author Gerald Carter <jerry@samba.org> 2001-04-24 19:09:42 +0000
committer Gerald Carter <jerry@samba.org> 2001-04-24 19:09:42 +0000
commit c8af938a0a7ec15c38076fc11d164f55737318f1
tree 20b734a400bfc37cbd7d648d0905e07a832e255d /docs/htmldocs/Samba-HOWTO-Collection.html
parent 55d0bdbf4a656fe457d180940ad0e700375ffc15
syncing up changes in 2.2
(This used to be commit ffbbe67dbfde7f7ce4bb70becfc696c395dbf6b2)
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r-- docs/htmldocs/Samba-HOWTO-Collection.html 1203
1 files changed, 728 insertions, 475 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index a0d0573005..85ef2feb70 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -68,27 +68,27 @@ HREF="#AEN15"
><DD
><DL
><DT
-><A
+>1.1. <A
HREF="#AEN17"
>Step 0: Read the man pages</A
></DT
><DT
-><A
+>1.2. <A
HREF="#AEN25"
>Step 1: Building the Binaries</A
></DT
><DT
-><A
+>1.3. <A
HREF="#AEN53"
>Step 2: The all important step</A
></DT
><DT
-><A
+>1.4. <A
HREF="#AEN57"
>Step 3: Create the smb configuration file.</A
></DT
><DT
-><A
+>1.5. <A
HREF="#AEN71"
>Step 4: Test your config file with
<B
@@ -97,80 +97,80 @@ CLASS="COMMAND"
></A
></DT
><DT
-><A
+>1.6. <A
HREF="#AEN77"
>Step 5: Starting the smbd and nmbd</A
></DT
><DD
><DL
><DT
-><A
+>1.6.1. <A
HREF="#AEN87"
>Step 5a: Starting from inetd.conf</A
></DT
><DT
-><A
+>1.6.2. <A
HREF="#AEN116"
>Step 5b. Alternative: starting it as a daemon</A
></DT
></DL
></DD
><DT
-><A
+>1.7. <A
HREF="#AEN132"
>Step 6: Try listing the shares available on your
server</A
></DT
><DT
-><A
+>1.8. <A
HREF="#AEN141"
>Step 7: Try connecting with the unix client</A
></DT
><DT
-><A
+>1.9. <A
HREF="#AEN157"
>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></DT
><DT
-><A
+>1.10. <A
HREF="#AEN171"
>What If Things Don't Work?</A
></DT
><DD
><DL
><DT
-><A
+>1.10.1. <A
HREF="#AEN176"
>Diagnosing Problems</A
></DT
><DT
-><A
+>1.10.2. <A
HREF="#AEN180"
>Scope IDs</A
></DT
><DT
-><A
+>1.10.3. <A
HREF="#AEN183"
>Choosing the Protocol Level</A
></DT
><DT
-><A
+>1.10.4. <A
HREF="#AEN192"
>Printing from UNIX to a Client PC</A
></DT
><DT
-><A
+>1.10.5. <A
HREF="#AEN196"
>Locking</A
></DT
><DT
-><A
+>1.10.6. <A
HREF="#AEN206"
>Mapping Usernames</A
></DT
><DT
-><A
+>1.10.7. <A
HREF="#AEN209"
>Other Character Sets</A
></DT
@@ -186,36 +186,36 @@ HREF="#AEN212"
><DD
><DL
><DT
-><A
+>2.1. <A
HREF="#AEN223"
>Introduction</A
></DT
><DT
-><A
+>2.2. <A
HREF="#AEN227"
>How does it work?</A
></DT
><DT
-><A
+>2.3. <A
HREF="#AEN238"
>Important Notes About Security</A
></DT
><DD
><DL
><DT
-><A
+>2.3.1. <A
HREF="#AEN257"
>Advantages of SMB Encryption</A
></DT
><DT
-><A
+>2.3.2. <A
HREF="#AEN264"
>Advantages of non-encrypted passwords</A
></DT
></DL
></DD
><DT
-><A
+>2.4. <A
HREF="#AEN273"
><A
NAME="SMBPASSWDFILEFORMAT"
@@ -223,12 +223,12 @@ NAME="SMBPASSWDFILEFORMAT"
>The smbpasswd file</A
></DT
><DT
-><A
+>2.5. <A
HREF="#AEN325"
>The smbpasswd Command</A
></DT
><DT
-><A
+>2.6. <A
HREF="#AEN364"
>Setting up Samba to support LanManager Encryption</A
></DT
@@ -242,14 +242,14 @@ HREF="#AEN379"
><DD
><DL
><DT
-><A
+>3.1. <A
HREF="#AEN390"
>Instructions</A
></DT
><DD
><DL
><DT
-><A
+>3.1.1. <A
HREF="#AEN425"
>Notes</A
></DT
@@ -265,56 +265,76 @@ HREF="#AEN434"
><DD
><DL
><DT
-><A
+>4.1. <A
HREF="#AEN445"
>Introduction</A
></DT
><DT
-><A
+>4.2. <A
HREF="#AEN462"
>Configuration</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN516"
+>4.2.1. <A
+HREF="#AEN472"
+>Creating [print$]</A
+></DT
+><DT
+>4.2.2. <A
+HREF="#AEN507"
+>Setting Drivers for Existing Printers</A
+></DT
+><DT
+>4.2.3. <A
+HREF="#AEN520"
>Support a large number of printers</A
></DT
+><DT
+>4.2.4. <A
+HREF="#AEN531"
+>Adding New Printers via the Windows NT APW</A
+></DT
+><DT
+>4.2.5. <A
+HREF="#AEN556"
+>Samba and Printer Ports</A
+></DT
></DL
></DD
><DT
-><A
-HREF="#AEN527"
+>4.3. <A
+HREF="#AEN564"
>The Imprints Toolset</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN531"
+>4.3.1. <A
+HREF="#AEN568"
>What is Imprints?</A
></DT
><DT
-><A
-HREF="#AEN541"
+>4.3.2. <A
+HREF="#AEN578"
>Creating Printer Driver Packages</A
></DT
><DT
-><A
-HREF="#AEN544"
+>4.3.3. <A
+HREF="#AEN581"
>The Imprints server</A
></DT
><DT
-><A
-HREF="#AEN548"
+>4.3.4. <A
+HREF="#AEN585"
>The Installation Client</A
></DT
></DL
></DD
><DT
-><A
-HREF="#AEN570"
+>4.4. <A
+HREF="#AEN607"
><A
NAME="MIGRATION"
></A
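Review bot: In the 4.3.1 entry, #AEN531 used to point at "What is Imprints?", and after this change the same id is the target of the new 4.2.4 entry "Adding New Printers via the Windows NT APW", so an existing bookmark or external link to #AEN531 now resolves to a different section without any error. The generated AEN ids shift whenever a section is inserted; suggest giving the printing sections explicit ids in the SGML source, as is already done for NAME="MIGRATION", and pointing the table of contents at those.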
@@ -325,225 +345,225 @@ NAME="MIGRATION"
></DD
><DT
>5. <A
-HREF="#AEN599"
+HREF="#AEN639"
>security = domain in Samba 2.x</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN617"
+>5.1. <A
+HREF="#AEN657"
>Joining an NT Domain with Samba 2.2</A
></DT
><DT
-><A
-HREF="#AEN681"
+>5.2. <A
+HREF="#AEN721"
>Samba and Windows 2000 Domains</A
></DT
><DT
-><A
-HREF="#AEN686"
+>5.3. <A
+HREF="#AEN726"
>Why is this better than security = server?</A
></DT
></DL
></DD
><DT
>6. <A
-HREF="#AEN702"
+HREF="#AEN742"
>How to Configure Samba 2.2.x as a Primary Domain Controller</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN713"
+>6.1. <A
+HREF="#AEN753"
>Background</A
></DT
><DT
-><A
-HREF="#AEN750"
+>6.2. <A
+HREF="#AEN790"
>Configuring the Samba Domain Controller</A
></DT
><DT
-><A
-HREF="#AEN793"
+>6.3. <A
+HREF="#AEN833"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></DT
><DT
-><A
-HREF="#AEN832"
+>6.4. <A
+HREF="#AEN872"
>Common Problems and Errors</A
></DT
><DT
-><A
-HREF="#AEN860"
+>6.5. <A
+HREF="#AEN900"
>System Policies and Profiles</A
></DT
><DT
-><A
-HREF="#AEN900"
+>6.6. <A
+HREF="#AEN940"
>What other help can I get ?</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN947"
+>6.6.1. <A
+HREF="#AEN987"
>URLs and similar</A
></DT
><DT
-><A
-HREF="#AEN971"
+>6.6.2. <A
+HREF="#AEN1011"
>Mailing Lists</A
></DT
></DL
></DD
><DT
-><A
-HREF="#AEN1010"
+>6.7. <A
+HREF="#AEN1050"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></DT
></DL
></DD
><DT
>7. <A
-HREF="#AEN1034"
+HREF="#AEN1074"
>Unifed Logons between Windows NT and UNIX using Winbind</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1052"
+>7.1. <A
+HREF="#AEN1092"
>Abstract</A
></DT
><DT
-><A
-HREF="#AEN1056"
+>7.2. <A
+HREF="#AEN1096"
>Introduction</A
></DT
><DT
-><A
-HREF="#AEN1069"
+>7.3. <A
+HREF="#AEN1109"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1076"
+>7.3.1. <A
+HREF="#AEN1116"
>Target Uses</A
></DT
></DL
></DD
><DT
-><A
-HREF="#AEN1080"
+>7.4. <A
+HREF="#AEN1120"
>How Winbind Works</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1085"
+>7.4.1. <A
+HREF="#AEN1125"
>Microsoft Remote Procedure Calls</A
></DT
><DT
-><A
-HREF="#AEN1089"
+>7.4.2. <A
+HREF="#AEN1129"
>Name Service Switch</A
></DT
><DT
-><A
-HREF="#AEN1105"
+>7.4.3. <A
+HREF="#AEN1145"
>Pluggable Authentication Modules</A
></DT
><DT
-><A
-HREF="#AEN1113"
+>7.4.4. <A
+HREF="#AEN1153"
>User and Group ID Allocation</A
></DT
><DT
-><A
-HREF="#AEN1117"
+>7.4.5. <A
+HREF="#AEN1157"
>Result Caching</A
></DT
></DL
></DD
><DT
-><A
-HREF="#AEN1120"
+>7.5. <A
+HREF="#AEN1160"
>Installation and Configuration</A
></DT
><DT
-><A
-HREF="#AEN1126"
+>7.6. <A
+HREF="#AEN1166"
>Limitations</A
></DT
><DT
-><A
-HREF="#AEN1138"
+>7.7. <A
+HREF="#AEN1178"
>Conclusion</A
></DT
></DL
></DD
><DT
>8. <A
-HREF="#AEN1141"
+HREF="#AEN1181"
>UNIX Permission Bits and WIndows NT Access Control Lists</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1152"
+>8.1. <A
+HREF="#AEN1192"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
-><A
-HREF="#AEN1161"
+>8.2. <A
+HREF="#AEN1201"
>How to view file security on a Samba share</A
></DT
><DT
-><A
-HREF="#AEN1172"
+>8.3. <A
+HREF="#AEN1212"
>Viewing file ownership</A
></DT
><DT
-><A
-HREF="#AEN1192"
+>8.4. <A
+HREF="#AEN1232"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1207"
+>8.4.1. <A
+HREF="#AEN1247"
>File Permissions</A
></DT
><DT
-><A
-HREF="#AEN1221"
+>8.4.2. <A
+HREF="#AEN1261"
>Directory Permissions</A
></DT
></DL
></DD
><DT
-><A
-HREF="#AEN1228"
+>8.5. <A
+HREF="#AEN1268"
>Modifying file or directory permissions</A
></DT
><DT
-><A
-HREF="#AEN1250"
+>8.6. <A
+HREF="#AEN1290"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
-><A
-HREF="#AEN1314"
+>8.7. <A
+HREF="#AEN1354"
>Interaction with the standard Samba file attribute
mapping</A
></DT
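Review bot: Two chapter titles in the lines this hunk carries through are misspelled: "Unifed Logons between Windows NT and UNIX using Winbind" (chapter 7) and "UNIX Permission Bits and WIndows NT Access Control Lists" (chapter 8). Every HREF around them is being regenerated here, so suggest fixing "Unified" and "Windows" in the source so the next regeneration picks them up.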
@@ -551,39 +571,39 @@ HREF="#AEN1314"
></DD
><DT
>9. <A
-HREF="#AEN1324"
+HREF="#AEN1364"
>OS2 Client HOWTO</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1335"
+>9.1. <A
+HREF="#AEN1375"
>FAQs</A
></DT
><DD
><DL
><DT
-><A
-HREF="#AEN1337"
+>9.1.1. <A
+HREF="#AEN1377"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
-><A
-HREF="#AEN1352"
+>9.1.2. <A
+HREF="#AEN1392"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
-><A
-HREF="#AEN1361"
+>9.1.3. <A
+HREF="#AEN1401"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
-><A
-HREF="#AEN1365"
+>9.1.4. <A
+HREF="#AEN1405"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
@@ -606,7 +626,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN17"
->Step 0: Read the man pages</A
+>1.1. Step 0: Read the man pages</A
></H1
><P
>The man pages distributed with SAMBA contain
@@ -638,7 +658,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN25"
->Step 1: Building the Binaries</A
+>1.2. Step 1: Building the Binaries</A
></H1
><P
>To do this, first run the program <B
@@ -737,7 +757,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN53"
->Step 2: The all important step</A
+>1.3. Step 2: The all important step</A
></H1
><P
>At this stage you must fetch yourself a
@@ -754,7 +774,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN57"
->Step 3: Create the smb configuration file.</A
+>1.4. Step 3: Create the smb configuration file.</A
></H1
><P
>There are sample configuration files in the examples
@@ -765,6 +785,12 @@ NAME="AEN57"
>The simplest useful configuration file would be
something like this:</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
> [global]
@@ -774,6 +800,9 @@ CLASS="PROGRAMLISTING"
guest ok = no
read only = no
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>which would allow connections by anyone with an
@@ -810,7 +839,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN71"
->Step 4: Test your config file with
+>1.5. Step 4: Test your config file with
<B
CLASS="COMMAND"
>testparm</B
@@ -834,7 +863,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN77"
->Step 5: Starting the smbd and nmbd</A
+>1.6. Step 5: Starting the smbd and nmbd</A
></H1
><P
>You must choose to start smbd and nmbd either
@@ -874,7 +903,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN87"
->Step 5a: Starting from inetd.conf</A
+>1.6.1. Step 5a: Starting from inetd.conf</A
></H2
><P
>NOTE; The following will be different if
@@ -909,11 +938,20 @@ CLASS="FILENAME"
>
and add two lines something like this:</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>The exact syntax of <TT
@@ -978,7 +1016,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN116"
->Step 5b. Alternative: starting it as a daemon</A
+>1.6.2. Step 5b. Alternative: starting it as a daemon</A
></H2
><P
>To start the server as a daemon you should create
@@ -988,12 +1026,21 @@ CLASS="FILENAME"
>startsmb</TT
>.</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
> #!/bin/sh
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>then make it executable with <B
@@ -1035,7 +1082,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN132"
->Step 6: Try listing the shares available on your
+>1.7. Step 6: Try listing the shares available on your
server</A
></H1
><P
@@ -1076,7 +1123,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN141"
->Step 7: Try connecting with the unix client</A
+>1.8. Step 7: Try connecting with the unix client</A
></H1
><P
><TT
@@ -1139,7 +1186,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN157"
->Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
+>1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
Win2k, OS/2, etc... client</A
></H1
><P
@@ -1188,7 +1235,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN171"
->What If Things Don't Work?</A
+>1.10. What If Things Don't Work?</A
></H1
><P
>If nothing works and you start to think "who wrote
@@ -1211,7 +1258,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN176"
->Diagnosing Problems</A
+>1.10.1. Diagnosing Problems</A
></H2
><P
>If you have instalation problems then go to
@@ -1227,13 +1274,13 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN180"
->Scope IDs</A
+>1.10.2. Scope IDs</A
></H2
><P
>By default Samba uses a blank scope ID. This means
all your windows boxes must also have a blank scope ID.
If you really want to use a non-blank scope ID then you will
- need to use the -i &lt;scope&gt; option to nmbd, smbd, and
+ need to use the -i &#60;scope&#62; option to nmbd, smbd, and
smbclient. All your PCs will need to have the same setting for
this to work. I do not recommend scope IDs.</P
></DIV
@@ -1243,7 +1290,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN183"
->Choosing the Protocol Level</A
+>1.10.3. Choosing the Protocol Level</A
></H2
><P
>The SMB protocol has many dialects. Currently
@@ -1284,7 +1331,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN192"
->Printing from UNIX to a Client PC</A
+>1.10.4. Printing from UNIX to a Client PC</A
></H2
><P
>To use a printer that is available via a smb-based
@@ -1302,7 +1349,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN196"
->Locking</A
+>1.10.5. Locking</A
></H2
><P
>One area which sometimes causes trouble is locking.</P
@@ -1363,7 +1410,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN206"
->Mapping Usernames</A
+>1.10.6. Mapping Usernames</A
></H2
><P
>If you have different usernames on the PCs and
@@ -1376,7 +1423,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN209"
->Other Character Sets</A
+>1.10.7. Other Character Sets</A
></H2
><P
>If you have problems using filenames with accented
@@ -1400,7 +1447,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN223"
->Introduction</A
+>2.1. Introduction</A
></H1
><P
>With the development of LanManager and Windows NT
@@ -1419,7 +1466,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN227"
->How does it work?</A
+>2.2. How does it work?</A
></H1
><P
>LanManager encryption is somewhat similar to UNIX
@@ -1484,7 +1531,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN238"
->Important Notes About Security</A
+>2.3. Important Notes About Security</A
></H1
><P
>The unix and SMB password encryption techniques seem similar
@@ -1526,9 +1573,8 @@ ALIGN="LEFT"
><P
>Note that Windows NT 4.0 Service pack 3 changed the
default for permissible authentication so that plaintext
- passwords are <I
-CLASS="EMPHASIS"
->never</I
+ passwords are <EM
+>never</EM
> sent over the wire.
The solution to this is either to switch to encrypted passwords
with Samba or edit the Windows NT registry to re-enable plaintext
@@ -1560,9 +1606,8 @@ CLASS="EMPHASIS"
></LI
></UL
><P
-><I
-CLASS="EMPHASIS"
->Note :</I
+><EM
+>Note :</EM
>All current release of
Microsoft SMB/CIFS clients support authentication via the
SMB Challenge/Response mechanism described here. Enabling
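Review bot: The converted "Note :" element is closed and followed directly by "All current release of" with no space, so the text renders as "Note :All"; add a space after the colon, as the later "Note : " in the smbpasswd file section already has. While the line is open, "All current release of Microsoft SMB/CIFS clients" should read "releases".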
@@ -1578,7 +1623,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN257"
->Advantages of SMB Encryption</A
+>2.3.1. Advantages of SMB Encryption</A
></H2
><P
></P
@@ -1607,7 +1652,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN264"
->Advantages of non-encrypted passwords</A
+>2.3.2. Advantages of non-encrypted passwords</A
></H2
><P
></P
@@ -1638,7 +1683,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN273"
-><A
+>2.4. <A
NAME="SMBPASSWDFILEFORMAT"
></A
>The smbpasswd file</A
@@ -1680,7 +1725,7 @@ CLASS="PROMPT"
CLASS="USERINPUT"
><B
>cat /etc/passwd | mksmbpasswd.sh
- &gt; /usr/local/samba/private/smbpasswd</B
+ &#62; /usr/local/samba/private/smbpasswd</B
></TT
></P
><P
@@ -1693,7 +1738,7 @@ CLASS="PROMPT"
CLASS="USERINPUT"
><B
>ypcat passwd | mksmbpasswd.sh
- &gt; /usr/local/samba/private/smbpasswd</B
+ &#62; /usr/local/samba/private/smbpasswd</B
></TT
></P
><P
@@ -1731,11 +1776,20 @@ CLASS="COMMAND"
wrapped here. It should appear as one entry per line in
your smbpasswd file.)</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
- [Account type]:LCT-&lt;last-change-time&gt;:Long name
+ [Account type]:LCT-&#60;last-change-time&#62;:Long name
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>Although only the <TT
@@ -1768,9 +1822,8 @@ CLASS="REPLACEABLE"
> sections are significant
and are looked at in the Samba code.</P
><P
->It is <I
-CLASS="EMPHASIS"
->VITALLY</I
+>It is <EM
+>VITALLY</EM
> important that there by 32
'X' characters between the two ':' characters in the XXX sections -
the smbpasswd and Samba code will fail to validate any entries that
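Review bot: The sentence after the converted VITALLY emphasis reads "important that there by 32 'X' characters"; "by" should be "be". This is the sentence that tells administrators why an entry fails to validate, so it is worth fixing in the same pass.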
@@ -1794,10 +1847,19 @@ CLASS="CONSTANT"
>For example, to clear the password for user bob, his smbpasswd file
entry would look like :</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
> bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>If you are allowing users to use the smbpasswd command to set
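Review bot: The example entry for bob ends in "Bob's full name:/bobhome:/bobshell", two more colon-separated fields than the format listing earlier in this patch, which stops at "Long name". Suggest either dropping the home directory and shell from the example or adding them to the format listing, so a reader hand-editing the file to clear a password knows which layout is expected.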
@@ -1824,9 +1886,8 @@ CLASS="COMMAND"
users a default password to begin with, so you do not have
to enable this on your server.</P
><P
-><I
-CLASS="EMPHASIS"
->Note : </I
+><EM
+>Note : </EM
>This file should be protected very
carefully. Anyone with access to this file can (with enough knowledge of
the protocols) gain access to your SMB server. The file is thus more
@@ -1841,7 +1902,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN325"
->The smbpasswd Command</A
+>2.5. The smbpasswd Command</A
></H1
><P
>The smbpasswd command maintains the two 32 byte password fields
@@ -1859,10 +1920,9 @@ CLASS="FILENAME"
> (or your
main Samba binary directory).</P
><P
->Note that as of Samba 1.9.18p4 this program <I
-CLASS="EMPHASIS"
+>Note that as of Samba 1.9.18p4 this program <EM
>MUST NOT
- BE INSTALLED</I
+ BE INSTALLED</EM
> setuid root (the new <B
CLASS="COMMAND"
>smbpasswd</B
@@ -1915,8 +1975,8 @@ CLASS="PROMPT"
><TT
CLASS="USERINPUT"
><B
->&lt;type old value here -
- or hit return if there was no old password&gt;</B
+>&#60;type old value here -
+ or hit return if there was no old password&#62;</B
></TT
></P
><P
@@ -1926,7 +1986,7 @@ CLASS="PROMPT"
><TT
CLASS="USERINPUT"
><B
->&lt;type new value&gt;
+>&#60;type new value&#62;
</B
></TT
></P
@@ -1937,7 +1997,7 @@ CLASS="PROMPT"
><TT
CLASS="USERINPUT"
><B
->&lt;re-type new value
+>&#60;re-type new value
</B
></TT
></P
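Review bot: The third prompt placeholder, "&#60;re-type new value", has no closing "&#62;" on either side of the change, while the two prompts before it ("type old value here ..." and "type new value") are closed. Suggest adding the "&#62;" after "value" while the entities are being rewritten.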
@@ -1980,7 +2040,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN364"
->Setting up Samba to support LanManager Encryption</A
+>2.6. Setting up Samba to support LanManager Encryption</A
></H1
><P
>This is a very brief description on how to setup samba to
@@ -2011,7 +2071,7 @@ CLASS="FILENAME"
>smbpasswd</TT
>
password file in the place you specified in the Makefile
- (--prefix=&lt;dir&gt;). See the notes under the <A
+ (--prefix=&#60;dir&#62;). See the notes under the <A
HREF="#SMBPASSWDFILEFORMAT"
>The smbpasswd File</A
>
@@ -2035,7 +2095,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN390"
->Instructions</A
+>3.1. Instructions</A
></H1
><P
>The Distributed File System (or Dfs) provides a means of
@@ -2087,7 +2147,7 @@ CLASS="PARAMETER"
to other servers. For example, a symbolic link
<TT
CLASS="FILENAME"
->junction-&gt;msdfs:storage1\share1</TT
+>junction-&#62;msdfs:storage1\share1</TT
> in
the share directory acts as the Dfs junction. When Dfs-aware
clients attempt to access the junction link, they are redirected
@@ -2099,6 +2159,12 @@ CLASS="FILENAME"
>Here's an example of setting up a Dfs tree on a Samba
server.</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
># The smb.conf file:
@@ -2110,6 +2176,9 @@ CLASS="PROGRAMLISTING"
path = /export/dfsroot
msdfs root = yes
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>In the /export/dfsroot directory we set up our dfs links to
@@ -2183,7 +2252,7 @@ CLASS="SECT2"
CLASS="SECT2"
><A
NAME="AEN425"
->Notes</A
+>3.1.1. Notes</A
></H2
><P
></P
@@ -2224,7 +2293,7 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN445"
->Introduction</A
+>4.1. Introduction</A
></H1
><P
>Beginning with the 2.2.0 release, Samba supports
@@ -2258,12 +2327,12 @@ TARGET="_top"
><P
>Support for the native MS-RPC printing
calls such as StartDocPrinter, EnumJobs(), etc... (See
- the <A
+ the MSDN documentation at <A
HREF="http://msdn.microsoft.com/"
TARGET="_top"
->MSDN documentation
- </A
-> at http://msdn.microsoft.com/ for more information on the Win32 printing API)
+>http://msdn.microsoft.com/</A
+>
+ for more information on the Win32 printing API)
</P
></LI
><LI
@@ -2285,82 +2354,75 @@ CLASS="SECT1"
CLASS="SECT1"
><A
NAME="AEN462"
->Configuration</A
+>4.2. Configuration</A
></H1
><P
->In order to support the uploading of printer driver
-files, you must first configure a file share named [print$].
-The name of this share is hard coded in Samba's internals so
-the name is very important (print$ is the service used by
-Windows NT print servers to provide support for printer driver
-download).</P
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-BORDER="1"
-WIDTH="100%"
-><TR
-><TD
-ALIGN="CENTER"
-><B
->Warning</B
-></TD
-></TR
-><TR
-><TD
-ALIGN="LEFT"
-><P
->Previous versions of Samba recommended using
- a share named [printer$]. This name was taken from the
- printer$ service created by Windows 9x clients when a
- printer was shared. Windows 9x printer servers always have
- a printer$ service which provides read-only access via no
- password in order to support printer driver downloads.</P
+><EM
+>WARNING!!!</EM
+> Previous versions of Samba
+recommended using a share named [printer$]. This name was taken from the
+printer$ service created by Windows 9x clients when a
+printer was shared. Windows 9x printer servers always have
+a printer$ service which provides read-only access via no
+password in order to support printer driver downloads.</P
><P
>However, the initial implementation allowed for a
- parameter named <TT
+parameter named <TT
CLASS="PARAMETER"
><I
>printer driver location</I
></TT
>
- to be used on a per share basis to specify the location of
- the driver files associated with that printer. Another
- parameter named <TT
+to be used on a per share basis to specify the location of
+the driver files associated with that printer. Another
+parameter named <TT
CLASS="PARAMETER"
><I
>printer driver</I
></TT
> provided
- a means of defining the printer driver name to be sent to
- the client.</P
+a means of defining the printer driver name to be sent to
+the client.</P
><P
>These parameters, including <TT
CLASS="PARAMETER"
><I
>printer driver
- file</I
+file</I
></TT
> parameter, are being depreciated and should not
- be used in new installations. For more information on this change,
- you should refer to the <A
+be used in new installations. For more information on this change,
+you should refer to the <A
HREF="#MIGRATION"
->Migration section
- </A
+>Migration section </A
>of this document.</P
-></TD
-></TR
-></TABLE
-></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN472"
+>4.2.1. Creating [print$]</A
+></H2
+><P
+>In order to support the uploading of printer driver
+files, you must first configure a file share named [print$].
+The name of this share is hard coded in Samba's internals so
+the name is very important (print$ is the service used by
+Windows NT print servers to provide support for printer driver
+download).</P
><P
>You should modify the server's smb.conf file to create the
following file share (of course, some of the parameter values,
such as 'path' are arbitrary and should be replaced with
appropriate values for your site):</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>[print$]
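Review bot: With the bordered WARNING table removed, section 4.2 now opens with "WARNING!!! Previous versions of Samba recommended using a share named [printer$]" before [print$] has been introduced (that paragraph moves down into 4.2.1), and none of the three warning paragraphs says outright that [print$] replaces [printer$]. Suggest one sentence to that effect at the top of 4.2, or moving the warning below the new 4.2.1 text. Also, "are being depreciated" should be "deprecated". The inline WARNING!!! loses the visual weight the table gave it; the WARNING block is still used a few hunks later for the required-permissions box, so the same markup could be kept here.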
@@ -2369,6 +2431,9 @@ CLASS="PROGRAMLISTING"
browseable = yes
read only = yes
write list = ntadmin</PRE
+></TD
+></TR
+></TABLE
></P
><P
>The <A
@@ -2399,13 +2464,15 @@ CLASS="COMMAND"
> depends upon how your
site is configured. If users will be guaranteed to have
an account on the Samba host, then this is a non-issue.</P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
><P
-><I
-CLASS="EMPHASIS"
->author's note: </I
->The non-issue is that
-if all your Windows NT users are guaranteed to be authenticated
-by the Samba server (such as a domain member server and the NT
+><B
+>Author's Note: </B
+>The non-issue is that if all your Windows NT users are guaranteed to be
+authenticated by the Samba server (such as a domain member server and the NT
user has already been validated by the Domain Controller in
order to logon to the Windows NT console), then guest access
is not necessary. Of course, in a workgroup environment where
@@ -2420,7 +2487,9 @@ CLASS="COMMAND"
></A
> in the [global] section as well. Make sure
you understand what this parameter does before using it
-though. --jerry]</P
+though. --jerry</P
+></BLOCKQUOTE
+></DIV
><P
>In order for a Windows NT print server to support
the downloading of driver files by multiple client architectures,
@@ -2431,6 +2500,12 @@ Samba follows this model as well.</P
>Next create the directory tree below the [print$] share
for each architecture you wish to support.</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>[print$]-----
@@ -2439,6 +2514,9 @@ CLASS="PROGRAMLISTING"
|-W32ALPHA ; "Windows NT Alpha_AXP"
|-W32MIPS ; "Windows NT R4000"
|-W32PPC ; "Windows NT PowerPC"</PRE
+></TD
+></TR
+></TABLE
></P
><DIV
CLASS="WARNING"
@@ -2452,18 +2530,13 @@ WIDTH="100%"
><TD
ALIGN="CENTER"
><B
->Warning</B
+>ATTENTION! REQUIRED PERMISSIONS</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
-><I
-CLASS="EMPHASIS"
->ATTENTION! REQUIRED PERMISSIONS</I
-></P
-><P
>In order to currently add a new driver to you Samba host,
one of two conditions must hold true:</P
><P
@@ -2478,12 +2551,13 @@ CLASS="EMPHASIS"
><P
>The account used to connect to the Samba host
must be a member of the <A
-HREF="smb.conf.5.html"
+HREF="smb.conf.5.html#PRINTERADMIN"
TARGET="_top"
><TT
CLASS="PARAMETER"
><I
-> printer admin</I
+>printer
+ admin</I
></TT
></A
> list.</P
@@ -2508,6 +2582,15 @@ CLASS="PARAMETER"
from a Windows NT 4.0 client. Navigate to the "Printers" folder
on the Samba server. You should see an initial listing of printers
that matches the printer shares defined on your Samba host.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN507"
+>4.2.2. Setting Drivers for Existing Printers</A
+></H2
><P
>The initial listing of printers in the Samba host's
Printers folder will have no printer driver assigned to them.
@@ -2553,13 +2636,14 @@ of course assumes that the printing client has the necessary
privileges on the remote host serving the printer. The default
permissions assigned by Windows NT to a printer gives the "Print"
permissions to the "Everyone" well-known group.</P
+></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN516"
->Support a large number of printers</A
+NAME="AEN520"
+>4.2.3. Support a large number of printers</A
></H2
><P
>One issue that has arisen during the development
@@ -2578,6 +2662,12 @@ setdriver command</B
associated with an installed driver. The following is example
of how this could be accomplished:</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>
@@ -2613,20 +2703,165 @@ CLASS="PROMPT"
>rpcclient pogo -U root%bleaK.er \
<TT
CLASS="PROMPT"
->&gt; </TT
+>&#62; </TT
> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE
+></TD
+></TR
+></TABLE
></P
></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN531"
+>4.2.4. Adding New Printers via the Windows NT APW</A
+></H2
+><P
+>By default, Samba offers all printer shares defined in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>
+in the "Printers..." folder. Also existing in this folder is the Windows NT
+Add Printer Wizard icon. The APW will be show only if</P
+><P
+></P
+><UL
+><LI
+><P
+>The connected user is able to successfully
+ execute an OpenPrinterEx(\\server) with administrative
+ priviledges (i.e. root or <TT
+CLASS="PARAMETER"
+><I
+>printer admin</I
+></TT
+>.
+ </P
+></LI
+><LI
+><P
+><A
+HREF="smb.conf.5.html#SHOWADDPRINTERWIZARD"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>show
+ add printer wizard = yes</I
+></TT
+></A
+> (the default).
+ </P
+></LI
+></UL
+><P
+>In order to be able to use the APW to successfully add a printer to a Samba
+server, the <A
+HREF="smb.conf.5.html#ADDPRINTERCOMMAND"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>addprinter
+command</I
+></TT
+></A
+> must have a defined value. The program
+hook must successfully add the printer to the system (i.e.
+<TT
+CLASS="FILENAME"
+>/etc/printcap</TT
+> or appropriate files) and
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> if necessary.</P
+><P
+>When using the APW from a client, if the named printer share does
+not exist, <B
+CLASS="COMMAND"
+>smbd</B
+> will execute the <TT
+CLASS="PARAMETER"
+><I
+>add printer
+program</I
+></TT
+> and reparse to the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>
+to attempt to locate the new printer share. If the share is still not defined,
+an error of "Access Denied" is returned to the client. Note that the
+<TT
+CLASS="PARAMETER"
+><I
+>add printer program</I
+></TT
+> is executed undet the context
+of the connected user, not necessarily a root account.</P
+><P
+>There is a complementing <A
+HREF="smb.conf.5.html#DELETEPRINTERCOMMAND"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>deleteprinter
+command</I
+></TT
+></A
+> for removing entries from the "Printers..."
+folder.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN556"
+>4.2.5. Samba and Printer Ports</A
+></H2
+><P
+>Windows NT/2000 print servers associate a port with each printer. These normally
+take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
+concept of ports associated with a printer. By default, only one printer port,
+named "Samba Printer Port", exists on a system. Samba does not really a port in
+order to print, rather it is a requirement of Windows clients. </P
+><P
+>Note that Samba does not support the concept of "Printer Pooling" internally
+either. This is when a logical printer is assigned to multiple ports as
+a form of load balancing or fail over.</P
+><P
+>If you require that multiple ports be defined for some reason,
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+> possesses a <A
+HREF="smb.conf.5.html#ENUMPORTSCOMMAND"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>enumports
+command</I
+></TT
+></A
+> which can be used to define an external program
+that generates a listing of ports on a system.</P
+></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN527"
->The Imprints Toolset</A
+NAME="AEN564"
+>4.3. The Imprints Toolset</A
></H1
><P
>The Imprints tool set provides a UNIX equivalent of the
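Review bot: In the new 4.2.4 text the parameter is linked as "addprinter command", but the next paragraph twice calls it "add printer program"; use the smb.conf name in all three places so readers can search for it. The same section says the hook must add the printer to /etc/printcap and smb.conf, yet is "executed undet the context of the connected user, not necessarily a root account"; state what write access that user needs on those files, since that decides who can actually add printers. Typos in the added lines: "will be show only if", "priviledges", the unclosed parenthesis after "printer admin", "undet", and in 4.2.5 "Samba does not really a port" (missing verb). The rpcclient example carried through at the top of the hunk passes "-U root%bleaK.er" on the command line, which exposes the password in the process list and shell history; letting the tool prompt for it would be a better pattern to document.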
@@ -2643,8 +2878,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN531"
->What is Imprints?</A
+NAME="AEN568"
+>4.3.1. What is Imprints?</A
></H2
><P
>Imprints is a collection of tools for supporting the goals
@@ -2675,8 +2910,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN541"
->Creating Printer Driver Packages</A
+NAME="AEN578"
+>4.3.2. Creating Printer Driver Packages</A
></H2
><P
>The process of creating printer driver packages is beyond
@@ -2691,8 +2926,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN544"
->The Imprints server</A
+NAME="AEN581"
+>4.3.3. The Imprints server</A
></H2
><P
>The Imprints server is really a database server that
@@ -2701,9 +2936,8 @@ NAME="AEN544"
downloading of the package. Each package is digitally signed
via GnuPG which can be used to verify that package downloaded
is actually the one referred in the Imprints database. It is
- <I
-CLASS="EMPHASIS"
->not</I
+ <EM
+>not</EM
> recommended that this security check
be disabled.</P
></DIV
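Review bot: the context sentence about the GnuPG signature in 4.3.3 is hard to parse: "verify that package downloaded is actually the one referred in the Imprints database". Since this paragraph is being touched for the EM markup anyway, suggest "verify that the package downloaded is actually the one referred to in the Imprints database", so the security check it recommends keeping is described clearly.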
@@ -2712,8 +2946,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN548"
->The Installation Client</A
+NAME="AEN585"
+>4.3.4. The Installation Client</A
></H2
><P
>More information regarding the Imprints installation client
@@ -2754,20 +2988,28 @@ CLASS="COMMAND"
>rpcclient</B
>.</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>
- foreach (supported architecture for a given driver)
- {
- 1. rpcclient: Get the appropriate upload directory
- on the remote server
- 2. smbclient: Upload the driver files
- 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
- }
+foreach (supported architecture for a given driver)
+{
+ 1. rpcclient: Get the appropriate upload directory
+ on the remote server
+ 2. smbclient: Upload the driver files
+ 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
+}
- 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
- create the printer
- </PRE
+4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
+ create the printer</PRE
+></TD
+></TR
+></TABLE
></P
><P
>One of the problems encountered when implementing
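Review bot: the new grey-box wrapper places a TABLE inside the P element that already enclosed the PRE (the "+><TABLE" line directly follows "><P", and "></TABLE" is followed by "></P"), so a block-level table ends up nested in a paragraph. If the stylesheet produces this, consider emitting the table outside the paragraph. In the listing itself, step 3 reads "Issues an AddPrinterDriver() MS-RPC" while step 4 reads "Issue an AddPrinterEx() MS-RPC"; pick one verb form while these lines are being re-indented.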
@@ -2807,8 +3049,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN570"
-><A
+NAME="AEN607"
+>4.4. <A
NAME="MIGRATION"
></A
>Migration to from Samba 2.0.x to
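Review bot: the section title that now receives the "4.4." number still reads "Migration to from Samba 2.0.x to". Drop the stray "to" so the numbered heading and its table-of-contents entry read "Migration from Samba 2.0.x to ...".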
@@ -2831,7 +3073,7 @@ WIDTH="100%"
><TD
ALIGN="CENTER"
><B
->Warning</B
+>Achtung!</B
></TD
></TR
><TR
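Review bot: the admonition title changes from "Warning" to "Achtung!" in an otherwise English document. This looks like a side effect of regenerating the HTML rather than an intended edit; suggest keeping "Warning" so the label matches the language of the surrounding text.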
@@ -2917,15 +3159,24 @@ CLASS="COMMAND"
><P
>If you want to migrate an existing <TT
CLASS="FILENAME"
-> printers.def</TT
-> file into the new setup, the current only
+>printers.def</TT
+>
+ file into the new setup, the current only
solution is to use the Windows NT APW to install the NT drivers
- and the 9x drivers. This can be scripted using smbclient and
- rpcclient. See the <A
+ and the 9x drivers. This can be scripted using <B
+CLASS="COMMAND"
+>smbclient</B
+>
+ and <B
+CLASS="COMMAND"
+>rpcclient</B
+>. See the
+ Imprints installation client at <A
HREF="http://imprints.sourceforge.net/"
TARGET="_top"
-> Imprints installation client</A
-> for an example.
+>http://imprints.sourceforge.net/</A
+>
+ for an example.
</P
></LI
></UL
@@ -2935,7 +3186,7 @@ TARGET="_top"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN599"
+NAME="AEN639"
>Chapter 5. security = domain in Samba 2.x</A
></H1
><DIV
@@ -2943,8 +3194,8 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN617"
->Joining an NT Domain with Samba 2.2</A
+NAME="AEN657"
+>5.1. Joining an NT Domain with Samba 2.2</A
></H1
><P
>In order for a Samba-2 server to join an NT domain,
@@ -2952,9 +3203,8 @@ NAME="AEN617"
NT domain on the PDC using Server Manager for Domains. This creates
the machine account in the domain (PDC) SAM. Note that you should
add the Samba server as a "Windows NT Workstation or Server",
- <I
-CLASS="EMPHASIS"
->NOT</I
+ <EM
+>NOT</EM
> as a Primary or backup domain controller.</P
><P
>Assume you have a Samba-2 server with a NetBIOS name of
@@ -3031,13 +3281,13 @@ CLASS="FILENAME"
><TT
CLASS="REPLACEABLE"
><I
->&lt;NT DOMAIN NAME&gt;</I
+>&#60;NT DOMAIN NAME&#62;</I
></TT
>.<TT
CLASS="REPLACEABLE"
><I
->&lt;Samba
- Server Name&gt;</I
+>&#60;Samba
+ Server Name&#62;</I
></TT
>.mac</TT
></P
@@ -3171,8 +3421,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN681"
->Samba and Windows 2000 Domains</A
+NAME="AEN721"
+>5.2. Samba and Windows 2000 Domains</A
></H1
><P
>Many people have asked regarding the state of Samba's ability to participate in
@@ -3196,8 +3446,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN686"
->Why is this better than security = server?</A
+NAME="AEN726"
+>5.3. Why is this better than security = server?</A
></H1
><P
>Currently, domain security in Samba doesn't free you from
@@ -3262,9 +3512,8 @@ CLASS="COMMAND"
user is authenticated, making a Samba server truly plug and play
in an NT domain environment. Watch for this code soon.</P
><P
-><I
-CLASS="EMPHASIS"
->NOTE:</I
+><EM
+>NOTE:</EM
> Much of the text of this document
was first published in the Web magazine <A
HREF="http://www.linuxworld.com"
@@ -3283,7 +3532,7 @@ TARGET="_top"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN702"
+NAME="AEN742"
>Chapter 6. How to Configure Samba 2.2.x as a Primary Domain Controller</A
></H1
><DIV
@@ -3291,13 +3540,12 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN713"
->Background</A
+NAME="AEN753"
+>6.1. Background</A
></H1
><P
-><I
-CLASS="EMPHASIS"
->Author's Note :</I
+><EM
+>Author's Note :</EM
> This document
is a combination of David Bannon's Samba 2.2 PDC HOWTO
and the Samba NT Domain FAQ. Both documents are superceeded by this one.</P
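Review bot: in the 6.1 Background paragraph, "Both documents are superceeded by this one" should read "superseded". The label "Author's Note :" also has a space before the colon, which the new EM markup carries over unchanged.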
@@ -3408,8 +3656,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN750"
->Configuring the Samba Domain Controller</A
+NAME="AEN790"
+>6.2. Configuring the Samba Domain Controller</A
></H1
><P
>The first step in creating a working Samba PDC is to
@@ -3425,6 +3673,12 @@ linked with the actual smb.conf description.</P
><P
>Here is an example smb.conf for acting as a PDC:</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>[global]
@@ -3566,6 +3820,9 @@ HREF="smb.conf.5.html#DIRECTORYMASK"
TARGET="_top"
>directory mask</A
> = 0700</PRE
+></TD
+></TR
+></TABLE
></P
><P
>There are a couple of points to emphasize in the above
@@ -3619,8 +3876,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN793"
->Creating Machine Trust Accounts and Joining Clients
+NAME="AEN833"
+>6.3. Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
><P
@@ -3684,9 +3941,18 @@ CLASS="FILENAME"
>/etc/passwd</TT
> entry like this :</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
+></TD
+></TR
+></TABLE
></P
><P
>If you are manually creating the machine accounts, it is necessary
@@ -3719,10 +3985,9 @@ CLASS="REPLACEABLE"
> is the machine's netbios
name.</P
><P
-><I
-CLASS="EMPHASIS"
+><EM
>If you manually create a machine account, immediately join
-the client to the domain.</I
+the client to the domain.</EM
> An open account like this
can allow intruders to gain access to user account information
in your domain.</P
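Review bot: the sentence wrapped in EM here is a security warning ("An open account like this can allow intruders to gain access to user account information in your domain"), yet it is marked only as inline emphasis and the visible text never says what makes the account "open". Suggest presenting it as a warning block and adding one sentence that explains the exposure between account creation and the client join.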
@@ -3737,23 +4002,29 @@ TARGET="_top"
>
parameter. Below is an example I use on a RedHat 6.2 Linux system.</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
>add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+></TD
+></TR
+></TABLE
></P
><P
->In Samba 2.2.0, <I
-CLASS="EMPHASIS"
->only the root account</I
+>In Samba 2.2.0, <EM
+>only the root account</EM
> can be used to create
machine accounts on the fly like this. Therefore, it is required
-to create an entry in smbpasswd for <I
-CLASS="EMPHASIS"
->root</I
+to create an entry in smbpasswd for <EM
+>root</EM
>.
-The password <I
-CLASS="EMPHASIS"
->SHOULD</I
+The password <EM
+>SHOULD</EM
> be set to s different
password that the associated <TT
CLASS="FILENAME"
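Review bot: the root smbpasswd guidance still contains two typos on the context line after the new EM markup: "be set to s different password that the associated" should read "a different password than the associated". This sentence is the only place the hunk tells administrators to keep the two root passwords distinct, so it is worth getting right. The add user script listing also keeps a trailing space after "%u" inside the PRE.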
@@ -3766,15 +4037,14 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN832"
->Common Problems and Errors</A
+NAME="AEN872"
+>6.4. Common Problems and Errors</A
></H1
><P
></P
><P
-><I
-CLASS="EMPHASIS"
->I cannot include a '$' in a machine name.</I
+><EM
+>I cannot include a '$' in a machine name.</EM
></P
><P
>A 'machine name' in (typically) <TT
@@ -3793,10 +4063,9 @@ CLASS="COMMAND"
the whole entry with vipw if you like, make sure you use a
unique uid !</P
><P
-><I
-CLASS="EMPHASIS"
+><EM
>I get told "You already have a connection to the Domain...."
-when creating a machine account.</I
+when creating a machine account.</EM
></P
><P
>This happens if you try to create a machine account from the
@@ -3810,18 +4079,16 @@ is the same name as the domain you are joining (bad idea) you will
get this message. Change the workgroup name to something else, it
does not matter what, reboot, and try again.</P
><P
-><I
-CLASS="EMPHASIS"
+><EM
>I get told "Cannot join domain, the credentials supplied
-conflict with an existing set.."</I
+conflict with an existing set.."</EM
></P
><P
>This is the same basic problem as mentioned above, "You already
have a connection..."</P
><P
-><I
-CLASS="EMPHASIS"
->"The system can not log you on (C000019B)...."</I
+><EM
+>"The system can not log you on (C000019B)...."</EM
></P
><P
>I joined the domain successfully but after upgrading
@@ -3843,10 +4110,9 @@ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
only way to correct the problem is to restore the original domain
SID or remove the domain client from the domain and rejoin.</P
><P
-><I
-CLASS="EMPHASIS"
+><EM
>"The machine account for this computer either does not
-exist or is not accessible."</I
+exist or is not accessible."</EM
></P
><P
>When I try to join the domain I get the message "The machine account
@@ -3877,8 +4143,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN860"
->System Policies and Profiles</A
+NAME="AEN900"
+>6.5. System Policies and Profiles</A
></H1
><P
>Much of the information necessary to implement System Policies and
@@ -3893,9 +4159,8 @@ Profiles and Policies in Windows NT 4.0</A
><P
>Here are some additional details:</P
><P
-><I
-CLASS="EMPHASIS"
->What about Windows NT Policy Editor ?</I
+><EM
+>What about Windows NT Policy Editor ?</EM
></P
><P
>To create or edit <TT
@@ -3906,14 +4171,12 @@ the NT Server Policy Editor, <B
CLASS="COMMAND"
>poledit.exe</B
> which
-is included with NT Server but <I
-CLASS="EMPHASIS"
->not NT Workstation</I
+is included with NT Server but <EM
+>not NT Workstation</EM
>.
There is a Policy Editor on a NTws
-but it is not suitable for creating <I
-CLASS="EMPHASIS"
->Domain Policies</I
+but it is not suitable for creating <EM
+>Domain Policies</EM
>.
Further, although the Windows 95
Policy Editor can be installed on an NT Workstation/Server, it will not
@@ -3951,9 +4214,8 @@ be extracted as well. It is also possible to downloaded the policy template
files for Office97 and get a copy of the policy editor. Another possible
location is with the Zero Administration Kit available for download from Microsoft.</P
><P
-><I
-CLASS="EMPHASIS"
->Can Win95 do Policies ?</I
+><EM
+>Can Win95 do Policies ?</EM
></P
><P
>Install the group policy handler for Win9x to pick up group
@@ -3973,9 +4235,8 @@ to be done on every Win9x machine that uses group policies....</P
(read: working) grouppol.dll for Windows 9x. The group list is grabbed
from /etc/group.</P
><P
-><I
-CLASS="EMPHASIS"
->How do I get 'User Manager' and 'Server Manager'</I
+><EM
+>How do I get 'User Manager' and 'Server Manager'</EM
></P
><P
>Since I don't need to buy an NT Server CD now, how do I get
@@ -4020,8 +4281,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN900"
->What other help can I get ?</A
+NAME="AEN940"
+>6.6. What other help can I get ?</A
></H1
><P
>There are many sources of information available in the form
@@ -4029,10 +4290,9 @@ of mailing lists, RFC's and documentation. The docs that come
with the samba distribution contain very good explanations of
general SMB topics such as browsing.</P
><P
-><I
-CLASS="EMPHASIS"
+><EM
>What are some diagnostics tools I can use to debug the domain logon
-process and where can I find them?</I
+process and where can I find them?</EM
></P
><P
> One of the best diagnostic tools for debugging problems is Samba itself.
@@ -4099,10 +4359,9 @@ TARGET="_top"
formatted files.
</P
><P
-><I
-CLASS="EMPHASIS"
+><EM
>How do I install 'Network Monitor' on an NT Workstation
-or a Windows 9x box?</I
+or a Windows 9x box?</EM
></P
><P
> Installing netmon on an NT workstation requires a couple
@@ -4203,8 +4462,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN947"
->URLs and similar</A
+NAME="AEN987"
+>6.6.1. URLs and similar</A
></H2
><P
></P
@@ -4219,9 +4478,8 @@ TARGET="_top"
></LI
><LI
><P
-> The <I
-CLASS="EMPHASIS"
->Development</I
+> The <EM
+>Development</EM
> document
on the Samba mirrors might mention your problem. If so,
it might mean that the developers are working on it.</P
@@ -4277,13 +4535,12 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN971"
->Mailing Lists</A
+NAME="AEN1011"
+>6.6.2. Mailing Lists</A
></H2
><P
-><I
-CLASS="EMPHASIS"
->How do I get help from the mailing lists ?</I
+><EM
+>How do I get help from the mailing lists ?</EM
></P
><P
>There are a number of Samba related mailing lists. Go to <A
@@ -4355,9 +4612,8 @@ main stream Samba lists.</P
></LI
><LI
><P
->You might include <I
-CLASS="EMPHASIS"
->partial</I
+>You might include <EM
+>partial</EM
>
log files written at a debug level set to as much as 20.
Please don't send the entire log but enough to give the context of the
@@ -4377,9 +4633,8 @@ CLASS="EMPHASIS"
></LI
></UL
><P
-><I
-CLASS="EMPHASIS"
->How do I get off the mailing lists ?</I
+><EM
+>How do I get off the mailing lists ?</EM
></P
><P
>To have your name removed from a samba mailing list, go to the
@@ -4412,16 +4667,15 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1010"
->DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
+NAME="AEN1050"
+>6.7. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><P
>This appendix was originally authored by John H Terpstra of the Samba Team
and is included here for posterity.</P
><P
-><I
-CLASS="EMPHASIS"
->NOTE :</I
+><EM
+>NOTE :</EM
>
The term "Domain Controller" and those related to it refer to one specific
method of authentication that can underly an SMB domain. Domain Controllers
@@ -4514,7 +4768,7 @@ within its registry.</P
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1034"
+NAME="AEN1074"
>Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A
></H1
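Review bot: the chapter title under the renamed anchor still reads "Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind"; "Unifed" should be "Unified".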
><DIV
@@ -4522,16 +4776,15 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1052"
->Abstract</A
+NAME="AEN1092"
+>7.1. Abstract</A
></H1
><P
>Integration of UNIX and Microsoft Windows NT through
a unified logon has been considered a "holy grail" in heterogeneous
- computing environments for a long time. We present <I
-CLASS="EMPHASIS"
+ computing environments for a long time. We present <EM
>winbind
- </I
+ </EM
>, a component of the Samba suite of programs as a
solution to the unied logon problem. Winbind uses a UNIX implementation
of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
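Review bot: in the 7.1 Abstract, "solution to the unied logon problem" should read "unified". The new emphasis markup also keeps the line break and trailing spaces inside the element ("<EM" / ">winbind" / " </EM"), so the emphasised text ends in whitespace before the comma; close the element directly after "winbind".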
@@ -4545,8 +4798,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1056"
->Introduction</A
+NAME="AEN1096"
+>7.2. Introduction</A
></H1
><P
>It is well known that UNIX and Microsoft Windows NT have
@@ -4599,8 +4852,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1069"
->What Winbind Provides</A
+NAME="AEN1109"
+>7.3. What Winbind Provides</A
></H1
><P
>Winbind unifies UNIX and Windows NT account management by
@@ -4641,8 +4894,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1076"
->Target Uses</A
+NAME="AEN1116"
+>7.3.1. Target Uses</A
></H2
><P
>Winbind is targeted at organizations that have an
@@ -4665,8 +4918,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1080"
->How Winbind Works</A
+NAME="AEN1120"
+>7.4. How Winbind Works</A
></H1
><P
>The winbind system is designed around a client/server
@@ -4685,8 +4938,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1085"
->Microsoft Remote Procedure Calls</A
+NAME="AEN1125"
+>7.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
>Over the last two years, efforts have been underway
@@ -4711,8 +4964,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1089"
->Name Service Switch</A
+NAME="AEN1129"
+>7.4.2. Name Service Switch</A
></H2
><P
>The Name Service Switch, or NSS, is a feature that is
@@ -4790,8 +5043,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1105"
->Pluggable Authentication Modules</A
+NAME="AEN1145"
+>7.4.3. Pluggable Authentication Modules</A
></H2
><P
>Pluggable Authentication Modules, also known as PAM,
@@ -4839,8 +5092,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1113"
->User and Group ID Allocation</A
+NAME="AEN1153"
+>7.4.4. User and Group ID Allocation</A
></H2
><P
>When a user or group is created under Windows NT
@@ -4865,8 +5118,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1117"
->Result Caching</A
+NAME="AEN1157"
+>7.4.5. Result Caching</A
></H2
><P
>An active system can generate a lot of user and group
@@ -4888,8 +5141,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1120"
->Installation and Configuration</A
+NAME="AEN1160"
+>7.5. Installation and Configuration</A
></H1
><P
>The easiest way to install winbind is by using the packages
@@ -4919,8 +5172,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1126"
->Limitations</A
+NAME="AEN1166"
+>7.6. Limitations</A
></H1
><P
>Winbind has a number of limitations in its current
@@ -4967,8 +5220,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1138"
->Conclusion</A
+NAME="AEN1178"
+>7.7. Conclusion</A
></H1
><P
>The winbind system, through the use of the Name Service
@@ -4983,7 +5236,7 @@ NAME="AEN1138"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1141"
+NAME="AEN1181"
>Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A
></H1
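Review bot: the chapter title under the renamed anchor reads "Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists"; "WIndows" should be "Windows".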
><DIV
@@ -4991,8 +5244,8 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1152"
->Viewing and changing UNIX permissions using the NT
+NAME="AEN1192"
+>8.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
><P
@@ -5007,7 +5260,7 @@ NAME="AEN1152"
><P
>In Samba 2.0.4 and above the default value of the
parameter <A
-HREF="smb.conf.5.html#NTACLSUPPOR"
+HREF="smb.conf.5.html#NTACLSUPPORT"
TARGET="_top"
><TT
CLASS="PARAMETER"
@@ -5030,37 +5283,31 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1161"
->How to view file security on a Samba share</A
+NAME="AEN1201"
+>8.2. How to view file security on a Samba share</A
></H1
><P
>From an NT 4.0 client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
- on the <I
-CLASS="EMPHASIS"
->Properties</I
+ on the <EM
+>Properties</EM
> entry at the bottom of
the menu. This brings up the normal file properties dialog
box, but with Samba 2.0.4 this will have a new tab along the top
- marked <I
-CLASS="EMPHASIS"
->Security</I
+ marked <EM
+>Security</EM
>. Click on this tab and you
- will see three buttons, <I
-CLASS="EMPHASIS"
->Permissions</I
+ will see three buttons, <EM
+>Permissions</EM
>,
- <I
-CLASS="EMPHASIS"
->Auditing</I
->, and <I
-CLASS="EMPHASIS"
->Ownership</I
+ <EM
+>Auditing</EM
+>, and <EM
+>Ownership</EM
>.
- The <I
-CLASS="EMPHASIS"
->Auditing</I
+ The <EM
+>Auditing</EM
> button will cause either
an error message <SPAN
CLASS="ERRORNAME"
@@ -5082,8 +5329,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1172"
->Viewing file ownership</A
+NAME="AEN1212"
+>8.3. Viewing file ownership</A
></H1
><P
>Clicking on the <B
@@ -5146,9 +5393,8 @@ CLASS="COMMAND"
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
for this is that changing the ownership of a file is a privilaged
- operation in UNIX, available only to the <I
-CLASS="EMPHASIS"
->root</I
+ operation in UNIX, available only to the <EM
+>root</EM
>
user. As clicking on this button causes NT to attempt to change
the ownership of a file to the current user logged into the NT
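Review bot: the context line just above the changed markup reads "changing the ownership of a file is a privilaged operation in UNIX"; "privilaged" should be "privileged". Worth fixing in the same pass, since this paragraph is where the document explains why only root can change ownership.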
@@ -5158,10 +5404,9 @@ CLASS="EMPHASIS"
and allow a user with Administrator privillage connected
to a Samba 2.0.4 server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
- or Samba drive. This is available as part of the <I
-CLASS="EMPHASIS"
+ or Samba drive. This is available as part of the <EM
>Seclib
- </I
+ </EM
> NT security library written by Jeremy Allison of
the Samba Team, available from the main Samba ftp site.</P
></DIV
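Review bot: "allow a user with Administrator privillage connected to a Samba 2.0.4 server as root" should read "privilege". As in the winbind abstract, the new EM element wraps "Seclib" together with a line break and trailing space; close it directly after the name.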
@@ -5170,8 +5415,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1192"
->Viewing file or directory permissions</A
+NAME="AEN1232"
+>8.4. Viewing file or directory permissions</A
></H1
><P
>The third button is the <B
@@ -5232,8 +5477,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1207"
->File Permissions</A
+NAME="AEN1247"
+>8.4.1. File Permissions</A
></H2
><P
>The standard UNIX user/group/world triple and
@@ -5294,8 +5539,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1221"
->Directory Permissions</A
+NAME="AEN1261"
+>8.4.2. Directory Permissions</A
></H2
><P
>Directories on an NT NTFS file system have two
@@ -5326,8 +5571,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1228"
->Modifying file or directory permissions</A
+NAME="AEN1268"
+>8.5. Modifying file or directory permissions</A
></H1
><P
>Modifying file and directory permissions is as simple
@@ -5424,8 +5669,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1250"
->Interaction with the standard Samba create mask
+NAME="AEN1290"
+>8.6. Interaction with the standard Samba create mask
parameters</A
></H1
><P
@@ -5486,9 +5731,8 @@ CLASS="PARAMETER"
>security mask</I
></TT
>
- mask may be treated as a set of bits the user is <I
-CLASS="EMPHASIS"
->not</I
+ mask may be treated as a set of bits the user is <EM
+>not</EM
>
allowed to change, and one bits are those the user is allowed to change.
</P
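Review bot: the parameter name "security mask" is immediately followed by another "mask" on the changed line ("mask may be treated as a set of bits the user is not allowed to change"), so the rendered sentence reads "security mask mask". Drop the second word. The closing clause "and one bits are those the user is allowed to change" would also read better as "bits set to one are those the user is allowed to change".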
@@ -5698,8 +5942,8 @@ CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
-NAME="AEN1314"
->Interaction with the standard Samba file attribute
+NAME="AEN1354"
+>8.7. Interaction with the standard Samba file attribute
mapping</A
></H1
><P
@@ -5745,7 +5989,7 @@ CLASS="COMMAND"
CLASS="CHAPTER"
><HR><H1
><A
-NAME="AEN1324"
+NAME="AEN1364"
>Chapter 9. OS2 Client HOWTO</A
></H1
><DIV
@@ -5753,16 +5997,16 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1335"
->FAQs</A
+NAME="AEN1375"
+>9.1. FAQs</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN1337"
->How can I configure OS/2 Warp Connect or
+NAME="AEN1377"
+>9.1.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
><P
@@ -5820,8 +6064,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1352"
->How can I configure OS/2 Warp 3 (not Connect),
+NAME="AEN1392"
+>9.1.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
><P
@@ -5841,12 +6085,21 @@ TARGET="_top"
a nutshell, edit the file \OS2VER in the root directory of
the OS/2 boot partition and add the lines:</P
><P
+><TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
><PRE
CLASS="PROGRAMLISTING"
> 20=setup.exe
20=netwksta.sys
20=netvdd.sys
</PRE
+></TD
+></TR
+></TABLE
></P
><P
>before you install the client. Also, don't use the
@@ -5864,8 +6117,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1361"
->Are there any other issues when OS/2 (any version)
+NAME="AEN1401"
+>9.1.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
><P
@@ -5886,8 +6139,8 @@ CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
-NAME="AEN1365"
->How do I get printer driver download working
+NAME="AEN1405"
+>9.1.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
><P
@@ -5914,8 +6167,8 @@ CLASS="REPLACEABLE"
name of the NT driver name to the OS/2 driver name as
follows:</P
><P
->&lt;nt driver name&gt; = &lt;os2 driver
- name&gt;.&lt;device name&gt;, e.g.:
+>&#60;nt driver name&#62; = &#60;os2 driver
+ name&#62;.&#60;device name&#62;, e.g.:
HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
><P
>You can have multiple drivers mapped in this file.</P