summaryrefslogtreecommitdiff
path: root/docs/htmldocs/Samba-HOWTO-Collection.html
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-01-15 22:29:27 +0000
committerGerald Carter <jerry@samba.org>2003-01-15 22:29:27 +0000
commit2a85f0cf33f303e091ce6f6bea7b7a072cd81c14 (patch)
tree0ab129510034a715a9c31ff1433db404ee1c1e26 /docs/htmldocs/Samba-HOWTO-Collection.html
parent3a5a4159882635800b57fc766c7d4e2ec0297bb9 (diff)
downloadsamba-2a85f0cf33f303e091ce6f6bea7b7a072cd81c14.tar.gz
samba-2a85f0cf33f303e091ce6f6bea7b7a072cd81c14.tar.bz2
samba-2a85f0cf33f303e091ce6f6bea7b7a072cd81c14.zip
syncing docs with HEAD
(This used to be commit d8fe70c3b4be548244e9d7b7ea533e64232df001)
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r--docs/htmldocs/Samba-HOWTO-Collection.html14862
1 files changed, 0 insertions, 14862 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
deleted file mode 100644
index e5240ba658..0000000000
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ /dev/null
@@ -1,14862 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->SAMBA Project Documentation</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.77"></HEAD
-><BODY
-CLASS="BOOK"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="BOOK"
-><A
-NAME="SAMBA-PROJECT-DOCUMENTATION"
-></A
-><DIV
-CLASS="TITLEPAGE"
-><H1
-CLASS="TITLE"
-><A
-NAME="SAMBA-PROJECT-DOCUMENTATION"
-></A
->SAMBA Project Documentation</H1
-><H3
-CLASS="AUTHOR"
-><A
-NAME="AEN4"
-></A
->SAMBA Team</H3
-><HR></DIV
-><HR><H1
-><A
-NAME="AEN8"
-></A
->Abstract</H1
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Last Update</I
-></SPAN
-> : Thu Aug 15 12:48:45 CDT 2002</P
-><P
->This book is a collection of HOWTOs added to Samba documentation over the years.
-I try to ensure that all are current, but sometimes the is a larger job
-than one person can maintain. The most recent version of this document
-can be found at <A
-HREF="http://www.samba.org/"
-TARGET="_top"
->http://www.samba.org/</A
->
-on the "Documentation" page. Please send updates to <A
-HREF="mailto:jerry@samba.org"
-TARGET="_top"
->jerry@samba.org</A
->.</P
-><P
->This documentation is distributed under the GNU General Public License (GPL)
-version 2. A copy of the license is included with the Samba source
-distribution. A copy can be found on-line at <A
-HREF="http://www.fsf.org/licenses/gpl.txt"
-TARGET="_top"
->http://www.fsf.org/licenses/gpl.txt</A
-></P
-><P
->Cheers, jerry</P
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->1. <A
-HREF="#INSTALL"
->How to Install and Test SAMBA</A
-></DT
-><DD
-><DL
-><DT
->1.1. <A
-HREF="#AEN20"
->Step 0: Read the man pages</A
-></DT
-><DT
->1.2. <A
-HREF="#AEN28"
->Step 1: Building the Binaries</A
-></DT
-><DT
->1.3. <A
-HREF="#AEN56"
->Step 2: The all important step</A
-></DT
-><DT
->1.4. <A
-HREF="#AEN60"
->Step 3: Create the smb configuration file.</A
-></DT
-><DT
->1.5. <A
-HREF="#AEN74"
->Step 4: Test your config file with
- <B
-CLASS="COMMAND"
->testparm</B
-></A
-></DT
-><DT
->1.6. <A
-HREF="#AEN80"
->Step 5: Starting the smbd and nmbd</A
-></DT
-><DD
-><DL
-><DT
->1.6.1. <A
-HREF="#AEN90"
->Step 5a: Starting from inetd.conf</A
-></DT
-><DT
->1.6.2. <A
-HREF="#AEN119"
->Step 5b. Alternative: starting it as a daemon</A
-></DT
-></DL
-></DD
-><DT
->1.7. <A
-HREF="#AEN135"
->Step 6: Try listing the shares available on your
- server</A
-></DT
-><DT
->1.8. <A
-HREF="#AEN144"
->Step 7: Try connecting with the unix client</A
-></DT
-><DT
->1.9. <A
-HREF="#AEN160"
->Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
- Win2k, OS/2, etc... client</A
-></DT
-><DT
->1.10. <A
-HREF="#AEN174"
->What If Things Don't Work?</A
-></DT
-><DD
-><DL
-><DT
->1.10.1. <A
-HREF="#AEN179"
->Diagnosing Problems</A
-></DT
-><DT
->1.10.2. <A
-HREF="#AEN183"
->Scope IDs</A
-></DT
-><DT
->1.10.3. <A
-HREF="#AEN186"
->Choosing the Protocol Level</A
-></DT
-><DT
->1.10.4. <A
-HREF="#AEN195"
->Printing from UNIX to a Client PC</A
-></DT
-><DT
->1.10.5. <A
-HREF="#AEN200"
->Locking</A
-></DT
-><DT
->1.10.6. <A
-HREF="#AEN209"
->Mapping Usernames</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->2. <A
-HREF="#DIAGNOSIS"
->Diagnosing your samba server</A
-></DT
-><DD
-><DL
-><DT
->2.1. <A
-HREF="#AEN223"
->Introduction</A
-></DT
-><DT
->2.2. <A
-HREF="#AEN228"
->Assumptions</A
-></DT
-><DT
->2.3. <A
-HREF="#AEN238"
->Tests</A
-></DT
-><DD
-><DL
-><DT
->2.3.1. <A
-HREF="#AEN240"
->Test 1</A
-></DT
-><DT
->2.3.2. <A
-HREF="#AEN246"
->Test 2</A
-></DT
-><DT
->2.3.3. <A
-HREF="#AEN252"
->Test 3</A
-></DT
-><DT
->2.3.4. <A
-HREF="#AEN267"
->Test 4</A
-></DT
-><DT
->2.3.5. <A
-HREF="#AEN272"
->Test 5</A
-></DT
-><DT
->2.3.6. <A
-HREF="#AEN278"
->Test 6</A
-></DT
-><DT
->2.3.7. <A
-HREF="#AEN286"
->Test 7</A
-></DT
-><DT
->2.3.8. <A
-HREF="#AEN312"
->Test 8</A
-></DT
-><DT
->2.3.9. <A
-HREF="#AEN329"
->Test 9</A
-></DT
-><DT
->2.3.10. <A
-HREF="#AEN337"
->Test 10</A
-></DT
-><DT
->2.3.11. <A
-HREF="#AEN343"
->Test 11</A
-></DT
-></DL
-></DD
-><DT
->2.4. <A
-HREF="#AEN348"
->Still having troubles?</A
-></DT
-></DL
-></DD
-><DT
->3. <A
-HREF="#INTEGRATE-MS-NETWORKS"
->Integrating MS Windows networks with Samba</A
-></DT
-><DD
-><DL
-><DT
->3.1. <A
-HREF="#AEN365"
->Agenda</A
-></DT
-><DT
->3.2. <A
-HREF="#AEN387"
->Name Resolution in a pure Unix/Linux world</A
-></DT
-><DD
-><DL
-><DT
->3.2.1. <A
-HREF="#AEN403"
-><TT
-CLASS="FILENAME"
->/etc/hosts</TT
-></A
-></DT
-><DT
->3.2.2. <A
-HREF="#AEN419"
-><TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></A
-></DT
-><DT
->3.2.3. <A
-HREF="#AEN430"
-><TT
-CLASS="FILENAME"
->/etc/host.conf</TT
-></A
-></DT
-><DT
->3.2.4. <A
-HREF="#AEN438"
-><TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-></A
-></DT
-></DL
-></DD
-><DT
->3.3. <A
-HREF="#AEN450"
->Name resolution as used within MS Windows networking</A
-></DT
-><DD
-><DL
-><DT
->3.3.1. <A
-HREF="#AEN462"
->The NetBIOS Name Cache</A
-></DT
-><DT
->3.3.2. <A
-HREF="#AEN467"
->The LMHOSTS file</A
-></DT
-><DT
->3.3.3. <A
-HREF="#AEN475"
->HOSTS file</A
-></DT
-><DT
->3.3.4. <A
-HREF="#AEN480"
->DNS Lookup</A
-></DT
-><DT
->3.3.5. <A
-HREF="#AEN483"
->WINS Lookup</A
-></DT
-></DL
-></DD
-><DT
->3.4. <A
-HREF="#AEN495"
->How browsing functions and how to deploy stable and
-dependable browsing using Samba</A
-></DT
-><DT
->3.5. <A
-HREF="#AEN505"
->MS Windows security options and how to configure
-Samba for seemless integration</A
-></DT
-><DD
-><DL
-><DT
->3.5.1. <A
-HREF="#AEN533"
->Use MS Windows NT as an authentication server</A
-></DT
-><DT
->3.5.2. <A
-HREF="#AEN541"
->Make Samba a member of an MS Windows NT security domain</A
-></DT
-><DT
->3.5.3. <A
-HREF="#AEN558"
->Configure Samba as an authentication server</A
-></DT
-></DL
-></DD
-><DT
->3.6. <A
-HREF="#AEN575"
->Conclusions</A
-></DT
-></DL
-></DD
-><DT
->4. <A
-HREF="#PAM"
->Configuring PAM for distributed but centrally
-managed authentication</A
-></DT
-><DD
-><DL
-><DT
->4.1. <A
-HREF="#AEN596"
->Samba and PAM</A
-></DT
-><DT
->4.2. <A
-HREF="#AEN640"
->Distributed Authentication</A
-></DT
-><DT
->4.3. <A
-HREF="#AEN647"
->PAM Configuration in smb.conf</A
-></DT
-></DL
-></DD
-><DT
->5. <A
-HREF="#MSDFS"
->Hosting a Microsoft Distributed File System tree on Samba</A
-></DT
-><DD
-><DL
-><DT
->5.1. <A
-HREF="#AEN667"
->Instructions</A
-></DT
-><DD
-><DL
-><DT
->5.1.1. <A
-HREF="#AEN702"
->Notes</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->6. <A
-HREF="#UNIX-PERMISSIONS"
->UNIX Permission Bits and Windows NT Access Control Lists</A
-></DT
-><DD
-><DL
-><DT
->6.1. <A
-HREF="#AEN722"
->Viewing and changing UNIX permissions using the NT
- security dialogs</A
-></DT
-><DT
->6.2. <A
-HREF="#AEN731"
->How to view file security on a Samba share</A
-></DT
-><DT
->6.3. <A
-HREF="#AEN742"
->Viewing file ownership</A
-></DT
-><DT
->6.4. <A
-HREF="#AEN762"
->Viewing file or directory permissions</A
-></DT
-><DD
-><DL
-><DT
->6.4.1. <A
-HREF="#AEN777"
->File Permissions</A
-></DT
-><DT
->6.4.2. <A
-HREF="#AEN791"
->Directory Permissions</A
-></DT
-></DL
-></DD
-><DT
->6.5. <A
-HREF="#AEN798"
->Modifying file or directory permissions</A
-></DT
-><DT
->6.6. <A
-HREF="#AEN820"
->Interaction with the standard Samba create mask
- parameters</A
-></DT
-><DT
->6.7. <A
-HREF="#AEN884"
->Interaction with the standard Samba file attribute
- mapping</A
-></DT
-></DL
-></DD
-><DT
->7. <A
-HREF="#PRINTING"
->Printing Support in Samba 2.2.x</A
-></DT
-><DD
-><DL
-><DT
->7.1. <A
-HREF="#AEN905"
->Introduction</A
-></DT
-><DT
->7.2. <A
-HREF="#AEN927"
->Configuration</A
-></DT
-><DD
-><DL
-><DT
->7.2.1. <A
-HREF="#AEN938"
->Creating [print$]</A
-></DT
-><DT
->7.2.2. <A
-HREF="#AEN973"
->Setting Drivers for Existing Printers</A
-></DT
-><DT
->7.2.3. <A
-HREF="#AEN990"
->Support a large number of printers</A
-></DT
-><DT
->7.2.4. <A
-HREF="#AEN1001"
->Adding New Printers via the Windows NT APW</A
-></DT
-><DT
->7.2.5. <A
-HREF="#AEN1031"
->Samba and Printer Ports</A
-></DT
-></DL
-></DD
-><DT
->7.3. <A
-HREF="#AEN1039"
->The Imprints Toolset</A
-></DT
-><DD
-><DL
-><DT
->7.3.1. <A
-HREF="#AEN1043"
->What is Imprints?</A
-></DT
-><DT
->7.3.2. <A
-HREF="#AEN1053"
->Creating Printer Driver Packages</A
-></DT
-><DT
->7.3.3. <A
-HREF="#AEN1056"
->The Imprints server</A
-></DT
-><DT
->7.3.4. <A
-HREF="#AEN1060"
->The Installation Client</A
-></DT
-></DL
-></DD
-><DT
->7.4. <A
-HREF="#AEN1082"
-><A
-NAME="MIGRATION"
-></A
->Migration to from Samba 2.0.x to 2.2.x</A
-></DT
-></DL
-></DD
-><DT
->8. <A
-HREF="#PRINTINGDEBUG"
->Debugging Printing Problems</A
-></DT
-><DD
-><DL
-><DT
->8.1. <A
-HREF="#AEN1128"
->Introduction</A
-></DT
-><DT
->8.2. <A
-HREF="#AEN1144"
->Debugging printer problems</A
-></DT
-><DT
->8.3. <A
-HREF="#AEN1153"
->What printers do I have?</A
-></DT
-><DT
->8.4. <A
-HREF="#AEN1161"
->Setting up printcap and print servers</A
-></DT
-><DT
->8.5. <A
-HREF="#AEN1189"
->Job sent, no output</A
-></DT
-><DT
->8.6. <A
-HREF="#AEN1200"
->Job sent, strange output</A
-></DT
-><DT
->8.7. <A
-HREF="#AEN1212"
->Raw PostScript printed</A
-></DT
-><DT
->8.8. <A
-HREF="#AEN1215"
->Advanced Printing</A
-></DT
-><DT
->8.9. <A
-HREF="#AEN1218"
->Real debugging</A
-></DT
-></DL
-></DD
-><DT
->9. <A
-HREF="#SECURITYLEVELS"
->Security levels</A
-></DT
-><DD
-><DL
-><DT
->9.1. <A
-HREF="#AEN1231"
->Introduction</A
-></DT
-><DT
->9.2. <A
-HREF="#AEN1242"
->More complete description of security levels</A
-></DT
-></DL
-></DD
-><DT
->10. <A
-HREF="#DOMAIN-SECURITY"
->security = domain in Samba 2.x</A
-></DT
-><DD
-><DL
-><DT
->10.1. <A
-HREF="#AEN1275"
->Joining an NT Domain with Samba 2.2</A
-></DT
-><DT
->10.2. <A
-HREF="#AEN1339"
->Samba and Windows 2000 Domains</A
-></DT
-><DT
->10.3. <A
-HREF="#AEN1344"
->Why is this better than security = server?</A
-></DT
-></DL
-></DD
-><DT
->11. <A
-HREF="#WINBIND"
->Unified Logons between Windows NT and UNIX using Winbind</A
-></DT
-><DD
-><DL
-><DT
->11.1. <A
-HREF="#AEN1397"
->Abstract</A
-></DT
-><DT
->11.2. <A
-HREF="#AEN1401"
->Introduction</A
-></DT
-><DT
->11.3. <A
-HREF="#AEN1414"
->What Winbind Provides</A
-></DT
-><DD
-><DL
-><DT
->11.3.1. <A
-HREF="#AEN1421"
->Target Uses</A
-></DT
-></DL
-></DD
-><DT
->11.4. <A
-HREF="#AEN1425"
->How Winbind Works</A
-></DT
-><DD
-><DL
-><DT
->11.4.1. <A
-HREF="#AEN1430"
->Microsoft Remote Procedure Calls</A
-></DT
-><DT
->11.4.2. <A
-HREF="#AEN1434"
->Name Service Switch</A
-></DT
-><DT
->11.4.3. <A
-HREF="#AEN1450"
->Pluggable Authentication Modules</A
-></DT
-><DT
->11.4.4. <A
-HREF="#AEN1458"
->User and Group ID Allocation</A
-></DT
-><DT
->11.4.5. <A
-HREF="#AEN1462"
->Result Caching</A
-></DT
-></DL
-></DD
-><DT
->11.5. <A
-HREF="#AEN1465"
->Installation and Configuration</A
-></DT
-><DD
-><DL
-><DT
->11.5.1. <A
-HREF="#AEN1472"
->Introduction</A
-></DT
-><DT
->11.5.2. <A
-HREF="#AEN1485"
->Requirements</A
-></DT
-><DT
->11.5.3. <A
-HREF="#AEN1499"
->Testing Things Out</A
-></DT
-></DL
-></DD
-><DT
->11.6. <A
-HREF="#AEN1714"
->Limitations</A
-></DT
-><DT
->11.7. <A
-HREF="#AEN1724"
->Conclusion</A
-></DT
-></DL
-></DD
-><DT
->12. <A
-HREF="#SAMBA-PDC"
->How to Configure Samba 2.2 as a Primary Domain Controller</A
-></DT
-><DD
-><DL
-><DT
->12.1. <A
-HREF="#AEN1744"
->Prerequisite Reading</A
-></DT
-><DT
->12.2. <A
-HREF="#AEN1750"
->Background</A
-></DT
-><DT
->12.3. <A
-HREF="#AEN1789"
->Configuring the Samba Domain Controller</A
-></DT
-><DT
->12.4. <A
-HREF="#AEN1832"
->Creating Machine Trust Accounts and Joining Clients to the
-Domain</A
-></DT
-><DD
-><DL
-><DT
->12.4.1. <A
-HREF="#AEN1851"
->Manual Creation of Machine Trust Accounts</A
-></DT
-><DT
->12.4.2. <A
-HREF="#AEN1886"
->"On-the-Fly" Creation of Machine Trust Accounts</A
-></DT
-><DT
->12.4.3. <A
-HREF="#AEN1895"
->Joining the Client to the Domain</A
-></DT
-></DL
-></DD
-><DT
->12.5. <A
-HREF="#AEN1910"
->Common Problems and Errors</A
-></DT
-><DT
->12.6. <A
-HREF="#AEN1958"
->System Policies and Profiles</A
-></DT
-><DT
->12.7. <A
-HREF="#AEN2002"
->What other help can I get?</A
-></DT
-><DT
->12.8. <A
-HREF="#AEN2116"
->Domain Control for Windows 9x/ME</A
-></DT
-><DD
-><DL
-><DT
->12.8.1. <A
-HREF="#AEN2142"
->Configuration Instructions: Network Logons</A
-></DT
-><DT
->12.8.2. <A
-HREF="#AEN2161"
->Configuration Instructions: Setting up Roaming User Profiles</A
-></DT
-></DL
-></DD
-><DT
->12.9. <A
-HREF="#AEN2254"
->DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
-></DT
-></DL
-></DD
-><DT
->13. <A
-HREF="#SAMBA-BDC"
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
-></DT
-><DD
-><DL
-><DT
->13.1. <A
-HREF="#AEN2290"
->Prerequisite Reading</A
-></DT
-><DT
->13.2. <A
-HREF="#AEN2294"
->Background</A
-></DT
-><DT
->13.3. <A
-HREF="#AEN2302"
->What qualifies a Domain Controller on the network?</A
-></DT
-><DD
-><DL
-><DT
->13.3.1. <A
-HREF="#AEN2305"
->How does a Workstation find its domain controller?</A
-></DT
-><DT
->13.3.2. <A
-HREF="#AEN2308"
->When is the PDC needed?</A
-></DT
-></DL
-></DD
-><DT
->13.4. <A
-HREF="#AEN2311"
->Can Samba be a Backup Domain Controller?</A
-></DT
-><DT
->13.5. <A
-HREF="#AEN2315"
->How do I set up a Samba BDC?</A
-></DT
-><DD
-><DL
-><DT
->13.5.1. <A
-HREF="#AEN2332"
->How do I replicate the smbpasswd file?</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->14. <A
-HREF="#SAMBA-LDAP-HOWTO"
->Storing Samba's User/Machine Account information in an LDAP Directory</A
-></DT
-><DD
-><DL
-><DT
->14.1. <A
-HREF="#AEN2353"
->Purpose</A
-></DT
-><DT
->14.2. <A
-HREF="#AEN2373"
->Introduction</A
-></DT
-><DT
->14.3. <A
-HREF="#AEN2402"
->Supported LDAP Servers</A
-></DT
-><DT
->14.4. <A
-HREF="#AEN2407"
->Schema and Relationship to the RFC 2307 posixAccount</A
-></DT
-><DT
->14.5. <A
-HREF="#AEN2419"
->Configuring Samba with LDAP</A
-></DT
-><DD
-><DL
-><DT
->14.5.1. <A
-HREF="#AEN2421"
->OpenLDAP configuration</A
-></DT
-><DT
->14.5.2. <A
-HREF="#AEN2438"
->Configuring Samba</A
-></DT
-></DL
-></DD
-><DT
->14.6. <A
-HREF="#AEN2466"
->Accounts and Groups management</A
-></DT
-><DT
->14.7. <A
-HREF="#AEN2471"
->Security and sambaAccount</A
-></DT
-><DT
->14.8. <A
-HREF="#AEN2491"
->LDAP specials attributes for sambaAccounts</A
-></DT
-><DT
->14.9. <A
-HREF="#AEN2561"
->Example LDIF Entries for a sambaAccount</A
-></DT
-><DT
->14.10. <A
-HREF="#AEN2569"
->Comments</A
-></DT
-></DL
-></DD
-><DT
->15. <A
-HREF="#ADS"
->Using samba 3.0 with ActiveDirectory support</A
-></DT
-><DD
-><DL
-><DT
->15.1. <A
-HREF="#AEN2587"
->Installing the required packages for Debian</A
-></DT
-><DT
->15.2. <A
-HREF="#AEN2593"
->Installing the required packages for RedHat</A
-></DT
-><DT
->15.3. <A
-HREF="#AEN2602"
->Compile Samba</A
-></DT
-><DT
->15.4. <A
-HREF="#AEN2614"
->Setup your /etc/krb5.conf</A
-></DT
-><DT
->15.5. <A
-HREF="#AEN2624"
->Create the computer account</A
-></DT
-><DD
-><DL
-><DT
->15.5.1. <A
-HREF="#AEN2628"
->Possible errors</A
-></DT
-></DL
-></DD
-><DT
->15.6. <A
-HREF="#AEN2640"
->Test your server setup</A
-></DT
-><DT
->15.7. <A
-HREF="#AEN2645"
->Testing with smbclient</A
-></DT
-><DT
->15.8. <A
-HREF="#AEN2648"
->Notes</A
-></DT
-></DL
-></DD
-><DT
->16. <A
-HREF="#IMPROVED-BROWSING"
->Improved browsing in samba</A
-></DT
-><DD
-><DL
-><DT
->16.1. <A
-HREF="#AEN2659"
->Overview of browsing</A
-></DT
-><DT
->16.2. <A
-HREF="#AEN2663"
->Browsing support in samba</A
-></DT
-><DT
->16.3. <A
-HREF="#AEN2672"
->Problem resolution</A
-></DT
-><DT
->16.4. <A
-HREF="#AEN2679"
->Browsing across subnets</A
-></DT
-><DD
-><DL
-><DT
->16.4.1. <A
-HREF="#AEN2684"
->How does cross subnet browsing work ?</A
-></DT
-></DL
-></DD
-><DT
->16.5. <A
-HREF="#AEN2719"
->Setting up a WINS server</A
-></DT
-><DT
->16.6. <A
-HREF="#AEN2738"
->Setting up Browsing in a WORKGROUP</A
-></DT
-><DT
->16.7. <A
-HREF="#AEN2756"
->Setting up Browsing in a DOMAIN</A
-></DT
-><DT
->16.8. <A
-HREF="#AEN2766"
->Forcing samba to be the master</A
-></DT
-><DT
->16.9. <A
-HREF="#AEN2775"
->Making samba the domain master</A
-></DT
-><DT
->16.10. <A
-HREF="#AEN2793"
->Note about broadcast addresses</A
-></DT
-><DT
->16.11. <A
-HREF="#AEN2796"
->Multiple interfaces</A
-></DT
-></DL
-></DD
-><DT
->17. <A
-HREF="#SPEED"
->Samba performance issues</A
-></DT
-><DD
-><DL
-><DT
->17.1. <A
-HREF="#AEN2814"
->Comparisons</A
-></DT
-><DT
->17.2. <A
-HREF="#AEN2820"
->Oplocks</A
-></DT
-><DD
-><DL
-><DT
->17.2.1. <A
-HREF="#AEN2822"
->Overview</A
-></DT
-><DT
->17.2.2. <A
-HREF="#AEN2830"
->Level2 Oplocks</A
-></DT
-><DT
->17.2.3. <A
-HREF="#AEN2836"
->Old 'fake oplocks' option - deprecated</A
-></DT
-></DL
-></DD
-><DT
->17.3. <A
-HREF="#AEN2840"
->Socket options</A
-></DT
-><DT
->17.4. <A
-HREF="#AEN2847"
->Read size</A
-></DT
-><DT
->17.5. <A
-HREF="#AEN2852"
->Max xmit</A
-></DT
-><DT
->17.6. <A
-HREF="#AEN2857"
->Locking</A
-></DT
-><DT
->17.7. <A
-HREF="#AEN2861"
->Share modes</A
-></DT
-><DT
->17.8. <A
-HREF="#AEN2866"
->Log level</A
-></DT
-><DT
->17.9. <A
-HREF="#AEN2869"
->Wide lines</A
-></DT
-><DT
->17.10. <A
-HREF="#AEN2872"
->Read raw</A
-></DT
-><DT
->17.11. <A
-HREF="#AEN2877"
->Write raw</A
-></DT
-><DT
->17.12. <A
-HREF="#AEN2881"
->Read prediction</A
-></DT
-><DT
->17.13. <A
-HREF="#AEN2888"
->Memory mapping</A
-></DT
-><DT
->17.14. <A
-HREF="#AEN2893"
->Slow Clients</A
-></DT
-><DT
->17.15. <A
-HREF="#AEN2897"
->Slow Logins</A
-></DT
-><DT
->17.16. <A
-HREF="#AEN2900"
->Client tuning</A
-></DT
-><DT
->17.17. <A
-HREF="#AEN2932"
->My Results</A
-></DT
-></DL
-></DD
-><DT
->18. <A
-HREF="#OTHER-CLIENTS"
->Samba and other CIFS clients</A
-></DT
-><DD
-><DL
-><DT
->18.1. <A
-HREF="#AEN2953"
->Macintosh clients?</A
-></DT
-><DT
->18.2. <A
-HREF="#AEN2962"
->OS2 Client</A
-></DT
-><DD
-><DL
-><DT
->18.2.1. <A
-HREF="#AEN2964"
->How can I configure OS/2 Warp Connect or
- OS/2 Warp 4 as a client for Samba?</A
-></DT
-><DT
->18.2.2. <A
-HREF="#AEN2979"
->How can I configure OS/2 Warp 3 (not Connect),
- OS/2 1.2, 1.3 or 2.x for Samba?</A
-></DT
-><DT
->18.2.3. <A
-HREF="#AEN2988"
->Are there any other issues when OS/2 (any version)
- is used as a client?</A
-></DT
-><DT
->18.2.4. <A
-HREF="#AEN2992"
->How do I get printer driver download working
- for OS/2 clients?</A
-></DT
-></DL
-></DD
-><DT
->18.3. <A
-HREF="#AEN3002"
->Windows for Workgroups</A
-></DT
-><DD
-><DL
-><DT
->18.3.1. <A
-HREF="#AEN3004"
->Use latest TCP/IP stack from Microsoft</A
-></DT
-><DT
->18.3.2. <A
-HREF="#AEN3009"
->Delete .pwl files after password change</A
-></DT
-><DT
->18.3.3. <A
-HREF="#AEN3014"
->Configure WfW password handling</A
-></DT
-><DT
->18.3.4. <A
-HREF="#AEN3018"
->Case handling of passwords</A
-></DT
-></DL
-></DD
-><DT
->18.4. <A
-HREF="#AEN3023"
->Windows '95/'98</A
-></DT
-><DT
->18.5. <A
-HREF="#AEN3039"
->Windows 2000 Service Pack 2</A
-></DT
-></DL
-></DD
-><DT
->19. <A
-HREF="#CVS-ACCESS"
->HOWTO Access Samba source code via CVS</A
-></DT
-><DD
-><DL
-><DT
->19.1. <A
-HREF="#AEN3063"
->Introduction</A
-></DT
-><DT
->19.2. <A
-HREF="#AEN3068"
->CVS Access to samba.org</A
-></DT
-><DD
-><DL
-><DT
->19.2.1. <A
-HREF="#AEN3071"
->Access via CVSweb</A
-></DT
-><DT
->19.2.2. <A
-HREF="#AEN3076"
->Access via cvs</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
->20. <A
-HREF="#BUGREPORT"
->Reporting Bugs</A
-></DT
-><DD
-><DL
-><DT
->20.1. <A
-HREF="#AEN3111"
->Introduction</A
-></DT
-><DT
->20.2. <A
-HREF="#AEN3118"
->General info</A
-></DT
-><DT
->20.3. <A
-HREF="#AEN3124"
->Debug levels</A
-></DT
-><DT
->20.4. <A
-HREF="#AEN3141"
->Internal errors</A
-></DT
-><DT
->20.5. <A
-HREF="#AEN3151"
->Attaching to a running process</A
-></DT
-><DT
->20.6. <A
-HREF="#AEN3154"
->Patches</A
-></DT
-></DL
-></DD
-><DT
->21. <A
-HREF="#GROUPMAPPING"
->Group mapping HOWTO</A
-></DT
-><DT
->22. <A
-HREF="#PORTABILITY"
->Portability</A
-></DT
-><DD
-><DL
-><DT
->22.1. <A
-HREF="#AEN3201"
->HPUX</A
-></DT
-><DT
->22.2. <A
-HREF="#AEN3206"
->SCO Unix</A
-></DT
-><DT
->22.3. <A
-HREF="#AEN3210"
->DNIX</A
-></DT
-></DL
-></DD
-></DL
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="INSTALL"
-></A
->Chapter 1. How to Install and Test SAMBA</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN20"
-></A
->1.1. Step 0: Read the man pages</H2
-><P
->The man pages distributed with SAMBA contain
- lots of useful info that will help to get you started.
- If you don't know how to read man pages then try
- something like:</P
-><P
-><TT
-CLASS="PROMPT"
->$ </TT
-><TT
-CLASS="USERINPUT"
-><B
->nroff -man smbd.8 | more
- </B
-></TT
-></P
-><P
->Other sources of information are pointed to
- by the Samba web site,<A
-HREF="http://www.samba.org/"
-TARGET="_top"
-> http://www.samba.org</A
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN28"
-></A
->1.2. Step 1: Building the Binaries</H2
-><P
->To do this, first run the program <B
-CLASS="COMMAND"
->./configure
- </B
-> in the source directory. This should automatically
- configure Samba for your operating system. If you have unusual
- needs then you may wish to run</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->./configure --help
- </B
-></TT
-></P
-><P
->first to see what special options you can enable.
- Then executing</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->make</B
-></TT
-></P
-><P
->will create the binaries. Once it's successfully
- compiled you can use </P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->make install</B
-></TT
-></P
-><P
->to install the binaries and manual pages. You can
- separately install the binaries and/or man pages using</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->make installbin
- </B
-></TT
-></P
-><P
->and</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->make installman
- </B
-></TT
-></P
-><P
->Note that if you are upgrading for a previous version
- of Samba you might like to know that the old versions of
- the binaries will be renamed with a ".old" extension. You
- can go back to the previous version with</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->make revert
- </B
-></TT
-></P
-><P
->if you find this version a disaster!</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN56"
-></A
->1.3. Step 2: The all important step</H2
-><P
->At this stage you must fetch yourself a
- coffee or other drink you find stimulating. Getting the rest
- of the install right can sometimes be tricky, so you will
- probably need it.</P
-><P
->If you have installed samba before then you can skip
- this step.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN60"
-></A
->1.4. Step 3: Create the smb configuration file.</H2
-><P
->There are sample configuration files in the examples
- subdirectory in the distribution. I suggest you read them
- carefully so you can see how the options go together in
- practice. See the man page for all the options.</P
-><P
->The simplest useful configuration file would be
- something like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> [global]
- workgroup = MYGROUP
-
- [homes]
- guest ok = no
- read only = no
- </PRE
-></P
-><P
->which would allow connections by anyone with an
- account on the server, using either their login name or
- "homes" as the service name. (Note that I also set the
- workgroup that Samba is part of. See BROWSING.txt for details)</P
-><P
->Note that <B
-CLASS="COMMAND"
->make install</B
-> will not install
- a <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file. You need to create it
- yourself. </P
-><P
->Make sure you put the smb.conf file in the same place
- you specified in the<TT
-CLASS="FILENAME"
->Makefile</TT
-> (the default is to
- look for it in <TT
-CLASS="FILENAME"
->/usr/local/samba/lib/</TT
->).</P
-><P
->For more information about security settings for the
- [homes] share please refer to the document UNIX_SECURITY.txt.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN74"
-></A
->1.5. Step 4: Test your config file with
- <B
-CLASS="COMMAND"
->testparm</B
-></H2
-><P
->It's important that you test the validity of your
- <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file using the testparm program.
- If testparm runs OK then it will list the loaded services. If
- not it will give an error message.</P
-><P
->Make sure it runs OK and that the services look
- reasonable before proceeding. </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN80"
-></A
->1.6. Step 5: Starting the smbd and nmbd</H2
-><P
->You must choose to start smbd and nmbd either
- as daemons or from <B
-CLASS="COMMAND"
->inetd</B
->. Don't try
- to do both! Either you can put them in <TT
-CLASS="FILENAME"
-> inetd.conf</TT
-> and have them started on demand
- by <B
-CLASS="COMMAND"
->inetd</B
->, or you can start them as
- daemons either from the command line or in <TT
-CLASS="FILENAME"
-> /etc/rc.local</TT
->. See the man pages for details
- on the command line options. Take particular care to read
- the bit about what user you need to be in order to start
- Samba. In many cases you must be root.</P
-><P
->The main advantage of starting <B
-CLASS="COMMAND"
->smbd</B
->
- and <B
-CLASS="COMMAND"
->nmbd</B
-> using the recommended daemon method
- is that they will respond slightly more quickly to an initial connection
- request.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN90"
-></A
->1.6.1. Step 5a: Starting from inetd.conf</H3
-><P
->NOTE; The following will be different if
- you use NIS or NIS+ to distributed services maps.</P
-><P
->Look at your <TT
-CLASS="FILENAME"
->/etc/services</TT
->.
- What is defined at port 139/tcp. If nothing is defined
- then add a line like this:</P
-><P
-><TT
-CLASS="USERINPUT"
-><B
->netbios-ssn 139/tcp</B
-></TT
-></P
-><P
->similarly for 137/udp you should have an entry like:</P
-><P
-><TT
-CLASS="USERINPUT"
-><B
->netbios-ns 137/udp</B
-></TT
-></P
-><P
->Next edit your <TT
-CLASS="FILENAME"
->/etc/inetd.conf</TT
->
- and add two lines something like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
- netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
- </PRE
-></P
-><P
->The exact syntax of <TT
-CLASS="FILENAME"
->/etc/inetd.conf</TT
->
- varies between unixes. Look at the other entries in inetd.conf
- for a guide.</P
-><P
->NOTE: Some unixes already have entries like netbios_ns
- (note the underscore) in <TT
-CLASS="FILENAME"
->/etc/services</TT
->.
- You must either edit <TT
-CLASS="FILENAME"
->/etc/services</TT
-> or
- <TT
-CLASS="FILENAME"
->/etc/inetd.conf</TT
-> to make them consistent.</P
-><P
->NOTE: On many systems you may need to use the
- "interfaces" option in smb.conf to specify the IP address
- and netmask of your interfaces. Run <B
-CLASS="COMMAND"
->ifconfig</B
->
- as root if you don't know what the broadcast is for your
- net. <B
-CLASS="COMMAND"
->nmbd</B
-> tries to determine it at run
- time, but fails on some unixes. See the section on "testing nmbd"
- for a method of finding if you need to do this.</P
-><P
->!!!WARNING!!! Many unixes only accept around 5
- parameters on the command line in <TT
-CLASS="FILENAME"
->inetd.conf</TT
->.
- This means you shouldn't use spaces between the options and
- arguments, or you should use a script, and start the script
- from <B
-CLASS="COMMAND"
->inetd</B
->.</P
-><P
->Restart <B
-CLASS="COMMAND"
->inetd</B
->, perhaps just send
- it a HUP. If you have installed an earlier version of <B
-CLASS="COMMAND"
-> nmbd</B
-> then you may need to kill nmbd as well.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN119"
-></A
->1.6.2. Step 5b. Alternative: starting it as a daemon</H3
-><P
->To start the server as a daemon you should create
- a script something like this one, perhaps calling
- it <TT
-CLASS="FILENAME"
->startsmb</TT
->.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> #!/bin/sh
- /usr/local/samba/bin/smbd -D
- /usr/local/samba/bin/nmbd -D
- </PRE
-></P
-><P
->then make it executable with <B
-CLASS="COMMAND"
->chmod
- +x startsmb</B
-></P
-><P
->You can then run <B
-CLASS="COMMAND"
->startsmb</B
-> by
- hand or execute it from <TT
-CLASS="FILENAME"
->/etc/rc.local</TT
->
- </P
-><P
->To kill it send a kill signal to the processes
- <B
-CLASS="COMMAND"
->nmbd</B
-> and <B
-CLASS="COMMAND"
->smbd</B
->.</P
-><P
->NOTE: If you use the SVR4 style init system then
- you may like to look at the <TT
-CLASS="FILENAME"
->examples/svr4-startup</TT
->
- script to make Samba fit into that system.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN135"
-></A
->1.7. Step 6: Try listing the shares available on your
- server</H2
-><P
-><TT
-CLASS="PROMPT"
->$ </TT
-><TT
-CLASS="USERINPUT"
-><B
->smbclient -L
- <TT
-CLASS="REPLACEABLE"
-><I
->yourhostname</I
-></TT
-></B
-></TT
-></P
-><P
->You should get back a list of shares available on
- your server. If you don't then something is incorrectly setup.
- Note that this method can also be used to see what shares
- are available on other LanManager clients (such as WfWg).</P
-><P
->If you choose user level security then you may find
- that Samba requests a password before it will list the shares.
- See the <B
-CLASS="COMMAND"
->smbclient</B
-> man page for details. (you
- can force it to list the shares without a password by
- adding the option -U% to the command line. This will not work
- with non-Samba servers)</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN144"
-></A
->1.8. Step 7: Try connecting with the unix client</H2
-><P
-><TT
-CLASS="PROMPT"
->$ </TT
-><TT
-CLASS="USERINPUT"
-><B
->smbclient <TT
-CLASS="REPLACEABLE"
-><I
-> //yourhostname/aservice</I
-></TT
-></B
-></TT
-></P
-><P
->Typically the <TT
-CLASS="REPLACEABLE"
-><I
->yourhostname</I
-></TT
->
- would be the name of the host where you installed <B
-CLASS="COMMAND"
-> smbd</B
->. The <TT
-CLASS="REPLACEABLE"
-><I
->aservice</I
-></TT
-> is
- any service you have defined in the <TT
-CLASS="FILENAME"
->smb.conf</TT
->
- file. Try your user name if you just have a [homes] section
- in <TT
-CLASS="FILENAME"
->smb.conf</TT
->.</P
-><P
->For example if your unix host is bambi and your login
- name is fred you would type:</P
-><P
-><TT
-CLASS="PROMPT"
->$ </TT
-><TT
-CLASS="USERINPUT"
-><B
->smbclient //bambi/fred
- </B
-></TT
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN160"
-></A
->1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
- Win2k, OS/2, etc... client</H2
-><P
->Try mounting disks. eg:</P
-><P
-><TT
-CLASS="PROMPT"
->C:\WINDOWS\&#62; </TT
-><TT
-CLASS="USERINPUT"
-><B
->net use d: \\servername\service
- </B
-></TT
-></P
-><P
->Try printing. eg:</P
-><P
-><TT
-CLASS="PROMPT"
->C:\WINDOWS\&#62; </TT
-><TT
-CLASS="USERINPUT"
-><B
->net use lpt1:
- \\servername\spoolservice</B
-></TT
-></P
-><P
-><TT
-CLASS="PROMPT"
->C:\WINDOWS\&#62; </TT
-><TT
-CLASS="USERINPUT"
-><B
->print filename
- </B
-></TT
-></P
-><P
->Celebrate, or send me a bug report!</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN174"
-></A
->1.10. What If Things Don't Work?</H2
-><P
->If nothing works and you start to think "who wrote
- this pile of trash" then I suggest you do step 2 again (and
- again) till you calm down.</P
-><P
->Then you might read the file DIAGNOSIS.txt and the
- FAQ. If you are still stuck then try the mailing list or
- newsgroup (look in the README for details). Samba has been
- successfully installed at thousands of sites worldwide, so maybe
- someone else has hit your problem and has overcome it. You could
- also use the WWW site to scan back issues of the samba-digest.</P
-><P
->When you fix the problem PLEASE send me some updates to the
- documentation (or source code) so that the next person will find it
- easier. </P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN179"
-></A
->1.10.1. Diagnosing Problems</H3
-><P
->If you have installation problems then go to
- <TT
-CLASS="FILENAME"
->DIAGNOSIS.txt</TT
-> to try to find the
- problem.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN183"
-></A
->1.10.2. Scope IDs</H3
-><P
->By default Samba uses a blank scope ID. This means
- all your windows boxes must also have a blank scope ID.
- If you really want to use a non-blank scope ID then you will
- need to use the 'netbios scope' smb.conf option.
- All your PCs will need to have the same setting for
- this to work. I do not recommend scope IDs.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN186"
-></A
->1.10.3. Choosing the Protocol Level</H3
-><P
->The SMB protocol has many dialects. Currently
- Samba supports 5, called CORE, COREPLUS, LANMAN1,
- LANMAN2 and NT1.</P
-><P
->You can choose what maximum protocol to support
- in the <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file. The default is
- NT1 and that is the best for the vast majority of sites.</P
-><P
->In older versions of Samba you may have found it
- necessary to use COREPLUS. The limitations that led to
- this have mostly been fixed. It is now less likely that you
- will want to use less than LANMAN1. The only remaining advantage
- of COREPLUS is that for some obscure reason WfWg preserves
- the case of passwords in this protocol, whereas under LANMAN1,
- LANMAN2 or NT1 it uppercases all passwords before sending them,
- forcing you to use the "password level=" option in some cases.</P
-><P
->The main advantage of LANMAN2 and NT1 is support for
- long filenames with some clients (eg: smbclient, Windows NT
- or Win95). </P
-><P
->See the smb.conf(5) manual page for more details.</P
-><P
->Note: To support print queue reporting you may find
- that you have to use TCP/IP as the default protocol under
- WfWg. For some reason if you leave Netbeui as the default
- it may break the print queue reporting on some systems.
- It is presumably a WfWg bug.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN195"
-></A
->1.10.4. Printing from UNIX to a Client PC</H3
-><P
->To use a printer that is available via a smb-based
- server from a unix host with LPR you will need to compile the
- smbclient program. You then need to install the script
- "smbprint". Read the instruction in smbprint for more details.
- </P
-><P
->There is also a SYSV style script that does much
- the same thing called smbprint.sysv. It contains instructions.</P
-><P
->See the CUPS manual for information about setting up
- printing from a unix host with CUPS to a smb-based server. </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN200"
-></A
->1.10.5. Locking</H3
-><P
->One area which sometimes causes trouble is locking.</P
-><P
->There are two types of locking which need to be
- performed by a SMB server. The first is "record locking"
- which allows a client to lock a range of bytes in a open file.
- The second is the "deny modes" that are specified when a file
- is open.</P
-><P
->Record locking semantics under Unix is very
- different from record locking under Windows. Versions
- of Samba before 2.2 have tried to use the native
- fcntl() unix system call to implement proper record
- locking between different Samba clients. This can not
- be fully correct due to several reasons. The simplest
- is the fact that a Windows client is allowed to lock a
- byte range up to 2^32 or 2^64, depending on the client
- OS. The unix locking only supports byte ranges up to
- 2^31. So it is not possible to correctly satisfy a
- lock request above 2^31. There are many more
- differences, too many to be listed here.</P
-><P
->Samba 2.2 and above implements record locking
- completely independent of the underlying unix
- system. If a byte range lock that the client requests
- happens to fall into the range 0-2^31, Samba hands
- this request down to the Unix system. All other locks
- can not be seen by unix anyway.</P
-><P
->Strictly a SMB server should check for locks before
- every read and write call on a file. Unfortunately with the
- way fcntl() works this can be slow and may overstress the
- rpc.lockd. It is also almost always unnecessary as clients
- are supposed to independently make locking calls before reads
- and writes anyway if locking is important to them. By default
- Samba only makes locking calls when explicitly asked
- to by a client, but if you set "strict locking = yes" then it will
- make lock checking calls on every read and write. </P
-><P
->You can also disable by range locking completely
- using "locking = no". This is useful for those shares that
- don't support locking or don't need it (such as cdroms). In
- this case Samba fakes the return codes of locking calls to
- tell clients that everything is OK.</P
-><P
->The second class of locking is the "deny modes". These
- are set by an application when it opens a file to determine
- what types of access should be allowed simultaneously with
- its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
- or DENY_ALL. There are also special compatibility modes called
- DENY_FCB and DENY_DOS.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN209"
-></A
->1.10.6. Mapping Usernames</H3
-><P
->If you have different usernames on the PCs and
- the unix server then take a look at the "username map" option.
- See the smb.conf man page for details.</P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="DIAGNOSIS"
-></A
->Chapter 2. Diagnosing your samba server</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN223"
-></A
->2.1. Introduction</H2
-><P
->This file contains a list of tests you can perform to validate your
-Samba server. It also tells you what the likely cause of the problem
-is if it fails any one of these steps. If it passes all these tests
-then it is probably working fine.</P
-><P
->You should do ALL the tests, in the order shown. I have tried to
-carefully choose them so later tests only use capabilities verified in
-the earlier tests.</P
-><P
->If you send me an email saying "it doesn't work" and you have not
-followed this test procedure then you should not be surprised if I
-ignore your email.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN228"
-></A
->2.2. Assumptions</H2
-><P
->In all of the tests I assume you have a Samba server called BIGSERVER
-and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the
-PC is running windows for workgroups with a recent copy of the
-microsoft tcp/ip stack. Alternatively, your PC may be running Windows
-95 or Windows NT (Workstation or Server).</P
-><P
->The procedure is similar for other types of clients.</P
-><P
->I also assume you know the name of an available share in your
-smb.conf. I will assume this share is called "tmp". You can add a
-"tmp" share like by adding the following to smb.conf:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->&#13;[tmp]
- comment = temporary files
- path = /tmp
- read only = yes&#13;</PRE
-></P
-><P
->THESE TESTS ASSUME VERSION 2.0.6 OR LATER OF THE SAMBA SUITE. SOME
-COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS</P
-><P
->Please pay attention to the error messages you receive. If any error message
-reports that your server is being unfriendly you should first check that you
-IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf
-file points to name servers that really do exist.</P
-><P
->Also, if you do not have DNS server access for name resolution please check
-that the settings for your smb.conf file results in "dns proxy = no". The
-best way to check this is with "testparm smb.conf"</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN238"
-></A
->2.3. Tests</H2
-><DIV
-CLASS="SECT2"
-><H3
-CLASS="SECT2"
-><A
-NAME="AEN240"
-></A
->2.3.1. Test 1</H3
-><P
->In the directory in which you store your smb.conf file, run the command
-"testparm smb.conf". If it reports any errors then your smb.conf
-configuration file is faulty.</P
-><P
->Note: Your smb.conf file may be located in: <TT
-CLASS="FILENAME"
->/etc</TT
->
- Or in: <TT
-CLASS="FILENAME"
->/usr/local/samba/lib</TT
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN246"
-></A
->2.3.2. Test 2</H3
-><P
->Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from
-the unix box. If you don't get a valid response then your TCP/IP
-software is not correctly installed. </P
-><P
->Note that you will need to start a "dos prompt" window on the PC to
-run ping.</P
-><P
->If you get a message saying "host not found" or similar then your DNS
-software or /etc/hosts file is not correctly setup. It is possible to
-run samba without DNS entries for the server and client, but I assume
-you do have correct entries for the remainder of these tests. </P
-><P
->Another reason why ping might fail is if your host is running firewall
-software. You will need to relax the rules to let in the workstation
-in question, perhaps by allowing access from another subnet (on Linux
-this is done via the ipfwadm program.)</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN252"
-></A
->2.3.3. Test 3</H3
-><P
->Run the command "smbclient -L BIGSERVER" on the unix box. You
-should get a list of available shares back. </P
-><P
->If you get a error message containing the string "Bad password" then
-you probably have either an incorrect "hosts allow", "hosts deny" or
-"valid users" line in your smb.conf, or your guest account is not
-valid. Check what your guest account is using "testparm" and
-temporarily remove any "hosts allow", "hosts deny", "valid users" or
-"invalid users" lines.</P
-><P
->If you get a "connection refused" response then the smbd server may
-not be running. If you installed it in inetd.conf then you probably edited
-that file incorrectly. If you installed it as a daemon then check that
-it is running, and check that the netbios-ssn port is in a LISTEN
-state using "netstat -a".</P
-><P
->If you get a "session request failed" then the server refused the
-connection. If it says "Your server software is being unfriendly" then
-its probably because you have invalid command line parameters to smbd,
-or a similar fatal problem with the initial startup of smbd. Also
-check your config file (smb.conf) for syntax errors with "testparm"
-and that the various directories where samba keeps its log and lock
-files exist.</P
-><P
->There are a number of reasons for which smbd may refuse or decline
-a session request. The most common of these involve one or more of
-the following smb.conf file entries:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> hosts deny = ALL
- hosts allow = xxx.xxx.xxx.xxx/yy
- bind interfaces only = Yes</PRE
-></P
-><P
->In the above, no allowance has been made for any session requests that
-will automatically translate to the loopback adaptor address 127.0.0.1.
-To solve this problem change these lines to:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> hosts deny = ALL
- hosts allow = xxx.xxx.xxx.xxx/yy 127.</PRE
-></P
-><P
->Do NOT use the "bind interfaces only" parameter where you may wish to
-use the samba password change facility, or where smbclient may need to
-access local service for name resolution or for local resource
-connections. (Note: the "bind interfaces only" parameter deficiency
-where it will not allow connections to the loopback address will be
-fixed soon).</P
-><P
->Another common cause of these two errors is having something already running
-on port 139, such as Samba (ie: smbd is running from inetd already) or
-something like Digital's Pathworks. Check your inetd.conf file before trying
-to start smbd as a daemon, it can avoid a lot of frustration!</P
-><P
->And yet another possible cause for failure of TEST 3 is when the subnet mask
-and / or broadcast address settings are incorrect. Please check that the
-network interface IP Address / Broadcast Address / Subnet Mask settings are
-correct and that Samba has correctly noted these in the log.nmb file.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN267"
-></A
->2.3.4. Test 4</H3
-><P
->Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the
-IP address of your Samba server back.</P
-><P
->If you don't then nmbd is incorrectly installed. Check your inetd.conf
-if you run it from there, or that the daemon is running and listening
-to udp port 137.</P
-><P
->One common problem is that many inetd implementations can't take many
-parameters on the command line. If this is the case then create a
-one-line script that contains the right parameters and run that from
-inetd.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN272"
-></A
->2.3.5. Test 5</H3
-><P
->run the command <B
-CLASS="COMMAND"
->nmblookup -B ACLIENT '*'</B
-></P
-><P
->You should get the PCs IP address back. If you don't then the client
-software on the PC isn't installed correctly, or isn't started, or you
-got the name of the PC wrong. </P
-><P
->If ACLIENT doesn't resolve via DNS then use the IP address of the
-client in the above test.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN278"
-></A
->2.3.6. Test 6</H3
-><P
->Run the command <B
-CLASS="COMMAND"
->nmblookup -d 2 '*'</B
-></P
-><P
->This time we are trying the same as the previous test but are trying
-it via a broadcast to the default broadcast address. A number of
-Netbios/TCPIP hosts on the network should respond, although Samba may
-not catch all of the responses in the short time it listens. You
-should see "got a positive name query response" messages from several
-hosts.</P
-><P
->If this doesn't give a similar result to the previous test then
-nmblookup isn't correctly getting your broadcast address through its
-automatic mechanism. In this case you should experiment use the
-"interfaces" option in smb.conf to manually configure your IP
-address, broadcast and netmask. </P
-><P
->If your PC and server aren't on the same subnet then you will need to
-use the -B option to set the broadcast address to the that of the PCs
-subnet.</P
-><P
->This test will probably fail if your subnet mask and broadcast address are
-not correct. (Refer to TEST 3 notes above).</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN286"
-></A
->2.3.7. Test 7</H3
-><P
->Run the command <B
-CLASS="COMMAND"
->smbclient //BIGSERVER/TMP</B
->. You should
-then be prompted for a password. You should use the password of the account
-you are logged into the unix box with. If you want to test with
-another account then add the -U &gt;accountname&lt; option to the end of
-the command line. eg:
-<B
-CLASS="COMMAND"
->smbclient //bigserver/tmp -Ujohndoe</B
-></P
-><P
->Note: It is possible to specify the password along with the username
-as follows:
-<B
-CLASS="COMMAND"
->smbclient //bigserver/tmp -Ujohndoe%secret</B
-></P
-><P
->Once you enter the password you should get the "smb&#62;" prompt. If you
-don't then look at the error message. If it says "invalid network
-name" then the service "tmp" is not correctly setup in your smb.conf.</P
-><P
->If it says "bad password" then the likely causes are:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> you have shadow passords (or some other password system) but didn't
- compile in support for them in smbd
- </P
-></LI
-><LI
-><P
-> your "valid users" configuration is incorrect
- </P
-></LI
-><LI
-><P
-> you have a mixed case password and you haven't enabled the "password
- level" option at a high enough level
- </P
-></LI
-><LI
-><P
-> the "path =" line in smb.conf is incorrect. Check it with testparm
- </P
-></LI
-><LI
-><P
-> you enabled password encryption but didn't create the SMB encrypted
- password file
- </P
-></LI
-></OL
-><P
->Once connected you should be able to use the commands
-<B
-CLASS="COMMAND"
->dir</B
-> <B
-CLASS="COMMAND"
->get</B
-> <B
-CLASS="COMMAND"
->put</B
-> etc.
-Type <B
-CLASS="COMMAND"
->help &gt;command&lt;</B
-> for instructions. You should
-especially check that the amount of free disk space shown is correct
-when you type <B
-CLASS="COMMAND"
->dir</B
->.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN312"
-></A
->2.3.8. Test 8</H3
-><P
->On the PC type the command <B
-CLASS="COMMAND"
->net view \\BIGSERVER</B
->. You will
-need to do this from within a "dos prompt" window. You should get back a
-list of available shares on the server.</P
-><P
->If you get a "network name not found" or similar error then netbios
-name resolution is not working. This is usually caused by a problem in
-nmbd. To overcome it you could do one of the following (you only need
-to choose one of them):</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> fixup the nmbd installation</P
-></LI
-><LI
-><P
-> add the IP address of BIGSERVER to the "wins server" box in the
- advanced tcp/ip setup on the PC.</P
-></LI
-><LI
-><P
-> enable windows name resolution via DNS in the advanced section of
- the tcp/ip setup</P
-></LI
-><LI
-><P
-> add BIGSERVER to your lmhosts file on the PC.</P
-></LI
-></OL
-><P
->If you get a "invalid network name" or "bad password error" then the
-same fixes apply as they did for the "smbclient -L" test above. In
-particular, make sure your "hosts allow" line is correct (see the man
-pages)</P
-><P
->Also, do not overlook that fact that when the workstation requests the
-connection to the samba server it will attempt to connect using the
-name with which you logged onto your Windows machine. You need to make
-sure that an account exists on your Samba server with that exact same
-name and password.</P
-><P
->If you get "specified computer is not receiving requests" or similar
-it probably means that the host is not contactable via tcp services.
-Check to see if the host is running tcp wrappers, and if so add an entry in
-the hosts.allow file for your client (or subnet, etc.)</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN329"
-></A
->2.3.9. Test 9</H3
-><P
->Run the command <B
-CLASS="COMMAND"
->net use x: \\BIGSERVER\TMP</B
->. You should
-be prompted for a password then you should get a "command completed
-successfully" message. If not then your PC software is incorrectly
-installed or your smb.conf is incorrect. make sure your "hosts allow"
-and other config lines in smb.conf are correct.</P
-><P
->It's also possible that the server can't work out what user name to
-connect you as. To see if this is the problem add the line "user =
-USERNAME" to the [tmp] section of smb.conf where "USERNAME" is the
-username corresponding to the password you typed. If you find this
-fixes things you may need the username mapping option. </P
-><P
->It might also be the case that your client only sends encrypted passwords
-and you have <B
-CLASS="COMMAND"
->encrypt passwords = no</B
-> in <TT
-CLASS="FILENAME"
->smb.conf</TT
->.
-Turn it back on to fix.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN337"
-></A
->2.3.10. Test 10</H3
-><P
->Run the command <B
-CLASS="COMMAND"
->nmblookup -M TESTGROUP</B
-> where
-TESTGROUP is the name of the workgroup that your Samba server and
-Windows PCs belong to. You should get back the IP address of the
-master browser for that workgroup.</P
-><P
->If you don't then the election process has failed. Wait a minute to
-see if it is just being slow then try again. If it still fails after
-that then look at the browsing options you have set in smb.conf. Make
-sure you have <B
-CLASS="COMMAND"
->preferred master = yes</B
-> to ensure that
-an election is held at startup.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN343"
-></A
->2.3.11. Test 11</H3
-><P
->From file manager try to browse the server. Your samba server should
-appear in the browse list of your local workgroup (or the one you
-specified in smb.conf). You should be able to double click on the name
-of the server and get a list of shares. If you get a "invalid
-password" error when you do then you are probably running WinNT and it
-is refusing to browse a server that has no encrypted password
-capability and is in user level security mode. In this case either set
-<B
-CLASS="COMMAND"
->security = server</B
-> AND
-<B
-CLASS="COMMAND"
->password server = Windows_NT_Machine</B
-> in your
-smb.conf file, or enable encrypted passwords AFTER compiling in support
-for encrypted passwords (refer to the Makefile).</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN348"
-></A
->2.4. Still having troubles?</H2
-><P
->Try the mailing list or newsgroup, or use the ethereal utility to
-sniff the problem. The official samba mailing list can be reached at
-<A
-HREF="mailto:samba@samba.org"
-TARGET="_top"
->samba@samba.org</A
->. To find
-out more about samba and how to subscribe to the mailing list check
-out the samba web page at
-<A
-HREF="http://samba.org/samba"
-TARGET="_top"
->http://samba.org/samba</A
-></P
-><P
->Also look at the other docs in the Samba package!</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="INTEGRATE-MS-NETWORKS"
-></A
->Chapter 3. Integrating MS Windows networks with Samba</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN365"
-></A
->3.1. Agenda</H2
-><P
->To identify the key functional mechanisms of MS Windows networking
-to enable the deployment of Samba as a means of extending and/or
-replacing MS Windows NT/2000 technology.</P
-><P
->We will examine:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->Name resolution in a pure Unix/Linux TCP/IP
- environment
- </P
-></LI
-><LI
-><P
->Name resolution as used within MS Windows
- networking
- </P
-></LI
-><LI
-><P
->How browsing functions and how to deploy stable
- and dependable browsing using Samba
- </P
-></LI
-><LI
-><P
->MS Windows security options and how to
- configure Samba for seemless integration
- </P
-></LI
-><LI
-><P
->Configuration of Samba as:</P
-><P
-></P
-><OL
-TYPE="a"
-><LI
-><P
->A stand-alone server</P
-></LI
-><LI
-><P
->An MS Windows NT 3.x/4.0 security domain member
- </P
-></LI
-><LI
-><P
->An alternative to an MS Windows NT 3.x/4.0 Domain Controller
- </P
-></LI
-></OL
-></LI
-></OL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN387"
-></A
->3.2. Name Resolution in a pure Unix/Linux world</H2
-><P
->The key configuration files covered in this section are:</P
-><P
-></P
-><UL
-><LI
-><P
-><TT
-CLASS="FILENAME"
->/etc/hosts</TT
-></P
-></LI
-><LI
-><P
-><TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></P
-></LI
-><LI
-><P
-><TT
-CLASS="FILENAME"
->/etc/host.conf</TT
-></P
-></LI
-><LI
-><P
-><TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-></P
-></LI
-></UL
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN403"
-></A
->3.2.1. <TT
-CLASS="FILENAME"
->/etc/hosts</TT
-></H3
-><P
->Contains a static list of IP Addresses and names.
-eg:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> 127.0.0.1 localhost localhost.localdomain
- 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE
-></P
-><P
->The purpose of <TT
-CLASS="FILENAME"
->/etc/hosts</TT
-> is to provide a
-name resolution mechanism so that uses do not need to remember
-IP addresses.</P
-><P
->Network packets that are sent over the physical network transport
-layer communicate not via IP addresses but rather using the Media
-Access Control address, or MAC address. IP Addresses are currently
-32 bits in length and are typically presented as four (4) decimal
-numbers that are separated by a dot (or period). eg: 168.192.1.1</P
-><P
->MAC Addresses use 48 bits (or 6 bytes) and are typically represented
-as two digit hexadecimal numbers separated by colons. eg:
-40:8e:0a:12:34:56</P
-><P
->Every network interfrace must have an MAC address. Associated with
-a MAC address there may be one or more IP addresses. There is NO
-relationship between an IP address and a MAC address, all such assignments
-are arbitary or discretionary in nature. At the most basic level all
-network communications takes place using MAC addressing. Since MAC
-addresses must be globally unique, and generally remains fixed for
-any particular interface, the assignment of an IP address makes sense
-from a network management perspective. More than one IP address can
-be assigned per MAC address. One address must be the primary IP address,
-this is the address that will be returned in the ARP reply.</P
-><P
->When a user or a process wants to communicate with another machine
-the protocol implementation ensures that the "machine name" or "host
-name" is resolved to an IP address in a manner that is controlled
-by the TCP/IP configuration control files. The file
-<TT
-CLASS="FILENAME"
->/etc/hosts</TT
-> is one such file.</P
-><P
->When the IP address of the destination interface has been
-determined a protocol called ARP/RARP is used to identify
-the MAC address of the target interface. ARP stands for Address
-Resolution Protocol, and is a broadcast oriented method that
-uses UDP (User Datagram Protocol) to send a request to all
-interfaces on the local network segment using the all 1's MAC
-address. Network interfaces are programmed to respond to two
-MAC addresses only; their own unique address and the address
-ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will
-contain the MAC address and the primary IP address for each
-interface.</P
-><P
->The <TT
-CLASS="FILENAME"
->/etc/hosts</TT
-> file is foundational to all
-Unix/Linux TCP/IP installations and as a minumum will contain
-the localhost and local network interface IP addresses and the
-primary names by which they are known within the local machine.
-This file helps to prime the pump so that a basic level of name
-resolution can exist before any other method of name resolution
-becomes available.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN419"
-></A
->3.2.2. <TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></H3
-><P
->This file tells the name resolution libraries:</P
-><P
-></P
-><UL
-><LI
-><P
->The name of the domain to which the machine
- belongs
- </P
-></LI
-><LI
-><P
->The name(s) of any domains that should be
- automatically searched when trying to resolve unqualified
- host names to their IP address
- </P
-></LI
-><LI
-><P
->The name or IP address of available Domain
- Name Servers that may be asked to perform name to address
- translation lookups
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN430"
-></A
->3.2.3. <TT
-CLASS="FILENAME"
->/etc/host.conf</TT
-></H3
-><P
-><TT
-CLASS="FILENAME"
->/etc/host.conf</TT
-> is the primary means by
-which the setting in /etc/resolv.conf may be affected. It is a
-critical configuration file. This file controls the order by
-which name resolution may procede. The typical structure is:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> order hosts,bind
- multi on</PRE
-></P
-><P
->then both addresses should be returned. Please refer to the
-man page for host.conf for further details.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN438"
-></A
->3.2.4. <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-></H3
-><P
->This file controls the actual name resolution targets. The
-file typically has resolver object specifications as follows:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> # /etc/nsswitch.conf
- #
- # Name Service Switch configuration file.
- #
-
- passwd: compat
- # Alternative entries for password authentication are:
- # passwd: compat files nis ldap winbind
- shadow: compat
- group: compat
-
- hosts: files nis dns
- # Alternative entries for host name resolution are:
- # hosts: files dns nis nis+ hesoid db compat ldap wins
- networks: nis files dns
-
- ethers: nis files
- protocols: nis files
- rpc: nis files
- services: nis files</PRE
-></P
-><P
->Of course, each of these mechanisms requires that the appropriate
-facilities and/or services are correctly configured.</P
-><P
->It should be noted that unless a network request/message must be
-sent, TCP/IP networks are silent. All TCP/IP communications assumes a
-principal of speaking only when necessary.</P
-><P
->Samba version 2.2.0 will add Linux support for extensions to
-the name service switch infrastructure so that linux clients will
-be able to obtain resolution of MS Windows NetBIOS names to IP
-Addresses. To gain this functionality Samba needs to be compiled
-with appropriate arguments to the make command (ie: <B
-CLASS="COMMAND"
->make
-nsswitch/libnss_wins.so</B
->). The resulting library should
-then be installed in the <TT
-CLASS="FILENAME"
->/lib</TT
-> directory and
-the "wins" parameter needs to be added to the "hosts:" line in
-the <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-> file. At this point it
-will be possible to ping any MS Windows machine by it's NetBIOS
-machine name, so long as that machine is within the workgroup to
-which both the samba machine and the MS Windows machine belong.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN450"
-></A
->3.3. Name resolution as used within MS Windows networking</H2
-><P
->MS Windows networking is predicated about the name each machine
-is given. This name is known variously (and inconsistently) as
-the "computer name", "machine name", "networking name", "netbios name",
-"SMB name". All terms mean the same thing with the exception of
-"netbios name" which can apply also to the name of the workgroup or the
-domain name. The terms "workgroup" and "domain" are really just a
-simply name with which the machine is associated. All NetBIOS names
-are exactly 16 characters in length. The 16th character is reserved.
-It is used to store a one byte value that indicates service level
-information for the NetBIOS name that is registered. A NetBIOS machine
-name is therefore registered for each service type that is provided by
-the client/server.</P
-><P
->The following are typical NetBIOS name/service type registrations:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> Unique NetBIOS Names:
- MACHINENAME&#60;00&#62; = Server Service is running on MACHINENAME
- MACHINENAME&#60;03&#62; = Generic Machine Name (NetBIOS name)
- MACHINENAME&#60;20&#62; = LanMan Server service is running on MACHINENAME
- WORKGROUP&#60;1b&#62; = Domain Master Browser
-
- Group Names:
- WORKGROUP&#60;03&#62; = Generic Name registered by all members of WORKGROUP
- WORKGROUP&#60;1c&#62; = Domain Controllers / Netlogon Servers
- WORKGROUP&#60;1d&#62; = Local Master Browsers
- WORKGROUP&#60;1e&#62; = Internet Name Resolvers</PRE
-></P
-><P
->It should be noted that all NetBIOS machines register their own
-names as per the above. This is in vast contrast to TCP/IP
-installations where traditionally the system administrator will
-determine in the /etc/hosts or in the DNS database what names
-are associated with each IP address.</P
-><P
->One further point of clarification should be noted, the <TT
-CLASS="FILENAME"
->/etc/hosts</TT
->
-file and the DNS records do not provide the NetBIOS name type information
-that MS Windows clients depend on to locate the type of service that may
-be needed. An example of this is what happens when an MS Windows client
-wants to locate a domain logon server. It find this service and the IP
-address of a server that provides it by performing a lookup (via a
-NetBIOS broadcast) for enumeration of all machines that have
-registered the name type *&#60;1c&#62;. A logon request is then sent to each
-IP address that is returned in the enumerated list of IP addresses. Which
-ever machine first replies then ends up providing the logon services.</P
-><P
->The name "workgroup" or "domain" really can be confusing since these
-have the added significance of indicating what is the security
-architecture of the MS Windows network. The term "workgroup" indicates
-that the primary nature of the network environment is that of a
-peer-to-peer design. In a WORKGROUP all machines are responsible for
-their own security, and generally such security is limited to use of
-just a password (known as SHARE MODE security). In most situations
-with peer-to-peer networking the users who control their own machines
-will simply opt to have no security at all. It is possible to have
-USER MODE security in a WORKGROUP environment, thus requiring use
-of a user name and a matching password.</P
-><P
->MS Windows networking is thus predetermined to use machine names
-for all local and remote machine message passing. The protocol used is
-called Server Message Block (SMB) and this is implemented using
-the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
-be encapsulated using LLC (Logical Link Control) protocol - in which case
-the resulting protocol is called NetBEUI (Network Basic Extended User
-Interface). NetBIOS can also be run over IPX (Internetworking Packet
-Exchange) protocol as used by Novell NetWare, and it can be run
-over TCP/IP protocols - in which case the resulting protocol is called
-NBT or NetBT, the NetBIOS over TCP/IP.</P
-><P
->MS Windows machines use a complex array of name resolution mechanisms.
-Since we are primarily concerned with TCP/IP this demonstration is
-limited to this area.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN462"
-></A
->3.3.1. The NetBIOS Name Cache</H3
-><P
->All MS Windows machines employ an in memory buffer in which is
-stored the NetBIOS names and IP addresses for all external
-machines that that machine has communicated with over the
-past 10-15 minutes. It is more efficient to obtain an IP address
-for a machine from the local cache than it is to go through all the
-configured name resolution mechanisms.</P
-><P
->If a machine whose name is in the local name cache has been shut
-down before the name had been expired and flushed from the cache, then
-an attempt to exchange a message with that machine will be subject
-to time-out delays. i.e.: Its name is in the cache, so a name resolution
-lookup will succeed, but the machine can not respond. This can be
-frustrating for users - but it is a characteristic of the protocol.</P
-><P
->The MS Windows utility that allows examination of the NetBIOS
-name cache is called "nbtstat". The Samba equivalent of this
-is called "nmblookup".</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN467"
-></A
->3.3.2. The LMHOSTS file</H3
-><P
->This file is usually located in MS Windows NT 4.0 or
-2000 in <TT
-CLASS="FILENAME"
->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT
-> and contains
-the IP Address and the machine name in matched pairs. The
-<TT
-CLASS="FILENAME"
->LMHOSTS</TT
-> file performs NetBIOS name
-to IP address mapping oriented.</P
-><P
->It typically looks like:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> # Copyright (c) 1998 Microsoft Corp.
- #
- # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
- # over TCP/IP) stack for Windows98
- #
- # This file contains the mappings of IP addresses to NT computernames
- # (NetBIOS) names. Each entry should be kept on an individual line.
- # The IP address should be placed in the first column followed by the
- # corresponding computername. The address and the comptername
- # should be separated by at least one space or tab. The "#" character
- # is generally used to denote the start of a comment (see the exceptions
- # below).
- #
- # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
- # files and offers the following extensions:
- #
- # #PRE
- # #DOM:&lt;domain&gt;
- # #INCLUDE &lt;filename&gt;
- # #BEGIN_ALTERNATE
- # #END_ALTERNATE
- # \0xnn (non-printing character support)
- #
- # Following any entry in the file with the characters "#PRE" will cause
- # the entry to be preloaded into the name cache. By default, entries are
- # not preloaded, but are parsed only after dynamic name resolution fails.
- #
- # Following an entry with the "#DOM:&lt;domain&gt;" tag will associate the
- # entry with the domain specified by &lt;domain&gt;. This affects how the
- # browser and logon services behave in TCP/IP environments. To preload
- # the host name associated with #DOM entry, it is necessary to also add a
- # #PRE to the line. The &lt;domain&gt; is always preloaded although it will not
- # be shown when the name cache is viewed.
- #
- # Specifying "#INCLUDE &lt;filename&gt;" will force the RFC NetBIOS (NBT)
- # software to seek the specified &lt;filename&gt; and parse it as if it were
- # local. &lt;filename&gt; is generally a UNC-based name, allowing a
- # centralized lmhosts file to be maintained on a server.
- # It is ALWAYS necessary to provide a mapping for the IP address of the
- # server prior to the #INCLUDE. This mapping must use the #PRE directive.
- # In addtion the share "public" in the example below must be in the
- # LanManServer list of "NullSessionShares" in order for client machines to
- # be able to read the lmhosts file successfully. This key is under
- # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
- # in the registry. Simply add "public" to the list found there.
- #
- # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
- # statements to be grouped together. Any single successful include
- # will cause the group to succeed.
- #
- # Finally, non-printing characters can be embedded in mappings by
- # first surrounding the NetBIOS name in quotations, then using the
- # \0xnn notation to specify a hex value for a non-printing character.
- #
- # The following example illustrates all of these extensions:
- #
- # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
- # 102.54.94.102 "appname \0x14" #special app server
- # 102.54.94.123 popular #PRE #source server
- # 102.54.94.117 localsrv #PRE #needed for the include
- #
- # #BEGIN_ALTERNATE
- # #INCLUDE \\localsrv\public\lmhosts
- # #INCLUDE \\rhino\public\lmhosts
- # #END_ALTERNATE
- #
- # In the above example, the "appname" server contains a special
- # character in its name, the "popular" and "localsrv" server names are
- # preloaded, and the "rhino" server name is specified so it can be used
- # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
- # system is unavailable.
- #
- # Note that the whole file is parsed including comments on each lookup,
- # so keeping the number of comments to a minimum will improve performance.
- # Therefore it is not advisable to simply add lmhosts file entries onto the
- # end of this file.</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN475"
-></A
->3.3.3. HOSTS file</H3
-><P
->This file is usually located in MS Windows NT 4.0 or 2000 in
-<TT
-CLASS="FILENAME"
->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT
-> and contains
-the IP Address and the IP hostname in matched pairs. It can be
-used by the name resolution infrastructure in MS Windows, depending
-on how the TCP/IP environment is configured. This file is in
-every way the equivalent of the Unix/Linux <TT
-CLASS="FILENAME"
->/etc/hosts</TT
-> file.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN480"
-></A
->3.3.4. DNS Lookup</H3
-><P
->This capability is configured in the TCP/IP setup area in the network
-configuration facility. If enabled an elaborate name resolution sequence
-is followed the precise nature of which isdependant on what the NetBIOS
-Node Type parameter is configured to. A Node Type of 0 means use
-NetBIOS broadcast (over UDP broadcast) is first used if the name
-that is the subject of a name lookup is not found in the NetBIOS name
-cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
-Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
-WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
-lookup is used.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN483"
-></A
->3.3.5. WINS Lookup</H3
-><P
->A WINS (Windows Internet Name Server) service is the equivaent of the
-rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
-the names and IP addresses that are registered by a Windows client
-if the TCP/IP setup has been given at least one WINS Server IP Address.</P
-><P
->To configure Samba to be a WINS server the following parameter needs
-to be added to the <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> wins support = Yes</PRE
-></P
-><P
->To configure Samba to use a WINS server the following parameters are
-needed in the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> wins support = No
- wins server = xxx.xxx.xxx.xxx</PRE
-></P
-><P
->where <TT
-CLASS="REPLACEABLE"
-><I
->xxx.xxx.xxx.xxx</I
-></TT
-> is the IP address
-of the WINS server.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN495"
-></A
->3.4. How browsing functions and how to deploy stable and
-dependable browsing using Samba</H2
-><P
->As stated above, MS Windows machines register their NetBIOS names
-(i.e.: the machine name for each service type in operation) on start
-up. Also, as stated above, the exact method by which this name registration
-takes place is determined by whether or not the MS Windows client/server
-has been given a WINS server address, whether or not LMHOSTS lookup
-is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P
-><P
->In the case where there is no WINS server all name registrations as
-well as name lookups are done by UDP broadcast. This isolates name
-resolution to the local subnet, unless LMHOSTS is used to list all
-names and IP addresses. In such situations Samba provides a means by
-which the samba server name may be forcibly injected into the browse
-list of a remote MS Windows network (using the "remote announce" parameter).</P
-><P
->Where a WINS server is used, the MS Windows client will use UDP
-unicast to register with the WINS server. Such packets can be routed
-and thus WINS allows name resolution to function across routed networks.</P
-><P
->During the startup process an election will take place to create a
-local master browser if one does not already exist. On each NetBIOS network
-one machine will be elected to function as the domain master browser. This
-domain browsing has nothing to do with MS security domain control.
-Instead, the domain master browser serves the role of contacting each local
-master browser (found by asking WINS or from LMHOSTS) and exchanging browse
-list contents. This way every master browser will eventually obtain a complete
-list of all machines that are on the network. Every 11-15 minutes an election
-is held to determine which machine will be the master browser. By the nature of
-the election criteria used, the machine with the highest uptime, or the
-most senior protocol version, or other criteria, will win the election
-as domain master browser.</P
-><P
->Clients wishing to browse the network make use of this list, but also depend
-on the availability of correct name resolution to the respective IP
-address/addresses. </P
-><P
->Any configuration that breaks name resolution and/or browsing intrinsics
-will annoy users because they will have to put up with protracted
-inability to use the network services.</P
-><P
->Samba supports a feature that allows forced synchonisation
-of browse lists across routed networks using the "remote
-browse sync" parameter in the smb.conf file. This causes Samba
-to contact the local master browser on a remote network and
-to request browse list synchronisation. This effectively bridges
-two networks that are separated by routers. The two remote
-networks may use either broadcast based name resolution or WINS
-based name resolution, but it should be noted that the "remote
-browse sync" parameter provides browse list synchronisation - and
-that is distinct from name to address resolution, in other
-words, for cross subnet browsing to function correctly it is
-essential that a name to address resolution mechanism be provided.
-This mechanism could be via DNS, <TT
-CLASS="FILENAME"
->/etc/hosts</TT
->,
-and so on.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN505"
-></A
->3.5. MS Windows security options and how to configure
-Samba for seemless integration</H2
-><P
->MS Windows clients may use encrypted passwords as part of a
-challenege/response authentication model (a.k.a. NTLMv1) or
-alone, or clear text strings for simple password based
-authentication. It should be realized that with the SMB
-protocol the password is passed over the network either
-in plain text or encrypted, but not both in the same
-authentication requets.</P
-><P
->When encrypted passwords are used a password that has been
-entered by the user is encrypted in two ways:</P
-><P
-></P
-><UL
-><LI
-><P
->An MD4 hash of the UNICODE of the password
- string. This is known as the NT hash.
- </P
-></LI
-><LI
-><P
->The password is converted to upper case,
- and then padded or trucated to 14 bytes. This string is
- then appended with 5 bytes of NULL characters and split to
- form two 56 bit DES keys to encrypt a "magic" 8 byte value.
- The resulting 16 bytes for the LanMan hash.
- </P
-></LI
-></UL
-><P
->You should refer to the <A
-HREF="ENCRYPTION.html"
-TARGET="_top"
->Password Encryption</A
-> chapter in this HOWTO collection
-for more details on the inner workings</P
-><P
->MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x
-and version 4.0 pre-service pack 3 will use either mode of
-password authentication. All versions of MS Windows that follow
-these versions no longer support plain text passwords by default.</P
-><P
->MS Windows clients have a habit of dropping network mappings that
-have been idle for 10 minutes or longer. When the user attempts to
-use the mapped drive connection that has been dropped, the client
-re-establishes the connection using
-a cached copy of the password.</P
-><P
->When Microsoft changed the default password mode, they dropped support for
-caching of the plain text password. This means that when the registry
-parameter is changed to re-enable use of plain text passwords it appears to
-work, but when a dropped mapping attempts to revalidate it will fail if
-the remote authentication server does not support encrypted passwords.
-This means that it is definitely not a good idea to re-enable plain text
-password support in such clients.</P
-><P
->The following parameters can be used to work around the
-issue of Windows 9x client upper casing usernames and
-password before transmitting them to the SMB server
-when using clear text authentication.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> <A
-HREF="smb.conf.5.html#PASSWORDLEVEL"
-TARGET="_top"
->passsword level</A
-> = <TT
-CLASS="REPLACEABLE"
-><I
->integer</I
-></TT
->
- <A
-HREF="smb.conf.5.html#USERNAMELEVEL"
-TARGET="_top"
->username level</A
-> = <TT
-CLASS="REPLACEABLE"
-><I
->integer</I
-></TT
-></PRE
-></P
-><P
->By default Samba will lower case the username before attempting
-to lookup the user in the database of local system accounts.
-Because UNIX usernames conventionally only contain lower case
-character, the <TT
-CLASS="PARAMETER"
-><I
->username level</I
-></TT
-> parameter
-is rarely even needed.</P
-><P
->However, password on UNIX systems often make use of mixed case
-characters. This means that in order for a user on a Windows 9x
-client to connect to a Samba server using clear text authentication,
-the <TT
-CLASS="PARAMETER"
-><I
->password level</I
-></TT
-> must be set to the maximum
-number of upper case letter which <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->could</I
-></SPAN
-> appear
-is a password. Note that is the server OS uses the traditional
-DES version of crypt(), then a <TT
-CLASS="PARAMETER"
-><I
->password level</I
-></TT
->
-of 8 will result in case insensitive passwords as seen from Windows
-users. This will also result in longer login times as Samba
-hash to compute the permutations of the password string and
-try them one by one until a match is located (or all combinations fail).</P
-><P
->The best option to adopt is to enable support for encrypted passwords
-where ever Samba is used. There are three configuration possibilities
-for support of encrypted passwords:</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN533"
-></A
->3.5.1. Use MS Windows NT as an authentication server</H3
-><P
->This method involves the additions of the following parameters
-in the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> encrypt passwords = Yes
- security = server
- password server = "NetBIOS_name_of_PDC"</PRE
-></P
-><P
->There are two ways of identifying whether or not a username and
-password pair was valid or not. One uses the reply information provided
-as part of the authentication messaging process, the other uses
-just and error code.</P
-><P
->The down-side of this mode of configuration is the fact that
-for security reasons Samba will send the password server a bogus
-username and a bogus password and if the remote server fails to
-reject the username and password pair then an alternative mode
-of identification of validation is used. Where a site uses password
-lock out after a certain number of failed authentication attempts
-this will result in user lockouts.</P
-><P
->Use of this mode of authentication does require there to be
-a standard Unix account for the user, this account can be blocked
-to prevent logons by other than MS Windows clients.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN541"
-></A
->3.5.2. Make Samba a member of an MS Windows NT security domain</H3
-><P
->This method involves additon of the following paramters in the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> encrypt passwords = Yes
- security = domain
- workgroup = "name of NT domain"
- password server = *</PRE
-></P
-><P
->The use of the "*" argument to "password server" will cause samba
-to locate the domain controller in a way analogous to the way
-this is done within MS Windows NT.</P
-><P
->In order for this method to work the Samba server needs to join the
-MS Windows NT security domain. This is done as follows:</P
-><P
-></P
-><UL
-><LI
-><P
->On the MS Windows NT domain controller using
- the Server Manager add a machine account for the Samba server.
- </P
-></LI
-><LI
-><P
->Next, on the Linux system execute:
- <B
-CLASS="COMMAND"
->smbpasswd -r PDC_NAME -j DOMAIN_NAME</B
->
- </P
-></LI
-></UL
-><P
->Use of this mode of authentication does require there to be
-a standard Unix account for the user in order to assign
-a uid once the account has been authenticated by the remote
-Windows DC. This account can be blocked to prevent logons by
-other than MS Windows clients by things such as setting an invalid
-shell in the <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry.</P
-><P
->An alternative to assigning UIDs to Windows users on a
-Samba member server is presented in the <A
-HREF="winbind.html"
-TARGET="_top"
->Winbind Overview</A
-> chapter in
-this HOWTO collection.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN558"
-></A
->3.5.3. Configure Samba as an authentication server</H3
-><P
->This mode of authentication demands that there be on the
-Unix/Linux system both a Unix style account as well as an
-smbpasswd entry for the user. The Unix system account can be
-locked if required as only the encrypted password will be
-used for SMB client authentication.</P
-><P
->This method involves addition of the following parameters to
-the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->## please refer to the Samba PDC HOWTO chapter later in
-## this collection for more details
-[global]
- encrypt passwords = Yes
- security = user
- domain logons = Yes
- ; an OS level of 33 or more is recommended
- os level = 33
-
-[NETLOGON]
- path = /somewhare/in/file/system
- read only = yes</PRE
-></P
-><P
->in order for this method to work a Unix system account needs
-to be created for each user, as well as for each MS Windows NT/2000
-machine. The following structure is required.</P
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN565"
-></A
->3.5.3.1. Users</H4
-><P
->A user account that may provide a home directory should be
-created. The following Linux system commands are typical of
-the procedure for creating an account.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> # useradd -s /bin/bash -d /home/"userid" -m "userid"
- # passwd "userid"
- Enter Password: &lt;pw&gt;
-
- # smbpasswd -a "userid"
- Enter Password: &lt;pw&gt;</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN570"
-></A
->3.5.3.2. MS Windows NT Machine Accounts</H4
-><P
->These are required only when Samba is used as a domain
-controller. Refer to the Samba-PDC-HOWTO for more details.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> # useradd -s /bin/false -d /dev/null "machine_name"\$
- # passwd -l "machine_name"\$
- # smbpasswd -a -m "machine_name"</PRE
-></P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN575"
-></A
->3.6. Conclusions</H2
-><P
->Samba provides a flexible means to operate as...</P
-><P
-></P
-><UL
-><LI
-><P
->A Stand-alone server - No special action is needed
- other than to create user accounts. Stand-alone servers do NOT
- provide network logon services, meaning that machines that use this
- server do NOT perform a domain logon but instead make use only of
- the MS Windows logon which is local to the MS Windows
- workstation/server.
- </P
-></LI
-><LI
-><P
->An MS Windows NT 3.x/4.0 security domain member.
- </P
-></LI
-><LI
-><P
->An alternative to an MS Windows NT 3.x/4.0
- Domain Controller.
- </P
-></LI
-></UL
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="PAM"
-></A
->Chapter 4. Configuring PAM for distributed but centrally
-managed authentication</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN596"
-></A
->4.1. Samba and PAM</H2
-><P
->A number of Unix systems (eg: Sun Solaris), as well as the
-xxxxBSD family and Linux, now utilize the Pluggable Authentication
-Modules (PAM) facility to provide all authentication,
-authorization and resource control services. Prior to the
-introduction of PAM, a decision to use an alternative to
-the system password database (<TT
-CLASS="FILENAME"
->/etc/passwd</TT
->)
-would require the provision of alternatives for all programs that provide
-security services. Such a choice would involve provision of
-alternatives to such programs as: <B
-CLASS="COMMAND"
->login</B
->,
-<B
-CLASS="COMMAND"
->passwd</B
->, <B
-CLASS="COMMAND"
->chown</B
->, etc.</P
-><P
->PAM provides a mechanism that disconnects these security programs
-from the underlying authentication/authorization infrastructure.
-PAM is configured either through one file <TT
-CLASS="FILENAME"
->/etc/pam.conf</TT
-> (Solaris),
-or by editing individual files that are located in <TT
-CLASS="FILENAME"
->/etc/pam.d</TT
->.</P
-><P
->The following is an example <TT
-CLASS="FILENAME"
->/etc/pam.d/login</TT
-> configuration file.
-This example had all options been uncommented is probably not usable
-as it stacks many conditions before allowing successful completion
-of the login process. Essentially all conditions can be disabled
-by commenting them out except the calls to <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
->.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_securetty.so
-auth required pam_nologin.so
-# auth required pam_dialup.so
-# auth optional pam_mail.so
-auth required pam_pwdb.so shadow md5
-# account requisite pam_time.so
-account required pam_pwdb.so
-session required pam_pwdb.so
-# session optional pam_lastlog.so
-# password required pam_cracklib.so retry=3
-password required pam_pwdb.so shadow md5</PRE
-></P
-><P
->PAM allows use of replacable modules. Those available on a
-sample system include:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->$ /bin/ls /lib/security
-pam_access.so pam_ftp.so pam_limits.so
-pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
-pam_cracklib.so pam_group.so pam_listfile.so
-pam_nologin.so pam_rootok.so pam_tally.so
-pam_deny.so pam_issue.so pam_mail.so
-pam_permit.so pam_securetty.so pam_time.so
-pam_dialup.so pam_lastlog.so pam_mkhomedir.so
-pam_pwdb.so pam_shells.so pam_unix.so
-pam_env.so pam_ldap.so pam_motd.so
-pam_radius.so pam_smbpass.so pam_unix_acct.so
-pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
-pam_userdb.so pam_warn.so pam_unix_session.so</PRE
-></P
-><P
->The following example for the login program replaces the use of
-the <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
-> module which uses the system
-password database (<TT
-CLASS="FILENAME"
->/etc/passwd</TT
->,
-<TT
-CLASS="FILENAME"
->/etc/shadow</TT
->, <TT
-CLASS="FILENAME"
->/etc/group</TT
->) with
-the module <TT
-CLASS="FILENAME"
->pam_smbpass.so</TT
-> which uses the Samba
-database which contains the Microsoft MD4 encrypted password
-hashes. This database is stored in either
-<TT
-CLASS="FILENAME"
->/usr/local/samba/private/smbpasswd</TT
->,
-<TT
-CLASS="FILENAME"
->/etc/samba/smbpasswd</TT
->, or in
-<TT
-CLASS="FILENAME"
->/etc/samba.d/smbpasswd</TT
->, depending on the
-Samba implementation for your Unix/Linux system. The
-<TT
-CLASS="FILENAME"
->pam_smbpass.so</TT
-> module is provided by
-Samba version 2.2.1 or later. It can be compiled by specifying the
-<B
-CLASS="COMMAND"
->--with-pam_smbpass</B
-> options when running Samba's
-<TT
-CLASS="FILENAME"
->configure</TT
-> script. For more information
-on the <TT
-CLASS="FILENAME"
->pam_smbpass</TT
-> module, see the documentation
-in the <TT
-CLASS="FILENAME"
->source/pam_smbpass</TT
-> directory of the Samba
-source distribution.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_smbpass.so nodelay
-account required pam_smbpass.so nodelay
-session required pam_smbpass.so nodelay
-password required pam_smbpass.so nodelay</PRE
-></P
-><P
->The following is the PAM configuration file for a particular
-Linux system. The default condition uses <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
->.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_pwdb.so shadow md5</PRE
-></P
-><P
->In the following example the decision has been made to use the
-smbpasswd database even for basic samba authentication. Such a
-decision could also be made for the passwd program and would
-thus allow the smbpasswd passwords to be changed using the passwd
-program.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_smbpass.so nodelay
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
-></P
-><P
->Note: PAM allows stacking of authentication mechanisms. It is
-also possible to pass information obtained within one PAM module through
-to the next module in the PAM stack. Please refer to the documentation for
-your particular system implementation for details regarding the specific
-capabilities of PAM in this environment. Some Linux implmentations also
-provide the <TT
-CLASS="FILENAME"
->pam_stack.so</TT
-> module that allows all
-authentication to be configured in a single central file. The
-<TT
-CLASS="FILENAME"
->pam_stack.so</TT
-> method has some very devoted followers
-on the basis that it allows for easier administration. As with all issues in
-life though, every decision makes trade-offs, so you may want examine the
-PAM documentation for further helpful information.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN640"
-></A
->4.2. Distributed Authentication</H2
-><P
->The astute administrator will realize from this that the
-combination of <TT
-CLASS="FILENAME"
->pam_smbpass.so</TT
->,
-<B
-CLASS="COMMAND"
->winbindd</B
->, and <B
-CLASS="COMMAND"
->rsync</B
-> (see
-<A
-HREF="http://rsync.samba.org/"
-TARGET="_top"
->http://rsync.samba.org/</A
->)
-will allow the establishment of a centrally managed, distributed
-user/password database that can also be used by all
-PAM (eg: Linux) aware programs and applications. This arrangement
-can have particularly potent advantages compared with the
-use of Microsoft Active Directory Service (ADS) in so far as
-reduction of wide area network authentication traffic.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN647"
-></A
->4.3. PAM Configuration in smb.conf</H2
-><P
->There is an option in smb.conf called <A
-HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS"
-TARGET="_top"
->obey pam restrictions</A
->.
-The following is from the on-line help for this option in SWAT;</P
-><P
->When Samba 2.2 is configure to enable PAM support (i.e.
-<TT
-CLASS="CONSTANT"
->--with-pam</TT
->), this parameter will
-control whether or not Samba should obey PAM's account
-and session management directives. The default behavior
-is to use PAM for clear text authentication only and to
-ignore any account or session management. Note that Samba always
-ignores PAM for authentication in the case of
-<A
-HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
-TARGET="_top"
->encrypt passwords = yes</A
->.
-The reason is that PAM modules cannot support the challenge/response
-authentication mechanism needed in the presence of SMB
-password encryption. </P
-><P
->Default: <B
-CLASS="COMMAND"
->obey pam restrictions = no</B
-></P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="MSDFS"
-></A
->Chapter 5. Hosting a Microsoft Distributed File System tree on Samba</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN667"
-></A
->5.1. Instructions</H2
-><P
->The Distributed File System (or Dfs) provides a means of
- separating the logical view of files and directories that users
- see from the actual physical locations of these resources on the
- network. It allows for higher availability, smoother storage expansion,
- load balancing etc. For more information about Dfs, refer to <A
-HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
-TARGET="_top"
-> Microsoft documentation</A
->. </P
-><P
->This document explains how to host a Dfs tree on a Unix
- machine (for Dfs-aware clients to browse) using Samba.</P
-><P
->To enable SMB-based DFS for Samba, configure it with the
- <TT
-CLASS="PARAMETER"
-><I
->--with-msdfs</I
-></TT
-> option. Once built, a
- Samba server can be made a Dfs server by setting the global
- boolean <A
-HREF="smb.conf.5.html#HOSTMSDFS"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
-> host msdfs</I
-></TT
-></A
-> parameter in the <TT
-CLASS="FILENAME"
->smb.conf
- </TT
-> file. You designate a share as a Dfs root using the share
- level boolean <A
-HREF="smb.conf.5.html#MSDFSROOT"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
-> msdfs root</I
-></TT
-></A
-> parameter. A Dfs root directory on
- Samba hosts Dfs links in the form of symbolic links that point
- to other servers. For example, a symbolic link
- <TT
-CLASS="FILENAME"
->junction-&gt;msdfs:storage1\share1</TT
-> in
- the share directory acts as the Dfs junction. When Dfs-aware
- clients attempt to access the junction link, they are redirected
- to the storage location (in this case, \\storage1\share1).</P
-><P
->Dfs trees on Samba work with all Dfs-aware clients ranging
- from Windows 95 to 2000.</P
-><P
->Here's an example of setting up a Dfs tree on a Samba
- server.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-># The smb.conf file:
-[global]
- netbios name = SAMBA
- host msdfs = yes
-
-[dfs]
- path = /export/dfsroot
- msdfs root = yes
- </PRE
-></P
-><P
->In the /export/dfsroot directory we set up our dfs links to
- other servers on the network.</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->cd /export/dfsroot</B
-></TT
-></P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->chown root /export/dfsroot</B
-></TT
-></P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->chmod 755 /export/dfsroot</B
-></TT
-></P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->ln -s msdfs:storageA\\shareA linka</B
-></TT
-></P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->ln -s msdfs:serverB\\share,serverC\\share linkb</B
-></TT
-></P
-><P
->You should set up the permissions and ownership of
- the directory acting as the Dfs root such that only designated
- users can create, delete or modify the msdfs links. Also note
- that symlink names should be all lowercase. This limitation exists
- to have Samba avoid trying all the case combinations to get at
- the link name. Finally set up the symbolic links to point to the
- network shares you want, and start Samba.</P
-><P
->Users on Dfs-aware clients can now browse the Dfs tree
- on the Samba server at \\samba\dfs. Accessing
- links linka or linkb (which appear as directories to the client)
- takes users directly to the appropriate shares on the network.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN702"
-></A
->5.1.1. Notes</H3
-><P
-></P
-><UL
-><LI
-><P
->Windows clients need to be rebooted
- if a previously mounted non-dfs share is made a dfs
- root or vice versa. A better way is to introduce a
- new share and make it the dfs root.</P
-></LI
-><LI
-><P
->Currently there's a restriction that msdfs
- symlink names should all be lowercase.</P
-></LI
-><LI
-><P
->For security purposes, the directory
- acting as the root of the Dfs tree should have ownership
- and permissions set so that only designated users can
- modify the symbolic links in the directory.</P
-></LI
-></UL
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="UNIX-PERMISSIONS"
-></A
->Chapter 6. UNIX Permission Bits and Windows NT Access Control Lists</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN722"
-></A
->6.1. Viewing and changing UNIX permissions using the NT
- security dialogs</H2
-><P
->New in the Samba 2.0.4 release is the ability for Windows
- NT clients to use their native security settings dialog box to
- view and modify the underlying UNIX permissions.</P
-><P
->Note that this ability is careful not to compromise
- the security of the UNIX host Samba is running on, and
- still obeys all the file permission rules that a Samba
- administrator can set.</P
-><P
->In Samba 2.0.4 and above the default value of the
- parameter <A
-HREF="smb.conf.5.html#NTACLSUPPORT"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
-> nt acl support</I
-></TT
-></A
-> has been changed from
- <TT
-CLASS="CONSTANT"
->false</TT
-> to <TT
-CLASS="CONSTANT"
->true</TT
->, so
- manipulation of permissions is turned on by default.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN731"
-></A
->6.2. How to view file security on a Samba share</H2
-><P
->From an NT 4.0 client, single-click with the right
- mouse button on any file or directory in a Samba mounted
- drive letter or UNC path. When the menu pops-up, click
- on the <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Properties</I
-></SPAN
-> entry at the bottom of
- the menu. This brings up the normal file properties dialog
- box, but with Samba 2.0.4 this will have a new tab along the top
- marked <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Security</I
-></SPAN
->. Click on this tab and you
- will see three buttons, <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Permissions</I
-></SPAN
->,
- <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Auditing</I
-></SPAN
->, and <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Ownership</I
-></SPAN
->.
- The <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Auditing</I
-></SPAN
-> button will cause either
- an error message <SPAN
-CLASS="ERRORNAME"
->A requested privilege is not held
- by the client</SPAN
-> to appear if the user is not the
- NT Administrator, or a dialog which is intended to allow an
- Administrator to add auditing requirements to a file if the
- user is logged on as the NT Administrator. This dialog is
- non-functional with a Samba share at this time, as the only
- useful button, the <B
-CLASS="COMMAND"
->Add</B
-> button will not currently
- allow a list of users to be seen.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN742"
-></A
->6.3. Viewing file ownership</H2
-><P
->Clicking on the <B
-CLASS="COMMAND"
->"Ownership"</B
-> button
- brings up a dialog box telling you who owns the given file. The
- owner name will be of the form :</P
-><P
-><B
-CLASS="COMMAND"
->"SERVER\user (Long name)"</B
-></P
-><P
->Where <TT
-CLASS="REPLACEABLE"
-><I
->SERVER</I
-></TT
-> is the NetBIOS name of
- the Samba server, <TT
-CLASS="REPLACEABLE"
-><I
->user</I
-></TT
-> is the user name of
- the UNIX user who owns the file, and <TT
-CLASS="REPLACEABLE"
-><I
->(Long name)</I
-></TT
->
- is the descriptive string identifying the user (normally found in the
- GECOS field of the UNIX password database). Click on the <B
-CLASS="COMMAND"
->Close
- </B
-> button to remove this dialog.</P
-><P
->If the parameter <TT
-CLASS="PARAMETER"
-><I
->nt acl support</I
-></TT
->
- is set to <TT
-CLASS="CONSTANT"
->false</TT
-> then the file owner will
- be shown as the NT user <B
-CLASS="COMMAND"
->"Everyone"</B
->.</P
-><P
->The <B
-CLASS="COMMAND"
->Take Ownership</B
-> button will not allow
- you to change the ownership of this file to yourself (clicking on
- it will display a dialog box complaining that the user you are
- currently logged onto the NT client cannot be found). The reason
- for this is that changing the ownership of a file is a privileged
- operation in UNIX, available only to the <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->root</I
-></SPAN
->
- user. As clicking on this button causes NT to attempt to change
- the ownership of a file to the current user logged into the NT
- client this will not work with Samba at this time.</P
-><P
->There is an NT chown command that will work with Samba
- and allow a user with Administrator privilege connected
- to a Samba 2.0.4 server as root to change the ownership of
- files on both a local NTFS filesystem or remote mounted NTFS
- or Samba drive. This is available as part of the <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Seclib
- </I
-></SPAN
-> NT security library written by Jeremy Allison of
- the Samba Team, available from the main Samba ftp site.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN762"
-></A
->6.4. Viewing file or directory permissions</H2
-><P
->The third button is the <B
-CLASS="COMMAND"
->"Permissions"</B
->
- button. Clicking on this brings up a dialog box that shows both
- the permissions and the UNIX owner of the file or directory.
- The owner is displayed in the form :</P
-><P
-><B
-CLASS="COMMAND"
->"SERVER\user (Long name)"</B
-></P
-><P
->Where <TT
-CLASS="REPLACEABLE"
-><I
->SERVER</I
-></TT
-> is the NetBIOS name of
- the Samba server, <TT
-CLASS="REPLACEABLE"
-><I
->user</I
-></TT
-> is the user name of
- the UNIX user who owns the file, and <TT
-CLASS="REPLACEABLE"
-><I
->(Long name)</I
-></TT
->
- is the descriptive string identifying the user (normally found in the
- GECOS field of the UNIX password database).</P
-><P
->If the parameter <TT
-CLASS="PARAMETER"
-><I
->nt acl support</I
-></TT
->
- is set to <TT
-CLASS="CONSTANT"
->false</TT
-> then the file owner will
- be shown as the NT user <B
-CLASS="COMMAND"
->"Everyone"</B
-> and the
- permissions will be shown as NT "Full Control".</P
-><P
->The permissions field is displayed differently for files
- and directories, so I'll describe the way file permissions
- are displayed first.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN777"
-></A
->6.4.1. File Permissions</H3
-><P
->The standard UNIX user/group/world triple and
- the corresponding "read", "write", "execute" permissions
- triples are mapped by Samba into a three element NT ACL
- with the 'r', 'w', and 'x' bits mapped into the corresponding
- NT permissions. The UNIX world permissions are mapped into
- the global NT group <B
-CLASS="COMMAND"
->Everyone</B
->, followed
- by the list of permissions allowed for UNIX world. The UNIX
- owner and group permissions are displayed as an NT
- <B
-CLASS="COMMAND"
->user</B
-> icon and an NT <B
-CLASS="COMMAND"
->local
- group</B
-> icon respectively followed by the list
- of permissions allowed for the UNIX user and group.</P
-><P
->As many UNIX permission sets don't map into common
- NT names such as <B
-CLASS="COMMAND"
->"read"</B
->, <B
-CLASS="COMMAND"
-> "change"</B
-> or <B
-CLASS="COMMAND"
->"full control"</B
-> then
- usually the permissions will be prefixed by the words <B
-CLASS="COMMAND"
-> "Special Access"</B
-> in the NT display list.</P
-><P
->But what happens if the file has no permissions allowed
- for a particular UNIX user group or world component ? In order
- to allow "no permissions" to be seen and modified then Samba
- overloads the NT <B
-CLASS="COMMAND"
->"Take Ownership"</B
-> ACL attribute
- (which has no meaning in UNIX) and reports a component with
- no permissions as having the NT <B
-CLASS="COMMAND"
->"O"</B
-> bit set.
- This was chosen of course to make it look like a zero, meaning
- zero permissions. More details on the decision behind this will
- be given below.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN791"
-></A
->6.4.2. Directory Permissions</H3
-><P
->Directories on an NT NTFS file system have two
- different sets of permissions. The first set of permissions
- is the ACL set on the directory itself, this is usually displayed
- in the first set of parentheses in the normal <B
-CLASS="COMMAND"
->"RW"</B
->
- NT style. This first set of permissions is created by Samba in
- exactly the same way as normal file permissions are, described
- above, and is displayed in the same way.</P
-><P
->The second set of directory permissions has no real meaning
- in the UNIX permissions world and represents the <B
-CLASS="COMMAND"
-> "inherited"</B
-> permissions that any file created within
- this directory would inherit.</P
-><P
->Samba synthesises these inherited permissions for NT by
- returning as an NT ACL the UNIX permission mode that a new file
- created by Samba on this share would receive.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN798"
-></A
->6.5. Modifying file or directory permissions</H2
-><P
->Modifying file and directory permissions is as simple
- as changing the displayed permissions in the dialog box, and
- clicking the <B
-CLASS="COMMAND"
->OK</B
-> button. However, there are
- limitations that a user needs to be aware of, and also interactions
- with the standard Samba permission masks and mapping of DOS
- attributes that need to also be taken into account.</P
-><P
->If the parameter <TT
-CLASS="PARAMETER"
-><I
->nt acl support</I
-></TT
->
- is set to <TT
-CLASS="CONSTANT"
->false</TT
-> then any attempt to set
- security permissions will fail with an <B
-CLASS="COMMAND"
->"Access Denied"
- </B
-> message.</P
-><P
->The first thing to note is that the <B
-CLASS="COMMAND"
->"Add"</B
->
- button will not return a list of users in Samba 2.0.4 (it will give
- an error message of <B
-CLASS="COMMAND"
->"The remote procedure call failed
- and did not execute"</B
->). This means that you can only
- manipulate the current user/group/world permissions listed in
- the dialog box. This actually works quite well as these are the
- only permissions that UNIX actually has.</P
-><P
->If a permission triple (either user, group, or world)
- is removed from the list of permissions in the NT dialog box,
- then when the <B
-CLASS="COMMAND"
->"OK"</B
-> button is pressed it will
- be applied as "no permissions" on the UNIX side. If you then
- view the permissions again the "no permissions" entry will appear
- as the NT <B
-CLASS="COMMAND"
->"O"</B
-> flag, as described above. This
- allows you to add permissions back to a file or directory once
- you have removed them from a triple component.</P
-><P
->As UNIX supports only the "r", "w" and "x" bits of
- an NT ACL then if other NT security attributes such as "Delete
- access" are selected then they will be ignored when applied on
- the Samba server.</P
-><P
->When setting permissions on a directory the second
- set of permissions (in the second set of parentheses) is
- by default applied to all files within that directory. If this
- is not what you want you must uncheck the <B
-CLASS="COMMAND"
->"Replace
- permissions on existing files"</B
-> checkbox in the NT
- dialog before clicking <B
-CLASS="COMMAND"
->"OK"</B
->.</P
-><P
->If you wish to remove all permissions from a
- user/group/world component then you may either highlight the
- component and click the <B
-CLASS="COMMAND"
->"Remove"</B
-> button,
- or set the component to only have the special <B
-CLASS="COMMAND"
->"Take
- Ownership"</B
-> permission (displayed as <B
-CLASS="COMMAND"
->"O"
- </B
->) highlighted.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN820"
-></A
->6.6. Interaction with the standard Samba create mask
- parameters</H2
-><P
->Note that with Samba 2.0.5 there are four new parameters
- to control this interaction. These are :</P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->security mask</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->force security mode</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->directory security mask</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->force directory security mode</I
-></TT
-></P
-><P
->Once a user clicks <B
-CLASS="COMMAND"
->"OK"</B
-> to apply the
- permissions Samba maps the given permissions into a user/group/world
- r/w/x triple set, and then will check the changed permissions for a
- file against the bits set in the <A
-HREF="smb.conf.5.html#SECURITYMASK"
-TARGET="_top"
->
- <TT
-CLASS="PARAMETER"
-><I
->security mask</I
-></TT
-></A
-> parameter. Any bits that
- were changed that are not set to '1' in this parameter are left alone
- in the file permissions.</P
-><P
->Essentially, zero bits in the <TT
-CLASS="PARAMETER"
-><I
->security mask</I
-></TT
->
- mask may be treated as a set of bits the user is <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->not</I
-></SPAN
->
- allowed to change, and one bits are those the user is allowed to change.
- </P
-><P
->If not set explicitly this parameter is set to the same value as
- the <A
-HREF="smb.conf.5.html#CREATEMASK"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->create mask
- </I
-></TT
-></A
-> parameter to provide compatibility with Samba 2.0.4
- where this permission change facility was introduced. To allow a user to
- modify all the user/group/world permissions on a file, set this parameter
- to 0777.</P
-><P
->Next Samba checks the changed permissions for a file against
- the bits set in the <A
-HREF="smb.conf.5.html#FORCESECURITYMODE"
-TARGET="_top"
-> <TT
-CLASS="PARAMETER"
-><I
->force security mode</I
-></TT
-></A
-> parameter. Any bits
- that were changed that correspond to bits set to '1' in this parameter
- are forced to be set.</P
-><P
->Essentially, bits set in the <TT
-CLASS="PARAMETER"
-><I
->force security mode
- </I
-></TT
-> parameter may be treated as a set of bits that, when
- modifying security on a file, the user has always set to be 'on'.</P
-><P
->If not set explicitly this parameter is set to the same value
- as the <A
-HREF="smb.conf.5.html#FORCECREATEMODE"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->force
- create mode</I
-></TT
-></A
-> parameter to provide compatibility
- with Samba 2.0.4 where the permission change facility was introduced.
- To allow a user to modify all the user/group/world permissions on a file
- with no restrictions set this parameter to 000.</P
-><P
->The <TT
-CLASS="PARAMETER"
-><I
->security mask</I
-></TT
-> and <TT
-CLASS="PARAMETER"
-><I
->force
- security mode</I
-></TT
-> parameters are applied to the change
- request in that order.</P
-><P
->For a directory Samba will perform the same operations as
- described above for a file except using the parameter <TT
-CLASS="PARAMETER"
-><I
-> directory security mask</I
-></TT
-> instead of <TT
-CLASS="PARAMETER"
-><I
->security
- mask</I
-></TT
->, and <TT
-CLASS="PARAMETER"
-><I
->force directory security mode
- </I
-></TT
-> parameter instead of <TT
-CLASS="PARAMETER"
-><I
->force security mode
- </I
-></TT
->.</P
-><P
->The <TT
-CLASS="PARAMETER"
-><I
->directory security mask</I
-></TT
-> parameter
- by default is set to the same value as the <TT
-CLASS="PARAMETER"
-><I
->directory mask
- </I
-></TT
-> parameter and the <TT
-CLASS="PARAMETER"
-><I
->force directory security
- mode</I
-></TT
-> parameter by default is set to the same value as
- the <TT
-CLASS="PARAMETER"
-><I
->force directory mode</I
-></TT
-> parameter to provide
- compatibility with Samba 2.0.4 where the permission change facility
- was introduced.</P
-><P
->In this way Samba enforces the permission restrictions that
- an administrator can set on a Samba share, whilst still allowing users
- to modify the permission bits within that restriction.</P
-><P
->If you want to set up a share that allows users full control
- in modifying the permission bits on their files and directories and
- doesn't force any particular bits to be set 'on', then set the following
- parameters in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
-><TT
-CLASS="FILENAME"
->smb.conf(5)
- </TT
-></A
-> file in that share specific section :</P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->security mask = 0777</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->force security mode = 0</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->directory security mask = 0777</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->force directory security mode = 0</I
-></TT
-></P
-><P
->As described, in Samba 2.0.4 the parameters :</P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->create mask</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->force create mode</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->directory mask</I
-></TT
-></P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->force directory mode</I
-></TT
-></P
-><P
->were used instead of the parameters discussed here.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN884"
-></A
->6.7. Interaction with the standard Samba file attribute
- mapping</H2
-><P
->Samba maps some of the DOS attribute bits (such as "read
- only") into the UNIX permissions of a file. This means there can
- be a conflict between the permission bits set via the security
- dialog and the permission bits set by the file attribute mapping.
- </P
-><P
->One way this can show up is if a file has no UNIX read access
- for the owner it will show up as "read only" in the standard
- file attributes tabbed dialog. Unfortunately this dialog is
- the same one that contains the security info in another tab.</P
-><P
->What this can mean is that if the owner changes the permissions
- to allow themselves read access using the security dialog, clicks
- <B
-CLASS="COMMAND"
->"OK"</B
-> to get back to the standard attributes tab
- dialog, and then clicks <B
-CLASS="COMMAND"
->"OK"</B
-> on that dialog, then
- NT will set the file permissions back to read-only (as that is what
- the attributes still say in the dialog). This means that after setting
- permissions and clicking <B
-CLASS="COMMAND"
->"OK"</B
-> to get back to the
- attributes dialog you should always hit <B
-CLASS="COMMAND"
->"Cancel"</B
->
- rather than <B
-CLASS="COMMAND"
->"OK"</B
-> to ensure that your changes
- are not overridden.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="PRINTING"
-></A
->Chapter 7. Printing Support in Samba 2.2.x</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN905"
-></A
->7.1. Introduction</H2
-><P
->Beginning with the 2.2.0 release, Samba supports
-the native Windows NT printing mechanisms implemented via
-MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
-Samba only supported LanMan printing calls.</P
-><P
->The additional functionality provided by the new
-SPOOLSS support includes:</P
-><P
-></P
-><UL
-><LI
-><P
->Support for downloading printer driver
- files to Windows 95/98/NT/2000 clients upon demand.
- </P
-></LI
-><LI
-><P
->Uploading of printer drivers via the
- Windows NT Add Printer Wizard (APW) or the
- Imprints tool set (refer to <A
-HREF="http://imprints.sourceforge.net"
-TARGET="_top"
->http://imprints.sourceforge.net</A
->).
- </P
-></LI
-><LI
-><P
->Support for the native MS-RPC printing
- calls such as StartDocPrinter, EnumJobs(), etc... (See
- the MSDN documentation at <A
-HREF="http://msdn.microsoft.com/"
-TARGET="_top"
->http://msdn.microsoft.com/</A
->
- for more information on the Win32 printing API)
- </P
-></LI
-><LI
-><P
->Support for NT Access Control Lists (ACL)
- on printer objects</P
-></LI
-><LI
-><P
->Improved support for printer queue manipulation
- through the use of an internal databases for spooled job
- information</P
-></LI
-></UL
-><P
->There has been some initial confusion about what all this means
-and whether or not it is a requirement for printer drivers to be
-installed on a Samba host in order to support printing from Windows
-clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients
-require that the Samba server possess a valid driver for the printer.
-This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients
-can use the local APW for installing drivers to be used with a Samba
-served printer. This is the same behavior exhibited by Windows 9x clients.
-As a side note, Samba does not use these drivers in any way to process
-spooled files. They are utilized entirely by the clients.</P
-><P
->The following MS KB article, may be of some help if you are dealing with
-Windows 2000 clients: <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->How to Add Printers with No User
-Interaction in Windows 2000</I
-></SPAN
-></P
-><P
-><A
-HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP"
-TARGET="_top"
->http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN927"
-></A
->7.2. Configuration</H2
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->[print$] vs. [printer$]</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->Previous versions of Samba recommended using a share named [printer$].
-This name was taken from the printer$ service created by Windows 9x
-clients when a printer was shared. Windows 9x printer servers always have
-a printer$ service which provides read-only access via no
-password in order to support printer driver downloads.</P
-><P
->However, the initial implementation allowed for a
-parameter named <TT
-CLASS="PARAMETER"
-><I
->printer driver location</I
-></TT
->
-to be used on a per share basis to specify the location of
-the driver files associated with that printer. Another
-parameter named <TT
-CLASS="PARAMETER"
-><I
->printer driver</I
-></TT
-> provided
-a means of defining the printer driver name to be sent to
-the client.</P
-><P
->These parameters, including <TT
-CLASS="PARAMETER"
-><I
->printer driver
-file</I
-></TT
-> parameter, are being deprecated and should not
-be used in new installations. For more information on this change,
-you should refer to the <A
-HREF="#MIGRATION"
->Migration section</A
->
-of this document.</P
-></TD
-></TR
-></TABLE
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN938"
-></A
->7.2.1. Creating [print$]</H3
-><P
->In order to support the uploading of printer driver
-files, you must first configure a file share named [print$].
-The name of this share is hard coded in Samba's internals so
-the name is very important (print$ is the service used by
-Windows NT print servers to provide support for printer driver
-download).</P
-><P
->You should modify the server's smb.conf file to add the global
-parameters and to create the
-following file share (of course, some of the parameter values,
-such as 'path' are arbitrary and should be replaced with
-appropriate values for your site):</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[global]
- ; members of the ntadmin group should be able
- ; to add drivers and set printer properties
- ; root is implicitly a 'printer admin'
- printer admin = @ntadmin
-
-[print$]
- path = /usr/local/samba/printers
- guest ok = yes
- browseable = yes
- read only = yes
- ; since this share is configured as read only, then we need
- ; a 'write list'. Check the file system permissions to make
- ; sure this account can copy files to the share. If this
- ; is setup to a non-root account, then it should also exist
- ; as a 'printer admin'
- write list = @ntadmin,root</PRE
-></P
-><P
->The <A
-HREF="smb.conf.5.html#WRITELIST"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->write list</I
-></TT
-></A
-> is used to allow administrative
-level user accounts to have write access in order to update files
-on the share. See the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5)
-man page</A
-> for more information on configuring file shares.</P
-><P
->The requirement for <A
-HREF="smb.conf.5.html#GUESTOK"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->guest
-ok = yes</B
-></A
-> depends upon how your
-site is configured. If users will be guaranteed to have
-an account on the Samba host, then this is a non-issue.</P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Author's Note</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->The non-issue is that if all your Windows NT users are guaranteed to be
-authenticated by the Samba server (such as a domain member server and the NT
-user has already been validated by the Domain Controller in
-order to logon to the Windows NT console), then guest access
-is not necessary. Of course, in a workgroup environment where
-you just want to be able to print without worrying about
-silly accounts and security, then configure the share for
-guest access. You'll probably want to add <A
-HREF="smb.conf.5.html#MAPTOGUEST"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->map to guest = Bad User</B
-></A
-> in the [global] section as well. Make sure
-you understand what this parameter does before using it
-though. --jerry</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->In order for a Windows NT print server to support
-the downloading of driver files by multiple client architectures,
-it must create subdirectories within the [print$] service
-which correspond to each of the supported client architectures.
-Samba follows this model as well.</P
-><P
->Next create the directory tree below the [print$] share
-for each architecture you wish to support.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[print$]-----
- |-W32X86 ; "Windows NT x86"
- |-WIN40 ; "Windows 95/98"
- |-W32ALPHA ; "Windows NT Alpha_AXP"
- |-W32MIPS ; "Windows NT R4000"
- |-W32PPC ; "Windows NT PowerPC"</PRE
-></P
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->ATTENTION! REQUIRED PERMISSIONS</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->In order to currently add a new driver to you Samba host,
-one of two conditions must hold true:</P
-><P
-></P
-><UL
-><LI
-><P
->The account used to connect to the Samba host
- must have a uid of 0 (i.e. a root account)</P
-></LI
-><LI
-><P
->The account used to connect to the Samba host
- must be a member of the <A
-HREF="smb.conf.5.html#PRINTERADMIN"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->printer
- admin</I
-></TT
-></A
-> list.</P
-></LI
-></UL
-><P
->Of course, the connected account must still possess access
-to add files to the subdirectories beneath [print$]. Remember
-that all file shares are set to 'read only' by default.</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->Once you have created the required [print$] service and
-associated subdirectories, simply log onto the Samba server using
-a root (or <TT
-CLASS="PARAMETER"
-><I
->printer admin</I
-></TT
->) account
-from a Windows NT 4.0/2k client. Open "Network Neighbourhood" or
-"My Network Places" and browse for the Samba host. Once you have located
-the server, navigate to the "Printers..." folder.
-You should see an initial listing of printers
-that matches the printer shares defined on your Samba host.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN973"
-></A
->7.2.2. Setting Drivers for Existing Printers</H3
-><P
->The initial listing of printers in the Samba host's
-Printers folder will have no real printer driver assigned
-to them. By default, in Samba 2.2.0 this driver name was set to
-<SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER</I
-></SPAN
->.
-Later versions changed this to a NULL string to allow the use
-tof the local Add Printer Wizard on NT/2000 clients.
-Attempting to view the printer properties for a printer
-which has this default driver assigned will result in
-the error message:</P
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Device settings cannot be displayed. The driver
-for the specified printer is not installed, only spooler
-properties will be displayed. Do you want to install the
-driver now?</I
-></SPAN
-></P
-><P
->Click "No" in the error dialog and you will be presented with
-the printer properties window. The way to assign a driver to a
-printer is to either</P
-><P
-></P
-><UL
-><LI
-><P
->Use the "New Driver..." button to install
- a new printer driver, or</P
-></LI
-><LI
-><P
->Select a driver from the popup list of
- installed drivers. Initially this list will be empty.</P
-></LI
-></UL
-><P
->If you wish to install printer drivers for client
-operating systems other than "Windows NT x86", you will need
-to use the "Sharing" tab of the printer properties dialog.</P
-><P
->Assuming you have connected with a root account, you
-will also be able modify other printer properties such as
-ACLs and device settings using this dialog box.</P
-><P
->A few closing comments for this section, it is possible
-on a Windows NT print server to have printers
-listed in the Printers folder which are not shared. Samba does
-not make this distinction. By definition, the only printers of
-which Samba is aware are those which are specified as shares in
-<TT
-CLASS="FILENAME"
->smb.conf</TT
->.</P
-><P
->Another interesting side note is that Windows NT clients do
-not use the SMB printer share, but rather can print directly
-to any printer on another Windows NT host using MS-RPC. This
-of course assumes that the printing client has the necessary
-privileges on the remote host serving the printer. The default
-permissions assigned by Windows NT to a printer gives the "Print"
-permissions to the "Everyone" well-known group.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN990"
-></A
->7.2.3. Support a large number of printers</H3
-><P
->One issue that has arisen during the development
-phase of Samba 2.2 is the need to support driver downloads for
-100's of printers. Using the Windows NT APW is somewhat
-awkward to say the list. If more than one printer are using the
-same driver, the <A
-HREF="rpcclient.1.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->rpcclient's
-setdriver command</B
-></A
-> can be used to set the driver
-associated with an installed driver. The following is example
-of how this could be accomplished:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->
-<TT
-CLASS="PROMPT"
->$ </TT
->rpcclient pogo -U root%secret -c "enumdrivers"
-Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
-
-[Windows NT x86]
-Printer Driver Info 1:
- Driver Name: [HP LaserJet 4000 Series PS]
-
-Printer Driver Info 1:
- Driver Name: [HP LaserJet 2100 Series PS]
-
-Printer Driver Info 1:
- Driver Name: [HP LaserJet 4Si/4SiMX PS]
-
-<TT
-CLASS="PROMPT"
->$ </TT
->rpcclient pogo -U root%secret -c "enumprinters"
-Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
- flags:[0x800000]
- name:[\\POGO\hp-print]
- description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
- comment:[]
-
-<TT
-CLASS="PROMPT"
->$ </TT
->rpcclient pogo -U root%secret \
-<TT
-CLASS="PROMPT"
->&gt; </TT
-> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
-Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
-Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1001"
-></A
->7.2.4. Adding New Printers via the Windows NT APW</H3
-><P
->By default, Samba offers all printer shares defined in <TT
-CLASS="FILENAME"
->smb.conf</TT
->
-in the "Printers..." folder. Also existing in this folder is the Windows NT
-Add Printer Wizard icon. The APW will be show only if</P
-><P
-></P
-><UL
-><LI
-><P
->The connected user is able to successfully
- execute an OpenPrinterEx(\\server) with administrative
- privileges (i.e. root or <TT
-CLASS="PARAMETER"
-><I
->printer admin</I
-></TT
->).
- </P
-></LI
-><LI
-><P
-><A
-HREF="smb.conf.5.html#SHOWADDPRINTERWIZARD"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->show
- add printer wizard = yes</I
-></TT
-></A
-> (the default).
- </P
-></LI
-></UL
-><P
->In order to be able to use the APW to successfully add a printer to a Samba
-server, the <A
-HREF="smb.conf.5.html#ADDPRINTERCOMMAND"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->add
-printer command</I
-></TT
-></A
-> must have a defined value. The program
-hook must successfully add the printer to the system (i.e.
-<TT
-CLASS="FILENAME"
->/etc/printcap</TT
-> or appropriate files) and
-<TT
-CLASS="FILENAME"
->smb.conf</TT
-> if necessary.</P
-><P
->When using the APW from a client, if the named printer share does
-not exist, <B
-CLASS="COMMAND"
->smbd</B
-> will execute the <TT
-CLASS="PARAMETER"
-><I
->add printer
-command</I
-></TT
-> and reparse to the <TT
-CLASS="FILENAME"
->smb.conf</TT
->
-to attempt to locate the new printer share. If the share is still not defined,
-an error of "Access Denied" is returned to the client. Note that the
-<TT
-CLASS="PARAMETER"
-><I
->add printer program</I
-></TT
-> is executed under the context
-of the connected user, not necessarily a root account.</P
-><P
->There is a complementary <A
-HREF="smb.conf.5.html#DELETEPRINTERCOMMAND"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->delete
-printer command</I
-></TT
-></A
-> for removing entries from the "Printers..."
-folder.</P
-><P
->The following is an example <A
-HREF="smb.conf.5.html#ADDPRINTERCOMMAN"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->add printer command</I
-></TT
-></A
-> script. It adds the appropriate entries to <TT
-CLASS="FILENAME"
->/etc/printcap.local</TT
-> (change that to what you need) and returns a line of 'Done' which is needed for the whole process to work.</P
-><PRE
-CLASS="PROGRAMLISTING"
->#!/bin/sh
-
-# Script to insert a new printer entry into printcap.local
-#
-# $1, printer name, used as the descriptive name
-# $2, share name, used as the printer name for Linux
-# $3, port name
-# $4, driver name
-# $5, location, used for the device file of the printer
-# $6, win9x location
-
-#
-# Make sure we use the location that RedHat uses for local printer defs
-PRINTCAP=/etc/printcap.local
-DATE=`date +%Y%m%d-%H%M%S`
-LP=lp
-RESTART="service lpd restart"
-
-# Keep a copy
-cp $PRINTCAP $PRINTCAP.$DATE
-# Add the printer to $PRINTCAP
-echo "" &#62;&#62; $PRINTCAP
-echo "$2|$1:\\" &#62;&#62; $PRINTCAP
-echo " :sd=/var/spool/lpd/$2:\\" &#62;&#62; $PRINTCAP
-echo " :mx=0:ml=0:sh:\\" &#62;&#62; $PRINTCAP
-echo " :lp=/usr/local/samba/var/print/$5.prn:" &#62;&#62; $PRINTCAP
-
-touch "/usr/local/samba/var/print/$5.prn" &#62;&#62; /tmp/printadd.$$ 2&#62;&#38;1
-chown $LP "/usr/local/samba/var/print/$5.prn" &#62;&#62; /tmp/printadd.$$ 2&#62;&#38;1
-
-mkdir /var/spool/lpd/$2
-chmod 700 /var/spool/lpd/$2
-chown $LP /var/spool/lpd/$2
-#echo $1 &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-#echo $2 &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-#echo $3 &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-#echo $4 &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-#echo $5 &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-#echo $6 &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-$RESTART &#62;&#62; "/usr/local/samba/var/print/$5.prn"
-# Not sure if this is needed
-touch /usr/local/samba/lib/smb.conf
-#
-# You need to return a value, but I am not sure what it means.
-#
-echo "Done"
-exit 0</PRE
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1031"
-></A
->7.2.5. Samba and Printer Ports</H3
-><P
->Windows NT/2000 print servers associate a port with each printer. These normally
-take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
-concept of ports associated with a printer. By default, only one printer port,
-named "Samba Printer Port", exists on a system. Samba does not really a port in
-order to print, rather it is a requirement of Windows clients. </P
-><P
->Note that Samba does not support the concept of "Printer Pooling" internally
-either. This is when a logical printer is assigned to multiple ports as
-a form of load balancing or fail over.</P
-><P
->If you require that multiple ports be defined for some reason,
-<TT
-CLASS="FILENAME"
->smb.conf</TT
-> possesses a <A
-HREF="smb.conf.5.html#ENUMPORTSCOMMAND"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->enumports
-command</I
-></TT
-></A
-> which can be used to define an external program
-that generates a listing of ports on a system.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1039"
-></A
->7.3. The Imprints Toolset</H2
-><P
->The Imprints tool set provides a UNIX equivalent of the
- Windows NT Add Printer Wizard. For complete information, please
- refer to the Imprints web site at <A
-HREF="http://imprints.sourceforge.net/"
-TARGET="_top"
-> http://imprints.sourceforge.net/</A
-> as well as the documentation
- included with the imprints source distribution. This section will
- only provide a brief introduction to the features of Imprints.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1043"
-></A
->7.3.1. What is Imprints?</H3
-><P
->Imprints is a collection of tools for supporting the goals
- of</P
-><P
-></P
-><UL
-><LI
-><P
->Providing a central repository information
- regarding Windows NT and 95/98 printer driver packages</P
-></LI
-><LI
-><P
->Providing the tools necessary for creating
- the Imprints printer driver packages.</P
-></LI
-><LI
-><P
->Providing an installation client which
- will obtain and install printer drivers on remote Samba
- and Windows NT 4 print servers.</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1053"
-></A
->7.3.2. Creating Printer Driver Packages</H3
-><P
->The process of creating printer driver packages is beyond
- the scope of this document (refer to Imprints.txt also included
- with the Samba distribution for more information). In short,
- an Imprints driver package is a gzipped tarball containing the
- driver files, related INF files, and a control file needed by the
- installation client.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1056"
-></A
->7.3.3. The Imprints server</H3
-><P
->The Imprints server is really a database server that
- may be queried via standard HTTP mechanisms. Each printer
- entry in the database has an associated URL for the actual
- downloading of the package. Each package is digitally signed
- via GnuPG which can be used to verify that package downloaded
- is actually the one referred in the Imprints database. It is
- <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->not</I
-></SPAN
-> recommended that this security check
- be disabled.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1060"
-></A
->7.3.4. The Installation Client</H3
-><P
->More information regarding the Imprints installation client
- is available in the <TT
-CLASS="FILENAME"
->Imprints-Client-HOWTO.ps</TT
->
- file included with the imprints source package.</P
-><P
->The Imprints installation client comes in two forms.</P
-><P
-></P
-><UL
-><LI
-><P
->a set of command line Perl scripts</P
-></LI
-><LI
-><P
->a GTK+ based graphical interface to
- the command line perl scripts</P
-></LI
-></UL
-><P
->The installation client (in both forms) provides a means
- of querying the Imprints database server for a matching
- list of known printer model names as well as a means to
- download and install the drivers on remote Samba and Windows
- NT print servers.</P
-><P
->The basic installation process is in four steps and
- perl code is wrapped around <B
-CLASS="COMMAND"
->smbclient</B
->
- and <B
-CLASS="COMMAND"
->rpcclient</B
->.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->
-foreach (supported architecture for a given driver)
-{
- 1. rpcclient: Get the appropriate upload directory
- on the remote server
- 2. smbclient: Upload the driver files
- 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
-}
-
-4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
- create the printer</PRE
-></P
-><P
->One of the problems encountered when implementing
- the Imprints tool set was the name space issues between
- various supported client architectures. For example, Windows
- NT includes a driver named "Apple LaserWriter II NTX v51.8"
- and Windows 95 calls its version of this driver "Apple
- LaserWriter II NTX"</P
-><P
->The problem is how to know what client drivers have
- been uploaded for a printer. As astute reader will remember
- that the Windows NT Printer Properties dialog only includes
- space for one printer driver name. A quick look in the
- Windows NT 4.0 system registry at</P
-><P
-><TT
-CLASS="FILENAME"
->HKLM\System\CurrentControlSet\Control\Print\Environment
- </TT
-></P
-><P
->will reveal that Windows NT always uses the NT driver
- name. This is ok as Windows NT always requires that at least
- the Windows NT version of the printer driver is present.
- However, Samba does not have the requirement internally.
- Therefore, how can you use the NT driver name if is has not
- already been installed?</P
-><P
->The way of sidestepping this limitation is to require
- that all Imprints printer driver packages include both the Intel
- Windows NT and 95/98 printer drivers and that NT driver is
- installed first.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1082"
-></A
->7.4. <A
-NAME="MIGRATION"
-></A
->Migration to from Samba 2.0.x to 2.2.x</H2
-><P
->Given that printer driver management has changed (we hope improved) in
-2.2 over prior releases, migration from an existing setup to 2.2 can
-follow several paths. Here are the possible scenarios for
-migration:</P
-><P
-></P
-><UL
-><LI
-><P
->If you do not desire the new Windows NT
- print driver support, nothing needs to be done.
- All existing parameters work the same.</P
-></LI
-><LI
-><P
->If you want to take advantage of NT printer
- driver support but do not want to migrate the
- 9x drivers to the new setup, the leave the existing
- <TT
-CLASS="FILENAME"
->printers.def</TT
-> file. When smbd attempts
- to locate a
- 9x driver for the printer in the TDB and fails it
- will drop down to using the printers.def (and all
- associated parameters). The <B
-CLASS="COMMAND"
->make_printerdef</B
->
- tool will also remain for backwards compatibility but will
- be removed in the next major release.</P
-></LI
-><LI
-><P
->If you install a Windows 9x driver for a printer
- on your Samba host (in the printing TDB), this information will
- take precedence and the three old printing parameters
- will be ignored (including print driver location).</P
-></LI
-><LI
-><P
->If you want to migrate an existing <TT
-CLASS="FILENAME"
->printers.def</TT
->
- file into the new setup, the current only solution is to use the Windows
- NT APW to install the NT drivers and the 9x drivers. This can be scripted
- using <B
-CLASS="COMMAND"
->smbclient</B
-> and <B
-CLASS="COMMAND"
->rpcclient</B
->. See the
- Imprints installation client at <A
-HREF="http://imprints.sourceforge.net/"
-TARGET="_top"
->http://imprints.sourceforge.net/</A
->
- for an example.
- </P
-></LI
-></UL
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Achtung!</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->The following <TT
-CLASS="FILENAME"
->smb.conf</TT
-> parameters are considered to
-be deprecated and will be removed soon. Do not use them in new
-installations</P
-><P
-></P
-><UL
-><LI
-><P
-><TT
-CLASS="PARAMETER"
-><I
->printer driver file (G)</I
-></TT
->
- </P
-></LI
-><LI
-><P
-><TT
-CLASS="PARAMETER"
-><I
->printer driver (S)</I
-></TT
->
- </P
-></LI
-><LI
-><P
-><TT
-CLASS="PARAMETER"
-><I
->printer driver location (S)</I
-></TT
->
- </P
-></LI
-></UL
-></TD
-></TR
-></TABLE
-></DIV
-><P
->The have been two new parameters add in Samba 2.2.2 to for
-better support of Samba 2.0.x backwards capability (<TT
-CLASS="PARAMETER"
-><I
->disable
-spoolss</I
-></TT
->) and for using local printers drivers on Windows
-NT/2000 clients (<TT
-CLASS="PARAMETER"
-><I
->use client driver</I
-></TT
->). Both of
-these options are described in the smb.coinf(5) man page and are
-disabled by default.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="PRINTINGDEBUG"
-></A
->Chapter 8. Debugging Printing Problems</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN1128"
-></A
->8.1. Introduction</H2
-><P
->This is a short description of how to debug printing problems with
-Samba. This describes how to debug problems with printing from a SMB
-client to a Samba server, not the other way around. For the reverse
-see the examples/printing directory.</P
-><P
->Ok, so you want to print to a Samba server from your PC. The first
-thing you need to understand is that Samba does not actually do any
-printing itself, it just acts as a middleman between your PC client
-and your Unix printing subsystem. Samba receives the file from the PC
-then passes the file to a external "print command". What print command
-you use is up to you.</P
-><P
->The whole things is controlled using options in smb.conf. The most
-relevant options (which you should look up in the smb.conf man page)
-are:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> [global]
- print command - send a file to a spooler
- lpq command - get spool queue status
- lprm command - remove a job
- [printers]
- path = /var/spool/lpd/samba</PRE
-></P
-><P
->The following are nice to know about:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> queuepause command - stop a printer or print queue
- queueresume command - start a printer or print queue</PRE
-></P
-><P
->Example:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> print command = /usr/bin/lpr -r -P%p %s
- lpq command = /usr/bin/lpq -P%p %s
- lprm command = /usr/bin/lprm -P%p %j
- queuepause command = /usr/sbin/lpc -P%p stop
- queuepause command = /usr/sbin/lpc -P%p start</PRE
-></P
-><P
->Samba should set reasonable defaults for these depending on your
-system type, but it isn't clairvoyant. It is not uncommon that you
-have to tweak these for local conditions. The commands should
-always have fully specified pathnames, as the smdb may not have
-the correct PATH values.</P
-><P
->When you send a job to Samba to be printed, it will make a temporary
-copy of it in the directory specified in the [printers] section.
-and it should be periodically cleaned out. The lpr -r option
-requests that the temporary copy be removed after printing; If
-printing fails then you might find leftover files in this directory,
-and it should be periodically cleaned out. Samba used the lpq
-command to determine the "job number" assigned to your print job
-by the spooler.</P
-><P
->The %&gt;letter&lt; are "macros" that get dynamically replaced with appropriate
-values when they are used. The %s gets replaced with the name of the spool
-file that Samba creates and the %p gets replaced with the name of the
-printer. The %j gets replaced with the "job number" which comes from
-the lpq output.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1144"
-></A
->8.2. Debugging printer problems</H2
-><P
->One way to debug printing problems is to start by replacing these
-command with shell scripts that record the arguments and the contents
-of the print file. A simple example of this kind of things might
-be:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> print command = /tmp/saveprint %p %s
-
- #!/bin/saveprint
- # we make sure that we are the right user
- /usr/bin/id -p &#62;/tmp/tmp.print
- # we run the command and save the error messages
- # replace the command with the one appropriate for your system
- /usr/bin/lpr -r -P$1 $2 2&#62;&#62;&#38;/tmp/tmp.print</PRE
-></P
-><P
->Then you print a file and try removing it. You may find that the
-print queue needs to be stopped in order to see the queue status
-and remove the job:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->&#13;h4: {42} % echo hi &#62;/tmp/hi
-h4: {43} % smbclient //localhost/lw4
-added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0
-Password:
-Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7]
-smb: \&#62; print /tmp/hi
-putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s)
-smb: \&#62; queue
-1049 3 hi-17534
-smb: \&#62; cancel 1049
-Error cancelling job 1049 : code 0
-smb: \&#62; cancel 1049
-Job 1049 cancelled
-smb: \&#62; queue
-smb: \&#62; exit</PRE
-></P
-><P
->The 'code 0' indicates that the job was removed. The comment
-by the smbclient is a bit misleading on this.
-You can observe the command output and then and look at the
-/tmp/tmp.print file to see what the results are. You can quickly
-find out if the problem is with your printing system. Often people
-have problems with their /etc/printcap file or permissions on
-various print queues.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1153"
-></A
->8.3. What printers do I have?</H2
-><P
->You can use the 'testprns' program to check to see if the printer
-name you are using is recognized by Samba. For example, you can
-use:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> testprns printer /etc/printcap</PRE
-></P
-><P
->Samba can get its printcap information from a file or from a program.
-You can try the following to see the format of the extracted
-information:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> testprns -a printer /etc/printcap
-
- testprns -a printer '|/bin/cat printcap'</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1161"
-></A
->8.4. Setting up printcap and print servers</H2
-><P
->You may need to set up some printcaps for your Samba system to use.
-It is strongly recommended that you use the facilities provided by
-the print spooler to set up queues and printcap information.</P
-><P
->Samba requires either a printcap or program to deliver printcap
-information. This printcap information has the format:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> name|alias1|alias2...:option=value:...</PRE
-></P
-><P
->For almost all printing systems, the printer 'name' must be composed
-only of alphanumeric or underscore '_' characters. Some systems also
-allow hyphens ('-') as well. An alias is an alternative name for the
-printer, and an alias with a space in it is used as a 'comment'
-about the printer. The printcap format optionally uses a \ at the end of lines
-to extend the printcap to multiple lines.</P
-><P
->Here are some examples of printcap files:</P
-><P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->pr just printer name</P
-></LI
-><LI
-><P
->pr|alias printer name and alias</P
-></LI
-><LI
-><P
->pr|My Printer printer name, alias used as comment</P
-></LI
-><LI
-><P
->pr:sh:\ Same as pr:sh:cm= testing
- :cm= \
- testing</P
-></LI
-><LI
-><P
->pr:sh Same as pr:sh:cm= testing
- :cm= testing</P
-></LI
-></OL
-></P
-><P
->Samba reads the printcap information when first started. If you make
-changes in the printcap information, then you must do the following:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->make sure that the print spooler is aware of these changes.
-The LPRng system uses the 'lpc reread' command to do this.</P
-></LI
-><LI
-><P
->make sure that the spool queues, etc., exist and have the
-correct permissions. The LPRng system uses the 'checkpc -f'
-command to do this.</P
-></LI
-><LI
-><P
->You now should send a SIGHUP signal to the smbd server to have
-it reread the printcap information.</P
-></LI
-></OL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1189"
-></A
->8.5. Job sent, no output</H2
-><P
->This is the most frustrating part of printing. You may have sent the
-job, verified that the job was forwarded, set up a wrapper around
-the command to send the file, but there was no output from the printer.</P
-><P
->First, check to make sure that the job REALLY is getting to the
-right print queue. If you are using a BSD or LPRng print spooler,
-you can temporarily stop the printing of jobs. Jobs can still be
-submitted, but they will not be printed. Use:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> lpc -Pprinter stop</PRE
-></P
-><P
->Now submit a print job and then use 'lpq -Pprinter' to see if the
-job is in the print queue. If it is not in the print queue then
-you will have to find out why it is not being accepted for printing.</P
-><P
->Next, you may want to check to see what the format of the job really
-was. With the assistance of the system administrator you can view
-the submitted jobs files. You may be surprised to find that these
-are not in what you would expect to call a printable format.
-You can use the UNIX 'file' utitily to determine what the job
-format actually is:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> cd /var/spool/lpd/printer # spool directory of print jobs
- ls # find job files
- file dfA001myhost</PRE
-></P
-><P
->You should make sure that your printer supports this format OR that
-your system administrator has installed a 'print filter' that will
-convert the file to a format appropriate for your printer.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1200"
-></A
->8.6. Job sent, strange output</H2
-><P
->Once you have the job printing, you can then start worrying about
-making it print nicely.</P
-><P
->The most common problem is extra pages of output: banner pages
-OR blank pages at the end.</P
-><P
->If you are getting banner pages, check and make sure that the
-printcap option or printer option is configured for no banners.
-If you have a printcap, this is the :sh (suppress header or banner
-page) option. You should have the following in your printer.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> printer: ... :sh</PRE
-></P
-><P
->If you have this option and are still getting banner pages, there
-is a strong chance that your printer is generating them for you
-automatically. You should make sure that banner printing is disabled
-for the printer. This usually requires using the printer setup software
-or procedures supplied by the printer manufacturer.</P
-><P
->If you get an extra page of output, this could be due to problems
-with your job format, or if you are generating PostScript jobs,
-incorrect setting on your printer driver on the MicroSoft client.
-For example, under Win95 there is a option:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> Printers|Printer Name|(Right Click)Properties|Postscript|Advanced|</PRE
-></P
-><P
->that allows you to choose if a Ctrl-D is appended to all jobs.
-This is a very bad thing to do, as most spooling systems will
-automatically add a ^D to the end of the job if it is detected as
-PostScript. The multiple ^D may cause an additional page of output.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1212"
-></A
->8.7. Raw PostScript printed</H2
-><P
->This is a problem that is usually caused by either the print spooling
-system putting information at the start of the print job that makes
-the printer think the job is a text file, or your printer simply
-does not support PostScript. You may need to enable 'Automatic
-Format Detection' on your printer.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1215"
-></A
->8.8. Advanced Printing</H2
-><P
->Note that you can do some pretty magic things by using your
-imagination with the "print command" option and some shell scripts.
-Doing print accounting is easy by passing the %U option to a print
-command shell script. You could even make the print command detect
-the type of output and its size and send it to an appropriate
-printer.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1218"
-></A
->8.9. Real debugging</H2
-><P
->If the above debug tips don't help, then maybe you need to bring in
-the bug guns, system tracing. See Tracing.txt in this directory.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="SECURITYLEVELS"
-></A
->Chapter 9. Security levels</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN1231"
-></A
->9.1. Introduction</H2
-><P
->Samba supports the following options to the global smb.conf parameter</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[global]
-<A
-HREF="smb.conf.5.html#SECURITY"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->security</I
-></TT
-></A
-> = [share|user(default)|domain|ads]</PRE
-></P
-><P
->Please refer to the smb.conf man page for usage information and to the document
-<A
-HREF="DOMAIN_MEMBER.html"
-TARGET="_top"
->DOMAIN_MEMBER.html</A
-> for further background details
-on domain mode security. The Windows 2000 Kerberos domain security model
-(security = ads) is described in the <A
-HREF="ADS-HOWTO.html"
-TARGET="_top"
->ADS-HOWTO.html</A
->.</P
-><P
->Of the above, "security = server" means that Samba reports to clients that
-it is running in "user mode" but actually passes off all authentication
-requests to another "user mode" server. This requires an additional
-parameter "password server =" that points to the real authentication server.
-That real authentication server can be another Samba server or can be a
-Windows NT server, the later natively capable of encrypted password support.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1242"
-></A
->9.2. More complete description of security levels</H2
-><P
->A SMB server tells the client at startup what "security level" it is
-running. There are two options "share level" and "user level". Which
-of these two the client receives affects the way the client then tries
-to authenticate itself. It does not directly affect (to any great
-extent) the way the Samba server does security. I know this is
-strange, but it fits in with the client/server approach of SMB. In SMB
-everything is initiated and controlled by the client, and the server
-can only tell the client what is available and whether an action is
-allowed. </P
-><P
->I'll describe user level security first, as its simpler. In user level
-security the client will send a "session setup" command directly after
-the protocol negotiation. This contains a username and password. The
-server can either accept or reject that username/password
-combination. Note that at this stage the server has no idea what
-share the client will eventually try to connect to, so it can't base
-the "accept/reject" on anything other than:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->the username/password</P
-></LI
-><LI
-><P
->the machine that the client is coming from</P
-></LI
-></OL
-><P
->If the server accepts the username/password then the client expects to
-be able to mount any share (using a "tree connection") without
-specifying a password. It expects that all access rights will be as
-the username/password specified in the "session setup". </P
-><P
->It is also possible for a client to send multiple "session setup"
-requests. When the server responds it gives the client a "uid" to use
-as an authentication tag for that username/password. The client can
-maintain multiple authentication contexts in this way (WinDD is an
-example of an application that does this)</P
-><P
->Ok, now for share level security. In share level security the client
-authenticates itself separately for each share. It will send a
-password along with each "tree connection" (share mount). It does not
-explicitly send a username with this operation. The client is
-expecting a password to be associated with each share, independent of
-the user. This means that samba has to work out what username the
-client probably wants to use. It is never explicitly sent the
-username. Some commercial SMB servers such as NT actually associate
-passwords directly with shares in share level security, but samba
-always uses the unix authentication scheme where it is a
-username/password that is authenticated, not a "share/password".</P
-><P
->Many clients send a "session setup" even if the server is in share
-level security. They normally send a valid username but no
-password. Samba records this username in a list of "possible
-usernames". When the client then does a "tree connection" it also adds
-to this list the name of the share they try to connect to (useful for
-home directories) and any users listed in the "user =" smb.conf
-line. The password is then checked in turn against these "possible
-usernames". If a match is found then the client is authenticated as
-that user.</P
-><P
->Finally "server level" security. In server level security the samba
-server reports to the client that it is in user level security. The
-client then does a "session setup" as described earlier. The samba
-server takes the username/password that the client sends and attempts
-to login to the "password server" by sending exactly the same
-username/password that it got from the client. If that server is in
-user level security and accepts the password then samba accepts the
-clients connection. This allows the samba server to use another SMB
-server as the "password server". </P
-><P
->You should also note that at the very start of all this, where the
-server tells the client what security level it is in, it also tells
-the client if it supports encryption. If it does then it supplies the
-client with a random "cryptkey". The client will then send all
-passwords in encrypted form. You have to compile samba with encryption
-enabled to support this feature, and you have to maintain a separate
-smbpasswd file with SMB style encrypted passwords. It is
-cryptographically impossible to translate from unix style encryption
-to SMB style encryption, although there are some fairly simple management
-schemes by which the two could be kept in sync.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="DOMAIN-SECURITY"
-></A
->Chapter 10. security = domain in Samba 2.x</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN1275"
-></A
->10.1. Joining an NT Domain with Samba 2.2</H2
-><P
->Assume you have a Samba 2.x server with a NetBIOS name of
- <TT
-CLASS="CONSTANT"
->SERV1</TT
-> and are joining an NT domain called
- <TT
-CLASS="CONSTANT"
->DOM</TT
->, which has a PDC with a NetBIOS name
- of <TT
-CLASS="CONSTANT"
->DOMPDC</TT
-> and two backup domain controllers
- with NetBIOS names <TT
-CLASS="CONSTANT"
->DOMBDC1</TT
-> and <TT
-CLASS="CONSTANT"
->DOMBDC2
- </TT
->.</P
-><P
->In order to join the domain, first stop all Samba daemons
- and run the command:</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><TT
-CLASS="USERINPUT"
-><B
->smbpasswd -j DOM -r DOMPDC
- -U<TT
-CLASS="REPLACEABLE"
-><I
->Administrator%password</I
-></TT
-></B
-></TT
-></P
-><P
->as we are joining the domain DOM and the PDC for that domain
- (the only machine that has write access to the domain SAM database)
- is DOMPDC. The <TT
-CLASS="REPLACEABLE"
-><I
->Administrator%password</I
-></TT
-> is
- the login name and password for an account which has the necessary
- privilege to add machines to the domain. If this is successful
- you will see the message:</P
-><P
-><TT
-CLASS="COMPUTEROUTPUT"
->smbpasswd: Joined domain DOM.</TT
->
- </P
-><P
->in your terminal window. See the <A
-HREF="smbpasswd.8.html"
-TARGET="_top"
-> smbpasswd(8)</A
-> man page for more details.</P
-><P
->There is existing development code to join a domain
- without having to create the machine trust account on the PDC
- beforehand. This code will hopefully be available soon
- in release branches as well.</P
-><P
->This command goes through the machine account password
- change protocol, then writes the new (random) machine account
- password for this Samba server into a file in the same directory
- in which an smbpasswd file would be stored - normally :</P
-><P
-><TT
-CLASS="FILENAME"
->/usr/local/samba/private</TT
-></P
-><P
->In Samba 2.0.x, the filename looks like this:</P
-><P
-><TT
-CLASS="FILENAME"
-><TT
-CLASS="REPLACEABLE"
-><I
->&lt;NT DOMAIN NAME&gt;</I
-></TT
->.<TT
-CLASS="REPLACEABLE"
-><I
->&lt;Samba
- Server Name&gt;</I
-></TT
->.mac</TT
-></P
-><P
->The <TT
-CLASS="FILENAME"
->.mac</TT
-> suffix stands for machine account
- password file. So in our example above, the file would be called:</P
-><P
-><TT
-CLASS="FILENAME"
->DOM.SERV1.mac</TT
-></P
-><P
->In Samba 2.2, this file has been replaced with a TDB
- (Trivial Database) file named <TT
-CLASS="FILENAME"
->secrets.tdb</TT
->.
- </P
-><P
->This file is created and owned by root and is not
- readable by any other user. It is the key to the domain-level
- security for your system, and should be treated as carefully
- as a shadow password file.</P
-><P
->Now, before restarting the Samba daemons you must
- edit your <A
-HREF="smb.conf.5.html"
-TARGET="_top"
-><TT
-CLASS="FILENAME"
->smb.conf(5)</TT
->
- </A
-> file to tell Samba it should now use domain security.</P
-><P
->Change (or add) your <A
-HREF="smb.conf.5.html#SECURITY"
-TARGET="_top"
-> <TT
-CLASS="PARAMETER"
-><I
->security =</I
-></TT
-></A
-> line in the [global] section
- of your smb.conf to read:</P
-><P
-><B
-CLASS="COMMAND"
->security = domain</B
-></P
-><P
->Next change the <A
-HREF="smb.conf.5.html#WORKGROUP"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
-> workgroup =</I
-></TT
-></A
-> line in the [global] section to read: </P
-><P
-><B
-CLASS="COMMAND"
->workgroup = DOM</B
-></P
-><P
->as this is the name of the domain we are joining. </P
-><P
->You must also have the parameter <A
-HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
-TARGET="_top"
-> <TT
-CLASS="PARAMETER"
-><I
->encrypt passwords</I
-></TT
-></A
-> set to <TT
-CLASS="CONSTANT"
->yes
- </TT
-> in order for your users to authenticate to the NT PDC.</P
-><P
->Finally, add (or modify) a <A
-HREF="smb.conf.5.html#PASSWORDSERVER"
-TARGET="_top"
-> <TT
-CLASS="PARAMETER"
-><I
->password server =</I
-></TT
-></A
-> line in the [global]
- section to read: </P
-><P
-><B
-CLASS="COMMAND"
->password server = DOMPDC DOMBDC1 DOMBDC2</B
-></P
-><P
->These are the primary and backup domain controllers Samba
- will attempt to contact in order to authenticate users. Samba will
- try to contact each of these servers in order, so you may want to
- rearrange this list in order to spread out the authentication load
- among domain controllers.</P
-><P
->Alternatively, if you want smbd to automatically determine
- the list of Domain controllers to use for authentication, you may
- set this line to be :</P
-><P
-><B
-CLASS="COMMAND"
->password server = *</B
-></P
-><P
->This method, which was introduced in Samba 2.0.6,
- allows Samba to use exactly the same mechanism that NT does. This
- method either broadcasts or uses a WINS database in order to
- find domain controllers to authenticate against.</P
-><P
->Finally, restart your Samba daemons and get ready for
- clients to begin using domain security!</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1339"
-></A
->10.2. Samba and Windows 2000 Domains</H2
-><P
->Many people have asked regarding the state of Samba's ability to participate in
-a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode.</P
-><P
->There is much confusion between the circumstances that require a "mixed" mode
-Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
-Win2k domain controller is only needed if Windows NT BDCs must exist in the same
-domain. By default, a Win2k DC in "native" mode will still support
-NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
-NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
-><P
->The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
-for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
-the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
-Computers" MMC (Microsoft Management Console) plugin.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1344"
-></A
->10.3. Why is this better than security = server?</H2
-><P
->Currently, domain security in Samba doesn't free you from
- having to create local Unix users to represent the users attaching
- to your server. This means that if domain user <TT
-CLASS="CONSTANT"
->DOM\fred
- </TT
-> attaches to your domain security Samba server, there needs
- to be a local Unix user fred to represent that user in the Unix
- filesystem. This is very similar to the older Samba security mode
- <A
-HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
-TARGET="_top"
->security = server</A
->,
- where Samba would pass through the authentication request to a Windows
- NT server in the same way as a Windows 95 or Windows 98 server would.
- </P
-><P
->Please refer to the <A
-HREF="winbind.html"
-TARGET="_top"
->Winbind
- paper</A
-> for information on a system to automatically
- assign UNIX uids and gids to Windows NT Domain users and groups.
- This code is available in development branches only at the moment,
- but will be moved to release branches soon.</P
-><P
->The advantage to domain-level security is that the
- authentication in domain-level security is passed down the authenticated
- RPC channel in exactly the same way that an NT server would do it. This
- means Samba servers now participate in domain trust relationships in
- exactly the same way NT servers do (i.e., you can add Samba servers into
- a resource domain and have the authentication passed on from a resource
- domain PDC to an account domain PDC.</P
-><P
->In addition, with <B
-CLASS="COMMAND"
->security = server</B
-> every Samba
- daemon on a server has to keep a connection open to the
- authenticating server for as long as that daemon lasts. This can drain
- the connection resources on a Microsoft NT server and cause it to run
- out of available connections. With <B
-CLASS="COMMAND"
->security = domain</B
->,
- however, the Samba daemons connect to the PDC/BDC only for as long
- as is necessary to authenticate the user, and then drop the connection,
- thus conserving PDC connection resources.</P
-><P
->And finally, acting in the same manner as an NT server
- authenticating to a PDC means that as part of the authentication
- reply, the Samba server gets the user identification information such
- as the user SID, the list of NT groups the user belongs to, etc. All
- this information will allow Samba to be extended in the future into
- a mode the developers currently call appliance mode. In this mode,
- no local Unix users will be necessary, and Samba will generate Unix
- uids and gids from the information passed back from the PDC when a
- user is authenticated, making a Samba server truly plug and play
- in an NT domain environment. Watch for this code soon.</P
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE:</I
-></SPAN
-> Much of the text of this document
- was first published in the Web magazine <A
-HREF="http://www.linuxworld.com"
-TARGET="_top"
->
- LinuxWorld</A
-> as the article <A
-HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
-TARGET="_top"
->Doing
- the NIS/NT Samba</A
->.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="WINBIND"
-></A
->Chapter 11. Unified Logons between Windows NT and UNIX using Winbind</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN1397"
-></A
->11.1. Abstract</H2
-><P
->Integration of UNIX and Microsoft Windows NT through
- a unified logon has been considered a "holy grail" in heterogeneous
- computing environments for a long time. We present
- <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->winbind</I
-></SPAN
->, a component of the Samba suite
- of programs as a solution to the unified logon problem. Winbind
- uses a UNIX implementation
- of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
- Service Switch to allow Windows NT domain users to appear and operate
- as UNIX users on a UNIX machine. This paper describes the winbind
- system, explaining the functionality it provides, how it is configured,
- and how it works internally.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1401"
-></A
->11.2. Introduction</H2
-><P
->It is well known that UNIX and Microsoft Windows NT have
- different models for representing user and group information and
- use different technologies for implementing them. This fact has
- made it difficult to integrate the two systems in a satisfactory
- manner.</P
-><P
->One common solution in use today has been to create
- identically named user accounts on both the UNIX and Windows systems
- and use the Samba suite of programs to provide file and print services
- between the two. This solution is far from perfect however, as
- adding and deleting users on both sets of machines becomes a chore
- and two sets of passwords are required both of which
- can lead to synchronization problems between the UNIX and Windows
- systems and confusion for users.</P
-><P
->We divide the unified logon problem for UNIX machines into
- three smaller problems:</P
-><P
-></P
-><UL
-><LI
-><P
->Obtaining Windows NT user and group information
- </P
-></LI
-><LI
-><P
->Authenticating Windows NT users
- </P
-></LI
-><LI
-><P
->Password changing for Windows NT users
- </P
-></LI
-></UL
-><P
->Ideally, a prospective solution to the unified logon problem
- would satisfy all the above components without duplication of
- information on the UNIX machines and without creating additional
- tasks for the system administrator when maintaining users and
- groups on either system. The winbind system provides a simple
- and elegant solution to all three components of the unified logon
- problem.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1414"
-></A
->11.3. What Winbind Provides</H2
-><P
->Winbind unifies UNIX and Windows NT account management by
- allowing a UNIX box to become a full member of a NT domain. Once
- this is done the UNIX box will see NT users and groups as if
- they were native UNIX users and groups, allowing the NT domain
- to be used in much the same manner that NIS+ is used within
- UNIX-only environments.</P
-><P
->The end result is that whenever any
- program on the UNIX machine asks the operating system to lookup
- a user or group name, the query will be resolved by asking the
- NT domain controller for the specified domain to do the lookup.
- Because Winbind hooks into the operating system at a low level
- (via the NSS name resolution modules in the C library) this
- redirection to the NT domain controller is completely
- transparent.</P
-><P
->Users on the UNIX machine can then use NT user and group
- names as they would use "native" UNIX names. They can chown files
- so that they are owned by NT domain users or even login to the
- UNIX machine and run a UNIX X-Window session as a domain user.</P
-><P
->The only obvious indication that Winbind is being used is
- that user and group names take the form DOMAIN\user and
- DOMAIN\group. This is necessary as it allows Winbind to determine
- that redirection to a domain controller is wanted for a particular
- lookup and which trusted domain is being referenced.</P
-><P
->Additionally, Winbind provides an authentication service
- that hooks into the Pluggable Authentication Modules (PAM) system
- to provide authentication via a NT domain to any PAM enabled
- applications. This capability solves the problem of synchronizing
- passwords between systems since all passwords are stored in a single
- location (on the domain controller).</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1421"
-></A
->11.3.1. Target Uses</H3
-><P
->Winbind is targeted at organizations that have an
- existing NT based domain infrastructure into which they wish
- to put UNIX workstations or servers. Winbind will allow these
- organizations to deploy UNIX workstations without having to
- maintain a separate account infrastructure. This greatly
- simplifies the administrative overhead of deploying UNIX
- workstations into a NT based organization.</P
-><P
->Another interesting way in which we expect Winbind to
- be used is as a central part of UNIX based appliances. Appliances
- that provide file and print services to Microsoft based networks
- will be able to use Winbind to provide seamless integration of
- the appliance into the domain.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1425"
-></A
->11.4. How Winbind Works</H2
-><P
->The winbind system is designed around a client/server
- architecture. A long running <B
-CLASS="COMMAND"
->winbindd</B
-> daemon
- listens on a UNIX domain socket waiting for requests
- to arrive. These requests are generated by the NSS and PAM
- clients and processed sequentially.</P
-><P
->The technologies used to implement winbind are described
- in detail below.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1430"
-></A
->11.4.1. Microsoft Remote Procedure Calls</H3
-><P
->Over the last two years, efforts have been underway
- by various Samba Team members to decode various aspects of
- the Microsoft Remote Procedure Call (MSRPC) system. This
- system is used for most network related operations between
- Windows NT machines including remote management, user authentication
- and print spooling. Although initially this work was done
- to aid the implementation of Primary Domain Controller (PDC)
- functionality in Samba, it has also yielded a body of code which
- can be used for other purposes.</P
-><P
->Winbind uses various MSRPC calls to enumerate domain users
- and groups and to obtain detailed information about individual
- users or groups. Other MSRPC calls can be used to authenticate
- NT domain users and to change user passwords. By directly querying
- a Windows PDC for user and group information, winbind maps the
- NT account information onto UNIX user and group names.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1434"
-></A
->11.4.2. Name Service Switch</H3
-><P
->The Name Service Switch, or NSS, is a feature that is
- present in many UNIX operating systems. It allows system
- information such as hostnames, mail aliases and user information
- to be resolved from different sources. For example, a standalone
- UNIX workstation may resolve system information from a series of
- flat files stored on the local filesystem. A networked workstation
- may first attempt to resolve system information from local files,
- and then consult a NIS database for user information or a DNS server
- for hostname information.</P
-><P
->The NSS application programming interface allows winbind
- to present itself as a source of system information when
- resolving UNIX usernames and groups. Winbind uses this interface,
- and information obtained from a Windows NT server using MSRPC
- calls to provide a new source of account enumeration. Using standard
- UNIX library calls, one can enumerate the users and groups on
- a UNIX machine running winbind and see all users and groups in
- a NT domain plus any trusted domain as though they were local
- users and groups.</P
-><P
->The primary control file for NSS is
- <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
->.
- When a UNIX application makes a request to do a lookup
- the C library looks in <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
->
- for a line which matches the service type being requested, for
- example the "passwd" service type is used when user or group names
- are looked up. This config line species which implementations
- of that service should be tried and in what order. If the passwd
- config line is:</P
-><P
-><B
-CLASS="COMMAND"
->passwd: files example</B
-></P
-><P
->then the C library will first load a module called
- <TT
-CLASS="FILENAME"
->/lib/libnss_files.so</TT
-> followed by
- the module <TT
-CLASS="FILENAME"
->/lib/libnss_example.so</TT
->. The
- C library will dynamically load each of these modules in turn
- and call resolver functions within the modules to try to resolve
- the request. Once the request is resolved the C library returns the
- result to the application.</P
-><P
->This NSS interface provides a very easy way for Winbind
- to hook into the operating system. All that needs to be done
- is to put <TT
-CLASS="FILENAME"
->libnss_winbind.so</TT
-> in <TT
-CLASS="FILENAME"
->/lib/</TT
->
- then add "winbind" into <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-> at
- the appropriate place. The C library will then call Winbind to
- resolve user and group names.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1450"
-></A
->11.4.3. Pluggable Authentication Modules</H3
-><P
->Pluggable Authentication Modules, also known as PAM,
- is a system for abstracting authentication and authorization
- technologies. With a PAM module it is possible to specify different
- authentication methods for different system applications without
- having to recompile these applications. PAM is also useful
- for implementing a particular policy for authorization. For example,
- a system administrator may only allow console logins from users
- stored in the local password file but only allow users resolved from
- a NIS database to log in over the network.</P
-><P
->Winbind uses the authentication management and password
- management PAM interface to integrate Windows NT users into a
- UNIX system. This allows Windows NT users to log in to a UNIX
- machine and be authenticated against a suitable Primary Domain
- Controller. These users can also change their passwords and have
- this change take effect directly on the Primary Domain Controller.
- </P
-><P
->PAM is configured by providing control files in the directory
- <TT
-CLASS="FILENAME"
->/etc/pam.d/</TT
-> for each of the services that
- require authentication. When an authentication request is made
- by an application the PAM code in the C library looks up this
- control file to determine what modules to load to do the
- authentication check and in what order. This interface makes adding
- a new authentication service for Winbind very easy, all that needs
- to be done is that the <TT
-CLASS="FILENAME"
->pam_winbind.so</TT
-> module
- is copied to <TT
-CLASS="FILENAME"
->/lib/security/</TT
-> and the PAM
- control files for relevant services are updated to allow
- authentication via winbind. See the PAM documentation
- for more details.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1458"
-></A
->11.4.4. User and Group ID Allocation</H3
-><P
->When a user or group is created under Windows NT
- is it allocated a numerical relative identifier (RID). This is
- slightly different to UNIX which has a range of numbers that are
- used to identify users, and the same range in which to identify
- groups. It is winbind's job to convert RIDs to UNIX id numbers and
- vice versa. When winbind is configured it is given part of the UNIX
- user id space and a part of the UNIX group id space in which to
- store Windows NT users and groups. If a Windows NT user is
- resolved for the first time, it is allocated the next UNIX id from
- the range. The same process applies for Windows NT groups. Over
- time, winbind will have mapped all Windows NT users and groups
- to UNIX user ids and group ids.</P
-><P
->The results of this mapping are stored persistently in
- an ID mapping database held in a tdb database). This ensures that
- RIDs are mapped to UNIX IDs in a consistent way.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1462"
-></A
->11.4.5. Result Caching</H3
-><P
->An active system can generate a lot of user and group
- name lookups. To reduce the network cost of these lookups winbind
- uses a caching scheme based on the SAM sequence number supplied
- by NT domain controllers. User or group information returned
- by a PDC is cached by winbind along with a sequence number also
- returned by the PDC. This sequence number is incremented by
- Windows NT whenever any user or group information is modified. If
- a cached entry has expired, the sequence number is requested from
- the PDC and compared against the sequence number of the cached entry.
- If the sequence numbers do not match, then the cached information
- is discarded and up to date information is requested directly
- from the PDC.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1465"
-></A
->11.5. Installation and Configuration</H2
-><P
->Many thanks to John Trostel <A
-HREF="mailto:jtrostel@snapserver.com"
-TARGET="_top"
->jtrostel@snapserver.com</A
->
-for providing the HOWTO for this section.</P
-><P
->This HOWTO describes how to get winbind services up and running
-to control access and authenticate users on your Linux box using
-the winbind services which come with SAMBA 2.2.2.</P
-><P
->There is also some Solaris specific information in
-<TT
-CLASS="FILENAME"
->docs/textdocs/Solaris-Winbind-HOWTO.txt</TT
->.
-Future revisions of this document will incorporate that
-information.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1472"
-></A
->11.5.1. Introduction</H3
-><P
->This HOWTO describes the procedures used to get winbind up and
-running on my RedHat 7.1 system. Winbind is capable of providing access
-and authentication control for Windows Domain users through an NT
-or Win2K PDC for 'regular' services, such as telnet a nd ftp, as
-well for SAMBA services.</P
-><P
->This HOWTO has been written from a 'RedHat-centric' perspective, so if
-you are using another distribution, you may have to modify the instructions
-somewhat to fit the way your distribution works.</P
-><P
-></P
-><UL
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Why should I to this?</I
-></SPAN
->
- </P
-><P
->This allows the SAMBA administrator to rely on the
- authentication mechanisms on the NT/Win2K PDC for the authentication
- of domain members. NT/Win2K users no longer need to have separate
- accounts on the SAMBA server.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Who should be reading this document?</I
-></SPAN
->
- </P
-><P
-> This HOWTO is designed for system administrators. If you are
- implementing SAMBA on a file server and wish to (fairly easily)
- integrate existing NT/Win2K users from your PDC onto the
- SAMBA server, this HOWTO is for you. That said, I am no NT or PAM
- expert, so you may find a better or easier way to accomplish
- these tasks.
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1485"
-></A
->11.5.2. Requirements</H3
-><P
->If you have a samba configuration file that you are currently
-using... <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->BACK IT UP!</I
-></SPAN
-> If your system already uses PAM,
-<SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->back up the <TT
-CLASS="FILENAME"
->/etc/pam.d</TT
-> directory
-contents!</I
-></SPAN
-> If you haven't already made a boot disk,
-<SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->MAKE ONE NOW!</I
-></SPAN
-></P
-><P
->Messing with the pam configuration files can make it nearly impossible
-to log in to yourmachine. That's why you want to be able to boot back
-into your machine in single user mode and restore your
-<TT
-CLASS="FILENAME"
->/etc/pam.d</TT
-> back to the original state they were in if
-you get frustrated with the way things are going. ;-)</P
-><P
->The latest version of SAMBA (version 2.2.2 as of this writing), now
-includes a functioning winbindd daemon. Please refer to the
-<A
-HREF="http://samba.org/"
-TARGET="_top"
->main SAMBA web page</A
-> or,
-better yet, your closest SAMBA mirror site for instructions on
-downloading the source code.</P
-><P
->To allow Domain users the ability to access SAMBA shares and
-files, as well as potentially other services provided by your
-SAMBA machine, PAM (pluggable authentication modules) must
-be setup properly on your machine. In order to compile the
-winbind modules, you should have at least the pam libraries resident
-on your system. For recent RedHat systems (7.1, for instance), that
-means <TT
-CLASS="FILENAME"
->pam-0.74-22</TT
->. For best results, it is helpful to also
-install the development packages in <TT
-CLASS="FILENAME"
->pam-devel-0.74-22</TT
->.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1499"
-></A
->11.5.3. Testing Things Out</H3
-><P
->Before starting, it is probably best to kill off all the SAMBA
-related daemons running on your server. Kill off all <B
-CLASS="COMMAND"
->smbd</B
->,
-<B
-CLASS="COMMAND"
->nmbd</B
->, and <B
-CLASS="COMMAND"
->winbindd</B
-> processes that may
-be running. To use PAM, you will want to make sure that you have the
-standard PAM package (for RedHat) which supplies the <TT
-CLASS="FILENAME"
->/etc/pam.d</TT
->
-directory structure, including the pam modules are used by pam-aware
-services, several pam libraries, and the <TT
-CLASS="FILENAME"
->/usr/doc</TT
->
-and <TT
-CLASS="FILENAME"
->/usr/man</TT
-> entries for pam. Winbind built better
-in SAMBA if the pam-devel package was also installed. This package includes
-the header files needed to compile pam-aware applications. For instance,
-my RedHat system has both <TT
-CLASS="FILENAME"
->pam-0.74-22</TT
-> and
-<TT
-CLASS="FILENAME"
->pam-devel-0.74-22</TT
-> RPMs installed.</P
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1510"
-></A
->11.5.3.1. Configure and compile SAMBA</H4
-><P
->The configuration and compilation of SAMBA is pretty straightforward.
-The first three steps may not be necessary depending upon
-whether or not you have previously built the Samba binaries.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->autoconf</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->make clean</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->rm config.cache</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->./configure --with-winbind</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->make</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->make install</B
-></PRE
-></P
-><P
->This will, by default, install SAMBA in <TT
-CLASS="FILENAME"
->/usr/local/samba</TT
->.
-See the main SAMBA documentation if you want to install SAMBA somewhere else.
-It will also build the winbindd executable and libraries. </P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1529"
-></A
->11.5.3.2. Configure <TT
-CLASS="FILENAME"
->nsswitch.conf</TT
-> and the
-winbind libraries</H4
-><P
->The libraries needed to run the <B
-CLASS="COMMAND"
->winbindd</B
-> daemon
-through nsswitch need to be copied to their proper locations, so</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->cp ../samba/source/nsswitch/libnss_winbind.so /lib</B
-></P
-><P
->I also found it necessary to make the following symbolic link:</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</B
-></P
-><P
->And, in the case of Sun solaris:</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</B
->
-<TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</B
-></P
-><P
->Now, as root you need to edit <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-> to
-allow user and group entries to be visible from the <B
-CLASS="COMMAND"
->winbindd</B
->
-daemon. My <TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-> file look like
-this after editing:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> passwd: files winbind
- shadow: files
- group: files winbind</PRE
-></P
-><P
->
-The libraries needed by the winbind daemon will be automatically
-entered into the <B
-CLASS="COMMAND"
->ldconfig</B
-> cache the next time
-your system reboots, but it
-is faster (and you don't need to reboot) if you do it manually:</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->/sbin/ldconfig -v | grep winbind</B
-></P
-><P
->This makes <TT
-CLASS="FILENAME"
->libnss_winbind</TT
-> available to winbindd
-and echos back a check to you.</P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1562"
-></A
->11.5.3.3. Configure smb.conf</H4
-><P
->Several parameters are needed in the smb.conf file to control
-the behavior of <B
-CLASS="COMMAND"
->winbindd</B
->. Configure
-<TT
-CLASS="FILENAME"
->smb.conf</TT
-> These are described in more detail in
-the <A
-HREF="winbindd.8.html"
-TARGET="_top"
->winbindd(8)</A
-> man page. My
-<TT
-CLASS="FILENAME"
->smb.conf</TT
-> file was modified to
-include the following entries in the [global] section:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[global]
- &#60;...&#62;
- # separate domain and username with '+', like DOMAIN+username
- <A
-HREF="winbindd.8.html#WINBINDSEPARATOR"
-TARGET="_top"
->winbind separator</A
-> = +
- # use uids from 10000 to 20000 for domain users
- <A
-HREF="winbindd.8.html#WINBINDUID"
-TARGET="_top"
->winbind uid</A
-> = 10000-20000
- # use gids from 10000 to 20000 for domain groups
- <A
-HREF="winbindd.8.html#WINBINDGID"
-TARGET="_top"
->winbind gid</A
-> = 10000-20000
- # allow enumeration of winbind users and groups
- <A
-HREF="winbindd.8.html#WINBINDENUMUSERS"
-TARGET="_top"
->winbind enum users</A
-> = yes
- <A
-HREF="winbindd.8.html#WINBINDENUMGROUP"
-TARGET="_top"
->winbind enum groups</A
-> = yes
- # give winbind users a real shell (only needed if they have telnet access)
- <A
-HREF="winbindd.8.html#TEMPLATEHOMEDIR"
-TARGET="_top"
->template homedir</A
-> = /home/winnt/%D/%U
- <A
-HREF="winbindd.8.html#TEMPLATESHELL"
-TARGET="_top"
->template shell</A
-> = /bin/bash</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1578"
-></A
->11.5.3.4. Join the SAMBA server to the PDC domain</H4
-><P
->Enter the following command to make the SAMBA server join the
-PDC domain, where <TT
-CLASS="REPLACEABLE"
-><I
->DOMAIN</I
-></TT
-> is the name of
-your Windows domain and <TT
-CLASS="REPLACEABLE"
-><I
->Administrator</I
-></TT
-> is
-a domain user who has administrative privileges in the domain.</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->/usr/local/samba/bin/net rpc join -s PDC -U Administrator</B
-></P
-><P
->The proper response to the command should be: "Joined the domain
-<TT
-CLASS="REPLACEABLE"
-><I
->DOMAIN</I
-></TT
->" where <TT
-CLASS="REPLACEABLE"
-><I
->DOMAIN</I
-></TT
->
-is your DOMAIN name.</P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1589"
-></A
->11.5.3.5. Start up the winbindd daemon and test it!</H4
-><P
->Eventually, you will want to modify your smb startup script to
-automatically invoke the winbindd daemon when the other parts of
-SAMBA start, but it is possible to test out just the winbind
-portion first. To start up winbind services, enter the following
-command as root:</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->/usr/local/samba/bin/winbindd</B
-></P
-><P
->I'm always paranoid and like to make sure the daemon
-is really running...</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->ps -ae | grep winbindd</B
-></P
-><P
->This command should produce output like this, if the daemon is running</P
-><P
->3025 ? 00:00:00 winbindd</P
-><P
->Now... for the real test, try to get some information about the
-users on your PDC</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->/usr/local/samba/bin/wbinfo -u</B
-></P
-><P
->
-This should echo back a list of users on your Windows users on
-your PDC. For example, I get the following response:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->CEO+Administrator
-CEO+burdell
-CEO+Guest
-CEO+jt-ad
-CEO+krbtgt
-CEO+TsInternetUser</PRE
-></P
-><P
->Obviously, I have named my domain 'CEO' and my <TT
-CLASS="PARAMETER"
-><I
->winbind
-separator</I
-></TT
-> is '+'.</P
-><P
->You can do the same sort of thing to get group information from
-the PDC:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->/usr/local/samba/bin/wbinfo -g</B
->
-CEO+Domain Admins
-CEO+Domain Users
-CEO+Domain Guests
-CEO+Domain Computers
-CEO+Domain Controllers
-CEO+Cert Publishers
-CEO+Schema Admins
-CEO+Enterprise Admins
-CEO+Group Policy Creator Owners</PRE
-></P
-><P
->The function 'getent' can now be used to get unified
-lists of both local and PDC users and groups.
-Try the following command:</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->getent passwd</B
-></P
-><P
->You should get a list that looks like your <TT
-CLASS="FILENAME"
->/etc/passwd</TT
->
-list followed by the domain users with their new uids, gids, home
-directories and default shells.</P
-><P
->The same thing can be done for groups with the command</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->getent group</B
-></P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1625"
-></A
->11.5.3.6. Fix the init.d startup scripts</H4
-><DIV
-CLASS="SECT4"
-><H5
-CLASS="SECT4"
-><A
-NAME="AEN1627"
-></A
->11.5.3.6.1. Linux</H5
-><P
->The <B
-CLASS="COMMAND"
->winbindd</B
-> daemon needs to start up after the
-<B
-CLASS="COMMAND"
->smbd</B
-> and <B
-CLASS="COMMAND"
->nmbd</B
-> daemons are running.
-To accomplish this task, you need to modify the startup scripts of your system. They are located at <TT
-CLASS="FILENAME"
->/etc/init.d/smb</TT
-> in RedHat and
-<TT
-CLASS="FILENAME"
->/etc/init.d/samba</TT
-> in Debian.
-script to add commands to invoke this daemon in the proper sequence. My
-startup script starts up <B
-CLASS="COMMAND"
->smbd</B
->,
-<B
-CLASS="COMMAND"
->nmbd</B
->, and <B
-CLASS="COMMAND"
->winbindd</B
-> from the
-<TT
-CLASS="FILENAME"
->/usr/local/samba/bin</TT
-> directory directly. The 'start'
-function in the script looks like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->start() {
- KIND="SMB"
- echo -n $"Starting $KIND services: "
- daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
- RETVAL=$?
- echo
- KIND="NMB"
- echo -n $"Starting $KIND services: "
- daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
- RETVAL2=$?
- echo
- KIND="Winbind"
- echo -n $"Starting $KIND services: "
- daemon /usr/local/samba/bin/winbindd
- RETVAL3=$?
- echo
- [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; touch /var/lock/subsys/smb || \
- RETVAL=1
- return $RETVAL
-}</PRE
-></P
-><P
->The 'stop' function has a corresponding entry to shut down the
-services and look s like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->stop() {
- KIND="SMB"
- echo -n $"Shutting down $KIND services: "
- killproc smbd
- RETVAL=$?
- echo
- KIND="NMB"
- echo -n $"Shutting down $KIND services: "
- killproc nmbd
- RETVAL2=$?
- echo
- KIND="Winbind"
- echo -n $"Shutting down $KIND services: "
- killproc winbindd
- RETVAL3=$?
- [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] &#38;&#38; rm -f /var/lock/subsys/smb
- echo ""
- return $RETVAL
-}</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT4"
-><HR><H5
-CLASS="SECT4"
-><A
-NAME="AEN1644"
-></A
->11.5.3.6.2. Solaris</H5
-><P
->On solaris, you need to modify the
-<TT
-CLASS="FILENAME"
->/etc/init.d/samba.server</TT
-> startup script. It usually
-only starts smbd and nmbd but should now start winbindd too. If you
-have samba installed in <TT
-CLASS="FILENAME"
->/usr/local/samba/bin</TT
->,
-the file could contains something like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->##
-## samba.server
-##
-
-if [ ! -d /usr/bin ]
-then # /usr not mounted
- exit
-fi
-
-killproc() { # kill the named process(es)
- pid=`/usr/bin/ps -e |
- /usr/bin/grep -w $1 |
- /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
- [ "$pid" != "" ] &#38;&#38; kill $pid
-}
-
-# Start/stop processes required for samba server
-
-case "$1" in
-
-'start')
-#
-# Edit these lines to suit your installation (paths, workgroup, host)
-#
-echo Starting SMBD
- /usr/local/samba/bin/smbd -D -s \
- /usr/local/samba/smb.conf
-
-echo Starting NMBD
- /usr/local/samba/bin/nmbd -D -l \
- /usr/local/samba/var/log -s /usr/local/samba/smb.conf
-
-echo Starting Winbind Daemon
- /usr/local/samba/bin/winbindd
- ;;
-
-'stop')
- killproc nmbd
- killproc smbd
- killproc winbindd
- ;;
-
-*)
- echo "Usage: /etc/init.d/samba.server { start | stop }"
- ;;
-esac</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT4"
-><HR><H5
-CLASS="SECT4"
-><A
-NAME="AEN1651"
-></A
->11.5.3.6.3. Restarting</H5
-><P
->If you restart the <B
-CLASS="COMMAND"
->smbd</B
->, <B
-CLASS="COMMAND"
->nmbd</B
->,
-and <B
-CLASS="COMMAND"
->winbindd</B
-> daemons at this point, you
-should be able to connect to the samba server as a domain member just as
-if you were a local user.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN1657"
-></A
->11.5.3.7. Configure Winbind and PAM</H4
-><P
->If you have made it this far, you know that winbindd and samba are working
-together. If you want to use winbind to provide authentication for other
-services, keep reading. The pam configuration files need to be altered in
-this step. (Did you remember to make backups of your original
-<TT
-CLASS="FILENAME"
->/etc/pam.d</TT
-> files? If not, do it now.)</P
-><P
->You will need a pam module to use winbindd with these other services. This
-module will be compiled in the <TT
-CLASS="FILENAME"
->../source/nsswitch</TT
-> directory
-by invoking the command</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->make nsswitch/pam_winbind.so</B
-></P
-><P
->from the <TT
-CLASS="FILENAME"
->../source</TT
-> directory. The
-<TT
-CLASS="FILENAME"
->pam_winbind.so</TT
-> file should be copied to the location of
-your other pam security modules. On my RedHat system, this was the
-<TT
-CLASS="FILENAME"
->/lib/security</TT
-> directory. On Solaris, the pam security
-modules reside in <TT
-CLASS="FILENAME"
->/usr/lib/security</TT
->.</P
-><P
-><TT
-CLASS="PROMPT"
->root#</TT
-> <B
-CLASS="COMMAND"
->cp ../samba/source/nsswitch/pam_winbind.so /lib/security</B
-></P
-><DIV
-CLASS="SECT4"
-><HR><H5
-CLASS="SECT4"
-><A
-NAME="AEN1674"
-></A
->11.5.3.7.1. Linux/FreeBSD-specific PAM configuration</H5
-><P
->The <TT
-CLASS="FILENAME"
->/etc/pam.d/samba</TT
-> file does not need to be changed. I
-just left this fileas it was:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_stack.so service=system-auth
-account required /lib/security/pam_stack.so service=system-auth</PRE
-></P
-><P
->The other services that I modified to allow the use of winbind
-as an authentication service were the normal login on the console (or a terminal
-session), telnet logins, and ftp service. In order to enable these
-services, you may first need to change the entries in
-<TT
-CLASS="FILENAME"
->/etc/xinetd.d</TT
-> (or <TT
-CLASS="FILENAME"
->/etc/inetd.conf</TT
->).
-RedHat 7.1 uses the new xinetd.d structure, in this case you need
-to change the lines in <TT
-CLASS="FILENAME"
->/etc/xinetd.d/telnet</TT
->
-and <TT
-CLASS="FILENAME"
->/etc/xinetd.d/wu-ftp</TT
-> from </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->enable = no</PRE
-></P
-><P
->to</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->enable = yes</PRE
-></P
-><P
->
-For ftp services to work properly, you will also need to either
-have individual directories for the domain users already present on
-the server, or change the home directory template to a general
-directory for all domain users. These can be easily set using
-the <TT
-CLASS="FILENAME"
->smb.conf</TT
-> global entry
-<B
-CLASS="COMMAND"
->template homedir</B
->.</P
-><P
->The <TT
-CLASS="FILENAME"
->/etc/pam.d/ftp</TT
-> file can be changed
-to allow winbind ftp access in a manner similar to the
-samba file. My <TT
-CLASS="FILENAME"
->/etc/pam.d/ftp</TT
-> file was
-changed to look like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
-auth sufficient /lib/security/pam_winbind.so
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_shells.so
-account sufficient /lib/security/pam_winbind.so
-account required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth</PRE
-></P
-><P
->The <TT
-CLASS="FILENAME"
->/etc/pam.d/login</TT
-> file can be changed nearly the
-same way. It now looks like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->auth required /lib/security/pam_securetty.so
-auth sufficient /lib/security/pam_winbind.so
-auth sufficient /lib/security/pam_unix.so use_first_pass
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_nologin.so
-account sufficient /lib/security/pam_winbind.so
-account required /lib/security/pam_stack.so service=system-auth
-password required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-session optional /lib/security/pam_console.so</PRE
-></P
-><P
->In this case, I added the <B
-CLASS="COMMAND"
->auth sufficient /lib/security/pam_winbind.so</B
->
-lines as before, but also added the <B
-CLASS="COMMAND"
->required pam_securetty.so</B
->
-above it, to disallow root logins over the network. I also added a
-<B
-CLASS="COMMAND"
->sufficient /lib/security/pam_unix.so use_first_pass</B
->
-line after the <B
-CLASS="COMMAND"
->winbind.so</B
-> line to get rid of annoying
-double prompts for passwords.</P
-></DIV
-><DIV
-CLASS="SECT4"
-><HR><H5
-CLASS="SECT4"
-><A
-NAME="AEN1707"
-></A
->11.5.3.7.2. Solaris-specific configuration</H5
-><P
->The /etc/pam.conf needs to be changed. I changed this file so that my Domain
-users can logon both locally as well as telnet.The following are the changes
-that I made.You can customize the pam.conf file as per your requirements,but
-be sure of those changes because in the worst case it will leave your system
-nearly impossible to boot.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#
-#ident "@(#)pam.conf 1.14 99/09/16 SMI"
-#
-# Copyright (c) 1996-1999, Sun Microsystems, Inc.
-# All Rights Reserved.
-#
-# PAM configuration
-#
-# Authentication management
-#
-login auth required /usr/lib/security/pam_winbind.so
-login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
-#
-rlogin auth sufficient /usr/lib/security/pam_winbind.so
-rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
-rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-dtlogin auth sufficient /usr/lib/security/pam_winbind.so
-dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
-other auth sufficient /usr/lib/security/pam_winbind.so
-other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
-#
-# Account management
-#
-login account sufficient /usr/lib/security/pam_winbind.so
-login account requisite /usr/lib/security/$ISA/pam_roles.so.1
-login account required /usr/lib/security/$ISA/pam_unix.so.1
-#
-dtlogin account sufficient /usr/lib/security/pam_winbind.so
-dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
-dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
-#
-other account sufficient /usr/lib/security/pam_winbind.so
-other account requisite /usr/lib/security/$ISA/pam_roles.so.1
-other account required /usr/lib/security/$ISA/pam_unix.so.1
-#
-# Session management
-#
-other session required /usr/lib/security/$ISA/pam_unix.so.1
-#
-# Password management
-#
-#other password sufficient /usr/lib/security/pam_winbind.so
-other password required /usr/lib/security/$ISA/pam_unix.so.1
-dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
-#
-# Support for Kerberos V5 authentication (uncomment to use Kerberos)
-#
-#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
-#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
-#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass</PRE
-></P
-><P
->I also added a try_first_pass line after the winbind.so line to get rid of
-annoying double prompts for passwords.</P
-><P
->Now restart your Samba &#38; try connecting through your application that you
-configured in the pam.conf.</P
-></DIV
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1714"
-></A
->11.6. Limitations</H2
-><P
->Winbind has a number of limitations in its current
- released version that we hope to overcome in future
- releases:</P
-><P
-></P
-><UL
-><LI
-><P
->Winbind is currently only available for
- the Linux operating system, although ports to other operating
- systems are certainly possible. For such ports to be feasible,
- we require the C library of the target operating system to
- support the Name Service Switch and Pluggable Authentication
- Modules systems. This is becoming more common as NSS and
- PAM gain support among UNIX vendors.</P
-></LI
-><LI
-><P
->The mappings of Windows NT RIDs to UNIX ids
- is not made algorithmically and depends on the order in which
- unmapped users or groups are seen by winbind. It may be difficult
- to recover the mappings of rid to UNIX id mapping if the file
- containing this information is corrupted or destroyed.</P
-></LI
-><LI
-><P
->Currently the winbind PAM module does not take
- into account possible workstation and logon time restrictions
- that may be been set for Windows NT users.</P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1724"
-></A
->11.7. Conclusion</H2
-><P
->The winbind system, through the use of the Name Service
- Switch, Pluggable Authentication Modules, and appropriate
- Microsoft RPC calls have allowed us to provide seamless
- integration of Microsoft Windows NT domain users on a
- UNIX system. The result is a great reduction in the administrative
- cost of running a mixed UNIX and NT network.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="SAMBA-PDC"
-></A
->Chapter 12. How to Configure Samba 2.2 as a Primary Domain Controller</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN1744"
-></A
->12.1. Prerequisite Reading</H2
-><P
->Before you continue reading in this chapter, please make sure
-that you are comfortable with configuring basic files services
-in smb.conf and how to enable and administer password
-encryption in Samba. Theses two topics are covered in the
-<A
-HREF="smb.conf.5.html"
-TARGET="_top"
-><TT
-CLASS="FILENAME"
->smb.conf(5)</TT
-></A
->
-manpage and the <A
-HREF="ENCRYPTION.html"
-TARGET="_top"
->Encryption chapter</A
->
-of this HOWTO Collection.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1750"
-></A
->12.2. Background</H2
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Author's Note:</I
-></SPAN
-> This document is a combination
-of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
-Both documents are superseded by this one.</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->Versions of Samba prior to release 2.2 had marginal capabilities to act
-as a Windows NT 4.0 Primary Domain Controller
-
-(PDC). With Samba 2.2.0, we are proud to announce official support for
-Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
-2000 clients. This article outlines the steps
-necessary for configuring Samba as a PDC. It is necessary to have a
-working Samba server prior to implementing the PDC functionality. If
-you have not followed the steps outlined in <A
-HREF="UNIX_INSTALL.html"
-TARGET="_top"
-> UNIX_INSTALL.html</A
->, please make sure
-that your server is configured correctly before proceeding. Another
-good resource in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5) man
-page</A
->. The following functionality should work in 2.2:</P
-><P
-></P
-><UL
-><LI
-><P
-> domain logons for Windows NT 4.0/2000 clients.
- </P
-></LI
-><LI
-><P
-> placing a Windows 9x client in user level security
- </P
-></LI
-><LI
-><P
-> retrieving a list of users and groups from a Samba PDC to
- Windows 9x/NT/2000 clients
- </P
-></LI
-><LI
-><P
-> roving (roaming) user profiles
- </P
-></LI
-><LI
-><P
-> Windows NT 4.0-style system policies
- </P
-></LI
-></UL
-><P
->The following pieces of functionality are not included in the 2.2 release:</P
-><P
-></P
-><UL
-><LI
-><P
-> Windows NT 4 domain trusts
- </P
-></LI
-><LI
-><P
-> SAM replication with Windows NT 4.0 Domain Controllers
- (i.e. a Samba PDC and a Windows NT BDC or vice versa)
- </P
-></LI
-><LI
-><P
-> Adding users via the User Manager for Domains
- </P
-></LI
-><LI
-><P
-> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
- Active Directory)
- </P
-></LI
-></UL
-><P
->Please note that Windows 9x clients are not true members of a domain
-for reasons outlined in this article. Therefore the protocol for
-support Windows 9x-style domain logons is completely different
-from NT4 domain logons and has been officially supported for some
-time.</P
-><P
->Implementing a Samba PDC can basically be divided into 2 broad
-steps.</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> Configuring the Samba PDC
- </P
-></LI
-><LI
-><P
-> Creating machine trust accounts and joining clients
- to the domain
- </P
-></LI
-></OL
-><P
->There are other minor details such as user profiles, system
-policies, etc... However, these are not necessarily specific
-to a Samba PDC as much as they are related to Windows NT networking
-concepts. They will be mentioned only briefly here.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1789"
-></A
->12.3. Configuring the Samba Domain Controller</H2
-><P
->The first step in creating a working Samba PDC is to
-understand the parameters necessary in smb.conf. I will not
-attempt to re-explain the parameters here as they are more that
-adequately covered in <A
-HREF="smb.conf.5.html"
-TARGET="_top"
-> the smb.conf
-man page</A
->. For convenience, the parameters have been
-linked with the actual smb.conf description.</P
-><P
->Here is an example <TT
-CLASS="FILENAME"
->smb.conf</TT
-> for acting as a PDC:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[global]
- ; Basic server settings
- <A
-HREF="smb.conf.5.html#NETBIOSNAME"
-TARGET="_top"
->netbios name</A
-> = <TT
-CLASS="REPLACEABLE"
-><I
->POGO</I
-></TT
->
- <A
-HREF="smb.conf.5.html#WORKGROUP"
-TARGET="_top"
->workgroup</A
-> = <TT
-CLASS="REPLACEABLE"
-><I
->NARNIA</I
-></TT
->
-
- ; we should act as the domain and local master browser
- <A
-HREF="smb.conf.5.html#OSLEVEL"
-TARGET="_top"
->os level</A
-> = 64
- <A
-HREF="smb.conf.5.html#PERFERREDMASTER"
-TARGET="_top"
->preferred master</A
-> = yes
- <A
-HREF="smb.conf.5.html#DOMAINMASTER"
-TARGET="_top"
->domain master</A
-> = yes
- <A
-HREF="smb.conf.5.html#LOCALMASTER"
-TARGET="_top"
->local master</A
-> = yes
-
- ; security settings (must user security = user)
- <A
-HREF="smb.conf.5.html#SECURITYEQUALSUSER"
-TARGET="_top"
->security</A
-> = user
-
- ; encrypted passwords are a requirement for a PDC
- <A
-HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
-TARGET="_top"
->encrypt passwords</A
-> = yes
-
- ; support domain logons
- <A
-HREF="smb.conf.5.html#DOMAINLOGONS"
-TARGET="_top"
->domain logons</A
-> = yes
-
- ; where to store user profiles?
- <A
-HREF="smb.conf.5.html#LOGONPATH"
-TARGET="_top"
->logon path</A
-> = \\%N\profiles\%u
-
- ; where is a user's home directory and where should it
- ; be mounted at?
- <A
-HREF="smb.conf.5.html#LOGONDRIVE"
-TARGET="_top"
->logon drive</A
-> = H:
- <A
-HREF="smb.conf.5.html#LOGONHOME"
-TARGET="_top"
->logon home</A
-> = \\homeserver\%u
-
- ; specify a generic logon script for all users
- ; this is a relative **DOS** path to the [netlogon] share
- <A
-HREF="smb.conf.5.html#LOGONSCRIPT"
-TARGET="_top"
->logon script</A
-> = logon.cmd
-
-; necessary share for domain controller
-[netlogon]
- <A
-HREF="smb.conf.5.html#PATH"
-TARGET="_top"
->path</A
-> = /usr/local/samba/lib/netlogon
- <A
-HREF="smb.conf.5.html#READONLY"
-TARGET="_top"
->read only</A
-> = yes
- <A
-HREF="smb.conf.5.html#WRITELIST"
-TARGET="_top"
->write list</A
-> = <TT
-CLASS="REPLACEABLE"
-><I
->ntadmin</I
-></TT
->
-
-; share for storing user profiles
-[profiles]
- <A
-HREF="smb.conf.5.html#PATH"
-TARGET="_top"
->path</A
-> = /export/smb/ntprofile
- <A
-HREF="smb.conf.5.html#READONLY"
-TARGET="_top"
->read only</A
-> = no
- <A
-HREF="smb.conf.5.html#CREATEMASK"
-TARGET="_top"
->create mask</A
-> = 0600
- <A
-HREF="smb.conf.5.html#DIRECTORYMASK"
-TARGET="_top"
->directory mask</A
-> = 0700</PRE
-></P
-><P
->There are a couple of points to emphasize in the above configuration.</P
-><P
-></P
-><UL
-><LI
-><P
-> Encrypted passwords must be enabled. For more details on how
- to do this, refer to <A
-HREF="ENCRYPTION.html"
-TARGET="_top"
->ENCRYPTION.html</A
->.
- </P
-></LI
-><LI
-><P
-> The server must support domain logons and a
- <TT
-CLASS="FILENAME"
->[netlogon]</TT
-> share
- </P
-></LI
-><LI
-><P
-> The server must be the domain master browser in order for Windows
- client to locate the server as a DC. Please refer to the various
- Network Browsing documentation included with this distribution for
- details.
- </P
-></LI
-></UL
-><P
->As Samba 2.2 does not offer a complete implementation of group mapping
-between Windows NT groups and Unix groups (this is really quite
-complicated to explain in a short space), you should refer to the
-<A
-HREF="smb.conf.5.html#DOMAINADMINGROUP"
-TARGET="_top"
->domain admin
-group</A
-> smb.conf parameter for information of creating "Domain
-Admins" style accounts.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1832"
-></A
->12.4. Creating Machine Trust Accounts and Joining Clients to the
-Domain</H2
-><P
->A machine trust account is a Samba account that is used to
-authenticate a client machine (rather than a user) to the Samba
-server. In Windows terminology, this is known as a "Computer
-Account."</P
-><P
->The password of a machine trust account acts as the shared secret for
-secure communication with the Domain Controller. This is a security
-feature to prevent an unauthorized machine with the same NetBIOS name
-from joining the domain and gaining access to domain user/group
-accounts. Windows NT and 2000 clients use machine trust accounts, but
-Windows 9x clients do not. Hence, a Windows 9x client is never a true
-member of a domain because it does not possess a machine trust
-account, and thus has no shared secret with the domain controller.</P
-><P
->A Windows PDC stores each machine trust account in the Windows
-Registry. A Samba PDC, however, stores each machine trust account
-in two parts, as follows:
-
-<P
-></P
-><UL
-><LI
-><P
->A Samba account, stored in the same location as user
- LanMan and NT password hashes (currently
- <TT
-CLASS="FILENAME"
->smbpasswd</TT
->). The Samba account
- possesses and uses only the NT password hash.</P
-></LI
-><LI
-><P
->A corresponding Unix account, typically stored in
- <TT
-CLASS="FILENAME"
->/etc/passwd</TT
->. (Future releases will alleviate the need to
- create <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entries.) </P
-></LI
-></UL
-></P
-><P
->There are two ways to create machine trust accounts:</P
-><P
-></P
-><UL
-><LI
-><P
-> Manual creation. Both the Samba and corresponding
- Unix account are created by hand.</P
-></LI
-><LI
-><P
-> "On-the-fly" creation. The Samba machine trust
- account is automatically created by Samba at the time the client
- is joined to the domain. (For security, this is the
- recommended method.) The corresponding Unix account may be
- created automatically or manually. </P
-></LI
-></UL
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1851"
-></A
->12.4.1. Manual Creation of Machine Trust Accounts</H3
-><P
->The first step in manually creating a machine trust account is to
-manually create the corresponding Unix account in
-<TT
-CLASS="FILENAME"
->/etc/passwd</TT
->. This can be done using
-<B
-CLASS="COMMAND"
->vipw</B
-> or other 'add user' command that is normally
-used to create new Unix accounts. The following is an example for a
-Linux based Samba server:</P
-><P
-> <TT
-CLASS="PROMPT"
->root# </TT
-><B
-CLASS="COMMAND"
->/usr/sbin/useradd -g 100 -d /dev/null -c <TT
-CLASS="REPLACEABLE"
-><I
->"machine
-nickname"</I
-></TT
-> -s /bin/false <TT
-CLASS="REPLACEABLE"
-><I
->machine_name</I
-></TT
->$ </B
-></P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><B
-CLASS="COMMAND"
->passwd -l <TT
-CLASS="REPLACEABLE"
-><I
->machine_name</I
-></TT
->$</B
-></P
-><P
->The <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry will list the machine name
-with a "$" appended, won't have a password, will have a null shell and no
-home directory. For example a machine named 'doppy' would have an
-<TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->doppy$:x:505:501:<TT
-CLASS="REPLACEABLE"
-><I
->machine_nickname</I
-></TT
->:/dev/null:/bin/false</PRE
-></P
-><P
->Above, <TT
-CLASS="REPLACEABLE"
-><I
->machine_nickname</I
-></TT
-> can be any
-descriptive name for the client, i.e., BasementComputer.
-<TT
-CLASS="REPLACEABLE"
-><I
->machine_name</I
-></TT
-> absolutely must be the NetBIOS
-name of the client to be joined to the domain. The "$" must be
-appended to the NetBIOS name of the client or Samba will not recognize
-this as a machine trust account.</P
-><P
->Now that the corresponding Unix account has been created, the next step is to create
-the Samba account for the client containing the well-known initial
-machine trust account password. This can be done using the <A
-HREF="smbpasswd.8.html"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->smbpasswd(8)</B
-></A
-> command
-as shown here:</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><B
-CLASS="COMMAND"
->smbpasswd -a -m <TT
-CLASS="REPLACEABLE"
-><I
->machine_name</I
-></TT
-></B
-></P
-><P
->where <TT
-CLASS="REPLACEABLE"
-><I
->machine_name</I
-></TT
-> is the machine's NetBIOS
-name. The RID of the new machine account is generated from the UID of
-the corresponding Unix account.</P
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Join the client to the domain immediately</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-> Manually creating a machine trust account using this method is the
- equivalent of creating a machine trust account on a Windows NT PDC using
- the "Server Manager". From the time at which the account is created
- to the time which the client joins the domain and changes the password,
- your domain is vulnerable to an intruder joining your domain using a
- a machine with the same NetBIOS name. A PDC inherently trusts
- members of the domain and will serve out a large degree of user
- information to such clients. You have been warned!
- </P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1886"
-></A
->12.4.2. "On-the-Fly" Creation of Machine Trust Accounts</H3
-><P
->The second (and recommended) way of creating machine trust accounts is
-simply to allow the Samba server to create them as needed when the client
-is joined to the domain. </P
-><P
->Since each Samba machine trust account requires a corresponding
-Unix account, a method for automatically creating the
-Unix account is usually supplied; this requires configuration of the
-<A
-HREF="smb.conf.5.html#ADDUSERSCRIPT"
-TARGET="_top"
->add user script</A
->
-option in <TT
-CLASS="FILENAME"
->smb.conf</TT
->. This
-method is not required, however; corresponding Unix accounts may also
-be created manually.</P
-><P
->Below is an example for a RedHat 6.2 Linux system.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->[global]
- # &#60;...remainder of parameters...&#62;
- add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN1895"
-></A
->12.4.3. Joining the Client to the Domain</H3
-><P
->The procedure for joining a client to the domain varies with the
-version of Windows.</P
-><P
-></P
-><UL
-><LI
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Windows 2000</I
-></SPAN
-></P
-><P
-> When the user elects to join the client to a domain, Windows prompts for
- an account and password that is privileged to join the domain. A
- Samba administrative account (i.e., a Samba account that has root
- privileges on the Samba server) must be entered here; the
- operation will fail if an ordinary user account is given.
- The password for this account should be
- set to a different password than the associated
- <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry, for security
- reasons. </P
-><P
->The session key of the Samba administrative account acts as an
- encryption key for setting the password of the machine trust
- account. The machine trust account will be created on-the-fly, or
- updated if it already exists.</P
-></LI
-><LI
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Windows NT</I
-></SPAN
-></P
-><P
-> If the machine trust account was created manually, on the
- Identification Changes menu enter the domain name, but do not
- check the box "Create a Computer Account in the Domain." In this case,
- the existing machine trust account is used to join the machine to
- the domain.</P
-><P
-> If the machine trust account is to be created
- on-the-fly, on the Identification Changes menu enter the domain
- name, and check the box "Create a Computer Account in the Domain." In
- this case, joining the domain proceeds as above for Windows 2000
- (i.e., you must supply a Samba administrative account when
- prompted).</P
-></LI
-></UL
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1910"
-></A
->12.5. Common Problems and Errors</H2
-><P
-></P
-><P
-></P
-><UL
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->I cannot include a '$' in a machine name.</I
-></SPAN
->
- </P
-><P
-> A 'machine name' in (typically) <TT
-CLASS="FILENAME"
->/etc/passwd</TT
->
- of the machine name with a '$' appended. FreeBSD (and other BSD
- systems?) won't create a user with a '$' in their name.
- </P
-><P
-> The problem is only in the program used to make the entry, once
- made, it works perfectly. So create a user without the '$' and
- use <B
-CLASS="COMMAND"
->vipw</B
-> to edit the entry, adding the '$'. Or create
- the whole entry with vipw if you like, make sure you use a
- unique User ID !
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->I get told "You already have a connection to the Domain...."
- or "Cannot join domain, the credentials supplied conflict with an
- existing set.." when creating a machine trust account.</I
-></SPAN
->
- </P
-><P
-> This happens if you try to create a machine trust account from the
- machine itself and already have a connection (e.g. mapped drive)
- to a share (or IPC$) on the Samba PDC. The following command
- will remove all network drive connections:
- </P
-><P
-> <TT
-CLASS="PROMPT"
->C:\WINNT\&#62;</TT
-> <B
-CLASS="COMMAND"
->net use * /d</B
->
- </P
-><P
-> Further, if the machine is a already a 'member of a workgroup' that
- is the same name as the domain you are joining (bad idea) you will
- get this message. Change the workgroup name to something else, it
- does not matter what, reboot, and try again.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->The system can not log you on (C000019B)....</I
-></SPAN
->
- </P
-><P
->I joined the domain successfully but after upgrading
- to a newer version of the Samba code I get the message, "The system
- can not log you on (C000019B), Please try a gain or consult your
- system administrator" when attempting to logon.
- </P
-><P
-> This occurs when the domain SID stored in
- <TT
-CLASS="FILENAME"
->private/WORKGROUP.SID</TT
-> is
- changed. For example, you remove the file and <B
-CLASS="COMMAND"
->smbd</B
-> automatically
- creates a new one. Or you are swapping back and forth between
- versions 2.0.7, TNG and the HEAD branch code (not recommended). The
- only way to correct the problem is to restore the original domain
- SID or remove the domain client from the domain and rejoin.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->The machine trust account for this computer either does not
- exist or is not accessible.</I
-></SPAN
->
- </P
-><P
-> When I try to join the domain I get the message "The machine account
- for this computer either does not exist or is not accessible". What's
- wrong?
- </P
-><P
-> This problem is caused by the PDC not having a suitable machine trust account.
- If you are using the <TT
-CLASS="PARAMETER"
-><I
->add user script</I
-></TT
-> method to create
- accounts then this would indicate that it has not worked. Ensure the domain
- admin user system is working.
- </P
-><P
-> Alternatively if you are creating account entries manually then they
- have not been created correctly. Make sure that you have the entry
- correct for the machine trust account in smbpasswd file on the Samba PDC.
- If you added the account using an editor rather than using the smbpasswd
- utility, make sure that the account name is the machine NetBIOS name
- with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
- in both /etc/passwd and the smbpasswd file. Some people have reported
- that inconsistent subnet masks between the Samba server and the NT
- client have caused this problem. Make sure that these are consistent
- for both client and server.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->When I attempt to login to a Samba Domain from a NT4/W2K workstation,
- I get a message about my account being disabled.</I
-></SPAN
->
- </P
-><P
-> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
- fixed in 2.2.1. Other symptoms could be unaccessible shares on
- NT/W2K member servers in the domain or the following error in your smbd.log:
- passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
- </P
-><P
-> At first be ensure to enable the useraccounts with <B
-CLASS="COMMAND"
->smbpasswd -e
- %user%</B
->, this is normally done, when you create an account.
- </P
-><P
-> In order to work around this problem in 2.2.0, configure the
- <TT
-CLASS="PARAMETER"
-><I
->account</I
-></TT
-> control flag in
- <TT
-CLASS="FILENAME"
->/etc/pam.d/samba</TT
-> file as follows:
- </P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> account required pam_permit.so
- </PRE
-></P
-><P
-> If you want to remain backward compatibility to samba 2.0.x use
- <TT
-CLASS="FILENAME"
->pam_permit.so</TT
->, it's also possible to use
- <TT
-CLASS="FILENAME"
->pam_pwdb.so</TT
->. There are some bugs if you try to
- use <TT
-CLASS="FILENAME"
->pam_unix.so</TT
->, if you need this, be ensure to use
- the most recent version of this file.
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN1958"
-></A
->12.6. System Policies and Profiles</H2
-><P
->Much of the information necessary to implement System Policies and
-Roving User Profiles in a Samba domain is the same as that for
-implementing these same items in a Windows NT 4.0 domain.
-You should read the white paper <A
-HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
-TARGET="_top"
->Implementing
-Profiles and Policies in Windows NT 4.0</A
-> available from Microsoft.</P
-><P
->Here are some additional details:</P
-><P
-></P
-><UL
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->What about Windows NT Policy Editor?</I
-></SPAN
->
- </P
-><P
-> To create or edit <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> you must use
- the NT Server Policy Editor, <B
-CLASS="COMMAND"
->poledit.exe</B
-> which
- is included with NT Server but <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->not NT Workstation</I
-></SPAN
->.
- There is a Policy Editor on a NTws
- but it is not suitable for creating <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Domain Policies</I
-></SPAN
->.
- Further, although the Windows 95
- Policy Editor can be installed on an NT Workstation/Server, it will not
- work with NT policies because the registry key that are set by the policy templates.
- However, the files from the NT Server will run happily enough on an NTws.
- You need <TT
-CLASS="FILENAME"
->poledit.exe, common.adm</TT
-> and <TT
-CLASS="FILENAME"
->winnt.adm</TT
->. It is convenient
- to put the two *.adm files in <TT
-CLASS="FILENAME"
->c:\winnt\inf</TT
-> which is where
- the binary will look for them unless told otherwise. Note also that that
- directory is 'hidden'.
- </P
-><P
-> The Windows NT policy editor is also included with the Service Pack 3 (and
- later) for Windows NT 4.0. Extract the files using <B
-CLASS="COMMAND"
->servicepackname /x</B
->,
- i.e. that's <B
-CLASS="COMMAND"
->Nt4sp6ai.exe /x</B
-> for service pack 6a. The policy editor,
- <B
-CLASS="COMMAND"
->poledit.exe</B
-> and the associated template files (*.adm) should
- be extracted as well. It is also possible to downloaded the policy template
- files for Office97 and get a copy of the policy editor. Another possible
- location is with the Zero Administration Kit available for download from Microsoft.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Can Win95 do Policies?</I
-></SPAN
->
- </P
-><P
-> Install the group policy handler for Win9x to pick up group
- policies. Look on the Win98 CD in <TT
-CLASS="FILENAME"
->\tools\reskit\netadmin\poledit</TT
->.
- Install group policies on a Win9x client by double-clicking
- <TT
-CLASS="FILENAME"
->grouppol.inf</TT
->. Log off and on again a couple of
- times and see if Win98 picks up group policies. Unfortunately this needs
- to be done on every Win9x machine that uses group policies....
- </P
-><P
-> If group policies don't work one reports suggests getting the updated
- (read: working) grouppol.dll for Windows 9x. The group list is grabbed
- from /etc/group.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->How do I get 'User Manager' and 'Server Manager'</I
-></SPAN
->
- </P
-><P
-> Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager'?
- </P
-><P
-> Microsoft distributes a version of these tools called nexus for
- installation on Windows 95 systems. The tools set includes
- </P
-><P
-></P
-><UL
-><LI
-><P
->Server Manager</P
-></LI
-><LI
-><P
->User Manager for Domains</P
-></LI
-><LI
-><P
->Event Viewer</P
-></LI
-></UL
-><P
-> Click here to download the archived file <A
-HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
-TARGET="_top"
->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
->
- </P
-><P
-> The Windows NT 4.0 version of the 'User Manager for
- Domains' and 'Server Manager' are available from Microsoft via ftp
- from <A
-HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
-TARGET="_top"
->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
->
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2002"
-></A
->12.7. What other help can I get?</H2
-><P
->There are many sources of information available in the form
-of mailing lists, RFC's and documentation. The docs that come
-with the samba distribution contain very good explanations of
-general SMB topics such as browsing.</P
-><P
-></P
-><UL
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->What are some diagnostics tools I can use to debug the domain logon
- process and where can I find them?</I
-></SPAN
->
- </P
-><P
-> One of the best diagnostic tools for debugging problems is Samba itself.
- You can use the -d option for both smbd and nmbd to specify what
- 'debug level' at which to run. See the man pages on smbd, nmbd and
- smb.conf for more information on debugging options. The debug
- level can range from 1 (the default) to 10 (100 for debugging passwords).
- </P
-><P
-> Another helpful method of debugging is to compile samba using the
- <B
-CLASS="COMMAND"
->gcc -g </B
-> flag. This will include debug
- information in the binaries and allow you to attach gdb to the
- running smbd / nmbd process. In order to attach gdb to an smbd
- process for an NT workstation, first get the workstation to make the
- connection. Pressing ctrl-alt-delete and going down to the domain box
- is sufficient (at least, on the first time you join the domain) to
- generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
- maintains an open connection, and therefore there will be an smbd
- process running (assuming that you haven't set a really short smbd
- idle timeout) So, in between pressing ctrl alt delete, and actually
- typing in your password, you can gdb attach and continue.
- </P
-><P
-> Some useful samba commands worth investigating:
- </P
-><P
-></P
-><UL
-><LI
-><P
->testparam | more</P
-></LI
-><LI
-><P
->smbclient -L //{netbios name of server}</P
-></LI
-></UL
-><P
-> An SMB enabled version of tcpdump is available from
- <A
-HREF="http://www.tcpdump.org/"
-TARGET="_top"
->http://www.tcpdup.org/</A
->.
- Ethereal, another good packet sniffer for Unix and Win32
- hosts, can be downloaded from <A
-HREF="http://www.ethereal.com/"
-TARGET="_top"
->http://www.ethereal.com</A
->.
- </P
-><P
-> For tracing things on the Microsoft Windows NT, Network Monitor
- (aka. netmon) is available on the Microsoft Developer Network CD's,
- the Windows NT Server install CD and the SMS CD's. The version of
- netmon that ships with SMS allows for dumping packets between any two
- computers (i.e. placing the network interface in promiscuous mode).
- The version on the NT Server install CD will only allow monitoring
- of network traffic directed to the local NT box and broadcasts on the
- local subnet. Be aware that Ethereal can read and write netmon
- formatted files.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->How do I install 'Network Monitor' on an NT Workstation
- or a Windows 9x box?</I
-></SPAN
->
- </P
-><P
-> Installing netmon on an NT workstation requires a couple
- of steps. The following are for installing Netmon V4.00.349, which comes
- with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
- Workstation 4.0. The process should be similar for other version of
- Windows NT / Netmon. You will need both the Microsoft Windows
- NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
- </P
-><P
-> Initially you will need to install 'Network Monitor Tools and Agent'
- on the NT Server. To do this
- </P
-><P
-></P
-><UL
-><LI
-><P
->Goto Start - Settings - Control Panel -
- Network - Services - Add </P
-></LI
-><LI
-><P
->Select the 'Network Monitor Tools and Agent' and
- click on 'OK'.</P
-></LI
-><LI
-><P
->Click 'OK' on the Network Control Panel.
- </P
-></LI
-><LI
-><P
->Insert the Windows NT Server 4.0 install CD
- when prompted.</P
-></LI
-></UL
-><P
-> At this point the Netmon files should exist in
- <TT
-CLASS="FILENAME"
->%SYSTEMROOT%\System32\netmon\*.*</TT
->.
- Two subdirectories exist as well, <TT
-CLASS="FILENAME"
->parsers\</TT
->
- which contains the necessary DLL's for parsing the netmon packet
- dump, and <TT
-CLASS="FILENAME"
->captures\</TT
->.
- </P
-><P
-> In order to install the Netmon tools on an NT Workstation, you will
- first need to install the 'Network Monitor Agent' from the Workstation
- install CD.
- </P
-><P
-></P
-><UL
-><LI
-><P
->Goto Start - Settings - Control Panel -
- Network - Services - Add</P
-></LI
-><LI
-><P
->Select the 'Network Monitor Agent' and click
- on 'OK'.</P
-></LI
-><LI
-><P
->Click 'OK' on the Network Control Panel.
- </P
-></LI
-><LI
-><P
->Insert the Windows NT Workstation 4.0 install
- CD when prompted.</P
-></LI
-></UL
-><P
-> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
- to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
- permissions as you deem appropriate for your site. You will need
- administrative rights on the NT box to run netmon.
- </P
-><P
-> To install Netmon on a Windows 9x box install the network monitor agent
- from the Windows 9x CD (\admin\nettools\netmon). There is a readme
- file located with the netmon driver files on the CD if you need
- information on how to do this. Copy the files from a working
- Netmon installation.
- </P
-></LI
-><LI
-><P
-> The following is a list if helpful URLs and other links:
- </P
-><P
-></P
-><UL
-><LI
-><P
->Home of Samba site <A
-HREF="http://samba.org"
-TARGET="_top"
-> http://samba.org</A
->. We have a mirror near you !</P
-></LI
-><LI
-><P
-> The <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Development</I
-></SPAN
-> document
- on the Samba mirrors might mention your problem. If so,
- it might mean that the developers are working on it.</P
-></LI
-><LI
-><P
->See how Scott Merrill simulates a BDC behavior at
- <A
-HREF="http://www.skippy.net/linux/smb-howto.html"
-TARGET="_top"
-> http://www.skippy.net/linux/smb-howto.html</A
->. </P
-></LI
-><LI
-><P
->Although 2.0.7 has almost had its day as a PDC, David Bannon will
- keep the 2.0.7 PDC pages at <A
-HREF="http://bioserve.latrobe.edu.au/samba"
-TARGET="_top"
-> http://bioserve.latrobe.edu.au/samba</A
-> going for a while yet.</P
-></LI
-><LI
-><P
->Misc links to CIFS information
- <A
-HREF="http://samba.org/cifs/"
-TARGET="_top"
->http://samba.org/cifs/</A
-></P
-></LI
-><LI
-><P
->NT Domains for Unix <A
-HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
-TARGET="_top"
-> http://mailhost.cb1.com/~lkcl/ntdom/</A
-></P
-></LI
-><LI
-><P
->FTP site for older SMB specs:
- <A
-HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
-TARGET="_top"
-> ftp://ftp.microsoft.com/developr/drg/CIFS/</A
-></P
-></LI
-></UL
-></LI
-></UL
-><P
-></P
-><UL
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->How do I get help from the mailing lists?</I
-></SPAN
->
- </P
-><P
-> There are a number of Samba related mailing lists. Go to <A
-HREF="http://samba.org"
-TARGET="_top"
->http://samba.org</A
->, click on your nearest mirror
- and then click on <B
-CLASS="COMMAND"
->Support</B
-> and then click on <B
-CLASS="COMMAND"
-> Samba related mailing lists</B
->.
- </P
-><P
-> For questions relating to Samba TNG go to
- <A
-HREF="http://www.samba-tng.org/"
-TARGET="_top"
->http://www.samba-tng.org/</A
->
- It has been requested that you don't post questions about Samba-TNG to the
- main stream Samba lists.</P
-><P
-> If you post a message to one of the lists please observe the following guide lines :
- </P
-><P
-></P
-><UL
-><LI
-><P
-> Always remember that the developers are volunteers, they are
- not paid and they never guarantee to produce a particular feature at
- a particular time. Any time lines are 'best guess' and nothing more.
- </P
-></LI
-><LI
-><P
-> Always mention what version of samba you are using and what
- operating system its running under. You should probably list the
- relevant sections of your smb.conf file, at least the options
- in [global] that affect PDC support.</P
-></LI
-><LI
-><P
->In addition to the version, if you obtained Samba via
- CVS mention the date when you last checked it out.</P
-></LI
-><LI
-><P
-> Try and make your question clear and brief, lots of long,
- convoluted questions get deleted before they are completely read !
- Don't post html encoded messages (if you can select colour or font
- size its html).</P
-></LI
-><LI
-><P
-> If you run one of those nifty 'I'm on holidays' things when
- you are away, make sure its configured to not answer mailing lists.
- </P
-></LI
-><LI
-><P
-> Don't cross post. Work out which is the best list to post to
- and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
- Many people active on the lists subscribe to more
- than one list and get annoyed to see the same message two or more times.
- Often someone will see a message and thinking it would be better dealt
- with on another, will forward it on for you.</P
-></LI
-><LI
-><P
->You might include <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->partial</I
-></SPAN
->
- log files written at a debug level set to as much as 20.
- Please don't send the entire log but enough to give the context of the
- error messages.</P
-></LI
-><LI
-><P
->(Possibly) If you have a complete netmon trace ( from the opening of
- the pipe to the error ) you can send the *.CAP file as well.</P
-></LI
-><LI
-><P
->Please think carefully before attaching a document to an email.
- Consider pasting the relevant parts into the body of the message. The samba
- mailing lists go to a huge number of people, do they all need a copy of your
- smb.conf in their attach directory?</P
-></LI
-></UL
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->How do I get off the mailing lists?</I
-></SPAN
->
- </P
-><P
->To have your name removed from a samba mailing list, go to the
- same place you went to to get on it. Go to <A
-HREF="http://lists.samba.org/"
-TARGET="_top"
->http://lists.samba.org</A
->,
- click on your nearest mirror and then click on <B
-CLASS="COMMAND"
->Support</B
-> and
- then click on <B
-CLASS="COMMAND"
-> Samba related mailing lists</B
->. Or perhaps see
- <A
-HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
-TARGET="_top"
->here</A
->
- </P
-><P
-> Please don't post messages to the list asking to be removed, you will just
- be referred to the above address (unless that process failed in some way...)
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2116"
-></A
->12.8. Domain Control for Windows 9x/ME</H2
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->The following section contains much of the original
-DOMAIN.txt file previously included with Samba. Much of
-the material is based on what went into the book <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Special
-Edition, Using Samba</I
-></SPAN
->, by Richard Sharpe.</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->A domain and a workgroup are exactly the same thing in terms of network
-browsing. The difference is that a distributable authentication
-database is associated with a domain, for secure login access to a
-network. Also, different access rights can be granted to users if they
-successfully authenticate against a domain logon server (NT server and
-other systems based on NT server support this, as does at least Samba TNG now).</P
-><P
->The SMB client logging on to a domain has an expectation that every other
-server in the domain should accept the same authentication information.
-Network browsing functionality of domains and workgroups is
-identical and is explained in BROWSING.txt. It should be noted, that browsing
-is totally orthogonal to logon support.</P
-><P
->Issues related to the single-logon network model are discussed in this
-section. Samba supports domain logons, network logon scripts, and user
-profiles for MS Windows for workgroups and MS Windows 9X/ME clients
-which will be the focus of this section.</P
-><P
->When an SMB client in a domain wishes to logon it broadcast requests for a
-logon server. The first one to reply gets the job, and validates its
-password using whatever mechanism the Samba administrator has installed.
-It is possible (but very stupid) to create a domain where the user
-database is not shared between servers, i.e. they are effectively workgroup
-servers advertising themselves as participating in a domain. This
-demonstrates how authentication is quite different from but closely
-involved with domains.</P
-><P
->Using these features you can make your clients verify their logon via
-the Samba server; make clients run a batch file when they logon to
-the network and download their preferences, desktop and start menu.</P
-><P
->Before launching into the configuration instructions, it is
-worthwhile lookingat how a Windows 9x/ME client performs a logon:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> The client broadcasts (to the IP broadcast address of the subnet it is in)
- a NetLogon request. This is sent to the NetBIOS name DOMAIN&#60;1c&#62; at the
- NetBIOS layer. The client chooses the first response it receives, which
- contains the NetBIOS name of the logon server to use in the format of
- \\SERVER.
- </P
-></LI
-><LI
-><P
-> The client then connects to that server, logs on (does an SMBsessetupX) and
- then connects to the IPC$ share (using an SMBtconX).
- </P
-></LI
-><LI
-><P
-> The client then does a NetWkstaUserLogon request, which retrieves the name
- of the user's logon script.
- </P
-></LI
-><LI
-><P
-> The client then connects to the NetLogon share and searches for this
- and if it is found and can be read, is retrieved and executed by the client.
- After this, the client disconnects from the NetLogon share.
- </P
-></LI
-><LI
-><P
-> The client then sends a NetUserGetInfo request to the server, to retrieve
- the user's home share, which is used to search for profiles. Since the
- response to the NetUserGetInfo request does not contain much more
- the user's home share, profiles for Win9X clients MUST reside in the user
- home directory.
- </P
-></LI
-><LI
-><P
-> The client then connects to the user's home share and searches for the
- user's profile. As it turns out, you can specify the user's home share as
- a sharename and path. For example, \\server\fred\.profile.
- If the profiles are found, they are implemented.
- </P
-></LI
-><LI
-><P
-> The client then disconnects from the user's home share, and reconnects to
- the NetLogon share and looks for CONFIG.POL, the policies file. If this is
- found, it is read and implemented.
- </P
-></LI
-></OL
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2142"
-></A
->12.8.1. Configuration Instructions: Network Logons</H3
-><P
->The main difference between a PDC and a Windows 9x logon
-server configuration is that</P
-><P
-></P
-><UL
-><LI
-><P
->Password encryption is not required for a Windows 9x logon server.</P
-></LI
-><LI
-><P
->Windows 9x/ME clients do not possess machine trust accounts.</P
-></LI
-></UL
-><P
->Therefore, a Samba PDC will also act as a Windows 9x logon
-server.</P
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->security mode and master browsers</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->There are a few comments to make in order to tie up some
-loose ends. There has been much debate over the issue of whether
-or not it is ok to configure Samba as a Domain Controller in security
-modes other than <TT
-CLASS="CONSTANT"
->USER</TT
->. The only security mode
-which will not work due to technical reasons is <TT
-CLASS="CONSTANT"
->SHARE</TT
->
-mode security. <TT
-CLASS="CONSTANT"
->DOMAIN</TT
-> and <TT
-CLASS="CONSTANT"
->SERVER</TT
->
-mode security is really just a variation on SMB user level security.</P
-><P
->Actually, this issue is also closely tied to the debate on whether
-or not Samba must be the domain master browser for its workgroup
-when operating as a DC. While it may technically be possible
-to configure a server as such (after all, browsing and domain logons
-are two distinctly different functions), it is not a good idea to
-so. You should remember that the DC must register the DOMAIN#1b NetBIOS
-name. This is the name used by Windows clients to locate the DC.
-Windows clients do not distinguish between the DC and the DMB.
-For this reason, it is very wise to configure the Samba DC as the DMB.</P
-><P
->Now back to the issue of configuring a Samba DC to use a mode other
-than "security = user". If a Samba host is configured to use
-another SMB server or DC in order to validate user connection
-requests, then it is a fact that some other machine on the network
-(the "password server") knows more about user than the Samba host.
-99% of the time, this other host is a domain controller. Now
-in order to operate in domain mode security, the "workgroup" parameter
-must be set to the name of the Windows NT domain (which already
-has a domain controller, right?)</P
-><P
->Therefore configuring a Samba box as a DC for a domain that
-already by definition has a PDC is asking for trouble.
-Therefore, you should always configure the Samba DC to be the DMB
-for its domain.</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2161"
-></A
->12.8.2. Configuration Instructions: Setting up Roaming User Profiles</H3
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE!</I
-></SPAN
-> Roaming profiles support is different
-for Win9X and WinNT.</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->Before discussing how to configure roaming profiles, it is useful to see how
-Win9X and WinNT clients implement these features.</P
-><P
->Win9X clients send a NetUserGetInfo request to the server to get the user's
-profiles location. However, the response does not have room for a separate
-profiles location field, only the user's home share. This means that Win9X
-profiles are restricted to being in the user's home directory.</P
-><P
->WinNT clients send a NetSAMLogon RPC request, which contains many fields,
-including a separate field for the location of the user's profiles.
-This means that support for profiles is different for Win9X and WinNT.</P
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2169"
-></A
->12.8.2.1. Windows NT Configuration</H4
-><P
->To support WinNT clients, in the [global] section of smb.conf set the
-following (for example):</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE
-></P
-><P
->The default for this option is \\%N\%U\profile, namely
-\\sambaserver\username\profile. The \\N%\%U service is created
-automatically by the [homes] service.
-If you are using a samba server for the profiles, you _must_ make the
-share specified in the logon path browseable. </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 26aug96 - we have discovered a problem where Windows clients can
-maintain a connection to the [homes] share in between logins. The
-[homes] share must NOT therefore be used in a profile path.]</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2177"
-></A
->12.8.2.2. Windows 9X Configuration</H4
-><P
->To support Win9X clients, you must use the "logon home" parameter. Samba has
-now been fixed so that "net use/home" now works as well, and it, too, relies
-on the "logon home" parameter.</P
-><P
->By using the logon home parameter, you are restricted to putting Win9X
-profiles in the user's home directory. But wait! There is a trick you
-can use. If you set the following in the [global] section of your
-smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon home = \\%L\%U\.profiles</PRE
-></P
-><P
->then your Win9X clients will dutifully put their clients in a subdirectory
-of your home directory called .profiles (thus making them hidden).</P
-><P
->Not only that, but 'net use/home' will also work, because of a feature in
-Win9X. It removes any directory stuff off the end of the home directory area
-and only uses the server and share portion. That is, it looks like you
-specified \\%L\%U for "logon home".</P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2185"
-></A
->12.8.2.3. Win9X and WinNT Configuration</H4
-><P
->You can support profiles for both Win9X and WinNT clients by setting both the
-"logon home" and "logon path" parameters. For example:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon home = \\%L\%U\.profiles
-logon path = \\%L\profiles\%U</PRE
-></P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->I have not checked what 'net use /home' does on NT when "logon home" is
-set as above.</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2192"
-></A
->12.8.2.4. Windows 9X Profile Setup</H4
-><P
->When a user first logs in on Windows 9X, the file user.DAT is created,
-as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
-These directories and their contents will be merged with the local
-versions stored in c:\windows\profiles\username on subsequent logins,
-taking the most recent from each. You will need to use the [global]
-options "preserve case = yes", "short preserve case = yes" and
-"case sensitive = no" in order to maintain capital letters in shortcuts
-in any of the profile folders.</P
-><P
->The user.DAT file contains all the user's preferences. If you wish to
-enforce a set of preferences, rename their user.DAT file to user.MAN,
-and deny them write access to this file.</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> On the Windows 95 machine, go to Control Panel | Passwords and
- select the User Profiles tab. Select the required level of
- roaming preferences. Press OK, but do _not_ allow the computer
- to reboot.
- </P
-></LI
-><LI
-><P
-> On the Windows 95 machine, go to Control Panel | Network |
- Client for Microsoft Networks | Preferences. Select 'Log on to
- NT Domain'. Then, ensure that the Primary Logon is 'Client for
- Microsoft Networks'. Press OK, and this time allow the computer
- to reboot.
- </P
-></LI
-></OL
-><P
->Under Windows 95, Profiles are downloaded from the Primary Logon.
-If you have the Primary Logon as 'Client for Novell Networks', then
-the profiles and logon script will be downloaded from your Novell
-Server. If you have the Primary Logon as 'Windows Logon', then the
-profiles will be loaded from the local machine - a bit against the
-concept of roaming profiles, if you ask me.</P
-><P
->You will now find that the Microsoft Networks Login box contains
-[user, password, domain] instead of just [user, password]. Type in
-the samba server's domain name (or any other domain known to exist,
-but bear in mind that the user will be authenticated against this
-domain and profiles downloaded from it, if that domain logon server
-supports it), user name and user's password.</P
-><P
->Once the user has been successfully validated, the Windows 95 machine
-will inform you that 'The user has not logged on before' and asks you
-if you wish to save the user's preferences? Select 'yes'.</P
-><P
->Once the Windows 95 client comes up with the desktop, you should be able
-to examine the contents of the directory specified in the "logon path"
-on the samba server and verify that the "Desktop", "Start Menu",
-"Programs" and "Nethood" folders have been created.</P
-><P
->These folders will be cached locally on the client, and updated when
-the user logs off (if you haven't made them read-only by then :-).
-You will find that if the user creates further folders or short-cuts,
-that the client will merge the profile contents downloaded with the
-contents of the profile directory already on the local client, taking
-the newest folders and short-cuts from each set.</P
-><P
->If you have made the folders / files read-only on the samba server,
-then you will get errors from the w95 machine on logon and logout, as
-it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the w95 machine, check the Unix file
-permissions and ownership rights on the profile directory contents,
-on the samba server.</P
-><P
->If you have problems creating user profiles, you can reset the user's
-local desktop cache, as shown below. When this user then next logs in,
-they will be told that they are logging in "for the first time".</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> instead of logging in under the [user, password, domain] dialog,
- press escape.
- </P
-></LI
-><LI
-><P
-> run the regedit.exe program, and look in:
- </P
-><P
-> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
- </P
-><P
-> you will find an entry, for each user, of ProfilePath. Note the
- contents of this key (likely to be c:\windows\profiles\username),
- then delete the key ProfilePath for the required user.
- </P
-><P
-> [Exit the registry editor].
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->WARNING</I
-></SPAN
-> - before deleting the contents of the
- directory listed in
- the ProfilePath (this is likely to be c:\windows\profiles\username),
- ask them if they have any important files stored on their desktop
- or in their start menu. delete the contents of the directory
- ProfilePath (making a backup if any of the files are needed).
- </P
-><P
-> This will have the effect of removing the local (read-only hidden
- system file) user.DAT in their profile directory, as well as the
- local "desktop", "nethood", "start menu" and "programs" folders.
- </P
-></LI
-><LI
-><P
-> search for the user's .PWL password-caching file in the c:\windows
- directory, and delete it.
- </P
-></LI
-><LI
-><P
-> log off the windows 95 client.
- </P
-></LI
-><LI
-><P
-> check the contents of the profile path (see "logon path" described
- above), and delete the user.DAT or user.MAN file for the user,
- making a backup if required.
- </P
-></LI
-></OL
-><P
->If all else fails, increase samba's debug log levels to between 3 and 10,
-and / or run a packet trace program such as tcpdump or netmon.exe, and
-look for any error reports.</P
-><P
->If you have access to an NT server, then first set up roaming profiles
-and / or netlogons on the NT server. Make a packet trace, or examine
-the example packet traces provided with NT server, and see what the
-differences are with the equivalent samba trace.</P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2228"
-></A
->12.8.2.5. Windows NT Workstation 4.0</H4
-><P
->When a user first logs in to a Windows NT Workstation, the profile
-NTuser.DAT is created. The profile location can be now specified
-through the "logon path" parameter. </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 10aug97 - i tried setting the path to
-\\samba-server\homes\profile, and discovered that this fails because
-a background process maintains the connection to the [homes] share
-which does _not_ close down in between user logins. you have to
-have \\samba-server\%L\profile, where user is the username created
-from the [homes] share].</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->There is a parameter that is now available for use with NT Profiles:
-"logon drive". This should be set to "h:" or any other drive, and
-should be used in conjunction with the new "logon home" parameter.</P
-><P
->The entry for the NT 4.0 profile is a _directory_ not a file. The NT
-help on profiles mentions that a directory is also created with a .PDS
-extension. The user, while logging in, must have write permission to
-create the full profile path (and the folder with the .PDS extension)
-[lkcl 10aug97 - i found that the creation of the .PDS directory failed,
-and had to create these manually for each user, with a shell script.
-also, i presume, but have not tested, that the full profile path must
-be browseable just as it is for w95, due to the manner in which they
-attempt to create the full profile path: test existence of each path
-component; create path component].</P
-><P
->In the profile directory, NT creates more folders than 95. It creates
-"Application Data" and others, as well as "Desktop", "Nethood",
-"Start Menu" and "Programs". The profile itself is stored in a file
-NTuser.DAT. Nothing appears to be stored in the .PDS directory, and
-its purpose is currently unknown.</P
-><P
->You can use the System Control Panel to copy a local profile onto
-a samba server (see NT Help on profiles: it is also capable of firing
-up the correct location in the System Control Panel for you). The
-NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
-turns a profile into a mandatory one.</P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 10aug97 - i notice that NT Workstation tells me that it is
-downloading a profile from a slow link. whether this is actually the
-case, or whether there is some configuration issue, as yet unknown,
-that makes NT Workstation _think_ that the link is a slow one is a
-matter to be resolved].</P
-><P
->[lkcl 20aug97 - after samba digest correspondence, one user found, and
-another confirmed, that profiles cannot be loaded from a samba server
-unless "security = user" and "encrypt passwords = yes" (see the file
-ENCRYPTION.txt) or "security = server" and "password server = ip.address.
-of.yourNTserver" are used. Either of these options will allow the NT
-workstation to access the samba server using LAN manager encrypted
-passwords, without the user intervention normally required by NT
-workstation for clear-text passwords].</P
-><P
->[lkcl 25aug97 - more comments received about NT profiles: the case of
-the profile _matters_. the file _must_ be called NTuser.DAT or, for
-a mandatory profile, NTuser.MAN].</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2241"
-></A
->12.8.2.6. Windows NT Server</H4
-><P
->There is nothing to stop you specifying any path that you like for the
-location of users' profiles. Therefore, you could specify that the
-profile be stored on a samba server, or any other SMB server, as long as
-that SMB server supports encrypted passwords.</P
-></DIV
-><DIV
-CLASS="SECT3"
-><HR><H4
-CLASS="SECT3"
-><A
-NAME="AEN2244"
-></A
->12.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</H4
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Potentially outdated or incorrect material follows</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->I think this is all bogus, but have not deleted it. (Richard Sharpe)</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->The default logon path is \\%N\%U. NT Workstation will attempt to create
-a directory "\\samba-server\username.PDS" if you specify the logon path
-as "\\samba-server\username" with the NT User Manager. Therefore, you
-will need to specify (for example) "\\samba-server\username\profile".
-NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which
-is more likely to succeed.</P
-><P
->If you then want to share the same Start Menu / Desktop with W95, you will
-need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
-this has its drawbacks: i created a shortcut to telnet.exe, which attempts
-to run from the c:\winnt\system32 directory. this directory is obviously
-unlikely to exist on a Win95-only host].</P
-><P
->&#13;If you have this set up correctly, you will find separate user.DAT and
-NTuser.DAT files in the same profile directory.</P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 25aug97 - there are some issues to resolve with downloading of
-NT profiles, probably to do with time/date stamps. i have found that
-NTuser.DAT is never updated on the workstation after the first time that
-it is copied to the local workstation profile directory. this is in
-contrast to w95, where it _does_ transfer / update profiles correctly].</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2254"
-></A
->12.9. DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</H2
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/docbook-dsssl/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Possibly Outdated Material</B
-></TH
-></TR
-><TR
-><TD
->&nbsp;</TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-> This appendix was originally authored by John H Terpstra of
- the Samba Team and is included here for posterity.
- </P
-></TD
-></TR
-></TABLE
-></DIV
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE :</I
-></SPAN
->
-The term "Domain Controller" and those related to it refer to one specific
-method of authentication that can underly an SMB domain. Domain Controllers
-prior to Windows NT Server 3.1 were sold by various companies and based on
-private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
-Microsoft-specific ways of distributing the user authentication database.
-See DOMAIN.txt for examples of how Samba can participate in or create
-SMB domains based on shared authentication database schemes other than the
-Windows NT SAM.</P
-><P
->Windows NT Server can be installed as either a plain file and print server
-(WORKGROUP workstation or server) or as a server that participates in Domain
-Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
-The same is true for OS/2 Warp Server, Digital Pathworks and other similar
-products, all of which can participate in Domain Control along with Windows NT.</P
-><P
->To many people these terms can be confusing, so let's try to clear the air.</P
-><P
->Every Windows NT system (workstation or server) has a registry database.
-The registry contains entries that describe the initialization information
-for all services (the equivalent of Unix Daemons) that run within the Windows
-NT environment. The registry also contains entries that tell application
-software where to find dynamically loadable libraries that they depend upon.
-In fact, the registry contains entries that describes everything that anything
-may need to know to interact with the rest of the system.</P
-><P
->The registry files can be located on any Windows NT machine by opening a
-command prompt and typing:</P
-><P
-><TT
-CLASS="PROMPT"
->C:\WINNT\&#62;</TT
-> dir %SystemRoot%\System32\config</P
-><P
->The environment variable %SystemRoot% value can be obtained by typing:</P
-><P
-><TT
-CLASS="PROMPT"
->C:\WINNT&#62;</TT
->echo %SystemRoot%</P
-><P
->The active parts of the registry that you may want to be familiar with are
-the files called: default, system, software, sam and security.</P
-><P
->In a domain environment, Microsoft Windows NT domain controllers participate
-in replication of the SAM and SECURITY files so that all controllers within
-the domain have an exactly identical copy of each.</P
-><P
->The Microsoft Windows NT system is structured within a security model that
-says that all applications and services must authenticate themselves before
-they can obtain permission from the security manager to do what they set out
-to do.</P
-><P
->The Windows NT User database also resides within the registry. This part of
-the registry contains the user's security identifier, home directory, group
-memberships, desktop profile, and so on.</P
-><P
->Every Windows NT system (workstation as well as server) will have its own
-registry. Windows NT Servers that participate in Domain Security control
-have a database that they share in common - thus they do NOT own an
-independent full registry database of their own, as do Workstations and
-plain Servers.</P
-><P
->The User database is called the SAM (Security Access Manager) database and
-is used for all user authentication as well as for authentication of inter-
-process authentication (i.e. to ensure that the service action a user has
-requested is permitted within the limits of that user's privileges).</P
-><P
->The Samba team have produced a utility that can dump the Windows NT SAM into
-smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
-/pub/samba/pwdump on your nearest Samba mirror for the utility. This
-facility is useful but cannot be easily used to implement SAM replication
-to Samba systems.</P
-><P
->Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
-can participate in a Domain security system that is controlled by Windows NT
-servers that have been correctly configured. Almost every domain will have
-ONE Primary Domain Controller (PDC). It is desirable that each domain will
-have at least one Backup Domain Controller (BDC).</P
-><P
->The PDC and BDCs then participate in replication of the SAM database so that
-each Domain Controlling participant will have an up to date SAM component
-within its registry.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="SAMBA-BDC"
-></A
->Chapter 13. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN2290"
-></A
->13.1. Prerequisite Reading</H2
-><P
->Before you continue reading in this chapter, please make sure
-that you are comfortable with configuring a Samba PDC
-as described in the <A
-HREF="Samba-PDC-HOWTO.html"
-TARGET="_top"
->Samba-PDC-HOWTO</A
->.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2294"
-></A
->13.2. Background</H2
-><P
->What is a Domain Controller? It is a machine that is able to answer
-logon requests from workstations in a Windows NT Domain. Whenever a
-user logs into a Windows NT Workstation, the workstation connects to a
-Domain Controller and asks him whether the username and password the
-user typed in is correct. The Domain Controller replies with a lot of
-information about the user, for example the place where the users
-profile is stored, the users full name of the user. All this
-information is stored in the NT user database, the so-called SAM.</P
-><P
->There are two kinds of Domain Controller in a NT 4 compatible Domain:
-A Primary Domain Controller (PDC) and one or more Backup Domain
-Controllers (BDC). The PDC contains the master copy of the
-SAM. Whenever the SAM has to change, for example when a user changes
-his password, this change has to be done on the PDC. A Backup Domain
-Controller is a machine that maintains a read-only copy of the
-SAM. This way it is able to reply to logon requests and authenticate
-users in case the PDC is not available. During this time no changes to
-the SAM are possible. Whenever changes to the SAM are done on the PDC,
-all BDC receive the changes from the PDC.</P
-><P
->Since version 2.2 Samba officially supports domain logons for all
-current Windows Clients, including Windows 2000 and XP. This text
-assumes the domain to be named SAMBA. To be able to act as a PDC, some
-parameters in the [global]-section of the smb.conf have to be set:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->workgroup = SAMBA
-domain master = yes
-domain logons = yes</PRE
-></P
-><P
->Several other things like a [homes] and a [netlogon] share also may be
-set along with settings for the profile path, the users home drive and
-others. This will not be covered in this document.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2302"
-></A
->13.3. What qualifies a Domain Controller on the network?</H2
-><P
->Every machine that is a Domain Controller for the domain SAMBA has to
-register the NetBIOS group name SAMBA#1c with the WINS server and/or
-by broadcast on the local network. The PDC also registers the unique
-NetBIOS name SAMBA#1b with the WINS server. The name type #1b is
-normally reserved for the domain master browser, a role that has
-nothing to do with anything related to authentication, but the
-Microsoft Domain implementation requires the domain master browser to
-be on the same machine as the PDC.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2305"
-></A
->13.3.1. How does a Workstation find its domain controller?</H3
-><P
->A NT workstation in the domain SAMBA that wants a local user to be
-authenticated has to find the domain controller for SAMBA. It does
-this by doing a NetBIOS name query for the group name SAMBA#1c. It
-assumes that each of the machines it gets back from the queries is a
-domain controller and can answer logon requests. To not open security
-holes both the workstation and the selected (TODO: How is the DC
-chosen) domain controller authenticate each other. After that the
-workstation sends the user's credentials (his name and password) to
-the domain controller, asking for approval.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2308"
-></A
->13.3.2. When is the PDC needed?</H3
-><P
->Whenever a user wants to change his password, this has to be done on
-the PDC. To find the PDC, the workstation does a NetBIOS name query
-for SAMBA#1b, assuming this machine maintains the master copy of the
-SAM. The workstation contacts the PDC, both mutually authenticate and
-the password change is done.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2311"
-></A
->13.4. Can Samba be a Backup Domain Controller?</H2
-><P
->With version 2.2, no. The native NT SAM replication protocols have
-not yet been fully implemented. The Samba Team is working on
-understanding and implementing the protocols, but this work has not
-been finished for version 2.2.</P
-><P
->Can I get the benefits of a BDC with Samba? Yes. The main reason for
-implementing a BDC is availability. If the PDC is a Samba machine,
-a second Samba machine can be set up to
-service logon requests whenever the PDC is down.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2315"
-></A
->13.5. How do I set up a Samba BDC?</H2
-><P
->Several things have to be done:</P
-><P
-></P
-><UL
-><LI
-><P
->The domain SID has to be the same on the PDC and the BDC. This used to
-be stored in the file private/MACHINE.SID. This file is not created
-anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is
-stored in the file private/secrets.tdb. Simply copying the secrets.tdb
-from the PDC to the BDC does not work, as the BDC would
-generate a new SID for itself and override the domain SID with this
-new BDC SID.</P
-><P
->To retrieve the domain SID from the PDC or an existing BDC and store it in the
-secrets.tdb, execute 'net rpc getsid' on the BDC.</P
-></LI
-><LI
-><P
->The Unix user database has to be synchronized from the PDC to the
-BDC. This means that both the /etc/passwd and /etc/group have to be
-replicated from the PDC to the BDC. This can be done manually
-whenever changes are made, or the PDC is set up as a NIS master
-server and the BDC as a NIS slave server. To set up the BDC as a
-mere NIS client would not be enough, as the BDC would not be able to
-access its user database in case of a PDC failure.</P
-></LI
-><LI
-><P
->The Samba password database in the file private/smbpasswd has to be
-replicated from the PDC to the BDC. This is a bit tricky, see the
-next section.</P
-></LI
-><LI
-><P
->Any netlogon share has to be replicated from the PDC to the
-BDC. This can be done manually whenever login scripts are changed,
-or it can be done automatically together with the smbpasswd
-synchronization.</P
-></LI
-></UL
-><P
->Finally, the BDC has to be found by the workstations. This can be done
-by setting</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->workgroup = samba
-domain master = no
-domain logons = yes</PRE
-></P
-><P
->in the [global]-section of the smb.conf of the BDC. This makes the BDC
-only register the name SAMBA#1c with the WINS server. This is no
-problem as the name SAMBA#1c is a NetBIOS group name that is meant to
-be registered by more than one machine. The parameter 'domain master =
-no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS
-name is reserved for the Primary Domain Controller.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2332"
-></A
->13.5.1. How do I replicate the smbpasswd file?</H3
-><P
->Replication of the smbpasswd file is sensitive. It has to be done
-whenever changes to the SAM are made. Every user's password change is
-done in the smbpasswd file and has to be replicated to the BDC. So
-replicating the smbpasswd file very often is necessary.</P
-><P
->As the smbpasswd file contains plain text password equivalents, it
-must not be sent unencrypted over the wire. The best way to set up
-smbpasswd replication from the PDC to the BDC is to use the utility
-rsync. rsync can use ssh as a transport. ssh itself can be set up to
-accept *only* rsync transfer without requiring the user to type a
-password.</P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="SAMBA-LDAP-HOWTO"
-></A
->Chapter 14. Storing Samba's User/Machine Account information in an LDAP Directory</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN2353"
-></A
->14.1. Purpose</H2
-><P
->This document describes how to use an LDAP directory for storing Samba user
-account information traditionally stored in the smbpasswd(5) file. It is
-assumed that the reader already has a basic understanding of LDAP concepts
-and has a working directory server already installed. For more information
-on LDAP architectures and Directories, please refer to the following sites.</P
-><P
-></P
-><UL
-><LI
-><P
->OpenLDAP - <A
-HREF="http://www.openldap.org/"
-TARGET="_top"
->http://www.openldap.org/</A
-></P
-></LI
-><LI
-><P
->iPlanet Directory Server - <A
-HREF="http://iplanet.netscape.com/directory"
-TARGET="_top"
->http://iplanet.netscape.com/directory</A
-></P
-></LI
-></UL
-><P
->Note that <A
-HREF="http://www.ora.com/"
-TARGET="_top"
->O'Reilly Publishing</A
-> is working on
-a guide to LDAP for System Administrators which has a planned release date of
-early summer, 2002.</P
-><P
->Two additional Samba resources which may prove to be helpful are</P
-><P
-></P
-><UL
-><LI
-><P
->The <A
-HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html"
-TARGET="_top"
->Samba-PDC-LDAP-HOWTO</A
->
- maintained by Ignacio Coupeau.</P
-></LI
-><LI
-><P
->The NT migration scripts from <A
-HREF="http://samba.idealx.org/"
-TARGET="_top"
->IDEALX</A
-> that are
- geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2373"
-></A
->14.2. Introduction</H2
-><P
->Traditionally, when configuring <A
-HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
-TARGET="_top"
->"encrypt
-passwords = yes"</A
-> in Samba's <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file, user account
-information such as username, LM/NT password hashes, password change times, and account
-flags have been stored in the <TT
-CLASS="FILENAME"
->smbpasswd(5)</TT
-> file. There are several
-disadvantages to this approach for sites with very large numbers of users (counted
-in the thousands).</P
-><P
-></P
-><UL
-><LI
-><P
->The first is that all lookups must be performed sequentially. Given that
-there are approximately two lookups per domain logon (one for a normal
-session connection such as when mapping a network drive or printer), this
-is a performance bottleneck for lareg sites. What is needed is an indexed approach
-such as is used in databases.</P
-></LI
-><LI
-><P
->The second problem is that administrators who desired to replicate a
-smbpasswd file to more than one Samba server were left to use external
-tools such as <B
-CLASS="COMMAND"
->rsync(1)</B
-> and <B
-CLASS="COMMAND"
->ssh(1)</B
->
-and wrote custom, in-house scripts.</P
-></LI
-><LI
-><P
->And finally, the amount of information which is stored in an
-smbpasswd entry leaves no room for additional attributes such as
-a home directory, password expiration time, or even a Relative
-Identified (RID).</P
-></LI
-></UL
-><P
->As a result of these defeciencies, a more robust means of storing user attributes
-used by smbd was developed. The API which defines access to user accounts
-is commonly referred to as the samdb interface (previously this was called the passdb
-API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support
-for a samdb backend (e.g. <TT
-CLASS="PARAMETER"
-><I
->--with-ldapsam</I
-></TT
-> or
-<TT
-CLASS="PARAMETER"
-><I
->--with-tdbsam</I
-></TT
->) requires compile time support.</P
-><P
->When compiling Samba to include the <TT
-CLASS="PARAMETER"
-><I
->--with-ldapsam</I
-></TT
-> autoconf
-option, smbd (and associated tools) will store and lookup user accounts in
-an LDAP directory. In reality, this is very easy to understand. If you are
-comfortable with using an smbpasswd file, simply replace "smbpasswd" with
-"LDAP directory" in all the documentation.</P
-><P
->There are a few points to stress about what the <TT
-CLASS="PARAMETER"
-><I
->--with-ldapsam</I
-></TT
->
-does not provide. The LDAP support referred to in the this documentation does not
-include:</P
-><P
-></P
-><UL
-><LI
-><P
->A means of retrieving user account information from
- an Windows 2000 Active Directory server.</P
-></LI
-><LI
-><P
->A means of replacing /etc/passwd.</P
-></LI
-></UL
-><P
->The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
-versions of these libraries can be obtained from PADL Software
-(<A
-HREF="http://www.padl.com/"
-TARGET="_top"
->http://www.padl.com/</A
->). However,
-the details of configuring these packages are beyond the scope of this document.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2402"
-></A
->14.3. Supported LDAP Servers</H2
-><P
->The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP
-2.0 server and client libraries. The same code should be able to work with
-Netscape's Directory Server and client SDK. However, due to lack of testing
-so far, there are bound to be compile errors and bugs. These should not be
-hard to fix. If you are so inclined, please be sure to forward all patches to
-<A
-HREF="samba-patches@samba.org"
-TARGET="_top"
->samba-patches@samba.org</A
-> and
-<A
-HREF="jerry@samba.org"
-TARGET="_top"
->jerry@samba.org</A
->.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2407"
-></A
->14.4. Schema and Relationship to the RFC 2307 posixAccount</H2
-><P
->Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in
-<TT
-CLASS="FILENAME"
->examples/LDAP/samba.schema</TT
->. (Note that this schema
-file has been modified since the experimental support initially included
-in 2.2.2). The sambaAccount objectclass is given here:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
- DESC 'Samba Account'
- MUST ( uid $ rid )
- MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
- logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
- displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
- description $ userWorkstations $ primaryGroupID $ domain ))</PRE
-></P
-><P
->The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
-owned by the Samba Team and as such is legal to be openly published.
-If you translate the schema to be used with Netscape DS, please
-submit the modified schema file as a patch to <A
-HREF="jerry@samba.org"
-TARGET="_top"
->jerry@samba.org</A
-></P
-><P
->Just as the smbpasswd file is mean to store information which supplements a
-user's <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry, so is the sambaAccount object
-meant to supplement the UNIX user account information. A sambaAccount is a
-<TT
-CLASS="CONSTANT"
->STRUCTURAL</TT
-> objectclass so it can be stored individually
-in the directory. However, there are several fields (e.g. uid) which overlap
-with the posixAccount objectclass outlined in RFC2307. This is by design.</P
-><P
->In order to store all user account information (UNIX and Samba) in the directory,
-it is necessary to use the sambaAccount and posixAccount objectclasses in
-combination. However, smbd will still obtain the user's UNIX account
-information via the standard C library calls (e.g. getpwnam(), et. al.).
-This means that the Samba server must also have the LDAP NSS library installed
-and functioning correctly. This division of information makes it possible to
-store all Samba account information in LDAP, but still maintain UNIX account
-information in NIS while the network is transitioning to a full LDAP infrastructure.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2419"
-></A
->14.5. Configuring Samba with LDAP</H2
-><DIV
-CLASS="SECT2"
-><H3
-CLASS="SECT2"
-><A
-NAME="AEN2421"
-></A
->14.5.1. OpenLDAP configuration</H3
-><P
->To include support for the sambaAccount object in an OpenLDAP directory
-server, first copy the samba.schema file to slapd's configuration directory.</P
-><P
-><TT
-CLASS="PROMPT"
->root# </TT
-><B
-CLASS="COMMAND"
->cp samba.schema /etc/openldap/schema/</B
-></P
-><P
->Next, include the <TT
-CLASS="FILENAME"
->samba.schema</TT
-> file in <TT
-CLASS="FILENAME"
->slapd.conf</TT
->.
-The sambaAccount object contains two attributes which depend upon other schema
-files. The 'uid' attribute is defined in <TT
-CLASS="FILENAME"
->cosine.schema</TT
-> and
-the 'displayName' attribute is defined in the <TT
-CLASS="FILENAME"
->inetorgperson.schema</TT
->
-file. Both of these must be included before the <TT
-CLASS="FILENAME"
->samba.schema</TT
-> file.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->## /etc/openldap/slapd.conf
-
-## schema files (core.schema is required by default)
-include /etc/openldap/schema/core.schema
-
-## needed for sambaAccount
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/samba.schema
-
-## uncomment this line if you want to support the RFC2307 (NIS) schema
-## include /etc/openldap/schema/nis.schema
-
-....</PRE
-></P
-><P
->It is recommended that you maintain some indices on some of the most usefull attributes,
-like in the following example, to speed up searches made on sambaAccount objectclasses
-(and possibly posixAccount and posixGroup as well).</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-># Indices to maintain
-## required by OpenLDAP 2.0
-index objectclass eq
-
-## support pb_getsampwnam()
-index uid pres,eq
-## support pdb_getsambapwrid()
-index rid eq
-
-## uncomment these if you are storing posixAccount and
-## posixGroup entries in the directory as well
-##index uidNumber eq
-##index gidNumber eq
-##index cn eq
-##index memberUid eq</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2438"
-></A
->14.5.2. Configuring Samba</H3
-><P
->The following parameters are available in smb.conf only with <TT
-CLASS="PARAMETER"
-><I
->--with-ldapsam</I
-></TT
->
-was included with compiling Samba.</P
-><P
-></P
-><UL
-><LI
-><P
-><A
-HREF="smb.conf.5.html#LDAPSSL"
-TARGET="_top"
->ldap ssl</A
-></P
-></LI
-><LI
-><P
-><A
-HREF="smb.conf.5.html#LDAPSERVER"
-TARGET="_top"
->ldap server</A
-></P
-></LI
-><LI
-><P
-><A
-HREF="smb.conf.5.html#LDAPADMINDN"
-TARGET="_top"
->ldap admin dn</A
-></P
-></LI
-><LI
-><P
-><A
-HREF="smb.conf.5.html#LDAPSUFFIX"
-TARGET="_top"
->ldap suffix</A
-></P
-></LI
-><LI
-><P
-><A
-HREF="smb.conf.5.html#LDAPFILTER"
-TARGET="_top"
->ldap filter</A
-></P
-></LI
-><LI
-><P
-><A
-HREF="smb.conf.5.html#LDAPPORT"
-TARGET="_top"
->ldap port</A
-></P
-></LI
-></UL
-><P
->These are described in the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5)</A
-> man
-page and so will not be repeated here. However, a sample smb.conf file for
-use with an LDAP directory could appear as</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->## /usr/local/samba/lib/smb.conf
-[global]
- security = user
- encrypt passwords = yes
-
- netbios name = TASHTEGO
- workgroup = NARNIA
-
- # ldap related parameters
-
- # define the DN to use when binding to the directory servers
- # The password for this DN is not stored in smb.conf. Rather it
- # must be set by using 'smbpasswd -w <TT
-CLASS="REPLACEABLE"
-><I
->secretpw</I
-></TT
->' to store the
- # passphrase in the secrets.tdb file. If the "ldap admin dn" values
- # changes, this password will need to be reset.
- ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
-
- # specify the LDAP server's hostname (defaults to locahost)
- ldap server = ahab.samba.org
-
- # Define the SSL option when connecting to the directory
- # ('off', 'start tls', or 'on' (default))
- ldap ssl = start tls
-
- # define the port to use in the LDAP session (defaults to 636 when
- # "ldap ssl = on")
- ldap port = 389
-
- # specify the base DN to use when searching the directory
- ldap suffix = "ou=people,dc=samba,dc=org"
-
- # generally the default ldap search filter is ok
- # ldap filter = "(&amp;(uid=%u)(objectclass=sambaAccount))"</PRE
-></P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2466"
-></A
->14.6. Accounts and Groups management</H2
-><P
->As users accounts are managed thru the sambaAccount objectclass, you should
-modify you existing administration tools to deal with sambaAccount attributes.</P
-><P
->Machines accounts are managed with the sambaAccount objectclass, just
-like users accounts. However, it's up to you to stored thoses accounts
-in a different tree of you LDAP namespace: you should use
-"ou=Groups,dc=plainjoe,dc=org" to store groups and
-"ou=People,dc=plainjoe,dc=org" to store users. Just configure your
-NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
-file).</P
-><P
->In Samba release 2.2.3, the group management system is based on posix
-groups. This meand that Samba make usage of the posixGroup objectclass.
-For now, there is no NT-like group system management (global and local
-groups).</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2471"
-></A
->14.7. Security and sambaAccount</H2
-><P
->There are two important points to remember when discussing the security
-of sambaAccount entries in the directory.</P
-><P
-></P
-><UL
-><LI
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Never</I
-></SPAN
-> retrieve the lmPassword or
- ntPassword attribute values over an unencrypted LDAP session.</P
-></LI
-><LI
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Never</I
-></SPAN
-> allow non-admin users to
- view the lmPassword or ntPassword attribute values.</P
-></LI
-></UL
-><P
->These password hashes are clear text equivalents and can be used to impersonate
-the user without deriving the original clear text strings. For more information
-on the details of LM/NT password hashes, refer to the <A
-HREF="ENCRYPTION.html"
-TARGET="_top"
->ENCRYPTION chapter</A
-> of the Samba-HOWTO-Collection.</P
-><P
->To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
-to require an encrypted session (<B
-CLASS="COMMAND"
->ldap ssl = on</B
->) using
-the default port of 636
-when contacting the directory server. When using an OpenLDAP 2.0 server, it
-is possible to use the use the StartTLS LDAP extended operation in the place of
-LDAPS. In either case, you are strongly discouraged to disable this security
-(<B
-CLASS="COMMAND"
->ldap ssl = off</B
->).</P
-><P
->Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
-extended operation. However, the OpenLDAP library still provides support for
-the older method of securing communication between clients and servers.</P
-><P
->The second security precaution is to prevent non-administrative users from
-harvesting password hashes from the directory. This can be done using the
-following ACL in <TT
-CLASS="FILENAME"
->slapd.conf</TT
->:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->## allow the "ldap admin dn" access, but deny everyone else
-access to attrs=lmPassword,ntPassword
- by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
- by * none</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2491"
-></A
->14.8. LDAP specials attributes for sambaAccounts</H2
-><P
->The sambaAccount objectclass is composed of the following attributes:</P
-><P
-></P
-><UL
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->lmPassword</TT
->: the LANMAN password 16-byte hash stored as a character
- representation of a hexidecimal string.</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->ntPassword</TT
->: the NT password hash 16-byte stored as a character
- representation of a hexidecimal string.</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->pwdLastSet</TT
->: The integer time in seconds since 1970 when the
- <TT
-CLASS="CONSTANT"
->lmPassword</TT
-> and <TT
-CLASS="CONSTANT"
->ntPassword</TT
-> attributes were last set.
- </P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->acctFlags</TT
->: string of 11 characters surrounded by square brackets []
- representing account flags such as U (user), W(workstation), X(no password expiration), and
- D(disabled).</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->logonTime</TT
->: Integer value currently unused</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->logoffTime</TT
->: Integer value currently unused</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->kickoffTime</TT
->: Integer value currently unused</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->pwdCanChange</TT
->: Integer value currently unused</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->pwdMustChange</TT
->: Integer value currently unused</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->homeDrive</TT
->: specifies the drive letter to which to map the
- UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
- where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
- smb.conf(5) man page for more information.</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->scriptPath</TT
->: The scriptPath property specifies the path of
- the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
- is relative to the netlogon share. Refer to the "logon script" parameter in the
- smb.conf(5) man page for more information.</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->profilePath</TT
->: specifies a path to the user's profile.
- This value can be a null string, a local absolute path, or a UNC path. Refer to the
- "logon path" parameter in the smb.conf(5) man page for more information.</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->smbHome</TT
->: The homeDirectory property specifies the path of
- the home directory for the user. The string can be null. If homeDrive is set and specifies
- a drive letter, homeDirectory should be a UNC path. The path must be a network
- UNC path of the form \\server\share\directory. This value can be a null string.
- Refer to the "logon home" parameter in the smb.conf(5) man page for more information.
- </P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->userWorkstation</TT
->: character string value currently unused.
- </P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->rid</TT
->: the integer representation of the user's relative identifier
- (RID).</P
-></LI
-><LI
-><P
-><TT
-CLASS="CONSTANT"
->primaryGroupID</TT
->: the relative identifier (RID) of the primary group
- of the user.</P
-></LI
-></UL
-><P
->The majority of these parameters are only used when Samba is acting as a PDC of
-a domain (refer to the <A
-HREF="Samba-PDC-HOWTO.html"
-TARGET="_top"
->Samba-PDC-HOWTO</A
-> for details on
-how to configure Samba as a Primary Domain Controller). The following four attributes
-are only stored with the sambaAccount entry if the values are non-default values:</P
-><P
-></P
-><UL
-><LI
-><P
->smbHome</P
-></LI
-><LI
-><P
->scriptPath</P
-></LI
-><LI
-><P
->logonPath</P
-></LI
-><LI
-><P
->homeDrive</P
-></LI
-></UL
-><P
->These attributes are only stored with the sambaAccount entry if
-the values are non-default values. For example, assume TASHTEGO has now been
-configured as a PDC and that <B
-CLASS="COMMAND"
->logon home = \\%L\%u</B
-> was defined in
-its <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file. When a user named "becky" logons to the domain,
-the <TT
-CLASS="PARAMETER"
-><I
->logon home</I
-></TT
-> string is expanded to \\TASHTEGO\becky.
-If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
-this value is used. However, if this attribute does not exist, then the value
-of the <TT
-CLASS="PARAMETER"
-><I
->logon home</I
-></TT
-> parameter is used in its place. Samba
-will only write the attribute value to the directory entry is the value is
-something other than the default (e.g. \\MOBY\becky).</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2561"
-></A
->14.9. Example LDIF Entries for a sambaAccount</H2
-><P
->The following is a working LDIF with the inclusion of the posixAccount objectclass:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->dn: uid=guest2, ou=people,dc=plainjoe,dc=org
-ntPassword: 878D8014606CDA29677A44EFA1353FC7
-pwdMustChange: 2147483647
-primaryGroupID: 1201
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-pwdLastSet: 1010179124
-logonTime: 0
-objectClass: sambaAccount
-uid: guest2
-kickoffTime: 2147483647
-acctFlags: [UX ]
-logoffTime: 2147483647
-rid: 19006
-pwdCanChange: 0</PRE
-></P
-><P
->The following is an LDIF entry for using both the sambaAccount and
-posixAccount objectclasses:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
-logonTime: 0
-displayName: Gerald Carter
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-primaryGroupID: 1201
-objectClass: posixAccount
-objectClass: sambaAccount
-acctFlags: [UX ]
-userPassword: {crypt}BpM2ej8Rkzogo
-uid: gcarter
-uidNumber: 9000
-cn: Gerald Carter
-loginShell: /bin/bash
-logoffTime: 2147483647
-gidNumber: 100
-kickoffTime: 2147483647
-pwdLastSet: 1010179230
-rid: 19000
-homeDirectory: /home/tashtego/gcarter
-pwdCanChange: 0
-pwdMustChange: 2147483647
-ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2569"
-></A
->14.10. Comments</H2
-><P
->Please mail all comments regarding this HOWTO to <A
-HREF="mailto:jerry@samba.org"
-TARGET="_top"
->jerry@samba.org</A
->. This documents was
-last updated to reflect the Samba 2.2.3 release.&#13;</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="ADS"
-></A
->Chapter 15. Using samba 3.0 with ActiveDirectory support</H1
-><P
->This is a VERY ROUGH guide to setting up the current (November 2001)
-pre-alpha version of Samba 3.0 with kerberos authentication against a
-Windows2000 KDC. The procedures listed here are likely to change as
-the code develops.</P
-><P
->Pieces you need before you begin:
-<P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->a Windows 2000 server.</TD
-></TR
-><TR
-><TD
->samba 3.0 or higher.</TD
-></TR
-><TR
-><TD
->the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
-></TR
-><TR
-><TD
->the OpenLDAP development libraries.</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
-></P
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2587"
-></A
->15.1. Installing the required packages for Debian</H2
-><P
->On Debian you need to install the following packages:
-<P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->libkrb5-dev</TD
-></TR
-><TR
-><TD
->krb5-user</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2593"
-></A
->15.2. Installing the required packages for RedHat</H2
-><P
->On RedHat this means you should have at least:
-<P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->krb5-workstation (for kinit)</TD
-></TR
-><TR
-><TD
->krb5-libs (for linking with)</TD
-></TR
-><TR
-><TD
->krb5-devel (because you are compiling from source)</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
-></P
-><P
->in addition to the standard development environment.</P
-><P
->Note that these are not standard on a RedHat install, and you may need
-to get them off CD2.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2602"
-></A
->15.3. Compile Samba</H2
-><P
->If your kerberos libraries are in a non-standard location then
- remember to add the configure option --with-krb5=DIR.</P
-><P
->After you run configure make sure that include/config.h contains
- lines like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#define HAVE_KRB5 1
-#define HAVE_LDAP 1</PRE
-></P
-><P
->If it doesn't then configure did not find your krb5 libraries or
- your ldap libraries. Look in config.log to figure out why and fix
- it.</P
-><P
->Then compile and install Samba as usual. You must use at least the
- following 3 options in smb.conf:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> realm = YOUR.KERBEROS.REALM
- ads server = your.kerberos.server
- security = ADS
- encrypt passwords = yes</PRE
-></P
-><P
->Strictly speaking, you can omit the realm name and you can use an IP
- address for the ads server. In that case Samba will auto-detect these.</P
-><P
->You do *not* need a smbpasswd file, although it won't do any harm
- and if you have one then Samba will be able to fall back to normal
- password security for older clients. I expect that the above
- required options will change soon when we get better active
- directory integration.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2614"
-></A
->15.4. Setup your /etc/krb5.conf</H2
-><P
->The minimal configuration for krb5.conf is:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> [realms]
- YOUR.KERBEROS.REALM = {
- kdc = your.kerberos.server
- }</PRE
-></P
-><P
->Test your config by doing a "kinit USERNAME@REALM" and making sure that
- your password is accepted by the Win2000 KDC. </P
-><P
->NOTE: The realm must be uppercase. </P
-><P
->You also must ensure that you can do a reverse DNS lookup on the IP
-address of your KDC. Also, the name that this reverse lookup maps to
-must either be the netbios name of the KDC (ie. the hostname with no
-domain attached) or it can alternatively be the netbios name
-followed by the realm. </P
-><P
->The easiest way to ensure you get this right is to add a /etc/hosts
-entry mapping the IP address of your KDC to its netbios name. If you
-don't get this right then you will get a "local error" when you try
-to join the realm.</P
-><P
->If all you want is kerberos support in smbclient then you can skip
-straight to step 5 now. Step 3 is only needed if you want kerberos
-support in smbd.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2624"
-></A
->15.5. Create the computer account</H2
-><P
->Do a "kinit" as a user that has authority to change arbitrary
-passwords on the KDC ("Administrator" is a good choice). Then as a
-user that has write permission on the Samba private directory
-(usually root) run:
-<B
-CLASS="COMMAND"
->net ads join</B
-></P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2628"
-></A
->15.5.1. Possible errors</H3
-><P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->"bash: kinit: command not found"</DT
-><DD
-><P
->kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
-></DD
-><DT
->"ADS support not compiled in"</DT
-><DD
-><P
->Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
-></DD
-></DL
-></DIV
-></P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2640"
-></A
->15.6. Test your server setup</H2
-><P
->On a Windows 2000 client try <B
-CLASS="COMMAND"
->net use * \\server\share</B
->. You should
-be logged in with kerberos without needing to know a password. If
-this fails then run <B
-CLASS="COMMAND"
->klist tickets</B
->. Did you get a ticket for the
-server? Does it have an encoding type of DES-CBC-MD5 ? </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2645"
-></A
->15.7. Testing with smbclient</H2
-><P
->On your Samba server try to login to a Win2000 server or your Samba
-server using smbclient and kerberos. Use smbclient as usual, but
-specify the -k option to choose kerberos authentication.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2648"
-></A
->15.8. Notes</H2
-><P
->You must change administrator password at least once after DC install,
- to create the right encoding types</P
-><P
->w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
- their defaults DNS setup. Maybe fixed in service packs?</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="IMPROVED-BROWSING"
-></A
->Chapter 16. Improved browsing in samba</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN2659"
-></A
->16.1. Overview of browsing</H2
-><P
->SMB networking provides a mechanism by which clients can access a list
-of machines in a network, a so-called "browse list". This list
-contains machines that are ready to offer file and/or print services
-to other machines within the network. Thus it does not include
-machines which aren't currently able to do server tasks. The browse
-list is heavily used by all SMB clients. Configuration of SMB
-browsing has been problematic for some Samba users, hence this
-document.</P
-><P
->Browsing will NOT work if name resolution from NetBIOS names to IP
-addresses does not function correctly. Use of a WINS server is highly
-recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
-WINS allows remote segment clients to obtain NetBIOS name_type information
-that can NOT be provided by any other means of name resolution.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2663"
-></A
->16.2. Browsing support in samba</H2
-><P
->Samba now fully supports browsing. The browsing is supported by nmbd
-and is also controlled by options in the smb.conf file (see smb.conf(5)).</P
-><P
->Samba can act as a local browse master for a workgroup and the ability
-for samba to support domain logons and scripts is now available. See
-DOMAIN.txt for more information on domain logons.</P
-><P
->Samba can also act as a domain master browser for a workgroup. This
-means that it will collate lists from local browse masters into a
-wide area network server list. In order for browse clients to
-resolve the names they may find in this list, it is recommended that
-both samba and your clients use a WINS server.</P
-><P
->Note that you should NOT set Samba to be the domain master for a
-workgroup that has the same name as an NT Domain: on each wide area
-network, you must only ever have one domain master browser per workgroup,
-regardless of whether it is NT, Samba or any other type of domain master
-that is providing this service.</P
-><P
->[Note that nmbd can be configured as a WINS server, but it is not
-necessary to specifically use samba as your WINS server. NTAS can
-be configured as your WINS server. In a mixed NT server and
-samba environment on a Wide Area Network, it is recommended that
-you use the NT server's WINS server capabilities. In a samba-only
-environment, it is recommended that you use one and only one nmbd
-as your WINS server].</P
-><P
->To get browsing to work you need to run nmbd as usual, but will need
-to use the "workgroup" option in smb.conf to control what workgroup
-Samba becomes a part of.</P
-><P
->Samba also has a useful option for a Samba server to offer itself for
-browsing on another subnet. It is recommended that this option is only
-used for 'unusual' purposes: announcements over the internet, for
-example. See "remote announce" in the smb.conf man page. </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2672"
-></A
->16.3. Problem resolution</H2
-><P
->If something doesn't work then hopefully the log.nmb file will help
-you track down the problem. Try a debug level of 2 or 3 for finding
-problems. Also note that the current browse list usually gets stored
-in text form in a file called browse.dat.</P
-><P
->Note that if it doesn't work for you, then you should still be able to
-type the server name as \\SERVER in filemanager then hit enter and
-filemanager should display the list of available shares.</P
-><P
->Some people find browsing fails because they don't have the global
-"guest account" set to a valid account. Remember that the IPC$
-connection that lists the shares is done as guest, and thus you must
-have a valid guest account.</P
-><P
->Also, a lot of people are getting bitten by the problem of too many
-parameters on the command line of nmbd in inetd.conf. This trick is to
-not use spaces between the option and the parameter (eg: -d2 instead
-of -d 2), and to not use the -B and -N options. New versions of nmbd
-are now far more likely to correctly find your broadcast and network
-address, so in most cases these aren't needed.</P
-><P
->The other big problem people have is that their broadcast address,
-netmask or IP address is wrong (specified with the "interfaces" option
-in smb.conf)</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2679"
-></A
->16.4. Browsing across subnets</H2
-><P
->With the release of Samba 1.9.17(alpha1 and above) Samba has been
-updated to enable it to support the replication of browse lists
-across subnet boundaries. New code and options have been added to
-achieve this. This section describes how to set this feature up
-in different settings.</P
-><P
->To see browse lists that span TCP/IP subnets (ie. networks separated
-by routers that don't pass broadcast traffic) you must set up at least
-one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
-NetBIOS name to IP address translation to be done by doing a direct
-query of the WINS server. This is done via a directed UDP packet on
-port 137 to the WINS server machine. The reason for a WINS server is
-that by default, all NetBIOS name to IP address translation is done
-by broadcasts from the querying machine. This means that machines
-on one subnet will not be able to resolve the names of machines on
-another subnet without using a WINS server.</P
-><P
->Remember, for browsing across subnets to work correctly, all machines,
-be they Windows 95, Windows NT, or Samba servers must have the IP address
-of a WINS server given to them by a DHCP server, or by manual configuration
-(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
-settings) for Samba this is in the smb.conf file.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2684"
-></A
->16.4.1. How does cross subnet browsing work ?</H3
-><P
->Cross subnet browsing is a complicated dance, containing multiple
-moving parts. It has taken Microsoft several years to get the code
-that achieves this correct, and Samba lags behind in some areas.
-However, with the 1.9.17 release, Samba is capable of cross subnet
-browsing when configured correctly.</P
-><P
->Consider a network set up as follows :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> (DMB)
- N1_A N1_B N1_C N1_D N1_E
- | | | | |
- -------------------------------------------------------
- | subnet 1 |
- +---+ +---+
- |R1 | Router 1 Router 2 |R2 |
- +---+ +---+
- | |
- | subnet 2 subnet 3 |
- -------------------------- ------------------------------------
- | | | | | | | |
- N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
- (WINS)</PRE
-></P
-><P
->Consisting of 3 subnets (1, 2, 3) connected by two routers
-(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
-on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
-for the moment that all these machines are configured to be in the
-same workgroup (for simplicities sake). Machine N1_C on subnet 1
-is configured as Domain Master Browser (ie. it will collate the
-browse lists for the workgroup). Machine N2_D is configured as
-WINS server and all the other machines are configured to register
-their NetBIOS names with it.</P
-><P
->As all these machines are booted up, elections for master browsers
-will take place on each of the three subnets. Assume that machine
-N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
-subnet 3 - these machines are known as local master browsers for
-their particular subnet. N1_C has an advantage in winning as the
-local master browser on subnet 1 as it is set up as Domain Master
-Browser.</P
-><P
->On each of the three networks, machines that are configured to
-offer sharing services will broadcast that they are offering
-these services. The local master browser on each subnet will
-receive these broadcasts and keep a record of the fact that
-the machine is offering a service. This list of records is
-the basis of the browse list. For this case, assume that
-all the machines are configured to offer services so all machines
-will be on the browse list.</P
-><P
->For each network, the local master browser on that network is
-considered 'authoritative' for all the names it receives via
-local broadcast. This is because a machine seen by the local
-master browser via a local broadcast must be on the same
-network as the local master browser and thus is a 'trusted'
-and 'verifiable' resource. Machines on other networks that
-the local master browsers learn about when collating their
-browse lists have not been directly seen - these records are
-called 'non-authoritative'.</P
-><P
->At this point the browse lists look as follows (these are
-the machines you would see in your network neighborhood if
-you looked in it on a particular network right now).</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
-
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D</PRE
-></P
-><P
->Note that at this point all the subnets are separate, no
-machine is seen across any of the subnets.</P
-><P
->Now examine subnet 2. As soon as N2_B has become the local
-master browser it looks for a Domain master browser to synchronize
-its browse list with. It does this by querying the WINS server
-(N2_D) for the IP address associated with the NetBIOS name
-WORKGROUP&gt;1B&lt;. This name was registerd by the Domain master
-browser (N1_C) with the WINS server as soon as it was booted.</P
-><P
->Once N2_B knows the address of the Domain master browser it
-tells it that is the local master browser for subnet 2 by
-sending a MasterAnnouncement packet as a UDP port 138 packet.
-It then synchronizes with it by doing a NetServerEnum2 call. This
-tells the Domain Master Browser to send it all the server
-names it knows about. Once the domain master browser receives
-the MasterAnnouncement packet it schedules a synchronization
-request to the sender of that packet. After both synchronizations
-are done the browse lists look like :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
- N2_A(*), N2_B(*), N2_C(*), N2_D(*)
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
-
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
-
-Servers with a (*) after them are non-authoritative names.</PRE
-></P
-><P
->At this point users looking in their network neighborhood on
-subnets 1 or 2 will see all the servers on both, users on
-subnet 3 will still only see the servers on their own subnet.</P
-><P
->The same sequence of events that occured for N2_B now occurs
-for the local master browser on subnet 3 (N3_D). When it
-synchronizes browse lists with the domain master browser (N1_A)
-it gets both the server entries on subnet 1, and those on
-subnet 2. After N3_D has synchronized with N1_C and vica-versa
-the browse lists look like.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
- N2_A(*), N2_B(*), N2_C(*), N2_D(*),
- N3_A(*), N3_B(*), N3_C(*), N3_D(*)
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
-
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
- N2_A(*), N2_B(*), N2_C(*), N2_D(*)
-
-Servers with a (*) after them are non-authoritative names.</PRE
-></P
-><P
->At this point users looking in their network neighborhood on
-subnets 1 or 3 will see all the servers on all sunbets, users on
-subnet 2 will still only see the servers on subnets 1 and 2, but not 3.</P
-><P
->Finally, the local master browser for subnet 2 (N2_B) will sync again
-with the domain master browser (N1_C) and will recieve the missing
-server entries. Finally - and as a steady state (if no machines
-are removed or shut off) the browse lists will look like :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->Subnet Browse Master List
------- ------------- ----
-Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E,
- N2_A(*), N2_B(*), N2_C(*), N2_D(*),
- N3_A(*), N3_B(*), N3_C(*), N3_D(*)
-
-Subnet2 N2_B N2_A, N2_B, N2_C, N2_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
- N3_A(*), N3_B(*), N3_C(*), N3_D(*)
-
-Subnet3 N3_D N3_A, N3_B, N3_C, N3_D
- N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*),
- N2_A(*), N2_B(*), N2_C(*), N2_D(*)
-
-Servers with a (*) after them are non-authoritative names.</PRE
-></P
-><P
->Synchronizations between the domain master browser and local
-master browsers will continue to occur, but this should be a
-steady state situation.</P
-><P
->If either router R1 or R2 fails the following will occur:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> Names of computers on each side of the inaccessible network fragments
- will be maintained for as long as 36 minutes, in the network neighbourhood
- lists.
- </P
-></LI
-><LI
-><P
-> Attempts to connect to these inaccessible computers will fail, but the
- names will not be removed from the network neighbourhood lists.
- </P
-></LI
-><LI
-><P
-> If one of the fragments is cut off from the WINS server, it will only
- be able to access servers on its local subnet, by using subnet-isolated
- broadcast NetBIOS name resolution. The effects are similar to that of
- losing access to a DNS server.
- </P
-></LI
-></OL
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2719"
-></A
->16.5. Setting up a WINS server</H2
-><P
->Either a Samba machine or a Windows NT Server machine may be set up
-as a WINS server. To set a Samba machine to be a WINS server you must
-add the following option to the smb.conf file on the selected machine :
-in the [globals] section add the line </P
-><P
-><B
-CLASS="COMMAND"
-> wins support = yes</B
-></P
-><P
->Versions of Samba previous to 1.9.17 had this parameter default to
-yes. If you have any older versions of Samba on your network it is
-strongly suggested you upgrade to 1.9.17 or above, or at the very
-least set the parameter to 'no' on all these machines.</P
-><P
->Machines with "<B
-CLASS="COMMAND"
->wins support = yes</B
->" will keep a list of
-all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P
-><P
->You should set up only ONE wins server. Do NOT set the
-"<B
-CLASS="COMMAND"
->wins support = yes</B
->" option on more than one Samba
-server.</P
-><P
->To set up a Windows NT Server as a WINS server you need to set up
-the WINS service - see your NT documentation for details. Note that
-Windows NT WINS Servers can replicate to each other, allowing more
-than one to be set up in a complex subnet environment. As Microsoft
-refuse to document these replication protocols Samba cannot currently
-participate in these replications. It is possible in the future that
-a Samba-&#62;Samba WINS replication protocol may be defined, in which
-case more than one Samba machine could be set up as a WINS server
-but currently only one Samba server should have the "wins support = yes"
-parameter set.</P
-><P
->After the WINS server has been configured you must ensure that all
-machines participating on the network are configured with the address
-of this WINS server. If your WINS server is a Samba machine, fill in
-the Samba machine IP address in the "Primary WINS Server" field of
-the "Control Panel-&#62;Network-&#62;Protocols-&#62;TCP-&#62;WINS Server" dialogs
-in Windows 95 or Windows NT. To tell a Samba server the IP address
-of the WINS server add the following line to the [global] section of
-all smb.conf files :</P
-><P
-><B
-CLASS="COMMAND"
-> wins server = &gt;name or IP address&lt;</B
-></P
-><P
->where &gt;name or IP address&lt; is either the DNS name of the WINS server
-machine or its IP address.</P
-><P
->Note that this line MUST NOT BE SET in the smb.conf file of the Samba
-server acting as the WINS server itself. If you set both the
-"<B
-CLASS="COMMAND"
->wins support = yes</B
->" option and the
-"<B
-CLASS="COMMAND"
->wins server = &gt;name&lt;</B
->" option then
-nmbd will fail to start.</P
-><P
->There are two possible scenarios for setting up cross subnet browsing.
-The first details setting up cross subnet browsing on a network containing
-Windows 95, Samba and Windows NT machines that are not configured as
-part of a Windows NT Domain. The second details setting up cross subnet
-browsing on networks that contain NT Domains.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2738"
-></A
->16.6. Setting up Browsing in a WORKGROUP</H2
-><P
->To set up cross subnet browsing on a network containing machines
-in up to be in a WORKGROUP, not an NT Domain you need to set up one
-Samba server to be the Domain Master Browser (note that this is *NOT*
-the same as a Primary Domain Controller, although in an NT Domain the
-same machine plays both roles). The role of a Domain master browser is
-to collate the browse lists from local master browsers on all the
-subnets that have a machine participating in the workgroup. Without
-one machine configured as a domain master browser each subnet would
-be an isolated workgroup, unable to see any machines on any other
-subnet. It is the presense of a domain master browser that makes
-cross subnet browsing possible for a workgroup.</P
-><P
->In an WORKGROUP environment the domain master browser must be a
-Samba server, and there must only be one domain master browser per
-workgroup name. To set up a Samba server as a domain master browser,
-set the following option in the [global] section of the smb.conf file :</P
-><P
-><B
-CLASS="COMMAND"
-> domain master = yes</B
-></P
-><P
->The domain master browser should also preferrably be the local master
-browser for its own subnet. In order to achieve this set the following
-options in the [global] section of the smb.conf file :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> domain master = yes
- local master = yes
- preferred master = yes
- os level = 65</PRE
-></P
-><P
->The domain master browser may be the same machine as the WINS
-server, if you require.</P
-><P
->Next, you should ensure that each of the subnets contains a
-machine that can act as a local master browser for the
-workgroup. Any NT machine should be able to do this, as will
-Windows 95 machines (although these tend to get rebooted more
-often, so it's not such a good idea to use these). To make a
-Samba server a local master browser set the following
-options in the [global] section of the smb.conf file :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> domain master = no
- local master = yes
- preferred master = yes
- os level = 65</PRE
-></P
-><P
->Do not do this for more than one Samba server on each subnet,
-or they will war with each other over which is to be the local
-master browser.</P
-><P
->The "local master" parameter allows Samba to act as a local master
-browser. The "preferred master" causes nmbd to force a browser
-election on startup and the "os level" parameter sets Samba high
-enough so that it should win any browser elections.</P
-><P
->If you have an NT machine on the subnet that you wish to
-be the local master browser then you can disable Samba from
-becoming a local master browser by setting the following
-options in the [global] section of the smb.conf file :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> domain master = no
- local master = no
- preferred master = no
- os level = 0</PRE
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2756"
-></A
->16.7. Setting up Browsing in a DOMAIN</H2
-><P
->If you are adding Samba servers to a Windows NT Domain then
-you must not set up a Samba server as a domain master browser.
-By default, a Windows NT Primary Domain Controller for a Domain
-name is also the Domain master browser for that name, and many
-things will break if a Samba server registers the Domain master
-browser NetBIOS name (DOMAIN&gt;1B&lt;) with WINS instead of the PDC.</P
-><P
->For subnets other than the one containing the Windows NT PDC
-you may set up Samba servers as local master browsers as
-described. To make a Samba server a local master browser set
-the following options in the [global] section of the smb.conf
-file :</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> domain master = no
- local master = yes
- preferred master = yes
- os level = 65</PRE
-></P
-><P
->If you wish to have a Samba server fight the election with machines
-on the same subnet you may set the "os level" parameter to lower
-levels. By doing this you can tune the order of machines that
-will become local master browsers if they are running. For
-more details on this see the section "FORCING SAMBA TO BE THE MASTER"
-below.</P
-><P
->If you have Windows NT machines that are members of the domain
-on all subnets, and you are sure they will always be running then
-you can disable Samba from taking part in browser elections and
-ever becoming a local master browser by setting following options
-in the [global] section of the smb.conf file :</P
-><P
-><B
-CLASS="COMMAND"
-> domain master = no
- local master = no
- preferred master = no
- os level = 0</B
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2766"
-></A
->16.8. Forcing samba to be the master</H2
-><P
->Who becomes the "master browser" is determined by an election process
-using broadcasts. Each election packet contains a number of parameters
-which determine what precedence (bias) a host should have in the
-election. By default Samba uses a very low precedence and thus loses
-elections to just about anyone else.</P
-><P
->If you want Samba to win elections then just set the "os level" global
-option in smb.conf to a higher number. It defaults to 0. Using 34
-would make it win all elections over every other system (except other
-samba systems!)</P
-><P
->A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A
-NTAS domain controller uses level 32.</P
-><P
->The maximum os level is 255</P
-><P
->If you want samba to force an election on startup, then set the
-"preferred master" global option in smb.conf to "yes". Samba will
-then have a slight advantage over other potential master browsers
-that are not preferred master browsers. Use this parameter with
-care, as if you have two hosts (whether they are windows 95 or NT or
-samba) on the same local subnet both set with "preferred master" to
-"yes", then periodically and continually they will force an election
-in order to become the local master browser.</P
-><P
->If you want samba to be a "domain master browser", then it is
-recommended that you also set "preferred master" to "yes", because
-samba will not become a domain master browser for the whole of your
-LAN or WAN if it is not also a local master browser on its own
-broadcast isolated subnet.</P
-><P
->It is possible to configure two samba servers to attempt to become
-the domain master browser for a domain. The first server that comes
-up will be the domain master browser. All other samba servers will
-attempt to become the domain master browser every 5 minutes. They
-will find that another samba server is already the domain master
-browser and will fail. This provides automatic redundancy, should
-the current domain master browser fail.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2775"
-></A
->16.9. Making samba the domain master</H2
-><P
->The domain master is responsible for collating the browse lists of
-multiple subnets so that browsing can occur between subnets. You can
-make samba act as the domain master by setting "domain master = yes"
-in smb.conf. By default it will not be a domain master.</P
-><P
->Note that you should NOT set Samba to be the domain master for a
-workgroup that has the same name as an NT Domain.</P
-><P
->When samba is the domain master and the master browser it will listen
-for master announcements (made roughly every twelve minutes) from local
-master browsers on other subnets and then contact them to synchronise
-browse lists.</P
-><P
->If you want samba to be the domain master then I suggest you also set
-the "os level" high enough to make sure it wins elections, and set
-"preferred master" to "yes", to get samba to force an election on
-startup.</P
-><P
->Note that all your servers (including samba) and clients should be
-using a WINS server to resolve NetBIOS names. If your clients are only
-using broadcasting to resolve NetBIOS names, then two things will occur:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> your local master browsers will be unable to find a domain master
- browser, as it will only be looking on the local subnet.
- </P
-></LI
-><LI
-><P
-> if a client happens to get hold of a domain-wide browse list, and
- a user attempts to access a host in that list, it will be unable to
- resolve the NetBIOS name of that host.
- </P
-></LI
-></OL
-><P
->If, however, both samba and your clients are using a WINS server, then:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> your local master browsers will contact the WINS server and, as long as
- samba has registered that it is a domain master browser with the WINS
- server, your local master browser will receive samba's ip address
- as its domain master browser.
- </P
-></LI
-><LI
-><P
-> when a client receives a domain-wide browse list, and a user attempts
- to access a host in that list, it will contact the WINS server to
- resolve the NetBIOS name of that host. as long as that host has
- registered its NetBIOS name with the same WINS server, the user will
- be able to see that host.
- </P
-></LI
-></OL
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2793"
-></A
->16.10. Note about broadcast addresses</H2
-><P
->If your network uses a "0" based broadcast address (for example if it
-ends in a 0) then you will strike problems. Windows for Workgroups
-does not seem to support a 0's broadcast and you will probably find
-that browsing and name lookups won't work.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2796"
-></A
->16.11. Multiple interfaces</H2
-><P
->Samba now supports machines with multiple network interfaces. If you
-have multiple interfaces then you will need to use the "interfaces"
-option in smb.conf to configure them. See smb.conf(5) for details.</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="SPEED"
-></A
->Chapter 17. Samba performance issues</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN2814"
-></A
->17.1. Comparisons</H2
-><P
->The Samba server uses TCP to talk to the client. Thus if you are
-trying to see if it performs well you should really compare it to
-programs that use the same protocol. The most readily available
-programs for file transfer that use TCP are ftp or another TCP based
-SMB server.</P
-><P
->If you want to test against something like a NT or WfWg server then
-you will have to disable all but TCP on either the client or
-server. Otherwise you may well be using a totally different protocol
-(such as Netbeui) and comparisons may not be valid.</P
-><P
->Generally you should find that Samba performs similarly to ftp at raw
-transfer speed. It should perform quite a bit faster than NFS,
-although this very much depends on your system.</P
-><P
->Several people have done comparisons between Samba and Novell, NFS or
-WinNT. In some cases Samba performed the best, in others the worst. I
-suspect the biggest factor is not Samba vs some other system but the
-hardware and drivers used on the various systems. Given similar
-hardware Samba should certainly be competitive in speed with other
-systems.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2820"
-></A
->17.2. Oplocks</H2
-><DIV
-CLASS="SECT2"
-><H3
-CLASS="SECT2"
-><A
-NAME="AEN2822"
-></A
->17.2.1. Overview</H3
-><P
->Oplocks are the way that SMB clients get permission from a server to
-locally cache file operations. If a server grants an oplock
-(opportunistic lock) then the client is free to assume that it is the
-only one accessing the file and it will agressively cache file
-data. With some oplock types the client may even cache file open/close
-operations. This can give enormous performance benefits.</P
-><P
->With the release of Samba 1.9.18 we now correctly support opportunistic
-locks. This is turned on by default, and can be turned off on a share-
-by-share basis by setting the parameter :</P
-><P
-><B
-CLASS="COMMAND"
->oplocks = False</B
-></P
-><P
->We recommend that you leave oplocks on however, as current benchmark
-tests with NetBench seem to give approximately a 30% improvement in
-speed with them on. This is on average however, and the actual
-improvement seen can be orders of magnitude greater, depending on
-what the client redirector is doing.</P
-><P
->Previous to Samba 1.9.18 there was a 'fake oplocks' option. This
-option has been left in the code for backwards compatibility reasons
-but it's use is now deprecated. A short summary of what the old
-code did follows.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2830"
-></A
->17.2.2. Level2 Oplocks</H3
-><P
->With Samba 2.0.5 a new capability - level2 (read only) oplocks is
-supported (although the option is off by default - see the smb.conf
-man page for details). Turning on level2 oplocks (on a share-by-share basis)
-by setting the parameter :</P
-><P
-><B
-CLASS="COMMAND"
->level2 oplocks = true</B
-></P
-><P
->should speed concurrent access to files that are not commonly written
-to, such as application serving shares (ie. shares that contain common
-.EXE files - such as a Microsoft Office share) as it allows clients to
-read-ahread cache copies of these files.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2836"
-></A
->17.2.3. Old 'fake oplocks' option - deprecated</H3
-><P
->Samba can also fake oplocks, by granting a oplock whenever a client
-asks for one. This is controlled using the smb.conf option "fake
-oplocks". If you set "fake oplocks = yes" then you are telling the
-client that it may agressively cache the file data for all opens.</P
-><P
->Enabling 'fake oplocks' on all read-only shares or shares that you know
-will only be accessed from one client at a time you will see a big
-performance improvement on many operations. If you enable this option
-on shares where multiple clients may be accessing the files read-write
-at the same time you can get data corruption.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2840"
-></A
->17.3. Socket options</H2
-><P
->There are a number of socket options that can greatly affect the
-performance of a TCP based server like Samba.</P
-><P
->The socket options that Samba uses are settable both on the command
-line with the -O option, or in the smb.conf file.</P
-><P
->The "socket options" section of the smb.conf manual page describes how
-to set these and gives recommendations.</P
-><P
->Getting the socket options right can make a big difference to your
-performance, but getting them wrong can degrade it by just as
-much. The correct settings are very dependent on your local network.</P
-><P
->The socket option TCP_NODELAY is the one that seems to make the
-biggest single difference for most networks. Many people report that
-adding "socket options = TCP_NODELAY" doubles the read performance of
-a Samba drive. The best explanation I have seen for this is that the
-Microsoft TCP/IP stack is slow in sending tcp ACKs.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2847"
-></A
->17.4. Read size</H2
-><P
->The option "read size" affects the overlap of disk reads/writes with
-network reads/writes. If the amount of data being transferred in
-several of the SMB commands (currently SMBwrite, SMBwriteX and
-SMBreadbraw) is larger than this value then the server begins writing
-the data before it has received the whole packet from the network, or
-in the case of SMBreadbraw, it begins writing to the network before
-all the data has been read from disk.</P
-><P
->This overlapping works best when the speeds of disk and network access
-are similar, having very little effect when the speed of one is much
-greater than the other.</P
-><P
->The default value is 16384, but very little experimentation has been
-done yet to determine the optimal value, and it is likely that the best
-value will vary greatly between systems anyway. A value over 65536 is
-pointless and will cause you to allocate memory unnecessarily.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2852"
-></A
->17.5. Max xmit</H2
-><P
->At startup the client and server negotiate a "maximum transmit" size,
-which limits the size of nearly all SMB commands. You can set the
-maximum size that Samba will negotiate using the "max xmit = " option
-in smb.conf. Note that this is the maximum size of SMB request that
-Samba will accept, but not the maximum size that the *client* will accept.
-The client maximum receive size is sent to Samba by the client and Samba
-honours this limit.</P
-><P
->It defaults to 65536 bytes (the maximum), but it is possible that some
-clients may perform better with a smaller transmit unit. Trying values
-of less than 2048 is likely to cause severe problems.</P
-><P
->In most cases the default is the best option.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2857"
-></A
->17.6. Locking</H2
-><P
->By default Samba does not implement strict locking on each read/write
-call (although it did in previous versions). If you enable strict
-locking (using "strict locking = yes") then you may find that you
-suffer a severe performance hit on some systems.</P
-><P
->The performance hit will probably be greater on NFS mounted
-filesystems, but could be quite high even on local disks.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2861"
-></A
->17.7. Share modes</H2
-><P
->Some people find that opening files is very slow. This is often
-because of the "share modes" code needed to fully implement the dos
-share modes stuff. You can disable this code using "share modes =
-no". This will gain you a lot in opening and closing files but will
-mean that (in some cases) the system won't force a second user of a
-file to open the file read-only if the first has it open
-read-write. For many applications that do their own locking this
-doesn't matter, but for some it may. Most Windows applications
-depend heavily on "share modes" working correctly and it is
-recommended that the Samba share mode support be left at the
-default of "on".</P
-><P
->The share mode code in Samba has been re-written in the 1.9.17
-release following tests with the Ziff-Davis NetBench PC Benchmarking
-tool. It is now believed that Samba 1.9.17 implements share modes
-similarly to Windows NT.</P
-><P
->NOTE: In the most recent versions of Samba there is an option to use
-shared memory via mmap() to implement the share modes. This makes
-things much faster. See the Makefile for how to enable this.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2866"
-></A
->17.8. Log level</H2
-><P
->If you set the log level (also known as "debug level") higher than 2
-then you may suffer a large drop in performance. This is because the
-server flushes the log file after each operation, which can be very
-expensive. </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2869"
-></A
->17.9. Wide lines</H2
-><P
->The "wide links" option is now enabled by default, but if you disable
-it (for better security) then you may suffer a performance hit in
-resolving filenames. The performance loss is lessened if you have
-"getwd cache = yes", which is now the default.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2872"
-></A
->17.10. Read raw</H2
-><P
->The "read raw" operation is designed to be an optimised, low-latency
-file read operation. A server may choose to not support it,
-however. and Samba makes support for "read raw" optional, with it
-being enabled by default.</P
-><P
->In some cases clients don't handle "read raw" very well and actually
-get lower performance using it than they get using the conventional
-read operations. </P
-><P
->So you might like to try "read raw = no" and see what happens on your
-network. It might lower, raise or not affect your performance. Only
-testing can really tell.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2877"
-></A
->17.11. Write raw</H2
-><P
->The "write raw" operation is designed to be an optimised, low-latency
-file write operation. A server may choose to not support it,
-however. and Samba makes support for "write raw" optional, with it
-being enabled by default.</P
-><P
->Some machines may find "write raw" slower than normal write, in which
-case you may wish to change this option.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2881"
-></A
->17.12. Read prediction</H2
-><P
->Samba can do read prediction on some of the SMB commands. Read
-prediction means that Samba reads some extra data on the last file it
-read while waiting for the next SMB command to arrive. It can then
-respond more quickly when the next read request arrives.</P
-><P
->This is disabled by default. You can enable it by using "read
-prediction = yes".</P
-><P
->Note that read prediction is only used on files that were opened read
-only.</P
-><P
->Read prediction should particularly help for those silly clients (such
-as "Write" under NT) which do lots of very small reads on a file.</P
-><P
->Samba will not read ahead more data than the amount specified in the
-"read size" option. It always reads ahead on 1k block boundaries.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2888"
-></A
->17.13. Memory mapping</H2
-><P
->Samba supports reading files via memory mapping them. One some
-machines this can give a large boost to performance, on others it
-makes not difference at all, and on some it may reduce performance.</P
-><P
->To enable you you have to recompile Samba with the -DUSE_MMAP option
-on the FLAGS line of the Makefile.</P
-><P
->Note that memory mapping is only used on files opened read only, and
-is not used by the "read raw" operation. Thus you may find memory
-mapping is more effective if you disable "read raw" using "read raw =
-no".</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2893"
-></A
->17.14. Slow Clients</H2
-><P
->One person has reported that setting the protocol to COREPLUS rather
-than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P
-><P
->I suspect that his PC's (386sx16 based) were asking for more data than
-they could chew. I suspect a similar speed could be had by setting
-"read raw = no" and "max xmit = 2048", instead of changing the
-protocol. Lowering the "read size" might also help.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2897"
-></A
->17.15. Slow Logins</H2
-><P
->Slow logins are almost always due to the password checking time. Using
-the lowest practical "password level" will improve things a lot. You
-could also enable the "UFC crypt" option in the Makefile.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2900"
-></A
->17.16. Client tuning</H2
-><P
->Often a speed problem can be traced to the client. The client (for
-example Windows for Workgroups) can often be tuned for better TCP
-performance.</P
-><P
->See your client docs for details. In particular, I have heard rumours
-that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a
-large impact on performance.</P
-><P
->Also note that some people have found that setting DefaultRcvWindow in
-the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a
-big improvement. I don't know why.</P
-><P
->My own experience wth DefaultRcvWindow is that I get much better
-performance with a large value (16384 or larger). Other people have
-reported that anything over 3072 slows things down enourmously. One
-person even reported a speed drop of a factor of 30 when he went from
-3072 to 8192. I don't know why.</P
-><P
->It probably depends a lot on your hardware, and the type of unix box
-you have at the other end of the link.</P
-><P
->Paul Cochrane has done some testing on client side tuning and come
-to the following conclusions:</P
-><P
->Install the W2setup.exe file from www.microsoft.com. This is an
-update for the winsock stack and utilities which improve performance.</P
-><P
->Configure the win95 TCPIP registry settings to give better
-perfomance. I use a program called MTUSPEED.exe which I got off the
-net. There are various other utilities of this type freely available.
-The setting which give the best performance for me are:</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->MaxMTU Remove</P
-></LI
-><LI
-><P
->RWIN Remove</P
-></LI
-><LI
-><P
->MTUAutoDiscover Disable</P
-></LI
-><LI
-><P
->MTUBlackHoleDetect Disable</P
-></LI
-><LI
-><P
->Time To Live Enabled</P
-></LI
-><LI
-><P
->Time To Live - HOPS 32</P
-></LI
-><LI
-><P
->NDI Cache Size 0</P
-></LI
-></OL
-><P
->I tried virtually all of the items mentioned in the document and
-the only one which made a difference to me was the socket options. It
-turned out I was better off without any!!!!!</P
-><P
->In terms of overall speed of transfer, between various win95 clients
-and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE
-drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P
-><P
->FIXME
-The figures are: Put Get
-P166 client 3Com card: 420-440kB/s 500-520kB/s
-P100 client 3Com card: 390-410kB/s 490-510kB/s
-DX4-75 client NE2000: 370-380kB/s 330-350kB/s</P
-><P
->I based these test on transfer two files a 4.5MB text file and a 15MB
-textfile. The results arn't bad considering the hardware Samba is
-running on. It's a crap machine!!!!</P
-><P
->The updates mentioned in 1 and 2 brought up the transfer rates from
-just over 100kB/s in some clients.</P
-><P
->A new client is a P333 connected via a 100MB/s card and hub. The
-transfer rates from this were good: 450-500kB/s on put and 600+kB/s
-on get.</P
-><P
->Looking at standard FTP throughput, Samba is a bit slower (100kB/s
-upwards). I suppose there is more going on in the samba protocol, but
-if it could get up to the rate of FTP the perfomance would be quite
-staggering.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2932"
-></A
->17.17. My Results</H2
-><P
->Some people want to see real numbers in a document like this, so here
-they are. I have a 486sx33 client running WfWg 3.11 with the 3.11b
-tcp/ip stack. It has a slow IDE drive and 20Mb of ram. It has a SMC
-Elite-16 ISA bus ethernet card. The only WfWg tuning I've done is to
-set DefaultRcvWindow in the [MSTCP] section of system.ini to 16384. My
-server is a 486dx3-66 running Linux. It also has 20Mb of ram and a SMC
-Elite-16 card. You can see my server config in the examples/tridge/
-subdirectory of the distribution.</P
-><P
->I get 490k/s on reading a 8Mb file with copy.
-I get 441k/s writing the same file to the samba server.</P
-><P
->Of course, there's a lot more to benchmarks than 2 raw throughput
-figures, but it gives you a ballpark figure.</P
-><P
->I've also tested Win95 and WinNT, and found WinNT gave me the best
-speed as a samba client. The fastest client of all (for me) is
-smbclient running on another linux box. Maybe I'll add those results
-here someday ...</P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="OTHER-CLIENTS"
-></A
->Chapter 18. Samba and other CIFS clients</H1
-><P
->This chapter contains client-specific information.</P
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2953"
-></A
->18.1. Macintosh clients?</H2
-><P
->Yes. <A
-HREF="http://www.thursby.com/"
-TARGET="_top"
->Thursby</A
-> now have a CIFS Client / Server called DAVE - see</P
-><P
->They test it against Windows 95, Windows NT and samba for
-compatibility issues. At the time of writing, DAVE was at version
-1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
-the Thursby web site (the speed of finder copies has been greatly
-enhanced, and there are bug-fixes included).</P
-><P
->
-Alternatives - There are two free implementations of AppleTalk for
-several kinds of UNIX machnes, and several more commercial ones.
-These products allow you to run file services and print services
-natively to Macintosh users, with no additional support required on
-the Macintosh. The two free omplementations are
-<A
-HREF="http://www.umich.edu/~rsug/netatalk/"
-TARGET="_top"
->Netatalk</A
->, and
-<A
-HREF="http://www.cs.mu.oz.au/appletalk/atalk.html"
-TARGET="_top"
->CAP</A
->.
-What Samba offers MS
-Windows users, these packages offer to Macs. For more info on these
-packages, Samba, and Linux (and other UNIX-based systems) see
-<A
-HREF="http://www.eats.com/linux_mac_win.html"
-TARGET="_top"
->http://www.eats.com/linux_mac_win.html</A
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN2962"
-></A
->18.2. OS2 Client</H2
-><DIV
-CLASS="SECT2"
-><H3
-CLASS="SECT2"
-><A
-NAME="AEN2964"
-></A
->18.2.1. How can I configure OS/2 Warp Connect or
- OS/2 Warp 4 as a client for Samba?</H3
-><P
->A more complete answer to this question can be
- found on <A
-HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html"
-TARGET="_top"
-> http://carol.wins.uva.nl/~leeuw/samba/warp.html</A
->.</P
-><P
->Basically, you need three components:</P
-><P
-></P
-><UL
-><LI
-><P
->The File and Print Client ('IBM Peer')
- </P
-></LI
-><LI
-><P
->TCP/IP ('Internet support')
- </P
-></LI
-><LI
-><P
->The "NetBIOS over TCP/IP" driver ('TCPBEUI')
- </P
-></LI
-></UL
-><P
->Installing the first two together with the base operating
- system on a blank system is explained in the Warp manual. If Warp
- has already been installed, but you now want to install the
- networking support, use the "Selective Install for Networking"
- object in the "System Setup" folder.</P
-><P
->Adding the "NetBIOS over TCP/IP" driver is not described
- in the manual and just barely in the online documentation. Start
- MPTS.EXE, click on OK, click on "Configure LAPS" and click
- on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
- is then moved to 'Current Configuration'. Select that line,
- click on "Change number" and increase it from 0 to 1. Save this
- configuration.</P
-><P
->If the Samba server(s) is not on your local subnet, you
- can optionally add IP names and addresses of these servers
- to the "Names List", or specify a WINS server ('NetBIOS
- Nameserver' in IBM and RFC terminology). For Warp Connect you
- may need to download an update for 'IBM Peer' to bring it on
- the same level as Warp 4. See the webpage mentioned above.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2979"
-></A
->18.2.2. How can I configure OS/2 Warp 3 (not Connect),
- OS/2 1.2, 1.3 or 2.x for Samba?</H3
-><P
->You can use the free Microsoft LAN Manager 2.2c Client
- for OS/2 from
- <A
-HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
-TARGET="_top"
-> ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A
->.
- See <A
-HREF="http://carol.wins.uva.nl/~leeuw/lanman.html"
-TARGET="_top"
-> http://carol.wins.uva.nl/~leeuw/lanman.html</A
-> for
- more information on how to install and use this client. In
- a nutshell, edit the file \OS2VER in the root directory of
- the OS/2 boot partition and add the lines:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> 20=setup.exe
- 20=netwksta.sys
- 20=netvdd.sys
- </PRE
-></P
-><P
->before you install the client. Also, don't use the
- included NE2000 driver because it is buggy. Try the NE2000
- or NS2000 driver from
- <A
-HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/"
-TARGET="_top"
-> ftp://ftp.cdrom.com/pub/os2/network/ndis/</A
-> instead.
- </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2988"
-></A
->18.2.3. Are there any other issues when OS/2 (any version)
- is used as a client?</H3
-><P
->When you do a NET VIEW or use the "File and Print
- Client Resource Browser", no Samba servers show up. This can
- be fixed by a patch from <A
-HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html"
-TARGET="_top"
-> http://carol.wins.uva.nl/~leeuw/samba/fix.html</A
->.
- The patch will be included in a later version of Samba. It also
- fixes a couple of other problems, such as preserving long
- filenames when objects are dragged from the Workplace Shell
- to the Samba server. </P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN2992"
-></A
->18.2.4. How do I get printer driver download working
- for OS/2 clients?</H3
-><P
->First, create a share called [PRINTDRV] that is
- world-readable. Copy your OS/2 driver files there. Note
- that the .EA_ files must still be separate, so you will need
- to use the original install files, and not copy an installed
- driver from an OS/2 system.</P
-><P
->Install the NT driver first for that printer. Then,
- add to your smb.conf a parameter, os2 driver map =
- <TT
-CLASS="REPLACEABLE"
-><I
->filename</I
-></TT
->". Then, in the file
- specified by <TT
-CLASS="REPLACEABLE"
-><I
->filename</I
-></TT
->, map the
- name of the NT driver name to the OS/2 driver name as
- follows:</P
-><P
-><B
-CLASS="COMMAND"
->nt driver name = os2 "driver
- name"."device name"</B
->, e.g.:
- HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
-><P
->You can have multiple drivers mapped in this file.</P
-><P
->If you only specify the OS/2 driver name, and not the
- device name, the first attempt to download the driver will
- actually download the files, but the OS/2 client will tell
- you the driver is not available. On the second attempt, it
- will work. This is fixed simply by adding the device name
- to the mapping, after which it will work on the first attempt.
- </P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3002"
-></A
->18.3. Windows for Workgroups</H2
-><DIV
-CLASS="SECT2"
-><H3
-CLASS="SECT2"
-><A
-NAME="AEN3004"
-></A
->18.3.1. Use latest TCP/IP stack from Microsoft</H3
-><P
->Use the latest TCP/IP stack from microsoft if you use Windows
-for workgroups.</P
-><P
->The early TCP/IP stacks had lots of bugs.</P
-><P
->
-Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
-VxD drivers. The latest release can be found on their ftp site at
-ftp.microsoft.com, located in /peropsys/windows/public/tcpip/wfwt32.exe.
-There is an update.txt file there that describes the problems that were
-fixed. New files include WINSOCK.DLL, TELNET.EXE, WSOCK.386, VNBT.386,
-WSTCP.386, TRACERT.EXE, NETSTAT.EXE, and NBTSTAT.EXE.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN3009"
-></A
->18.3.2. Delete .pwl files after password change</H3
-><P
->WfWg does a lousy job with passwords. I find that if I change my
-password on either the unix box or the PC the safest thing to do is to
-delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.</P
-><P
->
-If you don't do this you may find that WfWg remembers and uses the old
-password, even if you told it a new one.</P
-><P
->
-Often WfWg will totally ignore a password you give it in a dialog box.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN3014"
-></A
->18.3.3. Configure WfW password handling</H3
-><P
->There is a program call admincfg.exe
-on the last disk (disk 8) of the WFW 3.11 disk set. To install it
-type EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE Then add an icon
-for it via the "Progam Manager" "New" Menu. This program allows you
-to control how WFW handles passwords. ie disable Password Caching etc
-for use with <B
-CLASS="COMMAND"
->security = user</B
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN3018"
-></A
->18.3.4. Case handling of passwords</H3
-><P
->Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5)</A
-> information on <B
-CLASS="COMMAND"
->password level</B
-> to specify what characters samba should try to uppercase when checking.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3023"
-></A
->18.4. Windows '95/'98</H2
-><P
->When using Windows 95 OEM SR2 the following updates are recommended where Samba
-is being used. Please NOTE that the above change will affect you once these
-updates have been installed.</P
-><P
->
-There are more updates than the ones mentioned here. You are referred to the
-Microsoft Web site for all currently available updates to your specific version
-of Windows 95.</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->Kernel Update: KRNLUPD.EXE</P
-></LI
-><LI
-><P
->Ping Fix: PINGUPD.EXE</P
-></LI
-><LI
-><P
->RPC Update: RPCRTUPD.EXE</P
-></LI
-><LI
-><P
->TCP/IP Update: VIPUPD.EXE</P
-></LI
-><LI
-><P
->Redirector Update: VRDRUPD.EXE</P
-></LI
-></OL
-><P
->Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This
-fix may stop your machine from hanging for an extended period when exiting
-OutLook and you may also notice a significant speedup when accessing network
-neighborhood services.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3039"
-></A
->18.5. Windows 2000 Service Pack 2</H2
-><P
->
-There are several annoyances with Windows 2000 SP2. One of which
-only appears when using a Samba server to host user profiles
-to Windows 2000 SP2 clients in a Windows domain. This assumes
-that Samba is a member of the domain, but the problem will
-likely occur if it is not.</P
-><P
->
-In order to server profiles successfully to Windows 2000 SP2
-clients (when not operating as a PDC), Samba must have
-<B
-CLASS="COMMAND"
->nt acl support = no</B
->
-added to the file share which houses the roaming profiles.
-If this is not done, then the Windows 2000 SP2 client will
-complain about not being able to access the profile (Access
-Denied) and create multiple copies of it on disk (DOMAIN.user.001,
-DOMAIN.user.002, etc...). See the
-<A
-HREF="smb.conf.5.html"
-TARGET="_top"
->smb.conf(5)</A
-> man page
-for more details on this option. Also note that the
-<B
-CLASS="COMMAND"
->nt acl support</B
-> parameter was formally a global parameter in
-releases prior to Samba 2.2.2.</P
-><P
->
-The following is a minimal profile share:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> [profile]
- path = /export/profile
- create mask = 0600
- directory mask = 0700
- nt acl support = no
- read only = no</PRE
-></P
-><P
->The reason for this bug is that the Win2k SP2 client copies
-the security descriptor for the profile which contains
-the Samba server's SID, and not the domain SID. The client
-compares the SID for SAMBA\user and realizes it is
-different that the one assigned to DOMAIN\user. Hence the reason
-for the "access denied" message.</P
-><P
->By disabling the <B
-CLASS="COMMAND"
->nt acl support</B
-> parameter, Samba will send
-the Win2k client a response to the QuerySecurityDescriptor
-trans2 call which causes the client to set a default ACL
-for the profile. This default ACL includes </P
-><P
-><B
-CLASS="COMMAND"
->DOMAIN\user "Full Control"</B
-></P
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE : This bug does not occur when using winbind to
-create accounts on the Samba host for Domain users.</I
-></SPAN
-></P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="CVS-ACCESS"
-></A
->Chapter 19. HOWTO Access Samba source code via CVS</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN3063"
-></A
->19.1. Introduction</H2
-><P
->Samba is developed in an open environment. Developers use CVS
-(Concurrent Versioning System) to "checkin" (also known as
-"commit") new source code. Samba's various CVS branches can
-be accessed via anonymous CVS using the instructions
-detailed in this chapter.</P
-><P
->This document is a modified version of the instructions found at
-<A
-HREF="http://samba.org/samba/cvs.html"
-TARGET="_top"
->http://samba.org/samba/cvs.html</A
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3068"
-></A
->19.2. CVS Access to samba.org</H2
-><P
->The machine samba.org runs a publicly accessible CVS
-repository for access to the source code of several packages,
-including samba, rsync and jitterbug. There are two main ways of
-accessing the CVS server on this host.</P
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN3071"
-></A
->19.2.1. Access via CVSweb</H3
-><P
->You can access the source code via your
-favourite WWW browser. This allows you to access the contents of
-individual files in the repository and also to look at the revision
-history and commit logs of individual files. You can also ask for a diff
-listing between any two versions on the repository.</P
-><P
->Use the URL : <A
-HREF="http://samba.org/cgi-bin/cvsweb"
-TARGET="_top"
->http://samba.org/cgi-bin/cvsweb</A
-></P
-></DIV
-><DIV
-CLASS="SECT2"
-><HR><H3
-CLASS="SECT2"
-><A
-NAME="AEN3076"
-></A
->19.2.2. Access via cvs</H3
-><P
->You can also access the source code via a
-normal cvs client. This gives you much more control over you can
-do with the repository and allows you to checkout whole source trees
-and keep them up to date via normal cvs commands. This is the
-preferred method of access if you are a developer and not
-just a casual browser.</P
-><P
->To download the latest cvs source code, point your
-browser at the URL : <A
-HREF="http://www.cyclic.com/"
-TARGET="_top"
->http://www.cyclic.com/</A
->.
-and click on the 'How to get cvs' link. CVS is free software under
-the GNU GPL (as is Samba). Note that there are several graphical CVS clients
-which provide a graphical interface to the sometimes mundane CVS commands.
-Links to theses clients are also available from http://www.cyclic.com.</P
-><P
->To gain access via anonymous cvs use the following steps.
-For this example it is assumed that you want a copy of the
-samba source code. For the other source code repositories
-on this system just substitute the correct package name</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> Install a recent copy of cvs. All you really need is a
- copy of the cvs client binary.
- </P
-></LI
-><LI
-><P
-> Run the command
- </P
-><P
-> <B
-CLASS="COMMAND"
->cvs -d :pserver:cvs@samba.org:/cvsroot login</B
->
- </P
-><P
-> When it asks you for a password type <TT
-CLASS="USERINPUT"
-><B
->cvs</B
-></TT
->.
- </P
-></LI
-><LI
-><P
-> Run the command
- </P
-><P
-> <B
-CLASS="COMMAND"
->cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B
->
- </P
-><P
-> This will create a directory called samba containing the
- latest samba source code (i.e. the HEAD tagged cvs branch). This
- currently corresponds to the 3.0 development tree.
- </P
-><P
-> CVS branches other HEAD can be obtained by using the <TT
-CLASS="PARAMETER"
-><I
->-r</I
-></TT
->
- and defining a tag name. A list of branch tag names can be found on the
- "Development" page of the samba web site. A common request is to obtain the
- latest 2.2 release code. This could be done by using the following command.
- </P
-><P
-> <B
-CLASS="COMMAND"
->cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B
->
- </P
-></LI
-><LI
-><P
-> Whenever you want to merge in the latest code changes use
- the following command from within the samba directory:
- </P
-><P
-> <B
-CLASS="COMMAND"
->cvs update -d -P</B
->
- </P
-></LI
-></OL
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="BUGREPORT"
-></A
->Chapter 20. Reporting Bugs</H1
-><DIV
-CLASS="SECT1"
-><H2
-CLASS="SECT1"
-><A
-NAME="AEN3111"
-></A
->20.1. Introduction</H2
-><P
->The email address for bug reports is samba@samba.org</P
-><P
->Please take the time to read this file before you submit a bug
-report. Also, please see if it has changed between releases, as we
-may be changing the bug reporting mechanism at some time.</P
-><P
->Please also do as much as you can yourself to help track down the
-bug. Samba is maintained by a dedicated group of people who volunteer
-their time, skills and efforts. We receive far more mail about it than
-we can possibly answer, so you have a much higher chance of an answer
-and a fix if you send us a "developer friendly" bug report that lets
-us fix it fast. </P
-><P
->Do not assume that if you post the bug to the comp.protocols.smb
-newsgroup or the mailing list that we will read it. If you suspect that your
-problem is not a bug but a configuration problem then it is better to send
-it to the Samba mailing list, as there are (at last count) 5000 other users on
-that list that may be able to help you.</P
-><P
->You may also like to look though the recent mailing list archives,
-which are conveniently accessible on the Samba web pages
-at http://samba.org/samba/ </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3118"
-></A
->20.2. General info</H2
-><P
->Before submitting a bug report check your config for silly
-errors. Look in your log files for obvious messages that tell you that
-you've misconfigured something and run testparm to test your config
-file for correct syntax.</P
-><P
->Have you run through the <A
-HREF="Diagnosis.html"
-TARGET="_top"
->diagnosis</A
->?
-This is very important.</P
-><P
->If you include part of a log file with your bug report then be sure to
-annotate it with exactly what you were doing on the client at the
-time, and exactly what the results were.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3124"
-></A
->20.3. Debug levels</H2
-><P
->If the bug has anything to do with Samba behaving incorrectly as a
-server (like refusing to open a file) then the log files will probably
-be very useful. Depending on the problem a log level of between 3 and
-10 showing the problem may be appropriate. A higher level givesmore
-detail, but may use too much disk space.</P
-><P
->To set the debug level use <B
-CLASS="COMMAND"
->log level =</B
-> in your
-<TT
-CLASS="FILENAME"
->smb.conf</TT
->. You may also find it useful to set the log
-level higher for just one machine and keep separate logs for each machine.
-To do this use:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->log level = 10
-log file = /usr/local/samba/lib/log.%m
-include = /usr/local/samba/lib/smb.conf.%m</PRE
-></P
-><P
->then create a file
-<TT
-CLASS="FILENAME"
->/usr/local/samba/lib/smb.conf.machine</TT
-> where
-"machine" is the name of the client you wish to debug. In that file
-put any smb.conf commands you want, for example
-<B
-CLASS="COMMAND"
->log level=</B
-> may be useful. This also allows you to
-experiment with different security systems, protocol levels etc on just
-one machine.</P
-><P
->The <TT
-CLASS="FILENAME"
->smb.conf</TT
-> entry <B
-CLASS="COMMAND"
->log level =</B
->
-is synonymous with the entry <B
-CLASS="COMMAND"
->debuglevel =</B
-> that has been
-used in older versions of Samba and is being retained for backwards
-compatibility of smb.conf files.</P
-><P
->As the <B
-CLASS="COMMAND"
->log level =</B
-> value is increased you will record
-a significantly increasing level of debugging information. For most
-debugging operations you may not need a setting higher than 3. Nearly
-all bugs can be tracked at a setting of 10, but be prepared for a VERY
-large volume of log data.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3141"
-></A
->20.4. Internal errors</H2
-><P
->If you get a "INTERNAL ERROR" message in your log files it means that
-Samba got an unexpected signal while running. It is probably a
-segmentation fault and almost certainly means a bug in Samba (unless
-you have faulty hardware or system software)</P
-><P
->If the message came from smbd then it will probably be accompanied by
-a message which details the last SMB message received by smbd. This
-info is often very useful in tracking down the problem so please
-include it in your bug report.</P
-><P
->You should also detail how to reproduce the problem, if
-possible. Please make this reasonably detailed.</P
-><P
->You may also find that a core file appeared in a "corefiles"
-subdirectory of the directory where you keep your samba log
-files. This file is the most useful tool for tracking down the bug. To
-use it you do this:</P
-><P
-><B
-CLASS="COMMAND"
->gdb smbd core</B
-></P
-><P
->adding appropriate paths to smbd and core so gdb can find them. If you
-don't have gdb then try "dbx". Then within the debugger use the
-command "where" to give a stack trace of where the problem
-occurred. Include this in your mail.</P
-><P
->If you known any assembly language then do a "disass" of the routine
-where the problem occurred (if its in a library routine then
-disassemble the routine that called it) and try to work out exactly
-where the problem is by looking at the surrounding code. Even if you
-don't know assembly then incuding this info in the bug report can be
-useful. </P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3151"
-></A
->20.5. Attaching to a running process</H2
-><P
->Unfortunately some unixes (in particular some recent linux kernels)
-refuse to dump a core file if the task has changed uid (which smbd
-does often). To debug with this sort of system you could try to attach
-to the running process using "gdb smbd PID" where you get PID from
-smbstatus. Then use "c" to continue and try to cause the core dump
-using the client. The debugger should catch the fault and tell you
-where it occurred.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3154"
-></A
->20.6. Patches</H2
-><P
->The best sort of bug report is one that includes a fix! If you send us
-patches please use <B
-CLASS="COMMAND"
->diff -u</B
-> format if your version of
-diff supports it, otherwise use <B
-CLASS="COMMAND"
->diff -c4</B
->. Make sure
-your do the diff against a clean version of the source and let me know
-exactly what version you used. </P
-></DIV
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="GROUPMAPPING"
-></A
->Chapter 21. Group mapping HOWTO</H1
-><P
->
-Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
-current method (likely to change) to manage the groups is a new command called
-<B
-CLASS="COMMAND"
->smbgroupedit</B
->.</P
-><P
->The first immediate reason to use the group mapping on a PDC, is that
-the <B
-CLASS="COMMAND"
->domain admin group</B
-> of <TT
-CLASS="FILENAME"
->smb.conf</TT
-> is
-now gone. This parameter was used to give the listed users local admin rights
-on their workstations. It was some magic stuff that simply worked but didn't
-scale very well for complex setups.</P
-><P
->Let me explain how it works on NT/W2K, to have this magic fade away.
-When installing NT/W2K on a computer, the installer program creates some users
-and groups. Notably the 'Administrators' group, and gives to that group some
-privileges like the ability to change the date and time or to kill any process
-(or close too) running on the local machine. The 'Administrator' user is a
-member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
-group privileges. If a 'joe' user is created and become a member of the
-'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P
-><P
->When a NT/W2K machine is joined to a domain, during that phase, the "Domain
-Administrators' group of the PDC is added to the 'Administrators' group of the
-workstation. Every members of the 'Domain Administrators' group 'inherit' the
-rights of the 'Administrators' group when logging on the workstation.</P
-><P
->You are now wondering how to make some of your samba PDC users members of the
-'Domain Administrators' ? That's really easy.</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->create a unix group (usually in <TT
-CLASS="FILENAME"
->/etc/group</TT
->), let's call it domadm</P
-></LI
-><LI
-><P
->add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT
-CLASS="FILENAME"
->/etc/group</TT
-> will look like:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->domadm:x:502:joe,john,mary</PRE
-></P
-></LI
-><LI
-><P
->Map this domadm group to the <B
-CLASS="COMMAND"
->domain admins</B
-> group by running the command:</P
-><P
-><B
-CLASS="COMMAND"
->smbgroupedit -c "Domain Admins" -u domadm</B
-></P
-></LI
-></OL
-><P
->You're set, joe, john and mary are domain administrators !</P
-><P
->Like the Domain Admins group, you can map any arbitrary Unix group to any NT
-group. You can also make any Unix group a domain group. For example, on a domain
-member machine (an NT/W2K or a samba server running winbind), you would like to
-give access to a certain directory to some users who are member of a group on
-your samba PDC. Flag that group as a domain group by running:</P
-><P
-><B
-CLASS="COMMAND"
->smbgroupedit -a unixgroup -td</B
-></P
-><P
->You can list the various groups in the mapping database like this</P
-><P
-><B
-CLASS="COMMAND"
->smbgroupedit -v</B
-></P
-></DIV
-><DIV
-CLASS="CHAPTER"
-><HR><H1
-><A
-NAME="PORTABILITY"
-></A
->Chapter 22. Portability</H1
-><P
->Samba works on a wide range of platforms but the interface all the
-platforms provide is not always compatible. This chapter contains
-platform-specific information about compiling and using samba.</P
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3201"
-></A
->22.1. HPUX</H2
-><P
->HP's implementation of supplementary groups is, er, non-standard (for
-hysterical reasons). There are two group files, /etc/group and
-/etc/logingroup; the system maps UIDs to numbers using the former, but
-initgroups() reads the latter. Most system admins who know the ropes
-symlink /etc/group to /etc/logingroup (hard link doesn't work for reasons
-too stupid to go into here). initgroups() will complain if one of the
-groups you're in in /etc/logingroup has what it considers to be an invalid
-ID, which means outside the range [0..UID_MAX], where UID_MAX is (I think)
-60000 currently on HP-UX. This precludes -2 and 65534, the usual 'nobody'
-GIDs.</P
-><P
->If you encounter this problem, make sure that the programs that are failing
-to initgroups() be run as users not in any groups with GIDs outside the
-allowed range.</P
-><P
->This is documented in the HP manual pages under setgroups(2) and passwd(4).</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3206"
-></A
->22.2. SCO Unix</H2
-><P
->
-If you run an old version of SCO Unix then you may need to get important
-TCP/IP patches for Samba to work correctly. Without the patch, you may
-encounter corrupt data transfers using samba.</P
-><P
->The patch you need is UOD385 Connection Drivers SLS. It is available from
-SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z).</P
-></DIV
-><DIV
-CLASS="SECT1"
-><HR><H2
-CLASS="SECT1"
-><A
-NAME="AEN3210"
-></A
->22.3. DNIX</H2
-><P
->DNIX has a problem with seteuid() and setegid(). These routines are
-needed for Samba to work correctly, but they were left out of the DNIX
-C library for some reason.</P
-><P
->For this reason Samba by default defines the macro NO_EID in the DNIX
-section of includes.h. This works around the problem in a limited way,
-but it is far from ideal, some things still won't work right.</P
-><P
->
-To fix the problem properly you need to assemble the following two
-functions and then either add them to your C library or link them into
-Samba.</P
-><P
->
-put this in the file <TT
-CLASS="FILENAME"
->setegid.s</TT
->:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> .globl _setegid
-_setegid:
- moveq #47,d0
- movl #100,a0
- moveq #1,d1
- movl 4(sp),a1
- trap #9
- bccs 1$
- jmp cerror
-1$:
- clrl d0
- rts</PRE
-></P
-><P
->put this in the file <TT
-CLASS="FILENAME"
->seteuid.s</TT
->:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> .globl _seteuid
-_seteuid:
- moveq #47,d0
- movl #100,a0
- moveq #0,d1
- movl 4(sp),a1
- trap #9
- bccs 1$
- jmp cerror
-1$:
- clrl d0
- rts</PRE
-></P
-><P
->after creating the above files you then assemble them using</P
-><P
-><B
-CLASS="COMMAND"
->as seteuid.s</B
-></P
-><P
-><B
-CLASS="COMMAND"
->as setegid.s</B
-></P
-><P
->that should produce the files <TT
-CLASS="FILENAME"
->seteuid.o</TT
-> and
-<TT
-CLASS="FILENAME"
->setegid.o</TT
-></P
-><P
->then you need to add these to the LIBSM line in the DNIX section of
-the Samba Makefile. Your LIBSM line will then look something like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->LIBSM = setegid.o seteuid.o -ln</PRE
-></P
-><P
->
-You should then remove the line:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#define NO_EID</PRE
-></P
-><P
->from the DNIX section of <TT
-CLASS="FILENAME"
->includes.h</TT
-></P
-></DIV
-></DIV
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file