author | John Terpstra <jht@samba.org> | 2003-04-14 12:23:26 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2003-04-14 12:23:26 +0000 |
commit | 4b44bbae35fb74194206adf920520b0bedbb713f (patch) | |
tree | 3b31cf0986040178ca20b7f271ca01aff574bf72 /docs/docbook/projdoc | |
parent | ee7f29a9f8c5705e66b1ca10babb46763d413657 (diff) | |
Merge of HEAD document updates to 3.0.0
(This used to be commit 17a10b40fe18602c14542923da522fb14026dac5)
Diffstat (limited to 'docs/docbook/projdoc')
-rw-r--r-- | docs/docbook/projdoc/Bugs.sgml | 2 |
-rw-r--r-- | docs/docbook/projdoc/CUPS-printing.sgml | 16 |
-rw-r--r-- | docs/docbook/projdoc/Compiling.sgml | 59 |
-rw-r--r-- | docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 2 |
-rw-r--r-- | docs/docbook/projdoc/Diagnosis.sgml | 9 |
-rw-r--r-- | docs/docbook/projdoc/InterdomainTrusts.sgml | 55 |
-rw-r--r-- | docs/docbook/projdoc/PolicyMgmt.sgml | 5 |
-rw-r--r-- | docs/docbook/projdoc/ProfileMgmt.sgml | 9 |
-rw-r--r-- | docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 536 |
-rw-r--r-- | docs/docbook/projdoc/UNIX_INSTALL.sgml | 14 |
-rw-r--r-- | docs/docbook/projdoc/passdb.sgml | 18 |
-rw-r--r-- | docs/docbook/projdoc/samba-doc.sgml | 44 |
-rw-r--r-- | docs/docbook/projdoc/securing-samba.sgml | 2 |
-rw-r--r-- | docs/docbook/projdoc/security_level.sgml | 4 |
-rw-r--r-- | docs/docbook/projdoc/unicode.sgml | 17 |
15 files changed, 235 insertions, 557 deletions
diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index d3525f5f95..155ab353f4 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml @@ -62,7 +62,7 @@ file for correct syntax. </para> <para> -Have you run through the <link linkend="Diagnosis">diagnosis</link>? +Have you run through the <link linkend="diagnosis">diagnosis</link>? This is very important. </para> diff --git a/docs/docbook/projdoc/CUPS-printing.sgml b/docs/docbook/projdoc/CUPS-printing.sgml index fd954cc1c5..ea10ba0e75 100644 --- a/docs/docbook/projdoc/CUPS-printing.sgml +++ b/docs/docbook/projdoc/CUPS-printing.sgml @@ -23,7 +23,7 @@ a very mystical tool. There is a great deal of uncertainty regarding CUPS and ho it works. The result is seen in a large number of posting on the samba mailing lists expressing frustration when MS Windows printers appear not to work with a CUPS backr-end. -/para> +</para> <para> This is a good time to point out how CUPS can be used and what it does. CUPS is more @@ -112,8 +112,8 @@ do any print file format conversion work. The CUPS files that need to be correctly set for RAW mode printers to work are: <itemizedlist> - <listitem><para><filename>/etc/cups/mime.types</filename><para></listitem> - <listitem><para><filename>/etc/cups/mime.convs</filename><para></listitem> + <listitem><para><filename>/etc/cups/mime.types</filename></para></listitem> + <listitem><para><filename>/etc/cups/mime.convs</filename></para></listitem> </itemizedlist> Both contain entries that must be uncommented to allow <emphasis>RAW</emphasis> mode @@ -172,6 +172,7 @@ the process of determining proper treatment while in the print queue system. <listitem><para>* application/vnd.cups-postscript</para></listitem> </itemizedlist> </para> + </listitem> </itemizedlist> </para> 
@@ -186,14 +187,14 @@ the filtered file could possibly have an unwanted PJL header. <para> "application/postscript" will be all files with a ".ps", ".ai", ".eps" suffix or which -have as their first character string one of "%!" or "<04>%". +have as their first character string one of "%!" or ">04<%". </para> <para> "application/vnd.cups-postscript" will files which contain the string "LANGUAGE=POSTSCRIPT" (or similar variations with different capitalization) in the first 512 bytes, and also contain the "PJL super escape code" in the first 128 bytes -("<1B>%-12345X"). Very likely, most PostScript files generated on Windows using a CUPS +(">1B<%-12345X"). Very likely, most PostScript files generated on Windows using a CUPS or other PPD, will have to be auto-typed as "vnd.cups-postscript". A file produced with a "Generic PostScript driver" will just be tagged "application/postscript". </para> @@ -1072,7 +1073,7 @@ The recommended driver is "ljet4". It has a link to the page for the ljet4 driver too: </para> -<para><ulink url="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</ulink> +<para><ulink url="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</ulink></para> <para> On the driver's page, you'll find important and detailed info about how to use @@ -1173,6 +1174,7 @@ Summary - You need: <member>Ghostscript (because it is called and controlled by the PPD/cupsomatic combo in a way to fit your printermodel/driver combo.</member> <member>Ghostscript *must*, depending on the driver/model, contain support for a certain "device" (as shown by "gs -h")</member> </simplelist> +</para> <para> In the case of the "hpijs" driver, you need a Ghostscript version, which 
@@ -1227,6 +1229,8 @@ for the whereabouts of your Windows-originating printjobs: <member>are there "filter rules" defined in "/etc/cups/mime.convs" for this MIME type?</member> </simplelist> +</sect2> + </sect1> diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index 868ed52b74..15b5acc594 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml @@ -13,8 +13,10 @@ <title>How to compile SAMBA</title> -<para>You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version, -you can download samba from CVS or using rsync. </para> +<para> +You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version, +you can download samba from CVS or using rsync. +</para> <sect1> <title>Access Samba source code via CVS</title> 
@@ -178,6 +180,57 @@ on this system just substitute the correct package name </sect1> <sect1> +<title>Verifying Samba's PGP signature</title> + +<para> +In these days of insecurity, it's strongly recommended that you verify the PGP signature for any +source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of +all Samba downloads have had a corresponding PGP signature download (a very low percentage, which +should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP +signatures should be a standard reflex. +</para> + + +<para> +With that said, go ahead and download the following files: +</para> + +<para><programlisting> + $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc + $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc +</programlisting></para> + +<para> +The first file is the PGP signature for the Samba source file; the other is the Samba public +PGP key itself. Import the public PGP key with: +</para> + +<programlisting> + $ gpg --import samba-pubkey.asc +</programlisting> + +<para> +And verify the Samba source code integrity with: +</para> + +<programlisting> + $ gzip -d samba-2.2.8a.tar.gz + $ gpg --verify samba-2.2.8a.tar.asc +</programlisting> + +<para> +If you receive a message like, "Good signature from Samba Distribution Verification Key..." +then all is well. The warnings about trust relationships can be ignored. An example of what +you would not want to see would be: +</para> + +<programlisting> + gpg: BAD signature from "Samba Distribution Verification Key" +</programlisting> + +</sect1> + +<sect1> <title>Building the Binaries</title> <para>To do this, first run the program <userinput>./configure 
@@ -227,7 +280,7 @@ on this system just substitute the correct package name <simplelist> <member>the MIT kerberos development libraries (either install from the sources or use a package). The heimdal libraries will not work.</member> <member>the OpenLDAP development libraries.</member> - </simplelist> +</simplelist></para> <para>If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.</para> diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index dc5b7d6e8c..6f995af286 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -1,4 +1,4 @@ -<chapter id="domain-security"> +<chapter id="domain-member"> <chapterinfo> &author.jeremy; diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index d175eb15ba..9ab95dad86 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -483,13 +483,8 @@ set to "yes". <sect1> <title>Still having troubles?</title> -<para> -Try the mailing list or newsgroup, or use the ethereal utility to -sniff the problem. The official samba mailing list can be reached at -<ulink url="mailto:samba@samba.org">samba@samba.org</ulink>. To find -out more about samba and how to subscribe to the mailing list check -out the samba web page at -<ulink url="http://samba.org/samba">http://samba.org/samba/</ulink> +<para>Read the chapter on +<link linkend="problems">Analysing and Solving Problems</link>. </para> </sect1> diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml index 0fc634c544..56b0dcc710 100644 --- a/docs/docbook/projdoc/InterdomainTrusts.sgml +++ b/docs/docbook/projdoc/InterdomainTrusts.sgml 
@@ -19,7 +19,7 @@ possible for Samba3 to NT4 trust (and vica versa), as well as Samba3 to Samba3 t <title>Trust Relationship Background</title> <para> -MS Windows NT3.x/4.0 type security domains employ a non-hierchical security structure. +MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. The limitations of this architecture as it affects the scalability of MS Windows networking in large organisations is well known. Additionally, the flat-name space that results from this design significantly impacts the delegation of administrative responsibilities in @@ -36,13 +36,13 @@ desire to go through a disruptive change to adopt ADS. <para> Microsoft introduced with MS Windows NT the ability to allow differing security domains -to affect a mechanism so that users from one domain may be given access rights and privilidges +to affect a mechanism so that users from one domain may be given access rights and privileges in another domain. The language that describes this capability is couched in terms of <emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users from another domain. The domain from which users are available to another security domain is -said to be a trusted domain. The domain in which those users have assigned rights and privilidges +said to be a trusted domain. The domain in which those users have assigned rights and privileges is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, -thus if users in both domains are to have privilidges and rights in each others' domain, then it is +thus if users in both domains are to have privileges and rights in each others' domain, then it is necessary to establish two (2) relationships, one in each direction. </para> 
@@ -64,13 +64,14 @@ an inherent feature of ADS domains. </sect1> <sect1> -<title>MS Windows NT4 Trust Configuration</title> +<title>Native MS Windows NT4 Trusts Configuration</title> <para> -There are two steps to creating an inter-domain trust relationship. +There are two steps to creating an interdomain trust relationship. +</para> <sect2> -<title>NT4 as the Trusting Domain</title> +<title>NT4 as the Trusting Domain (ie. creating the trusted account)</title> <para> For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. @@ -80,13 +81,14 @@ User Manager Policies entry on the menu bar. From the Policy menu, select Trust next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and "Remove". The "Add" button will open a panel in which needs to be entered the remote domain that will be able to assign user rights to your domain. In addition it is necessary to enter a password -that is specific to this trust relationship. The password is added twice. +that is specific to this trust relationship. The password needs to be +typed twice (for standard confirmation). </para> </sect2> <sect2> -<title>NT4 as the Trusted Domain</title> +<title>NT4 as the Trusted Domain (ie. creating trusted account's password)</title> <para> A trust relationship will work only when the other (trusting) domain makes the appropriate connections 
@@ -94,38 +96,37 @@ with the trusted domain. To consumate the trust relationship the administrator w Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the "Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in which must be entered the name of the remote domain as well as the password assigned to that trust. -<para> +</para> </sect2> </sect1> <sect1> -<title>Configuring Samba Domain Trusts</title> +<title>Configuring Samba NT-style Domain Trusts</title> <para> This descitpion is meant to be a fairly short introduction about how to set up a Samba server so that it could participate in interdomain trust relationships. Trust relationship support in Samba -is in its early stage, so lot of things don't work yet. Paricularly, the contents of this document -applies to NT4-style trusts. +is in its early stage, so lot of things doesn't work yet. </para> <para> Each of the procedures described below is treated as they were performed with Windows NT4 Server on -one end. The other end could just as well be another Samba3 domain. It can be clearly seen, after +one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after reading this document, that combining Samba-specific parts of what's written below leads to trust between domains in purely Samba environment. </para> <sect2> -<title>Samba3 as the Trusting Domain</title> +<title>Samba-3 as the Trusting Domain</title> <para> In order to set Samba PDC to be trusted party of the relationship first you need to create special account for domain that will be the trusting party. To do that, you can use 'smbpasswd' utility. Creating the trusted domain account is very -similiar to creating the connection to the trusting machine's account. Suppose, -your domain is called SAMBA, and the remote domain is called RUMBA. 
Your first -step will be to issue this command from your favourite shell: +similiar to creating trusted machine account. Suppose, your domain is +called SAMBA, and the remote domain is called RUMBA. The first step +will be to issue this command from your favourite shell: </para> <para> @@ -136,7 +137,9 @@ step will be to issue this command from your favourite shell: Added user rumba$ </screen> -where <parameter>-a</parameter> means to add a new account into the passdb database and <parameter>-i</parameter> means create this account with the Inter-Domain trust flag. +where <parameter>-a</parameter> means to add a new account into the +passdb database and <parameter>-i</parameter> means: ''create this +account with the InterDomain trust flag'' </para> <para> @@ -144,7 +147,7 @@ The account name will be 'rumba$' (the name of the remote domain) </para> <para> -fter issuing this command you'll be asked for typing account's +After issuing this command you'll be asked for typing account's password. You can use any password you want, but be aware that Windows NT will not change this password until 7 days have passed since account creating. After command returns successfully, you can look at your new account's entry 
@@ -155,16 +158,16 @@ the trust by establishing it from Windows NT Server. <para> Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. -Right beside 'Trusted domains' list press 'Add...' button. You'll be prompted for +Right beside 'Trusted domains' list box press 'Add...' button. You'll be prompted for trusted domain name and the relationship's password. Type in SAMBA, as this is -your domain name and the password you've just used during account creation. -Press OK and if everything went fine, you will see 'Trusted domain relationship +your domain name, and the password you've just used for account creation. +Press OK and, if everything went fine, you will see 'Trusted domain relationship successfully established' message. Well done. </para> </sect2> <sect2> -<title>Samba3 as the Trusted Domain</title> +<title>Samba-3 as the Trusted Domain</title> <para> This time activities are somewhat reversed. Again, we'll assume that your domain @@ -178,11 +181,11 @@ The very first thing is to add account for SAMBA domain on RUMBA's PDC. <para> Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted -domein (SAMBA) and password securing the relationship. +domain (SAMBA) and password securing the relationship. </para> <para> -Password can be arbitrarily chosen the more, because it's easy to change it +Password can be arbitrarily chosen, the more because it's easy to change it from Samba server whenever you want. After confirming password your account is ready and waiting. Now it's Samba's turn. </para> diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 35519d750c..7557d496a4 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml 
@@ -206,7 +206,8 @@ executable name poledit.exe), GPOs are created and managed using a Microsoft Man <para> Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename> and select the MMC snap-in called "Active Directory Users and Computers" -<para></step> +</para> +</step> <step><para> Select the domain or organizational unit (OU) that you wish to manage, then right click @@ -241,6 +242,7 @@ use this powerful tool. Please refer to the resource kit manuals for specific us </para> </note> +</sect3> </sect2> </sect1> @@ -312,6 +314,7 @@ With a Samba Domain Controller, the new tools for managing of user account and p man pages for these tools and become familiar with their use. </para> +</sect2> </sect1> <sect1> diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 13ec698384..bc0113baeb 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -84,7 +84,7 @@ meta-service name as part of the profile share path. <para> To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has now been fixed so that <userinput>net use /home</userinput> now works as well, and it, too, relies -on the <command>logon home</command< parameter. +on the <command>logon home</command> parameter. </para> <para> @@ -560,6 +560,8 @@ domain is not a member of a trust relationship with your NT4 PDC.</para></note> Follow the above for every profile you need to migrate. </para> +</sect3> + <sect3> <title>Side bar Notes</title> @@ -575,7 +577,6 @@ settings as well as all your users. </sect3> - <sect3> <title>moveuser.exe</title> @@ -682,7 +683,7 @@ is located on the Windows workstation, and knowing which registry keys affect th from which the default profile is created, it is possible to modify the default profile to one that has been optimised for the site. This has significant administrative advantages. -<para> +</para> <sect2> <title>MS Windows 9x/Me</title> 
@@ -1061,7 +1062,7 @@ A roaming profile will be cached locally unless the following registry key is cr In which case, the local cache copy will be deleted on logout. </para> -</sect2 +</sect2> </sect1> </chapter> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index a0927ec888..775e573aed 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -19,11 +19,6 @@ Samba as an NT4 or Win2k Primary Domain Controller </title> -<!-- ********************************************************** - - Prerequisite Reading - -*************************************************************** --> <sect1> <title>Prerequisite Reading</title> @@ -32,8 +27,7 @@ Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services in smb.conf and how to enable and administer password encryption in Samba. Theses two topics are covered in the -<ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink> -manpage. +&smb.conf; manpage. </para> @@ -41,11 +35,6 @@ manpage. -<!-- ********************************************************** - - Background Information - -*************************************************************** --> <sect1> <title> Background @@ -160,12 +149,6 @@ concepts. </sect1> -<!-- ********************************************************** - - Configuring the Samba PDC - -*************************************************************** --> - <sect1> <title>Configuring the Samba Domain Controller</title> 
@@ -173,12 +156,11 @@ concepts. The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. Here we attempt to explain the parameters that are covered in -<ulink url="smb.conf.5.html"> the smb.conf -man page</ulink>. +the &smb.conf; man page. </para> <para> -Here is an example <filename>smb.conf</filename> for acting as a PDC: +Here is an example &smb.conf; for acting as a PDC: </para> <para><programlisting> @@ -234,7 +216,7 @@ There are a couple of points to emphasize in the above configuration. <itemizedlist> <listitem><para> Encrypted passwords must be enabled. For more details on how - to do this, refer to <link linkend="passdb">ENCRYPTION.html</link>. + to do this, refer to <link linkend="passdb">the User Database chapter</link>. </para></listitem> <listitem><para> 
@@ -518,457 +500,123 @@ version of Windows. (i.e., you must supply a Samba administrative account when prompted).</para> </listitem> + +<listitem><para><emphasis>Samba</emphasis</para> + <para>Joining a samba client to a domain is documented in + the <link linkend="domain-member">Domain Member</link> chapter. +</para></listitem> </itemizedlist> </sect2> </sect1> -<!-- ********************************************************** - - Common Problems - -*************************************************************** --> <sect1> <title>Common Problems and Errors</title> +<sect2> +<title>I cannot include a '$' in a machine name</title> <para> +A 'machine name' in (typically) <filename>/etc/passwd</filename> +of the machine name with a '$' appended. FreeBSD (and other BSD +systems?) won't create a user with a '$' in their name. </para> -<itemizedlist> -<listitem> - <para> - <emphasis>I cannot include a '$' in a machine name.</emphasis> - </para> - - <para> - A 'machine name' in (typically) <filename>/etc/passwd</filename> - of the machine name with a '$' appended. FreeBSD (and other BSD - systems?) won't create a user with a '$' in their name. - </para> - - <para> - The problem is only in the program used to make the entry, once - made, it works perfectly. So create a user without the '$' and - use <command>vipw</command> to edit the entry, adding the '$'. Or create - the whole entry with vipw if you like, make sure you use a - unique User ID ! - </para> -</listitem> - -<listitem> - <para> - <emphasis>I get told "You already have a connection to the Domain...." - or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine trust account.</emphasis> - </para> - - <para> - This happens if you try to create a machine trust account from the - machine itself and already have a connection (e.g. mapped drive) - to a share (or IPC$) on the Samba PDC. 
The following command - will remove all network drive connections: - </para> - - <para> - <prompt>C:\WINNT\></prompt> <command>net use * /d</command> - </para> - - <para> - Further, if the machine is a already a 'member of a workgroup' that - is the same name as the domain you are joining (bad idea) you will - get this message. Change the workgroup name to something else, it - does not matter what, reboot, and try again. - </para> -</listitem> - -<listitem> - <para> - <emphasis>The system can not log you on (C000019B)....</emphasis> - </para> - - <para>I joined the domain successfully but after upgrading - to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try again or consult your - system administrator" when attempting to logon. - </para> - - <para> - This occurs when the domain SID stored in the secrets.tdb database - is changed. The most common cause of a change in domain SID is when - the domain name and/or the server name (netbios name) is changed. - The only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. The domain - SID may be reset using either the smbpasswd or rpcclient utilities. - </para> -</listitem> - -<listitem> - <para> - <emphasis>The machine trust account for this computer either does not - exist or is not accessible.</emphasis> - </para> - - <para> - When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". What's - wrong? - </para> - - <para> - This problem is caused by the PDC not having a suitable machine trust account. - If you are using the <parameter>add user script</parameter> method to create - accounts then this would indicate that it has not worked. Ensure the domain - admin user system is working. - </para> - - <para> - Alternatively if you are creating account entries manually then they - have not been created correctly. 
Make sure that you have the entry - correct for the machine trust account in smbpasswd file on the Samba PDC. - If you added the account using an editor rather than using the smbpasswd - utility, make sure that the account name is the machine NetBIOS name - with a '$' appended to it ( i.e. computer_name$ ). There must be an entry - in both /etc/passwd and the smbpasswd file. Some people have reported - that inconsistent subnet masks between the Samba server and the NT - client have caused this problem. Make sure that these are consistent - for both client and server. - </para> -</listitem> - -<listitem> - <para> - <emphasis>When I attempt to login to a Samba Domain from a NT4/W2K workstation, - I get a message about my account being disabled.</emphasis> - </para> - - <para> - This problem is caused by a PAM related bug in Samba 2.2.0. This bug is - fixed in 2.2.1. Other symptoms could be unaccessible shares on - NT/W2K member servers in the domain or the following error in your smbd.log: - passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% - </para> - - <para> - At first be ensure to enable the useraccounts with <command>smbpasswd -e - %user%</command>, this is normally done, when you create an account. - </para> - - <para> - In order to work around this problem in 2.2.0, configure the - <parameter>account</parameter> control flag in - <filename>/etc/pam.d/samba</filename> file as follows: - </para> - - <para><programlisting> - account required pam_permit.so - </programlisting></para> - - <para> - If you want to remain backward compatibility to samba 2.0.x use - <filename>pam_permit.so</filename>, it's also possible to use - <filename>pam_pwdb.so</filename>. There are some bugs if you try to - use <filename>pam_unix.so</filename>, if you need this, be ensure to use - the most recent version of this file. 
- </para> -</listitem> -</itemizedlist> - -</sect1> - -<!-- ********************************************************** - - Getting Help - -*************************************************************** --> - - -<sect1> -<title>What other help can I get? </title> <para> -There are many sources of information available in the form -of mailing lists, RFC's and documentation. The docs that come -with the samba distribution contain very good explanations of -general SMB topics such as browsing.</para> - -<itemizedlist> -<listitem> - <para> - <emphasis>What are some diagnostics tools I can use to debug the domain logon - process and where can I find them?</emphasis> - </para> - - <para> - One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specify what - 'debug level' at which to run. See the man pages on smbd, nmbd and - smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to 10 (100 for debugging passwords). - </para> - - <para> - Another helpful method of debugging is to compile samba using the - <command>gcc -g </command> flag. This will include debug - information in the binaries and allow you to attach gdb to the - running smbd / nmbd process. In order to attach gdb to an smbd - process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box - is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. 
- </para> - - <para> - Some useful samba commands worth investigating: - </para> - - <itemizedlist> - <listitem><para>testparam | more</para></listitem> - <listitem><para>smbclient -L //{netbios name of server}</para></listitem> - </itemizedlist> - - <para> - An SMB enabled version of tcpdump is available from - <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>. - Ethereal, another good packet sniffer for Unix and Win32 - hosts, can be downloaded from <ulink - url="http://www.ethereal.com/">http://www.ethereal.com</ulink>. - </para> - - <para> - For tracing things on the Microsoft Windows NT, Network Monitor - (aka. netmon) is available on the Microsoft Developer Network CD's, - the Windows NT Server install CD and the SMS CD's. The version of - netmon that ships with SMS allows for dumping packets between any two - computers (i.e. placing the network interface in promiscuous mode). - The version on the NT Server install CD will only allow monitoring - of network traffic directed to the local NT box and broadcasts on the - local subnet. Be aware that Ethereal can read and write netmon - formatted files. - </para> -</listitem> - - -<listitem> - <para> - <emphasis>How do I install 'Network Monitor' on an NT Workstation - or a Windows 9x box?</emphasis> - </para> - - <para> - Installing netmon on an NT workstation requires a couple - of steps. The following are for installing Netmon V4.00.349, which comes - with Microsoft Windows NT Server 4.0, on Microsoft Windows NT - Workstation 4.0. The process should be similar for other version of - Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD. - </para> - - <para> - Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. 
To do this - </para> - - <itemizedlist> - <listitem><para>Goto Start - Settings - Control Panel - - Network - Services - Add </para></listitem> - - <listitem><para>Select the 'Network Monitor Tools and Agent' and - click on 'OK'.</para></listitem> - - <listitem><para>Click 'OK' on the Network Control Panel. - </para></listitem> - - <listitem><para>Insert the Windows NT Server 4.0 install CD - when prompted.</para></listitem> - </itemizedlist> - - <para> - At this point the Netmon files should exist in - <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>. - Two subdirectories exist as well, <filename>parsers\</filename> - which contains the necessary DLL's for parsing the netmon packet - dump, and <filename>captures\</filename>. - </para> - - <para> - In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - </para> - - <itemizedlist> - <listitem><para>Goto Start - Settings - Control Panel - - Network - Services - Add</para></listitem> - - <listitem><para>Select the 'Network Monitor Agent' and click - on 'OK'.</para></listitem> - - <listitem><para>Click 'OK' on the Network Control Panel. - </para></listitem> - - <listitem><para>Insert the Windows NT Workstation 4.0 install - CD when prompted.</para></listitem> - </itemizedlist> - - - <para> - Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* - to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set - permissions as you deem appropriate for your site. You will need - administrative rights on the NT box to run netmon. - </para> - - <para> - To install Netmon on a Windows 9x box install the network monitor agent - from the Windows 9x CD (\admin\nettools\netmon). There is a readme - file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working - Netmon installation. 
- </para> -</listitem> - - - - -<listitem> - <para> - The following is a list if helpful URLs and other links: - </para> - - <itemizedlist> - - <listitem><para>Home of Samba site <ulink url="http://samba.org"> - http://samba.org</ulink>. We have a mirror near you !</para></listitem> - - <listitem><para> The <emphasis>Development</emphasis> document - on the Samba mirrors might mention your problem. If so, - it might mean that the developers are working on it.</para></listitem> - - <listitem><para>See how Scott Merrill simulates a BDC behavior at - <ulink url="http://www.skippy.net/linux/smb-howto.html"> - http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem> - - <listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will - keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba"> - http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem> - - <listitem><para>Misc links to CIFS information - <ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem> - - <listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/"> - http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem> - - <listitem><para>FTP site for older SMB specs: - <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/"> - ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem> - - </itemizedlist> -</listitem> -</itemizedlist> - - -<itemizedlist> -<listitem> - <para> - <emphasis>How do I get help from the mailing lists?</emphasis> - </para> - - <para> - There are a number of Samba related mailing lists. Go to <ulink - url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror - and then click on <command>Support</command> and then click on <command> - Samba related mailing lists</command>. 
- </para> - - <para> - For questions relating to Samba TNG go to - <ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink> - It has been requested that you don't post questions about Samba-TNG to the - main stream Samba lists.</para> - - <para> - If you post a message to one of the lists please observe the following guide lines : - </para> - - <itemizedlist> +The problem is only in the program used to make the entry, once +made, it works perfectly. So create a user without the '$' and +use <command>vipw</command> to edit the entry, adding the '$'. Or create +the whole entry with vipw if you like, make sure you use a +unique User ID ! +</para> +</sect2> - <listitem><para> Always remember that the developers are volunteers, they are - not paid and they never guarantee to produce a particular feature at - a particular time. Any time lines are 'best guess' and nothing more. - </para></listitem> +<sect2> +<title>I get told "You already have a connection to the Domain...." +or "Cannot join domain, the credentials supplied conflict with an +existing set.." when creating a machine trust account.</title> - <listitem><para> Always mention what version of samba you are using and what - operating system its running under. You should probably list the - relevant sections of your smb.conf file, at least the options - in [global] that affect PDC support.</para></listitem> +<para> +This happens if you try to create a machine trust account from the +machine itself and already have a connection (e.g. mapped drive) +to a share (or IPC$) on the Samba PDC. 
The following command +will remove all network drive connections: +</para> - <listitem><para>In addition to the version, if you obtained Samba via - CVS mention the date when you last checked it out.</para></listitem> +<para> +<prompt>C:\WINNT\></prompt> <command>net use * /d</command> +</para> - <listitem><para> Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html).</para></listitem> +<para> +Further, if the machine is a already a 'member of a workgroup' that +is the same name as the domain you are joining (bad idea) you will +get this message. Change the workgroup name to something else, it +does not matter what, reboot, and try again. +</para> +</sect2> - <listitem><para> If you run one of those nifty 'I'm on holidays' things when - you are away, make sure its configured to not answer mailing lists. - </para></listitem> +<sect2> +<title>The system can not log you on (C000019B)....</title> - <listitem><para> Don't cross post. Work out which is the best list to post to - and see what happens, i.e. don't post to both samba-ntdom and samba-technical. - Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more times. - Often someone will see a message and thinking it would be better dealt - with on another, will forward it on for you.</para></listitem> +<para>I joined the domain successfully but after upgrading +to a newer version of the Samba code I get the message, "The system +can not log you on (C000019B), Please try again or consult your +system administrator" when attempting to logon. +</para> - <listitem><para>You might include <emphasis>partial</emphasis> - log files written at a debug level set to as much as 20. 
- Please don't send the entire log but enough to give the context of the - error messages.</para></listitem> +<para> +This occurs when the domain SID stored in the secrets.tdb database +is changed. The most common cause of a change in domain SID is when +the domain name and/or the server name (netbios name) is changed. +The only way to correct the problem is to restore the original domain +SID or remove the domain client from the domain and rejoin. The domain +SID may be reset using either the smbpasswd or rpcclient utilities. +</para> +</sect2> - <listitem><para>(Possibly) If you have a complete netmon trace ( from the opening of - the pipe to the error ) you can send the *.CAP file as well.</para></listitem> +<sect2> +<title>The machine trust account for this computer either does not +exist or is not accessible.</title> - <listitem><para>Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. The samba - mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory?</para></listitem> +<para> +When I try to join the domain I get the message "The machine account +for this computer either does not exist or is not accessible". What's +wrong? +</para> - </itemizedlist> -</listitem> +<para> +This problem is caused by the PDC not having a suitable machine trust account. +If you are using the <parameter>add user script</parameter> method to create +accounts then this would indicate that it has not worked. Ensure the domain +admin user system is working. +</para> +<para> +Alternatively if you are creating account entries manually then they +have not been created correctly. Make sure that you have the entry +correct for the machine trust account in smbpasswd file on the Samba PDC. 
+If you added the account using an editor rather than using the smbpasswd +utility, make sure that the account name is the machine NetBIOS name +with a '$' appended to it ( i.e. computer_name$ ). There must be an entry +in both /etc/passwd and the smbpasswd file. Some people have reported +that inconsistent subnet masks between the Samba server and the NT +client have caused this problem. Make sure that these are consistent +for both client and server. +</para> +</sect2> -<listitem> - <para> - <emphasis>How do I get off the mailing lists?</emphasis> - </para> +<sect2> +<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation, +I get a message about my account being disabled.</title> - <para>To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to <ulink - url="http://lists.samba.org/">http://lists.samba.org</ulink>, - click on your nearest mirror and then click on <command>Support</command> and - then click on <command> Samba related mailing lists</command>. Or perhaps see - <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink> - </para> +<para> +At first be ensure to enable the useraccounts with <command>smbpasswd -e +%user%</command>, this is normally done, when you create an account. +</para> - <para> - Please don't post messages to the list asking to be removed, you will just - be referred to the above address (unless that process failed in some way...) - </para> -</listitem> -</itemizedlist> +</sect2> </sect1> - -<!-- ********************************************************** - - Windows 9x domain control - -*************************************************************** --> <sect1> <title>Domain Control for Windows 9x/ME</title> diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index 6deb0c915e..239ccd168b 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml +++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml 
@@ -167,16 +167,10 @@ <para>Then you might read the file chapter <link linkend="diagnosis">Diagnosis</link> and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. You could - also use the WWW site to scan back issues of the samba-digest.</para> - - <para>When you fix the problem <emphasis>please</emphasis> send some - updates of the documentation (or source code) to one of - the documentation maintainers or the list. - </para> + FAQ. If you are still stuck then try to follow + the <link linkend="problems">Analysing and Solving Problems chapter</link> + Samba has been successfully installed at thousands of sites worldwide, + so maybe someone else has hit your problem and has overcome it. </para> <sect2> <title>Scope IDs</title> diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index d7b54a38e8..762d77cd46 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
@@ -323,21 +323,11 @@ Identified (RID). As a result of these defeciencies, a more robust means of storing user attributes used by smbd was developed. The API which defines access to user accounts is commonly referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support -for a samdb backend (e.g. <parameter>--with-ldapsam</parameter> or -<parameter>--with-tdbsam</parameter>) requires compile time support. +API, and is still so named in the CVS trees). </para> <para> -When compiling Samba to include the <parameter>--with-ldapsam</parameter> autoconf -option, smbd (and associated tools) will store and lookup user accounts in -an LDAP directory. In reality, this is very easy to understand. If you are -comfortable with using an smbpasswd file, simply replace "smbpasswd" with -"LDAP directory" in all the documentation. -</para> - -<para> -There are a few points to stress about what the <parameter>--with-ldapsam</parameter> +There are a few points to stress about what the ldapsam does not provide. The LDAP support referred to in the this documentation does not include: </para> @@ -602,8 +592,8 @@ of sambaAccount entries in the directory. <para> These password hashes are clear text equivalents and can be used to impersonate the user without deriving the original clear text strings. For more information -on the details of LM/NT password hashes, refer to the <ulink -url="ENCRYPTION.html">ENCRYPTION chapter</ulink> of the Samba-HOWTO-Collection. +on the details of LM/NT password hashes, refer to the <link +linkend="passdb">User Database</link> of the Samba-HOWTO-Collection. </para> <para> diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 6ed6e1a717..d096cb8a5b 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml 
@@ -1,38 +1,5 @@ <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [ <!ENTITY % globalentities SYSTEM '../global.ent'> %globalentities; -<!ENTITY UNIX-INSTALL SYSTEM "UNIX_INSTALL.sgml"> -<!ENTITY MS-Dfs-Setup SYSTEM "msdfs_setup.sgml"> -<!ENTITY PRINTER-DRIVER2 SYSTEM "printer_driver2.sgml"> -<!ENTITY DOMAIN-MEMBER SYSTEM "DOMAIN_MEMBER.sgml"> -<!ENTITY WINBIND SYSTEM "winbind.sgml"> -<!ENTITY NT-Security SYSTEM "NT_Security.sgml"> -<!ENTITY ServerType SYSTEM "ServerType.sgml"> -<!ENTITY Samba-PDC-HOWTO SYSTEM "Samba-PDC-HOWTO.sgml"> -<!ENTITY Samba-BDC-HOWTO SYSTEM "Samba-BDC-HOWTO.sgml"> -<!ENTITY IntegratingWithWindows SYSTEM "Integrating-with-Windows.sgml"> -<!ENTITY Samba-PAM SYSTEM "PAM-Authentication-And-Samba.sgml"> -<!ENTITY Diagnosis SYSTEM "Diagnosis.sgml"> -<!ENTITY BUGS SYSTEM "Bugs.sgml"> -<!ENTITY SECURITY-LEVEL SYSTEM "security_level.sgml"> -<!ENTITY SPEED SYSTEM "Speed.sgml"> -<!ENTITY BROWSING SYSTEM "Browsing.sgml"> -<!ENTITY BROWSING-Quick SYSTEM "Browsing-Quickguide.sgml"> -<!ENTITY GROUP-MAPPING-HOWTO SYSTEM "GROUP-MAPPING-HOWTO.sgml"> -<!ENTITY Portability SYSTEM "Portability.sgml"> -<!ENTITY Other-Clients SYSTEM "Other-Clients.sgml"> -<!ENTITY ADS-HOWTO SYSTEM "ADS-HOWTO.sgml"> -<!ENTITY Passdb SYSTEM "passdb.sgml"> -<!ENTITY VFS SYSTEM "VFS.sgml"> -<!ENTITY SecuringSamba SYSTEM "securing-samba.sgml"> -<!ENTITY Compiling SYSTEM "Compiling.sgml"> -<!ENTITY unicode SYSTEM "unicode.sgml"> -<!ENTITY CUPS SYSTEM "CUPS-printing.sgml"> -<!ENTITY AdvancedNetworkAdmin SYSTEM "AdvancedNetworkAdmin.sgml"> -<!ENTITY PolicyMgmt SYSTEM "PolicyMgmt.sgml"> -<!ENTITY ProfileMgmt SYSTEM "ProfileMgmt.sgml"> -<!ENTITY NT4Migration SYSTEM "NT4Migration.sgml"> -<!ENTITY SWAT SYSTEM "SWAT.sgml"> -<!ENTITY Trusts SYSTEM "InterdomainTrusts.sgml"> ]> <book id="Samba-HOWTO-Collection"> 
@@ -81,6 +48,7 @@ url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt</u and how to configure the parts of samba you will most likely need. PLEASE read this.</para> </partintro> +&IntroSMB; &UNIX-INSTALL; &BROWSING-Quick; &Passdb; @@ -129,12 +97,14 @@ for various environments. <part id="Appendixes"> <title>Appendixes</title> -&SWAT; +&Compiling; &NT4Migration; -&SPEED; &Portability; &Other-Clients; -&Compiling; -&BUGS; +&SWAT; +&SPEED; &Diagnosis; +&problems; +&BUGS; </part> +</book> diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index 88e216ac58..e9e8c4f9f8 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -68,7 +68,7 @@ You can change this behaviour using options like the following: <para><programlisting> interfaces = eth* lo bind interfaces only = yes -</programlisting><para> +</programlisting></para> <para> This tells Samba to only listen for connections on interfaces with a diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index 99f21aec5d..4ce5955e35 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -3,7 +3,7 @@ &author.tridge; &author.jelmer; </chapterinfo> -<title>Samba as Stand-Alone Server</title +<title>Samba as Stand-Alone Server</title> <para> In this section the function and purpose of Samba's <emphasis>security</emphasis> @@ -11,7 +11,7 @@ modes are described. </para> <sect1> -<Title>User and Share security level</title> +<title>User and Share security level</title> <para> A SMB server tells the client at startup what "security level" it is diff --git a/docs/docbook/projdoc/unicode.sgml b/docs/docbook/projdoc/unicode.sgml index d44e8ea291..2f794aadc2 100644 --- a/docs/docbook/projdoc/unicode.sgml +++ b/docs/docbook/projdoc/unicode.sgml 
@@ -82,4 +82,21 @@ samba knows of three kinds of character sets: </variablelist> </sect1> + +<sect1> +<title>Conversion from old names</title> + +<para>Because previous samba versions did not do any charset conversion, +characters in filenames are usually not correct in the unix charset but only +for the local charset used by the DOS/Windows clients.</para> + +<para>The following script from Steve Langasek converts all +filenames from CP850 to the iso8859-15 charset.</para> + +<para> +<prompt>#</prompt><userinput>find <replaceable>/path/to/share</replaceable> -type f -exec bash -c 'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \ + -t iso8859-15`; if [ "$CP" != "$ISO" ]; then mv "$CP" "$ISO"; fi' \; +</userinput> +</para> +</sect1> </chapter> |
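Review bot: In the Samba-PDC-HOWTO.sgml hunk, the new C000019B section says "The domain SID may be reset using either the smbpasswd or rpcclient utilities" but gives no invocation, so a reader whose clients can no longer log on has nothing to act on; show the command or link to the relevant manual page. In the last added sect2, "At first be ensure to enable the useraccounts with smbpasswd -e %user%" needs rewording, and %user% should be marked up as a replaceable value so it is not typed literally. The workgroup paragraph also has "is a already a".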
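Review bot: In the UNIX_INSTALL.sgml hunk, the added sentence that ends at </link> has no full stop before "Samba has been successfully installed", so the rendered paragraph runs two sentences together. "try to follow the ... chapter" would read better as "see the ... chapter". The hunk also drops the request to send documentation or source fixes back to the maintainers; if that is meant to survive, it needs a home in the chapter this now links to.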
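Review bot: In the first passdb.sgml hunk, "There are a few points to stress about what the ldapsam does not provide" now uses ldapsam with no markup and no definition, because the paragraph that explained it (smbd storing and looking up user accounts in an LDAP directory) is deleted in the same hunk. Keep one sentence that says what ldapsam is before listing what it does not provide. The unchanged line that follows still reads "in the this documentation" and could be fixed while this paragraph is being touched.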
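Review bot: In the second passdb.sgml hunk, the replacement cross-reference uses linkend="passdb" with the text "User Database", which looks like the id of the chapter this paragraph already sits in, so a reader following it for LM/NT hash details lands back where they started. The surrounding paragraph makes the point that these hashes are clear text equivalents, so the reference matters: point it at the section that actually describes the hashes, or remove it if the ENCRYPTION chapter content no longer exists. "refer to the User Database of the Samba-HOWTO-Collection" also lost the word "chapter".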
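Review bot: In the samba-doc.sgml hunks, every chapter ENTITY declaration is removed from the DOCTYPE subset while the body still references them and adds two new ones, &IntroSMB; and &problems;, so the build now depends entirely on ../global.ent declaring all of these. Neither global.ent nor source files for the two new chapters appear in this commit's diffstat, which is limited to docs/docbook/projdoc. Please confirm they are already on the 3.0.0 branch, otherwise the book will not parse; the same applies to linkend="problems" added in UNIX_INSTALL.sgml.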
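Review bot: In the unicode.sgml hunk, the find command places {} inside the bash -c string (CP="{}"), so a file name containing a double quote, $( ) or a backquote is parsed by bash as code, and the # prompt shows this being run as root over names chosen by clients of the share. Pass the name as an argument instead: end the command with -exec bash -c '...' _ {} \; and read it as "$1" inside the script. Two further points: iconv is applied to the whole path while -type f skips directories, so a file below a directory with a CP850 name gets a target path that does not exist, and mv overwrites without warning when two names convert to the same string. The text promises "all filenames", so either rename directories as well (depth first) or state that only regular files are handled.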