diff options
author | Gerald Carter <jerry@samba.org> | 2001-12-06 07:37:58 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-12-06 07:37:58 +0000 |
commit | e4840f0db911eaf3aee1195030c6efca70d78f14 (patch) | |
tree | 118d89347f96394e4db9a8cb8b1a260d35a8930b /docs/docbook | |
parent | f68a08f1f96a669e940fa52edfe6f8d7d3305cac (diff) | |
download | samba-e4840f0db911eaf3aee1195030c6efca70d78f14.tar.gz samba-e4840f0db911eaf3aee1195030c6efca70d78f14.tar.bz2 samba-e4840f0db911eaf3aee1195030c6efca70d78f14.zip |
merge from 2.2
(This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456)
Diffstat (limited to 'docs/docbook')
-rw-r--r-- | docs/docbook/.cvsignore | 3 | ||||
-rw-r--r-- | docs/docbook/faq/samba-pdc-faq.sgml | 1083 | ||||
-rw-r--r-- | docs/docbook/howto/DOMAIN_MEMBER.sgml | 163 | ||||
-rw-r--r-- | docs/docbook/howto/NT_Security.sgml | 342 | ||||
-rw-r--r-- | docs/docbook/howto/samba-pdc-howto.sgml | 778 | ||||
-rw-r--r-- | docs/docbook/manpages/nmbd.8.sgml | 21 | ||||
-rw-r--r-- | docs/docbook/manpages/rpcclient.1.sgml | 2 | ||||
-rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 413 | ||||
-rw-r--r-- | docs/docbook/manpages/smbcontrol.1.sgml | 2 | ||||
-rw-r--r-- | docs/docbook/manpages/smbd.8.sgml | 19 | ||||
-rw-r--r-- | docs/docbook/manpages/smbpasswd.8.sgml | 17 | ||||
-rw-r--r-- | docs/docbook/manpages/winbindd.8.sgml | 9 | ||||
-rw-r--r-- | docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 16 | ||||
-rw-r--r-- | docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | 9 | ||||
-rw-r--r-- | docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 443 | ||||
-rw-r--r-- | docs/docbook/projdoc/chapter1.sgml | 446 | ||||
-rw-r--r-- | docs/docbook/projdoc/winbind.sgml | 162 |
17 files changed, 649 insertions, 3279 deletions
diff --git a/docs/docbook/.cvsignore b/docs/docbook/.cvsignore index e3c1273375..04290fcd2e 100644 --- a/docs/docbook/.cvsignore +++ b/docs/docbook/.cvsignore @@ -1,3 +1,4 @@ -confdefs.h +Makefile config.cache config.log +config.status diff --git a/docs/docbook/faq/samba-pdc-faq.sgml b/docs/docbook/faq/samba-pdc-faq.sgml deleted file mode 100644 index 3dae096f04..0000000000 --- a/docs/docbook/faq/samba-pdc-faq.sgml +++ /dev/null @@ -1,1083 +0,0 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<book id="samba-pdc-faq"> - -<title>The Samba 2.2 PDC FAQ</title> - -<bookinfo> - <author> - <firstname>David</firstname><surname>Bannon</surname> - <affiliation><orgname>La Trobe University</orgname></affiliation> - </author> - <address><email>dbannon@samba.org</email></address> - <pubdate>November 2000</pubdate> -</bookinfo> - - -<dedication><title></title> - - <para> - This is the FAQ for Samba 2.2 as an NTDomain controller. - This document is derived from the origional FAQ that was built and - maintained by Gerald Carter from the early days of Samba NTDomain development - up until recently. It is now being updated as significent changes are - made to 2.2.0. - </para> - - <para> - Please note it does not apply to the SAMBA_TNG nor the HEAD branch. - </para> - - <para> - Also available is a Samba 2.2 PDC <ulink url="samba-pdc-howto.html">HOWTO</ulink> - that takes you, step by step, over the process of setting up a very basic Samba - 2.2 Primary Domain Controller - </para> - -</dedication> - -<toc></toc> - -<!-- ================ I N T R O D U C T I O N ==================== --> - - -<chapter> - -<title>Introduction</title> - -<sect1> -<title id=stateofplay>State of Play</title> - - <para>Much of the related code does work. For example, if an NT is removed from the - domain and then rejoins, the <filename>Create a Computer Account in the Domain</> dialog - will let you reset the smbpasswd. That is you don't need to do it from - the unix box. However, at the present, you do need to have root as an - administrator and use the root user name and password.</para> - - <para><command>Policies</command> do work on a W2K machine. MS says that recent - builds of W2K dont observe an NT policy but it appears it does in 'legacy' - mode.</para> - -</sect1> - -<sect1> -<title>Introduction</title> - - <para> - This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing - with the 'old HEAD' version of Samba and its NTDomain facilities. It is - being rewritten by David Bannon (drb) so that it addresses more - accurately the Samba 2.2.x release. - </para> - - <para> - This document probably still contains some material that does not apply - to Samba 2.2 but most (all?) of the really misleading stuff has been - removed. Some issues are not dealt with or are dealt with badly. Please - send corrections and additions to <ulink - url="mailto:D.Bannon@latrobe.edu.au">David Bannon</ulink>. - </para> - - <para>Hopefully, as we all become familiar with the Samba 2.2 as a - PDC this document will become much more usefull.</para> - -</sect1> - -</chapter> - -<!-- ============== G E N E R A L I N F O R M A T I O N ============== --> - -<chapter><title>General Information</> - - -<sect1><title>What can we do ?</title> - -<sect2> -<title>What can Samba 2.2.x Primary Domain Controller (PDC) do ?</title> - - <para> - If you wish to have Samba act as a PDC for Windows NT 4.0/2000 client, - then you will need to obtain the 2.2.0 version. Release of a stable, - full featured Samba PDC is currently slated for version 3.0. - </para> - - <para> - The following is a list of included features currently in - Samba 2.2: - </para> - - <itemizedlist> - <listitem><para>The ability to act as a limited PDC for - Windows NT and W2000 clients. This includes adding NT and - W2K machines to the domain and authenticating users logging - into the domain.</para></listitem> - - <listitem><para>Domain account can be viewed using the User - Manager for Domains</para></listitem> - - <listitem><para>Viewing/adding/deleting resources on the Samba - PDC via the Server Manager for Domains from the NT client. - </para></listitem> - - <listitem><para>Windows 95/98/ME clients will allow user - level security to be set and browsing of domain accounts. - </para></listitem> - - <listitem><para>Machine account password updates.</para></listitem> - - <listitem><para>Changing of user passwords from an NT client. - </para></listitem> - - <listitem><para>Partial support for Windows NT username mapping. - Group name mapping is slated for a later release.</para></listitem> - </itemizedlist> - - - <para> - These things are note expected to work in the forseeable future: - </para> - - <itemizedlist> - <listitem><para>Trust relationships</para></listitem> - <listitem><para>PDC and BDC integration</para></listitem> - </itemizedlist> -</sect2> - -<sect2> -<title>Can I have a Windows 2000 client logon to a Samba -controlled domain?</title> - - <para> - The 2.2 release branch of Samba supports Windows 2000 domain - clients in legacy mode, ie as if the PDC is a NTServer, not a - W2K server. - </para> -</sect2> - -</sect1> - -<sect1> -<title>CVS</title> - - <para> - CVS is a programme (publically available) that the Samba developers - use to maintain the central source code. Non developers can get - access to the source in a read only capacity. Many flavours of unix - now arrive with cvs installed.</> - -<sect2> -<title>What are the different Samba branches available in CVS ?</title> - - <para>You can find out more about obtaining Samba's via anonymous - CVS from <ulink url="http://pserver.samba.org/samba/cvs.html"> - http://pserver.samba.org/samba/cvs.html</ulink>. - </para> - - <para> - There are basically four branches to watch at the moment : - </para> - - <variablelist> - <varlistentry> - <term>HEAD</term> - <listitem><para>Samba 3.0 ? This code boasts all the main - development work in Samba. Due to its developmental - nature, its not really suitable for production work. - </para></listitem></varlistentry> - - <varlistentry> - <term>SAMBA_2_0</term> - <listitem><para>This branch contains the previous stable - release. At the moment it contains 2.0.8, a version that - will do some limited PDC stuff. If you are really going to - do PDC things, you consider 2.2 instead. - </para></listitem></varlistentry> - - <varlistentry> - <term>SAMBA_2_2</term> - <listitem><para>The 2.2.x release branch which is a subset - of the features of the HEAD branch. This document addresses - only SAMBA_2_2. - </para></listitem></varlistentry> - - <varlistentry> - <term>SAMBA_TNG</term> - <listitem><para>This branch is no longer maintained from the Samba - sites. Please see <ulink url="http://www.samba-tng.org/"> - http://www.samba-tng.org/</ulink>. It has been requested - that questions about TNG are not posted to the regular Samba - mailing lists including samba-ntdom and samba-technical. - </para></listitem></varlistentry> - </variablelist> -</sect2> - -<sect2> -<title>What are the CVS commands ?</title> - - <para> - See <ulink url="http://pserver.samba.org/samba/cvs.html"> - http://pserver.samba.org/samba/cvs.html</ulink> for instructions - on obtaining the SAMBA_2_2 or HEAD cvs code. - </para> -</sect2> -</sect1> -</chapter> - - -<chapter> -<title>Establishing Connections</title> - -<sect1> -<title></title> - -<sect2> -<title>How do I get my NT4 or W2000 Workstation to login to the Samba -controlled Domain?</> - - <para> - There is a comprehensive Samba PDC <ulink - url="samba-pdc-howto.html">HOWTO</ulink> accessable from the samba web - site under 'Documentation'. Read it. - </para> -</sect2> - -<sect2> -<title>What is a 'machine account' ?</title> - - <para> - Every NT, W2K or Samba machine that joins a Samba controlled - domain must be known to the Samba PDC. There are two entries - required, one in (typically) <filename>/etc/passwd</filename> - and the other in (typically) <filename>/usr/local/samba/private/smbpasswd</filename>. - Under some circumstances these entries are made - <link linkend=machineaccounts>manually</link>, the <ulink - url="samba-pdc-howto.html">HOWTO</ulink> - discusses ways of creating them automatically.</para> -</sect2> - - -<sect2> -<title>"The machine account for this computer either does not -exist or is not accessable."</> - - <para> - When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessable". Whats - wrong ? - </para> - - <para> - This problem is caused by the PDC not having a suitable machine account. - If you are using the <command>add user script =</> method to create - accounts then this would indicate that it has not worked. Ensure the domain - admin user system is working. - </para> - - <para> - Alternatively if you are creating account entries manually then they - have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. - If you added the account using an editor rather than using the smbpasswd - utility, make sure that the account name is the machine netbios name - with a '$' appended to it ( ie. computer_name$ ). There must be an entry - in both /etc/passwd and the smbpasswd file. Some people have reported - that inconsistent subnet masks between the Samba server and the NT - client have caused this problem. Make sure that these are consistent - for both client and server. - </para> -</sect2> - -<sect2> -<title id=machineaccounts>How do I create machine accounts manually ?</title> - - <para> - This was the only option until recently, now in version 2.2 better - means are available. You might still need to do it manually for a - couple of reasons. A machine account consists of two entries (assuming - a standard install and /etc/passwd use), one in /etc/passwd and the - other in /usr/local/samba/private/smbpasswd. The /etc/passwd - entry will list the machine name with a $ appended, won't have a - passwd, will have a null shell and no home directory. For example - a machine called 'doppy' would have an /etc/passwd entry like this :</para> - - <para> - <command>doppy$:x:505:501:NTMachine:/dev/null:/bin/false</command> - </para> - - <para> - On a linux system for example, you would typically add it like - this : - </para> - - <para> - <command>adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n - doppy$</command> - </para> - - <para> - Then you need to add that entry to smbpasswd, assuming you have a suitable - path to the <command>smbpasswd</> programme, do this : - </para> - - <para> - <command>smbpasswd -a -m doppy$</command> - </para> - - <para> - The entry will be created with a well known password, so any machine that - says its doppy could join the domain as long as it gets in first. So - don't create the accounts any earlier than you need them. - </para> -</sect2> - -<sect2> -<title>I cannot include a '$' in a machine name.</title> - - <para> - A 'machine name' in (typically) <filename>/etc/passwd</> consists - of the machine name with a '$' appended. FreeBSD (and other BSD - systems ?) won't create a user with a '$' in their name. - </para> - - <para> - The problem is only in the program used to make the entry, once - made, it works perfectly. So create a user without the '$' and - use <command>vipw</> to edit the entry, adding the '$'. Or create - the whole entry with vipw if you like, make sure you use a - unique uid !</para> -</sect2> - -<sect2> -<title id=alreadyhaveconnection>I get told "You already have a connection to the Domain...." -when creating a machine account.</title> - - <para> - This happens if you try to create a machine account from the - machine itself and use a user name that does not work (for whatever - reason) and then try another (possibly valid) user name. - Exit out of the network applet to close the initial connection - and try again. - </para> - - <para> - Further, if the machine is a already a 'member of a workgroup' that - is the same name as the domain you are joining (bad idea) you will - get this message. Change the workgroup name to something else, it - does not matter what, reboot, and try again.</para> -</sect2> - -<sect2> -<title>I get told "Cannot join domain, the credentials supplied -conflict with an existing set.."</title> - - <para> - This is the same basic problem as mentioned above, <link - linkend=alreadyhaveconnection> "You already have a connection..."</link> - </para> -</sect2> - -<sect2> -<title>"The system can not log you on (C000019B)...."</title> - - <para>I joined the domain successfully but after upgrading - to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try a gain or consult your - system administrator" when attempting to logon. - </para> - - <para> - This occurs when the domain SID stored in private/WORKGROUP.SID is - changed. For example, you remove the file and smbd automatically - creates a new one. Or you are swapping back and forth between - versions 2.0.7, TNG and the HEAD branch code (not recommended). The - only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. - </para> -</sect2> - -</sect1> - -</chapter> - - -<!-- ============ U S E R A C C O U N T M A N A G M E N T ============= --> - -<chapter> -<title>User Account Management</title> - -<sect1> -<title>Domain Admins</title> - -<sect2> -<title>How do I configure an account as a domain administrator?</title> - - <para> - See the NTDom <ulink url="samba-pdc-howto.html">HowTo</ulink>. - </para> -</sect2> -</sect1> - -<sect1> -<title>Profiles</title> - -<sect2> -<title>Why is it bad to set "logon path = \\%N\%U\profile" in -smb.conf?</title> - - <para> - Sometimes Windows clients will maintain a connection to - the \\homes\ ( or [%U] ) share even after the user has logged out. - Consider the following scenario. - </para> - - <itemizedlist> - <listitem><para> user1 logs into the Windows NT machine. - Therefore the [homes] share is set to \\server\user1. - </para></listitem> - - <listitem><para> user1 works for a while and then logs - out. </para></listitem> - - <listitem><para> user2 logs into the same Windows NT - machine.</para></listitem> - </itemizedlist> - - <para> - However, since the NT box has maintained a connection to [homes] - which was previously set to \\server\user1, when the operating system - attempts to get the profile and if it can read users1's profile, will - get it otherwise it will return an error. You get the picture. - </para> - - <para> - A better solution is to use a separate [profiles] share and - set the "logon path = \\%N\profiles\%U" - </para> -</sect2> - - -<sect2> -<title>Why are all the users listed in the "domain admin users" using the -same profile?</title> - - <para> - You are using a very very old development version of Samba. - Upgrade. - </para> -</sect2> - - - -<sect2> -<title>The roaming profiles do not seem to be updating on the -server.</title> - - <para> - There can be several reasons for this. - </para> - - <para> - Make sure that the time on the client and the PDC are synchronized. You - can accomplish this by executing a <command>net time \\server /set /yes</command> - replacing server with the name of your PDC (or another synchronized SMB server). - See <link linkend="SettingTime"> about Setting Time</link> - </para> - - <para> - Make sure that the "logon path" is writeable by the user and make sure - that the connection to the logon path location is by the current user. - Sometimes Windows client do not drop the connection immediately upon - logoff. - </para> - - <para> - Some people have reported that the logon path location should - also be browseable. I (GC) have yet to emperically verify this, - but you can try.</para> -</sect2> -</sect1> - -<sect1><title>Policies</title> - -<sect2> -<title>What are 'Policies' ?.</title> - - <para> - When a user logs onto the domain via a client machine, the PDC - sends the client machine a list of things contained in the - 'policy' (if it exists). This list may do things like suppress - a splach screen, format the dates the way you like them or perhaps - remove locally stored profiles. - </para> - - <para> - On a samba PDC this list is obtained from a file called - <filename>ntconfig.pol</filename> and located in the [netlogon] - share. The file is created with a policy editor and must be readable - by anyone and writeable by only root. See <link linkend=policyeditor> - below</link> for how to get a suitable editor. - </para> -</sect2> - -<sect2> -<title>I can't get system policies to work.</title> - - <para> - There are two possible reasons for system policies not - functioning correctly. Make sure that you have the following - parameters set in smb.conf - </para> - - <para><programlisting> - [netlogon] - .... - locking = no - public = no - browseable = yes - .... - </programlisting></para> - - <para> - A policy file must be in the [netlogon] share and must be - readable by everyone and writeable by only root. The file - must be created by an NTServer <link linkend=policyeditor>Policy - Editor</link>. - </para> - - <para> - Last time I (drb) looked in the source, it was looking for - <filename>ntconfig.pol</filename> first then several other - combinations of upper and lower case. People have reported - success using <filename>NTconfig.pol</filename>, <filename>NTconfig.POL</filename> - and <filename>ntconfig.pol</filename>. These are the case settings that - I (GC) use with the filename <filename>ntconfig.pol</filename>: - </para> - - <para><programlisting> - case sensitive = no - case preserve = yes - short preserve case = no - default case = yes - </programlisting></para> - -</sect2> - -<sect2> -<title id=policyeditor>What about Windows NT Policy Editor ?</title> - - <para> - To create or edit <filename>ntconfig.pol</filename> you must use - the NT Server Policy Editor, <command>poledit.exe</command> which - is included with NT Server but <emphasis>not NT Workstation</emphasis>. - There is a Policy Editor on a NTws - but it is not suitable for creating <emphasis>Domain Policies</emphasis>. - Further, although the Windows 95 - Policy Editor can be installed on an NT Workstation/Server, it will not - work with NT policies because the registry key that are set by the policy templates. - However, the files from the NT Server will run happily enough on an NTws. - You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient - to put the two *.adm files in <filename>c:\winnt\inf</> which is where - the binary will look for them unless told otherwise. Note also that that - directory is 'hidden'. - </para> - - <para>The Windows NT policy editor is also included with the - Service Pack 3 (and later) for Windows NT 4.0. Extract the files using - <command>servicepackname /x</command>, ie thats <command>Nt4sp6ai.exe - /x</command> for service pack 6a. The policy editor, <command>poledt.exe</command> and the - associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template - files for Office97 and get a copy of the policy editor. Another possible - location is with the Zero Administration Kit available for download from Microsoft. - </para> -</sect2> - - -<sect2> -<title>Can Win95 do Policies ?</title> - - <para> - Install the group policy handler for Win9x to pick up group - policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. - Install group policies on a Win9x client by double-clicking - <filename>grouppol.inf</filename>. Log off and on again a couple of - times and see if Win98 picks up group policies. Unfortunately this needs - to be done on every Win9x machine that uses group policies.... - </para> - - <para> - If group policies don't work one reports suggests getting the updated - (read: working) grouppol.dll for Windows 9x. The group list is grabbed - from /etc/group. - </para> - -</sect2> - -</sect1> - -<sect1> -<title>Passwords</title> - -<sect2> -<title>What is password sync and should I use it ?</title> - - <para> - NTws users can change their domain password by pressing Ctrl-Alt-Del - and choosing 'Change Password'. By default however, this does not change the unix password - (typically in <filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>). - In lots of situations thats OK, for example : - </para> - - <itemizedlist> - <listitem><para>The server is only accessible to the user via - samba.</para></listitem> - - <listitem><para>Pam_smb or similar is installed so other applications - still refer to the samba password.</para></listitem> - </itemizedlist> - - <para> - But sometimes you really do need to maintain two seperate password - databases and there are good reasons to keep then in sync. Trying - to explain to users that they need to change their passwords in two - seperate places or use two seperate passwords is not fun. - </para> - - <para> - However do understand that setting up password sync is not without - problems either. The chief difficulty is the interface between Samba - and the <command>passwd</command> command, it can be a fiddle to set - up and if the password the user has entered fails, the resulting errors - are ambiguously reported and the user is confused. Further, you need - to take steps to ensure that users only ever change their passwords - via samba (or use <command>smbpasswd</command>), otherwise they will - only be changing the unix password.</para> - - -</sect2> - -<sect2> -<title>How do I get remote password (unix and SMB) changing working ?</title> - - <para> - Have a practice changing a user's password (as root) to see - what discussion takes place and change the text in the 'passwd chat' - line below as necessary. The line as shown works for recent RH Linux - but most other systems seem to like to do something different. The '*' is - a wild card and will match anything (or nothing). - </para> - - <para> - Add these lines to smb.conf under [Global] - </para> - - <para><programlisting> - - unix password sync = true - passwd program = /usr/bin/passwd %u - passwd chat = *password* %n\n *password* %n\n *successful* - </programlisting></para> - - <para> - As mentioned above, the change to the unix password happens as root, - not as the user, as is indicated in ~/smbd/chgpasswd.c If - you are using NIS, the Samba server must be running on the NIS - master machine. - </para> -</sect2> - -</sect1> - -</chapter> - -<!-- =================== M I S C E L L A N E O U S ================= --> - -<chapter> -<title>Miscellaneous</title> - -<sect1> -<title></title> - -<sect2> -<title>What editor can I use in DOS/Windows that won't -mess with my unix EOF</title> - - <para>There are a number of Windows or DOS based editors that will - understand, and leave intact, the unix eof (as opposed to a DOS CL/LF). - List members suggested : - </para> - - <itemizedlist> - <listitem><para>UltraEdit at <ulink url="http://www.ultraedit.com">www.ultraedit.com</ulink></para></listitem> - - <listitem><para>VI for windows at <ulink url="http://home.snafu.de/ramo/WinViEn.htm"> - home.snafu.de/ramo/WinViEn.htm</ulink></para></listitem> - - <listitem><para>The author prefers PFE at <ulink url="http://www.lancs.ac.uk/people/cpaap/pfe/"> - www.lancs.ac.uk/people/cpaap/pfe/</ulink> but its no longer being developed...</para></listitem> - </itemizedlist> -</sect2> - - - - -<sect2> -<title>How do I get 'User Manager' and 'Server Manager'</title> - - <para> - Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager' ? - </para> - - <para> - Microsoft distributes a version of - these tools called nexus for installation on Windows 95 systems. The - tools set includes - </para> - - <itemizedlist> - <listitem><para>Server Manager</para></listitem> - - <listitem><para>User Manager for Domains</para></listitem> - - <listitem><para>Event Viewer</para></listitem> - </itemizedlist> - - <para> - Click here to download the archived file <ulink - url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink> - </para> - - <para> - The Windows NT 4.0 version of the 'User Manager for - Domains' and 'Server Manager' are available from Microsoft via ftp - from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink> - </para> -</sect2> - - -<sect2><title id="SettingTime">The time setting from a Samba server does not work.</title> - <para>If it works OK when you log on as Domain Admin then the problem is that ordinary users - don't have permission to change the time. (The system is running with their permission - at logon time.) This is not a Samba problem, you will have the same problem where ever - you connect. You can give 'everyone' permission to change the time from the User Manager. - </para> - - <para>Anyone know what the registry settings are so this could be done with a Policy ?</para> -</sect2> - -<sect2><title>"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</> - <para>I keep getting the message "trust account xxx should be in DOMAIN_GROUP_RID_USERS." - in the logs. What do I need to do?</para> - - <para>You are using one of the old development versions. Upgrade. - (The message is unimportant, was a reminder to a developer)</para> - -</sect2> - -<sect2><title>How do I get my samba server to become a member ( not PDC ) of an NT domain?</title> - - - <para> - Please refer to the <ulink url="DOMAIN_MEMBER.html">Domain Member - HOWTO</ulink> for more information on this. - </para> - -</sect2> -</sect1> -</chapter> - - -<!-- ======== T R O U B L E S H O O T I N G and B U G R E P O R T I N G ======== --> - - - -<chapter><title>Troubleshooting and Bug Reporting</title> - -<sect1><title>Diagnostic tools</title> - -<sect2><title>What are some diagnostics tools I can use to debug the domain logon process and where can I - find them? </title> - - <para> - One of the best diagnostic tools for debugging problems is Samba itself. - You can use the -d option for both smbd and nmbd to specifiy what - 'debug level' at which to run. See the man pages on smbd, nmbd and - smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to 10 (100 for debugging passwords). - </para> - - <para> - Another helpful method of debugging is to compile samba using the - <command>gcc -g </command> flag. This will include debug - information in the binaries and allow you to attch gdb to the - running smbd / nmbd process. In order to attach gdb to an smbd - process for an NT workstation, first get the workstation to make the - connection. Pressing ctrl-alt-delete and going down to the domain box - is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation - maintains an open connection, and therefore there will be an smbd - process running (assuming that you haven't set a really short smbd - idle timeout) So, in between pressing ctrl alt delete, and actually - typing in your password, you can gdb attach and continue. - </para> - - <para> - Some usefull samba commands worth investigating: - </para> - - <itemizedlist> - <listitem><para>testparam | more</para></listitem> - <listitem><para>smbclient -L //{netbios name of server}</para></listitem> - </itemizedlist> - - <para> - An SMB enabled version of tcpdump is available from - <ulink url="http://www.tcpdump.org/">http://www.tcpdump.org/</ulink>. - Ethereal, another good packet sniffer for UNIX and Win32 - hosts, can be downloaded from <ulink - url="http://www.ethereal.com/">http://www.ethereal.com</ulink>. - </para> - - <para> - For tracing things on the Microsoft Windows NT, Network Monitor - (aka. netmon) is available on the Microsoft Developer Network CD's, - the Windows NT Server install CD and the SMS CD's. The version of - netmon that ships with SMS allows for dumping packets between any two - computers (ie. placing the network interface in promiscuous mode). - The version on the NT Server install CD will only allow monitoring - of network traffic directed to the local NT box and broadcasts on the - local subnet. Be aware that Ethereal can read and write netmon - formatted files. - </para> - -</sect2> - -<sect2> -<title>How do I install 'Network Monitor' on an NT Workstation -or a Windows 9x box?</title> - - <para> - Installing netmon on an NT workstation requires a couple - of steps. The following are for installing Netmon V4.00.349, which comes - with Microsoft Windows NT Server 4.0, on Microsoft Windows NT - Workstation 4.0. The process should be similar for other version of - Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD. - </para> - - <para> - Initially you will need to install 'Network Monitor Tools and Agent' - on the NT Server. To do this - </para> - - <itemizedlist> - <listitem><para>Goto Start - Settings - Control Panel - - Network - Services - Add </para></listitem> - - <listitem><para>Select the 'Network Monitor Tools and Agent' and - click on 'OK'.</para></listitem> - - <listitem><para>Click 'OK' on the Network Control Panel. - </para></listitem> - - <listitem><para>Insert the Windows NT Server 4.0 install CD - when prompted.</para></listitem> - </itemizedlist> - - <para> - At this point the Netmon files should exist in - <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>. - Two subdirectories exist as well, <filename>parsers\</filename> - which contains the necessary DLL's for parsing the netmon packet - dump, and <filename>captures\</filename>. - </para> - - <para> - In order to install the Netmon tools on an NT Workstation, you will - first need to install the 'Network Monitor Agent' from the Workstation - install CD. - </para> - - <itemizedlist> - <listitem><para>Goto Start - Settings - Control Panel - - Network - Services - Add</para></listitem> - - <listitem><para>Select the 'Network Monitor Agent' and click - on 'OK'.</para></listitem> - - <listitem><para>Click 'OK' on the Network Control Panel. - </para></listitem> - - <listitem><para>Insert the Windows NT Workstation 4.0 install - CD when prompted.</para></listitem> - </itemizedlist> - - - <para> - Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* - to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set - permissions as you deem appropriate for your site. You will need - administrative rights on the NT box to run netmon. - </para> - - <para> - To install Netmon on a Windows 9x box install the network monitor agent - from the Windows 9x CD (\admin\nettools\netmon). There is a readme - file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working - Netmon installation. - </para> -</sect2> - -</sect1> - -<sect1> -<title>What other help can I get ? </title> - - <para> - There are many sources of information available in the form - of mailing lists, RFC's and documentation. The docs that come - with the samba distribution contain very good explanations of - general SMB topics such as browsing.</para> - -<sect2> -<title id=urls>URLs and similar</title> - - - <itemizedlist> - - <listitem><para>Home of Samba site <ulink url="http://samba.org"> - http://samba.org</ulink>. We have a mirror near you !</para></listitem> - - <listitem><para> The <emphasis role=strong>Development</emphasis> document - on the Samba mirrors might mention your problem. If so, - it might mean that the developers are working on it.</para></listitem> - - <listitem><para> Ignacio Coupeau has a very comprehesive look at LDAP with Samba at - <ulink url="http://www.unav.es/cti/ldap-smb-howto.html"> - http://www.unav.es/cti/ldap-smb-howto.html</ulink> - Be a little carefull however, I suspect that it does not specificly - address samba 2.2.x. The HEAD pre-2.1 may possibly be the best - stream to look at.</para></listitem> - - <listitem><para> Lars Kneschke's site covers <ulink url="http://www.samba-tng.org"> - Samba-TNG</ulink> at - <ulink url="http://www.kneschke.de/projekte/samba_tng"> - http://www.kneschke.de/projekte/samba_tng</ulink>, but again, a - lot of it does not apply to the main stream Samba.</para></listitem> - - <listitem><para>See how Scott Merrill simulates a BDC behaviour at - <ulink url="http://www.skippy.net/linux/smb-howto.html"> - http://www.skippy.net/linux/smb-howto.html</>. </para></listitem> - - <listitem><para>Although 2.0.7 has almost had its day as a PDC, I (drb) will - keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba"> - http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem> - - <listitem><para>Misc links to CIFS information - <ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem> - - <listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/"> - http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem> - - <listitem><para>FTP site for older SMB specs: - <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/"> - ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem> - - </itemizedlist> - - - <para> - You should also refer to the MS archives at - <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">ftp://ftp.microsoft.com/developr/drg/CIFS/"</ulink> - </para> - -</sect2> - - -<sect2> -<title>How do I get help from the mailing lists ?</title> - - <para> There are a number of Samba related mailing lists. Go to <ulink url= - "http://samba.org">http://samba.org</ulink>, click on your nearest mirror - and then click on <command>Support</> and then click on <command> - Samba related mailing lists</>.</para> - - <para>For questions relating to Samba TNG go to - <ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink> - It has been requested that you don't post questions about Samba-TNG to the - main stream Samba lists.</para> - -<itemizedlist><title>If you post a message to one of the lists please - observe the following guide lines :</title> - - <listitem><para> Always remember that the developers are volunteers, they are - not paid and they never guarantee to produce a particular feature at - a particular time. Any time lines are 'best guess' and nothing more. - </para></listitem> - - <listitem><para> Always mention what version of samba you are using and what - operating system its running under. You should probably list the - relevant sections of your smb.conf file, at least the options - in [global] that affect PDC support.</para></listitem> - - <listitem><para>In addition to the version, if you obtained Samba via - CVS mention the date when you last checked it out.</para></listitem> - - <listitem><para> Try and make your question clear and brief, lots of long, - convoluted questions get deleted before they are completely read ! - Don't post html encoded messages (if you can select colour or font - size its html).</para></listitem> - - <listitem><para> If you run one of those niffy 'I'm on holidays' things when - you are away, make sure its configured to not answer mailing lists. - </para></listitem> - - <listitem><para> Don't cross post. Work out which is the best list to post to - and see what happens, ie don't post to both samba-ntdom and samba-technical. - Many people active on the lists subscribe to more - than one list and get annoyed to see the same message two or more times. - Often someone will see a message and thinking it would be better dealt - with on another, will forward it on for you.</para></listitem> - - <listitem><para>You might include <emphasis>partial</emphasis> - log files written at a debug level set to as much as 20. - Please don't send the entire log but enough to give the context of the - error messages.</para></listitem> - - <listitem><para>(Possibly) If you have a complete netmon trace ( from the opening of - the pipe to the error ) you can send the *.CAP file as well.</para></listitem> - - <listitem><para>Please think carefully before attaching a document to an email. - Consider pasting the relevant parts into the body of the message. The samba - mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory ?</para></listitem> - -</itemizedlist> -</sect2> - - -<sect2> -<title>How do I get off the mailing lists ?</title> - - <para>To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to <ulink url= - "http://lists.samba.org/">http://lists.samba.org</ulink>, click - on your nearest mirror and then click on <command>Support</> and - then click on <command> Samba related mailing lists</>. Or perhaps see - <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink></para> - - <para> - Please don't post messages to the list asking to be removed, you will just - be refered to the above address (unless that process failed in some way...) - </para> -</sect2> - -</sect1> - -</chapter> - - - - -</book> diff --git a/docs/docbook/howto/DOMAIN_MEMBER.sgml b/docs/docbook/howto/DOMAIN_MEMBER.sgml deleted file mode 100644 index 888b801742..0000000000 --- a/docs/docbook/howto/DOMAIN_MEMBER.sgml +++ /dev/null @@ -1,163 +0,0 @@ -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> - -<article> - -<sect1> - - <title>Joining an NT Domain with Samba 2.2</title> - - <para>In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - <emphasis>NOT</emphasis> as a Primary or backup domain controller.</para> - - <para>Assume you have a Samba-2 server with a NetBIOS name of - <constant>SERV1</constant> and are joining an NT domain called - <constant>DOM</constant>, which has a PDC with a NetBIOS name - of <constant>DOMPDC</constant> and two backup domain controllers - with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2 - </constant>.</para> - - <para>In order to join the domain, first stop all Samba daemons - and run the command:</para> - - <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC - </userinput></para> - - <para>as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:</para> - - <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput> - </para> - - <para>in your terminal window. See the <ulink url="smbpasswd.8.html"> - smbpasswd(8)</ulink> man page for more details.</para> - - <para>This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</para> - - <para><filename>/usr/local/samba/private</filename></para> - - <para>In Samba 2.0.x, the filename looks like this:</para> - - <para><filename><replaceable><NT DOMAIN NAME></replaceable>. - <replaceable><Samba Server Name></replaceable>.mac</filename></para> - - <para>The <filename>.mac</filename> suffix stands for machine account - password file. So in our example above, the file would be called:</para> - - <para><filename>DOM.SERV1.mac</filename></para> - - <para>In Samba 2.2, this file has been replaced with a TDB - (Trivial Database) file named <filename>secrets.tdb</filename>. - </para> - - - <para>This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</para> - - <para>Now, before restarting the Samba daemons you must - edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename> - </ulink> file to tell Samba it should now use domain security.</para> - - <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> - <parameter>security =</parameter></ulink> line in the [global] section - of your smb.conf to read:</para> - - <para><command>security = domain</command></para> - - <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter> - workgroup =</parameter></ulink> line in the [global] section to read: </para> - - <para><command>workgroup = DOM</command></para> - - <para>as this is the name of the domain we are joining. </para> - - <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS"> - <parameter>encrypt passwords</parameter></ulink> set to <constant>yes - </constant> in order for your users to authenticate to the NT PDC.</para> - - <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER"> - <parameter>password server =</parameter></ulink> line in the [global] - section to read: </para> - - <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para> - - <para>These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers.</para> - - <para>Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be :</para> - - <para><command>password server = *</command></para> - - <para>This method, which was introduced in Samba 2.0.6, - allows Samba to use exactly the same mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against.</para> - - <para>Finally, restart your Samba daemons and get ready for - clients to begin using domain security!</para> -</sect1> - -<sect1> - <title>Why is this better than security = server?</title> - - <para>Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user <constant>DOM\fred - </constant> attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - <ulink url="smb.conf.5.html#SECURITYEQUALSERVER">security = server</ulink>, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. - </para> - - <para>The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC.</para> - - <para>In addition, with <command>security = server</command> every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With <command>security = domain</command>, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources.</para> - - <para>And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. All - this information will allow Samba to be extended in the future into - a mode the developers currently call appliance mode. In this mode, - no local Unix users will be necessary, and Samba will generate Unix - uids and gids from the information passed back from the PDC when a - user is authenticated, making a Samba server truly plug and play - in an NT domain environment. Watch for this code soon.</para> - - <para><emphasis>NOTE:</emphasis> Much of the text of this document - was first published in the Web magazine <ulink url="http://www.linuxworld.com"> - LinuxWorld</ulink> as the article <ulink - url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing - the NIS/NT Samba</ulink>.</para> - -</sect1> -</article> diff --git a/docs/docbook/howto/NT_Security.sgml b/docs/docbook/howto/NT_Security.sgml deleted file mode 100644 index 62550bfaa6..0000000000 --- a/docs/docbook/howto/NT_Security.sgml +++ /dev/null @@ -1,342 +0,0 @@ -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> - -<article> - - -<sect1> - <title>Viewing and changing UNIX permissions using the NT - security dialogs</title> - - - <para>New in the Samba 2.0.4 release is the ability for Windows - NT clients to use their native security settings dialog box to - view and modify the underlying UNIX permissions.</para> - - <para>Note that this ability is careful not to compromise - the security of the UNIX host Samba is running on, and - still obeys all the file permission rules that a Samba - administrator can set.</para> - - <para>In Samba 2.0.4 and above the default value of the - parameter <ulink url="smb.conf.5.html#NTACLSUPPOR"><parameter> - nt acl support</parameter></ulink> has been changed from - <constant>false</constant> to <constant>true</constant>, so - manipulation of permissions is turned on by default.</para> -</sect1> - -<sect1> - <title>How to view file security on a Samba share</title> - - <para>From an NT 4.0 client, single-click with the right - mouse button on any file or directory in a Samba mounted - drive letter or UNC path. When the menu pops-up, click - on the <emphasis>Properties</emphasis> entry at the bottom of - the menu. This brings up the normal file properties dialog - box, but with Samba 2.0.4 this will have a new tab along the top - marked <emphasis>Security</emphasis>. Click on this tab and you - will see three buttons, <emphasis>Permissions</emphasis>, - <emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>. - The <emphasis>Auditing</emphasis> button will cause either - an error message <errorname>A requested privilege is not held - by the client</errorname> to appear if the user is not the - NT Administrator, or a dialog which is intended to allow an - Administrator to add auditing requirements to a file if the - user is logged on as the NT Administrator. This dialog is - non-functional with a Samba share at this time, as the only - useful button, the <command>Add</command> button will not currently - allow a list of users to be seen.</para> - -</sect1> -<sect1> - <title>Viewing file ownership</title> - - <para>Clicking on the <command>"Ownership"</command> button - brings up a dialog box telling you who owns the given file. The - owner name will be of the form :</para> - - <para><command>"SERVER\user (Long name)"</command></para> - - <para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of - the Samba server, <replaceable>user</replaceable> is the user name of - the UNIX user who owns the file, and <replaceable>(Long name)</replaceable> - is the discriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). Click on the <command>Close - </command> button to remove this dialog.</para> - - <para>If the parameter <parameter>nt acl support</parameter> - is set to <constant>false</constant> then the file owner will - be shown as the NT user <command>"Everyone"</command>.</para> - - <para>The <command>Take Ownership</command> button will not allow - you to change the ownership of this file to yourself (clicking on - it will display a dialog box complaining that the user you are - currently logged onto the NT client cannot be found). The reason - for this is that changing the ownership of a file is a privilaged - operation in UNIX, available only to the <emphasis>root</emphasis> - user. As clicking on this button causes NT to attempt to change - the ownership of a file to the current user logged into the NT - client this will not work with Samba at this time.</para> - - <para>There is an NT chown command that will work with Samba - and allow a user with Administrator privillage connected - to a Samba 2.0.4 server as root to change the ownership of - files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the <emphasis>Seclib - </emphasis> NT security library written by Jeremy Allison of - the Samba Team, available from the main Samba ftp site.</para> - -</sect1> - -<sect1> - <title>Viewing file or directory permissions</title> - - <para>The third button is the <command>"Permissions"</command> - button. Clicking on this brings up a dialog box that shows both - the permissions and the UNIX owner of the file or directory. - The owner is displayed in the form :</para> - - <para><command>"SERVER\user (Long name)"</command></para> - - <para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of - the Samba server, <replaceable>user</replaceable> is the user name of - the UNIX user who owns the file, and <replaceable>(Long name)</replaceable> - is the discriptive string identifying the user (normally found in the - GECOS field of the UNIX password database).</para> - - <para>If the parameter <parameter>nt acl support</parameter> - is set to <constant>false</constant> then the file owner will - be shown as the NT user <command>"Everyone"</command> and the - permissions will be shown as NT "Full Control".</para> - - - <para>The permissions field is displayed differently for files - and directories, so I'll describe the way file permissions - are displayed first.</para> - - <sect2> - <title>File Permissions</title> - - <para>The standard UNIX user/group/world triple and - the correspinding "read", "write", "execute" permissions - triples are mapped by Samba into a three element NT ACL - with the 'r', 'w', and 'x' bits mapped into the corresponding - NT permissions. The UNIX world permissions are mapped into - the global NT group <command>Everyone</command>, followed - by the list of permissions allowed for UNIX world. The UNIX - owner and group permissions are displayed as an NT - <command>user</command> icon and an NT <command>local - group</command> icon respectively followed by the list - of permissions allowed for the UNIX user and group.</para> - - <para>As many UNIX permission sets don't map into common - NT names such as <command>"read"</command>, <command> - "change"</command> or <command>"full control"</command> then - usually the permissions will be prefixed by the words <command> - "Special Access"</command> in the NT display list.</para> - - <para>But what happens if the file has no permissions allowed - for a particular UNIX user group or world component ? In order - to allow "no permissions" to be seen and modified then Samba - overloads the NT <command>"Take Ownership"</command> ACL attribute - (which has no meaning in UNIX) and reports a component with - no permissions as having the NT <command>"O"</command> bit set. - This was chosen of course to make it look like a zero, meaning - zero permissions. More details on the decision behind this will - be given below.</para> - </sect2> - - <sect2> - <title>Directory Permissions</title> - - <para>Directories on an NT NTFS file system have two - different sets of permissions. The first set of permissions - is the ACL set on the directory itself, this is usually displayed - in the first set of parentheses in the normal <command>"RW"</command> - NT style. This first set of permissions is created by Samba in - exactly the same way as normal file permissions are, described - above, and is displayed in the same way.</para> - - <para>The second set of directory permissions has no real meaning - in the UNIX permissions world and represents the <command> - "inherited"</command> permissions that any file created within - this directory would inherit.</para> - - <para>Samba synthesises these inherited permissions for NT by - returning as an NT ACL the UNIX permission mode that a new file - created by Samba on this share would receive.</para> - </sect2> -</sect1> - -<sect1> - <title>Modifying file or directory permissions</title> - - <para>Modifying file and directory permissions is as simple - as changing the displayed permissions in the dialog box, and - clicking the <command>OK</command> button. However, there are - limitations that a user needs to be aware of, and also interactions - with the standard Samba permission masks and mapping of DOS - attributes that need to also be taken into account.</para> - - <para>If the parameter <parameter>nt acl support</parameter> - is set to <constant>false</constant> then any attempt to set - security permissions will fail with an <command>"Access Denied" - </command> message.</para> - - <para>The first thing to note is that the <command>"Add"</command> - button will not return a list of users in Samba 2.0.4 (it will give - an error message of <command>"The remote proceedure call failed - and did not execute"</command>). This means that you can only - manipulate the current user/group/world permissions listed in - the dialog box. This actually works quite well as these are the - only permissions that UNIX actually has.</para> - - <para>If a permission triple (either user, group, or world) - is removed from the list of permissions in the NT dialog box, - then when the <command>"OK"</command> button is pressed it will - be applied as "no permissions" on the UNIX side. If you then - view the permissions again the "no permissions" entry will appear - as the NT <command>"O"</command> flag, as described above. This - allows you to add permissions back to a file or directory once - you have removed them from a triple component.</para> - - <para>As UNIX supports only the "r", "w" and "x" bits of - an NT ACL then if other NT security attributes such as "Delete - access" are selected then they will be ignored when applied on - the Samba server.</para> - - <para>When setting permissions on a directory the second - set of permissions (in the second set of parentheses) is - by default applied to all files within that directory. If this - is not what you want you must uncheck the <command>"Replace - permissions on existing files"</command> checkbox in the NT - dialog before clicking <command>"OK"</command>.</para> - - <para>If you wish to remove all permissions from a - user/group/world component then you may either highlight the - component and click the <command>"Remove"</command> button, - or set the component to only have the special <command>"Take - Ownership"</command> permission (dsplayed as <command>"O" - </command>) highlighted.</para> -</sect1> - -<sect1> - <title>Interaction with the standard Samba create mask - parameters</title> - - <para>Note that with Samba 2.0.5 there are four new parameters - to control this interaction. These are :</para> - - <para><parameter>security mask</parameter></para> - <para><parameter>force security mode</parameter></para> - <para><parameter>directory security mask</parameter></para> - <para><parameter>force directory security mode</parameter></para> - - <para>Once a user clicks <command>"OK"</command> to apply the - permissions Samba maps the given permissions into a user/group/world - r/w/x triple set, and then will check the changed permissions for a - file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK"> - <parameter>security mask</parameter></ulink> parameter. Any bits that - were changed that are not set to '1' in this parameter are left alone - in the file permissions.</para> - - <para>Essentially, zero bits in the <parameter>security mask</parameter> - mask may be treated as a set of bits the user is <emphasis>not</emphasis> - allowed to change, and one bits are those the user is allowed to change. - </para> - - <para>If not set explicitly this parameter is set to the same value as - the <ulink url="smb.conf.5.html#CREATEMASK"><parameter>create mask - </parameter></ulink> parameter to provide compatibility with Samba 2.0.4 - where this permission change facility was introduced. To allow a user to - modify all the user/group/world permissions on a file, set this parameter - to 0777.</para> - - <para>Next Samba checks the changed permissions for a file against - the bits set in the <ulink url="smb.conf.5.html#FORCESECURITYMODE"> - <parameter>force security mode</parameter></ulink> parameter. Any bits - that were changed that correspond to bits set to '1' in this parameter - are forced to be set.</para> - - <para>Essentially, bits set in the <parameter>force security mode - </parameter> parameter may be treated as a set of bits that, when - modifying security on a file, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is set to the same value - as the <ulink url="smb.conf.5.html#FORCECREATEMODE"><parameter>force - create mode</parameter></ulink> parameter to provide compatibility - with Samba 2.0.4 where the permission change facility was introduced. - To allow a user to modify all the user/group/world permissions on a file, - with no restrictions set this parameter to 000.</para> - - <para>The <parameter>security mask</parameter> and <parameter>force - security mode</parameter> parameters are applied to the change - request in that order.</para> - - <para>For a directory Samba will perform the same operations as - described above for a file except using the parameter <parameter> - directory security mask</parameter> instead of <parameter>security - mask</parameter>, and <parameter>force directory security mode - </parameter> parameter instead of <parameter>force security mode - </parameter>.</para> - - <para>The <parameter>directory security mask</parameter> parameter - by default is set to the same value as the <parameter>directory mask - </parameter> parameter and the <parameter>force directory security - mode</parameter> parameter by default is set to the same value as - the <parameter>force directory mode</parameter> parameter to provide - compatibility with Samba 2.0.4 where the permission change facility - was introduced.</para> - - <para>In this way Samba enforces the permission restrictions that - an administrator can set on a Samba share, whilst still allowing users - to modify the permission bits within that restriction.</para> - - <para>If you want to set up a share that allows users full control - in modifying the permission bits on their files and directories and - doesn't force any particular bits to be set 'on', then set the following - parameters in the <ulink url="smb.conf.5.html"><filename>smb.conf(5) - </filename></ulink> file in that share specific section :</para> - - <para><parameter>security mask = 0777</parameter></para> - <para><parameter>force security mode = 0</parameter></para> - <para><parameter>directory security mask = 0777</parameter></para> - <para><parameter>force directory security mode = 0</parameter></para> - - <para>As described, in Samba 2.0.4 the parameters :</para> - - <para><parameter>create mask</parameter></para> - <para><parameter>force create mode</parameter></para> - <para><parameter>directory mask</parameter></para> - <para><parameter>force directory mode</parameter></para> - - <para>were used instead of the parameters discussed here.</para> -</sect1> - -<sect1> - <title>Interaction with the standard Samba file attribute - mapping</title> - - <para>Samba maps some of the DOS attribute bits (such as "read - only") into the UNIX permissions of a file. This means there can - be a conflict between the permission bits set via the security - dialog and the permission bits set by the file attribute mapping. - </para> - - <para>One way this can show up is if a file has no UNIX read access - for the owner it will show up as "read only" in the standard - file attributes tabbed dialog. Unfortunately this dialog is - the same one that contains the security info in another tab.</para> - - <para>What this can mean is that if the owner changes the permissions - to allow themselves read access using the security dialog, clicks - <command>"OK"</command> to get back to the standard attributes tab - dialog, and then clicks <command>"OK"</command> on that dialog, then - NT will set the file permissions back to read-only (as that is what - the attributes still say in the dialog). This means that after setting - permissions and clicking <command>"OK"</command> to get back to the - attributes dialog you should always hit <command>"Cancel"</command> - rather than <command>"OK"</command> to ensure that your changes - are not overridden.</para> -</sect1> - -</article> diff --git a/docs/docbook/howto/samba-pdc-howto.sgml b/docs/docbook/howto/samba-pdc-howto.sgml deleted file mode 100644 index 4b8380dd9e..0000000000 --- a/docs/docbook/howto/samba-pdc-howto.sgml +++ /dev/null @@ -1,778 +0,0 @@ - -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -<book id="samba-pdc-howto"> - -<title>The Samba 2.2 PDC HowTo </title> - -<!-- ======================================================== - - To produce html from this file - - jade -E10 -t sgml -d html.dsl ntdom.sgml - - This assumes that html.dsl is present in the current dir, it includes - a couple of defines and then refers to the DSSSL html stylesheet. - - =========================================================== --> - - -<bookinfo> - <author><firstname>David</><surname>Bannon</> - <affiliation><orgname>La Trobe University</orgname></affiliation> - </author> - <pubdate>November 2000</pubdate> -</bookinfo> - -<dedication><title></title> - - <para>Comments, corrections and additions to <email>dbannon@samba.org</email></para> - - <para> - This document explains how to setup Samba as a Primary Domain Controller and - applies to version 2.2.0. - Before - using these functions make sure you understand what the controller can and cannot do. - Please read the sections below in the Introduction. - As 2.2.0 is incrementally updated - this document will change or become out of date very quickly, make sure you are - reading the most current version. - </para> - - <para>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1, - Samba 2.0.7, TNG nor HEAD branch.</para> - - <para>It does apply to the current (post November 27th) cvs.</para> - - <para> - Also available is an updated version of Jerry Carter's NTDom <ulink url="samba-pdc-faq.html"> - FAQ</> that will answer lots of - the special 'tuning' questions that are not covered here. Over the next couple of weeks - some of the items here will be moved to the FAQ. - </para> - - -</dedication> - -<toc> </toc> - -<!-- ================ I N T R O D U C T I O N ==================== --> - -<chapter><title>Introduction</title> - -<para> -This document will show you one way of making Version 2.2.0 -of Samba perform some of the tasks of a -NT Primary Domain Controller. The facilities described are built into Samba as a result of -development work done over a number of years by a large number of people. These facilities -are only just beginning to be officially supported and although they do appear to work reliably, -if you use them then you take the risks upon your self. This document does not cover the -developmental versions of Samba, particularly -<ulink url="http://www.samba-tng.org/"><citetitle>Samba-TNG</citetitle></ulink> - - -</para> - - -<para>Note that <ulink url="http://bioserve.latrobe.edu.au/samba">Samba 2.0.7</> - supports significently less of the NT Domain facilities compared with 2.2.0 - </para> - -<para> - This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by - John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide - more detail and an insight to the development - cycle and should be considered 'further reading'. - -</para> - - -<sect1><title>What can we do ?</title> -<itemizedlist> - <listitem><para>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central - password database. WRT W2K, please see the section about adding machine - accounts and the Intro in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></listitem> - <listitem><para>Grant Administrator privileges to particular domain users on an - NT or W2K workstation.</para></listitem> - <listitem><para>Apply policies from a domain policy file to NT and W2K (?) - workstation.</para></listitem> - <listitem><para>Run the appropriate logon script when a user logs on to the domain - .</para></listitem> - <listitem><para>Maintain a user's local profile on the server.</para></listitem> - <listitem><para>Validate a user using another system via smb (such as smb_pam) and - soon winbind (?).</para></listitem> -</itemizedlist> -</sect1> - - -<sect1><title>What can't we do ?</title> -<itemizedlist> - <listitem><para> Become or work with a Backup Domain Controller (a BDC).</para></listitem> - <listitem><para> Participate in any sort of trust relationship (with either Samba or NT - Servers).</para></listitem> - <listitem><para> Offer a list of domain users to User Manager for Domains - on the Security Tab etc).</para></listitem> - <listitem><para>Be a W2K type of Domain Controller. Samba PDC will behave like - an NT PDC, W2K workstations connect in legacy mode.</para></listitem> -</itemizedlist> -</sect1> - -</chapter> - - -<!-- ================== I N S T A L L I N G ===================== --> - -<chapter><title>Installing</title> - - <para>Installing consists of the usual download, configure, make and make - install process. These steps are well documented elsewhere. - The <ulink url="samba-pdc-faq.html">FAQ</> discusses getting pre-release versions via CVS. - Then you need to configure the server.</para> - -<sect1><title>Start Up Script</title> - <para>Skip this section if you have a working Samba already. - Everyone has their own favourite startup script. Here is mine, offered with no warrantee - at all !</para> - -<programlisting> - - #!/bin/sh - # Script to control Samba server, David Bannon, 14-6-96 - # - # - PATH=/bin:/usr/sbin:/usr/bin - export PATH - case "$1" in - 'start') - if [ -f /usr/local/samba/bin/smbd ] - then - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - echo "Starting Samba Server" - fi - ;; - 'conf') - if [ -f /usr/local/samba/lib/smb.conf ] - then - vi /usr/local/samba/lib/smb.conf - fi - ;; - 'pw') - if [ -f /usr/local/samba/private/smbpasswd ] - then - vi /usr/local/samba/private/smbpasswd - fi - ;; - 'who') - /usr/local/samba/bin/smbstatus -b - ;; - 'restart') - psline=`/bin/ps x | grep smbd | grep -v grep` - - if [ "$psline" != "" ] - then - while [ "$psline" != "" ] - do - psline=`/bin/ps x | fgrep smbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -HUP $pid - echo "Stopped $pid line = $psline" - sleep 2 - fi - done - fi - echo "Stopped Samba servers" - ;; - 'stop') - psline=`/bin/ps x | grep smbd | grep -v grep` - - if [ "$psline" != "" ] - then - while [ "$psline" != "" ] - do - psline=`/bin/ps x | fgrep smbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -9 $pid - echo "Stopped $pid line = $psline" - sleep 2 - fi - done - fi - echo "Stopped Samba servers" - psline=`/bin/ps x | grep nmbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -9 $pid - echo "Stopped Name Server " - fi - echo "Stopped Name Servers" - ;; - *) - echo "usage: samba {start | restart |stop | conf | pw | who}" - ;; - esac - -</programlisting> - -<para> Use this script, or some other one, you will need to ensure its used while the machine - is booting. (This typically involves <filename>/etc/rc.d</filename>, we'll be - assuming that there is a script called - samba in <filename>/etc/rc.d/init.d</filename> further down in this document.) -</para> -</sect1> - -<sect1><title>Config File</title> - -<sect2><title id=configfile>A sample conf file</title> - <para>Here is a fairly minimal config file to do PDC. It will also make the server - become the browse master for the - specified domain (not necessary but usually desirable). You will need to change only - two parameters to make this - file work, <filename>wins server</filename> and <filename>workgroup</filename>, plus - you will need to put your own name (not mine!) in the <filename>domain admin users</> fields. - Some of the parameters are discussed further down this document.</para> - - <para>Assuming you have used the default install directories, this file should appear as - <filename>/usr/local/samba/lib/smb.conf</filename>. It should not be - writable by anyone except root.</para> - - <note><para>The 'add user script' parameter is a work-around, watch for changes !</></> - - <programlisting> - - [global] - security = user - status = yes - workgroup = { Your domain name here } - wins server = { ip of a wins server if you have one } - encrypt passwords = yes - domain logons =yes - logon script = scripts\%U.bat - domain admin group = @adm - add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$ - guest account = ftp - share modes=no - os level=65 - [homes] - guest ok = no - read only = no - create mask = 0700 - directory mask = 0700 - oplocks = false - locking = no - [netlogon] - path = /usr/local/samba/netlogon - writeable = no - guest ok = no - -</programlisting> - -</sect2> - -<sect2><title>PDC Config Parameters</title> - - -<variablelist><title>There are a huge range of parameters that may appear in a smb.conf file. Some - that may be of interest to a PDC are :</title> - -<varlistentry><term>add user script</term> - <listitem><para>This parameter specifies a script (or program) that will be run - to add a user to the system. Here it is being used to add a machine, not a user. - This is probably not very nice and may change. But it does work !</para> - - <para>For this example, I have a group called 'machines', entries can be added to - <filename>/etc/passwd</> using a programme called <filename>/usr/adduser</> and - the other parameters are chosen as suitable for a machine account. Works for - RH Linux, your system may require changes.</para> - </listitem> -</varlistentry> - - -<varlistentry><term>domain admin group = @adm</term> - <listitem><para>This parameter specifies a unix group whose members will be granted - admin privileges on a NT workstation when - logged onto that workstation. See the section called <link linkend=domainadmin> - Domain Admin</> Accounts.</para> - </listitem> -</varlistentry> - -<varlistentry><term>domain admin users = user1 users2</term> - <listitem><para>It appears that this parameter does not funtion correctly at present. - Use the 'domain admin group' instread. This parameter specifies a unix user who will - be granted admin privileges - on a NT workstation when - logged onto that workstation. See the section called <link linkend=domainadmin> - Domain Admin</> Accounts.</para> - </listitem> -</varlistentry> - -<varlistentry><term>encrypt passwords = yes</term> - <listitem><para>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that - turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you - should) you must use encrypted passwords.</para> - </listitem> -</varlistentry> - -<varlistentry><term>logon script = scripts\%U.bat</term> - <listitem><para>This will make samba look for a logon script named after the user - (eg joeblow.bat). - See the section further on called <link linkend=logonscript>Logon Scripts</></para> - <note><para>Note that the slash is like this '\', not like this '/'. - NT is happy with both, win95 is not !</para></note> - </listitem> -</varlistentry> - -<varlistentry><term>logon path</term> - <listitem><para>Lets you specify where you would like users profiles kept. The default, that is in the users - home directory, does encourage a bit of fiddling.</para> - </listitem> -</varlistentry> - - -</variablelist> - - -</sect2> -</sect1> - -<sect1><title>Special directories</title> - <para>You need to create a couple of special files and directories. Its nice - to have some of the binaries handy too, so I create links to them. Assuming - you have used the default samba location and have not - changed the locations mentioned in the sample config file, do the following :</para> - - <programlisting> - - mkdir /usr/local/samba/netlogon - mkdir /usr/local/samba/netlogon/scripts - mkdir /usr/local/samba/private - touch /usr/local/samba/private/smbpasswd - chmod go-rwx /usr/local/samba/private/smbpasswd - cd /usr/local/sbin - ln -s /usr/local/samba/bin/smbpasswd - ln -s /usr/local/samba/bin/smbclient - ln -s /etc/rc.d/init.d/samba -</programlisting> - - <para>Make sure permissions are appropriate !</para> - - <para>OK, if you have used the scripts above and have a path to where the links are do this to start up - the Samba Server :</para> - - <para><command>samba start</command></para> - - <para>Instead, you might like to reboot the machine to make sure that you - got the init stuff right. Any way, a quick look in the logs - <filename>/usr/local/samba/var/log.smbd</filename> and <filename> - /usr/local/samba/var/log/nmbd</filename> - will give you an idea of what's happening. Assuming all is well, lets create - some accounts...</para> -</sect1> -</chapter> - - <!-- ================== U S E R and M A C H I N E A C C O U N T S ================ --> - -<chapter><title>User and Machine Accounts</title> -<sect1><title>Logon Accounts</title> - - <para><emphasis role=bold>This section is very nearly out of date already !</emphasis> It - appears that while you are reading it, Jean Francois Micou is making it - redundant ! Jean Francois is adding facilities to add users - (via User Manager) and machines (when joining the domain) and it looks like these facilities will - make it into the official release of 2.2.</para> - - - <para>Every user and NTws (and other samba servers) that will be on the domain - must have its own passwd entry in both <filename>/etc/passwd</filename> and - <filename>/usr/local/samba/private/smbpasswd</filename> . - The <filename>/etc/passwd</filename> entry is really - only to reserve a user ID. The NT encrypted password is stored in - <filename>/usr/local/samba/private/smbpasswd</filename>. - (Note that win95/98 machines don't need an account as they don't do - any security aware things.)</para> - - <para>Samba 2.2 will now create these entries for us. Carefull set up is required - and there may well be some changes to this system before its released. - </para> -</sect1> - -<sect1 id=machineaccount><title>Machine Accounts</title> - - <note><para>There is an entry in the ntdom <ulink url="samba-pdc-faq.html">FAQ</> explaining how to create - machine entries manually.</para></note> - - -<variablelist><title><emphasis>At present</> to have the machine accounts created when a machine joins - the domain a number of conditions must be met :</title> - -<varlistentry><term>Only root can do it !</term> - <listitem><para>There must be an entry in <filename>/usr/local/samba/private/smbpasswd</filename> - for root and root must be mentioned in <filename>domain admins</filename>. This may - be fixed some time in the future so any 'domain admin' can do it. If you don't - like having root as a windows logon account, make the machine - entries manually (both of them).</para> - </listitem> -</varlistentry> - -<varlistentry><term>Use the <filename>add user script</></term> - <listitem><para>Again, this looks a bit like a 'work around'. Use a suitable - command line to add a machine account <link linkend=configfile>see above</link>, - and pass it %m$, that is %m to get machine name plus the '$'. Now, this - means you cannot use the <filename>add user script</> to really add users .... </para> - </listitem> -</varlistentry> - -<varlistentry><term>Only for W2K</term> - <listitem><para>This automatic creation of machine accounts does not work for - NT4ws at present. Watch this space.</para></listitem></varlistentry> -</variablelist> - -</sect1> - -<sect1><title>Joining the Domain</title> - - <para>You must have either added the machine account entries manually (NT4 ws) - or set up the automatic system (W2K), <link linkend=machineaccount>see Machine Accounts</link> - before proceeding.</para> - -<variablelist> -<varlistentry><term><command>Windows NT</></term><listitem> -<itemizedlist> - <listitem><para> (<emphasis>this step may not be necessary some time in the near future</>). - On the samba server that is the PDC, add a machine account manually - as per the instructions in the <ulink url="samba-pdc-faq.html">FAQ</> - Then give the command <command>smbpasswd -a -m {machine}</> substituting in the - client machine name.</para></listitem> - <listitem><para> Logon to the NTws in question as a local admin, go to the - <command>Control Panel, Network IdentificationTag</command>.</para></listitem> - <listitem><para> Press the <command>Change</> button.</para></listitem> - <listitem><para> Enter the Domain name (from the 'Workgroup' parameter, smb.conf) - in the Domain Field.</para></listitem> -<!-- <listitem><para> Now enter a user name - and password for a Domain Admin <emphasis>(Who must be root - until a pre-release bug is fixed)</emphasis> and press - 'OK'.</para></listitem> --> - <listitem><para> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'. - Allow to reboot.</para></listitem> -</itemizedlist> -</listitem></varlistentry> - -<varlistentry><term><command>Windows 2000</></term><listitem> -<itemizedlist> - <listitem><para>Logon to the W2k machine as Administrator, go to the Control - Panel and double click on <command>Network and Dialup Connections</>. - </para></listitem> - <listitem><para>Pull down the <command>Advanced</> menu and choose - <command>Network Identification</>. Press <command>Properties - </>. </para></listitem> - <listitem><para>Choose <command>Domain</> and enter the domain name. Press 'OK'.</para></listitem> - <listitem><para>Now enter a user name and password for a Domain Admin - <emphasis>(Who must be root until a pre-release bug is fixed)</emphasis> and press - 'OK'.</para></listitem> - <listitem><para>Wait for the confirmation, reboot when prompted.</para></listitem> -</itemizedlist> - <para>To remove a W2K machine from the domain, follow the first two steps then - choose <command>Workgroup</>, enter a work group name (or just WORKGROUP) and follow - the prompts.</para> -</listitem></varlistentry> - - -</variablelist> - -</sect1> - -<sect1><title id=useraccount>User Accounts</title> - - <para><emphasis>Again, doing it manually (cos' the auto way is not working pre-release). - </emphasis> - In our simple case every domain user should have an account on the PDC. The - account may have a null shell if they are not allowed to log on to the unix - prompt. Again they need an entry in both the <filename>/etc/passwd</filename> and - <filename>/usr/local/samba/private/smbpasswd</filename>. Again a password is - not necessary in <filename>/etc/passwd</filename> but the location - of the home directory is honoured. - To make an entry for a user called Joe Blow you would typically do the following :</para> - - <para><command>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</command></para> - - <para><command>smbpasswd -a joeblow</command></para> - - <para>And you will prompted to enter a password for Joe. Ideally he will be - hovering over your shoulder and will, when asked, type in a password of - his choice. There are a number of scripts and systems to ease the migration of users - from somewhere to samba. Better start looking !</para> -</sect1> - -<sect1><title id=domainadmin>Domain Admin Accounts</title> - - <para>Certain operations demand that the logged on user has Administrator - privileges, typically installing software and - doing maintenance tasks. It is very simple to appoint some users as Domain Admins, - most likely yourself. Make - sure you trust the appointee !</para> - - <para>Samba 2.2 recognizes particular users as being - domain admins and tells the NTws when it thinks that it has got one logged on. - In the smb.conf file we declare - that the <filename>Domain Admin group = @adm</filename>. - Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when - logged onto the Domain. They will have full Administrator rights - including the rights to change permissions on files and run the system - utilities such as Disk Administrator. Add users to the group by editing <filename> - /etc/group/</>. You do not need to use the 'adm' group, choose any one you like.</para> - - <para>Further, and this is very new, they will be allowed to create a - new machine account when first connecting a new NT or W2K machine to - the domain. <emphasis>However, at present, ie pre-release, only a Domain Admin who - also happens to be root can do so. </emphasis></para> -</sect1> -</chapter> - - -<!-- ======== P R O F I L E S P O L I C I E S and L O G O N S C R I P T S ======= --> - -<chapter><title>Profiles, Policies and Logon Scripts</title> - -<sect1><title>Profiles</title> - - <para>NT Profiles should work if you have followed the setup so far. - A user's profile contains a whole lot of their personal settings, - the contents of their desktop, personal 'My Documents' and so on. - When they log off, all of the profile is copied to their directory - on the server and is downloaded again when they logon on again, possibly - on another client machine.</para> - - <para>Sounds great but can be a bit of a bug bear sometimes. Users let - their profiles get too big and then complain about how long it takes - to log on each time. This sample setup only supports NT profiles, - rumor has it that it is also possible to do the same on Win95, my - users don't know and I'm not telling them.</para> - - <note><para>There is more info about Profiles (including for W95/98) - in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></note> -</sect1> - -<sect1><title>Policies</title> - - <para>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol - file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws. - Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or - maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles - on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor - that comes with NTws.</para> - - <note><para>See the <ulink url="samba-pdc-faq.html">FAQ</> for pointers on how to get a suitable Policy Editor.</para></note> - - <para>The Policy Editor (and associated files) will create a - <filename>ntconfig.pol</filename> file using the - parameters Microsoft thought of and parameters you specify by making your own - template file.</para> - - <para>In our example configuration here, Samba will expect to find - the <filename>ntconfig.pol</filename> file in - <filename>/usr/local/samba/netlogon</filename>. Needless to say (I hope !), - it is vitally important that ordinary users don't have - write permission to the Policy files.</para> -</sect1> - -<sect1><title id=logonscript>Logon Scripts</title> - - <para>In the sample config file above there is a line - <filename>logon script = scripts\%U.bat</filename></para> - - <note><para>Note that the slash is like this '\' not like this '/'. - NT is happy with both, win95 is not !</para></note> - - <para>This allows you to run a dos batch file every time someone logs on. The batch - file is located on the server, in the sample install mentioned here, - its in <filename>/usr/local/samba/netlogon/scripts</filename> and - is named after the user with <filename>.bat</filename> appended, eg Joe - Blow's script is called <filename>/usr/local/samba/netlogon/scripts/joeblow.bat</filename>.</para> - - <note><para>There is a suggestion that user names longer than 8 characters may cause - problems with some systems being unable to run logon scripts. This is confirmed in earlier - versions when connecting using W95, comments about other combinations ??</para></note> - - <para>You could use a line like this <filename>logon script = default.bat</> and samba - will supply <filename>/usr/local/samba/netlogon/default.bat</> for any client and every - user. Maybe you could use %m and get a client machine dependant logon script. - You get the idea...</para> - - <para>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client - computer with the logon user's permissions. It must be a dos file with each line ending with - the dos cr/lf not a nice clean newline. Generally, - its best to create the initial file on a DOS system and copy it across.</para> - - <para>There is lots of very clever uses of the Samba replaceable variables such - ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to - give you control over which script runs when a particular person logs - on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</para> - - <para>Again, it is vitally important that ordinary users don't have write - permission to other peoples, or even probably their own, logon script files.</para> - - <para>A typical logon script is reproduced below. Note that it runs separate - commands for win95 and NT, that's because NT has slightly different behaviour - when using the <filename>net use ..</filename> command. Its useful for lots of - other situations too. I don't know what syntax to use for win98, I don't use it - here.</para> - -<programlisting> - - rem Default logon script, create links to this file. - - net time \\bioserve /set /yes - @echo off - if %OS%.==Windows_NT. goto WinNT - - :Win95 - net use k: \\trillion\bio_prog - net use p: \\bcfile\homes - goto end - :WinNT - net use k: \\trillion\bio_prog /persistent:no - net use p: \\bcfile\homes /persistent:no - - :end - -</programlisting> -</sect1> -</chapter> - -<chapter><title>Passwords and Authentication</title> - - <para>So far our configuration assumes that ordinary users don't have unix logon access. A change - to the <link linkend=useraccount><filename>adduser</></> line above would allow unix logon - but it would be with passwords that may - be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users - that they need to change their passwords in two seperate places is not fun. - Further, even if they cannot do a unix logon there are other processes that - might require authentication. We have a nice securely encrypted password in - <filename>/usr/local/samba/private/smbpasswd</filename>, why not use it ?</para> - -<sect1><title></> -<sect2><title>Syncing Passwords</title> - - <para>Yes, its possible and seems the easiest way (initially anyway). - The <ulink url="samba-pdc-faq.html">FAQ</> details how to - do so in the sections <emphasis>What is password sync and should I use it ?</> and <emphasis> - How do I get remote password (unix and SMB) changing working ?</></para> - -</sect2> - -<sect2><title>Using PAM</title> - <para>Pam enabled systems have a much better solution available. The Samba - PDC server will offer to authenticate domain users to other processes - (either on this server or on the domain). With a suitable pam stack - such as <ulink url="http://www.csn.ul.ie/~airlied/pam_smb/"> Pam_smb</ulink> - you can get any pam aware application looking to the samba password and - can leave the password field in <filename>/etc/shadow</filename> - or <filename>/etc/passwd</filename> invalid.</para> -</sect2> - -<sect2><title>Authenticating other Samba Servers</title> - <para>In a domain that has a number of servers you only need one password database. - The machines that don't have their own ask the PDC to check for them. - This will work fine for a domain controlled by either a Samba or NT machine.</para> - - <para>To do so the Samba machine must be told to refer to the PDC and where the PDC is. - See the section in the NTDom <ulink url="samba-pdc-faq.html">FAQ</> called <emphasis>How do I get my samba server to - become a member ( not PDC ) of an NT domain?</></para> - - -</sect2> -</sect1> -</chapter> - - -<chapter><title>Background</title> - -<sect1><title></title> -<sect2><title>History</title> - - <para>It might help you understand the limitations of the PDC in Samba if you - read something of its history. Well, the history as I understand it anyway.</para> - - <para>For many years the Samba team have been developing Samba, some time ago - a number of people, possibly lead by Luke Leighton started contributing NT - PDC stuff. This was added to the 'head' stream (that would eventually - become the next version) and later to a seperate stream (NTDom). They did so - much that eventually this development stream was so mutated that it could not - be merged back into the main stream and was abandoned towards the end of 1999. - And that was very sad because many users, myself include had become heavily - dependant on the NTController facilities it offered. Oh well...</para> - - <para>The NTDom team continued on with their new found knowledge however and - built the TNG stream. Intended to be carefully controlled so that it can be - merged back into the main stream and benefiting from what they learnt, it is - a very different product to the origional NTDom product. However, for a - number of reasons, the merge did not take place and now TNG is being developed - at <ulink url="http://www.samba-tng.org">http://www.samba-tng.org</>.</para> - - <para>Now, the NTDom things that the main strean 2.0.x version does is based more - on the old (initial version) abandoned code than on the TNG ideas. It appears - that version 2.2.0 will also include an improved version of the 2.0.7 domain - controller charactistics, not the TNG ways. The developers have indicated - that 2.2.0 will be further developed incrementally and the ideas from TNG - incorporated into it.</para> - - <para>One more little wriggle is worth mentioning. At one stage the NTDom - stream was called Samba 2.1.0-prealpha and similar names. This is most - unfortunate because at least one book published advises people who want to - use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon - be called 2.2.0 and NOT officially supporting NTDom Controlling functions, - the potential for confusion is certainly there.</para> -</sect2> - -<sect2><title>The Future</title> - - <para>There is a document on the Samba mirrors called <emphasis>'Development' - </emphasis>. It offers the 'best guess' of what is planned for future releases - of Samba.</para> - - <para>The future of Samba as a Primary Domain Controller appears rosie, however - be aware that its the future, not the present. The developers are strongly committed - to building a full featured PDC into Samba but it will take time. If this - version does not meet your requirements then you should consider (in no particular - order) :</para> - - <itemizedlist> - <listitem><para> Wait. No, we don't know how long. Repeated asking won't help.</para></listitem> - <listitem><para>Investigate the development versions, TNG perhaps or HEAD where new code is being added - all the time. Realise that development code is often unstable, poorly documented and subject to change. - You will need to use cvs to download development versions.</para></listitem> - <listitem><para>Join one of the Samba mailing lists so that you can find out - what is happening on the 'bleeding edge'.</para></listitem> - </itemizedlist> -</sect2> - -<sect2><title>Getting further help</title> - - <para>This document cannot possibly answer all your questions. Please understand that its very - likely that someone has been confrounted by the same problem that you have. The - <ulink url="samba-pdc-faq.html">FAQ</> - discusses a number of possible paths to take to get further help :</para> - - - <itemizedlist> - <listitem><para>Documents on the Samba Sites.</para></listitem> - <listitem><para>Other web sites.</para></listitem> - <listitem><para>Mailing list.</para></listitem> - </itemizedlist> - - <para>There is some discussion about guide lines for using the Mailing Lists on the - accompanying <ulink url="samba-pdc-faq.html">FAQ</>, - please read them before posting.</para> - -</sect2> -</sect1> -</chapter> - -</book> diff --git a/docs/docbook/manpages/nmbd.8.sgml b/docs/docbook/manpages/nmbd.8.sgml index 2d873a1e40..edfa9b4fca 100644 --- a/docs/docbook/manpages/nmbd.8.sgml +++ b/docs/docbook/manpages/nmbd.8.sgml @@ -24,7 +24,7 @@ <arg choice="opt">-V</arg> <arg choice="opt">-d <debug level></arg> <arg choice="opt">-H <lmhosts file></arg> - <arg choice="opt">-l <log file></arg> + <arg choice="opt">-l <log directory></arg> <arg choice="opt">-n <primary netbios name></arg> <arg choice="opt">-p <port number></arg> <arg choice="opt">-s <configuration file></arg> @@ -162,17 +162,14 @@ </varlistentry> <varlistentry> - <term>-l <log file></term> - <listitem><para>The -l parameter specifies a path - and base filename into which operational data from - the running <command>nmbd</command> server will - be logged. The actual log file name is generated by - appending the extension ".nmb" to the specified base - name. For example, if the name specified was "log" - then the file log.nmb would contain the debugging data.</para> - - <para>The default log file path is compiled into Samba as - part of the build process. Common defaults are <filename> + <term>-l <log directory></term> + <listitem><para>The -l parameter specifies a directory + into which the "log.nmbd" log file will be created + for operational data from the running + <command>nmbd</command> server.</para> + + <para>The default log directory is compiled into Samba + as part of the build process. Common defaults are <filename> /usr/local/samba/var/log.nmb</filename>, <filename> /usr/samba/var/log.nmb</filename> or <filename>/var/log/log.nmb</filename>.</para></listitem> diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml index 6093d6dc42..f32e2f9ece 100644 --- a/docs/docbook/manpages/rpcclient.1.sgml +++ b/docs/docbook/manpages/rpcclient.1.sgml @@ -135,7 +135,7 @@ <term>-U username[%password]</term> <listitem><para>Sets the SMB username or username and password. </para> - <para>If %password is not specified, The user will be prompted. The + <para>If %password is not specified, the user will be prompted. The client will first check the <envar>USER</envar> environment variable, then the <envar>LOGNAME</envar> variable and if either exists, the string is uppercased. If these environmental variables are not diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index b3be01677b..a7328e7cf6 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -436,8 +436,8 @@ <term>%a</term> <listitem><para>the architecture of the remote machine. Only some are recognized, and those may not be - 100% reliable. It currently recognizes Samba, WfWg, - WinNT and Win95. Anything else will be known as + 100% reliable. It currently recognizes Samba, WfWg, Win95, + WinNT and Win2k. Anything else will be known as "UNKNOWN". If it gets it wrong then sending a level 3 log to <ulink url="mailto:samba@samba.org">samba@samba.org </ulink> should allow it to be fixed.</para></listitem> @@ -636,6 +636,14 @@ <listitem><para><link linkend="KERNELOPLOCKS"><parameter>kernel oplocks</parameter></link></para></listitem> <listitem><para><link linkend="LANMANAUTH"><parameter>lanman auth</parameter></link></para></listitem> <listitem><para><link linkend="LARGEREADWRITE"><parameter>large readwrite</parameter></link></para></listitem> + + <listitem><para><link linkend="LDAPADMINDN"><parameter>ldap admin dn</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPFILTER"><parameter>ldap filter</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPPORT"><parameter>ldap port</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSERVER"><parameter>ldap server</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSSL"><parameter>ldap ssl</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem> + <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem> <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem> <listitem><para><link linkend="LOADPRINTERS"><parameter>load printers</parameter></link></para></listitem> @@ -671,7 +679,6 @@ <listitem><para><link linkend="NETBIOSNAME"><parameter>netbios name</parameter></link></para></listitem> <listitem><para><link linkend="NETBIOSSCOPE"><parameter>netbios scope</parameter></link></para></listitem> <listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem> - <listitem><para><link linkend="NTACLSUPPORT"><parameter>nt acl support</parameter></link></para></listitem> <listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem> <listitem><para><link linkend="NTSMBSUPPORT"><parameter>nt smb support</parameter></link></para></listitem> <listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem> @@ -710,6 +717,7 @@ <listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem> <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem> <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem> + <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem> <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem> <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem> @@ -717,6 +725,9 @@ <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem> <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem> <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem> + <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem> + <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem> + <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem> <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem> <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem> <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem> @@ -724,6 +735,7 @@ <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem> <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem> <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem> + <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem> <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem> <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem> @@ -737,6 +749,7 @@ <listitem><para><link linkend="TOTALPRINTJOBS"><parameter>total print jobs</parameter></link></para></listitem> <listitem><para><link linkend="UNIXPASSWORDSYNC"><parameter>unix password sync</parameter></link></para></listitem> <listitem><para><link linkend="UPDATEENCRYPTED"><parameter>update encrypted</parameter></link></para></listitem> + <listitem><para><link linkend="USEMMAP"><parameter>use mmap</parameter></link></para></listitem> <listitem><para><link linkend="USERHOSTS"><parameter>use rhosts</parameter></link></para></listitem> <listitem><para><link linkend="USERNAMELEVEL"><parameter>username level</parameter></link></para></listitem> <listitem><para><link linkend="USERNAMEMAP"><parameter>username map</parameter></link></para></listitem> @@ -831,6 +844,7 @@ <listitem><para><link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter></link></para></listitem> <listitem><para><link linkend="MINPRINTSPACE"><parameter>min print space</parameter></link></para></listitem> <listitem><para><link linkend="MSDFSROOT"><parameter>msdfs root</parameter></link></para></listitem> + <listitem><para><link linkend="NTACLSUPPORT"><parameter>nt acl support</parameter></link></para></listitem> <listitem><para><link linkend="ONLYGUEST"><parameter>only guest</parameter></link></para></listitem> <listitem><para><link linkend="ONLYUSER"><parameter>only user</parameter></link></para></listitem> <listitem><para><link linkend="OPLOCKCONTENTIONLIMIT"><parameter>oplock contention limit</parameter></link></para></listitem> @@ -863,6 +877,7 @@ <listitem><para><link linkend="SETDIRECTORY"><parameter>set directory</parameter></link></para></listitem> <listitem><para><link linkend="SHORTPRESERVECASE"><parameter>short preserve case</parameter></link></para></listitem> <listitem><para><link linkend="STATUS"><parameter>status</parameter></link></para></listitem> + <listitem><para><link linkend="STRICTALLOCATE"><parameter>strict allocate</parameter></link></para></listitem> <listitem><para><link linkend="STRICTLOCKING"><parameter>strict locking</parameter></link></para></listitem> <listitem><para><link linkend="STRICTSYNC"><parameter>strict sync</parameter></link></para></listitem> <listitem><para><link linkend="SYNCALWAYS"><parameter>sync always</parameter></link></para></listitem> @@ -2331,8 +2346,8 @@ <parameter>workgroup</parameter></link> it is in. Samba 2.2 also has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see - the file DOMAINS.txt in the Samba documentation directory <filename>docs/ - </filename> shipped with the source code.</para> + the Samba-PDC-HOWTO included in the <filename>htmldocs/</filename> + directory shipped with the source code.</para> <para>Default: <command>domain logons = no</command></para></listitem> </varlistentry> @@ -2636,12 +2651,6 @@ mode after the mask set in the <parameter>create mask</parameter> parameter is applied.</para> - <para>Note that by default this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - this mask on access control lists also, they need to set the <link - linkend="RESTRICTACLWITHMASK"><parameter>restrict acl with - mask</parameter></link> to <constant>true</constant>.</para> - <para>See also the parameter <link linkend="CREATEMASK"><parameter>create mask</parameter></link> for details on masking mode bits on files.</para> @@ -2670,12 +2679,6 @@ mask in the parameter <parameter>directory mask</parameter> is applied.</para> - <para>Note that by default this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - this mask on access control lists also, they need to set the <link - linkend="RESTRICTACLWITHMASK"><parameter>restrict acl with - mask</parameter></link> to <constant>true</constant>.</para> - <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter> directory mask</parameter></link> for details on masking mode bits on created directories.</para> @@ -3388,6 +3391,150 @@ + <varlistentry> + <term><anchor id="LDAPADMINDN">ldap admin dn (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + The <parameter>ldap admin dn</parameter> defines the Distinguished + Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap + server</link> when retreiving user account information. The <parameter>ldap + admin dn</parameter> is used in conjunction with the admin dn password + stored in the <filename>private/secrets.tdb</filename> file. See the + <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> man + page for more information on how to accmplish this. + </para> + + + <para>Default : <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPFILTER">ldap filter (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This parameter specifies the RFC 2254 compliant LDAP search filter. + The default is to match the login name with the <constant>uid</constant> + attribute for all entries matching the <constant>sambaAccount</constant> + objectclass. Note that this filter should only return one entry. + </para> + + + <para>Default : <command>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPPORT">ldap port (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This option is used to control the tcp port number used to contact + the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>. + The default is to use the stand LDAP port 389. + </para> + + <para>Default : <command>ldap port = 389</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPSERVER">ldap server (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This parameter should contains the FQDN of the ldap directory + server which should be queried to locate user account information. + </para> + + + + <para>Default : <command>ldap server = localhost</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPSSL">ldap ssl (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This option is used to define whether or not Samba should + use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap + server</parameter></link>. This is <emphasis>NOT</emphasis> related to + Samba SSL support which is enabled by specifying the + <command>--with-ssl</command> option to the <filename>configure</filename> + script (see <link linkend="SSL"><parameter>ssl</parameter></link>). + </para> + + <para> + The <parameter>ldap ssl</parameter> can be set to one of three values: + (a) <command>on</command> - Always use SSL when contacting the + <parameter>ldap server</parameter>, (b) <command>off</command> - + Never use SSL when querying the directory, or (c) <command>start + tls</command> - Use the LDAPv3 StartTLS extended operation + (RFC2830) for communicating with the directory server. + </para> + + + <para>Default : <command>ldap ssl = off</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="LDAPSUFFIX">ldap suffix (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + + + <para>Default : <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + + + <varlistentry> @@ -4615,7 +4762,7 @@ <term><anchor id="MSDFSROOT">msdfs root (S)</term> <listitem><para>This boolean parameter is only available if Samba is configured and compiled with the <command> - --with-msdfs</command> option. If set to <constant>yes></constant>, + --with-msdfs</command> option. If set to <constant>yes</constant>, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic @@ -4654,7 +4801,7 @@ </filename>, NIS, or DNS lookups. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the <filename>/etc/nsswitch.conf</filename> - file). Note that this method is only used if the NetBIOS name + file. Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored.</para></listitem> @@ -4768,10 +4915,12 @@ <varlistentry> - <term><anchor id="NTACLSUPPORT">nt acl support (G)</term> + <term><anchor id="NTACLSUPPORT">nt acl support (S)</term> <listitem><para>This boolean parameter controls whether <ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map - UNIX permissions into Windows NT access control lists.</para> + UNIX permissions into Windows NT access control lists. + This parameter was formally a global parameter in releases + prior to 2.2.2.</para> <para>Default: <command>nt acl support = yes</command></para> </listitem> @@ -5080,7 +5229,7 @@ <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link> parameter is set to true, the chat pairs - may be matched in any order, and sucess is determined by the PAM result, + may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions. </para> @@ -5202,7 +5351,7 @@ made - the password as is and the password in all-lower case.</para> <para>Default: <command>password level = 0</command></para> - <para>Example: <command>password level = 4</command</para> + <para>Example: <command>password level = 4</command></para> </listitem> </varlistentry> @@ -5511,8 +5660,9 @@ </parameter> and <parameter>%f</parameter> will be replaced by the appropriate spool file name, and all occurrences of <parameter>%p </parameter> will be replaced by the appropriate printer name. The - spool file name is generated automatically by the server, the printer - name is discussed below.</para> + spool file name is generated automatically by the server. The + <parameter>%J</parameter> macro can be used to access the job + name as transmitted by the client.</para> <para>The print command <emphasis>MUST</emphasis> contain at least one occurrence of <parameter>%s</parameter> or <parameter>%f @@ -5551,7 +5701,7 @@ or PLP :</command></para> <para><command>print command = lpr -r -P%p %s</command></para> - <para>For <command>printing = SYS or HPUX :</command></para> + <para>For <command>printing = SYSV or HPUX :</command></para> <para><command>print command = lp -c -d%p %s; rm %s</command></para> <para>For <command>printing = SOFTQ :</command></para> @@ -5803,7 +5953,7 @@ <parameter>lprm command</parameter> if specified in the [global] section.</para> - <para>Currently eight printing styles are supported. They are + <para>Currently nine printing styles are supported. They are <constant>BSD</constant>, <constant>AIX</constant>, <constant>LPRNG</constant>, <constant>PLP</constant>, <constant>SYSV</constant>, <constant>HPUX</constant>, @@ -6076,34 +6226,6 @@ - <varlistentry> - <term><anchor id="RESTRICTACLWITHMASK">restrict acl with mask (S)</term> - <listitem><para>This is a boolean parameter. If set to <constant>false</constant> (default), then - creation of files with access control lists (ACLS) and modification of ACLs - using the Windows NT/2000 ACL editor will be applied directly to the file - or directory.</para> - - <para>If set to <constant>true</constant>, then all requests to set an ACL on a file will have the - parameters <link linkend="CREATEMASK"><parameter>create mask</parameter></link>, - <link linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link> - applied before setting the ACL, and all requests to set an ACL on a directory will - have the parameters <link linkend="DIRECTORYMASK"><parameter>directory - mask</parameter></link>, <link linkend="FORCEDIRECTORYMODE"><parameter>force - directory mode</parameter></link> applied before setting the ACL. - </para> - - <para>See also <link linkend="CREATEMASK"><parameter>create mask</parameter></link>, - <link linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link>, - <link linkend="DIRECTORYMASK"><parameter>directory mask</parameter></link>, - <link linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter></link> - </para> - - <para>Default: <command>restrict acl with mask = no</command></para> - </listitem> - </varlistentry> - - - <varlistentry> <term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term> @@ -6253,7 +6375,7 @@ <command>security = server</command> or <command>security = domain </command>.</para> - <para>In versions of Samba prior to 2..0, the default was + <para>In versions of Samba prior to 2.0.0, the default was <command>security = share</command> mainly because that was the only option at one stage.</para> @@ -6787,10 +6909,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable enables or disables the entire SSL mode. If it is set to <constant>no</constant>, the SSL-enabled Samba behaves exactly like the non-SSL Samba. If set to <constant>yes</constant>, @@ -6812,10 +6930,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable defines where to look up the Certification Authorities. The given directory should contain one file for each CA that Samba will trust. The file name must be the hash @@ -6838,10 +6952,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable is a second way to define the trusted CAs. The certificates of the trusted CAs are collected in one big file and this variable points to the file. You will probably @@ -6865,10 +6975,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This variable defines the ciphers that should be offered during SSL negotiation. You should not set this variable unless you know what you are doing.</para> @@ -6883,10 +6989,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>The certificate in this file is used by <ulink url="smbclient.1.html"> <command>smbclient(1)</command></ulink> if it exists. It's needed if the server requires a client certificate.</para> @@ -6905,10 +7007,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This is the private key for <ulink url="smbclient.1.html"> <command>smbclient(1)</command></ulink>. It's only needed if the client should have a certificate. </para> @@ -6927,18 +7025,77 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - - <para>This variable defines whether SSLeay should be configured + <para>This variable defines whether OpenSSL should be configured for bug compatibility with other SSL implementations. This is probably not desirable because currently no clients with SSL - implementations other than SSLeay exist.</para> + implementations other than OpenSSL exist.</para> <para>Default: <command>ssl compatibility = no</command></para> </listitem> </varlistentry> + + + <varlistentry> + <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This option is used to define the location of the communiation socket of + an EGD or PRNGD daemon, from which entropy can be retrieved. This option + can be used instead of or together with the <link + linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link> + directive. 255 bytes of entropy will be retrieved from the daemon. + </para> + + <para>Default: <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This parameter is used to define the number of bytes which should + be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy + file</parameter></link> If a -1 is specified, the entire file will + be read. + </para> + + <para>Default: <command>ssl entropy bytes = 255</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This parameter is used to specify a file from which processes will + read "random bytes" on startup. In order to seed the internal pseudo + random number generator, entropy must be provided. On system with a + <filename>/dev/urandom</filename> device file, the processes + will retrieve its entropy from the kernel. On systems without kernel + entropy support, a file can be supplied that will be read on startup + and that will be used to seed the PRNG. + </para> + + <para>Default: <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + <varlistentry> @@ -6956,10 +7113,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>These two variables define whether Samba will go into SSL mode or not. If none of them is defined, Samba will allow only SSL connections. If the <link linkend="SSLHOSTS"> @@ -6993,10 +7146,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>If this variable is set to <constant>yes</constant>, the server will not tolerate connections from clients that don't have a valid certificate. The directory/file given in <link @@ -7025,10 +7174,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>If this variable is set to <constant>yes</constant>, the <ulink url="smbclient.1.html"><command>smbclient(1)</command> </ulink> will request a certificate from the server. Same as @@ -7047,10 +7192,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This is the file containing the server's certificate. The server <emphasis>must</emphasis> have a certificate. The file may also contain the server's private key. See later for @@ -7069,10 +7210,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This file contains the private key of the server. If this variable is not defined, the key is looked up in the certificate file (it may be appended to the certificate). @@ -7093,10 +7230,6 @@ system and the configure option <command>--with-ssl</command> was given at configure time.</para> - <para><emphasis>Note</emphasis> that for export control reasons - this code is <emphasis>NOT</emphasis> enabled by default in any - current binary version of Samba.</para> - <para>This enumeration variable defines the versions of the SSL protocol that will be used. <constant>ssl2or3</constant> allows dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results @@ -7150,6 +7283,30 @@ <varlistentry> + <term><anchor id="STRICTALLOCATE">strict allocate (S)</term> + <listitem><para>This is a boolean that controls the handling of + disk space allocation in the server. When this is set to <constant>yes</constant> + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems.</para> + + <para>When strict allocate is <constant>no</constant> the server does sparse + disk block allocation when a file is extended.</para> + + <para>Setting this to <constant>yes</constant> can help Samba return + out of quota messages on systems that are restricting the disk quota + of users.</para> + + <para>Default: <command>strict allocate = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> <term><anchor id="STRICTLOCKING">strict locking (S)</term> <listitem><para>This is a boolean that controls the handling of file locking in the server. When this is set to <constant>yes</constant> @@ -7435,6 +7592,24 @@ <varlistentry> + <term><anchor id="USEMMAP">use mmap (G)</term> + <listitem><para>This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to <constant>false</constant> by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + </para> + + <para>Default: <command>use mmap = yes</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> <term><anchor id="USERHOSTS">use rhosts (G)</term> <listitem><para>If this global parameter is <constant>true</constant>, it specifies that the UNIX user's <filename>.rhosts</filename> file in their home directory @@ -7811,16 +7986,16 @@ <para>Default: <emphasis>No files or directories are vetoed. </emphasis></para> - <para>Examples:<programlisting> - ; Veto any files containing the word Security, - ; any ending in .tmp, and any directory containing the - ; word root. - veto files = /*Security*/*.tmp/*root*/ +<para>Examples:<programlisting> +; Veto any files containing the word Security, +; any ending in .tmp, and any directory containing the +; word root. +veto files = /*Security*/*.tmp/*root*/ - ; Veto the Apple specific files that a NetAtalk server - ; creates. - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - </programlisting></para> +; Veto the Apple specific files that a NetAtalk server +; creates. +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ +</programlisting></para> </listitem> </varlistentry> diff --git a/docs/docbook/manpages/smbcontrol.1.sgml b/docs/docbook/manpages/smbcontrol.1.sgml index 7904634ab2..05e05f4a6a 100644 --- a/docs/docbook/manpages/smbcontrol.1.sgml +++ b/docs/docbook/manpages/smbcontrol.1.sgml @@ -70,7 +70,7 @@ <varlistentry> <term>message-type</term> - <listitem><para>One of: <constand>close-share</constant>, + <listitem><para>One of: <constant>close-share</constant>, <constant>debug</constant>, <constant>force-election</constant>, <constant>ping </constant>, <constant>profile</constant>, <constant> diff --git a/docs/docbook/manpages/smbd.8.sgml b/docs/docbook/manpages/smbd.8.sgml index 05958b83de..cdb3d51fa8 100644 --- a/docs/docbook/manpages/smbd.8.sgml +++ b/docs/docbook/manpages/smbd.8.sgml @@ -22,7 +22,7 @@ <arg choice="opt">-h</arg> <arg choice="opt">-V</arg> <arg choice="opt">-d <debug level></arg> - <arg choice="opt">-l <log file></arg> + <arg choice="opt">-l <log directory></arg> <arg choice="opt">-p <port number></arg> <arg choice="opt">-O <socket option></arg> <arg choice="opt">-s <configuration file></arg> @@ -148,16 +148,21 @@ </varlistentry> <varlistentry> - <term>-l <log file></term> - <listitem><para>If specified, <replaceable>log file</replaceable> - specifies a log filename into which informational and debug - messages from the running server will be logged. The log + <term>-l <log directory></term> + <listitem><para>If specified, + <replaceable>log directory</replaceable> + specifies a log directory into which the "log.smbd" log + file will be created for informational and debug + messages from the running server. The log file generated is never removed by the server although its size may be controlled by the <ulink url="smb.conf.5.html#maxlogsize">max log size</ulink> option in the <ulink url="smb.conf.5.html"><filename> - smb.conf(5)</filename></ulink> file. The default log - file name is specified at compile time.</para></listitem> + smb.conf(5)</filename></ulink> file. + </para> + + <para>The default log directory is specified at + compile time.</para></listitem> </varlistentry> <varlistentry> diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml index e757a0c67c..098e874cc8 100644 --- a/docs/docbook/manpages/smbpasswd.8.sgml +++ b/docs/docbook/manpages/smbpasswd.8.sgml @@ -28,6 +28,7 @@ <arg choice="opt">-U username[%password]</arg> <arg choice="opt">-h</arg> <arg choice="opt">-s</arg> + <arg choice="opt">-w pass</arg> <arg choice="opt">username</arg> </cmdsynopsis> </refsynopsisdiv> @@ -342,6 +343,22 @@ </listitem> </varlistentry> + + <varlistentry> + <term>-w password</term> + <listitem><para>This parameter is only available is Samba + has been configured to use the experiemental + <command>--with-ldapsam</command> option. The <parameter>-w</parameter> + switch is used to specify the password to be used with the + <ulink url="smb.conf.5.html#LDAPADMINDN"><parameter>ldap admin + dn</parameter></ulink>. Note that the password is stored in + the <filename>private/secrets.tdb</filename> and is keyed off + of the admin's DN. This means that if the value of <parameter>ldap + admin dn</parameter> ever changes, the password will beed to be + manually updated as well. + </para> + </listitem> + </varlistentry> <varlistentry> diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml index 6a1ecd59fd..af851657f3 100644 --- a/docs/docbook/manpages/winbindd.8.sgml +++ b/docs/docbook/manpages/winbindd.8.sgml @@ -42,6 +42,15 @@ can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module. </para> + + <para> + The <filename>pam_winbind</filename> module in the 2.2.2 release only + supports the <parameter>auth</parameter> and <parameter>account</parameter> + module-types. The latter is simply + performs a getpwnam() to verify that the system can obtain a uid for the + user. If the <filename>libnss_winbind</filename> library has been correctly + installed, this should always suceed. + </para> <para>The following nsswitch databases are implemented by the winbindd service: </para> diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 0b1db84b20..6d0b36eafc 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -31,14 +31,7 @@ <title>Joining an NT Domain with Samba 2.2</title> - <para>In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - <emphasis>NOT</emphasis> as a Primary or backup domain controller.</para> - - <para>Assume you have a Samba-2 server with a NetBIOS name of + <para>Assume you have a Samba 2.x server with a NetBIOS name of <constant>SERV1</constant> and are joining an NT domain called <constant>DOM</constant>, which has a PDC with a NetBIOS name of <constant>DOMPDC</constant> and two backup domain controllers @@ -49,11 +42,14 @@ and run the command:</para> <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC - </userinput></para> + -U<replaceable>Administrator%password</replaceable></userinput></para> <para>as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message:</para> + is DOMPDC. The <replaceable>Administrator%password</replaceable> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</para> <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput> </para> diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index 6c866acecd..594516640d 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -101,9 +101,12 @@ hashes. This database is stored in either <filename>/etc/samba.d/smbpasswd</filename>, depending on the Samba implementation for your Unix/Linux system. The <filename>pam_smbpass.so</filename> module is provided by -Samba version 2.2.1 or later. It can be compiled only if the -<constant>--with-pam --with-pam_smbpass</constant> options are both -provided to the Samba <command>configure</command> program. +Samba version 2.2.1 or later. It can be compiled by specifying the +<command>--with-pam_smbpass</command> options when running Samba's +<filename>configure</filename> script. For more information +on the <filename>pam_smbpass</filename> module, see the documentation +in the <filename>source/pam_smbpass</filename> directory of the Samba +source distribution. </para> <para><programlisting> diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index b980b99e22..475b66598c 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -58,25 +58,26 @@ Background <note> <para> -<emphasis>Author's Note :</emphasis> This document is a combination -of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. +<emphasis>Author's Note:</emphasis> This document is a combination +of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". Both documents are superseded by this one. </para> </note> <para> -Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary DOmain Controller <indexterm><primary>Primary -Domain Controller</primary></indexterm> (PDC). Beginning with -Samba 2.2.0, we are proud to announce official support for Windows NT 4.0 -style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through -SP1) clients. This article outlines the steps necessary for configuring Samba -as a PDC. It is necessary to have a working Samba server prior to implementing the -PDC functionality. If you have not followed the steps outlined in -<ulink url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure -that your server is configured correctly before proceeding. Another good -resource in the <ulink url="smb.conf.5.html">smb.conf(5) man -page</ulink>. The following functionality should work in 2.2: +Versions of Samba prior to release 2.2 had marginal capabilities to act +as a Windows NT 4.0 Primary Domain Controller +<indexterm><primary>Primary Domain Controller</primary></indexterm> +(PDC). With Samba 2.2.0, we are proud to announce official support for +Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows +2000 clients. This article outlines the steps +necessary for configuring Samba as a PDC. It is necessary to have a +working Samba server prior to implementing the PDC functionality. If +you have not followed the steps outlined in <ulink +url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure +that your server is configured correctly before proceeding. Another +good resource in the <ulink url="smb.conf.5.html">smb.conf(5) man +page</ulink>. The following functionality should work in 2.2: </para> <itemizedlist> @@ -98,18 +99,10 @@ page</ulink>. The following functionality should work in 2.2: </para></listitem> <listitem><para> - Windows NT 4.0 style system policies + Windows NT 4.0-style system policies </para></listitem> </itemizedlist> -<warning> - <title>Windows 2000 Service Pack 2 Clients</title> - <para> - Samba 2.2.1 is required for PDC functionality when using Windows 2000 - SP2 clients. - </para> -</warning> - <para> The following pieces of functionality are not included in the 2.2 release: @@ -138,7 +131,7 @@ The following pieces of functionality are not included in the 2.2 release: <para> Please note that Windows 9x clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x style domain logons is completely different +support Windows 9x-style domain logons is completely different from NT4 domain logons and has been officially supported for some time. </para> @@ -189,7 +182,7 @@ linked with the actual smb.conf description. </para> <para> -Here is an example smb.conf for acting as a PDC: +Here is an example <filename>smb.conf</filename> for acting as a PDC: </para> <para><programlisting> @@ -228,13 +221,13 @@ Here is an example smb.conf for acting as a PDC: ; necessary share for domain controller [netlogon] <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon - <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = no + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> ; share for storing user profiles [profiles] <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile - <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = yes + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 </programlisting></para> @@ -263,88 +256,96 @@ There are a couple of points to emphasize in the above configuration. </itemizedlist> <para> -As Samba 2.2 does not offer a complete implementation of group mapping between -Windows NT groups and UNIX groups (this is really quite complicated to explain -in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain -admin group</ulink> smb.conf parameter for information of creating "Domain Admins" -style accounts. +As Samba 2.2 does not offer a complete implementation of group mapping +between Windows NT groups and Unix groups (this is really quite +complicated to explain in a short space), you should refer to the +<ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain admin +group</ulink> smb.conf parameter for information of creating "Domain +Admins" style accounts. </para> </sect1> <sect1> -<title>Creating Machine Trust Accounts and Joining Clients -to the Domain</title> +<title>Creating Machine Trust Accounts and Joining Clients to the +Domain</title> <para> -A machine trust account is a samba user account owned by a computer. -The account password acts as the shared secret for secure -communication with the Domain Controller. This is a security feature -to prevent an unauthorized machine with the same NetBIOS name from -joining the domain and gaining access to domain user/group accounts. -Hence a Windows 9x host is never a true member of a domain because it does -not posses a machine trust account, and thus has no shared secret with the DC. -</para> +A machine trust account is a Samba account that is used to +authenticate a client machine (rather than a user) to the Samba +server. In Windows terminology, this is known as a "Computer +Account."</para> <para> -On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in the same location -as user LanMan and NT password hashes (currently <filename>smbpasswd</filename>). -However, machine trust accounts only possess and use the NT password hash. +The password of a machine trust account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT and 2000 clients use machine trust accounts, but +Windows 9x clients do not. Hence, a Windows 9x client is never a true +member of a domain because it does not possess a machine trust +account, and thus has no shared secret with the domain controller. </para> -<para> -Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -must have an entry in <filename>/etc/passwd</filename> and smbpasswd. -Future releases will alleviate the need to create -<filename>/etc/passwd</filename> entries. +<para>A Windows PDC stores each machine trust account in the Windows +Registry. A Samba PDC, however, stores each machine trust account +in two parts, as follows: + +<itemizedlist> + <listitem><para>A Samba account, stored in the same location as user + LanMan and NT password hashes (currently + <filename>smbpasswd</filename>). The Samba account + possesses and uses only the NT password hash.</para></listitem> + + <listitem><para>A corresponding Unix account, typically stored in + <filename>/etc/passwd</filename>. (Future releases will alleviate the need to + create <filename>/etc/passwd</filename> entries.) </para></listitem> +</itemizedlist> </para> <para> -There are two means of creating machine trust accounts. +There are two ways to create machine trust accounts: </para> <itemizedlist> - <listitem><para> - Manual creation before joining the client to the domain. In this case, - the password is set to a known value -- the lower case of the - machine's NetBIOS name. - </para></listitem> + <listitem><para> Manual creation. Both the Samba and corresponding + Unix account are created by hand.</para></listitem> - <listitem><para> - Creation of the account at the time of joining the domain. In - this case, the session key of the administrative account used to join - the client to the domain acts as an encryption key for setting the - password to a random value (This is the recommended method). - </para></listitem> + <listitem><para> "On-the-fly" creation. The Samba machine trust + account is automatically created by Samba at the time the client + is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be + created automatically or manually. </para> + </listitem> + </itemizedlist> <sect2> -<title>Manually creating machine trust accounts</title> +<title>Manual Creation of Machine Trust Accounts</title> <para> -The first step in creating a machine trust account by hand is to -create an entry for the machine in /etc/passwd. This can be done -using <command>vipw</command> or any 'add userr' command which is normally -used to create new UNIX accounts. The following is an example for a Linux -based Samba server: +The first step in manually creating a machine trust account is to +manually create the corresponding Unix account in +<filename>/etc/passwd</filename>. This can be done using +<command>vipw</command> or other 'add user' command that is normally +used to create new Unix accounts. The following is an example for a +Linux based Samba server: </para> <para> -<prompt>root# </prompt>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine -nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ + <prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine +nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command> </para> <para> -<prompt>root# </prompt>passwd -l <replaceable>machine_name</replaceable>$ +<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command> </para> <para> The <filename>/etc/passwd</filename> entry will list the machine name -with a $ appended, won't have a passwd, will have a null shell and no -home directory. For example a machine called 'doppy' would have an -<filename>/etc/passwd</filename> entry like this : +with a "$" appended, won't have a password, will have a null shell and no +home directory. For example a machine named 'doppy' would have an +<filename>/etc/passwd</filename> entry like this: </para> <para><programlisting> @@ -352,28 +353,31 @@ doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/fals </programlisting></para> <para> -Above, <replaceable>machine_nickname</replaceable> can be any descriptive name for the -pc i.e. BasementComputer. The <replaceable>machine_name</replaceable> absolutely must be -the NetBIOS name of the pc to be added to the domain. The "$" must append the NetBIOS -name of the pc or samba will not recognize this as a machine account +Above, <replaceable>machine_nickname</replaceable> can be any +descriptive name for the client, i.e., BasementComputer. +<replaceable>machine_name</replaceable> absolutely must be the NetBIOS +name of the client to be joined to the domain. The "$" must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a machine trust account. </para> <para> -Now that the UNIX account has been created, the next step is to create -the smbpasswd entry for the machine containing the well known initial -trust account password. This can be done using the <ulink -url="smbpasswd.6.html"><command>smbpasswd(8)</command></ulink> command +Now that the corresponding Unix account has been created, the next step is to create +the Samba account for the client containing the well-known initial +machine trust account password. This can be done using the <ulink +url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> command as shown here: </para> <para> -<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable> +<prompt>root# </prompt><command>smbpasswd -a -m <replaceable>machine_name</replaceable></command> </para> <para> where <replaceable>machine_name</replaceable> is the machine's NetBIOS -name. +name. The RID of the new machine account is generated from the UID of +the corresponding Unix account. </para> <warning> @@ -381,9 +385,9 @@ name. <para> Manually creating a machine trust account using this method is the - equivalent of creating a machine account on a Windows NT PDC using + equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created - to the time which th client joins the domain and changes the password, + to the time which the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user @@ -394,30 +398,80 @@ name. <sect2> -<title>Creating machine trust accounts "on the fly"</title> +<title>"On-the-Fly" Creation of Machine Trust Accounts</title> <para> -The second, and most recommended way of creating machine trust accounts -is to create them as needed at the time the client is joined to -the domain. You will need to include a value for the <ulink -url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink> -parameter. Below is an example from a RedHat 6.2 Linux system. +The second (and recommended) way of creating machine trust accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain. </para> + +<para>Since each Samba machine trust account requires a corresponding +Unix account, a method for automatically creating the +Unix account is usually supplied; this requires configuration of the +<ulink url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink> +option in <filename>smb.conf</filename>. This +method is not required, however; corresponding Unix accounts may also +be created manually. +</para> + + +<para>Below is an example for a RedHat 6.2 Linux system. </para> <para><programlisting> -add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u +[global] + # <...remainder of parameters...> + add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> +</sect2> + + +<sect2><title>Joining the Client to the Domain</title> + <para> -In Samba 2.2.1, <emphasis>only the root account</emphasis> can be used to create -machine accounts like this. Therefore, it is required to create -an entry in smbpasswd for <emphasis>root</emphasis>. The password -<emphasis>SHOULD</emphasis> be set to a different password that the -associated <filename>/etc/passwd</filename> entry for security reasons. +The procedure for joining a client to the domain varies with the +version of Windows. </para> + +<itemizedlist> +<listitem><para><emphasis>Windows 2000</emphasis></para> + + <para> When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A + Samba administrative account (i.e., a Samba account that has root + privileges on the Samba server) must be entered here; the + operation will fail if an ordinary user account is given. + The password for this account should be + set to a different password than the associated + <filename>/etc/passwd</filename> entry, for security + reasons. </para> + + <para>The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists.</para> +</listitem> + +<listitem><para><emphasis>Windows NT</emphasis></para> + + <para> If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." In this case, + the existing machine trust account is used to join the machine to + the domain.</para> + + <para> If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted).</para> +</listitem> +</itemizedlist> + </sect2> </sect1> - <!-- ********************************************************** Common Problems @@ -438,7 +492,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <para> A 'machine name' in (typically) <filename>/etc/passwd</> of the machine name with a '$' appended. FreeBSD (and other BSD - systems ?) won't create a user with a '$' in their name. + systems?) won't create a user with a '$' in their name. </para> <para> @@ -446,7 +500,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons. made, it works perfectly. So create a user without the '$' and use <command>vipw</> to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a - unique uid ! + unique User ID ! </para> </listitem> @@ -454,11 +508,11 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <para> <emphasis>I get told "You already have a connection to the Domain...." or "Cannot join domain, the credentials supplied conflict with an - existing set.." when creating a machine account.</emphasis> + existing set.." when creating a machine trust account.</emphasis> </para> <para> - This happens if you try to create a machine account from the + This happens if you try to create a machine trust account from the machine itself and already have a connection (e.g. mapped drive) to a share (or IPC$) on the Samba PDC. The following command will remove all network drive connections: @@ -500,18 +554,18 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <listitem> <para> - <emphasis>The machine account for this computer either does not + <emphasis>The machine trust account for this computer either does not exist or is not accessible.</emphasis> </para> <para> When I try to join the domain I get the message "The machine account - for this computer either does not exist or is not accessible". Whats + for this computer either does not exist or is not accessible". What's wrong? </para> <para> - This problem is caused by the PDC not having a suitable machine account. + This problem is caused by the PDC not having a suitable machine trust account. If you are using the <parameter>add user script</parameter> method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -520,7 +574,7 @@ associated <filename>/etc/passwd</filename> entry for security reasons. <para> Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry - correct for the machine account in smbpasswd file on the Samba PDC. + correct for the machine trust account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine NetBIOS name with a '$' appended to it ( i.e. computer_name$ ). There must be an entry @@ -600,7 +654,7 @@ Here are some additional details: <listitem> <para> - <emphasis>What about Windows NT Policy Editor ?</emphasis> + <emphasis>What about Windows NT Policy Editor?</emphasis> </para> <para> @@ -633,7 +687,7 @@ Here are some additional details: <listitem> <para> - <emphasis>Can Win95 do Policies ?</emphasis> + <emphasis>Can Win95 do Policies?</emphasis> </para> <para> @@ -660,7 +714,7 @@ Here are some additional details: <para> Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager' ? + the 'User Manager for Domains', the 'Server Manager'? </para> <para> @@ -701,7 +755,7 @@ Here are some additional details: <sect1> -<title>What other help can I get ? </title> +<title>What other help can I get? </title> <para> There are many sources of information available in the form @@ -751,7 +805,7 @@ general SMB topics such as browsing.</para> <para> An SMB enabled version of tcpdump is available from <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>. - Ethereal, another good packet sniffer for UNIX and Win32 + Ethereal, another good packet sniffer for Unix and Win32 hosts, can be downloaded from <ulink url="http://www.ethereal.com/">http://www.ethereal.com</ulink>. </para> @@ -892,7 +946,7 @@ general SMB topics such as browsing.</para> <itemizedlist> <listitem> <para> - <emphasis>How do I get help from the mailing lists ?</emphasis> + <emphasis>How do I get help from the mailing lists?</emphasis> </para> <para> @@ -954,7 +1008,7 @@ general SMB topics such as browsing.</para> <listitem><para>Please think carefully before attaching a document to an email. Consider pasting the relevant parts into the body of the message. The samba mailing lists go to a huge number of people, do they all need a copy of your - smb.conf in their attach directory ?</para></listitem> + smb.conf in their attach directory?</para></listitem> </itemizedlist> </listitem> @@ -962,7 +1016,7 @@ general SMB topics such as browsing.</para> <listitem> <para> - <emphasis>How do I get off the mailing lists ?</emphasis> + <emphasis>How do I get off the mailing lists?</emphasis> </para> <para>To have your name removed from a samba mailing list, go to the @@ -995,8 +1049,8 @@ general SMB topics such as browsing.</para> <para> The following section contains much of the original DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book Special -Edition, Using Samba. (Richard Sharpe) +the material is based on what went into the book <emphasis>Special +Edition, Using Samba</emphasis>, by Richard Sharpe. </para> </note> @@ -1014,13 +1068,14 @@ The SMB client logging on to a domain has an expectation that every other server in the domain should accept the same authentication information. Network browsing functionality of domains and workgroups is identical and is explained in BROWSING.txt. It should be noted, that browsing -is total orthogonal to logon support. +is totally orthogonal to logon support. </para> <para> Issues related to the single-logon network model are discussed in this -document. Samba supports domain logons, network logon scripts, and user -profiles for MS Windows for workgroups and MS Windows 9X clients. +section. Samba supports domain logons, network logon scripts, and user +profiles for MS Windows for workgroups and MS Windows 9X/ME clients +which will be the focus of this section. </para> @@ -1035,40 +1090,6 @@ demonstrates how authentication is quite different from but closely involved with domains. </para> -<para> -Another thing commonly associated with single-logon domains is remote -administration over the SMB protocol. Again, there is no reason why this -cannot be implemented with an underlying username database which is -different from the Windows NT SAM. Support for the Remote Administration -Protocol is planned for a future release of Samba. -</para> - -<para> -Network logon support as discussed in this section is aimed at Window for -Workgroups, and Windows 9X clients. -</para> - -<para> -Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. -It is possible to specify: the profile location; script file to be loaded -on login; the user's home directory; and for NT a kick-off time could also -now easily be supported. However, there are some differences between Win9X -profile support and WinNT profile support. These are discussed below. -</para> - -<para> -With NT Workstations, all this does not require the use or intervention of -an NT 4.0 or NT 3.51 server: Samba can now replace the logon services -provided by an NT server, to a limited and experimental degree (for example, -running "User Manager for Domains" will not provide you with access to -a domain created by a Samba Server). -</para> - -<para> -With Win95, the help of an NT server can be enlisted, both for profile storage -and for user authentication. For details on user authentication, see -security_level.txt. For details on profile storage, see below. -</para> <para> Using these features you can make your clients verify their logon via @@ -1077,15 +1098,15 @@ the network and download their preferences, desktop and start menu. </para> <para> -Before launching into the configuration instructions, it is worthwhile looking -at how a Win9X client performs a logon: +Before launching into the configuration instructions, it is +worthwhile lookingat how a Windows 9x/ME client performs a logon: </para> <orderedlist> <listitem> <para> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -1147,97 +1168,27 @@ at how a Win9X client performs a logon: <title>Configuration Instructions: Network Logons</title> <para> -To use domain logons and profiles you need to do the following: +The main difference between a PDC and a Windows 9x logon +server configuration is that </para> +<itemizedlist> -<orderedlist> -<listitem> - <para> - Create a share called [netlogon] in your smb.conf. This share should - be readable by all users, and probably should not be writeable. This - share will hold your network logon scripts, and the CONFIG.POL file - (Note: for details on the CONFIG.POL file, how to use it, what it is, - refer to the Microsoft Windows NT Administration documentation. - The format of these files is not known, so you will need to use - Microsoft tools). - </para> - - <para> - For example I have used: - </para> - - <para><programlisting> -[netlogon] - path = /data/dos/netlogon - writeable = no - guest ok = no -</programlisting></para> - - <para> - Note that it is important that this share is not writeable by ordinary - users, in a secure environment: ordinary users should not be allowed - to modify or add files that another user's computer would then download - when they log in. - </para> -</listitem> - - - -<listitem> - <para> - in the [global] section of smb.conf set the following: - </para> - - <para><programlisting> -domain logons = yes -logon script = %U.bat - </programlisting></para> - - <para> - The choice of batch file is, of course, up to you. The above would - give each user a separate batch file as the %U will be changed to - their username automatically. The other standard % macros may also be - used. You can make the batch files come from a subdirectory by using - something like: - </para> - - <para><programlisting> -logon script = scripts\%U.bat - </programlisting></para> -</listitem> - -<listitem> - <para> - create the batch files to be run when the user logs in. If the batch - file doesn't exist then no batch file will be run. - </para> +<listitem><para> +Password encryption is not required for a Windows 9x logon server. +</para></listitem> - <para> - In the batch files you need to be careful to use DOS style cr/lf line - endings. If you don't then DOS may get confused. I suggest you use a - DOS editor to remotely edit the files if you don't know how to produce - DOS style files under unix. - </para> -</listitem> +<listitem><para> +Windows 9x/ME clients do not possess machine trust accounts. +</para></listitem> +</itemizedlist> -<listitem> - <para> - Use smbclient with the -U option for some users to make sure that - the \\server\NETLOGON share is available, the batch files are - visible and they are readable by the users. - </para> -</listitem> +<para> +Therefore, a Samba PDC will also act as a Windows 9x logon +server. +</para> -<listitem> - <para> - you will probably find that your clients automatically mount the - \\SERVER\NETLOGON share as drive z: while logging in. You can put - some useful programs there to execute from the batch files. - </para> -</listitem> -</orderedlist> <warning> <title>security mode and master browsers</title> @@ -1253,7 +1204,7 @@ mode security is really just a variation on SMB user level security. </para> <para> -Actually, this issue is also closer tied to the debate on whether +Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons @@ -1322,7 +1273,7 @@ This means that support for profiles is different for Win9X and WinNT. <title>Windows NT Configuration</title> <para> -To support WinNT clients, inn the [global] section of smb.conf set the +To support WinNT clients, in the [global] section of smb.conf set the following (for example): </para> @@ -1496,7 +1447,7 @@ the newest folders and short-cuts from each set. If you have made the folders / files read-only on the samba server, then you will get errors from the w95 machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the unix file +you have any errors reported by the w95 machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server. </para> diff --git a/docs/docbook/projdoc/chapter1.sgml b/docs/docbook/projdoc/chapter1.sgml deleted file mode 100644 index 71589b5d60..0000000000 --- a/docs/docbook/projdoc/chapter1.sgml +++ /dev/null @@ -1,446 +0,0 @@ -<chapter> - -<title>How to Install and Test SAMBA</title> - -<sect1> - <title>Step 0: Read the man pages</title> - - <para>The man pages distributed with SAMBA contain - lots of useful info that will help to get you started. - If you don't know how to read man pages then try - something like:</para> - - <para><prompt>$ </prompt><userinput>nroff -man smbd.8 | more - </userinput></para> - - <para>Other sources of information are pointed to - by the Samba web site,<ulink url="http://www.samba.org/"> - http://www.samba.org</ulink></para> -</sect1> - -<sect1> - <title>Building the Binaries</title> - - <para>To do this, first run the program <command>./configure - </command> in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run</para> - - <para><prompt>root# </prompt><userinput>./configure --help - </userinput></para> - - <para>first to see what special options you can enable. - Then exectuting</para> - - <para><prompt>root# </prompt><userinput>make</userinput></para> - - <para>will create the binaries. Once it's successfully - compiled you can use </para> - - <para><prompt>root# </prompt><userinput>make install</userinput></para> - - <para>to install the binaries and manual pages. You can - separately install the binaries and/or man pages using</para> - - <para><prompt>root# </prompt><userinput>make installbin - </userinput></para> - - <para>and</para> - - <para><prompt>root# </prompt><userinput>make installman - </userinput></para> - - <para>Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. You - can go back to the previous version with</para> - - <para><prompt>root# </prompt><userinput>make revert - </userinput></para> - - <para>if you find this version a disaster!</para> -</sect1> - -<sect1> - <title>Step 2: The all important step</title> - - <para>At this stage you must fetch yourself a - coffee or other drink you find stimulating. Getting the rest - of the install right can sometimes be tricky, so you will - probably need it.</para> - - <para>If you have installed samba before then you can skip - this step.</para> -</sect1> - -<sect1> - <title>Step 3: Create the smb configuration file. </title> - - <para>There are sample configuration files in the examples - subdirectory in the distribution. I suggest you read them - carefully so you can see how the options go together in - practice. See the man page for all the options.</para> - - <para>The simplest useful configuration file would be - something like this:</para> - - <para><programlisting> - [global] - workgroup = MYGROUP - - [homes] - guest ok = no - read only = no - </programlisting</para> - - <para>which would allow connections by anyone with an - account on the server, using either their login name or - "homes" as the service name. (Note that I also set the - workgroup that Samba is part of. See BROWSING.txt for defails)</para> - - <para>Note that <command>make install</command> will not install - a <filename>smb.conf</filename> file. You need to create it - yourself. </para> - - <para>Make sure you put the smb.conf file in the same place - you specified in the<filename>Makefile</filename> (the default is to - look for it in <filename>/usr/local/samba/lib/</filename>).</para> - - <para>For more information about security settings for the - [homes] share please refer to the document UNIX_SECURITY.txt.</para> -</sect1> - -<sect1> - <title>Step 4: Test your config file with - <command>testparm</command></title> - - <para>It's important that you test the validity of your - <filename>smb.conf</filename> file using the testparm program. - If testparm runs OK then it will list the loaded services. If - not it will give an error message.</para> - - <para>Make sure it runs OK and that the services look - resonable before proceeding. </para> - -</sect1> - -<sect1> - <title>Step 5: Starting the smbd and nmbd</title> - - <para>You must choose to start smbd and nmbd either - as daemons or from <command>inetd</command>. Don't try - to do both! Either you can put them in <filename> - inetd.conf</filename> and have them started on demand - by <command>inetd</command>, or you can start them as - daemons either from the command line or in <filename> - /etc/rc.local</filename>. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.</para> - - <para>The main advantage of starting <command>smbd</command> - and <command>nmbd</command> as a daemon is that they will - respond slightly more quickly to an initial connection - request. This is, however, unlikely to be a problem.</para> - - <sect2> - <title>Step 5a: Starting from inetd.conf</title> - - <para>NOTE; The following will be different if - you use NIS or NIS+ to distributed services maps.</para> - - <para>Look at your <filename>/etc/services</filename>. - What is defined at port 139/tcp. If nothing is defined - then add a line like this:</para> - - <para><userinput>netbios-ssn 139/tcp</userinput></para> - - <para>similarly for 137/udp you should have an entry like:</para> - - <para><userinput>netbios-ns 137/udp</userinput></para> - - <para>Next edit your <filename>/etc/inetd.conf</filename> - and add two lines something like this:</para> - - <para><programlisting> - netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd - netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - </programlisting></para> - - <para>The exact syntax of <filename>/etc/inetd.conf</filename> - varies between unixes. Look at the other entries in inetd.conf - for a guide.</para> - - <para>NOTE: Some unixes already have entries like netbios_ns - (note the underscore) in <filename>/etc/services</filename>. - You must either edit <filename>/etc/services</filename> or - <filename>/etc/inetd.conf</filename> to make them consistant.</para> - - <para>NOTE: On many systems you may need to use the - "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run <command>ifconfig</command> - as root if you don't know what the broadcast is for your - net. <command>nmbd</command> tries to determine it at run - time, but fails on somunixes. See the section on "testing nmbd" - for a method of finding if you need to do this.</para> - - <para>!!!WARNING!!! Many unixes only accept around 5 - parameters on the command line in <filename>inetd.conf</filename>. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from <command>inetd</command>.</para> - - <para>Restart <command>inetd</command>, perhaps just send - it a HUP. If you have installed an earlier version of <command> - nmbd</command> then you may need to kill nmbd as well.</para> - </sect2> - - <sect2> - <title>Step 5b. Alternative: starting it as a daemon</title> - - <para>To start the server as a daemon you should create - a script something like this one, perhaps calling - it <filename>startsmb</filename>.</para> - - <para><programlisting> - #!/bin/sh - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - </programlisting></para> - - <para>then make it executable with <command>chmod - +x startsmb</command></para> - - <para>You can then run <command>startsmb</command> by - hand or execute it from <filename>/etc/rc.local</filename> - </para> - - <para>To kill it send a kill signal to the processes - <command>nmbd</command> and <command>smbd</command>.</para> - - <para>NOTE: If you use the SVR4 style init system then - you may like to look at the <filename>examples/svr4-startup</filename> - script to make Samba fit into that system.</para> - </sect2> -</sect1> - -<sect1> - <title>Step 6: Try listing the shares available on your - server</title> - - <para><prompt>$ </prompt><userinput>smbclient -L - <replaceable>yourhostname</replaceable></userinput></para> - - <para>Your should get back a list of shares available on - your server. If you don't then something is incorrectly setup. - Note that this method can also be used to see what shares - are available on other LanManager clients (such as WfWg).</para> - - <para>If you choose user level security then you may find - that Samba requests a password before it will list the shares. - See the <command>smbclient</command> man page for details. (you - can force it to list the shares without a password by - adding the option -U% to the command line. This will not work - with non-Samba servers)</para> -</sect1> - -<sect1> - <title>Step 7: Try connecting with the unix client</title> - - <para><prompt>$ </prompt><userinput>smbclient <replaceable> - //yourhostname/aservice</replaceable></userinput></para> - - <para>Typically the <replaceable>yourhostname</replaceable> - would be the name of the host where you installed <command> - smbd</command>. The <replaceable>aservice</replaceable> is - any service you have defined in the <filename>smb.conf</filename> - file. Try your user name if you just have a [homes] section - in <filename>smb.conf</filename>.</para> - - <para>For example if your unix host is bambi and your login - name is fred you would type:</para> - - <para><prompt>$ </prompt><userinput>smbclient //bambi/fred - </userinput></para> -</sect1> - -<sect1> - <title>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT, - Win2k, OS/2, etc... client</title> - - <para>Try mounting disks. eg:</para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>net use d: \\servername\service - </userinput></para> - - <para>Try printing. eg:</para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>net use lpt1: - \\servername\spoolservice</userinput></para> - - <para><prompt>C:\WINDOWS\> </prompt><userinput>print filename - </userinput></para> - - <para>Celebrate, or send me a bug report!</para> -</sect1> - -<sect1> - <title>What If Things Don't Work?</title> - - <para>If nothing works and you start to think "who wrote - this pile of trash" then I suggest you do step 2 again (and - again) till you calm down.</para> - - <para>Then you might read the file DIAGNOSIS.txt and the - FAQ. If you are still stuck then try the mailing list or - newsgroup (look in the README for details). Samba has been - successfully installed at thousands of sites worldwide, so maybe - someone else has hit your problem and has overcome it. You could - also use the WWW site to scan back issues of the samba-digest.</para> - - <para>When you fix the problem PLEASE send me some updates to the - documentation (or source code) so that the next person will find it - easier. </para> - - <sect2> - <title>DIAGNOSING PROBLEMS</title> - - <para>If you have instalation problems then go to - <filename>DIAGNOSIS.txt</filename> to try to find the - problem.</para> - </sect2> - - <sect2> - <title>SCOPE IDs</title> - - <para>By default Samba uses a blank scope ID. This means - all your windows boxes must also have a blank scope ID. - If you really want to use a non-blank scope ID then you will - need to use the -i <scope> option to nmbd, smbd, and - smbclient. All your PCs will need to have the same setting for - this to work. I do not recommend scope IDs.</para> - </sect2> - - - <sect2> - <title>CHOOSING THE PROTOCOL LEVEL</title> - - <para>The SMB protocol has many dialects. Currently - Samba supports 5, called CORE, COREPLUS, LANMAN1, - LANMAN2 and NT1.</para> - - <para>You can choose what maximum protocol to support - in the <filename>smb.conf</filename> file. The default is - NT1 and that is the best for the vast majority of sites.</para> - - <para>In older versions of Samba you may have found it - necessary to use COREPLUS. The limitations that led to - this have mostly been fixed. It is now less likely that you - will want to use less than LANMAN1. The only remaining advantage - of COREPLUS is that for some obscure reason WfWg preserves - the case of passwords in this protocol, whereas under LANMAN1, - LANMAN2 or NT1 it uppercases all passwords before sending them, - forcing you to use the "password level=" option in some cases.</para> - - <para>The main advantage of LANMAN2 and NT1 is support for - long filenames with some clients (eg: smbclient, Windows NT - or Win95). </para> - - <para>See the smb.conf(5) manual page for more details.</para> - - <para>Note: To support print queue reporting you may find - that you have to use TCP/IP as the default protocol under - WfWg. For some reason if you leave Netbeui as the default - it may break the print queue reporting on some systems. - It is presumably a WfWg bug.</para> - </sect2> - - <sect2> - <title>PRINTING FROM UNIX TO A CLIENT PC</title> - - <para>To use a printer that is available via a smb-based - server from a unix host you will need to compile the - smbclient program. You then need to install the script - "smbprint". Read the instruction in smbprint for more details. - </para> - - <para>There is also a SYSV style script that does much - the same thing called smbprint.sysv. It contains instructions.</para> - </sect2> - - <sect2> - <title>LOCKING</title> - - <para>One area which sometimes causes trouble is locking.</para> - - <para>There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open.</para> - - <para>Samba supports "record locking" using the fcntl() unix system - call. This is often implemented using rpc calls to a rpc.lockd process - running on the system that owns the filesystem. Unfortunately many - rpc.lockd implementations are very buggy, particularly when made to - talk to versions from other vendors. It is not uncommon for the - rpc.lockd to crash.</para> - - <para>There is also a problem translating the 32 bit lock - requests generated by PC clients to 31 bit requests supported - by most unixes. Unfortunately many PC applications (typically - OLE2 applications) use byte ranges with the top bit set - as semaphore sets. Samba attempts translation to support - these types of applications, and the translation has proved - to be quite successful.</para> - - <para>Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write. </para> - - <para>You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK.</para> - - <para>The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatability modes called - DENY_FCB and DENY_DOS.</para> - - <para>You can disable share modes using "share modes = no". - This may be useful on a heavily loaded server as the share - modes code is very slow. See also the FAST_SHARE_MODES - option in the Makefile for a way to do full share modes - very fast using shared memory (if your OS supports it).</para> - </sect2> - - <sect2> - <title>MAPPING USERNAMES</title> - - <para>If you have different usernames on the PCs and - the unix server then take a look at the "username map" option. - See the smb.conf man page for details.</para> - </sect2> - - <sect2> - <title>OTHER CHARACTER SETS</title> - - <para>If you have problems using filenames with accented - characters in them (like the German, French or Scandinavian - character sets) then I recommmend you look at the "valid chars" - option in smb.conf and also take a look at the validchars - package in the examples directory.</para> - </sect2> - -</sect1> -</chapter> diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index b496f30dd7..8ea419d758 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -16,6 +16,13 @@ <address><email>tridge@linuxcare.com.au</email></address> </affiliation> </author> + <author> + <firstname>John</firstname><surname>Trostel</surname> + <affiliation> + <orgname>Snapserver</orgname> + <address><email>jtrostel@snapserver.com</email></address> + </affiliation> + </author> <pubdate>16 Oct 2000</pubdate> @@ -372,9 +379,10 @@ somewhat to fit the way your distribution works. <para> If you have a samba configuration file that you are currently -using... BACK IT UP! If your system already uses PAM, BACK UP -THE <filename>/etc/pam.d</filename> directory contents! If you -haven't already made a boot disk, MAKE ON NOW! +using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM, +<emphasis>back up the <filename>/etc/pam.d</filename> directory +contents!</emphasis> If you haven't already made a boot disk, +<emphasis>MAKE ONE NOW!</emphasis> </para> <para> @@ -386,10 +394,11 @@ you get frustrated with the way things are going. ;-) </para> <para> -The newest version of SAMBA (version 2.2.2), available from -cvs.samba.org, now include a functioning winbindd daemon. Please refer -to the main SAMBA web page or, better yet, your closest SAMBA mirror -site for instructions on downloading the source code. +The latest version of SAMBA (version 2.2.2 as of this writing), now +includes a functioning winbindd daemon. Please refer to the +<ulink url="http://samba.org/">main SAMBA web page</ulink> or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code. </para> <para> @@ -399,8 +408,8 @@ SAMBA machine, PAM (pluggable authentication modules) must be setup properly on your machine. In order to compile the winbind modules, you should have at least the pam libraries resident on your system. For recent RedHat systems (7.1, for instance), that -means 'pam-0.74-22'. For best results, it is helpful to also -install the development packages in 'pam-devel-0.74-22'. +means <filename>pam-0.74-22</filename>. For best results, it is helpful to also +install the development packages in <filename>pam-devel-0.74-22</filename>. </para> </sect2> @@ -419,8 +428,9 @@ directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the <filename>/usr/doc</filename> and <filename>/usr/man</filename> entries for pam. Winbind built better in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, my RedHat -system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed. +the header files needed to compile pam-aware applications. For instance, +my RedHat system has both <filename>pam-0.74-22</filename> and +<filename>pam-devel-0.74-22</filename> RPMs installed. </para> <sect3> @@ -428,38 +438,39 @@ system has both 'pam-0.74-22' and 'pam-devel-0.74-22' RPMs installed. <para> The configuration and compilation of SAMBA is pretty straightforward. -The first three steps maynot be necessary depending upon +The first three steps may not be necessary depending upon whether or not you have previously built the Samba binaries. </para> <para><programlisting> -<prompt>root# </prompt> autoconf -<prompt>root# </prompt> make clean -<prompt>root# </prompt> rm config.cache -<prompt>root# </prompt> ./configure --with-winbind -<prompt>root# </prompt> make -<prompt>root# </prompt> make install +<prompt>root#</prompt> <command>autoconf</command> +<prompt>root#</prompt> <command>make clean</command> +<prompt>root#</prompt> <command>rm config.cache</command> +<prompt>root#</prompt> <command>./configure --with-winbind</command> +<prompt>root#</prompt> <command>make</command> +<prompt>root#</prompt> <command>make install</command> </programlisting></para> <para> -This will, by default, install SAMBA in /usr/local/samba. See the -main SAMBA documentation if you want to install SAMBA somewhere else. +This will, by default, install SAMBA in <filename>/usr/local/samba</filename>. +See the main SAMBA documentation if you want to install SAMBA somewhere else. It will also build the winbindd executable and libraries. </para> </sect3> <sect3> -<title>Configure nsswitch.conf and the winbind libraries</title> +<title>Configure <filename>nsswitch.conf</filename> and the +winbind libraries</title> <para> -The libraries needed to run the winbind daemon through nsswitch -need to be copied to their proper locations, so +The libraries needed to run the <command>winbindd</command> daemon +through nsswitch need to be copied to their proper locations, so </para> <para> -<prompt>root# </prompt> cp ../samba/source/nsswitch/libnss_winbind.so /lib +<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/libnss_winbind.so /lib</command> </para> <para> @@ -467,30 +478,31 @@ I also found it necessary to make the following symbolic link: </para> <para> -<prompt>root# </prompt> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 +<prompt>root#</prompt> <command>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</command> </para> <para> Now, as root you need to edit <filename>/etc/nsswitch.conf</filename> to allow user and group entries to be visible from the <command>winbindd</command> -daemon, as well as from your /etc/hosts files and NIS servers. My -<filename>/etc/nsswitch.conf</filename> file look like this after editing: +daemon. My <filename>/etc/nsswitch.conf</filename> file look like +this after editing: </para> <para><programlisting> passwd: files winbind - shadow: files winbind + shadow: files group: files winbind </programlisting></para> <para> The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time your system reboots, but it +entered into the <command>ldconfig</command> cache the next time +your system reboots, but it is faster (and you don't need to reboot) if you do it manually: </para> <para> -<prompt>root# </prompt> /sbin/ldconfig -v | grep winbind +<prompt>root#</prompt> <command>/sbin/ldconfig -v | grep winbind</command> </para> <para> @@ -517,16 +529,17 @@ include the following entries in the [global] section: [global] <...> # separate domain and username with '+', like DOMAIN+username - winbind separator = + + <ulink url="winbindd.8.html#WINBINDSEPARATOR">winbind separator</ulink> = + # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 + <ulink url="winbindd.8.html#WINBINDUID">winbind uid</ulink> = 10000-20000 # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 + <ulink url="winbindd.8.html#WINBINDGID">winbind gid</ulink> = 10000-20000 # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes + <ulink url="winbindd.8.html#WINBINDENUMUSERS">winbind enum users</ulink> = yes + <ulink url="winbindd.8.html#WINBINDENUMGROUP">winbind enum groups</ulink> = yes # give winbind users a real shell (only needed if they have telnet access) - template shell = /bin/bash + <ulink url="winbindd.8.html#TEMPLATEHOMEDIR">template homedir</ulink> = /home/winnt/%D/%U + <ulink url="winbindd.8.html#TEMPLATESHELL">template shell</ulink> = /bin/bash </programlisting></para> </sect3> @@ -544,7 +557,7 @@ a domain user who has administrative privileges in the domain. <para> -<prompt>root# </prompt>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator +<prompt>root#</prompt> <command>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</command> </para> @@ -569,7 +582,7 @@ command as root: </para> <para> -<prompt>root# </prompt>/usr/local/samba/bin/winbindd +<prompt>root#</prompt> <command>/usr/local/samba/bin/winbindd</command> </para> <para> @@ -578,7 +591,12 @@ is really running... </para> <para> -<prompt>root# </prompt> ps -ae | grep winbindd +<prompt>root#</prompt> <command>ps -ae | grep winbindd</command> +</para> +<para> +This command should produce output like this, if the daemon is running +</para> +<para> 3025 ? 00:00:00 winbindd </para> @@ -588,7 +606,7 @@ users on your PDC </para> <para> -<prompt>root# </prompt> # /usr/local/samba/bin/wbinfo -u +<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -u</command> </para> <para> @@ -606,7 +624,8 @@ CEO+TsInternetUser </programlisting></para> <para> -Obviously, I have named my domain 'CEO' and my winbindd separator is '+'. +Obviously, I have named my domain 'CEO' and my <parameter>winbindd +separator</parameter> is '+'. </para> <para> @@ -615,7 +634,7 @@ the PDC: </para> <para><programlisting> -<prompt>root# </prompt>/usr/local/samba/bin/wbinfo -g +<prompt>root#</prompt> <command>/usr/local/samba/bin/wbinfo -g</command> CEO+Domain Admins CEO+Domain Users CEO+Domain Guests @@ -634,7 +653,7 @@ Try the following command: </para> <para> -<prompt>root# </prompt> getent passwd +<prompt>root#</prompt> <command>getent passwd</command> </para> <para> @@ -648,14 +667,14 @@ The same thing can be done for groups with the command </para> <para> -<prompt>root# </prompt> getent group +<prompt>root#</prompt> <command>getent group</command> </para> </sect3> <sect3> -<title>Fix the /etc/rc.d/init.d/smb startup files</title> +<title>Fix the <filename>/etc/rc.d/init.d/smb</filename> startup files</title> <para> The <command>winbindd</command> daemon needs to start up after the @@ -718,6 +737,13 @@ stop() { } </programlisting></para> +<para> +If you restart the <command>smbd</command>, <command>nmbd</command>, +and <command>winbindd</command> daemons at this point, you +should be able to connect to the samba server as a domain member just as +if you were a local user. +</para> + </sect3> @@ -726,32 +752,42 @@ stop() { <title>Configure Winbind and PAM</title> <para> -If you have made it this far, you know that winbindd is working. -Now it is time to integrate it into the operation of samba and other -services. The pam configuration files need to be altered in +If you have made it this far, you know that winbindd and samba are working +together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in this step. (Did you remember to make backups of your original <filename>/etc/pam.d</filename> files? If not, do it now.) </para> <para> -To get samba to allow domain users and groups, I modified the -<filename>/etc/pam.d/samba</filename> file from +You will need a pam module to use winbindd with these other services. This +module will be compiled in the <filename>../source/nsswitch</filename> directory +by invoking the command </para> +<para> +<prompt>root#</prompt> <command>make nsswitch/pam_winbind.so</command> +</para> -<para><programlisting> -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth -</programlisting></para> +<para> +from the <filename>../source</filename> directory. The +<filename>pam_winbind.so</filename> file should be copied to the location of +your other pam security modules. On my RedHat system, this was the +<filename>/lib/security</filename> directory. +</para> <para> -to +<prompt>root#</prompt> <command>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</command> </para> +<para> +The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I +just left this fileas it was: +</para> + + <para><programlisting> -auth required /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth </programlisting></para> @@ -795,10 +831,11 @@ changed to look like this: </para> <para><programlisting> -auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_shells.so +account sufficient /lib/security/pam_winbind.so account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth </programlisting></para> @@ -830,15 +867,6 @@ line after the <command>winbind.so</command> line to get rid of annoying double prompts for passwords. </para> -<para> -Finally, don't forget to copy the winbind pam modules from -the source directory in which you originally compiled the new -SAMBA up to the /lib/security directory so that pam can use it: -</para> - -<para> -<prompt>root# </prompt> cp ../samba/source/nsswitch/pam_winbind.so /lib/security -</para> </sect3> |