</refmiscinfo> +</refmeta> +<refnamediv> +<refname>printing = style</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets printing style to one of the above, instead of the compiled-in value. This sets initial values of at least the <literal>print</literal> <literal>command </literal>, <literal>print</literal> <literal>command </literal>, <literal>lpq</literal> <literal>command </literal>, and <literal>lprm</literal> <literal>command</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-154"> +<refmeta> +<refmiscinfo class="allowable values">NT1, LANMAN2, LANMAN1, COREPLUS, CORE</refmiscinfo> +<refmiscinfo class="default">NT1</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] protocol = protocol</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets SMB protocol version to one of the allowable +values. Resetting is highly discouraged. Only for backwards +compatibility with older-client bugs.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-155"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>public = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, passwords are not needed for this share. A synonym is <literal>guest ok</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-156"> +<refmeta> +<refmiscinfo class="allowable values">valid Unix command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>queuepause command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command used to pause a print queue. Usually initialized to a default value by the <literal>printing</literal> option. Introduced in Samba 1.9.18p10.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-157"> +<refmeta> +<refmiscinfo class="allowable values">valid Unix command</refmiscinfo> +<refmiscinfo class="default">varies</refmiscinfo> +</refmeta> +<refnamediv> +<refname>queueresume command = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the command used to resume a print queue. Usually initialized to a default value by the <literal>printing</literal> option. Introduced in Samba 1.9.18p10.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-158"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>read bmpx = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Obsolete. Do not change.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-159"> +<refmeta> +<refmiscinfo class="allowable values">comma-separated list of users</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>read list = comma-separated list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Specifies a list of users given read-only access to a writeable share.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-160"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>read only = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a share to read-only. Antonym of <literal>writable</literal> and <literal>write ok</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-161"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] read prediction = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Reads ahead data for read-only files. Obsolete; removed in Samba 2.0.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-162"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] read raw = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allows fast streaming reads over TCP using 64K buffers. Recommended.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-163"> +<refmeta> +<refmiscinfo class="allowable values">size in bytes</refmiscinfo> +<refmiscinfo class="default">2048</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] read size = bytes</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a buffering option for servers with mismatched disk and network speeds. Requires experimentation. Avoid changing. Should not exceed 65536.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-164"> +<refmeta> +<refmiscinfo class="allowable values">list of remote addresses</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] remote announce = remote list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Adds workgroups to the list on which the Samba server will announce itself. Specified as IP address/workgroup (for instance, 192.168.220.215/SIMPLE) with multiple groups separated by spaces. Allows directed broadcasts. The server will appear on those workgroup's browse lists. Does not require WINS.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-165"> +<refmeta> +<refmiscinfo class="allowable values">IP-address list</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] remote browse sync = address list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Enables Samba-only browse list synchronization with other Samba local master browsers. Addresses can be specific addresses or directed broadcasts (i.e., ###.###.###.255). The latter will cause Samba to hunt down the local master.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-166"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>revalidate = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, requires users to re-enter passwords even after a successful initial logon to a share with a password.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-167"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] root = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>root directory</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-168"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] root dir = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>root directory</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-169"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] root directory = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Specifies a directory to <literal>chroot()</literal> to before starting daemons. Prevents any access below that directory tree. See also the <literal>wide links</literal> configuration option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-170"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>root postexec = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a command to run as root after disconnecting from the share. See also <literal>preexec</literal>, <literal>postexec</literal>, and <literal>root</literal> <literal>preexec</literal> configuration options. Runs after the user's <literal>postexec</literal> command. Use with caution.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-171"> +<refmeta> +<refmiscinfo class="allowable values">fully-qualified Unix shell command</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>root preexec = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a command to run as root before connecting to the share. See also <literal>preexec</literal>, <literal>postexec</literal>, and <literal>root</literal> <literal>postexec</literal> configuration options. Runs before the user's <literal>preexec</literal> command. Use with caution.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-172"> +<refmeta> +<refmiscinfo class="allowable values">share, user, server, domain</refmiscinfo> +<refmiscinfo class="default">share in Samba 1.0, user in 2.0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] security = value</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets password-security policy. If <literal>security</literal> <literal>=</literal> <literal>share</literal>, services have a shared password, available to everyone. If <literal>security</literal> <literal>=</literal> <literal>user</literal>, users have (Unix) accounts and passwords. If <literal>security</literal> <literal>=</literal> <literal>server</literal>, users have accounts and passwords and a separate machine authenticates them for Samba. If <literal>security</literal> <literal>=</literal> <literal>domain</literal>, full NT-domain authentication is done. See also the <literal>password server</literal> and <literal>encrypted passwords</literal> configuration options.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-173"> +<refmeta> +<refmiscinfo class="allowable values">string</refmiscinfo> +<refmiscinfo class="default">Samba <literal>%v</literal> in 2.0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] server string = text</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the name that appears beside a server in browse lists. Honors the <literal>%v</literal> (Samba version number) and <literal>%h</literal> (hostname) variables.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-174"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>set directory = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allows DEC Pathworks client to use the <emphasis>set dir</emphasis> command.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-175"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">113</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] shared file entries = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Obsolete; do not use.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-176"> +<refmeta> +<refmiscinfo class="allowable values">size in bytes</refmiscinfo> +<refmiscinfo class="default">102400</refmiscinfo> +</refmeta> +<refnamediv> +<refname>shared mem size = bytes</refname> +</refnamediv> +<refsynopsisdiv> +<para>If compiled with FAST_SHARE_MODES (mmap), sets the shared memory size in bytes. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-177"> +<refmeta> +<refmiscinfo class="allowable values">Unix pathname</refmiscinfo> +<refmiscinfo class="default"><filename>/usr/local/samba/private/smbpasswd</filename></refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] smb passwd file = path</refname> +</refnamediv> +<refsynopsisdiv> +<para>Overrides compiled-in path to password file if <literal>encrypted passwords</literal> <literal>=</literal> <literal>yes</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-178"> +<refmeta> +<refmiscinfo class="allowable values">smbrun command</refmiscinfo> +<refmiscinfo class="default">compiled-in value</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] smbrun = /absolute_ path/command</refname> +</refnamediv> +<refsynopsisdiv> +<para>Overrides compiled-in path to <filename>smbrun</filename> binary. Avoid changing.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-179"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>share modes = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, this option supports Windows-style whole-file (deny mode) locks.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-180"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>short preserve case = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, leaves mangled 8.3-style filenames in the case sent by client. If no, it forces the case to that specified by the <literal>default case</literal> option. See also <literal>preserve case</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-181"> +<refmeta> +<refmiscinfo class="allowable values">IP address</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] socket address = IP address</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets address on which to listen for connections. Default is to listen to all addresses. Used to support multiple virtual interfaces on one server. Highly discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-182"> +<refmeta> +<refmiscinfo class="allowable values">list</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] socket options = socket option list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets OS-specific socket options. <literal>SO_KEEPALIVE</literal> has TCP check clients every 4 hours to see if they are still accessible. <literal>TCP_NODELAY</literal> sends even tiny packets to keep delay low. Recommended wherever the operating system supports them. See <link linkend="SAMBA-AP-B">Appendix B</link>, for more information.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-183"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] status = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, logs connections to a file (or shared memory) accessible to <filename>smbstatus</filename>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-184"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>strict sync = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, Samba will synchronize to disk whenever the client sets the sync bit in a packet. If set to NO, Samba flushes data to disk whenever buffers fill. Defaults to NO because Windows 98 Explorer sets the bit (incorrectly) in all packets. Introduced in Samba 1.9.18p10.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-185"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>strict locking = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, Samba checks locks on every access, not just on demand and at open time. Not recommended.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-186"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] strip dot = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Removes trailing dots from filenames. Use <literal>mangled map</literal> instead.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-187"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">1</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] syslog = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets number of Samba log messages to send to <filename>syslog</filename>. Higher is more verbose. The <filename>syslog.conf</filename> file must have suitable logging enabled.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-188"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] syslog only = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, log only to <emphasis>syslog,</emphasis> not standard Samba log files.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-189"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>sync always = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, Samba calls <emphasis>fsync</emphasis>(3) after every write. Avoid except for debugging crashing servers.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-190"> +<refmeta> +<refmiscinfo class="allowable values">minutes</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] time offset = minutes</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets number of minutes to add to system time zone calculation. Provided to fix a client daylight-savings bug; not recommended.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-191"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] time server = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If YES, <emphasis>nmbd</emphasis> will provide time service to its clients.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-192"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>unix password sync = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set, will attempt to change the user's Unix password whenever the user changes his or her SMB password. Used to ease synchronization of Unix and Microsoft password databases. Added in Samba 1.9.18p4. See also <literal>passwd chat</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-193"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>unix realname = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set, will provide the GCOS field of <filename>/etc/passwd</filename> to the client as the user's full name.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-194"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>update encrypted = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Updates the Microsoft-format password file when a user logs in with unencrypted passwords. Provided to ease conversion to encryped passwords for Windows 95/98 and NT. Added in Samba 1.9.18p5.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-195"> +<refmeta> +<refmiscinfo class="allowable values">comma-separated list of user names</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>user = comma-separated list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym for <literal>username</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-196"> +<refmeta> +<refmiscinfo class="allowable values">comma-separated list of user names</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>username = comma-separated list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets a list of users to try to log in as for a share or shares with share-level security. Synonyms are <literal>user</literal> and <literal>users</literal>. Discouraged. Use <literal>NET USE \\</literal><replaceable>server</replaceable><literal>\</literal><replaceable>share </replaceable><literal>%</literal><replaceable>user</replaceable> from the client instead.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-197"> +<refmeta> +<refmiscinfo class="allowable values">number</refmiscinfo> +<refmiscinfo class="default">0</refmiscinfo> +</refmeta> +<refnamediv> +<refname>username level = number</refname> +</refnamediv> +<refsynopsisdiv> +<para>Number of uppercase letter permutations allowed to match Unix usernames. Workaround for Windows feature (single-case usernames). Use is discouraged.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-198"> +<refmeta> +<refmiscinfo class="allowable values">pathname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] username map = pathname</refname> +</refnamediv> +<refsynopsisdiv> +<para>Names a file of Unix-to-Windows name pairs; used to map different spellings of account names and those Windows usernames longer than eight characters.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-199"> +<refmeta> +<refmiscinfo class="allowable values">list of numeric values</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>valid chars = list</refname> +</refnamediv> +<refsynopsisdiv> +<para>Semi-obsolete. Adds national characters to a character set map. Overridden by <literal>client code page</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-200"> +<refmeta> +<refmiscinfo class="allowable values">list of users</refmiscinfo> +<refmiscinfo class="default">NULL (everyone)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>valid users = user list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of users that can log in to a share.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-201"> +<refmeta> +<refmiscinfo class="allowable values">slash-separated list of filenames</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>veto files = slash-list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of files not to allow the client to see when listing a directory's contents. See also <literal>delete veto files</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-202"> +<refmeta> +<refmiscinfo class="allowable values">slash-separated list of filenames</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>veto oplock files = slash-list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of files not to oplock (and cache on clients). See also <literal>oplocks</literal> and <literal>fake oplocks</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-203"> +<refmeta> +<refmiscinfo class="allowable values">string</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>volume = share name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the volume label of a disk share, notably a CD-ROM.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-204"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>wide links = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, Samba will follow symlinks out of the current disk share(s). See also the <literal>root dir</literal> and <literal>follow symlinks</literal> options.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-205"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] wins proxy = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, <emphasis>nmbd</emphasis> will proxy resolution requests to WINS servers on behalf of old clients, which use broadcasts. WINS server is typically on another subnet.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-206"> +<refmeta> +<refmiscinfo class="allowable values">hostname</refmiscinfo> +<refmiscinfo class="default">NULL</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] wins server = host</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the DNS name or IP address of the WINS server.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-207"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">NO</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] wins support = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>If set to YES, Samba activates WINS service. The <literal>wins server</literal> option must not be set if <literal>wins support = yes</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-208"> +<refmeta> +<refmiscinfo class="allowable values">workgroup name</refmiscinfo> +<refmiscinfo class="default">compiled-in</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] workgroup = name</refname> +</refnamediv> +<refsynopsisdiv> +<para>Sets the workgroup to which things will be served. Overrides compiled-in value. Choosing a name other than <literal>WORKGROUP</literal> is strongly recommended.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-209"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>writable = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Antonym for <literal>read only</literal>; synonym of <literal>write ok</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-210"> +<refmeta> +<refmiscinfo class="allowable values">comma-separated list of users</refmiscinfo> +<refmiscinfo class="default">NULL (everyone)</refmiscinfo> +</refmeta> +<refnamediv> +<refname>write list = comma-separated list</refname> +</refnamediv> +<refsynopsisdiv> +<para>List of users that are given read-write access to a read-only share. See also <literal>read list</literal>.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-211"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>write ok = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Synonym of the <literal>writable</literal> configuration option.</para> + +</refsynopsisdiv> +</refentry> + +<refentry id="appc-refentry-212"> +<refmeta> +<refmiscinfo class="allowable values">YES, NO</refmiscinfo> +<refmiscinfo class="default">YES</refmiscinfo> +</refmeta> +<refnamediv> +<refname>[global] write raw = boolean</refname> +</refnamediv> +<refsynopsisdiv> +<para>Allows fast streaming writes over TCP, using 64KB buffers. Recommended.</para> + +</refsynopsisdiv> +</refentry> +</sect1> + + + + + + + + + +<sect1 role="" label="C.2" id="appc-SECT-2"> +<title>Glossary of Configuration Values</title> + + +<variablelist> +<varlistentry><term> +<indexterm id="appc-idx-990655-0"><primary>glossary</primary></indexterm>Address list</term> +<listitem><para>A space-separated list of IP addresses in ###.###.###.### format.</para></listitem> +</varlistentry> + + +<varlistentry><term>Comma-separated list</term> +<listitem><para>A list of items separated by commas.</para></listitem> +</varlistentry> + + +<varlistentry><term>Command</term> +<listitem><para>A Unix command, with full path and parameters.</para></listitem> +</varlistentry> + + +<varlistentry><term>Host list</term> +<listitem><para>A space-separated list of hosts. Allows IP addresses, address masks, domain names, ALL, and EXCEPT</para></listitem> +</varlistentry> + + +<varlistentry><term>Interface list</term> +<listitem><para>A space-separated list of interfaces, in either address/netmask or address/n-bits format. For example, 192.168.2.10/24 or 192.168.2.10/255.255.255.0</para></listitem> +</varlistentry> + + +<varlistentry><term>Map list</term> +<listitem><para>A space-separated list of file-remapping strings such as <literal>(*.html</literal> <literal>*.htm)</literal>.</para></listitem> +</varlistentry> + + +<varlistentry><term>Remote list</term> +<listitem><para>A space-separated list of subnet-broadcast-address/workgroup pairs. For example, 192.168.2.255/SERVERS 192.168.4.255/STAFF.</para></listitem> +</varlistentry> + + +<varlistentry><term>Service (share) list</term> +<listitem><para>A space-separated list of share names, without the enclosing square brackets.</para></listitem> +</varlistentry> + + +<varlistentry><term>Slash-list</term> +<listitem><para>A list of filenames, separated by "/" characters to allow embedded spaces. For example, <literal>/.*/fred</literal> <literal>flintstone/*.frk/</literal>.</para></listitem> +</varlistentry> + + +<varlistentry><term>Text</term> +<listitem><para>One line of text.</para></listitem> +</varlistentry> + + +<varlistentry><term>User list</term> +<listitem><para>A space-separated list of usernames. In Samba 1.9, <literal>@group-name</literal> will include everyone in Unix group <literal>group-name</literal>. In Samba 2.0, <literal>@group-name</literal> includes whomever is in the NIS netgroup <literal>group_name</literal> if one exists, otherwise whomever is in the Unix group <literal>group_name</literal>. In addition, +<literal>group_name</literal> is a Unix group, &<literal>group_name</literal> is an NIS netgroup, and &+ and +& cause an ordered search of both Unix and NIS groups.</para></listitem> +</varlistentry> +</variablelist> +</sect1> + + + + + + + + + +<sect1 role="" label="C.3" id="appc-SECT-3"> +<title>Configuration File Variables</title> + + +<para><link linkend="appc-88529">Table 3.1</link> lists of Samba configuration file variables.</para> + + +<table label="C.1" id="appc-88529"> +<title>Variables in Alphabetic Order </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Name</para></entry> + +<entry colname="col2"><para>Meaning</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>%a</literal></para></entry> + +<entry colname="col2"><para>Client's architecture (one of Samba, WfWg, WinNT, Win95, or UNKNOWN)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%d</literal></para></entry> + +<entry colname="col2"><para>Current server process's processID</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%f</literal></para></entry> + +<entry colname="col2"><para>Print-spool file as a relative path (printing only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%f</literal></para></entry> + +<entry colname="col2"><para>User from which a message was sent (messages only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%G</literal></para></entry> + +<entry colname="col2"><para>Primary group name of <literal>%U</literal> (requested username)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%g</literal></para></entry> + +<entry colname="col2"><para>Primary group name of <literal>%u</literal> (actual username)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%H</literal></para></entry> + +<entry colname="col2"><para>Home directory of <literal>%u</literal> (actual username)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%h</literal></para></entry> + +<entry colname="col2"><para>Samba server's (Internet) hostname</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%I</literal></para></entry> + +<entry colname="col2"><para>Client's IP address</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%j</literal></para></entry> + +<entry colname="col2"><para>Print job number (printing only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%L</literal></para></entry> + +<entry colname="col2"><para>Samba server's NetBIOS name (virtual servers have multiple names)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%M</literal></para></entry> + +<entry colname="col2"><para>Client's (Internet) hostname</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%m</literal></para></entry> + +<entry colname="col2"><para>Client's NetBIOS name</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%n</literal></para></entry> + +<entry colname="col2"><para>New password (password change only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%N</literal></para></entry> + +<entry colname="col2"><para>Name of the NIS home directory server (without NIS, same as <literal>%L</literal>)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%o</literal></para></entry> + +<entry colname="col2"><para>Old password (password change only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%P</literal></para></entry> + +<entry colname="col2"><para>Current share's root directory (actual)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%p</literal></para></entry> + +<entry colname="col2"><para>Current share's root directory (in an NIS homedir map)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%p</literal></para></entry> + +<entry colname="col2"><para>Print filename (printing only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%R</literal></para></entry> + +<entry colname="col2"><para>Protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%S</literal></para></entry> + +<entry colname="col2"><para>Current share's name</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%s</literal></para></entry> + +<entry colname="col2"><para>Filename the message is in (messages only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%s</literal></para></entry> + +<entry colname="col2"><para>Print-spool file name (printing only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%T</literal></para></entry> + +<entry colname="col2"><para>Current date and time</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%t</literal></para></entry> + +<entry colname="col2"><para>Destination machine (messages only)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%u</literal></para></entry> + +<entry colname="col2"><para>Current share's username</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%U</literal></para></entry> + +<entry colname="col2"><para>Requested username for current share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%v</literal></para></entry> + +<entry colname="col2"><para>Samba version</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect1> + + + + + + + + +</appendix> diff --git a/docs-xml/using_samba/appd.xml b/docs-xml/using_samba/appd.xml new file mode 100644 index 0000000000..05a7dfae22 --- /dev/null +++ b/docs-xml/using_samba/appd.xml @@ -0,0 +1,1615 @@ +<appendix label="D" id="SAMBA-AP-D"> +<title>Summary of Samba Daemons and Commands</title> + + + + +<para>This appendix is a reference listing of command-line options and other information to help you use the executables that come with Samba distribution.</para> + + + + + + + + + + + +<sect1 role="" label="D.1" id="appd-SECT-1"> +<title>Samba Distribution Programs</title> + + +<para>The following sections provide information about the command-line parameters for Samba programs.</para> + + +<sect2 role="" label="D.1.1" id="appd-SECT-1.1"> +<title>smbd</title> + + +<para> +<indexterm id="appd-idx-993627-0" class="startofrange"><primary>smbd daemon</primary></indexterm> +<indexterm id="appd-idx-993627-1" class="startofrange"><primary>daemons</primary></indexterm>The <emphasis>smbd</emphasis> program provides Samba's file and printer services, using one TCP/IP stream and one daemon per client. It is controlled from the default configuration file, <replaceable>samba_dir</replaceable><emphasis>/lib/smb.conf</emphasis>, and can be overridden by command-line options.</para> + + +<para>The configuration file is automatically re-evaluated every minute. If it has changed, most new options are immediately effective. You can force Samba to immediately reload the configuration file if you send a SIGHUP to <emphasis>smbd</emphasis>. Reloading the configuration file, however, will not affect any clients that are already connected. To escape this "grandfather" configuration, a client would need to disconnect and reconnect, or the server itself would have to be restarted, forcing all clients to reconnect.</para> + + +<sect3 role="" label="D.1.1.1" id="appd-SECT-1.1.1"> +<title>Other signals</title> + + +<para>To shut down a <emphasis>smbd</emphasis> process, send it the termination signal SIGTERM (-15) which allows it to die gracefully instead of a SIGKILL (-9). To increment the debug logging level of <emphasis>smbd</emphasis> at runtime, send the program a SIGUSR1 signal. To decrement it at runtime, send the program a SIGUSR2 signal.</para> +</sect3> + + + +<sect3 role="" label="D.1.1.2" id="appd-SECT-1.1.2"> +<title>Command-line options</title> + + +<variablelist> +<varlistentry><term><literal>-D</literal></term> +<listitem><para>The <emphasis>smbd</emphasis> program is run as a daemon. This is the recommended way to use <emphasis>smbd</emphasis> (it is also the default action). In addition, <emphasis>smbd</emphasis> can also be run from <emphasis>inetd</emphasis>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal> <replaceable>debuglevel</replaceable></term> +<listitem><para>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. Specifying the value on the command line overrides the value specified in the <filename>smb.conf</filename> file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow <emphasis>smbd</emphasis> considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-h</literal> </term> +<listitem><para>Prints command-line usage information for the <filename>smbd</filename> program.</para></listitem> +</varlistentry> +</variablelist> +</sect3> + + + +<sect3 role="" label="D.1.1.3" id="appd-SECT-1.1.3"> +<title>Testing/debugging options</title> + + +<variablelist> +<varlistentry><term><literal>-a</literal></term> +<listitem><para>If this is specified, each new connection to the Samba server will append all logging messages to the log file. This option is the opposite of <literal>-o</literal>, and is the default.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-i</literal> <replaceable>scope</replaceable></term> +<listitem><para>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backwards compatibility.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-l</literal> <replaceable>log_file</replaceable></term> +<listitem><para>Send the log messages to somewhere other than the location compiled in or specified in the <filename>smb.conf</filename> file. The default is often <filename>/usr/local/samba/var/log.smb</filename>, <filename>/usr/samba/var/log.smb,</filename> or <filename>/var/log/log.smb</filename>. The first two are strongly discouraged on Linux, where <filename>/usr</filename> may be a read-only filesystem.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-O</literal> <replaceable>socket_options</replaceable></term> +<listitem><para>This sets the TCP/IP socket options, using the same parameters as the <literal>socket</literal> <literal>options</literal> configuration option. It is often used for performance tuning and testing.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-o</literal></term> +<listitem><para>This option is the opposite of <literal>-a</literal>. It causes log files to be overwritten when opened. Using this option saves hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-P</literal></term> +<listitem><para>This option forces <filename>smbd</filename> not to send any network data out. This option is typically used only by Samba developers.<indexterm id="appd-idx-994096-0" class="endofrange" startref="appd-idx-993627-0"/></para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-P</literal></term> +<listitem><para>This option forces <filename>smbd</filename> not to send any network data out. This option is typically used only by Samba developers. <indexterm id="appd-idx-994102-0" class="endofrange" startref="appd-idx-993627-0"/></para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-p</literal> <replaceable>port_number</replaceable></term> +<listitem><para>This sets the TCP/IP port number that the server will accept requests from. Currently, all Microsoft clients send only to the default port: 139.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>configuration_file</replaceable></term> +<listitem><para>Specifies the location of the Samba configuration file. Although the file defaults to <filename>/usr/local/samba/lib/smb.conf</filename>, you can override it here on the command line, typically for debugging.</para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.2" id="appd-SECT-1.2"> +<title>nmbd</title> + + +<para> +<indexterm id="appd-idx-993645-0" class="startofrange"><primary>nmbd daemon</primary></indexterm>The <emphasis>nmbd</emphasis> program is Samba's NetBIOS name and browsing daemon. It replies to broadcast NetBIOS over TCP/IP (NBT) name-service requests from SMB clients and optionally to Microsoft's Windows Internet Name Service (WINS) requests. Both of these are versions of the name-to-address lookup required by SMB clients. The broadcast version uses UDP/IP broadcast on the local subnet only, while WINS uses TCP/IP, which may be routed. If running as a WINS server, <emphasis>nmbd</emphasis> keeps a current name and address database in the file <filename>wins.dat</filename> in the <literal>samba_dir</literal><filename>/var/locks</filename> directory.</para> + + +<para>An active <emphasis>nmbd</emphasis> program can also respond to browsing protocol requests used by the Windows Network Neighborhood. Browsing is a combined advertising, service announcement, and active directory protocol. This protocol provides a dynamic directory of servers and the disks and printers that the servers are providing. As with WINS, this was initially done by making UDP/IP broadcasts on the local subnet. Now, with the concept of a local master browser, it is done by making TCP/IP connections to a server. If <emphasis>nmbd</emphasis> is acting as a local master browser, it stores the browsing database in the file <filename>browse.dat</filename> in the <literal>samba_dir</literal><filename>/var/locks</filename> directory.</para> + + +<sect3 role="" label="D.1.2.1" id="appd-SECT-1.2.1"> +<title>Signals</title> + + +<para>Like <emphasis>smbd</emphasis>, the <emphasis>nmbd</emphasis> program responds to several Unix signals. Sending <emphasis>nmbd</emphasis> a SIGHUP signal will cause it to dump the names it knows about to the file <filename>namelist.debug</filename> in the <literal>samba_dir</literal>/<emphasis>locks</emphasis> directory and its browsing database to the <filename>browse.dat </filename>file in the same directory. To shut down a <emphasis>nmbd</emphasis> process send it a SIGTERM (-15) signal instead of a SIGKILL (-9) to allow it to die gracefully. You can increment the debug logging level of <emphasis>nmbd</emphasis> by sending it a SIGUSR1 signal; you can decrement it by sending a SIGUSR2 signal.</para> +</sect3> + + + +<sect3 role="" label="D.1.2.2" id="appd-SECT-1.2.2"> +<title>Command-line options</title> + + +<variablelist> +<varlistentry><term><literal>-D</literal></term> +<listitem><para>Instructs the <filename>nmbd</filename> program to run as a daemon. This is the recommended way to use <filename>nmbd</filename>. In addition, <filename>nmbd</filename> can also be run from <firstterm>inetd</firstterm>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal> <replaceable>debuglevel</replaceable></term> +<listitem><para>Sets the debug (sometimes called logging) level. The level can range from 0, all the way to 10. Specifying the value on the command line overrides the value specified in the <filename>smb.conf</filename> file. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging, and slow <emphasis>nmbd</emphasis> considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-h</literal> </term> +<listitem><para>Prints command-line usage information for the <filename>nmbd</filename> program (also <literal>-?</literal>).</para></listitem> +</varlistentry> +</variablelist> +</sect3> + + + +<sect3 role="" label="D.1.2.3" id="appd-SECT-1.2.3"> +<title>Testing/debugging options</title> + + +<variablelist> +<varlistentry><term><literal>-a</literal></term> +<listitem><para>If this is specified, each new connection to the Samba server will append all logging messages to the log file. This option is the opposite of <literal>-o</literal>, and is the default.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-H</literal> <replaceable>hosts_ file</replaceable></term> +<listitem><para>This option loads a standard <emphasis>hosts</emphasis> file for name resolution.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-i</literal> <replaceable>scope</replaceable></term> +<listitem><para>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward<indexterm id="appd-idx-994134-0" class="endofrange" startref="appd-idx-993627-1"/> compatibility.<indexterm id="appd-idx-994135-0" class="endofrange" startref="appd-idx-993645-0"/></para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-l</literal> <replaceable>log_file</replaceable></term> +<listitem><para>Sends the log messages to somewhere other than the location compiled-in or specified in the <filename>smb.conf</filename> file. The default is often <filename>/usr/local/samba/var/log.nmb</filename>, <filename>/usr/samba/var/log.nmb,</filename> or <filename>/var/log/log.nmb</filename>. The first two are strongly discouraged on Linux, where <filename>/usr</filename> may be a read-only filesystem.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-n</literal> <replaceable>NetBIOS_name</replaceable></term> +<listitem><para>This option allows you to override the NetBIOS name by which the daemon will advertise itself. Specifying the option on the command line overrides the <literal>netbios</literal> <literal>name</literal> option in the Samba configuration file.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-O</literal> <replaceable>socket_options</replaceable></term> +<listitem><para>This sets the TCP/IP socket options, using the same parameters as the <literal>socket</literal> <literal>options</literal> configuration option. It is often used for performance tuning and testing.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-o</literal></term> +<listitem><para>This option is the opposite of <literal>-a</literal>. It causes log files to be overwritten when opened. Using this option saves hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-p</literal> <replaceable>port_number</replaceable></term> +<listitem><para>This sets the UDP/IP port number from which the server will accept requests. Currently, all Microsoft clients send only to the default port: 137.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>configuration_file</replaceable></term> +<listitem><para>Specifies the location of the Samba configuration file. Although the file defaults to <filename>/usr/local/samba/lib/smb.conf</filename>, you can override it here on the command line, typically for debugging.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-v</literal></term> +<listitem><para>This option prints the current version of Samba.</para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.3" id="appd-SECT-1.3"> +<title>Samba Startup File </title> + + +<para> +<indexterm id="appd-idx-993647-0"><primary>Samba</primary><secondary>startup file</secondary></indexterm> +<indexterm id="appd-idx-993647-1"><primary>scripts</primary><secondary sortas="Samba startup file">for Samba startup file</secondary></indexterm> +<indexterm id="appd-idx-993647-2"><primary>directories</primary><secondary sortas="Samba startup file">for Samba startup file</secondary></indexterm>Samba is normally started by running it from your Unix system's <filename>rc</filename> files at boot time. For systems with a System V-like set of <filename>/etc/rcN.d</filename> directories, this can be done by placing a suitably named script in the <filename>/rc</filename> directory. Usually, the script starting Samba is called <emphasis>S91samba</emphasis>, while the script stopping or "killing" Samba is called <emphasis>K91samba.</emphasis> On Linux, the usual subdirectory for the scripts is <filename>/etc/rc2.d.</filename> On Solaris, the directory is <filename>/etc/rc3.d</filename>. For machines with <filename>/etc/rc.local</filename> files, you would normally add the following lines to that file:</para> + + +<programlisting>/usr/local/samba/bin/smbd -D +/usr/local/samba/bin/nmbd -D</programlisting> + + +<para>The following example script supports two extra commands, <literal>status</literal> and <literal>restart</literal>, in addition to the normal <literal>start</literal> and <literal>stop</literal> for System V machines:</para> + + +<programlisting>#!/bin/sh +# +# /etc/rc2.d./S91Samba --manage the SMB server in a System V manner +# +OPTS="-D" +#DEBUG=-d3 +PS="ps ax" +SAMBA_DIR=/usr/local/samba +case "$1" in +'start') + echo "samba " + $SAMBA_DIR/bin/smbd $OPTS $DEBUG + $SAMBA_DIR/bin/nmbd $OPTS $DEBUG + ;; +'stop') + echo "Stopping samba" + $PS | awk '/usr.local.samba.bin/ { print $1}' |\ + xargs kill + ;; +'status') + x=`$PS | grep -v grep | grep '$SAMBA_DIR/bin'` + if [ ! "$x" ]; then + echo "No samba processes running" + else + echo " PID TT STAT TIME COMMAND" + echo "$x" + fi + ;; +'restart') + /etc/rc2.d/S91samba stop + /etc/rc2.d/S91samba start + /etc/rc2.d/S91samba status + ;; +*) + echo "$0: Usage error -- you must say $0 start, stop, status or restart ." + ;; +esac +exit</programlisting> + + +<para>You'll need to set the actual paths and <literal>ps</literal> options to suit the machine you're using. In addition, you might want to add additional commands to tell Samba to reload its <filename>smb.conf</filename> file or dump its <emphasis>nmbd</emphasis> tables, depending on your actual needs.</para> +</sect2> + + + + + +<sect2 role="" label="D.1.4" id="appd-SECT-1.4"> +<title>smbsh</title> + + +<para>The <emphasis>smbsh</emphasis> +<indexterm id="appd-idx-993744-0"><primary>smbsh program</primary></indexterm> program lets you use a remote Windows share on your Samba server as if the share was a regular Unix directory. When it's run, it provides an extra directory tree under <filename>/smb</filename>. Subdirectories of <filename>/smb</filename> are servers, and subdirectories of the servers are their individual disk and printer shares. Commands run by <emphasis>smbsh</emphasis> treat the <filename>/smb</filename> filesystem as if it were local to Unix. This means that you don't need <emphasis>smbmount</emphasis> in your kernel to mount Windows filesystems the way you mount with NFS filesystems. However, you do need to configure Samba with the <literal>--with-smbwrappers</literal> option to enable <filename>smbsh</filename>.</para> + + +<sect3 role="" label="D.1.4.1" id="appd-SECT-1.4.1"> +<title>Options</title> + + +<variablelist> +<varlistentry><term><literal>-d</literal> debuglevel</term> +<listitem><para>Sets the debug (sometimes called logging) level. The level can range from 0, the default, all the way to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging, and slow <emphasis>smbsh</emphasis> considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-l</literal> <replaceable>logfile</replaceable></term> +<listitem><para>Sets the name of the logfile to use.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-P</literal> <replaceable>prefix</replaceable></term> +<listitem><para>Sets the root directory to mount the SMB filesystem. The default is <filename>/smb</filename>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-R</literal> <replaceable>resolve order</replaceable></term> +<listitem><para>Sets the resolve order of the name servers. This option is similar to the <literal>resolve order</literal> configuration option, and can take any of the four parameters, <literal>lmhosts</literal>, <literal>host</literal>, <literal>wins</literal>, and <literal>bcast</literal>, in any order.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-U</literal> <replaceable>user</replaceable></term> +<listitem><para>Supports <replaceable>user%password.</replaceable></para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-W</literal> <replaceable>workgroup</replaceable></term> +<listitem><para>Sets the NetBIOS workgroup to which the client will connect.</para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.5" id="appd-SECT-1.5"> +<title>smbclient</title> + + +<para>The <emphasis>smbclient</emphasis> +<indexterm id="appd-idx-993745-0" class="startofrange"><primary>smbclient program</primary></indexterm> +<indexterm id="appd-idx-993745-1" class="startofrange"><primary>testing</primary><secondary>smbclient program</secondary></indexterm> program is the maid-of-all-work of the Samba suite. Initially intended as a testing tool, it has become a full command-line Unix client, with an FTP-like interactive client. Some of its options are still used for testing and tuning, and it makes a simple tool for ensuring that Samba is running on a server.</para> + + +<para>It's convenient to look at <emphasis>smbclient</emphasis> as a suite of programs:</para> + + +<itemizedlist> +<listitem><para>FTP-like interactive file transfer program</para></listitem> +<listitem><para>Interactive printing program</para></listitem> +<listitem><para>Interactive tar program</para></listitem> +<listitem><para>Command-line message program</para></listitem> +<listitem><para>Command-line <emphasis>tar</emphasis> program (but see <emphasis>smbtar</emphasis> later)</para></listitem> +<listitem><para>"What services do you have" query program</para></listitem> +<listitem><para>Command-line debugging program</para></listitem> +</itemizedlist> + +<sect3 role="" label="D.1.5.1" id="appd-SECT-1.5.1"> +<title>General command-line options</title> + + +<para>The program has the usual set of <emphasis>smbd</emphasis>-like options, which apply to all the interactive and command-line use. The syntax is:</para> + + +<programlisting>smbclient //<replaceable>server_name</replaceable>/<replaceable>share_name</replaceable> [<replaceable>password</replaceable>] [-<replaceable>options</replaceable>]</programlisting> + + +<para>Here is an explanation of each of the command-line options:</para> + + +<variablelist> +<varlistentry><term><literal>-d</literal> <replaceable>debug_level</replaceable></term> +<listitem><para>Sets the debug (logging) level, from 0 to 10, with <literal>A</literal> for all. Overrides the value in <filename>smb.conf</filename>. Debug level 0 logs only the most important messages; level 1 is normal; debug level 3 and above are for debugging, and slow <emphasis>smbclient</emphasis> considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-h</literal></term> +<listitem><para>Prints the command-line help information (usage) for smbclient.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-n</literal> <replaceable>NetBIOS_name</replaceable></term> +<listitem><para>Allows you to override the NetBIOS name by which the program will advertise itself.</para></listitem> +</varlistentry> +</variablelist> +</sect3> + + + +<sect3 role="" label="D.1.5.2" id="appd-SECT-1.5.2"> +<title>Smbclient operations</title> + + +<para>Running <literal>smbclient</literal> <literal>//</literal><replaceable>server_name</replaceable><literal>/</literal><replaceable>share</replaceable> will cause it to prompt you for a username and password. If the login is successful, it will connect to the share and give you a prompt much like an FTP prompt (the backslash in the prompt will be replaced by the current directory within the share as you move around the filesystem):</para> + + +<programlisting>smb:\></programlisting> + + +<para> +<indexterm id="appd-idx-994034-0" class="startofrange"><primary>commands for Samba</primary></indexterm>From this command line, you can use several FTP-like commands, as listed in <link linkend="appd-89417">Table 4.1</link>. Arguments in square brackets are optional.</para> + + +<table label="D.1" id="appd-89417"> +<title>smbclient Commands </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Command</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>?</literal> <replaceable>command</replaceable></para></entry> + +<entry colname="col2"><para>Provides list of commands or help on specified command.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>help</literal> [<replaceable>command</replaceable>]</para></entry> + +<entry colname="col2"><para>Provides list of commands or help on specified command.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>!</literal> [<replaceable>command</replaceable>]</para></entry> + +<entry colname="col2"><para>If a command is specified, it will be run in a local shell. If not, you will be placed into a local shell on the client.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>dir</literal> [<replaceable>filename</replaceable>]</para></entry> + +<entry colname="col2"><para>Displays any files matching <replaceable>filename</replaceable> in the current directory on the server, or all files if <replaceable>filename</replaceable> is omitted.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ls</literal> [<replaceable>filename</replaceable>]</para></entry> + +<entry colname="col2"><para>Displays any files matching <replaceable>filename</replaceable> in the current directory on the server, or all files if <replaceable>filename</replaceable> is omitted.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>cd</literal> [<replaceable>directory</replaceable>]</para></entry> + +<entry colname="col2"><para>If <replaceable>directory</replaceable> is specified, changes to the specified directory on the remote server. If not, reports the current directory on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lcd</literal> [<replaceable>director</replaceable><literal>y</literal>]</para></entry> + +<entry colname="col2"><para>If <replaceable>directory</replaceable> is specified, the current directory on the local machine will be changed. If not, the name of the current directory on the local machine will be reported.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>get</literal> <emphasis>remotefile</emphasis> [<replaceable>localfile</replaceable>]</para></entry> + +<entry colname="col2"><para>Copies the file <replaceable>remotefile</replaceable> to the local machine. If a <replaceable>localfile</replaceable> is specified, uses that name to copy the file to. Treats the file as binary; does <emphasis>not</emphasis> do LF to CR/LF conversions.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>put</literal> <emphasis>localfile</emphasis> [<replaceable>remotefile</replaceable>]</para></entry> + +<entry colname="col2"><para>Copies <replaceable>localfile</replaceable> to the remote machine. If a <replaceable>remotefile</replaceable> is specified, uses that as the name to copy to on the remote server. Treats the file as binary; does <emphasis>not</emphasis> do LF to CR/LF conversions.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mget</literal> <replaceable>pattern</replaceable></para></entry> + +<entry colname="col2"><para>Gets all files matching <replaceable>pattern</replaceable> from the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mput</literal><replaceable> pattern</replaceable></para></entry> + +<entry colname="col2"><para>Places all local files matching <replaceable>pattern</replaceable> on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>prompt</literal></para></entry> + +<entry colname="col2"><para>Toggles interactive prompting on and off for <literal>mget</literal> and <literal>mput</literal>.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lowercase ON </literal>(or<literal> OFF </literal>)</para></entry> + +<entry colname="col2"><para>If lowercase is on, <emphasis>smbclient</emphasis> will convert filenames to lowercase during an <literal>mget</literal> or <literal>get</literal> (but not a <literal>mput</literal> or <literal>put</literal>).</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>del</literal> <replaceable>filename</replaceable></para></entry> + +<entry colname="col2"><para>Delete a file on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>md</literal> <replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Create a directory on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mkdir</literal> <replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Create a directory on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>rd</literal> <replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Remove the specified directory on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>rmdir</literal> <replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Remove the specified directory on the remote machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>setmode</literal> <replaceable>filename</replaceable> <literal>[+|-]rsha</literal></para></entry> + +<entry colname="col2"><para>Set DOS filesystem attribute bits, using Unix-like modes. <literal>r</literal> is read-only, <literal>s</literal> is system, <literal>h</literal> is hidden, and <literal>a</literal> is archive.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>exit</literal></para></entry> + +<entry colname="col2"><para>Exits <emphasis>smbclient</emphasis>.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>quit</literal></para></entry> + +<entry colname="col2"><para>Exits <emphasis>smbclient</emphasis>.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>There are also mask and recursive commands for large copies; see the <filename>smbclient</filename> manual page for details on how to use these. With the exception of mask, recursive, and the lack of an ASCII transfer mode, <emphasis>smbclient</emphasis> works exactly the same as FTP. Note that because it does binary transfers, Windows files copied to Unix will have lines ending in carriage-return and linefeed (<literal>\r\n</literal>), not Unix's linefeed (<literal>\n</literal>).</para> +</sect3> + + + +<sect3 role="" label="D.1.5.3" id="appd-SECT-1.5.3"> +<title>Printing commands</title> + + +<para>The <emphasis>smbclient</emphasis> program can also be used for access to a printer by connecting to a print share. Once connected, the commands shown in <link linkend="appd-39300">Table 4.2</link> can be used to print.</para> + + +<table label="D.2" id="appd-39300"> +<title>smbclient Printing Commands </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Command</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>print</literal><replaceable> filename</replaceable></para></entry> + +<entry colname="col2"><para>Prints the file by copying it from the local machine to the remote one and then submitting it as a print job there.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printmode</literal> <replaceable>text </replaceable>|<replaceable> graphics</replaceable></para></entry> + +<entry colname="col2"><para>Instructs the server that the following files will be plain text (ASCII) or the binary graphics format that the printer requires. It's up to the user to ensure that the file is indeed the right kind.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>queue</literal></para></entry> + +<entry colname="col2"><para>Displays the queue for the print share you're connected to, showing job ID, name, size, and status.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Finally, to print from the <emphasis>smbclient</emphasis>, use the <literal>-c</literal> option:</para> + + +<programlisting>cat <replaceable>printfile</replaceable> | smbclient //<replaceable>server</replaceable>/<replaceable>printer_name</replaceable> -c "print -"</programlisting> +</sect3> + + + +<sect3 role="" label="D.1.5.4" id="appd-SECT-1.5.4"> +<title>Tar commands</title> + + +<para><emphasis>smbclient</emphasis> can tar up files from a file share. This is normally done from the command line using the <emphasis>smbtar</emphasis> command, but the commands shown in <link linkend="appd-54517">Table 4.3</link> are also available interactively.</para> + + +<table label="D.3" id="appd-54517"> +<title>smbclient Printing Commands </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Command</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>tar c|x[IXbgNa]</literal> <replaceable>operands</replaceable></para></entry> + +<entry colname="col2"><para>Performs a creation or extraction <emphasis>tar</emphasis> similar to the command-line program.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>blocksize</literal> <replaceable>size</replaceable></para></entry> + +<entry colname="col2"><para>Sets the block size to be used by <emphasis>tar</emphasis>, in 512-byte blocks.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>noreset</literal></para></entry> + +<entry colname="col2"><para>Makes <emphasis>tar</emphasis> pay attention to DOS archive bit for all following commands. In <literal>full</literal> mode (the default), <emphasis>tar</emphasis> will back up everything. In <literal>inc</literal> (incremental) mode, <emphasis>tar</emphasis> will back up only those files with the archive bit set. In <literal>reset</literal> mode, <emphasis>tar</emphasis> will reset the archive bit on all files it backs up. (this requires the share to be writable), and in <literal>noreset</literal> mode the archive bit will not be reset even after the file has been backed up.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect3> + + + +<sect3 role="" label="D.1.5.5" id="appd-SECT-1.5.5"> +<title>Command-line message program options</title> + + +<variablelist> +<varlistentry><term><literal>-M</literal> <replaceable>NetBIOS_machine_name</replaceable></term> +<listitem><para>This option allows you to send immediate messages using the WinPopup protocol to another computer. Once a connection is established, you can type your message, pressing control-D to end. If WinPopup is not running on the receiving machine, the program returns an error.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-U</literal> <replaceable>user</replaceable> </term> +<listitem><para>This<replaceable> </replaceable>option allows you to indirectly control the FROM part of the message.</para></listitem> +</varlistentry> +</variablelist> +</sect3> + + + +<sect3 role="" label="D.1.5.6" id="appd-SECT-1.5.6"> +<title>Command-line tar program options</title> + + +<para>The <literal>-T</literal> (tar), <literal>-D</literal> (starting directory), and <literal>-c</literal> (command) options are used together to tar up files interactively. This is better done with <filename>smbtar</filename>, which will be discussed shortly. We don't recommend using <emphasis>smbclient</emphasis> directly as a <emphasis>tar</emphasis> program.</para> + + +<variablelist> +<varlistentry><term><literal>-D</literal> <replaceable>initial_directory</replaceable></term> +<listitem><para>Changes to initial directory before starting.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-c</literal> <replaceable>command_string</replaceable> </term> +<listitem><para>Passes a command string to the <emphasis>smbclient</emphasis> command interpreter, which treats it as a semicolon-separated list of commands to be executed. This is handy to say things such as <literal>tarmode</literal> <literal>inc</literal>, for example, which forces <literal>smbclient</literal> <literal>-T</literal> to back up only files with the archive bit set.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-T</literal> <replaceable>command filename</replaceable></term> +<listitem><para>Runs the <emphasis>tar</emphasis> driver, which is <emphasis>gtar</emphasis> compatible. The two main commands are: <literal>c</literal> (create) and <literal>x</literal> (extract), which may be followed by any of:</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>a</literal></term> +<listitem><para>Resets archive bits once files are saved.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>b</literal> <replaceable>size</replaceable></term> +<listitem><para>Sets blocksize in 512-byte units.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>g</literal></term> +<listitem><para>Backs up only files with the archive bit set.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>I</literal> <replaceable>file</replaceable></term> +<listitem><para>Includes files and directories (this is the default). Does not do pattern-matching.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>N</literal> <replaceable>filename</replaceable></term> +<listitem><para>Backs up only those files newer than <replaceable>filename.</replaceable></para></listitem> +</varlistentry> + + +<varlistentry><term><literal>q</literal></term> +<listitem><para>Does not produce diagnostics.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>X</literal> <replaceable>file</replaceable></term> +<listitem><para>Excludes files.</para></listitem> +</varlistentry> +</variablelist> +</sect3> + + + +<sect3 role="" label="D.1.5.7" id="appd-SECT-1.5.7"> +<title>Command-line query program</title> + + +<para>If <filename>smbclient</filename> is run as:</para> + + +<programlisting>smbclient -L <replaceable>server_name</replaceable></programlisting> + + +<para>it will list the shares and other services that machine provides. This is handy if you don't have <filename>smbwrappers</filename>. It can also be helpful as a testing program in its own right.</para> +</sect3> + + + +<sect3 role="" label="D.1.5.8" id="appd-SECT-1.5.8"> +<title>Command-line debugging /diagnostic program options</title> + + +<para>Any of the various modes of operation of <emphasis>smbclient</emphasis> can be used with the debugging and testing command-line options:</para> + + +<variablelist> +<varlistentry><term><literal>-B</literal> <replaceable>IP_addr</replaceable></term> +<listitem><para>Sets the broadcast address.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal> <replaceable>debug_level</replaceable></term> +<listitem><para>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. In addition, you can specify <literal>A</literal> for all debugging options. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow operations considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-E</literal></term> +<listitem><para>Sends all messages to stderr instead of stdout.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-I</literal> <replaceable>IP_address</replaceable> </term> +<listitem><para>Sets the IP address of the server to which it connects.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-i</literal> <replaceable>scope</replaceable></term> +<listitem><para>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward compatibility.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-l</literal> <replaceable>log_file</replaceable></term> +<listitem><para>Sends the log messages to the specified file.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-N</literal></term> +<listitem><para>Suppresses the password prompt. Unless a password is specified on the command line or this parameter is specified, the client will prompt for a password.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-n</literal> <replaceable>NetBIOS_name</replaceable></term> +<listitem><para>This option allows you to override the NetBIOS name by which the daemon will advertise itself.</para></listitem> +</varlistentry> +</variablelist> + + +<variablelist> +<varlistentry><term><literal>-O</literal> <replaceable>socket_options</replaceable></term> +<listitem><para>Sets the TCP/IP socket options using the same parameters as the <literal>socket</literal> <literal>options</literal> configuration option. It is often used for performance tuning and testing.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-p</literal> <replaceable>port_number</replaceable></term> +<listitem><para>Sets the port number from which the client will accept requests.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-R</literal> <replaceable>resolve_order</replaceable></term> +<listitem><para>Sets the resolve order of the name servers. This option is similar to the <literal>resolve</literal> <literal>order</literal> configuration option, and can take any of the four parameters, <literal>lmhosts</literal>, <literal>host</literal>, <literal>wins</literal>, and <literal>bcast</literal>, in any order .</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>configuration_file</replaceable></term> +<listitem><para>Specifies the location of the Samba configuration file. Used for debugging.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-t</literal> <replaceable>terminal_code</replaceable></term> +<listitem><para>Sets the terminal code for Asian languages.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-U</literal> <replaceable>username</replaceable></term> +<listitem><para>Sets the username and optionally password (e.g., <literal>-U</literal> <literal>fred%secret</literal>).</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-W</literal> <replaceable>workgroup</replaceable></term> +<listitem><para>Specifies the workgroup that you want the client to connect as.</para></listitem> +</varlistentry> +</variablelist> + + +<para>If you want to test a particular name service, run <emphasis>smbclient</emphasis> with <literal>-R</literal> and just the name of the service. This will force <emphasis>smbclient</emphasis> to use only the service you gave.<emphasis></emphasis> +<indexterm id="appd-idx-993802-0" class="endofrange" startref="appd-idx-993745-0"/> +<indexterm id="appd-idx-993802-1" class="endofrange" startref="appd-idx-993745-1"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.6" id="appd-SECT-1.6"> +<title>smbstatus</title> + + +<para>The <filename>smbstatus</filename> +<indexterm id="appd-idx-993754-0"><primary>smbstatus program</primary></indexterm> +<indexterm id="appd-idx-993754-1"><primary>connections</primary><secondary>current, list of</secondary></indexterm> program lists the current connections on a Samba server. There are three separate sections. The first section lists various shares that are in use by specific users. The second section lists the locked files that Samba currently has on all of its shares. Finally, the third section lists the amount of memory usage for each of the shares. For example:</para> + + +<programlisting># <emphasis role="bold">smbstatus</emphasis> +Samba version 2.0.3 +Service uid gid pid machine +---------------------------------------------- +network davecb davecb 7470 phoenix (192.168.220.101) Sun May 16 +network davecb davecb 7589 chimaera (192.168.220.102) Sun May 16 + +Locked files: +Pid DenyMode R/W Oplock Name +-------------------------------------------------- +7589 DENY_NONE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp +Sun May 16 21:23:40 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/word/office/findfast.exe +Sun May 16 20:51:08 1999 +7589 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll +Sun May 16 21:23:39 1999 +7589 DENY_WRITE RDWR EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat +Sun May 16 21:23:41 1999 +7470 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/word/office/osa.exe +Sun May 16 20:51:09 1999 +7589 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll +Sun May 16 21:20:33 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll +Sun May 16 20:51:11 1999 + +Share mode memory usage (bytes): + 1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total</programlisting> + + +<sect3 role="" label="D.1.6.1" id="appd-SECT-1.6.1"> +<title>Options</title> + + +<variablelist> +<varlistentry><term><literal>-b</literal></term> +<listitem><para>Forces <filename>smbstatus</filename> to produce brief output. This includes the version of Samba and auditing information about the users that have logged into the server.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal></term> +<listitem><para>Gives verbose output, including each of the three reporting sections listed in the previous example. This is the default.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-L</literal></term> +<listitem><para>Forces <filename>smbstatus</filename> to print only the current file locks it has. This corresponds to the second section in a verbose output.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-p</literal></term> +<listitem><para>Prints a list of <filename>smbd</filename> process IDs only. This is often used for scripts.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-S</literal></term> +<listitem><para>Prints only a list of shares and their connections. This corresponds to the first section in a verbose output.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>configuration_file</replaceable></term> +<listitem><para>Sets the Samba configuration file to use when processing this command.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-u</literal> <replaceable>username</replaceable></term> +<listitem><para>Limits the <filename>smbstatus</filename> report to the activity of a single user.</para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.7" id="appd-SECT-1.7"> +<title>smbtar</title> + + +<para>The <emphasis>smbtar</emphasis> +<indexterm id="appd-idx-993755-0"><primary>smbtar program</primary><secondary>tar operations and</secondary></indexterm> +<indexterm id="appd-idx-993755-1"><primary>tar operations</primary></indexterm> program is a shell script on top of <emphasis>smbclient</emphasis> that gives the program more intelligible options when doing tar operations. Functionally, it is equivalent to the Unix <emphasis>tar</emphasis> program.</para> + + +<sect3 role="" label="D.1.7.1" id="appd-SECT-1.7.1"> +<title>Options</title> + + +<variablelist> +<varlistentry><term><literal>-a</literal></term> +<listitem><para>Resets the archive bit mode</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-b</literal> <replaceable>blocksize</replaceable></term> +<listitem><para>Blocking size. Defaults to 20.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal> <replaceable>directory</replaceable></term> +<listitem><para>Changes to initial directory before restoring or backing up files.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-i</literal></term> +<listitem><para>Incremental mode; tar files are backed up only if they have the DOS archive bit set. The archive bit is reset after each file is read.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-l</literal> <replaceable>log_level</replaceable></term> +<listitem><para> Sets the logging level.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-N</literal> <replaceable>filename</replaceable></term> +<listitem><para>Backs up only the files newer than the last modification date of <replaceable>filename</replaceable>. For incremental backups.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-p</literal> <replaceable>password</replaceable></term> +<listitem><para>Specifies the password to use to access a share.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-r</literal></term> +<listitem><para>Restores files to the share from the tar file.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>server</replaceable></term> +<listitem><para>Specifies the SMB/CIFS server in which the share resides.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-t</literal> <replaceable>tape</replaceable></term> +<listitem><para>Tape device or file. Default is the value of the environment variable <literal>$TAPE</literal>, or <emphasis>tar.out</emphasis> if <literal>$TAPE</literal> isn't set.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-u</literal> <replaceable>user</replaceable></term> +<listitem><para>Specifies the user to connect to the share as. You can specify the password as well, in the format <replaceable>username</replaceable><literal>%</literal><replaceable>password</replaceable>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-v</literal></term> +<listitem><para>Specifies the use of verbose mode.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-X</literal> <replaceable>file</replaceable></term> +<listitem><para>Tells <firstterm>smbtar</firstterm> to exclude the specified file from the <emphasis>tar</emphasis> create or restore.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-x</literal> <replaceable>share</replaceable></term> +<listitem><para>States the share name on the server to connect to. The default is <literal>backup</literal>, which is a common share name to perform backups with.</para></listitem> +</varlistentry> +</variablelist> + + +<para>For example, a trivial backup command to archive the data for user <literal>sue</literal> is:</para> + + +<programlisting># <emphasis role="bold">smbtar -s pc_name -x sue -u sue -p secret -t sue.tar</emphasis></programlisting> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.8" id="appd-SECT-1.8"> +<title>nmblookup</title> + + +<para>The <filename>nmblookup</filename> +<indexterm id="appd-idx-993756-0"><primary>nmblookup program</primary></indexterm> +<indexterm id="appd-idx-993756-1"><primary>name services</primary><secondary>nmblookup program</secondary></indexterm> program is a client program that exercises the NetBIOS-over-UDP/IP name service for resolving NBT machine names into IP addresses. The command works by broadcasting its queries on the local subnet until a machine with that name responds. You can think of it as a Windows <emphasis>nslookup(1)</emphasis> or <emphasis>dig(1)</emphasis>. This is useful for looking up both normal NetBIOS names, and the odd ones like <literal>_ _MSBROWSE_ _</literal> that the Windows name services use to provide directory-like services. If you wish to query for a particular type of NetBIOS name, add the NetBIOS <literal><type></literal> to the end of the name.</para> + + +<para>The command line is:</para> + + +<programlisting>nmblookup [-options] <replaceable>name</replaceable></programlisting> + + +<para>The options supported are:</para> + + +<variablelist> +<varlistentry><term><literal>-A</literal></term> +<listitem><para>Interprets <replaceable>name</replaceable> as an IP address and do a node-status query on this address.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-B</literal> <replaceable>broadcast _address</replaceable></term> +<listitem><para>Sends the query to the given broadcast address. The default is to send the query to the broadcast address of the primary network interface.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal> <replaceable>debuglevel</replaceable></term> +<listitem><para>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow the program considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-h</literal></term> +<listitem><para>Prints command-line usage information for the program.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-i</literal> <replaceable>scope</replaceable></term> +<listitem><para>Sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward compatibility.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-M</literal></term> +<listitem><para>Searches for a local master browser. This is done with a broadcast searching for a machine that will respond to the special name <literal>_ _MSBROWSE_ _ </literal>, and then asking that machine for information, instead of broadcasting the query itself.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-R</literal></term> +<listitem><para>Sets the recursion desired bit in the packet. This will cause the machine that responds to try to do a WINS lookup and return the address and any other information the WINS server has saved.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-r</literal></term> +<listitem><para>Use the root port of 137 for Windows 95 machines.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-S</literal></term> +<listitem><para>Once the name query has returned an IP address, does a node status query as well. This returns all the resource types that the machine knows about, with their numeric attributes. For example:</para></listitem> +</varlistentry> +</variablelist> + + +<programlisting>% <emphasis role="bold">nmblookup -d 4 -S elsbeth</emphasis> +received 6 names + ELSBETH <00> - <GROUP> B <ACTIVE> + ELSBETH <03> - B <ACTIVE> + ELSBETH <1d> - B <ACTIVE> + ELSBETH <1e> - <GROUP> B <ACTIVE> + ELSBETH <20> - B <ACTIVE> + .._ _MSBROWSE_ _.. <01> - <GROUP> B <ACTIVE></programlisting> + + +<variablelist> +<varlistentry><term><literal>-s</literal> <replaceable>configuration_file</replaceable></term> +<listitem><para>Specifies the location of the Samba configuration file. Although the file defaults to <filename>/usr/local/samba/lib/smb.conf</filename>, you can override it here on the command-line, normally for debugging.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-T</literal></term> +<listitem><para>This option can be used to translate IP addresses into resolved names.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-U</literal> <replaceable>unicast_address</replaceable></term> +<listitem><para>Performs a unicast query to the specified address. Used with <literal>-R</literal> to query WINS servers.</para></listitem> +</varlistentry> +</variablelist> + + +<para>Note that there is no workgroup option for <emphasis>nmblookup</emphasis> ; you can get around this by putting <literal>workgroup</literal> <literal>=</literal> <replaceable>workgroup_name </replaceable>in a file and passing it to <emphasis>nmblookup</emphasis> with the <literal>-s</literal> <replaceable>smb.conf_file</replaceable> option.</para> +</sect2> + + + + + +<sect2 role="" label="D.1.9" id="appd-SECT-1.9"> +<title>smbpasswd</title> + + +<para>The <emphasis>smbpasswd</emphasis> +<indexterm id="appd-idx-993757-0"><primary>smbpasswd program</primary></indexterm> +<indexterm id="appd-idx-993757-1"><primary>passwords</primary><secondary>smbpasswd program </secondary></indexterm> password has two distinct sets of functions. When run by users, it changes their encrypted passwords. When run by <literal>root</literal>, it updates the encrypted password file. When run by an ordinary user with no options, it connects to the primary domain controller and changes his or her Windows password.</para> + + +<para>The program will fail if <emphasis>smbd</emphasis> is not operating, if the <literal>hosts</literal> <literal>allow</literal> or <literal>hosts</literal> <literal>deny</literal> configuration options will not permit connections from localhost (IP address 127.0.0.1), or the <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>no</literal> option is set.</para> + + +<sect3 role="" label="D.1.9.1" id="appd-SECT-1.9.1"> +<title>Regular user options</title> + + +<variablelist> +<varlistentry><term><literal>-D</literal> <replaceable>debug_level</replaceable></term> +<listitem><para>Sets the debug (also called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow the program considerably.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-h</literal></term> +<listitem><para>Prints command-line usage information for the program.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-r</literal> <replaceable>remote_machine_name</replaceable></term> +<listitem><para>Specifies on which machine the password should change. The remote machine must be a primary domain controller (PDC).</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-R</literal> <replaceable>resolve_order</replaceable></term> +<listitem><para>Sets the resolve order of the name servers. This option is similar to the <literal>resolve</literal> <literal>order</literal> configuration option, and can take any of the four parameters, <literal>lmhosts</literal>, <literal>host</literal>, <literal>wins</literal>, and <literal>bcast</literal>,<literal> </literal>in any order.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-U</literal> <replaceable>username</replaceable></term> +<listitem><para>Used only with <literal>-r</literal>, to modify a username that is spelled differently on the remote machine.</para></listitem> +</varlistentry> +</variablelist> +</sect3> + + + +<sect3 role="" label="D.1.9.2" id="appd-SECT-1.9.2"> +<title>Root-only options</title> + + +<variablelist> +<varlistentry><term><literal>-a</literal> <replaceable>username</replaceable></term> +<listitem><para>Adds a user to the encrypted password file.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-d</literal> <replaceable>username</replaceable></term> +<listitem><para>Disables a user in the encrypted password file.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-e</literal> <replaceable>username</replaceable></term> +<listitem><para>Enables a disabled user in the encrypted password file.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-m</literal> <replaceable>machine_name</replaceable></term> +<listitem><para>Changes a machine account's password. The machine accounts are used to authenticate machines when they connect to a primary or backup domain controller.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-j</literal> <replaceable>domain_name</replaceable></term> +<listitem><para>Adds a Samba server to a Windows NT Domain.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-n</literal></term> +<listitem><para>Sets no password for the user.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>username</replaceable></term> +<listitem><para>Causes <emphasis>smbpasswd</emphasis> to be silent and to read its old and new passwords from standard input, rather than from <filename>/dev/tty</filename>. This is useful for writing scripts.</para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.10" id="appd-SECT-1.10"> +<title>testparm</title> + + +<para>The <emphasis>testparm</emphasis> +<indexterm id="appd-idx-993999-0"><primary>testparm program</primary></indexterm> +<indexterm id="appd-idx-993999-1"><primary>smb.conf (Samba configuration) file</primary><secondary>testparm program for</secondary></indexterm> program checks an <filename>smb.conf</filename> file for obvious errors and self-consistency. Its command line is:</para> + + +<programlisting>testparm [options] <replaceable>configfile_name [hostname IP_addr]</replaceable></programlisting> + + +<para>If the configuration file is not specified, the file at <replaceable>samba_dir</replaceable><filename>/lib/smb.conf</filename> is checked by default. If you specify a hostname and an IP address, an extra check will be made to ensure that the specified machine would be allowed to connect to Samba. If a hostname is specified, an IP address should be present as well.</para> + + +<sect3 role="" label="D.1.10.1" id="appd-SECT-1.10.1"> +<title>Options</title> + + +<variablelist> +<varlistentry><term><literal>-h</literal></term> +<listitem><para>Prints command-line information for the program.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-L</literal> server_name</term> +<listitem><para>Resets the <literal>%L</literal> configuration variable to the specified server name.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal></term> +<listitem><para>This option prevents the <emphasis>testparm</emphasis> program from prompting the user to press the Enter key before printing a list of the configuration options for the server.</para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="D.1.11" id="appd-SECT-1.11"> +<title>testprns</title> + + +<para>The<indexterm id="appd-idx-993761-0"><primary>testprns program</primary></indexterm> +<indexterm id="appd-idx-993761-1"><primary>printers</primary><secondary>names</secondary><tertiary>checking</tertiary></indexterm> <emphasis>testprns</emphasis> program checks a specified printer name against the system printer capabilities (<filename>printcap</filename>) file. Its command line is:</para> + + +<programlisting>testprns <replaceable>printername</replaceable> [<replaceable>printcapname</replaceable>]</programlisting> + + +<para>If the <literal>printcapname</literal> isn't specified, Samba attempts to use one located in the <filename>smb.conf</filename> file. If one isn't specified there, Samba will try <filename>/etc/printcap</filename>. If that fails, the program will generate an error.</para> +</sect2> + + + + + +<sect2 role="" label="D.1.12" id="appd-SECT-1.12"> +<title>rpcclient</title> + + +<para>This is a new client that exercises the <indexterm id="appd-idx-993762-0"><primary>RPC (remote procedure call)</primary></indexterm> +<indexterm id="appd-idx-993762-1"><primary>remote procedure call (RPC)</primary></indexterm>RPC (remote procedure call) interfaces of an SMB server. Like <emphasis>smbclient</emphasis>, <emphasis>rpcclient</emphasis> +<indexterm id="appd-idx-993763-0"><primary>rpcclient program</primary></indexterm> started its life as a test program for the Samba developers and will likely stay that way for a while. Its command line is:</para> + + +<programlisting>rpcclient //<replaceable>server</replaceable>/<replaceable>share</replaceable></programlisting> + + +<para>The command-line options are the same as the Samba 2.0 <emphasis>smbclient</emphasis>, and the operations you can try are listed in <link linkend="appd-65243">Table 4.4</link>.</para> + + +<table label="D.4" id="appd-65243"> +<title>rpcclient commands </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Command</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>regenum keyname</literal></para></entry> + +<entry colname="col2"><para>Registry Enumeration (keys, values)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>regdeletekey keyname </literal></para></entry> + +<entry colname="col2"><para>Registry Key Delete</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>regcreatekey keyname [keyvalue]</literal></para></entry> + +<entry colname="col2"><para>Registry Key Create</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>regquerykey keyname</literal></para></entry> + +<entry colname="col2"><para>Registry Key Query</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>regdeleteval valname</literal></para></entry> + +<entry colname="col2"><para>Registry Value Delete</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>regcreateval valname valtype value</literal></para></entry> + +<entry colname="col2"><para>Registry Key Create</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>reggetsec keyname</literal></para></entry> + +<entry colname="col2"><para>Registry Key Security</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>regtestsec keyname</literal></para></entry> + +<entry colname="col2"><para>Test Registry Key Security</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ntlogin [username] [password]</literal></para></entry> + +<entry colname="col2"><para>NT Domain Login Test</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>wksinfo</literal></para></entry> + +<entry colname="col2"><para>Workstation Query Info</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>srvinfo</literal></para></entry> + +<entry colname="col2"><para>Server Query Info</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>srvsessions</literal></para></entry> + +<entry colname="col2"><para>List Sessions on a Server</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>srvshares</literal></para></entry> + +<entry colname="col2"><para>List shares on a server</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>srvconnections</literal></para></entry> + +<entry colname="col2"><para>List connections on a server</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>srvfiles</literal></para></entry> + +<entry colname="col2"><para>List files on a server</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lsaquery</literal></para></entry> + +<entry colname="col2"><para>Query Info Policy (domain member or server)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lookupsids</literal></para></entry> + +<entry colname="col2"><para>Resolve names from SIDs</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ntpass</literal></para></entry> + +<entry colname="col2"><para>NT SAM Password Change</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect2> + + + + + +<sect2 role="" label="D.1.13" id="appd-SECT-1.13"> +<title>tcpdump</title> + + +<para>The <emphasis>tcpdump</emphasis> +<indexterm id="appd-idx-993765-0"><primary>tcpdump utility</primary></indexterm> +<indexterm id="appd-idx-993765-1"><primary>packets</primary><secondary>headers for, tcpdump utility and</secondary></indexterm> utility, a classic system administration tool, dumps all the packet headers it sees on an interface that match an expression. The version included in the Samba distribution is enhanced to understand the SMB protocol. The <emphasis>expression</emphasis> is a logical expression with "and," "or," and "not," although sometimes it's very simple. For example, <literal>host</literal> <literal>escrime</literal> would select every packet going to or from <literal>escrime</literal>. The expression is normally one or more of:</para> + + +<itemizedlist> + +<listitem><para><literal>host</literal> <replaceable>name</replaceable></para></listitem> + +<listitem><para><literal>ne</literal>t <replaceable>network_number</replaceable></para></listitem> +<listitem><para><literal>port</literal> <replaceable>number</replaceable></para></listitem> +<listitem><para><literal>src</literal> <replaceable>name </replaceable></para></listitem> +<listitem><para><literal>dst</literal> <replaceable>name</replaceable></para></listitem> +</itemizedlist> + +<para>The most common options are <literal>src</literal> (source), <literal>dst</literal> (destination), and <literal>port</literal>. For example, in the book we used the command:</para> + + +<programlisting>tcpdump port not telnet</programlisting> + + +<para>This dumps all the packets except telnet; we were logged-in via telnet and wanted to see only the SMB packets.</para> + + +<para>Another <emphasis>tcpdump</emphasis> example is selecting traffic between server and either <literal>sue</literal> or <literal>joe</literal>:</para> + + +<programlisting>tcpdump host server and \( sue or joe \)</programlisting> + + +<para>We recommend using the <literal>-s</literal> <literal>1500</literal> option so that you capture all of the SMB messages sent, instead of just the header information.</para> + + +<sect3 role="" label="D.1.13.1" id="appd-SECT-1.13.1"> +<title>Options</title> + + +<para>There are many options, and many other kinds of expressions that can be used with <emphasis>tcpdump</emphasis>. See the manual page for details on the advanced options. The most common options are as follows:</para> + + +<variablelist> +<varlistentry><term><literal>-c</literal> <replaceable>count</replaceable></term> +<listitem><para>Forces the program to exit after receiving the specified number of packets.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-F</literal> <replaceable>file</replaceable></term> +<listitem><para>Reads the expression from the specified file and ignores expressions on the command line.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-i</literal> <replaceable>interface</replaceable></term> +<listitem><para>Forces the program to listen on the specified interface.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-r</literal> <replaceable>file</replaceable></term> +<listitem><para>Reads packets from the specified file (captured with <literal>-w</literal>).</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-s</literal> <replaceable>length</replaceable></term> +<listitem><para>Saves the specified number of bytes of data from each packet (rather than 68 bytes).</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>-w</literal> <replaceable>file</replaceable></term> +<listitem><para>Writes the packets to the specified file.<indexterm id="appd-idx-993743-0" class="endofrange" startref="appd-idx-994034-0"/></para></listitem> +</varlistentry> +</variablelist> +</sect3> +</sect2> +</sect1> + + + + + + + + +</appendix> diff --git a/docs-xml/using_samba/appe.xml b/docs-xml/using_samba/appe.xml new file mode 100644 index 0000000000..2e5863ad1f --- /dev/null +++ b/docs-xml/using_samba/appe.xml @@ -0,0 +1,46 @@ +<appendix label="E" id="SAMBA-AP-E"> +<title>Downloading Samba with CVS</title> + + + + +<para> +<indexterm id="appe-idx-992918-0"><primary>downloads</primary><secondary>Samba</secondary><tertiary sortas="obtainedusing CVS">obtained using CVS</tertiary></indexterm> +<indexterm id="appe-idx-992918-1"><primary>Samba</primary><secondary>downloading</secondary><tertiary>with CVS</tertiary></indexterm>This appendix contains information on how to download the latest source version of Samba using the C<indexterm id="appe-idx-992919-0"><primary>Concurrent Versions System (CVS)</primary></indexterm> +<indexterm id="appe-idx-992919-1"><primary>CVS (Concurrent Versions Systems)</primary></indexterm>oncurrent Versions System (CVS). CVS is a freely available configuration management tool available from <indexterm id="appe-idx-992920-0"><primary>Cyclic Software</primary></indexterm>Cyclic Software and is distributed under the<indexterm id="appe-idx-992921-0"><primary>GNU General Public License (GPL)</primary></indexterm> GNU General Public License. You can download the latest copy from <systemitem role="url">http://www.cyclic.com/</systemitem>.<indexterm id="appe-idx-992922-0"><primary>URLs (uniform resource locators)</primary><secondary>Cyclic Software</secondary></indexterm></para> + + +<para>CVS works on top of the GNU <indexterm id="appe-idx-992923-0"><primary>Revision Control System +(RCS)</primary></indexterm> +<indexterm id="appe-idx-992923-1"><primary>RCS (Revision Control +System)</primary></indexterm>Revision Control System (RCS). Many Unix +systems come preinstalled with RCS. However, if you want to download +the latest version of RCS, you can find it at <indexterm id="appe-idx-992936-0"><primary>URLs (uniform resource +locators)</primary><secondary>RCS (Revision Control +System)</secondary></indexterm><systemitem role="url">http://ftp.gnu.org/gnu/rcs/</systemitem>.</para> + + +<para>One of the nicest things about CVS is its ability to handle remote logins. This means that people across the globe on the Internet can download and update various source files for any project that uses a CVS repository. Such is the case with Samba. Once you have RCS and CVS installed on your system, you must first log in to the Samba source server with the following command:</para> + + +<programlisting>cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login</programlisting> + + +<para>This tells CVS to connect to the CVS server at <filename>cvs.samba.org</filename>. Once you are connected, you can download the latest source tree with the following command:</para> + + +<programlisting>cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba</programlisting> + + +<para>This will download the entire Samba distribution (file by file) into a directory entitled <filename>/samba</filename>, which it will create on your hard drive. This directory will have the same structure as the Samba source distribution described in <link linkend="SAMBA-CH-2">Chapter 2</link>. It includes source and header files, documentation, and sample configuration files to help get you started. After that is completed, you can follow the instructions in <link linkend="SAMBA-CH-2">Chapter 2</link> to configure and compile Samba on your server.</para> + + + + + + + + + + +</appendix> diff --git a/docs-xml/using_samba/appf.xml b/docs-xml/using_samba/appf.xml new file mode 100644 index 0000000000..b4965f0d13 --- /dev/null +++ b/docs-xml/using_samba/appf.xml @@ -0,0 +1,250 @@ +<appendix label="F" id="SAMBA-AP-F"> +<title>Sample Configuration File</title> + + + + +<para> +<indexterm id="appf-idx-993481-0" class="startofrange"><primary>configuration files</primary><secondary>sample of</secondary></indexterm>This appendix gives an example of a production <filename>smb.conf</filename> file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:</para> + + +<programlisting># smb.conf -- File Server System for: 1 Example.COM BSC & Management Office +[globals] + workgroup = 1EG_BSC + interfaces = 10.10.1.14/24</programlisting> + + +<para>We provide this service on only one of the machine's interfaces. The <literal>interfaces</literal> option sets its address and netmask, where <literal>/24</literal> is the same as using the netmask 255.255.255.0:</para> + + +<programlisting>comment = Samba ver. %v + preexec = csh -c `echo /usr/samba/bin/smbclient \ + -M %m -I %I` &</programlisting> + + +<para>We use the <command>preexec</command> command to log information about all connections by machine name (<literal>%m</literal>) and IP address (<literal>%I)</literal>:</para> + + +<programlisting># smbstatus will output various info on current status + status = yes + browseable = yes + printing = bsd + + # the username that will be used for access to services + # specified with 'guest = ok' + guest account = samba</programlisting> + + +<para>The default guest account was <literal>nobody</literal>, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:</para> + + +<programlisting># superuser account - admin privilages to shares, with no + # restrictions + # WARNING - use this with care: files can be modified, + # regardless of file permissions + admin users = root + + # who is NOT allowed to connect to ANY service + invalid users = @wheel, mail, deamon, adt</programlisting> + + +<para>Daemons can't use Samba, only people. The <literal>invalid</literal> <literal>users</literal> option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.</para> + + +<programlisting># hosts that are ALLOWED or DENIED from connecting to ANY service + hosts allow = 10.10.1. + hosts deny = 10.10.1.6 + + # where the lock files will be located + lock directory = /var/lock/samba/locks + + # debug log files + # %m = separate log for each NetBIOS name (each machine) + log file = /var/log/samba/log.%m + + # We send priority 0, 1 and 2 messages to the system logs + syslog = 2 + + # If a WinPopup message is sent to the server, + # redirect it to a user via e-mail + + message command = /bin/mail -s 'message from #% on %m' \ + pkelly < %s; rm %s + +# --------------------------------------------------- +# [globals] Performance Tuning +# --------------------------------------------------- + + # caching algorithm to reduce time doing getwd() calls. + getwd cache = yes + + socket options = TCP_NODELAY + + # tell the server whether the client is present and + # responding in seconds + keep alive = 60 + + # num minutes of inactivity before a connection is + # considered dead + dead time = 30 + + read prediction = yes + share modes = yes + max xmit = 17384 + read size = 512</programlisting> + + +<para>The <literal>share</literal> <literal>modes</literal>, <literal>max</literal>, <literal>xinit</literal>, and <literal>read</literal> <literal>size</literal> options are machine-specific (see <link linkend="SAMBA-AP-B">Appendix B</link>):</para> + + +<programlisting># locking is done by the server + locking = yes + + # control whether dos style attributes should be mapped + # to unix execute bits + map hidden = yes + map archive = yes + map system = yes</programlisting> + + +<para>The three <literal>map</literal> options will work only on shares with a create mode that includes the execute bits (0111). Our <literal>homes</literal> and <literal>printers</literal> shares won't honor them, but the [<literal>www]</literal> share will:</para> + + +<programlisting># --------------------------------------------------------- +# [globals] Security and Domain Logon Services +# --------------------------------------------------------- +# connections are made with UID and GID, not as shares + security = user + +# boolean variable that controls whether passwords +# will be encrypted + encrypt passwords = yes + passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*" + passwd program = /usr/bin/passwd %u + +# Always become the local master browser + domain master = yes + preferred master = yes + os level = 34 + +# For domain logons to work correctly. Samba acts as a +# primary domain controller. + domain logons = yes + +# Logon script to run for user off the server each time +# username (%U) logs in. Set the time, connect to shares, +# virus checks, etc. + logon script = scripts\%U.bat + +[netlogon] + comment = "Domain Logon Services" + path = /u/netlogon + writable = yes + create mode = 444 + guest ok = no + volume = "Network"</programlisting> + + +<para>This share, discussed in <link linkend="SAMBA-CH-6">Chapter 6</link>, is required for Samba to work smoothly in a Windows NT domain:</para> + + +<programlisting># ----------------------------------------------------------- +# [homes] User Home Directories +# ----------------------------------------------------------- +[homes] + comment = "Home Directory for : %u " + path = /u/users/%u</programlisting> + + +<para>The password file of the Samba server specifies each person's home directory as <emphasis>/home/</emphasis><replaceable>machine_name</replaceable><emphasis>/</emphasis><replaceable>person</replaceable>, which NFS converts to point to the actual physicl location under <emphasis>/u/users</emphasis>. The <literal>path</literal> option in the <literal>[homes]</literal> share tells Samba the actual (non-NFS) location:</para> + + +<programlisting>guest ok = no + read only = no + create mode = 644 + writable = yes + browseable = no + +# ----------------------------------------------------------- +# [printers] System Printers +# ----------------------------------------------------------- +[printers] + comment = "Printers" + path = /var/spool/lpd/samba + printcap name = /etc/printcap + printable = yes + public = no + writable = no + + lpq command = /usr/bin/lpq -P%p + lprm command = /usr/bin/lprm -P%p %j + lppause command = /usr/sbin/lpc stop %p + lpresume command = /usr/sbin/lpc start %p + + create mode = 0700 + + browseable = no + load printers = yes + +# ----------------------------------------------------------- +# Specific Descriptions: [programs] [data] [retail] +# ----------------------------------------------------------- +[programs] + comment = "Shared Programs %T" + volume = "programs"</programlisting> + + +<para>Shared Programs shows up in the Network Neighborhood, and <literal>programs</literal> is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:</para> + + +<programlisting>path = /u/programs + public = yes + writeable = yes + printable = no + create mode = 664 +[cdrom] + comment = "Unix CDROM" + path = /u/cdrom + public = no + writeable = no + printable = no + volume = "cdrom" + +[data] + comment = "Data Directories %T" + path = /u/data + public = no + create mode = 770 + writeable = yes + volume = "data" + +[nt4] + comment = "NT4 Server" + path = /u/systems/nt4 + public = yes + create mode = 770 + writeable = yes + volume = "nt4_server" + +[www] + comment = "WWW System" + path = /usr/www/http + public = yes + create mode = 775 + writeable = yes + volume = "www_system"</programlisting> + + +<para>The <literal>[www]</literal> share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.</para> + + + + + + + + + + + +</appendix> diff --git a/docs-xml/using_samba/book.xml b/docs-xml/using_samba/book.xml new file mode 100644 index 0000000000..fdcf36d64e --- /dev/null +++ b/docs-xml/using_samba/book.xml @@ -0,0 +1,51 @@ +<?xml version="1.0"?> +<!DOCTYPE book PUBLIC +"-//O'Reilly//DTD DBLite Safari 1.0 XML//EN" +"/usr/local/prod/sgml/dblite/safari_future.dtd" +[ +<!ENTITY metadata SYSTEM "metadata.xml"> +<!-- Declare external file entities --> +<!ENTITY appa SYSTEM "appa.xml"> +<!ENTITY appb SYSTEM "appb.xml"> +<!ENTITY appc SYSTEM "appc.xml"> +<!ENTITY appd SYSTEM "appd.xml"> +<!ENTITY appe SYSTEM "appe.xml"> +<!ENTITY appf SYSTEM "appf.xml"> +<!ENTITY ch00 SYSTEM "ch00.xml"> +<!ENTITY ch01 SYSTEM "ch01.xml"> +<!ENTITY ch02 SYSTEM "ch02.xml"> +<!ENTITY ch03 SYSTEM "ch03.xml"> +<!ENTITY ch04 SYSTEM "ch04.xml"> +<!ENTITY ch05 SYSTEM "ch05.xml"> +<!ENTITY ch06 SYSTEM "ch06.xml"> +<!ENTITY ch07 SYSTEM "ch07.xml"> +<!ENTITY ch08 SYSTEM "ch08.xml"> +<!ENTITY ch09 SYSTEM "ch09.xml"> +<!ENTITY colo1 SYSTEM "colo1.xml"> +<!ENTITY cpyrt SYSTEM "copy.xml"> +]> +<!-- Document type description --> +<book fpi="1565924495"> + <title>Using Samba</title> + <!-- Book metadata --> +&metadata; +<!-- Reference the file entities --> +&cpyrt; +&ch00; +&ch01; +&ch02; +&ch03; +&ch04; +&ch05; +&ch06; +&ch07; +&ch08; +&ch09; +&appa; +&appb; +&appc; +&appd; +&appe; +&appf; +&colo1; +</book> diff --git a/docs-xml/using_samba/ch00.xml b/docs-xml/using_samba/ch00.xml new file mode 100644 index 0000000000..79121b2cf2 --- /dev/null +++ b/docs-xml/using_samba/ch00.xml @@ -0,0 +1,330 @@ +<preface id="ch00"> +<title>Preface</title> + + + + +<para>It's nine in the morning and you've just arrived at the computer center after a refreshing night's sleep. Your pager hasn't gone off in months. Life is pretty good as a system administrator — and why shouldn't it be, with the network you're running? Two hundred identical machines, all running the same operating system. All of the printers are networked, accessible from anywhere in the building, and the auto-configuration scripts that the manufacturer supplied ensure that everyone in the company has a consistent view of the shared disks you've set up. Yes, this is the good life. You lean back and take that first delicious sip of morning coffee . . . .</para> + + +<para>And then, the alarm clock jolts you out of your blissful reverie. If you're like most system administrators, this could only be a dream. Your morning probably starts with a tireless struggle to get four different computer platforms running three different operating systems simply to talk to each other — that is, if the phone ever stops ringing. Most of your users don't understand why it's so hard to access a file on another computer or to send a job to a remote printer. The logs show that the backups are late. For some reason the PCs on the second floor can't find the tape server. With all these headaches, what's a network administrator to do?</para> + + +<para>Easy: take the day off, read this book, and learn Samba!</para> + + + + + + + + + + + +<sect1 role="" id="ch00-SECT-1"> +<title>The Samba Suite</title> + + +<para>Samba is a suite of tools for sharing resources such as printers and files across a network. This may be a bit of an oversimplification, but Samba is really designed to make your life easier. Samba uses the Server Message Block (SMB) protocol, which is endorsed jointly by Microsoft and IBM, to communicate low-level data between Windows clients and Unix servers on a TCP/IP network.</para> + + +<para> +<indexterm id="ch00-idx-941381-0"><primary>Samba</primary><secondary>features/uses</secondary></indexterm>Four features of Samba make it extremely attractive:</para> + + +<itemizedlist> +<listitem><para>Samba speaks the same SMB protocol that Microsoft and IBM operating systems have used as their standard since DOS 3.0. This means that almost all Windows machines already understand it and there is no extra client software to install.</para></listitem> +<listitem><para>Samba runs on a variety of platforms, including most variants of Unix, OpenVMS, OS/2, AmigaDOS, and NetWare. This means that you can use a single program on the server to provide files and printers to a community of PCs.</para></listitem> +<listitem><para>Samba is free. There are several commercial products that duplicate Samba's features, and some of them are quite expensive. Samba offers you an alternative to packages that could gobble up a significant portion of your IS budget. Samba is distributed under the GNU General Public License (GPL), and is considered by its authors to be <firstterm>Open Source</firstterm> software. In other words, you can freely download both the application and the accompanying source code to your computer, and even improve on the original Samba programs if you like.</para></listitem> +<listitem><para>Samba administration is centralized on the server. You don't have to visit every one of your machines, floppy or CD-ROM in hand, to upgrade the client software.</para></listitem> +</itemizedlist> + +<para>Samba is a complete solution for local area networks (LANs) of all sizes—everything from the two-computer home network to corporate installations with hundreds of nodes. Samba is simple to set up and to administer, and presents itself as a transparent network environment that offers users access to all of the resources they need to get their work done. Once you've set it up, Samba will let you:</para> + + +<itemizedlist> +<listitem><para>Serve Unix files to Windows, OS/2, and other OS clients</para></listitem> +<listitem><para>Allow Unix clients to access PC files</para></listitem> +<listitem><para>Serve network printers to Windows clients</para></listitem> +<listitem><para>Provide name services (broadcast and WINS)</para></listitem> +<listitem><para>Allow browsing of network resources from Windows clients</para></listitem> +<listitem><para>Create Windows workgroups or domains</para></listitem> +<listitem><para>Enforce username and password authentication of clients</para></listitem> +</itemizedlist> +</sect1> + + + + + + + + + +<sect1 role="" id="ch00-SECT-2"> +<title>Audience for this Book</title> + + +<para>The primary audience of this book is Unix administrators who need to support PCs on their network, and anyone who needs to provide a Unix server in a PC environment. But we don't want to burden you with an endless series of arcane system administration tools and vocabulary. While we assume you are familiar with basic Unix system administration, we will <emphasis>not</emphasis> assume you are a networking expert. We'll do our best along the way to help out with unusual definitions and terms.</para> + + +<para>Because we don't assume a tremendous amount of experience with Microsoft Windows, we will go through the PC side of the installation task in considerable detail and give examples for both Windows 95/98 and Windows NT, which are subtly different. For the Unix side, we will give examples for common Unix operating systems, such as Linux 2.0 or Solaris 2.6.</para> +</sect1> + + + + + + + + + +<sect1 role="" id="ch00-SECT-3"> +<title>Samba Installation Checklist</title> + + +<para>Before you get started, you should have:</para> + + +<itemizedlist> +<listitem><para><indexterm id="ch00-idx-941383-0"><primary>Samba</primary><secondary>version 2.0.5</secondary></indexterm><indexterm id="ch00-idx-941383-1"><primary>Samba</primary><secondary>distribution</secondary></indexterm><indexterm id="ch00-idx-941383-2"><primary>URLs (uniform resource locators)</primary><secondary>Samba</secondary><tertiary>distribution</tertiary></indexterm> + +<!-- CD-ROM REFERENCE COMMENTED OUT FOR SAFARI VERSION OF THIS TITLE. + +Either the CD-ROM from this book (which contains both source and binary distributions of Samba 2.0.5) or the latest Samba distribution, which you can download directly off the Internet at <systemitem role="url">http://www.samba.org/</systemitem>. </para> + +--> + +The latest Samba distribution, which you can download directly off the Internet at <systemitem role="url">http://www.samba.org/</systemitem>.</para></listitem> +<listitem><para>The names and IP addresses of the servers and client machines you plan to use, the netmask of your network, and the names and IP addresses of your domain name (DNS) servers.</para></listitem> +</itemizedlist> +</sect1> + + + + + + + + + +<sect1 role="" id="ch00-SECT-4"> +<title>Organization</title> + + +<para>The book can be roughly divided into two sections: Samba installation (<link linkend="ch01-48078">Chapter 1</link> through <link linkend="SAMBA-CH-3">Chapter 3</link>) and Samba configuration and optimization (<link linkend="ch04-21486">Chapter 4</link> through <link linkend="SAMBA-CH-9">Chapter 9</link>). Here is a detailed breakdown of each of the chapters:</para> + + +<variablelist> +<varlistentry><term><link linkend="ch01-48078">Chapter 1</link></term> +<listitem><para>This chapter introduces each of the Samba components and gives a brief overview of NetBIOS and Windows networking.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-2">Chapter 2</link></term> +<listitem><para>This chapter covers configuring, compiling, installing, and testing the Samba server on a Unix platform.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-3">Chapter 3</link></term> +<listitem><para>This chapter explains how to configure Microsoft Windows 95/98 and NT 4.0 clients to participate in an SMB network. It also gives a brief introduction to the SMB protocol in action.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="ch04-21486">Chapter 4</link></term> +<listitem><para>This chapter gets you up to speed with the individual parts of the Samba configuration file and shows you how to configure disk services.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-5">Chapter 5</link></term> +<listitem><para>This chapter continues the discussion of disk options and examines browsing with Samba.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-6">Chapter 6</link></term> +<listitem><para>This chapter discusses how to set up users, introduces you to Samba security, and shows you how to work with encrypted and non-encrypted passwords. We also discuss how to set up Samba as a primary domain controller for Windows 95/98 and NT clients.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-7">Chapter 7</link></term> +<listitem><para>This chapter discusses printer and Windows Internet Naming Service (WINS) setup with Samba.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-8">Chapter 8</link></term> +<listitem><para>This chapter bundles several miscellaneous activities associated with Samba, such as configuring Samba shares for programmers, internationalization issues, and backing up with <emphasis>smbtar</emphasis>.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-CH-9">Chapter 9</link></term> +<listitem><para>If you have problems installing Samba, this comparatively large chapter is packed with troubleshooting hints and strategies as to what might be going wrong.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-AP-A">Appendix A</link></term> +<listitem><para>This appendix shows you the nitty-gritty of setting up Samba with Secure Sockets Layers (SSL) connections between the server and its clients.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-AP-B">Appendix B</link></term> +<listitem><para>This appendix discusses various techniques to optimize Samba processing on your network.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-AP-C">Appendix C</link></term> +<listitem><para>This appendix covers each of the options used in the <filename>smb.conf</filename> file.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-AP-D">Appendix D</link></term> +<listitem><para>Each of the server daemons and tools that make up the Samba suite are covered in this appendix. In addition, we provide a list of mirror sites on the Internet from which Samba can be downloaded.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-AP-E">Appendix E</link></term> +<listitem><para>This appendix explains how to download the latest version of Samba with CVS.</para></listitem> +</varlistentry> + + +<varlistentry><term><link linkend="SAMBA-AP-F">Appendix F</link></term> +<listitem><para>This appendix provides a large-scale Samba configuration file, which you might find in place at a large corporation. We have embedded comments in the file to explain the more arcane options.</para></listitem> +</varlistentry> +</variablelist> +</sect1> + + + + + + + + + +<sect1 role="" id="ch00-SECT-5"> +<title>Conventions</title> + + +<para>The following font conventions are followed throughout this book:</para> + + +<variablelist> +<varlistentry><term>Italic </term> +<listitem><para>Filenames, file extensions, URLs, Internet addresses, executable files, commands, and emphasis.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>Constant Width</literal> </term> +<listitem><para>Samba configuration options and other code that appear in the text, and command-line information that should be typed verbatim on the screen.</para></listitem> +</varlistentry> + + +<varlistentry><term><userinput>Bold Constant Width</userinput> </term> +<listitem><para>Commands that are entered by the user, and new configuration options that we wish to bring to the attention of the reader.</para></listitem> +</varlistentry> + + +<varlistentry><term><replaceable>Constant Width Italic</replaceable></term> +<listitem><para>Replaceable content in code and command-line information.</para></listitem> +</varlistentry> +</variablelist> + + +<tip id="ch00-NOTE-0" role="ora"> +<para>This icon designates a note, which is an important aside to the nearby text.</para> + +</tip> + +<warning id="ch00-NOTE-1" role="ora"> +<para>This icon designates a warning related to the nearby text.</para> + +</warning> +</sect1> + + + + + + + + + +<sect1 role="" id="ch00-SECT-6"> +<title>Request for Comments</title> + + +<para>As a reader of this book, you can help us to improve the next edition. If you find errors, inaccuracies, or typographical errors anywhere in the book, please let us at O'Reilly know about them. Also, if you find any misleading statements or confusing explanations, let us know that as well. Send all correspondence to:</para> + + +<simplelist> + +<member>O'Reilly & Associates</member> + +<member>101 Morris Street</member> + +<member>Sebastopol, CA 95472</member> + +<member>1-800-998-9938 (in the U.S. or Canada)</member> + +<member>1-707-829-0515 (international/local)</member> + +<member>1-707-829-0104 (fax)</member> + +<member><email>bookquestions@ora.com</email></member> + +</simplelist> + + +<para>Please let us know what we can do to make the book more helpful to you. We take your comments seriously, and will do whatever we can to make this book as useful as it can be.</para> +</sect1> + + + + + + + + + +<sect1 role="" id="ch00-SECT-7"> +<title>Acknowledgments</title> + + +<para>Robert Eckstein</para> + + +<blockquote> +<para>I'd first like to recognize Dave Collier-Brown and Peter Kelly for all their help in the creation of this book. I'd also like to thank each of the technical reviewers that helped polish this book into shape on such short notice: Matthew Temple, Jeremy Allison, and of course Andrew Tridgell. Andrew and Jeremy deserve special recognition, not only for creating such a wonderful product, but for providing a tireless amount of support in the final phase of this book—hats off to you, guys! A warm hug goes out to my wife Michelle, who once again put up with a husband loaded down with too much caffeine on a tight schedule. Thanks to Dave Sifry and the people at LinuxCare, San Francisco, for hosting me on such short notice for Andrew Tridgell's visit. And finally, a huge amount of thanks to our editor, Andy Oram, who (very) patiently helped guide this book through its many stages until we got it right.</para> +</blockquote> + + +<para>David Collier-Brown</para> + + +<blockquote> +<para>I'd especially like to thank Joyce, who put up with me during the sometimes exciting development of the book. My thanks to Andy Oram, who was kind enough to provide the criticism that allowed me to contribute; the crew at Opcom who humored the obvious madman in their midst; and Ian MacMillan, who voluntarily translated several of my early drafts from nerd to English. I would also like to give special thanks to Perry Donham, Drew Sullivan, and Jerry DeRoo.</para> +</blockquote> + + +<para>Peter Kelly</para> + + +<blockquote> +<para>A few people really made this book possible, and I have to bow to them. Dave Collier-Brown, and then Bob Eckstein, took over my part of this project with style and professionalism and I can't explain how much I owe them for the great work that came out of it. Editor Andy Oram is by far the most patient and pleasant person I have met. Also, I don't think that I would have been involved in this book without the help of Xavier Cazin from O'Reilly, who originally came to me asking for a proposal after reading my Linux Journal article. I also would like to thank all of the JDP.COM consultants ( Jerry, Peggyann, Drew, Gord, Jerome, Mark, Rick—too many to list!) for allowing me to continue to work with them. I thank the O'Reilly staff that I have worked with as well; they are a great bunch of people. Also, thanks to the Samba Team for making Samba in the first place. And most importantly, Kate McKay, for staying with me this long!</para> +</blockquote> + + +<para>We would especially like to give thanks to Perry Donham for helping mold the first draft of this book. Although Perry was unable to contribute to subsequent drafts, his material was essential to getting this book off on the right foot. In addition, some of the browsing material came from text originally written by Dan Shearer for O'Reilly.</para> + + +<para>We are deeply indebted to the production department at O'Reilly for another fantastic job. Sarah Jane Shangraw worked long hours accommodating our seemingly endless edits, and Rob Romano tirelessly edited our images again and again until they were perfect. Special thanks also to Claire Cloutier LeBlanc, Rhon Porter, and Mike Sierra for their help—we couldn't have done it without any of them. It is largely through their collective efforts that this book arrived to you in November 1999 instead of November 2000.</para> +</sect1> + + + + + + + + +</preface> diff --git a/docs-xml/using_samba/ch01.xml b/docs-xml/using_samba/ch01.xml new file mode 100644 index 0000000000..d44e41bbb2 --- /dev/null +++ b/docs-xml/using_samba/ch01.xml @@ -0,0 +1,1544 @@ +<chapter label="1" id="ch01-48078"> +<title>Learning the Samba</title> + + + + +<para> +<indexterm id="ch01-idx-951466-0" class="startofrange"><primary>Samba</primary></indexterm>If you are a typical system administrator, then you know what it means to be <emphasis>swamped</emphasis> with work. Your daily routine is filled with endless hardware incompatibility issues, system outages, data backup problems, and a steady stream of angry users. So adding another program to the mix of tools that you have to maintain may sound a bit perplexing. However, if you're determined to reduce the complexity of your work environment, as well as the workload of keeping it running smoothly, Samba may be the tool you've been waiting for.</para> + + +<para>A case in point: one of the authors of this book used to look after 70 Unix developers sharing 5 Unix servers. His neighbor administered 20 Windows 3.1 users and 5 OS/2 and Windows NT servers. To put it mildly, the Windows 3.1 administrator was swamped. When he finally left—and the domain controller melted—Samba was brought to the rescue. Our author quickly replaced the Windows NT and OS/2 servers with Samba running on a Unix server, and eventually bought PCs for most of the company developers. However, he did the latter without hiring a new PC administrator; the administrator now manages one centralized Unix application instead of fifty distributed PCs.</para> + + +<para>If you know you're facing a problem with your network and you're sure there is a better way, we encourage you to start reading this book. Or, if you've heard about Samba and you want to see what it can do for you, this is also the place to start. We'll get you started on the path to understanding Samba and its potential. Before long, you can provide Unix services to all your Windows machines—all without spending tons of extra time or money. Sound enticing? Great, then let's get started.</para> + + + + + + + + + + + +<sect1 role="" label="1.1" id="ch01-28119"> +<title>What is Samba?</title> + + +<para>Samba is a suite of Unix applications that speak the <indexterm id="ch01-idx-951468-0"><primary>Server Message Block</primary><see>SMB</see></indexterm> +<indexterm id="ch01-idx-951468-1"><primary>SMB (Server Message Block)</primary></indexterm>SMB (Server Message Block) protocol. Many operating systems, including Windows and OS/2, use SMB to perform client-server networking. By supporting this protocol, Samba allows Unix servers to get in on the action, communicating with the same networking protocol as Microsoft Windows products. Thus, a Samba-enabled Unix machine can masquerade as a server on your Microsoft network and offer the following services:</para> + + +<itemizedlist> +<listitem><para> +<indexterm id="ch01-idx-951506-0"><primary>services</primary><secondary>performed by Samba</secondary></indexterm>Share one or more filesystems</para></listitem> +<listitem><para>Share printers installed on both the server and its clients</para></listitem> +<listitem><para>Assist clients with Network Neighborhood browsing</para></listitem> +<listitem><para>Authenticate clients logging onto a Windows domain</para></listitem> +<listitem><para>Provide or assist with WINS name server resolution</para></listitem> +</itemizedlist> + +<para>Samba is the brainchild of <indexterm id="ch01-idx-951508-0"><primary>Tridgell, Andrew</primary></indexterm>Andrew Tridgell, who currently heads the Samba development team from his home of Canberra, Australia. The project was born in 1991 when Andrew created a fileserver program for his local network that supported an odd DEC protocol from Digital Pathworks. Although he didn't know it at the time, that protocol later turned out to be SMB. A few years later, he expanded upon his custom-made SMB server and began distributing it as a product on the Internet under the name SMB Server. However, Andrew couldn't keep that name—it already belonged to another company's product—so he tried the following Unix renaming approach:</para> + +<programlisting>grep -i 's.*m.*b' /usr/dict/words<indexterm id="ch01-idx-951514-0"><primary>Samba</primary><secondary>origin of name</secondary></indexterm></programlisting> + + +<para>And the response was:</para> + + +<programlisting>salmonberry samba sawtimber scramble</programlisting> + + +<para>Thus, the name "Samba" was born.<footnote label="1" id="ch01-pgfId-946532"> + + +<para>Which is a good thing, because our marketing people highly doubt you would have picked up a book called "Using Salmonberry"!</para> + + +</footnote></para> + + +<para>Today, the Samba suite revolves around a pair of <indexterm id="ch01-idx-951515-0"><primary>Unix</primary><secondary>daemons</secondary></indexterm> +<indexterm id="ch01-idx-951515-1"><primary>daemons</primary><secondary>Unix</secondary></indexterm>Unix daemons that provide <indexterm id="ch01-idx-951518-0"><primary>shared resources</primary><see>shares</see></indexterm>shared resources—or <firstterm>shares</firstterm>—to SMB clients on the network. (Shares are sometimes called <indexterm id="ch01-idx-951527-0"><primary>services</primary><seealso>shares</seealso></indexterm>s<firstterm>ervices</firstterm> as well.) These daemons are:</para> + + +<variablelist> +<varlistentry><term>smbd</term> +<listitem><para> +<indexterm id="ch01-idx-951528-0"><primary>smbd daemon</primary></indexterm>A daemon that allows file and printer sharing on an SMB network and provides authentication and authorization for SMB clients.</para></listitem> +</varlistentry> + + +<varlistentry><term>nmbd</term> +<listitem><para> +<indexterm id="ch01-idx-951529-0"><primary>nmbd daemon</primary></indexterm>A daemon that looks after the <indexterm id="ch01-idx-951530-0"><primary>WINS (Windows Internet Name Service)</primary></indexterm>Windows Internet Name Service (WINS), and assists with browsing.</para></listitem> +</varlistentry> +</variablelist> + + +<para>Samba is currently maintained and extended by a group of volunteers under the active supervision of Andrew Tridgell. Like the Linux operating system, Samba is considered <firstterm>Open Source software </firstterm> +<indexterm id="ch01-idx-951531-0"><primary>Open Source Software (OSS)</primary></indexterm> +<indexterm id="ch01-idx-951531-1"><primary>OSS (Open Source Software)</primary></indexterm>(OSS) by its authors, and is distributed under the <indexterm id="ch01-idx-951532-0"><primary>GNU General Public License (GPL)</primary></indexterm>GNU General Public License (GPL). Since its inception, development of Samba has been sponsored in part by the <indexterm id="ch01-idx-951533-0"><primary>Australian National University</primary></indexterm>Australian National University, where Andrew Tridgell earned his Ph.D.<footnote label="2" id="ch01-pgfId-946542"> + + +<para>At the time of this printing, Andrew had completed his Ph.D. work and had joined San Francisco-based LinuxCare.</para> + + +</footnote> In addition, some development has been sponsored by independent vendors such as <indexterm id="ch01-idx-951534-0"><primary>Whistle</primary></indexterm>Whistle and <indexterm id="ch01-idx-951535-0"><primary>SGI</primary></indexterm>SGI. It is a true testament to Samba that both commercial and non-commercial entities are prepared to spend money to support an Open Source effort.</para> + + +<para> +<indexterm id="ch01-idx-951536-0"><primary>Microsoft</primary></indexterm>Microsoft has also contributed materially by putting forward its definition of SMB and the Internet-savvy <indexterm id="ch01-idx-951537-0"><primary>CIFS (Common Internet File System)</primary></indexterm> +<indexterm id="ch01-idx-951537-1"><primary>CIFS (Common Internet File System)</primary><seealso>SMB/CIFS protocol</seealso></indexterm>Common Internet File System (CIFS), as a public <indexterm id="ch01-idx-951538-0"><primary>Request for Comments (RFC)</primary></indexterm> +<indexterm id="ch01-idx-951538-1"><primary>RFC (Request for Comments)</primary></indexterm>Request for Comments (RFC), a standards document. The CIFS protocol is Microsoft's renaming of future versions of the SMB protocol that will be used in Windows products—the two terms can be used interchangeably in this book. Hence, you will often see the protocol written as "<indexterm id="ch01-idx-951539-0"><primary>SMB/CIFS protocol</primary></indexterm>SMB/CIFS."</para> +</sect1> + + + + + + + + + +<sect1 role="" label="1.2" id="ch01-SECT-2"> +<title>What Can Samba Do For Me?</title> + + +<para>As explained earlier, Samba can help Windows and Unix machines coexist in the same network. However, there are some specific reasons why you might want to set up a Samba server on your network:</para> + + +<itemizedlist> +<listitem><para> +<indexterm id="ch01-idx-951583-0"><primary>Samba</primary><secondary>reasons for using</secondary></indexterm>You don't want to pay for—or can't afford—a full-fledged Windows NT server, yet you still need the functionality that one provides.</para></listitem> +<listitem><para>You want to provide a common area for data or user directories in order to transition from a Windows server to a Unix one, or vice versa.</para></listitem> +<listitem><para>You want to be able to share printers across both Windows and Unix workstations.</para></listitem> +<listitem><para>You want to be able to access NT files from a Unix server.</para></listitem> +</itemizedlist> + +<para>Let's take a quick tour of Samba in action. Assume that we have the following basic network configuration: a Samba-enabled Unix machine, to which we will assign the name <literal>hydra</literal>, and a pair of Windows clients, to which we will assign the names <literal>phoenix</literal> and <literal>chimaera</literal>, all connected via a local area network (LAN). Let's also assume that <literal>hydra</literal> also has a local inkjet printer connected to it, <literal>lp</literal>, and a disk share named <literal>network</literal>—both of which it can offer to the other two machines. A graphic of this network is shown in <link linkend="ch01-45964">Figure 1.1</link>.</para> + + +<figure label="1.1" id="ch01-45964"> +<title>A simple network setup with a Samba server</title> + +<graphic width="502" depth="209" fileref="figs/sam.0101.gif"></graphic> +</figure> + +<para>In this network, each of the computers listed share the same <firstterm>workgroup</firstterm> +<indexterm id="ch01-idx-951584-0"><primary>workgroups</primary></indexterm>. A workgroup is simply a group nametag that identifies an arbitrary collection of computers and their resources on an <indexterm id="ch01-idx-951585-0"><primary>SMB (Server Message Block)</primary><secondary>networks</secondary></indexterm>SMB network. There can be several workgroups on the network at any time, but for our basic network example, we'll have only one: the SIMPLE workgroup.</para> + + +<sect2 role="" label="1.2.1" id="ch01-SECT-2.1"> +<title>Sharing a Disk Service</title> + + +<para> +<indexterm id="ch01-idx-951617-0" class="startofrange"><primary>disk shares</primary></indexterm>If <indexterm id="ch01-idx-951876-0"><primary>sharing</primary><secondary>disks</secondary><see>disk shares</see></indexterm> +<indexterm id="ch01-idx-951876-1"><primary>sharing</primary><secondary>printers</secondary><see>print shares</see></indexterm>everything is properly configured, we should be able to see the Samba server, <literal>hydra</literal>, through the Network Neighborhood of the <literal>phoenix</literal> Windows desktop. In fact, <link linkend="ch01-60493">Figure 1.2</link> shows the Network Neighborhood of the <literal>phoenix</literal> computer, including <literal>hydra</literal> and each of the computers that reside in the SIMPLE workgroup. Note the Entire Network icon at the top of the list. As we just mentioned, there can be more than one workgroup on an SMB network at any given time. If a user clicks on the <indexterm id="ch01-idx-951586-0"><primary>Entire Network icon</primary></indexterm>Entire Network icon, he or she will see a list of all the workgroups that currently exist on the network.</para> + + +<figure label="1.2" id="ch01-60493"> +<title>The Network Neighborhood directory</title> + +<graphic width="502" depth="174" fileref="figs/sam.0102.gif"></graphic> +</figure> + +<para>We can take a closer look at the <literal>hydra</literal> server by double-clicking on its icon. This contacts <literal>hydra</literal> itself and requests a list of its <firstterm>shares</firstterm>—the file and printer resources—that the machine provides. In this case, there is a printer entitled <literal>lp</literal> and a disk share entitled <literal>network</literal> on the server, as shown in <link linkend="ch01-76011">Figure 1.3</link>. Note that the Windows display shows hostnames in mixed case (Hydra). <indexterm id="ch01-idx-951589-0"><primary>case sensitivity</primary><secondary>hostnames and</secondary></indexterm>Case is irrelevant in <indexterm id="ch01-idx-951588-0"><primary>hostnames</primary><secondary>case sensitivity and</secondary></indexterm>hostnames, so you may see hydra, Hydra, and HYDRA in various displays or command output, but they all refer to a single system. Thanks to Samba, Windows 98 sees the Unix server as a valid SMB server, and can access the <literal>network</literal> folder as if it were just another system folder.</para> + + +<figure label="1.3" id="ch01-76011"> +<title>Shares available on the hydra sever as viewed from phoenix</title> + +<graphic width="502" depth="148" fileref="figs/sam.0103.gif"></graphic> +</figure> + +<para>One popular feature of Windows 95/98/NT is that you can map a letter-drive to a known network directory using the <indexterm id="ch01-idx-951590-0"><primary>Map Network Drive option</primary></indexterm> +<indexterm id="ch01-idx-951590-1"><primary>Windows Explorer, Map Network Drive option</primary></indexterm> +<indexterm id="ch01-idx-951590-2"><primary>network drives, mapping</primary></indexterm> +<indexterm id="ch01-idx-951590-3"><primary>mapping</primary><secondary>network drives</secondary></indexterm>Map Network Drive option in the Windows Explorer.<footnote label="3" id="ch01-pgfId-941061"> + + +<para>You can also right-click on the shared resource in the <indexterm id="ch01-idx-951603-0"><primary>Network Neighborhood window</primary><secondary> mapping network drives via</secondary></indexterm>Network Neighborhood, and then select the Map Network Drive menu item.</para> + + +</footnote> Once you do so, your applications can access the folder across the network with a standard <indexterm id="ch01-idx-951592-0"><primary>drive letters, mapping</primary></indexterm>drive letter. Hence, you can store data on it, install and run programs from it, and even password-protect it against unwanted visitors. See <link linkend="ch01-55465">Figure 1.4</link> for an example of mapping a letter-drive to a network directory.</para> + + +<figure label="1.4" id="ch01-55465"> +<title>Mapping a network drive to a Windows letter-drive</title> + +<graphic width="502" depth="336" fileref="figs/sam.0104.gif"></graphic> +</figure> + +<para>Take a look at the Path: entry in the dialog box of <link linkend="ch01-55465">Figure 1.4</link>. An equivalent way to represent a directory on a network machine is by using two <indexterm id="ch01-idx-951593-0"><primary>backslashes, two (\\) in directories</primary></indexterm> +<indexterm id="ch01-idx-951593-1"><primary>\\ (backslashes, two) in directories</primary></indexterm>backslashes, followed by the name of the networked machine, another backslash, and the networked directory of the machine, as shown below:</para> + + +<programlisting><emphasis>\\</emphasis><replaceable>network-machine</replaceable><emphasis>\</emphasis><replaceable>directory</replaceable></programlisting> + + +<para>This is known as the <firstterm>UNC</firstterm> +<indexterm id="ch01-idx-951594-0"><primary>UNC (Universal Naming Convention)</primary></indexterm> +<indexterm id="ch01-idx-951594-1"><primary>Universal Naming Convention (UNC)</primary></indexterm> (Universal Naming Convention) in the Windows world. For example, the dialog box in <link linkend="ch01-55465">Figure 1.4</link> represents the network directory on the <literal>hydra</literal> server as:</para> + + +<programlisting>\\HYDRA\<replaceable>network</replaceable></programlisting> + + +<para>If this looks somewhat familiar to you, you're probably thinking of <firstterm>uniform resource locators</firstterm> +<indexterm id="ch01-idx-951607-0"><primary>uniform resource locators (URLs)</primary></indexterm> +<indexterm id="ch01-idx-951607-1"><primary>URLs (uniform resource locators)</primary></indexterm> (URLs), which are addresses that web browsers such as Netscape Navigator and Internet Explorer use to resolve machines across the Internet. Be sure not to confuse the two: web browsers typically use <indexterm id="ch01-idx-951608-0"><primary>forward slashes in web browser addresses</primary></indexterm>forward slashes instead of back slashes, and they precede the initial slashes with the <indexterm id="ch01-idx-951611-0"><primary>data transfer protocol</primary></indexterm>data transfer protocol (i.e., <indexterm id="ch01-idx-951612-0"><primary>FTP (File Transfer Protocol)</primary></indexterm>ftp, <indexterm id="ch01-idx-951613-0"><primary>http</primary></indexterm>http) and a <indexterm id="ch01-idx-951610-0"><primary>colon (:) in web browser addresses</primary></indexterm> +<indexterm id="ch01-idx-951610-1"><primary>: (colon)</primary></indexterm>colon (:). In reality, URLs and UNCs are two completely separate things.</para> + + +<para>Once the network drive is set up, Windows and its programs will behave as if the networked directory was a fixed disk. If you have any applications that support <indexterm id="ch01-idx-952014-0"><primary>multi-user functionality, legal agreements and</primary></indexterm> +<indexterm id="ch01-idx-952014-1"><primary>legal agreements covering multi-user functionality</primary></indexterm>multiuser functionality on a network, you can install those programs on the network drive.<footnote label="4" id="ch01-pgfId-952017"> + + +<para>Be warned that many end-user license agreements forbid installing a program on a network such that multiple clients can access it. Check the legal agreements that accompany the product to be absolutely sure.</para> + + +</footnote> <link linkend="ch01-32686">Figure 1.5</link> shows the resulting network drive as it would appear with other storage devices in the Windows 98 client. Note the pipeline attachment in the icon for the G: drive; this indicates that it is a network drive instead of a fixed drive.</para> + + +<figure label="1.5" id="ch01-32686"> +<title>The Network directory mapped to the client letter-drive G</title> + +<graphic width="502" depth="224" fileref="figs/sam.0105.gif"></graphic> +</figure> + +<para>From our Windows NT Workstation machine, <literal>chimaera</literal>, Samba looks almost identical to Windows 98. <link linkend="ch01-29255">Figure 1.6</link> shows the same view of the <literal>hydra</literal> server from the Windows NT 4.0 Network Neighborhood. Setting up the network drive using the Map Network Drive option in Windows NT Workstation 4.0 would have identical results as well.</para> + + +<figure label="1.6" id="ch01-29255"> +<indexterm id="ch01-idx-951618-0" class="endofrange" startref="ch01-idx-951617-0"/><title>Shares available on hydra (viewed from chimaera) </title> + +<graphic width="502" depth="141" fileref="figs/sam.0106.gif"></graphic> +</figure> +</sect2> + + + + + +<sect2 role="" label="1.2.2" id="ch01-SECT-2.2"> +<title>Sharing a Printer</title> + + +<para> +<indexterm id="ch01-idx-951620-0" class="startofrange"><primary>print shares</primary></indexterm> +<indexterm id="ch01-idx-951620-1"><primary>printers</primary><secondary>sharing</secondary><see>print shares</see></indexterm>You probably noticed that the printer <literal>lp</literal> appeared under the available shares for <literal>hydra</literal> in <link linkend="ch01-76011">Figure 1.3</link>. This indicates that the Unix server has a printer that can be shared by the various SMB clients in the workgroup. Data sent to the printer from any of the clients will be spooled on the Unix server and printed in the order it is received.</para> + + +<para> +<indexterm id="ch01-idx-951636-0"><primary>print shares</primary><secondary>setting up on Windows client</secondary></indexterm>Setting up a Samba-enabled printer on the Windows side is even easier than setting up a disk share. By double-clicking on the printer and identifying the manufacturer and model, you can install a driver for this printer on the Windows client. Windows can then properly format any information sent to the network printer and access it as if it were a local printer (we show you how to do this later in the chapter). <link linkend="ch01-46265">Figure 1.7</link> shows the resulting network printer in the Printers window of Windows 98. Again, note the pipeline attachment below the printer, which identifies it as being on a network.</para> + + +<figure label="1.7" id="ch01-46265"> +<title>A network printer available on hydra (viewed from chimaera)</title> + +<graphic width="502" depth="223" fileref="figs/sam.0107.gif"></graphic> +</figure> + +<sect3 role="" label="1.2.2.1" id="ch01-SECT-2.2.1"> +<title>Seeing things from the Unix side</title> + + +<para>As mentioned earlier, Samba appears in Unix as a set of <indexterm id="ch01-idx-951638-0"><primary>daemons</primary><secondary>viewing</secondary></indexterm> +<indexterm id="ch01-idx-951638-1"><primary>viewing daemons</primary></indexterm> +<indexterm id="ch01-idx-951638-2"><primary>messages</primary><secondary sortas="daemons, reading">from daemons, reading</secondary></indexterm> +<indexterm id="ch01-idx-951638-3"><primary>daemons</primary><secondary>messages generated by, reading</secondary></indexterm>daemon programs. You can view them with the Unix <literal>ps</literal> and <literal>netstat</literal> commands, you can read any messages they generate through custom debug files or the Unix <literal>syslog</literal> (depending on how Samba is set up), and you can configure it from a single Samba properties file: <emphasis>smb.conf</emphasis> +<indexterm id="ch01-idx-951639-0"><primary>smb.conf (Samba configuration) file</primary></indexterm>. In addition, if you want to get an idea of what each of the <indexterm id="ch01-idx-951640-0"><primary>daemons</primary><secondary>status report</secondary></indexterm> +<indexterm id="ch01-idx-951640-1"><primary>status report on Samba</primary></indexterm>daemons are doing, Samba has a program called <emphasis>smbstatus</emphasis> +<indexterm id="ch01-idx-951641-0"><primary>smbstatus program</primary></indexterm> that will lay it all on the line. Here is how it works:</para> + + +<programlisting># <emphasis role="bold">smbstatus</emphasis> +Samba version 2.0.4 +Service uid gid pid machine +---------------------------------------------- +network davecb davecb 7470 phoenix (192.168.220.101) Sun May 16 +network davecb davecb 7589 chimaera (192.168.220.102) Sun May 16 + +Locked files: +Pid DenyMode R/W Oplock Name +-------------------------------------------------- +7589 DENY_NONE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp Sun May 16 21:23:40 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/word/office/findfast.exe +Sun May 16 20:51:08 1999 +7589 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll Sun May 16 21:23:39 1999 +7589 DENY_WRITE RDWR EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat Sun May 16 21:23:41 1999 +7470 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/word/office/osa.exe +Sun May 16 20:51:09 1999 +7589 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 21:20:33 1999 +7470 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 20:51:11 1999 + +Share mode memory usage (bytes): + 1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total</programlisting> + + +<para>The Samba status from this output provides three sets of data, each divided into separate sections. The first section tells which systems have <indexterm id="ch01-idx-951646-0"><primary>connected systems, status of</primary></indexterm>connected to the Samba server, identifying each client by its machine name (<literal>phoenix</literal> and <literal>chimaera</literal>) and IP address. The second section reports the name and status of the <indexterm id="ch01-idx-951647-0"><primary>files</primary><secondary sortas="use, status of">in use, status of</secondary></indexterm>files that are currently in use on a share on the server, including the read/write status and any <indexterm id="ch01-idx-951648-0"><primary>locks/locking files</primary></indexterm>locks on the files. Finally, Samba reports the amount of <indexterm id="ch01-idx-951649-0"><primary>memory, status of</primary></indexterm>memory it has currently allocated to the shares that it administers, including the amount actively used by the shares plus additional overhead. (Note that this is not the same as the total amount of memory that the <emphasis>smbd</emphasis> or <emphasis>nmbd</emphasis> processes are using.)</para> + + +<para>Don't worry if you don't understand these statistics; they will become easier to understand as you move through the<indexterm id="ch01-idx-951621-0" class="endofrange" startref="ch01-idx-951620-0"/> book.<indexterm id="ch01-idx-951467-0" class="endofrange" startref="ch01-idx-951466-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="1.3" id="ch01-88536"> +<title>Getting Familiar with a SMB/CIFS Network</title> + + +<para> +<indexterm id="ch01-idx-951651-0" class="startofrange"><primary>SMB/CIFS protocol</primary><secondary>network and</secondary></indexterm>Now that you have had a brief tour of Samba, let's take some time to get familiar with Samba's adopted environment: an SMB/CIFS network. Networking with SMB is significantly different from working with a Unix <indexterm id="ch01-idx-951650-0"><primary>TCP/IP networking protocol</primary></indexterm>TCP/IP network, because there are several new concepts to learn and a lot of information to cover. First, we will discuss the basic concepts behind an SMB network, followed by some Microsoft implementations of it, and finally we will show you where a Samba server can and cannot fit into the picture.</para> + + +<sect2 role="" label="1.3.1" id="ch01-SECT-3.1"> +<title>Understanding NetBIOS</title> + + +<para>To begin, let's step back in time. In 1984, IBM authored a simple <indexterm id="ch01-idx-951659-0"><primary>API (application programming interface)</primary></indexterm>application programming interface (API) for networking its computers called the <firstterm>Network Basic Input/Output System </firstterm> +<indexterm id="ch01-idx-951660-0"><primary>NetBIOS (Network Basic Input/Output System)</primary></indexterm> +<indexterm id="ch01-idx-951660-1"><primary>Network Basic Input/Output System</primary><see>NetBIOS</see></indexterm>(NetBIOS). The NetBIOS API provided a rudimentary design for an application to connect and share data with other computers.</para> + + +<para>It's helpful to think of the NetBIOS API as networking extensions to the standard BIOS API calls. With BIOS, each low-level call is confined to the hardware of the local machine and doesn't need any help traveling to its destination. NetBIOS, however, originally had to exchange instructions with computers across IBM PC or Token Ring networks. It therefore required a low-level transport protocol to carry its requests from one computer to the next.</para> + + +<para>In late 1985, IBM released one such protocol, which it merged with the NetBIOS API to become the <firstterm>NetBIOS Extended User Interface</firstterm> +<indexterm id="ch01-idx-951661-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>Extended User Interface</secondary><see>NetBEUI</see></indexterm> +<indexterm id="ch01-idx-951661-1"><primary>NetBEUI (NetBIOS Extended User Interface)</primary></indexterm> (<emphasis>NetBEUI</emphasis>). NetBEUI was designed for small local area networks (LANs), and it let each machine claim a name (up to 15 characters) that wasn't already in use on the network. By a "small LAN," we mean fewer than 255 nodes on the network—which was considered a practical restriction in 1985!</para> + + +<para>The NetBEUI protocol was very popular with networking applications, including those running under Windows for Workgroups. Later, implementations of NetBIOS over Novell's IPX networking protocols also emerged, which competed with NetBEUI. However, the networking protocols of choice for the burgeoning Internet community were TCP/IP and UDP/IP, and implementing the NetBIOS APIs over those protocols soon became a necessity.</para> + + +<para>Recall that <indexterm id="ch01-idx-951666-0"><primary>TCP/IP networking protocol</primary><secondary>compared with NetBIOS</secondary></indexterm>TCP/IP uses numbers to represent computer addresses, such as 192.168.220.100, while <indexterm id="ch01-idx-951667-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>compared with TCP/IP</secondary></indexterm> +<indexterm id="ch01-idx-951667-1"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>name</secondary><see>NetBIOS name</see></indexterm>NetBIOS uses only names. This was a major issue when trying to mesh the two protocols together. In 1987, the Internet Engineering Task Force (IETF) published a series of standardization documents, titled RFC 1001 and 1002, that outlined how NetBIOS would work over a TCP/UDP network. This set of documents still governs each of the implementations that exist today, including those provided by Microsoft with their Windows operating systems as well as the Samba suite.</para> + + +<para>Since then, the standard this document governs has become known as <firstterm>NetBIOS over TCP/IP</firstterm> +<indexterm id="ch01-idx-951668-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary sortas="TCP/IP">over TCP/IP</secondary></indexterm> +<indexterm id="ch01-idx-951668-1"><primary>TCP/IP networking protocol</primary><secondary>NetBIOS over</secondary></indexterm> +<indexterm id="ch01-idx-951668-2"><primary>NBT standard</primary></indexterm>, or NBT for short. The NBT standard (RFC 1001/1002) currently outlines a trio of services on a network:</para> + + +<itemizedlist> +<listitem><para>A name service</para></listitem> +<listitem><para>Two communication services:</para> + +<itemizedlist> +<listitem><para>Datagrams</para></listitem> +<listitem><para>Sessions</para></listitem> +</itemizedlist></listitem> +</itemizedlist> + +<para>The <indexterm id="ch01-idx-951671-0"><primary>name services</primary></indexterm>name service solves the name-to-address problem mentioned earlier; it allows each computer to declare a specific name on the network that can be translated to a machine-readable IP address, much like today's DNS on the Internet. The <indexterm id="ch01-idx-951672-0"><primary>datagram service</primary></indexterm> +<indexterm id="ch01-idx-951672-1"><primary>session service</primary></indexterm>datagram and session services are both secondary communication protocols used to transmit data back and forth from NetBIOS machines across the network.</para> +</sect2> + + + + + +<sect2 role="" label="1.3.2" id="ch01-SECT-3.2"> +<title>Getting a Name</title> + + +<para> +<indexterm id="ch01-idx-951674-0" class="startofrange"><primary>naming</primary><secondary>machines on NetBIOS network</secondary></indexterm> +<indexterm id="ch01-idx-951674-1" class="startofrange"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>network, naming machines on</secondary></indexterm>For a human being, getting a name is easy. However, for a machine on a NetBIOS network, it can be a little more complicated. Let's look at a few of the issues.</para> + + +<para>In the NetBIOS world, when each machine comes online, it wants to claim a name for itself; this is called <firstterm>name registration</firstterm> +<indexterm id="ch01-idx-951675-0"><primary>name registration</primary></indexterm>. However, no two machines in the same workgroup should be able to claim the same name; this would cause endless confusion for any machine that wanted to communicate with either machine. There are two different approaches to ensuring that this doesn't happen:</para> + + +<itemizedlist> +<listitem><para>Use a <firstterm>NetBIOS Name Server</firstterm> +<indexterm id="ch01-idx-951677-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>name server (NBNS)</secondary></indexterm> +<indexterm id="ch01-idx-951677-1"><primary>NBNS</primary><see>NetBIOS, name server</see></indexterm> (NBNS) to keep track of which hosts have registered a NetBIOS name.</para></listitem> +<listitem><para>Allow each machine on the network to defend its name in the event that another machine attempts to use it.</para></listitem> +</itemizedlist> + +<para><link linkend="ch01-86658">Figure 1.8</link> illustrates a (failed) name registration, with and without a NetBIOS Name Server.</para> + + +<figure label="1.8" id="ch01-86658"> +<title>NBNS versus non-NBNS name registration</title> + +<graphic width="502" depth="391" fileref="figs/sam.0108.gif"></graphic> +</figure> + +<para>In addition, there must be a way to resolve a NetBIOS name to a specific IP address as mentioned earlier; this is known as <firstterm>name resolution</firstterm> +<indexterm id="ch01-idx-951679-0"><primary>name resolution</primary></indexterm>. There are two different approaches with NBT here as well:</para> + + +<itemizedlist> +<listitem><para>Have each machine report back its IP address when it "hears" a broadcast request for its NetBIOS name.</para></listitem> +<listitem><para>Use the NBNS to help resolve NetBIOS names to IP addresses.</para></listitem> +</itemizedlist> + +<para><link linkend="ch01-72484">Figure 1.9</link> illustrates the two types of name resolution.</para> + + +<figure label="1.9" id="ch01-72484"> +<title>NBNS versus non-NBNS name resolution</title> + +<graphic width="502" depth="391" fileref="figs/sam.0109.gif"></graphic> +</figure> + +<para>As you might expect, having an NBNS on your network can help out tremendously. To see exactly why, let's look at the non-NBNS method.</para> + + +<para>Here, when a client machine boots, it will broadcast a message declaring that it wishes to register a specified NetBIOS name as its own. If nobody objects to the use of the name after multiple registration attempts, it keeps the name. On the other hand, if another machine on the local <indexterm id="ch01-idx-951896-0"><primary>subnets</primary></indexterm>subnet is currently using the requested name, it will send a message back to the requesting client that the name is already taken. This is known as <firstterm>defending</firstterm> +<indexterm id="ch01-idx-951687-0"><primary>defending hostnames</primary></indexterm> the hostname. This type of system comes in handy when one client has unexpectedly dropped off the network—another can take its name unchallenged—but it does incur an inordinate amount of traffic on the network for something as simple as name registration.</para> + + +<para>With an NBNS, the same thing occurs, except that the communication is confined to the requesting machine and the NBNS server. No broadcasting occurs when the machine wishes to register the name; the registration message is simply sent directly from the client to NBNS server and the NBNS server replies whether or not the name is already taken. This is known as <firstterm>point-to-point communication</firstterm> +<indexterm id="ch01-idx-951688-0"><primary>point-to-point communication</primary></indexterm>, and is often beneficial on networks with more than one subnet. This is because routers are often preconfigured to block incoming packets that are broadcast to all machines in the subnet.</para> + + +<para>The same principles apply to name resolution. Without an NBNS, NetBIOS name resolution would also be done with a broadcast mechanism. All request packets would be sent to each computer in the network, with the hope that one machine that might be affected will respond directly back to the machine that asked. At this point, it's clear that using an NBNS server and point-to-point communication for this purpose is far less taxing on the network than flooding the network with broadcasts for every name resolution request.<indexterm id="ch01-idx-951682-0" class="endofrange" startref="ch01-idx-951674-0"/> +<indexterm id="ch01-idx-951682-1" class="endofrange" startref="ch01-idx-951674-1"/></para> +</sect2> + + + + + +<sect2 role="" label="1.3.3" id="ch01-SECT-3.3"> +<title>Node Types</title> + + +<para> +<indexterm id="ch01-idx-951690-0"><primary>node types</primary></indexterm>How can you tell what strategy each client on your network will use when performing name registration and resolution? Each machine on an NBT network earns one of the following designations, depending on how it handles name registration and resolution: <indexterm id="ch01-idx-951691-0"><primary>b-node</primary></indexterm> +<indexterm id="ch01-idx-951691-1"><primary>p-node</primary></indexterm> +<indexterm id="ch01-idx-951691-2"><primary>m-node</primary></indexterm> +<indexterm id="ch01-idx-951691-3"><primary>h-node</primary></indexterm>b-node, p-node, m-node, and h-node. The behaviors of each type of node are summarized in <link linkend="ch01-91681">Table 1.1</link>.</para> + + +<table label="1.1" id="ch01-91681"> +<title>NetBIOS Node Types </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Role</para></entry> + +<entry colname="col2"><para>Value</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>b-node</para></entry> + +<entry colname="col2"><para>Uses<indexterm id="ch01-idx-951692-0"><primary>broadcast registration</primary></indexterm> +<indexterm id="ch01-idx-951692-1"><primary>broadcast resolution</primary></indexterm> broadcast registration and resolution only.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>p-node</para></entry> + +<entry colname="col2"><para>Uses <indexterm id="ch01-idx-951693-0"><primary>point-to-point registration/resolution</primary></indexterm>point-to-point registration and resolution only.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>m-node</para></entry> + +<entry colname="col2"><para>Uses broadcast for registration. If successful, it notifies the NBNS server of the result. Uses broadcast for resolution; uses NBNS server if broadcast is unsuccessful.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>h-node (hybrid)</para></entry> + +<entry colname="col2"><para>Uses NBNS server for registration and resolution; uses broadcast if the NBNS server is unresponsive or inoperative.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>In the case of Windows clients, you will usually find them listed as <firstterm>h-nodes</firstterm> or <firstterm>hybrid nodes</firstterm>. Incidentally, h-nodes were invented later by Microsoft, as a more fault-tolerant route, and do not appear in RFC 1001/1002.</para> + + +<para>You can find out the node type of any Windows machine by typing the command <literal>ipconfig</literal> <literal>/all</literal> and searching for the line that says <literal>Node Type</literal>.</para> + + +<programlisting><emphasis role="bold">C:\>ipconfig /all</emphasis> +Windows 98 IP Configuration +... + Node Type . . . . . . . . . . : Hybrid +...</programlisting> +</sect2> + + + + + +<sect2 role="" label="1.3.4" id="ch01-SECT-3.4"> +<title>What's in a Name?</title> + + +<para>The <indexterm id="ch01-idx-951695-0" class="startofrange"><primary>NetBIOS name</primary></indexterm>names NetBIOS uses are quite different from the DNS hostnames you might be familiar with. First, NetBIOS names exist in a <indexterm id="ch01-idx-951696-0"><primary>flat namespaces</primary></indexterm>flat namespace. In other words, there are no qualifiers such as <emphasis>ora.com</emphasis> or <emphasis>samba.org</emphasis> to section off hostnames; there is only a single unique name to represent each computer. Second, NetBIOS names are allowed to be only 15 characters, may not begin with an asterisk (*), and can consist only of standard alphanumeric characters (a-z, A-Z, 0-9) and the following:</para> + + +<programlisting>! @ # $ % ^ & ( ) - ' { } . ~</programlisting> + + +<para>Although you are allowed to use a period (.) in a NetBIOS name, we recommend against it because those names are not guaranteed to work in future versions of NetBIOS over TCP/IP.</para> + + +<para>It's not a coincidence that all valid <indexterm id="ch01-idx-952041-0"><primary>DNS (Domain Name System)</primary><secondary>names</secondary><tertiary>NetBIOS names and</tertiary></indexterm>DNS names are also valid NetBIOS names. In fact, the DNS name for a Samba server is often reused as its NetBIOS name. For example, if you had a machine <literal>phoenix.ora.com </literal>, its NetBIOS name would likely be PHOENIX (followed by 8 blanks).</para> + + +<sect3 role="" label="1.3.4.1" id="ch01-SECT-3.4.1"> +<title>Resource names and types</title> + + +<para>With NetBIOS, a machine not only advertises its presence, but also tells others what types of services it offers. For example, <literal>phoenix</literal> can indicate that it's not just a workstation, but is also a file server and can receive WinPopup messages. This is done by adding a 16th byte to the end of the machine (<indexterm id="ch01-idx-951698-0"><primary>resource names</primary></indexterm>resource) name, called the <indexterm id="ch01-idx-951704-0"><primary>resource types</primary></indexterm><firstterm>resource type</firstterm>, and registering the name more than once. See <link linkend="ch01-74707">Figure 1.10</link>.</para> + + +<figure label="1.10" id="ch01-74707"> +<title>The structure of NetBIOS names</title> + +<graphic width="502" depth="153" fileref="figs/sam.0110.gif"></graphic> +</figure> + +<para>The one-byte resource type indicates a unique service the named machine provides. In this book, you will often see the resource type shown in <indexterm id="ch01-idx-951708-0"><primary>angled brackets (<>)</primary></indexterm>angled brackets (<indexterm id="ch01-idx-951709-0"><primary><\> (angled brackets)</primary></indexterm><>) after the NetBIOS name, such as:</para> + + +<programlisting>PHOENIX<00></programlisting> + + +<para>You can see which names are registered for a particular NBT machine using the Windows command-line <indexterm id="ch01-idx-951710-0"><primary>NBTSTAT utility</primary></indexterm>NBTSTAT utility. Because these services are unique (i.e., there cannot be more than one registered), you will see them listed as type UNIQUE in the output. For example, the following partial output describes the <literal>hydra</literal> server:</para> + + +<programlisting><emphasis role="bold">D:\>NBTSTAT -a hydra</emphasis> + + NetBIOS Remote Machine Name Table + Name Type Status +--------------------------------------------- +HYDRA <00> UNIQUE Registered +HYDRA <03> UNIQUE Registered +HYDRA <20> UNIQUE Registered +...</programlisting> + + +<para>This says the server has registered the NetBIOS name <literal>hydra</literal> as a <indexterm id="ch01-idx-951711-0"><primary>machine name, types</primary></indexterm> +<indexterm id="ch01-idx-951711-1"><primary>naming</primary><secondary>machine name, types</secondary></indexterm>machine (workstation) name, a recipient of WinPopup messages, and a file server. Some possible attributes a name can have are listed in <link linkend="ch01-11471">Table 1.2</link>.</para> + + +<table label="1.2" id="ch01-11471"> +<title>NetBIOS Unique Resource Types </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para> +<indexterm id="ch01-idx-951723-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>Unique Resource Types</secondary></indexterm>Named Resource</para></entry> + +<entry colname="col2"><para> +<indexterm id="ch01-idx-951735-0"><primary>Hexidecimal byte value</primary><secondary>for NetBIOS unique resource types</secondary></indexterm>Hexidecimal Byte Value</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Standard Workstation Service</para></entry> + +<entry colname="col2"><para>00</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Messenger Service (WinPopup)</para></entry> + +<entry colname="col2"><para>03</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>RAS Server Service</para></entry> + +<entry colname="col2"><para>06</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Domain Master Browser Service (associated with primary domain controller)</para></entry> + +<entry colname="col2"><para>1B</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Master Browser name</para></entry> + +<entry colname="col2"><para>1D</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>NetDDE Service</para></entry> + +<entry colname="col2"><para>1F</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Fileserver (including printer server)</para></entry> + +<entry colname="col2"><para>20</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>RAS Client Service</para></entry> + +<entry colname="col2"><para>21</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Network Monitor Agent</para></entry> + +<entry colname="col2"><para>BE</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Network Monitor Utility</para></entry> + +<entry colname="col2"><para>BF</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Note that because <indexterm id="ch01-idx-951737-0"><primary>DNS (Domain Name System)</primary><secondary>names</secondary><tertiary> resource types and</tertiary></indexterm>DNS names don't have resource types, the designers intentionally made hexidecimal value 20 (an ASCII space) default to the type for a file server.</para> +</sect3> + + + +<sect3 role="" label="1.3.4.2" id="ch01-SECT-3.4.2"> +<title>Group names and types</title> + + +<para> +<indexterm id="ch01-idx-951786-0"><primary>groups</primary><secondary>names of</secondary></indexterm> +<indexterm id="ch01-idx-951786-1"><primary>groups</primary><secondary>types of</secondary></indexterm>SMB also uses the concept of groups, with which machines can register themselves. Earlier, we mentioned that the machines in our example belonged to a <firstterm>workgroup</firstterm>, which is a partition of machines on the same network. For example, a business might very easily have an ACCOUNTING and a SALES workgroup, each with different servers and printers. In the Windows world, a workgroup and an SMB group are the same thing.</para> + + +<para>Continuing our NBTSTAT example, the <literal>hydra</literal> Samba server is also a member of the SIMPLE workgroup (the GROUP attribute hex 00), and will stand for election as a browse master (GROUP attribute 1E). Here is the remainder of the NBTSTAT utility output:</para> + + +<programlisting> NetBIOS Remote Machine Name Table, continued + Name Type Status +--------------------------------------------- +SIMPLE <00> GROUP Registered +SIMPLE <1E> GROUP Registered +.._ _MSBROWSE_ _.<01> GROUP Registered</programlisting> + + +<para>The possible group attributes a machine can have are illustrated in <link linkend="ch01-52395">Table 1.3</link>. More information is available in <indexterm id="ch01-idx-951787-0"><primary>resources for further information</primary><secondary>group attributes</secondary></indexterm><citetitle>Windows NT in a Nutshell</citetitle> by Eric Pearce, also published by O'Reilly.</para> + + +<table label="1.3" id="ch01-52395"> +<title>NetBIOS Group Resource Types </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Named Resource</para></entry> + +<entry colname="col2"><para> +<indexterm id="ch01-idx-951781-0"><primary>Hexidecimal byte value</primary><secondary>for NetBIOS group resource types</secondary></indexterm>Hexidecimal Byte Value</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Standard Workstation group</para></entry> + +<entry colname="col2"><para>00</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Logon Server</para></entry> + +<entry colname="col2"><para>1C</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Master Browser name</para></entry> + +<entry colname="col2"><para>1D</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Normal Group name (used in browser elections)</para></entry> + +<entry colname="col2"><para>1E</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Internet Group name (administrative)</para></entry> + +<entry colname="col2"><para>20</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal><01><02>_ _MSBROWSE_ _<02></literal></para></entry> + +<entry colname="col2"><para>01</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>The final entry, <literal>_ _ MSBROWSE _ _ </literal>, is used to announce a group to other master browsers. The nonprinting characters in the name show up as dots in a NBTSTAT printout. Don't worry if you don't understand all of the resource or group types. Some of them you will not need with Samba, and others you will pick up as you move through the rest of the chapter. The important thing to remember here is the logistics of the naming mechanism.<indexterm id="ch01-idx-951790-0" class="endofrange" startref="ch01-idx-951695-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="1.3.5" id="ch01-SECT-3.5"> +<title>Datagrams and Sessions</title> + + +<para><firstterm></firstterm> +<indexterm id="ch01-idx-951800-0" class="startofrange"><primary>session service</primary></indexterm> +<indexterm id="ch01-idx-951800-1" class="startofrange"><primary>datagram service</primary></indexterm>At this point, let's digress to introduce another responsibility of NBT: to provide connection services between two NetBIOS machines. There are actually two services offered by NetBIOS over TCP/IP: the <firstterm>session service</firstterm> and the <firstterm>datagram service</firstterm>. Understanding how these two services work is not essential to using Samba, but it does give you an idea of how NBT works and how to troubleshoot Samba when it doesn't work.</para> + + +<para>The datagram service has no stable connection between one machine and another. Packets of data are simply sent or broadcast from one machine to another, without regard for the order that they arrive at the destination, or even if they arrive at all. The use of datagrams is not as network intensive as sessions, although they can bog down a network if used unwisely (remember broadcast name resolution earlier?) Datagrams, therefore, are used for quickly sending simple blocks of data to one or more machines. The datagram service communicates using the simple primitives shown in <link linkend="ch01-29352">Table 1.4</link>.</para> + + +<table label="1.4" id="ch01-29352"> +<title>Datagram Primitives </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Primitive</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Send Datagram</para></entry> + +<entry colname="col2"><para>Send datagram packet to machine or groups of machines.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Send Broadcast Datagram</para></entry> + +<entry colname="col2"><para>Broadcast datagram to any machine waiting with a Receive Broadcast Datagram.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Receive Datagram</para></entry> + +<entry colname="col2"><para>Receive a datagram from a machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Receive Broadcast Datagram</para></entry> + +<entry colname="col2"><para>Wait for a broadcast datagram.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>The session service is more complex. Sessions are a communication method that, in theory, offers the ability to detect problematic or inoperable connections between two NetBIOS applications. It helps to think of an NBT session in terms of a telephone call.<footnote label="5" id="ch01-pgfId-946249"> + + +<para>As you can see in RFC 1001, the telephone analogy was strongly evident in the creation of the NBT service.</para> + + +</footnote> A full-duplex connection is opened between a caller machine and a called machine, and it must remain open throughout the duration of their conversation. Each side knows who the caller and the called machine is, and can communicate with the simple primitives shown in <link linkend="ch01-75575">Table 1.5</link>.</para> + + +<table label="1.5" id="ch01-75575"> +<title>Session Primitives </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Primitive</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Call</para></entry> + +<entry colname="col2"><para>Initiate a session with a machine listening under a specified name.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Listen</para></entry> + +<entry colname="col2"><para>Wait for a call from a known caller or any caller.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Hang-up</para></entry> + +<entry colname="col2"><para>Exit a call.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Send</para></entry> + +<entry colname="col2"><para>Send data to the other machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Receive</para></entry> + +<entry colname="col2"><para>Receive data from the other machine.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Session Status</para></entry> + +<entry colname="col2"><para>Get information on requested sessions.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Sessions are the backbone of resource sharing on an NBT network. They are typically used for establishing stable connections from client machines to disk or printer shares on a server. The client "calls" the server and starts trading information such as which files it wishes to open, which data it wishes to exchange, etc. These calls can last a long time—hours, even days—and all of this occurs within the context of a single connection. If there is an error, the session software (TCP) will retransmit until the data is received properly, unlike the "punt-and-pray" approach of the datagram service (UDP).</para> + + +<para>In truth, while sessions are supposed to be able to handle problematic communications, they often don't. As you've probably already discovered when using Windows networks, this is a serious detriment to using NBT sessions. If the connection is interrupted for some reason, session information that is open between the two computers can easily become invalidated. If that happens, the only way to regain the session information is for the same two computers to call each other again and start over.</para> + + +<para>If you want more information on each of these services, we recommend you look at RFC 1001. However, there are two important things to remember here:</para> + + +<itemizedlist> +<listitem><para>Sessions always occur between <emphasis>two</emphasis> NetBIOS machines—no more and no less. If a session service is interrupted, the client is supposed to store sufficient state information for it to re-establish the connection. However, in practice, this is rarely the case.</para></listitem> +<listitem><para>Datagrams can be broadcast to multiple machines, but they are unreliable. In other words, there is no way for the source to know that the datagrams it sent have indeed arrived at their<firstterm></firstterm> +<indexterm id="ch01-idx-951807-0" class="endofrange" startref="ch01-idx-951800-0"/> +<indexterm id="ch01-idx-951807-1" class="endofrange" startref="ch01-idx-951800-1"/> destinations.<indexterm id="ch01-idx-951654-0" class="endofrange" startref="ch01-idx-951651-0"/></para></listitem> +</itemizedlist> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="1.4" id="ch01-43359"> +<title>Microsoft Implementations</title> + + +<para> +<indexterm id="ch01-idx-951821-0" class="startofrange"><primary>implementations, Microsoft</primary></indexterm> +<indexterm id="ch01-idx-951821-1" class="startofrange"><primary>Microsoft</primary><secondary>implementations</secondary></indexterm>With that amount of background, we can now talk about some of Microsoft's implementations of the preceding concepts in the CIFS/SMB networking world. And, as you might expect, there are some complex extensions to introduce as well.</para> + + +<sect2 role="" label="1.4.1" id="ch01-SECT-4.1"> +<title>Windows Domains</title> + + +<para> +<indexterm id="ch01-idx-951815-0" class="startofrange"><primary>domains</primary></indexterm>Recall that a workgroup is a collection of SMB computers that all reside on a subnet and subscribe to the same SMB group. A <firstterm>Windows domain</firstterm> goes a step further. It is a workgroup of SMB machines that has one addition: a server acting as a <firstterm>domain controller</firstterm>. You must have a domain controller in order to have a Windows domain.<footnote label="6" id="ch01-pgfId-947021"> + + +<para>Windows domains are called <indexterm id="ch01-idx-953044-0"><primary>domains</primary><secondary>Windows</secondary></indexterm> +<indexterm id="ch01-idx-953044-1"><primary>Windows NT</primary><secondary>domains</secondary></indexterm>"Windows NT domains" by Microsoft because they assume that Windows NT machines will take the role of the domain controller. However, because Samba can perform this function as well, we'll simply call them "Windows domains" to avoid confusion.</para> + + +</footnote> Otherwise, it is only a workgroup. See <link linkend="ch01-96972">Figure 1.11</link>.</para> + + +<figure label="1.11" id="ch01-96972"> +<title>A simple Windows domain</title> + +<graphic width="502" depth="209" fileref="figs/sam.0111.gif"></graphic> +</figure> + +<para> +<indexterm id="ch01-idx-951829-0" class="startofrange"><primary>domain controllers</primary><secondary sortas="Windows 95/98">for Windows 95/98</secondary></indexterm> +<indexterm id="ch01-idx-951829-1" class="startofrange"><primary>Windows 95/98</primary><secondary>domain controllers for</secondary></indexterm>There are currently two separate protocols used by a domain controller (logon server): one for communicating with Windows 95/98 machines and one for communicating with Windows NT machines. While Samba currently implements the domain controller protocol for Windows 95/98 (which allows it to act as a domain controller for Windows 9<emphasis>x</emphasis> machines), it still does not fully support the protocol for Windows NT computers. However, the Samba team promises that support for the Windows NT domain controller protocol is forthcoming in Samba 2.1.</para> + + +<tip id="ch01-NOTE-0" role="ora"> +<para>Why all the difficulty? The protocol that Windows domain controllers use to communicate with their clients and other domain controllers is proprietary and has not been released by Microsoft. This has forced the Samba development team to reverse-engineer the domain controller protocol to see which codes perform specific tasks.</para> + +</tip> + +<sect3 role="" label="1.4.1.1" id="ch01-SECT-4.1.1"> +<title>Domain controllers</title> + + +<para>The domain controller is the nerve center of a Windows domain, much like an NIS server is the nerve center of the Unix network information service. Domain controllers have a variety of responsibilities. One responsibility that you need to be concerned with is <firstterm>authentication</firstterm> +<indexterm id="ch01-idx-951839-0"><primary>authentication</primary></indexterm>. Authentication is the process of granting or denying a user access to a shared resource on another network machine, typically through the use of a password.</para> + + +<para>Each domain controller uses a <firstterm>security account manager</firstterm> +<indexterm id="ch01-idx-951840-0"><primary>security account manager (SAM)</primary></indexterm> +<indexterm id="ch01-idx-951840-1"><primary>SAM (security account manager)</primary></indexterm> (SAM) to maintain a list of username-password combinations. The domain controller then forms a central repository of passwords that are tied to usernames (one password per user), which is more efficient than each client machine maintaining hundreds of passwords for every network resource available.</para> + + +<para>On a Windows domain, when a non-authenticated client requests access to a server's shares, the server will turn around and ask the domain controller whether that user is authenticated. If it is, the server will establish a session connection with the access rights it has for that service and user. If not, the connection is denied. Once a user is authenticated by the domain controller, a special authenticated token will be returned to the client so that the user will not need to relogin to other resources on that domain. At this point, the user is considered "logged in" to the domain itself. See <link linkend="ch01-49344">Figure 1.12</link>.</para> + + +<figure label="1.12" id="ch01-49344"> +<title>Using a domain controller for authentication</title> + +<graphic width="502" depth="242" fileref="figs/sam.0112.gif"></graphic> +</figure> +</sect3> + + + +<sect3 role="" label="1.4.1.2" id="ch01-SECT-4.1.2"> +<title>Primary and backup domain controllers</title> + + +<para> +<indexterm id="ch01-idx-951842-0"><primary>domain controllers</primary></indexterm> +<indexterm id="ch01-idx-951842-1"><primary>backup domain controllers (BDCs)</primary></indexterm> +<indexterm id="ch01-idx-951842-2"><primary>PDC (primary domain controller)</primary></indexterm> +<indexterm id="ch01-idx-951842-3"><primary>BDCs (backup domain controllers)</primary></indexterm> +<indexterm id="ch01-idx-951842-4"><primary>primary domain controller</primary><see>PDC</see></indexterm>Redundancy is a key idea behind a Windows domain. The domain controller that is currently active on a domain is called the <firstterm>primary domain controller</firstterm> (PDC). There can be one or more <firstterm>backup domain controllers</firstterm> (BDCs) in the domain as well, which will take over in the event that the primary domain controller fails or becomes inaccessible. BDCs frequently synchronize their SAM data with the primary domain controller so that, if the need arises, any one of them can perform DC services transparently without impacting its clients. Note that BDCs, however, have only read-only copies of the SAM; they can update their data only by synchronizing with a PDC. A server in a Windows domain can use the SAM of any primary or backup domain controller to authenticate a user who attempts to access its resources and logon to the domain.</para> + + +<para>Note that in many aspects, the behaviors of a <indexterm id="ch01-idx-951844-0"><primary>workgroups</primary><secondary>Windows</secondary><tertiary>behaviors vs. Windows domain</tertiary></indexterm> +<indexterm id="ch01-idx-951844-1"><primary>domains</primary><secondary>behavior vs. Windows workgroups</secondary></indexterm>Windows workgroup and a Windows domain overlap. This is not accidental since the concept of Windows domains did not evolve until Windows NT 3.5 was introduced, and Windows domains were forced to remain <indexterm id="ch01-idx-951873-0"><primary>backwards compatibility</primary><secondary>Windows domains and</secondary></indexterm>backwards compatible with the workgroups present in Windows for Workgroups 3.1. The key thing to remember here is that a Windows domain is simply a Windows workgroup with one or more domain controllers added.</para> + + +<para>Samba can function as a primary domain controller for Windows 95/98 machines without any problems. However, <indexterm id="ch01-idx-951845-0"><primary>Samba</primary><secondary>version 2.0</secondary></indexterm> +<indexterm id="ch01-idx-951845-1"><primary>Samba</primary><secondary>version 2.1</secondary></indexterm>Samba 2.0 can act as a primary domain controller only for authentication purposes; it currently cannot assume any other PDC responsibilities. (By the time you read this, Samba 2.1 may be available so you can use Samba as a PDC for NT clients.) Also, because of the closed protocol used by Microsoft to synchronize SAM data, Samba currently cannot serve as a backup domain<indexterm id="ch01-idx-951832-0" class="endofrange" startref="ch01-idx-951829-0"/> +<indexterm id="ch01-idx-951832-1" class="endofrange" startref="ch01-idx-951829-1"/> controller.<indexterm id="ch01-idx-951820-0" class="endofrange" startref="ch01-idx-951815-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="1.4.2" id="ch01-SECT-4.2"> +<title>Browsing</title> + + +<para> +<indexterm id="ch01-idx-951846-0" class="startofrange"><primary>browsing</primary></indexterm>Browsing is a high-level answer to the user question: "What machines are out there on the Windows network?" Note that there is no connection with a World Wide Web browser, apart from the general idea of "discovering what's there." And, like the Web, what's out there can change without warning.</para> + + +<para>Before browsing, users had to know the name of the specific computer they wanted to connect to on the network, and then manually enter a UNC such as the following into an application or file manager to access resources:</para> + + +<programlisting>\\HYDRA\network\</programlisting> + + +<para>With browsing, however, you can examine the contents of a machine using a standard point-and-click GUI—in this case, the<indexterm id="ch01-idx-951848-0"><primary>Network Neighborhood window</primary></indexterm> Network Neighborhood window in a Windows client.</para> + + +<sect3 role="" label="1.4.2.1" id="ch01-SECT-4.2.1"> +<title>Levels of browsing</title> + + +<para>As we hinted at the beginning of the chapter, there are actually two types of browsing that you will encounter in an SMB/CIFS network:</para> + + +<itemizedlist> +<listitem><para>Browsing a list of machines (with shared resources)</para></listitem> +<listitem><para>Browsing the shared resources of a specific machine</para></listitem> +</itemizedlist> + +<para> +<indexterm id="ch01-idx-951851-0"><primary>browsing</primary><secondary>machines, list of</secondary></indexterm>Let's look at the first one. On each Windows workgroup (or domain) subnet, one computer has the responsibility of maintaining a list of the machines that are currently accessible through the network. This computer is called the <firstterm>local master browser</firstterm> +<indexterm id="ch01-idx-951850-0"><primary>local master browser</primary></indexterm> +<indexterm id="ch01-idx-951850-1"><primary>browse lists</primary></indexterm>, and the list that it maintains is called the <firstterm>browse list</firstterm>. Machines on a subnet use the browse list in order to cut down on the amount of network traffic generated while browsing. Instead of each computer dynamically polling to determine a list of the currently available machines, the computer can simply query the local master browser to obtain a complete, up-to-date list.</para> + + +<para> +<indexterm id="ch01-idx-951852-0" class="startofrange"><primary>browsing</primary><secondary>resources of a specific machine</secondary></indexterm>To browse the actual resources on a machine, a user must connect to the specific machine; this information cannot be obtained from the browse list. Browsing the list of resources on a machine can be done by clicking on the machine's icon when it is presented in the Network Neighborhood in Windows 95/98 or NT. As you saw at the opening of the chapter, the machine will respond with a list of shared resources that can be accessed if that user is successfully authenticated.</para> + + +<para>Each of the servers on a Windows workgroup is required to announce its presence to the local master browser after it has registered a NetBIOS name, and (theoretically) announce that it is leaving the workgroup when it is shut down. It is the local master browser's responsibility to record what the servers have announced. Note that the local master browser is not necessarily the same machine as a NetBIOS name server (NBNS), which we discussed earlier.</para> + + +<warning id="ch01-NOTE-1" role="ora"> +<para>The <indexterm id="ch01-idx-952154-0"><primary>Network Neighborhood window</primary></indexterm>Windows Network Neighborhood can behave oddly: until you select a particular machine to browse, the Network Neighborhood window may contain data that is not up-to-date. That means that the Network Neighborhood window can be showing machines that have crashed, or can be missing machines that haven't been noticed yet. Put succinctly, once you've selected a server and connected to it, you can be a lot more confident that the shares and printers really exist on the network.</para> + +</warning> + +<para>Unlike the roles you've seen earlier, almost any Windows machine (NT Server, NT Workstation, 98, 95, or Windows 3.1 for Workgroups) can act as a local master browser. As with the domain controller, the local master browser can have one or more <firstterm>backup browsers</firstterm> +<indexterm id="ch01-idx-952161-0"><primary>backup browsers</primary><secondary>local master browser</secondary></indexterm> on the local subnet that will take over in the event that the local master browser fails or becomes inaccessible. To ensure fluid operation, the local backup browsers will frequently synchronize their browse list with the local master browser. Let's update our Windows domain diagram to include both a local master and local backup browser. The result is shown in <link linkend="ch01-77521">Figure 1.13</link>.</para> + + +<figure label="1.13" id="ch01-77521"> +<title>A Windows domain with a local master and local backup browser</title> + +<graphic width="502" depth="209" fileref="figs/sam.0113.gif"></graphic> +</figure> + +<para>Here is how to calculate the minimum number of <indexterm id="ch01-idx-951868-0"><primary>backup browsers</primary><secondary>maximum number per workgroup</secondary></indexterm>backup browsers that will be allocated on a workgroup:</para> + + +<itemizedlist> +<listitem><para>If there are between 1 and 32 Windows NT workstations on the network, or between 1 and 16 Windows 95/98 machines on the network, the local master browser allocates one backup browser in addition to the local master browser.</para></listitem> +<listitem><para>If the number of Windows NT workstations falls between 33 and 64, or the number of Windows 95/98 workstations falls between 17 and 32, the local master browser allocates two backup browsers.</para></listitem> +<listitem><para>For each group of 32 NT workstations or 16 Windows 95/98 machines beyond this, the local master browser allocates another backup browser.</para></listitem> +</itemizedlist> + +<para>There is currently no upper limit on the number of <indexterm id="ch01-idx-951869-0"><primary>backup browsers</primary><secondary sortas="local master browser">per local master browser</secondary></indexterm> +<indexterm id="ch01-idx-951869-1"><primary>master browsers</primary><see>local master browser; DMB; preferred master browser</see></indexterm>backup browsers that can be allocated by the local master browser.<indexterm id="ch01-idx-951855-0" class="endofrange" startref="ch01-idx-951852-0"/></para> +</sect3> + + + +<sect3 role="" label="1.4.2.2" id="ch01-SECT-4.2.2"> +<title>Browsing elections</title> + + +<para>Browsing is a critical aspect of any Windows workgroup. However, not everything runs perfectly on any network. For example, let's say that the Windows NT Server on the desk of a small company's CEO is the local master browser—that is, until he switches it off while plugging in his massage chair. At this point the Windows NT Workstation in the spare parts department might agree to take over the job. However, that computer is currently running a large, poorly written program that has brought its processor to its knees. The moral: browsing has to be very tolerant of servers coming and going. Because nearly every Windows machine can serve as a browser, there has to be a way of deciding at any time who will take on the job. This decision-making process is called an <firstterm>election</firstterm> +<indexterm id="ch01-idx-951870-0"><primary>elections</primary></indexterm> +<indexterm id="ch01-idx-951870-1"><primary>browsing</primary><secondary>elections</secondary></indexterm>.</para> + + +<para>An election algorithm is built into nearly all Windows operating systems such that they can each agree who is going to be a local master browser and who will be local backup browsers. An election can be forced at any time. For example, let's assume that the CEO has finished his massage and reboots his server. As the server comes online, it will announce its presence and an election will take place to see if the PC in the spare parts department should still be the master browser.</para> + + +<para>When an election is performed, each machine broadcasts via datagrams information about itself. This information includes the following:</para> + + +<itemizedlist> +<listitem><para>The version of the election protocol used</para></listitem> +<listitem><para>The operating system on the machine</para></listitem> +<listitem><para>The amount of time the client has been on the network</para></listitem> +<listitem><para>The hostname of the client</para></listitem> +</itemizedlist> + +<para>These values determine which operating system has seniority and will fulfill the role of the local master browser. (<link linkend="SAMBA-CH-6">Chapter 6</link>, describes the election process in more detail.) The architecture developed to achieve this is not elegant and has built-in security problems. While a browsing domain can be integrated with domain security, the election algorithm does not take into consideration which computers become browsers. Thus it is possible for any machine running a browser service to register itself as participating in the browsing election, and (after winning) being able to change the browse list. Nevertheless, browsing is a key feature of Windows networking and <indexterm id="ch01-idx-951871-0"><primary>backwards compatibility</primary><secondary>elections and</secondary></indexterm>backwards compatibility requirements will ensure that it is in use for years to come.<indexterm id="ch01-idx-951847-0" class="endofrange" startref="ch01-idx-951846-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="1.4.3" id="ch01-SECT-4.3"> +<title>Can a Windows Workgroup Span Multiple Subnets?</title> + + +<para> +<indexterm id="ch01-idx-951886-0"><primary>workgroups</primary><secondary>Windows</secondary><tertiary>spanning multiple subnets</tertiary></indexterm> +<indexterm id="ch01-idx-951886-1"><primary>subnets</primary><secondary>multiple spanned by Windows workgroups</secondary></indexterm> +<indexterm id="ch01-idx-951886-2"><primary>Windows workgroups</primary><see>workgroups, Windows</see></indexterm>Yes, but most people who have done it have had their share of headaches. Spanning multiple subnets was not part of the initial design of Windows NT 3.5 or Windows for Workgroups. As a result, a Windows domain that spans two or more subnets is, in reality, the "gluing" together of two or more workgroups that share an identical name. The good news is that you can still use a primary domain controller to control authentication across each of the subnets. The bad news is that things are not as simple with browsing.</para> + + +<para>As mentioned previously, each subnet must have its own local master browser. When a Windows domain spans multiple subnets, a system administrator will have to assign one of the machines as the <firstterm>domain master browser</firstterm>. The domain master browser will keep a browse list for the entire Windows domain. This browse list is created by periodically synchronizing the browse lists of each of the local master browsers with the browse list of the domain master browser. After the synchronization, the local master browser and the domain master browser should contain identical entries. See <link linkend="ch01-52572">Figure 1.14</link> for an illustration.</para> + + +<figure label="1.14" id="ch01-52572"> +<title>A workgroup that spans more than one subnet</title> + +<graphic width="502" depth="438" fileref="figs/sam.0114.gif"></graphic> +</figure> + +<para>Sound good? Well, it's not quite nirvana for the following reasons:</para> + + +<itemizedlist> +<listitem><para>If it exists, a primary domain controller always plays the role of the domain master browser. By Microsoft design, the two always share the NetBIOS <indexterm id="ch01-idx-951898-0"><primary>resource types</primary><secondary sortas="primary domain controller vs. domain master browser">for primary domain controller vs. domain master browser</secondary></indexterm> +<indexterm id="ch01-idx-951898-1"><primary>DMB (domain master browser)</primary><secondary>resource type</secondary></indexterm>resource type <1B>, and (unfortunately) cannot be separated.</para></listitem> +<listitem><para>Windows 95/98 machines cannot become <emphasis>or</emphasis> <emphasis>even contact</emphasis> a domain master browser. The Samba group feels that this is a marketing decision from Microsoft that forces customers to have at least one Windows NT workstation (or Samba server) on each <indexterm id="ch01-idx-951900-0"><primary>subnets</primary><secondary>Windows NT workstations and</secondary></indexterm>subnet of a multi-subnet workgroup.</para></listitem> +</itemizedlist> + +<para>Each subnet's local master browser continues to maintain the browse list for its subnet, for which it becomes authoritative. So if a computer wants to see a list of servers within its own subnet, the local master browser of that subnet will be queried. If a computer wants to see a list of servers outside the subnet, it can still go only as far as the local master browser. This works because, at appointed intervals, the authoritative browse list of a subnet's local master browser is synchronized with the domain master browser, which is synchronized with the local master browser of the other subnets in the domain. This is called <firstterm>browse list propagation</firstterm> +<indexterm id="ch01-idx-951902-0"><primary>browse lists</primary><secondary>propagation</secondary></indexterm> +<indexterm id="ch01-idx-951902-1"><primary>propagation, browse list</primary></indexterm>.</para> + + +<para>Samba can act as a domain master browser on a Windows domain if required. In addition, it can also act as a local master browser for a Windows subnet, synchronizing its browse list with the domain master browser.</para> +</sect2> + + + + + +<sect2 role="" label="1.4.4" id="ch01-SECT-4.4"> +<title>The Windows Internet Name Service (WINS)</title> + + +<para>The <indexterm id="ch01-idx-951904-0"><primary>Windows Internet Name Service (see WINS)</primary></indexterm> +<indexterm id="ch01-idx-951904-1"><primary>WINS (Windows Internet Name Service)</primary></indexterm>Windows Internet Name Service (WINS) is Microsoft's implementation of a <indexterm id="ch01-idx-951906-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>name server (NBNS)</secondary></indexterm>NetBIOS name server (NBNS). As such, WINS inherits much of NetBIOS's characteristics. First, WINS is <indexterm id="ch01-idx-951907-0"><primary>flat namespaces</primary></indexterm>flat; you can only have machines named <literal>fred</literal> or workgroups like CANADA or USA. In addition, WINS is dynamic: when a client first comes online, it is required to report its hostname, its address, and its workgroup to the local WINS server. This WINS server will retain the information so long as the client periodically refreshes its WINS registration, which indicates that it's still connected to the network. Note that <indexterm id="ch01-idx-951908-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>servers</secondary></indexterm>WINS servers are not domain or workgroup specific; they can appear anywhere and serve anyone.</para> + + +<para>Multiple WINS servers can be set to synchronize with each other after a specified amount of time. This allows entries for machines that come online and offline on the network to propagate from one WINS server to another. While in theory this seems efficient, it can quickly become cumbersome if there are several WINS servers covering a network. Because WINS services can cross multiple subnets (you'll either hardcode the address of a WINS server in each of your clients or obtain it via DHCP), it is often more efficient to have each Windows client, no matter how many Windows domains there are, point themselves to the same WINS server. That way, there will only be one authoritative WINS server with the correct information, instead of several WINS servers continually struggling to synchronize themselves with the most recent changes.</para> + + +<para>The currently active WINS server is known as the <firstterm>primary WINS server</firstterm> +<indexterm id="ch01-idx-951910-0"><primary>primary WINS server</primary></indexterm> +<indexterm id="ch01-idx-951910-1"><primary>WINS (Windows Internet Name Service)</primary><secondary>WINS server</secondary><tertiary>primary/secondary</tertiary></indexterm> +<indexterm id="ch01-idx-951910-2"><primary>secondary WINS server</primary></indexterm>. You can also install a secondary WINS server, which will take over in the event that the primary WINS server fails or becomes inaccessible. Note that there is no <indexterm id="ch01-idx-951912-0"><primary>elections</primary><secondary>WINS servers and</secondary></indexterm>election to determine which machine becomes a primary or backup WINS server—the choice of WINS servers is static and must be predetermined by the <indexterm id="ch01-idx-951913-0"><primary>system administrator, WINS server and</primary></indexterm>system administrator. Both the primary and any backup WINS servers will synchronize their address databases on a periodic basis.</para> + + +<para>In the Windows family of operating systems, only an NT Workstation or an NT server can serve as a <firstterm></firstterm> +<indexterm id="ch01-idx-951916-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>Windows operating systems and</secondary></indexterm>WINS server. Samba can also function as a primary WINS server, but not a secondary WINS server.</para> +</sect2> + + + + + +<sect2 role="" label="1.4.5" id="ch01-12452"> +<title>What Can Samba Do?</title> + + +<para> +<indexterm id="ch01-idx-951921-0"><primary>Samba</primary><secondary>roles in Windows domains/workgroups</secondary></indexterm> +<indexterm id="ch01-idx-951921-1"><primary>domains</primary><secondary>roles in assumed by Samba</secondary></indexterm> +<indexterm id="ch01-idx-951921-2"><primary>workgroups</primary><secondary>roles in assumed by Samba</secondary></indexterm>Whew! Bet you never thought Microsoft networks would be that complex, did you? Now, let's wrap up by showing where Samba can help out. <link linkend="ch01-14021">Table 1.6</link> summarizes which roles Samba can and cannot play in a Windows NT Domain or Windows workgroup. As you can see, because many of the NT domain protocols are proprietary and have not been documented by Microsoft, Samba cannot properly synchronize its data with a Microsoft server and cannot act as a backup in most roles. However, with version 2.0.<emphasis>x</emphasis>, Samba does have limited support for the primary domain controller's authentication protocols and is gaining more functionality every day.</para> + + +<table label="1.6" id="ch01-14021"> +<title>Samba Roles (as of 2.0.4b) </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Role</para></entry> + +<entry colname="col2"><para>Can Perform?</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>File Server</para></entry> + +<entry colname="col2"><para>Yes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Printer Server</para></entry> + +<entry colname="col2"><para>Yes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Primary Domain Controller</para></entry> + +<entry colname="col2"><para>Yes (Samba 2.1 or higher recommended)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Backup Domain Controller</para></entry> + +<entry colname="col2"><para>No</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 95/98 Authentication</para></entry> + +<entry colname="col2"><para>Yes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Local Master Browser</para></entry> + +<entry colname="col2"><para>Yes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Local Backup Browser</para></entry> + +<entry colname="col2"><para>No</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Domain Master Browser</para></entry> + +<entry colname="col2"><para>Yes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Primary WINS Server</para></entry> + +<entry colname="col2"><para>Yes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Secondary WINS Server</para></entry> + +<entry colname="col2"><para>No<indexterm id="ch01-idx-951824-0" class="endofrange" startref="ch01-idx-951821-0"/> +<indexterm id="ch01-idx-951824-1" class="endofrange" startref="ch01-idx-951821-1"/></para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="1.5" id="ch01-32691"> +<title>An Overview of the Samba Distribution</title> + + +<para>As mentioned earlier, Samba actually contains several programs that serve different but related purposes. Let's introduce each of them briefly, and show how they work together. The majority of the programs that come with the Samba distribution center on its two daemons. Let's take a refined look at the responsibilities of each daemon:</para> + + +<variablelist> +<varlistentry><term><emphasis>smbd</emphasis></term> +<listitem><para>The <emphasis>smbd</emphasis> daemon is responsible for managing the shared resources between the Samba server machine and its clients. It provides file, print, and browser services to <acronym>SMB</acronym> clients across one or more networks. <emphasis>smdb</emphasis> handles all notifications between the Samba server and the network clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the <acronym>SMB</acronym> protocol.</para></listitem> +</varlistentry> + + +<varlistentry><term><emphasis>nmbd</emphasis></term> +<listitem><para>The <emphasis>nmbd</emphasis> daemon is a simple nameserver that mimics the WINS and NetBIOS name server functionality, as you might expect to encounter with the LAN Manager package. This daemon listens for nameserver requests and provides the appropriate information when called upon. It also provides browse lists for the Network Neighborhood and participates in browsing elections.</para></listitem> +</varlistentry> +</variablelist> + + +<para>The Samba distribution also comes with a small set of Unix command-line tools:</para> + + +<variablelist> +<varlistentry><term>smbclient</term> +<listitem><para>An FTP-like Unix client that can be used to connect to Samba shares</para></listitem> +</varlistentry> + + +<varlistentry><term>smbtar</term> +<listitem><para>A program for backing up data in shares, similar to the Unix <filename>tar</filename> command</para></listitem> +</varlistentry> + + +<varlistentry><term>nmblookup</term> +<listitem><para>A program that provides NetBIOS over TCP/IP name lookups</para></listitem> +</varlistentry> + + +<varlistentry><term>smbpasswd</term> +<listitem><para>A program that allows an administrator to change the encrypted passwords used by Samba</para></listitem> +</varlistentry> + + +<varlistentry><term>smbstatus</term> +<listitem><para>A program for reporting the current network connections to the shares on a Samba server</para></listitem> +</varlistentry> + + +<varlistentry><term>testparm</term> +<listitem><para>A simple program to validate the Samba configuration file</para></listitem> +</varlistentry> + + +<varlistentry><term>testprns</term> +<listitem><para>A program that tests whether various printers are recognized by the <filename>smbd</filename> daemon</para></listitem> +</varlistentry> +</variablelist> + + +<para>Each significant release of Samba goes through a significant exposure test before it's announced. In addition, it is quickly updated afterward if problems or unwanted side-effects are found. The latest stable distribution as of this writing is Samba 2.0.5, the long-awaited production version of Samba 2.0. This book focuses on the functionality supported in Samba 2.0, as opposed to the older 1.9.<emphasis>x</emphasis> versions of Samba, which are now obsolete.</para> +</sect1> + + + + + + + + + +<sect1 role="" label="1.6" id="ch01-SECT-6"> +<title>How Can I Get Samba?</title> + + +<para> +<indexterm id="ch01-idx-951923-0"><primary>Samba</primary><secondary>distribution</secondary></indexterm>Samba is available in both binary and source format from a set of <indexterm id="ch01-idx-951925-0"><primary>mirror sites for Samba distribution</primary></indexterm>mirror sites across the Internet. The primary home site for Samba is located at <indexterm id="ch01-idx-951924-0"><primary>URLs (uniform resource locators)</primary><secondary>Samba</secondary></indexterm> +<indexterm id="ch01-idx-951924-1"><primary>URLs (uniform resource locators)</primary><secondary>distribution</secondary></indexterm><systemitem role="url">http://www.samba.org/</systemitem>.</para> + + +<para>However, if you don't want to wait for packets to arrive all the way from Australia, mirror sites for Samba can be found at any of several locations on the Internet. A list of mirrors is given at the primary Samba home page.</para> + + +<!-- CD-ROM REFERENCE COMMENTED OUT FOR SAFARI VERSION OF THIS TITLE. + +<para>In addition, a <indexterm id="ch01-idx-951926-0"><primary>CD-ROM with this book</primary><secondary>Samba distribution</secondary></indexterm>CD-ROM distribution is available in the back of this book. We strongly encourage you to start with the CD-ROM if this is your first time using Samba. We've included source and binaries up to <indexterm id="ch01-idx-951927-0"><primary>Samba</primary><secondary>version 2.0.5</secondary></indexterm>Samba 2.0.5 with this book. In addition, several of the <indexterm id="ch01-idx-951928-0"><primary>CD-ROM with this book</primary><secondary>testing tools</secondary></indexterm> +<indexterm id="ch01-idx-951928-1"><primary>testing</primary><secondary>tools for (CD-ROM with this book)</secondary></indexterm>testing tools that we refer to through the book are conveniently packaged on the CD-ROM.</para> + +--> +</sect1> + + + + + + + + + +<sect1 role="" label="1.7" id="ch01-40528"> +<title>What's New in Samba 2.0?</title> + + +<para> +<indexterm id="ch01-idx-951929-0"><primary>Samba</primary><secondary> version 2.0</secondary></indexterm> +<indexterm id="ch01-idx-951929-1"><primary>software distribution</primary><see>Samba, distribution</see></indexterm>Samba 2.0 was an eagerly-awaited package. The big additions to Samba 2.0 are more concrete support for NT Domains and the new Samba Web Administration Tool (SWAT), a browser-based utility for configuring Samba. However, there are dozens of other improvements that were introduced in the summer and fall of 1998.</para> + + +<sect2 role="" label="1.7.1" id="ch01-SECT-7.1"> +<title>NT Domains</title> + + +<para>Samba's support for <indexterm id="ch01-idx-951930-0"><primary>domains</primary><secondary>Windows</secondary><tertiary>support for</tertiary></indexterm> +<indexterm id="ch01-idx-951930-1"><primary>Windows NT</primary><secondary>domains</secondary></indexterm>NT Domains (starting with version 2.0.<emphasis>x</emphasis>) produced a big improvement: it allows SMB servers to use its authentication mechanisms, which is essential for future NT compatibility, and to support <firstterm>NT domain logons</firstterm> +<indexterm id="ch01-idx-951931-0"><primary>domains</primary><secondary>Windows</secondary></indexterm> +<indexterm id="ch01-idx-951931-1"><primary>domain logons</primary></indexterm> +<indexterm id="ch01-idx-951931-2"><primary>domain logons</primary></indexterm> +<indexterm id="ch01-idx-951931-3"><primary>logons</primary><see>domain logons</see></indexterm>. Domain logons allow a user to log in to a Windows NT domain and use all the computers in the domain without logging into them individually. Previous to version 2.0.0, Samba supported Windows 95/98 logon services, but not NT domain logons. Although domain logons support is not complete is Samba 2.0, it is partially implemented.</para> +</sect2> + + + + + +<sect2 role="" label="1.7.2" id="ch01-SECT-7.2"> +<title>Ease of Administration</title> + + +<para> +<indexterm id="ch01-idx-951933-0"><primary>SWAT tool</primary></indexterm>SWAT, the <indexterm id="ch01-idx-951934-0"><primary>Samba Web Administration Tool</primary><see>SWAT tool</see></indexterm>Samba Web Administration Tool, makes it easy to set up a server and change its configuration, without giving up the simple text-based configuration file. SWAT provides a graphical interface to the resources that Samba shares with its clients. In addition, SWAT saves considerable experimentation and memory work in setting up or changing configurations across the network. You can even create an initial setup with SWAT and then modify the file later by hand, or vice versa. Samba will not complain.</para> + + +<para>On the <indexterm id="ch01-idx-951935-0"><primary>compiling Samba</primary><secondary>in version 2.0</secondary></indexterm>compilation side, <indexterm id="ch01-idx-951936-0"><primary>GNU autoconf</primary></indexterm>GNU <filename>autoconf</filename> is now used to make the task of initial compilation and setup easier so you can get to SWAT quicker.</para> +</sect2> + + + + + +<sect2 role="" label="1.7.3" id="ch01-SECT-7.3"> +<title>Performance</title> + + +<para>There are major performance and scalability increases in Samba: the code has been reorganized and <emphasis>nmbd</emphasis> +<indexterm id="ch01-idx-951937-0"><primary>nmbd daemon</primary></indexterm> (the Samba name service daemon) heavily rewritten:</para> + + +<itemizedlist> +<listitem><para>Name/browsing service now supports approximately 35,000 simultaneous clients.</para></listitem> +<listitem><para>File and print services support 500 concurrent users from a single medium-sized server without noticeable performance degradation.</para></listitem> +<listitem><para> +<indexterm id="ch01-idx-951938-0"><primary>performance</primary></indexterm>Linux/Samba on identical hardware now consistently performs better than NT Server. And best of all, Samba is improving.</para></listitem> +<listitem><para>Improved <indexterm id="ch01-idx-951939-0"><primary>opportunistic locking</primary></indexterm> +<indexterm id="ch01-idx-951939-1"><primary>locks/locking files</primary><secondary>opportunistic locking</secondary></indexterm> +<indexterm id="ch01-idx-951939-2"><primary>locks/locking files</primary><secondary>opportunistic locking</secondary><seealso>oplocks</seealso></indexterm>"opportunistic" locking allows client machines to cache entire files locally, greatly improving speed without running the risk of accidentally overwriting the cached files.</para></listitem> +</itemizedlist> +</sect2> + + + + + +<sect2 role="" label="1.7.4" id="ch01-SECT-7.4"> +<title>More Features</title> + + +<para>There are several additional features in Samba 2.0. You can now have multiple Samba <indexterm id="ch01-idx-951942-0"><primary>aliases</primary><secondary>multiple</secondary></indexterm>aliases on the same machine, each pretending to be a different server, a feature similar to <indexterm id="ch01-idx-951943-0"><primary>virtual hosts</primary></indexterm>virtual hosts in modern web servers. This allows a host to serve multiple departments and groups, or provide disk shares with normal username/password security while also providing printers to everyone without any security. Printing has been changed to make it easier for <indexterm id="ch01-idx-951944-0"><primary>Unix</primary><secondary>System V</secondary><tertiary>printing and</tertiary></indexterm>Unix System V owners: Samba can now find the available printers automatically, just as it does with Berkeley-style printing. In addition, Samba now has the capability to use <indexterm id="ch01-idx-951945-0"><primary>multiple code pages</primary></indexterm> +<indexterm id="ch01-idx-951945-1"><primary>code pages</primary><secondary>multiple</secondary></indexterm> +<indexterm id="ch01-idx-951945-2"><primary>non-European languages</primary></indexterm> +<indexterm id="ch01-idx-951945-3"><primary>languages, non-European</primary></indexterm>multiple code pages, so it can be used with non-European languages, and to use the <indexterm id="ch01-idx-951946-0"><primary>SSL (Secure Sockets Layer) protocol</primary></indexterm>Secure Sockets Layer protocol (SSL) to encrypt all the data it sends across the Internet, instead of just passwords.<footnote label="7" id="ch01-pgfId-938280"> + + +<para>If you reside in the United States, there are some federal rules and regulations dealing with strong cryptography. We'll talk about his later when we set up Samba and SSL in <link linkend="SAMBA-AP-A">Appendix A</link>.</para> + + +</footnote></para> +</sect2> + + + + + +<sect2 role="" label="1.7.5" id="ch01-SECT-7.5"> +<title>Compatibility Improvements</title> + + +<para>At the same time as it's becoming more capable, Samba is also becoming more <indexterm id="ch01-idx-951947-0"><primary>Samba</primary><secondary>compatibility with Windows NT</secondary></indexterm> +<indexterm id="ch01-idx-951947-1"><primary>compatibility, Samba with Windows NT</primary></indexterm>compatible with Windows NT. Samba has always supported Microsoft-style password encryption. It now provides tools and options for changing over to <indexterm id="ch01-idx-951948-0"><primary>Microsoft</primary><secondary>encryption</secondary></indexterm> +<indexterm id="ch01-idx-951948-1"><primary>Samba</primary><secondary>Microsoft encryption and</secondary></indexterm>Microsoft encryption, and for keeping the Unix and Microsoft password files synchronized while doing so. Finally, a Samba master browser can be instructed to hunt down and synchronize itself with other SMB servers on different LANs, allowing <indexterm id="ch01-idx-951950-0"><primary>SMB (Server Message Block)</primary><secondary>seamless operation across networks</secondary></indexterm>SMB to work seamlessly across multiple networks. Samba uses a different method of accomplishing this from the Microsoft method, which is undocumented.</para> +</sect2> + + + + + +<sect2 role="" label="1.7.6" id="ch01-SECT-7.6"> +<title>Smbwrapper</title> + + +<para>Finally, there is an entirely new version of the Unix client called <firstterm>smbwrapper</firstterm> +<indexterm id="ch01-idx-951955-0"><primary>smbwrapper client</primary></indexterm>. Instead of a kernel module that allows Linux to act as a Samba client, there is now a command-line entry to load the library that provides a complete SMB filesystem on some brands of Unix. Once loaded, the command <literal>ls</literal> <literal>/smb</literal> will list all the machines in your workgroup, and <literal>cd</literal> <literal>/smb/</literal><replaceable>server_name</replaceable><literal>/</literal><replaceable>share_name</replaceable> will take you to a particular <indexterm id="ch01-idx-951956-0"><primary>shares</primary></indexterm> +<indexterm id="ch01-idx-951956-1"><primary>shared directory/resources</primary><see>shares</see></indexterm>share (shared directory), similar to the <indexterm id="ch01-idx-951957-0"><primary>Network File System (NFS)</primary></indexterm> +<indexterm id="ch01-idx-951957-1"><primary>NFS (Network File System)</primary></indexterm>Network File System (NFS). As of this writing, <emphasis>smbwrapper</emphasis> currently runs on Linux, Solaris, SunOS 4, IRIX, and OSF/1, and is expected to run on several more operating systems in the near future.</para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="1.8" id="ch01-99818"> +<title>And That's Not All...</title> + + +<para>Samba is a wonderful tool with potential for even the smallest SMB/CIFS network. This chapter presented you with a thorough introduction to what Samba is, and more importantly, how it fits into a Windows network. The next series of chapters will help you set up Samba on both the Unix server side, where its two daemons reside, as well as configure the Windows 95, 98, and NT clients to work with Samba. Before long, the aches and pains of your heterogeneous network may seem like a thing of the past. Welcome to the wonderful world of Samba!</para> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch02.xml b/docs-xml/using_samba/ch02.xml new file mode 100644 index 0000000000..307f5f336b --- /dev/null +++ b/docs-xml/using_samba/ch02.xml @@ -0,0 +1,1091 @@ +<chapter label="2" id="SAMBA-CH-2"> +<title>Installing Samba on a Unix System</title> + + + + +<para> +<indexterm id="ch02-idx-947293-0" class="startofrange"><primary>installing Samba</primary></indexterm> +<indexterm id="ch02-idx-947293-1"><primary>Samba</primary><secondary>installing</secondary><see>installing Samba</see></indexterm>Now that you know what Samba can do for you and your users, it's time to get your own network set up. Let's start with the installation of Samba itself on a Unix system. When dancing the samba, one learns by taking small steps. It's just the same when installing Samba; we need to teach it step by step. This chapter will help you to start off on the right foot.</para> + + +<para>For illustrative purposes, we will be installing the 2.0.4 version of the Samba server on a <indexterm id="ch02-idx-947307-0"><primary>Linux</primary><secondary>installing Samba on Linux system</secondary></indexterm>Linux<footnote label="1" id="ch02-pgfId-939741"> + + +<para>If you haven't heard of Linux yet, then you're in for a treat. Linux is a freely distributed Unix-like operating system that runs on the Intel x86, Motorola PowerPC, and Sun Sparc platforms. The operating system is relatively easy to configure, extremely robust, and is gaining in popularity. You can get more information on the Linux operating system at <systemitem role="url">http://www.linux.org/</systemitem>.</para> + + +</footnote> system running version 2.0.31 of the kernel. However, the installation steps are the same for all of the platforms that Samba supports. A typical installation will take about an <indexterm id="ch02-idx-947305-0"><primary>installing Samba</primary><secondary>time required</secondary></indexterm>hour to complete, including downloading the source files and compiling them, setting up the configuration files, and testing the server.</para> + + +<para> +<indexterm id="ch02-idx-947306-0"><primary>installing Samba</primary><secondary>steps in</secondary></indexterm>Here is an overview of the steps:</para> + + +<orderedlist> +<listitem><para>Download the source or binary files.</para></listitem> +<listitem><para>Read the installation documentation.</para></listitem> +<listitem><para>Configure a makefile.</para></listitem> +<listitem><para>Compile the server code.</para></listitem> +<listitem><para>Install the server files.</para></listitem> +<listitem><para>Create a Samba configuration file.</para></listitem> +<listitem><para>Test the configuration file.</para></listitem> +<listitem><para>Start the Samba daemons.</para></listitem> +<listitem><para>Test the Samba daemons.</para></listitem> +</orderedlist> + + + + + + + + + + + +<sect1 role="" label="2.1" id="ch02-85028"> +<title>Downloading the Samba Distribution</title> + + +<para> +<indexterm id="ch02-idx-947308-0" class="startofrange"><primary>Samba</primary><secondary>downloading</secondary></indexterm> +<indexterm id="ch02-idx-947308-1" class="startofrange"><primary>Samba</primary><secondary>distribution</secondary></indexterm> + +<!-- CD-ROM REFERENCE COMMENTED OUT FOR SAFARI VERSION OF THIS TITLE. + +If +you want to get started quickly, the <indexterm +id="ch02-idx-947316-0" id="IXT-2-126769"><primary>CD-ROM with this +book</primary><secondary>Samba +distribution</secondary></indexterm>CD-ROM packaged with this book +contains both the sources and binaries of Samba that were available as +this book went to print. The CD is a mirror image of the files and +directories on the Samba download server: <systemitem +role="url">ftp.samba.org</systemitem> <indexterm +id="ch02-idx-947317-0" id="IXT-2-126770"><primary>FTP (File Transfer +Protocol)</primary><secondary>sites for Samba +downloads</secondary></indexterm> <indexterm +id="ch02-idx-947317-1" id="IXT-2-126771"><primary>downloads</primary><secondary>Samba</secondary></indexterm>.</para> + +<para>On the other hand, if + +--></para> + + +<para>If you want to download the latest version, the primary web site +for the Samba software is <indexterm id="ch02-idx-947318-0"><primary>URLs (uniform resource +locators)</primary><secondary>Samba</secondary></indexterm><systemitem role="url">http://www.samba.org</systemitem>. Once connected to this +page, you'll see links to several Samba mirror sites across the +world, both for the standard Samba web pages and sites devoted +exclusively to downloading Samba. For the best performance, choose a +site that is closest to your own geographic location.</para> + + +<para>The standard <indexterm id="ch02-idx-947320-0"><primary>Samba</primary><secondary>web +site</secondary></indexterm> <indexterm id="ch02-idx-947320-1"><primary>resources for further +information</primary><secondary>Samba</secondary></indexterm>Samba web +sites have Samba documentation and tutorials, mailing list archives, +and the latest Samba news, as well as source and binary distributions +of Samba. The download sites (sometimes called <emphasis>FTP +sites</emphasis>) have only the source and binary +distributions. Unless you specifically want an older version of the +Samba server or are going to install a binary distribution, download +the latest source distribution from the closest mirror site. This +distribution is always named:</para> + + +<programlisting>samba-latest.tar.gz</programlisting> + + +<!-- CD-ROM REFERENCE COMMENTED OUT FOR SAFARI VERSION OF THIS TITLE. + +<para>If you choose to use the version of Samba that is located on the +CD-ROM packaged with this book, you should find the latest Samba +distribution in the base directory.</para> + +--> + +<sect2 role="" label="2.1.1" id="ch02-SECT-1.1"> +<title>Binary or Source?</title> + + +<para> +<indexterm id="ch02-idx-947323-0"><primary>binary vs. source files</primary></indexterm> +<indexterm id="ch02-idx-947323-1"><primary>source vs. binary files</primary></indexterm>Precompiled packages are also available for a large number of Unix platforms. These packages contain binaries for each of the Samba executables as well as the standard Samba documentation. Note that while installing a binary distribution can save you a fair amount of trouble and time, there are a couple of issues that you should keep in mind when deciding whether to use the binary or compile the source yourself:</para> + + +<itemizedlist> +<listitem><para>The binary packages can lag behind the latest version +of the software by one or two (maybe more) minor releases, especially +after a series of small changes and for less popular +platforms. Compare the release notes for the source and binary +packages to make sure that there aren't any new features that +you need on your platform. + +<!-- CD-ROM REFERENCE COMMENTED OUT FOR SAFARI VERSION OF THIS TITLE. + +This is especially true of the sources and +binaries on the CD-ROM: at the time this book went to print, they were +from the latest production release of Samba. However, development is +ongoing, so the beta-test versions on the Internet will be +newer. + +--></para></listitem> +<listitem><para>If you use a precompiled binary, you will need to ensure that you have the correct libraries required by the executables. On some platforms the executables are statically linked so this isn't an issue, but on modern Unix operating systems (e.g., Linux, SGI Irix, Solaris, HP-UX, etc.), libraries are often <indexterm id="ch02-idx-947325-0"><primary>dynamically linked libraries</primary></indexterm>dynamically linked. This means that the binary looks for the right version of each library on your system, so you may have to install a new version of a library. The <filename>README</filename> file or <filename>makefile</filename> +<indexterm id="ch02-idx-947333-0"><primary>makefiles</primary></indexterm> that accompanies the binary distribution should list any special requirements.<footnote label="2" id="ch02-pgfId-943622"> + + +<para>This is especially true with programs that use <emphasis>glibc-2.1</emphasis> (which comes standard with Red Hat Linux 6). This library caused quite a consternation in the development community when it was released because it was incompatable with previous versions of <emphasis>g</emphasis><filename>libc</filename>.</para> + + +</footnote></para> + + +<para>Many machines with shared libraries come with a nifty tool called <emphasis>ldd</emphasis> +<indexterm id="ch02-idx-947322-0"><primary>ldd tool</primary></indexterm>. This tool will tell you which libraries a specific binary requires and which libraries on the system satisfy that requirement. For example, checking the <emphasis>smbd</emphasis> program on our test machine gave us:</para></listitem> +</itemizedlist> + +<programlisting>$ <emphasis role="bold">ldd smbd</emphasis> +libreadline.so.3 => /usr/lib/libreadline.so.3 +libdl.so.2 => /lib/libdl.so.2 +libcrypt.so.1 => /lib/libcrypt.so.1 +libc.so.6 => /lib/libc.so.6 +libtermcap.so.2 => /lib/libtermcap.so.2 +/lib/ld-linux.so.2 => /lib/ld-linux.so.2</programlisting> + + +<itemizedlist> +<listitem><para>If there are any incompatibilities between Samba and specific libraries on your machine, the distribution-specific documentation should highlight those.</para></listitem> +<listitem><para>Keep in mind that each binary distribution carries preset values about the target platform, such as default directories and configuration option values. Again, check the documentation and the makefile included in the source directory to see which directives and variables were used when the binary was compiled. In some cases, these will not be appropriate for your situation.</para> + + +<para>A few configuration items can be reset with command-line options at runtime instead of at compile time. For example, if your binary tries to place any log, lock, or status files in the "wrong" place (for example, in <filename>/usr/local</filename> ), you can override this without recompiling.</para></listitem> +</itemizedlist> + +<para>One point worth mentioning is that the Samba source requires an <indexterm id="ch02-idx-947324-0"><primary>ANSI C compilers</primary></indexterm> +<indexterm id="ch02-idx-947324-1"><primary>non-ANSI compilers</primary></indexterm> +<indexterm id="ch02-idx-947324-2"><primary>compilers</primary></indexterm>ANSI C compiler. If you are on a platform with a non-ANSI compiler, such as the <emphasis>cc</emphasis> compiler on SunOS version 4, you'll have to install an ANSI-compliant compiler such as <emphasis>gcc</emphasis> before you do anything else.<footnote label="3" id="ch02-pgfId-939049"> + + +<para><emphasis>gcc</emphasis> binaries are available for almost every modern machine. See <systemitem role="url">http://www.gnu.org/</systemitem> for a list of sites with <emphasis>gcc</emphasis> and other GNU software.</para> + + +</footnote> If installing a compiler isn't something you want to wrestle with, you can start off with a binary package. However, for the most flexibility and compatibility on your system, we always recommend compiling from the latest source.</para> +</sect2> + + + + + +<sect2 role="" label="2.1.2" id="ch02-SECT-1.2"> +<title>Read the Documentation</title> + + +<para> +<indexterm id="ch02-idx-947327-0"><primary>documentation for Samba</primary><secondary>importance of reading</secondary></indexterm> +<indexterm id="ch02-idx-947327-1"><primary>reading documentation, importance of</primary></indexterm> +<indexterm id="ch02-idx-947327-2"><primary>Samba</primary><secondary>documentation, importance of reading</secondary></indexterm>This sounds like an obvious thing to say, but there have probably been times where you have uncompressed a package, blindly typed <literal>configure</literal>, <literal>make</literal>, and <literal>make</literal> <literal>install</literal>, and walked away to get another cup of coffee. We'll be the first to admit that we do that, many more times than we should. It's a bad idea—especially when planning a network with Samba.</para> + + +<para>Samba 2.0 automatically configures itself prior to compilation. This reduces the likelihood of a machine-specific problem, but there may be an option mentioned in the <filename>README</filename> file that you end up wishing for after Samba's been installed. With both source and binary packages you'll find a large number of documents in the <filename>docs</filename> +<indexterm id="ch02-idx-947328-0"><primary>docs directory</primary></indexterm> directory, in a variety of formats. The most important files to look at in the distribution are:</para> + + +<programlisting><indexterm id="ch02-idx-947329-0"><primary>Samba</primary><secondary>new features file</secondary></indexterm> +<indexterm id="ch02-idx-947329-1"><primary>installing Samba</primary><secondary>common problems</secondary></indexterm>WHATSNEW.txt +docs/textdocs/UNIX_INSTALL.txt</programlisting> + + +<para>These files tell you what features you can expect in your Samba distribution, and will highlight common installation problems that you're likely to face. Be sure to look over both of them before you start the compilation process.<indexterm id="ch02-idx-947311-0" class="endofrange" startref="ch02-idx-947308-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="2.2" id="ch02-28558"> +<title>Configuring Samba</title> + + +<para> +<indexterm id="ch02-idx-947339-0" class="startofrange"><primary>configuring Samba</primary></indexterm> +<indexterm id="ch02-idx-947339-1"><primary>configuring Samba</primary><secondary>configuration file</secondary><seealso>smb.conf (Samba configuration) file</seealso></indexterm>The <indexterm id="ch02-idx-947330-0"><primary>Samba</primary><secondary>configuring</secondary><see>configuring Samba</see></indexterm>source distribution of Samba 2.0 and above doesn't initially have a <indexterm id="ch02-idx-947337-0"><primary>makefiles</primary></indexterm>makefile. Instead, one is generated through a GNU <filename>configure</filename> +<indexterm id="ch02-idx-947338-0"><primary>configuring Samba</primary><secondary>configure script</secondary><tertiary>GNU</tertiary></indexterm> +<indexterm id="ch02-idx-947338-1"><primary>GNU configure script</primary></indexterm> script, which is located in the <filename>samba-2.0.x /source/</filename> directory. The <firstterm>configure</firstterm> script, which must be run as root, takes care of the machine-specific issues of building Samba. However, you still may want to decide on some global options. Global options can be set by passing options on the command-line:</para> + + +<programlisting># ./configure --with-ssl</programlisting> + + +<para>For example, this will configure the Samba makefile with support for the<indexterm id="ch02-idx-947347-0"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>support for</secondary></indexterm> +<indexterm id="ch02-idx-947347-1"><primary>Secure Sockets Layer protocol</primary><see>SSL</see></indexterm> Secure Sockets Layer (SSL) encryption protocol. If you would like a complete list of <indexterm id="ch02-idx-947348-0" class="startofrange"><primary>configuring Samba</primary><secondary>options</secondary></indexterm>options, type the following:</para> + + +<programlisting>#./configure --help</programlisting> + + +<para> +<indexterm id="ch02-idx-947349-0"><primary>enabling/disabling features</primary></indexterm> +<indexterm id="ch02-idx-947349-1"><primary>disabling/enabling features</primary></indexterm>Each of these options enable or disable various features. You typically enable a feature by specifying the <literal>--with-</literal><replaceable>feature</replaceable> option, which will cause the feature to be compiled and installed. Likewise, if you specify a <literal>--without-</literal><replaceable>feature</replaceable> option, the feature will be disabled. As of Samba 2.0.5, each of the following features is disabled by default:</para> + + +<variablelist> +<varlistentry><term><literal>--with-smbwrapper</literal></term> +<listitem><para>Include SMB <indexterm id="ch02-idx-947350-0"><primary>SMB (Server Message Block)</primary><secondary>wrapper support</secondary></indexterm> +<indexterm id="ch02-idx-947350-1"><primary>wrapper support for SMB (Server Message Block)</primary></indexterm>wrapper support, which allows executables on the Unix side to access <indexterm id="ch02-idx-947351-0"><primary>SMB/CIFS protocol</primary><secondary>filesystems</secondary></indexterm>SMB/CIFS filesystems as if they were regular Unix filesystems. We recommend using this option. However, at this time this book went to press, there were several incompatibilities between the <filename>smbwrapper</filename> +<indexterm id="ch02-idx-947352-0"><primary>smbwrapper package</primary></indexterm> package and the GNU <filename>libc</filename> version 2.1, and it would not compile on Red Hat 6.0. Look for more information on these incompatibilities on the Samba home page.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-afs</literal></term> +<listitem><para>Include support of the <indexterm id="ch02-idx-947353-0"><primary>Andrew Filesystem</primary><see>AFS files</see></indexterm>Andrew Filesystem from <indexterm id="ch02-idx-947354-0"><primary>Carnegie Mellon University</primary></indexterm>Carnegie Mellon University. If you're going to serve <indexterm id="ch02-idx-947355-0"><primary>AFS files, support for</primary></indexterm>AFS files via Samba, we recommend compiling Samba once first without enabling this feature to ensure that everything runs smoothly. Once that version is working smoothly, recompile Samba with this feature enabled and compare any errors you might receive against the previous setup.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-dfs</literal></term> +<listitem><para>Include support for <indexterm id="ch02-idx-947356-0"><primary>DFS, support for</primary></indexterm>DFS, a later version of AFS, used by <indexterm id="ch02-idx-947357-0"><primary>OSF/1 (Digital Unix)</primary></indexterm>OSF/1 (Digital Unix). Note that this is <emphasis>not</emphasis> the same as Microsoft DFS, which is an entirely different filesystem. Again, we recommend compiling Samba once first without this feature to ensure that everything runs smoothly, then recompile with this feature to compare any errors against the previous setup.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-krb4</literal>=<replaceable>base-directory</replaceable></term> +<listitem><para>Include support for <indexterm id="ch02-idx-947358-0"><primary>Kerberos, support for</primary></indexterm>Kerberos version 4.0, explicitly specifying the base directory of the distribution. Kerberos is a network security protocol from <indexterm id="ch02-idx-947359-0"><primary>MIT</primary></indexterm>MIT that uses <indexterm id="ch02-idx-947360-0"><primary>private key cryptography</primary></indexterm> +<indexterm id="ch02-idx-947360-1"><primary>cryptography, private key</primary></indexterm>private key cryptography to provide strong security between nodes. Incidentally, Microsoft has announced that Kerberos 5.0 will be the standard <indexterm id="ch02-idx-947362-0"><primary>authentication</primary><secondary>mechanisms for</secondary></indexterm>authentication mechanism for Microsoft Windows 2000 (NT 5.0). However, the Kerberos 5.0 authentication mechanisms are quite different from the Kerberos 4.0 <indexterm id="ch02-idx-947363-0"><primary>security</primary></indexterm>security mechanisms. If you have Kerberos version 4 on your system, the Samba team recommends that you upgrade and use the <literal>--with-krb5</literal> option (see the next item). You can find more information on <indexterm id="ch02-idx-947364-0"><primary>URLs (uniform resource locators)</primary><secondary>Kerberos</secondary></indexterm>Kerberos at <systemitem role="url">http://web.mit.edu/kerberos/www</systemitem>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-krb5</literal>=<replaceable>base-directory</replaceable></term> +<listitem><para>Include support for Kerberos version 5.0, explicitly specifying the base directory of the distribution. Microsoft has announced that Kerberos 5.0 will be the standard authentication mechanism for Microsoft Windows 2000 (NT 5.0). However, there is no guarantee that Microsoft will not extend Kerberos for their own needs in the future. Currently, Samba's Kerberos support only uses a plaintext password interface and not an encrypted one. You can find more information on Kerberos at its home page: <systemitem role="url">http://web.mit.edu/kerberos/www</systemitem>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-automount</literal></term> +<listitem><para>Include support for <indexterm id="ch02-idx-947365-0"><primary>automounter, support for</primary></indexterm>automounter, a feature often used on sites that offer NFS.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-smbmount</literal></term> +<listitem><para>Include <emphasis>smbmount</emphasis> +<indexterm id="ch02-idx-947366-0"><primary>smbmount, support for</primary></indexterm> support, which is for <indexterm id="ch02-idx-947367-0"><primary>Linux</primary><secondary>submount and</secondary></indexterm>Linux only. This feature wasn't being maintained at the time the book was written, so the Samba team made it an optional feature and provided <emphasis>smbwrapper</emphasis> instead. The <emphasis>smbwrapper</emphasis> feature works on more Unix platforms than <emphasis>smbmount</emphasis>, so you'll usually want to use <literal>--with-smbwrapper</literal> instead of this option.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-pam</literal></term> +<listitem><para>Include support for <indexterm id="ch02-idx-947368-0"><primary>pluggable authentication modules (PAM)</primary><secondary>support for</secondary></indexterm> +<indexterm id="ch02-idx-947368-1"><primary>PAM (pluggable authentication modules)</primary><secondary>support for</secondary></indexterm>pluggable authentication modules (PAM), an authentication feature common in the Linux operating system.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-ldap</literal></term> +<listitem><para>Include support for the <indexterm id="ch02-idx-947369-0"><primary>Lightweight Directory Access Protocol</primary><see>LDAP</see></indexterm> +<indexterm id="ch02-idx-947369-1"><primary>LDAP (Lightweight Directory Access Protocol)</primary><secondary>support for</secondary></indexterm>Lightweight Directory Access Protocol (LDAP). A future version of LDAP will be used in the Windows 2000 (NT 5.0) operating system; this Samba support is experimental. LDAP is a flexible client-server directory protocol that can carry information such as certificates and group memberships.<footnote label="4" id="ch02-pgfId-943655"> + + +<para>By <emphasis>directory</emphasis>, we don't mean a directory in a file system, but instead an indexed directory (such as a phone directory). Information is stored and can be easily retrieved in a public LDAP system.</para> + + +</footnote></para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-nis</literal></term> +<listitem><para>Include support for getting password-file information from <indexterm id="ch02-idx-947370-0"><primary>NIS/NIS+ protocol</primary></indexterm>NIS (network yellow pages).</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-nisplus</literal></term> +<listitem><para>Include support for obtaining password-file information from NIS+, the successor to NIS.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-ssl</literal></term> +<listitem><para>Include experimental support for the <indexterm id="ch02-idx-947374-0"><primary>SSL (Secure Sockets Layer) protocol</primary><secondary>support for</secondary></indexterm>Secure Sockets Layer (SSL), which is used to provide encrypted connections from client to server. <link linkend="SAMBA-AP-A">Appendix A</link>, describes setting up Samba with SSL support.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-nisplus-home</literal></term> +<listitem><para>Include support for locating which server contains a particular user's <indexterm id="ch02-idx-947380-0"><primary>home directory, user's</primary></indexterm> +<indexterm id="ch02-idx-947380-1"><primary>users</primary><secondary>home directory</secondary></indexterm>home directory and telling the client to connect to it. Requires <literal>--with-nis</literal> and, usually, <literal>--with-automounter</literal>.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-mmap</literal></term> +<listitem><para>Include experimental<indexterm id="ch02-idx-947381-0"><primary>mmap code</primary></indexterm> memory mapping code. This is not required for <indexterm id="ch02-idx-947382-0"><primary>fast locking</primary></indexterm>fast locking, which already uses mmap or System V shared memory.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-syslog</literal></term> +<listitem><para>Include support for using the <indexterm id="ch02-idx-947383-0"><primary>SYSLOG utility</primary><secondary>support for</secondary></indexterm>SYSLOG utility for logging information generated from the Samba server. There are a couple of Samba configuration options that you can use to enable SYSLOG support; <link linkend="ch04-21486">Chapter 4</link>, discusses these options.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-netatalk</literal></term> +<listitem><para>Include experimental support for interoperating with the (Macintosh) <indexterm id="ch02-idx-947412-0"><primary>Netatalk (Macintosh), support for interoperating with</primary></indexterm>Netatalk file server.</para></listitem> +</varlistentry> + + +<varlistentry><term><literal>--with-quotas</literal></term> +<listitem><para>Include <indexterm id="ch02-idx-947413-0"><primary>disk quotas, support for</primary></indexterm>disk-quota support.</para></listitem> +</varlistentry> +</variablelist> + + +<para>Because each of these options is disabled by default, none of these features are essential to Samba. However, you may want to come back and build a modified version of Samba if you discover that you need one at a later time.</para> + + +<para>In addition, <link linkend="ch02-85125">Table 2.1</link> shows some other parameters that you can give the <filename>configure</filename> script if you wish to store parts of the Samba distribution in different places, perhaps to make use of multiple disks or partitions. Note that the defaults sometimes refer to a prefix specified earlier in the table.</para> + + +<table label="2.1" id="ch02-85125"> +<title>Additional Configure Options </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Meaning</para></entry> + +<entry colname="col3"><para>Default</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>--prefix</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install architecture-independent files at the base directory specified.</para></entry> + +<entry colname="col3"><para><filename>/usr/local/samba</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--eprefix</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install architecture-dependent files at the base directory specified.</para></entry> + +<entry colname="col3"><para><filename>/usr/local/samba</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--bindir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install user executables in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>eprefix</replaceable><filename>/bin</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--sbindir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install administrator executables in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>eprefix</replaceable><filename>/bin</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--libexecdir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install program executables in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>eprefix</replaceable><filename>/libexec</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--datadir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install read-only architecture independent data in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>prefix</replaceable><filename>/share</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--libdir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install program libraries in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>eprefix</replaceable><filename>/lib</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--includedir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install package include files in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>prefix</replaceable><filename>/include</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--infodir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install additional information files in the directory specified.</para></entry> + +<entry colname="col3"><para><replaceable>prefix</replaceable><filename>/info</filename></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>--mandir</literal>=<replaceable>directory</replaceable></para></entry> + +<entry colname="col2"><para>Install manual pages in the directory specified.<indexterm id="ch02-idx-947428-0" class="endofrange" startref="ch02-idx-947348-0"/></para></entry> + +<entry colname="col3"><para><replaceable>prefix</replaceable><filename>/man</filename></para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Again, before running the <filename>configure</filename> script, it is important that you are the <indexterm id="ch02-idx-947433-0"><primary>root user</primary></indexterm>root user on the system. Otherwise, you may get a warning such as:</para> + + +<programlisting>configure: warning: running as non-root will disable some tests</programlisting> + + +<para>You don't want any test to be disabled when the Samba makefile is being created; this leaves the potential for errors down the road when compiling or running Samba on your system.</para> + + +<para>Here is a sample execution of the <filename>configure</filename> +<indexterm id="ch02-idx-947434-0"><primary>configuring Samba</primary><secondary>configure script</secondary><tertiary>sample execution</tertiary></indexterm> script, which creates a Samba 2.0.4 makefile for the Linux platform. Note that you must run the configure script in the <emphasis>source</emphasis> directory, and that several lines from the middle of the excerpt have been omitted:</para> + + +<programlisting># cd samba-2.0.4b/source/ +# ./configure | tee mylog + +loading cache ./config.cache +checking for gcc... (cached) gcc +checking whether the C compiler (gcc -O ) works... yes +checking whether the C compiler (gcc -O ) is a cross-compiler... no +checking whether we are using GNU C... (cached) yes +checking whether gcc accepts -g... (cached) yes +checking for a BSD compatible install... (cached) /usr/bin/install -c + +<emphasis>...(content omitted)...</emphasis> + +checking configure summary +configure OK +creating ./config.status +creating include/stamp-h +creating Makefile +creating include/config.h</programlisting> + + +<para>In general, any message from <filename>configure</filename> that doesn't begin with the words <literal>checking</literal> or <literal>creating</literal> is an error; it often helps to redirect the output of the configure script to a file so you can quickly search for <indexterm id="ch02-idx-947435-0"><primary>errors</primary><secondary>searching for</secondary></indexterm>errors, as we did with the <literal>tee</literal> command above. If there was an error during configuration, more detailed information about it can be found in the <filename>config.log</filename> file, which is written to the local directory by the <filename>configure</filename> script.</para> + + +<para>If the configuration works, you'll see a <literal>checking</literal> <literal>configure</literal> <literal>summary</literal> message followed by a <literal>configure</literal> <literal>OK</literal> message and four or five file creation messages. So far, so good.... Next step: compiling.<indexterm id="ch02-idx-947719-0" class="endofrange" startref="ch02-idx-947339-0"/></para> +</sect1> + + + + + + + + + +<sect1 role="" label="2.3" id="ch02-13217"> +<title>Compiling and Installing Samba</title> + + +<para> +<indexterm id="ch02-idx-947438-0" class="startofrange"><primary>compiling Samba</primary></indexterm>At <indexterm id="ch02-idx-947440-0"><primary>Samba</primary><secondary>compiling</secondary><see>compiling Samba</see></indexterm>this point you should be ready to build the Samba executables. Compiling is also easy: in the <filename>source</filename> directory, type <literal>make</literal> on the command line. The <filename>make</filename> +<indexterm id="ch02-idx-947436-0"><primary>make utility</primary></indexterm> utility will produce a stream of explanatory and success messages, beginning with:</para> + + +<programlisting>Using FLAGS = -O -Iinclude ...</programlisting> + + +<para>This build includes compiles for both <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis>, and ends in a linking command for <filename>bin/make_ printerdef</filename>. For example, here is a sample make of Samba version 2.0.4 on a Linux server:</para> + + +<programlisting># make +Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DSMBLOGFILE="/ +usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" - +DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/lib/ +lmhosts" -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin" - +DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" - +DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DDRIVERFILE="/usr/local/samba/lib/ +printers.def" -DBINDIR="/usr/local/samba/bin" -DHAVE_INCLUDES_H -DPASSWD_ +PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd" +Using FLAGS32 = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper - +DSMBLOGFILE="/usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log. +nmb" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/ +lib/lmhosts" -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin" +-DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" - +DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DDRIVERFILE="/usr/local/samba/lib/ +printers.def" -DBINDIR="/usr/local/samba/bin" -DHAVE_INCLUDES_H -DPASSWD_ +PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd" +Using LIBS = -lreadline -ldl -lcrypt -lpam +Compiling smbd/server.c +Compiling smbd/files.c +Compiling smbd/chgpasswd.c + +<emphasis>...(content omitted)...</emphasis> + +Compiling rpcclient/cmd_samr.c +Compiling rpcclient/cmd_reg.c +Compiling rpcclient/cmd_srvsvc.c +Compiling rpcclient/cmd_netlogon.c +Linking bin/rpcclient +Compiling utils/smbpasswd.c +Linking bin/smbpasswd +Compiling utils/make_smbcodepage.c +Linking bin/make_smbcodepage +Compiling utils/nmblookup.c +Linking bin/nmblookup +Compiling utils/make_printerdef.c +Linking bin/make_printerdef</programlisting> + + +<para>If you encounter problems when compiling, check the Samba documentation to see if it is easily fixable. Another possibility is to search or post to the <indexterm id="ch02-idx-947437-0"><primary>mailing lists</primary><secondary>posting to</secondary></indexterm>Samba mailing lists, which are given at the end of <link linkend="SAMBA-AP-D">Appendix D</link>, and on the Samba home page. Most compilation issues are system specific and almost always easy to overcome.</para> + + +<para>Now that the files have been compiled, you can install them into the directories you identified with the command:</para> + + +<programlisting>#<userinput> make install</userinput></programlisting> + + +<para>If you happen to be upgrading, your old Samba files will be saved with the extension <emphasis>.old</emphasis> <indexterm id="ch02-idx-947448-0"><primary sortas="old files">.old files</primary></indexterm>, and you can go back to that previous version with the command <literal>make</literal> <literal>revert</literal>. After doing a <literal>make</literal> <literal>install</literal>, you should copy the <emphasis>.old</emphasis> files (if they exist) to a new location or name. Otherwise, the next time you install Samba, the original <emphasis>.old</emphasis> will be overwritten without warning and you could lose your earlier version. If you configured Samba to use the default locations for files, the new files will be installed in the directories listed in <link linkend="SAMBA-CH-2-TBL-2.2">Table 2.2</link>. Remember that you need to perform the installation from an account that has <indexterm id="ch02-idx-947451-0"><primary>write privileges</primary></indexterm>write privileges on these target <indexterm id="ch02-idx-947452-0"><primary>directories</primary><secondary>target</secondary></indexterm>directories; this is typically the root account.</para> + + +<table label="2.2" id="SAMBA-CH-2-TBL-2.2"> +<title>Samba Installation Directories </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Directory</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba</emphasis></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch02-idx-947450-0"><primary>installing Samba</primary><secondary>installation directories</secondary></indexterm> +<indexterm id="ch02-idx-947450-1"><primary>directories</primary><secondary>installation</secondary></indexterm>Main tree</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba/bin</emphasis></para></entry> + +<entry colname="col2"><para>Binaries</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba/lib</emphasis></para></entry> + +<entry colname="col2"><para><emphasis>smb.conf</emphasis>, <emphasis>lmhosts</emphasis>, configuration files, etc.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba/man</emphasis></para></entry> + +<entry colname="col2"><para>Samba documentation</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba/private</emphasis></para></entry> + +<entry colname="col2"><para>Samba encrypted password file</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba/swat</emphasis></para></entry> + +<entry colname="col2"><para>SWAT files</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis>/usr/local/samba/var</emphasis></para></entry> + +<entry colname="col2"><para>Samba log files, lock files, browse list info, shared memory files, process ID files</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Throughout the remainder of the book, we occasionally refer to the location of the <indexterm id="ch02-idx-947454-0"><primary>main tree</primary></indexterm>main tree as <replaceable>samba_dir</replaceable>. In most configurations, this is the <indexterm id="ch02-idx-947479-0"><primary>base directory</primary></indexterm>base directory of the installed Samba package: <filename>/usr/local/samba </filename> +<indexterm id="ch02-idx-947455-0"><primary sortas="usr/local/samba file">/usr/local/samba file</primary></indexterm>.</para> + + +<warning role="ora"> +<para>Watch out if you've made <filename>/usr</filename> a <indexterm id="ch02-idx-947472-0"><primary>read-only partitions</primary></indexterm>read-only partition. You will want to put the logs, locks, and password files somewhere else.</para> + +</warning> + +<para>Here is the installation that we performed on our machine. You can see that we used <filename>/usr/local/samba</filename> as the base directory for the distribution (e.g., <replaceable>samba_dir</replaceable>):</para> + + +<programlisting># <userinput>make install</userinput> +Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DSMBLOGFILE="/ +usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" - +DCONFIGFILE="/usr/local/samba/lib/smb.conf" - + +<lineannotation>...(content omitted)...</lineannotation> + +The binaries are installed. You may restore the old binaries +(if there were any) using the command "make revert". You may +uninstall the binaries using the command "make uninstallbin" +or "make uninstall" to uninstall binaries, man pages and shell +scripts. + +<lineannotation>...(content omitted)...</lineannotation> + +============================================================ +The SWAT files have been installed. Remember to read the +README for information on enabling and using SWAT. +============================================================</programlisting> + + +<para>If the last message is about SWAT, you've successfully installed all the files. Congratulations! You now have Samba on your system!</para> + + +<sect2 role="" label="2.3.1" id="ch02-SECT-3.1"> +<title>Final Installation Steps</title> + + +<para> +<indexterm id="ch02-idx-947480-0"><primary>installing Samba</primary><secondary>steps in</secondary><tertiary>final</tertiary></indexterm>There are a couple of final steps to perform. Specifically, add the <indexterm id="ch02-idx-947486-0"><primary>SWAT tool</primary><secondary>adding to configuration files</secondary></indexterm> +<indexterm id="ch02-idx-947486-1"><primary>Samba Web Administration Tool</primary><see>SWAT tool</see></indexterm>Samba Web Administration Tool (SWAT) to the <filename>/etc/services</filename> +<indexterm id="ch02-idx-947491-0"><primary sortas="etc.services configuration files">/etc/services configuration file, adding SWAT tool to</primary></indexterm> and <filename>/etc/inetd.conf</filename> +<indexterm id="ch02-idx-947493-0"><primary sortas="etc/inetd.conf configuration file">/etc/inetd.conf configuration files</primary><secondary>adding SWAT tool to</secondary></indexterm> configuration files. SWAT runs as a daemon under <emphasis>inetd</emphasis> and provides a forms-based editor in your web browser for creating and modifying SMB configuration files.</para> + + +<orderedlist> +<listitem><para>To add SWAT, add the following line to the end of the <filename>/etc/services</filename> file:</para> + +<programlisting>swat 901/tcp</programlisting></listitem> + +<listitem><para>Add these lines to <filename>/etc/inetd.conf.</filename> (Check your <filename>inetd.conf</filename> manual page to see the exact format of the<filename> inetd.conf</filename> file if it differs from the following example.) Don't forget to change the path to the SWAT binary if you installed it in a different location from the default <filename>/usr/local/samba</filename>.</para> + + +<programlisting>swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat</programlisting></listitem> +</orderedlist> + +<para>And that's pretty much it for the installation. Before you can start up Samba, however, you need to create a configuration file for it.<indexterm id="ch02-idx-947442-0" class="endofrange" startref="ch02-idx-947438-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="2.4" id="ch02-13464"> +<title>A Basic Samba Configuration File</title> + + +<para>The <indexterm id="ch02-idx-947692-0" class="startofrange"><primary>configuring Samba</primary><secondary>configuration file</secondary><tertiary>creating</tertiary></indexterm>key to configuring Samba is its lone configuration file: <filename>smb.conf</filename> +<indexterm id="ch02-idx-947693-0"><primary>smb.conf (Samba configuration) file</primary></indexterm>. This configuration file can be very simple or extremely complex, and the rest of this book is devoted to helping you get deeply personal with this file. For now, however, we'll show you how to set up a single file service, which will allow you to fire up the Samba daemons and see that everything is running as it should be. In later chapters, you will see how to configure Samba for more complicated and interesting tasks.</para> + + +<para>The installation process does not automatically create an <filename>smb.conf</filename> configuration file, although several example files are included in the Samba distribution. <indexterm id="ch02-idx-947541-0" class="startofrange"><primary>testing</primary><secondary>Samba</secondary></indexterm>To test the server software, though, we'll use the following file. It should be named <filename>smb.conf</filename> and placed in the <emphasis>/usr/local/samba/lib</emphasis> directory.<footnote label="5" id="ch02-pgfId-943223"> + + +<para>If you did not compile Samba, but instead downloaded a binary, check with the documentation for the package to find out where it expects the <filename>smb.conf</filename> file. If Samba came preinstalled with your Unix system, there is probably already an <filename>smb.conf</filename> file somewhere on your system.</para> + + +</footnote></para> + + +<programlisting>[global] + workgroup = SIMPLE +[test] + comment = For testing only, please + path = /export/samba/test + read only = no + guest ok = yes</programlisting> + + +<para>This brief configuration file tells the Samba server to offer the directory <filename>/export/samba/test</filename> +<indexterm id="ch02-idx-947498-0"><primary sortas="export/samba/test directory">/export/samba/test directory</primary></indexterm> on the server as an SMB/CIFS share called <indexterm id="ch02-idx-947499-0"><primary>test share</primary></indexterm><literal>test</literal>. The server also becomes part of the named workgroup SIMPLE, which each of the clients must also be a part of. (Use your own workgroup here if you already know what it is.) We'll use the <literal>[test]</literal> share in the next chapter to set up the Windows clients. For now, you can complete the setup by performing the following commands as root on your Unix server:</para> + + +<programlisting># <userinput>mkdir /export/samba/test</userinput> +# <userinput>chmod 777 /export/samba/test</userinput></programlisting> + + +<para>We should point out that in terms of system security, this is the worst setup possible. For the moment, however, we only wish to test Samba, so we'll leave security out of the picture. In addition, there are some encrypted password issues that we will encounter with Windows clients later on, so this setup will afford us the least amount of headaches.</para> + + +<tip role="ora"> +<para>If you are using Windows 98 or Windows NT Service Pack 3 or above, you must add the following entry to the <literal>[global]</literal> section of the Samba configuration file: <literal>encrypt passwords = yes</literal>. In addition, you must use the <filename>smbpassword</filename> program (typically located in <filename>/usr/local/samba/bin/ </filename>) to reenter the username/password combinations of those users on the Unix server who should be able to access shares into Samba's encrypted client database. For example, if you wanted to allow Unix user <literal>steve</literal> to access shares from an SMB client, you could type: <literal>smbpassword -a steve</literal>. The first time a user is added, the program will output an error saying that the encrypted password database does not exist. Don't worry, it will then create the database for you. Make sure that the username/password combinations that you add to the encrypted database match the usernames and passwords that you intend to use on the Windows client side.</para> + +</tip> + +<sect2 role="" label="2.4.1" id="ch02-SECT-4.1"> +<title>Using SWAT</title> + + +<para> +<indexterm id="ch02-idx-947510-0" class="startofrange"><primary>SWAT tool</primary><secondary>creating configuration file with</secondary></indexterm>With Samba 2.0, creating a configuration file is even easier than writing a configuration file by hand. You can use your browser to connect to <emphasis>http://localhost:901</emphasis>, and log on as the root account, as shown in <link linkend="ch02-60915">Figure 2.1</link>.</para> + + +<figure label="2.1" id="ch02-60915"> +<title>SWAT login</title> + +<graphic width="502" depth="188" fileref="figs/sam.0201.gif"></graphic> +</figure> + +<para>After logging in, press the GLOBALS button at the top of the screen. You should see the Global Variables page shown in <link linkend="ch02-49138">Figure 2.2</link>.</para> + + +<figure label="2.2" id="ch02-49138"> +<title>SWAT Global Variables page</title> + +<graphic width="502" depth="455" fileref="figs/sam.0202.gif"></graphic> +</figure> + +<para>In this example, set the workgroup field to SIMPLE and the security field to USER. The only other option you need to change from the menu is one determining which system on the LAN resolves NetBIOS addresses; this system is called the <emphasis>WINS server</emphasis> +<indexterm id="ch02-idx-947528-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>server</secondary></indexterm>. At the very bottom of the page, set the wins support field to Yes, unless you already have a WINS server on your network. If you do, put the WINS server's IP address in the wins server field instead. Then return to the top and press the Commit Changes button to write the changes out to the <emphasis>smb.conf</emphasis> file.</para> + + +<figure label="2.3" id="ch02-29175"> +<title>SWAT Share Creation screen</title> + +<graphic width="502" depth="392" fileref="figs/sam.0203.gif"></graphic> +</figure> + +<para>Next, press the Shares icon. You should see a page similar to <link linkend="ch02-29175">Figure 2.3</link>. Choose Test in the field beside the Choose Share button. You will see the Share Parameters screen, as shown in <link linkend="ch02-37186">Figure 2.4</link>. We added a comment to remind us that this is a test share in the <filename>smb.conf</filename> file. SWAT has copies of all that information here.</para> + + +<figure label="2.4" id="ch02-37186"> +<title>SWAT Share Parameters screen</title> + +<graphic width="502" depth="407" fileref="figs/sam.0204.gif"></graphic> +</figure> + +<para>If you press the View button, SWAT shows you the following <filename>smb.conf</filename> file:</para> + + +<programlisting># Samba config file created using SWAT +# from localhost (127.0.0.1) +# Date: 1998/11/27 15:42:40 + +# Global parameters + workgroup = SIMPLE +[test] + comment = For testing only, please + path = /export/samba/test + read only = no + guest ok = yes</programlisting> + + +<para>Once this configuration file is completed, you can skip the next step because the output of SWAT is guaranteed to be syntactically correct.<indexterm id="ch02-idx-947704-0" class="endofrange" startref="ch02-idx-947692-0"/></para> +</sect2> + + + + + +<sect2 role="" label="2.4.2" id="ch02-SECT-4.2"> +<title>Testing the Configuration File</title> + + +<para> +<indexterm id="ch02-idx-947573-0"><primary>configuring Samba</primary><secondary>configuration file</secondary><tertiary>testing</tertiary></indexterm> +<indexterm id="ch02-idx-947573-1"><primary>testing</primary><secondary>configuration file</secondary></indexterm>If you didn't use SWAT to create your configuration file, you should probably test it to ensure that it is syntactically correct. It may seem silly to run a test program against an eight-line configuration file, but it's good practice for the real ones that we'll be writing later on.</para> + + +<para>The<indexterm id="ch02-idx-947577-0"><primary>test parser</primary></indexterm> test parser, <filename>testparm</filename> +<indexterm id="ch02-idx-947578-0"><primary>testparm test parser</primary></indexterm>, examines an <filename>smb.conf</filename> file for <indexterm id="ch02-idx-947583-0"><primary>syntax errors</primary></indexterm> +<indexterm id="ch02-idx-947583-1"><primary>errors</primary><secondary>syntax</secondary></indexterm>syntax errors and reports any it finds along with a list of the <indexterm id="ch02-idx-947579-0"><primary>services</primary><secondary>list of enabled on machine</secondary></indexterm>services enabled on your machine. An example follows; you'll notice that in our haste to get the server running we mistyped <literal>workgroup</literal> as <literal>workgrp</literal> (the output is often lengthy, so we recommend capturing the last parts with the <literal>tee</literal> command):</para> + + +<programlisting>Load smb config files from smb.conf +Unknown parameter encountered: "workgrp" +Ignoring unknown parameter "workgrp" +Processing section "[test]" +Loaded services file OK. +Press enter to see a dump of your service definitions +# Global parameters +[global] + workgroup = WORKGROUP + netbios name = + netbios aliases = + server string = Samba 2.0.5a + interfaces = + bind interfaces only = No + +<lineannotation>...(content omitted)...</lineannotation> + +[test] + comment = For testing only, please + path = /export/samba/test + read only = No + guest ok = Yes</programlisting> + + +<para>The interesting parts are at the top and bottom. The top of the output will flag any syntax errors that you may have made, and the bottom lists the services that the server thinks it should offer. A word of advice: make sure that you and the server have the same expectations.<indexterm id="ch02-idx-947566-0" class="endofrange" startref="ch02-idx-947541-0"/></para> + + +<para>If everything looks good, then you are ready to fire up the server daemons!</para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="2.5" id="ch02-29069"> +<title>Starting the Samba Daemons</title> + + +<para>There <indexterm id="ch02-idx-947584-0" class="startofrange"><primary>daemons</primary><secondary>starting</secondary></indexterm> +<indexterm id="ch02-idx-947584-1"><primary>Samba</primary><secondary>daemons</secondary><see>daemons</see></indexterm>are two Samba processes, <emphasis>smbd</emphasis> +<indexterm id="ch02-idx-947586-0"><primary>smbd daemon</primary><secondary>starting</secondary></indexterm> and <emphasis>nmbd</emphasis> +<indexterm id="ch02-idx-947587-0"><primary>nmbd daemon</primary><secondary>starting</secondary></indexterm>, that need to be running for Samba to work correctly. There are three ways to start:</para> + + +<itemizedlist> +<listitem><para>By hand</para></listitem> +<listitem><para>As stand-alone daemons</para></listitem> +<listitem><para>From <emphasis>inetd</emphasis></para></listitem> +</itemizedlist> + +<sect2 role="" label="2.5.1" id="ch02-SECT-5.1"> +<title>Starting the Daemons by Hand</title> + + +<para>If you're in a hurry, you can start the Samba daemons by hand. As root, simply enter the following commands:</para> + + +<programlisting>#<userinput> /usr/local/samba/bin/smbd -D</userinput> +#<userinput> /usr/local/samba/bin/nmbd -D</userinput></programlisting> + + +<para>At this point, Samba will be running on your system and will be ready to accept connections.</para> +</sect2> + + + + + +<sect2 role="" label="2.5.2" id="ch02-SECT-5.2"> +<title>Stand-alone Daemons</title> + + +<para>To run the Samba processes as <indexterm id="ch02-idx-947591-0"><primary>stand-alone daemons</primary></indexterm> +<indexterm id="ch02-idx-947591-1"><primary>daemons</primary><secondary>stand-alone</secondary></indexterm>stand-alone daemons, you need to add the commands listed in the previous section to your standard Unix startup scripts. This varies depending on whether you have a BSD-style <indexterm id="ch02-idx-947596-0"><primary>Unix</primary><secondary>System V</secondary></indexterm>Unix system or a System V Unix.</para> + + +<sect3 role="" label="2.5.2.1" id="ch02-SECT-5.2.1"> +<title>BSD Unix</title> + + +<para>WIth a <indexterm id="ch02-idx-947597-0"><primary>BSD-style Unix system</primary></indexterm>BSD-style Unix, you need to append the following code to the <filename>rc.local </filename> +<indexterm id="ch02-idx-947598-0"><primary>rc.local file</primary></indexterm>file, which is typically found in the <filename>/etc</filename> +<indexterm id="ch02-idx-947599-0"><primary sortas="etc directory">/etc directory</primary></indexterm> +<indexterm id="ch02-idx-947599-1"><primary sortas="etc/rc/d directory">/etc/rc.d directory</primary></indexterm> or <filename>/etc/rc.d</filename> directories:</para> + + +<programlisting>if [ -x /usr/local/samba/bin/smbd]; then + echo "Starting smbd..." + /usr/local/samba/bin/smbd -D + echo "Starting nmbd..." + /usr/local/samba/bin/nmbd -D +fi</programlisting> + + +<para>This code is very simple; it checks to see if the <filename>smbd</filename> +<indexterm id="ch02-idx-947600-0"><primary>smbd daemon</primary><secondary>file</secondary></indexterm> file has <indexterm id="ch02-idx-947601-0"><primary>execute permissions</primary></indexterm>execute permissions on it, and if it does, it starts up each of the Samba daemons on system boot.</para> +</sect3> + + + +<sect3 role="" label="2.5.2.2" id="ch02-SECT-5.2.2"> +<title>System V Unix</title> + + +<para>With<indexterm id="ch02-idx-947602-0"><primary>System V Unix</primary></indexterm> System V, things can get a little more complex. System V typically uses scripts to start and stop daemons on the system. Hence, you need to instruct Samba how to operate when it starts and when it stops. You can modify the contents of the <filename>/etc/rc.local</filename> directory and add something similar to the following program entitled <filename>smb </filename>:</para> + + +<programlisting>#!/bin/sh + +# Contains the "killproc" function on Red Hat Linux +./etc/rc.d/init.d/functions + +PATH="/usr/local/samba/bin:$PATH" + +case $1 in + 'start') + echo "Starting smbd..." + smbd -D + echo "Starting nmbd..." + nmbd -D + ;; + 'stop') + echo "Stopping smbd and nmbd..." + killproc smbd + killproc nmbd + rm -f /usr/local/samba/var/locks/smbd.pid + rm -f /usr/local/samba/var/locks/nmbd.pid + ;; + *) + echo "usage: smb {start|stop}" + ;; +esac</programlisting> + + +<para>With this script, you can start and stop the SMB service with the following commands:</para> + + +<programlisting># /etc/rc.local/smb start +Starting smbd... +Starting nmbd... +# /etc/rc.local/smb stop +Stopping smbd and nmbd...</programlisting> +</sect3> +</sect2> + + + + + +<sect2 role="" label="2.5.3" id="ch02-SECT-5.3"> +<title>Starting From Inetd</title> + + +<para>The <emphasis>inetd</emphasis> +<indexterm id="ch02-idx-947588-0"><primary>inetd daemon, starting other daemons from</primary></indexterm> daemon is a Unix system's Internet "super daemon." It listens on TCP ports defined in <filename>/etc/services</filename> +<indexterm id="ch02-idx-947610-0"><primary sortas="etc.services configuration files">/etc/services configuration file, adding SWAT tool to</primary></indexterm> and executes the appropriate program for each port, which is defined in <filename>/etc/inetd.conf</filename> +<indexterm id="ch02-idx-947618-0"><primary sortas="etc/inetd.conf configuration file">/etc/inetd.conf configuration files</primary></indexterm>. The advantage of this scheme is that you can have a large number of daemons ready to answer queries, but they don't all have to be running. Instead, the <emphasis>inetd</emphasis> daemon listens in places of all the others. The penalty is a small overhead cost of creating a new daemon process, and the fact that you need to edit two files rather than one to set things up. This is handy if you have only one or two users or your machine has too many daemons already. It's also easier to perform an upgrade without disturbing an existing connection.</para> + + +<para>If you wish to start from <filename>inetd</filename>, first open <filename>/etc/services</filename> in your text editor. If you don't already have them defined, add the following two lines:</para> + + +<programlisting>netbios-ssn 139/tcp +netbios-ns 137/udp</programlisting> + + +<para>Next, edit <filename>/etc/inetd.conf</filename>. Look for the following two lines and add them if they don't exist. If you already have <literal>smbd</literal> and <literal>nmbd</literal> lines in the file, edit them to point at the new <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis> you've installed. Your brand of Unix may use a slightly different syntax in this file; use the existing entries and the <filename>inetd.conf </filename><command> </command>manual page<command> </command>as a guide:</para> + + +<programlisting>netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</programlisting> + + +<para>Finally, kill any <emphasis>smbd</emphasis> +<indexterm id="ch02-idx-947623-0"><primary>smbd daemon</primary><secondary>killing</secondary></indexterm> or <emphasis>nmbd</emphasis> +<indexterm id="ch02-idx-947634-0"><primary>nmbd daemon</primary><secondary>killing</secondary></indexterm> +<indexterm id="ch02-idx-947634-1"><primary>daemons</primary><secondary>killing</secondary></indexterm> processes and send the <emphasis>inetd</emphasis> process a <indexterm id="ch02-idx-947624-0"><primary>hangup (HUP) signal</primary></indexterm> +<indexterm id="ch02-idx-947624-1"><primary>HUP (hangup) signal</primary></indexterm>hangup (HUP) signal. (The <emphasis>inetd</emphasis> daemon rereads its configuration file on a HUP signal.) To do this, use the <literal>ps</literal> command to find its process ID, then signal it with the following command:</para> + + +<programlisting># <userinput>kill -HUP process_id</userinput></programlisting> + + +<para>After that, Samba should be up and running.<indexterm id="ch02-idx-947585-0" class="endofrange" startref="ch02-idx-947584-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="2.6" id="ch02-67898"> +<title>Testing the Samba Daemons</title> + + +<para> +<indexterm id="ch02-idx-947635-0"><primary>daemons</primary><secondary>testing</secondary></indexterm> +<indexterm id="ch02-idx-947635-1"><primary>testing</primary><secondary>daemons</secondary></indexterm>It's hard to believe, but we're nearly done with the Samba server setup. All that's left to do is to make sure that everything is working as we think it should. A convenient way to do this is to use the <filename>smbclient</filename> +<indexterm id="ch02-idx-947636-0"><primary>smbclient program</primary></indexterm> program to examine what the server is offering to the network. If everything is set up properly, you should be able to do the following:</para> + + +<programlisting><userinput># smbclient -U% -L localhost</userinput> + +Added interface ip=192.168.220.100 bcast=192.168.220.255 nmask=255.255.255.0 +Domain=[SIMPLE] OS=[Unix] Server=[Samba 2.0.5a] + + Sharename Type Comment + --------- ---- ------- + test Disk For testing only, please + IPC$ IPC IPC Service (Samba 2.0.5a) + + Server Comment + --------- ------- + HYDRA Samba 2.0.5a + + Workgroup Master + --------- ------- + SIMPLE HYDRA</programlisting> + + +<para>If there is a problem, don't panic! Try to start the daemons manually, and check the system output or the <indexterm id="ch02-idx-947637-0"><primary>debug files</primary></indexterm>debug files at <filename>/usr/local/samba/var/log.smb</filename> +<indexterm id="ch02-idx-947638-0"><primary sortas="usr/local/samba/var/log.smb file">/usr/local/samba/var/log.smb file</primary></indexterm> to see if you can determine what happened. If you think it may be a more serious problem, skip to <link linkend="SAMBA-CH-7">Chapter 7</link>, for help on troubleshooting the Samba daemons.</para> + + +<para>If it worked, congratulations! You now have successfully set up the Samba server with a <indexterm id="ch02-idx-947664-0"><primary>disk shares</primary></indexterm>disk share. It's a simple one, but we can use it to set up and test the Windows 95 and NT clients in the next chapter. Then we will start making it more interesting by adding services such as home directories, printers, and security, and seeing how to integrate the server into a larger Windows domain.<indexterm id="ch02-idx-947297-0" class="endofrange" startref="ch02-idx-947293-0"/></para> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch03.xml b/docs-xml/using_samba/ch03.xml new file mode 100644 index 0000000000..64f95ef3ed --- /dev/null +++ b/docs-xml/using_samba/ch03.xml @@ -0,0 +1,1384 @@ +<chapter label="3" id="SAMBA-CH-3"> +<title>Configuring Windows Clients</title> + + + + +<para> +<indexterm id="ch03-idx-947918-0" class="startofrange"><primary>Windows clients</primary><secondary>configuring</secondary></indexterm> +<indexterm id="ch03-idx-947918-1" class="startofrange"><primary>configuring Windows clients</primary></indexterm>You'll be glad to know that configuring Windows to use your new Samba server is quite simple. SMB is Microsoft's native language for resource sharing on a local area network, so much of the installation and setup on the Windows client side has been taken care of already. The primary issues that we will cover in this chapter involve communication and coordination between Windows and Unix, two completely different operating systems.</para> + + +<para>Samba uses TCP/IP to talk to its clients on the network. If you aren't already using TCP/IP on your Windows computers, this chapter will show you how to install it. Then you'll need to configure your Windows machines to operate on a TCP/IP network. Once these two requirements have been taken care of, we can show how to access a shared disk on the Samba server.</para> + + +<para>This chapter is divided into three sections. The first section covers setting up Windows 95/98 computers while the second covers Windows NT 4.0 machines. The final section provides some prerequisite information on how SMB connections are made from Windows clients and servers, which is useful as we move into the later chapters of the book.</para> + + + + + + + + + + + +<sect1 role="" label="3.1" id="ch03-55770"> +<title>Setting Up Windows 95/98 Computers</title> + + +<para> +<indexterm id="ch03-idx-947927-0" class="startofrange"><primary>Windows clients</primary><secondary>configuring</secondary><tertiary>Windows95/98 computers</tertiary></indexterm> +<indexterm id="ch03-idx-947927-1" class="startofrange"><primary>configuring Windows clients</primary><secondary>Windows 95/98 computers</secondary></indexterm>Unfortunately, Windows 95/98 wasn't designed for a PC to have more than one user; that concept is more inherent to a Unix operating system or Windows NT. However, <indexterm id="ch03-idx-947953-0"><primary>Windows 95/98</primary><secondary>multiple users, support for</secondary></indexterm>Windows 95/98 does have <emphasis>limited</emphasis> support for multiple users: if you tell it, the operating system will keep a separate <indexterm id="ch03-idx-947955-0"><primary>user profiles (Windows 95/98)</primary></indexterm>profile (desktop layout) and password file for each user. This is a far cry from true multiuser security. In other words, Windows 95/98 won't try to keep one user from destroying the work of another on the local hard drive like Unix, but profiles are a place to start.</para> + + +<sect2 role="" label="3.1.1" id="ch03-SECT-1.1"> +<title>Accounts and Passwords</title> + + +<para> +<indexterm id="ch03-idx-947956-0" class="startofrange"><primary>accounts</primary></indexterm> +<indexterm id="ch03-idx-947956-1" class="startofrange"><primary>passwords</primary><secondary>Windows 95/98</secondary></indexterm> +<indexterm id="ch03-idx-947956-2" class="startofrange"><primary>usernames</primary><secondary>Windows 95/98</secondary></indexterm>The first thing we need to do is to tell Windows to keep user profiles separate, and to collect usernames and passwords to authenticate anyone trying to access a Samba share. We do so via the <indexterm id="ch03-idx-947957-0"><primary>Password settings (Windows 95/98)</primary></indexterm>Password settings in the Control Panel. If you are not familiar with the Windows Control Panel, you can access it by choosing the Settings menu item from the pop-up menu of the Start button in the lower-left corner of the screen. Alternatively, you'll find it as a folder under the icon in the upper-left corner that represents your computer and is typically labeled <indexterm id="ch03-idx-947958-0"><primary>My Computer (Windows 95/98)</primary></indexterm>My Computer.</para> + + +<para>After selecting the Passwords icon in the Control Panel, click on the User Profiles tab on the far right. You should see the dialog box shown in <link linkend="ch03-84319">Figure 3.1</link>. Then click the lower of the two radio buttons that starts "Users can customize their preferences...." This causes Windows to store a separate profile for each user, and saves the username and password you provide, which it will use later when it connects to an SMB/CIFS server. Finally, check <emphasis>both</emphasis> the options under the User Profile Settings border, as shown in the figure.</para> + + +<figure label="3.1" id="ch03-84319"> +<title>The Passwords Properties panel</title> + +<graphic width="502" depth="289" fileref="figs/sam.0301.gif"></graphic> +</figure> + +<para>The next step is to select the Change Passwords tab on the left side of the dialog box. In order for Samba to allow you access to its shares, the username and password you give to Windows must match the account and password on the Samba server. If you don't have this tab in your dialog box, don't worry; it's probably because you haven't given yourself a Windows username and password yet. Simply click the OK button at the bottom and respond Yes when Windows asks to reboot. Then, skip down to <link linkend="ch03-57581">Section 3.1.1.2</link>.</para> + + +<sect3 role="" label="3.1.1.1" id="ch03-SECT-1.1.1"> +<title>Changing the Windows password</title> + + +<para> +<indexterm id="ch03-idx-947966-0"><primary>passwords</primary><secondary>Windows 95/98</secondary><tertiary>changing</tertiary></indexterm>After selecting the Change Passwords tab, the dialog box in <link linkend="ch03-26778">Figure 3.2</link> will appear.</para> + + +<figure label="3.2" id="ch03-26778"> +<title>The Change Passwords tab</title> + +<graphic width="502" depth="306" fileref="figs/sam.0302.gif"></graphic> +</figure> + +<para>Select the Change Windows Password button. The <indexterm id="ch03-idx-947967-0"><primary>Change Windows Password dialog box</primary></indexterm>Change Windows Password dialog box should appear, as shown in <link linkend="ch03-97002">Figure 3.3</link>. From here, you can change your password to match the password of the account on the Samba server through which you intend to log in.</para> + + +<figure label="3.3" id="ch03-97002"> +<title>The Change Windows Password dialog box</title> + +<graphic width="502" depth="135" fileref="figs/sam.0303.gif"></graphic> +</figure> +</sect3> + + + +<sect3 role="" label="3.1.1.2" id="ch03-57581"> +<title>Logging in for the first time</title> + + +<para> +<indexterm id="ch03-idx-947969-0"><primary>log files/logging</primary><secondary>in for the first time (Samba)</secondary></indexterm> +<indexterm id="ch03-idx-947969-1"><primary>Samba</primary><secondary>logging in for the first time</secondary></indexterm>If you didn't have a Change Passwords tab in the Passwords Properties window, then after Windows has finished rebooting, it will ask you to log in with a username and a password. Give yourself the same username and password that you have on the Samba server. After confirming your new username and password, or if you already have one, Windows should ask you if you want to have a <indexterm id="ch03-idx-947970-0"><primary>profiles</primary><secondary>creating</secondary></indexterm>profile, using the dialog shown in <link linkend="ch03-48947">Figure 3.4</link>. <indexterm id="ch03-idx-947961-0" class="endofrange" startref="ch03-idx-947956-0"/> +<indexterm id="ch03-idx-947961-1" class="endofrange" startref="ch03-idx-947956-1"/> +<indexterm id="ch03-idx-947961-2" class="endofrange" startref="ch03-idx-947956-2"/></para> + + +<figure label="3.4" id="ch03-48947"> +<title>Windows Networking profiles</title> + +<graphic width="502" depth="121" fileref="figs/sam.0304.gif"></graphic> +</figure> + +<para>Answer Yes, upon which Windows will create a separate profile and password file for you and save a copy of your password in the file. Now when you connect to Samba, Windows will send its password, which will be used to authenticate you for each share. We won't worry about profiles for the moment; we'll cover them in <link linkend="SAMBA-CH-6">Chapter 6</link>. We should point out, however, that there is a small security risk: someone can steal the <indexterm id="ch03-idx-947972-0"><primary>password file, security and</primary></indexterm>password file and decrypt the passwords because it's weakly encrypted. Unfortunately, there isn't a solution to this with Windows 95/98. In Windows 2000 (NT 5.0), the password encryption should be replaced with a much better algorithm.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="3.1.2" id="ch03-36280"> +<title>Setting Up the Network</title> + + +<para> +<indexterm id="ch03-idx-947983-0" class="startofrange"><primary>networking</primary><secondary>setting up</secondary></indexterm>The next thing we need to do is make sure we have the <indexterm id="ch03-idx-947973-0"><primary>TCP/IP networking protocol</primary><secondary>checking setup</secondary></indexterm>TCP/IP networking protocol set up correctly. To do this, double-click on the <indexterm id="ch03-idx-947975-0"><primary>Network icon</primary><secondary>Windows 95/98</secondary></indexterm>Network icon in the Control Panel. You should see the network configuration dialog box, as shown in <link linkend="ch03-15320">Figure 3.5</link>.</para> + + +<figure label="3.5" id="ch03-15320"> +<title>The Windows 95/98 Network panel</title> + +<graphic width="502" depth="371" fileref="figs/sam.0305.gif"></graphic> +</figure> + +<para>Microsoft networking works by binding specific protocols, such as IPX or TCP/IP, to a specific hardware device, such as an <indexterm id="ch03-idx-947977-0"><primary>Ethernet adaptor cards</primary></indexterm>Ethernet card or a <indexterm id="ch03-idx-948013-0"><primary>dialup connection</primary></indexterm>dialup connection. By routing a <indexterm id="ch03-idx-947976-0"><primary>protocols</primary><secondary>routed through a hardware device</secondary></indexterm>protocol through a hardware device, the machine can act as a client or server for a particular type of network. For Samba, we are interested in binding the TCP/IP protocol through a networking device, making the machine a client for Microsoft networks. Thus, when the dialog box appears, you should see at least the Client for Microsoft Networks component installed on the machine, and hopefully a networking device (preferably an Ethernet card) bound to the TCP/IP protocol. If there is only one networking hardware device, you'll see the TCP/IP protocol listed below that device. If it appears similar to <link linkend="ch03-15320">Figure 3.5</link>, the protocol is bound to the device.</para> + + +<para>You may also see <indexterm id="ch03-idx-947979-0"><primary sortas="File and Printer Sharing for Microsoft Networks">"File and Printer Sharing for Microsoft Networks"</primary></indexterm>"File and printer sharing for Microsoft Networks," which is useful. In addition, you might see <indexterm id="ch03-idx-947981-0"><primary>NetBEUI (NetBIOS Extended User Interface)</primary></indexterm>NetBEUI or <indexterm id="ch03-idx-947982-0"><primary>Novell Networking</primary></indexterm>Novell Networking, which are standard with Windows installations but undesirable when TCP/IP is running. Remove NetBEUI if you possibly can—it's unnecessary and makes debugging Windows browsing difficult. If you don't have any Novell servers on your network, you can remove Novell (IPX/SPX) as well.</para> + + +<sect3 role="" label="3.1.2.1" id="ch03-SECT-1.2.1"> +<title>Adding TCP/IP</title> + + +<para> +<indexterm id="ch03-idx-947991-0" class="startofrange"><primary>TCP/IP networking protocol</primary><secondary>adding/configuring</secondary></indexterm>If you don't see TCP/IP listed at all, you'll need to install the protocol. If you already have TCP/IP, skip this section, and continue with <link linkend="ch03-48802">Section 3.1.3</link>, later in this chapter.</para> + + +<para>Installing TCP/IP isn't difficult since Microsoft distributes its own version of TCP/IP for free on their installation CD-ROM. You can add the protocol by clicking on the Add button below the component window. Indicate that you wish to add a specific protocol by selecting Protocol and clicking Add... on the following dialog box, which should look similar to <link linkend="ch03-24245">Figure 3.6</link>.</para> + + +<figure label="3.6" id="ch03-24245"> +<title>Selecting a protocol to install</title> + +<graphic width="502" depth="195" fileref="figs/sam.0306.gif"></graphic> +</figure> + +<para>After that, select the protocol TCP/IP from manufacturer Microsoft, as shown in <link linkend="ch03-50801">Figure 3.7</link>, then click OK. After doing so, you will be returned to the network dialog. Click OK there to close the dialog box, upon which Windows will install the necessary components from disk and reboot the machine.</para> + + +<figure label="3.7" id="ch03-50801"> +<title>Selecting a protocol to install</title> + +<graphic width="502" depth="296" fileref="figs/sam.0307.gif"></graphic> +</figure> +</sect3> + + + +<sect3 role="" label="3.1.2.2" id="ch03-SECT-1.2.2"> +<title>Configuring TCP/IP</title> + + +<para> +<indexterm id="ch03-idx-948011-0"><primary>configuring TCP/IP networking protocol</primary></indexterm>If you have more than one networking device (for example, both an <indexterm id="ch03-idx-948014-0"><primary>Ethernet adaptor cards</primary><secondary>linking to TCP/IP networking protocol</secondary></indexterm>Ethernet card and a dialup networking <indexterm id="ch03-idx-948015-0"><primary>modem, linking to TCP/IP networking protocol</primary></indexterm>modem), each appropriate hardware device should be "linked" to the TCP/IP protocol with an arrow, as shown in <link linkend="ch03-61576">Figure 3.8</link>. Select the TCP/IP protocol linked to the networking device that will be accessing the Samba network. When it is highlighted, click the<indexterm id="ch03-idx-948019-0"><primary>Properties button (Windows 95/98)</primary></indexterm> Properties button.</para> + + +<figure label="3.8" id="ch03-61576"> +<title>Selecting the correct TCP/IP protocol</title> + +<graphic width="502" depth="389" fileref="figs/sam.0308.gif"></graphic> +</figure> + +<para>After doing so, the <indexterm id="ch03-idx-948028-0"><primary>TCP/IP Properties panel (Windows 95/98)</primary></indexterm>TCP/IP Properties panel for that device is displayed, as shown in <link linkend="ch03-73526">Figure 3.9</link>.</para> + + +<figure label="3.9" id="ch03-73526"> +<title>STCP/IP Properties panel</title> + +<graphic width="502" depth="303" fileref="figs/sam.0309.gif"></graphic> +</figure> + +<para>There are seven tabs near the top of this panel, and you will need to configure four of them:</para> + + +<itemizedlist> +<listitem><para>IP address</para></listitem> +<listitem><para>DNS configuration</para></listitem> +<listitem><para>WINS configuration</para></listitem> +<listitem><para>Bindings</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="3.1.2.3" id="ch03-SECT-1.2.3"> +<title>IP Address tab </title> + + +<para>The <indexterm id="ch03-idx-948038-0"><primary>IP Address tab</primary><secondary>Windows 95/98</secondary></indexterm> +<indexterm id="ch03-idx-948038-1"><primary>DHCP (Dynamic Host Configuration Protocol)</primary></indexterm>IP Address tab is shown in <link linkend="ch03-73526">Figure 3.9</link>. Press the "Specify an IP address" radio button and enter the client's address and subnet <indexterm id="ch03-idx-948214-0"><primary>masks</primary><secondary>subnet</secondary></indexterm> +<indexterm id="ch03-idx-948214-1"><primary>subnets</primary><secondary>mask</secondary></indexterm>mask in the space provided. You or your network manager should have selected an address for the machine. The values should place the computer on the same subnet as the Samba server. For example, if the server's address is 192.168.236.86, and its network <indexterm id="ch03-idx-948217-0"><primary>masks</primary><secondary>netmasks</secondary></indexterm> +<indexterm id="ch03-idx-948217-1"><primary>netmasks</primary></indexterm> +<indexterm id="ch03-idx-948217-2"><primary>network masks</primary><see>netmasks</see></indexterm>mask 255.255.255.0, you might use address 192.168.236.10 (if it is available) for the Windows 98 computer, along with the same netmask as the server. If you already use DHCP on your network to provide IP addresses to Windows machines, select the "Obtain an IP address automatically" button.</para> +</sect3> + + + +<sect3 role="" label="3.1.2.4" id="ch03-SECT-1.2.4"> +<title>DNS Configuration tab</title> + + +<para> +<indexterm id="ch03-idx-948039-0"><primary>DNS Configuration tab</primary></indexterm>Domain Name Service (<indexterm id="ch03-idx-948040-0"><primary>DNS (Domain Name System)</primary></indexterm> +<indexterm id="ch03-idx-948040-1"><primary>Domain Name System</primary><see>DNS</see></indexterm>DNS) is responsible for translating Internet computer names such as <emphasis>hobbes.example.com</emphasis> into machine-readable IP addresses such as 192.168.236.10. There are two ways to accomplish this on a Windows 98 machine: you can specify a server to do the translation for you or you can keep a local list of name/address pairs to refer to.</para> + + +<para>Networks that are connected to the Internet typically use a server, since the hosts files required would otherwise be huge. For an unconnected LAN, the list of possible hosts is small and well-known and might be kept on a Unix machine in the <emphasis>/etc/hosts</emphasis> +<indexterm id="ch03-idx-948046-0"><primary sortas="etc/hosts file">/etc/hosts file</primary></indexterm> file. If you are in doubt as to whether a DNS server is being used, or what its address might be, look at the file <emphasis>/etc/resolv.conf</emphasis> +<indexterm id="ch03-idx-948047-0"><primary sortas="etc/resolv.conf file">/etc/resolv.conf file </primary></indexterm> on your Unix servers. Any machine using DNS will have this file, which looks like:</para> + + +<programlisting>#resolv.conf +domain example.com +nameserver 127.0.0.1 +nameserver 192.168.236.20</programlisting> + + +<para>In the example shown, the second <literal>nameserver</literal> line in the list contains the IP address of another machine on the local network: 192.168.236.20. It's a good candidate for a DNS server.<footnote label="1" id="ch03-pgfId-942097"> + + +<para>We can disqualify the other address because every Unix machine has a localhost address of 127.0.0.1 whether it is connected to a network or not. This address is required for some system tools to operate correctly.</para> + + +</footnote></para> + + +<para>You must type the correct IP address of one or more DNS servers (note that you <emphasis>cannot</emphasis> use its Internet name, such as <emphasis>dns.oreilly.com</emphasis>) into the appropriate field in <link linkend="ch03-86883">Figure 3.10</link>. Be sure not to use 127.0.0.1—that will never be the correct DNS server address!</para> + + +<para>Try to select addresses on your own network. Any name servers listed in <emphasis>/etc/resolv.conf</emphasis> should work, but you'll get better performance by using a server nearby. (If you don't find <emphasis>/etc/resolv.conf</emphasis> files on your Unix machines, just disable DNS until you can find the address of at least one DNS server.) Let's assume you only have one DNS server, and its address is 192.168.236.20. Click the Enable DNS radio button, as shown in <link linkend="ch03-86883">Figure 3.10</link>, and add the server's address to the top DNS Server Search Order field.</para> + + +<figure label="3.10" id="ch03-86883"> +<title>The DNS Configuration tab</title> + +<graphic width="502" depth="360" fileref="figs/sam.0310.gif"></graphic> +</figure> + +<para>Also, provide the name of the Windows 95/98 machine and the Internet domain you're in. You can safely ignore the Domain Suffix Search Order field for anything related to Samba.</para> +</sect3> + + + +<sect3 role="" label="3.1.2.5" id="ch03-SECT-1.2.5"> +<title>WINS Configuration tab</title> + + +<para> +<indexterm id="ch03-idx-948063-0"><primary>WINS Configuration tab</primary></indexterm>WINS is the <indexterm id="ch03-idx-948065-0"><primary>WINS (Windows Internet Name Service)</primary></indexterm> +<indexterm id="ch03-idx-948065-1"><primary>Windows Internet Name Service</primary><see>WINS</see></indexterm>Windows Internet Name Service, its version of a <indexterm id="ch03-idx-948066-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>name server (NBNS)</secondary></indexterm>NetBIOS name server. If you've enabled WINS on Samba, you must tell Windows the Samba server's address. If you are using WINS servers that are entirely Windows NT, enter each of them here as well. The dialog box shown after selecting the WINS Configuration tab is shown in <link linkend="ch03-95608">Figure 3.11</link>.</para> + + +<figure label="3.11" id="ch03-95608"> +<title>The WINS Configuration tab</title> + +<graphic width="502" depth="389" fileref="figs/sam.0311.gif"></graphic> +</figure> + +<warning role="ora"> +<para>Do <emphasis>not</emphasis> mix a Samba WINS server and a Windows NT server as a primary/backup combination in the WINS dialog. Because the two cannot replicate their databases, this will cause name resolution to perform incorrectly.</para> + +</warning> + +<para>From here, select Enable WINS Resolution and enter the <indexterm id="ch03-idx-948058-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>servers</secondary></indexterm>WINS server's address in the space provided, then press Add. Do not enter anything in the Scope ID field.</para> +</sect3> + + + +<sect3 role="" label="3.1.2.6" id="ch03-SECT-1.2.6"> +<title>Hosts files</title> + + +<para> +<indexterm id="ch03-idx-948067-0"><primary>hosts</primary><secondary>files (Windows 95/98)</secondary></indexterm>If you do not have either DNS or WINS, and you don't wish to use <indexterm id="ch03-idx-948070-0"><primary>broadcast resolution</primary></indexterm>broadcast resolution, you'll need to provide a table of IP addresses and hostnames, in the standard Unix <filename>/etc/hosts</filename> format. On a Windows machine, this goes in <indexterm id="ch03-idx-948075-0"><primary sortas="Windows/HOSTS directory">\WINDOWS\HOSTS directory</primary></indexterm>\WINDOWS\HOSTS under whichever drive you installed Windows on (typically C:\). A sample host file follows:</para> + + +<programlisting># 127.0.0.1 localhost +192.168.236.1 escrime.example.com escrime +192.168.236.2 riposte.example.com riposte +192.168.236.3 wizzin.example.com wizzin +192.168.236.4 touche.example.com touche +192.168.236.10 hobbes.example.com hobbes</programlisting> + + +<para>You can copy this file directly from any of your Unix machines' <emphasis>/etc/hosts</emphasis> <indexterm id="ch03-idx-948074-0"><primary sortas="etc/hosts file">/etc/hosts file</primary></indexterm>; the format is identical. However, <emphasis>you should only use hosts files in Windows as a last resort for name resolution</emphasis> +<indexterm id="ch03-idx-948069-0"><primary>name resolution</primary></indexterm>.</para> +</sect3> + + + +<sect3 role="" label="3.1.2.7" id="ch03-SECT-1.2.7"> +<title>Check the bindings</title> + + +<para>The final tab to look at is <indexterm id="ch03-idx-948076-0"><primary>Bindings tab</primary></indexterm>Bindings, as shown in <link linkend="ch03-42906">Figure 3.12</link>.</para> + + +<figure label="3.12" id="ch03-42906"> +<title>The Bindings tab</title> + +<graphic width="502" depth="249" fileref="figs/sam.0312.gif"></graphic> +</figure> + +<para>You should have a check beside Client for Microsoft Networks, indicating that it's using TCP/IP. If you have <indexterm id="ch03-idx-948077-0"><primary sortas="File and Printer Sharing for Microsoft Networks">"File and Printer Sharing for Microsoft Networks"</primary></indexterm>"File and printer sharing for Microsoft Networks" in the dialog, it should also be checked, as shown in the figure.<indexterm id="ch03-idx-947986-0" class="endofrange" startref="ch03-idx-947983-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="3.1.3" id="ch03-48802"> +<title>Setting Your Name and Workgroup </title> + + +<para> +<indexterm id="ch03-idx-948082-0"><primary>naming</primary><secondary>TCP/IP networking protocol, setting machine name for</secondary></indexterm> +<indexterm id="ch03-idx-948082-1"><primary>workgroups</primary><secondary>setting</secondary></indexterm>Finally, press the OK button in the TCP/IP configuration panel, and you'll be taken back to the Network Configuration screen. Then select the <indexterm id="ch03-idx-948078-0"><primary>Identification tab</primary></indexterm>Identification tab, which will take you to the dialog box shown in <link linkend="ch03-42408">Figure 3.13</link>.</para> + + +<figure label="3.13" id="ch03-42408"> +<title>The Identification tab</title> + +<graphic width="502" depth="285" fileref="figs/sam.0313.gif"></graphic> +</figure> + +<para>Here, for the second time, set your machine's name. This time, instead of your DNS hostname and domain, you're setting your <indexterm id="ch03-idx-948084-0"><primary>NetBIOS name</primary><secondary>setting</secondary><tertiary>Windows 95/98</tertiary></indexterm>NetBIOS name. However, it is best to make this the <emphasis>same</emphasis> as your hostname. Try not to make a <indexterm id="ch03-idx-948085-0"><primary>spelling, caution with</primary></indexterm>spelling mistake: it can be very confusing to configure a machine if TCP thinks it's <literal>fred</literal> and SMB thinks its <literal>ferd</literal> !</para> + + +<para>You also set your workgroup name here. In our case, it's SIMPLE, but if you used a different one in <link linkend="SAMBA-CH-2">Chapter 2</link>, when creating the Samba configuration file, use that here as well. Try to avoid calling it WORKGROUP or you'll be in the same workgroup as every unconfigured (or ill-configured) machine in the world.</para> +</sect2> + + + + + +<sect2 role="" label="3.1.4" id="ch03-13238"> +<title>Accessing the Samba Server</title> + + +<para> +<indexterm id="ch03-idx-948086-0"><primary>Samba server</primary><secondary>accessing</secondary></indexterm> +<indexterm id="ch03-idx-948086-1"><primary>accessing Samba server</primary></indexterm>Click on the OK button to complete the configuration; you will need to reboot in order for your changes to take effect.</para> + + +<para>Now for the big moment. Your Samba server is running, and you have set up your Windows 95/98 client to communicate with it. After rebooting, log in and double-click the <indexterm id="ch03-idx-948087-0"><primary>Network Neighborhood icon</primary></indexterm>Network Neighborhood icon on the desktop. You should see your Samba server listed as a member of the workgroup, as shown in <link linkend="ch03-88553">Figure 3.14</link>.</para> + + +<figure label="3.14" id="ch03-88553"> +<title>Windows Network Neighborhood</title> + +<graphic width="502" depth="139" fileref="figs/sam.0314.gif"></graphic> +</figure> + +<para>Double-clicking the server name will show the resources that the server is offering to the network, as shown in <link linkend="ch03-17463">Figure 3.15</link> (in this case a printer and the <emphasis>test</emphasis> directory).</para> + + +<figure label="3.15" id="ch03-17463"> +<title>Shares on Server</title> + +<graphic width="502" depth="152" fileref="figs/sam.0315.gif"></graphic> +</figure> + +<warning role="ora"> +<para>If you are presented with a dialog requesting the password for a user <literal>IPC$</literal>, then Samba did not accept the password that was sent from the client. In this case, the username and the password that were created on the client side <emphasis>must</emphasis> match the username/password combination on the Samba server. If you are using Windows 98 or Windows NT Service Pack 3 or above, this is probably because the client is sending encrypted passwords instead of plaintext passwords. You can remedy this situation by performing two steps on the Samba server. First, add the following entry to the <literal>[global]</literal> section of your Samba configuration file: <literal>encrypt password=yes</literal>. Second, find the <filename>smbpasswd</filename> program on the samba server (it is located in <filename>/usr/local/samba/bin</filename> by default) and use it to add an entry to Samba's encrypted password database. For example, to add user <literal>steve</literal> to Samba's encrypted password database, type <replaceable>smbpasswd -a steve</replaceable>. The first time you enter this password, the program will output an error message indicating that the password database does not exist; it will then create the database, which is typically stored in <filename>/usr/local/samba/private/smbpasswd</filename>.</para> + +</warning> + +<para>If you don't see the server listed, start Windows Explorer (not Internet Explorer!) and select <indexterm id="ch03-idx-948088-0"><primary>Map Network Drive option</primary></indexterm>Map Network Drive from the Tools menu. This will give you a dialog box into which you can type the name of your server and the share <literal>test </literal>in the <indexterm id="ch03-idx-948089-0"><primary>Windows UNC format</primary></indexterm>Windows UNC format: <filename>\\</filename><replaceable>server</replaceable><filename>\test</filename>, like we did in the first chapter. This should attempt to contact the Samba server and its temporary share. If things still aren't right, go to <link linkend="SAMBA-CH-9">Chapter 9</link>, for troubleshooting assistance.<indexterm id="ch03-idx-947933-0" class="endofrange" startref="ch03-idx-947927-0"/> +<indexterm id="ch03-idx-947933-1" class="endofrange" startref="ch03-idx-947927-1"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="3.2" id="ch03-23093"> +<title>Setting Up Windows NT 4.0 Computers</title> + + +<para> +<indexterm id="ch03-idx-947940-0" class="startofrange"><primary>Windows clients</primary><secondary>configuring</secondary><tertiary>Windows NT 4.0 computers</tertiary></indexterm> +<indexterm id="ch03-idx-947940-1" class="startofrange"><primary>configuring Windows clients</primary><secondary>Windows NT 4.0 computers</secondary></indexterm>Configuring Windows NT is a little different than configuring Windows 95/98. In order to use Samba with Windows NT, you will need both the Workstation service and the TCP/IP protocol. Both come standard with NT, but we'll work through installing and configuring them because they may not be configured correctly.</para> + + +<para>There are six basic steps:</para> + + +<orderedlist> +<listitem><para>Assign the machine a name.</para></listitem> +<listitem><para>Install the Workstation service.</para></listitem> +<listitem><para>Install the TCP/IP protocol.</para></listitem> +<listitem><para>Set the machine's name and IP address.</para></listitem> +<listitem><para>Configure the DNS and WINS name services.</para></listitem> +<listitem><para>Bind the protocol and service together.</para></listitem> +</orderedlist> + +<sect2 role="" label="3.2.1" id="ch03-SECT-2.1"> +<title>Basic Configuration</title> + + +<para> +<indexterm id="ch03-idx-948108-0" class="startofrange"><primary>configuring Windows clients</primary><secondary>Windows NT 4.0 computers</secondary><tertiary>basic configuration</tertiary></indexterm>This section presents an outline of the steps to follow for getting Windows NT to cooperate with Samba. If you need more details on Windows NT network administration, refer to Craig Hunt and Robert Bruce Thompsom's <citetitle>Windows NT TCP/IP Network Administration </citetitle>(O'Reilly), an excellent guide. You should perform these steps as the "Administrator" user.</para> + + +<sect3 role="" label="3.2.1.1" id="ch03-SECT-2.1.1"> +<title>Name the machine</title> + + +<para> +<indexterm id="ch03-idx-948120-0"><primary>naming</primary><secondary>NT computers</secondary></indexterm> +<indexterm id="ch03-idx-948120-1"><primary>Windows NT</primary><secondary>naming, caution with</secondary></indexterm>The first thing you need to do is to give the machine a <indexterm id="ch03-idx-948122-0"><primary>NetBIOS name</primary><secondary>setting</secondary><tertiary>Windows NT</tertiary></indexterm>NetBIOS name. From the Control Panel, double click on the <indexterm id="ch03-idx-948123-0"><primary>Network icon</primary><secondary>Windows NT</secondary></indexterm>Network icon. This will take you to the <indexterm id="ch03-idx-948124-0"><primary>Network dialog box (Windows NT)</primary></indexterm>Network dialog box for the machine. The first tab in this dialog box should be the Identification tab, as illustrated in <link linkend="ch03-82592">Figure 3.16</link>.</para> + + +<figure label="3.16" id="ch03-82592"> +<title>Network panel Identification tab</title> + +<graphic width="502" depth="260" fileref="figs/sam.0316.gif"></graphic> +</figure> + +<para>Here, you need to identify your machine with a name (we use the name Artish here) and change the default workgroup to the one you specified in the <emphasis>smb.conf</emphasis> +<indexterm id="ch03-idx-948125-0"><primary>smb.conf (Samba configuration) file</primary></indexterm> file of your Samba server. In this case, the workgroup name is SIMPLE. However, you cannot edit either name here (as you could in Windows 95/98), but instead must use the Change button below the two text fields. Pressing this button raises an <indexterm id="ch03-idx-948126-0"><primary>Identification Changes dialog box (Windows NT)</primary></indexterm>Identification Changes dialog box, where you can reset the workgroup and the machine name, as shown in <link linkend="ch03-67735">Figure 3.17</link>.</para> + + +<figure label="3.17" id="ch03-67735"> +<title>Changing the identification</title> + +<graphic width="502" depth="360" fileref="figs/sam.0317.gif"></graphic> +</figure> + +<para> +<indexterm id="ch03-idx-948129-0"><primary>naming</primary><secondary>NT computers</secondary><tertiary>caution with</tertiary></indexterm>A word of warning: you will have to set the machine name again later while configuring TCP/IP, so be sure that the two names match. The name you set here is the NetBIOS name. You're allowed to make it different from the TCP/IP hostname, but doing so is usually not a good thing. Don't worry that Windows NT forces the computer name and the workgroup to be all capital letters; it's smart enough to figure out what you mean when it connects to the network.</para> +</sect3> + + + +<sect3 role="" label="3.2.1.2" id="ch03-SECT-2.1.2"> +<title>Installing the TCP/IP protocol</title> + + +<para> +<indexterm id="ch03-idx-948143-0"><primary>TCP/IP networking protocol</primary><secondary>installing</secondary></indexterm> +<indexterm id="ch03-idx-948143-1"><primary>installing TCP/IP protocol</primary></indexterm>Next, select the <indexterm id="ch03-idx-948150-0"><primary>Protocols tab</primary></indexterm>Protocols tab in the Network dialog box, and look to see if you have the TCP/IP protocol installed, as shown in <link linkend="ch03-66055">Figure 3.18</link>.</para> + + +<figure label="3.18" id="ch03-66055"> +<title>The Protocols tab</title> + +<graphic width="502" depth="257" fileref="figs/sam.0318.gif"></graphic> +</figure> + +<para>If the protocol is not installed, you need to add it. Press the Add button, which will display the <indexterm id="ch03-idx-948148-0"><primary>Select Network Protocol dialog box</primary></indexterm>Select Network Protocol dialog box shown in <link linkend="ch03-22321">Figure 3.19</link>. Unlike Windows 95/98, you should immediately see the TCP/IP protocol as one of the last protocols listed.</para> + + +<figure label="3.19" id="ch03-22321"> +<title>Select Network Protocol dialog box</title> + +<graphic width="502" depth="285" fileref="figs/sam.0319.gif"></graphic> +</figure> + +<para>Select TCP/IP<emphasis></emphasis> as the protocol and confirm it. If possible, install only the TCP/IP protocol. You usually do not want <indexterm id="ch03-idx-948149-0"><primary>NetBEUI (NetBIOS Extended User Interface)</primary><secondary>Windows NT computers and</secondary></indexterm>NetBEUI installed because this causes the machine to look for services under two different protocols, only one of which is likely in use.<footnote label="2" id="ch03-pgfId-943371"> + + +<para>A common occurrence: after looking at the unused protocol for a while, the machine will time out and try the good one. This fruitless searching gives you terrible performance and mysterious delays.</para> + + +</footnote></para> +</sect3> + + + +<sect3 role="" label="3.2.1.3" id="ch03-SECT-2.1.3"> +<title>Installing the Workstation service</title> + + +<para> +<indexterm id="ch03-idx-948151-0"><primary>Workstation service, installing</primary></indexterm> +<indexterm id="ch03-idx-948151-1"><primary>installing Workstation service</primary></indexterm> +<indexterm id="ch03-idx-948151-2"><primary>services</primary><secondary>Workstation</secondary></indexterm>After installing TCP/IP, press the <indexterm id="ch03-idx-948152-0"><primary>Services tab</primary></indexterm>Services tab in the Network panel and check that you have a Workstation service, as shown at the end of the list in <link linkend="ch03-97222">Figure 3.20</link>.</para> + + +<figure label="3.20" id="ch03-97222"> +<title>Network Services panel dialog box</title> + +<graphic width="502" depth="289" fileref="figs/sam.0320.gif"></graphic> +</figure> + +<para>This service is actually the <indexterm id="ch03-idx-948153-0"><primary>Microsoft Networking Client</primary></indexterm>Microsoft Networking Client, which allows the machine to access SMB services. The Workstation service is mandatory. The service is installed by default on both <indexterm id="ch03-idx-948154-0"><primary>Windows NT Workstation 4.0</primary></indexterm> +<indexterm id="ch03-idx-948155-0"><primary>Windows NT Server 4.0</primary></indexterm>Windows NT Workstation 4.0 and <indexterm id="ch03-idx-948159-0"><primary>TCP/IP networking protocol</primary><secondary>installing</secondary></indexterm> +<indexterm id="ch03-idx-948159-1"><primary>installing TCP/IP protocol</primary></indexterm>Server 4.0. If it's not there, you can install it much like TCP/IP. In this case you need to press the Add button and then select Workstation Service, as shown in <link linkend="ch03-40000">Figure 3.21</link>.</para> + + +<figure label="3.21" id="ch03-40000"> +<indexterm id="ch03-idx-948115-0" class="endofrange" startref="ch03-idx-948108-0"/><title>Select Network Service dialog box </title> + +<graphic width="502" depth="285" fileref="figs/sam.0321.gif"></graphic> +</figure> +</sect3> +</sect2> + + + + + +<sect2 role="" label="3.2.2" id="ch03-85837"> +<title>Configuring TCP/IP</title> + + +<para> +<indexterm id="ch03-idx-948163-0" class="startofrange"><primary>TCP/IP networking protocol</primary><secondary>configuring</secondary></indexterm> +<indexterm id="ch03-idx-948163-1" class="startofrange"><primary>configuring TCP/IP networking protocol</primary></indexterm>After you've installed the Workstation service, return to the <indexterm id="ch03-idx-948172-0"><primary>Protocols tab</primary></indexterm>Protocols tab and select the TCP/IP Protocol entry in the window. Then click the Properties button below the window. The Microsoft TCP/IP Protocol panel will be displayed. There are five tabs on the Windows NT panel, and (like Windows 95/98) you will need to work on three of them:</para> + + +<itemizedlist> +<listitem><para>IP address</para></listitem> +<listitem><para>DNS</para></listitem> +<listitem><para>WINS address</para></listitem> +</itemizedlist> + +<sect3 role="" label="3.2.2.1" id="ch03-SECT-2.2.1"> +<title>IP Address tab</title> + + +<para> +<indexterm id="ch03-idx-948191-0"><primary>IP Address tab</primary><secondary>Windows NT</secondary></indexterm>The IP Address tab is shown in <link linkend="ch03-97098">Figure 3.22</link>.</para> + + +<figure label="3.22" id="ch03-97098"> +<title>Microsoft TCP/IP Properties for Windows NT</title> + +<graphic width="502" depth="380" fileref="figs/sam.0322.gif"></graphic> +</figure> + +<para> +<indexterm id="ch03-idx-948212-0"><primary>Windows NT</primary><secondary>IP address, setting</secondary></indexterm> +<indexterm id="ch03-idx-948212-1"><primary>IP address</primary><secondary>setting for Windows NT computers</secondary></indexterm>Select the "Specify an IP address" radio button and enter the computer's address and <indexterm id="ch03-idx-948231-0"><primary>subnets</primary><secondary>mask</secondary></indexterm> +<indexterm id="ch03-idx-948231-1"><primary>masks</primary><secondary>subnet</secondary></indexterm>subnet mask in the space provided for the proper adapter (Ethernet card). You or your network manager should have selected an address for the client on the same subnet (LAN) as the Samba server. For example, if the server's address is 192.168.236.86 and its network mask 255.255.255.0, you might use the address 192.168.236.10, if it is available, for the NT workstation, along with the same <indexterm id="ch03-idx-948235-0"><primary>netmasks</primary></indexterm>netmask. If you use <indexterm id="ch03-idx-948242-0"><primary>DHCP (Dynamic Host Configuration Protocol)</primary></indexterm>DHCP on your network, select the "Obtain an IP Address from a DHCP server" button.</para> + + +<tip role="ora"> +<para>If you don't have an IP address to use, and you are on a network by yourself, steal ours, as the 192.168.<emphasis>x.x</emphasis> subnet is specifically reserved by the Internic for LANs. If you're not by yourself, see your system administrator for some available addresses on your network.</para> + +</tip> + +<para>The<indexterm id="ch03-idx-948244-0"><primary>gateway field</primary></indexterm> gateway field refers to a machine typically known as a <emphasis>router</emphasis> +<indexterm id="ch03-idx-948243-0"><primary>routers, TCP/IP configuring and</primary></indexterm>. If you have routers connecting multiple networks, you should put in the IP address of the one on your subnet.</para> +</sect3> + + + +<sect3 role="" label="3.2.2.2" id="ch03-SECT-2.2.2"> +<title>DNS tab</title> + + +<para> +<indexterm id="ch03-idx-948199-0"><primary>DNS (Domain Name System)</primary><secondary>tab</secondary></indexterm>Next we go to the tab for DNS, as shown in <link linkend="ch03-61878">Figure 3.23</link>. This brings up the DNS panel.</para> + + +<figure label="3.23" id="ch03-61878"> +<title>The DNS panel</title> + +<graphic width="502" depth="407" fileref="figs/sam.0323.gif"></graphic> +</figure> + +<para>The <indexterm id="ch03-idx-948248-0"><primary>DNS (Domain Name System)</primary><secondary>configuring</secondary></indexterm> +<indexterm id="ch03-idx-948248-1"><primary>configuring DNS (Windows NT)</primary></indexterm>Domain Name System (DNS) is responsible for translating human-readable computer names such as <emphasis>atrish.example.com</emphasis> into IP addresses such as 192.168.236.10. There are two ways to accomplish this on a NT machine. First, you can specify a DNS server to do the translation for you, or you can keep a local list of name/address pairs for your workstation to refer to.</para> + + +<para>For a LAN that's not on the Internet, the list of possible hosts is typically small and well known, and may be kept in a file locally. Networks that are connected to the Internet typically use DNS service since it isn't possible to guess ahead of time what addresses you might be accessing out on the net. If you are in doubt as to whether a DNS server is being used, or what its address might be, look at the file <emphasis>/etc/resolv.conf</emphasis> on your Samba server: any machine using DNS will have this file. It looks like the following:</para> + + +<programlisting>#resolv.conf +domain example.com +nameserver 127.0.0.1 +nameserver 192.168.236.20</programlisting> + + +<para>In this example, the first nameserver in the list is 127.0.0.1, which indicates that the Samba server is also a DNS server for this LAN.<footnote label="3" id="ch03-pgfId-946587"> + + +<para>The address 127.0.0.1 is known as the <emphasis>localhost</emphasis> +<indexterm id="ch03-idx-948263-0"><primary>localhost</primary><secondary>address</secondary></indexterm> address, and always refers to itself. For example, if you type <literal>ping 127.0.0.1</literal> on a Unix server, you should always get a response, as you're pinging the host itself.</para> + + +</footnote> In that case, you would use its network IP address (not 127.0.0.1, its localhost address) when filling in the DNS Configuration dialog box. Otherwise, use the other addresses you find in the lines beginning with <literal>nameserver</literal>. Try to select ones on your own network. Any name servers listed in <emphasis>/etc/resolv.conf</emphasis> should work, but you'll get better performance by using a server nearby.</para> + + +<para>Finally, enter the machine name once more, making sure that it's the same one listed in the Identification tab of the Network dialog box (before the NetBIOS name). Also, enter the DNS domain on which this machine resides. For example, if your workstation has a domain name such as <emphasis>example.com</emphasis>, enter it here. You can safely ignore the other options.</para> +</sect3> + + + +<sect3 role="" label="3.2.2.3" id="ch03-SECT-2.2.3"> +<title>WINS Address tab</title> + + +<para> +<indexterm id="ch03-idx-948207-0"><primary>WINS Address tab (Windows NT panel)</primary></indexterm> +<indexterm id="ch03-idx-948207-1"><primary>WINS (Windows Internet Name Service)</primary><secondary>address, configuring</secondary></indexterm> +<indexterm id="ch03-idx-948207-2"><primary>configuring WINS address</primary></indexterm>If you are not using a DNS server, you still need a way of translating NetBIOS names to addresses and back again. We recommend that you configure both DNS and WINS; <indexterm id="ch03-idx-948268-0"><primary>Windows NT</primary><secondary>WINS address and</secondary></indexterm>NT has a preference for WINS and WINS can use DNS as a fallback if it cannot resolve any machine address. The WINS Address tab is shown in <link linkend="ch03-20855">Figure 3.24</link>.</para> + + +<figure label="3.24" id="ch03-20855"> +<title>The WINS Address tab</title> + +<graphic width="502" depth="342" fileref="figs/sam.0324.gif"></graphic> +</figure> + +<para>If you have a WINS server, enter its address in the space marked Primary WINS Server. If your Samba server is providing WINS service (in other words, you have the line <literal>wins</literal> <literal>service</literal> <literal>=</literal> <literal>yes</literal> in the <emphasis>smb.conf</emphasis> file of your Samba server), provide the Samba server's IP address here. Otherwise, provide the address of another WINS server on your network.</para> + + +<para>You probably noticed that there is a field here for the adaptor; this field must specify the <indexterm id="ch03-idx-948269-0"><primary>Ethernet adaptor cards</primary></indexterm>Ethernet adaptor that you're running TCP/IP on so that WINS will provide name service on the correct network. If you have both a LAN and a dialup adaptor, make sure you have the LAN's adaptor here.</para> + + +<para>Finally, select the "Enable DNS for Windows Resolution" checkbox, so WINS will try <indexterm id="ch03-idx-948270-0"><primary>DNS (Domain Name System)</primary><secondary sortas="fallback for WINS address">as fallback for WINS address</secondary></indexterm>DNS as a fallback if it can't find a name. You can safely ignore the other options.</para> +</sect3> + + + +<sect3 role="" label="3.2.2.4" id="ch03-SECT-2.2.4"> +<title>Hosts files</title> + + +<para> +<indexterm id="ch03-idx-948271-0"><primary>hosts</primary><secondary>files (Windows NT computers)</secondary></indexterm>If you don't have either DNS or WINS, and you don't wish to use broadcast name resolution, you'll need to provide a table of IP addresses and hosts names, in standard Unix <filename>/etc/hosts</filename> format. We recommend against this because maintenance of this file on any dynamic network is troublesome, but we will explain it just the same. The Windows host file should appear in the <emphasis>\WINDOWS\HOSTS</emphasis> +<indexterm id="ch03-idx-948273-0"><primary sortas="WINDOWS\HOSTS directory">\WINDOWS\HOSTS directory</primary></indexterm> directory of whatever local drive Windows is installed on. A sample follows:</para> + + +<programlisting>127.0.0.1 localhost +192.168.236.1 escrime escrime.example.com +192.168.236.2 riposte riposte.example.com +192.168.236.3 wizzin wizzin.example.com +192.168.236.4 touche touche.example.com +192.168.236.5 gurgi gurgi.example.com +192.168.236.6 jessiac jessiac.example.com +192.168.236.7 skyline skyline.example.com</programlisting> + + +<para>If you wish, you can copy the contents directly from the Samba server's<filename> /etc/hosts</filename>. The format is identical. This file will then serve the same purpose as the hosts file on the Unix server. Again, <emphasis>hosts</emphasis> files on Windows should only be used as a last resort.</para> +</sect3> + + + +<sect3 role="" label="3.2.2.5" id="ch03-SECT-2.2.5"> +<title>Bindings</title> + + +<para>The term <firstterm>bindings</firstterm> +<indexterm id="ch03-idx-948274-0"><primary>bindings</primary></indexterm> +<indexterm id="ch03-idx-948274-1"><primary>service bindings</primary></indexterm> is a way of saying "connected together at configuration time." It means that the TCP/IP protocol will channel through the Ethernet card (instead of, say, a dialup connection), and is actually connected properly. If you return to the Network dialog box and set the Show field to "all services" and click on all the + buttons in the tree, you should see a display similar to <link linkend="ch03-83060">Figure 3.25</link>.</para> + + +<figure label="3.25" id="ch03-83060"> +<title>Service bindings</title> + +<graphic width="502" depth="332" fileref="figs/sam.0325.gif"></graphic> +</figure> + +<para>This means that the Workstation, Server, and NetBIOS interface services are connected to the WINS client. This is the correct binding for Microsoft TCP/IP.<indexterm id="ch03-idx-948166-0" class="endofrange" startref="ch03-idx-948163-0"/> +<indexterm id="ch03-idx-948166-1" class="endofrange" startref="ch03-idx-948163-1"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="3.2.3" id="ch03-SECT-2.3"> +<title>Connecting to the Samba Server</title> + + +<para> +<indexterm id="ch03-idx-948286-0"><primary>Samba server</primary><secondary>connecting to</secondary></indexterm>You can safely leave the default values for the remainder of the tabs in the Network dialog box. Click on the OK button to complete the configuration. Once the proper files are loaded (if any), you will need to reboot in order for your changes to take effect.</para> + + +<para>Now for the big moment. Your Samba server is running and you have set up your NT client to communicate with it. After the machine reboots, login and double-click the <indexterm id="ch03-idx-948283-0"><primary>Network Neighborhood icon</primary><secondary>viewing Samba server</secondary></indexterm> +<indexterm id="ch03-idx-948283-1"><primary>Samba server</primary><secondary>viewing via Network Neighborhood icon</secondary></indexterm>Network Neighborhood icon on the desktop, and you should see your Samba server listed as a member of the workgroup, as shown in <link linkend="ch03-50785">Figure 3.26</link>.</para> + + +<figure label="3.26" id="ch03-50785"> +<title>Windows NT Network Neighborhood</title> + +<graphic width="502" depth="163" fileref="figs/sam.0326.gif"></graphic> +</figure> + +<para> +<indexterm id="ch03-idx-949153-0"><primary>Samba server</primary><secondary>resources offered</secondary></indexterm>Double-clicking the server name will show the resources that the server is offering to the network, as shown in <link linkend="ch03-89532">Figure 3.27</link>. In this case, the test and the default printer are offered to the Window NT workstation. For more information, see the warning under <link linkend="ch03-13238">Section 3.1.4</link> earlier in this chapter.</para> + + +<figure label="3.27" id="ch03-89532"> +<title>Server's shares</title> + +<graphic width="502" depth="152" fileref="figs/sam.0327.gif"></graphic> +</figure> + +<warning role="ora"> +<para>If you are presented with a dialog requesting the password for a user <literal>IPC$</literal>, then Samba did not accept the password that was sent from the client. In this case, the username and the password that were created on the client side <emphasis>must</emphasis> match the username/password combination on the Samba server. If you are using Windows 98 or Windows NT Service Pack 3 or above, this is probably because the client is sending encrypted passwords instead of plaintext passwords. You can remedy this situation by performing two steps on the Samba server. First, add the following entry to the <literal>[global]</literal> section of your Samba configuration file: <literal>encrypt password=yes</literal>. Second, find the <filename>smbpasswd</filename> program on the samba server (it is located in <filename>/usr/local/samba/bin</filename> by default) and use it to add an entry to Samba's encrypted password database. For example, to add user <literal>steve</literal> to Samba's encrypted password database, type <replaceable>smbpasswd -a steve</replaceable>. The first time you enter this password, the program will output an error message indicating that the password database does not exist; it will then create the database, which is typically stored in <filename>/usr/local/samba/private/smbpasswd</filename>.</para> + +</warning> + +<para>If you don't see the server listed, don't panic. Start the Windows NT Explorer (not Internet Explorer!) and select Map Network Drive from the Tools menu. A dialog box appears that allows you to type the name of your server and its share directory in Windows format. For example, you would enter <filename>\\</filename><replaceable>server</replaceable><filename>\temp</filename> if your server happened to be named "server." If things still aren't right, go directly to <link linkend="ch09-29538">Section 9.2</link> in <link linkend="SAMBA-CH-9">Chapter 9</link>, to see if you can troubleshoot what is wrong with the network.</para> + + +<para>If it works, congratulations! Try writing to the server and sending data to the network printer. You will be pleasantly surprised how seamlessly everything works! Now that you've finished setting up the Samba server and its clients, we can starting talking about how Samba works and how to configure it to your liking. <indexterm id="ch03-idx-947946-0" class="endofrange" startref="ch03-idx-947940-0"/> +<indexterm id="ch03-idx-947946-1" class="endofrange" startref="ch03-idx-947940-1"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="3.3" id="ch03-64069"> +<title>An Introduction to SMB/CIFS</title> + + +<para> +<indexterm id="ch03-idx-948288-0" class="startofrange"><primary>SMB (Server Message Block)</primary></indexterm>We'll wrap up this chapter with a short tutorial on SMB/CIFS. SMB/CIFS is the protocol that Windows 95/98 and NT machines use to communicate with the Samba server and each other. At a high level, the SMB protocol suite is relatively simple. It includes commands for all of the file and print operations that you might do on a local disk or printer, such as:</para> + + +<itemizedlist> +<listitem><para> Opening and closing a file</para></listitem> +<listitem><para> Creating and deleting files and directories</para></listitem> +<listitem><para> Reading and writing a file</para></listitem> +<listitem><para> Searching for files</para></listitem> +<listitem><para> Queueing and dequeueing files to a print spool</para></listitem> +</itemizedlist> + +<para>Each of these operations can be encoded into an SMB message and transmitted to and from a server. The original name SMB comes from their data format: these are versions of the standard DOS system-call data structures, or <firstterm>Server Message Blocks</firstterm>, redesigned for transmitting to another machine across a network.</para> + + +<sect2 role="" label="3.3.1" id="ch03-SECT-3.1"> +<title>SMB Format</title> + + +<para> +<indexterm id="ch03-idx-948317-0"><primary>SMB (Server Message Block)</primary><secondary>format of</secondary></indexterm>Richard <indexterm id="ch03-idx-948318-0"><primary>Sharpe, Richard</primary></indexterm>Sharpe of the Samba team defines SMB as a "request-response" protocol.<footnote label="4" id="ch03-pgfId-942928"> + + +<para>See <systemitem role="url">http://anu.samba.org/cifs/docs/what-is-smb.html</systemitem> for Richard's excellent summary of SMB.</para> + + +</footnote> In effect, this means that a client sends an SMB request to a server, and the server sends an <indexterm id="ch03-idx-948320-0"><primary>SMB (Server Message Block)</primary><secondary>resources for further information</secondary></indexterm> +<indexterm id="ch03-idx-948320-1"><primary>URLs (uniform resource locators)</primary><secondary>SMB (Server Message Block)</secondary></indexterm>SMB response back to the client. Rarely does a server send a message that is not in response to a client.</para> + + +<para>An SMB message is not as complex as you might think. Let's take a closer look at the internal structure of such a message. It can be broken down into two parts: the <firstterm>header</firstterm> +<indexterm id="ch03-idx-948321-0"><primary>header, SMB</primary></indexterm>, which is a fixed size, and the <firstterm>command string</firstterm>, whose size can vary dramatically based on the contents of the message.</para> + + +<sect3 role="" label="3.3.1.1" id="ch03-SECT-3.1.1"> +<title>SMB header format</title> + + +<para><link linkend="ch03-31015">Table 3.1</link> shows the format of an SMB header. SMB commands are not required to use all the fields in the SMB header. For example, when a client first attempts to connect to a server, it does not yet have a <indexterm id="ch03-idx-948332-0"><primary>tree identifier (TID)</primary></indexterm> +<indexterm id="ch03-idx-948332-1"><primary>TID (tree identifier)</primary></indexterm>tree identifier (TID) value—one is assigned after it successfully connects—so a <indexterm id="ch03-idx-948333-0"><primary>null TID</primary></indexterm>null TID (0xFFFF) is placed in its header field. Other fields may be padded with zeros when not used.</para> + + +<para>The fields of the SMB header are listed in <link linkend="ch03-31015">Table 3.1</link>.</para> + + +<table label="3.1" id="ch03-31015"> +<title>SMB Header Fields </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>Field</para></entry> + +<entry colname="col2"><para>Size (bytes)</para></entry> + +<entry colname="col3"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>0xFF 'SMB'</literal></para></entry> + +<entry colname="col2"><para><literal>1</literal></para></entry> + +<entry colname="col3"><para> +<indexterm id="ch03-idx-948337-0"><primary>SMB (Server Message Block)</primary><secondary>header</secondary></indexterm>Protocol identifier</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>COM</literal></para></entry> + +<entry colname="col2"><para><literal>1</literal></para></entry> + +<entry colname="col3"><para>Command code, from 0x00 to 0xFF</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>RCLS</literal></para></entry> + +<entry colname="col2"><para><literal>1</literal></para></entry> + +<entry colname="col3"><para>Error class</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>REH</literal></para></entry> + +<entry colname="col2"><para><literal>1</literal></para></entry> + +<entry colname="col3"><para>Reserved</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ERR</literal></para></entry> + +<entry colname="col2"><para><literal>2</literal></para></entry> + +<entry colname="col3"><para>Error code</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>REB</literal></para></entry> + +<entry colname="col2"><para><literal>1</literal></para></entry> + +<entry colname="col3"><para>Reserved</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>RES</literal></para></entry> + +<entry colname="col2"><para><literal>14</literal></para></entry> + +<entry colname="col3"><para>Reserved</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>TID</literal></para></entry> + +<entry colname="col2"><para><literal>2</literal></para></entry> + +<entry colname="col3"><para>Tree identifier; a unique ID for a resource in use by client</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>PID</literal></para></entry> + +<entry colname="col2"><para><literal>2</literal></para></entry> + +<entry colname="col3"><para>Caller process ID</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>UID</literal></para></entry> + +<entry colname="col2"><para><literal>2</literal></para></entry> + +<entry colname="col3"><para>User identifier</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>MID</literal></para></entry> + +<entry colname="col2"><para><literal>2</literal></para></entry> + +<entry colname="col3"><para>Multiplex identifier; used to route requests inside a process</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect3> + + + +<sect3 role="" label="3.3.1.2" id="ch03-SECT-3.1.2"> +<title>SMB command format</title> + + +<para><firstterm></firstterm> +<indexterm id="ch03-idx-948328-0"><primary>command string, SMB</primary></indexterm>Immediately after the header is a variable number of bytes that constitute an SMB command or reply. Each command, such as Open File (COM field identifier: <literal>SMBopen</literal>) or Get Print Queue (<literal>SMBsplretq </literal>), has its own set of parameters and data. Like the SMB header fields, not all of the command fields need to be filled, depending on the specific command. For example, the Get Server Attributes (<literal>SMBdskattr</literal>) command sets the WCT and BCC fields to zero. The fields of the command segment are shown in <link linkend="ch03-38178">Table 3.2</link>.</para> + + +<table label="3.2" id="ch03-38178"> +<title>SMB Command Contents </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>Field</para></entry> + +<entry colname="col2"><para>Size in Bytes</para></entry> + +<entry colname="col3"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>WCT</literal></para></entry> + +<entry colname="col2"><para><literal>1</literal></para></entry> + +<entry colname="col3"><para><firstterm></firstterm> +<indexterm id="ch03-idx-948340-0"><primary>SMB (Server Message Block)</primary><secondary>command string</secondary></indexterm>Word count</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>VWV</literal></para></entry> + +<entry colname="col2"><para>Variable</para></entry> + +<entry colname="col3"><para>Parameter words (size given by WCT)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>BCC</literal></para></entry> + +<entry colname="col2"><para><literal>2</literal></para></entry> + +<entry colname="col3"><para>Parameter byte count</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>DATA</literal></para></entry> + +<entry colname="col2"><para>Variable</para></entry> + +<entry colname="col3"><para>Data (size given by BCC)</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Don't worry if you don't understand each of these fields; they are not necessary for using Samba at an administrator level. However, they do come in handy when debugging system messages. We will show you some of the more common SMB messages that clients and servers send using a modified version of <filename>tcpdump</filename> later in this section. (If you would like an SMB sniffer with a graphical interface, try "ethereal," which uses the GTK libraries; see the Samba homepage for more information on this tool.)</para> + + +<tip id="ch03-resources-for-further-information" role="ora"> +<para>If you would like more information on each of the commands for the SMB protocol, see the SMB/CIFS documentation at <systemitem role="ftpurl">ftp://ftp.microsoft.com/developr/drg/CIFS/</systemitem>.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="3.3.1.3" id="ch03-SECT-3.1.3"> +<title>SMB variations</title> + + +<para>The SMB protocol has been extended with new commands several times since its inception. Each new version is backwards compatible with the previous versions. This makes it quite possible for a LAN to have various clients and servers running different versions of the SMB protocol at once.</para> + + +<para><link linkend="ch03-67366">Table 3.3</link> outlines the major versions of the SMB protocol. Within each "dialect" of SMB are many sub-versions that include commands supporting particular releases of major operating systems. The ID string is used by clients and servers to determine what level of the protocol they will speak to each other.</para> + + +<table label="3.3" id="ch03-67366"> +<title>SMB Protocol Dialects </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>Protocol Name</para></entry> + +<entry colname="col2"><para>ID String</para></entry> + +<entry colname="col3"><para>Used By</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>Core</para></entry> + +<entry colname="col2"><para><literal>PC NETWORK PROGRAM 1.0</literal></para></entry> + +<entry colname="col3"></entry> + +</row> + +<row> + +<entry colname="col1"><para>Core Plus</para></entry> + +<entry colname="col2"><para><literal>MICROSOFT NETWORKS 1.03 </literal></para></entry> + +<entry colname="col3"></entry> + +</row> + +<row> + +<entry colname="col1"><para>LAN Manager 1.0</para></entry> + +<entry colname="col2"><para><literal>LANMAN1.0</literal></para></entry> + +<entry colname="col3"></entry> + +</row> + +<row> + +<entry colname="col1"><para>LAN Manager 2.0</para></entry> + +<entry colname="col2"><para><literal>LM1.2X002</literal></para></entry> + +<entry colname="col3"></entry> + +</row> + +<row> + +<entry colname="col1"><para>LAN Manager 2.1</para></entry> + +<entry colname="col2"><para><literal>LANMAN2.1</literal></para></entry> + +<entry colname="col3"></entry> + +</row> + +<row> + +<entry colname="col1"><para>NT LAN Manager 1.0</para></entry> + +<entry colname="col2"><para><literal>NT LM 0.12</literal></para></entry> + +<entry colname="col3"><para>Windows NT 4.0</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Samba's NT LM 0.12</para></entry> + +<entry colname="col2"><para><literal>Samba</literal></para></entry> + +<entry colname="col3"><para>Samba</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Common Internet File System</para></entry> + +<entry colname="col2"><para><literal>CIFS 1.0</literal></para></entry> + +<entry colname="col3"><para>Windows 2000</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Samba implements the <literal>NT</literal> <literal>LM</literal> <literal>0.12</literal> specification for NT LAN Manager 1.0. It is backwards compatible with all of the other SMB variants. The CIFS specification is, in reality, LAN Manager 0.12 with a few specific additions.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="3.3.2" id="ch03-SECT-3.2"> +<title>SMB Clients and Servers</title> + + +<para>As mentioned earlier, SMB is a client/server protocol. In the purest sense, this means that a client sends a request to a server, which acts on the request and returns a reply. However, the client/server roles can often be reversed, sometimes within the context of a single SMB session. For example, consider the two Windows 95/98 computers in <link linkend="ch03-69480">Figure 3.28</link>. The computer named WIZZIN shares a printer to the network, and the computer named ESCRIME shares a disk directory. WIZZIN is in the client role when accessing ESCRIME's network drive, and in the server role when printing a job for ESCRIME.</para> + + +<figure label="3.28" id="ch03-69480"> +<title>Two computers that both have resources to share</title> + +<graphic width="502" depth="153" fileref="figs/sam.0328.gif"></graphic> +</figure> + +<para>This brings out an important point in Samba terminology:</para> + + +<itemizedlist> +<listitem><para>A <firstterm>server</firstterm> is a machine with a resource to share.</para></listitem> +<listitem><para>A <firstterm>client</firstterm> is a machine that wishes to use that resource.</para></listitem> +<listitem><para>A server can be a client (of another computer's resource) at any given time.</para></listitem> +</itemizedlist> + +<para>Note that there are no implications as to the amount of resources that make up a server, or whether it has a large disk space or fast processor. A server could be an old 486 with a printer attached to it, or it could be an UltraSparc station with a 10 gigabyte disk service.</para> + + +<para>Microsoft Windows products have both the SMB client and server built in to the operating system. <indexterm id="ch03-idx-948356-0"><primary>Windows NT</primary><secondary>client/server and</secondary></indexterm>Wndows NT 4.0 uses a newer SMB protocol than Windows for Workgroups, and it offers an enhanced form of network security which will be discussed in <link linkend="SAMBA-CH-6">Chapter 6</link>. In addition, there are a large number of commercial <indexterm id="ch03-idx-948361-0"><primary>SMB (Server Message Block)</primary><secondary>commercial products for</secondary></indexterm>SMB server products available from companies such as Sun, Compaq, SCO, Hewlett-Packard, Syntax, and IBM. Unfortunately, on the client side there are far fewer offerings, limited mainly to Digital Equipment's Pathworks product, and of course, Samba.</para> +</sect2> + + + + + +<sect2 role="" label="3.3.3" id="ch03-SECT-3.3"> +<title>A Simple SMB Connection</title> + + +<para> +<indexterm id="ch03-idx-948363-0"><primary>SMB (Server Message Block)</primary><secondary>making a simple connection</secondary></indexterm> +<indexterm id="ch03-idx-948363-1"><primary>connections</primary><secondary>SMB</secondary></indexterm>Before we close this chapter, let's take a look at a simple SMB connection. This is some pretty technical data—which isn't really necessary to administer Samba—so you can skip over it if you like. We present this information largely as a way to help you get familiar with how the SMB protocol negotiates connections with other computers on the network.</para> + + +<para>There are four steps that the client and server must complete in order to establish a connection to a resource:</para> + + +<orderedlist> +<listitem><para> Establish a virtual connection.</para></listitem> +<listitem><para> Negotiate the protocol variant to speak.</para></listitem> +<listitem><para> Set session parameters.</para></listitem> +<listitem><para> Make a tree connection to a resource.</para></listitem> +</orderedlist> + +<para>We will examine each of these steps through the eyes of a useful tool that we mentioned earlier: the modified <filename>tcpdump</filename> +<indexterm id="ch03-idx-948362-0"><primary>tcpdump utility</primary></indexterm> +<indexterm id="ch03-idx-948362-1"><primary>downloads</primary><secondary>tcpdump utility</secondary></indexterm> that is available from the Samba web site.</para> + + +<tip role="ora"> +<para>You can download this program at <filename>samba.org</filename> in the <filename>samba/ftp/tcpdump-smb</filename> directory; the latest version as of this writing is 3.4-5. Use this program as you would use the standard <filename>tcpdump</filename> application, but add the <literal>-s 1500</literal> switch to ensure that you get the whole packet and not just the first few bytes.</para> + +</tip> + +<sect3 role="" label="3.3.3.1" id="ch03-SECT-3.3.1"> +<title>Establishing a virtual connection</title> + + +<para> +<indexterm id="ch03-idx-948365-0"><primary>connections</primary><secondary>virtual</secondary></indexterm> +<indexterm id="ch03-idx-948365-1"><primary>virtual connection</primary></indexterm>When a user first makes a request to access a network disk or send a print job to a remote printer, NetBIOS takes care of making a connection at the <indexterm id="ch03-idx-948366-0"><primary>session layer, connection at</primary></indexterm>session layer. The result is a bidirectional virtual channel between the client and server. In reality, there are only two messages that the client and server need to establish this connection. This is shown in the following example session request and response, as captured by <filename>tcpdump</filename> :</para> + + +<programlisting>>>> NBT Packet +NBT Session Request +Flags=0x81000044 +Destination=ESCRIME NameType=0x20 (Server) +Source=WIZZIN NameType=0x00 (Workstation) + +>>> NBT Packet +NBT Session Granted +Flags=0x82000000</programlisting> +</sect3> +</sect2> + + + + + +<sect2 role="" label="3.3.4" id="ch03-SECT-3.4"> +<title>Negotiating the Protocol Variant</title> + + +<para> +<indexterm id="ch03-idx-948367-0"><primary>protocols</primary><secondary>variant, negotiating</secondary></indexterm>At this point, there is an open channel between the client and server. Next, the client sends a message to the server to negotiate an SMB protocol. As mentioned earlier, the client sets its <indexterm id="ch03-idx-948373-0"><primary>tree identifier (TID)</primary></indexterm> +<indexterm id="ch03-idx-948373-1"><primary>TID (tree identifier)</primary></indexterm>tree identifier (TID) field to zero, since it does not yet know what TID to use. A <emphasis>tree identifier</emphasis> is a number that represents a connection to a share on a server.</para> + + +<para>The command in the message is <literal>SMBnegprot</literal>, a request to negotiate a protocol variant that will be used for the entire session. Note that the client sends to the server a list of all of the variants that it can speak, not vice versa.</para> + + +<para>The server responds to the <literal>SMBnegprot</literal> request with an index into the list of variants that the client offered, starting with index 0, or with the value 0xFF if none of the protocol variants are acceptable. Continuing this example, the server responds with the value 5, which indicates that the <literal>NT</literal> <literal>LM</literal> <literal>0.12</literal> dialect will be used for the remainder of the session:</para> + + +<programlisting>>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=154 + +SMB PACKET: SMBnegprot (REQUEST) +SMB Command = 0x72 +Error class = 0x0 +Error code = 0 +Flags1 = 0x0 +Flags2 = 0x0 +Tree ID = 0 +Proc ID = 5371 +UID = 0 +MID = 385 +Word Count = 0 +Dialect=PC NETWORK PROGRAM 1.0 +Dialect=MICROSOFT NETWORKS 3.0 +Dialect=DOS LM1.2X002 +Dialect=DOS LANMAN2.1 +Dialect=Windows for Workgroups 3.1a +Dialect=NT LM 0.12 + +>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=69 + +SMB PACKET: SMBnegprot (REPLY) +SMB Command = 0x72 +Error class = 0x0 +Error code = 0 +Flags1 = 0x0 +Flags2 = 0x1 +Tree ID = 0 +Proc ID = 5371 +UID = 0 +MID = 385 +Word Count = 02 +[000] 05 00</programlisting> +</sect2> + + + + + +<sect2 role="" label="3.3.5" id="ch03-SECT-3.5"> +<title>Set Session and Login Parameters</title> + + +<para> +<indexterm id="ch03-idx-948377-0"><primary>session parameters, setting</primary></indexterm> +<indexterm id="ch03-idx-948377-1"><primary>login parameters, setting</primary></indexterm>The next step is to transmit session and login parameters for the session. This includes the account name and password (if there is one), the workgroup name, the maximum size of data that can be transferred, and the number of pending requests that may be in the queue at any one time.</para> + + +<para>In the following example, the Session Setup command presented allows for an additional SMB command to be piggybacked onto it. The letter X at the end of the command name indicates this, and the hexadecimal code of the second command is given in the <literal>Com2</literal> field. In this case the command is <literal>0x75</literal>, which is the Tree Connect and X command. The <literal>SMBtconX</literal> message looks for the name of the resource in the <command>smb_buf</command> buffer. (This is the last field listed in the following request.) In this example, <command>smb_buf</command> contains the string <literal>\\ESCRIME\PUBLIC</literal>, which is the full pathname to a shared directory on node ESCRIME. Using the "and X" commands like this speeds up each transaction, since the server doesn't have to wait on the client to make a second request.</para> + + +<para>Note that the <indexterm id="ch03-idx-948382-0"><primary>TID (tree identifier)</primary></indexterm> +<indexterm id="ch03-idx-948382-1"><primary>tree identifier (TID)</primary></indexterm>TID is still zero. The server will provide a TID to the client once the session has been established and a connection has been made to the requested resource. In addition, note that the password is sent in the open. We can change this later using encrypted passwords:</para> + + +<programlisting>>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=139 + +SMB PACKET: SMBsesssetupX (REQUEST) +SMB Command = 0x73 +Error class = 0x0 +Error code = 0 +Flags1 = 0x10 +Flags2 = 0x0 +Tree ID = 0 +Proc ID = 5371 +UID = 1 +MID = 385 +Word Count = 13 +Com2=0x75 +Res1=0x0 +Off2=106 +MaxBuffer=2920 +MaxMpx=2 +VcNumber=0 +SessionKey=0x1FF2 +CaseInsensitivePasswordLength=1 +CaseSensitivePasswordLength=1 +Res=0x0 +Capabilities=0x1 +Pass1&Pass2&Account&Domain&OS&LanMan= + KRISTIN PARKSTR Windows 4.0 Windows 4.0 +PassLen=2 +Passwd&Path&Device= +smb_bcc=22 +smb_buf[]=\\ESCRIME\PUBLIC</programlisting> +</sect2> + + + + + +<sect2 role="" label="3.3.6" id="ch03-SECT-3.6"> +<title>Making Connection to a Resource</title> + + +<para> +<indexterm id="ch03-idx-948383-0"><primary>connections</primary><secondary>resources, connecting to</secondary></indexterm> +<indexterm id="ch03-idx-948383-1"><primary>resources, connecting to</primary></indexterm>For the final step, the server returns a TID to the client, indicating that the user has been authorized access and that the resource is ready to be used. It also sets the <command>ServiceType</command> field to "A" to indicate that this is a file service. Available service types are:</para> + + +<itemizedlist> +<listitem><para> "A" for a disk or file</para></listitem> +<listitem><para> "LPT1" for a spooled output</para></listitem> +<listitem><para> "COMM" for a direct-connect printer or modem</para></listitem> +<listitem><para> "IPC" for a named pipe</para></listitem> +</itemizedlist> + +<para>The output is:</para> + + +<programlisting>>>> NBT Packet +NBT Session Packet +Flags=0x0 +Length=78 + +SMB PACKET: SMBsesssetupX (REPLY) +SMB Command = 0x73 +Error class = 0x0 +Error code = 0 +Flags1 = 0x80 +Flags2 = 0x1 +Tree ID = 121 +Proc ID = 5371 +UID = 1 +MID = 385 +Word Count = 3 +Com2=0x75 +Off2=68 +Action=0x1 +[000] Unix Samba 1.9.1 +[010] PARKSTR + +SMB PACKET: SMBtconX (REPLY) (CHAINED) +smbvwv[]= +Com2=0xFF +Off2=78 +smbbuf[]= +ServiceType=A:</programlisting> + + +<para>Now that a TID has been assigned, the client may issue any sort of command that it would use on a local disk drive. It can open files, read and write to them, delete them, create new files, search for filenames, and so<indexterm id="ch03-idx-948291-0" class="endofrange" startref="ch03-idx-948288-0"/> on.<indexterm id="ch03-idx-947921-0" class="endofrange" startref="ch03-idx-947918-0"/> +<indexterm id="ch03-idx-947921-1" class="endofrange" startref="ch03-idx-947918-1"/></para> +</sect2> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch04.xml b/docs-xml/using_samba/ch04.xml new file mode 100644 index 0000000000..50f1d0e27b --- /dev/null +++ b/docs-xml/using_samba/ch04.xml @@ -0,0 +1,2182 @@ +<chapter label="4" id="ch04-21486"> +<title>Disk Shares </title> + + + + +<para> +<indexterm id="ch04-idx-967030-0" class="startofrange"><primary>disk shares</primary></indexterm>In the previous three chapters, we showed you how to install Samba on a Unix server and set up Windows clients to use a simple disk share. This chapter will show you how Samba can assume more productive roles on your network.</para> + + +<para>Samba's <indexterm id="ch04-idx-967124-0"><primary>daemons</primary></indexterm>daemons, <emphasis>smbd</emphasis> +<indexterm id="ch04-idx-967122-0"><primary>smbd daemon</primary></indexterm> and <emphasis>nmbd</emphasis> +<indexterm id="ch04-idx-967123-0"><primary>nmbd daemon</primary></indexterm>, are controlled through a single ASCII file, <filename>smb.conf</filename>, that can contain over 200 unique options. These options define how Samba reacts to the network around it, including everything from simple permissions to encrypted connections and NT domains. The next five chapters are designed to help you get familiar with this file and its options. Some of these options you will use and change frequently; others you may never use—it all depends on how much functionality you want Samba to offer its clients.</para> + + +<para>This chapter introduces the structure of the Samba configuration file and shows you how to use these options to create and modify disk shares. Subsequent chapters will discuss browsing, how to configure users, security, domains, and printers, and a host of other myriad topics that you can implement with Samba on your network.</para> + + + + + + + + + + + +<sect1 role="" label="4.1" id="ch04-76968"> +<title>Learning the Samba Configuration File</title> + + +<para><filename></filename> +<indexterm id="ch04-idx-968372-0" class="startofrange"><primary>smb.conf (Samba configuration) file</primary></indexterm>Here is an <filename></filename> +<indexterm id="ch04-idx-968374-0"><primary>smb.conf (Samba configuration) file</primary><secondary>example of</secondary></indexterm>example of a Samba configuration file. If you have worked with a Windows .INI file, the structure of the <filename>smb.conf </filename> file should look very familiar:</para> + + +<programlisting>[global] + log level = 1 + max log size = 1000 + socket options = TCP_NODELAY IPTOS_LOWDELAY + guest ok = no +[homes] + browseable = no + map archive = yes +[printers] + path = /usr/tmp + guest ok = yes + printable = yes +[test] + browseable = yes + read only = yes + guest ok = yes + path = /export/samba/test</programlisting> + + +<para>Although you may not understand the contents yet, this is a good configuration file to grab if you're in a hurry. (If you're not, we'll create a new one from scratch shortly.) In a nutshell, this configuration file sets up basic debug logging in a default log file not to exceed 1MB, optimizes TCP/IP socket connections between the Samba server and any SMB clients, and allows Samba to create a disk share for each user that has a standard Unix account on the server. In addition, each of the printers registered on the server will be publicly available, as will a single read-only share that maps to the <filename>/export/samba/test</filename> directory. The last part of this file is similar to the disk share you used to test Samba in <link linkend="SAMBA-CH-2">Chapter 2</link>.</para> + + +<sect2 role="" label="4.1.1" id="ch04-52415"> +<title>Configuration File Structure</title> + + +<para><filename></filename> +<indexterm id="ch04-idx-967054-0" class="startofrange"><primary>smb.conf (Samba configuration) file</primary><secondary>structure of</secondary></indexterm>Let's take another look at this configuration file, this time from a higher level:</para> + + +<programlisting>[global] + ... +[homes] + ... +[printers] + ... +[test] + ...</programlisting> + + +<para>The names inside the <indexterm id="ch04-idx-967103-0"><primary>square brackets</primary></indexterm>square brackets delineate unique sections of the <filename>smb.conf</filename> file; each <indexterm id="ch04-idx-967104-0"><primary>sections of smb.conf (Samba configuration) file</primary></indexterm>section names the <firstterm>share</firstterm> +<indexterm id="ch04-idx-967105-0"><primary>shares</primary></indexterm> (or <indexterm id="ch04-idx-967106-0"><primary>services</primary></indexterm>service) that the section refers to. For example, the <literal>[test]</literal> and <literal>[homes]</literal> sections are each unique disk shares; they contain options that map to specific directories on the Samba server. The <literal>[printers]</literal> share contains options that map to various printers on the server. All the sections defined in the <filename>smb.conf</filename> file, with the exception of the <literal>[global]</literal> section, will be available as a disk or printer share to clients connecting to the Samba server.</para> + + +<para>The remaining lines are individual configuration options unique to that share. These options will continue until a new bracketed section is encountered, or until the end of the file is reached. Each <indexterm id="ch04-idx-967107-0"><primary>configuration options</primary><secondary>format of</secondary></indexterm> +<indexterm id="ch04-idx-967107-1"><primary>smb.conf (Samba configuration) file</primary><secondary>options for</secondary><tertiary>format of</tertiary></indexterm>configuration option follows a simple format:</para> + + +<programlisting><replaceable>option</replaceable> = <replaceable>value</replaceable></programlisting> + + +<para>Options in the <filename>smb.conf</filename> file are set by assigning a value to them. We should warn you up front that some of the <indexterm id="ch04-idx-967109-0"><primary>option names</primary></indexterm>option names in Samba are poorly chosen. For example, <literal>read</literal> <literal>only</literal> is self-explanatory, and is typical of many recent Samba options. <literal>public</literal> is an older option, and is vague; it now has a less-confusing synonym <literal>guest</literal> <literal>ok</literal> (may be accessed by guests). We describe some of the more common historical names in this chapter in sections that highlight each major task. In addition, <link linkend="SAMBA-AP-C">Appendix C</link>, contains an alphabetical index of all the configuration options and their meanings.</para> + + +<sect3 role="" label="4.1.1.1" id="ch04-SECT-1.1.1"> +<title>Whitespaces, quotes, and commas</title> + + +<para>An important item to remember about configuration options is that all <indexterm id="ch04-idx-967110-0"><primary>whitespaces in values</primary></indexterm>whitespaces in the <replaceable>value</replaceable> are significant. For example, consider the following option:</para> + + +<programlisting>volume = The Big Bad Hard Drive Number 3543</programlisting> + + +<para>Samba strips away the spaces between the final <literal>e</literal> in <literal>volume</literal> and the first <literal>T</literal> in <literal>The</literal>. These whitespaces are insignificant. The rest of the whitespaces are significant and will be recognized and preserved by Samba when reading in the file. Space is not significant in option names (such as <literal>guest</literal> <literal>ok</literal>), but we recommend you follow convention and keep spaces between the words of options.</para> + + +<para>If you feel safer including <indexterm id="ch04-idx-967111-0"><primary>quotation marks in values</primary></indexterm>quotation marks at the beginning and ending of a configuration option's value, you may do so. Samba will ignore these quotation marks when it encounters them. Never use quotation marks around an option itself; Samba will treat this as an error.</para> + + +<para>Finally, you can use whitespaces to separate a series of values in a list, or you can use commas. These two options are equivalent:</para> + + +<programlisting>netbios aliases = sales, accounting, payroll +netbios aliases = sales accounting payroll</programlisting> + + +<para>In some values, however, you must use one form of separation—<indexterm id="ch04-idx-967367-0"><primary>spaces in values</primary></indexterm>spaces in some cases, <indexterm id="ch04-idx-967112-0"><primary>commas in values</primary></indexterm>commas in others.</para> +</sect3> + + + +<sect3 role="" label="4.1.1.2" id="ch04-SECT-1.1.2"> +<title>Capitalization</title> + + +<para> +<indexterm id="ch04-idx-967113-0"><primary>capitalization</primary></indexterm>Capitalization is not important in the Samba configuration file except in locations where it would confuse the underlying operating system. For example, let's assume that you included the following option in a share that pointed to <filename>/export/samba/simple </filename>:</para> + + +<programlisting>PATH = /EXPORT/SAMBA/SIMPLE</programlisting> + + +<para>Samba would have no problem with the <literal>path</literal> configuration option appearing entirely in capital letters. However, when it tries to connect to the given directory, it would be unsuccessful because the Unix filesystem in the underlying operating system <emphasis>is</emphasis> case sensitive. Consequently, the path listed would not be found and clients would be unable to connect to the share.</para> +</sect3> + + + +<sect3 role="" label="4.1.1.3" id="ch04-SECT-1.1.3"> +<title>Line continuation</title> + + +<para>You can continue a <indexterm id="ch04-idx-967114-0"><primary>line contiinuation</primary></indexterm>line in the Samba configuration file using the <indexterm id="ch04-idx-967115-0"><primary>\ (backslash) in smb.conf file</primary></indexterm> +<indexterm id="ch04-idx-967115-1"><primary>backslash (\) in smb.conf file</primary></indexterm>backslash, as follows:</para> + + +<programlisting>comment = The first share that has the primary copies \ + of the new Teamworks software product.</programlisting> + + +<para>Because of the backslash, these two lines will be treated as one line by Samba. The second line begins at the first non-whitespace character that Samba encounters; in this case, the <literal>o</literal> in <literal>of</literal>.</para> +</sect3> + + + +<sect3 role="" label="4.1.1.4" id="ch04-SECT-1.1.4"> +<title>Comments</title> + + +<para>You can insert <indexterm id="ch04-idx-967118-0"><primary>comments in smb.conf (Samba configuration) file</primary></indexterm>comments in the <filename>smb.conf</filename> configuration file by preceding a line with either a<indexterm id="ch04-idx-967119-0"><primary>hash mark (#) in comments</primary></indexterm> +<indexterm id="ch04-idx-967119-1"><primary># (hash mark)</primary></indexterm> hash mark (#) or a<indexterm id="ch04-idx-967120-0"><primary>semicolon (;) in configuration file comments</primary></indexterm> +<indexterm id="ch04-idx-967120-1"><primary>; (semicolon)</primary></indexterm> semicolon ( ; ). Both characters are equivalent. For example, the first three lines in the following example would be considered comments:</para> + + +<programlisting># This is the printers section. We have given a minimum print +; space of 2000 to prevent some errors that we've seen when +; the spooler runs out of space. + +[printers] + public = yes + min print space = 2000</programlisting> + + +<para>Samba will ignore all comment lines in its configuration file; there are no limitations to what can be placed on a comment line after the initial hash mark or semicolon. Note that the line <indexterm id="ch04-idx-967121-0"><primary>continuation character (\) in comments</primary></indexterm> +<indexterm id="ch04-idx-967121-1"><primary>\ (continuation character)</primary></indexterm>continuation character (<literal>\</literal>) will <emphasis>not</emphasis> be honored on a commented line. Like the rest of the line, it is ignored.</para> +</sect3> + + + +<sect3 role="" label="4.1.1.5" id="ch04-SECT-1.1.5"> +<title>Changes at runtime</title> + + +<para> +<indexterm id="ch04-idx-967126-0"><primary>changes at runtime</primary></indexterm>You can modify the <filename>smb.conf</filename> configuration file and any of its options at any time while the Samba daemons are running. By default, Samba checks the configuration file every 60 seconds for changes. If it finds any, the changes are immediately put into effect. If you don't wish to wait that long, you can force a reload by either sending a <indexterm id="ch04-idx-967127-0"><primary>SIGHUP signal</primary></indexterm>SIGHUP signal to the <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis> processes, or simply restarting the daemons.</para> + + +<para>For example, if the <emphasis>smbd</emphasis> <indexterm id="ch04-idx-967128-0"><primary>processes</primary><see>daemons</see></indexterm> +<indexterm id="ch04-idx-967128-1"><primary>daemons</primary><seealso>smbd daemon; nmbd daemon</seealso></indexterm> +<indexterm id="ch04-idx-967128-2"><primary>nmbd daemon</primary></indexterm>process was 893, you could force it to reread the configuration file with the following command:</para> + + +<programlisting># <emphasis role="bold">kill -SIGHUP 893</emphasis></programlisting> + + +<para>Not all changes will be immediately recognized by clients. For example, changes to a share that is currently in use will not be registered until the client disconnects and reconnects to that share. In addition, server-specific parameters such as the workgroup or NetBIOS name of the server will not register immediately either. This keeps active clients from being suddenly disconnected or encountering unexpected access problems while a session is open.<filename></filename> +<indexterm id="ch04-idx-967061-0" class="endofrange" startref="ch04-idx-967054-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="4.1.2" id="ch04-87365"> +<title>Variables</title> + + +<para><filename></filename> +<indexterm id="ch04-idx-967393-0" class="startofrange"><primary>smb.conf (Samba configuration) file</primary><secondary>variables for</secondary></indexterm> +<indexterm id="ch04-idx-967393-1" class="startofrange"><primary>variables</primary></indexterm>Samba includes a complete set of variables for determining characteristics of the Samba server and the clients to which it connects. Each of these variables begins with a <indexterm id="ch04-idx-967129-0"><primary>percent sign (%) in variables</primary></indexterm> +<indexterm id="ch04-idx-967129-1"><primary>% (percent sign)</primary></indexterm>percent sign, followed by a single uppercase or lowercase letter, and can be used only on the right side of a configuration option (e.g., after the equal sign):</para> + + +<programlisting>[pub] + path = /home/ftp/pub/%a</programlisting> + + +<para>The <literal>%a</literal> stands for the client machine's architecture (e.g., <literal>WinNT</literal> for Windows NT, <literal>Win95</literal> for Windows 95 or 98, or <literal>WfWg</literal> for Windows for Workgroups). Because of this, Samba will assign a unique <indexterm id="ch04-idx-967130-0"><primary>paths, architecture-specific</primary></indexterm>path for the <literal>[pub]</literal> share to client machines running Windows NT, a different path for client machines running Windows 95, and another path for Windows for Workgroups. In other words, the paths that each client would see as its share differ according to the client's architecture, as follows:</para> + + +<programlisting>/home/ftp/pub/WinNT +/home/ftp/pub/Win95 +/home/ftp/pub/WfWg</programlisting> + + +<para>Using variables in this manner comes in handy if you wish to have different users run custom configurations based on their own unique characteristics or conditions. Samba has 19 variables, as shown in <link linkend="ch04-10883">Table 4.1</link>.</para> + + +<table label="4.1" id="ch04-10883"> +<title>Samba Variables </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Variable</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry namest="col1" nameend="col2"><para><emphasis role="bold"> +<indexterm id="ch04-idx-968086-0"><primary>client variables</primary></indexterm>Client variables</emphasis></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%a</literal></para></entry> + +<entry colname="col2"><para><filename></filename> +<indexterm id="ch04-idx-968093-0"><primary>smb.conf (Samba configuration) file</primary><secondary>variables for</secondary><tertiary>list of</tertiary></indexterm>Client's architecture (e.g., Samba, WfWg, WinNT, Win95, or UNKNOWN)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%I</literal></para></entry> + +<entry colname="col2"><para>Client's IP address (e.g., 192.168.220.100)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%m</literal></para></entry> + +<entry colname="col2"><para>Client's NetBIOS name</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%M</literal></para></entry> + +<entry colname="col2"><para>Client's DNS name</para></entry> + +</row> + +<row> + +<entry namest="col1" nameend="col2"><para><emphasis role="bold"> +<indexterm id="ch04-idx-968108-0"><primary>user variables</primary></indexterm>User variables</emphasis></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%g</literal></para></entry> + +<entry colname="col2"><para>Primary group of <literal>%u</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%G</literal></para></entry> + +<entry colname="col2"><para>Primary group of <literal>%U</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%H</literal></para></entry> + +<entry colname="col2"><para>Home directory of <literal>%u</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%u</literal></para></entry> + +<entry colname="col2"><para>Current Unix username</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%U</literal></para></entry> + +<entry colname="col2"><para>Requested client username (not always used by Samba)</para></entry> + +</row> + +<row> + +<entry namest="col1" nameend="col2"><para><emphasis role="bold">Share variables</emphasis></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%p</literal></para></entry> + +<entry colname="col2"><para>Automounter's path to the share's root directory, if different from <literal>%P</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%P</literal></para></entry> + +<entry colname="col2"><para>Current share's root directory</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%S</literal></para></entry> + +<entry colname="col2"><para>Current share's name</para></entry> + +</row> + +<row> + +<entry namest="col1" nameend="col2"><para><emphasis role="bold">Server variables</emphasis></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%d</literal></para></entry> + +<entry colname="col2"><para>Current server process ID</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%h</literal></para></entry> + +<entry colname="col2"><para>Samba server's DNS hostname</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%L</literal></para></entry> + +<entry colname="col2"><para>Samba server's NetBIOS name</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%N</literal></para></entry> + +<entry colname="col2"><para>Home directory server, from the automount map</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%v</literal></para></entry> + +<entry colname="col2"><para>Samba version</para></entry> + +</row> + +<row> + +<entry namest="col1" nameend="col2"><para><emphasis role="bold">Miscellaneous variables</emphasis></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%R</literal></para></entry> + +<entry colname="col2"><para>The SMB protocol level that was negotiated</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%T</literal></para></entry> + +<entry colname="col2"><para>The current date and time</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para> +<indexterm id="ch04-idx-967143-0"><primary>configuration files</primary><secondary>machine-specific</secondary></indexterm>Here's another example of using variables: let's say that there are five clients on your network, but one client, <literal>fred</literal>, requires a slightly different <literal>[homes]</literal> configuration loaded when it connects to the Samba server. With Samba, it's simple to attack such a problem:</para> + + +<programlisting>[homes] + ... + include = /usr/local/samba/lib/smb.conf.%m + ...</programlisting> + + +<para>The <literal>include</literal> option here causes a separate configuration file for each particular NetBIOS machine (<literal>%m</literal>) to be read in addition to the current file. If the hostname of the client machine is <literal>fred</literal>, and if a <filename>smb.conf.fred</filename> file exists in the <replaceable>samba_dir</replaceable><filename>/lib/</filename> directory (or whatever directory you've specified for your configuration files), Samba will insert that configuration file into the default one. If any configuration options are restated in <filename>smb.conf.fred</filename>, those values will override any options previously encountered in that share. Note that we say "previously." If any options are restated in the main configuration file after the <literal>include</literal> option, Samba will honor those restated values for the share in which they are defined.</para> + + +<para>Here's the important part: if there is no such file, Samba will not generate an error. In fact, it won't do anything at all. This allows you to create only one extra configuration file for <literal>fred</literal> when using this strategy, instead of one for each NetBIOS machine that is on the network.</para> + + +<para>Machine-specific configuration files can be used both to customize particular clients and to make debugging Samba easier. Consider the latter; if we have one client with a problem, we can use this approach to give it a private log file with a more verbose logging level. This allows us to see what Samba is doing without slowing down all the other clients or overflowing the disk with useless logs. Remember, with large networks you may not always have the option to restart the Samba server to perform debugging!</para> + + +<para>You can use each of the variables in <link linkend="ch04-10883">Table 4.1</link> to give custom values to a variety of Samba options. We will highlight several of these options as we move through the next few chapters.<filename></filename> +<indexterm id="ch04-idx-967084-0" class="endofrange" startref="ch04-idx-967393-0"/> +<indexterm id="ch04-idx-967084-1" class="endofrange" startref="ch04-idx-967393-1"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.2" id="ch04-81402"> +<title>Special Sections</title> + + +<para><filename></filename> +<indexterm id="ch04-idx-967091-0" class="startofrange"><primary>smb.conf (Samba configuration) file</primary><secondary>special sections of</secondary></indexterm> +<indexterm id="ch04-idx-967091-1" class="startofrange"><primary>special sections, smb.conf (Samba configuration) file</primary></indexterm>Now that we've gotten our feet wet with variables, there are a few special sections of the Samba configuration file that we should talk about. Again, don't worry if you do not understand each and every configuration options listed below; we'll go over each of them over the course of the upcoming chapters.</para> + + +<sect2 role="" label="4.2.1" id="ch04-SECT-2.1"> +<title>The [globals] Section</title> + + +<para>The <literal>[globals]</literal> +<indexterm id="ch04-idx-967171-0"><primary sortas="globals section">[globals] section</primary></indexterm> +<indexterm id="ch04-idx-967171-1"><primary>shares</primary><secondary sortas="globals section">[globals] section</secondary></indexterm> section appears in virtually every Samba configuration file, even though it is not mandatory to define one. Any option set in this section of the file will apply to all the other shares, as if the contents of the section were copied into the share itself. There is one catch: other sections can list the same option in their section with a new value; this has the effect of overriding the value specified in the <literal>[globals]</literal> section.</para> + + +<para>To illustrate this, let's again look at the opening example of the chapter:</para> + + +<programlisting>[global] + log level = 1 + max log size = 1000 + socket options = TCP_NODELAY IPTOS_LOWDELAY + guest ok = no +[homes] + browseable = no + map archive = yes +[printers] + path = /usr/tmp + guest ok = yes + printable = yes + min print space = 2000 +[test] + browseable = yes + read only = yes + guest ok = yes + path = /export/samba/test</programlisting> + + +<para>In the previous example, if we were going to connect a client to the <literal>[test]</literal> share, Samba would first read in the <literal>[globals]</literal> section. At that point, it would set the option <literal>guest</literal> <literal>ok</literal> <literal>=</literal> <literal>no</literal> as the global default for each share it encounters throughout the configuration file. This includes the <literal>[homes]</literal> and <literal>[printers]</literal> shares. When it reads in the <literal>[test]</literal> share, however, it would then find the configuration option <literal>guest</literal> <literal>ok</literal> <literal>=</literal> <literal>yes</literal>, and override the default from the <literal>[globals]</literal> section with the value <literal>yes</literal> in the context of the <literal>[pub]</literal> share.</para> + + +<para>Any option that appears outside of a section (before the first marked section) is also assumed to be a global option.</para> +</sect2> + + + + + +<sect2 role="" label="4.2.2" id="ch04-SECT-2.2"> +<title>The [ homes] Section</title> + + +<para>If a client attempts to connect to a share that doesn't appear in the <filename>smb.conf</filename> file, Samba will search for a <literal>[homes]</literal> +<indexterm id="ch04-idx-967172-0"><primary sortas="homes share">[homes] share</primary></indexterm> share in the configuration file. If one exists, the unidentified share name is assumed to be a Unix username, which is queried in the password database of the Samba server. If that username appears, Samba assumes the client is a Unix user trying to connect to his or her home directory on the server.</para> + + +<para>For example, assume a client machine is connecting to the Samba server <literal>hydra</literal> for the first time, and tries to connect to a share named [<literal>alice]</literal>. There is no <literal>[alice]</literal> share defined in the <filename>smb.conf</filename> file, but there is a <literal>[homes]</literal>, so Samba searches the password database file and finds an <literal>alice</literal> user account is present on the system. Samba then checks the password provided by the client against user <literal>alice</literal>'s Unix password—either with the password database file if it's using non-encrypted passwords, or Samba's <filename>smbpasswd</filename> file if encrypted passwords are in use. If the passwords match, then Samba knows it has guessed right: the user <literal>alice</literal> is trying to connect to her home directory. Samba will then create a share called <literal>[alice]</literal> for her.</para> + + +<para>The process of using the <literal>[homes]</literal> section to create <indexterm id="ch04-idx-967175-0"><primary>users</primary><secondary>creating</secondary></indexterm>users (and dealing with their passwords) is discussed in more detail in the <link linkend="SAMBA-CH-6">Chapter 6</link>.</para> +</sect2> + + + + + +<sect2 role="" label="4.2.3" id="ch04-SECT-2.3"> +<title>The [printers] Section</title> + + +<para>The third special section is called <literal>[printers]</literal> +<indexterm id="ch04-idx-967173-0"><primary>print shares</primary></indexterm> and is similar to <literal>[homes]</literal>. If a client attempts to connect to a share that isn't in the <filename>smb.conf</filename> file, and its name can't be found in the password file, Samba will check to see if it is a printer share. Samba does this by reading the <indexterm id="ch04-idx-967182-0"><primary>printer capabilities file</primary></indexterm>printer capabilities file (usually <filename>/etc/printcap</filename>) to see if the share name appears there.<footnote label="1" id="ch04-pgfId-960558"> + + +<para>Depending on your system, this file may not be <emphasis>/etc/printcap</emphasis>. You can use the <emphasis>testparm</emphasis> command that comes with Samba to determine the value of the <literal>printcap</literal> <literal>name</literal> configuration option; this was the default value chosen when Samba was compiled.</para> + + +</footnote> If it does, Samba creates a share named after the printer.</para> + + +<para>Like <literal>[homes]</literal>, this means you don't have to maintain a share for each of your system printers in the <filename>smb.conf</filename> file. Instead, Samba honors the Unix printer registry if you request it to, and provides the registered printers to the client machines. There is, however, an obvious limitation: if you have an account named <literal>fred</literal> and a printer named <literal>fred</literal>, Samba will always find the user account first, even if the client really needed to connect to the printer.</para> + + +<para>The process of setting up the <literal>[printers]</literal> +<indexterm id="ch04-idx-968220-0"><primary>print shares</primary></indexterm> share is discussed in more detail in <link linkend="SAMBA-CH-7">Chapter 7</link>.<filename></filename> +<indexterm id="ch04-idx-968225-0"><primary>configuration files</primary><secondary>smb.conf (Samba configuration) file</secondary><see>smb.conf file</see></indexterm></para> +</sect2> + + + + + +<sect2 role="" label="4.2.4" id="ch04-SECT-2.4"> +<title>Configuration Options</title> + + +<para><filename></filename> +<indexterm id="ch04-idx-967407-0" class="startofrange"><primary>smb.conf (Samba configuration) file</primary><secondary>options for</secondary></indexterm>Options in the Samba configuration files fall into one of two categories: <firstterm>global</firstterm> or <firstterm>share</firstterm>. Each category dictates where an option can appear in the configuration file.</para> + + +<variablelist> +<varlistentry><term>Global</term> +<listitem><para> +<indexterm id="ch04-idx-967207-0"><primary>global options</primary></indexterm>Global options <emphasis>must</emphasis> appear in the <literal>[global]</literal> section and nowhere else. These are options that typically apply to the behavior of the Samba server itself, and not to any of its shares.</para></listitem> +</varlistentry> + + +<varlistentry><term>Share</term> +<listitem><para> +<indexterm id="ch04-idx-967209-0"><primary>share options</primary></indexterm>Share options can appear in specific shares, or they can appear in the <literal>[global]</literal> section. If they appear in the <literal>[global]</literal> section, they will define a default behavior for all shares, unless a share overrides the option with a value of its own.</para></listitem> +</varlistentry> +</variablelist> + + +<para>In addition, the values that a configuration option can take can be divided into four categories. They are as follows:</para> + + +<variablelist> +<varlistentry><term>Boolean</term> +<listitem><para> +<indexterm id="ch04-idx-967210-0"><primary>boolean type</primary></indexterm>These are simply yes or no values, but can be represented by any of the following: <literal>yes</literal>, <literal>no</literal>, <literal>true</literal>, <literal>false</literal>, <literal>0</literal>, <literal>1</literal>. The values are case insensitive: <literal>YES</literal> is the same as <literal>yes</literal>.</para></listitem> +</varlistentry> + + +<varlistentry><term>Numerical</term> +<listitem><para> +<indexterm id="ch04-idx-967220-0"><primary>numerical type</primary></indexterm>An integer, hexidecimal, or octal number. The standard <literal>0x</literal><emphasis>nn</emphasis> syntax is used for hexadecimal and <literal>0</literal><emphasis>nnn</emphasis> for octal.</para></listitem> +</varlistentry> + + +<varlistentry><term>String</term> +<listitem><para>A <indexterm id="ch04-idx-967222-0"><primary>string types</primary></indexterm>string of case-sensitive characters, such as a filename or a username.</para></listitem> +</varlistentry> + + +<varlistentry><term>Enumerated list</term> +<listitem><para>A finite list of known values. In effect, a boolean is an <indexterm id="ch04-idx-967223-0"><primary>enumerated lists</primary></indexterm>enumerated list with only two values.<filename></filename> +<indexterm id="ch04-idx-967166-0" class="endofrange" startref="ch04-idx-967091-0"/> +<indexterm id="ch04-idx-967166-1" class="endofrange" startref="ch04-idx-967091-1"/></para></listitem> +</varlistentry> +</variablelist> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.3" id="ch04-46076"> +<title>Configuration File Options</title> + + +<para>Samba has well over 200 configuration options at its disposal. So let's start off easy by introducing some of the options you can use to modify the configuration file itself.</para> + + +<para>As we hinted earlier in the chapter, configuration files are by no means static. You can instruct Samba to include or even replace configuration options as it is processing them. The options to do this are summarized in <link linkend="ch04-94939">Table 4.2</link>.</para> + + +<table label="4.2" id="ch04-94939"> +<title>Configuration File Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>config file</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified name)</para></entry> + +<entry colname="col3"><para>Sets the location of a configuration file to use instead of the current one.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>include</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified name)</para></entry> + +<entry colname="col3"><para>Specifies an additional segment of configuration options to be included at this point in the configuration file.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>copy</literal></para></entry> + +<entry colname="col2"><para>string (name of share)</para></entry> + +<entry colname="col3"><para>Allows you to clone the configuration options of another share in the current share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="4.3.1" id="ch04-SECT-3.0.1"> +<indexterm id="ch04-idx-968272-0"><primary>config file option</primary></indexterm> +<title> +config file</title> + + +<para>The global <literal>config</literal> <literal>file</literal> option specifies a replacement configuration file that will be loaded when the option is encountered. If the target file exists, the remainder of the current configuration file, as well as the options encounter so far, will be discarded; Samba will configure itself entirely with the options in the new file. The <literal>config</literal> <literal>file</literal> option takes advantage of the variables above, which is useful in the event that you want load a special configuration file based on the machine name or user of the client that it connecting.</para> + + +<para>For example, the following line instructs Samba to use a configuration file specified by the NetBIOS name of the client connecting, if such a file exists. If it does, options specified in the original configuration file are ignored. The following example attempts to lead a new configuration file based on the client's NetBIOS name:</para> + + +<programlisting>[global] + config file = /usr/local/samba/lib/smb.conf.%m</programlisting> + + +<para>If the configuration file specified does not exist, the option is ignored and Samba will continue to configure itself based on the current file.</para> +</sect2> + + + + + +<sect2 role="" label="4.3.2" id="ch04-SECT-3.0.2"> +<indexterm id="ch04-idx-968282-0"><primary>include option</primary></indexterm> +<title> +include</title> + + +<para>This option, discussed in greater detail earlier, copies the target file into the current configuration file at the point specified, as shown in <link linkend="ch04-97340">Figure 4.1</link>. This option also takes advantage of the variables specified earlier in the chapter, which is useful in the event that you want load configuration options based on the machine name or user of the client that it connecting. You can use this option as follows:</para> + + +<programlisting>[global] + include = /usr/local/samba/lib/smb.conf.%m</programlisting> + + +<para>If the configuration file specified does not exist, the option is ignored. Remember that any option specified previously is overridden. In <link linkend="ch04-97340">Figure 4.1</link>, all three options will override their previous values.</para> + + +<figure label="4.1" id="ch04-97340"> +<title>The include option in a Samba configuration file</title> + +<graphic width="502" depth="232" fileref="figs/sam.0401.gif"></graphic> +</figure> + +<para>The <literal>include</literal> option cannot understand the variables <literal>%u</literal> (user), <literal>%p</literal> (current share's rout directory), or <literal>%s</literal> (current share) because they are not set at the time the file is read.</para> +</sect2> + + + + + +<sect2 role="" label="4.3.3" id="ch04-SECT-3.0.3"> +<indexterm id="ch04-idx-968285-0"><primary>copy option</primary></indexterm> +<title> +copy</title> + + +<para>The <literal>copy</literal> configuration option allows you to clone the configuration options of the share name that you specify in the current share. The target share must appear earlier in the configuration file than the share that is performing the copy. For example:</para> + + +<programlisting>[template] + writable = yes + browsable = yes + valid users = andy, dave, peter + +[data] + path = /usr/local/samba + copy = template</programlisting> + + +<para>Note that any options in the share that invoked the <literal>copy</literal> directive will override those in the cloned share; it does not matter whether they appear before or after the <literal>copy</literal><filename></filename> +<indexterm id="ch04-idx-968230-0" class="endofrange" startref="ch04-idx-967407-0"/> directive.<filename></filename> +<indexterm id="ch04-idx-967416-0" class="endofrange" startref="ch04-idx-968372-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.4" id="ch04-71382"> +<title>Server Configuration</title> + + +<para> +<indexterm id="ch04-idx-967242-0" class="startofrange"><primary>configuring Samba</primary><secondary>server</secondary></indexterm>Now it's time to begin configuring your Samba server. Let's introduce three basic configuration options that can appear in the <literal>[global]</literal> section of your <filename>smb.conf</filename> file:</para> + + +<programlisting>[global] + # Server configuration parameters + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE</programlisting> + + +<para>This configuration file is pretty simple; it advertises the Samba server on a NBT network under the NetBIOS name <literal>hydra</literal>. In addition, the machine belongs to the workgroup SIMPLE and displays a description to clients that includes the Samba version number as well as the NetBIOS name of the Samba server.</para> + + +<tip role="ora"> +<para>If you had to enter <literal>encrypt passwords=yes</literal> in your earlier configuration file, you should do so here as well.</para> + +</tip> + +<para>Go ahead and try this configuration file. Create a file named <filename>smb.conf</filename> +<indexterm id="ch04-idx-967246-0"><primary>smb.conf (Samba configuration) file</primary><secondary>creating</secondary></indexterm> under the <filename>/usr/local/samba/lib</filename> directory with the text listed above. Then reset the Samba server and use a Windows client to verify the results. Be sure that your Windows clients are in the SIMPLE workgroup as well. After clicking on the <indexterm id="ch04-idx-967247-0"><primary>Network Neighborhood icon</primary></indexterm>Network Neighborhood on a Windows client, you should see a window similar to <link linkend="ch04-38915">Figure 4.2</link>. (In this figure, <literal>phoenix</literal> and <literal>chimaera</literal> are our Windows clients.)</para> + + +<figure label="4.2" id="ch04-38915"> +<title>Network Neighborhood showing the Samba server</title> + +<graphic width="502" depth="206" fileref="figs/sam.0402.gif"></graphic> +</figure> + +<para>You can verify the <literal>server</literal> <literal>string</literal> by listing the details of the Network Neighborhood window (select the Details menu item under the View menu), at which point you should see a window similar to <link linkend="ch04-50900">Figure 4.3</link>.</para> + + +<figure label="4.3" id="ch04-50900"> +<title>Network Neighborhood details listing</title> + +<graphic width="502" depth="220" fileref="figs/sam.0403.gif"></graphic> +</figure> + +<para>If you were to click on the Hydra icon, a window should appear that shows the services that it provides. In this case, the window would be completely empty because there are no shares on the server yet.</para> + + +<sect2 role="" label="4.4.1" id="ch04-SECT-4.1"> +<title>Server Configuration Options</title> + + +<para> +<indexterm id="ch04-idx-967248-0" class="startofrange"><primary>configuration options</primary><secondary>server</secondary></indexterm> +<indexterm id="ch04-idx-967248-1" class="startofrange"><primary>server configuration options</primary></indexterm><link linkend="ch04-61150">Table 4.3</link> summarizes the server configuration options introduced previously. Note that all three of these options are global in scope; in other words, they must appear in the <literal>[global]</literal> section of the configuration file.</para> + + +<table label="4.3" id="ch04-61150"> +<title>Server Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>netbios name</literal></para></entry> + +<entry colname="col2"><para>string</para></entry> + +<entry colname="col3"><para>Sets the primary NetBIOS name of the Samba server.</para></entry> + +<entry colname="col4"><para>Server DNS hostname</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>server string</literal></para></entry> + +<entry colname="col2"><para>string</para></entry> + +<entry colname="col3"><para>Sets a descriptive string for the Samba server.</para></entry> + +<entry colname="col4"><para><literal>Samba %v</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>workgroup</literal></para></entry> + +<entry colname="col2"><para>string</para></entry> + +<entry colname="col3"><para>Sets the NetBIOS group of machines that the server belongs to.</para></entry> + +<entry colname="col4"><para>Defined at compile time</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="4.4.1.1" id="ch04-SECT-4.1.1"> +<indexterm id="ch04-idx-968288-0"><primary>netbios name option</primary></indexterm> +<title> +netbios name</title> + + +<para>The <literal>netbios</literal> <literal>name</literal> option allows you to set the NetBIOS name of the server. For example:</para> + + +<programlisting>netbios name = YORKVM1</programlisting> + + +<para>The default value for this configuration option is the server's hostname; that is, the first part of its complete DNS machine name. For example, a machine with the DNS name <literal>ruby.ora.com</literal> would be given the NetBIOS name <literal>RUBY</literal> by default. While you can use this option to restate the machine's NetBIOS name in the configuration file (as we did previously), it is more commonly used to assign the Samba server a NetBIOS name other than its current DNS name. Remember that the name given must follow the rules for valid NetBIOS machine names as outlines in <link linkend="ch01-48078">Chapter 1</link>.</para> + + +<para>Changing the NetBIOS name of the server is not recommended unless you have a good reason. One such reason might be if the hostname of the machine is not unique because the LAN is divided over two or more DNS domains. For example, YORKVM1 is a good NetBIOS candidate for <emphasis>vm1.york.example.com</emphasis> to differentiate it from <emphasis>vm1.falkirk.example.com</emphasis>, which has the same hostname but resides in a different DNS domain.</para> + + +<para>Another use of this option is for relocating SMB services from a dead or retired machine. For example, if <literal>SALES</literal> is the SMB server for the department, and it suddenly dies, you could immediately reset <literal>netbios</literal> <literal>name</literal> <literal>=</literal> <literal>SALES</literal> on a backup Samba machine that's taking over for it. Users won't have to change their drive mappings to a different machine; new connections to <literal>SALES</literal> will simply go to the new machine.</para> +</sect3> + + + +<sect3 role="" label="4.4.1.2" id="ch04-SECT-4.1.2"> +<indexterm id="ch04-idx-968291-0"><primary>server string parameter</primary></indexterm> +<title> +server string</title> + + +<para>The <literal>server</literal> <literal>string</literal> parameter defines a comment string that will appear next to the server name in both the Network Neighborhood (when shown with the Details menu) and the comment entry of the Microsoft Windows print manager. You can use the standard variables to provide information in the description. For example, our entry earlier was:</para> + + +<programlisting>[global] + server string = Samba %v on (%h)</programlisting> + + +<para>The default for this option simply presents the current version of Samba and is equivalent to:</para> + + +<programlisting>server string = Samba %v</programlisting> +</sect3> + + + +<sect3 role="" label="4.4.1.3" id="ch04-SECT-4.1.3"> +<indexterm id="ch04-idx-968294-0"><primary>workgroup parameter</primary></indexterm> +<title> +workgroup</title> + + +<para>The <literal>workgroup</literal> parameter sets the current workgroup where the Samba server will advertise itself. Clients that wish to access shares on the Samba server should be on the same NetBIOS workgroup. Remember that workgroups are really just NetBIOS group names, and must follow the standard NetBIOS naming conventions outlined in <link linkend="ch01-48078">Chapter 1</link>. For example:</para> + + +<programlisting>[global] + workgroup = SIMPLE</programlisting> + + +<para>The default option for this parameter is set at compile time. If the entry is not changed in the makefile, it will be <literal>WORKGROUP</literal>. Because this tends to be the workgroup name of every unconfigured NetBIOS network, we recommend that you always set your workgroup name in the Samba configuration<indexterm id="ch04-idx-967252-0" class="endofrange" startref="ch04-idx-967248-0"/> +<indexterm id="ch04-idx-967252-1" class="endofrange" startref="ch04-idx-967248-1"/> file.<footnote label="2" id="ch04-pgfId-962322"> + + +<para>We should also mention that it is an inherently bad idea to have a workgroup that shares the same name as a server.</para> + + +</footnote> +<indexterm id="ch04-idx-967243-0" class="endofrange" startref="ch04-idx-967242-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.5" id="ch04-14274"> +<title>Disk Share Configuration</title> + + +<para> +<indexterm id="ch04-idx-967244-0" class="startofrange"><primary>configuring disk shares</primary></indexterm> +<indexterm id="ch04-idx-967244-1" class="startofrange"><primary>disk shares</primary><secondary>configuring</secondary></indexterm>We mentioned in the previous section that there were no disk shares on the <literal>hydra</literal> server. Let's continue with the configuration file and create an empty <indexterm id="ch04-idx-967268-0"><primary>disk shares</primary><secondary>creating</secondary></indexterm>disk share called [<literal>data</literal>]. Here are the additions that will do it:</para> + + +<programlisting>[global] + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE + +[data] + path = /export/samba/data + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes + guest ok = yes</programlisting> + + +<para>The <literal>[data]</literal> share is typical for a Samba disk share. The share maps to a directory on the Samba server: <filename>/export/samba/data</filename>. We've also provided a comment that describes the share as a <literal>Data</literal> <literal>Drive</literal>, as well as a volume name for the share itself.</para> + + +<para>The share is set to writeable so that users can write data to it; the default with Samba is to create a read-only share. As a result, this option needs to be explicitly set for each disk share you wish to make writeable.</para> + + +<para>You may have noticed that we set the <literal>guest</literal> <literal>ok</literal> parameter to <literal>yes</literal>. While this isn't very security-conscious, there are some password issues that we need to understand before setting up individual users and authentication. For the moment, this will sidestep those issues and let anyone connect to the share.</para> + + +<para>Go ahead and make these additions to your configuration file. In addition, create the <filename>/export/samba/data</filename> directory as root on your Samba machine with the following commands:</para> + + +<programlisting># <emphasis role="bold">mkdir /export/samba/data</emphasis> +# <emphasis role="bold">chmod 777 /export/samba/data</emphasis></programlisting> + + +<para>Now, if you connect to the <literal>hydra</literal> server again (you can do this by clicking on its icon in the Windows Network Neighborhood), you should see a single share listed entitled <literal>data</literal>, as shown in <link linkend="ch04-13866">Figure 4.4</link>. This share should also have read/write access to it. Try creating or copying a file into the share. Or, if you're really feeling adventurous, you can even try mapping a network drive to it!</para> + + +<figure label="4.4" id="ch04-13866"> +<title>The initial data share on the Samba server</title> + +<graphic width="502" depth="175" fileref="figs/sam.0404.gif"></graphic> +</figure> + +<sect2 role="" label="4.5.1" id="ch04-SECT-5.1"> +<title>Disk Share Configuration Options</title> + + +<para> +<indexterm id="ch04-idx-967272-0" class="startofrange"><primary>configuration options</primary><secondary>disk share</secondary></indexterm>The basic Samba configuration options for disk shares previously introduced are listed in <link linkend="ch04-82964">Table 4.4</link>.</para> + + +<table label="4.4" id="ch04-82964"> +<title>Basic Share Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>path (directory)</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Sets the Unix directory that will be provided for a disk share or used for spooling by a printer share</para></entry> + +<entry colname="col4"><para><literal>/tmp</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>guest ok (public)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, authentication is not needed to access this share</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>comment</literal></para></entry> + +<entry colname="col2"><para>string</para></entry> + +<entry colname="col3"><para>Sets the comment that appears with the share</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>volume</literal></para></entry> + +<entry colname="col2"><para>string</para></entry> + +<entry colname="col3"><para>Sets the volume name: the DOS name of the physical drive</para></entry> + +<entry colname="col4"><para>Share name</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>read only</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, allows read only access to a share.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>writeable (write ok)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>no</literal>, allows read only access to a share.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="4.5.1.1" id="ch04-SECT-5.1.1"> +<title>path</title> + + +<para> +<indexterm id="ch04-idx-967257-0"><primary>pathnames</primary><secondary>option for</secondary></indexterm> +<indexterm id="ch04-idx-967257-1"><primary>shares</primary><secondary>file, path option for</secondary></indexterm> +<indexterm id="ch04-idx-967257-2"><primary>print shares</primary><secondary>path option</secondary></indexterm>This option, which has the synonym <literal>directory</literal>, indicates the pathname at the root of the file or printing share. You can choose any path on the Samba server, so long as the owner of the Samba process that is connecting has read and write access to that directory. If the path is for a printing share, it should point to a temporary directory where files can be written on the server before being spooled to the target printer ( <filename> /tmp</filename> and <filename>/var/spool</filename> are popular choices). If this path is for a <indexterm id="ch04-idx-967258-0"><primary>disk shares</primary><secondary>path option</secondary></indexterm>disk share, the contents of the folder representing the share name on the client will match the content of the directory on the Samba server. For example, if we have the following disk share listed in our configuration file:</para> + + +<programlisting>[network] + path = /export/samba/network + writable = yes + guest ok = yes</programlisting> + + +<para>And the contents of the directory <filename>/usr/local/network</filename> on the Unix side are:</para> + + +<programlisting>$ <emphasis role="bold">ls -al /export/samba/network</emphasis> +drwxrwxrwx 9 root nobody 1024 Feb 16 17:17 . +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 .. +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 quicken +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 tax98 +drwxr-xr-x 9 nobody nobody 1024 Feb 16 17:17 taxdocuments</programlisting> + + +<para>Then we should see the equivalent of <link linkend="ch04-88746">Figure 4.5</link> on the client side.</para> + + +<figure label="4.5" id="ch04-88746"> +<title>Windows client view of a network filesystem specified by path</title> + +<graphic width="502" depth="155" fileref="figs/sam.0405.gif"></graphic> +</figure> +</sect3> + + + +<sect3 role="" label="4.5.1.2" id="ch04-SECT-5.1.2"> +<indexterm id="ch04-idx-968300-0"><primary>guest ok option</primary></indexterm> +<title> +guest ok</title> + + +<para>This option (which has an older synonym <literal>public</literal>) allows or prohibits guest access to a share. The default value is <literal>no</literal>. If set to <literal>yes</literal>, it means that no username or password will be needed to connect to the share. When a user connects, the access rights will be equivalent to the designated guest user. The default account to which Samba offers the share is <literal>nobody</literal>. However, this can be reset with the <literal>guest</literal> <literal>account</literal> configuration option. For example, the following lines allow guest user access to the <literal>[accounting]</literal> share with the permissions of the <emphasis>ftp</emphasis> account:</para> + + +<programlisting>[global] + guest account = ftp +[accounting] + path = /usr/local/account + guest ok = yes</programlisting> + + +<para>Note that users can still connect to the share using a valid username/password combination. If successful, they will hold the access rights granted by their own account and not the guest account. If a user attempts to log in and fails, however, he or she will default to the access rights of the guest account. You can mandate that every user who attaches to the share will be using the guest account (and will have the permissions of the guest) by setting the option <literal>guest</literal> <literal>only</literal> <literal>=</literal> <literal>yes</literal>.</para> +</sect3> + + + +<sect3 role="" label="4.5.1.3" id="ch04-SECT-5.1.3"> +<indexterm id="ch04-idx-968303-0"><primary>comment option</primary></indexterm> +<title> +comment</title> + + +<para>The <literal>comment</literal> option allows you to enter a comment that will be sent to the client when it attempts to browse the share. The user can see the comment by listing Details on the share folder under the appropriate computer in the Windows Network Neighborhood, or type the command <literal>NET</literal> <literal>VIEW</literal> at an MS-DOS prompt. For example, here is how you might insert a comment for a <literal>[network]</literal> share:</para> + + +<programlisting>[network] + comment = Network Drive + path = /export/samba/network</programlisting> + + +<para>This yields a folder similar to <link linkend="ch04-34850">Figure 4.6</link> on the client side. Note that with the current configuration of Windows, this comment will not be shown once a share is mapped to a Windows network drive.</para> + + +<figure label="4.6" id="ch04-34850"> +<title>Windows client view of a share comment</title> + +<graphic width="502" depth="135" fileref="figs/sam.0406.gif"></graphic> +</figure> + +<para>Be sure not to confuse the <literal>comment</literal> option, which documents a Samba server's shares, with the <literal>server</literal> <literal>string</literal> option, which documents the server itself.</para> +</sect3> + + + +<sect3 role="" label="4.5.1.4" id="ch04-SECT-5.1.4"> +<indexterm id="ch04-idx-968306-0"><primary>volume option</primary></indexterm> +<title> +volume</title> + + +<para>This option allows you to specify the volume name of the share as reported by SMB. This normally resolves to the name of the share given in the <filename>smb.conf</filename> file. However, if you wish to name it something else (for whatever reason) you can do so with this option.</para> + + +<para>For example, an installer program may check the volume name of a CD-ROM to make sure the right CD-ROM is in the drive before attempting to install it. If you copy the contents of the CD-ROM into a network share, and wish to install from there, you can use this option to get around the issue:</para> + + +<programlisting>[network] + comment = Network Drive + volume = ASVP-102-RTYUIKA + path = /home/samba/network</programlisting> +</sect3> + + + +<sect3 role="" label="4.5.1.5" id="ch04-SECT-5.1.5"> +<indexterm id="ch04-idx-968309-0"><primary>read only option</primary></indexterm> +<indexterm id="ch04-idx-968309-1"><primary>writeable/write ok option</primary></indexterm> +<title> + +read only and writeable</title> + + +<para>The options <literal>read</literal> <literal>only</literal> and <literal>writeable</literal> (or <literal>write</literal> <literal>ok </literal>) are really two ways of saying the same thing, but approached from opposite ends. For example, you can set either of the following options in the <literal>[global]</literal> section or in an individual share:</para> + + +<programlisting>read only = yes +writeable = no</programlisting> + + +<para>If either option is set as shown, data can be read from a share, but cannot be written to it. You might think you would need this option only if you were creating a read-only share. However, note that this read-only behavior is the <emphasis>default</emphasis> action for shares; if you want to be able to write data to a share, you must explicitly specify one of the following options in the configuration file for each share:</para> + + +<programlisting>read only = no +writeable = yes</programlisting> + + +<para>Note that if you specify more than one occurrence of either option, Samba will adhere to the last value it encounters for the<indexterm id="ch04-idx-967387-0" class="endofrange" startref="ch04-idx-967272-0"/> share.<indexterm id="ch04-idx-967245-0" class="endofrange" startref="ch04-idx-967244-0"/> +<indexterm id="ch04-idx-967245-1" class="endofrange" startref="ch04-idx-967244-1"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.6" id="ch04-86705"> +<title>Networking Options with Samba</title> + + +<para> +<indexterm id="ch04-idx-967291-0" class="startofrange"><primary>networking</primary><secondary>options</secondary></indexterm>If you're running Samba on a multi-homed machine (that is, one on multiple subnets), or even if you want to implement a security policy on your own subnet, you should take a close look at the networking configuration options:</para> + + +<para>For the purposes of this exercise, let's assume that our Samba server is connected to a network with more than one subnet. Specifically, the machine can access both the 192.168.220.* and 134.213.233.* subnets. Here are our additions to the ongoing configuration file for the networking configuration options:</para> + + +<programlisting>[global] + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE + + # Networking configuration options + hosts allow = 192.168.220. 134.213.233. localhost + hosts deny = 192.168.220.102 + interfaces = 192.168.220.100/255.255.255.0 \ + 134.213.233.110/255.255.255.0 + bind interfaces only = yes + +[data] + path = /home/samba/data + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes</programlisting> + + +<para> +<indexterm id="ch04-idx-967305-0"><primary>hosts</primary><secondary>networking option for connections</secondary></indexterm>Let's first talk about the <literal>hosts</literal> <literal>allow</literal> and <literal>hosts</literal> <literal>deny</literal> options. If these options sound familiar, you're probably thinking of the <filename>hosts.allow</filename> and <filename>hosts.deny</filename> files that are found in the <filename>/etc</filename> directories of many Unix systems. The purpose of these options is identical to those files; they provide a means of security by allowing or denying the connections of other hosts based on their IP addresses. Why not just use the <filename>hosts.allow</filename> and <filename>hosts.deny</filename> files themselves? Because there may be services on the server that you want others to access without giving them access Samba's disk or printer shares</para> + + +<para>With the <literal>hosts</literal> <literal>allow</literal> option above, we've specified a cropped IP address: 192.168.220. (Note that there is still a third period; it's just missing the fourth number.) This is equivalent to saying: "All hosts on the 192.168.220 subnet." However, we've explicitly specified in a hosts deny line that 192.168.220.102 is not to be allowed access.</para> + + +<para>You might be wondering: why will 192.168.220.102 be denied even though it is still in the subnet matched by the <literal>hosts</literal> <literal>allow</literal> option? Here is how Samba sorts out the rules specified by <literal>hosts</literal> <literal>allow</literal> and <literal>hosts</literal> <literal>deny </literal>:</para> + + +<orderedlist> +<listitem><para>If there are no <literal>allow</literal> or <literal>deny</literal> options defined anywhere in <filename>smb.conf</filename>, Samba will allow connections from any machine allowed by the system itself.</para></listitem> +<listitem><para>If there are <literal>hosts</literal> <literal>allow</literal> or <literal>hosts</literal> <literal>deny</literal> options defined in the <literal>[global]</literal> section of <filename>smb.conf</filename>, they will apply to all shares, even if the shares have an overriding option defined.</para></listitem> +<listitem><para>If there is only a <literal>hosts</literal> <literal>allow</literal> option defined for a share, only the hosts listed will be allowed to use the share. All others will be denied.</para></listitem> +<listitem><para>If there is only a <literal>hosts</literal> <literal>deny</literal> option defined for a share, any machine which is not on the list will be able to use the share.</para></listitem> +<listitem><para>If both a <literal>hosts</literal> <literal>allow</literal> and <literal>hosts</literal> <literal>deny</literal> option are defined, a host must appear in the allow list and not appear in the deny list (in any form) in order to access the share. Otherwise, the host will not be allowed.</para></listitem> +</orderedlist> + +<warning role="ora"> <para> +<indexterm id="ch04-idx-967307-0"><primary>hosts</primary><secondary>subnets and, +caution with</secondary></indexterm> +<indexterm id="ch04-idx-967307-1"><primary>subnets</primary><secondary>hosts and, +caution with</secondary></indexterm>Take care that you don't explicity +allow a host to access a share, but then deny access to the entire +subnet of which the host is part.</para> + +</warning> + +<para>Let's look at another example of that final item. Consider the following options:</para> + + +<programlisting>hosts allow = 111.222. +hosts deny = 111.222.333.</programlisting> + + +<para>In this case, only the hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. However, if a client belongs to the 111.222.333.* subnet, it will be denied access, even though it still matches the qualifications outlined by <literal>hosts</literal> <literal>allow</literal>. The client must appear on the <literal>hosts</literal> <literal>allow</literal> list and <emphasis>must not</emphasis> appear on the <literal>hosts</literal> <literal>deny</literal> list in order to gain access to a Samba share. If a computer attempts to access a share to which it is not allowed access, it will receive an error message.</para> + + +<para>The other two options that we've specified are the <literal>interfaces</literal> and the <literal>bind</literal> <literal>interface</literal> <literal>only</literal> address. Let's look at the <literal>interfaces</literal> option first. Samba, by default, sends data only from the primary network interface, which in our example is the 192.168.220.100 subnet. If we would like it to send data to more than that one <indexterm id="ch04-idx-967310-0"><primary>interfaces, networking options for</primary></indexterm>interface, we need to specify the complete list with the <literal>interfaces</literal> option. In the previous example, we've bound Samba to interface with both subnets (192.168.220 and 134.213.233) on which the machine is operating by specifying the other network interface address: 134.213.233.100. If you have more than one interface on your computer, you should always set this option as there is no guarantee that the primary interface that Samba chooses will be the right one.</para> + + +<para>Finally, the <literal>bind</literal> <literal>interfaces</literal> <literal>only</literal> option instructs the <filename>nmbd</filename> process not to accept any broadcast messages other than those subnets specified with the <literal>interfaces</literal> option. Note that this is different from the <literal>hosts</literal> <literal>allow</literal> and <literal>hosts</literal> <literal>deny</literal> options, which prevent machines from making connections to services, but not from receiving broadcast messages. Using the <literal>bind</literal> <literal>interfaces</literal> <literal>only</literal> option is a way to shut out even datagrams from foreign subnets from being received by the Samba server. In addition, it instructs the <emphasis>smbd</emphasis> process to bind to only the interface list given by the <emphasis>interfaces</emphasis> option. This restricts the networks that Samba will serve.</para> + + +<sect2 role="" label="4.6.1" id="ch04-SECT-6.1"> +<title>Networking Options</title> + + +<para> +<indexterm id="ch04-idx-967302-0"><primary>networking</primary><secondary>options</secondary><tertiary>list of</tertiary></indexterm>The networking options we introduced above are summarized in <link linkend="ch04-32963">Table 4.5</link>.</para> + + +<table label="4.5" id="ch04-32963"> +<title>Networking Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>hosts allow (allow hosts)</literal></para></entry> + +<entry colname="col2"><para>string (list of hostnames)</para></entry> + +<entry colname="col3"><para>Specifies the machines that can connect to Samba.</para></entry> + +<entry colname="col4"><para>none</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>hosts deny (deny hosts)</literal></para></entry> + +<entry colname="col2"><para>string (list of hostnames)</para></entry> + +<entry colname="col3"><para>Specifies the machines that cannot connect to Samba.</para></entry> + +<entry colname="col4"><para>none</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>interfaces</literal></para></entry> + +<entry colname="col2"><para>string (list of IP/netmask combinations)</para></entry> + +<entry colname="col3"><para>Sets the network interfaces Samba will respond to. Allows correcting defaults.</para></entry> + +<entry colname="col4"><para>system-dependent</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>bind</literal></para> + +<para><literal>interfaces only</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, Samba will bind only to those interfaces specified by the <literal>interfaces</literal> option.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>socket</literal></para> + +<para><literal>address</literal></para></entry> + +<entry colname="col2"><para>string (IP address)</para></entry> + +<entry colname="col3"><para>Sets IP address to listen on, for use with multiple virtual interfaces on a server.</para></entry> + +<entry colname="col4"><para>none</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="4.6.1.1" id="ch04-SECT-6.1.1"> +<indexterm id="ch04-idx-968312-0"><primary>hosts allow option</primary></indexterm> +<title> +hosts allow</title> + + +<para> +<indexterm id="ch04-idx-967314-0"><primary>hosts</primary><secondary>networking option for connections</secondary></indexterm>The <literal>hosts</literal> <literal>allow</literal> option (sometimes written as <literal>allow</literal> <literal>hosts</literal>) specifies the machines that have permission to access shares on the Samba server, written as a comma- or space-separated list of names of machines or their IP addresses. You can gain quite a bit of security by simply placing your LAN's subnet address in this option. For example, we specified the following in our example:</para> + + +<programlisting>hosts allow = 192.168.220. localhost</programlisting> + + +<para>Note that we placed <literal>localhost</literal> after the subnet address. One of the most common mistakes when attempting to use the <literal>hosts</literal> <literal>allow</literal> option is to accidentally disallow the Samba server from communicating with itself. The <filename>smbpasswd</filename> program will occasionally need to connect to the Samba server as a client in order to change a user's encrypted password. In addition, local browsing propagation requires local host access. If this option is enabled and the localhost address is not specified, the locally-generated packets requesting the change of the encrypted password will be discarded by Samba, and browsing propagation will not work properly. To avoid this, explicitly allow the loopback address (either <literal>localhost</literal> or <literal>127.0.0.1</literal>) to be used.<footnote label="3" id="ch04-pgfId-965714"> + + +<para>Starting with Samba 2.0.5, <literal>localhost</literal> will automatically be allowed unless it is explicitly denied.</para> + + +</footnote></para> + + +<para>You can specify any of the following formats for this option:</para> + + +<itemizedlist> +<listitem><para>Hostnames, such as <literal>ftp.example.com </literal>.</para></listitem> +<listitem><para>IP addresses, like <literal>130.63.9.252</literal>.</para></listitem> +<listitem><para>Domain names, which can be differentiated from individual hostnames because they start with a dot. For example, <literal>.ora.com</literal> represents all machines within the <emphasis>ora.com</emphasis> domain.</para></listitem> +<listitem><para>Netgroups, which start with an at-sign, such as <literal>@printerhosts</literal>. Netgroups are available on systems running yellow pages/NIS or NIS+, but rarely otherwise. If netgroups are supported on your system, there should be a <literal>netgroups</literal> manual page that describes them in more detail.</para></listitem> +<listitem><para>Subnets, which end with a dot. For example, <literal>130.63.9.</literal> means all the machines whose IP addresses begin with 130.63.9.</para></listitem> +<listitem><para>The keyword <literal>ALL</literal>, which allows any client access.</para></listitem> +<listitem><para>The keyword <literal>EXCEPT</literal> followed by more one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110 subnet with <literal>hosts</literal> <literal>allow</literal> <literal>=</literal> <literal>ALL</literal> <literal>EXCEPT</literal> <literal>192.168.110.</literal> (remember the trailing dot).</para></listitem> +</itemizedlist> + +<para>Using the <literal>ALL</literal> keyword is almost always a bad idea, since it means that anyone on any network can browse your files if they guess the name of your server.</para> + + +<para>Note that there is no default value for the <literal>hosts</literal> <literal>allow</literal> configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. In addition, if you specify this option in the <literal>[global]</literal> section of the configuration file, it will override any <literal>hosts</literal> <literal>allow</literal> options defined shares.</para> +</sect3> + + + +<sect3 role="" label="4.6.1.2" id="ch04-SECT-6.1.2"> +<indexterm id="ch04-idx-968319-0"><primary>hosts deny option</primary></indexterm> +<title> +hosts deny</title> + + +<para>The <literal>hosts</literal> <literal>deny</literal> option (also <literal>deny</literal> <literal>hosts</literal>) specifies machines that do not have permission to access a share, written as a comma- or space-separated list of machine names or their IP addresses. Use the same format as specifying clients as the <literal>hosts</literal> <literal>allow</literal> option above. For example, to restrict access to the server from everywhere but <filename>example.com</filename>, you could write:</para> + + +<programlisting>hosts deny = ALL EXCEPT .example.com</programlisting> + + +<para>Like <literal>hosts</literal> <literal>allow</literal>, there is no default value for the <literal>hosts</literal> <literal>deny</literal> configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. Also, if you specify this option in the <literal>[global]</literal> section of the configuration file, it will override any <literal>hosts</literal> <literal>deny</literal> options defined in shares. If you wish to deny <emphasis>hosts</emphasis> access to specific shares, omit both the <literal>hosts</literal> <literal>allow</literal> and <literal>hosts</literal> <literal>deny</literal> options in the <literal>[global]</literal> section of the configuration file.</para> +</sect3> + + + +<sect3 role="" label="4.6.1.3" id="ch04-SECT-6.1.3"> +<indexterm id="ch04-idx-968322-0"><primary>interfaces option</primary></indexterm> +<title> +interfaces</title> + + +<para> +<indexterm id="ch04-idx-967320-0"><primary>hosts</primary><secondary>networking option for connections</secondary></indexterm>The <literal>interfaces</literal> option outlines the network addresses to which you want the Samba server to recognize and respond. This option is handy if you have a computer that resides on more than one network subnet. If this option is not set, Samba searches for the primary network interface of the server (typically the first Ethernet card) upon startup and configures itself to operate on only that subnet. If the server is configured for more than one subnet and you do not specify this option, Samba will only work on the first subnet it encounters. You must use this option to force Samba to serve the other subnets on your network.</para> + + +<para>The value of this option is one or more sets of IP address/netmask pairs, such as the following:</para> + + +<programlisting>interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</programlisting> + + +<para>You can optionally specify a CIDR format bitmask, as follows:</para> + + +<programlisting>interfaces = 192.168.220.100/24 192.168.210.30/24</programlisting> + + +<para>The bitmask number specifies the first number of bits that will be turned on in the netmask. For example, the number 24 means that the first 24 (of 32) bits will be activated in the bit mask, which is the same as saying 255.255.255.0. Likewise, 16 would be equal to 255.255.0.0, and 8 would be equal to 255.0.0.0.</para> + + +<tip role="ora"> +<para>This option may not work correctly if you are using DHCP.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="4.6.1.4" id="ch04-SECT-6.1.4"> +<indexterm id="ch04-idx-968325-0"><primary>bind interfaces only option</primary></indexterm> +<title> +bind interfaces only</title> + + +<para>The <literal>bind</literal> <literal>interfaces</literal> <literal>only</literal> option can be used to force the <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis> processes to serve SMB requests to only those addresses specified by the <literal>interfaces</literal> option. The <emphasis>nmbd</emphasis> process normally binds to the all addresses interface (0.0.0.0.) on ports 137 and 138, allowing it to receive broadcasts from anywhere. However, you can override this behavior with the following:</para> + + +<programlisting>bind interfaces only = yes</programlisting> + + +<para>This will cause both Samba processes to ignore any packets whose origination address does not match the broadcast address(es) specified by the <literal>interfaces</literal> option, including broadcast packets. With <emphasis>smbd</emphasis>, this option will cause Samba to not serve file requests to subnets other than those listed in the <literal>interfaces</literal> option. You should avoid using this option if you want to allow temporary network connections, such as those created through SLIP or PPP. It's very rare that this option is needed, and it should only be used by experts.</para> + + +<tip role="ora"> +<para>If you set <literal>bind interfaces only</literal> to <literal>yes </literal>, you should add the localhost address (127.0.01) to the "interfaces" list. Otherwise, <emphasis>smbpasswd</emphasis> will be unable to connect to the server using its default mode in order to change a password.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="4.6.1.5" id="ch04-SECT-6.1.5"> +<indexterm id="ch04-idx-968328-0"><primary>socket address option</primary></indexterm> +<title> +socket address</title> + + +<para> +<indexterm id="ch04-idx-967324-0"><primary>addresses, networking option for</primary></indexterm>The <literal>socket</literal> <literal>address</literal> option dictates which of the addresses specified with the <literal>interfaces</literal> parameter Samba should listen on for connections. Samba accepts connections on all addresses specified by default. When used in an <filename>smb.conf</filename> file, this option will force Samba to listen on only one IP address. For example:</para> + + +<programlisting>interfaces = 192.168.220.100/24 192.168.210.30/24 +socket address = 192.168.210.30</programlisting> + + +<para>This option is a programmer's tool and we recommend that you do not use it.<indexterm id="ch04-idx-967297-0" class="endofrange" startref="ch04-idx-967291-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.7" id="ch04-16899"> +<title>Virtual Servers</title> + + +<para> +<indexterm id="ch04-idx-967325-0" class="startofrange"><primary>servers</primary><secondary>virtual</secondary></indexterm> +<indexterm id="ch04-idx-967325-1" class="startofrange"><primary>virtual servers</primary></indexterm>Virtual servers are a technique for creating the illusion of multiple <indexterm id="ch04-idx-967337-0"><primary>NetBIOS (Network Basic Input/Output System)</primary><secondary>multiple servers</secondary><see>virtual servers</see></indexterm>NetBIOS servers on the network, when in reality there is only one. The technique is simple to implement: a machine simply registers more than one NetBIOS name in association with its IP address. There are tangible benefits to doing this.</para> + + +<para>The accounting department, for example, might have an <literal>accounting</literal> server, and clients of it would see just the accounting disks and printers. The marketing department could have their own server, <literal>marketing</literal>, with their own reports, and so on. However, all the services would be provided by one medium-sized Unix workstation (and one relaxed administrator), instead of having one small server and one administrator per department.</para> + + +<para>Samba will allow a Unix server to use more than one NetBIOS name with the <literal>netbios</literal> <literal>aliases</literal> option. See <link linkend="ch04-92259">Table 4.6</link>.</para> + + +<table label="4.6" id="ch04-92259"> +<title>Virtual Server Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>netbios aliases</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch04-idx-967338-0"><primary>virtual servers</primary><secondary>options for</secondary></indexterm> +<indexterm id="ch04-idx-967338-1"><primary>servers</primary><secondary>virtual</secondary><tertiary>options for</tertiary></indexterm>List of NetBIOS names</para></entry> + +<entry colname="col3"><para>Additional NetBIOS names to respond to, for use with multiple "virtual" Samba servers.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="4.7.1" id="ch04-SECT-7.0.1"> +<indexterm id="ch04-idx-968331-0"><primary>netbios aliases option</primary></indexterm> +<title> +netbios aliases</title> + + +<para>The <literal>netbios</literal> <literal>aliases</literal> option can be used to give the Samba server more than one <indexterm id="ch04-idx-967339-0"><primary>NetBIOS name</primary><secondary>option for aliases</secondary></indexterm> +<indexterm id="ch04-idx-967339-1"><primary>aliases</primary><secondary sortas="NetBIOS names">for NetBIOS names</secondary></indexterm>NetBIOS name. Each NetBIOS name listed as a value will be displayed in the Network Neighborhood of a browsing machine. When a connection is requested to any machine, however, it will connect to the same Samba server.</para> + + +<para>This might come in handy, for example, if you're transferring three departments' data to a single Unix server with modern large disks, and are retiring or reallocating the old NT servers. If the three servers are called <literal>sales</literal>, <literal>accounting</literal>, and <literal>admin</literal>, you can have Samba represent all three servers with the following options:</para> + + +<programlisting>[global] + netbios aliases = sales accounting admin + include = /usr/local/samba/lib/smb.conf.%L</programlisting> + + +<para>See <link linkend="ch04-28393">Figure 4.7</link> for what the Network Neighborhood would display from a client.When a client attempts to connect to Samba, it will specify the name of the server that it's trying to connect to, which you can access through the <literal>%L</literal> variable. If the requested server is <literal>sales</literal>, Samba will include the <filename>/usr/local/samba/lib/smb.conf.sales</filename> file. This file might contain global and share declarations exclusively for the sales team, such as the following:</para> + + +<programlisting>[global] + workgroup = SALES + hosts allow = 192.168.10.255 + +[sales1998] + path = /usr/local/samba/sales/sales1998/ +...</programlisting> + + +<para>This particular example would set the workgroup to SALES as well, and set the IP address to allow connections only from the SALES subnet (192.168.10). In addition, it would offer shares specific to the sales department.</para> + + +<figure label="4.7" id="ch04-28393"> +<indexterm id="ch04-idx-967332-0" class="endofrange" startref="ch04-idx-967325-0"/><indexterm id="ch04-idx-967332-1" class="endofrange" startref="ch04-idx-967325-1"/><title>Using NetBIOS aliases for a Samba server + </title> + +<graphic width="502" depth="196" fileref="figs/sam.0407.gif"></graphic> +</figure> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="4.8" id="ch04-29331"> +<title>Logging Configuration Options</title> + + +<para> +<indexterm id="ch04-idx-967340-0" class="startofrange"><primary>log files/logging</primary><secondary>configuration options</secondary></indexterm> +<indexterm id="ch04-idx-967340-1" class="startofrange"><primary>log files/logging</primary><secondary>checking</secondary></indexterm>Occasionally, we need to find out what Samba is up to. This is especially true when Samba is performing an unexpected action or is not performing at all. To find out this information, we need to check Samba's log files to see exactly why it did what it did.</para> + + +<para>Samba log files can be as brief or verbose as you like. Here is an example of what a Samba log file looks like:</para> + + +<programlisting>[1999/07/21 13:23:25, 3] smbd/service.c:close_cnum(514) + phoenix (192.168.220.101) closed connection to service IPC$ +[1999/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40) + Yielding connection to IPC$ +[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615) + Transaction 923 of length 49 +[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448) + switch message SMBread (pid 467) +[1999/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336) + dos_ChDir to /home/samba +[1999/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199) + read fnum=4207 num=2820 nread=2820 +[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615) + Transaction 924 of length 55 +[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448) + switch message SMBreadbraw (pid 467) +[1999/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053) + readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276 +[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615) + Transaction 925 of length 55 +[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448) + switch message SMBreadbraw (pid 467)</programlisting> + + +<para>Many of these options are of use only to Samba programmers. However, we will go over the meaning of some of these entries in more detail in <link linkend="SAMBA-CH-9">Chapter 9</link>.</para> + + +<para>Samba contains six options that allow users to describe how and where logging information should be written. Each of these options are global options and cannot appear inside a share definition. Here is an up-to-date configuration file that covers each of the share and logging options that we've seen so far:</para> + + +<programlisting>[global] + netbios name = HYDRA + server string = Samba %v on (%I) + workgroup = SIMPLE + + # Networking configuration options + hosts allow = 192.168.220. 134.213.233. localhost + hosts deny = 192.168.220.102 + interfaces = 192.168.220.100/255.255.255.0 \ + 134.213.233.110/255.255.255.0 + bind interfaces only = yes + + # Debug logging information + log level = 2 + log file = /var/log/samba.log.%m + max log size = 50 + debug timestamp = yes + +[data] + path = /home/samba/data + browseable = yes + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes</programlisting> + + +<para> Here, we've added a custom log file that reports information up to debug level 2. This is a relatively light debugging level. The logging level ranges from 1 to 10, where level 1 provides only a small amount of information and level 10 provides a plethora of low-level information. Level 2 will provide us with useful debugging information without wasting disk space on our server. In practice, you should avoid using log levels greater than 3 unless you are programming Samba.</para> + + +<para>This file is located in the <filename>/var/log</filename> directory thanks to the <literal>log</literal> <literal>file</literal> configuration option. However, we can use variable substitution to create log files specifically for individual users or clients, such as with the <literal>%m</literal> variable in the following line:</para> + + +<programlisting>log file = /usr/local/logs/samba.log.%m</programlisting> + + +<para>Isolating the log messages can be invaluable in tracking down a network error if you know the problem is coming from a specific machine or user.</para> + + +<para>We've added another precaution to the log files: no one log file can exceed 50 kilobytes in size, as specified by the <literal>max</literal> <literal>log</literal> <literal>size</literal> option. If a log file exceeds this size, the contents are moved to a file with the same name but with the suffix <emphasis>.old</emphasis> appended. If the <emphasis>.old</emphasis> file already exists, it is overwritten and its contents are lost. The original file is cleared, waiting to receive new logging information. This prevents the hard drive from being overwhelmed with Samba log files during the life of our daemons.</para> + + +<para>For convenience, we have decided to leave the debug timestamp in the logs with the <literal>debug</literal> <literal>timestamp</literal> option, which is the default behavior. This will place a timestamp next to each message in the logging file. If we were not interested in this information, we could specify <literal>no</literal> for this option instead.</para> + + +<sect2 role="" label="4.8.1" id="ch04-97929"> +<title>Using syslog</title> + + +<para>If you wish to use the system logger (<filename>syslog </filename> +<indexterm id="ch04-idx-967351-0"><primary>SYSLOG utility</primary></indexterm>) in addition to or in place of the standard Samba logging file, Samba provides options for this as well. However, to use <filename>syslog</filename>, the first thing you will have to do is make sure that Samba was built with the <literal>configure</literal> <literal>--with-syslog</literal> option. See <link linkend="SAMBA-CH-2">Chapter 2</link> for more information on configuring and compiling Samba.</para> + + +<para>Once that is done, you will need to configure your <filename>/etc/syslog.conf</filename> to accept logging information from Samba. If there is not already a <literal>daemon.*</literal> entry in the <replaceable>/etc/syslog.conf</replaceable> file, add the following:</para> + + +<programlisting>daemon.* /var/log/daemon.log</programlisting> + + +<para>This specifies that any logging information from system daemons will be stored in the <filename>/var/log/daemon.log</filename> file. This is where the Samba information will be stored as well. From there, you can specify the following global option in your configuration file:</para> + + +<programlisting>syslog = 2</programlisting> + + +<para>This specifies that any logging messages with a level of 1 will be sent to both the <filename>syslog</filename> and the Samba logging files. (The mappings to <filename>syslog</filename> priorities are described in the upcoming <link linkend="ch04-78696">Section 4.8.2.5</link>.) Let's assume that we set the regular <literal>log</literal> <literal>level</literal> option above to 4. Any logging messages with a level of 2, 3, or 4 will be sent to the Samba logging files, but not to the <filename>syslog</filename>. Only level 1 logging messages will be sent to both. If the <literal>syslog</literal> value exceeds the <literal>log</literal> <literal>level</literal> value, nothing will be written to the <filename>syslog</filename>.</para> + + +<para>If you want to specify that messages be sent only to <filename>syslog</filename>—and not to the standard Samba logging files—you can place this option in the configuration file:</para> + + +<programlisting>syslog only = yes</programlisting> + + +<para>If this is the case, any logging information above the number specified in the <literal>syslog</literal> option will be discarded, just like the <literal>log</literal> <literal>level</literal> option.</para> +</sect2> + + + + +<sect2 role="" label="4.8.2" id="ch04-SECT-8.1"> +<title>Logging Configuration Options</title> + + +<para><link linkend="ch04-92838">Table 4.7</link> lists each of the<indexterm id="ch04-idx-967341-0"><primary>log files/logging</primary><secondary>configuration options</secondary><tertiary>list of</tertiary></indexterm> logging configuration options that Samba can use.</para> + + +<table label="4.7" id="ch04-92838"> +<title>Global Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>log file</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified filename)</para></entry> + +<entry colname="col3"><para>Sets the name and location of the log file that Samba is to use. Uses standard variables.</para></entry> + +<entry colname="col4"><para>Specified in Samba makefile</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>log level</literal></para> + +<para><literal>(debug level)</literal></para></entry> + +<entry colname="col2"><para>numerical (0-10)</para></entry> + +<entry colname="col3"><para>Sets the amount of log/debug messages that are sent to the log file. 0 is none, 3 is considerable.</para></entry> + +<entry colname="col4"><para><literal>1</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max log size</literal></para></entry> + +<entry colname="col2"><para>numerical (size in KB)</para></entry> + +<entry colname="col3"><para>Sets the maximum size of log file. After the log exceeds this size, the file will be renamed to <emphasis>.bak</emphasis> and a new log file started.</para></entry> + +<entry colname="col4"><para><literal>5000</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>debug</literal></para> + +<para><literal>timestamp (timestamp logs)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If no, doesn't timestamp logs, making them easier to read during heavy debugging.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>syslog</literal></para></entry> + +<entry colname="col2"><para>numerical (0-10)</para></entry> + +<entry colname="col3"><para>Sets level of messages sent to <emphasis>syslog</emphasis>. Those levels below <literal>syslog level</literal> will be sent to the system logger.</para></entry> + +<entry colname="col4"><para><literal>1</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>syslog only</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If yes, uses <emphasis>syslog</emphasis> entirely and sends no output to the standard Samba log files.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="4.8.2.1" id="ch04-log-file-option"> +<title>log file</title> + + +<para>On our server, Samba outputs log information to text files in the <filename>var</filename> subdirectory of the Samba home directory, as set by the makefile during the build. The <literal>log</literal> <literal>file</literal> option can be used to reset the name of the log file to another location. For example, to reset the name and location of the Samba log file to <filename>/usr/local/logs/samba.log</filename>, you could use the following:</para> + + +<programlisting>[global] + log file = /usr/local/logs/samba.log</programlisting> + + +<para>You may use variable substitution to create log files specifically for individual users or clients.</para> + + +<para>You can override the default log file location using the <literal>-l</literal> command-line switch when either daemon is started. However, this does not override the <literal>log</literal> <literal>file</literal> option. If you do specify this parameter, initial logging information will be sent to the file specified after <literal>-l</literal> (or the default specified in the Samba makefile) until the daemons have processed the <filename>smb.conf</filename> file and know to redirect it to a new log file.</para> +</sect3> + + + +<sect3 role="" label="4.8.2.2" id="ch04-SECT-8.1.2"> +<indexterm id="ch04-idx-968338-0"><primary>log level option</primary></indexterm> +<title> +log level</title> + + +<para>The <literal>log</literal> <literal>level</literal> option sets the amount of data to be logged. Normally this is left at 0 or 1. However, if you have a specific problem you may want to set it at 3, which provides the most useful debugging information you would need to track down a problem. Levels above 3 provide information that's primarily for the developers to use for chasing internal bugs, and slows down the server considerably. Therefore, we recommend that you avoid setting this option to anything above 3.</para> + + +<programlisting>[global] +log file = /usr/local/logs/samba.log.%m +log level = 3</programlisting> +</sect3> + + + +<sect3 role="" label="4.8.2.3" id="ch04-SECT-8.1.3"> +<indexterm id="ch04-idx-968341-0"><primary>max log size option</primary></indexterm> +<title> +max log size</title> + + +<para>The <literal>max</literal> <literal>log</literal> <literal>size</literal> option sets the maximum size, in kilobytes, of the debugging log file that Samba keeps. When the log file exceeds this size, the current log file is renamed to add an <emphasis>.old</emphasis> extension (erasing any previous file with that name) and a new debugging log file is started with the original name. For example:</para> + + +<programlisting>[global] +log file = /usr/local/logs/samba.log.%m +max log size = 1000</programlisting> + + +<para>Here, if the size of any log file exceeds one megabyte in size, Samba renames the log file <emphasis>samba.log.</emphasis> <replaceable>machine-name</replaceable><emphasis>.old</emphasis> and a new log file is generated. If there was a file there previously with the <emphasis>.old</emphasis> extension, Samba deletes it. We highly recommend setting this option in your configuration files because debug logging (even at lower levels) can covertly eat away at your available disk space. Using this option protects unwary administrators from suddenly discovering that most of their disk space has been swallowed up by a single Samba log file.</para> +</sect3> + + + +<sect3 role="" label="4.8.2.4" id="ch04-SECT-8.1.4"> +<indexterm id="ch04-idx-968344-0"><primary>debug timestamp option</primary></indexterm> +<indexterm id="ch04-idx-968344-1"><primary>timestamp logs option</primary></indexterm> +<title> + +;debug timestamp or timestamp logs</title> + + +<para>If you happen to be debugging a network problem and you find that the date-stamp and timestamp information within the Samba log lines gets in the way, you can turn it off by giving either the <literal>timestamp</literal> <literal>logs</literal> or the <literal>debug</literal> <literal>timestamp</literal> option (they're synonymous) a value of <literal>no</literal>. For example, a regular Samba log file presents its output in the following form:</para> + + +<programlisting>12/31/98 12:03:34 hydra (192.168.220.101) connect to server network as user davecb</programlisting> + + +<para>With a <literal>no</literal> value for this option, the output would appear without the datestamp or the timestamp:</para> + + +<programlisting>hydra (192.168.220.101) connect to server network as user davecb</programlisting> +</sect3> + + + +<sect3 role="" label="4.8.2.5" id="ch04-78696"> +<title>syslog</title> + + +<para> +<indexterm id="ch04-idx-967365-0"><primary>Unix</primary><secondary>options</secondary><tertiary sortas="system logger">for system logger</tertiary></indexterm>The <literal>syslog</literal> +<indexterm id="ch04-idx-968349-0"><primary>syslog option</primary></indexterm> option causes Samba log messages to be sent to the Unix system logger. The type of log information to be sent is specified as the parameter for this argument. Like the <literal>log</literal> <literal>level</literal> option, it can be a number from 0 to 10. Logging information with a level less than the number specified will be sent to the system logger. However, debug logs equal to or above the <literal>syslog</literal> level, but less than log level, will still be sent to the standard Samba log files. To get around this, use the <literal>syslog</literal> <literal>only</literal> option. For example:</para> + + +<programlisting>[global] + log level = 3 + syslog = 1</programlisting> + + +<para>With this, all logging information with a level of 0 would be sent to the standard Samba logs and the system logger, while information with levels 1, 2, and 3 would be sent only to the standard Samba logs. Levels above 3 are not logged at all. Note that all messages sent to the system logger are mapped to a priority level that the <emphasis>syslog</emphasis> process understands, as shown in <link linkend="ch04-80576">Table 4.8</link>. The default level is 1.</para> + + +<table label="4.8" id="ch04-80576"> +<title>Syslog Priority Conversion </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Log Level</para></entry> + +<entry colname="col2"><para>Syslog Priority</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>0</para></entry> + +<entry colname="col2"><para><literal>LOG_ERR</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para>1</para></entry> + +<entry colname="col2"><para><literal>LOG_WARNING</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para>2</para></entry> + +<entry colname="col2"><para><literal>LOG_NOTICE</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para>3</para></entry> + +<entry colname="col2"><para><literal>LOG_INFO</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para>4 and above</para></entry> + +<entry colname="col2"><para><literal>LOG_DEBUG</literal></para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>If you wish to use <emphasis>syslog</emphasis>, you will have to run <literal>configure</literal> <literal>--with-syslog</literal> when compiling Samba, and you will need to configure your <filename>/etc/syslog.conf</filename> to suit. (See <link linkend="ch04-97929">Section 4.8.1</link> earlier in this chapter.)</para> +</sect3> + + + +<sect3 role="" label="4.8.2.6" id="ch04-SECT-8.1.6"> +<indexterm id="ch04-idx-968350-0"><primary>syslog only option</primary></indexterm> +<title> +syslog only</title> + + +<para>The <literal>syslog</literal> <literal>only</literal> option tells Samba not to use the regular logging files—the system logger only. To enable this, specify the following option in the global ection of the Samba configuration file:</para> + + +<programlisting>[global] + syslog only = <indexterm id="ch04-idx-967342-0" class="endofrange" startref="ch04-idx-967340-0"/> +<indexterm id="ch04-idx-967342-1" class="endofrange" startref="ch04-idx-967340-1"/>yes<indexterm id="ch04-idx-967031-0" class="endofrange" startref="ch04-idx-967030-0"/></programlisting> +</sect3> +</sect2> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch05.xml b/docs-xml/using_samba/ch05.xml new file mode 100644 index 0000000000..8bf541cd2f --- /dev/null +++ b/docs-xml/using_samba/ch05.xml @@ -0,0 +1,2885 @@ +<chapter label="5" id="SAMBA-CH-5"> +<title>Browsing and Advanced Disk Shares </title> + + + + +<para> +<indexterm id="ch05-idx-969559-0" class="startofrange"><primary>browsing</primary></indexterm> +<indexterm id="ch05-idx-969559-1" class="startofrange"><primary>disk shares</primary><secondary>advanced</secondary></indexterm>This chapter continues our discussion of disk shares from the previous chapter. Here, we will discuss various differences between the Windows and Unix filesystems—and how Samba works to bridge the gap. There are a surprising number of inconsistencies between a DOS filesystem and a Unix filesystem. In addition, we will talk briefly about name mangling, file locking, and a relatively new feature for Samba: opportunistic locking, or oplocks. However, before we move into that territory, we should first discuss the somewhat arcane topic of browsing with Samba.</para> + + + + + + + + + + + +<sect1 role="" label="5.1" id="ch05-23763"> +<title>Browsing</title> + + +<para>Browsing is the ability to examine the servers and <indexterm id="ch05-idx-969575-0"><primary>shares</primary><secondary>viewing</secondary><see>browsing</see></indexterm>shares that are currently available on your network. On a Windows NT 4.0 or 95/98 client, a user can browse network servers through the Network Neighborhood folder. By double-clicking the icon representing the server, the user should be able to see the printer and disk share resources available on that machine as well. (If you have Windows NT 3.<emphasis>x</emphasis>, you can use the Disk-Connect Network Drive menu in the File Manager to display the available shares on a server.)</para> + + +<para>From the Windows command line, you can also use the <literal>net</literal> <literal>view</literal> option to see which servers are currently on the network. Here is an example of the <literal>net</literal> <literal>view</literal> command in action:</para> + + +<programlisting>C:\><userinput>net view</userinput> +Servers available in workgroup SIMPLE +Server name Remark +---------------------------------------------------------- +\\CHIMAERA Windows NT 4.0 +\\HYDRA Samba 2.0.4 on (hydra) +\\PHOENIX Windows 98</programlisting> + + +<sect2 role="" label="5.1.1" id="ch05-SECT-1.1"> +<title>Preventing Browsing</title> + + +<para> +<indexterm id="ch05-idx-969576-0"><primary>browsing</primary><secondary>preventing</secondary></indexterm> +<indexterm id="ch05-idx-969576-1"><primary>preventing browsing</primary></indexterm> +<indexterm id="ch05-idx-969576-2"><primary>browse lists</primary><secondary>restricting shares from</secondary></indexterm> +<indexterm id="ch05-idx-969576-3"><primary>shares</primary><secondary>contents, restricting view of</secondary></indexterm>You can restrict a share from being in a browse list by using the <literal>browseable</literal> option. This boolean option prevents a share from being seen in the Network Neighborhood at all. For example, to prevent the <literal>[data]</literal> share from the previous chapter from being visible, we could write:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = no + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writeable = yes</programlisting> + + +<para>Although you typically don't want to do this to an ordinary disk share, the browseable option is useful in the event that you need to create a share with contents that you do not want others to see, such as a <literal>[netlogin]</literal> share for storing logon scripts for Windows domain control (see <link linkend="SAMBA-CH-6">Chapter 6</link> for more information on logon scripts).</para> + + +<para>Another example is the <literal>[homes]</literal> share. This share is often marked non-browsable so that a share named <literal>[homes]</literal> won't appear when its machine's resources are browsed. However, if a user <literal>alice</literal> logs on and looks at the machine's shares, an <literal>[alice]</literal> share will appear under the machine. What if we wanted to make sure <literal>alice</literal>'s share appeared to everyone before she logs in? This could be done with the global <literal>auto</literal> <literal>services</literal> option. This option preloads shares into the browse list to ensure that they are always visible:</para> + + +<programlisting>[global] + ... + auto services = alice + ...</programlisting> +</sect2> + + + + + +<sect2 role="" label="5.1.2" id="ch05-SECT-1.2"> +<title>Default Services</title> + + +<para>In the event that a user cannot successfully connect to a share, you can specify a default <indexterm id="ch05-idx-969587-0"><primary>shares</primary><secondary>default</secondary></indexterm> +<indexterm id="ch05-idx-969587-1"><primary>default services</primary></indexterm>share to which they can connect. Since you do not know who will default to this share at any time, you will probably want to set the <literal>guest</literal> <literal>ok</literal> option to <literal>yes</literal> for this share. Specifying a <literal>default</literal> <literal>service</literal> can be useful when sending the utterly befuddled to a directory of help files. For example:</para> + + +<programlisting>[global] + ... + default service = helpshare + ... + +[helpshare] + path = /home/samba/helpshare/%S + browseable = yes + guest ok = yes + comment = Default Share for Unsuccessful Connections + volume = Sample-Data-Drive + writeable = no</programlisting> + + +<para>Note that we used the <literal>%S</literal> variable in the <literal>path</literal> option. If you use the <literal>%S</literal> variable, it will refer to the requested nonexistent share (the original share requested by the user), not the name of the resulting default share. This allows us to create different paths with the names of each server, which can provide more customized help files for users. In addition, any <indexterm id="ch05-idx-969588-0"><primary>underscore ( _ ) in shares</primary></indexterm> +<indexterm id="ch05-idx-969588-1"><primary>_ underscore</primary></indexterm>underscores ( _ ) specified in the requested share will be converted to<indexterm id="ch05-idx-969589-0"><primary>slash (/)</primary><secondary>in shares</secondary></indexterm> +<indexterm id="ch05-idx-969589-1"><primary>/ (slash) in shares</primary></indexterm> slashes ( / ) when the <literal>%S</literal> variable is used.</para> +</sect2> + + + + + +<sect2 role="" label="5.1.3" id="ch05-SECT-1.3"> +<title>Browsing Elections</title> + + +<para> +<indexterm id="ch05-idx-969892-0" class="startofrange"><primary>browsing</primary><secondary>elections</secondary></indexterm>As mentioned in <link linkend="ch01-48078">Chapter 1</link>, one machine in each subnet always keeps a list of the currently active <indexterm id="ch05-idx-969897-0"><primary>servers</primary><secondary>active, list of</secondary></indexterm>machines. This list is called the <firstterm>browse list</firstterm> +<indexterm id="ch05-idx-969898-0"><primary>browse lists</primary></indexterm> and the server that maintains it is called the <indexterm id="ch05-idx-970543-0" class="startofrange"><primary>local master browser</primary></indexterm><firstterm>local master browser</firstterm>. As machines come on and off the network, the local master browser continually updates the information in the browse list and provides it to any machine that requests it.</para> + + +<para>A computer becomes a local master browser by holding a browsing election on the local subnet. Browsing elections can be called at any time. Samba can rig a browsing election for a variety of outcomes, including always becoming the local master browser of the subnet or never becoming it. For example, the following options, which we've added to the configuration file from <link linkend="ch04-21486">Chapter 4</link>, will ensure that Samba always wins the election for local master browser no matter which machines are also present:</para> + + +<programlisting>[global] + netbios name = HYDRA + server string = Samba %v on (%L) + workgroup = SIMPLE + + # Browsing election options + os level = 34 + local master = yes + + # Networking configuration options + hosts allow = 192.168.220. 134.213.233. localhost + hosts deny = 192.168.220.102 + interfaces = 192.168.220.100/255.255.255.0 \ + 134.213.233.110/255.255.255.0 + + # Debug logging information + log level = 2 + log file = /var/log/samba.log.%m + max log size = 50 + debug timestamp = yes + +[data] + path = /home/samba/data + browseable = yes + guest ok = yes + comment = Data Drive + volume = Sample-Data-Drive + writable = yes</programlisting> + + +<para>However, what if we didn't always want to win the election? What if we wanted to yield browsing to a Windows NT Server if present? In order to do that, we need to learn how browsing elections work. As you already know, each machine that takes place in the election must broadcast information about itself. This information includes the following:</para> + + +<itemizedlist> +<listitem><para>The version of the election protocol used</para></listitem> +<listitem><para>The operating system on the machine</para></listitem> +<listitem><para>The amount of time the client has been on the network</para></listitem> +<listitem><para>The hostname of the client</para></listitem> +</itemizedlist> + +<para>Here is how the election is decided. Operating systems are assigned a binary value according to their version, as shown in <link linkend="ch05-51423">Table 5.1</link>.</para> + + +<table label="5.1" id="ch05-51423"> +<title>Operating System Values in an Election </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Operating System</para></entry> + +<entry colname="col2"><para>Value</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para> +<indexterm id="ch05-idx-969634-0"><primary>operating systems</primary><secondary>values in elections</secondary></indexterm> +<indexterm id="ch05-idx-969634-1"><primary>elections</primary><secondary>operating system values in</secondary></indexterm>Windows NT Server 4.0</para></entry> + +<entry colname="col2"><para>33</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT Server 3.51</para></entry> + +<entry colname="col2"><para>32</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT Workstation 4.0</para></entry> + +<entry colname="col2"><para>17</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT Workstation 3.51</para></entry> + +<entry colname="col2"><para>16</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 98</para></entry> + +<entry colname="col2"><para>2</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 95</para></entry> + +<entry colname="col2"><para>1</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 3.1 for Workgroups</para></entry> + +<entry colname="col2"><para>1</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Following that, each computer on the network is assigned a separate value according to its role, as shown in <link linkend="SAMBA-CH-5-TBL-5.2">Table 5.2</link>.</para> + + +<table label="5.2" id="SAMBA-CH-5-TBL-5.2"> +<title>Computer Role Settings in an Election </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Role</para></entry> + +<entry colname="col2"><para>Value</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para> +<indexterm id="ch05-idx-969635-0"><primary>Windows clients</primary><secondary>role settings in elections</secondary></indexterm> +<indexterm id="ch05-idx-969635-1"><primary>elections</primary><secondary>role settings in</secondary></indexterm> +<indexterm id="ch05-idx-969635-2"><primary>role settings in elections</primary></indexterm> +<indexterm id="ch05-idx-969635-3"><primary>role settings in elections</primary></indexterm>Primary Domain Controller</para></entry> + +<entry colname="col2"><para>128</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>WINS Client</para></entry> + +<entry colname="col2"><para>32</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Preferred Master Browser</para></entry> + +<entry colname="col2"><para>8</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Active Master Browser</para></entry> + +<entry colname="col2"><para>4</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Standby Browser</para></entry> + +<entry colname="col2"><para>2</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Active Backup Browser</para></entry> + +<entry colname="col2"><para>1</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para> +<indexterm id="ch05-idx-969637-0"><primary>elections</primary><secondary>order of decisions in</secondary></indexterm>Elections are decided in the following order:</para> + + +<orderedlist> +<listitem><para>The machine with the highest version of the election protocol will win. (So far, this is meaningless, as all Windows clients have version 1 of the election protocol.)</para></listitem> +<listitem><para>The machine with the highest operating system value wins the election.</para></listitem> +<listitem><para>If there is a tie, the machine with the setting of Preferred Master Browser (role 8) wins the election.</para></listitem> +<listitem><para>If there is still a tie, the client who has been online the longest wins the election.</para></listitem> +<listitem><para>And finally, if there is still a tie, the client name that comes first alphabetically wins.</para></listitem> +<listitem><para>The machine that is the "runner-up" can become a backup browser.</para></listitem> +</orderedlist> + +<para>As a result, if you want Samba to take the role of a local master browser, but only if there isn't a Windows NT Server (4.0 or 3.51) on the network, you could change the <literal>os</literal> <literal>level</literal> parameter in the previous example to:</para> + + +<programlisting>os level = 31</programlisting> + + +<para>This will cause Samba to immediately lose the election to a Windows NT 4.0 or Windows NT 3.5 Server, both of which have a higher operating systems level. On the other hand, if you wanted to decide the local master browser on the basis of the network role, such as which machine is the primary domain controller, you could set the <literal>os</literal> <literal>level</literal> to match the highest type of operating system on the network and let the election protocol fall down to the next level.</para> + + +<para> +<indexterm id="ch05-idx-969646-0"><primary>local master browser</primary><secondary>checking machines for</secondary></indexterm>How can you can tell if a machine is a local master browser? By using the <literal>nbtstat</literal> command. Place the NetBIOS name of the machine you wish to check after the <literal>-a</literal> option:</para> + + +<programlisting>C:\><userinput>nbtstat -a hydra</userinput> + + NetBIOS Remote Machine Name Table + + Name Type Status +---------------------------------------------------------- + HYDRA <00> UNIQUE Registered + HYDRA <03> UNIQUE Registered + HYDRA <20> UNIQUE Registered + .._ _MSBROWSE_ _. <01> GROUP Registered + SIMPLE <00> GROUP Registered + SIMPLE <1D> UNIQUE Registered + SIMPLE <1E> GROUP Registered + + MAC Address = 00-00-00-00-00-00</programlisting> + + +<para>The resource entry that you're looking for is the <literal>.._ _MSBROWSE_ _.<01></literal>. This indicates that the server is currently acting as the local master browser for the current subnet. In addition, if the machine is a Samba server, you can check the Samba <filename>nmbd</filename> log file for an entry such as:</para> + + +<programlisting>nmbd/nmbd_become_lmb.c:become_local_master_stage2(406) +***** +Samba name server HYDRA is now a local master browser for +workgroup SIMPLE on subnet 192.168.220.100 +****</programlisting> + + +<para>Finally, Windows NT servers serving as primary domain controllers contain a sneak that allows them to assume the role of the local master browser in certain conditions; this is called the <emphasis>preferred</emphasis> +<indexterm id="ch05-idx-969647-0"><primary>preferred master browser</primary></indexterm> <emphasis>master browser</emphasis> bit. Earlier, we mentioned that Samba could set this bit on itself as well. You can enable it with the <literal>preferred</literal> <literal>master</literal> option:</para> + + +<programlisting># Browsing election options +os level = 33 +local master = yes +preferred master = yes</programlisting> + + +<para>If the preferred master bit is set, the machine will force a browsing election at startup. Of course, this is needed only if you set the <literal>os</literal> <literal>level</literal> option to match the Windows NT machine. We recommend that you don't use this option if another machine also has the role of preferred master, such as an NT server.<indexterm id="ch05-idx-969633-0" class="endofrange" startref="ch05-idx-969892-0"/></para> +</sect2> + + + + + +<sect2 role="" label="5.1.4" id="ch05-SECT-1.4"> +<title>Domain Master Browser</title> + + +<para> +<indexterm id="ch05-idx-969654-0" class="startofrange"><primary>DMB (domain master browser)</primary></indexterm> +<indexterm id="ch05-idx-969654-1"><primary>domain master browser</primary><see>DMB</see></indexterm> +<indexterm id="ch05-idx-969654-2"><primary>domains</primary><secondary>controllers</secondary><see>domain controllers</see></indexterm>In the opening chapter, we mentioned that in order for a Windows workgroup or domain to extend into multiple subnets, one machine would have to take the role of the <firstterm>domain master browser</firstterm>. The domain master browser propagates browse lists across each of the subnets in the workgroup. This works because each local master browser periodically synchronizes its browse list with the domain master browser. During this synchronization, the local master browser passes on any server that the domain master browser does not have in its browse list, and vice versa. In a perfect world, each local master browser would eventually have the browse list for the entire domain.</para> + + +<para>Unlike the local master browser, there is no election to determine which machine assumes the role of the domain master browser. Instead, the administrator has to set it manually. By Microsoft design, however, the domain master browser and the primary domain controller (PDC) both register a resource type of <1B>, so the roles—and the machines—are inseparable.</para> + + +<para>If you have a <indexterm id="ch05-idx-969663-0"><primary>Windows NT</primary><secondary>server, domain master browser and</secondary></indexterm>Windows NT server on the network acting as a PDC, we recommend that you do not use Samba to become the domain master browser. The reverse is true as well: if Samba is taking on the responsibilities of a <indexterm id="ch05-idx-969665-0"><primary>PDC (primary domain controller)</primary><secondary>domain master browser and</secondary></indexterm>PDC, we recommend making it the domain master browser as well. Although it is possible to split the roles with Samba, this is not a good idea. Using two different machines to serve as the PDC and the domain master browser can cause random errors to occur on a Windows workgroup.</para> + + +<para>Samba can assume the role of a domain master browser for all subnets in the workgroup with the following option:</para> + + +<programlisting>domain master = yes</programlisting> + + +<para>You can verify that a Samba machine is in fact the domain master browser by checking the <emphasis>nmbd</emphasis> log file:</para> + + +<programlisting>nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118) +***** +Samba name server HYDRA is now a domain master browser for +workgroup SIMPLE on subnet 192.168.220.100 +*****</programlisting> + + +<para>Or you can use the <literal>nmblookup</literal> command that comes with the Samba distribution to query for a unique <1B> resource type in the workgroup:</para> + + +<programlisting># <userinput>nmblookup SIMPLE#1B</userinput> +Sending queries to 192.168.220.255 +192.168.220.100 SIMPLE<1b></programlisting> + + +<sect3 role="" label="5.1.4.1" id="ch05-SECT-1.4.1"> +<title>Multiple subnets</title> + + +<para> +<indexterm id="ch05-idx-969667-0"><primary>multiple subnets</primary></indexterm>There are three rules that you must remember when creating a workgroup/domain that spans more than one subnet:</para> + + +<itemizedlist> +<listitem><para>You must have either a Windows NT or Samba machine acting as a local master browser on each subnet in the workgroup/domain. (If you have a domain master browser in a subnet, a local master browser is not needed.)</para></listitem> +<listitem><para>You must have a Windows NT Server or a Samba machine acting as a domain master browser somewhere in the workgroup.</para></listitem> +<listitem><para>Each local master browser must be instructed to synchronize with the domain master browser.</para></listitem> +</itemizedlist> + +<para>Samba has a few other features in this arena in the event that you don't have or want a domain master browser on your network. Consider the subnets shown in <link linkend="ch05-15706">Figure 5.1</link>.</para> + + +<figure label="5.1" id="ch05-15706"> +<title>Multiple subnets with Samba servers</title> + +<graphic width="502" depth="325" fileref="figs/sam.0501.gif"></graphic> +</figure> + +<para>First, a Samba server that is a local master browser can use the <literal>remote</literal> <literal>announce</literal> configuration option to make sure that computers in different subnets are sent broadcast announcements about the server. This has the effect of ensuring that the Samba server appears in the browse lists of foreign subnets. To achieve this, however, the directed broadcasts must reach the local master browser on the other subnet. Be aware that many routers do not allow directed broadcasts by default; you may have to change this setting on the router for the directed broadcasts to get through to its subnet.</para> + + +<para>With the <literal>remote</literal> <literal>announce</literal> option, list the subnets and the workgroup that should receive the broadcast. For example, to ensure that machines in the 192.168.221 and 192.168.222 subnets and SIMPLE workgroup are sent broadcast information from our Samba server, we could specify the following:</para> + + +<programlisting># Browsing election options +os level = 34 +local master = yes +remote announce = 192.168.221.255/SIMPLE \ + 192.168.222.255/SIMPLE</programlisting> + + +<para>In addition, you are allowed to specify the exact address to send broadcasts to if the local master browser on the foreign subnet is guaranteed to always have a fixed IP address.</para> + + +<para>A Samba local master browser can synchronize its browse list directly with another Samba server acting as a local master browser on a different subnet. For example, let's assume that Samba is configured as a local master browser, and Samba local master browsers exist at 192.168.221.130 and 192.168.222.120. We can use the <literal>remote</literal> <literal>browse</literal> <literal>sync</literal> option to sync directly with the Samba servers, as follows:</para> + + +<programlisting># Browsing election options +os level = 34 +local master = yes +remote browse sync = 192.168.221.130 192.168.222.120</programlisting> + + +<para>In order for this to work, the other Samba machines must also be local master browsers. You can also use directed broadcasts with this option if you do not know specific IP addresses of local master browsers.<indexterm id="ch05-idx-969939-0" class="endofrange" startref="ch05-idx-969654-0"/> +<indexterm id="ch05-idx-969940-0" class="endofrange" startref="ch05-idx-970543-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="5.1.5" id="ch05-SECT-1.5"> +<title>Browsing Options</title> + + +<para> +<indexterm id="ch05-idx-969668-0" class="startofrange"><primary>browsing</primary><secondary>configuration options for</secondary></indexterm> +<indexterm id="ch05-idx-969668-1" class="startofrange"><primary>configuration options</primary><secondary>browsing</secondary></indexterm><link linkend="ch05-81028">Table 5.3</link> shows 14 options that define how Samba handles browsing tasks. We recommend the defaults for a site that prefers to be easy on its users with respect to locating shares and printers.</para> + + +<table label="5.3" id="ch05-81028"> +<title>Browsing Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>announce as</literal></para></entry> + +<entry colname="col2"><para><literal>NT</literal> +<indexterm id="ch05-idx-969670-0"><primary>browsing</primary><secondary>options for, list of</secondary></indexterm> or <literal>Win95</literal> or <literal>Wf W</literal></para></entry> + +<entry colname="col3"><para>Sets the operating system that Samba will announce itself as.</para></entry> + +<entry colname="col4"><para><literal>N T</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>announce version</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Sets the version of the operating system that Samba will announce itself as.</para></entry> + +<entry colname="col4"><para><literal>4.2</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>browseable (browsable)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Allows share to be displayed in list of machine resources.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>browse list</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba will provide a browse list on this server.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>auto services (preload)</literal></para></entry> + +<entry colname="col2"><para>string (share list)</para></entry> + +<entry colname="col3"><para>Sets a list of shares that will always appear in the browse list.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>default service (default)</literal></para></entry> + +<entry colname="col2"><para>string (share name)</para></entry> + +<entry colname="col3"><para>Names a share (service) that will be provided if the client requests a share not listed in <emphasis>smb.conf.</emphasis></para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>local master</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba will try to become a master browser on the local subnet.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lm announce</literal></para></entry> + +<entry colname="col2"><para><literal>yes</literal> or <literal>no</literal> or <literal>auto</literal></para></entry> + +<entry colname="col3"><para>Enables or disables LAN Manager style host announcements.</para></entry> + +<entry colname="col4"><para><literal>auto</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lm interval</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Specifies the frequency in seconds that LAN Manager announcements will be made if activated.</para></entry> + +<entry colname="col4"><para><literal>60</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>preferred master (prefered master)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba will use the preferred master browser bit to attempt to become the local master browser.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>domain master</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba will try to become the main browser master for the workgroup.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>os level</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Sets the operating system level of Samba in an election for local master browser.</para></entry> + +<entry colname="col4"><para><literal>0</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>remote browse sync</literal></para></entry> + +<entry colname="col2"><para>string (list of IP addresses)</para></entry> + +<entry colname="col3"><para>Lists Samba servers to synchronize browse lists with.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>remote announce</literal></para></entry> + +<entry colname="col2"><para>string (IP address/ workgroup pairs)</para></entry> + +<entry colname="col3"><para>Lists subnets and workgroups to send directed broadcast packets to, allowing Samba to appear to browse lists.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="5.1.5.1" id="ch05-SECT-1.5.1"> +<indexterm id="ch05-idx-970552-0"><primary>announce as option</primary></indexterm> +<title> +announce as</title> + + +<para>This global configuration option specifies the type of operating system that Samba will announce to other machines on the network. The default value for this option is <literal>N T</literal>, which represents a Windows NT operating system. Other possible values are <literal>Win95</literal>, which represents a Windows 95 operating system, and <literal>W f W</literal> for a Windows for Workgroup operating system. You can override the default value with the following:</para> + + +<programlisting>[global] + announce as = Win95</programlisting> + + +<para>We recommend against changing the default value of this configuration option.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.2" id="ch05-SECT-1.5.2"> +<indexterm id="ch05-idx-970555-0"><primary>announce version option</primary></indexterm> +<title> +announce version</title> + + +<para>This global option is frequently used with the <literal>announce</literal> <literal>as</literal> configuration option; it specifies the version of the operating system that Samba will announce to other machines on the network. The default value of this options is 4.2, which places itself above the current Windows NT version of 4.0. You can specify a new value with a global entry such as the following:</para> + + +<programlisting>[global] + announce version = 4.3</programlisting> + + +<para>We recommend against changing the default value of this configuration option.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.3" id="ch05-38345"> +<title>browseable</title> + + +<para>The <literal>browseable</literal> option (also spelled <literal>browsable</literal>) indicates whether the share referenced should appear in the list of available resources of the machine on which it resides. This option is always set to <literal>yes</literal> by default. If you wish to prevent the share from being seen in a client's browser, you can reset this option to <literal>no</literal>.</para> + + +<para>Note that this does not prevent someone from accessing the share using other means, such as specifying a UNC location (<literal>//server/accounting)</literal> in Windows Explorer. It only prevents the share from being listed under the machine's resources when being browsed.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.4" id="ch05-SECT-1.5.4"> +<title>browse list</title> + + +<para> +<indexterm id="ch05-idx-969674-0"><primary>browse lists</primary><secondary>options for</secondary></indexterm>You should never need to change this parameter from its default value of <literal>yes</literal>. If your Samba server is acting as a local master browser (i.e., it has won the browsing election), you can use the global <literal>browse</literal> <literal>list</literal> option to instruct Samba to provide or withhold its browse list to all clients. By default, Samba always provides a browse list. You can withhold this information by specifying the following:</para> + + +<programlisting>[global] + browse list = no</programlisting> + + +<para>If you disable the browse list, clients cannot browse the names of other machines, their services, and other domains currently available on the network. Note that this won't make any particular machine inaccessible; if someone knows a valid machine name/address and a share on that machine, they can still connect to it explicitly using NET USE or by mapping a drive letter to it using Windows Explorer. It simply prevents information in the browse list from being retrieved by any client that requests it.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.5" id="ch05-SECT-1.5.5"> +<title>auto services</title> + + +<para>The global <literal>auto</literal> +<indexterm id="ch05-idx-970563-0"><primary>auto services option</primary></indexterm> <literal>services</literal> option, which is also called <literal>preload </literal>, ensures that the specified shares are always visible in the browse list. One common use for this option is to advertise specific user or printer shares that are created by the <literal>[homes]</literal> or <literal>[printers]</literal> shares, but are not otherwise browsable.</para> + + +<para>This option works best with disk shares. If you wish to force each of your system printers (i.e., those listed in the printer capabilities file) into the browse list using this option, we recommend using the <literal>load</literal> <literal>printers</literal> option instead. Any shares listed with the <literal>auto</literal> <literal>services</literal> option will not be displayed if the <literal>browse</literal> <literal>list</literal> option is set to <literal>no</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.6" id="ch05-SECT-1.5.6"> +<title>default service</title> + + +<para>The global <literal>default</literal> +<indexterm id="ch05-idx-970564-0"><primary>default services</primary><secondary>option for</secondary></indexterm> <literal>service</literal> option (sometimes called <literal>default</literal>) names a "last-ditch" share. If set to an existing share name, and a client requests a nonexistent disk or printer share, Samba will attempt to connect the user to the share specified by this option instead. The option is specified as follows:</para> + + +<programlisting>default service = helpshare</programlisting> + + +<para>Note that there are no braces surrounding the share name <literal>helpshare</literal>, even though the definition of the share later in the Samba configuration file will have braces. Also, if you use the <literal>%S</literal> variable in the share specified by this option, it will represent the requested, nonexistent share, not the default service. Any underscores ( <literal>_ </literal> ) specified in the request share will be converted to slashes (<literal>/</literal>) when the variable is used.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.7" id="ch05-SECT-1.5.7"> +<indexterm id="ch05-idx-970565-0"><primary>local master option</primary></indexterm> +<title> +local master</title> + + +<para> +<indexterm id="ch05-idx-969675-0"><primary>local master browser</primary><secondary>option for</secondary></indexterm>This global option specifies whether Samba will attempt to become the local master browser for the subnet when it starts up. If this option is set to <literal>yes</literal>, Samba will take place in elections. However, setting this option by itself does not guarantee victory. (Other parameters, such as <literal>preferred</literal> <literal>master</literal> and <literal>os</literal> <literal>level</literal> help Samba win browsing elections.) If this option is set to <literal>no</literal>, Samba will lose all browsing elections, no matter which values are specified by the other configuration options. The default value is <literal>yes</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.8" id="ch05-SECT-1.5.8"> +<title>lm announce</title> + + +<para>The global <literal>lm</literal> +<indexterm id="ch05-idx-970566-0"><primary>lm announce option</primary></indexterm> <literal>announce</literal> option tells Samba's <emphasis>nmbd</emphasis> +<indexterm id="ch05-idx-969678-0"><primary>nmbd daemon</primary><secondary>browsing options for</secondary></indexterm> whether or not to send LAN Manager host announcements on behalf of the server. These host announcements may be required by older clients, such as IBM's OS/2 operating system. This announcement allows the server to be added to the browse lists of the client. If activated, Samba will announce itself repetitively at the number of seconds specified by the <literal>lm</literal> <literal>interval</literal> option.</para> + + +<para>This configuration option takes the standard boolean values, <literal>yes</literal> and <literal>no</literal>, which engage or disengage LAN Manager announcements, respectively. In addition, there is a third option, <literal>auto</literal>, which causes <emphasis>nmbd</emphasis> to passively listen for LAN Manager announcements, but not send any of its own initially. If LAN Manager announcements are detected for another machine on the network, <emphasis>nmbd</emphasis> will start sending its own LAN Manager announcements to ensure that it is visible. You can specify the option as follows:</para> + + +<programlisting>[global] + lm announce = yes</programlisting> + + +<para>The default value is <literal>auto</literal>. You probably won't need to change this value from its default.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.9" id="ch05-SECT-1.5.9"> +<indexterm id="ch05-idx-970567-0"><primary>lm interval option</primary></indexterm> +<title> +lm interval</title> + + +<para>This option, which is used in conjunction with <literal>lm</literal> <literal>announce</literal>, indicates the number of seconds <emphasis>nmbd</emphasis> will wait before repeatedly broadcasting LAN Manager-style announcements. Remember that LAN Manager announcements must be activated in order for this option to be used. The default value is 60 seconds. If you set this value to 0, Samba will not send any LAN Manager host announcements, no matter what the value of the <literal>lm</literal> <literal>announce</literal> option. You can reset the value of this option as follows:</para> + + +<programlisting>[global] + lm interval = 90</programlisting> +</sect3> + + + +<sect3 role="" label="5.1.5.10" id="ch05-SECT-1.5.10"> +<title>preferred master</title> + + +<para>The <literal>preferred</literal> +<indexterm id="ch05-idx-970568-0"><primary>preferred master option</primary></indexterm> <literal>master</literal> option requests that Samba set the preferred master bit when participating in an election. This gives the server a higher preferred status in the workgroup than other machines at the same operating system level. If you are configuring your Samba machine to become the local master browser, it is wise to set the following value:</para> + + +<programlisting>[global] + preferred master = yes</programlisting> + + +<para>Otherwise, you should leave it set to its default, <literal>no</literal>. If Samba is configured as a preferred master browser, it will force an election when it first comes online.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.11" id="ch05-SECT-1.5.11"> +<title>os level</title> + + +<para>The global <literal>os</literal> +<indexterm id="ch05-idx-970569-0"><primary>os level option</primary></indexterm> <literal>level</literal> option dictates the operating system level at which Samba will masquerade during a browser election. If you wish to have Samba win an election and become the master browser, you can set the level above that of the operating system on your network with the highest current value. The values are shown in <link linkend="ch05-51423">Table 5.1</link> . The default level is 0, which means that Samba will lose all elections. If you wish Samba to win all elections, you can reset its value as follows:</para> + + +<programlisting>os level = 34</programlisting> + + +<para>This means that the server will vote for itself 34 times each time an election is called, which ensures a victory.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.12" id="ch05-SECT-1.5.12"> +<indexterm id="ch05-idx-970570-0"><primary>domain master option</primary></indexterm> +<title> +domain master</title> + + +<para>If Samba is the primary domain controller for your workgroup or NT domain, it should also be the <indexterm id="ch05-idx-969682-0"><primary>DMB (domain master browser)</primary><secondary>option for</secondary></indexterm> domain master browser. The domain master browser is a special machine that has the NetBIOS resource type <1B> and is used to propagate browse lists to and from each of the local master browsers in individual subnets across the domain. To force Samba to become the domain master browser, set the following in the <literal>[global]</literal> section of the <filename>smb.conf</filename>:</para> + + +<programlisting>[global] + domain master = yes</programlisting> + + +<para>If you have a Windows NT server on the network acting as a primary domain controller (PDC), we recommend that you do not use Samba to become the domain master browser. The reverse is true as well: if Samba is taking on the responsibilities of a PDC, we recommend making it the domain master browser. Splitting the PDC and the domain master browser will cause unpredictable errors to occur on the network.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.13" id="ch05-SECT-1.5.13"> +<title>remote browse sync</title> + + +<para>The global <literal>remote</literal> +<indexterm id="ch05-idx-970571-0"><primary>remote browse sync option</primary></indexterm> <literal>browse</literal> <literal>sync</literal> option specifies that Samba should synchronize its <indexterm id="ch05-idx-969683-0"><primary>browse lists</primary><secondary>options for</secondary></indexterm>browse lists with local master browsers in other subnets. However, the synchronization can occur only with other Samba servers, and not with Windows computers. For example, if your Samba server was a master browser on the subnet 192.168.235, and Samba local master browsers existed on other subnets at 192.168.234.92 and 192.168.236.2, you could specify the following:</para> + + +<programlisting>remote browse sync = 192.168.234.92 192.168.236.2</programlisting> + + +<para>The Samba server would then directly contact the other machines on the address list and synchronize browse lists. You can also say:</para> + + +<programlisting>remote browse sync = 192.168.234.255 192.168.236.255</programlisting> + + +<para>This forces Samba to broadcast queries to determine the IP addresses of the local master browser on each subnet, with which it will then synchronize browse lists. This only works, however, if your router doesn't block directed broadcast requests ending in 255.</para> +</sect3> + + + +<sect3 role="" label="5.1.5.14" id="ch05-SECT-1.5.14"> +<title>remote announce</title> + + +<para>Samba servers are capable of providing browse lists to foreign subnets with the <literal>remote</literal> +<indexterm id="ch05-idx-970572-0"><primary>remote announce option</primary></indexterm> <literal>announce</literal> option. This is typically sent to the local master browser of the foreign subnet in question. However, if you do not know the address of the local master browser, you can do the following:</para> + + +<programlisting>[global] + remote announce = 192.168.234.255/ACCOUNTING \ + 192.168.236.255/ACCOUNTING</programlisting> + + +<para>With this, Samba will broadcast host announcements to all machines on subnets 192.168.234 and 192.168.236, which will hopefully reach the local master browser of the<indexterm id="ch05-idx-969669-0" class="endofrange" startref="ch05-idx-969668-0"/> +<indexterm id="ch05-idx-969669-1" class="endofrange" startref="ch05-idx-969668-1"/> subnet.<indexterm id="ch05-idx-969569-0" class="endofrange" startref="ch05-idx-969559-0"/> You can also specify exact IP addresses, if they are known.</para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="5.2" id="ch05-34221"> +<title>Filesystem Differences</title> + + +<para> +<indexterm id="ch05-idx-969684-0" class="startofrange"><primary>filesystems</primary><secondary>differences between</secondary></indexterm>One <indexterm id="ch05-idx-969692-0"><primary>filesystems</primary><seealso>files</seealso></indexterm>of the biggest issues for which Samba has to correct is the difference between Unix and non-Unix filesystems. This includes items such as handling symbolic links, hidden files, and dot files. In addition, file permissions can also be a headache if not accounted for properly. This section describes how to use Samba to make up for some of those annoying differences, and even how to add some new functionality of its own.</para> + + +<sect2 role="" label="5.2.1" id="ch05-SECT-2.1"> +<title>Hiding and Vetoing Files</title> + + +<para> +<indexterm id="ch05-idx-969693-0"><primary>files</primary><secondary>hidden</secondary></indexterm> +<indexterm id="ch05-idx-969693-1"><primary>hidden files</primary></indexterm>There are some cases when we need to ensure that a user cannot see or access a file at all. Other times, we don't want to keep a user from accessing a file—we just want to hide it when they view the contents of the directory. On Windows systems, an attribute of files allows them to be hidden from a folder listing. With Unix, the traditional way of hiding files in a directory is to precede them with a <indexterm id="ch05-idx-969701-0"><primary>dot (.) in hidden files</primary></indexterm> +<indexterm id="ch05-idx-969701-1"><primary>. (dot)</primary></indexterm>dot (.). This prevents items such as configuration files or defaults from being seen when performing an ordinary <literal>ls</literal> command. Keeping a user from accessing a file at all, however, involves working with permissions on files and or directories.</para> + + +<para>The first option we should discuss is the boolean <literal>hide</literal> <literal>dot</literal> <literal>files</literal>. This option does exactly what it says. When set to <literal>yes</literal>, the option treats files beginning with a <indexterm id="ch05-idx-969702-0"><primary>period (.)</primary></indexterm> +<indexterm id="ch05-idx-969702-1"><primary>. (period)</primary></indexterm>period (.) as hidden. If set to <literal>no</literal>, those files are always shown. The important thing to remember is that the files are only hidden. If the user has chosen to show all hidden files while browsing (e.g., using the Folder Options menu item under the View menu in Windows 98), they will still be able to see the files, as shown in <link linkend="ch05-77260">Figure 5.2</link>.</para> + + +<figure label="5.2" id="ch05-77260"> +<title>Hidden files in the [data] share</title> + +<graphic width="502" depth="210" fileref="figs/sam.0502.gif"></graphic> +</figure> + +<para>Instead of simply hiding files beginning with a dot, you can also specify a string pattern to Samba for files to hide, using the <literal>hide</literal> <literal>files</literal> option. For example, let's assume that we specified the following in our example <literal>[data]</literal> share:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + hide files = /*.java/*README*/</programlisting> + + +<para>Each entry for this option must begin, end, or be separated from another with a <indexterm id="ch05-idx-969703-0"><primary>slash (/)</primary><secondary>character</secondary></indexterm> +<indexterm id="ch05-idx-969703-1"><primary>/ (slash character)</primary></indexterm>slash ( / ) character, even if there is only one pattern listed. This convention allows spaces to appear in filenames. In this example, the share directory would appear as shown in <link linkend="ch05-19743">Figure 5.3</link>. Again, note that we have set the Windows 98 option to view hidden files for the window.</para> + + +<figure label="5.3" id="ch05-19743"> +<title>Hiding files based on filename patterns</title> + +<graphic width="502" depth="210" fileref="figs/sam.0503.gif"></graphic> +</figure> + +<para> +<indexterm id="ch05-idx-969704-0" class="startofrange"><primary>veto files</primary></indexterm> +<indexterm id="ch05-idx-969704-1" class="startofrange"><primary>files</primary><secondary>veto</secondary></indexterm>If we want to prevent users from seeing files at all, we can instead use the <literal>veto</literal> <literal>files</literal> option. This option, which takes the same syntax as the <literal>hide</literal> <literal>files</literal> option, specifies a list of files that should never be seen by the user. For example, let's change the <literal>[data]</literal> share to the following:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + veto files = /*.java/*README*/</programlisting> + + +<para>The syntax of this option is identical to the <literal>hide</literal> <literal>files</literal> configuration option: each entry must begin, end, or be separated from another with a slash (<literal>/</literal>) character, even if there is only one pattern listed. By doing so, the files <literal>hello.java</literal> and <literal>README</literal> will simply disappear from the directory, and the user will not be able to access them through SMB.</para> + + +<para>There is one other question that we need to address. What happens if the user tries to delete a directory that contains vetoed files? This is where the <literal>delete</literal> +<indexterm id="ch05-idx-969711-0"><primary>files</primary><secondary>deleting, option for</secondary></indexterm> <literal>veto</literal> <literal>files</literal> option comes in. If this boolean option is set to <literal>yes</literal>, the user is allowed to delete both the regular files and the vetoed files in the directory, and the directory itself will be removed. If the option is set to <literal>no</literal>, the user will not be able to delete the vetoed files, and consequently the directory will not be deleted either. From the user's perspective, the directory will appear to be empty, but cannot be removed.</para> + + +<para>The <literal>dont</literal> <literal>descend</literal> directive specifies a list of <indexterm id="ch05-idx-969715-0"><primary>directories</primary><secondary>barring users from viewing contents</secondary></indexterm>directories whose contents Samba should not allow to be visible. Note that we say <emphasis>contents</emphasis>, not the directory itself. Users will be able to enter a directory marked as such, but they are prohibited from descending the directory tree any farther—they will always see an empty folder. For example, let's use this option with a more basic form of the share that we defined earlier in the chapter:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + dont descend = config defaults</programlisting> + + +<para>In addition, let's assume that the <filename>/home/samba/data</filename> directory has the following contents:</para> + + +<programlisting>drwxr-xr-x 6 tom users 1024 Jun 13 09:24 . +drwxr-xr-x 8 root root 1024 Jun 10 17:53 .. +-rw-r--r-- 2 tom users 1024 Jun 9 11:43 README +drwxr-xr-x 3 tom users 1024 Jun 13 09:28 config +drwxr-xr-x 3 tom users 1024 Jun 13 09:28 defaults +drwxr-xr-x 3 tom users 1024 Jun 13 09:28 market</programlisting> + + +<para>If the user then connects to the share, he or she would see the directories shown in <link linkend="ch05-62659">Figure 5.4</link>. However, the contents of the <filename>/config</filename> and <filename>/defaults</filename> directories would appear empty to the user, even if other folders or files existed in them. In addition, users cannot write any data to the folder (which prevents them from creating a file or folder with the same name as one that is already there but invisible). If a user attempts to do so, he or she will receive an "Access Denied" message. <literal>dont</literal> <literal>descend</literal> is an administrative option, not a security option, and is not a substitute for good file permissions.</para> + + +<figure label="5.4" id="ch05-62659"> +<indexterm id="ch05-idx-969696-0" class="endofrange" startref="ch05-idx-969684-0"/><indexterm id="ch05-idx-969696-1" class="endofrange" startref="ch05-idx-969704-0"/><indexterm id="ch05-idx-969696-2" class="endofrange" startref="ch05-idx-969704-1"/><title>Contents of the [data] share with dont descend + + </title> + +<graphic width="502" depth="210" fileref="figs/sam.0504.gif"></graphic> +</figure> +</sect2> + + + + + +<sect2 role="" label="5.2.2" id="ch05-SECT-2.2"> +<title>Links</title> + + +<para> +<indexterm id="ch05-idx-969716-0"><primary>links</primary></indexterm> +<indexterm id="ch05-idx-969716-1"><primary>filesystems</primary><secondary>links and</secondary></indexterm>DOS and NT filesystems don't have symbolic links; Windows 95/98/NT systems approximate this with "shortcuts" instead. Therefore, when a client tries to open a symbolic link on a Samba server share, Samba attempts to follow the link to find the real file and let the client open it, as if he or she were on a Unix machine. If you don't want to allow this, set the <literal>follow</literal> <literal>symlinks</literal> option:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + follow symlinks = no</programlisting> + + +<para>You can test this by creating a directory on the Unix server inside the share as the user that you are logging in with. Enter the following commands:</para> + + +<programlisting>% <userinput>mkdir hello; cd hello</userinput> +% <userinput>cat "This is a test" >hello.txt</userinput> +% <userinput>ln -s hello.txt "Link to hello"</userinput></programlisting> + + +<para>This results in the two files shown in the window in <link linkend="ch05-36377">Figure 5.5</link>. Normally, if you click on either one, you will receive a file which has the text "This is a test" inside of it. However, with the <literal>follow</literal> <literal>symlinks</literal> option set to <literal>no</literal>, you should receive an error similar to the dialog in <link linkend="ch05-36377">Figure 5.5</link> if you click on "Link to hello."</para> + + +<figure label="5.5" id="ch05-36377"> +<title>An error dialog trying to follow symbolic links when forbidden by Samba</title> + +<graphic width="502" depth="149" fileref="figs/sam.0505.gif"></graphic> +</figure> + +<para>Finally, let's discuss the <literal>wide</literal> <literal>links</literal> option. This option, if set to <literal>yes</literal>, allows the client user to follow symbolic links that point outside the shared directory tree, including files or directories at the other end of the link. For example, let's assume that we modified the <literal>[data]</literal> share as follows:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + case sensitive = no + follow symlinks = yes + wide links = yes</programlisting> + + +<para>As long as the <literal>follow</literal> <literal>symlinks</literal> option is enabled, this will cause Samba to follow all symbolic links outside the current share tree. If we create a file outside the share (for example, in someone's home directory) and then create a link to it in the share as follows:</para> + + +<programlisting>ln -s ~tom/datafile ./datafile</programlisting> + + +<para>then you will be able to open the file in Tom's directory as per the target file's permissions.</para> +</sect2> + + + + + +<sect2 role="" label="5.2.3" id="ch05-SECT-2.3"> +<title>Filesystem Options</title> + + +<para> +<indexterm id="ch05-idx-969717-0" class="startofrange"><primary>filesystems</primary><secondary>options for</secondary></indexterm><link linkend="ch05-48353">Table 5.4</link> shows a breakdown of the options we discussed earlier. We recommend the defaults for most, except those listed in the following descriptions.</para> + + +<table label="5.4" id="ch05-48353"> +<title>Filesystem Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>unix realname</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Provides Unix user's full name to client.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>dont descend</literal></para></entry> + +<entry colname="col2"><para>string (list of directories)</para></entry> + +<entry colname="col3"><para>Indicates a list of directories whose contents Samba should make invisible to clients.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>follow symlinks</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>no</literal>, Samba will not honor symbolic links.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>getwd cache</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, Samba will use a cache for <literal>getwd( )</literal> calls.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>wide links</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, Samba will follow symbolic links outside the share.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>hide dot files</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, treats Unix hidden files as hidden files in Windows.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>hide files</literal></para></entry> + +<entry colname="col2"><para>string (list of files)</para></entry> + +<entry colname="col3"><para>List of file patterns to treat as hidden.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>veto files</literal></para></entry> + +<entry colname="col2"><para>string (list of files)</para></entry> + +<entry colname="col3"><para>List of file patterns to never show.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>delete veto files</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, will delete files matched by <literal>veto files</literal> when the directory they reside in is deleted.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="5.2.3.1" id="ch05-SECT-2.3.1"> +<indexterm id="ch05-idx-970574-0"><primary>unix realname option</primary></indexterm> +<title> +unix realname</title> + + +<para>Some programs require a full username in order to operate. For example, a Windows email program often needs to associate a username with a given real name. If your system password file contains the real names of users in the GCOS field, the <literal>unix</literal> <literal>realname</literal> option instructs Samba to provide this information to clients. Without it, the name of the user will simply be his or her login ID. For example, if your Unix password file contains the following line:</para> + + +<programlisting>rcollins:/KaBfco47Rer5:500:500:Robert Collins: +/home/rcollins:/bin/ksh</programlisting> + + +<para>And the option in the configuration file is:</para> + + +<programlisting>[global] + unix realname = yes</programlisting> + + +<para>then the name Robert Collins will be provided to any client that requests the real name of user <literal>rcollins</literal>. You typically don't need to bother with this option.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.2" id="ch05-SECT-2.3.2"> +<title>dont descend</title> + + +<para>The <literal>dont</literal> +<indexterm id="ch05-idx-970575-0"><primary>dont descend option</primary></indexterm> <literal>descend</literal> option can be used to specify various <indexterm id="ch05-idx-969728-0"><primary>directories</primary><secondary>barring users from viewing contents</secondary></indexterm>directories that should appear empty to the client. Note that the directory itself will still appear. However, Samba will not show any of the contents of the directory to the client user. This is not a good option to use as a security feature (a user could probably find a way around it); it really is meant only as a convenience to keep client users from browsing into directories that might have sensitive files. See our example earlier in this section.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.3" id="ch05-SECT-2.3.3"> +<indexterm id="ch05-idx-970576-0"><primary>follow symlinks option</primary></indexterm> +<title> +follow symlinks</title> + + +<para> +<indexterm id="ch05-idx-969732-0"><primary>links</primary><secondary>option for</secondary></indexterm>This option, which is discussed in greater detail earlier, controls whether Samba will follow a symbolic link in the Unix operating system to the target, or if it should return an error to the client user. If the option is set to <literal>yes</literal>, the target of the link will be interpreted as the file.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.4" id="ch05-SECT-2.3.4"> +<indexterm id="ch05-idx-970577-0"><primary>getwd cache option</primary></indexterm> +<title> +getwd cache</title> + + +<para>This global option specifies whether Samba should use a local cache for the Unix <literal>getwd()</literal> ( get current working directory) system call. You can override the default value of <literal>yes</literal> as follows:</para> + + +<programlisting>[global] + getwd cache = no</programlisting> + + +<para>Setting this option to <literal>yes</literal> can significantly increase the time it takes to resolve the <indexterm id="ch05-idx-969733-0"><primary>working directory, option for</primary></indexterm> +<indexterm id="ch05-idx-969733-1"><primary>directories</primary><secondary>working, option for</secondary></indexterm>working directory, especially if the <literal>wide</literal> <literal>links</literal> option is set to <literal>no</literal>. You should normally not need to alter this option.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.5" id="ch05-SECT-2.3.5"> +<indexterm id="ch05-idx-970578-0"><primary>wide links option</primary></indexterm> +<title> +wide links</title> + + +<para>This option specifies whether the client user can follow symbolic links that point outside the shared directory tree. This includes any files or directories at the other end of the link, as long as the permissions are correct for the user. The default value for this option is <literal>yes</literal>. Note that this option will not be honored if the <literal>follow</literal> <literal>symlinks</literal> options is set to <literal>no</literal>. Setting this option to <literal>no</literal> slows <emphasis>smbd</emphasis> considerably.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.6" id="ch05-SECT-2.3.6"> +<title>hide files</title> + + +<para> +<indexterm id="ch05-idx-969738-0"><primary>files</primary><secondary>hidden</secondary><tertiary>options for</tertiary></indexterm> +<indexterm id="ch05-idx-969738-1"><primary>hidden files</primary><secondary>options for</secondary></indexterm>The <literal>hide</literal> <literal>files</literal> option provides one or more directory or filename patterns to Samba. Any file matching this pattern will be treated as a hidden file from the perspective of the client. Note that this simply means that the DOS hidden attribute is set, which may or may not mean that the user can actually see it while browsing.</para> + + +<para>Each entry in the list must begin, end, or be separated from another entry with a <indexterm id="ch05-idx-969734-0"><primary>slash (/)</primary><secondary>character</secondary></indexterm> +<indexterm id="ch05-idx-969734-1"><primary>/ (slash character)</primary></indexterm>slash (<literal>/</literal>) character, even if there is only one pattern listed. This allows spaces to appear in the list. Asterisks can be used as a wildcard to represent zero or more characters. Questions marks can be used to represent exactly one character. For example:</para> + + +<programlisting>hide files = /.jav*/README.???/</programlisting> +</sect3> + + + +<sect3 role="" label="5.2.3.7" id="ch05-SECT-2.3.7"> +<title>hide dot files</title> + + +<para>The <literal>hide</literal> <literal>dot</literal> <literal>files</literal> option hides any files on the server that begin with a <indexterm id="ch05-idx-969735-0"><primary>dot (.) in hidden files</primary></indexterm> +<indexterm id="ch05-idx-969735-1"><primary>. (dot)</primary></indexterm>dot (.) character, in order to mimic the functionality behind several shell commands that are present on Unix systems. Like <literal>hide</literal> <literal>files</literal>, those files that begin with a dot have the DOS hidden attribute set, which doesn't necessarily guarantee that a client cannot view them. The default value for this option is <literal>yes</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.8" id="ch05-SECT-2.3.8"> +<indexterm id="ch05-idx-970581-0"><primary>veto files option</primary></indexterm> +<title> +veto files</title> + + +<para>More stringent than the hidden files state is the state provided by the <literal>veto</literal> <literal>files</literal> configuration option. Samba won't even admit these files exist. You cannot list or open them from the client. In reality, this isn't a trustworthy security option. It is actually a mechanism to keep PC programs from deleting special files, such as ones used to store the resource fork of a Macintosh file on a Unix filesystem. If both Windows and Macs are sharing the same files, this can prevent ill-advised power users from removing files the Mac users need.</para> + + +<para>The syntax of this option is identical to that of the <literal>hide</literal> <literal>files</literal> configuration option: each entry must begin, end, or be separated from another with a <indexterm id="ch05-idx-969758-0"><primary>slash (/)</primary><secondary>character</secondary></indexterm> +<indexterm id="ch05-idx-969758-1"><primary>/ (slash character)</primary></indexterm>slash ( / ) character, even if only one pattern is listed. Asterisks can be used as a wildcard to represent zero or more characters. <indexterm id="ch05-idx-969762-0"><primary>question mark (?)</primary></indexterm> +<indexterm id="ch05-idx-969762-1"><primary>? (question mark)</primary></indexterm>Questions marks can be used to represent exactly one character. For example:</para> + + +<programlisting>veto files = /*config/*default?/</programlisting> + + +<para>This option is primarily administrative—not a substitute for good file permissions.</para> +</sect3> + + + +<sect3 role="" label="5.2.3.9" id="ch05-SECT-2.3.9"> +<indexterm id="ch05-idx-970582-0"><primary>delete veto files option</primary></indexterm> +<title> +delete veto files</title> + + +<para> +<indexterm id="ch05-idx-969768-0"><primary>veto files</primary><secondary>option for deleting</secondary></indexterm> +<indexterm id="ch05-idx-969768-1"><primary>files</primary><secondary>veto</secondary><tertiary>option for deleting</tertiary></indexterm>This option tells Samba to delete vetoed files when a user attempts to delete the directory in which they reside. The default value is <literal>no</literal>. This means if a user tries to delete a directory that contains a vetoed file, the file (and the directory) will not be deleted. Instead, the directory will remain and appear to be empty from the perspective of the user. If set to <literal>yes</literal>, the directory and the vetoed files will be<indexterm id="ch05-idx-969721-0" class="endofrange" startref="ch05-idx-969717-0"/> deleted.</para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="5.3" id="ch05-34062"> +<title>File Permissions and Attributes on MS-DOS and Unix</title> + + +<para> +<indexterm id="ch05-idx-969769-0" class="startofrange"><primary>files</primary><secondary>permissions</secondary></indexterm> +<indexterm id="ch05-idx-969769-1" class="startofrange"><primary>files</primary><secondary>attributes</secondary></indexterm> +<indexterm id="ch05-idx-969769-2" class="startofrange"><primary>DOS file permissions and attributes</primary></indexterm> +<indexterm id="ch05-idx-969769-3" class="startofrange"><primary>Unix</primary><secondary>file permissions and attributes</secondary></indexterm>DOS was never intended to be a multiuser, networked operating system. Unix, on the other hand, was designed that way from the start. Consequently, there are inconsistencies and gaps in coverage between the two filesystems that Samba must not only be aware of, but also provide solutions for. One of the biggest gaps is how Unix and DOS handle permissions with files.</para> + + +<para>Let's take a look at how Unix assigns permissions. All Unix files have read, write, and execute bits for three classifications of users: <indexterm id="ch05-idx-969803-0"><primary>Unix</primary><secondary>user classifications</secondary></indexterm>owner, group, and world. These permissions can be seen at the extreme left-hand side when a <literal>ls</literal> <literal>-al</literal> command is issued in a Unix directory. For example:</para> + + +<programlisting>-rwxr--r-- 1 tom users 2014 Apr 13 14:11 access.conf</programlisting> + + +<para>Windows, on the other hand, has four principal bits that it uses with any file: read-only, system, hidden, and archive. You can view these bits by right-clicking on the file and choosing the Properties menu item. You should see a dialog similar to <link linkend="ch05-76568">Figure 5.6</link>.<footnote label="1" id="ch05-pgfId-964268"> + + +<para>The system checkbox will probably be greyed for your file. Don't worry about that—you should still be able to see when the box is checked and when it isn't.</para> + + +</footnote></para> + + +<figure label="5.6" id="ch05-76568"> +<title>DOS and Windows file properties</title> + +<graphic width="502" depth="435" fileref="figs/sam.0506.gif"></graphic> +</figure> + +<para>The definition of each of those bits follows:</para> + + +<variablelist> +<varlistentry><term> +<indexterm id="ch05-idx-969799-0"><primary>read-only files</primary></indexterm> +<indexterm id="ch05-idx-969799-1"><primary>files</primary><secondary>read-only</secondary></indexterm>Read-only</term> +<listitem><para>The file's contents can be read by a user but cannot be written to.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="ch05-idx-969800-0"><primary>system files</primary></indexterm> +<indexterm id="ch05-idx-969800-1"><primary>files</primary><secondary>system</secondary></indexterm>System</term> +<listitem><para>This file has a specific purpose required by the operating system.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="ch05-idx-969801-0"><primary>hidden files</primary></indexterm> +<indexterm id="ch05-idx-969801-1"><primary>files</primary><secondary>hidden</secondary></indexterm>Hidden</term> +<listitem><para>This file has been marked to be invisible to the user, unless the operating systems is explicitly set to show it.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="ch05-idx-969802-0"><primary>archive files</primary></indexterm> +<indexterm id="ch05-idx-969802-1"><primary>files</primary><secondary>archive</secondary></indexterm>Archive</term> +<listitem><para>This file has been touched since the last DOS backup was performed on it.</para></listitem> +</varlistentry> +</variablelist> + + +<para>Note that there is no bit to specify that a file is executable. DOS and Windows NT filesystems identify executable files by giving them the extensions .EXE, .COM, .CMD, or .BAT.</para> + + +<para>Consequently, there is no use for any of the three Unix executable bits that are present on a file in a Samba disk share. DOS files, however, have their own attributes that need to be preserved when they are stored in a Unix environment: the archive, system, and hidden bits. Samba can preserve these bits by reusing the executable permission bits of the file on the Unix side—if it is instructed to do so. Mapping these bits, however, has an unfortunate side-effect: if a Windows user stores a file in a Samba share, and you view it on Unix with the <literal>ls</literal> <literal>-al</literal> command, some of the executable bits won't mean what you'd expect them to.</para> + + +<para>Three Samba options decide whether the bits are mapped: <literal>map</literal> <literal>archive</literal>, <literal>map</literal> <literal>system </literal>, and <literal>map</literal> <literal>hidden</literal>. These options map the archive, system, and hidden attributes to the owner, group, and world execute bits of the file, respectively. You can add these options to the <literal>[data]</literal> share, setting each of their values as follows:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + map archive = yes + map system = yes + map hidden = yes</programlisting> + + +<para>After that, try creating a file in the share under Unix—such as <literal>hello.java</literal>—and change the permissions of the file to 755. With these Samba options set, you should be able to check the permissions on the Windows side and see that each of the three values has been checked in the Properties dialog box. What about the read-only attribute? By default, Samba 2.0 sets this whenever a file does not have the Unix owner write permission bit set. In other words, you can set this bit by changing the permissions of the file to 555.</para> + + +<para>We should warn you that the default value of the <literal>map</literal> <literal>archive</literal> option is <literal>yes</literal>, while the other two options have a default value of <literal>no</literal>. This is because many programs do not work properly if the archive bit is not stored correctly for DOS and Windows files. The system and hidden attributes, however, are not critical for a program's operation and are left to the discretion of the administrator.</para> + + +<para><link linkend="ch05-56404">Figure 5.7</link> summarizes the Unix permission bits and illustrates how Samba maps those bits to DOS attributes. Note that the group read/write and world read/write bits do not directly translate to a DOS attribute, but they still retain their original Unix definitions on the Samba server.</para> + + +<figure label="5.7" id="ch05-56404"> +<title>How Samba and Unix view the permissions of a file</title> + +<graphic width="502" depth="211" fileref="figs/sam.0507.gif"></graphic> +</figure> + +<sect2 role="" label="5.3.1" id="ch05-SECT-3.0.1"> +<title>Creation masks</title> + + +<para>Samba has several options to help with file <indexterm id="ch05-idx-969796-0"><primary>creation masks</primary></indexterm> +<indexterm id="ch05-idx-969796-1"><primary>file creation masks</primary></indexterm> +<indexterm id="ch05-idx-969796-2"><primary>masks</primary><secondary>creation</secondary></indexterm> +<indexterm id="ch05-idx-969796-3"><primary>masks</primary><secondary>umasks</secondary></indexterm>creation masks. File creation masks (or <firstterm>umasks</firstterm> +<indexterm id="ch05-idx-969797-0"><primary>umasks</primary></indexterm>) help to define the permissions a file or directory will receive at the time it is created. In Unix, this means that you can control what permissions a file or directory does not have when it is created. For files accessed from Windows, this means you can disable the read-only, archive, system, and hidden attributes of a file as well.</para> + + +<para>For example, the <literal>create</literal> <literal>mask</literal> option will force the permissions of a file created by a Windows client to be at most 744:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + create mask = 744</programlisting> + + +<para>while the <literal>directory</literal> +<indexterm id="ch05-idx-970586-0"><primary>directory mask option</primary></indexterm> <literal>mask</literal> option shown here will force the permissions of a newly created directory to be at most 755:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + directory mask = 755</programlisting> + + +<para>Alternatively, you can also force various bits with the <literal>force</literal> <literal>create</literal> <literal>mode</literal> and <literal>force</literal> <literal>directory</literal> <literal>mode</literal> options. These options will perform a logical OR against the file and directory creation masks, ensuring that those bits that are specified will always be set. You would typically set these options globally in order to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share.</para> + + +<para>In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file that is created on the Windows side, you can use the <literal>force</literal> +<indexterm id="ch05-idx-970587-0"><primary>force user option</primary></indexterm> +<indexterm id="ch05-idx-970587-1"><primary>force group option</primary></indexterm> <literal>user</literal> and <literal>force</literal> <literal>group</literal> options. For example:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + + create mask = 744 + directory mask = 755 + force user = joe + force group = accounting</programlisting> + + +<para>These options actually assign a static Unix user and group to each connection that is made to a share. However, this occurs <emphasis>after</emphasis> the client authenticates; it does not allow free access to a share. These options are frequently used for their side effects of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion.</para> + + +<para>Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.</para> + + +<para>DOS filesystems are not designed for multiple users, and so its designers decided that <indexterm id="ch05-idx-969808-0"><primary>read-only files</primary><secondary>deleting</secondary></indexterm> +<indexterm id="ch05-idx-969808-1"><primary>files</primary><secondary>read-only</secondary><tertiary>deleting</tertiary></indexterm>read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows file systems exhibit the same behavior.</para> + + +<para>Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs—which were first written for Unix—run on Windows and require the ability to delete read-only files. Samba permits this behavior with the <literal>delete</literal> +<indexterm id="ch05-idx-970588-0"><primary>delete readonly option</primary></indexterm> <literal>readonly</literal> option. In order to enable this functionality, set the option to <literal>yes</literal>:</para> + + +<programlisting>[data] + path = /home/samba/data + browseable = yes + guest ok = yes + writeable = yes + + create mask = 744 + directory mask = 755 + force user = joe + force group = accounting + delete readonly = yes</programlisting> +</sect2> + + + + +<sect2 role="" label="5.3.2" id="ch05-SECT-3.1"> +<title>File and Directory Permission Options</title> + + +<para> +<indexterm id="ch05-idx-969813-0" class="startofrange"><primary>files</primary><secondary>permissions</secondary><tertiary>options for</tertiary></indexterm> +<indexterm id="ch05-idx-969813-1" class="startofrange"><primary>directories</primary><secondary>permissions, options for</secondary></indexterm> +<indexterm id="ch05-idx-969813-2" class="startofrange"><primary>permissions</primary><secondary>options for</secondary></indexterm>The options for file and directory permissions are summarized in <link linkend="ch05-96508">Table 5.5</link>; each option is then described in detail.</para> + + +<table label="5.5" id="ch05-96508"> +<title>File and Directory Permission Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>map archive</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Preserve DOS archive attribute in user execute bit (0100).</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>map system</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Preserve DOS system attribute in group execute bit (0010).</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>map hidden</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Preserve DOS hidden attribute in world execute bit (0001).</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>create mask (create mode)</literal></para></entry> + +<entry colname="col2"><para>numeric</para></entry> + +<entry colname="col3"><para>Sets the maximum permissions for files created by Samba.</para></entry> + +<entry colname="col4"><para><literal>0744</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>directory mask (directory mode)</literal></para></entry> + +<entry colname="col2"><para>numeric</para></entry> + +<entry colname="col3"><para>Sets the maximum permissions for directories created by Samba.</para></entry> + +<entry colname="col4"><para><literal>0755</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>force create mode</literal></para></entry> + +<entry colname="col2"><para>numeric</para></entry> + +<entry colname="col3"><para>Forces the specified permissions (bitwise or) for directories created by Samba.</para></entry> + +<entry colname="col4"><para><literal>0000</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>force directory mode</literal></para></entry> + +<entry colname="col2"><para>numeric</para></entry> + +<entry colname="col3"><para>Forces the specified permissions (bitwise or) for directories created by Samba.</para></entry> + +<entry colname="col4"><para><literal>0000</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>force group (group)</literal></para></entry> + +<entry colname="col2"><para>string ( group name)</para></entry> + +<entry colname="col3"><para>Sets the effective group for a user accessing this share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>force user</literal></para></entry> + +<entry colname="col2"><para>string (username)</para></entry> + +<entry colname="col3"><para>Sets the effective username for a user accessing this share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>delete readonly</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Allows a user to delete a read-only file from a writable directory.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="5.3.2.1" id="ch05-SECT-3.1.1"> +<title>create mask</title> + + +<para>The argument for this option is an octal number indicating which permission flags may be set at file creation by a client in a share. The default is 0755, which means the Unix owner can at most read, write, and optionally execute his or her own files, while members of the user's group and others can only read or execute them. If you need to change it for non-executable files, we recommend 0644, or <literal>rw-r--r--</literal>. Keep in mind that the execute bits may be used by the server to map certain DOS file attributes, as described earlier. If you're altering the <indexterm id="ch05-idx-969816-0"><primary>creation masks</primary><secondary>option for</secondary></indexterm>create mask, those bits have to be part of the create mask as well.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.2" id="ch05-SECT-3.1.2"> +<indexterm id="ch05-idx-970593-0"><primary>directory mask option</primary></indexterm> +<title> +directory mask</title> + + +<para>The argument for this option is an octal number indicating which permission flags may be set at directory creation by a client in a share. The default is 0755, which allows everyone on the Unix side to at most read and traverse the directories, but allows only you to modify them. We recommend the mask 0750, removing access by world users.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.3" id="ch05-SECT-3.1.3"> +<indexterm id="ch05-idx-970594-0"><primary>force create mode option</primary></indexterm> +<title> +force create mode</title> + + +<para>This option sets the permission bits that Samba will force to be set when a file permission change is made. It's often used to force group permissions, mentioned previously. It can also be used to preset any of the DOS attributes we mentioned: archive (0100), system (0010), or hidden (0001). This option always takes effect after the <literal>map</literal> <literal>archive</literal>, <literal>map</literal> <literal>system </literal>, <literal>map</literal> <literal>hidden</literal>, and <literal>create</literal> <literal>mask</literal> options.</para> + + +<tip role="ora"> +<para>Many Windows applications rename their data files to <emphasis>datafile.bak</emphasis> and create new ones, thus changing their ownership and permissions so that members of the same Unix group can't edit them. Setting <literal>force create mask = 0660</literal> will keep the new file editable by members of the group.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="5.3.2.4" id="ch05-SECT-3.1.4"> +<indexterm id="ch05-idx-970595-0"><primary>force directory mode option</primary></indexterm> +<title> +force directory mode</title> + + +<para>This option sets the permission bits which Samba will force when a directory permission change is made or a directory is created. It's often used to force group permissions, as mentioned previously. This option defaults to 0000, and can be used just like the <literal>force</literal> <literal>create</literal> <literal>mode</literal> to add group or other permissions if needed. This option always takes effect after the <literal>map</literal> <literal>archive</literal>, <literal>map</literal> <literal>system</literal>, <literal>map</literal> <literal>hidden</literal>, and <literal>directory</literal> <literal>mask</literal> options.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.5" id="ch05-SECT-3.1.5"> +<indexterm id="ch05-idx-970596-0"><primary>force group option</primary></indexterm> +<title> +force group</title> + + +<para>This option, sometimes called <literal>group</literal>, assigns a static group ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific group to each new file or directory created from an SMB client.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.6" id="ch05-SECT-3.1.6"> +<indexterm id="ch05-idx-970597-0"><primary>force user option</primary></indexterm> +<title> +force user</title> + + +<para>The <literal>force</literal> <literal>user</literal> option assigns a static user ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific user to each new file or directory created from an SMB client.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.7" id="ch05-SECT-3.1.7"> +<indexterm id="ch05-idx-970598-0"><primary>delete readonly option</primary></indexterm> +<title> +delete readonly</title> + + +<para> +<indexterm id="ch05-idx-969827-0"><primary>files</primary><secondary>read-only</secondary><tertiary>deleting</tertiary></indexterm> +<indexterm id="ch05-idx-969827-1"><primary>read-only files</primary><secondary>deleting</secondary></indexterm>This option allows a user to delete a directory containing a read-only file. By default, DOS and Windows will not allow such an operation. You probably will want to leave this option turned off unless a program needs this capability; many Windows users would be appalled to find that they'd accidentally deleted a file which they had set read-only. In fact, even the Unix <literal>rm</literal> command will ask users if they really want to override the protection and delete read-only files. It's a good idea to have Samba be at least as cautious.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.8" id="ch05-SECT-3.1.8"> +<indexterm id="ch05-idx-970600-0"><primary>map archive option</primary></indexterm> +<title> +map archive</title> + + +<para>The DOS archive bit is used to flag a file that has been changed since it was last archived (e.g., backed up with the DOS archive program.) Setting the Samba option <literal>map</literal> <literal>archive</literal> <literal>=</literal> <literal>yes</literal> causes the DOS archive flag to be mapped to the Unix execute-by-owner (0100) bit. It's best to leave this option on if your Windows users are doing their own backups, or are using programs that require the archive bit. Unix lacks the notion of an archive bit entirely. Backup programs typically keep a file that lists what files were backed up on what date, so comparing file modification dates serves the same purpose.</para> + + +<para>Setting this option to <literal>yes</literal> causes an occasional surprise on Unix when a user notices that a data file is marked as executable, but rarely causes harm. If a user tries to run it, he or she will normally get a string of error messages as the shell tries to execute the first few lines as commands. The reverse is also possible; an executable Unix program looks like it hasn't been backed up recently on Windows. But again, this is rare, and is usually harmless.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.9" id="ch05-SECT-3.1.9"> +<indexterm id="ch05-idx-970601-0"><primary>map system option</primary></indexterm> +<title> +map system</title> + + +<para>The DOS system attribute is used to indicate files that are required by the operating system, and should not be deleted, renamed, or moved without special effort. Set this option only if you need to store Windows system files on the Unix file server. Executable Unix programs will appear to be non-removable special Windows files when viewed from Windows clients. This may prove mildly inconvenient if you want to move or remove one. For most sites, however, this is fairly harmless.</para> +</sect3> + + + +<sect3 role="" label="5.3.2.10" id="ch05-SECT-3.1.10"> +<indexterm id="ch05-idx-970602-0"><primary>map hidden option</primary></indexterm> +<title> +map hidden</title> + + +<para> +<indexterm id="ch05-idx-969828-0"><primary>hidden files</primary><secondary>options for</secondary></indexterm>DOS uses the hidden attribute to indicate that a file should not ordinarily be visible in directory listings. Unix doesn't have such a facility; it's up to individual programs (notably the shell) to decide what to display and what not to display. Normally, you won't have any DOS files that need to be hidden, so the best thing to do is to leave this option turned off.</para> + + +<para>Setting this option to <literal>yes</literal> causes the server to map the hidden flag onto the executable-by-others bit (0001). This feature can produce a rather startling effect. Any Unix program that is executable by world seems to vanish when you look for it from a Windows client. If this option is not set, however, and a Windows user attempts to mark a file hidden on a Samba share, it will not work—Samba has no place to store the hidden attribute!<indexterm id="ch05-idx-969791-0" class="endofrange" startref="ch05-idx-969769-0"/> +<indexterm id="ch05-idx-969791-1" class="endofrange" startref="ch05-idx-969769-1"/> +<indexterm id="ch05-idx-969791-2" class="endofrange" startref="ch05-idx-969769-2"/> +<indexterm id="ch05-idx-969791-3" class="endofrange" startref="ch05-idx-969769-3"/> +<indexterm id="ch05-idx-969791-4" class="endofrange" startref="ch05-idx-969813-2"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="5.4" id="ch05-30534"> +<title>Name Mangling and Case</title> + + +<para> +<indexterm id="ch05-idx-969835-0" class="startofrange"><primary>name mangling</primary></indexterm>Back in the days of DOS and Windows 3.1, every filename was limited to eight upper-case characters, followed by a dot, and three more uppercase characters. This was known as the <firstterm>8.3 format</firstterm> +<indexterm id="ch05-idx-969833-0"><primary>8.3 format</primary></indexterm> +<indexterm id="ch05-idx-969833-1"><primary>filenames</primary><secondary>8.3 format</secondary></indexterm>, and was a huge nuisance. Windows 95/98, Windows NT, and Unix have since relaxed this problem by allowing many more case-sensitive characters to make up a filename. <link linkend="ch05-24354">Table 5.6</link> shows the current naming state of several popular operating systems.</para> + + +<table label="5.6" id="ch05-24354"> +<title>Operating System Filename Limitations </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Operating System</para></entry> + +<entry colname="col2"><para>File Naming Rules</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>DOS 6.22 or below</para></entry> + +<entry colname="col2"><para> +<indexterm id="ch05-idx-969834-0"><primary>filenames</primary><secondary>limitations on</secondary></indexterm>Eight characters followed by a dot followed by a three-letter extension (8.3 format); case insensitive</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 3.1 for Workgroups</para></entry> + +<entry colname="col2"><para>Eight characters followed by a dot followed by a three-letter extension (8.3 format); case insensitive</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 95/98</para></entry> + +<entry colname="col2"><para>127 characters; case sensitive</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT</para></entry> + +<entry colname="col2"><para>127 characters; case sensitive</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Unix</para></entry> + +<entry colname="col2"><para>255 characters; case sensitive</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para> +<indexterm id="ch05-idx-969837-0"><primary>backwards compatibility</primary><secondary sortas="filenames">for filenames</secondary></indexterm>Samba still has to remain backwards compatible with network clients who store files only in the 8.3 format, such as Windows for Workgroups. If a user creates a file on a share called <emphasis>antidisestablishmentarianism.txt</emphasis>, a Windows for Workgroups client couldn't tell it apart from another file in the same directory called <emphasis>antidisease.txt</emphasis>. Like Windows 95/98 and Windows NT, Samba has to employ a special methodology of translating a long filename to an 8.3 filename in such a way that similar filenames will not cause collisions. This is called <firstterm>name mangling</firstterm>, and Samba deals with this in a manner that is similar, but not identical to, Windows 95 and its successors.</para> + + +<sect2 role="" label="5.4.1" id="ch05-SECT-4.1"> +<title>The Samba Mangling Operation</title> + + +<para> +<indexterm id="ch05-idx-969840-0"><primary>name mangling</primary><secondary>steps in</secondary></indexterm>Here is how Samba mangles a long filename into an 8.3 filename:</para> + + +<itemizedlist> +<listitem><para>If the original filename does not begin with a dot, up to the first five alphanumeric characters that occur before the last dot (if there is one) are converted to uppercase. These characters are used as the first five characters of the 8.3 mangled filename.</para></listitem> +<listitem><para>If the original filename begins with a dot, the dot is removed and up to the first five alphanumeric characters that occur before the last dot (if there is one) are converted to uppercase. These characters are used as the first five characters of the 8.3 mangled filename.</para></listitem> +<listitem><para>These characters are immediately followed a special mangling character: by default, a tilde (~), although Samba allows you to change this character.</para></listitem> +<listitem><para>The base of the long filename before the last period is hashed into a two-character code; parts of the name after the last dot may be used if necessary. This two character code is appended to the 8.3 filename after the mangling character.</para></listitem> +<listitem><para>The first three characters after the last dot (if there is one) of the original filename are converted to uppercase and appended onto the mangled name as the extension. If the original filename began with a dot, three underscores ( <literal>_ _ _ </literal>) are used as the extension instead.</para></listitem> +</itemizedlist> + +<para>Here are some examples:</para> + + +<programlisting>virtuosity.dat VIRTU~F1.DAT +.htaccess HTACC~U0._ _ _ +hello.java HELLO~1F.JAV +team.config.txt TEAMC~04.TXT +antidisestablishmentarianism.txt ANTID~E3.TXT +antidiseast.txt ANTID~9K.TXT</programlisting> + + +<para>Using these rules will allow Windows for Workgroups to differentiate the two files on behalf of the poor individual who is forced to see the network through the eyes of that operating system. Note that the same long filename should always hash to the same mangled name with Samba; this doesn't always happen with Windows. The downside of this approach is that there can still be collisions; however, the chances are greatly reduced.</para> + + +<para>You generally want to use the mangling configuration options with only the oldest clients. We recommend doing this without disrupting other clients by adding an <literal>include</literal> directive to the <filename>smb.conf</filename> file:</para> + + +<programlisting>[global] + include = /ucsr/local/samba/lib/smb.conf.%m</programlisting> + + +<para>This resolves to <filename>smb.conf.WfWg</filename> when a Window for Workgroups client attaches. Now you can create a file <filename>/usr/local/samba/lib/smb.conf.WfWg</filename> which might contain these options:</para> + + +<programlisting>[global] + case sensitive = no + default case = upper + preserve case = no + short preserve case = no + mangle case = yes + mangled names= yes</programlisting> + + +<para>If you are not using Windows for Workgroups 3.1, then you probably do not need to change any of these options from their defaults.</para> + + +<sect3 role="" label="5.4.1.1" id="ch05-SECT-4.1.1"> +<title>Representing and resolving filenames with Samba</title> + + +<para> +<indexterm id="ch05-idx-969841-0"><primary>representing/resolving filenames</primary></indexterm> +<indexterm id="ch05-idx-969841-1"><primary>filenames</primary><secondary>representing/resolving</secondary></indexterm>Another item that we should point out is that there is a difference between how an operating system <emphasis>represents</emphasis> a file and how it <emphasis>resolves</emphasis> it. For example, if you've used Windows 95/98/NT, you have likely run across a file called <filename>README.TXT</filename>. The file can be represented by the operating system entirely in uppercase letters. However, if you open an MS-DOS prompt and enter the command <literal>edit</literal> <literal>readme.txt</literal>, the all-caps file is loaded into the editing program, even though you typed the name in lowercase letters!</para> + + +<para>This is because the Windows 95/98/NT family of operating systems resolves files in a case-insensitive manner, even though the files are represented it in a case-sensitive manner. Unix-based operating systems, on the other hand, always resolve files in a case-sensitive manner; if you try to edit <filename>README.TXT</filename> with the command <literal>vi</literal> <literal>readme.txt</literal>, you will likely be editing the empty buffer of a new file.</para> + + +<para>Here is how Samba handles case: if the <literal>preserve</literal> <literal>case</literal> is set to <literal>yes</literal>, Samba will always use the case provided by the operating system for representing (not resolving) filenames. If it is set to <literal>no</literal>, it will use the case specified by the <literal>default</literal> <literal>case</literal> option. The same is true for <literal>short</literal> <literal>preserve</literal> <literal>case</literal>. If this option is set to <literal>yes</literal>, Samba will use the default case of the operating system for representing 8.3 filenames; otherwise it will use the case specified by the <literal>default</literal> <literal>case</literal> option. Finally, Samba will always resolve filenames in its shares based on the value of the <literal>case</literal> <literal>sensitive</literal> option.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="5.4.2" id="ch05-SECT-4.2"> +<title>Mangling Options</title> + + +<para> +<indexterm id="ch05-idx-969842-0" class="startofrange"><primary>name mangling</primary><secondary>options for</secondary></indexterm>Samba allows you to give it more refined instructions on how it should perform name mangling, including those controlling the case sensitivity, the character inserted to form a mangled name, and the ability to manually map filenames from one format to another. These options are shown in <link linkend="ch05-47431">Table 5.7</link>.</para> + + +<table label="5.7" id="ch05-47431"> +<title>Name Mangling Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>case sensitive</literal></para> + +<para><literal>(casesignames)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba will treat filenames as case-sensitive (Windows doesn't).</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>default case</literal></para></entry> + +<entry colname="col2"><para>(<literal>upper</literal> or <literal>lower</literal>)</para></entry> + +<entry colname="col3"><para>Case to assume as default (only used when preserve case is <literal>no</literal>).</para></entry> + +<entry colname="col4"><para>Lower</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>preserve case</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, keep the case the client supplied (i.e., do not convert to <literal>default case</literal>).</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>short preserve case</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, preserve case of 8.3-format names that the client provides.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mangle case</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Mangle a name if it is mixed case.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mangled names</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>8.3 DOS format.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mangling char</literal></para></entry> + +<entry colname="col2"><para>string (single character)</para></entry> + +<entry colname="col3"><para>Gives mangling character.</para></entry> + +<entry colname="col4"><para><literal>~</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mangled stack</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Number of mangled names to keep on the local mangling stack.</para></entry> + +<entry colname="col4"><para><literal>50</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>mangled map</literal></para></entry> + +<entry colname="col2"><para>string (list of patterns)</para></entry> + +<entry colname="col3"><para>Allows mapping of filenames from one format into another.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="5.4.2.1" id="ch05-SECT-4.2.1"> +<title>case sensitive</title> + + +<para> +<indexterm id="ch05-idx-969856-0"><primary>case sensitivity</primary><secondary>options for</secondary></indexterm>This share-level option, which has the obtuse synonym <literal>casesignames</literal>, specifies whether Samba should preserve case when resolving filenames in a specific share. The default value for this option is <literal>no</literal>, which is how Windows handles file resolution. If clients are using an operating system that takes advantage of case-sensitive filenames, you can set this configuration option to <literal>yes</literal> as shown here:</para> + + +<programlisting>[accounting] + case sensitive = yes</programlisting> + + +<para>Otherwise, we recommend that you leave this option set to its default.</para> +</sect3> + + + +<sect3 role="" label="5.4.2.2" id="ch05-SECT-4.2.2"> +<title>default case</title> + + +<para>The <literal>default</literal> +<indexterm id="ch05-idx-970606-0"><primary>default case option</primary></indexterm> <literal>case</literal> option is used with <literal>preserve</literal> <literal>case</literal>. This specifies the default case (upper or lower) that Samba will use when it creates a file on one of its shares on behalf of a client. The default case is <literal>lower</literal>, which means that newly created files will use the mixed-case names given to them by the client. If you need to, you can override this global option by specifying the following:</para> + + +<programlisting>[global] + default case = upper</programlisting> + + +<para>If you specify this value, the names of newly created files will be translated into uppercase, and cannot be overridden in a program. We recommend that you use the default value unless you are dealing with a Windows for Workgroups or other 8.3 client, in which case it should be <literal>upper</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.4.2.3" id="ch05-SECT-4.2.3"> +<indexterm id="ch05-idx-970607-0"><primary>preserve case option</primary></indexterm> +<title> +preserve case</title> + + +<para>This option specifies whether a file created by Samba on behalf of the client is created with the case provided by the client operating system, or the case specified by the <literal>default</literal> <literal>case</literal> configuration option above. The default value is <literal>yes</literal>, which uses the case provided by the client operating system. If it is set to <literal>no</literal>, the value of the <literal>default</literal> <literal>case</literal> option is used.</para> + + +<para>Note that this option does not handle 8.3 file requests sent from the client—see the <literal>short</literal> <literal>preserve</literal> <literal>case</literal> option below. You may want to set this option to <literal>yes</literal> if applications that create files on the Samba server are sensitive to the case used when creating the file. If you want to force Samba, for example, to mimic the behavior of a Windows NT filesystem, you can leave this option to its default, <literal>yes</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.4.2.4" id="ch05-SECT-4.2.4"> +<indexterm id="ch05-idx-970608-0"><primary>hort preserve case option</primary></indexterm> +<title>short preserve case</title> + + +<para>This option specifies whether an 8.3 filename created by Samba on behalf of the client is created with the default case of the client operating system, or the case specified by the <literal>default</literal> <literal>case</literal> configuration option. The default value is <literal>yes</literal>, which uses the case provided by the client operating system. You can let Samba choose the case through the <literal>default</literal> <literal>case</literal> option by setting it as follows:</para> + + +<programlisting>[global] + short preserve case = no</programlisting> + + +<para>If you want to force Samba to mimic the behavior of a Windows NT filesystem, you can leave this option set to its default, <literal>yes</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.4.2.5" id="ch05-SECT-4.2.5"> +<indexterm id="ch05-idx-970609-0"><primary>mangled names option</primary></indexterm> +<title> +mangled names</title> + + +<para>This share-level option specifies whether Samba will mangle filenames for 8.3 clients in that share. If the option is set to <literal>no</literal>, Samba will not mangle the names and (depending on the client), they will either be invisible or appear truncated to those using 8.3 operating systems. The default value is <literal>yes</literal>. You can override it per share as follows:</para> + + +<programlisting>[data] + mangled names = no</programlisting> +</sect3> + + + +<sect3 role="" label="5.4.2.6" id="ch05-SECT-4.2.6"> +<indexterm id="ch05-idx-970610-0"><primary>mangle case option</primary></indexterm> +<title> +mangle case</title> + + +<para>This option tells Samba whether it should mangle filenames that are not composed entirely of the case specified using the <literal>default</literal> <literal>case</literal> configuration option. The default for this option is <literal>no</literal>. If you set it to <literal>yes</literal>, you should be sure that all clients will be able to handle the mangled filenames that result. You can override it per share as follows:</para> + + +<programlisting>[data] + mangle case = yes</programlisting> + + +<para>We recommend that you leave this option alone unless you have a well-justified need to change it.</para> +</sect3> + + + +<sect3 role="" label="5.4.2.7" id="ch05-SECT-4.2.7"> +<indexterm id="ch05-idx-970611-0"><primary>mangling char option</primary></indexterm> +<title> +mangling char</title> + + +<para>This share-level option specifies the mangling character used when Samba mangles filenames into the 8.3 format. The default character used is a tilde (~). You can reset it to whatever character you wish, for instance:</para> + + +<programlisting>[data] + mangling char = #</programlisting> +</sect3> + + + +<sect3 role="" label="5.4.2.8" id="ch05-SECT-4.2.8"> +<indexterm id="ch05-idx-970612-0"><primary>mangled stack option</primary></indexterm> +<title> +mangled stack</title> + + +<para>Samba maintains a local stack of recently mangled 8.3 filenames; this stack can be used to reverse map mangled filenames back to their original state. This is often needed by applications that create and save a file, close it, and need to modify it later. The default number of long filename/mangled filename pairs stored on this stack is 50. However, if you want to cut down on the amount of processor time used to mangle filenames, you can increase the size of the stack to whatever you wish, at the expense of memory and slightly slower file access.</para> + + +<programlisting>[global] + mangled stack = 100</programlisting> +</sect3> + + + +<sect3 role="" label="5.4.2.9" id="ch05-SECT-4.2.9"> +<indexterm id="ch05-idx-970613-0"><primary>mangled map option</primary></indexterm> +<title> +mangled map</title> + + +<para>If the default behavior of name mangling is not sufficient, you can give Samba further instructions on how to behave using the <literal>mangled</literal> <literal>map</literal> option. This option allows you to specify mapping patterns that can be used before or even in place of name mangling performed by Samba. For example:</para> + + +<programlisting>[data] + mangled map =(*.database *.db) (*.class *.cls)</programlisting> + + +<para>Here, Samba is instructed to search each file it encounters for characters that match the first pattern specified in the parenthesis and convert them to the modified second pattern in the parenthesis for display on an 8.3 client. This is useful in the event that name mangling converts the filename incorrectly or to a format that the client cannot understand<indexterm id="ch05-idx-969851-0" class="endofrange" startref="ch05-idx-969842-0"/> readily. Patterns are separated by whitespaces.<indexterm id="ch05-idx-969845-0" class="endofrange" startref="ch05-idx-969835-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="5.5" id="ch05-75933"> +<title>Locks and Oplocks</title> + + +<para> +<indexterm id="ch05-idx-969857-0" class="startofrange"><primary>locks/locking files</primary></indexterm> +<indexterm id="ch05-idx-969857-1" class="startofrange"><primary>oplocks</primary></indexterm>Concurrent writes to a single file are not desirable in any operating system. To prevent this, most operating systems use <firstterm>locks</firstterm> to guarantee that only one process can write to a file at a time. Operating systems traditionally lock entire files, although newer ones allow a range of bytes within a file to be locked. If another process attempts to write to a file (or section of one) that is already locked, it will receive an error from the operating system and will wait until the lock is released.</para> + + +<para>Samba supports the standard DOS and NT filesystem (deny-mode) locking requests, which allow only one process to write to an entire file on a server at a give time, as well as byte-range locking. In addition, Samba supports a new locking mechanism known in the Windows NT world as <firstterm>opportunistic locking—</firstterm><emphasis>oplock</emphasis> for short.</para> + + +<sect2 role="" label="5.5.1" id="ch05-SECT-5.1"> +<title>Opportunistic Locking</title> + + +<para>Opportunistic locking allows a client to notify the Samba server that it will not only be the exclusive writer of a file, but will also cache its changes to that file on its own machine (and not on the Samba server) in order to speed up file access for that client. When Samba knows that a file has been opportunistically locked by a client, it marks its version as having an opportunistic lock and waits for the client to complete work on the file, at which point it expects the client to send the final changes back to the Samba server for synchronization.</para> + + +<para>If a second client requests access to that file before the first client has finished working on it, Samba can send an <firstterm>oplock break</firstterm> +<indexterm id="ch05-idx-969865-0"><primary>oplocks</primary><secondary>break requests</secondary></indexterm> request to the first client. This tells the client to stop caching its changes and return the current state of the file to the server so that the interrupting client can use it as it sees fit. An opportunistic lock, however, is not a replacement for a standard deny-mode lock. It is not unheard of for the interrupting process to be granted an oplock break only to discover that the original process also has a deny-mode lock on a file as well. <link linkend="ch05-74304">Figure 5.8</link> illustrates this opportunistic locking process.</para> + + +<figure label="5.8" id="ch05-74304"> +<title>Opportunistic locking</title> + +<graphic width="502" depth="314" fileref="figs/sam.0508.gif"></graphic> +</figure> + +<para>In terms of locks, we highly recommend using the defaults provided by Samba: standard DOS/Windows deny-mode locks for compatibility and oplocks for the extra performance that local caching allows. If your operating system can take advantage of oplocks, it should provide significant performance improvements. Unless you have a specific reason for changing any of these options, it's best to leave them as they are.</para> +</sect2> + + + + + +<sect2 role="" label="5.5.2" id="ch05-SECT-5.2"> +<title>Unix and Locking</title> + + +<para> +<indexterm id="ch05-idx-969866-0"><primary>locks/locking files</primary><secondary>Unix and</secondary></indexterm> +<indexterm id="ch05-idx-969866-1"><primary>Unix</primary><secondary>locks and</secondary></indexterm>Windows systems cooperate well to avoid overwriting each other's changes. But if a file stored on a Samba system is accessed by a Unix process, this process won't know a thing about Windows oplocks and could easily ride roughshod over a lock. Some Unix systems have been enhanced to understand the Windows oplocks maintained by Samba. Currently the support exists only in SGI Irix 6.5.2f and later; Linux and FreeBSD should soon follow.</para> + + +<para>If you have a system that understands oplocks, set <literal>kernel</literal> <literal>oplocks</literal> <literal>=</literal> <literal>yes</literal> in the Samba configuration file. That should eliminate conflicts between Unix processes and Windows users.</para> + + +<para>If your system does not support kernel oplocks, you could end up with corrupted data when somebody runs a Unix process that reads or writes a file that Windows users also access. However, Samba provides a rough protection mechanism in the absence of kernel oplocks: the <literal>veto</literal> <literal>oplock</literal> <literal>files</literal> option. If you can anticipate which Samba files are used by both Windows users and Unix users, set their names in a <literal>veto</literal> <literal>oplock</literal> <literal>files</literal> option. This will suppress the use of oplocks on matching filenames, which will supress client caching, and let the Windows and Unix programs use system locking or update times to detect competition for the same file. A sample option is:</para> + + +<programlisting>veto oplock files = /*.dbm/</programlisting> + + +<para>This option allows both Unix processes and Windows users to edit files ending in the suffix <emphasis>.dbm</emphasis>. Note that the syntax of this option is similar to <literal>veto</literal> <literal>files</literal>.</para> + + +<para>Samba's options for locks and oplocks are given in <link linkend="ch05-53407">Table 5.8</link>.</para> + + +<table label="5.8" id="ch05-53407"> +<title>Locks and Oplocks Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>share modes</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch05-idx-969867-0" class="startofrange"><primary>locks/locking files</primary><secondary>options for</secondary></indexterm> +<indexterm id="ch05-idx-969867-1" class="startofrange"><primary>oplocks</primary><secondary>options for</secondary></indexterm>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, turns on support for DOS-style whole-file locks.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>locking</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, turns on byte-range locks.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>strict locking</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, denies access to an entire file if a byte-range lock exists in it.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>oplocks</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, turn on local caching of files on the client for this share.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>kernel oplocks</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, indicates that the kernel supports oplocks.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>fake oplocks</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, tells client the lock was obtained, but doesn't actually lock it.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>blocking locks </literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Allows lock requestor to wait for the lock to be granted.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>veto oplock files</literal></para></entry> + +<entry colname="col2"><para>string (list of filenames)</para></entry> + +<entry colname="col3"><para>Does not oplock specified files.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lock directory</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Sets the location where various Samba files, including locks, are stored.</para></entry> + +<entry colname="col4"><para>As specified in Samba makefile</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="5.5.2.1" id="ch05-SECT-5.2.1"> +<title>share modes</title> + + +<para>The most primitive locks available to Samba are deny-mode locks, known as <firstterm>share modes</firstterm> +<indexterm id="ch05-idx-969868-0"><primary>share modes</primary></indexterm> +<indexterm id="ch05-idx-969868-1"><primary>SMB (Server Message Block)</primary><secondary>deny-mode locks</secondary></indexterm>, which are employed by programs such as text editors to avoid accidental overwriting of files. For reference, the deny-mode locks are listed in <link linkend="ch05-55885">Table 5.9</link>.</para> + + +<table label="5.9" id="ch05-55885"> +<title>SMB Deny-Mode Locks </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Lock</para></entry> + +<entry colname="col2"><para>Description</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>DENY_NONE</literal></para></entry> + +<entry colname="col2"><para>Do not deny any other file requests.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>DENY_ALL</literal></para></entry> + +<entry colname="col2"><para>Deny all open requests on the current file.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>DENY_READ</literal></para></entry> + +<entry colname="col2"><para>Deny any read-only open requests on the current file.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>DENY_WRITE</literal></para></entry> + +<entry colname="col2"><para>Deny any write-only open requests on the current file.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>DENY_DOS</literal></para></entry> + +<entry colname="col2"><para>If opened for reading, others can read but cannot write to the file. If opened for writing, others cannot open the file at all.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>DENY_FCB</literal></para></entry> + +<entry colname="col2"><para>Obsolete.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>The <literal>share</literal> <literal>modes</literal> parameter, which enforces the use of these locks, is enabled by default. To disable it, use the following command:</para> + + +<programlisting>[accounting] + share modes = no</programlisting> + + +<para>We highly recommend against disabling the default locking mechanism unless you have a justifiable reason for doing so. Most Windows and DOS applications rely on these locking mechanisms in order to work correctly, and will complain bitterly if this functionality is taken away.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.2" id="ch05-SECT-5.2.2"> +<title>locking</title> + + +<para>The<indexterm id="ch05-idx-970616-0"><primary>locking option</primary></indexterm> <literal>locking</literal> option can be used to tell Samba to engage or disengage server-side byte-range locks on behalf of the client. Samba implements byte-range locks on the server side with normal Unix advisory locks and will consequently prevent other properly-behaved Unix processes from overwriting a locked byte range.</para> + + +<para>This option can be specified per share as follows:</para> + + +<programlisting>[accounting] + locking = yes</programlisting> + + +<para>If the <literal>locking</literal> option is set to <literal>yes</literal>, the requestor will be delayed until the holder of either type of lock releases it (or crashes). If, however, the option is set to <literal>no</literal>, no byte-range locks will be kept for the files, although requests to lock and unlock files will appear to succeed. The option is set to <literal>yes</literal> by default; however, you can turn this option off if you have read-only media.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.3" id="ch05-SECT-5.2.3"> +<indexterm id="ch05-idx-970617-0"><primary>strict locking option</primary></indexterm> +<title> +strict locking</title> + + +<para>This option checks every file access for a byte-range lock on the range of bytes being accessed. This is typically not needed if a client adheres to all the locking mechanisms in place. This option is set to <literal>no</literal> by default; however, you can reset it per share as follows:</para> + + +<programlisting>[accounting] + strict locking = yes</programlisting> + + +<para>If this option is set to <literal>yes</literal>, mandatory locks are enforced on any file with byte-range locks.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.4" id="ch05-SECT-5.2.4"> +<indexterm id="ch05-idx-970618-0"><primary>blocking locks option</primary></indexterm> +<title> +blocking locks</title> + + +<para>Samba also supports <firstterm>blocking locks</firstterm>, a minor variant of range locks. Here, if the range of bytes is not available, the client specifies an amount of time that it's willing to wait. The server then caches the lock request, periodically checking to see if the file is available. If it is, it notifies the client; however, if time expires, Samba will tell the client that the request has failed. This strategy prevents the client from continually polling to see if the lock is available.</para> + + +<para>You can disable this option per share as follows:</para> + + +<programlisting>[accounting] + blocking locks = no</programlisting> + + +<para>When set to <literal>yes</literal>, blocking locks will be enforced on the file. If this option is set to <literal>no</literal>, Samba behaves as if normal locking mechanisms are in place on the file. The default is <literal>yes</literal>.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.5" id="ch05-SECT-5.2.5"> +<indexterm id="ch05-idx-970619-0"><primary>oplocks option</primary></indexterm> +<title> +oplocks</title> + + +<para>This option enables or disables support for oplocks on the client. The option is enabled by default. However, you can disable it with the following command:</para> + + +<programlisting>[data] + oplocks = no</programlisting> + + +<para>If you are in an extremely unstable network environment or have many clients that cannot take advantage of opportunistic locking, it may be better to shut this Samba feature off. Oplocks should be disabled if you are accessing the same files from both Unix applications (such as <emphasis>vi</emphasis> ) and SMB clients (unless you are lucky enough to have an operating system that supports kernel oplocks as discussed earlier).</para> +</sect3> + + + +<sect3 role="" label="5.5.2.6" id="ch05-SECT-5.2.6"> +<indexterm id="ch05-idx-970620-0"><primary>fake oplocks option</primary></indexterm> +<title> +fake oplocks</title> + + +<para>Before opportunistic locking was available on Samba, the Samba daemons pretended to allow oplocks via the <literal>fake</literal> <literal>oplocks</literal> option. If this option was enabled, all clients were told that the file is available for opportunistic locking, and never warned of simultaneous access. This option is deprecated now that real oplocks are available on Samba.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.7" id="ch05-SECT-5.2.7"> +<indexterm id="ch05-idx-970621-0"><primary>kernel oplocks option</primary></indexterm> +<title> +kernel oplocks</title> + + +<para>If a Unix application separate from Samba tries to update a file that Samba has oplocked to a Windows client, it will likely succeed (depending on the operating system) and both Samba and the client will never be aware of it. However, if the local Unix operating system supports it, Samba can warn it of oplocked files, which can suspend the Unix process, notify the client via Samba to write its copy back, and only then allow the open to complete. Essentially, this means that the operating system kernel on the Samba system has the ability to handle oplocks as well as Samba.</para> + + +<para>You can enable this behavior with the <literal>kernel</literal> <literal>oplocks</literal> option, as follows:</para> + + +<programlisting>[global] + kernel oplocks = yes</programlisting> + + +<para>Samba can automatically detect kernel oplocks and use them if present. At the time of this writing, this feature is supported only by SGI Irix 6.5.2f and later. However, Linux and FreeBSD support are expected in the near future. A system without kernel oplocks will allow the Unix process to update the file, but the client programs will notice the change only at a later time, if at all.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.8" id="ch05-SECT-5.2.8"> +<indexterm id="ch05-idx-970622-0"><primary>veto oplock files option</primary></indexterm> +<title> +veto oplock files</title> + + +<para>You can provide a list of filenames that are never granted opportunistic locks with the <literal>veto</literal> <literal>oplock</literal> <literal>files</literal> option. This option can be set either globally or on a per-share basis. For example:</para> + + +<programlisting>veto oplock files = /*.bat/*.htm/</programlisting> + + +<para>The value of this option is a series of patterns. Each pattern entry must begin, end, or be separated from another with a slash ( / ) character, even if there is only one pattern listed. Asterisks can be used as a wildcard to represent zero or more characters. Questions marks can be used to represent exactly one character.</para> + + +<para>We recommend that you disable oplocks on any files that are meant to be updated by Unix or are intended to be shared by several processes simultaneously.</para> +</sect3> + + + +<sect3 role="" label="5.5.2.9" id="ch05-SECT-5.2.9"> +<indexterm id="ch05-idx-970623-0"><primary>lock directory option</primary></indexterm> +<title> +lock directory</title> + + +<para>This option (sometimes called <literal>lock</literal> <literal>dir</literal>) specifies the location of a directory where Samba will store SMB deny-mode lock files. Samba stores other files in this directory as well, such as browse lists and its shared memory file. If WINS is enabled, the WINS database is written to this directory as well. The default for this option is specified in the Samba makefile; it is typically <filename>/usr/local/samba/var/locks</filename>. You can override this location as follows:</para> + + +<programlisting>[global] + lock directory = /usr/local/samba/locks</programlisting> + + +<para>You typically would not need to override this option, unless you want to move the lock files to a more standardized location, such<indexterm id="ch05-idx-969871-0" class="endofrange" startref="ch05-idx-969867-0"/> +<indexterm id="ch05-idx-969871-1" class="endofrange" startref="ch05-idx-969867-1"/> as<indexterm id="ch05-idx-969860-0" class="endofrange" startref="ch05-idx-969857-0"/> +<indexterm id="ch05-idx-969860-1" class="endofrange" startref="ch05-idx-969857-1"/> +<indexterm id="ch05-idx-969860-2"><primary>opportunistic locking</primary><seealso>oplocks</seealso></indexterm> <filename>/var/spool/locks</filename>.<indexterm id="ch05-idx-969562-0" class="endofrange" startref="ch05-idx-969559-1"/></para> +</sect3> +</sect2> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch06.xml b/docs-xml/using_samba/ch06.xml new file mode 100644 index 0000000000..e0973b6cc8 --- /dev/null +++ b/docs-xml/using_samba/ch06.xml @@ -0,0 +1,2927 @@ +<chapter label="6" id="SAMBA-CH-6"> +<title>Users, Security, and Domains </title> + + + + +<para>This chapter discusses how to configure users with the Samba server. This topic may seem straightforward at first, but you'll soon discover that there are several ancillary problems that can crop up. One issue that Samba administrators have difficulty with is user authentication—password and security problems are by far the most common support questions on the Samba mailing lists. Learning why various authentication mechanisms work on certain architectures (and don't on others) can save you a tremendous amount of time testing and debugging Samba users in the future.</para> + + + + + + + + + + + +<sect1 role="" label="6.1" id="ch06-92902"> +<title>Users and Groups</title> + + +<para> +<indexterm id="ch06-idx-967489-0" class="startofrange"><primary>users</primary></indexterm> +<indexterm id="ch06-idx-967489-1" class="startofrange"><primary>groups</primary></indexterm>Before we start, we need to warn you up front that if you are connecting to Samba with a Windows 98 or NT 4.0 Workstation SP3, you need to configure your server for encrypted passwords before you can make a connection; otherwise, the clients will refuse to connect to the Samba server. This is because each of those Windows clients sends encrypted passwords, and Samba needs to be configured to expect and decrypt them. We'll show you how to set up Samba for this task later in the chapter, assuming you haven't already tackled this problem in <link linkend="SAMBA-CH-2">Chapter 2</link>.</para> + + +<para> +<indexterm id="ch06-idx-967590-0"><primary>users</primary><secondary>setting up</secondary></indexterm> +<indexterm id="ch06-idx-967590-1"><primary>client users</primary><see>users</see></indexterm>Let's start with a single user. The easiest way to set up a client user is to create a Unix account (and <indexterm id="ch06-idx-967591-0"><primary>home directory, user's</primary></indexterm>home directory) for that individual on the server, and notify Samba of the user's existence. You can do the latter by creating a disk share that maps to the user's home directory in the Samba configuration file, and restricting access to that user with the <literal>valid</literal> <literal>users</literal> option. For example:</para> + + +<programlisting>[dave] + path = /home/dave + comment = Dave's home directory + writeable = yes +<emphasis role="bold"> valid users = dave</emphasis></programlisting> + + +<para>The <literal>valid</literal> <literal>users</literal> option lists the users that will be allowed to access the share. In this case, only the user <literal>dave</literal> is allowed to access the share. In the previous chapters, we specified that any user could access a disk share using the <literal>guest</literal> <literal>ok</literal> parameter. Because we don't wish to allow guest access, that option is absent here. We could grant both authenticated users and guest users access to a specific share if we wanted to. The difference between the two typically involves access rights for each of the files.</para> + + +<para>Remember that you can abbreviate the user's home directory by using the <literal>%H</literal> variable. In addition, you can use the Unix username variable <literal>%u</literal> and/or the client username variable <literal>%U</literal> in your options as well. For example:</para> + + +<programlisting>[dave] + comment = %U home directory + writeable = yes + valid users = dave + path = %H</programlisting> + + +<para>Both of these examples work as long as the Unix user that Samba uses to represent the client has read/write access to the directory referenced by the <literal>path</literal> option. In other words, a client must first pass Samba's security mechanisms (e.g., encrypted passwords, the <literal>valid users</literal> option, etc.) as well as the normal Unix file and directory permissions of its Unix-side user <emphasis>before</emphasis> it can gain read/write access to a share.</para> + + +<para>With a single user accessing a home directory, access permissions are taken care of when the operating system creates the user account. However, if you're creating a shared directory for group access, there are a few more steps you need to perform. Let's take a stab at a group share for the accounting department in the <emphasis>smb.conf</emphasis> file:</para> + + +<programlisting>[accounting] + comment = Accounting Department Directory + writeable = yes + valid users = @account + path = /home/samba/accounting + create mode = 0660 + directory mode = 0770</programlisting> + + +<para>The first thing that you might notice we did differently is to specify <literal>@account</literal> as the valid user instead of one or more individual usernames. This is shorthand for saying that the valid users are represented by the Unix group <literal>account</literal>. These users will need to be added to the group entry <literal>account</literal> in the system group file ( <filename>/etc/group</filename> or equivalent) to be recognized as part of the group. Once they are, Samba will recognize those users as valid users for the share.</para> + + +<para>In addition, you will need to create a <indexterm id="ch06-idx-967592-0"><primary>shares</primary><secondary>access to</secondary><tertiary>creating for groups</tertiary></indexterm>shared directory that the members of the group can access, which is pointed to by the <literal>path</literal> configuration option. Here are the Unix commands that create the shared directory for the accounting department (assuming <emphasis>/home/samba</emphasis> already exists):</para> + + +<programlisting># <emphasis role="bold">mkdir /home/samba/accounting</emphasis># <emphasis role="bold">chgrp account /home/samba/accounting</emphasis># <emphasis role="bold">chmod 770 /home/samba/accounting</emphasis></programlisting> + + +<para>There are two other options in this <filename>smb.conf</filename> example, both of which we saw in the previous chapter. These options are <literal>create</literal> <literal>mode</literal> and <literal>directory</literal> <literal>mode</literal>. These options set the maximum file and directory permissions that a new file or directory can have. In this case, we have denied all world access to the contents of this share. (This is reinforced by the <emphasis>chmod</emphasis> command, shown earlier.).</para> + + +<sect2 role="" label="6.1.1" id="ch06-SECT-1.1"> +<title>The [ homes] Share</title> + + +<para>Let's return to user shares for a moment. If we have several users to set up home directory shares for, we probably want to use the special <literal>[homes]</literal> share that we introduced in <link linkend="SAMBA-CH-5">Chapter 5</link>. With the <literal>[homes]</literal> +<indexterm id="ch06-idx-967594-0"><primary sortas="homes share">[homes] share</primary></indexterm> +<indexterm id="ch06-idx-967594-1"><primary>users</primary><secondary>shares for, setting up</secondary></indexterm> share, all we need to say is:</para> + + +<programlisting>[homes] + browsable = no + writable = yes</programlisting> + + +<para>The <literal>[homes]</literal> share is a special section of the Samba configuration file. If a user attempts to connect to an ordinary share that doesn't appear in the <filename>smb.conf</filename> file (such as specifying it with a UNC in Windows Explorer), Samba will search for a <literal>[homes]</literal> share. If one exists, the incoming share name is assumed to be a username and is queried as such in the password database ( <filename>/etc/passwd</filename> or equivalent) file of the Samba server. If it appears, Samba assumes the client is a Unix user trying to connect to his or her home directory.</para> + + +<para>As an illustration, let's assume that <literal>sofia</literal> is attempting to connect to a share called [<literal>sofia]</literal> on the Samba server. There is no share by that name in the configuration file, but a <literal>[homes]</literal> share exists and user <literal>sofia</literal> is present in the password database, so Samba takes the following steps:</para> + + +<orderedlist> +<listitem><para>Samba creates a new disk share called <literal>[sofia]</literal> with the <literal>path</literal> specified in the <literal>[homes]</literal> section. If there is no <literal>path</literal> option specified in <literal>[homes]</literal>, Samba initializes it to her home directory.</para></listitem> +<listitem><para>Samba initializes the new share's options from the defaults in <literal>[globals]</literal>, and any overriding options in <literal>[homes]</literal> with the exception of <literal>browseable</literal>.</para></listitem> +<listitem><para>Samba connects <literal>sofia</literal>'s client to that share.</para></listitem> +</orderedlist> + +<para>The <literal>[homes]</literal> share is a fast, painless way to create shares for your user community without having to duplicate the information from the password database file in the <filename>smb.conf</filename> file. It does have some peculiarities, however, that we need to point out:</para> + + +<itemizedlist> +<listitem><para>The <literal>[homes]</literal> section can represent any account on the machine, which isn't always desirable. For example, it can potentially create a share for <emphasis>root</emphasis>, <emphasis>bin</emphasis>, <emphasis>sys</emphasis>, <emphasis>uucp</emphasis>, and the like. (You can set a global <literal>invalid</literal> <literal>users</literal> option to protect against this.)</para></listitem> +<listitem><para>The meaning of the <literal>browseable</literal> configuration option is different from other shares; it indicates only that a <literal>[homes]</literal> section won't show up in the local browse list, not that the <literal>[alice]</literal> share won't. When the <literal>[alice]</literal> section is created (after the initial connection), it will use the browsable value from the <literal>[globals]</literal> section for that share, not the value from <literal>[homes]</literal>.</para></listitem> +</itemizedlist> + +<para>As we mentioned, there is no need for a path statement in <literal>[homes]</literal> if the users have Unix home directories in the server's <filename>/etc/passwd</filename> file. You should ensure that a valid home directory does exist, however, as Samba will not automatically create a home directory for a user, and will refuse a tree connect if the user's directory does not exist or is not accessible.<indexterm id="ch06-idx-967568-0" class="endofrange" startref="ch06-idx-967489-0"/> +<indexterm id="ch06-idx-967568-1" class="endofrange" startref="ch06-idx-967489-1"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="6.2" id="ch06-27678"> +<title>Controlling Access to Shares</title> + + +<para> +<indexterm id="ch06-idx-967497-0" class="startofrange"><primary>shares</primary><secondary>access to</secondary><tertiary>controlling</tertiary></indexterm> +<indexterm id="ch06-idx-967497-1" class="startofrange"><primary>security</primary><secondary>restricting access to shares</secondary></indexterm>Often you will need to restrict the users who can access a specific share for security reasons. This is very easy to do with Samba since it contains a wealth of options for creating practically any security configuration. Let's introduce a few configurations that you might want to use in your own Samba setup.</para> + + +<warning role="ora"> +<para>Again, if you are connecting with Windows 98 or NT 4.0 with Service Pack 3 (or above), those clients will send encrypted passwords to the Samba server. If Samba is not configured for this, it will continually refuse the connection. This chapter describes how to set up Samba for encrypted passwords. See <link linkend="ch06-61393">Section 6.4</link>.</para> + +</warning> + +<para>We've seen what happens when you specify valid users. However, you are also allowed to specify a list of invalid <indexterm id="ch06-idx-967599-0"><primary>users</primary><secondary>invalid, specifying</secondary></indexterm>users—users who should never be allowed access to Samba or its shares. This is done with the <literal>invalid</literal> <literal>users</literal> option. We hinted at one frequent use of this option earlier: a global default with the <literal>[homes]</literal> section to ensure that various system users and superusers cannot be forged for access. For example:</para> + + +<programlisting>[global] + invalid users = root bin daemon adm sync shutdown \ + halt mail news uucp operator gopher + auto services = dave peter bob + +[homes] + browsable = no + writeable = yes</programlisting> + + +<para>The <literal>invalid</literal> <literal>users</literal> option, like <literal>valid</literal> <literal>users</literal>, can take group names as well as usernames. In the event that a user or group appears in both lists, the <literal>invalid</literal> <literal>users</literal> option takes precedence and the user or group will be denied access to the share.</para> + + +<para>At the other end of the spectrum, you can explicitly specify users who will be allowed <indexterm id="ch06-idx-967600-0"><primary>root user</primary><secondary>access</secondary></indexterm> +<indexterm id="ch06-idx-967600-1"><primary>users</primary><secondary>allowing superuser (root) access to</secondary></indexterm> +<indexterm id="ch06-idx-967600-2"><primary>superuser</primary><see>root user</see></indexterm>superuser (root) access to a share with the <literal>admin</literal> <literal>users</literal> option. An example follows:</para> + + +<programlisting>[sales] + path = /home/sales + comment = Fiction Corp Sales Data + writeable = yes + valid users = tom dick harry + admin users = mike</programlisting> + + +<para>This option takes both group names and usernames. In addition, you can specify NIS netgroups by preceding them with an <literal>@</literal> as well; if the netgroup is not found, Samba will assume that you are referring to a standard Unix group.</para> + + +<para>Be careful if you assign an entire <indexterm id="ch06-idx-967601-0"><primary>groups</primary><secondary>administrative privileges for</secondary></indexterm>group administrative privileges to a share. The Samba team highly recommends you avoid using this option, as it essentially gives root access to the specified users or groups for that share.</para> + + +<para>If you wish to force <indexterm id="ch06-idx-967602-0"><primary>read-only/read-write access</primary></indexterm> +<indexterm id="ch06-idx-967602-1"><primary>users</primary><secondary>read-only/read-write access</secondary></indexterm>read-only or read-write access to users who access a share, you can do so with the <literal>read</literal> <literal>list</literal> and <literal>write</literal> <literal>list</literal> options, respectively. These options can be used on a per-share basis to restrict a writable share or grant write access to specific users in a read-only share, respectively. For example:</para> + + +<programlisting>[sales] + path = /home/sales + comment = Fiction Corp Sales Data + read only = yes + write list = tom dick</programlisting> + + +<para>The <literal>write</literal> <literal>list</literal> option cannot override <indexterm id="ch06-idx-968868-0"><primary>Unix</primary><secondary>permissions, share write access and</secondary></indexterm>Unix permissions. If you've created the share without giving the write-list user write permission on the Unix system, he or she will be denied write access regardless of the setting of <literal>write</literal> <literal>list</literal>.</para> + + +<sect2 role="" label="6.2.1" id="ch06-SECT-2.1"> +<title>Guest Access</title> + + +<para> +<indexterm id="ch06-idx-967606-0" class="startofrange"><primary>guest access</primary></indexterm>As mentioned earlier, you can specify users who have guest access to a share. The options that control guest access are easy to work with. The first option, <literal>guest</literal> <literal>account</literal>, specifies the Unix account that guest users should be assigned when connecting to the Samba server. The default value for this is set during compilation, and is typically <literal>nobody</literal>. However, you may want to reset the guest user to <literal>ftp</literal> if you have trouble accessing various system services.</para> + + +<para>If you wish to restrict access in a share only to guests—in other words, all clients connect as the guest account when accessing the share—you can use the <literal>guest</literal> <literal>only</literal> option in conjunction with the <literal>guest ok</literal> option, as shown in the following example:</para> + + +<programlisting>[sales] + path = /home/sales + comment = Fiction Corp Sales Data + writeable = yes + guest ok = yes + guest account = ftp + guest only = yes</programlisting> + + +<para>Make sure you specify <literal>yes</literal> for both <literal>guest only</literal> and <literal>guest ok</literal> in this scenario; otherwise, Samba will not use the guest acount that you specify.</para> +</sect2> + + + + + +<sect2 role="" label="6.2.2" id="ch06-SECT-2.2"> +<title>Access Control Options</title> + + +<para> +<indexterm id="ch06-idx-967608-0" class="startofrange"><primary>access-control options (shares)</primary></indexterm><link linkend="ch06-28077">Table 6.1</link> summarizes the options that you can use to control access to shares.</para> + + +<table label="6.1" id="ch06-28077"> +<title>Share-level Access Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>admin users</literal></para></entry> + +<entry colname="col2"><para>string (list of usernames)</para></entry> + +<entry colname="col3"><para>Specifies a list of users who can perform operations as root.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>valid users</literal></para></entry> + +<entry colname="col2"><para>string (list of usernames)</para></entry> + +<entry colname="col3"><para>Specifies a list of users that can connect to a share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>invalid users</literal></para></entry> + +<entry colname="col2"><para>string (list of usernames)</para></entry> + +<entry colname="col3"><para>Specifies a list of users that will be denied access to a share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>read list</literal></para></entry> + +<entry colname="col2"><para>string (list of usernames)</para></entry> + +<entry colname="col3"><para>Specifies a list of users that have read-only access to a writable share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>write list</literal></para></entry> + +<entry colname="col2"><para>string (list of usernames)</para></entry> + +<entry colname="col3"><para>Specifies a list of users that have read-write access to a read-only share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max connections</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Indicates the maximum number of connections for a share at a given time.</para></entry> + +<entry colname="col4"><para><literal>0</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>guest only (only guest)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Specifies that this share allows only guest access.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>guest account</literal></para></entry> + +<entry colname="col2"><para>string (name of account)</para></entry> + +<entry colname="col3"><para>Names the Unix account that will be used for guest access.</para></entry> + +<entry colname="col4"><para><literal>nobody</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.2.2.1" id="ch06-SECT-2.2.1"> +<indexterm id="ch06-idx-969448-0"><primary>admin users option</primary></indexterm> +<title> +admin users</title> + + +<para>This option specifies a list of users that perform file operations as if they were <literal>root</literal>. This means that they can modify or destroy any other user's work, no matter what the permissions. Any files that they create will have root ownership and will use the default group of the admin user. The <literal>admin</literal> <literal>users</literal> option is used to allow PC users to act as administrators for particular shares. We urge you to avoid this option.</para> +</sect3> + + + +<sect3 role="" label="6.2.2.2" id="ch06-SECT-2.2.2"> +<indexterm id="ch06-idx-969449-0"><primary>alid users option</primary></indexterm> +<indexterm id="ch06-idx-969449-1"><primary>invalid users option</primary></indexterm> +<title>v +alid users and invalid users</title> + + +<para>These two options let you enumerate the users and groups who are granted or denied access to a particular share. You can enter a list of comma-delimited users, or indicate an NIS or Unix group name by prefixing the name with an at-sign (<literal>@</literal>).</para> + + +<para>The important rule to remember with these options is that any name or group in the <literal>invalid</literal> <literal>users</literal> list will <emphasis>always</emphasis> be denied access, even if it is included (in any form) in the <literal>valid</literal> <literal>users</literal> list. By default, neither option has a value associated with it. If both options have no value, any user is allowed to access the share.</para> +</sect3> + + + +<sect3 role="" label="6.2.2.3" id="ch06-SECT-2.2.3"> +<indexterm id="ch06-idx-969450-0"><primary>read list option</primary></indexterm> +<indexterm id="ch06-idx-969450-1"><primary>write list option</primary></indexterm> +<title> + +read list and write list</title> + + +<para>Like the <literal>valid</literal> <literal>users</literal> <literal>and</literal> <literal>invalid</literal> <literal>users</literal> options, this pair of options specifies which users have read-only access to a writeable share and read-write access to a read-only share, respectively. The value of either options is a list of users. <literal>read</literal> <literal>list</literal> overrides any other Samba permissions granted—as well as Unix file permissions on the server system—to deny users write access. <literal>write</literal> <literal>list</literal> overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permissions for the file on the Unix system. You can specify NIS or Unix group names by prefixing the name with an at sign (such as <literal>@users</literal>). Neither configuration option has a default value associated with it.</para> +</sect3> + + + +<sect3 role="" label="6.2.2.4" id="ch06-SECT-2.2.4"> +<indexterm id="ch06-idx-969451-0"><primary>max connections option</primary></indexterm> +<title> +max connections</title> + + +<para>This option specifies the maximum number of client connections that a share can have at any given time. Any connections that are attempted after the maximum is reached will be rejected. The default value is <literal>0</literal>, which means that an unlimited number of connections are allowed. You can override it per share as follows:</para> + + +<programlisting>[accounting] + max connections = 30</programlisting> + + +<para>This option is useful in the event that you need to limit the number of users who are accessing a licensed program or piece of data concurrently.</para> +</sect3> + + + +<sect3 role="" label="6.2.2.5" id="ch06-SECT-2.2.5"> +<indexterm id="ch06-idx-969452-0"><primary>guest only option</primary></indexterm> +<title> +guest only</title> + + +<para>This share-level option (sometimes called <literal>only</literal> <literal>guest</literal>) forces a connection to a share to be performed with the user specified by the <literal>guest</literal> <literal>account</literal> option. The share to which this is applied must explicitly specify <literal>guest</literal> <literal>ok</literal> <literal>=</literal> <literal>yes</literal> in order for this option to be recognized by Samba. The default value for this option is <literal>no</literal>.</para> +</sect3> + + + +<sect3 role="" label="6.2.2.6" id="ch06-SECT-2.2.6"> +<indexterm id="ch06-idx-969453-0"><primary>guest account option</primary></indexterm> +<title> +guest account</title> + + +<para>This option specifies the name of account to be used for guest access to shares in Samba. The default for this option varies from system to system, but it is often set to <literal>nobody</literal>. Some default user accounts have trouble connecting as guest users. If that occurs on your system, the Samba team recommends using the ftp account as the guest<indexterm id="ch06-idx-967617-0" class="endofrange" startref="ch06-idx-967608-0"/> user.<indexterm id="ch06-idx-967607-0" class="endofrange" startref="ch06-idx-967606-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.2.3" id="ch06-SECT-2.3"> +<title>Username Options</title> + + +<para> +<indexterm id="ch06-idx-967622-0" class="startofrange"><primary>usernames</primary><secondary>options for</secondary></indexterm><link linkend="ch06-82964">Table 6.2</link> shows two additional options that Samba can use to correct for incompatibilities in usernames between Windows and Unix.</para> + + +<table label="6.2" id="ch06-82964"> +<title>Username Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>username map</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Sets the name of the username mapping file.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>username level</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Indicates the number of capital letters to use when trying to match a username.</para></entry> + +<entry colname="col4"><para><literal>0</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.2.3.1" id="ch06-SECT-2.3.1"> +<indexterm id="ch06-idx-969456-0"><primary>username map option</primary></indexterm> +<title> +username map</title> + + +<para> +<indexterm id="ch06-idx-967632-0"><primary>usernames</primary><secondary>SMB vs. Unix networks</secondary></indexterm> +<indexterm id="ch06-idx-967632-1"><primary>SMB (Server Message Block)</primary><secondary>networks</secondary><tertiary>usernames and</tertiary></indexterm> +<indexterm id="ch06-idx-967632-2"><primary>Unix</primary><secondary>networks, usernames and</secondary></indexterm>Client usernames on an SMB network can be relatively large (up to 255 characters), while usernames on a Unix network often cannot be larger than eight characters. This means that an individual user may have one username on a client and another (shorter) one on the Samba server. You can get past this issue by<firstterm> mapping</firstterm> a free-form client username to a Unix username of eight or fewer characters. It is placed in a standard text file, using a format that we'll describe shortly. You can then specify the pathname to Samba with the global <literal>username</literal> <literal>map</literal> option. Be sure to restrict access to this file; make the root user the file's owner and deny write access to others. Otherwise, an untrusted user who can access the file can easily map their client username to the root user of the Samba server.</para> + + +<para>You can specify this option as follows:</para> + + +<programlisting>[global] + username map = /etc/samba/usermap.txt</programlisting> + + +<para>Each of the entries in the username map file should be listed as follows: the Unix username, followed by an equal sign (<literal>=</literal>), followed by one or more whitespace-separated SMB client usernames. Note that unless instructed otherwise, (i.e., a guest connection), Samba will expect both the client and the server user to have the same password. You can also map NT groups to one or more specific Unix groups using the <literal>@</literal> sign. Here are some examples:</para> + + +<programlisting>jarwin = JosephArwin +manderso = MarkAnderson +users = @account</programlisting> + + +<para>Also, you can use the asterisk to specify a wildcard that matches any free-form client username as an entry in the username map file:</para> + + +<programlisting>nobody = *</programlisting> + + +<para>Comments in the file can be specified as lines beginning with (#) and (<literal>;</literal>).</para> + + +<para>Note that you can also use this file to redirect one Unix user to another user. Be careful if you do so because Samba and your client may not notify the user that the mapping has been made and Samba may be expecting a different password.</para> +</sect3> + + + +<sect3 role="" label="6.2.3.2" id="ch06-SECT-2.3.2"> +<indexterm id="ch06-idx-969459-0"><primary>username level option</primary></indexterm> +<title> +username level</title> + + +<para> +<indexterm id="ch06-idx-967633-0"><primary>usernames</primary><secondary>case sensitivity and</secondary></indexterm> +<indexterm id="ch06-idx-967633-1"><primary>case sensitivity</primary><secondary>usernames and</secondary></indexterm>SMB clients (such as Windows) will often send usernames in SMB connection requests entirely in capital letters; in other words, client usernames are not necessarily case sensitive. On a Unix server, however, usernames <emphasis>are</emphasis> case sensitive: the user <literal>ANDY</literal> is different from the user <literal>andy</literal>. By default, Samba attacks this problem by doing the following:</para> + + +<orderedlist> +<listitem><para>Checking for a user account with the exact name sent by the client</para></listitem> +<listitem><para>Testing the username in all lowercase letters</para></listitem> +<listitem><para>Testing the username in lowercase letters with only the first letter capitalized</para></listitem> +</orderedlist> + +<para>If you wish to have Samba attempt more combinations of uppercase and lowercase letters, you can use the <literal>username</literal> <literal>level</literal> global configuration option. This option takes an integer value that specifies how many letters in the username should be capitalized when attempting to connect to a share. You can specify this options as follows:</para> + + +<programlisting>[global] + username level = 3</programlisting> + + +<para>In this case, Samba will then attempt all permutations of usernames it can compute having three capital letters. The larger the number, the more computations Samba will have to perform to match the username and the longer the authentication wil<indexterm id="ch06-idx-967629-0" class="endofrange" startref="ch06-idx-967622-0"/>l take.<indexterm id="ch06-idx-967624-0" class="endofrange" startref="ch06-idx-967497-0"/> +<indexterm id="ch06-idx-967624-1" class="endofrange" startref="ch06-idx-967497-1"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="6.3" id="ch06-88596"> +<title>Authentication Security</title> + + +<para> +<indexterm id="ch06-idx-967505-0" class="startofrange"><primary>authentication</primary></indexterm> +<indexterm id="ch06-idx-967505-1" class="startofrange"><primary>security</primary></indexterm>At this point, we should discuss how Samba authenticates users. Each user who attempts to connect to a share that does not allow guest access must provide a password to make a successful connection. What Samba does with that password—and consequently the strategy Samba will use to handle user authentication—is the arena of the <literal>security</literal> configuration option. There are currently four <indexterm id="ch06-idx-967637-0"><primary>security</primary><secondary>levels of</secondary></indexterm>security levels that Samba supports on its network: <firstterm>share</firstterm>, <firstterm>user</firstterm>, <firstterm>server</firstterm>, and <firstterm>domain</firstterm>.</para> + + +<variablelist> +<varlistentry><term> +<indexterm id="ch06-idx-967638-0"><primary>share-level security</primary></indexterm>Share-level security</term> +<listitem><para>Each share in the workgroup has one or more passwords associated with it. Anyone who knows a valid password for the share can access it.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="ch06-idx-967639-0"><primary>user-level security</primary></indexterm>User-level security</term> +<listitem><para>Each share in the workgroup is configured to allow access from certain users. With each initial tree connection, the Samba server verifies users and their passwords to allow them access to the share.</para></listitem> +</varlistentry> + + +<varlistentry><term>Server-level security</term> +<listitem><para>This is the same as user-level security, except that the Samba server uses a separate SMB server to validate users and their passwords before granting access to the share.</para></listitem> +</varlistentry> + + +<varlistentry><term> +<indexterm id="ch06-idx-967641-0"><primary>domain-level security</primary></indexterm>Domain-level security</term> +<listitem><para>Samba becomes a member of a Windows domain and uses the domain's <indexterm id="ch06-idx-967642-0"><primary>PDC (primary domain controller)</primary><secondary>domain-level security and</secondary></indexterm>primary domain controller (PDC) to perform authentication. Once authenticated, the user is given a special token that allows him or her access to any share with appropriate access rights. With this token, the PDC will not have to revalidate the user's password each time he or she attempts to access another share within the domain.</para></listitem> +</varlistentry> +</variablelist> + + +<para>Each of these security policies can be implemented with the global <literal>security</literal> option, as shown in <link linkend="ch06-73905">Table 6.3</link>.</para> + + +<table label="6.3" id="ch06-73905"> +<title>Security Option </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>security</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch06-idx-968919-0"><primary>security</primary><secondary>options for</secondary></indexterm><literal>domain</literal>, <literal>server</literal>, <literal>share</literal>, or <literal>user</literal></para></entry> + +<entry colname="col3"><para>Indicates the type of security that the Samba server will use.</para></entry> + +<entry colname="col4"><para><literal>user</literal> (Samba 2.0) or <literal>share</literal> (Samba 1.9)</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="6.3.1" id="ch06-SECT-3.1"> +<title>Share-level Security</title> + + +<para> +<indexterm id="ch06-idx-967644-0" class="startofrange"><primary>share-level security</primary></indexterm> +<indexterm id="ch06-idx-967644-1" class="startofrange"><primary>security</primary><secondary>share-level</secondary></indexterm>With share-level security, each share has one or more passwords associated with it. This differs from the other modes of security in that there are no restrictions as to whom can access a share, as long as that individual knows the correct password. Shares often have multiple passwords. For example, one password may grant read-only access, while another may grant read-write access, and so on. Security is maintained as long as unauthorized users do not discover the password for a share to which they shouldn't have access.</para> + + +<para> +<indexterm id="ch06-idx-967666-0"><primary>OS/2, support for share-level security</primary></indexterm> +<indexterm id="ch06-idx-967666-1"><primary>Windows 95/98</primary><secondary>share-level security, support for</secondary></indexterm>OS/2 and Window 95/98 both support share-level security on their resources. You can set up share-level security with Windows 95/98 by first enabling share-level security using the Access Control tab of the Network Control Panel dialog. Then select the Share-level Access Control radio button (which deselects the user-level access control radio button), as shown in <link linkend="ch06-33100">Figure 6.1</link>, and press the OK button.</para> + + +<figure label="6.1" id="ch06-33100"> +<title>Selecting share-level security on a Windows machine</title> + +<graphic width="502" depth="284" fileref="figs/sam.0601.gif"></graphic> +</figure> + +<para>Next, right click on a resource—such as a hard drive or a CD-ROM—and select the Properties menu item. This will bring up the Resource Properties dialog box. Select the Sharing tab at the top of the dialog box and enable the resource as Shared As. From here, you can configure how the shared resource will appear to individual users, as well as assigning whether the resource will appear as read-only, read-write, or a mix, depending on the password that is supplied.</para> + + +<para>You might be thinking that this security model is not a good fit for Samba—and you would be right. In fact, if you set the <literal>security</literal> <literal>=</literal> <literal>share</literal> option in the Samba configuration file, Samba will still reuse the username/passwords combinations in the system password files to authenticate access. More precisely, Samba will take the following steps when a client requests a connection using <indexterm id="ch06-idx-967667-0"><primary>share-level security</primary><secondary>steps in taken by Samba</secondary></indexterm>share-level security:</para> + + +<orderedlist> +<listitem><para>When a connection is requested, Samba will accept the password and (if sent) the username of the client.</para></listitem> +<listitem><para>If the share is <literal>guest</literal> <literal>only </literal>, the user is immediately granted access to the share with the rights of the user specified by the <literal>guest</literal> <literal>account</literal> parameter; no password checking is performed.</para></listitem> +<listitem><para>For other shares, Samba appends the username to a list of users who are allowed access to the share. It then attempts to validate the password given in association with that username. If successful, Samba grants the user access to the share with the rights assigned to that user. The user will not need to authenticate again unless a <literal>revalidate</literal> <literal>=</literal> <literal>yes</literal> option has been set inside the share.</para></listitem> +<listitem><para>If the authentication is unsuccessful, Samba will attempt to validate the password against the list of users it has previously compiled throughout the attempted connections, as well as any specified under the share in the configuration file. If the password does not match any usernames (as specified in the system password file, typically <filename>/etc/passwd </filename>), the user is not granted access to the share under that username.</para></listitem> +<listitem><para>However, if the share has a <literal>guest</literal> <literal>ok</literal> or <literal>public</literal> option set, the user will default to access with the rights of the user specified by the <literal>guest</literal> <literal>account</literal> option.</para></listitem> +</orderedlist> + +<para>You can indicate in the configuration file which users should be initially placed on the share-level security user list by using the <literal>username</literal> configuration option, as shown below:</para> + + +<programlisting>[global] + security = share +[accounting1] + path = /home/samba/accounting1 + guest ok = no + writable = yes + username = davecb, pkelly, andyo</programlisting> + + +<para>Here, when a user attempts to connect to a share, Samba will verify the password that was sent against each of the users in its own list, in addition to the passwords of users <literal>davecb</literal>, <literal>pkelly</literal>, and <literal>andyo</literal>. If any of the passwords match, the connection will be verified and the user will be allowed. Otherwise, connection to the specific share will fail.</para> + + +<sect3 role="" label="6.3.1.1" id="ch06-SECT-3.1.1"> +<indexterm id="ch06-idx-967668-0"><primary>share-level security</primary><secondary>options for</secondary></indexterm> +<indexterm id="ch06-idx-967668-1"><primary>security</primary><secondary>share-level</secondary><tertiary>options for</tertiary></indexterm> +<title> + +Share Level Security Options</title> + + +<para><link linkend="ch06-80998">Table 6.4</link> shows the options typically associated with share-level security.</para> + + +<table label="6.4" id="ch06-80998"> +<title>Share-Level Access Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>only user</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Indicates whether usernames specified by <literal>username</literal> will be the only ones allowed.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>username </literal>(user or users)</para></entry> + +<entry colname="col2"><para>string (list of usernames)</para></entry> + +<entry colname="col3"><para>Specifies a list of users against which a client's password will be tested.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect3> + + + +<sect3 role="" label="6.3.1.2" id="ch06-SECT-3.1.2"> +<title>only user</title> + + +<para>This boolean option indicates whether Samba will allow connections to a share using share-level security based solely on the individuals specified in the <literal>username</literal> option, instead of those users compiled on Samba's internal list. The default value for this option is <literal>no</literal>. You can override it per share as follows:</para> + + +<programlisting>[global] + security = share +[data] + username = andy, peter, valerie + only user = yes</programlisting> +</sect3> + + + +<sect3 role="" label="6.3.1.3" id="ch06-SECT-3.1.3"> +<indexterm id="ch06-idx-969462-0"><primary>username option</primary></indexterm> +<title> +username</title> + + +<para>This option presents a list of users against which Samba will test a connection password to allow access. It is typically used with clients that have share-level security to allow connections to a particular service based solely on a qualifying password—in this case, one that matches a password set up for a specific user:</para> + + +<programlisting>[global] + security = share +[data] + username = andy, peter, terry</programlisting> + + +<para>We recommend against using this option unless you are implementing a Samba server with share-level security.<indexterm id="ch06-idx-967645-0" class="endofrange" startref="ch06-idx-967644-0"/> +<indexterm id="ch06-idx-967645-1" class="endofrange" startref="ch06-idx-967644-1"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.3.2" id="ch06-SECT-3.2"> +<title>User-level Security</title> + + +<para> +<indexterm id="ch06-idx-967646-0"><primary>user-level security</primary></indexterm> +<indexterm id="ch06-idx-967646-1"><primary>security</primary><secondary>user-level</secondary></indexterm>The preferred mode of security with Samba is <firstterm>user-level security</firstterm>. With this method, each share is assigned specific users that can access it. When a user requests a connection to a share, Samba authenticates by validating the given username and password with the authorized users in the configuration file and the passwords in the password database of the Samba server. As mentioned earlier in the chapter, one way to isolate which users are allowed access to a specific <indexterm id="ch06-idx-967676-0"><primary>shares</primary><secondary>option for identifying users allowed access to</secondary></indexterm>share is by using the <literal>valid</literal> <literal>users</literal> option for each share:</para> + + +<programlisting>[global] + security = user +[accounting1] + writable = yes + valid users = bob, joe, sandy</programlisting> + + +<para>Each of the users listed will be allowed to connect to the share if the password provided matches the password stored in the system password database on the server. Once the initial authentication succeeds, the user will not need to re-enter a password again to access that share unless the <literal>revalidate</literal> <literal>=</literal> <literal>yes</literal> option has been set.</para> + + +<para> +<indexterm id="ch06-idx-967677-0"><primary>passwords</primary><secondary>user-level security and</secondary></indexterm>Passwords can be sent to the Samba server in either an encrypted or a non-encrypted format. If you have both types of systems on your network, you should ensure that the passwords represented by each user are stored both in a traditional account database and Samba's encrypted password database. This way, authorized users can gain access to their shares from any type of client.<footnote label="1" id="ch06-pgfId-968956"> + + +<para>Having both encrypted and non-encrypted password clients on your network is another reason why Samba allows you to include (or not include) various options in the Samba configuration file based on the client operating system or machine name variables.</para> + + +</footnote> However, we recommend that you move your system to encrypted passwords and abandon non-encrypted passwords if security is an issue. <link linkend="ch06-61393">Section 6.4</link> in this chapter explains how to use encrypted as well as non-encrypted passwords.</para> +</sect2> + + + + + +<sect2 role="" label="6.3.3" id="ch06-SECT-3.3"> +<title>Server-level Security</title> + + +<para> +<indexterm id="ch06-idx-967648-0"><primary>server-level security</primary></indexterm> +<indexterm id="ch06-idx-967648-1"><primary>security</primary><secondary>server-level</secondary></indexterm>Server-level security is similar to user-level security. However, with server-level security, Samba delegates password authentication to another <indexterm id="ch06-idx-967679-0"><primary>SMB (Server Message Block)</primary><secondary>password server</secondary></indexterm>SMB password server, typically another Samba server or a Windows NT Server acting as a <indexterm id="ch06-idx-967680-0"><primary>PDC (primary domain controller)</primary><secondary>sever-level security and</secondary></indexterm>PDC on the network. Note that Samba still maintains its list of shares and their configuration in its <filename>smb.conf</filename> file. When a client attempts to make a connection to a particular share, Samba validates that the user is indeed authorized to connect to the share. Samba will then attempt to validate the password by contacting the SMB password server through a known protocol and presenting the username and password to the SMB password server. If the password is accepted, a session will be established with the client. See <link linkend="ch06-89929">Figure 6.2</link> for an illustration of this setup.</para> + + +<figure label="6.2" id="ch06-89929"> +<title>A typical system setup using server level security</title> + +<graphic width="502" depth="177" fileref="figs/sam.0602.gif"></graphic> +</figure> + +<para>You can configure Samba to use a separate password server under server-level security with the use of the <literal>password</literal> <literal>server</literal> global configuration option, as follows:</para> + + +<programlisting>[global] + security = server + password server = PHOENIX120 HYDRA134</programlisting> + + +<para>Note that you can specify more than one machine as the target of the <literal>password</literal> <literal>server </literal>; Samba will move down the list of servers in the event that its first choice is unreachable. The servers identified by the <literal>password</literal> <literal>server</literal> option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection will automatically fail—Samba will not attempt another server.</para> + + +<para>One caveat: when using this option, you will still need an account representing that user on the regular Samba server. This is because the Unix operating system needs a username to perform various I/O operations. The preferable method of handling this is to give the user an account on the Samba server but disable the account's password by replacing it in the system password file (e.g., <filename>/etc/passwd </filename>) with an <indexterm id="ch06-idx-967681-0"><primary>asterisk (*), in system password file</primary></indexterm> +<indexterm id="ch06-idx-967681-1"><primary>* (asterisk)</primary></indexterm>asterisk (*).</para> +</sect2> + + + + + +<sect2 role="" label="6.3.4" id="ch06-SECT-3.4"> +<title>Domain-level Security</title> + + +<para> +<indexterm id="ch06-idx-967649-0" class="startofrange"><primary>domain-level security</primary></indexterm> +<indexterm id="ch06-idx-967649-1" class="startofrange"><primary>security</primary><secondary>domain-level</secondary></indexterm>Domain-level security is similar to server-level security. However, with domainlevel security, the Samba server is acting as a member of a Windows domain. Recall from <link linkend="ch01-48078">Chapter 1</link> that each domain has a <firstterm>domain controller</firstterm> +<indexterm id="ch06-idx-967685-0"><primary>domain controllers</primary></indexterm>, which is usually a Windows NT server offering password authentication. Including these controllers provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own <indexterm id="ch06-idx-967688-0"><primary>SAM (security account manager)</primary></indexterm> +<indexterm id="ch06-idx-967688-1"><primary>security account manager (SAM)</primary></indexterm>security authentication module (SAM), and authenticates each user when he or she first logs on and wishes to access another machine's shares.</para> + + +<para>As mentioned earlier in this chapter, Samba has a similar ability to offer user-level security, but this option is Unix-centric and assumes that the authentication occurs via <indexterm id="ch06-idx-967689-0"><primary>Unix</primary><secondary>password files</secondary></indexterm>Unix password files. If the Unix machine is part of a <indexterm id="ch06-idx-967690-0"><primary>NIS/NIS+ protocol</primary></indexterm>NIS or NIS+ domain, Samba will authenticate the users transparently against a shared password file, in typical Unix fashion. Samba then provides access to the NIS or NIS+ domain from Windows. There is, of course, no relationship between the NIS concept of a domain and the Windows concept of a domain.</para> + + +<para> +<indexterm id="ch06-idx-967696-0"><primary>domains</primary><secondary>Windows</secondary><tertiary>authentication</tertiary></indexterm> +<indexterm id="ch06-idx-967696-1"><primary>authentication</primary><secondary>NT domain</secondary></indexterm>With domain-level security, we now have the option of using the native NT mechanism. This has a number of advantages:</para> + + +<itemizedlist> +<listitem><para>It provides far better integration with NT: there are fewer "kludges" in the <filename>smb.conf</filename> options dealing with domains than with most Windows features. This allows more extensive use of NT management tools, such as the User Manager for Domains tool allowing PC support individuals to treat Samba servers as if they were large NT machines.</para></listitem> +<listitem><para>With the better integration comes protocol and code cleanups, allowing the Samba team to track the evolving NT implementation. NT Service Pack 4 corrects several problems in the protocol, and Samba's better integration makes it easier to track and adapt to these changes.</para></listitem> +<listitem><para>There is less overhead on the PDC because there is one less permanent network connection between it and the Samba server. Unlike the protocol used by the <literal>security</literal> <literal>=</literal> <literal>server</literal> option, the Samba server can make a Remote Procedure Call (RPC) call only when it needs authentication information. It can not keep a connection permanently up just for that.</para></listitem> +<listitem><para>Finally, the NT domain authentication scheme returns the full set of user attributes, not just success or failure. The attributes include a longer, more network-oriented version of the Unix uid, NT groups, and other information. This includes:</para> + +<itemizedlist> +<listitem><para>Username</para></listitem> +<listitem><para>Full name</para></listitem> +<listitem><para>Description</para></listitem> +<listitem><para>Security identifier (a domain-wide extension of the Unix uid)</para></listitem> +<listitem><para>NT group memberships</para></listitem> +<listitem><para>Logon hours, and whether to force the user to log out immediately</para></listitem> +<listitem><para>Workstations the user is allowed to use</para></listitem> +<listitem><para>Account expiration date</para></listitem> +<listitem><para>Home directory</para></listitem> +<listitem><para>Login script</para></listitem> +<listitem><para>Profile</para></listitem> +<listitem><para>Account type</para></listitem> +</itemizedlist></listitem> +<listitem><para>The Samba developers used domain-level security in Samba version 2.0.4 to add and delete domain <indexterm id="ch06-idx-967702-0"><primary>users</primary><secondary>domain, semi-automatic deletion</secondary></indexterm>users on Samba servers semi-automatically. In addition, it adds room for other NT-like additions, such as supporting access control lists and changing permissions of files from the client.</para></listitem> +</itemizedlist> + +<para>The advantage to this approach is less administration; there is only one authentication database to keep synchronized. The only local administration required on the Samba server will be creating directories for users to work in and <filename>/etc/passwd</filename> entries to keep their UIDs and groups in.</para> + + +<sect3 role="" label="6.3.4.1" id="ch06-SECT-3.4.1"> +<title>Adding a Samba server to a Windows NT Domain</title> + + +<para>If you already have an NT <indexterm id="ch06-idx-967704-0"><primary>domains</primary><secondary>adding Samba server to Windows NT domain</secondary></indexterm>domain, you can easily add a Samba server to it. First, you will need to stop the Samba daemons. Then, add the Samba server to the NT domain on the PDC using the <indexterm id="ch06-idx-967706-0"><primary>Windows NT Server Manager for Domains tool</primary></indexterm>"Windows NT Server Manager for Domains" tool. When it asks for the computer type, choose "Windows NT Workstation or Server," and give it the NetBIOS name of the Samba server. This creates the machine account on the NT server.</para> + + +<para>Next, generate a Microsoft-format machine password using the <filename>smbpasswd</filename> +<indexterm id="ch06-idx-967707-0"><primary>smbpasswd program</primary></indexterm> tool, which is explained in further detail in the next section. For example, if our domain is SIMPLE and the Windows NT PDC is <literal>beowulf</literal>, we could use the following command on the Samba server to accomplish this:</para> + + +<programlisting>smbpasswd -j SIMPLE -r beowulf</programlisting> + + +<para>Finally, add the following options to the <literal>[global]</literal> section of your <filename>smb.conf</filename> and restart the Samba daemons.</para> + + +<programlisting>[global] + security = domain + domain logins = yes + workgroup = SIMPLE + password server = beowulf</programlisting> + + +<para>Samba should now be configured for domain-level security. The <literal>domain</literal> <literal>logins</literal> option is explained in more detail later in this<indexterm id="ch06-idx-967657-0" class="endofrange" startref="ch06-idx-967649-0"/> +<indexterm id="ch06-idx-967657-1" class="endofrange" startref="ch06-idx-967649-1"/> chapter.<indexterm id="ch06-idx-967506-0" class="endofrange" startref="ch06-idx-967505-0"/> +<indexterm id="ch06-idx-967506-1" class="endofrange" startref="ch06-idx-967505-1"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="6.4" id="ch06-61393"> +<title>Passwords</title> + + +<para> +<indexterm id="ch06-idx-967574-0" class="startofrange"><primary>passwords</primary></indexterm>Passwords are a thorny issue with Samba. So much so, in fact, that they are almost always the first major problem that users encounter when they install Samba, and generate by far the most questions sent to Samba support groups. In previous chapters, we've gotten around the need for passwords by placing the <literal>guest</literal> <literal>ok</literal> option in each of our configuration files, which allows connections without authenticating passwords. However, at this point, we need to delve deeper into Samba to discover what is happening on the network.</para> + + +<para> +<indexterm id="ch06-idx-967709-0"><primary>passwords</primary><secondary>encrypted</secondary><tertiary sortas="non-encrypted">vs. non-encrypted</tertiary></indexterm> +<indexterm id="ch06-idx-967709-1"><primary>encrypted passwords</primary></indexterm>Passwords sent from individual clients can be either encrypted or non-encrypted. Encrypted passwords are, of course, more secure. A <indexterm id="ch06-idx-967710-0"><primary>non-encrypted passwords</primary></indexterm>non-encrypted password can be easily read with a packet sniffing program, such as the modified <emphasis>tcpdump</emphasis> +<indexterm id="ch06-idx-967712-0"><primary>tcpdump utility</primary><secondary>passwords, reading</secondary></indexterm> program for Samba that we used in <link linkend="SAMBA-CH-3">Chapter 3</link>. Whether passwords are encrypted depends on the operating system that the client is using to connect to the Samba server. <link linkend="ch06-75183">Table 6.5</link> lists which Windows operating systems encrypt their passwords before sending them to the primary domain controller for authentication. If your client is not Windows, check the system documentation to see if SMB passwords are encrypted.</para> + + +<table label="6.5" id="ch06-75183"> +<title>Windows Operating Systems with Encrypted Passwords </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Operating System</para></entry> + +<entry colname="col2"><para>Encrypted or Non-encrypted</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal></literal> +<indexterm id="ch06-idx-967714-0"><primary>operating systems</primary><secondary>encrypted/non-encrypted passwords</secondary></indexterm>Windows 95</para></entry> + +<entry colname="col2"><para>Non-encrypted</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 95 with SMB Update</para></entry> + +<entry colname="col2"><para>Encrypted</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows 98</para></entry> + +<entry colname="col2"><para>Encrypted</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT 3.<emphasis>x</emphasis></para></entry> + +<entry colname="col2"><para>Non-encrypted</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT 4.0 before SP 3</para></entry> + +<entry colname="col2"><para>Non-encrypted</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Windows NT 4.0 after SP 3</para></entry> + +<entry colname="col2"><para>Encrypted</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>There are actually two different encryption methods used: one for <indexterm id="ch06-idx-967715-0"><primary>Windows 95/98</primary><secondary>passwords, encrypted</secondary></indexterm>Windows 95 and 98 clients that reuses Microsoft's LAN Manager encryption style, and a separate one for <indexterm id="ch06-idx-967716-0"><primary>Windows NT</primary><secondary>passwords</secondary><tertiary>encrypted</tertiary></indexterm>Windows NT clients and servers. Windows 95 and 98 use an older encryption system inherited from the LAN Manager network software, while Windows NT clients and servers use a newer encryption system.</para> + + +<para>If encrypted passwords are supported, Samba stores the encrypted passwords in a file called <filename>smbpasswd</filename> +<indexterm id="ch06-idx-967717-0"><primary>smbpasswd file</primary></indexterm> +<indexterm id="ch06-idx-967717-1"><primary>passwords</primary><secondary>stored by Samba</secondary></indexterm>. By default, this file is located in the <filename>private</filename> +<indexterm id="ch06-idx-967719-0"><primary>private directory (Samba distribution)</primary></indexterm> directory of the Samba distribution (<filename>/usr/local/samba/private</filename>). At the same time, the client stores an encrypted version of a user's password on its own system. The plaintext password is never stored on either system. Each system encrypts the password automatically using a known algorithm when the password is set or changed.</para> + + +<para>When a client requests a connection to an SMB server that supports encrypted passwords (such as Samba or Windows NT), the two computers undergo the following negotiations:</para> + + +<orderedlist> +<listitem><para>The client attempts to negotiate a protocol with the server.</para></listitem> +<listitem><para>The server responds with a protocol and indicates that it supports encrypted passwords. At this time, it sends back a randomly-generated 8-byte challenge string.</para></listitem> +<listitem><para>The client uses the challenge string as a key to encrypt its already encrypted password using an algorithm predefined by the negotiated protocol. It then sends the result to the server.</para></listitem> +<listitem><para>The server does the same thing with the encrypted password stored in its database. If the results match, the passwords are equivalent and the user is authenticated.</para></listitem> +</orderedlist> + +<para>Note that even though the original passwords are not involved in the authentication process, you need to be very careful that the encrypted passwords located inside of the <filename>smbpasswd</filename> +<indexterm id="ch06-idx-967721-0"><primary>smbpasswd file</primary><secondary>caution with</secondary></indexterm> file are guarded from unauthorized users. If they are compromised, an unauthorized user can break into the system by replaying the steps of the previous algorithm. The <indexterm id="ch06-idx-967722-0"><primary>passwords</primary><secondary>encrypted</secondary><tertiary sortas="plaintext">vs. plaintext</tertiary></indexterm> +<indexterm id="ch06-idx-967722-1"><primary>plaintext passwords</primary></indexterm> +<indexterm id="ch06-idx-967722-2"><primary sortas="encryptes passwords">encrypted passwords</primary><secondary sortas="plaintext passwords">vs. plaintext passwords</secondary></indexterm>encrypted passwords are just as sensitive as the plaintext passwords—this is known as <firstterm>plaintext-equivalent</firstterm> data in the cryptography world. Of course, you should also ensure that the clients safeguard their plaintext-equivalent passwords as well.</para> + + +<para>You can configure Samba to accept encrypted passwords with the following global additions to <filename>smb.conf</filename>. Note that we explicitly name the location of the Samba password file:</para> + + +<programlisting>[global] + security = user + encrypt passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd</programlisting> + + +<para>Samba, however, will not accept any users until the <filename>smbpasswd</filename> file has been initialized.</para> + + +<sect2 role="" label="6.4.1" id="ch06-SECT-4.0.1"> +<title>Disabling encrypted passwords on the client</title> + + +<para> +<indexterm id="ch06-idx-967724-0"><primary>passwords</primary><secondary>encrypted</secondary><tertiary>disabling on Windows computers</tertiary></indexterm>While Unix authentication has been in use for decades, including the use of <emphasis>telnet</emphasis> and <emphasis>rlogin</emphasis> access across the Internet, it embodies well-known security risks. Plaintext passwords are sent over the Internet and can be retrieved from TCP packets by malicious snoopers. However, if you feel that your network is secure and you wish to use standard Unix <filename>/etc/passwd</filename> authentication for all clients, you can do so, but you must disable encrypted passwords on those Windows clients that default to using them.</para> + + +<para>In order to do this, you must modify the Windows registry by installing two files on each system. Depending on the platform involved, the files are either <filename>NT4_PlainPassword.reg</filename> or <filename>Win95_PlainPassword.reg</filename>. You can perform this installation by copying the appropriate <filename>.reg</filename> files from the Samba distribution's <filename>/docs</filename> directory to a DOS floppy, and running it from the Run menu item on the client's Start Menu button. Incidentally, the Windows 95 <filename>.reg</filename> file works fine on Windows 98 as well.</para> + + +<para>After you reboot the machine, the client will not encrypt its hashed passwords before sending them to the server. This means that the plaintext-equivalent passwords can been seen in the TCP packets that are broadcast across the network. Again, we encourage you not to do this unless you are absolutely sure that your network is secure.</para> + + +<para>If passwords are not encrypted, you can indicate as much in your Samba configuration file:</para> + + +<programlisting>[global] + security = user + encrypt passwords = no</programlisting> +</sect2> + + + + +<sect2 role="" label="6.4.2" id="ch06-17782"> +<title>The smbpasswd File</title> + + +<para><filename></filename> +<indexterm id="ch06-idx-967731-0" class="startofrange"><primary>smbpasswd file</primary></indexterm>Samba stores its encrypted passwords in a file called <filename>smbpasswd</filename>, which by default resides in the <filename>/usr/local/samba/private</filename> directory. The <filename>smbpasswd</filename> +<indexterm id="ch06-idx-967742-0"><primary>smbpasswd file</primary><secondary>caution with</secondary></indexterm> file should be guarded as closely as the <filename>passwd</filename> file; it should be placed in a directory to which only the root user has read/write access. All other users should not be able to read from the directory at all. In addition, the file should have all access closed off to all users except for root.</para> + + +<para>Before you can use encrypted passwords, you will need to create an entry for each Unix user in the <filename>smbpasswd</filename> file. The structure of the file is somewhat similar to a Unix <filename>passwd</filename> file, but has different fields. <link linkend="ch06-54128">Figure 6.3</link> illustrates the layout of the <filename>smbpasswd</filename> file; the entry shown is actually one line in the file.</para> + + +<figure label="6.3" id="ch06-54128"> +<title>Structure of the smbpasswd file entry (actually one line)</title> + +<graphic width="502" depth="177" fileref="figs/sam.0603.gif"></graphic> +</figure> + +<para>Here is a breakdown of the individual fields:</para> + + +<variablelist> +<varlistentry><term>Username</term> +<listitem><para>This is the username of the account. It is taken directly from the system password file.</para></listitem> +</varlistentry> + + +<varlistentry><term>UID</term> +<listitem><para>This is the user ID of the account. Like the username, it is taken directly from the system password file and must match the user it represents there.</para></listitem> +</varlistentry> + + +<varlistentry><term>LAN Manager Password Hash</term> +<listitem><para>This is a 32-bit hexadecimal sequence that represents the password Windows 95 and 98 clients will use. It is derived by encrypting the string <literal>KGS!@#$%</literal> with a 56-bit DES algorithm using the user's password (forced to 14 bytes and converted to capital letters) twice repeated as the key. If there is currently no password for this user, the first 11 characters of the hash will consist of the sequence <literal>NO</literal> <literal>PASSWORD</literal> followed by <literal>X</literal> characters for the remainder. Anyone can access the share with no password. On the other hand, if the password has been disabled, it will consist of 32 <literal>X</literal> characters. Samba will not grant access to a user without a password unless the <literal>null</literal> <literal>passwords</literal> option has been set.</para></listitem> +</varlistentry> + + +<varlistentry><term>NT Password Hash</term> +<listitem><para>This is a 32-bit hexadecimal sequence that represents the password Windows NT clients will use. It is derived by hashing the user's password (represented as a 16-bit little-endian Unicode sequence) with an MD4 hash. The password is not converted to uppercase letters first.</para></listitem> +</varlistentry> + + +<varlistentry><term>Account Flags</term> +<listitem><para>This field consists of 11 characters between two braces ( [ ] ). Any of the following characters can appear in any order; the remaining characters should be spaces:</para> + + +<variablelist> +<varlistentry><term>U</term> +<listitem><para>This account is a standard user account.</para></listitem> +</varlistentry> + + +<varlistentry><term>D</term> +<listitem><para>This account is currently disabled and Samba should not allow any logins.</para></listitem> +</varlistentry> + + +<varlistentry><term>N</term> +<listitem><para>This account has no password associated with it.</para></listitem> +</varlistentry> + + +<varlistentry><term>W</term> +<listitem><para>This is a workstation trust account that can be used to configure Samba as a primary domain controller (PDC) when allowing Windows NT machines to join its domain.</para></listitem> +</varlistentry> +</variablelist></listitem> +</varlistentry> + + +<varlistentry><term>Last Change Time</term> +<listitem><para>This code consists of the characters <literal>LCT-</literal> followed by a hexidecimal representation of the amount of seconds since the epoch (midnight on January 1, 1970) that the entry was last changed.</para></listitem> +</varlistentry> +</variablelist> + + +<sect3 role="" label="6.4.2.1" id="ch06-SECT-4.1.1"> +<title>Adding entries to smbpasswd</title> + + +<para><filename></filename> +<indexterm id="ch06-idx-967757-0"><primary>smbpasswd file</primary><secondary>adding entries to</secondary></indexterm>There are a few ways you can add a new entry to the <filename>smbpasswd</filename> file:</para> + + +<itemizedlist> +<listitem><para>You can use the <firstterm>smbpasswd</firstterm> program with the <literal>-a</literal> option to automatically add any user that currently has a standard Unix system account on the server. This program resides in the <filename>/usr/local/samba/bin</filename> directory.</para></listitem> +<listitem><para>You can use the <firstterm>addtosmbpass</firstterm> +<indexterm id="ch06-idx-967763-0"><primary>addtosmbpass executable</primary></indexterm> executable inside the <firstterm>/usr/local/samba/bin</firstterm> directory. This is actually a simple <emphasis>awk</emphasis> +<indexterm id="ch06-idx-967764-0"><primary>awk script</primary></indexterm> script that parses a system password file and extracts the username and UID of each entry you wish to add to the SMB password file. It then adds default fields for the remainder of the user's entry, which can be updated using the <filename>smbpasswd</filename> program later. In order to use this program, you will probably need to edit the first line of the file to correctly point to <emphasis>awk</emphasis> on your system.</para></listitem> +<listitem><para>In the event that the neither of those options work for you, you can create a default entry by hand in the <filename>smbpasswd</filename> file. The entry should be entirely on one line. Each field should be colon-separated and should look similar to the following:</para> + + +<programlisting>dave:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:</programlisting> + + +<para>This consists of the username and the UID as specified in the system password file, followed by two sets of exactly 32 <literal>X</literal> characters, followed by the account flags and last change time as it appears above. After you've added this entry, you must use the <firstterm>smbpasswd</firstterm> program to change the password for the user.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="6.4.2.2" id="ch06-SECT-4.1.2"> +<title>Changing the encrypted password</title> + + +<para> +<indexterm id="ch06-idx-967765-0"><primary>passwords</primary><secondary>encrypted</secondary><tertiary>changing</tertiary></indexterm>If you need to change the encrypted password in the <filename>smbpasswd</filename> file, you can also use the <filename>smbpasswd</filename> +<indexterm id="ch06-idx-967766-0"><primary>smbpasswd program</primary><secondary>changing encrypted passwords with</secondary></indexterm> program. Note that this program shares the same name as the encrypted password file itself, so be sure not to accidentally confuse the password file with the password-changing program.</para> + + +<para>The <filename>smbpasswd</filename> program is almost identical to the <filename>passwd</filename> program that is used to change Unix account passwords. The program simply asks you to enter your old password (unless you're the root user), and duplicate entries of your new password. No password characters are shown on the screen.</para> + + +<programlisting># <emphasis role="bold">smbpasswd dave</emphasis> +Old SMB password: +New SMB password: +Retype new SMB password: +Password changed for user dave</programlisting> + + +<para>You can look at the <filename>smbpasswd</filename> file after this command completes to verify that both the LAN Manager and the NT hashes of the passwords have been stored in their respective positions. Once users have encrypted password entries in the database, they should be able to connect to shares using encrypted passwords!<filename></filename> +<indexterm id="ch06-idx-967737-0" class="endofrange" startref="ch06-idx-967731-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.4.3" id="ch06-97004"> +<title>Password Synchronization</title> + + +<para> +<indexterm id="ch06-idx-967768-0" class="startofrange"><primary>passwords</primary><secondary>synchronizing</secondary></indexterm> +<indexterm id="ch06-idx-967768-1" class="startofrange"><primary>synchronizing</primary><secondary>passwords</secondary></indexterm>Having a regular password and an encrypted version of the same password can be troublesome when you need to change both of them. Luckily, Samba affords you a limited ability to keep your passwords synchronized. Samba has a pair of configuration options that can be used to automatically update a user's regular Unix password when the encrypted password is changed on the system. The feature can be activated by specifying the <literal>unix</literal> <literal>password</literal> <literal>sync</literal> global configuration option:</para> + + +<programlisting>[global] + encrypt passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd + + unix password sync = yes</programlisting> + + +<para>With this option enabled, Samba will attempt to change the user's regular password (as <literal>root</literal>) when the encrypted version is changed with <filename>smbpasswd</filename>. However, there are two other options that have to be set correctly in order for this to work.</para> + + +<para>The easier of the two is <literal>passwd</literal> <literal>program</literal>. This option simply specifies the Unix command used to change a user's standard system password. It is set to <literal>/bin/passw</literal>d <literal>%u</literal> by default. With some Unix systems, this is sufficient and you do not need to change anything. Others, such as Red Hat Linux, use <filename>/usr/bin/passwd</filename> instead. In addition, you may want to change this to another program or script at some point in the future. For example, let's assume that you want to use a script called <literal>changepass</literal> to change a user's password. Recall that you can use the variable <literal>%u</literal> to represent the current Unix username. So the example becomes:</para> + + +<programlisting>[global] + encrypt passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd + + unix password sync = yes + passwd program = changepass %u</programlisting> + + +<para>Note that this program will be called as the <literal>root</literal> user when the <literal>unix</literal> <literal>password</literal> <literal>sync</literal> option is set to <literal>yes</literal>. This is because Samba does not necessarily have the plaintext old password of the user.</para> + + +<para>The harder option to configure is <literal>passwd</literal> <literal>chat</literal>. The <literal>passwd</literal> <literal>chat</literal> option works like a Unix chat script. It specifies a series of strings to send as well as responses to expect from the program specified by the <literal>passwd</literal> <literal>program</literal> option. For example, this is what the default <literal>passwd</literal> <literal>chat</literal> looks like. The delimiters are the spaces between each groupings of characters:</para> + + +<programlisting>passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</programlisting> + + +<para>The first grouping represents a response expected from the password-changing program. Note that it can contain <indexterm id="ch06-idx-967780-0"><primary>wildcards (*) in password changing program</primary></indexterm> +<indexterm id="ch06-idx-967780-1"><primary>* wildcards</primary></indexterm>wildcards (*), which help to generalize the chat programs to be able to handle a variety of similar outputs. Here, <literal>*old*password*</literal> indicates that Samba is expecting any line from the password program containing the letters <literal>old</literal> followed by the letters <literal>password</literal>, without regard for what comes on either side or between them. Once instructed to, Samba will wait indefinitely for such a match. Is Samba does not receive the expected response, the password will fail.</para> + + +<para>The second grouping indicates what Samba should send back once the data in the first grouping has been matched. In this case, you see <literal>%o\n</literal>. This response is actually two items: the variable <literal>%o</literal> represents the old password, while the <literal>\n</literal> is a newline character. So, in effect, this will "type" the old password into the standard input of the password changing program, and then "press" Enter.</para> + + +<para>Following that is another response grouping, followed by data that will be sent back to the password changing program. (In fact, this response/send pattern continues indefinitely in any standard Unix <emphasis>chat</emphasis> script.) The script continues until the final pattern is matched.<footnote label="2" id="ch06-pgfId-969009"> + + +<para>This may not work under Red Hat Linux, as the password program typically responds "All authentication tokens updated successfully," instead of "Password changed." We provide a fix for this later in this section.</para> + + +</footnote></para> + + +<para>You can help match the response strings sent from the password program with the characters listed in <link linkend="ch06-77246">Table 6.6</link>. In addition, you can use the characters listed in <link linkend="ch06-38512">Table 6.7</link> to help formulate your response.</para> + + +<table label="6.6" id="ch06-77246"> +<title>Password Chat Response Characters </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Character</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>*</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch06-idx-967781-0"><primary>passwords</primary><secondary>chat characters for</secondary></indexterm> +<indexterm id="ch06-idx-967781-1"><primary>chat characters for passwords</primary></indexterm>Zero or more occurrences of any character.</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>" "</literal></para></entry> + +<entry colname="col2"><para>Allows you to include matching strings that contain spaces. Asterisks are still considered wildcards even inside of quotes, and you can represent a null response with empty quotes.</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<table label="6.7" id="ch06-38512"> +<title>Password Chat Send Characters </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Character</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>%o</literal></para></entry> + +<entry colname="col2"><para>The user's old password</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%n</literal></para></entry> + +<entry colname="col2"><para>The user's new password</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>\n</literal></para></entry> + +<entry colname="col2"><para>The linefeed character</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>\r</literal></para></entry> + +<entry colname="col2"><para>The carriage-return character</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>\t</literal></para></entry> + +<entry colname="col2"><para>The tab character</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>\s</literal></para></entry> + +<entry colname="col2"><para>A space</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>For example, you may want to change your password chat to the following entry. This will handle scenarios in which you do not have to enter the old password. In addition, this will also handle the new <literal>all</literal> <literal>tokens</literal> <literal>updated</literal> <literal>successfully</literal> string that Red Hat Linux sends:</para> + + +<programlisting>passwd chat = *new password* %n\n *new password* %n\n *success*</programlisting> + + +<para>Again, the default chat should be sufficient for many Unix systems. If it isn't, you can use the <literal>passwd</literal> <literal>chat</literal> <literal>debug</literal> global option to set up a new chat script for the password change program. The <literal>passwd</literal> <literal>chat</literal> <literal>debug</literal> option logs everything during a password chat. This option is a simple boolean, as shown below:</para> + + +<programlisting>[global] + encrypted passwords = yes + smb passwd file = /usr/local/samba/private/smbpasswd + + unix password sync = yes + passwd chat debug = yes + log level = 100</programlisting> + + +<para>After you activate the password chat debug feature, all I/O received by Samba through the password chat will be sent to the Samba logs with a debug level of 100, which is why we entered a new log level option as well. As this can often generate multitudes of error logs, it may be more efficient to use your own script, by setting the <literal>passwd</literal> <literal>program</literal> option, in place of <filename>/bin/passwd</filename> to record what happens during the exchange. Also, make sure to protect your log files with strict file permissions and to delete them as soon as you've grabbed the information you need, because they contain the passwords in plaintext.</para> + + +<para>The operating system on which Samba is running may have strict requirements for valid passwords in order to make them more impervious to dictionary attacks and the like. Users should be made aware of these restrictions when changing their passwords.</para> + + +<para>Earlier we said that password synchronization is limited. This is because there is no reverse synchronization of the encrypted <filename>smbpasswd</filename> file when a standard Unix password is updated by a user. There are various strategies to get around this, including NIS and freely available implementations of the <indexterm id="ch06-idx-967787-0"><primary>PAM (pluggable authentication modules)</primary></indexterm> +<indexterm id="ch06-idx-967787-1"><primary>pluggable authentication modules (PAM)</primary></indexterm>pluggable authentication modules (PAM) standard, but none of them really solve all the problems yet. In the future, when Windows 2000 emerges, we will see more compliance with the <indexterm id="ch06-idx-967788-0"><primary>LDAP (Lightweight Directory Access Protocol)</primary><secondary>replacement for password snychronization</secondary></indexterm>Lightweight Directory Access Protocol (LDAP), which promises to make password synchronization a thing of the past.<indexterm id="ch06-idx-967772-0" class="endofrange" startref="ch06-idx-967768-0"/> +<indexterm id="ch06-idx-967772-1" class="endofrange" startref="ch06-idx-967768-1"/></para> +</sect2> + + + + + +<sect2 role="" label="6.4.4" id="ch06-SECT-4.3"> +<title>Password Configuration Options</title> + + +<para>The options in <link linkend="ch06-68460">Table 6.8</link> will help you work with passwords in Samba.</para> + + +<table label="6.8" id="ch06-68460"> +<title>Password Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>encrypt passwords</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para> +<indexterm id="ch06-idx-969358-0" class="startofrange"><primary>passwords</primary><secondary>options for</secondary></indexterm>Turns on encrypted passwords.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>unix password sync </literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba updates the standard Unix password database when a user changes his or her encrypted password.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>passwd chat</literal></para></entry> + +<entry colname="col2"><para>string (chat commands)</para></entry> + +<entry colname="col3"><para>Sets a sequence of commands that will be sent to the password program.</para></entry> + +<entry colname="col4"><para>See earlier section on this option</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>passwd chat debug</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Sends debug logs of the password-change process to the log files with a level of 100.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>passwd program</literal></para></entry> + +<entry colname="col2"><para>string (Unix command)</para></entry> + +<entry colname="col3"><para>Sets the program to be used to change passwords.</para></entry> + +<entry colname="col4"><para><literal>/bin/passwd %u</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>password level</literal></para></entry> + +<entry colname="col2"><para>numeric</para></entry> + +<entry colname="col3"><para>Sets the number of capital letter permutations to attempt when matching a client's password.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>update encrypted</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba updates the encrypted password file when a client connects to a share with a plaintext password.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>null passwords</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba allows access for users with null passwords.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>smb passwd file</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the name of the encrypted password file.</para></entry> + +<entry colname="col4"><para><literal>/usr/local/samba/private/smbpasswd</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>hosts equiv</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the name of a file that contains hosts and users that can connect without using a password.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>use rhosts</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>.<emphasis>rhosts</emphasis> file that allows users to connect without using a password.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.4.4.1" id="ch06-SECT-4.3.1"> +<indexterm id="ch06-idx-969469-0"><primary>unix password sync option</primary></indexterm> +<title> +unix password sync</title> + + +<para>The <literal>unix</literal> <literal>password</literal> <literal>sync</literal> global option allows Samba to update the standard Unix password file when a user changes his or her encrypted password. The encrypted password is stored on a Samba server in the <filename>smbpasswd</filename> file, which is located in <filename>/usr/local/samba/private</filename> by default. You can activate this feature as follows:</para> + + +<programlisting>[global] + unix password sync = yes</programlisting> + + +<para>If this option is enabled, Samba changes the encrypted password and, in addition, attempts to change the standard Unix password by passing the username and new password to the program specified by the <literal>passwd</literal> <literal>program</literal> option (described earlier). Note that Samba does not necessarily have access to the plaintext password for this user, so the password changing program must be invoked as <literal>root</literal>.<footnote label="3" id="ch06-pgfId-959675"> + + +<para>This is because the Unix <emphasis>passwd</emphasis> program, which is the usual target for this operation, allows <literal>root</literal> to change a user's password without the security restriction that requests the old password of that user.</para> + + +</footnote> If the Unix password change does not succeed, for whatever reason, the SMB password will not be changed either.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.2" id="ch06-SECT-4.3.2"> +<indexterm id="ch06-idx-969472-0"><primary>encrypt passwords option</primary></indexterm> +<title> +encrypt passwords</title> + + +<para> +<indexterm id="ch06-idx-967797-0"><primary>encrypted passwords</primary><secondary>option for</secondary></indexterm>The <literal>encrypt</literal> <literal>passwords</literal> global option switches Samba from using plaintext passwords to encrypted passwords for authentication. Encrypted passwords will be expected from clients if the option is set to <literal>yes</literal>:</para> + + +<programlisting>encrypt passwords = yes</programlisting> + + +<para>By default, Windows NT 4.0 with Service Pack 3 or above and Windows 98 transmit encrypted passwords over the network. If you are enabling encrypted passwords, you must have a valid <filename>smbpasswd</filename> file in place and populated with usernames that will authenticate with encrypted passwords. (See <link linkend="ch06-17782">Section 6.4.2</link> earlier in this chapter.) In addition, Samba must know the location of the <filename>smbpasswd</filename> file; if it is not in the default location (typically <filename>/usr/local/samba/private/smbpasswd</filename>), you can explicitly name it using the <literal>smb</literal> <literal>passwd</literal> <literal>file</literal> option.</para> + + +<para>If you wish, you can use the <literal>update</literal> <literal>encrypted</literal> to force Samba to update the <filename>smbpasswd</filename> file with encrypted passwords each time a client connects to a non-encrypted password.</para> + + +<para>A common strategy to ensure that hosts who need encrypted password authentication indeed receive it is with the <literal>include</literal> option. With this, you can create individual configuration files that will be read in based on OS-type (<literal>%a</literal>) or client name (<literal>%m</literal>). These host-specific or OS-specific configuration files can contain an <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>yes</literal> option that will activate only when those clients are connecting to the server.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.3" id="ch06-SECT-4.3.3"> +<indexterm id="ch06-idx-969475-0"><primary>passwd program option</primary></indexterm> +<title> +passwd program</title> + + +<para>The <literal>passwd</literal> +<indexterm id="ch06-idx-967798-0"><primary>passwords</primary><secondary>passwd program</secondary></indexterm> <literal>program</literal> is used to specify a program on the Unix Samba server that Samba can use to update the standard system password file when the encrypted password file is updated. This option defaults to the standard <emphasis>passwd</emphasis> program, usually located in the <filename>/bin</filename> directory. The <literal>%u</literal> variable is typically used here as the requesting user when the command is executed. The actual handling of input and output to this program during execution is handled through the <literal>passwd</literal> <literal>chat</literal> option. <link linkend="ch06-97004">Section 6.4.3</link>, earlier in this chapter, covers this option in detail.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.4" id="ch06-SECT-4.3.4"> +<indexterm id="ch06-idx-969476-0"><primary>passwd chat option</primary></indexterm> +<title> +passwd chat</title> + + +<para>This option specifies a series of send/response strings similar to a Unix chat script, which are used to interface with the password-changing program on the Samba server. <link linkend="ch06-97004">Section 6.4.3</link>, earlier in this chapter, covers this option in detail.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.5" id="ch06-SECT-4.3.5"> +<indexterm id="ch06-idx-969477-0"><primary>passwd chat debug option</primary></indexterm> +<title> +passwd chat debug</title> + + +<para>If set to <literal>yes</literal>, the <literal>passwd</literal> <literal>chat</literal> <literal>debug</literal> global option logs everything sent or received by Samba during a password chat. All the I/O received by Samba through the password chat is sent to the Samba logs with a debug level of 100; you will need to specify <literal>log</literal> <literal>level</literal> <literal>=</literal> <literal>100</literal> in order for the information to be recorded. <link linkend="ch06-97004">Section 6.4.3</link> earlier in this chapter, describes this option in more detail. Be aware that if you do set this option, the plaintext passwords will be visible in the debugging logs, which could be a security hazard if they are not properly secured.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.6" id="ch06-SECT-4.3.6"> +<indexterm id="ch06-idx-969478-0"><primary>password level option</primary></indexterm> +<title> +password level</title> + + +<para>With SMB, non-encrypted (or plaintext) passwords are sent with capital letters, just like the usernames mentioned previously. Many Unix users, however, choose passwords with both uppercase and lowercase letters. Samba, by default, only attempts to match the password entirely in lowercase letters, and not capitalizing the first letter.</para> + + +<para>Like <literal>username</literal> <literal>level</literal>, there is a <literal>password</literal> <literal>level</literal> option that can be used to attempt various permutations of the password with capital letters. This option takes an integer value that specifies how many letters in the password should be capitalized when attempting to connect to a share. You can specify this options as follows:</para> + + +<programlisting>[global] + password level = 3</programlisting> + + +<para>In this case, Samba will then attempt all permutations of the password it can compute having three capital letters. The larger the number, the more computations Samba will have to perform to match the password, and the longer a connection to a specific share may take.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.7" id="ch06-SECT-4.3.7"> +<indexterm id="ch06-idx-969481-0"><primary>pdate encrypted option</primary></indexterm> +<title>update encrypted</title> + + +<para>For sites switching over to the <indexterm id="ch06-idx-967799-0"><primary>encrypted passwords</primary><secondary>Microsoft format</secondary></indexterm>encrypted password format, Samba provides an option that should help with the transition. The <literal>update</literal> <literal>encrypted</literal> option allows a site to ease into using encrypted passwords from plaintext passwords. You can activate this option as follows:</para> + + +<programlisting>[global] + update encrypted = yes</programlisting> + + +<para>This instructs Samba to create an encrypted version of each user's Unix password in the <filename>smbpasswd</filename> file each time he or she connects to a share. When this option is enabled, you must have the <literal>encrypt</literal> <literal>passwords</literal> option set to <literal>no</literal> so that the client will pass plaintext passwords to Samba to use to update the files. Once each user has connected at least once, you can set <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>yes</literal>, allowing you to use only the encrypted passwords. The user must already have a valid entry in the <filename>smbpasswd</filename> file for this option to work.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.8" id="ch06-SECT-4.3.8"> +<title>null passwords</title> + + +<para>This global option tells Samba whether or not to allow access from users that have <indexterm id="ch06-idx-967801-0"><primary>null passwords</primary></indexterm> +<indexterm id="ch06-idx-967801-1"><primary>passwords</primary><secondary>null</secondary></indexterm>null passwords (encrypted or non-encrypted) set in their accounts. The default value is <literal>no</literal>. You can override it as follows:</para> + + +<programlisting>null passwords = yes</programlisting> + + +<para>We highly recommend against doing so unless you are familiar with the security risks this option can present to your system, including inadvertent access to system users (such as <filename>bin</filename>) in the system password file who have null passwords set.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.9" id="ch06-SECT-4.3.9"> +<indexterm id="ch06-idx-969483-0"><primary>smb passwd file option</primary></indexterm> +<title> +smb passwd file</title> + + +<para> +<indexterm id="ch06-idx-968245-0"><primary>smbpasswd file</primary><secondary>option for location of</secondary></indexterm>This global option identifies the location of the encrypted password database. By default, it is set to <filename>/usr/local/samba/private/smbpasswd</filename>. You can override it as follows:</para> + + +<programlisting>[global] + smb passwd file = /etc/smbpasswd</programlisting> + + +<para>This location, for example, is common on many Red Hat distributions.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.10" id="ch06-SECT-4.3.10"> +<indexterm id="ch06-idx-969486-0"><primary>hosts equiv option</primary></indexterm> +<title> +hosts equiv</title> + + +<para>This global option specifies the name of a standard Unix <filename>hosts.equiv</filename> file that will allow hosts or users to access shares without specifying a password. You can specify the location of such a file as follows:</para> + + +<programlisting>[global] + hosts equiv = /etc/hosts.equiv</programlisting> + + +<para>The default value for this option does not specify any <filename>hosts.equiv</filename> file. Because using such a file is essentially a huge security risk, we highly recommend that you do not use this option unless you are confident in the security of your network.</para> +</sect3> + + + +<sect3 role="" label="6.4.4.11" id="ch06-SECT-4.3.11"> +<indexterm id="ch06-idx-969487-0"><primary>use rhosts option</primary></indexterm> +<title> +use rhosts</title> + + +<para>This global option specifies the name of a standard Unix user's <filename>.rhosts</filename> file that will allow foreign hosts to access <indexterm id="ch06-idx-967803-0"><primary>shares</primary><secondary>access to</secondary><tertiary sortas="foreign hosts, option for">by foreign hosts, option for</tertiary></indexterm>shares without specifying a password. You can specify the location of such a file as follows:</para> + + +<programlisting>[global] + use rhosts = /home/dave/.rhosts</programlisting> + + +<para>The default value for this option does not specify any <filename>.rhosts</filename> file. Like the <literal>hosts</literal> <literal>equiv</literal> option above, using such a file is a security risk. We highly recommend that you do use this option unless you are confident in the security of<indexterm id="ch06-idx-968233-0" class="endofrange" startref="ch06-idx-969358-0"/> your network.<indexterm id="ch06-idx-968235-0" class="endofrange" startref="ch06-idx-967574-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="6.5" id="ch06-23084"> +<title>Windows Domains</title> + + +<para> +<indexterm id="ch06-idx-967533-0" class="startofrange"><primary>domains</primary><secondary>Windows</secondary></indexterm> +<indexterm id="ch06-idx-967533-1" class="startofrange"><primary>Windows 95/98</primary><secondary>domains</secondary></indexterm> +<indexterm id="ch06-idx-967533-2" class="startofrange"><primary>Windows NT</primary><secondary>domains</secondary></indexterm>Now that you are comfortable with users and passwords on a Samba server, we can show you how to set up Samba to become a <indexterm id="ch06-idx-967819-0"><primary>PDC (primary domain controller)</primary><secondary>Samba, setting up as</secondary></indexterm>primary domain controller for Windows 95/98 and NT machines. Why use domains? The answer probably isn't obvious until you look behind the scenes, especially with Windows 95/98.</para> + + +<para>Recall that with traditional workgroups, Windows 95/98 simply accepts each username and password that you enter when logging on to the system. There are no unauthorized users with Windows 95/98; if a new user logs on, the operating system simply asks for a new password and authenticates the user against that password from then on. The only time that Windows 95/98 attempts to use the password you entered is when connecting to another share.</para> + + +<para> +<indexterm id="ch06-idx-967805-0"><primary>domain logons</primary></indexterm>Domain logons, on the other hand, are similar to Unix systems. In order to log on to the domain, a valid username and password must be presented at startup, which is then authenticated against the primary domain controller's password database. If the password is invalid, the user is immediately notified and they cannot log on to the domain.</para> + + +<para>There's more good news: once you have successfully logged on to the domain, you can access any of the shares in the domain to which you have rights without having to reauthenticate yourself. More precisely, the primary domain controller returns a token to the client machine that allows it to access any share without consulting the PDC again. Although you probably won't notice the shift, this can be beneficial in cutting down network traffic. (You can disable this behavior if you wish by using the <literal>revalidate</literal> option.)</para> + + +<sect2 role="" label="6.5.1" id="ch06-36822"> +<title>Configuring Samba for Windows Domain Logons</title> + + +<para>If you wish to allow Samba to act as a domain controller, use the following sections to configure Samba and your clients to allow domain access.</para> + + +<tip role="ora"> +<para>If you would like more information on how to set up domains, see the <filename>DOMAINS.TXT</filename> file that comes with the Samba distribution.</para> + +</tip> + +<sect3 role="" label="6.5.1.1" id="ch06-SECT-5.1.1"> +<title>Windows 95/98 clients</title> + + +<para> +<indexterm id="ch06-idx-967815-0"><primary>Windows 95/98</primary><secondary>domain logons, configuring</secondary></indexterm>Setting up Samba as a PDC for Windows 95/98 clients is somewhat anticlimactic. All you really need to do on the server side is ensure that:</para> + + +<itemizedlist> +<listitem><para>Samba is the only primary domain controller for the current workgroup.</para></listitem> +<listitem><para>There is a <indexterm id="ch06-idx-967817-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>server</secondary><tertiary>configuring Windows domain logons and</tertiary></indexterm>WINS server available on the network, either a Samba machine or a Windows NT server. (See <link linkend="SAMBA-CH-7">Chapter 7</link>, for more information on WINS.)</para></listitem> +<listitem><para>Samba is using user-level security (i.e., it doesn't hand off password authentication to anyone else). You do not want to use domain-level security if Samba itself is acting as the PDC.</para></listitem> +</itemizedlist> + +<para>At that point, you can insert the following options into your Samba configuration file:</para> + + +<programlisting>[global] + workgroup = SIMPLE + domain logons = yes + +# Be sure to set user-level security! + + security = user + +# Be sure to become the primary domain controller! + + os level = 34 + local master = yes + preferred master = yes + domain master = yes</programlisting> + + +<para>The <literal>domain</literal> <literal>logons</literal> option enables Samba to perform domain authentication on behalf of other clients that request it. The name of the domain will be the same as the workgroup listed in the Samba configuration file, in this case: SIMPLE.</para> + + +<para>After that, you need to create a non-writable, non-public, non-browesable disk share called <literal>[netlogon]</literal> (it does not matter where this share points to as long as each Windows client can connect to it):</para> + + +<programlisting>[netlogon] + comment = The domain logon service + path = /export/samba/logon + public = no + writeable = no + browsable = no</programlisting> +</sect3> + + + +<sect3 role="" label="6.5.1.2" id="ch06-SECT-5.1.2"> +<title>Windows NT clients</title> + + +<para> +<indexterm id="ch06-idx-967816-0"><primary>Windows NT</primary><secondary>configuring domain logons</secondary></indexterm>If you have Window NT clients on your system, there are a few more steps that need to be taken in order for Samba to act as their primary domain controller.</para> + + +<warning role="ora"> +<para>You will need to use at least <indexterm id="ch06-idx-967821-0"><primary>Samba</primary><secondary>version 2.1</secondary><tertiary>PDC functionality and</tertiary></indexterm> +<indexterm id="ch06-idx-967821-1"><primary>PDC (primary domain controller)</primary><secondary>Samba 2.1 and</secondary></indexterm> +<indexterm id="ch06-idx-967821-2"><primary>Windows NT</primary><secondary>user authentication and</secondary></indexterm>Samba 2.1 to ensure that PDC functionality for Windows NT clients is present. Prior to Samba 2.1, only limited user authentication for NT clients was present. At the time this book went to press, Samba 2.0.5 was the latest version, but Samba 2.1 was available through CVS download. Instructions on downloading alpha versions of Samba are given in <link linkend="SAMBA-AP-E">Appendix E</link>.</para> + +</warning> + +<para>As before, you need to ensure that Samba is a primary domain controller for the current workgroup and is using user-level security. However, you must also ensure that Samba is using encrypted passwords. In other words, alter the <literal>[global]</literal> options the previous example to include the <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>yes</literal> option, as shown here:</para> + + +<programlisting>[global] + workgroup = SIMPLE + encrypted passwords = yes + domain logons = yes + + security = user</programlisting> +</sect3> + + + +<sect3 role="" label="6.5.1.3" id="ch06-SECT-5.1.3"> +<title>Creating trust accounts for NT clients</title> + + +<para>This step is exclusively for Windows NT clients. All NT clients that connect to a primary domain controller make use of <firstterm>trust accounts</firstterm> +<indexterm id="ch06-idx-967823-0"><primary>trust accounts, creating</primary></indexterm>. These accounts allow a machine to log in to the <indexterm id="ch06-idx-967824-0"><primary>PDC (primary domain controller)</primary><secondary>trust accounts and</secondary></indexterm>PDC itself (not one of its shares), which means that the PDC can trust any further connections from users on that client. For all intents and purposes, a trust account is identical to a user account. In fact, we will be using standard Unix user accounts to emulate trust accounts for the Samba server.</para> + + +<para>The login name of a machine's trust account is the name of the machine with a dollar sign appended to it. For example, if our Windows NT machine is named <literal>chimaera</literal>, the login account would be <literal>chimaera$</literal>. The initial password of the account is simply the name of the machine in lowercase letters. In order to forge the trust account on the Samba server, you need to create a Unix account with the appropriate machine name, as well as an encrypted password entry in the <filename>smbpasswd</filename> database.</para> + + +<para>Let's tackle the first part. Here, we only need to modify the <filename>/etc/passwd</filename> file to support the trust account; there is no need to create a home directory or assign a shell to the "user" because the only part we are interested in is whether a login is permitted. Therefore, we can create a "dummy" account with the following entry:</para> + + +<programlisting>chimaera$:*:1000:900:Trust Account:/dev/null:/dev/null</programlisting> + + +<para>Note that we have also disabled the password field by placing a <literal>*</literal> in it. This is because Samba will use the <filename>smbpasswd</filename> file to contain the password instead, and we don't want anyone to telnet into the machine using that account. In fact, the only value other than the account name that is used here is the UID of the account for the encrypted password database (1000). This number must map to a unique resource ID on the NT server and cannot conflict with any other resource IDs. Hence, no NT user or group should map to this number or a networking error will occur.</para> + + +<para>Next, add the encrypted password using the <filename>smbpasswd</filename> command, as follows:</para> + + +<programlisting># <userinput>smbpasswd -a -m chimaera</userinput> +Added user chimaera$ +Password changed for user chimaera$</programlisting> + + +<para>The <literal>-m</literal> option specifies that a machine trust account is being generated. The <filename>smbpasswd</filename> program will automatically set the initial encrypted password as the NetBIOS name of the machine in lowercase letters; you don't need to enter it. When specifying this option on the command line, do not put a dollar sign after the machine name—it will be appended automatically. Once the encrypted password has been added, Samba is ready to handle domain logins from a NT client.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.5.2" id="ch06-SECT-5.2"> +<title>Configuring Windows Clients for Domain Logons</title> + + +<para>Once you have Samba configured for domain logons, you need to set up your Windows clients to log on to the domain at startup.</para> + + +<sect3 role="" label="6.5.2.1" id="ch06-SECT-5.2.1"> +<title>Windows 95/98</title> + + +<para> +<indexterm id="ch06-idx-969407-0"><primary>domain logons</primary><secondary>configuring Windows 95/98 for</secondary></indexterm> +<indexterm id="ch06-idx-969407-1"><primary>domains</primary><secondary>logons</secondary><see>domain logons</see></indexterm>With Windows 95/98, this can be done by raising the Network configuration dialog in the Windows Control Panel and selecting the Properties for "Client for Microsoft Networks." At this point, you should see a dialog box similar to <link linkend="ch06-48609">Figure 6.4</link>. Select the "Logon to Windows Domain" checkbox at the top of the dialog box, and enter the workgroup that is listed in the Samba configuration file as the Windows NT domain. Then click on OK and reboot the machine when asked.</para> + + +<figure label="6.4" id="ch06-48609"> +<title>Configuring a Windows 95/98 client for domain logons</title> + +<graphic width="502" depth="359" fileref="figs/sam.0604.gif"></graphic> +</figure> + +<warning role="ora"> +<para>If Windows complains that you are already logged into the domain, you probably have an active connection to a share in the workgroup (such as a mapped network drive). Simply disconnect the resource temporarily by right-clicking on its icon and choosing the Disconnect pop-up menu item.</para> + +</warning> + +<para>When Windows reboots, you should see the standard <indexterm id="ch06-idx-967825-0"><primary>login dialog box, domain logons</primary><secondary>Windows 95/98</secondary></indexterm>login dialog with an addition: a field for a domain. The domain name should already be filled in, so simply enter your password and click on the OK button. At this point, Windows should consult the primary domain controller (Samba) to see if the password is correct. (You can check the log files if you want to see this in action.) If it worked, congratulations! You have properly configured Samba to act as a domain controller for Windows 95/98 machines and your client is successfully connected.</para> +</sect3> + + + +<sect3 role="" label="6.5.2.2" id="ch06-SECT-5.2.2"> +<title>Windows NT 4.0</title> + + +<para> +<indexterm id="ch06-idx-967826-0"><primary>domain logons</primary><secondary>configuring Windows NT 4.0 for</secondary></indexterm>To configure Windows NT for domain logons, open the Network configuration dialog in the Windows NT Control Panel. The first tab that you see should list the identification of the machine.</para> + + +<para>Press the Change button and you should see the dialog box shown in <link linkend="ch06-89804">Figure 6.5</link>. In this dialog box, you can choose to have the Windows NT client become a member of the domain by selecting the radio button marked Domain in the "Member of " box. Then, type in the domain that you wish the client to login to; it should be the same as the workgroup that you specified in the Samba configuration file. Do not check the box marked "Create a Computer Account in the Domain"—Samba does not currently support this functionality.</para> + + +<figure label="6.5" id="ch06-89804"> +<title>Configuring a Windows NT client for domain logons</title> + +<graphic width="502" depth="359" fileref="figs/sam.0605.gif"></graphic> +</figure> + +<warning role="ora"> +<para>Like Windows 95/98, if NT complains that you are already logged in, you probably have an active connection to a share in the workgroup (such as a mapped network drive). Disconnect the resource temporarily by right-clicking on its icon and choosing the Disconnect pop-up menu item.</para> + +</warning> + +<para>After you press the OK button, Windows should present you with a small <indexterm id="ch06-idx-967838-0"><primary>login dialog box, domain logons</primary><secondary>Windows NT</secondary></indexterm>dialog box welcoming you to the domain. At this point, you will need to reset the Windows NT machine. Once it comes up again, the machine will automatically present you with a log on screen similar to the one for Windows 95/98 clients. You can now log in using any account that you have already on the Samba server that is configured to accept logins.</para> + + +<warning role="ora"> +<para>Be sure to select the correct domain in the <indexterm id="ch06-idx-967844-0"><primary>domains</primary><secondary>Windows</secondary><tertiary>caution when selecting</tertiary></indexterm> +<indexterm id="ch06-idx-967844-1"><primary>Windows NT</primary><secondary>domains</secondary><tertiary>caution when selecting</tertiary></indexterm>Windows NT logon dialog box. Once selected, it may take a moment for Windows NT to build the list of available domains.</para> + +</warning> + +<para>After you enter the password, Windows NT should consult the primary domain controller (Samba) to see if the password is correct. Again, you can check the log files if you want to see this in action. If it worked, you have successfully configured Samba to act as a domain controller for Windows NT machines.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.5.3" id="ch06-SECT-5.3"> +<title>Domain Options</title> + + +<para><link linkend="ch06-53106">Table 6.9</link> shows the options that are commonly used in association with domain logons.</para> + + +<table label="6.9" id="ch06-53106"> +<title>Windows 95/98 Domain Logon Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>domain logons</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Indicates whether Windows domain logons are to be used.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>domain group map</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Name of the file used to map Unix to Windows NT domain groups.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>domain user map</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Name of the file used to map Unix to Windows NT domain users.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>local group map</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Name of the file used to map Unix to Windows NT local groups.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>revalidate</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba forces users to authenticate themselves with each connection to a share.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.5.3.1" id="ch06-SECT-5.3.1"> +<indexterm id="ch06-idx-969495-0"><primary>domain logons option</primary></indexterm> +<title> +domain logons</title> + + +<para>This option configures Samba to accept domain logons as a <indexterm id="ch06-idx-968113-0"><primary>PDC (primary domain controller)</primary><secondary>domain option for</secondary></indexterm>primary domain controller. When a client successfully logs on to the domain, Samba will return a special token to the client that allows the client to access domain shares without consulting the PDC again for authentication. Note that the Samba machine must be in user-level security (<literal>security</literal> <literal>=</literal> <literal>user</literal>) and must be the PDC in order for this option to function. In addition, Windows machines will expect a <literal>[netlogon]</literal> share to exist on the Samba server (see <link linkend="ch06-36822">Section 6.5.1</link> earlier in this chapter).</para> +</sect3> + + + +<sect3 role="" label="6.5.3.2" id="ch06-SECT-5.3.2"> +<indexterm id="ch06-idx-969498-0"><primary>domain group map option</primary></indexterm> +<title> +domain group map</title> + + +<para>This option specifies the location of a <indexterm id="ch06-idx-968114-0"><primary>mapping</primary><secondary>files, options for location of</secondary></indexterm>mapping file designed to translate Windows NT domain group names to Unix group names. The file should reside on the Samba server. For example:</para> + + +<programlisting>/usr/local/samba/private/groups.mapping</programlisting> + + +<para>The file has a simple format:</para> + + +<programlisting><replaceable>UnixGroup = NTGroup</replaceable></programlisting> + + +<para>An example is:</para> + + +<programlisting>admin = Administrative</programlisting> + + +<para>The specified Unix group should be a valid group in the <filename>/etc/group</filename> file. The NT group should be the name to which you want the Unix group to map on an NT client. This option will work only with Windows NT clients.</para> +</sect3> + + + +<sect3 role="" label="6.5.3.3" id="ch06-SECT-5.3.3"> +<indexterm id="ch06-idx-969499-0"><primary>domain user map option</primary></indexterm> +<title> +domain user map</title> + + +<para>This option specifies the location of a mapping file designed to translate Unix usernames to Windows NT domain usernames. The file should reside on the Samba server. For example:</para> + + +<programlisting>/usr/local/samba/private/domainuser.mapping</programlisting> + + +<para>The file has a simple format:</para> + + +<programlisting><replaceable>UnixUsername</replaceable> = [\\<replaceable>Domain</replaceable>\\]<replaceable>NTUserName</replaceable></programlisting> + + +<para>An example entry is:</para> + + +<programlisting>joe = Joseph Miller</programlisting> + + +<para>The Unix name specified should be a valid username in the <filename>/etc/passwd</filename> file. The NT name should be the username to which you want to Unix username to map on an NT client. This option will work with Windows NT clients only.</para> + + +<tip role="ora"> +<para>If you would like more information on how Windows NT uses domain usernames and local groups, we recommend Eric Pearce's <citetitle>Windows NT in a Nutshell</citetitle>, published by O'Reilly.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="6.5.3.4" id="ch06-SECT-5.3.4"> +<indexterm id="ch06-idx-969502-0"><primary>local group map option</primary></indexterm> +<title> +local group map</title> + + +<para>This option specifies the location of a mapping file designed to translate Windows NT local group names to Unix group names. Local group names include those such as Administrator and Users. The file should reside on the Samba server. For example:</para> + + +<programlisting>/usr/local/samba/private/localgroup.mapping</programlisting> + + +<para>The file has a simple format:</para> + + +<programlisting><replaceable>UnixGroup</replaceable> = [BUILTIN\]<replaceable>NTGroup</replaceable></programlisting> + + +<para>An example entry is:</para> + + +<programlisting>root = BUILTIN\Administrators</programlisting> + + +<para>This option will work with Windows NT clients only. For more information, see Eric Pearce's <citetitle>Windows NT in a Nutshell</citetitle> (O'Reilly).</para> +</sect3> + + + +<sect3 role="" label="6.5.3.5" id="ch06-SECT-5.3.5"> +<title>revalidate</title> + + +<para>This share-level option tells Samba to force users to authenticate with <indexterm id="ch06-idx-968116-0"><primary>passwords</primary><secondary>options for</secondary><tertiary>share-level</tertiary></indexterm> +<indexterm id="ch06-idx-968116-1"><primary>authentication</primary><secondary>share-level option for</secondary></indexterm> +<indexterm id="ch06-idx-968116-2"><primary>users</primary><secondary>share-level option for authentication of</secondary></indexterm> +<indexterm id="ch06-idx-968116-3"><primary>revalidation of users</primary></indexterm>passwords each time they connect to a different share on a machine, no matter what level of security is in place on the Samba server. The default value is <literal>no</literal>, which allows users to be trusted once they successfully authenticate themselves. You can override it as:</para> + + +<programlisting>revalidate = yes</programlisting> + + +<para>You can use this option to increase security on your system. However, you should weigh it against the inconvenience of having users revalidate themselves to every share.<indexterm id="ch06-idx-968204-0" class="endofrange" startref="ch06-idx-967533-0"/> +<indexterm id="ch06-idx-968204-1" class="endofrange" startref="ch06-idx-967533-1"/> +<indexterm id="ch06-idx-968204-2" class="endofrange" startref="ch06-idx-967533-2"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="6.6" id="ch06-38153"> +<title>Logon Scripts</title> + + +<para> +<indexterm id="ch06-idx-967542-0" class="startofrange"><primary>logon scripts</primary></indexterm> +<indexterm id="ch06-idx-967542-1" class="startofrange"><primary>scripts</primary><secondary>logon</secondary></indexterm> +<indexterm id="ch06-idx-967542-2" class="startofrange"><primary>domain logons</primary><secondary>scripts for</secondary></indexterm>Samba supports the execution of Windows logon scripts, which are scripts (<indexterm id="ch06-idx-968119-0"><primary sortas="BAT scripts">.BAT scripts</primary></indexterm> +<indexterm id="ch06-idx-968119-1"><primary sortas="CMD scripts"> .CMD scripts</primary></indexterm>.BAT or .CMD) that are executed on the client when a user logs on to a Windows domain. Note that these scripts are stored on the Unix side, but are transported across the network to the client side and executed once a user logs on. These scripts are invaluable for dynamically setting up network configurations for users when they log on. The downside is that because they run on Windows, they must use the <indexterm id="ch06-idx-968120-0"><primary>network configuration commands</primary></indexterm> +<indexterm id="ch06-idx-968120-1"><primary>resources for further information</primary><secondary>Windows network configuration commands</secondary></indexterm>Windows network configuration commands.</para> + + +<tip role="ora"> +<para>If you would like more information on NET commands, we recommend the following O'Reilly handbooks: <emphasis>Windows NT in a Nutshell</emphasis>, <emphasis>Windows 95 in a Nutshell</emphasis>, and <emphasis>Windows 98 in a Nutshell.</emphasis></para> + +</tip> + +<para>You can instruct Samba to use a logon script with the <literal>logon</literal> <literal>script</literal> option, as follows:</para> + + +<programlisting>[global] + domain logons = yes + security = user + workgroup = SIMPLE + + os level = 34 + local master = yes + preferred master = yes + domain master = yes + logon script = %U.bat + +[netlogon] + comment = The domain logon service + path = /export/samba/logon + public = no + writeable = no + browsable = no</programlisting> + + +<para>Note that this example uses the <literal>%U</literal> variable, which will individualize the script based on the user that is logging in. It is common to customize logon scripts based on the user or machine name that is logging onto the domain. These scripts can then be used to configure individual settings for users or clients.</para> + + +<para>Each logon script should be stored at the base of the <literal>[netlogon]</literal> share. For example, if the base of the <literal>[netlogon]</literal> share is <filename>/export/samba/logon</filename> and the logon script is <filename>jeff.bat</filename>, the file should be located at <filename>/export/samba/logon/jeff.bat</filename>. When a user logs on to a domain that contains a startup script, he or she will see a small dialog that informs them that the script is executing, as well as any output the script generates in an MS-DOS-like box.</para> + + +<para>One warning: because these scripts are loaded by Windows and executed on the Windows side, they must consist of DOS formatted <indexterm id="ch06-idx-968122-0"><primary>carriage-returns for scripts</primary></indexterm> +<indexterm id="ch06-idx-968122-1"><primary>DOS-formated carriage returns</primary></indexterm> +<indexterm id="ch06-idx-968122-2"><primary>Unix</primary><secondary> carriage returns</secondary></indexterm>carriage-return/linefeed characters instead of Unix carriage returns. It's best to use a DOS- or Windows-based editor to create them.</para> + + +<para>Here is an example of a logon script that sets the current time to match that of the Samba server and maps two network drives, <literal>h</literal> and <literal>i</literal>, to individual shares on the server:</para> + + +<programlisting># Reset the current time to that shown by the server. +# We must have the "time server = yes" option in the +# smb.conf for this to work. + +echo Setting Current Time... +net time \\hydra /set /yes + +# Here we map network drives to shares on the Samba +# server +echo Mapping Network Drives to Samba Server Hydra... +net use h: \\hydra\data +net use i: \\hydra\network</programlisting> + + +<sect2 role="" label="6.6.1" id="ch06-SECT-6.0.1"> +<title>Roaming profiles</title> + + +<para><firstterm></firstterm> +<indexterm id="ch06-idx-968132-0" class="startofrange"><primary>profiles</primary><secondary>roaming</secondary></indexterm> +<indexterm id="ch06-idx-968132-1" class="startofrange"><primary>roaming profiles</primary></indexterm>In Windows 95 and NT, each user can have his or her own <firstterm>profile</firstterm> +<indexterm id="ch06-idx-968123-0"><primary>profiles</primary></indexterm>. A profile bundles information such as: the appearance of a user's desktop, the applications that appear on the start menus, the background, and other miscellaneous items. If the profile is stored on a local disk, it's called a <firstterm>local profile</firstterm> +<indexterm id="ch06-idx-968124-0"><primary>profiles</primary><secondary>local</secondary></indexterm> +<indexterm id="ch06-idx-968124-1"><primary>local profiles</primary></indexterm>, since it describes what a user's environment is like on one machine. If the profile is stored on a server, on the other hand, the user can download the same profile to any client machine that is connected to the server. The latter is called a <firstterm>roaming profile</firstterm> because the user can roam around from machine to machine and still use the same profile. This makes it particularly convenient when someone might be logging in from his or her desk one day and from a portable in the field the next. <link linkend="ch06-71393">Figure 6.6</link> illustrates local and roaming profiles.</para> + + +<figure label="6.6" id="ch06-71393"> +<title>Local profiles versus roaming profiles</title> + +<graphic width="502" depth="303" fileref="figs/sam.0606.gif"></graphic> +</figure> + +<para>Samba will provide roaming profiles if it is configured for domain logons and you provide a tree of directories pointed to by the <literal>logon</literal> <literal>path</literal> option. This option is typically used with one of the user variables, as shown in this example:</para> + + +<programlisting>[global] + domain logons = yes + security = user + workgroup = SIMPLE + os level = 34 + local master = yes + preferred master = yes + domain master = yes + + logon path = \\hydra\profile\%U</programlisting> + + +<para>We need to create a new share to support the profiles, which is a basic disk share accessible only by the Samba process' user (<literal>root</literal>). This share must be writeable, but should not be browseable. In addition, we must create a directory for each user who wishes to log on (based on how we specified our <literal>logon</literal> <literal>path</literal> in the example above), which is accessible only by that user. For an added measure of security, we use the <literal>directory</literal> <literal>mode</literal> and <literal>create</literal> <literal>mode</literal> options to keep anyone who connects to it from viewing or altering the files created in those directories:</para> + + +<programlisting>[profile] + comment = User profiles + path = /export/samba/profile + create mode = 0600 + directory mode = 0700 + writable = yes + browsable = no</programlisting> + + +<para>Once a user initially logs on, the Windows client will create a <filename>user.dat</filename> or <filename>ntuser.dat</filename> file—depending on which operating system the client is running. The client then uploads the contents of the desktop, the Start Menu, the Network Neighborhood, and the programs folders in individual folders in the directory. When the user subsequently logs on, those contents will be downloaded from the server and activated for the client machine with which the user is logging on. When he or she logs off, those contents will be uploaded back on the server until the next time the user connects. If you look at the directory listing of a profile folder, you'll see the following:</para> + + +<programlisting># ls -al + +total 321 +drwxrwxr-x 9 root simple Jul 21 20:44 . +drwxrwxr-x 4 root simple Jul 22 14:32 .. +drwxrwx--- 3 fred develope Jul 12 07:15 Application Data +drwxrwx--- 3 fred develope Jul 12 07:15 Start Menu +drwxrwx--- 2 fred develope Jul 12 07:15 cookies +drwxrwx--- 2 fred develope Jul 12 07:15 desktop +drwxrwx--- 7 fred develope Jul 12 07:15 history +drwxrwx--- 2 fred develope Jul 12 07:15 nethood +drwxrwx--- 2 fred develope Jul 19 21:05 recent +-rw------- 1 fred develope Jul 21 21:59 user.dat</programlisting> + + +<para>The <filename>user.dat</filename> files are binary configuration files, created automatically by Windows. They can be edited with the Profile Editor on a Windows client, but they can be somewhat tricky to get correct. Samba supports them correctly for all clients up to NT 5.0 beta, but they're still relatively new<firstterm></firstterm> +<indexterm id="ch06-idx-968138-0" class="endofrange" startref="ch06-idx-968132-0"/> +<indexterm id="ch06-idx-968138-1" class="endofrange" startref="ch06-idx-968132-1"/>.</para> + + +<tip role="ora"> +<para>Hints and HOWTOs for handling logon scripts are available in the Samba documentation tree, in both <filename>docs/textdocs/DOMAIN.txt</filename> and <filename>docs/textdocs/PROFILES.txt</filename>.<firstterm></firstterm> +<indexterm id="ch06-idx-968148-0"><primary>profiles</primary><secondary>roaming</secondary></indexterm> +<indexterm id="ch06-idx-968148-1"><primary>roaming profiles</primary></indexterm></para> + +</tip> +</sect2> + + + + + +<sect2 role="" label="6.6.2" id="ch06-SECT-6.0.2"> +<title>Mandatory profiles</title> + + +<para> +<indexterm id="ch06-idx-968144-0"><primary>profiles</primary><secondary>mandatory</secondary></indexterm> +<indexterm id="ch06-idx-968144-1"><primary>mandatory profiles</primary></indexterm>Users can also have <firstterm>mandatory profiles</firstterm>, which are roaming profiles that they cannot change. For example, with a mandatory profile, if a user adds a command to the Start Menu on Tuesday, it will be gone when he or she logs in again on Wednesday. The mandatory profile is simply a <filename>user.dat</filename> file that has been renamed to <filename>user.man</filename> and made read-only on the Unix server. It normally contains settings that the administrator wishes to ensure the user always executes. For example, if an administrator wants to create a <indexterm id="ch06-idx-968145-0"><primary>fixed user configuration</primary></indexterm>fixed user configuration, he or she can do the following:</para> + + +<orderedlist> +<listitem><para>Create the read-write directory on the Samba server.</para></listitem> +<listitem><para>Set the <literal>logon</literal> <literal>path</literal> option in the <emphasis>smb.conf</emphasis> file to point to this directory.</para></listitem> +<listitem><para>Logon as the user from Windows 95/98 to have the client populate the directory.</para></listitem> +<listitem><para>Rename the resulting <filename>user.dat</filename> to <filename>user.man</filename>.</para></listitem> +<listitem><para>Make the directory and its contents read only.</para></listitem> +</orderedlist> + +<para>Mandatory profiles are fairly unusual. Roaming profiles, on the other hand, are one of the more desirable features of Windows that Samba can support.</para> +</sect2> + + + + +<sect2 role="" label="6.6.3" id="ch06-SECT-6.1"> +<title>Logon Script Options</title> + + +<para> +<indexterm id="ch06-idx-968152-0" class="startofrange"><primary>logon scripts</primary><secondary>options for</secondary></indexterm><link linkend="ch06-46661">Table 6.10</link> summarizes the options commonly used in association with Windows domain logon scripts.</para> + + +<table label="6.10" id="ch06-46661"> +<title>Logon Script Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>logon script</literal></para></entry> + +<entry colname="col2"><para>string (DOS path)</para></entry> + +<entry colname="col3"><para>Name of DOS/NT batch file</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>logon path</literal></para></entry> + +<entry colname="col2"><para>string (UNC server and share name)</para></entry> + +<entry colname="col3"><para>Location of roaming profile for user</para></entry> + +<entry colname="col4"><para><literal>\\%N\%U\profile</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>logon drive</literal></para></entry> + +<entry colname="col2"><para>string (drive letter)</para></entry> + +<entry colname="col3"><para>Specifies the logon drive for a home directory (NT only)</para></entry> + +<entry colname="col4"><para><literal>Z</literal>:</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>logon home</literal></para></entry> + +<entry colname="col2"><para>string (UNC server and share name)</para></entry> + +<entry colname="col3"><para>Specifies a location for home directories for clients logging on to the domain</para></entry> + +<entry colname="col4"><para><literal>\\%N\%U</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.6.3.1" id="ch06-SECT-6.1.1"> +<indexterm id="ch06-idx-969510-0"><primary>logon script option</primary></indexterm> +<title> +logon script</title> + + +<para>This option specifies a Windows .BAT or .CMD file with lines ending in carriage-return/line feed that will be executed on the client after a user has logged on to the domain. Each logon script should be stored at the base of a share entitled <literal>[netlogin]</literal> (see <link linkend="ch06-36822">Section 6.5.1</link> for details.) This option frequently uses the <literal>%U</literal> or <literal>%m</literal> variables (user or NetBIOS name) to point to an individual script. For example:</para> + + +<programlisting>logon script = %U.bat</programlisting> + + +<para>will execute a script based on the username located at the base of the <literal>[netlogin]</literal> share. If the user who is connecting is <literal>fred</literal> and the path of the <literal>[netlogin]</literal> share maps to the directory <filename>/export/samba/netlogin</filename>, the script should be <filename>/export/samba/netlogin/fred.bat</filename>. Because these scripts are downloaded to the client and executed on the Windows side, they must consist of DOS formatted carriage-return/linefeed characters instead of Unix carriage returns.</para> +</sect3> + + + +<sect3 role="" label="6.6.3.2" id="ch06-SECT-6.1.2"> +<indexterm id="ch06-idx-969513-0"><primary>logon path option</primary></indexterm> +<title> +logon path</title> + + +<para>This option provides a location for <indexterm id="ch06-idx-968161-0"><primary>roaming profiles</primary><secondary>option for location of</secondary></indexterm> +<indexterm id="ch06-idx-968161-1"><primary>profiles</primary><secondary>roaming</secondary><tertiary>option for location of</tertiary></indexterm>roaming profiles. When the user logs on, a roaming profile will be downloaded from the server to the client and activated for the user who is logging on. When the user logs off, those contents will be uploaded back on the server until the next time the user connects.</para> + + +<para>It is often more secure to create a separate share exclusively for storing user profiles:</para> + + +<programlisting>logon path = \\hydra\profile\%U</programlisting> + + +<para>For more informaiton on this option, see <link linkend="ch06-38153">Section 6.6</link> earlier in this chapter.</para> +</sect3> + + + +<sect3 role="" label="6.6.3.3" id="ch06-SECT-6.1.3"> +<indexterm id="ch06-idx-969514-0"><primary>logon drive option</primary></indexterm> +<title> +logon drive</title> + + +<para>This option specifies the drive letter on an NT client to which the home directory specified with the <literal>logon</literal> <literal>home</literal> option will be mapped. Note that this option will work with Windows NT clients only. For example:</para> + + +<programlisting>logon home = I:</programlisting> + + +<para>You should always use drive letters that will not conflict with fixed drives on the client machine. The default is Z:, which is a good choice because it is as far away from A:, C:, and D: as possible.</para> +</sect3> + + + +<sect3 role="" label="6.6.3.4" id="ch06-SECT-6.1.4"> +<indexterm id="ch06-idx-969517-0"><primary>logon home option</primary></indexterm> +<title> +logon home </title> + + +<para>This option specifies the location of a user's <indexterm id="ch06-idx-968162-0"><primary>home directory, user's</primary><secondary>logon script option for location of</secondary></indexterm> +<indexterm id="ch06-idx-968162-1"><primary>users</primary><secondary>home directory</secondary><tertiary>logon script option for location of</tertiary></indexterm>home directory for use by the DOS NET commands. For example, to specify a home directory as a share on a Samba server, use the following:</para> + + +<programlisting>logon home = \\hydra\%U</programlisting> + + +<para>Note that this works nicely with the <literal>[homes]</literal> service, although you can specify any directory you wish. Home directories can be mapped with a logon script using the following command:</para> + + +<programlisting>NET USE I: /HOME</programlisting> + + +<para>In addition, you can use the User Environment Profile under User Properties in the Windows NT User Manager to verify that the home directory has automatically been set.<indexterm id="ch06-idx-968155-0" class="endofrange" startref="ch06-idx-968152-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.6.4" id="ch06-SECT-6.2"> +<title>Other Connection Scripts</title> + + +<para> +<indexterm id="ch06-idx-968164-0"><primary>scripts</primary><secondary>connection</secondary></indexterm> +<indexterm id="ch06-idx-968164-1"><primary>connections</primary><secondary>scripts for</secondary></indexterm>After a user successfully makes a connection to any Samba share, you may want the Samba server to execute a program on its side to prepare the share for use. Samba allows scripts to be executed before and after someone connects to a share. You do not need to be using Windows domains to take advantage of the options. <link linkend="ch06-67528">Table 6.11</link> introduces some of the configuration options provided for setting up users.</para> + + +<table label="6.11" id="ch06-67528"> +<title>Connection Script Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>root preexec</literal></para></entry> + +<entry colname="col2"><para>string (Unix command)</para></entry> + +<entry colname="col3"><para>Sets a command to run as <literal>root</literal>, before connecting to the share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>preexec (exec)</literal></para></entry> + +<entry colname="col2"><para>string (Unix command)</para></entry> + +<entry colname="col3"><para>Sets a Unix command to run as the user before connecting to the share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>postexec</literal></para></entry> + +<entry colname="col2"><para>string (Unix command)</para></entry> + +<entry colname="col3"><para>Sets a Unix command to run as the user after disconnecting from the share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>root postexec</literal></para></entry> + +<entry colname="col2"><para>string (Unix command)</para></entry> + +<entry colname="col3"><para>Sets a Unix command to run as <literal>root</literal> after disconnecting from the share.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.6.4.1" id="ch06-SECT-6.2.1"> +<indexterm id="ch06-idx-969520-0"><primary>root preexec option</primary></indexterm> +<title> +root preexec</title> + + +<para>The first form of the logon command is called <literal>root</literal> <literal>preexec</literal>. This option specifies a Unix command as its value that will be run <emphasis>as the root user</emphasis> before any connection to a share is completed. You should use this option specifically for performing actions that require <indexterm id="ch06-idx-968166-0"><primary>root user</primary></indexterm> +<indexterm id="ch06-idx-968166-1"><primary>privileges, option for</primary></indexterm>root privilege. For example, <literal>root</literal> <literal>preexec</literal> can be used to mount CD-ROMs for a share that makes them available to the clients, or to create necessary directories. If no <literal>root</literal> <literal>preexec</literal> option is specified, there is no default action. Here is an example of how you can use the command to mount a CD-ROM:</para> + + +<programlisting>[homes] + browseable = no + writeable = yes + root preexec = /etc/mount /dev/cdrom2</programlisting> + + +<para>Remember that these commands will be run as the root user. Therefore, in order to ensure security, users should never be able to modify the target of the <literal>root</literal> <literal>preexec</literal> command.</para> +</sect3> + + + +<sect3 role="" label="6.6.4.2" id="ch06-SECT-6.2.2"> +<indexterm id="ch06-idx-969523-0"><primary>preexec option</primary></indexterm> +<title> +preexec</title> + + +<para>The next option run before logon is the <literal>preexec</literal> option, sometimes just called <literal>exec</literal>. This is an ordinary unprivileged command run by Samba as the user specified by the variable <literal>%u</literal>. For example, a common use of this option is to perform <indexterm id="ch06-idx-968167-0"><primary>log files/logging</primary><secondary>options for</secondary></indexterm>logging, such as the following:</para> + + +<programlisting>[homes] +<userinput>preexec = echo "%u connected to %S from %m (%I)\" >>/tmp/.log</userinput></programlisting> + + +<para>Be warned that any information the command sends to standard output will not be seen by the user, but is instead thrown away. If you intend to use a <literal>preexec</literal> script, you should ensure that it will run correctly before having Samba invoke it.</para> +</sect3> + + + +<sect3 role="" label="6.6.4.3" id="ch06-SECT-6.2.3"> +<indexterm id="ch06-idx-969524-0"><primary>postexec option</primary></indexterm> +<title> +postexec</title> + + +<para>Once the user disconnects from the share, the command specified with <literal>postexec</literal> is run as the user on the Samba server to do any necessary cleanup. This option is essentially the same as the <literal>preexec</literal> option. Again, remember that the command is run as the user represented by <literal>%u</literal> and any information sent to standard output will be ignored.</para> +</sect3> + + + +<sect3 role="" label="6.6.4.4" id="ch06-SECT-6.2.4"> +<indexterm id="ch06-idx-969525-0"><primary>root postexec option</primary></indexterm> +<title> +root postexec</title> + + +<para>Following the <literal>postexec</literal> option, the <literal>root</literal> <literal>postexec</literal> command is run, if one has been specified. Again, this option specifies a Unix command as its value that will be run <emphasis>as the</emphasis> <indexterm id="ch06-idx-968179-0"><primary>root user</primary></indexterm> +<indexterm id="ch06-idx-968179-1"><primary>privileges, option for</primary></indexterm><emphasis>root user</emphasis> before disconnecting from a share. You should use this option specifically for performing actions that require root privilege.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="6.6.5" id="ch06-SECT-6.3"> +<title>Working with NIS and NFS</title> + + +<para>Finally, Samba has the ability to work with <indexterm id="ch06-idx-968184-0"><primary>NIS/NIS+ protocol</primary><secondary>how Samba works with</secondary></indexterm>NIS and NIS+. If there is more than one file server, and each runs Samba, it may be desirable to have the SMB client connect to the server whose disks actually house the user's home directory. It isn't normally a good idea to ship files across the network once via NFS to a Samba server, only to be sent across the network once again to the client via SMB. (For one thing, it's slow—about 30 percent of normal Samba speed). Therefore, there are a pair of options to tell Samba that NIS knows the name of the right server and indicate in which NIS map the information lives.</para> + + +<para><link linkend="ch06-27466">Table 6.12</link> introduces some of the other configuration options specifically for setting up users.</para> + + +<table label="6.12" id="ch06-27466"> +<title>NIS Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>nis homedir</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, use NIS instead of <filename>/etc/passwd</filename> to look up the path of a user's home directory</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>homedir map</literal></para></entry> + +<entry colname="col2"><para>string (NIS map name)</para></entry> + +<entry colname="col3"><para>Sets the NIS map to use to look up a user's home directory</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="6.6.5.1" id="ch06-SECT-6.3.1"> +<title>nis homedir and homedir map</title> + + +<para>The <literal>nis</literal> +<indexterm id="ch06-idx-969528-0"><primary>nis homedir option</primary></indexterm> +<indexterm id="ch06-idx-969528-1"><primary>homedir map option</primary></indexterm> <literal>homedir</literal> and <literal>homedir</literal> <literal>map</literal> options are for Samba servers on network sites where Unix home directories are provided using NFS, the automounter, and NIS (Yellow Pages).</para> + + +<para>The <literal>nis</literal> <literal>homedir</literal> option indicates that the home directory server for the user needs to be looked up in NIS. The <literal>homedir</literal> <literal>map</literal> option tells Samba what NIS map to look in for the server that has the user's home directory. The server needs to be a Samba server, so the client can do an SMB connect to it, and the other Samba servers need to have NIS installed so they can do the lookup.</para> + + +<para>For example, if user <literal>joe</literal> asks for a share called <literal>[joe]</literal>, and the <literal>nis</literal> <literal>homedir</literal> option is set to <literal>yes</literal>, Samba will look in the file specified by <literal>homedir</literal> <literal>map</literal> for a home directory for <literal>joe</literal>. If it finds one, Samba will return the associated machine name to the client. The client will then try to connect to <emphasis>that</emphasis> machine and get the share from there. Enabling NIS lookups looks<indexterm id="ch06-idx-967545-0" class="endofrange" startref="ch06-idx-967542-0"/> +<indexterm id="ch06-idx-967545-1" class="endofrange" startref="ch06-idx-967542-1"/> +<indexterm id="ch06-idx-967545-2" class="endofrange" startref="ch06-idx-967542-2"/> like the following:</para> + + +<programlisting>[globals] + nis homedir = yes + homedir map = amd.map</programlisting> +</sect3> +</sect2> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch07.xml b/docs-xml/using_samba/ch07.xml new file mode 100644 index 0000000000..9ecdae7049 --- /dev/null +++ b/docs-xml/using_samba/ch07.xml @@ -0,0 +1,1932 @@ +<chapter label="7" id="SAMBA-CH-7"> +<title>Printing and Name Resolution</title> + + + + +<para> +<indexterm id="ch07-idx-956351-0" class="startofrange"><primary>printing</primary></indexterm>This chapter tackles two Samba topics: setting up printers for use with a Samba server and configuring Samba to use or become a Windows Internet Name Service (WINS) server. Samba allows client machines to send documents to printers connected to the Samba server. In addition, Samba can also assist you with printing Unix documents to a printer on a Windows machine. In the first part of this chapter, we will discuss how to get printers configured to work on either side.</para> + + +<para>In the second half of the chapter, we will introduce the Windows Internet Name Service, Microsoft's implementation of a NetBIOS Name Server (NBNS). As mentioned in <link linkend="ch01-48078">Chapter 1</link>, an NBNS allows machines to perform name resolution on a NetBIOS network without having to rely on broadcasts. Instead, each machine knows exactly where the WINS server is and can query it for the IP addresses of other machines on the network.</para> + + + + + + + + + + + +<sect1 role="" label="7.1" id="ch07-61388"> +<title>Sending Print Jobs to Samba</title> + + +<para> +<indexterm id="ch07-idx-956360-0" class="startofrange"><primary>printing</primary><secondary sortas="Samba">through Samba</secondary></indexterm>A printer attached to the Samba server shows up in the list of shares offered in the Network Neighborhood. If the printer is registered on the client machine and the client has the correct printer driver installed, the client can effortlessly send print jobs to a printer attached to a Samba server. <link linkend="ch07-35075">Figure 7.1</link> shows a Samba printer as it appears in the Network Neighborhood of a Windows client.</para> + + +<para> +<indexterm id="ch07-idx-956377-0"><primary>printing</primary><secondary>on a network, steps in</secondary></indexterm> +<indexterm id="ch07-idx-956377-1"><primary>networking</primary><secondary>printing on a network, steps in</secondary></indexterm>To administer printers with Samba, you should understand the basic process by which printing takes place on a network. Sending a print job to a printer on a Samba server involves four steps:</para> + + +<orderedlist> +<listitem><para>Opening and authenticating a connection to the printer share</para></listitem> +<listitem><para>Copying the file over the network</para></listitem> +<listitem><para>Closing the connection</para></listitem> +<listitem><para>Printing and deleting the copy of the file</para> + + +<figure label="7.1" id="ch07-35075"> +<title>A Samba printer in the Network Neighborhood</title> + +<graphic width="502" depth="171" fileref="figs/sam.0701.gif"></graphic> +</figure></listitem> +</orderedlist> + +<para>When a print job arrives at a Samba server, the print data is temporarily written to disk in the directory specified by the <literal>path</literal> option of the printer share. Samba then executes a Unix print command to send that data file to the printer. The job is printed as the authenticated user of the share. Note that this may be the guest user, depending on how the share is configured.</para> + + +<sect2 role="" label="7.1.1" id="ch07-SECT-1.1"> +<title>Print Commands</title> + + +<para> +<indexterm id="ch07-idx-956378-0"><primary>printing</primary><secondary>commands</secondary></indexterm>In order to print the document, you'll need to tell Samba what the command is to print and delete a file. On Linux, such a command is:</para> + + +<programlisting>lpr -r -P<replaceable>printer</replaceable> <replaceable>file</replaceable></programlisting> + + +<para>This tells <literal>lpr</literal> to copy the document to a spool area, usually <filename>/var/spool</filename>, retrieve the name of the printer in the system configuration file (<filename>/etc/printcap</filename>), and interpret the rules it finds there to decide how to process the data and which physical device to send it to. Note that because the <literal>-r</literal> option has been listed, the file specified on the command line will be deleted after it has been printed. Of course, the file removed is just a copy stored on the Samba server; the original file on the client is unaffected.</para> + + +<para>Linux uses a Berkeley (BSD) style of printing. However, the process is similar on System V Unix. Here, printing and deleting becomes a compound command:</para> + + +<programlisting>lp -d<replaceable>printer</replaceable> -s <replaceable>file</replaceable>; rm <replaceable>file</replaceable></programlisting> + + +<para>With System V, the <filename>/etc/printcap</filename> file is replaced with different set of configuration files hiding in <filename>/usr/spool/lp</filename>, and there is no option to delete the file. You have to do it yourself, which is why we have added the <literal>rm</literal> command afterward.</para> +</sect2> + + + + + +<sect2 role="" label="7.1.2" id="ch07-SECT-1.2"> +<title>Printing Variables</title> + + +<para> +<indexterm id="ch07-idx-956380-0"><primary>printing</primary><secondary>variables for</secondary></indexterm>Samba provides four variables specifically for use with <indexterm id="ch07-idx-956450-0" class="startofrange"><primary>printing</primary><secondary>configuration options</secondary></indexterm>printing configuration options. They are shown in <link linkend="ch07-29758">Table 7.1</link>.</para> + + +<table label="7.1" id="ch07-29758"> +<title>Printing Variables </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Variable</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>%s</literal></para></entry> + +<entry colname="col2"><para>The full pathname of the file on the Samba server to be printed</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%f</literal></para></entry> + +<entry colname="col2"><para>The name of the file itself (without the preceding path) on the Samba server to be printed</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%p</literal></para></entry> + +<entry colname="col2"><para>The name of the Unix printer to use</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%j</literal></para></entry> + +<entry colname="col2"><para>The number of the print job (for use with <literal>lprm</literal>, <literal>lppause</literal>, and <literal>lpresume</literal>)</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect2> + + + + + +<sect2 role="" label="7.1.3" id="ch07-SECT-1.3"> +<title>A Minimal Printing Setup</title> + + +<para> +<indexterm id="ch07-idx-956382-0" class="startofrange"><primary>printing</primary><secondary>configuration, minimal</secondary></indexterm>Let's start with a simple but illustrative printing share. Assuming that you're on a Linux system and you have a printer called <literal>lp</literal> listed in the printer capabilities file, the following addition to your <filename>smb.conf</filename> +<indexterm id="ch07-idx-956439-0"><primary>smb.conf (Samba configuration) file</primary><secondary>configuring printers</secondary></indexterm> file will make the printer accessible through the network:</para> + + +<programlisting>[printer1] + printable = yes + print command = /usr/bin/lpr -r %s + printer = lp + printing = BSD + read only = yes + guest ok = yes</programlisting> + + +<para>This configuration allows anyone to send data to the printer, something we may want to change later. For the moment, what's important to understand is that the variable <literal>%s</literal> in the <literal>print</literal> <literal>command</literal> option will be replaced with the name of the file to be printed when Samba executes the command. Changing the <literal>print command</literal> to reflect a different style of Unix machine typically involves only replacing the right side of the <literal>print</literal> <literal>command</literal> option with whatever command you need for your system and changing the target of the <literal>printing</literal> option.</para> + + +<para>Let's look at the commands for a <indexterm id="ch07-idx-956440-0"><primary>System V Unix</primary><secondary>printer configuration for</secondary></indexterm> +<indexterm id="ch07-idx-956440-1"><primary>Unix</primary><secondary>System V</secondary><tertiary>printer configuration for</tertiary></indexterm>System V Unix. With variable substitution, the System V Unix command becomes:</para> + + +<programlisting>print command = lp -d%p -s %s; rm %s</programlisting> + + +<para>As mentioned earlier, the <literal>%p</literal> variable resolves to the name of the printer, while the <literal>%s</literal> variable resolves to the name of the file. After that, you can change the <literal>printing</literal> option to reflect that you're using a System V architecture:</para> + + +<programlisting>printing = SYSV</programlisting> + + +<para>If you are using <indexterm id="ch07-idx-956441-0"><primary>share-level security</primary><secondary>printing and guest accounts</secondary></indexterm>share-level security, pay special attention to the guest account used by Samba. The typical setting, <literal>nobody</literal>, may not be allowed to print by the operating system. If that's true for your operating system, you should place a <literal>guest</literal> <literal>account</literal> option under the <indexterm id="ch07-idx-956445-0"><primary>print shares</primary></indexterm>printing share (or even perhaps the global share) specifying an account that can. A popular candidate with the Samba authors is the <literal>ftp</literal> account, which is often preconfigured to be safe for untrusted guest users. You can set it with the following command:</para> + + +<programlisting>guest account = ftp</programlisting> + + +<para>Another common printing issue is that clients may need to request the status of a <indexterm id="ch07-idx-956443-0"><primary>printing</primary><secondary>print jobs</secondary></indexterm>print job sent to the Samba server. Samba will not reject a document from being sent to an already busy printer share. Consequently, Samba needs the ability to communicate not only the status of the current printing job to the client, but also which documents are currently waiting to be printed on that printer. Samba also has to provide the client the ability to pause print jobs, resume print jobs, and remove print jobs from the printing queue. Samba provides options for each of these tasks. As you might expect, they borrow functionality from existing Unix commands. The options are:</para> + + +<itemizedlist> +<listitem><para><literal>lpq command</literal></para></listitem> +<listitem><para><literal>lprm command</literal></para></listitem> +<listitem><para><literal>lppause command</literal></para></listitem> +<listitem><para><literal>lpresume command</literal></para></listitem> +</itemizedlist> + +<para>We will cover these options in more detail below. For the most part, however, the value of the <literal>printing</literal> configuration option will determine their values, and you should not need to alter the default values of these options.</para> + + +<para>Here are a few important items to remember about printing shares:</para> + + +<itemizedlist> +<listitem><para>You must put <literal>printable</literal> <literal>=</literal> <literal>yes</literal> in all printer shares (even <literal>[printers]</literal>), so that Samba will know that they are printer shares. If you forget, the shares will not be usable for printing and will instead be treated as disk shares.</para></listitem> +<listitem><para>If you set the <literal>path</literal> configuration option in the printer section, any files sent to the printer(s) will be copied to the directory you specify instead of to the default location of <filename>/tmp</filename>. As the amount of disk space allocated to <filename>/tmp</filename> can be relatively small in some Unix operating systems, many administrators opt to use <filename>/var/spool</filename> or some other directory instead.</para></listitem> +<listitem><para>The <literal>read only</literal> option is ignored for printer shares.</para></listitem> +<listitem><para>If you set <literal>guest</literal> <literal>ok</literal> <literal>=</literal> <literal>yes</literal> in a printer share and Samba is configured for share-level security, it will allow anyone to send data to the printer as the <literal>guest</literal> <literal>account</literal> user.</para></listitem> +</itemizedlist> + +<para>Using one or more Samba machines as a print server gives you a great deal of flexibility on your LAN. You can easily partition your available printers, restricting some to members of one department, or you can maintain a bank of printers available to all. In addition, you can restrict a printer to a selected few by adding the trusty <literal>valid</literal> <literal>users</literal> option to its share definition:</para> + + +<programlisting>[deskjet] + printable = yes + path = /var/spool/samba/print + valid users = gail sam</programlisting> + + +<para>All of the other share accessibility options defined in the previous chapter should work for printing shares as well. Since the printers themselves are accessed through Samba by name, it's also simple to delegate print services among several servers using familiar Unix commands for tasks such as load balancing or maintenance.<indexterm id="ch07-idx-956385-0" class="endofrange" startref="ch07-idx-956382-0"/></para> +</sect2> + + + + + +<sect2 role="" label="7.1.4" id="ch07-SECT-1.4"> +<title>The [printers] Share</title> + + +<para> +<indexterm id="ch07-idx-956390-0"><primary>print shares</primary></indexterm><link linkend="ch04-21486">Chapter 4</link>, briefly introduced <literal>[printers]</literal>, a special share for automatically creating printing services. Let's review how it works: if you create a share named <literal>[printers]</literal> in the configuration file, Samba will automatically read in your printer capabilities file and create a printing share for each printer that appears in the file. For example, if the Samba server had <literal>lp</literal>, <literal>pcl</literal> and <literal>ps</literal> printers in its printer capabilities file, Samba would provide three printer shares with those names, each configured with the options in the <literal>[printers]</literal> share.</para> + + +<para> +<indexterm id="ch07-idx-956509-0"><primary>print shares</primary><secondary>created by Samba</secondary></indexterm>Recall that Samba obeys following rules when a client requests a share that has not been created through the <filename>smb.conf</filename> file:</para> + + +<itemizedlist> +<listitem><para>If the share name matches a username in the system password file and a <literal>[homes]</literal> share exists, a new share is created with the name of the user and is initialized using the values given in the <literal>[homes]</literal> and <literal>[global]</literal> sections.</para></listitem> +<listitem><para>Otherwise, if the name matches a printer in the system printer capabilities file, and a <literal>[printers]</literal> share exists, a new share is created with the name of the printer and initialized using the values given in the <literal>[printers]</literal> section. (Variables in the <literal>[global]</literal> section do not apply here.)</para></listitem> +<listitem><para>If neither of those succeed, Samba looks for a <literal>default</literal> <literal>service</literal> share. If none is found, it returns an error.</para></listitem> +</itemizedlist> + +<para>This brings to light an important point: be careful that you do not give a <indexterm id="ch07-idx-956508-0"><primary>printers</primary><secondary>names</secondary><tertiary>caution with</tertiary></indexterm>printer the same name as a user. Otherwise, you will end up connecting to a disk share when you may have wanted a printer share instead.</para> + + +<para>Here is an example <literal>[printers]</literal> share for a Linux (BSD) system. Some of these options are already defaults; however, we have listed them anyway for illustrative purposes:</para> + + +<programlisting>[global] + printing = BSD + print command = /usr/bin/lpr -P%p -r %s + printcap file = /etc/printcap + min print space = 2000 + +[printers] + path = /usr/spool/public + printable = true + guest ok = true + guest account = pcguest</programlisting> + + +<para>Here, we've given Samba global options that specify the printing type (BSD), a print command to send data to the printer and remove a temporary file, our default printer capabilities file, and a minimum printing space of 2 megabytes.</para> + + +<para>In addition, we've created a <literal>[printers]</literal> share for each of the system printers. Our temporary spooling directory is specified by the <literal>path</literal> option: <filename>/usr/spool/public</filename>. Each of the shares is marked as printable—this is necessary, even in the <literal>[printers]</literal> section. The two <literal>guest</literal> options are useful in the event that Samba is using share-level security: we allow guest access to the printer and we specify the guest user that Samba should use to execute print commands.</para> +</sect2> + + + + + +<sect2 role="" label="7.1.5" id="ch07-SECT-1.5"> +<title>Test Printing</title> + + +<para> +<indexterm id="ch07-idx-956391-0"><primary>printing</primary><secondary>test for</secondary></indexterm>Here is how you can test printing from the Samba server. Let's assume the most complex case and use a guest account. First, run the Samba <emphasis>testparm</emphasis> command on your configuration file that contains the print shares, as we did in <link linkend="SAMBA-CH-2">Chapter 2</link>. This will tell you if there are any syntactical problems with the configuration file. For example, here is what you would see if you left out the <literal>path</literal> configuration option in the previous example:</para> + + +<programlisting># testparm +Load smb config files from /usr/local/samba/lib/smb.conf +Processing configuration file "/usr/local/samba/lib/smb.conf" +Processing section "[global]" +Processing section "[homes]" +Processing section "[data]" +Processing section "[printers]" +No path in service printers - using /tmp +Loaded services file OK. +Press enter to see a dump of your service definitions +Global parameters: + load printers: Yes + printcap name: /etc/printcap +Default service parameters: + guest account: ftp + min print space: 0 + print command: lpr -r -P%p %s + lpq command: lpq -P%p + lprm command: lprm -P%p %j +lppause command: + lpresume command: + Service parameters [printers]: + path: /tmp + print ok: Yes + read only: true + public: true</programlisting> + + +<para>Second, try the command <literal>testprns</literal> <replaceable>printername</replaceable>. This is a simple program that verifies that the specified printer is available in your <emphasis>printcap</emphasis> file. If your <emphasis>printcap</emphasis> file is not in the usual place, you can specify its full pathname as the second argument to the <emphasis>testprns</emphasis> command:</para> + + +<programlisting># testprns lp /etc/printcap +Looking for printer lp in printcap file /etc/printcap +Printer name lp is valid.</programlisting> + + +<para>Next, log on as the guest user, go to the spooling directory, and ensure that you can print using the same command that <emphasis>testparm</emphasis> says Samba will use. As mentioned before, this will tell you if you need to change the guest account, as the default account may not be allowed to print.</para> + + +<para>Finally, print something to the Samba server via <literal>smbclient</literal>, and see if the following actions occur:</para> + + +<itemizedlist> +<listitem><para>The job appears (briefly) in the Samba spool directory specified by the path.</para></listitem> +<listitem><para>The job shows up in your print systems spool directory.</para></listitem> +<listitem><para>The job disappears from the spool directory that Samba used.</para></listitem> +</itemizedlist> + +<para>If <emphasis>smbclient</emphasis> cannot print, you can reset the <literal>print</literal> <literal>command</literal> option to collect debugging information:</para> + + +<programlisting>print command = /bin/cat %s >>/tmp/printlog; rm %s</programlisting> + + +<para>or:</para> + + +<programlisting>print command = echo "printed %s on %p" >>/tmp/printlog</programlisting> + + +<para>A common problem with Samba printer configuration is forgetting to use the full <indexterm id="ch07-idx-956511-0"><primary>pathnames</primary><secondary>printer configuration and</secondary></indexterm> +<indexterm id="ch07-idx-956511-1"><primary>printing</primary><secondary>pathnames used in comands for</secondary></indexterm>pathnames for commands; simple commands often don't work because the guest account's PATH doesn't include them. Another frequent problem is not having the correct <indexterm id="ch07-idx-956512-0"><primary>permissions</primary><secondary sortas="printing">for printing</secondary></indexterm> +<indexterm id="ch07-idx-956512-1"><primary>printing</primary><secondary>permissions for</secondary></indexterm>permissions on the spooling directory.<indexterm id="ch07-idx-956494-0" class="endofrange" startref="ch07-idx-956450-0"/></para> + + +<tip role="ora"> +<para> +<indexterm id="ch07-idx-956514-0"><primary>resources for further information</primary><secondary>printers, debuggiing</secondary></indexterm> +<indexterm id="ch07-idx-956514-1"><primary>printing</primary><secondary>resources for information on debugging</secondary></indexterm>There is more information on debugging printers in the Samba documentation (<filename>Printing.txt</filename>). In addition, the Unix print systems are covered in detail in AEleen Frisch's <emphasis>Essential Systems Administration</emphasis> (published by O'Reilly).</para> + +</tip> +</sect2> + + + + + +<sect2 role="" label="7.1.6" id="ch07-SECT-1.6"> +<title>Setting Up and Testing a Windows Client</title> + + +<para> +<indexterm id="ch07-idx-956392-0"><primary>printing</primary><secondary>Windows client printers</secondary><tertiary>setting up and testing</tertiary></indexterm> +<indexterm id="ch07-idx-956392-1"><primary>Windows clients</primary><secondary>printers for, setting up and testing</secondary></indexterm>Now that Samba is offering a workable printer, you need to set it up on a Windows client. Look at the Samba server in the Network Neighborhood. It should now show each of the printers that are available. For example, in <link linkend="ch07-35075">Figure 7.1</link>, we saw a printer called <literal>lp</literal>.</para> + + +<para>Next, you need to have the Windows client recognize the printer. Double-click on the printer icon to get started. If you try to select an uninstalled printer (as you just did), Windows will ask you if it should help configure it for the Windows system. Respond "Yes," which will open the Printer Wizard.</para> + + +<para>The first thing the wizard will ask is whether you need to print from DOS. Let's assume you don't, so choose No and press the Next button to get to the manufacturer/model window as shown in <link linkend="ch07-60084">Figure 7.2</link>.</para> + + +<figure label="7.2" id="ch07-60084"> +<title>A printer in the Network Neighborhood</title> + +<graphic width="502" depth="128" fileref="figs/sam.0702.gif"></graphic> +</figure> + +<para>In this dialog box, you should see a large list of manufacturers and models for almost every printer imaginable. If you don't see your printer on the list, but you know it's a PostScript printer, select Apple as the manufacturer and Apple LaserWriter as the model. This will give you the most basic Postscript printer setup, and arguably one of the most reliable. If you already have any Postscript printers attached, you will be asked about replacing or reusing the existing driver. Be aware that if you replace it with a new one, you may make your other printers fail. Therefore, we recommend you keep using your existing printer drivers as long as they're working properly.</para> + + +<para>Following that, the Printer Wizard will ask you to name the printer. <link linkend="ch07-69466">Figure 7.3</link> shows this example, where the name has defaulted to our second laserwriter. Here, you rename it from Apple Laserwriter (Copy 2) to "ps on Samba server," so you know where to look for the printouts. In reality, you can name the printer anything you want.</para> + + +<figure label="7.3" id="ch07-69466"> +<title>Printer manufacturers and models</title> + +<graphic width="502" depth="296" fileref="figs/sam.0703.gif"></graphic> +</figure> + +<para>Finally, the Printing Wizard asks if it should print a test page. Click on Yes, and you should be presented with the dialog in <link linkend="ch07-43374">Figure 7.4</link>.</para> + + +<figure label="7.4" id="ch07-43374"> +<title>Printing successfully completed</title> + +<graphic width="502" depth="232" fileref="figs/sam.0704.gif"></graphic> +</figure> + +<para>If the test printing was unsuccessful, press the No button in <link linkend="ch07-43374">Figure 7.4</link> and the Printing Wizard will walk you through some debugging steps for the client side of the process. If the test printing does work, congratulations! The remote printer will now be available to all your PC applications through the File and Print menu items.</para> +</sect2> + + + + + +<sect2 role="" label="7.1.7" id="ch07-30008"> +<title>Automatically Setting Up Printer Drivers</title> + + +<para> +<indexterm id="ch07-idx-956393-0" class="startofrange"><primary>printing</primary><secondary>drivers for, setting up</secondary></indexterm>The previous section described how to manually configure a printer driver for your Windows system. As a system administrator, however, you can't always guarantee that users can perform such a process without making mistakes. Luckily, however, you can ask Samba to automatically set up the printer drivers for a specific printer.</para> + + +<para>Samba has three options that can be used to automatically set up printer drivers for clients who are connecting for the first time. These options are <literal>printer</literal> <literal>driver</literal>, <literal>printer</literal> <literal>driver</literal> <literal>file</literal>, and <literal>printer</literal> <literal>driver</literal> <literal>location</literal>. This section explains how to use these options to allow users to skip over the Manufacturer dialog in the Add Printer Wizard above.</para> + + +<tip role="ora"> +<para>For more information on how to do this, see the <filename>PRINTER_DRIVER.TXT</filename> file in the Samba distribution documentation.</para> + +</tip> + +<para>There are four major steps:</para> + + +<orderedlist> +<listitem><para>Install the drivers for the printer on a Windows client (the printer need not be attached).</para></listitem> +<listitem><para>Create a printer definition file from the information on a Windows machine.</para></listitem> +<listitem><para>Create a <literal>PRINTER$</literal> share where the resulting driver files can be placed.</para></listitem> +<listitem><para>Modify the Samba configuration file accordingly.</para></listitem> +</orderedlist> + +<para>Let's go over each of the four steps in greater detail.</para> + + +<sect3 role="" label="7.1.7.1" id="ch07-SECT-1.7.1"> +<title>Install the drivers on a windows client</title> + + +<para>Use <indexterm id="ch07-idx-956517-0"><primary>Windows 95/98</primary><secondary>printer drivers, installing</secondary></indexterm>Windows 95/98 for this step. It doesn't matter which client you choose, as long as it has the ability to load the appropriate drivers for the printer. In fact, you don't even need to have the printer attached to the machine. All you're interested in here is getting the appropriate driver files into the Windows directory. First, go to the Printers window of My Computer and double-click on the Add Printer icon, as shown in <link linkend="ch07-52397">Figure 7.5</link>.</para> + + +<figure label="7.5" id="ch07-52397"> +<title>The Printers window</title> + +<graphic width="502" depth="223" fileref="figs/sam.0705.gif"></graphic> +</figure> + +<para>At this point, you can follow the Add Printer Wizard dialogs through to select the manufacturer and model of the printer in question. If it asks you if you want to print from MS-DOS, answer No. Windows should load the appropriate driver resources from its CD-ROM and ask you if you want to print a test page. Again, respond No and close the Add Printer Wizard dialog.</para> +</sect3> + + + +<sect3 role="" label="7.1.7.2" id="ch07-SECT-1.7.2"> +<title>Create a printer definition file</title> + + +<para>You can create a <indexterm id="ch07-idx-956518-0"><primary>printing</primary><secondary>printer definition file</secondary></indexterm>printer definition file by using the <filename>make_ printerdef</filename> script in the <filename>/usr/local/samba/bin</filename> directory. In order to use this script, you need to copy over the following four files from a Windows client:<footnote label="1" id="ch07-pgfId-951615"> + + +<para>Older Windows 95 clients may have only the first two files.</para> + + +</footnote></para> + + +<simplelist> + +<member><emphasis>C:\WINDOWS\INF\MSPRINT.INF</emphasis></member> + +<member><emphasis>C:\WINDOWS\INF\MSPRINT2.INF</emphasis></member> + +<member><emphasis>C:\WINDOWS\INF\MSPRINT3.INF</emphasis></member> + +<member><emphasis>C:\WINDOWS\INF\MSPRINT4.INF</emphasis></member> + +</simplelist> + + +<para>Once you have the four files, you can create a printer definition file using the appropriate printer driver and its .INF file. If the printer driver starts with the letters A-K, use either the <emphasis>MSPRINT.INF</emphasis> file or the <emphasis>MSPRINT3.INF</emphasis> file. If it begins with the letters L-Z, use the <emphasis>MSPRINT2.INF</emphasis> file or the <emphasis>MSPRINT4.INF</emphasis> file. You may need to <emphasis>grep</emphasis> through each of the files to see where your specific driver is. For the following example, we have located our driver in <emphasis>MSPRINT3.INF</emphasis> and created a printer definition file for a HP DeskJet 560C printer:</para> + + +<programlisting>$grep "HP DeskJet 560C Printer" MSPRINT.INF MSPRINT3.INF +MSPRINT3.INF: "HP DeskJet 560C Printer"=DESKJETC.DRV,HP_DeskJet_ ... + +$make_printerdef MSPRINT3.INF "HP DeskJet 560C Printer" >printers.def +FOUND:DESKJETC.DRV +End of section found +CopyFiles: DESKJETC,COLOR_DESKJETC +Datasection: (null) +Datafile: DESKJETC.DRV +Driverfile: DESKJETC.DRV +Helpfile: HPVDJC.HLP +LanguageMonitor: (null) + +Copy the following files to your printer$ share location: +DESKJETC.DRV +HPVCM.HPM +HPVIOL.DLL +HPVMON.DLL +HPVRES.DLL +HPCOLOR.DLL +HPVUI.DLL +HPVDJCC.HLP +color\HPDESK.ICM</programlisting> + + +<para>Note the files that the script asks you to copy. You'll need those for the next step.</para> +</sect3> + + + +<sect3 role="" label="7.1.7.3" id="ch07-SECT-1.7.3"> +<title>Create a PRINTER$ share</title> + + +<para> +<indexterm id="ch07-idx-956525-0"><primary>PRINTER$ share, creating</primary></indexterm>This part is relatively easy. Create a share called <literal>[PRINTER$]</literal> in your <filename>smb.conf</filename> that points to an empty directory on the Samba server. Once that is done, copy over the files that the <filename>make_ printerdef</filename> script requested of you into the location of the <literal>path</literal> configuration option for the <literal>[PRINTER$]</literal> share. For example, you can put the following in your configuration file:</para> + + +<programlisting>[PRINTER$] + path = /usr/local/samba/print + read only = yes + browsable = no + guest ok = yes</programlisting> + + +<para>The files requested by the <filename>make_ printerdef</filename> script are typically located in the <emphasis>C:\WINDOWS\SYSTEM</emphasis> directory, although you can use the following commands to find out exactly where they are:</para> + + +<programlisting>cd C:\WINDOWS +dir <replaceable>filename</replaceable> /s</programlisting> + + +<para>In this case, each of the files needs to be copied to the <filename>/usr/local/samba/print</filename> directory on the Samba server. In addition, copy the <filename>printers.def</filename> file that you created over to that share as well. Once you've done that, you're almost ready to go.</para> +</sect3> + + + +<sect3 role="" label="7.1.7.4" id="ch07-SECT-1.7.4"> +<title>Modify the Samba configuration file</title> + + +<para><filename></filename> +<indexterm id="ch07-idx-956532-0"><primary>smb.conf (Samba configuration) file</primary><secondary>modifying for printer drivers</secondary></indexterm>The last step is to modify the Samba configuration file by adding the following three options:</para> + + +<itemizedlist> +<listitem><para><literal>printer</literal> <literal>driver</literal></para></listitem> +<listitem><para><literal>printer</literal> <literal>driver</literal> <literal>file</literal></para></listitem> +<listitem><para><literal>printer</literal> <literal>driver</literal> <literal>location</literal></para></listitem> +</itemizedlist> + +<para>The <literal>printer</literal> <literal>driver</literal> <literal>file</literal> is a global option that points to the <filename>printers.def</filename> file; place that option in your <literal>[global]</literal> section. The other options should be set in the printer share for which you wish to automatically configure the drivers. The value for <literal>printer</literal> <literal>driver</literal> should match the string that shows up in the Printer Wizard on the Windows system. The value of the <literal>printer</literal> <literal>driver</literal> <literal>location</literal> is the pathname of the PRINTER$ share you set up, not the Unix pathname on the server. Thus, you could use the following:</para> + + +<programlisting>[global] + printer driver file = /usr/local/samba/print/printers.def +[hpdeskjet] + path = /var/spool/samba/printers + printable = yes + + printer driver = HP DeskJet 560C Printer + printer driver location = \\%L\PRINTER$</programlisting> + + +<para>Now you're ready to test it out. At this point, remove the Windows printer that you "set up" in the first step from the list of printers in the Printers window of My Computer. If Samba asks you to delete unneeded files, do so. These files will be replaced shortly on the client, as they now exist on the Samba server.</para> +</sect3> + + + +<sect3 role="" label="7.1.7.5" id="ch07-SECT-1.7.5"> +<title>Testing the configuration</title> + + +<para>Restart the Samba daemons and look for the <literal>[hpdeskjet]</literal> share under the machine name in the Network Neighborhood. At this point, if you click on the printer icon, you should begin the printer setup process and come to the dialog shown in <link linkend="ch07-60108">Figure 7.6</link>.</para> + + +<para>This is different from the dialog you saw earlier when setting up a printer. Essentially, the dialog is asking if you wish to accept the driver that is "already installed"—in other words, offered by Samba. Go ahead and keep the existing driver, and press the Next button. At this point, you can give the printer a name and print out a test page. If it works, the setup should be complete. You should be able to repeat the process now from any Windows<indexterm id="ch07-idx-956413-0" class="endofrange" startref="ch07-idx-956393-0"/> client. <indexterm id="ch07-idx-956407-0" class="endofrange" startref="ch07-idx-956360-0"/></para> + + +<figure label="7.6" id="ch07-60108"> +<title>Automatically configuring the printer driver</title> + +<graphic width="502" depth="296" fileref="figs/sam.0706.gif"></graphic> +</figure> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="7.2" id="ch07-31526"> +<title>Printing to Windows Client Printers</title> + + +<para> +<indexterm id="ch07-idx-956368-0" class="startofrange"><primary>printing</primary><secondary>Windows client printers</secondary><tertiary>printing to</tertiary></indexterm>If you have printers connected to clients running Windows 95/98 or NT 4.0, those printers can also be accessed from Samba. Samba comes equipped with a tool called <emphasis>smbprint</emphasis> +<indexterm id="ch07-idx-956539-0"><primary>smbprint tool, spooling print jobs</primary></indexterm> +<indexterm id="ch07-idx-956539-1"><primary>printing</primary><secondary>print jobs</secondary><tertiary>spooling with smbprint tool</tertiary></indexterm> that can be used to spool print jobs to Windows-based printers. In order to use this, however, you need to set up the printer as a shared resource on the client machine. If you haven't already done this, you can reset this from the Printers window, reached from the Start button, as shown in <link linkend="ch07-32814">Figure 7.7</link>.</para> + + +<figure label="7.7" id="ch07-32814"> +<title>The Printers window</title> + +<graphic width="502" depth="273" fileref="figs/sam.0707.gif"></graphic> +</figure> + +<para>Select a printer that's locally connected (for example, ours is the Canon printer), press the right mouse button to bring up a menu, and select Sharing. This will give you the Sharing tab of the Printer Properties frame, as shown in <link linkend="ch07-92021">Figure 7.8</link>. If you want it available to everybody on your LAN as the Windows guest user, enter a blank password.</para> + + +<figure label="7.8" id="ch07-92021"> +<title>The Sharing tab of the printer</title> + +<graphic width="502" depth="273" fileref="figs/sam.0708.gif"></graphic> +</figure> + +<para>Once you've got this working, you can add your printer to the list of standard printers and Samba can make it available to all the other PCs in the workgroup. To make installation on Unix easier, the Samba distribution provides two sample scripts: <filename>smbprint</filename> and <filename>smbprint.sysv</filename>. The first works with BSD-style printers; the second is designed for System V printers.</para> + + +<sect2 role="" label="7.2.1" id="ch07-SECT-2.0.1"> +<title>BSD printers</title> + + +<para> +<indexterm id="ch07-idx-956540-0"><primary>printers</primary><secondary>BSD</secondary></indexterm>There are two steps you need to have a BSD Unix recognize a remote printer:</para> + + +<orderedlist> +<listitem><para>Place an entry for the printer in the <filename>/etc/printcap</filename> file (or equivalent).</para></listitem> +<listitem><para>Place a configuration file in the <filename>/var/spool</filename> directory for the printer.</para></listitem> +</orderedlist> + +<para>First, edit your <filename>/etc/printcap</filename> file and add an entry for the remote printer. Note that the input filter (<literal>if</literal>) entry needs to point to the <emphasis>smbprint</emphasis> program if the machine is on Windows 95/98. The following set of lines will accomplish on a Linux machine, for example:</para> + + +<programlisting>laserjet:\ + :sd=/var/spool/lpd/laser:\ <replaceable># spool directory</replaceable> + :mx#0:\ <replaceable># maximum file size (none)</replaceable> + :sh:\ <replaceable># surpress burst header (no)</replaceable> + :if=/usr/local/samba/bin/smbprint: <replaceable># text filter</replaceable></programlisting> + + +<para>After that, you need to create a configuration file in the spool directory that you specified with the <literal>sd</literal> parameter above. (You may need to create that directory.) The file must have the name <emphasis>.config</emphasis> and should contain the following information:</para> + + +<itemizedlist> +<listitem><para>The NetBIOS name of the Windows machine with the printer</para></listitem> +<listitem><para>The service name that represents the printer</para></listitem> +<listitem><para>The password used to access that service</para></listitem> +</itemizedlist> + +<para>The last two parameters were set up in the Sharing dialog for the requested resource on the Windows machine. In this case, the <emphasis>.config</emphasis> file would have three lines:</para> + + +<programlisting>server = phoenix +service = CANON +password = ""</programlisting> + + +<para>After you've done that, reset the Samba server machine and try printing to it using any standard Unix program.</para> +</sect2> + + + + + +<sect2 role="" label="7.2.2" id="ch07-SECT-2.0.2"> +<title>System V printers</title> + + +<para> +<indexterm id="ch07-idx-956541-0"><primary>printers</primary><secondary>System V</secondary></indexterm>Sending print jobs from a System V Unix system is a little easier. Here, you need to get obtain the <filename>smbprint.sysv</filename> script in the <filename>/usr/local/samba/examples/printing</filename> directory and do the following:</para> + + +<orderedlist> +<listitem><para>Change the <literal>server</literal>, <literal>service</literal>, and <literal>password</literal> parameters in the script to match the NetBIOS machine, its shared printer service, and its password, respectively. For example, the following entries would be correct for the service in the previous example:</para> + + +<programlisting>server = phoenix +service = CANON +password = ""</programlisting></listitem> + +<listitem><para>Run the following commands, which create a reference for the printer in the printer capabilities file. Note that the new Unix printer entry <literal>canon_ printer</literal> is named:</para> + + +<programlisting># lpadmin -p canon_printer -v /dev/null -i./smbprint.sysv +# enable canon_printer +# accept canon_printer</programlisting></listitem> +</orderedlist> + +<para>After you've done that, restart the Samba daemons and try printing to it using any standard Unix program. You should now be able to send data to a printer on a Windows client across the network.</para> +</sect2> + + + + +<sect2 role="" label="7.2.3" id="ch07-SECT-2.1"> +<title>Samba Printing Options</title> + + +<para> +<indexterm id="ch07-idx-956419-0" class="startofrange"><primary>printing</primary><secondary>options for</secondary></indexterm><link linkend="ch07-19361">Table 7.2</link> summarizes the Samba printing options.</para> + + +<table label="7.2" id="ch07-19361"> +<title>Printing Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>printing</literal></para></entry> + +<entry colname="col2"><para><literal>bsd</literal>, <literal>sysv</literal>, <literal>hpux</literal>, <literal>aix</literal>, <literal>qnx</literal>, <literal>plp</literal>, <literal>softq</literal>, or <literal>lprng</literal></para></entry> + +<entry colname="col3"><para>Sets the print system type for your Unix system.</para></entry> + +<entry colname="col4"><para>System dependent</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printable (print ok)</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Marks a share as a printing share.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printer (printer name)</literal></para></entry> + +<entry colname="col2"><para>string (Unix printer name)</para></entry> + +<entry colname="col3"><para>Sets the name of the printer to be shown to clients.</para></entry> + +<entry colname="col4"><para>System dependent</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printer driver</literal></para></entry> + +<entry colname="col2"><para>string (printer driver name)</para></entry> + +<entry colname="col3"><para>Sets the driver name that should be used by the client to send data to the printer.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printer driver file</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Sets the name of the printer driver file.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printer driver location</literal></para></entry> + +<entry colname="col2"><para>string (network pathname)</para></entry> + +<entry colname="col3"><para>Specifies the pathname of the share for the printer driver file.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lpq cache time</literal></para></entry> + +<entry colname="col2"><para>numeric (time in seconds)</para></entry> + +<entry colname="col3"><para>Sets the amount of time in seconds that Samba will cache the lpq status.</para></entry> + +<entry colname="col4"><para><literal>10</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>postscript</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Treats all print jobs sent as postscript by prepending <literal>%!</literal> at the beginning of each file.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>load printers</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Automatically loads each of the printers in the <emphasis>printcap</emphasis> file as printing shares.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>print command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to perform printing.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lpq command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to return the status of the printing queue.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lprm command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to remove a job from the printing queue.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lppause command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to pause a job on the printing queue.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lpresume command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to resume a paused job on the printing queue.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>printcap name</literal></para> + +<para><literal>(printcap)</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Specifies the location of the printer capabilities file.</para></entry> + +<entry colname="col4"><para>System dependent</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>min print space</literal></para></entry> + +<entry colname="col2"><para>numeric (size in kilobytes)</para></entry> + +<entry colname="col3"><para>Sets the minimum amount of disk free space that must be present to print.</para></entry> + +<entry colname="col4"><para><literal>0</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>queuepause command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to pause a queue.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>queueresume command</literal></para></entry> + +<entry colname="col2"><para>string (shell command)</para></entry> + +<entry colname="col3"><para>Sets the Unix command to resume a queue.</para></entry> + +<entry colname="col4"><para>See below</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="7.2.3.1" id="ch07-SECT-2.1.1"> +<title>printing</title> + + +<para>The <literal>printing</literal> +<indexterm id="ch07-idx-958423-0"><primary>printing configuration option</primary></indexterm> configuration option tells Samba a little about your Unix printing system, in this case which printing parser to use. With Unix, there are several different families of commands to control printing and print statusing. Samba supports seven different types, as shown in <link linkend="ch07-28758">Table 7.3</link>.</para> + + +<table label="7.3" id="ch07-28758"> +<title>Printing Types </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Variable</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>BSD</para></entry> + +<entry colname="col2"><para> +<indexterm id="ch07-idx-956545-0"><primary>printing</primary><secondary>types</secondary></indexterm>Berkeley Unix system</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>SYSV</para></entry> + +<entry colname="col2"><para>System V</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>AIX</para></entry> + +<entry colname="col2"><para>AIX Operating System (IBM)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>HPUX</para></entry> + +<entry colname="col2"><para>Hewlett-Packard Unix</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>QNX</para></entry> + +<entry colname="col2"><para>QNX Realtime Operating System (QNX)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>LPRNG</para></entry> + +<entry colname="col2"><para>LPR Next Generation (Powell)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>SOFTQ</para></entry> + +<entry colname="col2"><para>SOFTQ system</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>PLP</para></entry> + +<entry colname="col2"><para>Portable Line Printer (Powell)</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>The value for this optio.n will be one of these seven options. For example:</para> + + +<programlisting>printing = SYSV</programlisting> + + +<para>The default value of this option is system dependent and is configured when Samba is first compiled. For most systems, the <filename>configure</filename> script will automatically detect the printing system to be used and configure it properly in the Samba makefile. However, if your system is a PLP, LPRNG, or QNX printing system, you will need to explicitly specify this in the makefile or the printing share.</para> + + +<para>The most common system types are BSD and SYSV. Each of the printers on a BSD Unix server are described in the printer capabilities file—normally <filename>/etc/printcap</filename>.</para> + + +<para>Setting the <literal>printing</literal> configuration option automatically sets at least three other printing options for the service in question: <literal>print</literal> <literal>command</literal>, <literal>lpq</literal> <literal>command</literal>, and <literal>lprm</literal> <literal>command</literal>. If you are running Samba on a system that doesn't support any of these printing styles, simply set the commands for each of these manually.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.2" id="ch07-SECT-2.1.2"> +<title>printable</title> + + +<para>The <indexterm id="ch07-idx-958426-0"><primary>printable option</primary></indexterm>printable option must be set to <literal>yes</literal> in order to flag a share as a printing service. If this option is not set, the share will be treated as a disk share instead. You can set the option as follows:</para> + + +<programlisting>[printer1] + printable = yes</programlisting> +</sect3> + + + +<sect3 role="" label="7.2.3.3" id="ch07-SECT-2.1.3"> +<title>printer</title> + + +<para> +<indexterm id="ch07-idx-957248-0" class="startofrange"><primary>printers</primary><secondary>option for</secondary></indexterm>The <indexterm id="ch07-idx-958427-0"><primary>printer option</primary></indexterm>option, sometimes called <literal>printer</literal> <literal>name</literal>, specifies the name of the printer on the server to which the share points. This option has no default and should be set explicitly in the configuration file, even though Unix systems themselves often recognize a default name such as <literal>lp</literal> for a printer. For example:</para> + + +<programlisting>[deskjet] + printer = hpdkjet1</programlisting> +</sect3> + + + +<sect3 role="" label="7.2.3.4" id="ch07-SECT-2.1.4"> +<title>printer driver</title> + + +<para>The <literal>printer</literal> +<indexterm id="ch07-idx-958428-0"><primary>printer driver option</primary></indexterm> <literal>driver</literal> option sets the string that Samba uses to tell Windows what the printer is. If this option is set correctly, the Windows Printer Wizard will already know what the printer is, making installation easier for end users by giving them one less dialog to worry about. The string given should match the string that shows up in the Printer Wizard, as shown in <link linkend="ch07-46183">Figure 7.9</link>. For example, an Apple LaserWriter typically uses <literal>Apple</literal> <literal>LaserWriter</literal>; a Hewlett Packard Deskjet 560C uses <literal>HP</literal> <literal>DeskJet</literal> <literal>560C</literal> <literal>Printer</literal>.</para> + + +<figure label="7.9" id="ch07-46183"> +<title>The Add Printer Wizard dialog box in Windows 98</title> + +<graphic width="502" depth="296" fileref="figs/sam.0709.gif"></graphic> +</figure> + +<para>Automatically configuring printer drivers with Samba is explained in greater detail in <link linkend="ch07-30008">Section 7.1.7</link> earlier in this chapter.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.5" id="ch07-SECT-2.1.5"> +<indexterm id="ch07-idx-958429-0"><primary>printer driver file option</primary></indexterm> +<title> +printer driver file</title> + + +<para>This global option gives the location of the Windows 95/98 printer driver definition file, which is needed to give printer drivers to clients using a Samba printer. The default value of this option is <filename>/usr/local/samba/lib/printers.def</filename>. You can override this default as shown below:</para> + + +<programlisting>[deskjet] + printer driver file = /var/printers/printers.def</programlisting> + + +<para>This option is explained in greater detail in <link linkend="ch07-30008">Section 7.1.7</link> earlier in this chapter.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.6" id="ch07-SECT-2.1.6"> +<indexterm id="ch07-idx-958432-0"><primary>printer driver location option</primary></indexterm> +<title> +printer driver location</title> + + +<para>This option specifies a specific share that contains Windows 95 and 98 printer driver and definition files. There is no default parameter for this value. You can specify the location as a network pathname. A frequent approach is to use a share on your own machine, as shown here:</para> + + +<programlisting>[deskjet] + printer driver location = \\%L\PRINTER$</programlisting> + + +<para>This option is also explained in greater detail in <link linkend="ch07-30008">Section 7.1.7</link> earlier in this chapter.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.7" id="ch07-SECT-2.1.7"> +<indexterm id="ch07-idx-958433-0"><primary>lpq cache time option</primary></indexterm> +<title> +lpq cache time</title> + + +<para> +<indexterm id="ch07-idx-956564-0"><primary>cache time (printers), option for</primary></indexterm>The global <literal>lpq</literal> <literal>cache</literal> <literal>time</literal> option allows you to set the number of seconds that Samba will remember the current printer status. After this time elapses, Samba will issue an <emphasis>lpq</emphasis> command (or whatever command you specify with the <literal>lpq</literal> <literal>command</literal> option) to get a more up-to-date status. This defaults to 10 seconds, but can be increased if your <literal>lpq</literal> <literal>command</literal> takes an unusually long time to run or you have lots of clients. The following example resets the time to 30 seconds:</para> + + +<programlisting>[deskjet] + lpq cache time = 30</programlisting> +</sect3> + + + +<sect3 role="" label="7.2.3.8" id="ch07-SECT-2.1.8"> +<title>postscript</title> + + +<para>The<indexterm id="ch07-idx-958438-0"><primary>postscript option</primary></indexterm> <literal>postscript</literal> option forces the printer to treat all data sent to it as Postscript. It does this by prepending the characters <literal>%!</literal> at the beginning of the first line of each job. It is normally used with PCs that insert a <literal>^D</literal> (control-D or "end-of-file mark) in front of the first line of a PostScript file. It will not, obviously, turn a non-PostScript printer into a PostScript one. The default value of this options is <literal>no</literal>. You can override it as follows:<indexterm id="ch07-idx-957258-0" class="endofrange" startref="ch07-idx-957248-0"/></para> + + +<programlisting>[deskjet] + postscript = yes</programlisting> +</sect3> + + + +<sect3 role="" label="7.2.3.9" id="ch07-SECT-2.1.9"> +<indexterm id="ch07-idx-958439-0"><primary>print command option</primary></indexterm> +<indexterm id="ch07-idx-958439-1"><primary>lpq command option</primary></indexterm> +<indexterm id="ch07-idx-958439-2"><primary>lprm command option</primary></indexterm> +<indexterm id="ch07-idx-958439-3"><primary>lppause command option</primary></indexterm> +<indexterm id="ch07-idx-958439-4"><primary>lpresume command option</primary></indexterm> +<title> + + + + +print command, lpq command, lprm command, lppause command, lpresume command</title> + + +<para> +<indexterm id="ch07-idx-956566-0"><primary>Unix</primary><secondary>options</secondary><tertiary sortas="print commands">for print commands</tertiary></indexterm>These options tell Samba which Unix commands used to control and send data to the printer. The Unix commands involved are: <emphasis>lpr</emphasis> (send to Line PRinter), <emphasis>lpq</emphasis> (List Printer Queue), <emphasis>lprm</emphasis> (Line printer ReMove), and optionally <emphasis>lppause</emphasis> and <emphasis>lpresume</emphasis>. Samba provides an option named after each of these commands, in case you need to override any of the system defaults. For example, consider:</para> + + +<programlisting>lpq command = /usr/ucb/lpq %p</programlisting> + + +<para>This would set the <literal>lpq command</literal> to use <filename>/usr/ucb/lpq</filename>. Similarly:</para> + + +<programlisting>lprm command = /usr/local/lprm -P%p %j</programlisting> + + +<para>would set the Samba printer remove command to <filename>/usr/local/lprm</filename>, and provide it the print job number using the <literal>%j</literal> variable.</para> + + +<para>The default values for each of these options are dependent on the value of the <literal>printing</literal> option. <link linkend="ch07-82964">Table 7.4</link> shows the default commands for each of the printing options. The most popular printing system is BSD.</para> + + +<table label="7.4" id="ch07-82964"> +<title>Default Commands for Various Printing Commands </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>BSD, AIX, PLP, LPRNG</para></entry> + +<entry colname="col3"><para>SYSV, HPUX</para></entry> + +<entry colname="col4"><para>QNX</para></entry> + +<entry colname="col5"><para>SOFTQ</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>print command</literal></para></entry> + +<entry colname="col2"><para><literal>lpr -r -P%p %s</literal> +<indexterm id="ch07-idx-958518-0"><primary>printing</primary><secondary>commands</secondary><tertiary>default commands for</tertiary></indexterm></para></entry> + +<entry colname="col3"><para><literal>lp -c -d%p %s; rm %s</literal></para></entry> + +<entry colname="col4"><para><literal>lp -r -P%p %s</literal></para></entry> + +<entry colname="col5"><para><literal>lp -d%p -s %s; rm %s</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lpq command</literal></para></entry> + +<entry colname="col2"><para><literal>lpq -P%p</literal></para></entry> + +<entry colname="col3"><para><literal>lpstat -o%p</literal></para></entry> + +<entry colname="col4"><para><literal>lpq -P%p</literal></para></entry> + +<entry colname="col5"><para><literal>lpstat -o%p</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lprm command</literal></para></entry> + +<entry colname="col2"><para><literal>lprm -P%p %j</literal></para></entry> + +<entry colname="col3"><para><literal>cancel %p-%j</literal></para></entry> + +<entry colname="col4"><para><literal>cancel %p-%j</literal></para></entry> + +<entry colname="col5"><para><literal>cancel %p-%j</literal></para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lppause command</literal></para></entry> + +<entry colname="col2"><para><literal>lp -i %p-%j -H hold </literal></para> + +<para>(SYSV only)</para></entry> + +<entry colname="col3"><para>None</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>None</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>lpresume command</literal></para></entry> + +<entry colname="col2"><para><literal>lp -i %p-%j -H resume</literal></para> + +<para>(SYSV only)</para></entry> + +<entry colname="col3"><para>None</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para><literal>qstat -s -j%j -r</literal></para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>It is typically not necessary to reset these options in Samba, with the possible exception of <literal>print</literal> <literal>command</literal>. This option may need to be explicitly set if your printing system doesn't have a <literal>-r</literal> (remove after printing) option on the printing command. For example:</para> + + +<programlisting>/usr/local/lpr -P%p %s; /bin/rm %s</programlisting> + + +<para>With a bit of judicious programming, these <filename>smb.conf</filename> options can also used for debugging:</para> + + +<programlisting>print command = cat %s >>/tmp/printlog; lpr -r -P%p %s</programlisting> + + +<para>For example, this configuration can verify that files are actually being delivered to the Samba server. If they are, their contents will show up in the <filename>/tmp/printlog</filename> file.</para> + + +<para>After BSD, the next most popular kind of printing system is SYSV (or System V) printing, plus some SYSV variants for IBM's AIX and Hewlett-Packard's HP-UX. These system do not have an <filename>/etc/printcap</filename> file. Instead, the <literal>printcap</literal> <literal>file</literal> option can be set to an appropriate <emphasis>lpstat</emphasis> command for the system. This tells Samba to get a list of printers from the <emphasis>lpstat</emphasis> command. Alternatively, you can set the global configuration option <literal>printcap</literal> <literal>name</literal> to the name of a dummy <filename>printcap</filename> file you provide. In the latter case, the file must contain a series of lines such as:</para> + + +<programlisting>lp|print1|My Printer 1 +print2|My Printer 2 +print3|My Printer 3</programlisting> + + +<para>Each line names a printer, and provides aliases for it. In this example, the first printer is called <literal>lp</literal>, <literal>print1</literal>, or <literal>My</literal> <literal>Printer</literal> <literal>1</literal>, whichever the user prefers to use. The first name will be used in place of <literal>%p</literal> in any command Samba executes for that printer.</para> + + +<para>Two additional printer types are also supported by Samba: LPRNG (LPR New Generation) and PLP (Public Line Printer). These are public domain and Open Source printing systems, and are used by many sites to overcome problems with vendor-supplied software. In addition, the SOFTQ and QNX realtime operating systems are supported by Samba.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.10" id="ch07-SECT-2.1.10"> +<title>load printers</title> + + +<para> +<indexterm id="ch07-idx-956568-0"><primary>print shares</primary><secondary>options for</secondary></indexterm>The <literal>load</literal> +<indexterm id="ch07-idx-958440-0"><primary>load printers option</primary></indexterm> <literal>printers</literal> option tells Samba to create shares for all known printer names and load those shares into the browse list. Samba will create and list a printer share for each printer name in <filename>/etc/printcap</filename> (or system equivalent). For example, if your <filename>printcap</filename> file looks like this:<footnote label="2" id="ch07-pgfId-950654"> + + +<para>We have placed annotated comments off to the side in case you've never dealt with this file before.</para> + + +</footnote></para> + + +<programlisting>lp:\ + :sd=/var/spool/lpd/lp:\ <replaceable># spool directory</replaceable> + :mx#0:\ <replaceable># maximum file size (none)</replaceable> + :sh:\ <replaceable># surpress burst header (no)</replaceable> + :lp=/dev/lp1:\ <replaceable># device name for output</replaceable> + :if=/var/spool/lpd/lp/filter: <replaceable># text filter</replaceable> + +laser:\ + :sd=/var/spool/lpd/laser:\ <replaceable># spool directory</replaceable> + :mx#0:\ <replaceable># maximum file size (none)</replaceable> + :sh:\ <replaceable># surpress burst header (no)</replaceable> + :lp=/dev/laser:\ <replaceable># device name for output</replaceable> + :if=/var/spool/lpd/lp/filter: <replaceable># text filter</replaceable></programlisting> + + +<para>and you specify:</para> + + +<programlisting>load printers = yes</programlisting> + + +<para>the shares <literal>[lp]</literal> and <literal>[laser]</literal> will automatically be created as valid print shares when Samba is started. Both shares will borrow the configuration options specified in the <literal>[printers]</literal> section to configure themselves, and will be available in the browse list for the Samba server.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.11" id="ch07-SECT-2.1.11"> +<title>printcap name</title> + + +<para>If the <literal>printcap</literal> +<indexterm id="ch07-idx-958442-0"><primary>printcap name option</primary></indexterm> <literal>name</literal> option (also called <literal>printcap</literal>) appears in a printing share, Samba will use the file specified as the system printer capabilities file. This is normally <filename>/etc/printcap</filename>. However, you can reset it to a file consisting of only the printers you want to share over the network. The value must be a fully-qualified filename of a printer capabilities file on the server:</para> + + +<programlisting>[deskjet] + printcap name = /usr/local/printcap</programlisting> +</sect3> + + + +<sect3 role="" label="7.2.3.12" id="ch07-SECT-2.1.12"> +<title>min print space</title> + + +<para>The <literal>min</literal> +<indexterm id="ch07-idx-958443-0"><primary>min print space option</primary></indexterm> <literal>print</literal> <literal>space</literal> option sets the amount of <indexterm id="ch07-idx-956570-0"><primary>spool space, options for</primary></indexterm>spool space that must be available on the disk before printing is allowed. Setting it to zero (the default) turns the check off; setting it to any other number sets the amount of free space in kilobytes required. This option helps avoid having print jobs fill up the remaining disk space on the server, which may cause other processes to fail:</para> + + +<programlisting>[deskjet] + min print space = 4000</programlisting> +</sect3> + + + +<sect3 role="" label="7.2.3.13" id="ch07-SECT-2.1.13"> +<indexterm id="ch07-idx-958444-0"><primary>queuepause command option</primary></indexterm> +<title> +queuepause command</title> + + +<para>This configuration option specifies a command that tells Samba how to pause a <indexterm id="ch07-idx-956571-0"><primary>print queue, options for</primary></indexterm>print queue entirely, as opposed to a single job on the queue. The default value depends on the printing type chosen. You should not need to alter this option.</para> +</sect3> + + + +<sect3 role="" label="7.2.3.14" id="ch07-SECT-2.1.14"> +<indexterm id="ch07-idx-958445-0"><primary>queueresume command option</primary></indexterm> +<title> +queueresume command</title> + + +<para>This configuration option specifies a command that tells Samba how to resume a paused print queue, as opposed to resuming a single job on the print queue. The default value depends on the printing type chosen. You should not need to alter<indexterm id="ch07-idx-956423-0" class="endofrange" startref="ch07-idx-956419-0"/> this<indexterm id="ch07-idx-956372-0" class="endofrange" startref="ch07-idx-956368-0"/> option.<indexterm id="ch07-idx-956352-0" class="endofrange" startref="ch07-idx-956351-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="7.3" id="ch07-12219"> +<title>Name Resolution with Samba</title> + + +<para> +<indexterm id="ch07-idx-956353-0" class="startofrange"><primary>name resolution</primary></indexterm>Before NetBIOS Name Servers (NBNS) came about, name resolution worked entirely by broadcast. If you needed a machine's address, you simply <indexterm id="ch07-idx-956574-0"><primary>broadcasting</primary><seealso>browsing; name resolution</seealso></indexterm>broadcast its name across the network and, in theory, the machine itself would reply. This approach is still possible: anyone looking for a machine named <literal>fred</literal> can still broadcast a query and find out if it exists and what its IP address is. (We use this capability to troubleshoot Samba name services with the <literal>nmblookup</literal> command in <link linkend="SAMBA-CH-9">Chapter 9</link>.)</para> + + +<para>As you saw in the first chapter, however, broadcasting—whether it be browsing or name registration and resolution—does not pass easily across multiple subnets. In addition, many broadcasts tend to bog down networks. To solve this problem, Microsoft now provides the <indexterm id="ch07-idx-956577-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>name resolution and</secondary></indexterm>Windows Internet Naming Service (WINS), a cross-subnet NBNS, which Samba supports. With it, an administrator can designate a single machine to act as a WINS server, and can then provide each client that requires name resolution the address of the WINS server. Consequently, name registration and resolution requests can be directed to a single machine from any point on the network, instead of broadcast.</para> + + +<para>WINS and broadcasting are not the only means of name resolution, however. There are actually four mechanisms that can be used with Samba:</para> + + +<itemizedlist> +<listitem><para>WINS</para></listitem> +<listitem><para>Broadcasting</para></listitem> +<listitem><para>Unix <filename>/etc/hosts</filename> or NIS/NIS+ matches</para></listitem> +<listitem><para><emphasis>LMHOSTS</emphasis> file</para></listitem> +</itemizedlist> + +<para>Samba can use any or all of these name resolution methods in the order that you specify in the Samba configuration file using the <literal>name</literal> <literal>resolve</literal> <literal>order</literal> parameter. However, before delving into configuration options, let's discuss the one that you've probably not encountered before: the <filename>LMHOSTS</filename> file.</para> + + +<sect2 role="" label="7.3.1" id="ch07-SECT-3.1"> +<title>The LMHOSTS File</title> + + +<para><filename>LMHOSTS</filename> +<indexterm id="ch07-idx-956428-0"><primary>LMHOSTS file</primary></indexterm> is the standard LAN Manager <emphasis>hosts</emphasis> file used to resolve names into IP addresses on the system. It is the NBT equivalent of the <filename>/etc/hosts</filename> file that is standard on all Unix systems. By default, the file is usually stored as <filename>/usr/local/samba/lib/LMHOSTS</filename> and shares a format similar to <filename>/etc/hosts</filename>. For example:</para> + + +<programlisting>192.168.220.100 hydra +192.168.220.101 phoenix</programlisting> + + +<para>The only difference is that the names on the right side of the entries are NetBIOS names instead of DNS names. Because they are NetBIOS names, you can assign resource types to them as well:</para> + + +<programlisting>192.168.220.100 hydra#20 +192.168.220.100 simple#1b +192.168.220.101 phoenix#20</programlisting> + + +<para>Here, we've assigned the <literal>hydra</literal> machine to be the primary domain controller of the <literal>SIMPLE</literal> domain, as indicated by the resource type <1B> assigned to the name after <literal>hydra</literal>'s IP address in the second line. The other two are standard workstations.</para> + + +<para>If you wish to place an <emphasis>LMHOSTS</emphasis> file somewhere other than the default location, you will need to notify the <emphasis>nmbd</emphasis> process upon start up, as follows:</para> + + +<programlisting>nmbd -H /etc/samba/lmhosts -D</programlisting> +</sect2> + + + + + +<sect2 role="" label="7.3.2" id="ch07-SECT-3.2"> +<title>Setting Up Samba to Use Another WINS Server</title> + + +<para> +<indexterm id="ch07-idx-956595-0"><primary>Samba</primary><secondary>WINS server and</secondary></indexterm> +<indexterm id="ch07-idx-956595-1"><primary>WINS (Windows Internet Name Service) server</primary><secondary>setting up Sambato use</secondary></indexterm>You can set up Samba to use a WINS server somewhere else on the network by simply pointing it to the IP address of the WINS server. This is done with the global <literal>wins</literal> <literal>server</literal> configuration option, as shown here:</para> + + +<programlisting>[global] + wins server = 192.168.200.122</programlisting> + + +<para>With this option enabled, Samba will direct all WINS requests to the server at 192.168.200.122. Note that because the request is directed at a single machine, we don't have to worry about any of the problems inherent to broadcasting. However, though you have specified an IP address for a WINS server in the configuration file, Samba will not necessarily use the WINS server before other forms of name resolution. The order in which Samba attempts various name-resolution techniques is given with the <literal>name</literal> <literal>resolve</literal> <literal>order</literal> configuration option, which we will discuss shortly.</para> + + +<para>If you have a Samba server on a subnet that still uses broadcasting and the Samba server knows the correct location of a WINS server on another subnet, you can configure the Samba server to forward any name resolution requests with the <literal>wins</literal> <literal>proxy</literal> option:</para> + + +<programlisting>[global] + wins server = 192.168.200.12 + wins proxy = yes</programlisting> + + +<para>Use this only in situations where the WINS server resides on another subnet. Otherwise, the broadcast will reach the WINS server regardless of any proxying.</para> +</sect2> + + + + + +<sect2 role="" label="7.3.3" id="ch07-83429"> +<title>Setting Up Samba as a WINS Server</title> + + +<para> +<indexterm id="ch07-idx-956600-0"><primary>WINS (Windows Internet Name Service) server</primary><secondary>setting up Samba as</secondary></indexterm>You can set up Samba as a WINS server by setting two global options in the configuration file, as shown below:</para> + + +<programlisting>[global] + wins support = yes + name resolve order = wins lmhosts hosts bcast</programlisting> + + +<para>The <literal>wins</literal> <literal>support</literal> option turns Samba into a WINS server. Believe it or not, that's all you need to do! Samba handles the rest of the details behind the scenes, leaving you a relaxed administrator. The <literal>wins</literal> <literal>support=yes</literal> and the <literal>wins</literal> <literal>server</literal> option are mutually exclusive; you cannot simultaneously offer Samba as the WINS server and point to another system as the server.</para> + + +<para>If Samba is acting as a WINS server, you should probably get familiar with the <literal>name</literal> <literal>resolve</literal> <literal>order</literal> option mentioned earlier. This option tells Samba the order of methods in which it tries to resolve a NetBIOS name. It can take up to four values:</para> + + +<variablelist> +<varlistentry><term>lmhosts</term> +<listitem><para>Uses a LAN Manager <emphasis>LMHOSTS</emphasis> file</para></listitem> +</varlistentry> + + +<varlistentry><term>hosts</term> +<listitem><para>Uses the standard name resolution methods of the Unix system, <emphasis>/etc/hosts</emphasis>, DNS, NIS, or a combination (as configured for the system)</para></listitem> +</varlistentry> + + +<varlistentry><term>wins</term> +<listitem><para>Uses the WINS server</para></listitem> +</varlistentry> + + +<varlistentry><term>bcast</term> +<listitem><para>Uses a broadcast method</para></listitem> +</varlistentry> +</variablelist> + + +<para>The order in which you specify them in the value is the order in which Samba will attempt name resolution when acting as a WINS server. For example, let's look at the value specified previously:</para> + + +<programlisting>name resolve order = wins lmhosts hosts bcast</programlisting> + + +<para>This means that Samba will attempt to use its WINS entries first for name resolution, followed by the LAN Manager <emphasis>LMHOSTS</emphasis> file on its system. Next, the hosts value causes it to use Unix name resolution methods. The word <literal>hosts</literal> may be misleading; it covers not only the <filename>/etc/hosts</filename> file, but also the use of DNS or NIS (as configured on the Unix host). Finally, if those three do not work, it will use a broadcast to try to locate the correct machine.</para> + + +<para>Finally, you can instruct a Samba server that is acting as a WINS server to check with the system's DNS server if a requested host cannot be found in its WINS database. With a typical Linux system, for example, you can find the IP address of the DNS server by searching the <filename>/etc/resolv.conf</filename> file. In it, you might see an entry such as the following:</para> + + +<programlisting>nameserver 127.0.0.1 +nameserver 192.168.200.192</programlisting> + + +<para>This tells us that a DNS server is located at 192.168.220.192. (The 127.0.0.1 is the localhost address and is never a valid DNS server address.)</para> + + +<para>Use the global <literal>dns</literal> <literal>proxy</literal> option to alert Samba to use the configured DNS server:</para> + + +<programlisting>[global] + wins support = yes + name resolve order = wins lmhosts hosts bcast + dns proxy = yes</programlisting> +</sect2> + + + + + +<sect2 role="" label="7.3.4" id="ch07-SECT-3.4"> +<title>Name Resolution Configuration Options</title> + + +<para> +<indexterm id="ch07-idx-956430-0" class="startofrange"><primary>name resolution</primary><secondary>options for</secondary></indexterm>Samba's WINS options are shown in <link linkend="ch07-82331">Table 7.5</link>.</para> + + +<table label="7.5" id="ch07-82331"> +<title>WINS Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>wins support</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, Samba will act as a WINS server.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>wins server</literal></para></entry> + +<entry colname="col2"><para>string (IP address or DNS name)</para></entry> + +<entry colname="col3"><para>Identifies a WINS server for Samba to use for name registration and resolution.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>wins proxy</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Allows Samba to act as a proxy to a WINS server on another subnet.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>dns proxy</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If set to <literal>yes</literal>, a Samba WINS server will search DNS if it cannot find a name in WINS.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>name resolve order</literal></para></entry> + +<entry colname="col2"><para><literal>lmhosts</literal>, <literal>hosts</literal>, <literal>wins</literal>, or <literal>bcast</literal></para></entry> + +<entry colname="col3"><para>Specifies an order of the methods used to resolve NetBIOS names.</para></entry> + +<entry colname="col4"><para><literal>lmhosts hosts wins bcast</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max ttl</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Specifies the maximum time-to-live in seconds for a requested NetBIOS names.</para></entry> + +<entry colname="col4"><para><literal>259200</literal>( 3 days)</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max wins ttl</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Specifies the maximum time-to-live in seconds for NetBIOS names given out by Samba as a WINS server.</para></entry> + +<entry colname="col4"><para><literal>518400</literal>(6 days)</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>min wins ttl</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Specifies the minimum time-to-live in seconds for NetBIOS names given out by Samba as a WINS server.</para></entry> + +<entry colname="col4"><para><literal>21600</literal>(6 hours)</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect3 role="" label="7.3.4.1" id="ch07-SECT-3.4.1"> +<indexterm id="ch07-idx-958447-0"><primary>wins support option</primary></indexterm> +<title> +wins support</title> + + +<para>Samba will provide <indexterm id="ch07-idx-956607-0"><primary>WINS (Windows Internet Name Service)</primary><secondary>options for</secondary></indexterm>WINS name service to all machines in the network if you set the following in the <literal>[global]</literal> section of the <filename>smb.conf</filename> file:</para> + + +<programlisting>[global] + wins support = yes</programlisting> + + +<para>The default value is <literal>no</literal>, which is typically used to allow another Windows NT server to become a WINS server. If you do enable this option, remember that a Samba WINS server currently cannot exchange data with any backup WINS servers. If activated, this option is mutually exclusive with the <literal>wins</literal> <literal>server</literal> parameter; you cannot set both to <literal>yes</literal> at the same time or Samba will flag an error.</para> +</sect3> + + + +<sect3 role="" label="7.3.4.2" id="ch07-SECT-3.4.2"> +<indexterm id="ch07-idx-958448-0"><primary>wins server option</primary></indexterm> +<title> +wins server</title> + + +<para>Samba will use an existing WINS server on the network if you specify the <literal>wins</literal> <literal>server</literal> global option in your configuration file. The value of this option is either the IP address or DNS name (not NetBIOS name) of the WINS server. For example:</para> + + +<programlisting>[global] + wins server = 192.168.220.110</programlisting> + + +<para>or:</para> + + +<programlisting>[global] + wins server = wins.example.com</programlisting> + + +<para>In order for this option to work, the <literal>wins</literal> <literal>support</literal> option must be set to <literal>no</literal> (the default). Otherwise, Samba will report an error. You can specify only one WINS server using this option.</para> +</sect3> + + + +<sect3 role="" label="7.3.4.3" id="ch07-SECT-3.4.3"> +<indexterm id="ch07-idx-958449-0"><primary>wins proxy option</primary></indexterm> +<title> +wins proxy</title> + + +<para>This option allows Samba to act as a proxy to another WINS server, and thus relay name registration and resolution requests from itself to the real WINS server, often outside the current subnet. The WINS server can be indicated through the <literal>wins</literal> <literal>server</literal> option. The proxy will then return the WINS response back to the client. You can enable this option by specifying the following in the <literal>[global]</literal> section:</para> + + +<programlisting>[global] + wins proxy = yes</programlisting> +</sect3> + + + +<sect3 role="" label="7.3.4.4" id="ch07-SECT-3.4.4"> +<indexterm id="ch07-idx-958450-0"><primary>dns proxy option</primary></indexterm> +<title> +dns proxy</title> + + +<para>If you want the <indexterm id="ch07-idx-956608-0"><primary>DNS (Domain Name System)</primary><secondary>option for</secondary></indexterm>domain name service (DNS) to be used if a name isn't found in WINS, you can set the following option:</para> + + +<programlisting>[global] + dns proxy = yes</programlisting> + + +<para>This will cause <filename>nmbd</filename> to query for machine names using the server's standard domain name service. You may wish to deactivate this option if you do not have a permanent connection to your DNS server. Despite this option, we recommend using a WINS server. If you don't already have any WINS servers on your network, make one Samba machine a WINS server. Do not, however, make two Samba machines WINS servers (one primary and one backup) as they currently cannot exchange WINS databases.</para> +</sect3> + + + +<sect3 role="" label="7.3.4.5" id="ch07-SECT-3.4.5"> +<indexterm id="ch07-idx-958451-0"><primary>name resolve order option</primary></indexterm> +<title> +name resolve order</title> + + +<para>The global <literal>name</literal> <literal>resolve</literal> <literal>order</literal> option specifies the order of services that Samba will use in attempting name resolution. The default order is to use the <emphasis>LMHOSTS</emphasis> file, followed by standard Unix name resolution methods (some combination of <filename>/etc/hosts</filename>, DNS, and NIS), then query a WINS server, and finally use broadcasting to determine the address of a NetBIOS name. You can override this option by specifying something like the following:</para> + + +<programlisting>[global] + name resolve order = lmhosts wins hosts bcast</programlisting> + + +<para>This causes resolution to use the <emphasis>LMHOSTS</emphasis> file first, followed by a query to a WINS server, the system password file, and finally broadcasting. You need not use all four options if you don't want to. This option is covered in more detail in <link linkend="ch07-83429">Section 7.3.3</link> earlier in this chapter.</para> +</sect3> + + + +<sect3 role="" label="7.3.4.6" id="ch07-SECT-3.4.6"> +<indexterm id="ch07-idx-958452-0"><primary>max ttl option</primary></indexterm> +<title> +max ttl</title> + + +<para>This option gives the maximum t<indexterm id="ch07-idx-956610-0"><primary>TTL (time to live), options for</primary></indexterm> +<indexterm id="ch07-idx-956610-1"><primary>time to live (TTL), options for</primary></indexterm>ime to live (T T L) during which a NetBIOS name registered with the Samba server will remain active. You should never need to alter this value.</para> +</sect3> + + + +<sect3 role="" label="7.3.4.7" id="ch07-SECT-3.4.7"> +<indexterm id="ch07-idx-958453-0"><primary>max wins ttl option</primary></indexterm> +<title> +max wins ttl</title> + + +<para>This option give the maximum time to live (T T L) during which a NetBIOS name resolved from a WINS server will remain active. You should never need to change this value from its default.</para> +</sect3> + + + +<sect3 role="" label="7.3.4.8" id="ch07-SECT-3.4.8"> +<indexterm id="ch07-idx-958454-0"><primary>min wins ttl option</primary></indexterm> +<title> +min wins ttl</title> + + +<para>This option give the minimum time to live (T T L) during which a NetBIOS name resolved from a WINS server will remain active. You should never need to alter this value from its<indexterm id="ch07-idx-956431-0" class="endofrange" startref="ch07-idx-956430-0"/> default.<indexterm id="ch07-idx-956354-0" class="endofrange" startref="ch07-idx-956353-0"/></para> +</sect3> +</sect2> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch08.xml b/docs-xml/using_samba/ch08.xml new file mode 100644 index 0000000000..91e216a25c --- /dev/null +++ b/docs-xml/using_samba/ch08.xml @@ -0,0 +1,1995 @@ +<chapter label="8" id="SAMBA-CH-8"> +<title>Additional Samba Information </title> + + + + +<para>This chapter wraps up our coverage of the <filename>smb.conf</filename> configuration file with some miscellaneous options that can perform a variety of tasks. We will talk briefly about options for supporting programmers, internationalization, messages, and common Windows bugs. For the most part, you will use these options only in isolated circumstances. We also cover performing automated backups with the <filename>smbtar</filename> command at the end of this chapter. So without further ado, let's jump into our first subject: options to help programmers.</para> + + + + + + + + + + + +<sect1 role="" label="8.1" id="ch08-56646"> +<title>Supporting Programmers</title> + + +<para> +<indexterm id="ch08-idx-965254-0" class="startofrange"><primary>programmers, support for</primary></indexterm>If <indexterm id="ch08-idx-965351-0" class="startofrange"><primary>smb.conf (Samba configuration) file</primary><secondary>options for</secondary><tertiary>supporting programmers</tertiary></indexterm>you have programmers accessing your Samba server, you'll want to be aware of the special options listed in <link linkend="ch08-73167">Table 8.1</link>.</para> + + +<table label="8.1" id="ch08-73167"> +<title>Programming Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>time server</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, <emphasis>nmbd</emphasis> announces itself as a SMB time service to Windows clients.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>time offset</literal></para></entry> + +<entry colname="col2"><para>numerical (number of minutes)</para></entry> + +<entry colname="col3"><para>Adds a specified number of minutes to the reported time.</para></entry> + +<entry colname="col4"><para><literal>0</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>dos filetimes</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Allows non-owners of a file to change its time if they can write to it.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>dos filetime</literal></para> + +<para><literal>resolution</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Causes file times to be rounded to the next even second.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>fake directory create times</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Sets directory times to avoid a MS <emphasis>nmake</emphasis> bug.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="8.1.1" id="ch08-SECT-1.1"> +<title>Time Synchronization</title> + + +<para> +<indexterm id="ch08-idx-965360-0"><primary>synchronizing</primary><secondary>time, options for</secondary></indexterm> +<indexterm id="ch08-idx-965360-1"><primary>time snychronization, options for</primary></indexterm>Time synchronization can be very important to programmers. Consider the following options:</para> + + +<programlisting>time service = yes +dos filetimes = yes +fake directory create times = yes +dos filetime resolution = yes +delete readonly = yes</programlisting> + + +<para>If you set these options, Samba shares will provide the kind of compatible file times that Visual C++, <emphasis>nmake</emphasis>, and other Microsoft programming tools require. Otherwise, PC <emphasis>make</emphasis> programs will tend to think that all the files in a directory need to be recompiled every time. Obviously, this is not the behavior you want.</para> + + +<sect3 role="" label="8.1.1.1" id="ch08-SECT-1.1.1"> +<title>time server</title> + + +<para>If your Samba server has an accurate clock, or if it's a client of one of the Unix network time servers, you can instruct it to advertise itself as an SMB time server by setting the<indexterm id="ch08-idx-965946-0"><primary>time server option</primary></indexterm> <literal>time</literal> <literal>server</literal> option as follows:</para> + + +<programlisting>[global] + time service = yes</programlisting> + + +<para>The client will still have to request the correct time with the following DOS command, substituting the Samba server name in at the appropriate point:</para> + + +<programlisting>C:\NET TIME \\<replaceable>server</replaceable> /YES /SET</programlisting> + + +<para>This command can be placed in a Windows logon script (see <link linkend="SAMBA-CH-6">Chapter 6</link>).</para> + + +<para>By default, the <literal>time</literal> <literal>server</literal> option is normally set to <literal>no</literal>. If you turn this service on, you can use the command above to keep the client clocks from drifting. Time synchronization is important to clients using programs such as <emphasis>make</emphasis>, which compile based on the last time the file was changed. Incorrectly synchronized times can cause such programs to either remake all files in a directory, which wastes time, or not recompile a source file that was just modified because of a slight clock drift.</para> +</sect3> + + + +<sect3 role="" label="8.1.1.2" id="ch08-SECT-1.1.2"> +<title>time offset</title> + + +<para>To deal with clients that don't process daylight savings time properly, Samba provides the <literal>time</literal> <literal>offset</literal> option. If set, it adds the specified number of minutes to the current time. This is handy if you're in Newfoundland and Windows doesn't know about the 30-minute time difference there:</para> + + +<programlisting>[global] + time offset = 30</programlisting> +</sect3> + + + +<sect3 role="" label="8.1.1.3" id="ch08-SECT-1.1.3"> +<title>dos filetimes</title> + + +<para>Traditionally, only the root user and the owner of a file can change its last-modified date on a Unix system. The share-level <literal>dos</literal> <literal>filetimes</literal> option allows the Samba server to mimic the characteristics of a DOS/Windows machine: any user can change the last modified date on a file in that share if he or she has write permission to it. In order to do this, Samba uses its root privileges to modify the timestamp on the file.</para> + + +<para>By default, this option is disabled. Setting this option to <literal>yes</literal> is often necessary to allow PC <emphasis>make</emphasis> programs to work properly. Without it, they cannot change the last-modified date themselves. This often results in the program thinking <emphasis>all</emphasis> files need recompiling when they really don't.</para> +</sect3> + + + +<sect3 role="" label="8.1.1.4" id="ch08-SECT-1.1.4"> +<title>dos filetime resolution</title> + + +<para><literal>dos</literal> +<indexterm id="ch08-idx-965949-0"><primary>os filetime resolution option</primary></indexterm> <literal>filetime</literal> <literal>resolution</literal> is share-level option. If set to <literal>yes</literal>, Samba will arrange to have the file times rounded to the closest two-second boundary. This option exists primarily to satisfy a quirk in Windows that prevents Visual C++ from correctly recognizing that a file has not changed. You can enable it as follows:</para> + + +<programlisting>[data] + dos filetime resolution = yes</programlisting> + + +<para>We recommend using this option only if you are using Microsoft Visual C++ on a Samba share that supports opportunistic locking.</para> +</sect3> + + + +<sect3 role="" label="8.1.1.5" id="ch08-SECT-1.1.5"> +<title>fake directory create times</title> + + +<para>The <literal>fake</literal> +<indexterm id="ch08-idx-965950-0"><primary>fake directory create times option</primary></indexterm> <literal>directory</literal> <literal>create</literal> <literal>times</literal> option exists to keep PC <emphasis>make</emphasis> programs sane. VFAT and NTFS filesystems record the creation date of a specific directory while Unix does not. Without this option, Samba takes the earliest recorded date it has for the directory (often the last-modified date of a file) and returns it to the client. If this is not sufficient, set the following option under a share definition:</para> + + +<programlisting>[data] + fake directory create times = yes</programlisting> + + +<para>If set, Samba will adjust the directory create time it reports to the hardcoded value January 1st, 1980. This is primarily used to convince the Visual C++ <emphasis>nmake</emphasis> program that any object files in its build directories are indeed younger than the creation date of the directory itself and need to be recompiled.<indexterm id="ch08-idx-965924-0" class="endofrange" startref="ch08-idx-965351-0"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="8.2" id="ch08-79987"> +<title>Magic Scripts</title> + + +<para> +<indexterm id="ch08-idx-965216-0"><primary>magic scripts</primary></indexterm> +<indexterm id="ch08-idx-965216-1"><primary>scripts</primary><secondary>magic</secondary></indexterm>The following options deal with <firstterm>magic scripts</firstterm> on the Samba server. Magic scripts are a method of running programs on Unix and redirecting the output back to the <indexterm id="ch08-idx-965385-0"><primary>SMB (Server Message Block)</primary><secondary>magic scripts</secondary></indexterm>SMB client. These are essentially an experimental hack. However, some users and their programs still rely on these two options for their programs to function correctly. Magic scripts are not widely trusted and their use is highly discouraged by the Samba team. See <link linkend="ch08-33693">Table 8.2</link> for more information.</para> + + +<table label="8.2" id="ch08-33693"> +<title>Networking Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>magic script</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch08-idx-965386-0"><primary>networking</primary><secondary>options</secondary><tertiary>magic script</tertiary></indexterm>string (fully-qualified filename)</para></entry> + +<entry colname="col3"><para>Sets the name of a file to be executed by Samba, as the logged-on user, when closed.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>magic output</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified filename)</para></entry> + +<entry colname="col3"><para>Sets a file to log output from the magic file.</para></entry> + +<entry colname="col4"><para><emphasis>scriptname.out</emphasis></para></entry> + +<entry colname="col5"><para>Share</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="8.2.1" id="ch08-SECT-2.0.1"> +<title>magic script</title> + + +<para>If the <literal>magic</literal> +<indexterm id="ch08-idx-965952-0"><primary>magic script option</primary></indexterm> <literal>script</literal> option is set to a filename and the client creates a file by that name in that share, Samba will run the file as soon as the user has opened and closed it. For example, let's assume that the following option was created in the share <literal>[accounting]</literal>:</para> + + +<programlisting>[accounting] + magic script = tally.sh</programlisting> + + +<para>Samba continually monitors the files in that share. If one by the name of <emphasis>tally.sh</emphasis> is closed (after being opened) by a user, Samba will execute the contents of that file locally. The file will be passed to the shell to execute; it must therefore be a legal Unix shell script. This means that it must have newline characters as line endings instead of Windows CR/LFs. In addition, it helps if you use the <literal>#!</literal> directive at the beginning of the file to indicate under which shell the script should run.</para> +</sect2> + + + + + +<sect2 role="" label="8.2.2" id="ch08-SECT-2.0.2"> +<indexterm id="ch08-idx-965953-0"><primary>magic output option</primary></indexterm> +<title> +magic output</title> + + +<para>This option specifies an output file that the script specified by the <literal>magic</literal> <literal>script</literal> option will send output to. You must specify a filename in a writable directory:</para> + + +<programlisting>[accounting] + magic script = tally.sh + magic output = /var/log/magicoutput</programlisting> + + +<para>If this option is omitted, the default output file is the name of the script (as stated in the <literal>magic</literal> <literal>script</literal> option) with the extension <emphasis>.out</emphasis> appended onto it.<indexterm id="ch08-idx-965526-0" class="endofrange" startref="ch08-idx-965254-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="8.3" id="ch08-91233"> +<title>Internationalization</title> + + +<para> +<indexterm id="ch08-idx-965219-0" class="startofrange"><primary>internationalization</primary></indexterm> +<indexterm id="ch08-idx-965219-1" class="startofrange"><primary>foreign-language characters</primary></indexterm> +<indexterm id="ch08-idx-965219-2" class="startofrange"><primary>localization</primary></indexterm>Samba has a limited ability to speak foreign tongues: if you need to deal with characters that aren't in standard ASCII, some options that can help you are shown in <link linkend="ch08-40870">Table 8.3</link>. Otherwise, you can skip over this section.</para> + + +<table label="8.3" id="ch08-40870"> +<title>Networking Configuration Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>client code page</literal></para></entry> + +<entry colname="col2"><para>Described in this section</para></entry> + +<entry colname="col3"><para>Sets a code page to expect from clients</para></entry> + +<entry colname="col4"><para>850</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>character set</literal></para></entry> + +<entry colname="col2"><para>Described in this section</para></entry> + +<entry colname="col3"><para>Translates code pages into alternate UNIX character sets</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>coding system</literal></para></entry> + +<entry colname="col2"><para>Described in this section</para></entry> + +<entry colname="col3"><para>Translates code page 932 into an Asian character set</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>valid chars</literal></para></entry> + +<entry colname="col2"><para>string (set of characters)</para></entry> + +<entry colname="col3"><para>Obsolete: formerly added individual characters to a code page, and had to be used after setting client code page</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="8.3.1" id="ch08-17721"> +<indexterm id="ch08-idx-965956-0"><primary>client code page option</primary></indexterm> +<title> +client code page</title> + + +<para>The character sets on Windows platforms hark back to the original concept of a <emphasis>code page</emphasis> +<indexterm id="ch08-idx-965388-0"><primary>code pages</primary></indexterm>. These code pages are used by DOS and Windows clients to determine rules for mapping lowercase letters to uppercase letters. Samba can be instructed to use a variety of code pages through the use of the global <literal>client</literal> <literal>code</literal> <literal>page</literal> option in order to match the corresponding code page in use on the client. This option loads a code-page definition file, and can take the values specified in <link linkend="ch08-20815">Table 8.4</link>.</para> + + +<table label="8.4" id="ch08-20815"> +<title>Valid Code Pages with Samba 2.0 </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Code Page</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>437</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch08-idx-965389-0"><primary>Samba</primary><secondary>version 2.0</secondary><tertiary>code pages for</tertiary></indexterm>MS-DOS Latin (United States)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>737</literal></para></entry> + +<entry colname="col2"><para>Windows 95 Greek</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>850</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Latin 1 (Western European)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>852</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Latin 2 (Eastern European)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>861</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Icelandic</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>866</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Cyrillic (Russian)</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>932</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Japanese Shift-JIS</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>936</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Simplified Chinese</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>949</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Korean Hangul</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>950</literal></para></entry> + +<entry colname="col2"><para>MS-DOS Traditional Chinese</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>You can set the client code page as follows:</para> + + +<programlisting>[global] + client code page = 852</programlisting> + + +<para>The default value of this option is 850. You can use the <emphasis>make_smbcodepage</emphasis> tool that comes with Samba (by default in <filename>/usr/local/samba/bin</filename> ) to create your own SMB code pages, in the event that those listed earlier are not sufficient.</para> +</sect2> + + + + + +<sect2 role="" label="8.3.2" id="ch08-SECT-3.0.2"> +<title>character set</title> + + +<para>The global <literal>character</literal> <literal>set</literal> option can be used to convert filenames offered through a DOS code page (see the previous section, <link linkend="ch08-17721">Section 8.3.1</link>) to equivalents that can be represented by Unix character sets other than those in the United States. For example, if you want to convert the Western European MS-DOS character set on the client to a Western European Unix character set on the server, you can use the following in your configuration file:</para> + + +<programlisting>[global] + client code page = 850 + character set = ISO8859-1</programlisting> + + +<para>Note that you must include a <literal>client</literal> <literal>code</literal> <literal>page</literal> option to specify the character set from which you are converting. The valid character sets (and their matching code pages) that Samba 2.0 accepts are listed in <link linkend="ch08-14126">Table 8.5</link>:</para> + + +<table label="8.5" id="ch08-14126"> +<title>Valid Character Sets with Samba 2.0 </title> + +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"><para>Character Set</para></entry> + +<entry colname="col2"><para>Matching Code Page</para></entry> + +<entry colname="col3"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>ISO8859-1</literal></para></entry> + +<entry colname="col2"><para><literal>850</literal> +<indexterm id="ch08-idx-965390-0"><primary>Samba</primary><secondary>version 2.0</secondary><tertiary>character sets</tertiary></indexterm></para></entry> + +<entry colname="col3"><para>Western European Unix</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ISO8859-2</literal></para></entry> + +<entry colname="col2"><para><literal>852</literal></para></entry> + +<entry colname="col3"><para>Eastern European Unix</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ISO8859-5</literal></para></entry> + +<entry colname="col2"><para><literal>866</literal></para></entry> + +<entry colname="col3"><para>Russian Cyrillic Unix</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>KOI8-R</literal></para></entry> + +<entry colname="col2"><para><literal>866</literal></para></entry> + +<entry colname="col3"><para>Alternate Russian Cyrillic Unix</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>Normally, the <literal>character</literal> <literal>set</literal> option is disabled completely.</para> +</sect2> + + + + + +<sect2 role="" label="8.3.3" id="ch08-SECT-3.0.3"> +<title>coding system</title> + + +<para>The <literal>coding</literal> +<indexterm id="ch08-idx-965965-0"><primary>coding system option</primary></indexterm> <literal>system</literal> option is similar to the <literal>character</literal> <literal>set</literal> option. However, its purpose is to determine how to convert a Japanese Shift JIS code page into an appropriate Unix character set. In order to use this option, the <literal>client</literal> <literal>code</literal> <literal>page</literal> option described previously must be set to page 932. The valid coding systems that Samba 2.0 accepts are listed in <link linkend="ch08-57476">Table 8.6</link>.</para> + + +<table label="8.6" id="ch08-57476"> +<title>Valid Coding System Parameters with Samba 2.0 </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Character Set</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>SJIS</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch08-idx-965393-0"><primary>Samba</primary><secondary>version 2.0</secondary><tertiary>coding system parameters</tertiary></indexterm>Standard Shift JIS</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JIS8</literal></para></entry> + +<entry colname="col2"><para>Eight-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J8BB</literal></para></entry> + +<entry colname="col2"><para>Eight-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J8BH</literal></para></entry> + +<entry colname="col2"><para>Eight-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J8@B</literal></para></entry> + +<entry colname="col2"><para>Eight-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J8@J</literal></para></entry> + +<entry colname="col2"><para>Eight-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J8@H</literal></para></entry> + +<entry colname="col2"><para>Eight-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JIS7</literal></para></entry> + +<entry colname="col2"><para>Seven-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J7BB</literal></para></entry> + +<entry colname="col2"><para>Seven-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J7BH</literal></para></entry> + +<entry colname="col2"><para>Seven-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J7@B</literal></para></entry> + +<entry colname="col2"><para>Seven-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J7@J</literal></para></entry> + +<entry colname="col2"><para>Seven-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>J7@H</literal></para></entry> + +<entry colname="col2"><para>Seven-bit JIS codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JUNET</literal></para></entry> + +<entry colname="col2"><para>JUNET codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JUBB</literal></para></entry> + +<entry colname="col2"><para>JUNET codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JUBH</literal></para></entry> + +<entry colname="col2"><para>JUNET codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JU@B</literal></para></entry> + +<entry colname="col2"><para>JUNET codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JU@J</literal></para></entry> + +<entry colname="col2"><para>JUNET codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>JU@H</literal></para></entry> + +<entry colname="col2"><para>JUNET codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>EUC</literal></para></entry> + +<entry colname="col2"><para>EUC codes</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>HEX</literal></para></entry> + +<entry colname="col2"><para>Three-byte hexidecimal code</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>CAP</literal></para></entry> + +<entry colname="col2"><para>Three-byte hexidecimal code (Columbia Appletalk Program)</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect2> + + + + + +<sect2 role="" label="8.3.4" id="ch08-SECT-3.0.4"> +<title>valid chars</title> + + +<para>The <literal>valid</literal> +<indexterm id="ch08-idx-965969-0"><primary>valid chars option</primary></indexterm> <literal>chars</literal> option is an older Samba feature that will add individual characters to a code page. However, this option is being phased out in favor of more modern coding systems. You can use this option as follows:</para> + + +<programlisting>valid chars = Î +valid chars = 0450:0420 0x0A20:0x0A00 +valid chars = A:a</programlisting> + + +<para>Each of the characters in the list specified should be separated by spaces. If there is a colon between two characters or their numerical equivalents, the data to the left of the colon is considered an uppercase character, while the data to the right is considered the lowercase character. You can represent characters both by literals (if you can type them) and by octal, hexidecimal, or decimal Unicode equivalents.</para> + + +<para>We recommend against using this option. Instead, go with one of the standard code pages listed earlier in this section. If you do use this option, however, it must be listed after the <literal>client</literal> <literal>code</literal> <literal>page</literal> to which you wish to add the character. Otherwise, the characters will not be added.<indexterm id="ch08-idx-965533-0" class="endofrange" startref="ch08-idx-965219-0"/> +<indexterm id="ch08-idx-965533-1" class="endofrange" startref="ch08-idx-965219-1"/> +<indexterm id="ch08-idx-965533-2" class="endofrange" startref="ch08-idx-965219-2"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="8.4" id="ch08-82569"> +<title>WinPopup Messages</title> + + +<para> +<indexterm id="ch08-idx-965227-0"><primary>WinPopup tool</primary></indexterm> +<indexterm id="ch08-idx-965227-1"><primary>Windows 95/98</primary><secondary>WinPopup tool</secondary></indexterm> +<indexterm id="ch08-idx-965227-2"><primary>messages</primary><secondary>WinPopup</secondary></indexterm>You can use the WinPopup tool (<filename>WINPOPUP.EXE </filename> ) in Windows to send messages to users, machines, or entire workgroups on the network. This tool is provided with Windows 95 OSR2 and comes standard with Windows 98. With either Windows 95 or 98, however, you need to be running WinPopup to receive and send WinPopup messages. With Windows NT, you can still receive messages without starting such a tool; they will automatically appear in a small dialog box on the screen when received. The WinPopup application is shown in <link linkend="ch08-66444">Figure 8.1</link>.</para> + + +<figure label="8.1" id="ch08-66444"> +<title>The WinPopup application</title> + +<graphic width="502" depth="360" fileref="figs/sam.0801.gif"></graphic> +</figure> + +<para>Samba has a single WinPopup messaging option, <literal>message</literal> <literal>command</literal>, as shown in <link linkend="ch08-18671">Table 8.7</link>.</para> + + +<table label="8.7" id="ch08-18671"> +<title>WinPopup Configuration Option </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameter</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>message command</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch08-idx-965394-0"><primary>Unix</primary><secondary>options</secondary><tertiary sortas="messaging">for messaging</tertiary></indexterm> +<indexterm id="ch08-idx-965394-1"><primary>locks/locking files</primary><secondary>messaging option for</secondary></indexterm> +<indexterm id="ch08-idx-965394-2"><primary>oplocks</primary><secondary>messaging option for</secondary></indexterm>string (fully-qualified pathname)</para></entry> + +<entry colname="col3"><para>Sets a command to run on Unix when a WinPopup message is received.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="8.4.1" id="ch08-SECT-4.0.1"> +<title>message command</title> + + +<para>Samba's <literal>message</literal> +<indexterm id="ch08-idx-965971-0"><primary>message command option</primary></indexterm> <literal>command</literal> option sets the path to a program that will run on the server when a Windows popup message arrives at the server. The command will be executed using the <literal>guest</literal> <literal>account</literal> user. What to do with one of these is questionable since it's probably for the Samba administrator, and Samba doesn't know his or her name. If you know there's a human using the console, the Samba team once suggested the following:</para> + + +<programlisting>[global] + message command = /bin/csh -c 'xedit %s; rm %s' &</programlisting> + + +<para>Note the use of variables here. The <literal>%s</literal> variable will become the file that the message is in. This file should be deleted when the command is finished with it; otherwise, there will be a buildup of pop-up files collecting on the Samba server. In addition, the command must fork its own process (note the & after the command); otherwise the client may suspend and wait for notification that the command was sent successfully before continuing.</para> + + +<para>In addition to the standard variables, <link linkend="ch08-29758">Table 8.8</link> shows the three unique variables that you can use in a <literal>message</literal> <literal>command</literal>.</para> + + +<table label="8.8" id="ch08-29758"> +<title>Message Command Variables </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Variable</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>%s</literal></para></entry> + +<entry colname="col2"><para>The name of the file in which the message resides</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%</literal>f</para></entry> + +<entry colname="col2"><para>The name of the client that sent the message</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>%t</literal></para></entry> + +<entry colname="col2"><para>The name of the machine that is the destination of the message</para></entry> + +</row> + +</tbody> +</tgroup> +</table> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="8.5" id="ch08-SECT-5"> +<title>Recently Added Options</title> + + +<para> +<indexterm id="ch08-idx-965236-0"><primary>Samba</primary><secondary>version 2.0</secondary><tertiary>new options</tertiary></indexterm>Samba has several options that appeared around the time of Samba 2.0, but are not entirely supported. However, we will give you a brief overview of their workings in this section. These options are shown in <link linkend="ch08-72538">Table 8.9</link>.</para> + + +<table label="8.9" id="ch08-72538"> +<title>Recently Added Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>change notify timeout</literal></para></entry> + +<entry colname="col2"><para>numerical (number of seconds)</para></entry> + +<entry colname="col3"><para>Sets the interval between checks when a client asks to wait for a change in a specified directory.</para></entry> + +<entry colname="col4"><para><literal>60</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>machine password timeout</literal></para></entry> + +<entry colname="col2"><para>numerical (number of seconds)</para></entry> + +<entry colname="col3"><para>Sets the renewal interval for NT domain machine passwords.</para></entry> + +<entry colname="col4"><para><literal>604,800</literal> (1 week )</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>stat cache</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, Samba will cache recent name mappings.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>stat cache size</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Sets the size of the stat cache.</para></entry> + +<entry colname="col4"><para><literal>50</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="8.5.1" id="ch08-SECT-5.0.1"> +<title>change notify timeout</title> + + +<para>The <literal>change</literal> +<indexterm id="ch08-idx-965973-0"><primary>change notify timeout option</primary></indexterm> <literal>notify</literal> <literal>timeout</literal> global option emulates a Windows NT SMB feature called <firstterm>change notification</firstterm> +<indexterm id="ch08-idx-965415-0"><primary>change notification, new option for (Samba version 2.0)</primary></indexterm>. This allows a client to request that a Windows NT server periodically monitor a specific directory on a share for any changes. If any changes occur, the server will notify the client.</para> + + +<para>As of version 2.0, Samba will perform this function for its clients. However, performing these checks too often can slow the server down considerably. This option sets the time period that Samba should wait between such checks. The default is one minute (60 seconds); however, you can use this option to specify an alternate time that Samba should wait between performing checks:</para> + + +<programlisting>[global] + change notify timeout = 30</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.5.2" id="ch08-SECT-5.0.2"> +<title>machine password timeout</title> + + +<para>The <literal>machine</literal> +<indexterm id="ch08-idx-965974-0"><primary>machine password timeout option</primary></indexterm> <literal>password</literal> <literal>timeout</literal> global option sets a retention period for NT <indexterm id="ch08-idx-965417-0"><primary>domains</primary><secondary>new option for password timeout (Samba version 2.0)</secondary></indexterm> +<indexterm id="ch08-idx-965417-1"><primary>Windows NT</primary><secondary>passwords</secondary><tertiary>new option for timeout (Samba version 2.0)</tertiary></indexterm>domain machine passwords. The default is currently set to the same time period that Windows NT 4.0 uses: 604,800 seconds (one week). Samba will periodically attempt to change the <firstterm>machine account password</firstterm>, which is a password used specifically by another server to report changes to it. This option specifies the number of seconds that Samba should wait before attempting to change that password. The following example changes it to a single day, by specifying the following:</para> + + +<programlisting>[global] + machine password timeout = 86400</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.5.3" id="ch08-SECT-5.0.3"> +<title>stat cache</title> + + +<para>The <literal>stat</literal> +<indexterm id="ch08-idx-965977-0"><primary>stat cache option</primary></indexterm> <literal>cache</literal> global option turns on caching of recent case-insensitive name mappings. The default is <literal>yes</literal>. The Samba team recommends that you never change this parameter.</para> +</sect2> + + + + + +<sect2 role="" label="8.5.4" id="ch08-SECT-5.0.4"> +<title>stat cache size</title> + + +<para> +<indexterm id="ch08-idx-965418-0"><primary>cache size, new option for (Samba version 2.0)</primary></indexterm>The <literal>stat</literal> +<indexterm id="ch08-idx-965978-0"><primary>stat cache size option</primary></indexterm> <literal>cache</literal> <literal>size</literal> global option sets the size of the cache entries to be used for the <literal>stat</literal> <literal>cache</literal> option. The default here is 50. Again, the Samba team recommends that you never change this parameter.</para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="8.6" id="ch08-70923"> +<title>Miscellaneous Options</title> + + +<para> +<indexterm id="ch08-idx-965426-0"><primary>operating systems</primary><secondary>miscellaneous options for</secondary></indexterm> +<indexterm id="ch08-idx-965426-1"><primary>Windows 95/98</primary><secondary>miscellaneous options for</secondary></indexterm> +<indexterm id="ch08-idx-965426-2"><primary>Unix</primary><secondary>options</secondary><tertiary>miscellaneous</tertiary></indexterm>Many Samba options are present to deal with operating system issues on either Unix or Windows. The options shown in <link linkend="ch08-83566">Table 8.10</link> deal specifically with some of these known problems. We usually don't change these and we recommend the same to you.</para> + + +<table label="8.10" id="ch08-83566"> +<title>Miscellaneous Options </title> + +<tgroup cols="5"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<colspec colnum="4" colname="col4"/> +<colspec colnum="5" colname="col5"/> +<thead> +<row> + +<entry colname="col1"><para>Option</para></entry> + +<entry colname="col2"><para>Parameters</para></entry> + +<entry colname="col3"><para>Function</para></entry> + +<entry colname="col4"><para>Default</para></entry> + +<entry colname="col5"><para>Scope</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><literal>deadtime</literal></para></entry> + +<entry colname="col2"><para> +<indexterm id="ch08-idx-965429-0" class="startofrange"><primary>bug avoidance options</primary></indexterm>numerical (<indexterm id="ch08-idx-965437-0" class="startofrange"><primary>bug avoidance options</primary><secondary>list of</secondary></indexterm>number of minutes)</para></entry> + +<entry colname="col3"><para>Specifies the number of minutes of inactivity before a connection should be terminated.</para></entry> + +<entry colname="col4"><para><literal>0</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>dfree command</literal></para></entry> + +<entry colname="col2"><para>string (command)</para></entry> + +<entry colname="col3"><para>Used to provide a command that returns disk free space in a format recognized by Samba.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>fstype</literal></para></entry> + +<entry colname="col2"><para><literal>NTFS</literal>, <literal>FAT</literal>, or <literal>Samba</literal></para></entry> + +<entry colname="col3"><para>Sets the filesystem type reported by the server to the client.</para></entry> + +<entry colname="col4"><para><literal>NTFS</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>keep alive</literal></para></entry> + +<entry colname="col2"><para>seconds</para></entry> + +<entry colname="col3"><para>Sets the number of seconds between checks for an inoperative client.</para></entry> + +<entry colname="col4"><para>(none)</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max disk size</literal></para></entry> + +<entry colname="col2"><para>numerical (size in MB)</para></entry> + +<entry colname="col3"><para>Sets the largest disk size to return to a client, some of which have limits. Does not affect actual operations on the disk.</para></entry> + +<entry colname="col4"><para>(infinity)</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max mux</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Sets the maximum number of simultaneous SMB operations that clients may make.</para></entry> + +<entry colname="col4"><para><literal>50</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max open files</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Limits number of open files to be below Unix limits.</para></entry> + +<entry colname="col4"><para><literal>10,000</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>max xmit</literal></para></entry> + +<entry colname="col2"><para>numerical</para></entry> + +<entry colname="col3"><para>Specifies the maximum packet size that Samba will send.</para></entry> + +<entry colname="col4"><para><literal>65,535</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>nt pipe support</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Turns off an experimental NT feature, for benchmarking or in case of an error.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>nt smb support</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Turns off an experimental NT feature, for benchmarking or in case of an error.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>ole locking compatib-ility</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>Remaps out-of-range lock requests used on Windows to fit in allowable range on Unix. Turning it off causes Unix lock errors.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>panic action</literal></para></entry> + +<entry colname="col2"><para>command</para></entry> + +<entry colname="col3"><para>Program to run if Samba server fails; for debugging.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>set directory</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, allows VMS clients to issue <literal>set</literal> <literal>dir</literal> commands.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>smbrun</literal></para></entry> + +<entry colname="col2"><para>string (fully-qualified command)</para></entry> + +<entry colname="col3"><para>Sets the command Samba uses as a wrapper for shell commands.</para></entry> + +<entry colname="col4"><para>None</para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>status</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, allows Samba to monitor status for <literal>smbstatus</literal> command.</para></entry> + +<entry colname="col4"><para><literal>yes</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>strict sync</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>no</literal>, ignores Windows applications requests to perform a sync-to-disk.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>sync always</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, forces all client writes to be committed to disk before returning from the call.</para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><literal>strip dot</literal></para></entry> + +<entry colname="col2"><para>boolean</para></entry> + +<entry colname="col3"><para>If <literal>yes</literal>, strips trailing dots from Unix filenames.<indexterm id="ch08-idx-965441-0" class="endofrange" startref="ch08-idx-965437-0"/></para></entry> + +<entry colname="col4"><para><literal>no</literal></para></entry> + +<entry colname="col5"><para>Global</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<sect2 role="" label="8.6.1" id="ch08-SECT-6.0.1"> +<indexterm id="ch08-idx-965979-0"><primary>deadtime option</primary></indexterm> +<title> +deadtime</title> + + +<para>This global option sets the number of minutes that Samba will wait for an inactive client before closing its session with the Samba server. A client is considered inactive when it has no open files and there is no data being sent from it. The default value for this option is 0, which means that Samba never closes any connections no matter how long they have been inactive. You can override it as follows:</para> + + +<programlisting>[global] + deadtime = 10</programlisting> + + +<para>This tells Samba to terminate any inactive client sessions after 10 minutes. For most networks, setting this option as such will work because reconnections from the client are generally performed transparently to the user.</para> +</sect2> + + + + + +<sect2 role="" label="8.6.2" id="ch08-SECT-6.0.2"> +<indexterm id="ch08-idx-965980-0"><primary>dfree command option</primary></indexterm> +<title> +dfree command</title> + + +<para> +<indexterm id="ch08-idx-965466-0"><primary>free space on disk, option for</primary></indexterm>This global option is used on systems that incorrectly determine the free space left on the disk. So far, the only confirmed system that needs this option set is Ultrix. There is no default value for this option, which means that Samba already knows how to compute the free disk space on its own and the results are considered reliable. You can override it as follows:</para> + + +<programlisting>[global] + dfree command = /usr/local/bin/dfree</programlisting> + + +<para>This option should point to a script that should return the total disk space in a block, and the number of available blocks. The Samba documentation recommends the following as a usable script:</para> + + +<programlisting>#!/bin/sh +df $1 | tail -1 | awk '{print $2" "$4}'</programlisting> + + +<para>On System V machines, the following will work:</para> + + +<programlisting>#!/bin/sh +/usr/bin/df $1 | tail -1 | awk '{print $3" "$5}'</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.3" id="ch08-SECT-6.0.3"> +<indexterm id="ch08-idx-965983-0"><primary>fstype option</primary></indexterm> +<title> +fstype</title> + + +<para>This share-level option sets the type of <indexterm id="ch08-idx-965467-0"><primary>filesystems</primary><secondary>reporting on by Samba, option for</secondary></indexterm>filesystem that Samba reports when queried by the client. There are three strings that can be used as a value to this configuration option, as listed in <link linkend="ch08-80519">Table 8.11</link>.</para> + + +<table label="8.11" id="ch08-80519"> +<title>Filesystem Types </title> + +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Variable</para></entry> + +<entry colname="col2"><para>Definition</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>NTFS</para></entry> + +<entry colname="col2"><para> +<indexterm id="ch08-idx-965468-0"><primary>filesystems</primary><secondary>types</secondary></indexterm>Microsoft Windows NT filesystem</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>FAT</para></entry> + +<entry colname="col2"><para>DOS FAT filesystem</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>Samba</para></entry> + +<entry colname="col2"><para>Samba filesystem</para></entry> + +</row> + +</tbody> +</tgroup> +</table> + + +<para>The default value for this option is <literal>NTFS</literal>, which represents a Windows NT filesystem. There probably isn't a need to specify any other type of filesystem. However, if you need to, you can override it per share as follows:</para> + + +<programlisting>[data] + fstype = FAT</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.4" id="ch08-SECT-6.0.4"> +<title>keep alive</title> + + +<para> +<indexterm id="ch08-idx-965469-0"><primary>keep-alive packets, option for</primary></indexterm>This global option specifies the number of seconds that Samba waits between sending NetBIOS <emphasis>keep-alive packets</emphasis>. These packets are used to ping a client to detect whether it is still alive and on the network. The default value for this option is <literal>0</literal>, which means that Samba will not send any such packets at all. You can override it as follows:</para> + + +<programlisting>[global] + keep alive = 10</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.5" id="ch08-SECT-6.0.5"> +<indexterm id="ch08-idx-965985-0"><primary>max disk size option</primary></indexterm> +<title> +max disk size</title> + + +<para> +<indexterm id="ch08-idx-965470-0"><primary>disk shares</primary><secondary>maximum size of, option for</secondary></indexterm>This global option specifies an illusory limit, in megabytes, for each of the shares that Samba is using. You would typically set this option to prevent clients with older operating systems from incorrectly processing large disk spaces, such as those over one gigabyte.</para> + + +<para>The default value for this option is <literal>0</literal>, which means there is no upper limit at all. You can override it as follows:</para> + + +<programlisting>[global] + max disk size = 1000</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.6" id="ch08-SECT-6.0.6"> +<indexterm id="ch08-idx-965986-0"><primary>max mux option</primary></indexterm> +<title> +max mux</title> + + +<para> +<indexterm id="ch08-idx-965471-0"><primary>SMB (Server Message Block)</primary><secondary>maximum number of operations, option for</secondary></indexterm>This global option specifies the maximum number of concurrent SMB operations that Samba allows. The default value for this option is <literal>50</literal>. You can override it as follows:</para> + + +<programlisting>[global] + max mux = 100</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.7" id="ch08-SECT-6.0.7"> +<indexterm id="ch08-idx-965987-0"><primary>max open files option</primary></indexterm> +<title> +max open files</title> + + +<para> +<indexterm id="ch08-idx-965478-0"><primary>files</primary><secondary>open, option for maximum number of</secondary></indexterm>This global option specifies the maximum number of open files that Samba should allow at any given time for all processes. This value must be equal to or less than the amount allowed by the operating system, which varies from system to system. The default value for this option is <literal>10,000</literal>. You can override it as follows:</para> + + +<programlisting>[global] + max open files = 8000</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.8" id="ch08-SECT-6.0.8"> +<indexterm id="ch08-idx-965988-0"><primary>max xmit option</primary></indexterm> +<title> +max xmit</title> + + +<para> +<indexterm id="ch08-idx-965482-0"><primary>packets</primary><secondary>maximum size of, option for</secondary></indexterm>This global option sets the maximum size of packets that Samba exchanges with a client. In some cases, setting a smaller maximum packet size can increase performance, especially with Windows for Workgroups. The default value for this option is <literal>65535</literal>. You can override it as follows:</para> + + +<programlisting>[global] + max xmit = 4096</programlisting> + + +<para><link linkend="appb-19919">Section 2.2.2.6</link> in <link linkend="SAMBA-AP-B">Appendix B</link>," shows some uses for this option.</para> +</sect2> + + + + + +<sect2 role="" label="8.6.9" id="ch08-SECT-6.0.9"> +<indexterm id="ch08-idx-965989-0"><primary>nt pipe support option</primary></indexterm> +<title> +nt pipe support</title> + + +<para> +<indexterm id="ch08-idx-965483-0"><primary>Windows NT</primary><secondary>pipes, option for</secondary></indexterm>This global option is used by developers to allow or disallow Windows NT clients the ability to make connections to the NT SMB-specific IPC$ pipes. As a user, you should never need to override the default:</para> + + +<programlisting>[global] + nt pipe support = yes</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.10" id="ch08-SECT-6.0.10"> +<indexterm id="ch08-idx-965990-0"><primary>nt smb support option</primary></indexterm> +<title> +nt smb support</title> + + +<para> +<indexterm id="ch08-idx-965484-0"><primary>Windows NT</primary><secondary>SMB, option for</secondary></indexterm> +<indexterm id="ch08-idx-965484-1"><primary>SMB (Server Message Block)</primary><secondary>option for NT-specific options</secondary></indexterm>This global option is used by developers to negotiate NT-specific SMB options with Windows NT clients. The Samba team has discovered that slightly better performance comes from setting this value to <literal>no</literal>. However, as a user, you should probably not override the default:</para> + + +<programlisting>[global] + nt smb support = yes</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.11" id="ch08-SECT-6.0.11"> +<indexterm id="ch08-idx-965991-0"><primary>ole locking compatibility option</primary></indexterm> +<title> +ole locking compatibility</title> + + +<para>This global option turns off Samba's internal byte-range locking manipulation in files, which gives compatibility with Object Linking and Embedding (OLE) applications that use high byte-range locks as a method of interprocess communication. The default value for this option is <literal>yes</literal>. If you trust your Unix locking mechanisms, you can override it as follows:</para> + + +<programlisting>[global] + ole locking compatibility = no</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.12" id="ch08-SECT-6.0.12"> +<indexterm id="ch08-idx-965992-0"><primary>panic action option</primary></indexterm> +<title> +panic action</title> + + +<para> +<indexterm id="ch08-idx-965492-0"><primary>fatal error, option for</primary></indexterm>This global option specifies a command to execute in the event that Samba itself encounters a fatal error when loading or running. There is no default value for this option. You can specify an action as follows:</para> + + +<programlisting>[global] + panic action = /bin/csh -c + 'xedit < "Samba has shutdown unexpectedly!'</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.13" id="ch08-SECT-6.0.13"> +<indexterm id="ch08-idx-965993-0"><primary>set directory option</primary></indexterm> +<title> +set directory</title> + + +<para>This boolean share-level option allows <indexterm id="ch08-idx-965497-0"><primary>Digital Pathworks clients, option for</primary></indexterm>Digital Pathworks clients to use the <literal>setdir</literal> command to change directories on the server. If you are not using the Digital Pathworks client, you should not need to alter this option. The default value for this option is <literal>no</literal>. You can override it per share as follows:</para> + + +<programlisting>[data] + set directory = yes</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.14" id="ch08-SECT-6.0.14"> +<indexterm id="ch08-idx-965994-0"><primary>smbrun option</primary></indexterm> +<title> +smbrun</title> + + +<para>This option sets the location of the <emphasis>smbrun</emphasis> executable, which Samba uses as a wrapper to run shell commands. The default value for this option is automatically configured by Samba when it is compiled. If you did not install Samba to the standard directory, you can specify where the binary is as follows:</para> + + +<programlisting>[global] + smbrun = /usr/local/bin/smbrun</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.15" id="ch08-SECT-6.0.15"> +<indexterm id="ch08-idx-965995-0"><primary>status option</primary></indexterm> +<title> +status</title> + + +<para>This global option indicates whether Samba should log all <indexterm id="ch08-idx-965499-0"><primary>active connections, option for</primary></indexterm> +<indexterm id="ch08-idx-965499-1"><primary>connections</primary><secondary>active, option for</secondary></indexterm>active connections to a status file. This file is used only by the <emphasis>smbstatus</emphasis> command. If you have no intentions of using this command, you can set this option to <literal>no</literal>, which can result in a small increase of speed on the server. The default value for this option is <literal>yes</literal>. You can override it as follows:</para> + + +<programlisting>[global] + status = no</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.16" id="ch08-SECT-6.0.16"> +<indexterm id="ch08-idx-965996-0"><primary>strict sync option</primary></indexterm> +<title> +strict sync</title> + + +<para>This share-level option determines whether Samba honors all requests to perform a <indexterm id="ch08-idx-965500-0"><primary>disk sync, options for</primary></indexterm>disk sync when requested to do so by a client. Many clients request a disk sync when they are really just trying to flush data to their own open files. As a result, this can substantially slow a Samba server down. The default value for this option is <literal>no</literal>. You can override it as follows:</para> + + +<programlisting>[data] + strict sync = yes</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.17" id="ch08-SECT-6.0.17"> +<indexterm id="ch08-idx-965997-0"><primary>sync always option</primary></indexterm> +<title> +sync always</title> + + +<para>This share-level option decides whether every write to disk should be followed by a disk synchronization before the write call returns control to the client. Even if the value of this option is <literal>no</literal>, clients can request a disk synchronization; see the <literal>strict</literal> <literal>sync</literal> option above. The default value for this option is <literal>no</literal>. You can override it per share as follows:</para> + + +<programlisting>[data] + sync always = yes</programlisting> +</sect2> + + + + + +<sect2 role="" label="8.6.18" id="ch08-SECT-6.0.18"> +<indexterm id="ch08-idx-965998-0"><primary>strip dot option</primary></indexterm> +<title> +strip dot</title> + + +<para>This global option determines whether to remove the <indexterm id="ch08-idx-965502-0"><primary>trailing dot, option for</primary></indexterm> +<indexterm id="ch08-idx-965502-1"><primary>filenames</primary><secondary>Unix, option for</secondary></indexterm> +<indexterm id="ch08-idx-965502-2"><primary>Unix</primary><secondary>filenames, option for</secondary></indexterm>trailing dot from Unix filenames that are formatted with a dot at the end. The default value for this option is <literal>no</literal>. You can override it per share as follows:</para> + + +<programlisting>[global] + strip dot = yes</programlisting> + + +<para>This option is now considered obsolete; the user should use the <literal>mangled</literal> <literal>map</literal> option insead.<indexterm id="ch08-idx-965454-0" class="endofrange" startref="ch08-idx-965429-0"/></para> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="8.7" id="ch08-74829"> +<title>Backups with smbtar</title> + + +<para> +<indexterm id="ch08-idx-965244-0" class="startofrange"><primary>smbtar program</primary></indexterm> +<indexterm id="ch08-idx-965244-1" class="startofrange"><primary>backups, with smbtar program</primary></indexterm>Our final topic in this chapter is the <filename>smbtar</filename> tool. One common problem with modem PCs is that floppies and even CD-ROMs are often too small to use for backups. However, buying one tape drive per machine would also be silly. Consequently, many sites don't back up their PCs at all. Instead, they reinstall them using floppy disks and CD-ROMs when they fail.</para> + + +<para>Thankfully, Samba provides us with another option: you can back up PCs' data using the <filename>smbtar</filename> tool. This can be done on a regular basis if you keep user data on your Samba system, or only occasionally, to save the local applications and configuration files and thus make repairs and reinstallations quicker.</para> + + +<para>To back up PCs from a <indexterm id="ch08-idx-965519-0"><primary>Unix</primary><secondary>servers, backing up computers from</secondary></indexterm>Unix server, you need to do three things:</para> + + +<orderedlist> +<listitem><para>Ensure that File and Printer Sharing is installed on the PC and is bound to the TCP/IP protocol.</para></listitem> +<listitem><para>Explicitly share a disk on the PC so it can be read from the server.</para></listitem> +<listitem><para>Set up the backup scripts on the server.</para></listitem> +</orderedlist> + +<para>We'll use Windows 95/98 to illustrate the first two steps. Go to the Networking icon in the Control Panel window, and check that <indexterm id="ch08-idx-965520-0"><primary sortas="File and Printer Sharing for Microsoft Networks">"File and Printer Sharing for Microsoft Networks"</primary></indexterm>File and Printer Sharing for Microsoft Networks is currently listed in the top window, as shown in <link linkend="ch08-18303">Figure 8.2</link>.</para> + + +<figure label="8.2" id="ch08-18303"> +<title>The Networking window</title> + +<graphic width="502" depth="368" fileref="figs/sam.0802.gif"></graphic> +</figure> + +<para>If "File and printer sharing for Microsoft Networks" isn't installed, you can install it by clicking on the Add button on the Network panel. After pressing it, you will be asked what service to add. Select Service and move forward, and you will be asked for a vendor and a service to install. Finally, select "File and printer sharing for Microsoft Networks," and click on Done to install the service.</para> + + +<para>Once you've installed "File and printer sharing for Microsoft Networks," return to the Network panel and select the TCP/IP protocol that is tied to your Samba network adapter. Then, click on the Properties button and choose the Bindings tab at the top. You should see a dialog box similar to <link linkend="ch08-41042">Figure 8.3</link>. Here, you'll need to verify that the "File and Printer Sharing" checkbox is checked, giving it access to TCP/IP. At this point you can share disks with other machines on the net.</para> + + +<figure label="8.3" id="ch08-41042"> +<title>TCP/IP Bindings</title> + +<graphic width="502" depth="248" fileref="figs/sam.0803.gif"></graphic> +</figure> + +<para>The next step is to share the disk you want to back up with the tape server. Go to My Computer and select, for example, the My Documents directory. Then right-click on the icon and select its Properties. This should yield the dialog box in <link linkend="ch08-64918">Figure 8.4</link>.</para> + + +<figure label="8.4" id="ch08-64918"> +<title>My Documents Properties</title> + +<graphic width="502" depth="352" fileref="figs/sam.0804.gif"></graphic> +</figure> + +<para>Select the Sharing tab and turn file sharing on. You now have the choice to share the disk as read-only, read-write (Full), or either, each with separate password. This is the Windows 95/98 version, so it provides only share-level security. In this example, we made it read/write and set a password, as shown in <link linkend="ch08-29192">Figure 8.5</link>. When you enter the password and click on OK, you'll be prompted to re-enter it. After that, you have finished the second step.</para> + + +<figure label="8.5" id="ch08-29192"> +<title>MyFiles Properties as shared</title> + +<graphic width="502" depth="374" fileref="figs/sam.0805.gif"></graphic> +</figure> + +<para>Finally, the last step is to set up a backup script on the tape server, using the <filename>smbtar</filename> program. The simplest script might contain only a single line and would be something like the following:</para> + + +<programlisting>smbtar -s client -t /dev/rst0 -x "My Documents" -p <replaceable>password</replaceable></programlisting> + + +<para>This unconditionally backs up the <emphasis>//client/My Documents</emphasis> share to the device <filename>/dev/rst0</filename>. Of course, this is excessively simple and quite insecure. What you will want to do will depend on your existing backup scheme.</para> + + +<para>However, to whet your appetite, here are some possibilities of what <filename>smbtar</filename> can do:</para> + + +<itemizedlist> +<listitem><para>Back up files incrementally using the DOS archive bit (the <literal>-i</literal> option). This requires the client share to be accessed read-write so the bit can be cleared by <filename>smbtar</filename></para></listitem> +<listitem><para>Back up only files that have changed since a specified date (using the <literal>-N</literal> <replaceable>filename </replaceable>option)</para></listitem> +<listitem><para>Back up entire PC drives, by sharing all of C: or D:, for example, and backing that up</para></listitem> +</itemizedlist> + +<para>Except for the first example, each of these can be done with the PC sharing set to read-only, reducing the security risk of having passwords in scripts and passing them on the command line.<indexterm id="ch08-idx-965514-0" class="endofrange" startref="ch08-idx-965244-0"/> +<indexterm id="ch08-idx-965514-1" class="endofrange" startref="ch08-idx-965244-1"/></para> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/ch09.xml b/docs-xml/using_samba/ch09.xml new file mode 100644 index 0000000000..7399acf011 --- /dev/null +++ b/docs-xml/using_samba/ch09.xml @@ -0,0 +1,2013 @@ +<chapter label="9" id="SAMBA-CH-9"> +<title>Troubleshooting Samba</title> + + + + +<para> +<indexterm id="ch09-idx-953453-0" class="startofrange"><primary>troubleshooting</primary></indexterm>Samba is extremely robust. Once you've got everything set up the way you want, you'll probably forget that it is running. When trouble occurs, it's typically during installation or when you're trying to add something new to the server. Fortunately, there are a wide variety of resources that you can use to diagnose these troubles. While we can't describe in detail the solution to every problem that you might encounter, you should be able to get a good start at a resolution by following the advice given in this chapter.</para> + + +<para>The first section of the chapter lists the tool bag, a collection of tools available for troubleshooting Samba; the second section is a detailed how-to, and the last section lists extra resources you may need to track down particularly stubborn problems.</para> + + + + + + + + + + + +<sect1 role="" label="9.1" id="ch09-36385"> +<title>The Tool Bag</title> + + +<para> +<indexterm id="ch09-idx-953455-0"><primary>troubleshooting</primary><secondary>where to start</secondary></indexterm>Sometimes Unix seems to be made up of a handful of applications and tools. There are tools to troubleshoot tools. And of course, there are several ways to accomplish the same task. When you are trying to solve a problem related to Samba, a good plan of attack is to check the following:</para> + + +<orderedlist> +<listitem><para>Samba logs</para></listitem> +<listitem><para>Fault tree</para></listitem> +<listitem><para>Unix utilities</para></listitem> +<listitem><para>Samba test utilities</para></listitem> +<listitem><para>Documentation and FAQs</para></listitem> +<listitem><para>Searchable archives</para></listitem> +<listitem><para>Samba newsgroups</para></listitem> +</orderedlist> + +<para>Let's go over each of these one by one in the following sections.</para> + + +<sect2 role="" label="9.1.1" id="ch09-SECT-1.1"> +<title>Samba Logs</title> + + +<para> +<indexterm id="ch09-idx-953456-0" class="startofrange"><primary>log files/logging</primary><secondary>troubleshooting from</secondary></indexterm>Your first line of attack should always be to check the log files. The Samba log files can help diagnose the vast majority of the problems that beginning to intermediate Samba administrators are likely to face. Samba is quite flexible when it comes to logging. You can set up the server to log as little or as much as you want. Substitution variables that allow you to isolate individual logs for each machine, share, or combination thereof.</para> + + +<para>By default, logs are placed in <replaceable>samba_directory</replaceable><emphasis>/var/smbd.log</emphasis> and <replaceable>samba_directory</replaceable><emphasis>/var/nmbd.log</emphasis>, where <literal>samba_directory</literal> is the location where Samba was installed (typically, <filename>/usr/local/samba</filename>). As we mentioned in <link linkend="ch04-21486">Chapter 4</link>, you can override the location and name using the <literal>log</literal> <literal>file</literal> configuration option in <filename>smb.conf</filename>. This option accepts all of the substitution variables mentioned in <link linkend="SAMBA-CH-2">Chapter 2</link>, so you could easily have the server keep a separate log for each connecting client by specifying the following in the <literal>[global]</literal> section of <filename>smb.conf </filename>:</para> + + +<programlisting>log file = %m.log</programlisting> + + +<para>Alternatively, you can specify a log directory to use with the <literal>-l</literal> flag on the command line. For example:</para> + + +<programlisting>smbd -l /usr/local/var/samba</programlisting> + + +<para>Another useful trick is to have the server keep a log for each service (share) that is offered, especially if you suspect a particular share is causing trouble. Use the <literal>%S</literal> variable to set this up in the <literal>[global]</literal> section of the configuration file:</para> + + +<programlisting>log file = %S.log</programlisting> + + +<sect3 role="" label="9.1.1.1" id="ch09-28969"> +<title>Log levels</title> + + +<para> +<indexterm id="ch09-idx-953457-0" class="startofrange"><primary>log files/logging</primary><secondary>levels of</secondary><tertiary>setting</tertiary></indexterm>The level of logging that Samba uses can be set in the <filename>smb.conf</filename> file using the global <literal>log</literal> +<indexterm id="ch09-idx-954135-0"><primary>log level option</primary></indexterm> +<indexterm id="ch09-idx-954135-1"><primary>debug level option</primary></indexterm> <literal>level</literal> or <literal>debug</literal> <literal>level</literal> option; they are equivalent. The logging level is an integer which ranges from 0 (no logging), and increases the logging to voluminous by <literal>log</literal> <literal>level</literal> <literal>=</literal> <literal>3</literal>. For example, let's assume that we are going to use a Windows client to browse a directory on a Samba server. For a small amount of log information, you can use <literal>log</literal> <literal>level</literal> <literal>=</literal> <literal>1</literal>, which instructs Samba to show only cursory information, in this case only the connection itself:</para> + + +<programlisting>105/25/98 22:02:11 server (192.168.236.86) connect to service public as user pcguest (uid=503,gid=100) (pid 3377)</programlisting> + + +<para>Higher debug levels produce more detailed information. Usually you won't need any more than level 3; this is more than adequate for most Samba administrators. Levels above 3 are for use by the developers and dump enormous amounts of cryptic information.</para> + + +<para>Here is example output at levels 2 and 3 for the same operation. Don't worry if you don't understand the intricacies of an SMB connection; the point is simply to show you what types of information are shown at the different logging levels:</para> + + +<programlisting>/* Level 2 */ +Got SIGHUP +Processing section "[homes]" +Processing section "[public]" +Processing section "[temp]" +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/ + + +/* Level 3 */ +05/25/98 22:15:09 Transaction 63 of length 67 +switch message SMBtconX (pid 3377) +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ +ACCEPTED: guest account and guest ok +found free connection number 105 +Connect path is /tmp +chdir to /tmp +chdir to / +05/25/98 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest (uid=503,gid=100) (pid 3377) +05/25/98 22:15:09 tconX service=ipc$ user=pcguest cnum=105 +05/25/98 22:15:09 Transaction 64 of length 99 +switch message SMBtrans (pid 3377) +chdir to /tmp +trans <\PIPE\LANMAN> data=0 params=19 setup=0 +Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) +Doing RNetShareEnum +RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) +05/25/98 22:15:11 Transaction 65 of length 99 +switch message SMBtrans (pid 3377) +chdir to / +chdir to /tmp +trans <\PIPE\LANMAN> data=0 params=19 setup=0 +Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) +Doing RNetShareEnum +RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) +05/25/98 22:15:11 Transaction 66 of length 95 +switch message SMBtrans2 (pid 3377) +chdir to / +chdir to /pcdisk/public +call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end = 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432 +unix_clean_name [./DESKTOP.INI] +unix_clean_name [desktop.ini] +unix_clean_name [./] +creating new dirptr 1 for path ./, expect_close = 1 +05/25/98 22:15:11 Transaction 67 of length 53 +switch message SMBgetatr (pid 3377) +chdir to / + +[...]</programlisting> + + +<para>We cut off this listing after the first packet because it runs on for many pages. However, you should be aware that log levels above 3 will quickly fill your disk with megabytes of excruciating detail concerning Samba internal operations. Log level 3 is extremely useful for following exactly what the server is doing, and most of the time it will be obvious where an error is occurring by glancing through the log file.</para> + + +<para>A word of warning: using a high log level (3 or above) will <emphasis>seriously</emphasis> slow down the Samba server. Remember that every log message generated causes a write to disk (an inherently slow operation) and log levels greater than 2 produce massive amounts of data. Essentially, you should turn on logging level 3 only when you're actively tracking a problem in the Samba server.<indexterm id="ch09-idx-953461-0" class="endofrange" startref="ch09-idx-953457-0"/></para> +</sect3> + + + +<sect3 role="" label="9.1.1.2" id="ch09-SECT-1.1.2"> +<title>Activating and deactivating logging</title> + + +<para> +<indexterm id="ch09-idx-953474-0"><primary>log files/logging</primary><secondary>activating/deactivating</secondary></indexterm>To turn logging on and off, set the appropriate level in the <literal>[global]</literal> section of <filename>smb.conf</filename>. Then, you can either restart Samba, or force the current daemon to reprocess the configuration file. You also can send the <emphasis>smbd</emphasis> process a SIGUSR1 signal to increase its log level by one while it's running, and a SIGUSR2 signal to decrease it by one:</para> + + +<programlisting># Increase the logging level by 1 +kill -SIGUSR1 1234 + +# Decrease the logging level by 1 +kill -SIGUSR2 1234</programlisting> +</sect3> + + + +<sect3 role="" label="9.1.1.3" id="ch09-34448"> +<title>Logging by individual client machines or users</title> + + +<para> +<indexterm id="ch09-idx-953475-0"><primary>Windows clients</primary><secondary>individual configuration files for</secondary></indexterm> +<indexterm id="ch09-idx-953475-1"><primary>configuration files</primary><secondary sortas="individual clients">for individual clients</secondary></indexterm>An effective way to diagnose problems without hampering other users is to assign different log levels for different machines in <literal>[global]</literal> section of the <filename>smb.conf</filename> file. We can do this by building on the strategy we presented earlier:</para> + + +<programlisting>[global] + log level = 0 + log file = /usr/local/samba/lib/log.%m + include = /usr/local/samba/lib/smb.conf.%m</programlisting> + + +<para>These options instruct Samba to use unique configuration and log files for each client that connects. Now all you have to do is create an <filename>smb.conf</filename> +<indexterm id="ch09-idx-953477-0"><primary>smb.conf (Samba configuration) file</primary><secondary>creating</secondary><tertiary sortas="each client">for each client</tertiary></indexterm> file for a specific client machine with a <literal>log</literal> <literal>level</literal> <literal>=</literal> <literal>3</literal> entry in it (the others will pick up the default log level of 0) and use that log file to track down the problem.</para> + + +<para>Similarly, if only particular users are experiencing a problem, and it travels from machine to machine with them, you can isolate logging to a specific user by adding the following to the <filename>smb.conf</filename> file:</para> + + +<programlisting>[global] + log level = 0 + log file = /usr/local/samba/lib/log.%u + include = /usr/local/samba/lib/smb.conf.%u</programlisting> + + +<para>Then you can create a unique <filename>smb.conf</filename> file for each user (e.g., <filename>/usr/local/samba/lib/smb.conf.tim</filename>) files containing the configuration option <literal>log</literal> <literal>level</literal> <literal>=</literal> <literal>3</literal> and only those users will get more detailed logging.<indexterm id="ch09-idx-953469-0" class="endofrange" startref="ch09-idx-953456-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.1.2" id="ch09-SECT-1.2"> +<title>Samba Test Utilities</title> + + +<para> +<indexterm id="ch09-idx-953478-0" class="startofrange"><primary>Samba</primary><secondary>test utilities</secondary></indexterm> +<indexterm id="ch09-idx-953478-1" class="startofrange"><primary>testing</primary><secondary>test utilities for Samba</secondary></indexterm>A rigorous set of tests that exercise the major parts of Samba are described in various files in the <emphasis>/docs/textdocs</emphasis> +<indexterm id="ch09-idx-953497-0"><primary>docs directory</primary><secondary>test utilities</secondary></indexterm> directory of the Samba distribution kit, starting with <emphasis>DIAGNOSIS.TXT.</emphasis> The fault tree in this chapter is a more detailed version of the basic tests suggested by the Samba team, but covers only installation and reconfiguration diagnosis, like <emphasis>DIAGNOSIS.TXT.</emphasis> The other files in the <emphasis>/docs</emphasis> subdirectoryies address specific problems (such as Windows NT clients) and instruct you how to troubleshoot items not included in this book. If the fault tree doesn't suffice, be sure to look at <emphasis>DIAGNOSIS.TXT</emphasis> and its friends.</para> +</sect2> + + + + + +<sect2 role="" label="9.1.3" id="ch09-SECT-1.3"> +<title>Unix Utilities</title> + + +<para> +<indexterm id="ch09-idx-953505-0"><primary>Unix</primary><secondary>troubleshooting utilities</secondary></indexterm>Sometimes it's useful to use a tool outside of the Samba suite to examine what's happening inside the server. Unix has always been a "kitchen-sink" operating system. Two diagnostic tools can be of particular help in debugging Samba troubles: <emphasis>trace</emphasis> and <emphasis>tcpdump</emphasis>.</para> + + +<sect3 role="" label="9.1.3.1" id="ch09-SECT-1.3.1"> +<indexterm id="ch09-idx-953506-0"><primary>trace utility</primary></indexterm> +<title>Using trace</title> + + +<para>The <emphasis>trace</emphasis> command masquerades under several different names, depending on the operating system that you are using. On Linux it will be <emphasis>strace</emphasis>, on Solaris you'll use <emphasis>truss</emphasis>, and SGI will have <emphasis>padc</emphasis> and <emphasis>par</emphasis>. All have essentially the same function, which is to display each operating system function call as it is executed. This allows you to follow the execution of a program, such as the Samba server, and will often pinpoint the exact call that is causing the difficulty.</para> + + +<para>One problem that <emphasis>trace</emphasis> can highlight is the location of an incorrect version of a dynamically linked library. This can happen if you've downloaded prebuilt binaries of Samba. You'll typically see the offending call at the end of the <emphasis>trace</emphasis>, just before the program terminates.</para> + + +<para>A sample <literal>strace</literal> output for the Linux operating system follows. This is a small section of a larger file created during the opening of a directory on the Samba server. Each line is a system-call name, and includes its parameters and the return value. If there was an error, the error value (e.g., <literal>ENOENT</literal>) and its explanation are also shown. You can look up the parameter types and the errors that can occur in the appropriate <literal>trace</literal> manual page for the operating system that you are using.</para> + + +<programlisting>chdir("/pcdisk/public") = 0 +stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) +stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 +stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) +open("mini", O_RDONLY) = 5 +fcntl(5, F_SETFD, FD_CLOEXEC) = 0 +fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 +lseek(5, 0, SEEK_CUR) = 0 +SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196 +lseek(5, 0, SEEK_CUR) = 1024 +SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0 +close(5) = 0 +stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory) +write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39 +SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1 +read(3, "\0\0\0?", 4) = 4 +read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63 +time(NULL) = 896143871</programlisting> + + +<para>This example shows several <literal>stat</literal> calls failing to find the files they were expecting. You don't have to be a expert to see that the file <emphasis>desktop.ini</emphasis> is missing from that directory. In fact, many difficult problems can be identified by looking for obvious, repeatable errors with <emphasis>trace</emphasis>. Often, you need not look farther than the last message before a crash.</para> +</sect3> + + + +<sect3 role="" label="9.1.3.2" id="ch09-SECT-1.3.2"> +<title>Using tcpdump</title> + + +<para>The <emphasis>tcpdump</emphasis> +<indexterm id="ch09-idx-953802-0" class="startofrange"><primary>tcpdump utility</primary></indexterm> program, written by <indexterm id="ch09-idx-953803-0"><primary>Jacobson, Van</primary></indexterm> +<indexterm id="ch09-idx-953803-1"><primary>Leres, Craig</primary></indexterm> +<indexterm id="ch09-idx-953803-2"><primary>McCanne, Steven</primary></indexterm> +<indexterm id="ch09-idx-953803-3"><primary>Tridgell, Andrew</primary></indexterm>Van Jacobson, Craig Leres, and Steven McCanne, and extended by Andrew Tridgell, allows you to monitor network traffic in real time. A variety of output formats are available and you can filter the output to look at only a particular type of traffic. The <emphasis>tcpdump</emphasis> program lets you examine all conversations between client and server, including SMB and NMB <indexterm id="ch09-idx-953805-0"><primary>broadcasting</primary><secondary>troubleshooting with tcpdump utility</secondary></indexterm>broadcast messages. While its troubleshooting capabilities lie mainly at the OSI network layer, you can still use its output to get a general idea of what the server and client are attempting to accomplish.</para> + + +<para>A sample <emphasis>tcpdump</emphasis> log follows. In this instance, the client has requested a directory listing and the server has responded appropriately, giving the directory names <literal>homes</literal>, <literal>public</literal>, <literal>IPC$</literal>, and <literal>temp</literal> (we've added a few explanations on the right):</para> + + +<programlisting>$<userinput>tcpdump -v -s 255 -i eth0 port not telnet</userinput> +SMB PACKET: SMBtrans (REQUEST) <replaceable>Request packet</replaceable> +SMB Command = 0x25 <replaceable>Request was ls or dir</replaceable>. + +[000] 01 00 00 10 .... + + +>>> NBT Packet +<replaceable>Outer frame of SMB packe</replaceable>t +NBT Session Packet +Flags=0x0 +Length=226 +[lines skipped] + +SMB PACKET: SMBtrans (REPLY) <replaceable>Beginning of a reply to request </replaceable> +SMB Command = 0x25 <replaceable>Command was an ls or dir</replaceable> +Error class = 0x0 +Error code = 0 +<replaceable>No errors</replaceable> +Flags1 = 0x80 +Flags2 = 0x1 +Tree ID = 105 +Proc ID = 6075 +UID = 100 +MID = 30337 +Word Count = 10 +TotParamCnt=8 +TotDataCnt=163 +Res1=0 +ParamCnt=8 +ParamOff=55 +Res2=0 +DataCnt=163 +DataOff=63 +Res3=0 +Lsetup=0 +Param Data: (8 bytes) +[000] 00 00 00 00 05 00 05 00 ........ + +Data Data: (135 bytes) +<replaceable>Actual directory contents:</replaceable> +[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........ +[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic...... +[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp.... +[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$ +[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w... +[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........ +[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo +[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi +[080] 63 65 20 28 53 61 6D ce (Sam</programlisting> + + +<para>This is more of the same debugging session as with the <emphasis>trace</emphasis> command; the listing of a directory. The options we used were <literal>-v</literal> (verbose), <literal>-i</literal> <literal>eth0</literal> to tell <emphasis>tcpdump</emphasis> the interface to listen on (an Ethernet port), and <literal>-s</literal> <literal>255</literal> to tell it to save the first 255 bytes of each packet instead of the default: the first 68. The option <literal>port</literal> +<indexterm id="ch09-idx-954174-0"><primary>port not telnet option</primary></indexterm> <literal>not</literal> <literal>telnet</literal> is used to avoid screens of telnet traffic, since we were logged in to the server remotely. The <emphasis>tcpdump</emphasis> program actually has quite a number of options to filter just the traffic you want to look at. If you've used <emphasis>snoop</emphasis> or <emphasis>etherdump</emphasis>, they'll look vaguely familiar.</para> + + +<para>You can download the modified <emphasis>tcpdump</emphasis> +<indexterm id="ch09-idx-953518-0"><primary>downloads</primary><secondary>tcpdump utility</secondary></indexterm> from the Samba FTP server at <systemitem role="ftpurl">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</systemitem>. Other versions don't include support for the SMB protocol; if you don't see output such as that shown in the example, you'll need to<emphasis></emphasis> +<indexterm id="ch09-idx-953513-0" class="endofrange" startref="ch09-idx-953802-0"/> use the SMB-enabled version.<indexterm id="ch09-idx-953481-0" class="endofrange" startref="ch09-idx-953478-0"/> +<indexterm id="ch09-idx-953481-1" class="endofrange" startref="ch09-idx-953478-1"/></para> +</sect3> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="9.2" id="ch09-29538"> +<title>The Fault Tree</title> + + +<para> +<indexterm id="ch09-idx-953543-0" class="startofrange"><primary>fault tree</primary></indexterm> +<indexterm id="ch09-idx-953543-1" class="startofrange"><primary>how-tos, fault tree</primary></indexterm>The fault tree is for diagnosing and fixing problems that occur when you're installing and reconfiguring Samba. It's an expanded form of a trouble and diagnostic document that is part of the Samba distribution.</para> + + +<para> +<indexterm id="ch09-idx-953548-0"><primary>troubleshooting</primary><secondary>information to have on hand</secondary></indexterm>Before you set out to troubleshoot any part of the Samba suite, you should know the following information:</para> + + +<itemizedlist> +<listitem><para> Your client IP address (we use 192.168.236.10)</para></listitem> +<listitem><para> Your server IP address (we use 192.168.236.86)</para></listitem> +<listitem><para> The netmask for your network (typically 255.255.255.0)</para></listitem> +<listitem><para> Whether the machines are all on the same subnet (ours are)</para></listitem> +</itemizedlist> + +<para>For clarity, we've renamed the server in the following examples to <emphasis>server.example.com</emphasis>, and the client machine to <emphasis>client.example.com</emphasis>.</para> + + +<sect2 role="" label="9.2.1" id="ch09-SECT-2.1"> +<title>How to use the fault tree</title> + + +<para> +<indexterm id="ch09-idx-953549-0"><primary>fault tree</primary><secondary>how to use</secondary></indexterm>Start the tests here, without skipping forward; it won't take long (about five minutes) and may actually save you time backtracking. Whenever a test succeeds, you will be given a section name and page number to which you can safely skip.</para> +</sect2> + + + + + +<sect2 role="" label="9.2.2" id="ch09-SECT-2.2"> +<title>Troubleshooting Low-level IP </title> + + +<para> +<indexterm id="ch09-idx-953556-0" class="startofrange"><primary>services</primary><secondary>testing low-level</secondary></indexterm>The first series of tests is that of the low-level services that Samba needs in order to run. The tests in this section will verify that:</para> + + +<itemizedlist> +<listitem><para> The IP software works</para></listitem> +<listitem><para> The Ethernet hardware works</para></listitem> +<listitem><para> Basic name service is in place</para></listitem> +</itemizedlist> + +<para>Subsequent sections will add TCP software, the Samba daemons <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis>, host-based access control, authentication and per-user access control, file services, and browsing. The tests are described in considerable detail in order to make them understandable by both technically oriented end users and experienced systems and network administrators.</para> + + +<sect3 role="" label="9.2.2.1" id="ch09-SECT-2.2.1"> +<title>Testing the networking software with ping </title> + + +<para>The first command to enter on both the server and the client is <literal>ping 127.0.0.1</literal>. This is the <firstterm>loopback</firstterm> <emphasis>address</emphasis> and testing it will indicate whether any networking support is functioning at all. On Unix, you can use <literal>ping</literal> <literal>127.0.0.1</literal> with the statistics option and interrupt it after a few lines. On Sun workstations, the command is typically <literal>/usr/etc/ping</literal> <literal>-s</literal> <literal>127.0.0.1</literal>; on Linux, just <literal>ping</literal> <literal>127.0.0.1</literal>. On Windows clients, run <literal>ping</literal> <literal>127.0.0.1</literal> in an MS-DOS window and it will stop by itself after four lines.</para> + + +<para>Here is an example on a Linux server:</para> + + +<programlisting>server% <emphasis role="bold">ping 127.0.0.1</emphasis> +PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): +icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=2. time=1. ms ^C +----127.0.0.1 PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</programlisting> + + +<para>If you get "ping: no answer from..." or "100% packet loss," you have no IP networking at all installed on the machine. The address <literal>127.0.0.1</literal> is the internal loopback address and doesn't depend on the computer being physically connected to a network. If this test fails, you have a serious local problem. TCP/IP either isn't installed or is seriously misconfigured. See your operating system documentation if it is a Unix server. If it is a Windows client, follow the instructions in <link linkend="SAMBA-CH-3">Chapter 3</link>, to install networking support.</para> + + +<tip role="ora"> +<para>If <emphasis>you're</emphasis> the network manager, some good references are Craig Hunt's <emphasis>TCP/IP Network Administration</emphasis>, Chapter 11, and Craig Hunt & Robert Bruce Thompson's new book, <emphasis>Windows NT TCP/IP Network Administration,</emphasis> both published by O'Reilly.</para> + +</tip> +</sect3> + + + +<sect3 role="" label="9.2.2.2" id="ch09-20350"> +<title>Testing local name services with ping </title> + + +<para> +<indexterm id="ch09-idx-953658-0"><primary>name services</primary><secondary>testing</secondary></indexterm>Next, try to ping <literal>localhost</literal> on the Samba server. <literal>localhost</literal> is the conventional hostname for the 127.0.0.1 loopback, and it should resolve to that address. After typing <literal>ping</literal> <literal>localhost</literal>, you should see output similar to the following:</para> + + +<programlisting>server% <emphasis role="bold">ping localhost</emphasis> +PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): +icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=2. time=0. ms ^C</programlisting> + + +<para>If this succeeds, try the same test on the client. Otherwise:</para> + + +<itemizedlist> +<listitem><para>If you get "unknown host: localhost," there is a problem resolving the host name localhost into a valid IP address. (This may be as simple as a missing entry in a local <emphasis>hosts</emphasis> file.) From here, skip down to <link linkend="ch09-23768">Section 9.2.8</link>.</para></listitem> +<listitem><para>If you get "ping: no answer," or "100% packet loss," but pinging 127.0.0.1 worked, then name services is resolving to an address, but it isn't the correct one. Check the file or database (typically <filename>/etc/hosts</filename> on a Unix system) that the name service is using to resolve addresses to ensure that the entry is corrected.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.2.3" id="ch09-SECT-2.2.3"> +<title>Testing the networking hardware with ping </title> + + +<para> +<indexterm id="ch09-idx-953666-0"><primary>networking</primary><secondary>hardware for, testing</secondary></indexterm>Next, ping the server's network IP address from itself. This should get you exactly the same results as pinging 127.0.0.1:</para> + + +<programlisting>server% <emphasis role="bold">ping 192.168.236.86</emphasis> +PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=2. time=1. ms ^C +----192.168.236.86 PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</programlisting> + + +<para>If this works on the server, repeat it for the client. Otherwise:</para> + + +<itemizedlist> +<listitem><para>If <literal>ping</literal> <replaceable>network_ip</replaceable> fails on either the server or client, but ping 127.0.0.1 works on that machine, you have a TCP/IP problem that is specific to the Ethernet network interface card on the computer. Check with the documentation for the network card or the host operating system to determine how to correctly configure it. However, be aware that on some operating systems, the <emphasis>ping</emphasis> command appears to work even if the network is disconnected, so this test doesn't always diagnose all hardware problems.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.2.4" id="ch09-84079"> +<title>Testing connections with ping</title> + + +<para> +<indexterm id="ch09-idx-953831-0" class="startofrange"><primary>connections</primary><secondary>testing</secondary></indexterm>Now, ping the server by name (instead of its IP address), once from the server and once from the client. This is the general test for working network hardware:</para> + + +<programlisting>server% <emphasis role="bold">ping server</emphasis> +PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): +icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): +icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): +icmp-seq=2. time=1. ms ^C +----server.example.com PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</programlisting> + + +<para>On Microsoft Windows, a ping of the server would look like <link linkend="ch09-91668">Figure 9.1</link>.</para> + + +<figure label="9.1" id="ch09-91668"> +<title>Pinging the Samba server from a Windows client</title> + +<graphic width="502" depth="285" fileref="figs/sam.0901.gif"></graphic> +</figure> + +<para>If successful, this test tells us five things:</para> + + +<orderedlist> +<listitem><para>The hostname (e.g., "server") is being found by your local nameserver.</para></listitem> +<listitem><para>The hostname has been expanded to the full name (e.g., <emphasis>server.example.com</emphasis>).</para></listitem> +<listitem><para>Its address is being returned (192.168.236.86).</para></listitem> +<listitem><para>The client has sent the Samba server four 56-byte UDP/IP packets.</para></listitem> +<listitem><para>The Samba server has replied to all four packets.</para></listitem> +</orderedlist> + +<para>If this test isn't successful, there can be one of several things wrong with the network:</para> + + +<itemizedlist> +<listitem><para>First, if you get "ping: no answer," or "100% packet loss," you're not connecting to the network, the other machine isn't connecting, or one of the addresses is incorrect. Check the addresses that the <literal>ping</literal> command reports on each machine, and ensure that they match the ones you set up initially.</para> + + +<para>If not, there is at least one mismatched address between the two machines. Try entering the command <literal>arp</literal> <literal>-a</literal>, and see if there is an entry for the other machine. The <literal>arp</literal> command stands for the Address Resolution Protocol. The <literal>arp</literal> <literal>-a</literal> command lists all the addresses known on the local machine. Here are some things to try:</para> + + +<itemizedlist> +<listitem><para>If you receive a message like "192.168.236.86 at (incomplete)," the Ethernet address of 192.168.236.86 is unknown. This indicates a complete lack of connectivity, and you're likely having a problem at the very bottom of the TCP/IP Network Administration protocol stack, at the Ethernet-interface layer. This is discussed in Chapters 5 and 6 of <citetitle>TCP/IP Network Administration </citetitle>(O'Reilly).</para></listitem> +<listitem><para>If you receive a response similar to "server (192.168.236.86) at 8:0:20:12:7c:94," then the server has been reached at some time, or another machine is answering on its behalf. However, this means that <emphasis>ping</emphasis> should have worked: you may have an intermittent networking or ARP problem.</para></listitem> +<listitem><para>If the IP address from ARP doesn't match the addresses you expected, investigate and correct the addresses manually.</para></listitem> +</itemizedlist></listitem> +<listitem><para>If each machine can ping itself but not another, something is wrong on the network between them.</para></listitem> +<listitem><para>If you get "ping: network unreachable" or "ICMP Host Unreachable," then you're not receiving an answer and there is likely more than one network involved.</para> + + +<para>In principle, you shouldn't try to troubleshoot SMB clients and servers on different networks. Try to test a server and client on the same network. The three tests that follow assume you might be testing between two networks:</para> + + +<orderedlist> +<listitem><para>First, perform the tests for no answer described earlier in this section. If this doesn't identify the problem, the remaining possibilities are the following: an address is wrong, your netmask is wrong, a network is down, or just possibly you've been stopped by a firewall.</para></listitem> +<listitem><para>Check both the address and the netmasks on source and destination machines to see if something is obviously wrong. Assuming both machines really are on the same network, they both should have the same netmasks and <emphasis>ping</emphasis> should report the correct addresses. If the addresses are wrong, you'll need to correct them. If they're right, the programs may be confused by an incorrect netmask. See <link linkend="ch09-21203">Section 9.2.9.1</link>, later in this chapter.</para></listitem> +<listitem><para>If the commands are still reporting that the network is unreachable and neither of the previous two conditions is in error, one network really may be unreachable from the other. This, too, is a network manager issue.</para></listitem> +</orderedlist></listitem> + +<listitem><para>If you get "ICMP Administratively Prohibited," you've struck a firewall of some sort or a misconfigured router. You will need to speak to your network security officer.</para></listitem> +<listitem><para>If you get "ICMP Host redirect," and <emphasis>ping</emphasis> reports packets getting through, this is generally harmless: you're simply being rerouted over the network.</para></listitem> +<listitem><para>If you get a host redirect and no <emphasis>ping</emphasis> responses, you are being redirected, but no one is responding. Treat this just like the "Network unreachable" response and check your addresses and netmasks.</para></listitem> +<listitem><para>If you get "ICMP Host Unreachable from gateway <emphasis>gateway_name</emphasis>," ping packets are being routed to another network, but the other machine isn't responding and the router is reporting the problem on its behalf. Again, treat this like a "Network unreachable" response and start checking addresses and netmasks.</para></listitem> +<listitem><para>If you get "ping: unknown host <emphasis>hostname</emphasis>," your machine's name is not known. This tends to indicate a name-service problem, which didn't affect <literal>localhost</literal>. Have a look at <link linkend="ch09-23768">Section 9.2.8</link>," later in this chapter.</para></listitem> +<listitem><para>If you get a partial success, with some pings failing but others succeeding, you either have an intermittent problem between the machines or an overloaded network. Ping for longer, and see if more than about 3 percent of the packets fail. If so, check it with your network manager: a problem may just be starting. However, if only a few fail, or if you happen to know some massive network program is running, don't worry unduly. Ping's ICMP (and UDP) are designed to drop occasional packets.</para></listitem> +<listitem><para>If you get a response like "smtsvr.antares.net is alive" when you actually pinged <emphasis>client.example.com</emphasis>, you're either using someone else's address or the machine has multiple names and addresses. If the address is wrong, name service is clearly the culprit; you'll need to change the address in the name service database to refer to the right machine. This is discussed in <link linkend="ch09-23768">Section 9.2.8</link>," later in this chapter.</para> + + +<para>Server machines are often <emphasis>multihomed</emphasis> : connected to more than one network, with different names on each net. If you are getting a response from an unexpected name on a multihomed server, look at the address and see if it's on your network (see <link linkend="ch09-21203">Section 9.2.9.1</link> later in this chapter). If so, you should use that address, rather than one on a different network, for both performance and reliability reasons.</para> + + +<para>Servers may also have multiple names for a single Ethernet address, especially if they are web servers. This is harmless, if otherwise startling. You probably will want to use the official (and permanent) name, rather than an alias which may change.</para></listitem> +<listitem><para>If everything works, but the IP address reported is 127.0.0.1, you have a name service error. This typically occurs when a operating system installation program generates an <filename>/etc/hosts</filename> line similar to <literal>127.0.0.1</literal> <literal>localhost</literal> <emphasis>hostnamedomainname</emphasis>. The localhost line should say <literal>127.0.0.1</literal> <literal>localhost</literal> or <literal>127.0.0.1</literal> <literal>localhost</literal> <literal>loghost</literal>. Correct it, lest it cause failures to negotiate who is the master browse list holder and who is the master browser. It can, also cause (ambiguous) errors in later tests.</para></listitem> +</itemizedlist> + +<para>If this worked from the server, repeat it from the<indexterm id="ch09-idx-953672-0" class="endofrange" startref="ch09-idx-953831-0"/> client.<indexterm id="ch09-idx-953563-0" class="endofrange" startref="ch09-idx-953556-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.3" id="ch09-SECT-2.3"> +<title>Troubleshooting TCP</title> + + +<para> +<indexterm id="ch09-idx-953568-0"><primary>TCP/IP networking protocol</primary><secondary>TCP, troubleshooting</secondary></indexterm>Now that you've tested IP, UDP, and a name service with <emphasis>ping</emphasis>, it's time to test TCP. <emphasis>ping</emphasis> and browsing use ICMP and UDP; file and print services (shares) use TCP. Both depend on IP as a lower layer and all four depend on name services. Testing TCP is most conveniently done using the FTP (file transfer protocol) program.</para> + + +<sect3 role="" label="9.2.3.1" id="ch09-78512"> +<title>Testing TCP with FTP </title> + + +<para>Try connecting via FTP, once from the server to itself, and once from the client to the server:</para> + + +<programlisting>server% <userinput>ftp server</userinput> +Connected to server.example.com. +220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready. + Name (server:davecb): +331 Password required for davecb. +Password: +230 User davecb logged in. + ftp><userinput> quit </userinput> +221 Goodbye.</programlisting> + + +<para>If this worked, skip to <link linkend="ch09-88968">Section 9.2.4</link>. Otherwise:</para> + + +<itemizedlist> +<listitem><para>If you received the message "server: unknown host," then nameservice has failed. Go back to the corresponding <emphasis>ping</emphasis> step, <link linkend="ch09-20350">Section 9.2.2.2</link>," and rerun those tests to see why name lookup failed.</para></listitem> +<listitem><para>If you received "ftp: connect: Connection refused," the machine isn't running an FTP daemon. This is mildly unusual on Unix servers. Optionally, you might try this test by connecting to the machine using telnet instead of FTP; the messages are very similar and telnet uses TCP as well.</para></listitem> +<listitem><para>If there was a long pause, then "ftp: connect: Connection timed out," the machine isn't reachable. Return to <link linkend="ch09-84079">Section 9.2.2.4</link>.</para></listitem> +<listitem><para>If you received "530 Logon Incorrect," you connected successfully, but you've just found a different problem. You likely provided an incorrect username or password. Try again, making sure you use your username from the Unix server and type your password correctly.</para></listitem> +</itemizedlist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.4" id="ch09-88968"> +<title>Troubleshooting Server Daemons</title> + + +<para> +<indexterm id="ch09-idx-953569-0" class="startofrange"><primary>daemons</primary><secondary>troubleshooting</secondary></indexterm>Once you've confirmed that TCP networking is working properly, the next step is to make sure the daemons are running on the server. This takes three separate tests because no single one of the following will decisively prove that they're working correctly.</para> + + +<para>To be sure they're running, you need to find out if:</para> + + +<orderedlist> +<listitem><para>The daemon has started</para></listitem> +<listitem><para>The daemons are registered or bound to a TCP/IP port by the operating system</para></listitem> +<listitem><para>They're actually paying attention</para></listitem> +</orderedlist> + +<sect3 role="" label="9.2.4.1" id="ch09-SECT-2.4.1"> +<title>Before you start</title> + + +<para>First, check the logs. If you've started the daemons, the message "smbd version <emphasis>some_number</emphasis> started" should appear. If it doesn't, you will need to restart the Samba daemons.</para> + + +<para>If the daemon reports that it has indeed started, look out for "bind failed on port 139 socket_addr=0 (Address already in use)". This means another daemon has been started on port 139 (<emphasis>smbd</emphasis> ). Also, <emphasis>nmbd</emphasis> will report a similar failure if it cannot bind to port 137. Either you've started them twice, or the <emphasis>inetd</emphasis> server has tried to provide a daemon for you. If it's the latter, we'll diagnose that in a moment.</para> +</sect3> + + + +<sect3 role="" label="9.2.4.2" id="ch09-49239"> +<title>Looking for daemon processes with ps</title> + + +<para>Next, you need to see if the daemons have been started. Use the <literal>ps</literal> command on the server with the <literal>long</literal> option for your machine type (commonly <literal>ps</literal> <literal>ax</literal> or <literal>ps</literal> <literal>-ef</literal>), and see if you have either <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis> already running. This often looks like the following:</para> + + +<programlisting>server% <emphasis role="bold">ps ax</emphasis> + PID TTY STAT TIME COMMAND + 1 ? S 0:03 init [2] + 2 ? SW 0:00 (kflushd) +<emphasis>(...many lines of processes...)</emphasis> + 234 ? S 0:14 nmbd -D3 + 237 ? S 0:11 smbd -D3 +<emphasis>(...more lines, possibly including more smbd lines...)</emphasis></programlisting> + + +<para>This example illustrates that <emphasis>smbd</emphasis> and <emphasis>nmbd</emphasis> have already started as stand-alone daemons (the <literal>-D</literal> option) at log level 3.</para> +</sect3> + + + +<sect3 role="" label="9.2.4.3" id="ch09-SECT-2.4.3"> +<title>Looking for daemons bound to ports</title> + + +<para>Next, the daemons have to be registered with the operating system so they can get access to TCP/IP ports. The <literal>netstat</literal> command will tell you if this has been done. Run the command <literal>netstat</literal> <literal>-a</literal> on the server, and look for lines mentioning <literal>netbios</literal>, <literal>137</literal> or <literal>139</literal>:</para> + + +<programlisting>server% <emphasis role="bold">netstat -a</emphasis> +Active Internet connections (including servers) +Proto Recv-Q Send-Q Local Address Foreign Address (state) +udp 0 0 *.netbios- *.* +tcp 0 0 *.netbios- *.* +LISTEN +tcp 8370 8760 server.netbios- client.1439 +ESTABLISHED</programlisting> + + +<para>or:</para> + + +<programlisting>server% <emphasis role="bold">netstat -a</emphasis> +Active Internet connections (including servers) +Proto Recv-Q Send-Q Local Address Foreign Address (state) +udp 0 0 *.137 *.* +tcp 0 0 *.139 *.* +LISTEN +tcp 8370 8760 server.139 client.1439 +ESTABLISHED</programlisting> + + +<para>Among many similar lines, there should be at least one UDP line for <literal>*.netbios-</literal> or <literal>*.137</literal>. This indicates that the <emphasis>nmbd</emphasis> server is registered and (we hope) is waiting to answer requests. There should also be at least one TCP line mentioning <literal>*.netbios-</literal> or <literal>*.139</literal>, and it will probably be in the LISTENING state. This means that <emphasis>smbd</emphasis> is up and listening for connections.</para> + + +<para>There may be other TCP lines indicating connections from <emphasis>smbd</emphasis> to clients, one for each client. These are usually in the ESTABLISHED state. If there are <emphasis>smbd</emphasis> lines in the ESTABLISHED state, <emphasis>smbd</emphasis> is definitely running. If there is only one line in the LISTENING state, we're not sure yet. If both of the lines is missing, a daemon has not succeeded in starting, so it's time to check the logs and then go back to <link linkend="SAMBA-CH-2">Chapter 2</link>.</para> + + +<para>If there is a line for each client, it may be coming either from a Samba daemon or from the master IP daemon, <emphasis>inetd</emphasis>. It's quite possible that your <emphasis>inetd</emphasis> startup file contains lines that start Samba daemons without your realizing it; for instance, the lines may have been placed there if you installed Samba as part of a Linux distribution. The daemons started by <emphasis>inetd</emphasis> prevent ours from running. This problem typically produces log messages such as "bind failed on port 139 socket_addr=0 (Address already in use)."</para> + + +<para>Check your <filename>/etc/inetd.conf</filename> ; unless you're intentionally starting the daemons from there, there <emphasis>must not</emphasis> be any <literal>netbios-ns</literal> (udp port 137) or <literal>netbios-ssn</literal> (tcp port 139) servers mentioned there. <emphasis>inetd</emphasis> is a daemon that provides numerous services, controlled by entries in <emphasis>/etc/inetd.conf</emphasis>. If your system is providing an SMB daemon via <emphasis>inetd</emphasis>, there will be lines like the following in the file:</para> + + +<programlisting>netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</programlisting> +</sect3> + + + +<sect3 role="" label="9.2.4.4" id="ch09-SECT-2.4.4"> +<title>Checking smbd with telnet</title> + + +<para>Ironically, the easiest way to test that the <emphasis>smbd</emphasis> +<indexterm id="ch09-idx-953678-0"><primary>smbd server, checking with telnet</primary></indexterm> server is actually working is to send it a meaningless message and see if it rejects it. Try something like the following:</para> + + +<programlisting><userinput>echo hello | telnet localhost 139</userinput></programlisting> + + +<para>This sends an erroneous but harmless message to <emphasis>smbd</emphasis>. The <literal>hello</literal> message is important. Don't try telneting to the port and typing just anything; you'll probably just hang your process. <literal>hello</literal>, however, is generally a harmless message.</para> + + +<programlisting>server% <emphasis role="bold">echo "hello" | telnet localhost 139</emphasis> +Trying +Trying 192.168.236.86 ... +Connected to localhost. Escape character is '^]'. +Connection closed by foreign host.</programlisting> + + +<para>If you get a "Connected" message followed by a "Connection closed" message, the test was a success. You have an <emphasis>smbd</emphasis> daemon listening on the port and rejecting improper connection messages. On the other hand, if you get "telnet: connect: Connection refused," there is probably no daemon present. Check the logs and go back to <link linkend="SAMBA-CH-2">Chapter 2</link>.</para> + + +<para>Regrettably, there isn't an easy test for <emphasis>nmbd</emphasis>. If the <literal>telnet</literal> test and the <literal>netstat</literal> test both say that there is an <emphasis>smbd</emphasis> running, there is a good chance that <literal>netstat</literal> will also be correct about <emphasis>nmbd</emphasis> running.</para> +</sect3> + + + +<sect3 role="" label="9.2.4.5" id="ch09-67494"> +<title>Testing daemons with testparm</title> + + +<para> +<indexterm id="ch09-idx-953679-0"><primary>daemons</primary><secondary>testing</secondary><tertiary>with testparm</tertiary></indexterm>Once you know there's a daemon, you should always run <literal>testparm</literal>, in hopes of getting:</para> + + +<programlisting>server% <emphasis role="bold">testparm</emphasis> +Load smb config files from /opt/samba/lib/smb.conf +Processing section "[homes]" +Processing section "[printers]" ... +Processing section "[tmp]" +Loaded services file OK. ...</programlisting> + + +<para>The <literal>testparm</literal> program normally reports processing a series of sections, and responds with "Loaded services file OK" if it succeeds. If not, it will report one or more of the following messages, which will also appear in the logs as noted:</para> + + +<variablelist> +<varlistentry><term><emphasis>"Allow/Deny connection from account (n) to service"</emphasis></term> +<listitem><para>A <emphasis>testparm</emphasis>-only message produced if you have valid/invalid user options set in your <emphasis>smb.conf</emphasis>. You will want to make sure that you are on the valid user list, and that root, bin, etc., are on the invalid user list. If you don't, you will not be able to connect, or folks who shouldn't <emphasis>will</emphasis> be able to.</para></listitem> +</varlistentry> + + +<varlistentry><term><emphasis>"Warning: You have some share names that are longer than eight chars"</emphasis></term> +<listitem><para>For anyone using Windows for Workgroups and older clients. They will fail to connect to shares with long names, producing an overflow message that sounds confusingly like a memory overflow.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Warning: [name] service MUST be printable!"</term> +<listitem><para>A printer share lacks a <literal>printable</literal> <literal>=</literal> <literal>yes</literal> option.</para></listitem> +</varlistentry> + + +<varlistentry><term>"No path in service name using [name]"</term> +<listitem><para>A file share doesn't know which directory to provide to the user, or a print share doesn't know which directory to use for spooling. If no path is specified, the service will try to run with a path of <emphasis>/tmp</emphasis>, which may not be what you want.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Note: Servicename is flagged unavailable"</term> +<listitem><para>Just a reminder that you have used the <literal>available</literal> <literal>=</literal> <literal>no</literal> option in a share.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Can't find include file [name]" </term> +<listitem><para>A configuration file referred to by an <literal>include</literal> option did not exist. If you were including the file unconditionally, this is an error and probably a serious one: the share will not have the configuration you intended. If you were including it based one of the <literal>%</literal> variables, such as <literal>%a</literal> (architecture), you will need to decide if, for example, a missing Windows for Workgroups configuration file is a problem. It often isn't.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Can't copy service name, unable to copy to itself"</term> +<listitem><para>You tried to copy a <filename>smb.conf</filename> section into itself.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Unable to copy service—source not found: [name]"</term> +<listitem><para>Indicates a missing or misspelled section in a <literal>copy</literal> <literal>=</literal> option.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Ignoring unknown parameter name" </term> +<listitem><para>Typically indicates an obsolete, misspelled or unsupported option.</para></listitem> +</varlistentry> + + +<varlistentry><term>"Global parameter name found in service section" </term> +<listitem><para>Indicates a global-only parameter has been used in an individual share. Samba will ignore the parameter.</para></listitem> +</varlistentry> +</variablelist> + + +<para>After the <literal>testparm</literal> test, repeat it with (exactly) three parameters: the name of your <filename>smb.conf</filename> file, the name of your client, and its IP address:</para> + + +<programlisting>testparm <replaceable>samba_directory</replaceable>/lib/smb.conf client 192.168.236.10</programlisting> + + +<para>This will run one more test that checks the host name and address against <literal>host</literal> <literal>allow</literal> and <literal>host</literal> <literal>deny</literal> options and may produce the "Allow/Deny connection from account account_name" to service message for the client machine. This message indicates you have valid/invalid host options in your <filename>smb.conf</filename>, and they prohibit access from the client machine. Entering <literal>testparm</literal> <literal>/usr/local/lib/experimental.conf</literal> is also an effective way to test an experimental <filename>smb.conf</filename> file before putting it into production.<indexterm id="ch09-idx-953573-0" class="endofrange" startref="ch09-idx-953569-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.5" id="ch09-SECT-2.5"> +<title>Troubleshooting SMB Connections</title> + + +<para> +<indexterm id="ch09-idx-953578-0" class="startofrange"><primary>SMB (Server Message Block)</primary><secondary>troubleshooting connections</secondary></indexterm>Now that you know the servers are up, you need to make sure that they're running properly. We start with the <filename>smb.conf</filename> file in the <replaceable>samba_directory</replaceable><filename>/lib</filename> directory.</para> + + +<sect3 role="" label="9.2.5.1" id="ch09-67928"> +<title>A minimal smb.conf file</title> + + +<para>In the following tests, we assume you have a <literal>[temp]</literal> share suitable for testing, plus at least one account. An <filename>smb.conf</filename> file that includes just these is:</para> + + +<programlisting>[global] + workgroup = <replaceable>EXAMPLE</replaceable> + security = user + browsable = yes + local master = yes +[homes] + guest ok = no + browseble = no +[temp] + path = /tmp + public = yes</programlisting> + + +<para>A word of warning: the <literal>public</literal> <literal>=</literal> <literal>yes</literal> option in the <literal>[temp]</literal> share is just for testing. You probably don't want people without accounts to be able to store things on your Samba server, so you should comment it out when you're done.</para> +</sect3> + + + +<sect3 role="" label="9.2.5.2" id="ch09-40595"> +<title>Testing locally with smbclient</title> + + +<para> +<indexterm id="ch09-idx-953682-0"><primary>SMB (Server Message Block)</primary><secondary>troubleshooting connections</secondary><tertiary>testing locally</tertiary></indexterm>The first test is to ensure the server can list its own services (shares). Run the command <literal>smbclient</literal> with a <literal>-L</literal> option of <literal>localhost</literal> to connect to itself, and a <literal>-U</literal> option of just <literal>%</literal> to specify the guest user. You should see the following:</para> + + +<programlisting>server% <userinput>smbclient -L localhost -U% </userinput> +Server time is Wed May 27 17:57:40 1998 Timezone is UTC-4.0 +Server=[localhost] +User=[davecb] +Workgroup=[EXAMPLE] +Domain=[EXAMPLE] + Sharename Type Comment + --------- ----- ---------- + temp Disk + IPC$ IPC IPC Service (Samba 1.9.18) + homes Disk Home directories +This machine does not have a browse list</programlisting> + + +<para>If you received this output, move on to the next test, <link linkend="ch09-77154">Section 9.2.5.3</link>." On the other hand, if you receive an error, check the following:</para> + + +<itemizedlist> +<listitem><para>If you get "Get_hostbyname: unknown host localhost," either you've spelled its name wrong or there actually is a problem (which should have been seen back in <link linkend="ch09-20350">Section 9.2.2.2</link>) In the latter case, move on to <link linkend="ch09-23768">Section 9.2.8</link>.</para></listitem> +<listitem><para>If you get "Connect error: Connection refused," the server machine was found, but it wasn't running an <emphasis>nmbd</emphasis> daemon. Skip back to <link linkend="ch09-88968">Section 9.2.4</link>," and retest the daemons.</para></listitem> +<listitem><para>If you get the message "Your server software is being unfriendly," the initial session request packet got a garbage response from the server. The server may have crashed or started improperly. The common causes of this can be discovered by scanning the logs for:</para> + + +<itemizedlist> +<listitem><para>Invalid command-line parameters to <emphasis>smbd</emphasis>; see the <emphasis>smbd</emphasis> manual page.</para></listitem> +<listitem><para>A fatal problem with the <filename>smb.conf</filename> file that prevents the startup of <emphasis>smbd</emphasis>. Always check your changes, as was done in <link linkend="ch09-67494">Section 9.2.4.5</link>.</para></listitem> +<listitem><para>The directories where Samba keeps its log and lock files are missing.</para></listitem> +<listitem><para>There is already a server on the port (139 for <emphasis>smbd</emphasis>, 137 for <emphasis>nmbd </emphasis>), preventing it from starting.</para></listitem> +</itemizedlist></listitem> +<listitem><para>If you're using <emphasis>inetd</emphasis> instead of stand-alone daemons, check your <filename>/etc/inetd.conf</filename> and <filename>/etc/services</filename> entries against their manual pages for errors as well.</para></listitem> +<listitem><para>If you get a <literal>Password:</literal> prompt, your guest account is not set up properly. The <literal>%U</literal> option tells <emphasis>smbclient</emphasis> to do a "null login," which requires that the guest account be present but does not require it to have any privileges.</para></listitem> +<listitem><para>If you get the message "SMBtconX failed. ERRSRV—ERRaccess," you aren't permitted access to the server. This normally means you have a <literal>valid</literal> <literal>hosts</literal> option that doesn't include the server, or an <literal>invalid</literal> <literal>hosts</literal> option that does. Recheck with the command <literal>testparm</literal> <literal>smb.conf</literal> <replaceable>your_hostname</replaceable> <replaceable>your_ip_address</replaceable> (see <link linkend="ch09-67494">Section 9.2.4.5</link>) and correct any unintended prohibitions.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.5.3" id="ch09-77154"> +<title>Testing connections with smbclient</title> + + +<para> +<indexterm id="ch09-idx-953689-0"><primary>SMB (Server Message Block)</primary><secondary>troubleshooting connections</secondary><tertiary>testing with smbclient</tertiary></indexterm>Run the command <literal>smbclient</literal> <literal>\\</literal><replaceable>server</replaceable><literal>\temp</literal>, which connects to your server's <filename>/tmp</filename> share, to see if you can connect to a file service. You should get the following response:</para> + + +<programlisting>server% <emphasis role="bold">smbclient '\\server\temp'</emphasis> +Server time is Tue May 5 09:49:32 1998 Timezone is UTC-4.0 Password: +smb: \> <emphasis role="bold">quit</emphasis></programlisting> + + +<itemizedlist> +<listitem><para>If you get "Get_Hostbyname: Unknown host name," "Connect error: Connection refused," or "Your server software is being unfriendly," see <link linkend="ch09-40595">Section 9.2.5.2</link> for the diagnoses.</para></listitem> +<listitem><para>If you get the message "servertemp: Not enough `\' characters in service," you likely didn't quote the address, so Unix stripped off backslashes. You can also write the command:</para> + + +<programlisting>smbclient \\\\<replaceable>server</replaceable>\\temp</programlisting> + + +<para>or:</para> + + +<programlisting>smbclient //<replaceable>server</replaceable>/temp</programlisting></listitem> +</itemizedlist> + +<para>Now, provide your Unix account password to the <literal>Password</literal> prompt. If you then get an <literal>smb\></literal> prompt, it worked. Enter <literal>quit</literal>, and continue on to <link linkend="ch09-97081">Section 9.2.5.4</link>." If you then get "SMBtconX failed. ERRSRV—ERRinvnetname," the problem can be any of the following:</para> + + +<itemizedlist> +<listitem><para>A wrong share name: you may have spelled it wrong, it may be too long, it may be in mixed case, or it may not be available. Check that it's what you expect with testparm (see <link linkend="ch09-67494">Section 9.2.4.5</link>.)</para></listitem> +<listitem><para><literal>security</literal> <literal>=</literal> <literal>share</literal>, in which you may have to add <replaceable>-U your_account</replaceable> to the <emphasis>smbclient</emphasis> command, or know the password of a Unix account named temp.</para></listitem> +<listitem><para>An erroneous username.</para></listitem> +<listitem><para>An erroneous password.</para></listitem> +<listitem><para>An <literal>invalid</literal> <literal>users</literal> or <literal>valid</literal> <literal>users</literal> option in your <emphasis>smb.conf</emphasis> file that doesn't allow your account to connect. Recheck with <literal>testparm</literal> <literal>smb.conf</literal> <replaceable>your_hostname your_ip_address</replaceable> (see <link linkend="ch09-67494">Section 9.2.4.5</link>).</para></listitem> +<listitem><para>A <literal>valid</literal> <literal>hosts</literal> option that doesn't include the server, or an <literal>invalid</literal> <literal>hosts</literal> option that does. Also test this with <emphasis>testparm</emphasis>.</para></listitem> +<listitem><para>A problem in authentication, such as if shadow passwords or the PAM (Password Authentication Module) is used on the server, but Samba is not compiled to use it. This is rare, but occasionally happens when a SunOS 4 Samba binary (no shadow passwords) is run without recompilation on a Solaris system (with shadow passwords).</para></listitem> +<listitem><para>The <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>yes</literal> option in the configuration file, but no password for your account in the <emphasis>smbpasswd</emphasis> file.</para></listitem> +<listitem><para>You have a null password entry, either in Unix <filename>/etc/passwd</filename> or in the <emphasis>smbpasswd</emphasis> file.</para></listitem> +<listitem><para>You are connecting to <literal>[temp]</literal>, and you do not have the <literal>guest</literal> <literal>ok</literal> <literal>=</literal> <literal>yes</literal> option in the <literal>[temp]</literal> section of the <emphasis>smb.conf</emphasis> file.</para></listitem> +<listitem><para>You are connecting to <literal>[temp]</literal> before connecting to your home directory, and your guest account isn't set up correctly. If you can connect to your home directory and then connect to <literal>[temp]</literal>, that's the problem. See <link linkend="SAMBA-CH-2">Chapter 2</link> for more information on creating a basic Samba configuration file.</para> + + +<para>A bad guest account will also prevent you from printing or browsing until after you've logged in to your home directory.</para></listitem> +</itemizedlist> + +<para>There is one more reason for this failure that has nothing at all to do with passwords: the <literal>path</literal> <literal>=</literal> line in your <filename>smb.conf</filename> file may point somewhere that doesn't exist. This will not be diagnosed by <emphasis>testparm</emphasis>, and most SMB clients can't tell it from other types of bad user accounts. You will have to check it manually.</para> + + +<para>Once you have connected to <literal>[temp]</literal> successfully, repeat the test, this time logging in to your home directory (e.g., map network drive <replaceable>server</replaceable><literal>\davecb</literal>) looking for failures in doing that. If you have to change anything to get that to work, re-test <literal>[temp]</literal> again afterwards.</para> +</sect3> + + + +<sect3 role="" label="9.2.5.4" id="ch09-97081"> +<title>Testing connections with NET USE</title> + + +<para> +<indexterm id="ch09-idx-953696-0" class="startofrange"><primary>SMB (Server Message Block)</primary><secondary>troubleshooting connections</secondary><tertiary>testing with NET USE</tertiary></indexterm>Run the command <literal>net</literal> <literal>use</literal> <literal>*</literal> <literal>\</literal><replaceable>server</replaceable><literal>\temp</literal> on the DOS or Windows client to see if it can connect to the server. You should be prompted for a password, then receive the response "The command was completed successfully," as shown in <link linkend="ch09-99328">Figure 9.2</link>.</para> + + +<figure label="9.2" id="ch09-99328"> +<title>Results of the NET USE command</title> + +<graphic width="502" depth="471" fileref="figs/sam.0902.gif"></graphic> +</figure> + +<para>If that succeeded, continue with the steps in <link linkend="ch09-57065">Section 9.2.5.5</link>. Otherwise:</para> + + +<itemizedlist> +<listitem><para>If you get "The specified shared directory cannot be found," or "Cannot locate specified share name," the directory name is either misspelled or not in the <emphasis>smb.conf</emphasis> file. This message can also warn of a name in mixed case, including spaces, or is longer than eight characters.</para></listitem> +<listitem><para>If you get "The computer name specified in the network path cannot be located," or "Cannot locate specified computer," the directory name has been misspelled, the name service has failed, there is a networking problem, or the <literal>hosts</literal> <literal>deny</literal> <literal>=</literal> option includes your host.</para> + + +<itemizedlist> +<listitem><para>If it is not a spelling mistake, you need to double back to at least <link linkend="ch09-77154">Section 9.2.5.3</link>, to investigate why it doesn't connect.</para></listitem> +<listitem><para>If <emphasis>smbclient</emphasis> does work, it's a name service problem with the client name service, and you need to go forward to <link linkend="ch09-12446">Section 9.2.6.2</link>, and see if you can look up both client and server with <emphasis>nmblookup</emphasis>.</para></listitem> +</itemizedlist></listitem> +<listitem><para>If you get "The password is invalid for <literal>\</literal><replaceable>server</replaceable><literal>\</literal><replaceable>username</replaceable>," your locally cached copy on the client doesn't match the one on the server. You will be prompted for a replacement.</para></listitem> +</itemizedlist> + +<tip role="ora"> +<para>Windows 95 and 98 clients keep a local <emphasis>password</emphasis> file, but it's really just a cached copy of the password it sends to Samba and NT servers to authenticate you. That's what is being prompted for here. You can still log on to a Windows machine without a password (but not to NT).</para> + +</tip> + +<itemizedlist> +<listitem><para> +If you provide your password, and it still fails, your password is not being matched on the server, you have a <literal>valid</literal> <literal>users</literal> or <literal>invalid</literal> <literal>users</literal> list denying you permission, NetBEUI is interfering, or the encrypted password problem described in the next paragraph exists.</para></listitem> +<listitem><para>If your client is NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98 or any of these with Internet Explorer 4.0, these default to using Microsoft encryption for passwords (discussed in <link linkend="SAMBA-CH-6">Chapter 6</link>'s <link linkend="ch06-61393">Section 6.4</link>, along with the alternatives). In general, if you have installed a major Microsoft product recently, you may have applied an update and turned on encrypted passwords.</para></listitem> +</itemizedlist> + +<tip role="ora"> +<para>Because of Internet Explorer's willingness to honor URLs such as <filename>file://somehost/somefile</filename> by making SMB connections, clients up to and including Windows 95 Patch Level 2 would happily send your password, in plaintext, to SMB servers anywhere on the Internet. This was considered a bad idea, and Microsoft quite promptly switched to using only encrypted passwords in the SMB protocol. All subsequent releases of their products have included this correction. Encrypted passwords aren't actually needed unless you're using Internet Explorer 4.0 without a firewall, so it's reasonable to keep using unencrypted passwords on your own networks.</para> + +</tip> + +<itemizedlist> +<listitem><para>If you have a mixed-case password on Unix, the client is probably sending it in all one case. If changing your password to all one case works, this was the problem. Regrettably, all but the oldest clients support uppercase passwords, so Samba will try once with it in uppercase and once in lower case. If you wish to use mixed-case passwords, see the <literal>password</literal> <literal>level</literal> option in <link linkend="SAMBA-CH-6">Chapter 6</link> for a workaround.</para></listitem> +<listitem><para>You may have a <literal>valid</literal> <literal>users</literal> problem, as tested with <emphasis>smbclient</emphasis> (see <link linkend="ch09-77154">Section 9.2.5.3</link>).</para></listitem> +<listitem><para>You may have the NetBEUI protocol bound to the Microsoft client. This often produces long timeouts and erratic failures, and is known to have caused failures to accept passwords in the past.</para></listitem> +</itemizedlist> + +<tip role="ora"> +<para>The term "bind" is used to mean connecting a piece of software to another in this case. The Microsoft SMB client is "bound to" TCP/IP in the bindings section of the TCP/IP properties panel under the Windows 95/98 Network icon in the Control Panel. TCP/IP in turn is bound to an Ethernet card. This is not the same sense of the word as binding an SMB daemon to a TCP/IP port.<indexterm id="ch09-idx-953703-0" class="endofrange" startref="ch09-idx-953696-0"/></para> + +</tip> +</sect3> + + + +<sect3 role="" label="9.2.5.5" id="ch09-57065"> +<title>Testing connections with Windows Explorer</title> + + +<para> +<indexterm id="ch09-idx-953710-0" class="startofrange"><primary>SMB (Server Message Block)</primary><secondary>troubleshooting connections</secondary><tertiary>testing withWindows Explorer</tertiary></indexterm>Start Windows Explorer or NT Explorer (not Internet Explorer), select Tools→Map Network Drive and specify \\<replaceable>server</replaceable>\<literal>temp</literal> to see if you can make Explorer connect to the <filename>/tmp</filename> directory. You should see a screen similar to the one in <link linkend="ch09-74414">Figure 9.3</link>. If so, you've succeeded and can skip to <link linkend="ch09-23573">Section 9.2.6</link>."</para> + + +<figure label="9.3" id="ch09-74414"> +<title>Accessing the /tmp directory with Windows Explorer</title> + +<graphic width="502" depth="336" fileref="figs/sam.0903.gif"></graphic> +</figure> + +<para>A word of caution: Windows Explorer and NT Explorer are rather poor as diagnostic tools: they do tell you that something's wrong, but rarely what it is. If you get a failure, you'll need to track it down with the NET USE command, which has far superior error reporting:</para> + + +<itemizedlist> +<listitem><para>If you get "The password for this connection that is in your password file is no longer correct," you may have any of the following:</para> + + +<itemizedlist> +<listitem><para>Your locally cached copy on the client doesn't match the one on the server.</para></listitem> +<listitem><para>You didn't provide a username and password when logging on to the client. Most Explorers will continue to send a username and password of null, even if you provide a password.</para></listitem> +<listitem><para>You have misspelled the password.</para></listitem> +<listitem><para>You have an <literal>invalid</literal> <literal>users</literal> or <literal>valid</literal> <literal>users</literal> list denying permission.</para></listitem> +<listitem><para>Your client is NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98, or any of these with Internet Explorer 4. They will all want encrypted passwords.</para></listitem> +<listitem><para>You have a mixed-case password, which the client is supplying in all one case.</para></listitem> +</itemizedlist></listitem> +<listitem><para>If you get "The network name is either incorrect, or a network to which you do not have full access," or "Cannot locate specified computer," you may have any of the following:</para> + + +<itemizedlist> +<listitem><para> Misspelled name</para></listitem> +<listitem><para> Malfunctioning service</para></listitem> +<listitem><para> Failed share</para></listitem> +<listitem><para> Networking problem</para></listitem> +<listitem><para> Bad <literal>path</literal> line</para></listitem> +<listitem><para> <literal>hosts</literal> <literal>deny</literal> line that excludes you</para></listitem> +</itemizedlist></listitem> +<listitem><para>If you get "You must supply a password to make this connection," the password on the client is out of synchronization with the server, or this is the first time you've tried from this client machine and the client hasn't cached it locally yet.</para></listitem> +<listitem><para>If you get "Cannot locate specified share name," you have a wrong share name or a syntax error in specifying it, a share name longer than eight characters, or one containing spaces or in mixed case.</para></listitem> +</itemizedlist> + +<para>Once you can reliably connect to the <literal>[temp]</literal> directory, try once again, this time using your home directory. If you have to change something to get home directories working, then retest with <literal>[temp]</literal>, and vice versa, as we showed in <link linkend="ch09-97081">Section 9.2.5.4</link>. As always, if Explorer fails, drop back to that section and debug it<indexterm id="ch09-idx-953717-0" class="endofrange" startref="ch09-idx-953710-0"/> there.<indexterm id="ch09-idx-953581-0" class="endofrange" startref="ch09-idx-953578-0"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.6" id="ch09-23573"> +<title>Troubleshooting Browsing </title> + + +<para> +<indexterm id="ch09-idx-953586-0" class="startofrange"><primary>browsing</primary><secondary>troubleshooting</secondary></indexterm>Finally, we come to browsing. This was left to last, not because it is hardest, but because it's both optional and partially dependent on a protocol that doesn't guarantee delivery of a packet. Browsing is hard to diagnose if you don't already know all the other services are running.</para> + + +<para>Browsing is purely optional: it's just a way to find the servers on your net and the shares that they provide. Unix has nothing of the sort and happily does without. Browsing also assumes all your machines are on a local area network (LAN) where broadcasts are allowable.</para> + + +<para>First, the browsing mechanism identifies a machine using the unreliable UDP protocol; then it makes a normal (reliable) TCP/IP connection to list the shares the machine provides.</para> + + +<sect3 role="" label="9.2.6.1" id="ch09-96207"> +<title>Testing browsing with smbclient </title> + + +<para> +<indexterm id="ch09-idx-953724-0" class="startofrange"><primary>browsing</primary><secondary>troubleshooting</secondary><tertiary>with smbclient</tertiary></indexterm>We'll start with testing the reliable connection first. From the server, try listing its own shares via <emphasis>smbclient</emphasis> with a <literal>-L</literal> option of your server's name. You should get:</para> + + +<programlisting>server% <userinput>smbclient -L server</userinput> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server time is Tue Apr 28 09:57:28 1998 Timezone is UTC-4.0 +Password: +Domain=[EXAMPLE] +OS=[Unix] +Server=[Samba 1.9.18] +Server=[server] +User=[davecb] +Workgroup=[EXAMPLE] +Domain=[EXAMPLE] + Sharename Type Comment + --------- ---- ------- + cdrom Disk CD-ROM + cl Printer Color Printer 1 + davecb Disk Home Directories + + This machine has a browse list: + Server Comment + --------- ------- + SERVER Samba 1.9.18 + + This machine has a workgroup list: + Workgroup Master + --------- ------- + EXAMPLE SERVER</programlisting> + + +<itemizedlist> +<listitem><para>If you didn't get a Sharename list, the server is not allowing you to browse any shares. This should not be the case if you've tested any of the shares with Windows Explorer or the NET USE command. If you haven't done the <literal>smbclient</literal> <literal>-L</literal> <literal>localhost</literal> <literal>-U%</literal> test yet (see <link linkend="ch09-40595">Section 9.2.5.2</link>), do it now. An erroneous guest account can prevent the shares from being seen. Also, check the <filename>smb.conf</filename> file to make sure you do not have the option <literal>browsable</literal> <literal>=</literal> <literal>no</literal> anywhere in it: we suggest a minimal <filename>smb.conf</filename> file (see <link linkend="ch09-67928">Section 9.2.5.1</link>) for you to steal from. You need to have <literal>browseable</literal> enabled in order to be able to see at least the <literal>[temp]</literal> share.</para></listitem> +<listitem><para>If you didn't get a browse list, the server is not providing information about the machines on the network. At least one machine on the net must support browse lists. Make sure you have <literal>local</literal> <literal>master</literal> <literal>=</literal> <literal>yes</literal> in the <filename>smb.conf</filename> file if you want Samba be the local master browser.</para></listitem> +<listitem><para>If you got a browse list but didn't get <emphasis>/tmp</emphasis>, you probably have a <filename>smb.conf</filename> problem. Go back to <link linkend="ch09-67494">Section 9.2.4.5</link>."</para></listitem> +<listitem><para>If you didn't get a workgroup list with your workgroup name in it, it is possible that your workgroup is set incorrectly in the <filename>smb.conf</filename> file.</para></listitem> +<listitem><para>If you didn't get a workgroup list at all, ensure that <literal>workgroup</literal> <literal>=EXAMPLE</literal> is present in the <filename>smb.conf</filename> file.</para></listitem> +<listitem><para>If you get nothing, try once more with the options <literal>-I</literal> <replaceable>ip_address</replaceable> <literal>-n</literal> <replaceable>netbios_name</replaceable> <literal>-W</literal> <replaceable>workgroup</replaceable> <literal>-d3</literal> with the NetBIOS and workgroup name in uppercase. (The <literal>-d</literal> <literal>3</literal> option sets the log /debugging level to 3.)</para></listitem> +</itemizedlist> + +<para>If you're still getting nothing, you shouldn't have gotten this far. Double back to at least <link linkend="ch09-78512">Section 9.2.3.1</link>," or perhaps <link linkend="ch09-84079">Section 9.2.2.4</link>." On the other hand:</para> + + +<itemizedlist> +<listitem><para>If you get "SMBtconX failed. ERRSRV—ERRaccess," you aren't permitted access to the server. This normally means you have a <literal>valid</literal> <literal>hosts</literal> option that doesn't include the server, or an invalid hosts option that does.</para></listitem> +<listitem><para> If you get "Bad password," then you presumably have one of the following:</para> + + +<itemizedlist> + +<listitem><para> An incorrect <literal>hosts</literal> <literal>allow</literal> or <literal>hosts</literal> <literal>deny</literal> line</para></listitem> +<listitem><para> An incorrect <literal>invalid</literal> <literal>users</literal> or <literal>valid</literal> <literal>users</literal> line</para></listitem> +<listitem><para> A lowercase password and OS/2 or Windows for Workgroups clients</para></listitem> +<listitem><para> A missing or invalid guest account</para></listitem> +</itemizedlist> +<para>Check what your guest account is (see <link linkend="ch09-40595">Section 9.2.5.2</link>) and verify your <filename>smb.conf</filename> file with <literal>testparm</literal> <literal>smb.conf</literal> <replaceable>your_hostname your_ip_address</replaceable> (see <link linkend="ch09-67494">Section 9.2.4.5</link>) and change or comment out any <literal>hosts</literal> <literal>allow</literal>, <literal>hosts</literal> <literal>deny</literal>, <literal>valid</literal> <literal>users</literal> or <literal>invalid</literal> <literal>users</literal> lines.</para></listitem> +<listitem><para>If you get "Connection refused," the <emphasis>smbd</emphasis> server is not running or has crashed. Check that it's up, running, and listening to the network with <emphasis>netstat</emphasis>, see step <link linkend="ch09-67494">Section 9.2.4.5</link>."</para></listitem> +<listitem><para>If you get "Get_Hostbyname: Unknown host name," you've made a spelling error, there is a mismatch between Unix and NetBIOS hostname, or there is a name service problem. Start nameservice debugging with <link linkend="ch09-97081">Section 9.2.5.4</link>." If this works, suspect a name mismatch and go to step <link linkend="ch09-35552">Section 9.2.10</link>."</para></listitem> +<listitem><para>If you get "Session request failed," the server refused the connection. This usually indicates an internal error, such as insufficient memory to fork a process.</para></listitem> +<listitem><para>If you get "Your server software is being unfriendly," the initial session request packet received a garbage response from the server. The server may have crashed or started improperly. Go back to <link linkend="ch09-40595">Section 9.2.5.2</link>," where the problem is first analyzed.</para></listitem> +<listitem><para>If you suspect the server is not running, go back to <link linkend="ch09-49239">Section 9.2.4.2</link> to see why the server daemon isn't responding.<indexterm id="ch09-idx-953731-0" class="endofrange" startref="ch09-idx-953724-0"/></para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.6.2" id="ch09-12446"> +<title>Testing the server with nmblookup</title> + + +<para>This will test the "advertising" system used for Windows name services and browsing. Advertising works by broadcasting one's presence or willingness to provide services. It is the part of browsing that uses an unreliable protocol (UDP), and works only on broadcast networks like Ethernets. The <emphasis>nmblookup</emphasis> +<indexterm id="ch09-idx-953736-0"><primary>servers</primary><secondary>testing with nmblookup program</secondary></indexterm> program broadcasts name queries for the hostname you provide, and returns its IP address and the name of the machine, much like <emphasis>nslookup</emphasis> does with DNS. Here, the <literal>-d</literal> (debug- or log-level) option, and the <literal>-B</literal> (broadcast address) options direct queries to specific machines.</para> + + +<para>First, we check the server from itself. Run <emphasis>nmblookup</emphasis> with a <literal>-B</literal> option of your server's name to tell it to send the query to the Samba server, and a parameter of <literal>_ _SAMBA_ _</literal> as the symbolic name to look up. You should get:</para> + + +<programlisting>server% <emphasis role="bold">nmblookup -B</emphasis><replaceable>server</replaceable><emphasis role="bold"> _ _SAMBA_ _</emphasis> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 +Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</programlisting> + + +<para>You should get the IP address of the server, followed by the name <literal>_ _SAMBA_ _ </literal>, which means that the server has successfully advertised that it has a service called <literal>_ _SAMBA_ _ </literal>, and therefore at least part of NetBIOS nameservice works.</para> + + +<itemizedlist> +<listitem><para>If you get "Name_query failed to find name _ _SAMBA_ _" you may have specified the wrong address to the <literal>-B</literal> option, or <emphasis>nmbd</emphasis> is not running. The <literal>-B</literal> option actually takes a broadcast address: we're using a machine-name to get a unicast address, and to ask server if it has claimed <literal>_ _SAMBA_ _</literal>.</para></listitem> +<listitem><para>Try again with <literal>-B</literal><replaceable> ip_address</replaceable>, and if that fails too, <emphasis>nmbd</emphasis> isn't claiming the name. Go back briefly to "Testing daemons with testparm" to see if <emphasis>nmbd</emphasis> is running. If so, it may not claiming names; this means that Samba is not providing the browsing service—a configuratiuon problem. If that is the case, make sure that <filename>smb.conf</filename> doesn't contain the option <literal>browsing</literal> <literal>=</literal> <literal>no</literal>.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.6.3" id="ch09-32122"> +<title>Testing the client with nmblookup</title> + + +<para>Next, check the IP address of the client from the server with <emphasis>nmblookup</emphasis> +<indexterm id="ch09-idx-953737-0"><primary>clients, testing with nmblookup program</primary></indexterm> using <literal>-B</literal> option for the client's name and a parameter of <literal>'*'</literal> meaning "anything," as shown here:</para> + + +<programlisting>server% <emphasis role="bold">nmblookup -B client '*'</emphasis> +Sending queries to 192.168.236.10 192.168.236.10 * +Got a positive name query response from 192.168.236.10 (192.168.236.10)</programlisting> + + +<itemizedlist> +<listitem><para>If you receive "Name-query failed to find name *," you have made a spelling mistake, or the client software on the PC isn't installed, started, or bound to TCP/IP. Double back to <link linkend="SAMBA-CH-2">Chapter 2</link> or <link linkend="SAMBA-CH-3">Chapter 3</link> and ensure you have a client installed and listening to the network.</para></listitem> +</itemizedlist> + +<para>Repeat the command with the following options if you had any failures:</para> + + +<itemizedlist> +<listitem><para>If <literal>nmblookup</literal> <literal>-B</literal> <replaceable>client_IP_address</replaceable> succeeds but <literal>-B</literal> <replaceable>client_name</replaceable> fails, there is a name service problem with the client's name; go to <link linkend="ch09-23768">Section 9.2.8</link>."</para></listitem> +<listitem><para>If <literal>nmblookup</literal> <literal>-B</literal> <literal>127.0.0.1'*'</literal> succeeds, but <literal>-B</literal> <replaceable>client_IP_address</replaceable> fails, there is a hardware problem and ping should have failed. See your network manager.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.6.4" id="ch09-98123"> +<title>Testing the network with nmblookup</title> + + +<para>Run the command <emphasis>nmblookup</emphasis> +<indexterm id="ch09-idx-953741-0" class="startofrange"><primary>networking</primary><secondary>nmblookup program, testing with</secondary></indexterm> +<indexterm id="ch09-idx-953741-1" class="startofrange"><primary>nmblookup program</primary><secondary>networks, testing with</secondary></indexterm> again with a <literal>-d</literal> option (debug level) of 2 and a parameter of <literal>'*'</literal> again. This time we are testing the ability of programs (such as <emphasis>nmbd</emphasis> ) to use broadcast. It's essentially a connectivity test, done via a broadcast to the default broadcast address.</para> + + +<para>A number of NetBIOS/TCP-IP hosts on the network should respond with "got a positive name query response" messages. Samba may not catch all of the responses in the short time it listens, so you won't always see all the SMB clients on the network. However, you should see most of them:</para> + + +<programlisting>server% <emphasis role="bold">nmblookup -d 2 '*'</emphasis> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending queries to 192.168.236.255 +Got a positive name query response from 192.168.236.191 (192.168.236.191) +Got a positive name query response from 192.168.236.228 (192.168.236.228) +Got a positive name query response from 192.168.236.75 (192.168.236.75) +Got a positive name query response from 192.168.236.79 (192.168.236.79) +Got a positive name query response from 192.168.236.206 (192.168.236.206) +Got a positive name query response from 192.168.236.207 (192.168.236.207) +Got a positive name query response from 192.168.236.217 (192.168.236.217) +Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</programlisting> + + +<para>However:</para> + + +<itemizedlist> +<listitem><para>If this doesn't give at least the client address you previously tested, the default broadcast address is wrong. Try <literal>nmblookup</literal> <literal>-B</literal> <literal>255.255.255.255</literal> <literal>-d</literal> <literal>2</literal> <literal>'*'</literal>, which is a last-ditch variant (a broadcast address of all ones). If this draws responses, the broadcast address you've been using before is wrong. Troubleshooting these is discussed in the <link linkend="ch09-45060">Section 9.2.9.2</link>, later in this chapter.</para></listitem> +<listitem><para>If the address 255.255.255.255 fails too, check your notes to see if your PC and server are on different subnets, as discovered in <link linkend="ch09-84079">Section 9.2.2.4</link>." You should try to diagnose this with a server and client on the same subnet, but if you can't, you can try specifying the remote subnet's broadcast address with <literal>-B</literal>. Finding that address is discussed in the same place as troubleshooting broadcast addresses, in <link linkend="ch09-45060">Section 9.2.9.2</link>s," later in this chapter. The <literal>-B</literal> option will work if your router supports directed broadcasts; if it doesn't, you may be forced to test with a client on the same network.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.6.5" id="ch09-SECT-2.6.5"> +<title>Testing client browsing with net view</title> + + +<para> +<indexterm id="ch09-idx-953742-0"><primary>browsing</primary><secondary>client-side, testing with net view</secondary></indexterm>On the client, run the command <replaceable>net view \\server</replaceable> in a DOS window to see if you can connect to the client and ask what shares it provides. You should get back a list of available shares on the server, as shown in <link linkend="ch09-83710">Figure 9.4</link>.</para> + + +<figure label="9.4" id="ch09-83710"> +<title>Using the net view command</title> + +<graphic width="502" depth="206" fileref="figs/sam.0904.gif"></graphic> +</figure> + +<para>If you received this, continue with <link linkend="ch09-21713">Section 9.2.7</link>."</para> + + +<itemizedlist> +<listitem><para>If you get "Network name not found" for the name you just tested in <link linkend="ch09-32122">Section 9.2.6.3</link>," there is a problem with the client software itself. Double-check this by running <emphasis>nmblookup</emphasis> on the client; if it works and NET VIEW doesn't, the client is at fault.</para></listitem> +<listitem><para>Of course, if <emphasis>nmblookup</emphasis> fails, there is a NetBIOS nameservice problem, as discussed in <link linkend="ch09-35552">Section 9.2.10</link>."</para></listitem> +<listitem><para>If you get "You do not have the necessary access rights," or "This server is not configured to list shared resources," either your guest account is misconfigured (see <link linkend="ch09-40595">Section 9.2.5.2</link>), or you have a <literal>hosts</literal> <literal>allow</literal> or <literal>hosts</literal> <literal>deny</literal> line that prohibits connections from your machine. These problems should have been detected by the <emphasis>smbclient</emphasis> tests starting in <link linkend="ch09-96207">Section 9.2.6.1</link>."</para></listitem> +<listitem><para>If you get "The specified computer is not receiving requests," you have misspelled the name, the machine is unreachable by broadcast (tested in "Testing the network with nmblookup"), or it's not running <emphasis>nmbd</emphasis>.</para></listitem> +<listitem><para>If you get "Bad password error," you're probably encountering the Microsoft-encrypted password problem, as discussed in <link linkend="SAMBA-CH-6">Chapter 6</link>, with its corrections.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.6.6" id="ch09-SECT-2.6.6"> +<title>Browsing the server from the client</title> + + +<para> +<indexterm id="ch09-idx-953743-0"><primary>browsing</primary><secondary>server from client</secondary></indexterm>From the Network Neighborhood (File Manager in older releases), try to browse the server. Your Samba server should appear in the browse list of your local workgroup. You should be able to double click on the name of the server and get a list of shares, as illustrated in <link linkend="ch09-60004">Figure 9.5</link>.</para> + + +<figure label="9.5" id="ch09-60004"> +<title>List of shares on a server</title> + +<graphic width="502" depth="202" fileref="figs/sam.0905.gif"></graphic> +</figure> + +<itemizedlist> +<listitem><para>If you get an "Invalid password" error with NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98 or any of these with Internet Explorer 4.0, it's most likely the encryption problem again. All of these clients default to using Microsoft encryption for passwords (see <link linkend="SAMBA-CH-6">Chapter 6</link>).</para></listitem> +<listitem><para>If you receive an "Unable to browse the network" error, one of the following has ocurred:</para> + + +<itemizedlist> +<listitem><para>You have looked too soon, before the broadcasts and updates have completed; try waiting 30 seconds before re-attempting.</para></listitem> +<listitem><para>There is a network problem you've not yet diagnosed.</para></listitem> +<listitem><para>There is no browse master. Add the configuration option <literal>local</literal> <literal>master</literal> <literal>=</literal> <literal>yes</literal> to your <emphasis>smb.conf</emphasis> file.</para></listitem> +<listitem><para>No shares are marked <literal>browsable</literal> in the <emphasis>smb.conf</emphasis> file.</para></listitem> + +</itemizedlist></listitem> + +<listitem><para>If you receive the message "\\server is not accessible," then:</para> + + +<itemizedlist> +<listitem><para> You have the encrypted password problem</para></listitem> +<listitem><para> The machine really isn't accessible</para></listitem> +<listitem><para> The machine doesn't support browsing<indexterm id="ch09-idx-953589-0" class="endofrange" startref="ch09-idx-953586-0"/></para></listitem> +</itemizedlist></listitem> +</itemizedlist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.7" id="ch09-21713"> +<title>Other Things that Fail </title> + + +<para>If you've made it here, either the problem is solved or it's not one we've seen. The next sections cover troubleshooting tasks that are required to have the infrastructure to run Samba, not Samba itself.</para> + + +<sect3 role="" label="9.2.7.1" id="ch09-SECT-2.7.1"> +<title>Not logging on</title> + + +<para> +<indexterm id="ch09-idx-953594-0"><primary>log files/logging</primary><secondary>troubleshooting</secondary></indexterm>An occasional problem is forgetting to log in to the client or logging in as a wrong (account-less) person. The former is not diagnosed at all: Windows tries to be friendly and lets you on. Locally! The only warning of the latter is that Windows welcomes you and asks about your new account. Either of these leads to repeated refusals to connect and endless requests for passwords. If nothing else seems to work, try logging out or shutting down and logging in again.</para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.8" id="ch09-23768"> +<title>Troubleshooting Name Services</title> + + +<para> +<indexterm id="ch09-idx-953595-0" class="startofrange"><primary>name services</primary><secondary>troubleshooting</secondary></indexterm>This section looks at simple troubleshooting of all the name services that you will encounter, but only for the common problems that affect Samba.</para> + + +<para>There are several good references for troubleshooting particular name services: Paul Albitz and Cricket Liu's <emphasis>DNS and Bind</emphasis> covers the Domain Name Service (DNS), Hal Stern's <emphasis>NFS and NIS</emphasis> (both from O'Reilly) covers NIS ("Yellow pages") while WINS (Windows Internet Name Service), <filename>hosts/LMHOSTS</filename> files and NIS+ are best covered by their respective vendor's manuals.</para> + + +<para>The problems addressed in this section are:</para> + + +<itemizedlist> +<listitem><para>Identifying name services</para></listitem> +<listitem><para>A hostname can't be looked up</para></listitem> +<listitem><para>The long (FQDN) form of a hostname works but the short form doesn't</para></listitem> +<listitem><para>The short form of the name works, but the long form doesn't</para></listitem> +<listitem><para>A long delay ocurrs before the expected result</para></listitem> +</itemizedlist> + +<sect3 role="" label="9.2.8.1" id="ch09-SECT-2.8.1"> +<title>Identifying what's in use</title> + + +<para> +<indexterm id="ch09-idx-953744-0"><primary>name services</primary><secondary>identifying what is in use</secondary></indexterm>First, see if both the server and the client are using DNS, WINS, NIS, or <filename>hosts</filename> files to look up IP addresses when you give them a name. Each kind of machine will have a different preference:</para> + + +<itemizedlist> +<listitem><para>Windows 95 and 98 machines will look in WINS and <filename>LMHOSTS</filename> files first, then broadcast, and finally try DNS and <filename>hosts</filename> files.</para></listitem> +<listitem><para>NT will look in WINS, then broadcast, LMHOSTS files, and finally <filename>hosts</filename> and DNS.</para></listitem> +<listitem><para>Windows programs using the WINSOCK standard (like PC-NFSs) will use hosts files, DNS, WINS, and then broadcast. Don't assume that if a different program's name service works, the SMB client program's name service will!</para></listitem> +<listitem><para>Samba daemons will use <filename>LMHOSTS</filename>, WINS, the Unix host's preference, and then broadcast.</para></listitem> +<listitem><para>Unix hosts can be configured to use any combination of DNS, <filename>hosts</filename> files, and NIS and NIS+, generally in any order.</para></listitem> +</itemizedlist> + +<para>We recommend that the client machines be configured to use WINS and DNS, the Samba daemons to use WINS and DNS, and the Unix server to use DNS. You'll have to look at your notes and the actual machines to see which is in use.</para> + + +<para>On the clients, the name services are all set in the TCP/IP Properties panel of the Networking Control Panel, as discussed in <link linkend="SAMBA-CH-3">Chapter 3</link>. You may need to check there to see what you've actually turned on. On the server, see if an <filename>/etc/resolv.conf</filename> file exists. If it does, you're using DNS. You may be using the others as well, though. You'll need to check for NIS and combinations of services.</para> + + +<para>Check for an <filename>/etc/nsswitch.conf</filename> file on Solaris and other System V Unix operating systems. If you have one, look for a line that begins <literal>host</literal>:, followed by one or more of <literal>files</literal>, <literal>bind</literal>, <literal>nis</literal> or <literal>nis+</literal>. These are the name services to use, in order, with optional extra material in square brackets. <emphasis>files</emphasis> stands for using <emphasis>hosts</emphasis> files, while <emphasis>bind</emphasis> (the Berkeley Internet Name Daemon) stands for using DNS.</para> + + +<para>If the client and server differ, the first thing to do is to get them in sync. Clients can only use only DNS, WINS, <emphasis>hosts</emphasis> files and <emphasis>lmhosts</emphasis> files, not NIS or NIS+. Servers can use <emphasis>hosts</emphasis> files, DNS, and NIS or NIS+, but not WINS—even if your Samba server provides WINS services. If you can't get all the systems to use the same services, you'll have to carefully check the server and the client for the same data.</para> + + +<para>Samba 2.0 (and late 1.9 versions) added a <literal>-R</literal><option> </option>(resolve order) option to <emphasis>smbclient</emphasis>. If you want to troubleshoot WINS, for example, you'd say:</para> + + +<programlisting>smbclient -L <replaceable>server</replaceable> -R wins</programlisting> + + +<para>The possible settings are <literal>hosts</literal> (which means whatever the Unix machine is using, not just<filename> /etc/hosts</filename> files), <literal>lmhosts</literal>, <literal>wins</literal> and <literal>bcast</literal> (broadcast).</para> + + +<para>In the following sections, we use the term <emphasis>long name</emphasis> for a fully-qualified domain name (FQDN), like <literal>server.example.com </literal>, and the term <emphasis>short name</emphasis> for the host part of a FQDN, like <literal>server</literal>.</para> +</sect3> + + + +<sect3 role="" label="9.2.8.2" id="ch09-SECT-2.8.2"> +<title>Cannot look up hostnames</title> + + +<para> <indexterm id="ch09-idx-953745-0"><primary>hostnames</primary><secondary>troubleshooting</secondary><tertiary>lookup</tertiary></indexterm>Try the following:</para> + + +<itemizedlist> +<listitem><para>In DNS:</para> + + +<para>Run <literal>nslookup</literal> <replaceable>name</replaceable>. If this fails, look for a <filename>resolv.conf</filename> error, a downed DNS server, or a short/long name problem (see the next section). Try the following:</para> + + +<itemizedlist> +<listitem><para>Your <filename>/etc/resolv.conf</filename> should contain one or more name-server lines, each with an IP address. These are the addresses of your DNS servers.</para></listitem> +<listitem><para>ping each of the server addresses you find. If this fails for one, suspect the machine. If it fails for each, suspect your network.</para></listitem> +<listitem><para>Retry the lookup using the full domain name (e.g., <emphasis>server.example.com</emphasis>) if you tried the short name first, or the short name if you tried the long name first. If results differ, skip to the next section.</para></listitem> +</itemizedlist></listitem> +<listitem><para>In Broadcast/ WINS:</para> + + +<para>Broadcast/ WINS does only short names such as <literal>server</literal>, (not long ones, such as <literal>server.example.com)</literal>. Run <literal>nmblookup</literal> <literal>-S</literal> <replaceable>server</replaceable>.<replaceable> </replaceable>This reports everything broadcast has registered for the name. In our example, it looks like this:</para></listitem> +</itemizedlist> + +<programlisting>Looking up status of 192.168.236.86 +received 10 names + SERVER <00> - M <ACTIVE> + SERVER <03> - M <ACTIVE> + SERVER <1f> - M <ACTIVE> + SERVER <20> - M <ACTIVE> + .._ _MSBROWSE_ _.<01> - <GROUP> M <ACTIVE> + MYGROUP <00> - <GROUP> M <ACTIVE> + MYGROUP <1b> - M <ACTIVE> + MYGROUP <1c> - <GROUP> M <ACTIVE> + MYGROUP <1d> - M <ACTIVE> + MYGROUP <1e> - <GROUP> M <ACTIVE></programlisting> + + +<itemizedlist> +<listitem><para> +The required entry is <literal>SERVER</literal> <literal><00></literal>, which identifies <replaceable>server</replaceable> as being this machine's NetBIOS name. You should also see your workgroup mentioned one or more times. If these lines are missing, Broadcast/WINS cannot look up names and will need attention.</para></listitem> +</itemizedlist> + +<tip role="ora"> +<para>The numbers in angle brackets in the previous output identify NetBIOS names as being workgroups, workstations, and file users of the messenger service, master browsers, domain master browsers, domain controllers and a plethora of others. We primarily use <literal><00></literal> to identify machine and workgroup names and <literal><20></literal> to identify machines as servers. The complete list is available at <systemitem role="url">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</systemitem>.</para> + +</tip> + +<itemizedlist> +<listitem><para>In NIS:</para> + + +<para>Try <literal>ypmatch</literal> <literal>name</literal> <literal>hosts</literal>. If this fails, NIS is down. Find out the NIS server's name by running <emphasis>ypwhich</emphasis>, and ping the machine it to see if it's accessible.</para></listitem> +<listitem><para>In NIS+:</para> + + +<para>If you're running NIS+, try <literal>nismatch</literal> <literal>name</literal> <literal>hosts</literal>. If this fails, NIS is down. Find out the NIS server's name by running <emphasis>niswhich</emphasis>, and ping that machine to see if it's accessible.</para></listitem> +<listitem><para>In <filename>hosts</filename> files:</para> + + +<para>Inspect <filename>/etc/hosts</filename> on the client (<literal>C:\WINDOWS\HOSTS</literal>). Each line should have an IP number and one or more names, the primary name first, then any optional aliases. An example follows:</para></listitem> +</itemizedlist> + +<programlisting>127.0.0.1 localhost + 192.168.236.1 dns.svc.example.com + 192.168.236.10 client.example.com client + 192.168.236.11 backup.example.com loghost + 192.168.236.86 server.example.com server + 192.168.236.254 router.svc.example.com</programlisting> + + +<itemizedlist> +<listitem><para> +On Unix, <literal>localhost</literal> should always be 127.0.0.1, although it may be just an alias for a hostname on the PC. On the client, check that there are no <literal>#XXX</literal> directives at the ends of the lines; these are LAN Manager/NetBIOS directives, and should appear only in <emphasis>LMHOSTS</emphasis> files (<literal>C:\WINDOWS\LMHOSTS</literal>).</para></listitem> +<listitem><para>In <emphasis>LMHOSTS</emphasis> files:</para> + + +<para>This file is a local source for LAN Manager (NetBIOS) names. It has a format very similar to <filename>/etc/hosts</filename> files, but does not support long-form domain names (e.g., <literal>server.example.com</literal>), and may have a number of optional <literal>#XXX</literal> directives following the names. Note there usually is a <emphasis>lmhosts.sam</emphasis> (for sample) file in <literal>C:\WINDOWS</literal>, but it's not used unless renamed to <literal>C:\WINDOWS\LMHOSTS</literal>.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.8.3" id="ch09-SECT-2.8.3"> +<title>Long and short hostnames</title> + + +<para> +<indexterm id="ch09-idx-953754-0"><primary>hostnames</primary><secondary>troubleshooting</secondary><tertiary>long/short</tertiary></indexterm>Where the long (FQDN) form of a hostname works but the short name doesn't (for example, <literal>client.example.com</literal> works but <literal>client</literal> doesn't), consider the following:</para> + + +<itemizedlist> +<listitem><para>DNS:</para> + + +<para>This usually indicates there is no default domain in which to look up the short names. Look for a <literal>default</literal> line in <filename>/etc/resolv.conf</filename> on the Samba server with your domain in it, or a <literal>search</literal> line with one or more domains in it. One or the other may need to be present to make short names usable; which one depends on vendor and version of the DNS resolver. Try adding <literal>domain</literal> <replaceable>your domain</replaceable> to <filename>resolv.conf</filename> and ask your network or DNS administrator what should have been in the file.</para></listitem> +<listitem><para>Broadcast/WINS:</para> + + +<para>Broadcast/WINS doesn't support long names; it won't suffer from this problem.</para></listitem> +<listitem><para>NIS:</para> + + +<para>Try the command <literal>ypmatch</literal> <literal>hostname</literal> <literal>hosts</literal>. If you don't get a match, your tables don't include short names. Speak to your network manager; short names may be missing by accident, or may be unsupported as a matter of policy. Some sites don't ever use (ambiguous) short names.</para></listitem> +<listitem><para>NIS+ :</para> + + +<para>Try <literal>nismatch</literal> <replaceable>hostname</replaceable> <literal>hosts</literal>, and treat failure exactly as with NIS above.</para></listitem> +<listitem><para><emphasis>hosts:</emphasis></para> + + +<para>If the short name is not in <filename>/etc/hosts</filename>, consider adding it as an alias. Avoid, if you can, short names as primary names (the first one on a line). Have them as aliases if your system permits.</para></listitem> +<listitem><para><filename>LMHOSTS</filename>:</para> + + +<para>LAN Manager doesn't support long names, so it won't suffer from this problem.</para></listitem> +</itemizedlist> + +<para>On the other hand, if the short form of the name works and the long doesn't, consider the following:</para> + + +<itemizedlist> +<listitem><para>DNS:</para> + + +<para>This is bizarre; see your network or DNS administrator, as this is probably a DNS setup bug.</para></listitem> +<listitem><para>Broadcast/WINS:</para> + + +<para>This is a normal bug; Broadcast/WINS can't use the long form. Optionally, consider DNS. Microsoft has stated that they will switch to DNS, though it's not providing name types like <00>.</para></listitem> +<listitem><para>NIS:</para> + + +<para>If you can use <literal>ypmatch</literal> to look up the short form but not the long, consider adding the long form to the table as at least an alias.</para></listitem> +<listitem><para>NIS+:</para> + + +<para>Same as NIS, except you use <literal>nismatch</literal> instead of <literal>ypmatch</literal> to look up names.</para></listitem> +<listitem><para><filename>hosts:</filename></para> + + +<para>Add the long name as at least an alias, and preferably as the primary form. Also consider using DNS if it's practical.</para></listitem> +<listitem><para><filename>LMHOSTS</filename>:</para> + + +<para>This is a normal bug. LAN Manager can't use the long form; consider switching to DNS or <filename>hosts</filename>.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.8.4" id="ch09-SECT-2.8.4"> +<title>Unusual delays</title> + + +<para> +<indexterm id="ch09-idx-953755-0"><primary>delays, troubleshooting</primary></indexterm>When there is a long delay before the expected result:</para> + + +<itemizedlist> +<listitem><para>DNS:</para> + + +<para>Test the same name with the <command>nslookup</command> command on the machine (client or server) that is slow. If <command>nslookup</command> is also slow, you have a DNS problem. If it's slower on a client, you have too many protocols bound to the Ethernet card. Eliminate NetBEUI, which is infamously slow, and optionally, Novel, assuming you don't need them. This is especially important on Windows 95, which is particularly sensitive to excess protocols.</para></listitem> +<listitem><para>Broadcast/ WINS:</para> + + +<para>Test the client using <literal>nmblookup</literal>, and if it's faster, you probably have the protocols problem as mentioned in the previous item.</para></listitem> +<listitem><para>NIS:</para> + + +<para>Try <literal>ypmatch</literal>, and if it's slow, report the problem to your network manager.</para></listitem> +<listitem><para>NIS+:</para> + + +<para>Try <literal>nismatch</literal>, similarly.</para></listitem> +<listitem><para><emphasis>hosts</emphasis>:</para> + + +<para><emphasis>hosts</emphasis> files, if of reasonable size, are always fast. You probably have the protocols problem mentioned under DNS, above.</para></listitem> +<listitem><para><emphasis>LMHOSTS</emphasis>:</para> + + +<para>This is not a name lookup problem; <emphasis>LMHOSTS</emphasis> files are as fast as <emphasis>hosts</emphasis> files.</para></listitem> +</itemizedlist> +</sect3> + + + +<sect3 role="" label="9.2.8.5" id="ch09-SECT-2.8.5"> +<title>Localhost issues</title> + + +<para> +<indexterm id="ch09-idx-953756-0"><primary>localhost</primary><secondary>troubleshooting</secondary></indexterm>When a localhost isn't 127.0.0.1, try the following:</para> + + +<itemizedlist> +<listitem><para>DNS:</para> + + +<para>There is probably no record for <literal>localhost.</literal> <literal>A</literal> <literal>127.0.0.1</literal>. Arrange to add one, and a reverse entry, <literal>1.0.0.127.IN-ADDR.ARPA</literal> <literal>PTR</literal> <literal>127.0.0.1</literal>.</para></listitem> +<listitem><para>Broadcast/WINS:</para> + + +<para>Not applicable.</para></listitem> +<listitem><para>NIS:</para> + + +<para>If <literal>localhost</literal> isn't in the table, add it.</para></listitem> +<listitem><para>NIS+:</para> + + +<para>If <literal>localhost</literal> isn't in the table, add it.</para></listitem> +<listitem><para><filename>hosts:</filename></para> + + +<para>Add a line is the <emphasis>hosts</emphasis> file that says <literal>127.0.0.1</literal> <literal>localhost</literal></para></listitem> +<listitem><para><filename>LMHOSTS</filename>:</para> + + +<para>Not applicable.<indexterm id="ch09-idx-953603-0" class="endofrange" startref="ch09-idx-953595-0"/></para></listitem> +</itemizedlist> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.9" id="ch09-SECT-2.9"> +<title>Troubleshooting Network Addresses</title> + + +<para>A number of common problems are caused by incorrect Internet address routing or the incorrect assignment of addresses. This section helps you determine what your addresses are.</para> + + +<sect3 role="" label="9.2.9.1" id="ch09-21203"> +<title>Netmasks</title> + + +<para> +<indexterm id="ch09-idx-953973-0" class="startofrange"><primary>network addresses</primary><secondary>troubleshooting</secondary></indexterm> +<indexterm id="ch09-idx-953973-1" class="startofrange"><primary>IP address</primary></indexterm> +<indexterm id="ch09-idx-953973-2" class="startofrange"><primary>troubleshooting</primary><secondary>network addresses</secondary></indexterm>The <indexterm id="ch09-idx-953974-0"><primary>netmasks</primary><secondary>troubleshooting</secondary></indexterm>netmasks tell each machine which addresses can be reached directly (are on your local network) and which addresses require forwarding packets through a router. If the netmask is wrong, the machines will make one of two mistakes. One is to try to route local packets via a router, which is an expensive way to waste time—it may work reasonably fast, it may run slowly, or it may fail utterly. The second mistake is to fail to send packets for a remote machine to the router, which will prevent them from being forwarded to the remote machine.</para> + + +<para>The netmask is a number like an IP address, with one-bits for the network part of an address and zero-bits for the host portion. The netmask is literally used to mask off parts of the address inside the TCP/IP code. If the mask is 255.255.0.0, the first 2 bytes are the network part and the last 2 are the host part. More common is 255.255.255.0, in which the first 3 bytes are the network part and the last one is the host part.</para> + + +<para>For example, let's say your IP address is 192.168.0.10 and the Samba server is 192.168.236.86. If your netmask happens to be 255.255.255.0, the network part of the addresses is the first 3 bytes and the host part is the last byte. In this case, the network parts are different, and the machines are on different networks:</para> + + +<informaltable> +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Network Part</para></entry> + +<entry colname="col2"><para>Host Part</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>192 168 000</para></entry> + +<entry colname="col2"><para>10</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>192 168 235</para></entry> + +<entry colname="col2"><para>86</para></entry> + +</row> + +</tbody> +</tgroup> +</informaltable> + +<para>If your netmask happens to be 255.255.0.0, the network part is just the first two bytes. In this case, the network parts match and so the two machines are on the same network:</para> + + + +<informaltable> +<tgroup cols="2"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<thead> +<row> + +<entry colname="col1"><para>Network Part</para></entry> + +<entry colname="col2"><para>Host Part</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para>192 168</para></entry> + +<entry colname="col2"><para>000 10</para></entry> + +</row> + +<row> + +<entry colname="col1"><para>192 168</para></entry> + +<entry colname="col2"><para>236 86</para></entry> + +</row> + +</tbody> +</tgroup> +</informaltable> + +<para>Of course, if your netmask says one thing and your network manager says another, the netmask is wrong.</para> +</sect3> + + + +<sect3 role="" label="9.2.9.2" id="ch09-45060"> +<title>Broadcast addresses</title> + + +<para>The <indexterm id="ch09-idx-953758-0"><primary>broadcast addresses, troubleshooting</primary></indexterm>broadcast address is a normal address, with the hosts part all one-bits. It means "all hosts on your network." You can compute it easily from your netmask and address: take the address and put one-bits in it for all the bits that are zero at the end of the netmask (the host part). The following table illustrates this:</para> + + +<informaltable> +<tgroup cols="3"> +<colspec colnum="1" colname="col1"/> +<colspec colnum="2" colname="col2"/> +<colspec colnum="3" colname="col3"/> +<thead> +<row> + +<entry colname="col1"></entry> + +<entry colname="col2"><para>Network Part</para></entry> + +<entry colname="col3"><para>Host Part</para></entry> + +</row> + +</thead> + +<tbody> +<row> + +<entry colname="col1"><para><emphasis role="bold">IP address</emphasis></para></entry> + +<entry colname="col2"><para>192 168 236</para></entry> + +<entry colname="col3"><para>86</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis role="bold">Netmask</emphasis></para></entry> + +<entry colname="col2"><para>255 255 255</para></entry> + +<entry colname="col3"><para>000</para></entry> + +</row> + +<row> + +<entry colname="col1"><para><emphasis role="bold">Broadcast</emphasis></para></entry> + +<entry colname="col2"><para>192 168 236</para></entry> + +<entry colname="col3"><para>255</para></entry> + +</row> + +</tbody> +</tgroup> +</informaltable> + +<para>In this example, the broadcast address on the 192.168.236 network is 192.168.236.255. There is also an old "universal" broadcast address, 255.255.255.255. Routers are prohibited from forwarding these, but most machines on your local network will respond to broadcasts to this address.</para> +</sect3> + + + +<sect3 role="" label="9.2.9.3" id="ch09-SECT-2.9.3"> +<title>Network address ranges</title> + + +<para> +<indexterm id="ch09-idx-953762-0"><primary>networking</primary><secondary>network address ranges</secondary></indexterm>A number of address ranges have been reserved for testing and for non-connected networks; we use one of these for the book. If you don't have an address yet, feel free to use one of these to start with. They include one class A (large) network, 10.*.*.*, and 254 class C (smaller) networks, 192.168.1.* through to 192.168.254.*. In this book we use one of the latter, 192.168.236.*. The domain <filename>example.com</filename> is also reserved for unconnected networks, explanatory examples, and books.</para> + + +<para>If you're actually connecting to the Internet, you'll need to get a real network and a domain name, probably through the same company that provides your connection.</para> +</sect3> + + + +<sect3 role="" label="9.2.9.4" id="ch09-SECT-2.9.4"> +<title>Finding your network address</title> + + +<para> +<indexterm id="ch09-idx-953761-0"><primary>network addresses</primary><secondary>finding</secondary></indexterm>If you haven't recorded your IP address, it will be displayed by the <command>ifconfig</command> command on Unix or by the IPCONFIG command on Windows 95 and NT. (Check your manual pages for any options required by your brand of Unix: Sun wants <literal>ifconfig</literal> <literal>-a</literal>). You should see output similar to the following:</para> + + +<programlisting>server% ifconfig -a +le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING > + inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 +lo0: flags=49<&lt>UP,LOOPBACK,RUNNING<&gt> + inet 127.0.0.1 netmask ff000000</programlisting> + + +<para>One of the interfaces will be loopback (in our examples <literal>lo0</literal>), and the other will be the regular IP interface. The flags should show that the interface is running, and Ethernet interfaces will also say they support broadcasts (PPP interfaces don't). The other places to look for IP addresses are <filename>/etc/hosts</filename> files, Windows <emphasis>HOSTS</emphasis> files, Windows <emphasis>LMHOSTS</emphasis> files, NIS, NIS+ and DNS.<indexterm id="ch09-idx-953611-0" class="endofrange" startref="ch09-idx-953973-0"/> +<indexterm id="ch09-idx-953611-1" class="endofrange" startref="ch09-idx-953973-1"/> +<indexterm id="ch09-idx-953611-2" class="endofrange" startref="ch09-idx-953973-2"/></para> +</sect3> +</sect2> + + + + + +<sect2 role="" label="9.2.10" id="ch09-35552"> +<title>Troubleshooting NetBIOS Names</title> + + +<para> +<indexterm id="ch09-idx-953616-0"><primary>NetBIOS name</primary><secondary>troubleshooting</secondary></indexterm>Historically, SMB protocols have depended on the NetBIOS name system, also called the LAN Manager name system. This was a simple scheme where each machine had a unique 20-character name and broadcast it on the LAN for everyone to know. With TCP/IP, we tend to use names like <emphasis>client.example.com</emphasis> stored in <filename>/etc/hosts</filename> files, through DNS or WINS.</para> + + +<para>The usual mapping to domain names such as <emphasis>server.example.com</emphasis> simply uses the <emphasis>server</emphasis> part as the NetBIOS name and converts it to uppercase. Alas, this doesn't always work, especially if you have a machine with a 21-character name; not everyone uses the same NetBIOS and DNS names. For example, <emphasis>corpvm1</emphasis> along with <emphasis>vm1.corp.com</emphasis> is not unusual.</para> + + +<para>A machine with a different NetBIOS name and domain name is confusing when you're troubleshooting; we recommend that you try to avoid this wherever possible. NetBIOS names are discoverable with <emphasis>smbclient</emphasis> :</para> + + +<itemizedlist> +<listitem><para>If you can list shares on your Samba server with <emphasis>smbclient</emphasis> and a <literal>-L</literal> option (list shares) of <replaceable>short_name_of_server</replaceable>, the short name is the NetBIOS name.</para></listitem> +<listitem><para>If you get "Get_Hostbyname: Unknown host name," there is probably a mismatch. Check in the <filename>smb.conf</filename> file to see if the NetBIOS name is explicitly set.</para></listitem> +<listitem><para>Try again, specifying <literal>-I</literal> and the IP address of the Samba server (e.g., <literal>smbclient</literal> <literal>-L</literal> <literal>server</literal> <literal>-I</literal> <literal>192.168.236.86</literal>). This overrides the name lookup and forces the packets to go to the IP address. If this works, there was a mismatch.</para></listitem> +<listitem><para>Try with <literal>-I</literal> and the full domain name of the server (e.g., <literal>smbclient</literal> <literal>-L</literal> <literal>server</literal> <literal>-I</literal> <literal>server.example.com</literal>). This tests the lookup of the domain name, using whatever scheme the Samba server uses (e.g., DNS). If it fails, you have a name service problem. You should reread <link linkend="ch09-23768">Section 9.2.8</link> after you finish troubleshooting the NetBIOS names.</para></listitem> +<listitem><para>Try with <literal>-n</literal> (NetBIOS name) and the name you expect to work (e.g., <literal>smbclient</literal> <literal>-n</literal> <literal>server</literal> <literal>-L</literal> <literal>server-12</literal>) but without overriding the IP address through <literal>-I</literal>. If this works, the name you specified with <literal>-n</literal> is the actual NetBIOS name of the server. If you receive "Get-Hostbyname: Unknown host MARY," it's not the right server yet.</para></listitem> +<listitem><para>If nothing is working so far, repeat the tests specifying <literal>-U</literal> <replaceable>username</replaceable> and <literal>-W</literal> <replaceable>workgroup</replaceable>, with the username and workgroup in uppercase, to make sure you're not being derailed by a user or workgroup mismatch.</para></listitem> +<listitem><para>If nothing works still and you had evidence of a name service problem, troubleshoot name service in <link linkend="ch09-23768">Section 9.2.8</link>," and then return to NetBIOS name<indexterm id="ch09-idx-953533-0" class="endofrange" startref="ch09-idx-953543-0"/> +<indexterm id="ch09-idx-953533-1" class="endofrange" startref="ch09-idx-953543-1"/> service.<indexterm id="ch09-idx-953526-0" class="endofrange" startref="ch09-idx-953453-0"/></para></listitem> +</itemizedlist> +</sect2> +</sect1> + + + + + + + + + +<sect1 role="" label="9.3" id="ch09-49719"> +<title>Extra Resources</title> + + +<para> +<indexterm id="ch09-idx-953618-0" class="startofrange"><primary>resources for further information</primary></indexterm> +<indexterm id="ch09-idx-953618-1" class="startofrange"><primary>Samba</primary><secondary>resources for further information</secondary></indexterm>At some point during your Samba career, you will want to turn to online or printed resources for news, updates, and aid.</para> + + +<sect2 role="" label="9.3.1" id="ch09-SECT-3.1"> +<title>Documentation and FAQs</title> + + +<para> +<indexterm id="ch09-idx-953626-0"><primary>documentation for Samba</primary></indexterm> +<indexterm id="ch09-idx-953626-1"><primary>FAQ, Samba</primary></indexterm>It's okay to read the documentation. Really. Nobody can see you, and we won't tell. In fact, Samba ships with a large set of documentation files, and it is well worth the effort to at least browse through them, either in the distribution directory on your computer under <filename>/docs</filename>, or online at the Samba web site: <indexterm id="ch09-idx-953628-0"><primary>URLs (uniform resource locators)</primary><secondary>Samba</secondary><tertiary>web site</tertiary></indexterm> +<indexterm id="ch09-idx-953628-1"><primary>Samba</primary><secondary>web site</secondary></indexterm><systemitem role="url">http://samba.anu.edu.au/samba/</systemitem>. The most current FAQ list, bug information, and distribution locations are located at the web site, with links to all of the Samba manual pages and HOW-TOs.</para> +</sect2> + + + + + +<sect2 role="" label="9.3.2" id="ch09-SECT-3.2"> +<title>Samba Newsgroups</title> + + +<para> +<indexterm id="ch09-idx-953634-0"><primary>newsgroups for Samba</primary></indexterm>Usenet newsgroups have always been a great place to get advice on just about any topic. In the past few years, though, this vast pool of knowledge has developed something that has made it into an invaluable resource: a memory. Archival and search sites such as DejaNews (<systemitem role="url">http://www.dejanews.com</systemitem>) have made sifting through years of valuable solutions on a topic as simple as a few mouse clicks.</para> + + +<para>The primary newsgroup for Samba is <emphasis>comp.protocols.smb</emphasis>. This should always be your first stop when there's a problem. More often than not, spending five minutes researching an error here will save hours of frustration while trying to debug something yourself.</para> + + +<para>When searching a newsgroup, try to be as specific as possible, but not too wordy. Searching on actual error messages is best. If you don't find an answer immediately in the newsgroup, resist the temptation to post a request for help until you've done a bit more work on the problem. You may find that the answer is in a FAQ or one of the many documentation files that ships with Samba, or a solution might become evident when you run one of Samba's diagnostic tools. If nothing works, post a request in <emphasis>comp.protocols.smb</emphasis>, and be as specific as possible about what you have tried and what you are seeing. Include any error messages that appear. It may be several days before you receive help, so be patient and keep trying things while you wait.</para> + + +<para>Once you post a request for help, keep poking at the problem yourself. Most of us have had the experience of posting a Usenet article containing hundreds of lines of intricate detail, only to solve the problem an hour later after the article has blazed its way across several continents. The rule of thumb goes something like this: the more folks who have read your request, the simpler the solution. Usually this means that once everyone in the Unix community has seen your article, the solution will be something simple like, "Plug the computer into the wall socket."</para> +</sect2> + + + + + +<sect2 role="" label="9.3.3" id="ch09-SECT-3.3"> +<title>Samba Mailing Lists</title> + + +<para> +<indexterm id="ch09-idx-953635-0"><primary>mailing lists</primary><secondary sortas="Samba">for Samba</secondary></indexterm>The following are mailing lists for support with Samba. See the Samba homepage, <systemitem role="url">http://www.samba.org/</systemitem> for information on subscribing and unsubscribing to these mailing lists:</para> + + +<variablelist> +<varlistentry><term><email>samba-binaries@samba.org</email></term> +<listitem><para>This mailing list has information on precompiled binaries for the Samba platform.</para></listitem> +</varlistentry> + + +<varlistentry><term><email>samba-bugs@samba.org</email></term> +<listitem><para>This mailing list is the place to report suspected bugs in Samba.</para></listitem> +</varlistentry> + + +<varlistentry><term><email>samba-ntdom@samba.org</email></term> +<listitem><para>This mailing list has information on support for domains (particularly Windows NT) with the Samba product.</para></listitem> +</varlistentry> + + +<varlistentry><term><email>samba-technical@samba.org</email></term> +<listitem><para>This mailing list maintains debate about where the future of Samba is headed.</para></listitem> +</varlistentry> + + +<varlistentry><term><email>samba@samba.org</email></term> +<listitem><para>This is the primary Samba mailing list that contains general questions and HOW-TO information on Samba.</para></listitem> +</varlistentry> +</variablelist> +</sect2> + + + + + +<sect2 role="" label="9.3.4" id="ch09-SECT-3.4"> +<title>Samba Discussion Archives</title> + + +<para> +<indexterm id="ch09-idx-953640-0"><primary>discussion archives for Samba</primary></indexterm>There is a search service for the primary Samba mailing list. At the time this book was written, it was listed under "searchable" in the Sources paragraph on the first page of the Samba site and its mirrors, <systemitem role="url">http://samba.anu.edu.au/listproc/ghindex.html</systemitem>.</para> +</sect2> + + + + + +<sect2 role="" label="9.3.5" id="ch09-SECT-3.5"> +<title>Further Reading</title> + + +<para> +<indexterm id="ch09-idx-953645-0"><primary>TCP/IP networking +protocol</primary><secondary>resources for further +information</secondary></indexterm>Hunt, Craig; <citetitle>TCP/IP +Network Administration: 2nd Edition</citetitle>. Sebastopol, CA: +O'Reilly and Associates, 1997 (ISBN 1-56592-322-7).</para> + + +<para>Hunt, Craig, and Robert Bruce Thompson; <citetitle>Windows NT +TCP/IP Network Administration</citetitle>. Sebastopol, CA: O'Reilly +and Associates, 1998 (ISBN 1-56592-377-4).</para> + + +<para> +<indexterm id="ch09-idx-953646-0"><primary>DNS (ISBN Domain Name +System)</primary><secondary>resources for further +information</secondary></indexterm>Albitz, Paul, and Cricket Liu; +<citetitle>DNS and Bind, 3rd Edition</citetitle>. Sebastopol, CA: +O'Reilly and Associates, 1998 (ISBN 1-56592-512-2).</para> + + +<para> +<indexterm id="ch09-idx-953653-0"><primary>NFS (Network File +System)</primary><secondary>resources for further +information</secondary></indexterm> +<indexterm id="ch09-idx-953653-1"><primary>Network File +System</primary><secondary>resources for further +information</secondary></indexterm> +<indexterm id="ch09-idx-953653-2"><primary>resources for further +information</primary><secondary>NFS (Network File +System)</secondary></indexterm> +<indexterm id="ch09-idx-953657-0"><primary>NIS/NIS+ +protocol</primary><secondary>resources for further +information</secondary></indexterm>Stern, Hal; <citetitle>Managing NFS +and NIS</citetitle>. Sebastopol, CA: O'Reilly and Associates, 1991 +(ISBN 0-937175-75-7).<indexterm id="ch09-idx-953621-0" class="endofrange" startref="ch09-idx-953618-0"/> <indexterm id="ch09-idx-953621-1" class="endofrange" startref="ch09-idx-953618-1"/></para> +</sect2> +</sect1> +</chapter> diff --git a/docs-xml/using_samba/colo1.xml b/docs-xml/using_samba/colo1.xml new file mode 100644 index 0000000000..d29edb4fc1 --- /dev/null +++ b/docs-xml/using_samba/colo1.xml @@ -0,0 +1,67 @@ +<colophon id="colophon"> +<title>Colophon</title> + + + + +<para>Our look is the result of reader comments, our own +experimentation, and feedback from distribution channels. Distinctive +covers complement our distinctive approach to technical topics, +breathing personality and life into potentially dry subjects.</para> + + +<para>The animal on the cover of <citetitle>Using Samba</citetitle> is +a African ground hornbill (<foreignphrase>Bucorvus +cafer</foreignphrase>). This type of bird is one of fifty hornbill +species. The African ground hornbill is a medium to large sized bird +characterized by a bright red waddle under a very long beak, +dark-colored body and wings, long eyelashes, and short legs. Like all +hornbills, it has a casque, a large but lightweight growth on the top +of its beak, which grows more folds as the bird ages. It is the only +ground-dwelling species of hornbill, though it is able to fly when +necessary. It lives in the grasslands of southern and eastern Africa, +and nests in the foliage of dense trees, not in nest holes in the +ground as other hornbills do. Its diet includes mostly fruit, as well +as large insects and small mammals. The African ground hornbill is +considered to be sacred by many Africans, and as such this bird is +part of many legends and superstitions.</para> + + +<para>Sarah Jane Shangraw was the production editor and proofreader +for <citetitle>Using Samba</citetitle>. Sarah Lemaire copyedited the +text. Maureen Dempsey and Claire Cloutier LeBlanc provided quality +control. Brenda Miller wrote the index.</para> + + +<para>Edie Freedman designed the cover of this book based on her own +series design. The cover image of an African ground hornbill is a +19th-century engraving from the Dover Pictorial Archive. Kathleen +Wilson produced the cover layout with QuarkXPress 3.32 using Adobe's +ITC Garamond font. Kathleen Wilson also created the CD design.</para> + + +<para>Alicia Cech designed the interior layout based on a series +design by Nancy Priest. Mike Sierra implemented the design in +FrameMaker 5.5. The text and heading fonts are ITC Garamond Light and +Garamond Book. The illustrations that appear in the book were produced +by Robert Romano and Rhon Porter using Macromedia FreeHand 8 and Adobe +Photoshop 5. Interior composition was done by Sarah Jane Shangraw, +Sebastian Banker, Jeff Holcolmb, and Abigail Myers. This colophon was +written by Nicole Arigo.</para> + + + + + + + + + + + +<para>The online edition of this book was created by the Safari +production group (John Chodacki, Becki Maisch, and Madeleine Newell) +using a set of Frame-to-XML conversion and cleanup tools written and +maintained by Erik Ray, Benn Salter, John Chodacki, and Jeff +Liggett.</para> +</colophon> diff --git a/docs-xml/using_samba/copy.xml b/docs-xml/using_samba/copy.xml new file mode 100644 index 0000000000..5d7524b1b5 --- /dev/null +++ b/docs-xml/using_samba/copy.xml @@ -0,0 +1,64 @@ +<preface id="copyright" role="copyrightpg"> + + + + +<para>Copyright © 2000 O'Reilly & Associates, Inc. All rights reserved. This material may be redistributed only under the terms of the Open Content +License. For information on the Open Content License under which the +contents of this book are licensed, see <systemitem role="url">http://www.oreilly.com/catalog/samba/</systemitem>.</para> + + +<para>Printed in the United States of America.</para> + + +<para>Published by O'Reilly & Associates, Inc., 101 Morris Street, +Sebastopol, CA 95472.</para> + + + + + + + + + + + + + +<para>The O'Reilly logo is a registered trademark of O'Reilly & +Associates, Inc. Many of the designations used by manufacturers and +sellers to distinguish their products are claimed as trademarks. +Where those designations appear in this book, and O'Reilly & +Associates, Inc. was aware of a trademark claim, the designations have +been printed in caps or initial caps. The association between the +image of the North African ground hornbill and the topic of Samba is +a trademark of O'Reilly & Associates, Inc.</para> + + + + + + + + + + + + + +<para>While every precaution has been taken in the preparation of this +book, the publisher assumes no responsibility for errors or omissions, +or for damages resulting from the use of the information contained +herein.</para> + + + + + + + + + + +</preface> diff --git a/docs-xml/using_samba/figs/sam.0101.gif b/docs-xml/using_samba/figs/sam.0101.gif Binary files differnew file mode 100644 index 0000000000..2fd7ffe480 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0101.gif diff --git a/docs-xml/using_samba/figs/sam.0102.gif b/docs-xml/using_samba/figs/sam.0102.gif Binary files differnew file mode 100644 index 0000000000..02f885b37c --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0102.gif diff --git a/docs-xml/using_samba/figs/sam.0103.gif b/docs-xml/using_samba/figs/sam.0103.gif Binary files differnew file mode 100644 index 0000000000..907f8b480a --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0103.gif diff --git a/docs-xml/using_samba/figs/sam.0104.gif b/docs-xml/using_samba/figs/sam.0104.gif Binary files differnew file mode 100644 index 0000000000..7629fddedb --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0104.gif diff --git a/docs-xml/using_samba/figs/sam.0105.gif b/docs-xml/using_samba/figs/sam.0105.gif Binary files differnew file mode 100644 index 0000000000..129fde33f8 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0105.gif diff --git a/docs-xml/using_samba/figs/sam.0106.gif b/docs-xml/using_samba/figs/sam.0106.gif Binary files differnew file mode 100644 index 0000000000..b424ef30ec --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0106.gif diff --git a/docs-xml/using_samba/figs/sam.0107.gif b/docs-xml/using_samba/figs/sam.0107.gif Binary files differnew file mode 100644 index 0000000000..325622a79f --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0107.gif diff --git a/docs-xml/using_samba/figs/sam.0108.gif b/docs-xml/using_samba/figs/sam.0108.gif Binary files differnew file mode 100644 index 0000000000..6e54912097 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0108.gif diff --git a/docs-xml/using_samba/figs/sam.0109.gif b/docs-xml/using_samba/figs/sam.0109.gif Binary files differnew file mode 100644 index 0000000000..ee281d6504 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0109.gif diff --git a/docs-xml/using_samba/figs/sam.0110.gif b/docs-xml/using_samba/figs/sam.0110.gif Binary files differnew file mode 100644 index 0000000000..5af69ba75e --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0110.gif diff --git a/docs-xml/using_samba/figs/sam.0111.gif b/docs-xml/using_samba/figs/sam.0111.gif Binary files differnew file mode 100644 index 0000000000..4c1ed81044 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0111.gif diff --git a/docs-xml/using_samba/figs/sam.0112.gif b/docs-xml/using_samba/figs/sam.0112.gif Binary files differnew file mode 100644 index 0000000000..4f559e0d0f --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0112.gif diff --git a/docs-xml/using_samba/figs/sam.0113.gif b/docs-xml/using_samba/figs/sam.0113.gif Binary files differnew file mode 100644 index 0000000000..16a884284c --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0113.gif diff --git a/docs-xml/using_samba/figs/sam.0114.gif b/docs-xml/using_samba/figs/sam.0114.gif Binary files differnew file mode 100644 index 0000000000..52f3416d9e --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0114.gif diff --git a/docs-xml/using_samba/figs/sam.0201.gif b/docs-xml/using_samba/figs/sam.0201.gif Binary files differnew file mode 100644 index 0000000000..9a601f47d3 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0201.gif diff --git a/docs-xml/using_samba/figs/sam.0202.gif b/docs-xml/using_samba/figs/sam.0202.gif Binary files differnew file mode 100644 index 0000000000..b6e687efa4 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0202.gif diff --git a/docs-xml/using_samba/figs/sam.0203.gif b/docs-xml/using_samba/figs/sam.0203.gif Binary files differnew file mode 100644 index 0000000000..2737654f30 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0203.gif diff --git a/docs-xml/using_samba/figs/sam.0204.gif b/docs-xml/using_samba/figs/sam.0204.gif Binary files differnew file mode 100644 index 0000000000..87c08e0b40 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0204.gif diff --git a/docs-xml/using_samba/figs/sam.0301.gif b/docs-xml/using_samba/figs/sam.0301.gif Binary files differnew file mode 100644 index 0000000000..cb3922ba5c --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0301.gif diff --git a/docs-xml/using_samba/figs/sam.0302.gif b/docs-xml/using_samba/figs/sam.0302.gif Binary files differnew file mode 100644 index 0000000000..9b9dd5d853 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0302.gif diff --git a/docs-xml/using_samba/figs/sam.0303.gif b/docs-xml/using_samba/figs/sam.0303.gif Binary files differnew file mode 100644 index 0000000000..b5cc6f08f1 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0303.gif diff --git a/docs-xml/using_samba/figs/sam.0304.gif b/docs-xml/using_samba/figs/sam.0304.gif Binary files differnew file mode 100644 index 0000000000..e5fdd94da9 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0304.gif diff --git a/docs-xml/using_samba/figs/sam.0305.gif b/docs-xml/using_samba/figs/sam.0305.gif Binary files differnew file mode 100644 index 0000000000..b297326a8e --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0305.gif diff --git a/docs-xml/using_samba/figs/sam.0306.gif b/docs-xml/using_samba/figs/sam.0306.gif Binary files differnew file mode 100644 index 0000000000..b7854c230c --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0306.gif diff --git a/docs-xml/using_samba/figs/sam.0307.gif b/docs-xml/using_samba/figs/sam.0307.gif Binary files differnew file mode 100644 index 0000000000..d8da9c2803 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0307.gif diff --git a/docs-xml/using_samba/figs/sam.0308.gif b/docs-xml/using_samba/figs/sam.0308.gif Binary files differnew file mode 100644 index 0000000000..e913cf164f --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0308.gif diff --git a/docs-xml/using_samba/figs/sam.0309.gif b/docs-xml/using_samba/figs/sam.0309.gif Binary files differnew file mode 100644 index 0000000000..f8bc5223e0 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0309.gif diff --git a/docs-xml/using_samba/figs/sam.0310.gif b/docs-xml/using_samba/figs/sam.0310.gif Binary files differnew file mode 100644 index 0000000000..38a8041f66 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0310.gif diff --git a/docs-xml/using_samba/figs/sam.0311.gif b/docs-xml/using_samba/figs/sam.0311.gif Binary files differnew file mode 100644 index 0000000000..097de50a00 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0311.gif diff --git a/docs-xml/using_samba/figs/sam.0312.gif b/docs-xml/using_samba/figs/sam.0312.gif Binary files differnew file mode 100644 index 0000000000..51dc80fc06 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0312.gif diff --git a/docs-xml/using_samba/figs/sam.0313.gif b/docs-xml/using_samba/figs/sam.0313.gif Binary files differnew file mode 100644 index 0000000000..b18999f496 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0313.gif diff --git a/docs-xml/using_samba/figs/sam.0314.gif b/docs-xml/using_samba/figs/sam.0314.gif Binary files differnew file mode 100644 index 0000000000..a49e7f403c --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0314.gif diff --git a/docs-xml/using_samba/figs/sam.0315.gif b/docs-xml/using_samba/figs/sam.0315.gif Binary files differnew file mode 100644 index 0000000000..68515e580d --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0315.gif diff --git a/docs-xml/using_samba/figs/sam.0316.gif b/docs-xml/using_samba/figs/sam.0316.gif Binary files differnew file mode 100644 index 0000000000..1febc01768 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0316.gif diff --git a/docs-xml/using_samba/figs/sam.0317.gif b/docs-xml/using_samba/figs/sam.0317.gif Binary files differnew file mode 100644 index 0000000000..638b7a3646 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0317.gif diff --git a/docs-xml/using_samba/figs/sam.0318.gif b/docs-xml/using_samba/figs/sam.0318.gif Binary files differnew file mode 100644 index 0000000000..2027e025d4 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0318.gif diff --git a/docs-xml/using_samba/figs/sam.0319.gif b/docs-xml/using_samba/figs/sam.0319.gif Binary files differnew file mode 100644 index 0000000000..aa2ead8c4a --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0319.gif diff --git a/docs-xml/using_samba/figs/sam.0320.gif b/docs-xml/using_samba/figs/sam.0320.gif Binary files differnew file mode 100644 index 0000000000..81bebab8a0 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0320.gif diff --git a/docs-xml/using_samba/figs/sam.0321.gif b/docs-xml/using_samba/figs/sam.0321.gif Binary files differnew file mode 100644 index 0000000000..65cee014f7 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0321.gif diff --git a/docs-xml/using_samba/figs/sam.0322.gif b/docs-xml/using_samba/figs/sam.0322.gif Binary files differnew file mode 100644 index 0000000000..0e1eca6cec --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0322.gif diff --git a/docs-xml/using_samba/figs/sam.0323.gif b/docs-xml/using_samba/figs/sam.0323.gif Binary files differnew file mode 100644 index 0000000000..a2531501bd --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0323.gif diff --git a/docs-xml/using_samba/figs/sam.0324.gif b/docs-xml/using_samba/figs/sam.0324.gif Binary files differnew file mode 100644 index 0000000000..eded928dd8 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0324.gif diff --git a/docs-xml/using_samba/figs/sam.0325.gif b/docs-xml/using_samba/figs/sam.0325.gif Binary files differnew file mode 100644 index 0000000000..7b6bd32b00 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0325.gif diff --git a/docs-xml/using_samba/figs/sam.0326.gif b/docs-xml/using_samba/figs/sam.0326.gif Binary files differnew file mode 100644 index 0000000000..a6384081b0 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0326.gif diff --git a/docs-xml/using_samba/figs/sam.0327.gif b/docs-xml/using_samba/figs/sam.0327.gif Binary files differnew file mode 100644 index 0000000000..270c8caf11 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0327.gif diff --git a/docs-xml/using_samba/figs/sam.0328.gif b/docs-xml/using_samba/figs/sam.0328.gif Binary files differnew file mode 100644 index 0000000000..e754a9ce13 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0328.gif diff --git a/docs-xml/using_samba/figs/sam.0401.gif b/docs-xml/using_samba/figs/sam.0401.gif Binary files differnew file mode 100644 index 0000000000..e7d7a9933f --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0401.gif diff --git a/docs-xml/using_samba/figs/sam.0402.gif b/docs-xml/using_samba/figs/sam.0402.gif Binary files differnew file mode 100644 index 0000000000..826ae22b02 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0402.gif diff --git a/docs-xml/using_samba/figs/sam.0403.gif b/docs-xml/using_samba/figs/sam.0403.gif Binary files differnew file mode 100644 index 0000000000..4cf6a17526 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0403.gif diff --git a/docs-xml/using_samba/figs/sam.0404.gif b/docs-xml/using_samba/figs/sam.0404.gif Binary files differnew file mode 100644 index 0000000000..9e3d744d5a --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0404.gif diff --git a/docs-xml/using_samba/figs/sam.0405.gif b/docs-xml/using_samba/figs/sam.0405.gif Binary files differnew file mode 100644 index 0000000000..2e567a4c25 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0405.gif diff --git a/docs-xml/using_samba/figs/sam.0406.gif b/docs-xml/using_samba/figs/sam.0406.gif Binary files differnew file mode 100644 index 0000000000..d1a7754f91 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0406.gif diff --git a/docs-xml/using_samba/figs/sam.0407.gif b/docs-xml/using_samba/figs/sam.0407.gif Binary files differnew file mode 100644 index 0000000000..d19dd4273a --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0407.gif diff --git a/docs-xml/using_samba/figs/sam.0501.gif b/docs-xml/using_samba/figs/sam.0501.gif Binary files differnew file mode 100644 index 0000000000..e973c784ea --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0501.gif diff --git a/docs-xml/using_samba/figs/sam.0502.gif b/docs-xml/using_samba/figs/sam.0502.gif Binary files differnew file mode 100644 index 0000000000..e6018918fc --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0502.gif diff --git a/docs-xml/using_samba/figs/sam.0503.gif b/docs-xml/using_samba/figs/sam.0503.gif Binary files differnew file mode 100644 index 0000000000..596db84611 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0503.gif diff --git a/docs-xml/using_samba/figs/sam.0504.gif b/docs-xml/using_samba/figs/sam.0504.gif Binary files differnew file mode 100644 index 0000000000..96893237cd --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0504.gif diff --git a/docs-xml/using_samba/figs/sam.0505.gif b/docs-xml/using_samba/figs/sam.0505.gif Binary files differnew file mode 100644 index 0000000000..de9c07baab --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0505.gif diff --git a/docs-xml/using_samba/figs/sam.0506.gif b/docs-xml/using_samba/figs/sam.0506.gif Binary files differnew file mode 100644 index 0000000000..c5bb495d67 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0506.gif diff --git a/docs-xml/using_samba/figs/sam.0507.gif b/docs-xml/using_samba/figs/sam.0507.gif Binary files differnew file mode 100644 index 0000000000..7c77c94c8d --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0507.gif diff --git a/docs-xml/using_samba/figs/sam.0508.gif b/docs-xml/using_samba/figs/sam.0508.gif Binary files differnew file mode 100644 index 0000000000..fc364d5d05 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0508.gif diff --git a/docs-xml/using_samba/figs/sam.0601.gif b/docs-xml/using_samba/figs/sam.0601.gif Binary files differnew file mode 100644 index 0000000000..aa9eb28baf --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0601.gif diff --git a/docs-xml/using_samba/figs/sam.0602.gif b/docs-xml/using_samba/figs/sam.0602.gif Binary files differnew file mode 100644 index 0000000000..1ee0ac78b8 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0602.gif diff --git a/docs-xml/using_samba/figs/sam.0603.gif b/docs-xml/using_samba/figs/sam.0603.gif Binary files differnew file mode 100644 index 0000000000..f23cdf877d --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0603.gif diff --git a/docs-xml/using_samba/figs/sam.0604.gif b/docs-xml/using_samba/figs/sam.0604.gif Binary files differnew file mode 100644 index 0000000000..75460ba4b4 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0604.gif diff --git a/docs-xml/using_samba/figs/sam.0605.gif b/docs-xml/using_samba/figs/sam.0605.gif Binary files differnew file mode 100644 index 0000000000..96f2bb56f3 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0605.gif diff --git a/docs-xml/using_samba/figs/sam.0606.gif b/docs-xml/using_samba/figs/sam.0606.gif Binary files differnew file mode 100644 index 0000000000..c47c4c9b51 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0606.gif diff --git a/docs-xml/using_samba/figs/sam.0701.gif b/docs-xml/using_samba/figs/sam.0701.gif Binary files differnew file mode 100644 index 0000000000..3c7693929b --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0701.gif diff --git a/docs-xml/using_samba/figs/sam.0702.gif b/docs-xml/using_samba/figs/sam.0702.gif Binary files differnew file mode 100644 index 0000000000..c1160e2838 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0702.gif diff --git a/docs-xml/using_samba/figs/sam.0703.gif b/docs-xml/using_samba/figs/sam.0703.gif Binary files differnew file mode 100644 index 0000000000..9967b58e0b --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0703.gif diff --git a/docs-xml/using_samba/figs/sam.0704.gif b/docs-xml/using_samba/figs/sam.0704.gif Binary files differnew file mode 100644 index 0000000000..5808a87530 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0704.gif diff --git a/docs-xml/using_samba/figs/sam.0705.gif b/docs-xml/using_samba/figs/sam.0705.gif Binary files differnew file mode 100644 index 0000000000..155498ca33 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0705.gif diff --git a/docs-xml/using_samba/figs/sam.0706.gif b/docs-xml/using_samba/figs/sam.0706.gif Binary files differnew file mode 100644 index 0000000000..536997665b --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0706.gif diff --git a/docs-xml/using_samba/figs/sam.0707.gif b/docs-xml/using_samba/figs/sam.0707.gif Binary files differnew file mode 100644 index 0000000000..6049b66752 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0707.gif diff --git a/docs-xml/using_samba/figs/sam.0708.gif b/docs-xml/using_samba/figs/sam.0708.gif Binary files differnew file mode 100644 index 0000000000..013674af64 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0708.gif diff --git a/docs-xml/using_samba/figs/sam.0709.gif b/docs-xml/using_samba/figs/sam.0709.gif Binary files differnew file mode 100644 index 0000000000..bae978dc86 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0709.gif diff --git a/docs-xml/using_samba/figs/sam.0801.gif b/docs-xml/using_samba/figs/sam.0801.gif Binary files differnew file mode 100644 index 0000000000..243c3bfa57 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0801.gif diff --git a/docs-xml/using_samba/figs/sam.0802.gif b/docs-xml/using_samba/figs/sam.0802.gif Binary files differnew file mode 100644 index 0000000000..ae8b40dd58 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0802.gif diff --git a/docs-xml/using_samba/figs/sam.0803.gif b/docs-xml/using_samba/figs/sam.0803.gif Binary files differnew file mode 100644 index 0000000000..375e1000dd --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0803.gif diff --git a/docs-xml/using_samba/figs/sam.0804.gif b/docs-xml/using_samba/figs/sam.0804.gif Binary files differnew file mode 100644 index 0000000000..0c17d6a6f6 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0804.gif diff --git a/docs-xml/using_samba/figs/sam.0805.gif b/docs-xml/using_samba/figs/sam.0805.gif Binary files differnew file mode 100644 index 0000000000..271291801d --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0805.gif diff --git a/docs-xml/using_samba/figs/sam.0901.gif b/docs-xml/using_samba/figs/sam.0901.gif Binary files differnew file mode 100644 index 0000000000..695b93786f --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0901.gif diff --git a/docs-xml/using_samba/figs/sam.0902.gif b/docs-xml/using_samba/figs/sam.0902.gif Binary files differnew file mode 100644 index 0000000000..d45787d245 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0902.gif diff --git a/docs-xml/using_samba/figs/sam.0903.gif b/docs-xml/using_samba/figs/sam.0903.gif Binary files differnew file mode 100644 index 0000000000..c28000d7fb --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0903.gif diff --git a/docs-xml/using_samba/figs/sam.0904.gif b/docs-xml/using_samba/figs/sam.0904.gif Binary files differnew file mode 100644 index 0000000000..f1fe5b4ecf --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0904.gif diff --git a/docs-xml/using_samba/figs/sam.0905.gif b/docs-xml/using_samba/figs/sam.0905.gif Binary files differnew file mode 100644 index 0000000000..f958389c42 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.0905.gif diff --git a/docs-xml/using_samba/figs/sam.aa01.gif b/docs-xml/using_samba/figs/sam.aa01.gif Binary files differnew file mode 100644 index 0000000000..78964348c3 --- /dev/null +++ b/docs-xml/using_samba/figs/sam.aa01.gif diff --git a/docs-xml/using_samba/figs/sam.ab01.gif b/docs-xml/using_samba/figs/sam.ab01.gif Binary files differnew file mode 100644 index 0000000000..8abcb431ee --- /dev/null +++ b/docs-xml/using_samba/figs/sam.ab01.gif diff --git a/docs-xml/using_samba/figs/sam.ab02.gif b/docs-xml/using_samba/figs/sam.ab02.gif Binary files differnew file mode 100644 index 0000000000..a2bce6399f --- /dev/null +++ b/docs-xml/using_samba/figs/sam.ab02.gif diff --git a/docs-xml/using_samba/metadata.xml b/docs-xml/using_samba/metadata.xml new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/docs-xml/using_samba/metadata.xml diff --git a/examples/libsmbclient/Makefile b/examples/libsmbclient/Makefile index a50e80a918..7415f4f07e 100644 --- a/examples/libsmbclient/Makefile +++ b/examples/libsmbclient/Makefile @@ -13,7 +13,7 @@ CFLAGS = -O0 -g $(SAMBA_INCL) $(EXTLIB_INCL) $(DEFS) LDFLAGS = -L/usr/local/samba/lib \ -lldap -lkrb5 -lgssapi_krb5 #LIBSMBCLIENT = /usr/local/samba/lib/libsmbclient.so -LIBSMBCLIENT = -lwbclient -lsmbclient -ldl -lresolv +LIBSMBCLIENT = -lwbclient -lsmbclient -ltalloc -ltdb -ldl -lresolv TESTS= testsmbc \ testacl \ diff --git a/examples/libsmbclient/smbwrapper/Makefile b/examples/libsmbclient/smbwrapper/Makefile index 726435319f..7f5c17c79f 100644 --- a/examples/libsmbclient/smbwrapper/Makefile +++ b/examples/libsmbclient/smbwrapper/Makefile @@ -1,4 +1,4 @@ -LIBS = -lwbclient -lsmbclient -ldl +LIBS = -lwbclient -lsmbclient -ltalloc -ltdb -ldl DEFS = -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE CFLAGS = -I$(SAMBA_INCL) $(EXTLIB_INCL) diff --git a/examples/libsmbclient/testacl.c b/examples/libsmbclient/testacl.c index 00e1c2c9da..a57dd4a499 100644 --- a/examples/libsmbclient/testacl.c +++ b/examples/libsmbclient/testacl.c @@ -24,6 +24,7 @@ int main(int argc, const char *argv[]) int flags; int debug = 0; int numeric = 0; + int stat_and_retry = 0; int full_time_names = 0; enum acl_mode mode = SMB_ACL_LIST; static char *the_acl = NULL; @@ -33,6 +34,7 @@ int main(int argc, const char *argv[]) char path[1024]; char value[1024]; poptContext pc; + struct stat st; struct poptOption long_options[] = { POPT_AUTOHELP @@ -78,6 +80,10 @@ int main(int argc, const char *argv[]) 'g', "Get a specific acl attribute", "ACL" }, { + "stat_and_retry", 'R', POPT_ARG_NONE, &stat_and_retry, + 1, "After 'get' do 'stat' and another 'get'" + }, + { NULL } }; @@ -175,26 +181,40 @@ int main(int argc, const char *argv[]) break; case SMB_ACL_GET: - if (the_acl == NULL) + do { - if (numeric) + if (the_acl == NULL) { - the_acl = "system.*"; + if (numeric) + { + the_acl = "system.*"; + } + else + { + the_acl = "system.*+"; + } } - else + ret = smbc_getxattr(path, the_acl, value, sizeof(value)); + if (ret < 0) { - the_acl = "system.*+"; + printf("Could not get attributes for [%s] %d: %s\n", + path, errno, strerror(errno)); + return 1; } - } - ret = smbc_getxattr(path, the_acl, value, sizeof(value)); - if (ret < 0) - { - printf("Could not get attributes for [%s] %d: %s\n", - path, errno, strerror(errno)); - return 1; - } - printf("Attributes for [%s] are:\n%s\n", path, value); + printf("Attributes for [%s] are:\n%s\n", path, value); + + if (stat_and_retry) + { + if (smbc_stat(path, &st) < 0) + { + perror("smbc_stat"); + return 1; + } + } + + --stat_and_retry; + } while (stat_and_retry >= 0); break; case SMB_ACL_ADD: diff --git a/release-scripts/build-docs b/release-scripts/build-docs new file mode 100755 index 0000000000..529a1c07f1 --- /dev/null +++ b/release-scripts/build-docs @@ -0,0 +1,25 @@ +#!/bin/sh + +DOCSRCDIR=`dirname $0`/../docs-xml + +cd $DOCSRCDIR || exit 1 + +git-clean -d -x -f +autoconf && ./configure --with-papersize=letter && make release + +if [ $? != 0 ]; then + echo "Docs build failed!" + exit 1 +fi + +mkdir ../docs +rsync -Ca --delete --exclude=.git output/ ../docs/ +rsync -Ca --exclude=.svn registry ../docs/ +rsync -Ca --exclude=.svn archives/ ../docs/ + +cd ../docs || exit 1 +/bin/rm -rf test.pdf Samba4*pdf htmldocs/Samba4* htmldocs/test +mv manpages-3 manpages +mv htmldocs/manpages-3 htmldocs/manpages + +exit
\ No newline at end of file diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index b07884c49b..31d1d37fbf 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -270,13 +270,15 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { + struct server_security_state *state = talloc_get_type_abort( + my_private_data, struct server_security_state); struct cli_state *cli; static bool tested_password_server = False; static bool bad_password_server = False; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; bool locally_made_cli = False; - cli = (struct cli_state *)my_private_data; + cli = state->cli; if (cli) { } else { @@ -285,7 +287,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context } if (!cli || !cli->initialised) { - DEBUG(1,("password server is not connected (cli not initilised)\n")); + DEBUG(1,("password server is not connected (cli not initialised)\n")); return NT_STATUS_LOGON_FAILURE; } diff --git a/source3/client/client.c b/source3/client/client.c index cc0da18d4d..8c939fc3ec 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -4382,7 +4382,7 @@ static void readline_callback(void) set_smb_read_error(&cli->smb_rw_error, SMB_READ_OK); - status = receive_smb_raw(cli->fd, cli->inbuf, 0, 0, &len); + status = receive_smb_raw(cli->fd, cli->inbuf, cli->bufsize, 0, 0, &len); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Read from server failed, maybe it closed " diff --git a/source3/include/doserr.h b/source3/include/doserr.h index 44ce73973c..68dc0c13c0 100644 --- a/source3/include/doserr.h +++ b/source3/include/doserr.h @@ -206,6 +206,7 @@ #define WERR_INVALID_COMPUTER_NAME W_ERROR(1210) #define WERR_INVALID_DOMAINNAME W_ERROR(1212) #define WERR_MACHINE_LOCKED W_ERROR(1271) +#define WERR_REVISION_MISMATCH W_ERROR(1306) #define WERR_NO_LOGON_SERVERS W_ERROR(1311) #define WERR_NO_SUCH_LOGON_SESSION W_ERROR(1312) #define WERR_USER_ALREADY_EXISTS W_ERROR(1316) diff --git a/source3/include/messages.h b/source3/include/messages.h index 8f0112acc5..b3ac5e4d98 100644 --- a/source3/include/messages.h +++ b/source3/include/messages.h @@ -87,6 +87,10 @@ */ #define MSG_SMB_BRL_VALIDATE 0x0311 #define MSG_SMB_RELEASE_IP 0x0312 +/* + * Close a specific file given a share entry. + */ +#define MSG_SMB_CLOSE_FILE 0x0313 /* winbind messages */ #define MSG_WINBIND_FINISHED 0x0401 diff --git a/source3/include/proto.h b/source3/include/proto.h index f85b667c84..761c720497 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1582,8 +1582,12 @@ NTSTATUS read_smb_length_return_keepalive(int fd, char *inbuf, size_t *len); NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout, size_t *len); -NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout, - size_t maxlen, size_t *p_len); +NTSTATUS receive_smb_raw(int fd, + char *buffer, + size_t buflen, + unsigned int timeout, + size_t maxlen, + size_t *p_len); int open_socket_in(int type, uint16_t port, int dlevel, @@ -5270,7 +5274,7 @@ void locking_close_file(struct messaging_context *msg_ctx, bool locking_init(void); bool locking_init_readonly(void); bool locking_end(void); -char *share_mode_str(TALLOC_CTX *ctx, int num, struct share_mode_entry *e); +char *share_mode_str(TALLOC_CTX *ctx, int num, const struct share_mode_entry *e); struct share_mode_lock *get_share_mode_lock(TALLOC_CTX *mem_ctx, const struct file_id id, const char *servicepath, @@ -9462,6 +9466,11 @@ NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passw void set_close_write_time(struct files_struct *fsp, struct timespec ts); NTSTATUS close_file(files_struct *fsp, enum file_close_type close_type); +void msg_close_file(struct messaging_context *msg_ctx, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data); /* The following definitions come from smbd/conn.c */ @@ -9937,7 +9946,7 @@ bool downgrade_oplock(files_struct *fsp); int oplock_notify_fd(void); void reply_to_oplock_break_requests(files_struct *fsp); void release_level_2_oplocks_on_change(files_struct *fsp); -void share_mode_entry_to_message(char *msg, struct share_mode_entry *e); +void share_mode_entry_to_message(char *msg, const struct share_mode_entry *e); void message_to_share_mode_entry(struct share_mode_entry *e, char *msg); bool init_oplocks(struct messaging_context *msg_ctx); diff --git a/source3/include/smb.h b/source3/include/smb.h index e7860b7903..76cc389a10 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -1709,7 +1709,8 @@ minimum length == 18. enum smbd_capability { KERNEL_OPLOCK_CAPABILITY, - DMAPI_ACCESS_CAPABILITY + DMAPI_ACCESS_CAPABILITY, + LEASE_CAPABILITY }; /* if a kernel does support oplocks then a structure of the following diff --git a/source3/lib/events.c b/source3/lib/events.c index 9decf213b4..8134a7ac1c 100644 --- a/source3/lib/events.c +++ b/source3/lib/events.c @@ -356,7 +356,7 @@ int event_loop_once(struct event_context *ev) struct event_context *event_context_init(TALLOC_CTX *mem_ctx) { - return TALLOC_ZERO_P(NULL, struct event_context); + return TALLOC_ZERO_P(mem_ctx, struct event_context); } int set_event_dispatch_time(struct event_context *event_ctx, diff --git a/source3/lib/system.c b/source3/lib/system.c index fa50955ef6..eabb6d6dc4 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -733,6 +733,11 @@ static bool set_process_capability(enum smbd_capability capability, cap_vals[num_cap_vals++] = CAP_MKNOD; #endif break; + case LEASE_CAPABILITY: +#ifdef CAP_LEASE + cap_vals[num_cap_vals++] = CAP_LEASE; +#endif + break; } SMB_ASSERT(num_cap_vals <= ARRAY_SIZE(cap_vals)); diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c index f252377b7e..b2a1ece5db 100644 --- a/source3/lib/util_sock.c +++ b/source3/lib/util_sock.c @@ -1151,16 +1151,15 @@ NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout, } /**************************************************************************** - Read an smb from a fd. Note that the buffer *MUST* be of size - BUFFER_SIZE+SAFETY_MARGIN. + Read an smb from a fd. The timeout is in milliseconds. This function will return on receipt of a session keepalive packet. maxlen is the max number of bytes to return, not including the 4 byte - length. If zero it means BUFFER_SIZE+SAFETY_MARGIN limit. + length. If zero it means buflen limit. Doesn't check the MAC on signed packets. ****************************************************************************/ -NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout, +NTSTATUS receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout, size_t maxlen, size_t *p_len) { size_t len; @@ -1173,17 +1172,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout, return status; } - /* - * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes - * of header. Don't print the error if this fits.... JRA. - */ - - if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { + if (len > buflen) { DEBUG(0,("Invalid packet length! (%lu bytes).\n", (unsigned long)len)); - if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) { - return NT_STATUS_INVALID_PARAMETER; - } + return NT_STATUS_INVALID_PARAMETER; } if(len > 0) { diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 2adf6a4700..c4135f24a1 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -649,6 +649,10 @@ bool kerberos_secrets_store_salting_principal(const char *service, SAFE_FREE(princ_s); SAFE_FREE(unparsed_name); + if (princ) { + krb5_free_principal(context, princ); + } + if (context) { krb5_free_context(context); } diff --git a/source3/libads/util.c b/source3/libads/util.c index af96c3e10a..72f5dee80c 100644 --- a/source3/libads/util.c +++ b/source3/libads/util.c @@ -64,6 +64,8 @@ ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads, server_realm = SMB_STRDUP(ads->server.realm); if (!server || !server_realm) { + SAFE_FREE(server); + SAFE_FREE(server_realm); return ADS_ERROR(LDAP_NO_MEMORY); } diff --git a/source3/librpc/gen_ndr/nbt.h b/source3/librpc/gen_ndr/nbt.h index b77b7c34dd..62ad524a91 100644 --- a/source3/librpc/gen_ndr/nbt.h +++ b/source3/librpc/gen_ndr/nbt.h @@ -469,7 +469,7 @@ struct nbt_netlogon_response_from_pdc { #define NBT_SERVER_FULL_SECRET_DOMAIN_6 ( 0x00001000 ) struct nbt_dc_sock_addr { - uint32_t sa_family; + uint32_t family; const char * pdc_ip;/* [flag(LIBNDR_FLAG_BIGENDIAN)] */ DATA_BLOB remaining;/* [flag(LIBNDR_FLAG_REMAINING)] */ }; diff --git a/source3/librpc/gen_ndr/ndr_nbt.c b/source3/librpc/gen_ndr/ndr_nbt.c index aa67d41fd5..240b58e1d9 100644 --- a/source3/librpc/gen_ndr/ndr_nbt.c +++ b/source3/librpc/gen_ndr/ndr_nbt.c @@ -1933,7 +1933,7 @@ static enum ndr_err_code ndr_push_nbt_dc_sock_addr(struct ndr_push *ndr, int ndr { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sa_family)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->family)); { uint32_t _flags_save_ipv4address = ndr->flags; ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN); @@ -1956,7 +1956,7 @@ static enum ndr_err_code ndr_pull_nbt_dc_sock_addr(struct ndr_pull *ndr, int ndr { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sa_family)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->family)); { uint32_t _flags_save_ipv4address = ndr->flags; ndr_set_flags(&ndr->flags, LIBNDR_FLAG_BIGENDIAN); @@ -1979,7 +1979,7 @@ _PUBLIC_ void ndr_print_nbt_dc_sock_addr(struct ndr_print *ndr, const char *name { ndr_print_struct(ndr, name, "nbt_dc_sock_addr"); ndr->depth++; - ndr_print_uint32(ndr, "sa_family", r->sa_family); + ndr_print_uint32(ndr, "family", r->family); ndr_print_ipv4address(ndr, "pdc_ip", r->pdc_ip); ndr_print_DATA_BLOB(ndr, "remaining", r->remaining); ndr->depth--; diff --git a/source3/librpc/idl/nbt.idl b/source3/librpc/idl/nbt.idl index 7e98aa7580..9f5c4a9a5f 100644 --- a/source3/librpc/idl/nbt.idl +++ b/source3/librpc/idl/nbt.idl @@ -412,7 +412,7 @@ interface nbt } nbt_server_type; typedef struct { - uint32 sa_family; + uint32 family; [flag(NDR_BIG_ENDIAN)] ipv4address pdc_ip; [flag(NDR_REMAINING)] DATA_BLOB remaining; } nbt_dc_sock_addr; diff --git a/source3/librpc/ndr/ndr_drsuapi.c b/source3/librpc/ndr/ndr_drsuapi.c index f12ac0ba61..8cd42b2cc1 100644 --- a/source3/librpc/ndr/ndr_drsuapi.c +++ b/source3/librpc/ndr/ndr_drsuapi.c @@ -144,7 +144,7 @@ enum ndr_err_code ndr_pull_drsuapi_DsReplicaOID(struct ndr_pull *ndr, int ndr_fl } else { _OID_PULL_CHECK(ber_read_OID_String(ndr, _oid_array, &_oid)); } - data_blob_free(&_oid_array); + TALLOC_FREE(_oid_array.data); talloc_steal(r->oid, _oid); r->oid = _oid; } diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index e64b6fa278..60ec632b83 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -57,8 +57,7 @@ int cli_set_port(struct cli_state *cli, int port) } /**************************************************************************** - Read an smb from a fd ignoring all keepalive packets. Note that the buffer - *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN. + Read an smb from a fd ignoring all keepalive packets. The timeout is in milliseconds This is exactly the same as receive_smb except that it never returns @@ -76,8 +75,8 @@ static ssize_t client_receive_smb(struct cli_state *cli, size_t maxlen) set_smb_read_error(&cli->smb_rw_error, SMB_READ_OK); - status = receive_smb_raw(cli->fd, cli->inbuf, cli->timeout, - maxlen, &len); + status = receive_smb_raw(cli->fd, cli->inbuf, cli->bufsize, + cli->timeout, maxlen, &len); if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("client_receive_smb failed\n")); show_msg(cli->inbuf); @@ -225,93 +224,6 @@ ssize_t cli_receive_smb_data(struct cli_state *cli, char *buffer, size_t len) return -1; } -/**************************************************************************** - Read a smb readX header. - We can only use this if encryption and signing are off. -****************************************************************************/ - -bool cli_receive_smb_readX_header(struct cli_state *cli) -{ - ssize_t len, offset; - - if (cli->fd == -1) - return false; - - again: - - /* Read up to the size of a readX header reply. */ - len = client_receive_smb(cli, (smb_size - 4) + 24); - - if (len > 0) { - /* it might be an oplock break request */ - if (!(CVAL(cli->inbuf, smb_flg) & FLAG_REPLY) && - CVAL(cli->inbuf,smb_com) == SMBlockingX && - SVAL(cli->inbuf,smb_vwv6) == 0 && - SVAL(cli->inbuf,smb_vwv7) == 0) { - ssize_t total_len = smb_len(cli->inbuf); - - if (total_len > CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN) { - goto read_err; - } - - /* Read the rest of the data. */ - if ((total_len - len > 0) && - !cli_receive_smb_data(cli,cli->inbuf+len,total_len - len)) { - goto read_err; - } - - if (cli->oplock_handler) { - int fnum = SVAL(cli->inbuf,smb_vwv2); - unsigned char level = CVAL(cli->inbuf,smb_vwv3+1); - if (!cli->oplock_handler(cli, fnum, level)) return false; - } - /* try to prevent loops */ - SCVAL(cli->inbuf,smb_com,0xFF); - goto again; - } - } - - /* If it's not the above size it probably was an error packet. */ - - if ((len == (smb_size - 4) + 24) && !cli_is_error(cli)) { - /* Check it's a non-chained readX reply. */ - if (!(CVAL(cli->inbuf, smb_flg) & FLAG_REPLY) || - (CVAL(cli->inbuf,smb_vwv0) != 0xFF) || - (CVAL(cli->inbuf,smb_com) != SMBreadX)) { - /* - * We're not coping here with asnyc replies to - * other calls. Punt here - we need async client - * libs for this. - */ - goto read_err; - } - - /* - * We know it's a readX reply - ensure we've read the - * padding bytes also. - */ - - offset = SVAL(cli->inbuf,smb_vwv6); - if (offset > len) { - ssize_t ret; - size_t padbytes = offset - len; - ret = cli_receive_smb_data(cli,smb_buf(cli->inbuf),padbytes); - if (ret != padbytes) { - goto read_err; - } - } - } - - return true; - - read_err: - - cli->smb_rw_error = SMB_READ_ERROR; - close(cli->fd); - cli->fd = -1; - return false; -} - static ssize_t write_socket(int fd, const char *buf, size_t len) { ssize_t ret=0; diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c index 515471e003..057e647983 100644 --- a/source3/libsmb/clireadwrite.c +++ b/source3/libsmb/clireadwrite.c @@ -472,106 +472,6 @@ ssize_t cli_read(struct cli_state *cli, int fnum, char *buf, return ret; } -#if 0 /* relies on client_receive_smb(), now a static in libsmb/clientgen.c */ - -/* This call is INCOMPATIBLE with SMB signing. If you remove the #if 0 - you must fix ensure you don't attempt to sign the packets - data - *will* be currupted */ - -/**************************************************************************** -Issue a single SMBreadraw and don't wait for a reply. -****************************************************************************/ - -static bool cli_issue_readraw(struct cli_state *cli, int fnum, off_t offset, - size_t size, int i) -{ - - if (!cli->sign_info.use_smb_signing) { - DEBUG(0, ("Cannot use readraw and SMB Signing\n")); - return False; - } - - memset(cli->outbuf,'\0',smb_size); - memset(cli->inbuf,'\0',smb_size); - - cli_set_message(cli->outbuf,10,0,True); - - SCVAL(cli->outbuf,smb_com,SMBreadbraw); - SSVAL(cli->outbuf,smb_tid,cli->cnum); - cli_setup_packet(cli); - - SSVAL(cli->outbuf,smb_vwv0,fnum); - SIVAL(cli->outbuf,smb_vwv1,offset); - SSVAL(cli->outbuf,smb_vwv2,size); - SSVAL(cli->outbuf,smb_vwv3,size); - SSVAL(cli->outbuf,smb_mid,cli->mid + i); - - return cli_send_smb(cli); -} - -/**************************************************************************** - Tester for the readraw call. -****************************************************************************/ - -ssize_t cli_readraw(struct cli_state *cli, int fnum, char *buf, off_t offset, size_t size) -{ - char *p; - int size2; - size_t readsize; - ssize_t total = 0; - - if (size == 0) - return 0; - - /* - * Set readsize to the maximum size we can handle in one readraw. - */ - - readsize = 0xFFFF; - - while (total < size) { - readsize = MIN(readsize, size-total); - - /* Issue a read and receive a reply */ - - if (!cli_issue_readraw(cli, fnum, offset, readsize, 0)) - return -1; - - if (!client_receive_smb(cli->fd, cli->inbuf, cli->timeout)) - return -1; - - size2 = smb_len(cli->inbuf); - - if (size2 > readsize) { - DEBUG(5,("server returned more than we wanted!\n")); - return -1; - } else if (size2 < 0) { - DEBUG(5,("read return < 0!\n")); - return -1; - } - - /* Copy data into buffer */ - - if (size2) { - p = cli->inbuf + 4; - memcpy(buf + total, p, size2); - } - - total += size2; - offset += size2; - - /* - * If the server returned less than we asked for we're at EOF. - */ - - if (size2 < readsize) - break; - } - - return total; -} -#endif - /**************************************************************************** Issue a single SMBwrite and don't wait for a reply. ****************************************************************************/ diff --git a/source3/libsmb/doserr.c b/source3/libsmb/doserr.c index 450d6ee911..163656fb55 100644 --- a/source3/libsmb/doserr.c +++ b/source3/libsmb/doserr.c @@ -64,6 +64,7 @@ werror_code_struct dos_errs[] = { "WERR_DEST_NOT_FOUND", WERR_DEST_NOT_FOUND }, { "WERR_NOT_LOCAL_DOMAIN", WERR_NOT_LOCAL_DOMAIN }, { "WERR_USER_EXISTS", WERR_USER_EXISTS }, + { "WERR_REVISION_MISMATCH", WERR_REVISION_MISMATCH }, { "WERR_NO_LOGON_SERVERS", WERR_NO_LOGON_SERVERS }, { "WERR_NO_SUCH_LOGON_SESSION", WERR_NO_SUCH_LOGON_SESSION }, { "WERR_USER_ALREADY_EXISTS", WERR_USER_ALREADY_EXISTS }, diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index be38db1a3a..8d75593ddc 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -205,7 +205,7 @@ static NTSTATUS map_logon29_from_cldap_reply(TALLOC_CTX *mem_ctx, /* FIXME */ p->dc_sock_addr_size = 0x10; /* the w32 winsock addr size */ - p->dc_sock_addr.sa_family = 2; /* AF_INET */ + p->dc_sock_addr.family = 2; /* AF_INET */ p->dc_sock_addr.pdc_ip = talloc_strdup(mem_ctx, addr); switch (nt_version & 0x0000001f) { diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c index f339b6b9f6..a8a88a8a7e 100644 --- a/source3/libsmb/smbencrypt.c +++ b/source3/libsmb/smbencrypt.c @@ -181,6 +181,7 @@ bool ntv2_owf_gen(const uchar owf[16], if (!push_ucs2_allocate(&domain, domain_in, &domain_byte_len)) { DEBUG(0, ("push_uss2_allocate() for domain failed: %s\n", strerror(errno))); + SAFE_FREE(user); return False; } diff --git a/source3/locking/locking.c b/source3/locking/locking.c index 17131d9194..accd3f7014 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -443,7 +443,7 @@ static TDB_DATA locking_key(const struct file_id *id, struct file_id *tmp) Print out a share mode. ********************************************************************/ -char *share_mode_str(TALLOC_CTX *ctx, int num, struct share_mode_entry *e) +char *share_mode_str(TALLOC_CTX *ctx, int num, const struct share_mode_entry *e) { return talloc_asprintf(ctx, "share_mode_entry[%d]: %s " "pid = %s, share_access = 0x%x, private_options = 0x%x, " diff --git a/source3/nsswitch/libwbclient/wbc_pam.c b/source3/nsswitch/libwbclient/wbc_pam.c index 6385094235..c109625abf 100644 --- a/source3/nsswitch/libwbclient/wbc_pam.c +++ b/source3/nsswitch/libwbclient/wbc_pam.c @@ -309,7 +309,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params, } strncpy(request.data.auth.pass, params->password.plaintext, - sizeof(request.data.auth.user)-1); + sizeof(request.data.auth.pass)-1); break; case WBC_AUTH_USER_LEVEL_HASH: diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 7bb4abe9b2..2fb46c4a2f 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -958,7 +958,14 @@ static bool wbinfo_auth(char *username) p++; password = p; } else { - password = ""; + char *prompt; + asprintf(&prompt, "Enter %s's password:", username); + if (!prompt) { + return false; + } + + password = getpass(prompt); + SAFE_FREE(prompt); } name = s; @@ -1001,6 +1008,16 @@ static bool wbinfo_auth_crap(char *username) if (p) { *p = 0; fstrcpy(pass, p + 1); + } else { + char *prompt; + asprintf(&prompt, "Enter %s's password:", username); + if (!prompt) { + return false; + } + + fstrcpy(pass, getpass(prompt)); + SAFE_FREE(prompt); + } parse_wbinfo_domain_user(username, name_domain, name_user); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index c272274837..a5623a25c0 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -6591,6 +6591,8 @@ static bool process_registry_shares(void) goto done; } + ret = true; + for (count = 0; count < num_shares; count++) { if (strequal(service[count]->name, GLOBAL_NAME)) { continue; diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 9ffe9a569f..6f7b232071 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -2399,14 +2399,67 @@ WERROR _srvsvc_NetNameValidate(pipes_struct *p, return WERR_OK; } +/******************************************************************* +********************************************************************/ + +static void enum_file_close_fn( const struct share_mode_entry *e, + const char *sharepath, const char *fname, + void *private_data ) +{ + char msg[MSG_SMB_SHARE_MODE_ENTRY_SIZE]; + struct srvsvc_NetFileClose *r = + (struct srvsvc_NetFileClose *)private_data; + uint32_t fid = (((uint32_t)(procid_to_pid(&e->pid))<<16) | e->share_file_id); + + if (fid != r->in.fid) { + return; /* Not this file. */ + } + + if (!process_exists(e->pid) ) { + return; + } + + /* Ok - send the close message. */ + DEBUG(10,("enum_file_close_fn: request to close file %s, %s\n", + sharepath, + share_mode_str(talloc_tos(), 0, e) )); + + share_mode_entry_to_message(msg, e); + + r->out.result = ntstatus_to_werror( + messaging_send_buf(smbd_messaging_context(), + e->pid, MSG_SMB_CLOSE_FILE, + (uint8 *)msg, + MSG_SMB_SHARE_MODE_ENTRY_SIZE)); +} + /******************************************************************** + Close a file given a 32-bit file id. ********************************************************************/ WERROR _srvsvc_NetFileClose(pipes_struct *p, struct srvsvc_NetFileClose *r) { - return WERR_ACCESS_DENIED; -} + struct current_user user; + SE_PRIV se_diskop = SE_DISK_OPERATOR; + bool is_disk_op; + + DEBUG(5,("_srvsvc_NetFileClose: %d\n", __LINE__)); + + get_current_user(&user,p); + is_disk_op = user_has_privileges( p->pipe_user.nt_user_token, &se_diskop ); + + if (user.ut.uid != sec_initial_uid() && !is_disk_op) { + return WERR_ACCESS_DENIED; + } + + /* enum_file_close_fn sends the close message to + * the relevent smbd process. */ + + r->out.result = WERR_BADFILE; + share_mode_forall( enum_file_close_fn, (void *)r); + return r->out.result; +} /******************************************************************** ********************************************************************/ diff --git a/source3/smbd/close.c b/source3/smbd/close.c index df188bafe1..818b4c70a8 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -736,3 +736,37 @@ NTSTATUS close_file(files_struct *fsp, enum file_close_type close_type) return status; } + +/**************************************************************************** + Deal with an (authorized) message to close a file given the share mode + entry. +****************************************************************************/ + +void msg_close_file(struct messaging_context *msg_ctx, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data) +{ + files_struct *fsp = NULL; + struct share_mode_entry e; + + message_to_share_mode_entry(&e, (char *)data->data); + + if(DEBUGLVL(10)) { + char *sm_str = share_mode_str(NULL, 0, &e); + if (!sm_str) { + smb_panic("talloc failed"); + } + DEBUG(10,("msg_close_file: got request to close share mode " + "entry %s\n", sm_str)); + TALLOC_FREE(sm_str); + } + + fsp = file_find_dif(e.id, e.share_file_id); + if (!fsp) { + DEBUG(10,("msg_close_file: failed to find file.\n")); + return; + } + close_file(fsp, NORMAL_CLOSE); +} diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c index c3409547fe..23411294df 100644 --- a/source3/smbd/oplock.c +++ b/source3/smbd/oplock.c @@ -824,7 +824,7 @@ void release_level_2_oplocks_on_change(files_struct *fsp) Linearize a share mode entry struct to an internal oplock break message. ****************************************************************************/ -void share_mode_entry_to_message(char *msg, struct share_mode_entry *e) +void share_mode_entry_to_message(char *msg, const struct share_mode_entry *e) { SIVAL(msg,0,(uint32)e->pid.pid); SSVAL(msg,4,e->op_mid); diff --git a/source3/smbd/oplock_linux.c b/source3/smbd/oplock_linux.c index fa7cb42bc6..08df228f8f 100644 --- a/source3/smbd/oplock_linux.c +++ b/source3/smbd/oplock_linux.c @@ -22,22 +22,6 @@ #if HAVE_KERNEL_OPLOCKS_LINUX -/* these can be removed when they are in glibc headers */ -struct cap_user_header { - uint32 version; - int pid; -} header; -struct cap_user_data { - uint32 effective; - uint32 permitted; - uint32 inheritable; -} data; - -extern int capget(struct cap_user_header * hdrp, - struct cap_user_data * datap); -extern int capset(struct cap_user_header * hdrp, - const struct cap_user_data * datap); - static SIG_ATOMIC_T signals_received; #define FD_PENDING_SIZE 100 static SIG_ATOMIC_T fd_pending_array[FD_PENDING_SIZE]; @@ -75,40 +59,12 @@ static void signal_handler(int sig, siginfo_t *info, void *unused) sys_select_signal(RT_SIGNAL_LEASE); } -/**************************************************************************** - Try to gain a linux capability. -****************************************************************************/ - -static void set_capability(unsigned capability) -{ -#ifndef _LINUX_CAPABILITY_VERSION -#define _LINUX_CAPABILITY_VERSION 0x19980330 -#endif - header.version = _LINUX_CAPABILITY_VERSION; - header.pid = 0; - - if (capget(&header, &data) == -1) { - DEBUG(3,("Unable to get kernel capabilities (%s)\n", - strerror(errno))); - return; - } - - if (0 == (data.effective & (1<<capability))) { - data.effective |= (1<<capability); - - if (capset(&header, &data) == -1) { - DEBUG(3,("Unable to set %d capability (%s)\n", - capability, strerror(errno))); - } - } -} - /* * public function to get linux lease capability. Needed by some VFS modules (eg. gpfs.c) */ void linux_set_lease_capability(void) { - set_capability(CAP_LEASE); + set_effective_capability(LEASE_CAPABILITY); } /* @@ -136,7 +92,7 @@ int linux_setlease(int fd, int leasetype) ret = fcntl(fd, F_SETLEASE, leasetype); if (ret == -1 && errno == EACCES) { - set_capability(CAP_LEASE); + set_effective_capability(LEASE_CAPABILITY); ret = fcntl(fd, F_SETLEASE, leasetype); } diff --git a/source3/smbd/process.c b/source3/smbd/process.c index c8ad19dd15..71e38634b7 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -120,9 +120,7 @@ static bool valid_packet_size(size_t len) if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { DEBUG(0,("Invalid packet length! (%lu bytes).\n", (unsigned long)len)); - if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) { - return false; - } + return false; } return true; } diff --git a/source3/smbd/server.c b/source3/smbd/server.c index cf02589864..035469cd62 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -1392,6 +1392,8 @@ extern void build_options(bool screen); MSG_SMB_FORCE_TDIS, msg_force_tdis); messaging_register(smbd_messaging_context(), NULL, MSG_SMB_RELEASE_IP, msg_release_ip); + messaging_register(smbd_messaging_context(), NULL, + MSG_SMB_CLOSE_FILE, msg_close_file); if ((lp_keepalive() != 0) && !(event_add_idle(smbd_event_context(), NULL, diff --git a/source3/utils/net_rap.c b/source3/utils/net_rap.c index f50b579ac2..449bec6744 100644 --- a/source3/utils/net_rap.c +++ b/source3/utils/net_rap.c @@ -221,6 +221,7 @@ static int rap_share_add(struct net_context *c, int argc, const char **argv) p = strchr(sharename, '='); if (p == NULL) { d_printf("Server path not specified\n"); + SAFE_FREE(sharename); return net_rap_share_usage(c, argc, argv); } *p = 0; @@ -237,6 +238,7 @@ static int rap_share_add(struct net_context *c, int argc, const char **argv) ret = cli_NetShareAdd(cli, &sinfo); cli_shutdown(cli); + SAFE_FREE(sharename); return ret; } diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 3779611d01..d6a3e486fb 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -3732,6 +3732,10 @@ static NTSTATUS rpc_share_migrate_files_internals(struct net_context *c, char *dst = NULL; dst = SMB_STRDUP(c->opt_destination?c->opt_destination:"127.0.0.1"); + if (dst == NULL) { + nt_status = NT_STATUS_NO_MEMORY; + goto done; + } result = get_share_info(c, pipe_hnd, mem_ctx, level, argc, argv, &ctr_src); @@ -3817,6 +3821,7 @@ done: if (got_dst_share) cli_shutdown(cp_clistate.cli_share_dst); + SAFE_FREE(dst); return nt_status; } diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c index e128e1ce34..d274e09299 100644 --- a/source3/utils/smbfilter.c +++ b/source3/utils/smbfilter.c @@ -171,7 +171,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) if (c != -1 && FD_ISSET(c, &fds)) { size_t len; if (!NT_STATUS_IS_OK(receive_smb_raw( - c, packet, 0, 0, &len))) { + c, packet, sizeof(packet), + 0, 0, &len))) { d_printf("client closed connection\n"); exit(0); } @@ -184,7 +185,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) if (s != -1 && FD_ISSET(s, &fds)) { size_t len; if (!NT_STATUS_IS_OK(receive_smb_raw( - s, packet, 0, 0, &len))) { + s, packet, sizeof(packet), + 0, 0, &len))) { d_printf("server closed connection\n"); exit(0); } diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index d46580155c..ae042563ed 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -1087,15 +1087,6 @@ static bool fork_domain_child(struct winbindd_child *child) child); } - /* Special case for Winbindd on a Samba DC, - * We want to make sure the child can connect to smbd - * but not the main daemon */ - - if (child->domain && child->domain->internal && IS_DC) { - child->domain->methods = &cache_methods; - child->domain->online = False; - } - while (1) { int ret; diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index ec97b49428..9008cf8122 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -82,6 +82,9 @@ static bool is_internal_domain(const DOM_SID *sid) if (sid == NULL) return False; + if ( IS_DC ) + return sid_check_is_builtin(sid); + return (sid_check_is_domain(sid) || sid_check_is_builtin(sid)); } @@ -90,6 +93,9 @@ static bool is_in_internal_domain(const DOM_SID *sid) if (sid == NULL) return False; + if ( IS_DC ) + return sid_check_is_in_builtin(sid); + return (sid_check_is_in_our_domain(sid) || sid_check_is_in_builtin(sid)); } |