summaryrefslogtreecommitdiff
path: root/docs/docbook
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-04-19 21:41:01 +0000
committerGerald Carter <jerry@samba.org>2001-04-19 21:41:01 +0000
commit2cf8efffe2a8ff543eabe3c5975b15bc2c041885 (patch)
treea20bd5445da651591dda31e872d70083263a0f47 /docs/docbook
parentf95fb5fe3941a0ef916ac85c6ccf4aecf17aaf39 (diff)
downloadsamba-2cf8efffe2a8ff543eabe3c5975b15bc2c041885.tar.gz
samba-2cf8efffe2a8ff543eabe3c5975b15bc2c041885.tar.bz2
samba-2cf8efffe2a8ff543eabe3c5975b15bc2c041885.zip
another merge from 2.2
(This used to be commit f8e4876a04add168a17652431e85a9c2b5b6c619)
Diffstat (limited to 'docs/docbook')
-rw-r--r--docs/docbook/projdoc/DOMAIN_MEMBER.sgml228
-rw-r--r--docs/docbook/projdoc/ENCRYPTION.sgml378
-rw-r--r--docs/docbook/projdoc/NT_Security.sgml358
-rw-r--r--docs/docbook/projdoc/OS2-Client-HOWTO.sgml142
-rw-r--r--docs/docbook/projdoc/Samba-PDC-HOWTO.sgml964
-rw-r--r--docs/docbook/projdoc/UNIX_INSTALL.sgml446
-rw-r--r--docs/docbook/projdoc/msdfs_setup.sgml117
-rw-r--r--docs/docbook/projdoc/printer_driver2.sgml555
-rw-r--r--docs/docbook/projdoc/samba-doc.sgml39
-rw-r--r--docs/docbook/projdoc/winbind.sgml372
10 files changed, 3595 insertions, 4 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
new file mode 100644
index 0000000000..c6dbda15a3
--- /dev/null
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
@@ -0,0 +1,228 @@
+<chapter>
+
+<chapterinfo>
+ <author>
+ <firstname>Jeremy</firstname><surname>Allison</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>samba@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+ <author>
+ <firstname>Jerry</firstname><surname>Carter</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jerry@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+
+ <pubdate>16 Apr 2001</pubdate>
+</chapterinfo>
+
+
+<title>security = domain in Samba 2.x</title>
+
+<sect1>
+
+ <title>Joining an NT Domain with Samba 2.2</title>
+
+ <para>In order for a Samba-2 server to join an NT domain,
+ you must first add the NetBIOS name of the Samba server to the
+ NT domain on the PDC using Server Manager for Domains. This creates
+ the machine account in the domain (PDC) SAM. Note that you should
+ add the Samba server as a "Windows NT Workstation or Server",
+ <emphasis>NOT</emphasis> as a Primary or backup domain controller.</para>
+
+ <para>Assume you have a Samba-2 server with a NetBIOS name of
+ <constant>SERV1</constant> and are joining an NT domain called
+ <constant>DOM</constant>, which has a PDC with a NetBIOS name
+ of <constant>DOMPDC</constant> and two backup domain controllers
+ with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
+ </constant>.</para>
+
+ <para>In order to join the domain, first stop all Samba daemons
+ and run the command:</para>
+
+ <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
+ </userinput></para>
+
+ <para>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. If this is successful you will see the message:</para>
+
+ <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
+ </para>
+
+ <para>in your terminal window. See the <ulink url="smbpasswd.8.html">
+ smbpasswd(8)</ulink> man page for more details.</para>
+
+ <para>There is existing development code to join a domain
+ without having to create the machine trust account on the PDC
+ beforehand. This code will hopefully be available soon
+ in release branches as well.</para>
+
+ <para>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</para>
+
+ <para><filename>/usr/local/samba/private</filename></para>
+
+ <para>In Samba 2.0.x, the filename looks like this:</para>
+
+ <para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba
+ Server Name&gt;</replaceable>.mac</filename></para>
+
+ <para>The <filename>.mac</filename> suffix stands for machine account
+ password file. So in our example above, the file would be called:</para>
+
+ <para><filename>DOM.SERV1.mac</filename></para>
+
+ <para>In Samba 2.2, this file has been replaced with a TDB
+ (Trivial Database) file named <filename>secrets.tdb</filename>.
+ </para>
+
+
+ <para>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</para>
+
+ <para>Now, before restarting the Samba daemons you must
+ edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+ </ulink> file to tell Samba it should now use domain security.</para>
+
+ <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
+ <parameter>security =</parameter></ulink> line in the [global] section
+ of your smb.conf to read:</para>
+
+ <para><command>security = domain</command></para>
+
+ <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
+ workgroup =</parameter></ulink> line in the [global] section to read: </para>
+
+ <para><command>workgroup = DOM</command></para>
+
+ <para>as this is the name of the domain we are joining. </para>
+
+ <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
+ <parameter>encrypt passwords</parameter></ulink> set to <constant>yes
+ </constant> in order for your users to authenticate to the NT PDC.</para>
+
+ <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
+ <parameter>password server =</parameter></ulink> line in the [global]
+ section to read: </para>
+
+ <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
+
+ <para>These are the primary and backup domain controllers Samba
+ will attempt to contact in order to authenticate users. Samba will
+ try to contact each of these servers in order, so you may want to
+ rearrange this list in order to spread out the authentication load
+ among domain controllers.</para>
+
+ <para>Alternatively, if you want smbd to automatically determine
+ the list of Domain controllers to use for authentication, you may
+ set this line to be :</para>
+
+ <para><command>password server = *</command></para>
+
+ <para>This method, which was introduced in Samba 2.0.6,
+ allows Samba to use exactly the same mechanism that NT does. This
+ method either broadcasts or uses a WINS database in order to
+ find domain controllers to authenticate against.</para>
+
+ <para>Finally, restart your Samba daemons and get ready for
+ clients to begin using domain security!</para>
+</sect1>
+
+<sect1>
+<title>Samba and Windows 2000 Domains</title>
+
+<para>
+Many people have asked regarding the state of Samba's ability to participate in
+a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
+2000 domain operating in mixed or native mode.
+</para>
+
+<para>
+There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain. By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
+NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.
+</para>
+
+<para>
+The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
+Computers" MMC (Microsoft Management Console) plugin.
+</para>
+
+</sect1>
+
+
+<sect1>
+ <title>Why is this better than security = server?</title>
+
+ <para>Currently, domain security in Samba doesn't free you from
+ having to create local Unix users to represent the users attaching
+ to your server. This means that if domain user <constant>DOM\fred
+ </constant> attaches to your domain security Samba server, there needs
+ to be a local Unix user fred to represent that user in the Unix
+ filesystem. This is very similar to the older Samba security mode
+ <ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>,
+ where Samba would pass through the authentication request to a Windows
+ NT server in the same way as a Windows 95 or Windows 98 server would.
+ </para>
+
+ <para>Please refer to the <ulink url="winbind.html">Winbind
+ paper</ulink> for information on a system to automatically
+ assign UNIX uids and gids to Windows NT Domain users and groups.
+ This code is available in development branches only at the moment,
+ but will be moved to release branches soon.</para>
+
+ <para>The advantage to domain-level security is that the
+ authentication in domain-level security is passed down the authenticated
+ RPC channel in exactly the same way that an NT server would do it. This
+ means Samba servers now participate in domain trust relationships in
+ exactly the same way NT servers do (i.e., you can add Samba servers into
+ a resource domain and have the authentication passed on from a resource
+ domain PDC to an account domain PDC.</para>
+
+ <para>In addition, with <command>security = server</command> every Samba
+ daemon on a server has to keep a connection open to the
+ authenticating server for as long as that daemon lasts. This can drain
+ the connection resources on a Microsoft NT server and cause it to run
+ out of available connections. With <command>security = domain</command>,
+ however, the Samba daemons connect to the PDC/BDC only for as long
+ as is necessary to authenticate the user, and then drop the connection,
+ thus conserving PDC connection resources.</para>
+
+ <para>And finally, acting in the same manner as an NT server
+ authenticating to a PDC means that as part of the authentication
+ reply, the Samba server gets the user identification information such
+ as the user SID, the list of NT groups the user belongs to, etc. All
+ this information will allow Samba to be extended in the future into
+ a mode the developers currently call appliance mode. In this mode,
+ no local Unix users will be necessary, and Samba will generate Unix
+ uids and gids from the information passed back from the PDC when a
+ user is authenticated, making a Samba server truly plug and play
+ in an NT domain environment. Watch for this code soon.</para>
+
+ <para><emphasis>NOTE:</emphasis> Much of the text of this document
+ was first published in the Web magazine <ulink url="http://www.linuxworld.com">
+ LinuxWorld</ulink> as the article <ulink
+ url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
+ the NIS/NT Samba</ulink>.</para>
+
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/ENCRYPTION.sgml b/docs/docbook/projdoc/ENCRYPTION.sgml
new file mode 100644
index 0000000000..8b624bad1a
--- /dev/null
+++ b/docs/docbook/projdoc/ENCRYPTION.sgml
@@ -0,0 +1,378 @@
+<chapter>
+
+
+<chapterinfo>
+ <author>
+ <firstname>Jeremy</firstname><surname>Allison</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>samba@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+
+ <pubdate>19 Apr 1999</pubdate>
+</chapterinfo>
+
+<title>LanMan and NT Password Encryption in Samba 2.x</title>
+
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>With the development of LanManager and Windows NT
+ compatible password encryption for Samba, it is now able
+ to validate user connections in exactly the same way as
+ a LanManager or Windows NT server.</para>
+
+ <para>This document describes how the SMB password encryption
+ algorithm works and what issues there are in choosing whether
+ you want to use it. You should read it carefully, especially
+ the part about security and the "PROS and CONS" section.</para>
+
+</sect1>
+
+<sect1>
+ <title>How does it work?</title>
+
+ <para>LanManager encryption is somewhat similar to UNIX
+ password encryption. The server uses a file containing a
+ hashed value of a user's password. This is created by taking
+ the user's plaintext password, capitalising it, and either
+ truncating to 14 bytes or padding to 14 bytes with null bytes.
+ This 14 byte value is used as two 56 bit DES keys to encrypt
+ a 'magic' eight byte value, forming a 16 byte value which is
+ stored by the server and client. Let this value be known as
+ the "hashed password".</para>
+
+ <para>Windows NT encryption is a higher quality mechanism,
+ consisting of doing an MD4 hash on a Unicode version of the user's
+ password. This also produces a 16 byte hash value that is
+ non-reversible.</para>
+
+ <para>When a client (LanManager, Windows for WorkGroups, Windows
+ 95 or Windows NT) wishes to mount a Samba drive (or use a Samba
+ resource), it first requests a connection and negotiates the
+ protocol that the client and server will use. In the reply to this
+ request the Samba server generates and appends an 8 byte, random
+ value - this is stored in the Samba server after the reply is sent
+ and is known as the "challenge". The challenge is different for
+ every client connection.</para>
+
+ <para>The client then uses the hashed password (16 byte values
+ described above), appended with 5 null bytes, as three 56 bit
+ DES keys, each of which is used to encrypt the challenge 8 byte
+ value, forming a 24 byte value known as the "response".</para>
+
+ <para>In the SMB call SMBsessionsetupX (when user level security
+ is selected) or the call SMBtconX (when share level security is
+ selected), the 24 byte response is returned by the client to the
+ Samba server. For Windows NT protocol levels the above calculation
+ is done on both hashes of the user's password and both responses are
+ returned in the SMB call, giving two 24 byte values.</para>
+
+ <para>The Samba server then reproduces the above calculation, using
+ its own stored value of the 16 byte hashed password (read from the
+ <filename>smbpasswd</filename> file - described later) and the challenge
+ value that it kept from the negotiate protocol reply. It then checks
+ to see if the 24 byte value it calculates matches the 24 byte value
+ returned to it from the client.</para>
+
+ <para>If these values match exactly, then the client knew the
+ correct password (or the 16 byte hashed value - see security note
+ below) and is thus allowed access. If not, then the client did not
+ know the correct password and is denied access.</para>
+
+ <para>Note that the Samba server never knows or stores the cleartext
+ of the user's password - just the 16 byte hashed values derived from
+ it. Also note that the cleartext password or 16 byte hashed values
+ are never transmitted over the network - thus increasing security.</para>
+</sect1>
+
+<sect1>
+ <title>Important Notes About Security</title>
+
+ <para>The unix and SMB password encryption techniques seem similar
+ on the surface. This similarity is, however, only skin deep. The unix
+ scheme typically sends clear text passwords over the nextwork when
+ logging in. This is bad. The SMB encryption scheme never sends the
+ cleartext password over the network but it does store the 16 byte
+ hashed values on disk. This is also bad. Why? Because the 16 byte hashed
+ values are a "password equivalent". You cannot derive the user's
+ password from them, but they could potentially be used in a modified
+ client to gain access to a server. This would require considerable
+ technical knowledge on behalf of the attacker but is perfectly possible.
+ You should thus treat the smbpasswd file as though it contained the
+ cleartext passwords of all your users. Its contents must be kept
+ secret, and the file should be protected accordingly.</para>
+
+ <para>Ideally we would like a password scheme which neither requires
+ plain text passwords on the net or on disk. Unfortunately this
+ is not available as Samba is stuck with being compatible with
+ other SMB systems (WinNT, WfWg, Win95 etc). </para>
+
+ <warning>
+ <para>Note that Windows NT 4.0 Service pack 3 changed the
+ default for permissible authentication so that plaintext
+ passwords are <emphasis>never</emphasis> sent over the wire.
+ The solution to this is either to switch to encrypted passwords
+ with Samba or edit the Windows NT registry to re-enable plaintext
+ passwords. See the document WinNT.txt for details on how to do
+ this.</para>
+
+ <para>Other Microsoft operating systems which also exhibit
+ this behavior includes</para>
+
+ <itemizedlist>
+ <listitem><para>MS DOS Network client 3.0 with
+ the basic network redirector installed</para></listitem>
+
+ <listitem><para>Windows 95 with the network redirector
+ update installed</para></listitem>
+
+ <listitem><para>Windows 98 [se]</para></listitem>
+
+ <listitem><para>Windows 2000</para></listitem>
+ </itemizedlist>
+
+ <para><emphasis>Note :</emphasis>All current release of
+ Microsoft SMB/CIFS clients support authentication via the
+ SMB Challenge/Response mechanism described here. Enabling
+ clear text authentication does not disable the ability
+ of the client to particpate in encrypted authentication.</para>
+ </warning>
+
+ <sect2>
+ <title>Advantages of SMB Encryption</title>
+
+ <itemizedlist>
+ <listitem><para>plain text passwords are not passed across
+ the network. Someone using a network sniffer cannot just
+ record passwords going to the SMB server.</para>
+ </listitem>
+
+ <listitem><para>WinNT doesn't like talking to a server
+ that isn't using SMB encrypted passwords. It will refuse
+ to browse the server if the server is also in user level
+ security mode. It will insist on prompting the user for the
+ password on each connection, which is very annoying. The
+ only things you can do to stop this is to use SMB encryption.
+ </para></listitem>
+ </itemizedlist>
+ </sect2>
+
+
+ <sect2>
+ <title>Advantages of non-encrypted passwords</title>
+
+ <itemizedlist>
+ <listitem><para>plain text passwords are not kept
+ on disk. </para></listitem>
+
+ <listitem><para>uses same password file as other unix
+ services such as login and ftp</para></listitem>
+
+ <listitem><para>you are probably already using other
+ services (such as telnet and ftp) which send plain text
+ passwords over the net, so sending them for SMB isn't
+ such a big deal.</para></listitem>
+ </itemizedlist>
+ </sect2>
+</sect1>
+
+
+<sect1>
+ <title><anchor id="SMBPASSWDFILEFORMAT">The smbpasswd file</title>
+
+ <para>In order for Samba to participate in the above protocol
+ it must be able to look up the 16 byte hashed values given a user name.
+ Unfortunately, as the UNIX password value is also a one way hash
+ function (ie. it is impossible to retrieve the cleartext of the user's
+ password given the UNIX hash of it), a separate password file
+ containing this 16 byte value must be kept. To minimise problems with
+ these two password files, getting out of sync, the UNIX <filename>
+ /etc/passwd</filename> and the <filename>smbpasswd</filename> file,
+ a utility, <command>mksmbpasswd.sh</command>, is provided to generate
+ a smbpasswd file from a UNIX <filename>/etc/passwd</filename> file.
+ </para
+
+
+ <para>To generate the smbpasswd file from your <filename>/etc/passwd
+ </filename> file use the following command :</para>
+
+ <para><prompt>$ </prompt><userinput>cat /etc/passwd | mksmbpasswd.sh
+ &gt; /usr/local/samba/private/smbpasswd</userinput></para>
+
+ <para>If you are running on a system that uses NIS, use</para>
+
+ <para><prompt>$ </prompt><userinput>ypcat passwd | mksmbpasswd.sh
+ &gt; /usr/local/samba/private/smbpasswd</userinput></para>
+
+ <para>The <command>mksmbpasswd.sh</command> program is found in
+ the Samba source directory. By default, the smbpasswd file is
+ stored in :</para>
+
+ <para><filename>/usr/local/samba/private/smbpasswd</filename></para>
+
+ <para>The owner of the <filename>/usr/local/samba/private/</filename>
+ directory should be set to root, and the permissions on it should
+ be set to 0500 (<command>chmod 500 /usr/local/samba/private</command>).
+ </para>
+
+ <para>Likewise, the smbpasswd file inside the private directory should
+ be owned by root and the permissions on is should be set to 0600
+ (<command>chmod 600 smbpasswd</command>).</para>
+
+
+ <para>The format of the smbpasswd file is (The line has been
+ wrapped here. It should appear as one entry per line in
+ your smbpasswd file.)</para>
+
+ <para><programlisting>
+username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ [Account type]:LCT-&lt;last-change-time&gt;:Long name
+ </programlisting></para>
+
+ <para>Although only the <replaceable>username</replaceable>,
+ <replaceable>uid</replaceable>, <replaceable>
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</replaceable>,
+ [<replaceable>Account type</replaceable>] and <replaceable>
+ last-change-time</replaceable> sections are significant
+ and are looked at in the Samba code.</para>
+
+ <para>It is <emphasis>VITALLY</emphasis> important that there by 32
+ 'X' characters between the two ':' characters in the XXX sections -
+ the smbpasswd and Samba code will fail to validate any entries that
+ do not have 32 characters between ':' characters. The first XXX
+ section is for the Lanman password hash, the second is for the
+ Windows NT version.</para>
+
+ <para>When the password file is created all users have password entries
+ consisting of 32 'X' characters. By default this disallows any access
+ as this user. When a user has a password set, the 'X' characters change
+ to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii
+ representation of the 16 byte hashed value of a user's password.</para>
+
+ <para>To set a user to have no password (not recommended), edit the file
+ using vi, and replace the first 11 characters with the ascii text
+ <constant>"NO PASSWORD"</constant> (minus the quotes).</para>
+
+ <para>For example, to clear the password for user bob, his smbpasswd file
+ entry would look like :</para>
+
+ <para><programlisting>
+ bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
+ </programlisting></para>
+
+ <para>If you are allowing users to use the smbpasswd command to set
+ their own passwords, you may want to give users NO PASSWORD initially
+ so they do not have to enter a previous password when changing to their
+ new password (not recommended). In order for you to allow this the
+ <command>smbpasswd</command> program must be able to connect to the
+ <command>smbd</command> daemon as that user with no password. Enable this
+ by adding the line :</para>
+
+ <para><command>null passwords = yes</command></para>
+
+ <para>to the [global] section of the smb.conf file (this is why
+ the above scenario is not recommended). Preferably, allocate your
+ users a default password to begin with, so you do not have
+ to enable this on your server.</para>
+
+ <para><emphasis>Note : </emphasis>This file should be protected very
+ carefully. Anyone with access to this file can (with enough knowledge of
+ the protocols) gain access to your SMB server. The file is thus more
+ sensitive than a normal unix <filename>/etc/passwd</filename> file.</para>
+</sect1>
+
+
+<sect1>
+ <title>The smbpasswd Command</title>
+
+ <para>The smbpasswd command maintains the two 32 byte password fields
+ in the smbpasswd file. If you wish to make it similar to the unix
+ <command>passwd</command> or <command>yppasswd</command> programs,
+ install it in <filename>/usr/local/samba/bin/</filename> (or your
+ main Samba binary directory).</para>
+
+ <para>Note that as of Samba 1.9.18p4 this program <emphasis>MUST NOT
+ BE INSTALLED</emphasis> setuid root (the new <command>smbpasswd</command>
+ code enforces this restriction so it cannot be run this way by
+ accident).</para>
+
+ <para><command>smbpasswd</command> now works in a client-server mode
+ where it contacts the local smbd to change the user's password on its
+ behalf. This has enormous benefits - as follows.</para>
+
+ <itemizedlist>
+ <listitem><para>smbpasswd no longer has to be setuid root -
+ an enormous range of potential security problems is
+ eliminated.</para></listitem>
+
+ <listitem><para><command>smbpasswd</command> now has the capability
+ to change passwords on Windows NT servers (this only works when
+ the request is sent to the NT Primary Domain Controller if you
+ are changing an NT Domain user's password).</para></listitem>
+ </itemizedlist>
+
+ <para>To run smbpasswd as a normal user just type :</para>
+
+ <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
+ <para><prompt>Old SMB password: </prompt><userinput>&lt;type old value here -
+ or hit return if there was no old password&gt;</userinput></para>
+ <para><prompt>New SMB Password: </prompt><userinput>&lt;type new value&gt;
+ </userinput></para>
+ <para><prompt>Repeat New SMB Password: </prompt><userinput>&lt;re-type new value
+ </userinput></para>
+
+ <para>If the old value does not match the current value stored for
+ that user, or the two new values do not match each other, then the
+ password will not be changed.</para>
+
+ <para>If invoked by an ordinary user it will only allow the user
+ to change his or her own Samba password.</para>
+
+ <para>If run by the root user smbpasswd may take an optional
+ argument, specifying the user name whose SMB password you wish to
+ change. Note that when run as root smbpasswd does not prompt for
+ or check the old password value, thus allowing root to set passwords
+ for users who have forgotten their passwords.</para>
+
+ <para><command>smbpasswd</command> is designed to work in the same way
+ and be familiar to UNIX users who use the <command>passwd</command> or
+ <command>yppasswd</command> commands.</para>
+
+ <para>For more details on using <command>smbpasswd</command> refer
+ to the man page which will always be the definitive reference.</para>
+</sect1>
+
+
+<sect1>
+ <title>Setting up Samba to support LanManager Encryption</title>
+
+ <para>This is a very brief description on how to setup samba to
+ support password encryption. </para>
+
+ <orderedlist numeration="Arabic">
+ <listitem><para>compile and install samba as usual</para>
+ </listitem>
+
+ <listitem><para>enable encrypted passwords in <filename>
+ smb.conf</filename> by adding the line <command>encrypt
+ passwords = yes</command> in the [global] section</para>
+ </listitem>
+
+ <listitem><para>create the initial <filename>smbpasswd</filename>
+ password file in the place you specified in the Makefile
+ (--prefix=&lt;dir&gt;). See the notes under the <link
+ linkend="SMBPASSWDFILEFORMAT">The smbpasswd File</link>
+ section earlier in the document for details.</para>
+ </listitem>
+ </orderedlist>
+
+ <para>Note that you can test things using smbclient.</para>
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml
new file mode 100644
index 0000000000..a6be4a0ffd
--- /dev/null
+++ b/docs/docbook/projdoc/NT_Security.sgml
@@ -0,0 +1,358 @@
+<chapter>
+
+<chapterinfo>
+ <author>
+ <firstname>Jeremy</firstname><surname>Allison</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>samba@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+
+ <pubdate>12 Apr 1999</pubdate>
+</chapterinfo>
+
+
+<title>UNIX Permission Bits and WIndows NT Access Control Lists</title>
+
+<sect1>
+ <title>Viewing and changing UNIX permissions using the NT
+ security dialogs</title>
+
+
+ <para>New in the Samba 2.0.4 release is the ability for Windows
+ NT clients to use their native security settings dialog box to
+ view and modify the underlying UNIX permissions.</para>
+
+ <para>Note that this ability is careful not to compromise
+ the security of the UNIX host Samba is running on, and
+ still obeys all the file permission rules that a Samba
+ administrator can set.</para>
+
+ <para>In Samba 2.0.4 and above the default value of the
+ parameter <ulink url="smb.conf.5.html#NTACLSUPPOR"><parameter>
+ nt acl support</parameter></ulink> has been changed from
+ <constant>false</constant> to <constant>true</constant>, so
+ manipulation of permissions is turned on by default.</para>
+</sect1>
+
+<sect1>
+ <title>How to view file security on a Samba share</title>
+
+ <para>From an NT 4.0 client, single-click with the right
+ mouse button on any file or directory in a Samba mounted
+ drive letter or UNC path. When the menu pops-up, click
+ on the <emphasis>Properties</emphasis> entry at the bottom of
+ the menu. This brings up the normal file properties dialog
+ box, but with Samba 2.0.4 this will have a new tab along the top
+ marked <emphasis>Security</emphasis>. Click on this tab and you
+ will see three buttons, <emphasis>Permissions</emphasis>,
+ <emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>.
+ The <emphasis>Auditing</emphasis> button will cause either
+ an error message <errorname>A requested privilege is not held
+ by the client</errorname> to appear if the user is not the
+ NT Administrator, or a dialog which is intended to allow an
+ Administrator to add auditing requirements to a file if the
+ user is logged on as the NT Administrator. This dialog is
+ non-functional with a Samba share at this time, as the only
+ useful button, the <command>Add</command> button will not currently
+ allow a list of users to be seen.</para>
+
+</sect1>
+
+<sect1>
+ <title>Viewing file ownership</title>
+
+ <para>Clicking on the <command>"Ownership"</command> button
+ brings up a dialog box telling you who owns the given file. The
+ owner name will be of the form :</para>
+
+ <para><command>"SERVER\user (Long name)"</command></para>
+
+ <para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of
+ the Samba server, <replaceable>user</replaceable> is the user name of
+ the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
+ is the discriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database). Click on the <command>Close
+ </command> button to remove this dialog.</para>
+
+ <para>If the parameter <parameter>nt acl support</parameter>
+ is set to <constant>false</constant> then the file owner will
+ be shown as the NT user <command>"Everyone"</command>.</para>
+
+ <para>The <command>Take Ownership</command> button will not allow
+ you to change the ownership of this file to yourself (clicking on
+ it will display a dialog box complaining that the user you are
+ currently logged onto the NT client cannot be found). The reason
+ for this is that changing the ownership of a file is a privilaged
+ operation in UNIX, available only to the <emphasis>root</emphasis>
+ user. As clicking on this button causes NT to attempt to change
+ the ownership of a file to the current user logged into the NT
+ client this will not work with Samba at this time.</para>
+
+ <para>There is an NT chown command that will work with Samba
+ and allow a user with Administrator privillage connected
+ to a Samba 2.0.4 server as root to change the ownership of
+ files on both a local NTFS filesystem or remote mounted NTFS
+ or Samba drive. This is available as part of the <emphasis>Seclib
+ </emphasis> NT security library written by Jeremy Allison of
+ the Samba Team, available from the main Samba ftp site.</para>
+
+</sect1>
+
+<sect1>
+ <title>Viewing file or directory permissions</title>
+
+ <para>The third button is the <command>"Permissions"</command>
+ button. Clicking on this brings up a dialog box that shows both
+ the permissions and the UNIX owner of the file or directory.
+ The owner is displayed in the form :</para>
+
+ <para><command>"SERVER\user (Long name)"</command></para>
+
+ <para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of
+ the Samba server, <replaceable>user</replaceable> is the user name of
+ the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
+ is the discriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database).</para>
+
+ <para>If the parameter <parameter>nt acl support</parameter>
+ is set to <constant>false</constant> then the file owner will
+ be shown as the NT user <command>"Everyone"</command> and the
+ permissions will be shown as NT "Full Control".</para>
+
+
+ <para>The permissions field is displayed differently for files
+ and directories, so I'll describe the way file permissions
+ are displayed first.</para>
+
+ <sect2>
+ <title>File Permissions</title>
+
+ <para>The standard UNIX user/group/world triple and
+ the correspinding "read", "write", "execute" permissions
+ triples are mapped by Samba into a three element NT ACL
+ with the 'r', 'w', and 'x' bits mapped into the corresponding
+ NT permissions. The UNIX world permissions are mapped into
+ the global NT group <command>Everyone</command>, followed
+ by the list of permissions allowed for UNIX world. The UNIX
+ owner and group permissions are displayed as an NT
+ <command>user</command> icon and an NT <command>local
+ group</command> icon respectively followed by the list
+ of permissions allowed for the UNIX user and group.</para>
+
+ <para>As many UNIX permission sets don't map into common
+ NT names such as <command>"read"</command>, <command>
+ "change"</command> or <command>"full control"</command> then
+ usually the permissions will be prefixed by the words <command>
+ "Special Access"</command> in the NT display list.</para>
+
+ <para>But what happens if the file has no permissions allowed
+ for a particular UNIX user group or world component ? In order
+ to allow "no permissions" to be seen and modified then Samba
+ overloads the NT <command>"Take Ownership"</command> ACL attribute
+ (which has no meaning in UNIX) and reports a component with
+ no permissions as having the NT <command>"O"</command> bit set.
+ This was chosen of course to make it look like a zero, meaning
+ zero permissions. More details on the decision behind this will
+ be given below.</para>
+ </sect2>
+
+ <sect2>
+ <title>Directory Permissions</title>
+
+ <para>Directories on an NT NTFS file system have two
+ different sets of permissions. The first set of permissions
+ is the ACL set on the directory itself, this is usually displayed
+ in the first set of parentheses in the normal <command>"RW"</command>
+ NT style. This first set of permissions is created by Samba in
+ exactly the same way as normal file permissions are, described
+ above, and is displayed in the same way.</para>
+
+ <para>The second set of directory permissions has no real meaning
+ in the UNIX permissions world and represents the <command>
+ "inherited"</command> permissions that any file created within
+ this directory would inherit.</para>
+
+ <para>Samba synthesises these inherited permissions for NT by
+ returning as an NT ACL the UNIX permission mode that a new file
+ created by Samba on this share would receive.</para>
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Modifying file or directory permissions</title>
+
+ <para>Modifying file and directory permissions is as simple
+ as changing the displayed permissions in the dialog box, and
+ clicking the <command>OK</command> button. However, there are
+ limitations that a user needs to be aware of, and also interactions
+ with the standard Samba permission masks and mapping of DOS
+ attributes that need to also be taken into account.</para>
+
+ <para>If the parameter <parameter>nt acl support</parameter>
+ is set to <constant>false</constant> then any attempt to set
+ security permissions will fail with an <command>"Access Denied"
+ </command> message.</para>
+
+ <para>The first thing to note is that the <command>"Add"</command>
+ button will not return a list of users in Samba 2.0.4 (it will give
+ an error message of <command>"The remote proceedure call failed
+ and did not execute"</command>). This means that you can only
+ manipulate the current user/group/world permissions listed in
+ the dialog box. This actually works quite well as these are the
+ only permissions that UNIX actually has.</para>
+
+ <para>If a permission triple (either user, group, or world)
+ is removed from the list of permissions in the NT dialog box,
+ then when the <command>"OK"</command> button is pressed it will
+ be applied as "no permissions" on the UNIX side. If you then
+ view the permissions again the "no permissions" entry will appear
+ as the NT <command>"O"</command> flag, as described above. This
+ allows you to add permissions back to a file or directory once
+ you have removed them from a triple component.</para>
+
+ <para>As UNIX supports only the "r", "w" and "x" bits of
+ an NT ACL then if other NT security attributes such as "Delete
+ access" are selected then they will be ignored when applied on
+ the Samba server.</para>
+
+ <para>When setting permissions on a directory the second
+ set of permissions (in the second set of parentheses) is
+ by default applied to all files within that directory. If this
+ is not what you want you must uncheck the <command>"Replace
+ permissions on existing files"</command> checkbox in the NT
+ dialog before clicking <command>"OK"</command>.</para>
+
+ <para>If you wish to remove all permissions from a
+ user/group/world component then you may either highlight the
+ component and click the <command>"Remove"</command> button,
+ or set the component to only have the special <command>"Take
+ Ownership"</command> permission (dsplayed as <command>"O"
+ </command>) highlighted.</para>
+</sect1>
+
+<sect1>
+ <title>Interaction with the standard Samba create mask
+ parameters</title>
+
+ <para>Note that with Samba 2.0.5 there are four new parameters
+ to control this interaction. These are :</para>
+
+ <para><parameter>security mask</parameter></para>
+ <para><parameter>force security mode</parameter></para>
+ <para><parameter>directory security mask</parameter></para>
+ <para><parameter>force directory security mode</parameter></para>
+
+ <para>Once a user clicks <command>"OK"</command> to apply the
+ permissions Samba maps the given permissions into a user/group/world
+ r/w/x triple set, and then will check the changed permissions for a
+ file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK">
+ <parameter>security mask</parameter></ulink> parameter. Any bits that
+ were changed that are not set to '1' in this parameter are left alone
+ in the file permissions.</para>
+
+ <para>Essentially, zero bits in the <parameter>security mask</parameter>
+ mask may be treated as a set of bits the user is <emphasis>not</emphasis>
+ allowed to change, and one bits are those the user is allowed to change.
+ </para>
+
+ <para>If not set explicitly this parameter is set to the same value as
+ the <ulink url="smb.conf.5.html#CREATEMASK"><parameter>create mask
+ </parameter></ulink> parameter to provide compatibility with Samba 2.0.4
+ where this permission change facility was introduced. To allow a user to
+ modify all the user/group/world permissions on a file, set this parameter
+ to 0777.</para>
+
+ <para>Next Samba checks the changed permissions for a file against
+ the bits set in the <ulink url="smb.conf.5.html#FORCESECURITYMODE">
+ <parameter>force security mode</parameter></ulink> parameter. Any bits
+ that were changed that correspond to bits set to '1' in this parameter
+ are forced to be set.</para>
+
+ <para>Essentially, bits set in the <parameter>force security mode
+ </parameter> parameter may be treated as a set of bits that, when
+ modifying security on a file, the user has always set to be 'on'.</para>
+
+ <para>If not set explicitly this parameter is set to the same value
+ as the <ulink url="smb.conf.5.html#FORCECREATEMODE"><parameter>force
+ create mode</parameter></ulink> parameter to provide compatibility
+ with Samba 2.0.4 where the permission change facility was introduced.
+ To allow a user to modify all the user/group/world permissions on a file,
+ with no restrictions set this parameter to 000.</para>
+
+ <para>The <parameter>security mask</parameter> and <parameter>force
+ security mode</parameter> parameters are applied to the change
+ request in that order.</para>
+
+ <para>For a directory Samba will perform the same operations as
+ described above for a file except using the parameter <parameter>
+ directory security mask</parameter> instead of <parameter>security
+ mask</parameter>, and <parameter>force directory security mode
+ </parameter> parameter instead of <parameter>force security mode
+ </parameter>.</para>
+
+ <para>The <parameter>directory security mask</parameter> parameter
+ by default is set to the same value as the <parameter>directory mask
+ </parameter> parameter and the <parameter>force directory security
+ mode</parameter> parameter by default is set to the same value as
+ the <parameter>force directory mode</parameter> parameter to provide
+ compatibility with Samba 2.0.4 where the permission change facility
+ was introduced.</para>
+
+ <para>In this way Samba enforces the permission restrictions that
+ an administrator can set on a Samba share, whilst still allowing users
+ to modify the permission bits within that restriction.</para>
+
+ <para>If you want to set up a share that allows users full control
+ in modifying the permission bits on their files and directories and
+ doesn't force any particular bits to be set 'on', then set the following
+ parameters in the <ulink url="smb.conf.5.html"><filename>smb.conf(5)
+ </filename></ulink> file in that share specific section :</para>
+
+ <para><parameter>security mask = 0777</parameter></para>
+ <para><parameter>force security mode = 0</parameter></para>
+ <para><parameter>directory security mask = 0777</parameter></para>
+ <para><parameter>force directory security mode = 0</parameter></para>
+
+ <para>As described, in Samba 2.0.4 the parameters :</para>
+
+ <para><parameter>create mask</parameter></para>
+ <para><parameter>force create mode</parameter></para>
+ <para><parameter>directory mask</parameter></para>
+ <para><parameter>force directory mode</parameter></para>
+
+ <para>were used instead of the parameters discussed here.</para>
+</sect1>
+
+<sect1>
+ <title>Interaction with the standard Samba file attribute
+ mapping</title>
+
+ <para>Samba maps some of the DOS attribute bits (such as "read
+ only") into the UNIX permissions of a file. This means there can
+ be a conflict between the permission bits set via the security
+ dialog and the permission bits set by the file attribute mapping.
+ </para>
+
+ <para>One way this can show up is if a file has no UNIX read access
+ for the owner it will show up as "read only" in the standard
+ file attributes tabbed dialog. Unfortunately this dialog is
+ the same one that contains the security info in another tab.</para>
+
+ <para>What this can mean is that if the owner changes the permissions
+ to allow themselves read access using the security dialog, clicks
+ <command>"OK"</command> to get back to the standard attributes tab
+ dialog, and then clicks <command>"OK"</command> on that dialog, then
+ NT will set the file permissions back to read-only (as that is what
+ the attributes still say in the dialog). This means that after setting
+ permissions and clicking <command>"OK"</command> to get back to the
+ attributes dialog you should always hit <command>"Cancel"</command>
+ rather than <command>"OK"</command> to ensure that your changes
+ are not overridden.</para>
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/OS2-Client-HOWTO.sgml b/docs/docbook/projdoc/OS2-Client-HOWTO.sgml
new file mode 100644
index 0000000000..5db80cda3d
--- /dev/null
+++ b/docs/docbook/projdoc/OS2-Client-HOWTO.sgml
@@ -0,0 +1,142 @@
+<chapter>
+
+
+<chapterinfo>
+ <author>
+ <firstname>Jim</firstname><surname>McDonough</surname>
+ <affiliation>
+ <orgname>IBM</orgname>
+ <address>
+ <email>jerry@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+
+ <pubdate>5 Mar 2001</pubdate>
+</chapterinfo>
+
+<title>OS2 Client HOWTO</title>
+
+<sect1>
+ <title>FAQs</title>
+
+ <sect2>
+ <title>How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</title>
+
+ <para>A more complete answer to this question can be
+ found on <ulink url="http://carol.wins.uva.nl/~leeuw/samba/warp.html">
+ http://carol.wins.uva.nl/~leeuw/samba/warp.html</ulink>.</para>
+
+ <para>Basically, you need three components:</para>
+
+ <itemizedlist>
+ <listitem><para>The File and Print Client ('IBM Peer')
+ </para></listitem>
+ <listitem><para>TCP/IP ('Internet support')
+ </para></listitem>
+ <listitem><para>The "NetBIOS over TCP/IP" driver ('TCPBEUI')
+ </para></listitem>
+ </itemizedlist>
+
+ <para>Installing the first two together with the base operating
+ system on a blank system is explained in the Warp manual. If Warp
+ has already been installed, but you now want to install the
+ networking support, use the "Selective Install for Networking"
+ object in the "System Setup" folder.</para>
+
+ <para>Adding the "NetBIOS over TCP/IP" driver is not described
+ in the manual and just barely in the online documentation. Start
+ MPTS.EXE, click on OK, click on "Configure LAPS" and click
+ on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
+ is then moved to 'Current Configuration'. Select that line,
+ click on "Change number" and increase it from 0 to 1. Save this
+ configuration.</para>
+
+ <para>If the Samba server(s) is not on your local subnet, you
+ can optionally add IP names and addresses of these servers
+ to the "Names List", or specify a WINS server ('NetBIOS
+ Nameserver' in IBM and RFC terminology). For Warp Connect you
+ may need to download an update for 'IBM Peer' to bring it on
+ the same level as Warp 4. See the webpage mentioned above.</para>
+ </sect2>
+
+ <sect2>
+ <title>How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</title>
+
+ <para>You can use the free Microsoft LAN Manager 2.2c Client
+ for OS/2 from
+ <ulink url="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/">
+ ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</ulink>.
+ See <ulink url="http://carol.wins.uva.nl/~leeuw/lanman.html">
+ http://carol.wins.uva.nl/~leeuw/lanman.html</ulink> for
+ more information on how to install and use this client. In
+ a nutshell, edit the file \OS2VER in the root directory of
+ the OS/2 boot partition and add the lines:</para>
+
+ <para><programlisting>
+ 20=setup.exe
+ 20=netwksta.sys
+ 20=netvdd.sys
+ </programlisting></para>
+
+ <para>before you install the client. Also, don't use the
+ included NE2000 driver because it is buggy. Try the NE2000
+ or NS2000 driver from
+ <ulink url="ftp://ftp.cdrom.com/pub/os2/network/ndis/">
+ ftp://ftp.cdrom.com/pub/os2/network/ndis/</ulink> instead.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title>Are there any other issues when OS/2 (any version)
+ is used as a client?</title>
+
+ <para>When you do a NET VIEW or use the "File and Print
+ Client Resource Browser", no Samba servers show up. This can
+ be fixed by a patch from <ulink
+ url="http://carol.wins.uva.nl/~leeuw/samba/fix.html">
+ http://carol.wins.uva.nl/~leeuw/samba/fix.html</ulink>.
+ The patch will be included in a later version of Samba. It also
+ fixes a couple of other problems, such as preserving long
+ filenames when objects are dragged from the Workplace Shell
+ to the Samba server. </para>
+ </sect2>
+
+ <sect2>
+ <title>How do I get printer driver download working
+ for OS/2 clients?</title>
+
+ <para>First, create a share called [PRINTDRV] that is
+ world-readable. Copy your OS/2 driver files there. Note
+ that the .EA_ files must still be separate, so you will need
+ to use the original install files, and not copy an installed
+ driver from an OS/2 system.</para>
+
+ <para>Install the NT driver first for that printer. Then,
+ add to your smb.conf a paramater, "os2 driver map =
+ <replaceable>filename</replaceable>". Then, in the file
+ specified by <replaceable>filename</replaceable>, map the
+ name of the NT driver name to the OS/2 driver name as
+ follows:</para>
+
+ <para>&lt;nt driver name&gt; = &lt;os2 driver
+ name&gt;.&lt;device name&gt;, e.g.:
+ HP LaserJet 5L = LASERJET.HP LaserJet 5L</para>
+
+ <para>You can have multiple drivers mapped in this file.</para>
+
+ <para>If you only specify the OS/2 driver name, and not the
+ device name, the first attempt to download the driver will
+ actually download the files, but the OS/2 client will tell
+ you the driver is not available. On the second attempt, it
+ will work. This is fixed simply by adding the device name
+ to the mapping, after which it will work on the first attempt.
+ </para>
+ </sect2>
+</sect1>
+
+</chapter>
+
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
new file mode 100644
index 0000000000..699ba54a09
--- /dev/null
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml
@@ -0,0 +1,964 @@
+<chapter>
+
+
+<chapterinfo>
+ <author>
+ <firstname>Gerald (Jerry)</firstname><surname>Carter</surname>
+ <affiliation>
+ <orgname>VA Linux Systems/Samba Team</orgname>
+ <address><email>jerry@samba.org</email></address>
+ </affiliation>
+ </author>
+ <pubdate> (15 Apr 2001) </pubdate>
+</chapterinfo>
+
+<title>
+How to Configure Samba 2.2.x as a Primary Domain Controller
+</title>
+
+
+<!-- **********************************************************
+
+ Background Information
+
+*************************************************************** -->
+<sect1>
+<title>
+Background
+</title>
+
+<para><emphasis>Author's Note :</emphasis> This document
+is a combination of David Bannon's Samba 2.2 PDC HOWTO
+and the Samba NT Domain FAQ. Both documents are superceeded by this one.
+</para>
+
+<para>
+Version of Samba prior to release 2.2 had marginal capabilities to
+act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
+functionality should work in 2.2.0:
+</para>
+
+<itemizedlist>
+ <listitem><para>domain logons for Windows NT 4.0/2000 clients</para></listitem>
+
+ <listitem><para>placing a Windows 9x client in user level security</para></listitem>
+
+ <listitem><para>retrieving a list of users and groups from a Samba PDC to
+ Windows 9x/NT/2000 clients </para></listitem>
+
+ <listitem><para>roving user profiles</para></listitem>
+
+ <listitem><para>Windows NT 4.0 style system policies</para></listitem>
+</itemizedlist>
+
+<para>
+The following pieces of functionality are not included in the 2.2 release:
+</para>
+
+<itemizedlist>
+ <listitem><para>Windows NT 4 domain trusts</para></listitem>
+
+ <listitem><para>Sam replication with Windows NT 4.0 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa) </para></listitem>
+
+ <listitem><para>Adding users via the User Manager for Domains</para></listitem>
+
+ <listitem><para>Acting as a Windows 2000 Domain Controller (i.e. Kerberos
+ and Active Directory)</para></listitem>
+</itemizedlist>
+
+<para>
+Please note that Windows 9x clients are not true members of a domain
+for reasons outlined in this article. Therefore the protocol for
+support Windows 9x style domain logons is completely different
+from NT4 domain logons and has been officially supported for some
+time.
+</para>
+
+<para>
+Beginning with Samba 2.2.0, we are proud to announce official
+support for Windows NT 4.0 style domain logons from Windows NT
+4.0 and Windows 2000 (including SP1) clients. This article
+outlines the steps necessary for configuring Samba as a PDC.
+Note that it is necessary to have a working Samba server
+prior to implementing the PDC functionality. If you have not
+followed the steps outlined in <ulink url="UNIX_INSTALL.html">
+UNIX_INSTALL.html</ulink>, please make sure that your server
+is configured correctly before proceeding. Another good
+resource in the <ulink url="smb.conf.5.html">smb.conf(5) man
+page</ulink>.
+</para>
+
+<para>
+Implementing a Samba PDC can basically be divided into 2 broad
+steps.
+</para>
+
+<orderedlist numeration="Arabic">
+ <listitem><para>Configuring the Samba Domain Controller
+ </para></listitem>
+
+ <listitem><para>Creating machine trust accounts
+ and joining clients to the domain</para></listitem>
+</orderedlist>
+
+<para>
+There are other minor details such as user profiles, system
+policies, etc... However, these are not necessarily specific
+to a Samba PDC as much as they are related to Windows NT networking
+concepts. They will be mentioned only briefly here.
+</para>
+
+</sect1>
+
+
+<!-- **********************************************************
+
+ Configuring the Samba PDC
+
+*************************************************************** -->
+
+<sect1>
+<title>Configuring the Samba Domain Controller</title>
+
+<para>
+The first step in creating a working Samba PDC is to
+understand the parameters necessary in smb.conf. I will not
+attempt to re-explain the parameters here as they are more that
+adequately covered in <ulink url="smb.conf.5.html"> the smb.conf
+man page</ulink>. For convenience, the parameters have been
+linked with the actual smb.conf description.
+</para>
+
+<para>
+Here is an example smb.conf for acting as a PDC:
+</para>
+
+<para><programlisting>
+[global]
+ ; Basic server settings
+ <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable>
+ <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable>
+
+ ; we should act as the domain and local master browser
+ <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64
+ <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes
+ <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes
+ <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes
+
+ ; security settings (must user security = user)
+ <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user
+
+ ; encrypted passwords are a requirement for a PDC
+ <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes
+
+ ; support domain logons
+ <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes
+
+ ; where to store user profiles?
+ <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u
+
+ ; where is a user's home directory and where should it
+ ; be mounted at?
+ <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
+ <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
+
+ ; specify a generic logon script for all users
+ ; this is a relative path to the [netlogon] share
+ <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd
+
+; necessary share for domain controller
+[netlogon]
+ <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon
+ <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = no
+ <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable>
+
+; share for storing user profiles
+[profiles]
+ <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile
+ <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = yes
+ <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600
+ <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700
+</programlisting></para>
+
+<para>
+There are a couple of points to emphasize in the above
+configuration.
+</para>
+
+<itemizedlist>
+ <listitem><para>encrypted passwords must be enabled.
+ For more details on how to do this, refer to
+ <ulink url="ENCRYPTION.html">ENCRYPTION.html</ulink>.
+ </para></listitem>
+
+ <listitem><para>The server must support domain logons
+ and a <filename>[netlogon]</filename> share</para></listitem>
+
+ <listitem><para>The server must be the domain master browser
+ in order for Windows client to locate the server as a DC.</para>
+ </listitem>
+</itemizedlist>
+
+<para>
+As Samba 2.2 does not offer a complete implementation of group mapping between
+Windows NT groups and UNIX groups (this is really quite complicated to explain
+in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMONUSERS">domain
+admin users</ulink> and <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain
+admin group</ulink> smb.conf parameters for information of creating a Domain Admins
+style accounts.
+</para>
+
+</sect1>
+
+
+<sect1>
+<title>Creating Machine Trust Accounts and Joining Clients
+to the Domain</title>
+
+<para>
+First you must understand what a machine trust account is and what
+it is used for.
+</para>
+
+<para>
+A machine trust account is a user account owned by a computer.
+The account password acts as the shared secret for secure
+communication with the Domain Controller. Hence the reason that
+a Windows 9x host is never a true member of a domain because
+it does not posses a machine trust account and thus has no shared
+secret with the DC.
+</para>
+
+<para>
+On a Windows NT PDC, these machine trust account passwords are stored
+in the registry. A Samba PDC stores these accounts in he same location
+as user LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
+However, machine trust accounts only possess the NT password hash.
+</para>
+
+<para>
+There are two means of creating machine trust accounts.
+</para>
+
+<itemizedlist>
+ <listitem><para>Manual creation before joining the client
+ to the domain. In this case, the password is set to a known
+ value -- the lower case of the machine's netbios name.</para></listitem>
+
+ <listitem><para>Creation of the account at the time of
+ joining the domain. In this case, the session key of the
+ administrative account used to join the client to the domain acts
+ as an encryption key for setting the password to a random value.</para>
+ </listitem>
+</itemizedlist>
+
+<para>
+Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+will have an entry in <filename>/etc/passwd</filename> and smbpasswd.
+Future releases will alleviate the need to create
+<filename>/etc/passwd</filename> entries.
+</para>
+
+
+<para>
+The <filename>/etc/passwd</filename> entry will list the machine name
+with a $ appended, won't have a passwd, will have a null shell and no
+home directory. For example a machine called 'doppy' would have an
+<filename>/etc/passwd</filename> entry like this :
+</para>
+
+<para><programlisting>
+doppy$:x:505:501:NTMachine:/dev/null:/bin/false
+</programlisting></para>
+
+<para>
+If you are manually creating the machine accounts, it is necessary
+to add the <filename>/etc/passwd</filename> (or NIS passwd
+map) entry prior to adding the <filename>smbpasswd</filename>
+entry. The following command will create a new machine account
+ready for use.
+</para>
+
+<para>
+<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable>
+</para>
+
+<para>
+where <replaceable>machine_name</replaceable> is the machine's netbios
+name.
+</para>
+
+<para>
+<emphasis>If you manually create a machine account, immediately join
+the client to the domain.</emphasis> An open account like this
+can allow intruders to gain access to user account information
+in your domain.
+</para>
+
+<para>
+The second way of creating machine trust accounts is to add
+them on the fly at the time the client is joined to the domain.
+You will need to include a value for the
+<ulink url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink>
+parameter. Below is an example I use on a RedHat 6.2 Linux system.
+</para>
+
+<para><programlisting>
+add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
+</programlisting></para>
+
+<para>
+In Samba 2.2.0, <emphasis>only the root account</emphasis> can be used to create
+machine accounts on the fly like this. Therefore, it is required
+to create an entry in smbpasswd for <emphasis>root</emphasis>.
+The password <emphasis>SHOULD</emphasis> be set to s different
+password that the associated <filename>/etc/passwd</filename>
+entry for security reasons.
+</para>
+</sect1>
+
+<!-- **********************************************************
+
+ Common Problems
+
+*************************************************************** -->
+
+<sect1>
+<title>Common Problems and Errors</title>
+
+<para>
+</para>
+
+<para>
+<emphasis>I cannot include a '$' in a machine name.</emphasis>
+</para>
+
+<para>
+A 'machine name' in (typically) <filename>/etc/passwd</>
+of the machine name with a '$' appended. FreeBSD (and other BSD
+systems ?) won't create a user with a '$' in their name.
+</para>
+
+<para>
+The problem is only in the program used to make the entry, once
+made, it works perfectly. So create a user without the '$' and
+use <command>vipw</> to edit the entry, adding the '$'. Or create
+the whole entry with vipw if you like, make sure you use a
+unique uid !
+</para>
+
+
+<para>
+<emphasis>I get told "You already have a connection to the Domain...."
+when creating a machine account.</emphasis>
+</para>
+
+<para>
+This happens if you try to create a machine account from the
+machine itself and use a user name that does not work (for whatever
+reason) and then try another (possibly valid) user name.
+Exit out of the network applet to close the initial connection
+and try again.
+</para>
+
+<para>
+Further, if the machine is a already a 'member of a workgroup' that
+is the same name as the domain you are joining (bad idea) you will
+get this message. Change the workgroup name to something else, it
+does not matter what, reboot, and try again.
+</para>
+
+<para>
+<emphasis>I get told "Cannot join domain, the credentials supplied
+conflict with an existing set.."</emphasis>
+</para>
+
+<para>
+This is the same basic problem as mentioned above, "You already
+have a connection..."
+</para>
+
+<para>
+<emphasis>
+"The system can not log you on (C000019B)...."</emphasis>
+</para>
+
+<para>I joined the domain successfully but after upgrading
+to a newer version of the Samba code I get the message, "The system
+can not log you on (C000019B), Please try a gain or consult your
+system administrator" when attempting to logon.
+</para>
+
+<para>
+This occurs when the domain SID stored in
+<filename>private/WORKGROUP.SID</filename> is
+changed. For example, you remove the file and <command>smbd</command> automatically
+creates a new one. Or you are swapping back and forth between
+versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+only way to correct the problem is to restore the original domain
+SID or remove the domain client from the domain and rejoin.
+</para>
+
+
+<para>
+<emphasis>"The machine account for this computer either does not
+exist or is not accessible."</emphasis>
+</para>
+
+<para>
+When I try to join the domain I get the message "The machine account
+for this computer either does not exist or is not accessible". Whats
+wrong ?
+</para>
+
+<para>
+This problem is caused by the PDC not having a suitable machine account.
+If you are using the <command>add user script =</> method to create
+accounts then this would indicate that it has not worked. Ensure the domain
+admin user system is working.
+</para>
+
+<para>
+Alternatively if you are creating account entries manually then they
+have not been created correctly. Make sure that you have the entry
+correct for the machine account in smbpasswd file on the Samba PDC.
+If you added the account using an editor rather than using the smbpasswd
+utility, make sure that the account name is the machine netbios name
+with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+in both /etc/passwd and the smbpasswd file. Some people have reported
+that inconsistent subnet masks between the Samba server and the NT
+client have caused this problem. Make sure that these are consistent
+for both client and server.
+</para>
+
+</sect1>
+
+
+
+<!-- **********************************************************
+
+ Policies and Profiles
+
+*************************************************************** -->
+
+<sect1>
+<title>
+System Policies and Profiles
+</title>
+
+<para>
+Much of the information necessary to implement System Policies and
+Roving User Profiles in a Samba domain is the same as that for
+implementing these same items in a Windows NT 4.0 domain.
+You should read the white paper <ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">Implementing
+Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
+</para>
+
+<para>
+Here are some additional details:
+</para>
+
+<para>
+<emphasis>What about Windows NT Policy Editor ?</emphasis>
+</para>
+
+<para>
+To create or edit <filename>ntconfig.pol</filename> you must use
+the NT Server Policy Editor, <command>poledit.exe</command> which
+is included with NT Server but <emphasis>not NT Workstation</emphasis>.
+There is a Policy Editor on a NTws
+but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
+Further, although the Windows 95
+Policy Editor can be installed on an NT Workstation/Server, it will not
+work with NT policies because the registry key that are set by the policy templates.
+However, the files from the NT Server will run happily enough on an NTws.
+You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient
+to put the two *.adm files in <filename>c:\winnt\inf</> which is where
+the binary will look for them unless told otherwise. Note also that that
+directory is 'hidden'.
+</para>
+
+<para>The Windows NT policy editor is also included with the
+Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
+<command>servicepackname /x</command>, ie thats <command>Nt4sp6ai.exe
+/x</command> for service pack 6a. The policy editor, <command>poledit.exe</command> and the
+associated template files (*.adm) should
+be extracted as well. It is also possible to downloaded the policy template
+files for Office97 and get a copy of the policy editor. Another possible
+location is with the Zero Administration Kit available for download from Microsoft.
+</para>
+
+
+<para>
+<emphasis>Can Win95 do Policies ?</emphasis>
+</para>
+
+<para>
+Install the group policy handler for Win9x to pick up group
+policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
+Install group policies on a Win9x client by double-clicking
+<filename>grouppol.inf</filename>. Log off and on again a couple of
+times and see if Win98 picks up group policies. Unfortunately this needs
+to be done on every Win9x machine that uses group policies....
+</para>
+
+<para>
+If group policies don't work one reports suggests getting the updated
+(read: working) grouppol.dll for Windows 9x. The group list is grabbed
+from /etc/group.
+</para>
+
+<para>
+<emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis>
+</para>
+
+<para>
+Since I don't need to buy an NT Server CD now, how do I get
+the 'User Manager for Domains', the 'Server Manager' ?
+</para>
+
+<para>
+Microsoft distributes a version of
+these tools called nexus for installation on Windows 95 systems. The
+tools set includes
+</para>
+
+<itemizedlist>
+ <listitem><para>Server Manager</para></listitem>
+
+ <listitem><para>User Manager for Domains</para></listitem>
+
+ <listitem><para>Event Viewer</para></listitem>
+</itemizedlist>
+
+<para>
+Click here to download the archived file <ulink
+url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>
+</para>
+
+<para>
+The Windows NT 4.0 version of the 'User Manager for
+Domains' and 'Server Manager' are available from Microsoft via ftp
+from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
+</para>
+
+</sect1>
+
+
+
+<!-- **********************************************************
+
+ Getting Help
+
+*************************************************************** -->
+
+
+<sect1>
+<title>What other help can I get ? </title>
+
+<para>
+There are many sources of information available in the form
+of mailing lists, RFC's and documentation. The docs that come
+with the samba distribution contain very good explanations of
+general SMB topics such as browsing.</para>
+
+<para>
+<emphasis>What are some diagnostics tools I can use to debug the domain logon
+process and where can I find them?</emphasis>
+</para>
+
+ <para>
+ One of the best diagnostic tools for debugging problems is Samba itself.
+ You can use the -d option for both smbd and nmbd to specifiy what
+ 'debug level' at which to run. See the man pages on smbd, nmbd and
+ smb.conf for more information on debugging options. The debug
+ level can range from 1 (the default) to 10 (100 for debugging passwords).
+ </para>
+
+ <para>
+ Another helpful method of debugging is to compile samba using the
+ <command>gcc -g </command> flag. This will include debug
+ information in the binaries and allow you to attach gdb to the
+ running smbd / nmbd process. In order to attach gdb to an smbd
+ process for an NT workstation, first get the workstation to make the
+ connection. Pressing ctrl-alt-delete and going down to the domain box
+ is sufficient (at least, on the first time you join the domain) to
+ generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
+ maintains an open connection, and therefore there will be an smbd
+ process running (assuming that you haven't set a really short smbd
+ idle timeout) So, in between pressing ctrl alt delete, and actually
+ typing in your password, you can gdb attach and continue.
+ </para>
+
+ <para>
+ Some useful samba commands worth investigating:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>testparam | more</para></listitem>
+ <listitem><para>smbclient -L //{netbios name of server}</para></listitem>
+ </itemizedlist>
+
+ <para>
+ An SMB enabled version of tcpdump is available from
+ <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>.
+ Ethereal, another good packet sniffer for UNIX and Win32
+ hosts, can be downloaded from <ulink
+ url="http://www.ethereal.com/">http://www.ethereal.com</ulink>.
+ </para>
+
+ <para>
+ For tracing things on the Microsoft Windows NT, Network Monitor
+ (aka. netmon) is available on the Microsoft Developer Network CD's,
+ the Windows NT Server install CD and the SMS CD's. The version of
+ netmon that ships with SMS allows for dumping packets between any two
+ computers (ie. placing the network interface in promiscuous mode).
+ The version on the NT Server install CD will only allow monitoring
+ of network traffic directed to the local NT box and broadcasts on the
+ local subnet. Be aware that Ethereal can read and write netmon
+ formatted files.
+ </para>
+
+<para>
+<emphasis>How do I install 'Network Monitor' on an NT Workstation
+or a Windows 9x box?</emphasis>
+</para>
+ <para>
+ Installing netmon on an NT workstation requires a couple
+ of steps. The following are for installing Netmon V4.00.349, which comes
+ with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
+ Workstation 4.0. The process should be similar for other version of
+ Windows NT / Netmon. You will need both the Microsoft Windows
+ NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+ </para>
+
+ <para>
+ Initially you will need to install 'Network Monitor Tools and Agent'
+ on the NT Server. To do this
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Goto Start - Settings - Control Panel -
+ Network - Services - Add </para></listitem>
+
+ <listitem><para>Select the 'Network Monitor Tools and Agent' and
+ click on 'OK'.</para></listitem>
+
+ <listitem><para>Click 'OK' on the Network Control Panel.
+ </para></listitem>
+
+ <listitem><para>Insert the Windows NT Server 4.0 install CD
+ when prompted.</para></listitem>
+ </itemizedlist>
+
+ <para>
+ At this point the Netmon files should exist in
+ <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>.
+ Two subdirectories exist as well, <filename>parsers\</filename>
+ which contains the necessary DLL's for parsing the netmon packet
+ dump, and <filename>captures\</filename>.
+ </para>
+
+ <para>
+ In order to install the Netmon tools on an NT Workstation, you will
+ first need to install the 'Network Monitor Agent' from the Workstation
+ install CD.
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Goto Start - Settings - Control Panel -
+ Network - Services - Add</para></listitem>
+
+ <listitem><para>Select the 'Network Monitor Agent' and click
+ on 'OK'.</para></listitem>
+
+ <listitem><para>Click 'OK' on the Network Control Panel.
+ </para></listitem>
+
+ <listitem><para>Insert the Windows NT Workstation 4.0 install
+ CD when prompted.</para></listitem>
+ </itemizedlist>
+
+
+ <para>
+ Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
+ to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
+ permissions as you deem appropriate for your site. You will need
+ administrative rights on the NT box to run netmon.
+ </para>
+
+ <para>
+ To install Netmon on a Windows 9x box install the network monitor agent
+ from the Windows 9x CD (\admin\nettools\netmon). There is a readme
+ file located with the netmon driver files on the CD if you need
+ information on how to do this. Copy the files from a working
+ Netmon installation.
+ </para>
+
+<sect2>
+<title>URLs and similar</title>
+
+
+<itemizedlist>
+
+ <listitem><para>Home of Samba site <ulink url="http://samba.org">
+ http://samba.org</ulink>. We have a mirror near you !</para></listitem>
+
+ <listitem><para> The <emphasis>Development</emphasis> document
+ on the Samba mirrors might mention your problem. If so,
+ it might mean that the developers are working on it.</para></listitem>
+
+ <listitem><para>See how Scott Merrill simulates a BDC behavior at
+ <ulink url="http://www.skippy.net/linux/smb-howto.html">
+ http://www.skippy.net/linux/smb-howto.html</>. </para></listitem>
+
+ <listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will
+ keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba">
+ http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem>
+
+ <listitem><para>Misc links to CIFS information
+ <ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem>
+
+ <listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/">
+ http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem>
+
+ <listitem><para>FTP site for older SMB specs:
+ <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
+ ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem>
+
+</itemizedlist>
+
+</sect2>
+
+
+<sect2>
+<title>Mailing Lists</title>
+
+<para>
+<emphasis>How do I get help from the mailing lists ?</emphasis>
+</para>
+
+<para>
+There are a number of Samba related mailing lists. Go to <ulink
+url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror
+and then click on <command>Support</> and then click on <command>
+Samba related mailing lists</>.
+</para>
+
+<para>
+For questions relating to Samba TNG go to
+<ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink>
+It has been requested that you don't post questions about Samba-TNG to the
+main stream Samba lists.</para>
+
+<para>
+If you post a message to one of the lists please observe the following guide lines :
+</para>
+
+<itemizedlist>
+
+ <listitem><para> Always remember that the developers are volunteers, they are
+ not paid and they never guarantee to produce a particular feature at
+ a particular time. Any time lines are 'best guess' and nothing more.
+ </para></listitem>
+
+ <listitem><para> Always mention what version of samba you are using and what
+ operating system its running under. You should probably list the
+ relevant sections of your smb.conf file, at least the options
+ in [global] that affect PDC support.</para></listitem>
+
+ <listitem><para>In addition to the version, if you obtained Samba via
+ CVS mention the date when you last checked it out.</para></listitem>
+
+ <listitem><para> Try and make your question clear and brief, lots of long,
+ convoluted questions get deleted before they are completely read !
+ Don't post html encoded messages (if you can select colour or font
+ size its html).</para></listitem>
+
+ <listitem><para> If you run one of those nifty 'I'm on holidays' things when
+ you are away, make sure its configured to not answer mailing lists.
+ </para></listitem>
+
+ <listitem><para> Don't cross post. Work out which is the best list to post to
+ and see what happens, ie don't post to both samba-ntdom and samba-technical.
+ Many people active on the lists subscribe to more
+ than one list and get annoyed to see the same message two or more times.
+ Often someone will see a message and thinking it would be better dealt
+ with on another, will forward it on for you.</para></listitem>
+
+ <listitem><para>You might include <emphasis>partial</emphasis>
+ log files written at a debug level set to as much as 20.
+ Please don't send the entire log but enough to give the context of the
+ error messages.</para></listitem>
+
+ <listitem><para>(Possibly) If you have a complete netmon trace ( from the opening of
+ the pipe to the error ) you can send the *.CAP file as well.</para></listitem>
+
+ <listitem><para>Please think carefully before attaching a document to an email.
+ Consider pasting the relevant parts into the body of the message. The samba
+ mailing lists go to a huge number of people, do they all need a copy of your
+ smb.conf in their attach directory ?</para></listitem>
+
+</itemizedlist>
+
+
+<para>
+<emphasis>How do I get off the mailing lists ?</emphasis>
+</para>
+
+ <para>To have your name removed from a samba mailing list, go to the
+ same place you went to to get on it. Go to <ulink url=
+ "http://lists.samba.org/">http://lists.samba.org</ulink>, click
+ on your nearest mirror and then click on <command>Support</> and
+ then click on <command> Samba related mailing lists</>. Or perhaps see
+ <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink></para>
+
+ <para>
+ Please don't post messages to the list asking to be removed, you will just
+ be referred to the above address (unless that process failed in some way...)
+ </para>
+</sect2>
+</sect1>
+
+
+
+
+<!-- **********************************************************
+
+ Appendix - DOMAIN_CONTROL.txt
+
+*************************************************************** -->
+
+<sect1>
+<title>
+DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
+</title>
+
+<para>
+This appendix was originally authored by John H Terpstra of the Samba Team
+and is included here for posterity.
+</para>
+
+
+<para>
+<emphasis>NOTE :</emphasis>
+The term "Domain Controller" and those related to it refer to one specific
+method of authentication that can underly an SMB domain. Domain Controllers
+prior to Windows NT Server 3.1 were sold by various companies and based on
+private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
+Microsoft-specific ways of distributing the user authentication database.
+See DOMAIN.txt for examples of how Samba can participate in or create
+SMB domains based on shared authentication database schemes other than the
+Windows NT SAM.
+</para>
+
+<para>
+Windows NT Server can be installed as either a plain file and print server
+(WORKGROUP workstation or server) or as a server that participates in Domain
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
+</para>
+
+<para>
+The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.
+However only those servers which have licensed Windows NT code in them can be
+a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
+</para>
+
+<para>
+To many people these terms can be confusing, so let's try to clear the air.
+</para>
+
+<para>
+Every Windows NT system (workstation or server) has a registry database.
+The registry contains entries that describe the initialization information
+for all services (the equivalent of Unix Daemons) that run within the Windows
+NT environment. The registry also contains entries that tell application
+software where to find dynamically loadable libraries that they depend upon.
+In fact, the registry contains entries that describes everything that anything
+may need to know to interact with the rest of the system.
+</para>
+
+<para>
+The registry files can be located on any Windows NT machine by opening a
+command prompt and typing:
+</para>
+
+<para>
+<prompt>C:\WINNT\></prompt> dir %SystemRoot%\System32\config
+</para>
+
+<para>
+The environment variable %SystemRoot% value can be obtained by typing:
+</para>
+
+<para>
+<prompt>C:\WINNT></prompt>echo %SystemRoot%
+</para>
+
+<para>
+The active parts of the registry that you may want to be familiar with are
+the files called: default, system, software, sam and security.
+</para>
+
+<para>
+In a domain environment, Microsoft Windows NT domain controllers participate
+in replication of the SAM and SECURITY files so that all controllers within
+the domain have an exactly identical copy of each.
+</para>
+
+<para>
+The Microsoft Windows NT system is structured within a security model that
+says that all applications and services must authenticate themselves before
+they can obtain permission from the security manager to do what they set out
+to do.
+</para>
+
+<para>
+The Windows NT User database also resides within the registry. This part of
+the registry contains the user's security identifier, home directory, group
+memberships, desktop profile, and so on.
+</para>
+
+<para>
+Every Windows NT system (workstation as well as server) will have its own
+registry. Windows NT Servers that participate in Domain Security control
+have a database that they share in common - thus they do NOT own an
+independent full registry database of their own, as do Workstations and
+plain Servers.
+</para>
+
+<para>
+The User database is called the SAM (Security Access Manager) database and
+is used for all user authentication as well as for authentication of inter-
+process authentication (ie: to ensure that the service action a user has
+requested is permitted within the limits of that user's privileges).
+</para>
+
+<para>
+The Samba team have produced a utility that can dump the Windows NT SAM into
+smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
+/pub/samba/pwdump on your nearest Samba mirror for the utility. This
+facility is useful but cannot be easily used to implement SAM replication
+to Samba systems.
+</para>
+
+<para>
+Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
+can participate in a Domain security system that is controlled by Windows NT
+servers that have been correctly configured. At most every domain will have
+ONE Primary Domain Controller (PDC). It is desirable that each domain will
+have at least one Backup Domain Controller (BDC).
+</para>
+
+<para>
+The PDC and BDCs then participate in replication of the SAM database so that
+each Domain Controlling participant will have an up to date SAM component
+within its registry.
+</para>
+
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml
new file mode 100644
index 0000000000..41eb7a478c
--- /dev/null
+++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml
@@ -0,0 +1,446 @@
+<chapter>
+
+<title>How to Install and Test SAMBA</title>
+
+<sect1>
+ <title>Step 0: Read the man pages</title>
+
+ <para>The man pages distributed with SAMBA contain
+ lots of useful info that will help to get you started.
+ If you don't know how to read man pages then try
+ something like:</para>
+
+ <para><prompt>$ </prompt><userinput>nroff -man smbd.8 | more
+ </userinput></para>
+
+ <para>Other sources of information are pointed to
+ by the Samba web site,<ulink url="http://www.samba.org/">
+ http://www.samba.org</ulink></para>
+</sect1>
+
+<sect1>
+ <title>Step 1: Building the Binaries</title>
+
+ <para>To do this, first run the program <command>./configure
+ </command> in the source directory. This should automatically
+ configure Samba for your operating system. If you have unusual
+ needs then you may wish to run</para>
+
+ <para><prompt>root# </prompt><userinput>./configure --help
+ </userinput></para>
+
+ <para>first to see what special options you can enable.
+ Then exectuting</para>
+
+ <para><prompt>root# </prompt><userinput>make</userinput></para>
+
+ <para>will create the binaries. Once it's successfully
+ compiled you can use </para>
+
+ <para><prompt>root# </prompt><userinput>make install</userinput></para>
+
+ <para>to install the binaries and manual pages. You can
+ separately install the binaries and/or man pages using</para>
+
+ <para><prompt>root# </prompt><userinput>make installbin
+ </userinput></para>
+
+ <para>and</para>
+
+ <para><prompt>root# </prompt><userinput>make installman
+ </userinput></para>
+
+ <para>Note that if you are upgrading for a previous version
+ of Samba you might like to know that the old versions of
+ the binaries will be renamed with a ".old" extension. You
+ can go back to the previous version with</para>
+
+ <para><prompt>root# </prompt><userinput>make revert
+ </userinput></para>
+
+ <para>if you find this version a disaster!</para>
+</sect1>
+
+<sect1>
+ <title>Step 2: The all important step</title>
+
+ <para>At this stage you must fetch yourself a
+ coffee or other drink you find stimulating. Getting the rest
+ of the install right can sometimes be tricky, so you will
+ probably need it.</para>
+
+ <para>If you have installed samba before then you can skip
+ this step.</para>
+</sect1>
+
+<sect1>
+ <title>Step 3: Create the smb configuration file. </title>
+
+ <para>There are sample configuration files in the examples
+ subdirectory in the distribution. I suggest you read them
+ carefully so you can see how the options go together in
+ practice. See the man page for all the options.</para>
+
+ <para>The simplest useful configuration file would be
+ something like this:</para>
+
+ <para><programlisting>
+ [global]
+ workgroup = MYGROUP
+
+ [homes]
+ guest ok = no
+ read only = no
+ </programlisting</para>
+
+ <para>which would allow connections by anyone with an
+ account on the server, using either their login name or
+ "homes" as the service name. (Note that I also set the
+ workgroup that Samba is part of. See BROWSING.txt for defails)</para>
+
+ <para>Note that <command>make install</command> will not install
+ a <filename>smb.conf</filename> file. You need to create it
+ yourself. </para>
+
+ <para>Make sure you put the smb.conf file in the same place
+ you specified in the<filename>Makefile</filename> (the default is to
+ look for it in <filename>/usr/local/samba/lib/</filename>).</para>
+
+ <para>For more information about security settings for the
+ [homes] share please refer to the document UNIX_SECURITY.txt.</para>
+</sect1>
+
+<sect1>
+ <title>Step 4: Test your config file with
+ <command>testparm</command></title>
+
+ <para>It's important that you test the validity of your
+ <filename>smb.conf</filename> file using the testparm program.
+ If testparm runs OK then it will list the loaded services. If
+ not it will give an error message.</para>
+
+ <para>Make sure it runs OK and that the services look
+ resonable before proceeding. </para>
+
+</sect1>
+
+<sect1>
+ <title>Step 5: Starting the smbd and nmbd</title>
+
+ <para>You must choose to start smbd and nmbd either
+ as daemons or from <command>inetd</command>. Don't try
+ to do both! Either you can put them in <filename>
+ inetd.conf</filename> and have them started on demand
+ by <command>inetd</command>, or you can start them as
+ daemons either from the command line or in <filename>
+ /etc/rc.local</filename>. See the man pages for details
+ on the command line options. Take particular care to read
+ the bit about what user you need to be in order to start
+ Samba. In many cases you must be root.</para>
+
+ <para>The main advantage of starting <command>smbd</command>
+ and <command>nmbd</command> as a daemon is that they will
+ respond slightly more quickly to an initial connection
+ request. This is, however, unlikely to be a problem.</para>
+
+ <sect2>
+ <title>Step 5a: Starting from inetd.conf</title>
+
+ <para>NOTE; The following will be different if
+ you use NIS or NIS+ to distributed services maps.</para>
+
+ <para>Look at your <filename>/etc/services</filename>.
+ What is defined at port 139/tcp. If nothing is defined
+ then add a line like this:</para>
+
+ <para><userinput>netbios-ssn 139/tcp</userinput></para>
+
+ <para>similarly for 137/udp you should have an entry like:</para>
+
+ <para><userinput>netbios-ns 137/udp</userinput></para>
+
+ <para>Next edit your <filename>/etc/inetd.conf</filename>
+ and add two lines something like this:</para>
+
+ <para><programlisting>
+ netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+ netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
+ </programlisting></para>
+
+ <para>The exact syntax of <filename>/etc/inetd.conf</filename>
+ varies between unixes. Look at the other entries in inetd.conf
+ for a guide.</para>
+
+ <para>NOTE: Some unixes already have entries like netbios_ns
+ (note the underscore) in <filename>/etc/services</filename>.
+ You must either edit <filename>/etc/services</filename> or
+ <filename>/etc/inetd.conf</filename> to make them consistant.</para>
+
+ <para>NOTE: On many systems you may need to use the
+ "interfaces" option in smb.conf to specify the IP address
+ and netmask of your interfaces. Run <command>ifconfig</command>
+ as root if you don't know what the broadcast is for your
+ net. <command>nmbd</command> tries to determine it at run
+ time, but fails on somunixes. See the section on "testing nmbd"
+ for a method of finding if you need to do this.</para>
+
+ <para>!!!WARNING!!! Many unixes only accept around 5
+ parameters on the command line in <filename>inetd.conf</filename>.
+ This means you shouldn't use spaces between the options and
+ arguments, or you should use a script, and start the script
+ from <command>inetd</command>.</para>
+
+ <para>Restart <command>inetd</command>, perhaps just send
+ it a HUP. If you have installed an earlier version of <command>
+ nmbd</command> then you may need to kill nmbd as well.</para>
+ </sect2>
+
+ <sect2>
+ <title>Step 5b. Alternative: starting it as a daemon</title>
+
+ <para>To start the server as a daemon you should create
+ a script something like this one, perhaps calling
+ it <filename>startsmb</filename>.</para>
+
+ <para><programlisting>
+ #!/bin/sh
+ /usr/local/samba/bin/smbd -D
+ /usr/local/samba/bin/nmbd -D
+ </programlisting></para>
+
+ <para>then make it executable with <command>chmod
+ +x startsmb</command></para>
+
+ <para>You can then run <command>startsmb</command> by
+ hand or execute it from <filename>/etc/rc.local</filename>
+ </para>
+
+ <para>To kill it send a kill signal to the processes
+ <command>nmbd</command> and <command>smbd</command>.</para>
+
+ <para>NOTE: If you use the SVR4 style init system then
+ you may like to look at the <filename>examples/svr4-startup</filename>
+ script to make Samba fit into that system.</para>
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Step 6: Try listing the shares available on your
+ server</title>
+
+ <para><prompt>$ </prompt><userinput>smbclient -L
+ <replaceable>yourhostname</replaceable></userinput></para>
+
+ <para>Your should get back a list of shares available on
+ your server. If you don't then something is incorrectly setup.
+ Note that this method can also be used to see what shares
+ are available on other LanManager clients (such as WfWg).</para>
+
+ <para>If you choose user level security then you may find
+ that Samba requests a password before it will list the shares.
+ See the <command>smbclient</command> man page for details. (you
+ can force it to list the shares without a password by
+ adding the option -U% to the command line. This will not work
+ with non-Samba servers)</para>
+</sect1>
+
+<sect1>
+ <title>Step 7: Try connecting with the unix client</title>
+
+ <para><prompt>$ </prompt><userinput>smbclient <replaceable>
+ //yourhostname/aservice</replaceable></userinput></para>
+
+ <para>Typically the <replaceable>yourhostname</replaceable>
+ would be the name of the host where you installed <command>
+ smbd</command>. The <replaceable>aservice</replaceable> is
+ any service you have defined in the <filename>smb.conf</filename>
+ file. Try your user name if you just have a [homes] section
+ in <filename>smb.conf</filename>.</para>
+
+ <para>For example if your unix host is bambi and your login
+ name is fred you would type:</para>
+
+ <para><prompt>$ </prompt><userinput>smbclient //bambi/fred
+ </userinput></para>
+</sect1>
+
+<sect1>
+ <title>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
+ Win2k, OS/2, etc... client</title>
+
+ <para>Try mounting disks. eg:</para>
+
+ <para><prompt>C:\WINDOWS\> </prompt><userinput>net use d: \\servername\service
+ </userinput></para>
+
+ <para>Try printing. eg:</para>
+
+ <para><prompt>C:\WINDOWS\> </prompt><userinput>net use lpt1:
+ \\servername\spoolservice</userinput></para>
+
+ <para><prompt>C:\WINDOWS\> </prompt><userinput>print filename
+ </userinput></para>
+
+ <para>Celebrate, or send me a bug report!</para>
+</sect1>
+
+<sect1>
+ <title>What If Things Don't Work?</title>
+
+ <para>If nothing works and you start to think "who wrote
+ this pile of trash" then I suggest you do step 2 again (and
+ again) till you calm down.</para>
+
+ <para>Then you might read the file DIAGNOSIS.txt and the
+ FAQ. If you are still stuck then try the mailing list or
+ newsgroup (look in the README for details). Samba has been
+ successfully installed at thousands of sites worldwide, so maybe
+ someone else has hit your problem and has overcome it. You could
+ also use the WWW site to scan back issues of the samba-digest.</para>
+
+ <para>When you fix the problem PLEASE send me some updates to the
+ documentation (or source code) so that the next person will find it
+ easier. </para>
+
+ <sect2>
+ <title>Diagnosing Problems</title>
+
+ <para>If you have instalation problems then go to
+ <filename>DIAGNOSIS.txt</filename> to try to find the
+ problem.</para>
+ </sect2>
+
+ <sect2>
+ <title>Scope IDs</title>
+
+ <para>By default Samba uses a blank scope ID. This means
+ all your windows boxes must also have a blank scope ID.
+ If you really want to use a non-blank scope ID then you will
+ need to use the -i &lt;scope&gt; option to nmbd, smbd, and
+ smbclient. All your PCs will need to have the same setting for
+ this to work. I do not recommend scope IDs.</para>
+ </sect2>
+
+
+ <sect2>
+ <title>Choosing the Protocol Level</title>
+
+ <para>The SMB protocol has many dialects. Currently
+ Samba supports 5, called CORE, COREPLUS, LANMAN1,
+ LANMAN2 and NT1.</para>
+
+ <para>You can choose what maximum protocol to support
+ in the <filename>smb.conf</filename> file. The default is
+ NT1 and that is the best for the vast majority of sites.</para>
+
+ <para>In older versions of Samba you may have found it
+ necessary to use COREPLUS. The limitations that led to
+ this have mostly been fixed. It is now less likely that you
+ will want to use less than LANMAN1. The only remaining advantage
+ of COREPLUS is that for some obscure reason WfWg preserves
+ the case of passwords in this protocol, whereas under LANMAN1,
+ LANMAN2 or NT1 it uppercases all passwords before sending them,
+ forcing you to use the "password level=" option in some cases.</para>
+
+ <para>The main advantage of LANMAN2 and NT1 is support for
+ long filenames with some clients (eg: smbclient, Windows NT
+ or Win95). </para>
+
+ <para>See the smb.conf(5) manual page for more details.</para>
+
+ <para>Note: To support print queue reporting you may find
+ that you have to use TCP/IP as the default protocol under
+ WfWg. For some reason if you leave Netbeui as the default
+ it may break the print queue reporting on some systems.
+ It is presumably a WfWg bug.</para>
+ </sect2>
+
+ <sect2>
+ <title>Printing from UNIX to a Client PC</title>
+
+ <para>To use a printer that is available via a smb-based
+ server from a unix host you will need to compile the
+ smbclient program. You then need to install the script
+ "smbprint". Read the instruction in smbprint for more details.
+ </para>
+
+ <para>There is also a SYSV style script that does much
+ the same thing called smbprint.sysv. It contains instructions.</para>
+ </sect2>
+
+ <sect2>
+ <title>Locking</title>
+
+ <para>One area which sometimes causes trouble is locking.</para>
+
+ <para>There are two types of locking which need to be
+ performed by a SMB server. The first is "record locking"
+ which allows a client to lock a range of bytes in a open file.
+ The second is the "deny modes" that are specified when a file
+ is open.</para>
+
+ <para>Samba supports "record locking" using the fcntl() unix system
+ call. This is often implemented using rpc calls to a rpc.lockd process
+ running on the system that owns the filesystem. Unfortunately many
+ rpc.lockd implementations are very buggy, particularly when made to
+ talk to versions from other vendors. It is not uncommon for the
+ rpc.lockd to crash.</para>
+
+ <para>There is also a problem translating the 32 bit lock
+ requests generated by PC clients to 31 bit requests supported
+ by most unixes. Unfortunately many PC applications (typically
+ OLE2 applications) use byte ranges with the top bit set
+ as semaphore sets. Samba attempts translation to support
+ these types of applications, and the translation has proved
+ to be quite successful.</para>
+
+ <para>Strictly a SMB server should check for locks before
+ every read and write call on a file. Unfortunately with the
+ way fcntl() works this can be slow and may overstress the
+ rpc.lockd. It is also almost always unnecessary as clients
+ are supposed to independently make locking calls before reads
+ and writes anyway if locking is important to them. By default
+ Samba only makes locking calls when explicitly asked
+ to by a client, but if you set "strict locking = yes" then it will
+ make lock checking calls on every read and write. </para>
+
+ <para>You can also disable by range locking completely
+ using "locking = no". This is useful for those shares that
+ don't support locking or don't need it (such as cdroms). In
+ this case Samba fakes the return codes of locking calls to
+ tell clients that everything is OK.</para>
+
+ <para>The second class of locking is the "deny modes". These
+ are set by an application when it opens a file to determine
+ what types of access should be allowed simultaneously with
+ its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
+ or DENY_ALL. There are also special compatability modes called
+ DENY_FCB and DENY_DOS.</para>
+
+ <para>You can disable share modes using "share modes = no".
+ This may be useful on a heavily loaded server as the share
+ modes code is very slow. See also the FAST_SHARE_MODES
+ option in the Makefile for a way to do full share modes
+ very fast using shared memory (if your OS supports it).</para>
+ </sect2>
+
+ <sect2>
+ <title>Mapping Usernames</title>
+
+ <para>If you have different usernames on the PCs and
+ the unix server then take a look at the "username map" option.
+ See the smb.conf man page for details.</para>
+ </sect2>
+
+ <sect2>
+ <title>Other Character Sets</title>
+
+ <para>If you have problems using filenames with accented
+ characters in them (like the German, French or Scandinavian
+ character sets) then I recommmend you look at the "valid chars"
+ option in smb.conf and also take a look at the validchars
+ package in the examples directory.</para>
+ </sect2>
+
+</sect1>
+</chapter>
diff --git a/docs/docbook/projdoc/msdfs_setup.sgml b/docs/docbook/projdoc/msdfs_setup.sgml
new file mode 100644
index 0000000000..5853049d79
--- /dev/null
+++ b/docs/docbook/projdoc/msdfs_setup.sgml
@@ -0,0 +1,117 @@
+<chapter>
+
+<chapterinfo>
+ <author>
+ <firstname>Shirish</firstname><surname>Kalele</surname>
+ <affiliation>
+ <orgname>Samba Team & Veritas Software</orgname>
+ <address>
+ <email>samba@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+
+ <pubdate>12 Jul 200</pubdate>
+</chapterinfo>
+
+
+<title>Hosting a Microsoft Distributed File System tree on Samba</title>
+
+<sect1>
+
+ <title>Instructions</title>
+
+ <para>The Distributed File System (or Dfs) provides a means of
+ separating the logical view of files and directories that users
+ see from the actual physical locations of these resources on the
+ network. It allows for higher availability, smoother storage expansion,
+ load balancing etc. For more information about Dfs, refer to <ulink
+ url="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp">
+ Microsoft documentation</ulink>. </para>
+
+ <para>This document explains how to host a Dfs tree on a Unix
+ machine (for Dfs-aware clients to browse) using Samba.</para>
+
+ <para>To enable SMB-based DFS for Samba, configure it with the
+ <parameter>--with-msdfs</parameter> option. Once built, a
+ Samba server can be made a Dfs server by setting the global
+ boolean <ulink url="smb.conf.5.html#HOSTMSDFS"><parameter>
+ host msdfs</parameter></ulink> parameter in the <filename>smb.conf
+ </filename> file. You designate a share as a Dfs root using the share
+ level boolean <ulink url="smb.conf.5.html#MSDFSROOT"><parameter>
+ msdfs root</parameter></ulink> parameter. A Dfs root directory on
+ Samba hosts Dfs links in the form of symbolic links that point
+ to other servers. For example, a symbolic link
+ <filename>junction-&gt;msdfs:storage1\share1</filename> in
+ the share directory acts as the Dfs junction. When Dfs-aware
+ clients attempt to access the junction link, they are redirected
+ to the storage location (in this case, \\storage1\share1).</para>
+
+ <para>Dfs trees on Samba work with all Dfs-aware clients ranging
+ from Windows 95 to 2000.</para>
+
+ <para>Here's an example of setting up a Dfs tree on a Samba
+ server.</para>
+
+ <para><programlisting>
+# The smb.conf file:
+[global]
+ netbios name = SAMBA
+ host msdfs = yes
+
+[dfs]
+ path = /export/dfsroot
+ msdfs root = yes
+ </programlisting></para>
+
+
+ <para>In the /export/dfsroot directory we set up our dfs links to
+ other servers on the network.</para>
+
+ <para><prompt>root# </prompt><userinput>cd /export/dfsroot</userinput></para>
+ <para><prompt>root# </prompt><userinput>chown root /export/dfsroot</userinput></para>
+ <para><prompt>root# </prompt><userinput>chmod 755 /export/dfsroot</userinput></para>
+ <para><prompt>root# </prompt><userinput>ln -s msdfs:storageA\\shareA linka</userinput></para>
+ <para><prompt>root# </prompt><userinput>ln -s msdfs:serverB\\share,serverC\\share linkb</userinput></para>
+
+
+ <para>You should set up the permissions and ownership of
+ the directory acting as the Dfs root such that only designated
+ users can create, delete or modify the msdfs links. Also note
+ that symlink names should be all lowercase. This limitation exists
+ to have Samba avoid trying all the case combinations to get at
+ the link name. Finally set up the symbolic links to point to the
+ network shares you want, and start Samba.</para>
+
+ <para>Users on Dfs-aware clients can now browse the Dfs tree
+ on the Samba server at \\samba\dfs. Accessing
+ links linka or linkb (which appear as directories to the client)
+ takes users directly to the appropriate shares on the network.</para>
+
+ <sect2>
+ <title>Notes</title>
+
+ <itemizedlist>
+ <listitem><para>Windows clients need to be rebooted
+ if a previously mounted non-dfs share is made a dfs
+ root or vice versa. A better way is to introduce a
+ new share and make it the dfs root.</para>
+ </listitem>
+
+ <listitem><para>Currently there's a restriction that msdfs
+ symlink names should all be lowercase.</para>
+ </listitem>
+
+ <listitem><para>For security purposes, the directory
+ acting as the root of the Dfs tree should have ownership
+ and permissions set so that only designated users can
+ modify the symbolic links in the directory.</para>
+ </listitem>
+ </itemizedlist>
+ </sect2>
+</sect1>
+
+
+
+</chapter>
diff --git a/docs/docbook/projdoc/printer_driver2.sgml b/docs/docbook/projdoc/printer_driver2.sgml
new file mode 100644
index 0000000000..7f0aebc45f
--- /dev/null
+++ b/docs/docbook/projdoc/printer_driver2.sgml
@@ -0,0 +1,555 @@
+<chapter>
+
+
+<chapterinfo>
+ <author>
+ <firstname>Gerald (Jerry)</firstname><surname>Carter</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jerry@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+
+
+ <pubdate> (20 Apr 2001) </pubdate>
+</chapterinfo>
+
+<title>Printing Support in Samba 2.2.x</title>
+
+<sect1>
+<title>Introduction</title>
+
+<para>Beginning with the 2.2.0 release, Samba supports
+the native Windows NT printing mechanisms implemented via
+MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
+Samba only supported LanMan printing calls.</para>
+
+<para>The additional functionality provided by the new
+SPOOLSS support includes:</para>
+
+<itemizedlist>
+ <listitem><para>Support for downloading printer driver
+ files to Windows 95/98/NT/2000 clients upon demand.
+ </para></listitem>
+
+ <listitem><para>Uploading of printer drivers via the
+ Windows NT Add Printer Wizard (APW) or the
+ Imprints tool set (refer to <ulink
+ url="http://imprints.sourceforge.net">http://imprints.sourceforge.net</ulink>).
+ </para></listitem>
+
+ <listitem><para>Support for the native MS-RPC printing
+ calls such as StartDocPrinter, EnumJobs(), etc... (See
+ the MSDN documentation at <ulink
+ url="http://msdn.microsoft.com/">http://msdn.microsoft.com/</ulink>
+ for more information on the Win32 printing API)
+ </para></listitem>
+
+ <listitem><para>Support for NT Access Control Lists (ACL)
+ on printer objects</para></listitem>
+
+ <listitem><para>Improved support for printer queue manipulation
+ through the use of an internal databases for spooled job
+ information</para></listitem>
+</itemizedlist>
+
+</sect1>
+
+
+<sect1>
+<title>Configuration</title>
+
+<para>
+<emphasis>WARNING!!!</emphasis> Previous versions of Samba
+recommended using a share named [printer$]. This name was taken from the
+printer$ service created by Windows 9x clients when a
+printer was shared. Windows 9x printer servers always have
+a printer$ service which provides read-only access via no
+password in order to support printer driver downloads.
+</para>
+
+<para>
+However, the initial implementation allowed for a
+parameter named <parameter>printer driver location</parameter>
+to be used on a per share basis to specify the location of
+the driver files associated with that printer. Another
+parameter named <parameter>printer driver</parameter> provided
+a means of defining the printer driver name to be sent to
+the client.
+</para>
+
+<para>
+These parameters, including <parameter>printer driver
+file</parameter> parameter, are being depreciated and should not
+be used in new installations. For more information on this change,
+you should refer to the <link linkend="MIGRATION">Migration section
+</link>of this document.
+</para>
+
+
+<sect2>
+<title>Creating [print$]</title>
+
+<para>
+In order to support the uploading of printer driver
+files, you must first configure a file share named [print$].
+The name of this share is hard coded in Samba's internals so
+the name is very important (print$ is the service used by
+Windows NT print servers to provide support for printer driver
+download).
+</para>
+
+<para>You should modify the server's smb.conf file to create the
+following file share (of course, some of the parameter values,
+such as 'path' are arbitrary and should be replaced with
+appropriate values for your site):</para>
+
+<para><programlisting>
+[print$]
+ path = /usr/local/samba/printers
+ guest ok = yes
+ browseable = yes
+ read only = yes
+ write list = ntadmin
+</programlisting></para>
+
+<para>The <ulink url="smb.conf.5.html#WRITELIST"><parameter>
+write list</parameter></ulink> is used to allow administrative
+level user accounts to have write access in order to update files
+on the share. See the <ulink url="smb./conf.5.html">
+smb.conf(5) man page</ulink> for more information on
+configuring file shares.</para>
+
+<para>The requirement for <ulink url="smb.conf.5.html#GUESTOK"><command>
+guest ok = yes</command></ulink> depends upon how your
+site is configured. If users will be guaranteed to have
+an account on the Samba host, then this is a non-issue.</para>
+
+<note>
+<title>Author's Note</title>
+
+<para>
+The non-issue is that if all your Windows NT users are guaranteed to be
+authenticated by the Samba server (such as a domain member server and the NT
+user has already been validated by the Domain Controller in
+order to logon to the Windows NT console), then guest access
+is not necessary. Of course, in a workgroup environment where
+you just want to be able to print without worrying about
+silly accounts and security, then configure the share for
+guest access. You'll probably want to add <ulink
+url="smb.conf.5.html#MAPTOGUEST"><command>map to guest = Bad User
+</command></ulink> in the [global] section as well. Make sure
+you understand what this parameter does before using it
+though. --jerry
+</para>
+</note>
+
+<para>In order for a Windows NT print server to support
+the downloading of driver files by multiple client architectures,
+it must create subdirectories within the [print$] service
+which correspond to each of the supported client architectures.
+Samba follows this model as well.</para>
+
+<para>Next create the directory tree below the [print$] share
+for each architecture you wish to support.</para>
+
+<para><programlisting>
+[print$]-----
+ |-W32X86 ; "Windows NT x86"
+ |-WIN40 ; "Windows 95/98"
+ |-W32ALPHA ; "Windows NT Alpha_AXP"
+ |-W32MIPS ; "Windows NT R4000"
+ |-W32PPC ; "Windows NT PowerPC"
+</programlisting></para>
+
+<warning>
+ <title>ATTENTION! REQUIRED PERMISSIONS</title>
+
+ <para>In order to currently add a new driver to you Samba host,
+ one of two conditions must hold true:</para>
+
+ <itemizedlist>
+ <listitem><para>The account used to connect to the Samba host
+ must have a uid of 0 (i.e. a root account)</para></listitem>
+
+ <listitem><para>The account used to connect to the Samba host
+ must be a member of the <ulink
+ url="smb.conf.5.html#PRINTERADMIN"><parameter>printer
+ admin</parameter></ulink> list.</para></listitem>
+ </itemizedlist>
+
+ <para>Of course, the connected account must still possess access
+ to add files to the subdirectories beneath [print$].</para>
+</warning>
+
+
+<para>Once you have created the required [print$] service and
+associated subdirectories, simply log onto the Samba server using
+a root (or <parameter>printer admin</parameter>) account
+from a Windows NT 4.0 client. Navigate to the "Printers" folder
+on the Samba server. You should see an initial listing of printers
+that matches the printer shares defined on your Samba host.
+</para>
+</sect2>
+
+<sect2>
+<title>Setting Drivers for Existing Printers</title>
+
+<para>The initial listing of printers in the Samba host's
+Printers folder will have no printer driver assigned to them.
+The way assign a driver to a printer is to view the Properties
+of the printer and either</para>
+
+<itemizedlist>
+ <listitem><para>Use the "New Driver..." button to install
+ a new printer driver, or</para></listitem>
+
+ <listitem><para>Select a driver from the popup list of
+ installed drivers. Initially this list will be empty.</para>
+ </listitem>
+</itemizedlist>
+
+<para>If you wish to install printer drivers for client
+operating systems other than "Windows NT x86", you will need
+to use the "Sharing" tab of the printer properties dialog.</para>
+
+<para>Assuming you have connected with a root account, you
+will also be able modify other printer properties such as
+ACLs and device settings using this dialog box.</para>
+
+<para>A few closing comments for this section, it is possible
+on a Windows NT print server to have printers
+listed in the Printers folder which are not shared. Samba does
+not make this distinction. By definition, the only printers of
+which Samba is aware are those which are specified as shares in
+<filename>smb.conf</filename>.</para>
+
+<para>Another interesting side note is that Windows NT clients do
+not use the SMB printer share, but rather can print directly
+to any printer on another Windows NT host using MS-RPC. This
+of course assumes that the printing client has the necessary
+privileges on the remote host serving the printer. The default
+permissions assigned by Windows NT to a printer gives the "Print"
+permissions to the "Everyone" well-known group.
+</para>
+
+</sect2>
+
+
+<sect2>
+<title>Support a large number of printers</title>
+
+<para>One issue that has arisen during the development
+phase of Samba 2.2 is the need to support driver downloads for
+100's of printers. Using the Windows NT APW is somewhat
+awkward to say the list. If more than one printer are using the
+same driver, the <ulink url="rpcclient.1.html"><command>rpcclient's
+setdriver command</command></ulink> can be used to set the driver
+associated with an installed driver. The following is example
+of how this could be accomplished:</para>
+
+<para><programlisting>
+<prompt>$ </prompt>rpcclient pogo -U root%secret -c "enumdrivers"
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+
+[Windows NT x86]
+Printer Driver Info 1:
+ Driver Name: [HP LaserJet 4000 Series PS]
+
+Printer Driver Info 1:
+ Driver Name: [HP LaserJet 2100 Series PS]
+
+Printer Driver Info 1:
+ Driver Name: [HP LaserJet 4Si/4SiMX PS]
+
+<prompt>$ </prompt>rpcclient pogo -U root%secret -c "enumprinters"
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+ flags:[0x800000]
+ name:[\\POGO\hp-print]
+ description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
+ comment:[]
+
+<prompt>$ </prompt>rpcclient pogo -U root%bleaK.er \
+<prompt>&gt; </prompt> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+Successfully set hp-print to driver HP LaserJet 4000 Series PS.
+</programlisting></para>
+</sect2>
+
+
+
+<sect2>
+<title>Adding New Printers via the Windows NT APW</title>
+
+<para>
+By default, Samba offers all printer shares defined in <filename>smb.conf</filename>
+in the "Printers..." folder. Also existing in this folder is the Windows NT
+Add Printer Wizard icon. The APW will be show only if
+</para>
+
+<itemizedlist>
+ <listitem><para>The connected user is able to successfully
+ execute an OpenPrinterEx(\\server) with administrative
+ priviledges (i.e. root or <parameter>printer admin</parameter>.
+ </para></listitem>
+
+ <listitem><para><ulink url="smb.conf.5.html#SHOWADDPRINTERWIZARD"><parameter>show
+ add printer wizard = yes</parameter></ulink> (the default).
+ </para></listitem>
+</itemizedlist>
+
+<para>
+In order to be able to use the APW to successfully add a printer to a Samba
+server, the <ulink url="smb.conf.5.html#ADDPRINTERCOMMAND"><parameter>addprinter
+command</parameter></ulink> must have a defined value. The program
+hook must successfully add the printer to the system (i.e.
+<filename>/etc/printcap</filename> or appropriate files) and
+<filename>smb.conf</filename> if necessary.
+</para>
+
+<para>
+When using the APW from a client, if the named printer share does
+not exist, <command>smbd</command> will execute the <parameter>add printer
+program</parameter> and reparse to the <filename>smb.conf</filename>
+to attempt to locate the new printer share. If the share is still not defined,
+an error of "Access Denied" is returned to the client. Note that the
+<parameter>add printer program</parameter> is executed undet the context
+of the connected user, not necessarily a root account.
+</para>
+
+<para>
+There is a complementing <ulink url="smb.conf.5.html#DELETEPRINTERCOMMAND"><parameter>deleteprinter
+command</parameter></ulink> for removing entries from the "Printers..."
+folder.
+</para>
+
+</sect2>
+
+
+<sect2>
+<title>Samba and Printer Ports</title>
+
+<para>
+Windows NT/2000 print servers associate a port with each printer. These normally
+take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
+concept of ports associated with a printer. By default, only one printer port,
+named "Samba Printer Port", exists on a system. Samba does not really a port in
+order to print, rather it is a requirement of Windows clients.
+</para>
+
+<para>
+Note that Samba does not support the concept of "Printer Pooling" internally
+either. This is when a logical printer is assigned to multiple ports as
+a form of load balancing or fail over.
+</para>
+
+<para>
+If you require that multiple ports be defined for some reason,
+<filename>smb.conf</filename> possesses a <ulink
+url="smb.conf.5.html#ENUMPORTSCOMMAND"><parameter>enumports
+command</parameter></ulink> which can be used to define an external program
+that generates a listing of ports on a system.
+</para>
+
+</sect2>
+
+</sect1>
+
+
+<sect1>
+ <title>The Imprints Toolset</title>
+
+ <para>The Imprints tool set provides a UNIX equivalent of the
+ Windows NT Add Printer Wizard. For complete information, please
+ refer to the Imprints web site at <ulink url="http://imprints.sourceforge.net/">
+ http://imprints.sourceforge.net/</ulink> as well as the documentation
+ included with the imprints source distribution. This section will
+ only provide a brief introduction to the features of Imprints.</para>
+
+
+ <sect2>
+ <title>What is Imprints?</title>
+
+ <para>Imprints is a collection of tools for supporting the goals
+ of</para>
+
+ <itemizedlist>
+ <listitem><para>Providing a central repository information
+ regarding Windows NT and 95/98 printer driver packages</para>
+ </listitem>
+
+ <listitem><para>Providing the tools necessary for creating
+ the Imprints printer driver packages.</para></listitem>
+
+ <listitem><para>Providing an installation client which
+ will obtain and install printer drivers on remote Samba
+ and Windows NT 4 print servers.</para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Creating Printer Driver Packages</title>
+
+ <para>The process of creating printer driver packages is beyond
+ the scope of this document (refer to Imprints.txt also included
+ with the Samba distribution for more information). In short,
+ an Imprints driver package is a gzipped tarball containing the
+ driver files, related INF files, and a control file needed by the
+ installation client.</para>
+ </sect2>
+
+
+ <sect2>
+ <title>The Imprints server</title>
+
+ <para>The Imprints server is really a database server that
+ may be queried via standard HTTP mechanisms. Each printer
+ entry in the database has an associated URL for the actual
+ downloading of the package. Each package is digitally signed
+ via GnuPG which can be used to verify that package downloaded
+ is actually the one referred in the Imprints database. It is
+ <emphasis>not</emphasis> recommended that this security check
+ be disabled.</para>
+ </sect2>
+
+ <sect2>
+ <title>The Installation Client</title>
+
+ <para>More information regarding the Imprints installation client
+ is available in the <filename>Imprints-Client-HOWTO.ps</filename>
+ file included with the imprints source package.</para>
+
+ <para>The Imprints installation client comes in two forms.</para>
+
+ <itemizedlist>
+ <listitem><para>a set of command line Perl scripts</para>
+ </listitem>
+
+ <listitem><para>a GTK+ based graphical interface to
+ the command line perl scripts</para></listitem>
+ </itemizedlist>
+
+ <para>The installation client (in both forms) provides a means
+ of querying the Imprints database server for a matching
+ list of known printer model names as well as a means to
+ download and install the drivers on remote Samba and Windows
+ NT print servers.</para>
+
+ <para>The basic installation process is in four steps and
+ perl code is wrapped around <command>smbclient</command>
+ and <command>rpcclient</command>.</para>
+
+<para><programlisting>
+foreach (supported architecture for a given driver)
+{
+ 1. rpcclient: Get the appropriate upload directory
+ on the remote server
+ 2. smbclient: Upload the driver files
+ 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
+}
+
+4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
+ create the printer
+</programlisting></para>
+
+ <para>One of the problems encountered when implementing
+ the Imprints tool set was the name space issues between
+ various supported client architectures. For example, Windows
+ NT includes a driver named "Apple LaserWriter II NTX v51.8"
+ and Windows 95 callsits version of this driver "Apple
+ LaserWriter II NTX"</para>
+
+ <para>The problem is how to know what client drivers have
+ been uploaded for a printer. As astute reader will remember
+ that the Windows NT Printer Properties dialog only includes
+ space for one printer driver name. A quick look in the
+ Windows NT 4.0 system registry at</para>
+
+ <para><filename>HKLM\System\CurrentControlSet\Control\Print\Environment
+ </filename></para>
+
+ <para>will reveal that Windows NT always uses the NT driver
+ name. The is ok as Windows NT always requires that at least
+ the Windows NT version of the printer driver is present.
+ However, Samba does not have the requirement internally.
+ Therefore, how can you use the NT driver name if is has not
+ already been installed?</para>
+
+ <para>The way of sidestepping this limitation is to require
+ that all Imprints printer driver packages include both the Intel
+ Windows NT and 95/98 printer drivers and that NT driver is
+ installed first.</para>
+ </sect2>
+
+</sect1>
+
+
+<sect1>
+ <title><anchor id="MIGRATION">Migration to from Samba 2.0.x to
+ 2.2.x</title>
+
+ <para>Given that printer driver management has changed
+ (we hope improved :) ) in 2.2.0 over prior releases,
+ migration from an existing setup to 2.2.0 can follow
+ several paths.</para>
+
+ <warning>
+ <title>Achtung!</title>
+ <para>The following smb.conf parameters are considered to be
+ depreciated and will be removed soon. Do not use them
+ in new installations</para>
+
+ <itemizedlist>
+ <listitem><para><parameter>printer driver file (G)</parameter>
+ </para></listitem>
+
+ <listitem><para><parameter>printer driver (S)</parameter>
+ </para></listitem>
+
+ <listitem><para><parameter>printer driver location (S)</parameter>
+ </para></listitem>
+ </itemizedlist>
+ </warning>
+
+
+ <para>Here are the possible scenarios for supporting migration:</para>
+
+ <itemizedlist>
+ <listitem><para>If you do not desire the new Windows NT
+ print driver support, nothing needs to be done.
+ All existing parameters work the same.</para></listitem>
+
+ <listitem><para>If you want to take advantage of NT printer
+ driver support but do not want to migrate the
+ 9x drivers to the new setup, the leave the existing
+ printers.def file. When smbd attempts to locate a
+ 9x driver for the printer in the TDB and fails it
+ will drop down to using the printers.def (and all
+ associated parameters). The <command>make_printerdef</command>
+ tool will also remain for backwards compatibility but will
+ be moved to the "this tool is the old way of doing it"
+ pile.</para></listitem>
+
+ <listitem><para>If you install a Windows 9x driver for a printer
+ on your Samba host (in the printing TDB), this information will
+ take precedence and the three old printing parameters
+ will be ignored (including print driver location).</para></listitem>
+
+ <listitem><para>If you want to migrate an existing <filename>printers.def</filename>
+ file into the new setup, the current only
+ solution is to use the Windows NT APW to install the NT drivers
+ and the 9x drivers. This can be scripted using <command>smbclient</command>
+ and <command>rpcclient</command>. See the
+ Imprints installation client at <ulink
+ url="http://imprints.sourceforge.net/">http://imprints.sourceforge.net/</ulink>
+ for an example.
+ </para></listitem>
+ </itemizedlist>
+
+</sect1>
+
+</chapter>
diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml
index 08499115be..b055477db7 100644
--- a/docs/docbook/projdoc/samba-doc.sgml
+++ b/docs/docbook/projdoc/samba-doc.sgml
@@ -1,5 +1,13 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
-<!ENTITY Chapter1 SYSTEM "chapter1.sgml">
+<!ENTITY UNIX-INSTALL SYSTEM "UNIX_INSTALL.sgml">
+<!ENTITY ENCRYPTION SYSTEM "ENCRYPTION.sgml">
+<!ENTITY MS-Dfs-Setup SYSTEM "msdfs_setup.sgml">
+<!ENTITY PRINTER-DRIVER2 SYSTEM "printer_driver2.sgml">
+<!ENTITY DOMAIN-MEMBER SYSTEM "DOMAIN_MEMBER.sgml">
+<!ENTITY WINBIND SYSTEM "winbind.sgml">
+<!ENTITY NT-Security SYSTEM "NT_Security.sgml">
+<!ENTITY OS2-Client SYSTEM "OS2-Client-HOWTO.sgml">
+<!ENTITY Samba-PDC-HOWTO SYSTEM "Samba-PDC-HOWTO.sgml">
]>
<book id="Samba-Project-Documentation">
@@ -10,13 +18,36 @@
<author>
<surname>SAMBA Team</surname>
</author>
- <address><email>samba&commat;samba.org</email></address>
+ <address><email>samba@samba.org</email></address>
<pubdate>$rcsId</pubdate>
</bookinfo>
-<toc></toc>
+<dedication>
+<title>Abstract</title>
+<para>
+This book is a collection of HOWTOs added to Samba documentation over the year.
+I try to ensure that all are current, but sometimes the is a larger job
+than one person can maintain. You can always find the later version of this
+PDF file at <ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
+on the "Documentation" page. Please send updates to <ulink
+url="mailto:jerry@samba.org">jerry@samba.org</ulink>.
+</para>
-&Chapter1;
+<para>
+Cheers, jerry
+</para>
+
+</dedication>
+
+&UNIX-INSTALL;
+&ENCRYPTION;
+&MS-Dfs-Setup;
+&PRINTER-DRIVER2;
+&DOMAIN-MEMBER;
+&Samba-PDC-HOWTO;
+&WINBIND;
+&NT-Security;
+&OS2-Client;
</book>
diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml
new file mode 100644
index 0000000000..8a380c206d
--- /dev/null
+++ b/docs/docbook/projdoc/winbind.sgml
@@ -0,0 +1,372 @@
+<chapter>
+
+
+<chapterinfo>
+ <author>
+ <firstname>Tim</firstname><surname>Potter</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address><email>tpot@linuxcare.com.au</email></address>
+ </affiliation>
+ </author>
+ <author>
+ <firstname>Andrew</firstname><surname>Trigdell</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address><email>tridge@linuxcare.com.au</email></address>
+ </affiliation>
+ </author>
+
+
+ <pubdate>16 Oct 2000</pubdate>
+</chapterinfo>
+
+<title>Unifed Logons between Windows NT and UNIX using Winbind</title>
+
+<sect1>
+ <title>Abstract</title>
+
+ <para>Integration of UNIX and Microsoft Windows NT through
+ a unified logon has been considered a "holy grail" in heterogeneous
+ computing environments for a long time. We present <emphasis>winbind
+ </emphasis>, a component of the Samba suite of programs as a
+ solution to the unied logon problem. Winbind uses a UNIX implementation
+ of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
+ Service Switch to allow Windows NT domain users to appear and operate
+ as UNIX users on a UNIX machine. This paper describes the winbind
+ system, explaining the functionality it provides, how it is configured,
+ and how it works internally.</para>
+</sect1>
+
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>It is well known that UNIX and Microsoft Windows NT have
+ different models for representing user and group information and
+ use different technologies for implementing them. This fact has
+ made it difficult to integrate the two systems in a satisfactory
+ manner.</para>
+
+ <para>One common solution in use today has been to create
+ identically named user accounts on both the UNIX and Windows systems
+ and use the Samba suite of programs to provide file and print services
+ between the two. This solution is far from perfect however, as
+ adding and deleting users on both sets of machines becomes a chore
+ and two sets of passwords are required both of which which
+ can lead to synchronization problems between the UNIX and Windows
+ systems and confusion for users.</para>
+
+ <para>We divide the unifed logon problem for UNIX machines into
+ three smaller problems:</para>
+
+ <itemizedlist>
+ <listitem><para>Obtaining Windows NT user and group information
+ </para></listitem>
+
+ <listitem><para>Authenticating Windows NT users
+ </para></listitem>
+
+ <listitem><para>Password changing for Windows NT users
+ </para></listitem>
+ </itemizedlist>
+
+
+ <para>Ideally, a prospective solution to the unified logon problem
+ would satisfy all the above components without duplication of
+ information on the UNIX machines and without creating additional
+ tasks for the system administrator when maintaining users and
+ groups on either system. The winbind system provides a simple
+ and elegant solution to all three components of the unifed logon
+ problem.</para>
+</sect1>
+
+
+<sect1>
+ <title>What Winbind Provides</title>
+
+ <para>Winbind unifies UNIX and Windows NT account management by
+ allowing a UNIX box to become a full member of a NT domain. Once
+ this is done the UNIX box will see NT users and groups as if
+ they were native UNIX users and groups, allowing the NT domain
+ to be used in much the same manner that NIS+ is used within
+ UNIX-only environments.</para>
+
+ <para>The end result is that whenever any
+ program on the UNIX machine asks the operating system to lookup
+ a user or group name, the query will be resolved by asking the
+ NT domain controller for the specied domain to do the lookup.
+ Because Winbind hooks into the operating system at a low level
+ (via the NSS name resolution modules in the C library) this
+ redirection to the NT domain controller is completely
+ transparent.</para>
+
+ <para>Users on the UNIX machine can then use NT user and group
+ names as they would use "native" UNIX names. They can chown files
+ so that they are owned by NT domain users or even login to the
+ UNIX machine and run a UNIX X-Window session as a domain user.</para>
+
+ <para>The only obvious indication that Winbind is being used is
+ that user and group names take the form DOMAIN\user and
+ DOMAIN\group. This is necessary as it allows Winbind to determine
+ that redirection to a domain controller is wanted for a particular
+ lookup and which trusted domain is being referenced.</para>
+
+ <para>Additionally, Winbind provides a authentication service
+ that hooks into the Pluggable Authentication Modules (PAM) system
+ to provide authentication via a NT domain to any PAM enabled
+ applications. This capability solves the problem of synchronizing
+ passwords between systems as all passwords are stored in a single
+ location (on the domain controller).</para>
+
+ <sect2>
+ <title>Target Uses</title>
+
+ <para>Winbind is targeted at organizations that have an
+ existing NT based domain infrastructure into which they wish
+ to put UNIX workstations or servers. Winbind will allow these
+ organizations to deploy UNIX workstations without having to
+ maintain a separate account infrastructure. This greatly simplies
+ the administrative overhead of deploying UNIX workstations into
+ a NT based organization.</para>
+
+ <para>Another interesting way in which we expect Winbind to
+ be used is as a central part of UNIX based appliances. Appliances
+ that provide file and print services to Microsoft based networks
+ will be able to use Winbind to provide seamless integration of
+ the appliance into the domain.</para>
+ </sect2>
+</sect1>
+
+
+
+<sect1>
+ <title>How Winbind Works</title>
+
+ <para>The winbind system is designed around a client/server
+ architecture. A long running <command>winbindd</command> daemon
+ listens on a UNIX domain socket waiting for requests
+ to arrive. These requests are generated by the NSS and PAM
+ clients and processed sequentially.</para>
+
+ <para>The technologies used to implement winbind are described
+ in detail below.</para>
+
+ <sect2>
+ <title>Microsoft Remote Procedure Calls</title>
+
+ <para>Over the last two years, efforts have been underway
+ by various Samba Team members to decode various aspects of
+ the Microsoft Remote Procedure Call (MSRPC) system. This
+ system is used for most network related operations between
+ Windows NT machines including remote management, user authentication
+ and print spooling. Although initially this work was done
+ to aid the implementation of Primary Domain Controller (PDC)
+ functionality in Samba, it has also yielded a body of code which
+ can be used for other purposes.</para>
+
+ <para>Winbind uses various MSRPC calls to enumerate domain users
+ and groups and to obtain detailed information about individual
+ users or groups. Other MSRPC calls can be used to authenticate
+ NT domain users and to change user passwords. By directly querying
+ a Windows PDC for user and group information, winbind maps the
+ NT account information onto UNIX user and group names.</para>
+ </sect2>
+
+ <sect2>
+ <title>Name Service Switch</title>
+
+ <para>The Name Service Switch, or NSS, is a feature that is
+ present in many UNIX operating systems. It allows system
+ information such as hostnames, mail aliases and user information
+ to be resolved from dierent sources. For example, a standalone
+ UNIX workstation may resolve system information from a series of
+ flat files stored on the local lesystem. A networked workstation
+ may first attempt to resolve system information from local files,
+ then consult a NIS database for user information or a DNS server
+ for hostname information.</para>
+
+ <para>The NSS application programming interface allows winbind
+ to present itself as a source of system information when
+ resolving UNIX usernames and groups. Winbind uses this interface,
+ and information obtained from a Windows NT server using MSRPC
+ calls to provide a new source of account enumeration. Using standard
+ UNIX library calls, one can enumerate the users and groups on
+ a UNIX machine running winbind and see all users and groups in
+ a NT domain plus any trusted domain as though they were local
+ users and groups.</para>
+
+ <para>The primary control le for NSS is <filename>/etc/nsswitch.conf
+ </filename>. When a UNIX application makes a request to do a lookup
+ the C library looks in <filename>/etc/nsswitch.conf</filename>
+ for a line which matches the service type being requested, for
+ example the "passwd" service type is used when user or group names
+ are looked up. This config line species which implementations
+ of that service should be tried andin what order. If the passwd
+ config line is:</para>
+
+ <para><command>passwd: files example</command></para>
+
+ <para>then the C library will first load a module called
+ <filename>/lib/libnss_files.so</filename> followed by
+ the module <filename>/lib/libnss_example.so</filename>. The
+ C library will dynamically load each of these modules in turn
+ and call resolver functions within the modules to try to resolve
+ the request. Once the request is resolved the C library returns the
+ result to the application.</para>
+
+ <para>This NSS interface provides a very easy way for Winbind
+ to hook into the operating system. All that needs to be done
+ is to put <filename>libnss_winbind.so</filename> in <filename>/lib/</filename>
+ then add "winbind" into <filename>/etc/nsswitch.conf</filename> at
+ the appropriate place. The C library will then call Winbind to
+ resolve user and group names.</para>
+ </sect2>
+
+ <sect2>
+ <title>Pluggable Authentication Modules</title>
+
+ <para>Pluggable Authentication Modules, also known as PAM,
+ is a system for abstracting authentication and authorization
+ technologies. With a PAM module it is possible to specify different
+ authentication methods for dierent system applications without
+ having to recompile these applications. PAM is also useful
+ for implementing a particular policy for authorization. For example,
+ a system administrator may only allow console logins from users
+ stored in the local password file but only allow users resolved from
+ a NIS database to log in over the network.</para>
+
+ <para>Winbind uses the authentication management and password
+ management PAM interface to integrate Windows NT users into a
+ UNIX system. This allows Windows NT users to log in to a UNIX
+ machine and be authenticated against a suitable Primary Domain
+ Controller. These users can also change their passwords and have
+ this change take eect directly on the Primary Domain Controller.
+ </para>
+
+ <para>PAM is congured by providing control files in the directory
+ <filename>/etc/pam.d/</filename> for each of the services that
+ require authentication. When an authentication request is made
+ by an application the PAM code in the C library looks up this
+ control file to determine what modules to load to do the
+ authentication check and in what order. This interface makes adding
+ a new authentication service for Winbind very easy, all that needs
+ to be done is that the <filename>pam_winbind.so</filename> module
+ is copied to <filename>/lib/security/</filename> and the pam
+ control files for relevant services are updated to allow
+ authentication via winbind. See the PAM documentation
+ for more details.</para>
+ </sect2>
+
+
+ <sect2>
+ <title>User and Group ID Allocation</title>
+
+ <para>When a user or group is created under Windows NT
+ is it allocated a numerical relative identier (RID). This is
+ slightly dierent to UNIX which has a range of numbers which are
+ used to identify users, and the same range in which to identify
+ groups. It is winbind's job to convert RIDs to UNIX id numbers and
+ vice versa. When winbind is congured it is given part of the UNIX
+ user id space and a part of the UNIX group id space in which to
+ store Windows NT users and groups. If a Windows NT user is
+ resolved for the first time, it is allocated the next UNIX id from
+ the range. The same process applies for Windows NT groups. Over
+ time, winbind will have mapped all Windows NT users and groups
+ to UNIX user ids and group ids.</para>
+
+ <para>The results of this mapping are stored persistently in
+ a ID mapping database held in a tdb database). This ensures that
+ RIDs are mapped to UNIX IDs in a consistent way.</para>
+ </sect2>
+
+
+ <sect2>
+ <title>Result Caching</title>
+
+ <para>An active system can generate a lot of user and group
+ name lookups. To reduce the network cost of these lookups winbind
+ uses a caching scheme based on the SAM sequence number supplied
+ by NT domain controllers. User or group information returned
+ by a PDC is cached by winbind along with a sequence number also
+ returned by the PDC. This sequence number is incremented by
+ Windows NT whenever any user or group information is modied. If
+ a cached entry has expired, the sequence number is requested from
+ the PDC and compared against the sequence number of the cached entry.
+ If the sequence numbers do not match, then the cached information
+ is discarded and up to date information is requested directly
+ from the PDC.</para>
+ </sect2>
+</sect1>
+
+
+<sect1>
+ <title>Installation and Configuration</title>
+
+ <para>The easiest way to install winbind is by using the packages
+ provided in the <filename>pub/samba/appliance/</filename>
+ directory on your nearest
+ Samba mirror. These packages provide snapshots of the Samba source
+ code and binaries already setup to provide the full functionality
+ of winbind. This setup is a little more complex than a normal Samba
+ build as winbind needs a small amount of functionality from a
+ development code branch called SAMBA_TNG.</para>
+
+ <para>Once you have installed the packages you should read
+ the <command>winbindd(8)</command> man page which will provide you
+ with conguration information and give you sample conguration files.
+ You may also wish to update the main Samba daemons smbd and nmbd)
+ with a more recent development release, such as the recently
+ announced Samba 2.2 alpha release.</para>
+</sect1>
+
+<sect1>
+ <title>Limitations</title>
+
+ <para>Winbind has a number of limitations in its current
+ released version which we hope to overcome in future
+ releases:</para>
+
+ <itemizedlist>
+ <listitem><para>Winbind is currently only available for
+ the Linux operating system, although ports to other operating
+ systems are certainly possible. For such ports to be feasible,
+ we require the C library of the target operating system to
+ support the Name Service Switch and Pluggable Authentication
+ Modules systems. This is becoming more common as NSS and
+ PAM gain support among UNIX vendors.</para></listitem>
+
+ <listitem><para>The mappings of Windows NT RIDs to UNIX ids
+ is not made algorithmically and depends on the order in which
+ unmapped users or groups are seen by winbind. It may be difficult
+ to recover the mappings of rid to UNIX id mapping if the file
+ containing this information is corrupted or destroyed.</para>
+ </listitem>
+
+ <listitem><para>Currently the winbind PAM module does not take
+ into account possible workstation and logon time restrictions
+ that may be been set for Windows NT users.</para></listitem>
+
+ <listitem><para>Building winbind from source is currently
+ quite tedious as it requires combining source code from two Samba
+ branches. Work is underway to solve this by providing all
+ the necessary functionality in the main Samba code branch.</para>
+ </listitem>
+ </itemizedlist>
+</sect1>
+
+
+<sect1>
+ <title>Conclusion</title>
+
+ <para>The winbind system, through the use of the Name Service
+ Switch, Pluggable Authentication Modules, and appropriate
+ Microsoft RPC calls have allowed us to provide seamless
+ integration of Microsoft Windows NT domain users on a
+ UNIX system. The result is a great reduction in the administrative
+ cost of running a mixed UNIX and NT network.</para>
+
+</sect1>
+
+</chapter>
+