summaryrefslogtreecommitdiff
path: root/docs/htmldocs/Samba-HOWTO-Collection.html
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-04-19 21:33:44 +0000
committerGerald Carter <jerry@samba.org>2001-04-19 21:33:44 +0000
commitf95fb5fe3941a0ef916ac85c6ccf4aecf17aaf39 (patch)
tree7ae84ac676262759cdbfbe8260e650050dc2722b /docs/htmldocs/Samba-HOWTO-Collection.html
parente3fc10eab22443376ac3312447874607810dbc6b (diff)
downloadsamba-f95fb5fe3941a0ef916ac85c6ccf4aecf17aaf39.tar.gz
samba-f95fb5fe3941a0ef916ac85c6ccf4aecf17aaf39.tar.bz2
samba-f95fb5fe3941a0ef916ac85c6ccf4aecf17aaf39.zip
large sync up with 2.2
(This used to be commit 96523293da19df201703fed6130f1ff9ba25324b)
Diffstat (limited to 'docs/htmldocs/Samba-HOWTO-Collection.html')
-rw-r--r--docs/htmldocs/Samba-HOWTO-Collection.html5936
1 files changed, 5936 insertions, 0 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
new file mode 100644
index 0000000000..a0d0573005
--- /dev/null
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -0,0 +1,5936 @@
+<HTML
+><HEAD
+><TITLE
+>SAMBA Project Documentation</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="BOOK"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="BOOK"
+><A
+NAME="SAMBA-PROJECT-DOCUMENTATION"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+><A
+NAME="SAMBA-PROJECT-DOCUMENTATION"
+>SAMBA Project Documentation</A
+></H1
+><H3
+CLASS="AUTHOR"
+><A
+NAME="AEN4"
+>SAMBA Team</A
+></H3
+><HR></DIV
+><HR><H1
+><A
+NAME="AEN9"
+>Abstract</A
+></H1
+><P
+>This book is a collection of HOWTOs added to Samba documentation over the year.
+I try to ensure that all are current, but sometimes the is a larger job
+than one person can maintain. You can always find the later version of this
+PDF file at <A
+HREF="http://www.samba.org/"
+TARGET="_top"
+>http://www.samba.org/</A
+>
+on the "Documentation" page. Please send updates to <A
+HREF="mailto:jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+>.</P
+><P
+>Cheers, jerry</P
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1. <A
+HREF="#AEN15"
+>How to Install and Test SAMBA</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN17"
+>Step 0: Read the man pages</A
+></DT
+><DT
+><A
+HREF="#AEN25"
+>Step 1: Building the Binaries</A
+></DT
+><DT
+><A
+HREF="#AEN53"
+>Step 2: The all important step</A
+></DT
+><DT
+><A
+HREF="#AEN57"
+>Step 3: Create the smb configuration file.</A
+></DT
+><DT
+><A
+HREF="#AEN71"
+>Step 4: Test your config file with
+ <B
+CLASS="COMMAND"
+>testparm</B
+></A
+></DT
+><DT
+><A
+HREF="#AEN77"
+>Step 5: Starting the smbd and nmbd</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN87"
+>Step 5a: Starting from inetd.conf</A
+></DT
+><DT
+><A
+HREF="#AEN116"
+>Step 5b. Alternative: starting it as a daemon</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN132"
+>Step 6: Try listing the shares available on your
+ server</A
+></DT
+><DT
+><A
+HREF="#AEN141"
+>Step 7: Try connecting with the unix client</A
+></DT
+><DT
+><A
+HREF="#AEN157"
+>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
+ Win2k, OS/2, etc... client</A
+></DT
+><DT
+><A
+HREF="#AEN171"
+>What If Things Don't Work?</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN176"
+>Diagnosing Problems</A
+></DT
+><DT
+><A
+HREF="#AEN180"
+>Scope IDs</A
+></DT
+><DT
+><A
+HREF="#AEN183"
+>Choosing the Protocol Level</A
+></DT
+><DT
+><A
+HREF="#AEN192"
+>Printing from UNIX to a Client PC</A
+></DT
+><DT
+><A
+HREF="#AEN196"
+>Locking</A
+></DT
+><DT
+><A
+HREF="#AEN206"
+>Mapping Usernames</A
+></DT
+><DT
+><A
+HREF="#AEN209"
+>Other Character Sets</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>2. <A
+HREF="#AEN212"
+>LanMan and NT Password Encryption in Samba 2.x</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN223"
+>Introduction</A
+></DT
+><DT
+><A
+HREF="#AEN227"
+>How does it work?</A
+></DT
+><DT
+><A
+HREF="#AEN238"
+>Important Notes About Security</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN257"
+>Advantages of SMB Encryption</A
+></DT
+><DT
+><A
+HREF="#AEN264"
+>Advantages of non-encrypted passwords</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN273"
+><A
+NAME="SMBPASSWDFILEFORMAT"
+></A
+>The smbpasswd file</A
+></DT
+><DT
+><A
+HREF="#AEN325"
+>The smbpasswd Command</A
+></DT
+><DT
+><A
+HREF="#AEN364"
+>Setting up Samba to support LanManager Encryption</A
+></DT
+></DL
+></DD
+><DT
+>3. <A
+HREF="#AEN379"
+>Hosting a Microsoft Distributed File System tree on Samba</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN390"
+>Instructions</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN425"
+>Notes</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>4. <A
+HREF="#AEN434"
+>Printing Support in Samba 2.2.x</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN445"
+>Introduction</A
+></DT
+><DT
+><A
+HREF="#AEN462"
+>Configuration</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN516"
+>Support a large number of printers</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN527"
+>The Imprints Toolset</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN531"
+>What is Imprints?</A
+></DT
+><DT
+><A
+HREF="#AEN541"
+>Creating Printer Driver Packages</A
+></DT
+><DT
+><A
+HREF="#AEN544"
+>The Imprints server</A
+></DT
+><DT
+><A
+HREF="#AEN548"
+>The Installation Client</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN570"
+><A
+NAME="MIGRATION"
+></A
+>Migration to from Samba 2.0.x to
+ 2.2.x</A
+></DT
+></DL
+></DD
+><DT
+>5. <A
+HREF="#AEN599"
+>security = domain in Samba 2.x</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN617"
+>Joining an NT Domain with Samba 2.2</A
+></DT
+><DT
+><A
+HREF="#AEN681"
+>Samba and Windows 2000 Domains</A
+></DT
+><DT
+><A
+HREF="#AEN686"
+>Why is this better than security = server?</A
+></DT
+></DL
+></DD
+><DT
+>6. <A
+HREF="#AEN702"
+>How to Configure Samba 2.2.x as a Primary Domain Controller</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN713"
+>Background</A
+></DT
+><DT
+><A
+HREF="#AEN750"
+>Configuring the Samba Domain Controller</A
+></DT
+><DT
+><A
+HREF="#AEN793"
+>Creating Machine Trust Accounts and Joining Clients
+to the Domain</A
+></DT
+><DT
+><A
+HREF="#AEN832"
+>Common Problems and Errors</A
+></DT
+><DT
+><A
+HREF="#AEN860"
+>System Policies and Profiles</A
+></DT
+><DT
+><A
+HREF="#AEN900"
+>What other help can I get ?</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN947"
+>URLs and similar</A
+></DT
+><DT
+><A
+HREF="#AEN971"
+>Mailing Lists</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN1010"
+>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
+></DT
+></DL
+></DD
+><DT
+>7. <A
+HREF="#AEN1034"
+>Unifed Logons between Windows NT and UNIX using Winbind</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1052"
+>Abstract</A
+></DT
+><DT
+><A
+HREF="#AEN1056"
+>Introduction</A
+></DT
+><DT
+><A
+HREF="#AEN1069"
+>What Winbind Provides</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1076"
+>Target Uses</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN1080"
+>How Winbind Works</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1085"
+>Microsoft Remote Procedure Calls</A
+></DT
+><DT
+><A
+HREF="#AEN1089"
+>Name Service Switch</A
+></DT
+><DT
+><A
+HREF="#AEN1105"
+>Pluggable Authentication Modules</A
+></DT
+><DT
+><A
+HREF="#AEN1113"
+>User and Group ID Allocation</A
+></DT
+><DT
+><A
+HREF="#AEN1117"
+>Result Caching</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN1120"
+>Installation and Configuration</A
+></DT
+><DT
+><A
+HREF="#AEN1126"
+>Limitations</A
+></DT
+><DT
+><A
+HREF="#AEN1138"
+>Conclusion</A
+></DT
+></DL
+></DD
+><DT
+>8. <A
+HREF="#AEN1141"
+>UNIX Permission Bits and WIndows NT Access Control Lists</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1152"
+>Viewing and changing UNIX permissions using the NT
+ security dialogs</A
+></DT
+><DT
+><A
+HREF="#AEN1161"
+>How to view file security on a Samba share</A
+></DT
+><DT
+><A
+HREF="#AEN1172"
+>Viewing file ownership</A
+></DT
+><DT
+><A
+HREF="#AEN1192"
+>Viewing file or directory permissions</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1207"
+>File Permissions</A
+></DT
+><DT
+><A
+HREF="#AEN1221"
+>Directory Permissions</A
+></DT
+></DL
+></DD
+><DT
+><A
+HREF="#AEN1228"
+>Modifying file or directory permissions</A
+></DT
+><DT
+><A
+HREF="#AEN1250"
+>Interaction with the standard Samba create mask
+ parameters</A
+></DT
+><DT
+><A
+HREF="#AEN1314"
+>Interaction with the standard Samba file attribute
+ mapping</A
+></DT
+></DL
+></DD
+><DT
+>9. <A
+HREF="#AEN1324"
+>OS2 Client HOWTO</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1335"
+>FAQs</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN1337"
+>How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</A
+></DT
+><DT
+><A
+HREF="#AEN1352"
+>How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</A
+></DT
+><DT
+><A
+HREF="#AEN1361"
+>Are there any other issues when OS/2 (any version)
+ is used as a client?</A
+></DT
+><DT
+><A
+HREF="#AEN1365"
+>How do I get printer driver download working
+ for OS/2 clients?</A
+></DT
+></DL
+></DD
+></DL
+></DD
+></DL
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN15"
+>Chapter 1. How to Install and Test SAMBA</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN17"
+>Step 0: Read the man pages</A
+></H1
+><P
+>The man pages distributed with SAMBA contain
+ lots of useful info that will help to get you started.
+ If you don't know how to read man pages then try
+ something like:</P
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>nroff -man smbd.8 | more
+ </B
+></TT
+></P
+><P
+>Other sources of information are pointed to
+ by the Samba web site,<A
+HREF="http://www.samba.org/"
+TARGET="_top"
+> http://www.samba.org</A
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN25"
+>Step 1: Building the Binaries</A
+></H1
+><P
+>To do this, first run the program <B
+CLASS="COMMAND"
+>./configure
+ </B
+> in the source directory. This should automatically
+ configure Samba for your operating system. If you have unusual
+ needs then you may wish to run</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>./configure --help
+ </B
+></TT
+></P
+><P
+>first to see what special options you can enable.
+ Then exectuting</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>make</B
+></TT
+></P
+><P
+>will create the binaries. Once it's successfully
+ compiled you can use </P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>make install</B
+></TT
+></P
+><P
+>to install the binaries and manual pages. You can
+ separately install the binaries and/or man pages using</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>make installbin
+ </B
+></TT
+></P
+><P
+>and</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>make installman
+ </B
+></TT
+></P
+><P
+>Note that if you are upgrading for a previous version
+ of Samba you might like to know that the old versions of
+ the binaries will be renamed with a ".old" extension. You
+ can go back to the previous version with</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>make revert
+ </B
+></TT
+></P
+><P
+>if you find this version a disaster!</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN53"
+>Step 2: The all important step</A
+></H1
+><P
+>At this stage you must fetch yourself a
+ coffee or other drink you find stimulating. Getting the rest
+ of the install right can sometimes be tricky, so you will
+ probably need it.</P
+><P
+>If you have installed samba before then you can skip
+ this step.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN57"
+>Step 3: Create the smb configuration file.</A
+></H1
+><P
+>There are sample configuration files in the examples
+ subdirectory in the distribution. I suggest you read them
+ carefully so you can see how the options go together in
+ practice. See the man page for all the options.</P
+><P
+>The simplest useful configuration file would be
+ something like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> [global]
+ workgroup = MYGROUP
+
+ [homes]
+ guest ok = no
+ read only = no
+ </PRE
+></P
+><P
+>which would allow connections by anyone with an
+ account on the server, using either their login name or
+ "homes" as the service name. (Note that I also set the
+ workgroup that Samba is part of. See BROWSING.txt for defails)</P
+><P
+>Note that <B
+CLASS="COMMAND"
+>make install</B
+> will not install
+ a <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. You need to create it
+ yourself. </P
+><P
+>Make sure you put the smb.conf file in the same place
+ you specified in the<TT
+CLASS="FILENAME"
+>Makefile</TT
+> (the default is to
+ look for it in <TT
+CLASS="FILENAME"
+>/usr/local/samba/lib/</TT
+>).</P
+><P
+>For more information about security settings for the
+ [homes] share please refer to the document UNIX_SECURITY.txt.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN71"
+>Step 4: Test your config file with
+ <B
+CLASS="COMMAND"
+>testparm</B
+></A
+></H1
+><P
+>It's important that you test the validity of your
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file using the testparm program.
+ If testparm runs OK then it will list the loaded services. If
+ not it will give an error message.</P
+><P
+>Make sure it runs OK and that the services look
+ resonable before proceeding. </P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN77"
+>Step 5: Starting the smbd and nmbd</A
+></H1
+><P
+>You must choose to start smbd and nmbd either
+ as daemons or from <B
+CLASS="COMMAND"
+>inetd</B
+>. Don't try
+ to do both! Either you can put them in <TT
+CLASS="FILENAME"
+> inetd.conf</TT
+> and have them started on demand
+ by <B
+CLASS="COMMAND"
+>inetd</B
+>, or you can start them as
+ daemons either from the command line or in <TT
+CLASS="FILENAME"
+> /etc/rc.local</TT
+>. See the man pages for details
+ on the command line options. Take particular care to read
+ the bit about what user you need to be in order to start
+ Samba. In many cases you must be root.</P
+><P
+>The main advantage of starting <B
+CLASS="COMMAND"
+>smbd</B
+>
+ and <B
+CLASS="COMMAND"
+>nmbd</B
+> as a daemon is that they will
+ respond slightly more quickly to an initial connection
+ request. This is, however, unlikely to be a problem.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN87"
+>Step 5a: Starting from inetd.conf</A
+></H2
+><P
+>NOTE; The following will be different if
+ you use NIS or NIS+ to distributed services maps.</P
+><P
+>Look at your <TT
+CLASS="FILENAME"
+>/etc/services</TT
+>.
+ What is defined at port 139/tcp. If nothing is defined
+ then add a line like this:</P
+><P
+><TT
+CLASS="USERINPUT"
+><B
+>netbios-ssn 139/tcp</B
+></TT
+></P
+><P
+>similarly for 137/udp you should have an entry like:</P
+><P
+><TT
+CLASS="USERINPUT"
+><B
+>netbios-ns 137/udp</B
+></TT
+></P
+><P
+>Next edit your <TT
+CLASS="FILENAME"
+>/etc/inetd.conf</TT
+>
+ and add two lines something like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+ netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
+ </PRE
+></P
+><P
+>The exact syntax of <TT
+CLASS="FILENAME"
+>/etc/inetd.conf</TT
+>
+ varies between unixes. Look at the other entries in inetd.conf
+ for a guide.</P
+><P
+>NOTE: Some unixes already have entries like netbios_ns
+ (note the underscore) in <TT
+CLASS="FILENAME"
+>/etc/services</TT
+>.
+ You must either edit <TT
+CLASS="FILENAME"
+>/etc/services</TT
+> or
+ <TT
+CLASS="FILENAME"
+>/etc/inetd.conf</TT
+> to make them consistant.</P
+><P
+>NOTE: On many systems you may need to use the
+ "interfaces" option in smb.conf to specify the IP address
+ and netmask of your interfaces. Run <B
+CLASS="COMMAND"
+>ifconfig</B
+>
+ as root if you don't know what the broadcast is for your
+ net. <B
+CLASS="COMMAND"
+>nmbd</B
+> tries to determine it at run
+ time, but fails on somunixes. See the section on "testing nmbd"
+ for a method of finding if you need to do this.</P
+><P
+>!!!WARNING!!! Many unixes only accept around 5
+ parameters on the command line in <TT
+CLASS="FILENAME"
+>inetd.conf</TT
+>.
+ This means you shouldn't use spaces between the options and
+ arguments, or you should use a script, and start the script
+ from <B
+CLASS="COMMAND"
+>inetd</B
+>.</P
+><P
+>Restart <B
+CLASS="COMMAND"
+>inetd</B
+>, perhaps just send
+ it a HUP. If you have installed an earlier version of <B
+CLASS="COMMAND"
+> nmbd</B
+> then you may need to kill nmbd as well.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN116"
+>Step 5b. Alternative: starting it as a daemon</A
+></H2
+><P
+>To start the server as a daemon you should create
+ a script something like this one, perhaps calling
+ it <TT
+CLASS="FILENAME"
+>startsmb</TT
+>.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> #!/bin/sh
+ /usr/local/samba/bin/smbd -D
+ /usr/local/samba/bin/nmbd -D
+ </PRE
+></P
+><P
+>then make it executable with <B
+CLASS="COMMAND"
+>chmod
+ +x startsmb</B
+></P
+><P
+>You can then run <B
+CLASS="COMMAND"
+>startsmb</B
+> by
+ hand or execute it from <TT
+CLASS="FILENAME"
+>/etc/rc.local</TT
+>
+ </P
+><P
+>To kill it send a kill signal to the processes
+ <B
+CLASS="COMMAND"
+>nmbd</B
+> and <B
+CLASS="COMMAND"
+>smbd</B
+>.</P
+><P
+>NOTE: If you use the SVR4 style init system then
+ you may like to look at the <TT
+CLASS="FILENAME"
+>examples/svr4-startup</TT
+>
+ script to make Samba fit into that system.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN132"
+>Step 6: Try listing the shares available on your
+ server</A
+></H1
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbclient -L
+ <TT
+CLASS="REPLACEABLE"
+><I
+>yourhostname</I
+></TT
+></B
+></TT
+></P
+><P
+>Your should get back a list of shares available on
+ your server. If you don't then something is incorrectly setup.
+ Note that this method can also be used to see what shares
+ are available on other LanManager clients (such as WfWg).</P
+><P
+>If you choose user level security then you may find
+ that Samba requests a password before it will list the shares.
+ See the <B
+CLASS="COMMAND"
+>smbclient</B
+> man page for details. (you
+ can force it to list the shares without a password by
+ adding the option -U% to the command line. This will not work
+ with non-Samba servers)</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN141"
+>Step 7: Try connecting with the unix client</A
+></H1
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbclient <TT
+CLASS="REPLACEABLE"
+><I
+> //yourhostname/aservice</I
+></TT
+></B
+></TT
+></P
+><P
+>Typically the <TT
+CLASS="REPLACEABLE"
+><I
+>yourhostname</I
+></TT
+>
+ would be the name of the host where you installed <B
+CLASS="COMMAND"
+> smbd</B
+>. The <TT
+CLASS="REPLACEABLE"
+><I
+>aservice</I
+></TT
+> is
+ any service you have defined in the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>
+ file. Try your user name if you just have a [homes] section
+ in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>.</P
+><P
+>For example if your unix host is bambi and your login
+ name is fred you would type:</P
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbclient //bambi/fred
+ </B
+></TT
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN157"
+>Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
+ Win2k, OS/2, etc... client</A
+></H1
+><P
+>Try mounting disks. eg:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINDOWS\&#62; </TT
+><TT
+CLASS="USERINPUT"
+><B
+>net use d: \\servername\service
+ </B
+></TT
+></P
+><P
+>Try printing. eg:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINDOWS\&#62; </TT
+><TT
+CLASS="USERINPUT"
+><B
+>net use lpt1:
+ \\servername\spoolservice</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINDOWS\&#62; </TT
+><TT
+CLASS="USERINPUT"
+><B
+>print filename
+ </B
+></TT
+></P
+><P
+>Celebrate, or send me a bug report!</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN171"
+>What If Things Don't Work?</A
+></H1
+><P
+>If nothing works and you start to think "who wrote
+ this pile of trash" then I suggest you do step 2 again (and
+ again) till you calm down.</P
+><P
+>Then you might read the file DIAGNOSIS.txt and the
+ FAQ. If you are still stuck then try the mailing list or
+ newsgroup (look in the README for details). Samba has been
+ successfully installed at thousands of sites worldwide, so maybe
+ someone else has hit your problem and has overcome it. You could
+ also use the WWW site to scan back issues of the samba-digest.</P
+><P
+>When you fix the problem PLEASE send me some updates to the
+ documentation (or source code) so that the next person will find it
+ easier. </P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN176"
+>Diagnosing Problems</A
+></H2
+><P
+>If you have instalation problems then go to
+ <TT
+CLASS="FILENAME"
+>DIAGNOSIS.txt</TT
+> to try to find the
+ problem.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN180"
+>Scope IDs</A
+></H2
+><P
+>By default Samba uses a blank scope ID. This means
+ all your windows boxes must also have a blank scope ID.
+ If you really want to use a non-blank scope ID then you will
+ need to use the -i &lt;scope&gt; option to nmbd, smbd, and
+ smbclient. All your PCs will need to have the same setting for
+ this to work. I do not recommend scope IDs.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN183"
+>Choosing the Protocol Level</A
+></H2
+><P
+>The SMB protocol has many dialects. Currently
+ Samba supports 5, called CORE, COREPLUS, LANMAN1,
+ LANMAN2 and NT1.</P
+><P
+>You can choose what maximum protocol to support
+ in the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. The default is
+ NT1 and that is the best for the vast majority of sites.</P
+><P
+>In older versions of Samba you may have found it
+ necessary to use COREPLUS. The limitations that led to
+ this have mostly been fixed. It is now less likely that you
+ will want to use less than LANMAN1. The only remaining advantage
+ of COREPLUS is that for some obscure reason WfWg preserves
+ the case of passwords in this protocol, whereas under LANMAN1,
+ LANMAN2 or NT1 it uppercases all passwords before sending them,
+ forcing you to use the "password level=" option in some cases.</P
+><P
+>The main advantage of LANMAN2 and NT1 is support for
+ long filenames with some clients (eg: smbclient, Windows NT
+ or Win95). </P
+><P
+>See the smb.conf(5) manual page for more details.</P
+><P
+>Note: To support print queue reporting you may find
+ that you have to use TCP/IP as the default protocol under
+ WfWg. For some reason if you leave Netbeui as the default
+ it may break the print queue reporting on some systems.
+ It is presumably a WfWg bug.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN192"
+>Printing from UNIX to a Client PC</A
+></H2
+><P
+>To use a printer that is available via a smb-based
+ server from a unix host you will need to compile the
+ smbclient program. You then need to install the script
+ "smbprint". Read the instruction in smbprint for more details.
+ </P
+><P
+>There is also a SYSV style script that does much
+ the same thing called smbprint.sysv. It contains instructions.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN196"
+>Locking</A
+></H2
+><P
+>One area which sometimes causes trouble is locking.</P
+><P
+>There are two types of locking which need to be
+ performed by a SMB server. The first is "record locking"
+ which allows a client to lock a range of bytes in a open file.
+ The second is the "deny modes" that are specified when a file
+ is open.</P
+><P
+>Samba supports "record locking" using the fcntl() unix system
+ call. This is often implemented using rpc calls to a rpc.lockd process
+ running on the system that owns the filesystem. Unfortunately many
+ rpc.lockd implementations are very buggy, particularly when made to
+ talk to versions from other vendors. It is not uncommon for the
+ rpc.lockd to crash.</P
+><P
+>There is also a problem translating the 32 bit lock
+ requests generated by PC clients to 31 bit requests supported
+ by most unixes. Unfortunately many PC applications (typically
+ OLE2 applications) use byte ranges with the top bit set
+ as semaphore sets. Samba attempts translation to support
+ these types of applications, and the translation has proved
+ to be quite successful.</P
+><P
+>Strictly a SMB server should check for locks before
+ every read and write call on a file. Unfortunately with the
+ way fcntl() works this can be slow and may overstress the
+ rpc.lockd. It is also almost always unnecessary as clients
+ are supposed to independently make locking calls before reads
+ and writes anyway if locking is important to them. By default
+ Samba only makes locking calls when explicitly asked
+ to by a client, but if you set "strict locking = yes" then it will
+ make lock checking calls on every read and write. </P
+><P
+>You can also disable by range locking completely
+ using "locking = no". This is useful for those shares that
+ don't support locking or don't need it (such as cdroms). In
+ this case Samba fakes the return codes of locking calls to
+ tell clients that everything is OK.</P
+><P
+>The second class of locking is the "deny modes". These
+ are set by an application when it opens a file to determine
+ what types of access should be allowed simultaneously with
+ its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
+ or DENY_ALL. There are also special compatability modes called
+ DENY_FCB and DENY_DOS.</P
+><P
+>You can disable share modes using "share modes = no".
+ This may be useful on a heavily loaded server as the share
+ modes code is very slow. See also the FAST_SHARE_MODES
+ option in the Makefile for a way to do full share modes
+ very fast using shared memory (if your OS supports it).</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN206"
+>Mapping Usernames</A
+></H2
+><P
+>If you have different usernames on the PCs and
+ the unix server then take a look at the "username map" option.
+ See the smb.conf man page for details.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN209"
+>Other Character Sets</A
+></H2
+><P
+>If you have problems using filenames with accented
+ characters in them (like the German, French or Scandinavian
+ character sets) then I recommmend you look at the "valid chars"
+ option in smb.conf and also take a look at the validchars
+ package in the examples directory.</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN212"
+>Chapter 2. LanMan and NT Password Encryption in Samba 2.x</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN223"
+>Introduction</A
+></H1
+><P
+>With the development of LanManager and Windows NT
+ compatible password encryption for Samba, it is now able
+ to validate user connections in exactly the same way as
+ a LanManager or Windows NT server.</P
+><P
+>This document describes how the SMB password encryption
+ algorithm works and what issues there are in choosing whether
+ you want to use it. You should read it carefully, especially
+ the part about security and the "PROS and CONS" section.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN227"
+>How does it work?</A
+></H1
+><P
+>LanManager encryption is somewhat similar to UNIX
+ password encryption. The server uses a file containing a
+ hashed value of a user's password. This is created by taking
+ the user's plaintext password, capitalising it, and either
+ truncating to 14 bytes or padding to 14 bytes with null bytes.
+ This 14 byte value is used as two 56 bit DES keys to encrypt
+ a 'magic' eight byte value, forming a 16 byte value which is
+ stored by the server and client. Let this value be known as
+ the "hashed password".</P
+><P
+>Windows NT encryption is a higher quality mechanism,
+ consisting of doing an MD4 hash on a Unicode version of the user's
+ password. This also produces a 16 byte hash value that is
+ non-reversible.</P
+><P
+>When a client (LanManager, Windows for WorkGroups, Windows
+ 95 or Windows NT) wishes to mount a Samba drive (or use a Samba
+ resource), it first requests a connection and negotiates the
+ protocol that the client and server will use. In the reply to this
+ request the Samba server generates and appends an 8 byte, random
+ value - this is stored in the Samba server after the reply is sent
+ and is known as the "challenge". The challenge is different for
+ every client connection.</P
+><P
+>The client then uses the hashed password (16 byte values
+ described above), appended with 5 null bytes, as three 56 bit
+ DES keys, each of which is used to encrypt the challenge 8 byte
+ value, forming a 24 byte value known as the "response".</P
+><P
+>In the SMB call SMBsessionsetupX (when user level security
+ is selected) or the call SMBtconX (when share level security is
+ selected), the 24 byte response is returned by the client to the
+ Samba server. For Windows NT protocol levels the above calculation
+ is done on both hashes of the user's password and both responses are
+ returned in the SMB call, giving two 24 byte values.</P
+><P
+>The Samba server then reproduces the above calculation, using
+ its own stored value of the 16 byte hashed password (read from the
+ <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+> file - described later) and the challenge
+ value that it kept from the negotiate protocol reply. It then checks
+ to see if the 24 byte value it calculates matches the 24 byte value
+ returned to it from the client.</P
+><P
+>If these values match exactly, then the client knew the
+ correct password (or the 16 byte hashed value - see security note
+ below) and is thus allowed access. If not, then the client did not
+ know the correct password and is denied access.</P
+><P
+>Note that the Samba server never knows or stores the cleartext
+ of the user's password - just the 16 byte hashed values derived from
+ it. Also note that the cleartext password or 16 byte hashed values
+ are never transmitted over the network - thus increasing security.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN238"
+>Important Notes About Security</A
+></H1
+><P
+>The unix and SMB password encryption techniques seem similar
+ on the surface. This similarity is, however, only skin deep. The unix
+ scheme typically sends clear text passwords over the nextwork when
+ logging in. This is bad. The SMB encryption scheme never sends the
+ cleartext password over the network but it does store the 16 byte
+ hashed values on disk. This is also bad. Why? Because the 16 byte hashed
+ values are a "password equivalent". You cannot derive the user's
+ password from them, but they could potentially be used in a modified
+ client to gain access to a server. This would require considerable
+ technical knowledge on behalf of the attacker but is perfectly possible.
+ You should thus treat the smbpasswd file as though it contained the
+ cleartext passwords of all your users. Its contents must be kept
+ secret, and the file should be protected accordingly.</P
+><P
+>Ideally we would like a password scheme which neither requires
+ plain text passwords on the net or on disk. Unfortunately this
+ is not available as Samba is stuck with being compatible with
+ other SMB systems (WinNT, WfWg, Win95 etc). </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>Note that Windows NT 4.0 Service pack 3 changed the
+ default for permissible authentication so that plaintext
+ passwords are <I
+CLASS="EMPHASIS"
+>never</I
+> sent over the wire.
+ The solution to this is either to switch to encrypted passwords
+ with Samba or edit the Windows NT registry to re-enable plaintext
+ passwords. See the document WinNT.txt for details on how to do
+ this.</P
+><P
+>Other Microsoft operating systems which also exhibit
+ this behavior includes</P
+><P
+></P
+><UL
+><LI
+><P
+>MS DOS Network client 3.0 with
+ the basic network redirector installed</P
+></LI
+><LI
+><P
+>Windows 95 with the network redirector
+ update installed</P
+></LI
+><LI
+><P
+>Windows 98 [se]</P
+></LI
+><LI
+><P
+>Windows 2000</P
+></LI
+></UL
+><P
+><I
+CLASS="EMPHASIS"
+>Note :</I
+>All current release of
+ Microsoft SMB/CIFS clients support authentication via the
+ SMB Challenge/Response mechanism described here. Enabling
+ clear text authentication does not disable the ability
+ of the client to particpate in encrypted authentication.</P
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN257"
+>Advantages of SMB Encryption</A
+></H2
+><P
+></P
+><UL
+><LI
+><P
+>plain text passwords are not passed across
+ the network. Someone using a network sniffer cannot just
+ record passwords going to the SMB server.</P
+></LI
+><LI
+><P
+>WinNT doesn't like talking to a server
+ that isn't using SMB encrypted passwords. It will refuse
+ to browse the server if the server is also in user level
+ security mode. It will insist on prompting the user for the
+ password on each connection, which is very annoying. The
+ only things you can do to stop this is to use SMB encryption.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN264"
+>Advantages of non-encrypted passwords</A
+></H2
+><P
+></P
+><UL
+><LI
+><P
+>plain text passwords are not kept
+ on disk. </P
+></LI
+><LI
+><P
+>uses same password file as other unix
+ services such as login and ftp</P
+></LI
+><LI
+><P
+>you are probably already using other
+ services (such as telnet and ftp) which send plain text
+ passwords over the net, so sending them for SMB isn't
+ such a big deal.</P
+></LI
+></UL
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN273"
+><A
+NAME="SMBPASSWDFILEFORMAT"
+></A
+>The smbpasswd file</A
+></H1
+><P
+>In order for Samba to participate in the above protocol
+ it must be able to look up the 16 byte hashed values given a user name.
+ Unfortunately, as the UNIX password value is also a one way hash
+ function (ie. it is impossible to retrieve the cleartext of the user's
+ password given the UNIX hash of it), a separate password file
+ containing this 16 byte value must be kept. To minimise problems with
+ these two password files, getting out of sync, the UNIX <TT
+CLASS="FILENAME"
+> /etc/passwd</TT
+> and the <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+> file,
+ a utility, <B
+CLASS="COMMAND"
+>mksmbpasswd.sh</B
+>, is provided to generate
+ a smbpasswd file from a UNIX <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> file.
+ </P
+><P
+>To generate the smbpasswd file from your <TT
+CLASS="FILENAME"
+>/etc/passwd
+ </TT
+> file use the following command :</P
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>cat /etc/passwd | mksmbpasswd.sh
+ &gt; /usr/local/samba/private/smbpasswd</B
+></TT
+></P
+><P
+>If you are running on a system that uses NIS, use</P
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>ypcat passwd | mksmbpasswd.sh
+ &gt; /usr/local/samba/private/smbpasswd</B
+></TT
+></P
+><P
+>The <B
+CLASS="COMMAND"
+>mksmbpasswd.sh</B
+> program is found in
+ the Samba source directory. By default, the smbpasswd file is
+ stored in :</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/private/smbpasswd</TT
+></P
+><P
+>The owner of the <TT
+CLASS="FILENAME"
+>/usr/local/samba/private/</TT
+>
+ directory should be set to root, and the permissions on it should
+ be set to 0500 (<B
+CLASS="COMMAND"
+>chmod 500 /usr/local/samba/private</B
+>).
+ </P
+><P
+>Likewise, the smbpasswd file inside the private directory should
+ be owned by root and the permissions on is should be set to 0600
+ (<B
+CLASS="COMMAND"
+>chmod 600 smbpasswd</B
+>).</P
+><P
+>The format of the smbpasswd file is (The line has been
+ wrapped here. It should appear as one entry per line in
+ your smbpasswd file.)</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ [Account type]:LCT-&lt;last-change-time&gt;:Long name
+ </PRE
+></P
+><P
+>Although only the <TT
+CLASS="REPLACEABLE"
+><I
+>username</I
+></TT
+>,
+ <TT
+CLASS="REPLACEABLE"
+><I
+>uid</I
+></TT
+>, <TT
+CLASS="REPLACEABLE"
+><I
+> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</I
+></TT
+>,
+ [<TT
+CLASS="REPLACEABLE"
+><I
+>Account type</I
+></TT
+>] and <TT
+CLASS="REPLACEABLE"
+><I
+> last-change-time</I
+></TT
+> sections are significant
+ and are looked at in the Samba code.</P
+><P
+>It is <I
+CLASS="EMPHASIS"
+>VITALLY</I
+> important that there by 32
+ 'X' characters between the two ':' characters in the XXX sections -
+ the smbpasswd and Samba code will fail to validate any entries that
+ do not have 32 characters between ':' characters. The first XXX
+ section is for the Lanman password hash, the second is for the
+ Windows NT version.</P
+><P
+>When the password file is created all users have password entries
+ consisting of 32 'X' characters. By default this disallows any access
+ as this user. When a user has a password set, the 'X' characters change
+ to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii
+ representation of the 16 byte hashed value of a user's password.</P
+><P
+>To set a user to have no password (not recommended), edit the file
+ using vi, and replace the first 11 characters with the ascii text
+ <TT
+CLASS="CONSTANT"
+>"NO PASSWORD"</TT
+> (minus the quotes).</P
+><P
+>For example, to clear the password for user bob, his smbpasswd file
+ entry would look like :</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
+ </PRE
+></P
+><P
+>If you are allowing users to use the smbpasswd command to set
+ their own passwords, you may want to give users NO PASSWORD initially
+ so they do not have to enter a previous password when changing to their
+ new password (not recommended). In order for you to allow this the
+ <B
+CLASS="COMMAND"
+>smbpasswd</B
+> program must be able to connect to the
+ <B
+CLASS="COMMAND"
+>smbd</B
+> daemon as that user with no password. Enable this
+ by adding the line :</P
+><P
+><B
+CLASS="COMMAND"
+>null passwords = yes</B
+></P
+><P
+>to the [global] section of the smb.conf file (this is why
+ the above scenario is not recommended). Preferably, allocate your
+ users a default password to begin with, so you do not have
+ to enable this on your server.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note : </I
+>This file should be protected very
+ carefully. Anyone with access to this file can (with enough knowledge of
+ the protocols) gain access to your SMB server. The file is thus more
+ sensitive than a normal unix <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> file.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN325"
+>The smbpasswd Command</A
+></H1
+><P
+>The smbpasswd command maintains the two 32 byte password fields
+ in the smbpasswd file. If you wish to make it similar to the unix
+ <B
+CLASS="COMMAND"
+>passwd</B
+> or <B
+CLASS="COMMAND"
+>yppasswd</B
+> programs,
+ install it in <TT
+CLASS="FILENAME"
+>/usr/local/samba/bin/</TT
+> (or your
+ main Samba binary directory).</P
+><P
+>Note that as of Samba 1.9.18p4 this program <I
+CLASS="EMPHASIS"
+>MUST NOT
+ BE INSTALLED</I
+> setuid root (the new <B
+CLASS="COMMAND"
+>smbpasswd</B
+>
+ code enforces this restriction so it cannot be run this way by
+ accident).</P
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> now works in a client-server mode
+ where it contacts the local smbd to change the user's password on its
+ behalf. This has enormous benefits - as follows.</P
+><P
+></P
+><UL
+><LI
+><P
+>smbpasswd no longer has to be setuid root -
+ an enormous range of potential security problems is
+ eliminated.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> now has the capability
+ to change passwords on Windows NT servers (this only works when
+ the request is sent to the NT Primary Domain Controller if you
+ are changing an NT Domain user's password).</P
+></LI
+></UL
+><P
+>To run smbpasswd as a normal user just type :</P
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbpasswd</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>Old SMB password: </TT
+><TT
+CLASS="USERINPUT"
+><B
+>&lt;type old value here -
+ or hit return if there was no old password&gt;</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>New SMB Password: </TT
+><TT
+CLASS="USERINPUT"
+><B
+>&lt;type new value&gt;
+ </B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>Repeat New SMB Password: </TT
+><TT
+CLASS="USERINPUT"
+><B
+>&lt;re-type new value
+ </B
+></TT
+></P
+><P
+>If the old value does not match the current value stored for
+ that user, or the two new values do not match each other, then the
+ password will not be changed.</P
+><P
+>If invoked by an ordinary user it will only allow the user
+ to change his or her own Samba password.</P
+><P
+>If run by the root user smbpasswd may take an optional
+ argument, specifying the user name whose SMB password you wish to
+ change. Note that when run as root smbpasswd does not prompt for
+ or check the old password value, thus allowing root to set passwords
+ for users who have forgotten their passwords.</P
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> is designed to work in the same way
+ and be familiar to UNIX users who use the <B
+CLASS="COMMAND"
+>passwd</B
+> or
+ <B
+CLASS="COMMAND"
+>yppasswd</B
+> commands.</P
+><P
+>For more details on using <B
+CLASS="COMMAND"
+>smbpasswd</B
+> refer
+ to the man page which will always be the definitive reference.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN364"
+>Setting up Samba to support LanManager Encryption</A
+></H1
+><P
+>This is a very brief description on how to setup samba to
+ support password encryption. </P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>compile and install samba as usual</P
+></LI
+><LI
+><P
+>enable encrypted passwords in <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> by adding the line <B
+CLASS="COMMAND"
+>encrypt
+ passwords = yes</B
+> in the [global] section</P
+></LI
+><LI
+><P
+>create the initial <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>
+ password file in the place you specified in the Makefile
+ (--prefix=&lt;dir&gt;). See the notes under the <A
+HREF="#SMBPASSWDFILEFORMAT"
+>The smbpasswd File</A
+>
+ section earlier in the document for details.</P
+></LI
+></OL
+><P
+>Note that you can test things using smbclient.</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN379"
+>Chapter 3. Hosting a Microsoft Distributed File System tree on Samba</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN390"
+>Instructions</A
+></H1
+><P
+>The Distributed File System (or Dfs) provides a means of
+ separating the logical view of files and directories that users
+ see from the actual physical locations of these resources on the
+ network. It allows for higher availability, smoother storage expansion,
+ load balancing etc. For more information about Dfs, refer to <A
+HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
+TARGET="_top"
+> Microsoft documentation</A
+>. </P
+><P
+>This document explains how to host a Dfs tree on a Unix
+ machine (for Dfs-aware clients to browse) using Samba.</P
+><P
+>To enable SMB-based DFS for Samba, configure it with the
+ <TT
+CLASS="PARAMETER"
+><I
+>--with-msdfs</I
+></TT
+> option. Once built, a
+ Samba server can be made a Dfs server by setting the global
+ boolean <A
+HREF="smb.conf.5.html#HOSTMSDFS"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> host msdfs</I
+></TT
+></A
+> parameter in the <TT
+CLASS="FILENAME"
+>smb.conf
+ </TT
+> file. You designate a share as a Dfs root using the share
+ level boolean <A
+HREF="smb.conf.5.html#MSDFSROOT"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> msdfs root</I
+></TT
+></A
+> parameter. A Dfs root directory on
+ Samba hosts Dfs links in the form of symbolic links that point
+ to other servers. For example, a symbolic link
+ <TT
+CLASS="FILENAME"
+>junction-&gt;msdfs:storage1\share1</TT
+> in
+ the share directory acts as the Dfs junction. When Dfs-aware
+ clients attempt to access the junction link, they are redirected
+ to the storage location (in this case, \\storage1\share1).</P
+><P
+>Dfs trees on Samba work with all Dfs-aware clients ranging
+ from Windows 95 to 2000.</P
+><P
+>Here's an example of setting up a Dfs tree on a Samba
+ server.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+># The smb.conf file:
+[global]
+ netbios name = SAMBA
+ host msdfs = yes
+
+[dfs]
+ path = /export/dfsroot
+ msdfs root = yes
+ </PRE
+></P
+><P
+>In the /export/dfsroot directory we set up our dfs links to
+ other servers on the network.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>cd /export/dfsroot</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>chown root /export/dfsroot</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>chmod 755 /export/dfsroot</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>ln -s msdfs:storageA\\shareA linka</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>ln -s msdfs:serverB\\share,serverC\\share linkb</B
+></TT
+></P
+><P
+>You should set up the permissions and ownership of
+ the directory acting as the Dfs root such that only designated
+ users can create, delete or modify the msdfs links. Also note
+ that symlink names should be all lowercase. This limitation exists
+ to have Samba avoid trying all the case combinations to get at
+ the link name. Finally set up the symbolic links to point to the
+ network shares you want, and start Samba.</P
+><P
+>Users on Dfs-aware clients can now browse the Dfs tree
+ on the Samba server at \\samba\dfs. Accessing
+ links linka or linkb (which appear as directories to the client)
+ takes users directly to the appropriate shares on the network.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN425"
+>Notes</A
+></H2
+><P
+></P
+><UL
+><LI
+><P
+>Windows clients need to be rebooted
+ if a previously mounted non-dfs share is made a dfs
+ root or vice versa. A better way is to introduce a
+ new share and make it the dfs root.</P
+></LI
+><LI
+><P
+>Currently there's a restriction that msdfs
+ symlink names should all be lowercase.</P
+></LI
+><LI
+><P
+>For security purposes, the directory
+ acting as the root of the Dfs tree should have ownership
+ and permissions set so that only designated users can
+ modify the symbolic links in the directory.</P
+></LI
+></UL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN434"
+>Chapter 4. Printing Support in Samba 2.2.x</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN445"
+>Introduction</A
+></H1
+><P
+>Beginning with the 2.2.0 release, Samba supports
+the native Windows NT printing mechanisms implemented via
+MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
+Samba only supported LanMan printing calls.</P
+><P
+>The additional functionality provided by the new
+SPOOLSS support includes:</P
+><P
+></P
+><UL
+><LI
+><P
+>Support for downloading printer driver
+ files to Windows 95/98/NT/2000 clients upon demand.
+ </P
+></LI
+><LI
+><P
+>Uploading of printer drivers via the
+ Windows NT Add Printer Wizard (APW) or the
+ Imprints tool set (refer to <A
+HREF="http://imprints.sourceforge.net"
+TARGET="_top"
+>http://imprints.sourceforge.net</A
+>).
+ </P
+></LI
+><LI
+><P
+>Support for the native MS-RPC printing
+ calls such as StartDocPrinter, EnumJobs(), etc... (See
+ the <A
+HREF="http://msdn.microsoft.com/"
+TARGET="_top"
+>MSDN documentation
+ </A
+> at http://msdn.microsoft.com/ for more information on the Win32 printing API)
+ </P
+></LI
+><LI
+><P
+>Support for NT Access Control Lists (ACL)
+ on printer objects</P
+></LI
+><LI
+><P
+>Improved support for printer queue manipulation
+ through the use of an internal databases for spooled job
+ information</P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN462"
+>Configuration</A
+></H1
+><P
+>In order to support the uploading of printer driver
+files, you must first configure a file share named [print$].
+The name of this share is hard coded in Samba's internals so
+the name is very important (print$ is the service used by
+Windows NT print servers to provide support for printer driver
+download).</P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>Previous versions of Samba recommended using
+ a share named [printer$]. This name was taken from the
+ printer$ service created by Windows 9x clients when a
+ printer was shared. Windows 9x printer servers always have
+ a printer$ service which provides read-only access via no
+ password in order to support printer driver downloads.</P
+><P
+>However, the initial implementation allowed for a
+ parameter named <TT
+CLASS="PARAMETER"
+><I
+>printer driver location</I
+></TT
+>
+ to be used on a per share basis to specify the location of
+ the driver files associated with that printer. Another
+ parameter named <TT
+CLASS="PARAMETER"
+><I
+>printer driver</I
+></TT
+> provided
+ a means of defining the printer driver name to be sent to
+ the client.</P
+><P
+>These parameters, including <TT
+CLASS="PARAMETER"
+><I
+>printer driver
+ file</I
+></TT
+> parameter, are being depreciated and should not
+ be used in new installations. For more information on this change,
+ you should refer to the <A
+HREF="#MIGRATION"
+>Migration section
+ </A
+>of this document.</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>You should modify the server's smb.conf file to create the
+following file share (of course, some of the parameter values,
+such as 'path' are arbitrary and should be replaced with
+appropriate values for your site):</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[print$]
+ path = /usr/local/samba/printers
+ guest ok = yes
+ browseable = yes
+ read only = yes
+ write list = ntadmin</PRE
+></P
+><P
+>The <A
+HREF="smb.conf.5.html#WRITELIST"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>write list</I
+></TT
+></A
+> is used to allow administrative
+level user accounts to have write access in order to update files
+on the share. See the <A
+HREF="smb./conf.5.html"
+TARGET="_top"
+>smb.conf(5) man page</A
+> for more information on
+configuring file shares.</P
+><P
+>The requirement for <A
+HREF="smb.conf.5.html#GUESTOK"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>guest ok = yes</B
+></A
+> depends upon how your
+site is configured. If users will be guaranteed to have
+an account on the Samba host, then this is a non-issue.</P
+><P
+><I
+CLASS="EMPHASIS"
+>author's note: </I
+>The non-issue is that
+if all your Windows NT users are guaranteed to be authenticated
+by the Samba server (such as a domain member server and the NT
+user has already been validated by the Domain Controller in
+order to logon to the Windows NT console), then guest access
+is not necessary. Of course, in a workgroup environment where
+you just want to be able to print without worrying about
+silly accounts and security, then configure the share for
+guest access. You'll probably want to add <A
+HREF="smb.conf.5.html#MAPTOGUEST"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>map to guest = Bad User</B
+></A
+> in the [global] section as well. Make sure
+you understand what this parameter does before using it
+though. --jerry]</P
+><P
+>In order for a Windows NT print server to support
+the downloading of driver files by multiple client architectures,
+it must create subdirectories within the [print$] service
+which correspond to each of the supported client architectures.
+Samba follows this model as well.</P
+><P
+>Next create the directory tree below the [print$] share
+for each architecture you wish to support.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[print$]-----
+ |-W32X86 ; "Windows NT x86"
+ |-WIN40 ; "Windows 95/98"
+ |-W32ALPHA ; "Windows NT Alpha_AXP"
+ |-W32MIPS ; "Windows NT R4000"
+ |-W32PPC ; "Windows NT PowerPC"</PRE
+></P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+><I
+CLASS="EMPHASIS"
+>ATTENTION! REQUIRED PERMISSIONS</I
+></P
+><P
+>In order to currently add a new driver to you Samba host,
+ one of two conditions must hold true:</P
+><P
+></P
+><UL
+><LI
+><P
+>The account used to connect to the Samba host
+ must have a uid of 0 (i.e. a root account)</P
+></LI
+><LI
+><P
+>The account used to connect to the Samba host
+ must be a member of the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> printer admin</I
+></TT
+></A
+> list.</P
+></LI
+></UL
+><P
+>Of course, the connected account must still possess access
+ to add files to the subdirectories beneath [print$].</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>Once you have created the required [print$] service and
+associated subdirectories, simply log onto the Samba server using
+a root (or <TT
+CLASS="PARAMETER"
+><I
+>printer admin</I
+></TT
+>) account
+from a Windows NT 4.0 client. Navigate to the "Printers" folder
+on the Samba server. You should see an initial listing of printers
+that matches the printer shares defined on your Samba host.</P
+><P
+>The initial listing of printers in the Samba host's
+Printers folder will have no printer driver assigned to them.
+The way assign a driver to a printer is to view the Properties
+of the printer and either</P
+><P
+></P
+><UL
+><LI
+><P
+>Use the "New Driver..." button to install
+ a new printer driver, or</P
+></LI
+><LI
+><P
+>Select a driver from the popup list of
+ installed drivers. Initially this list will be empty.</P
+></LI
+></UL
+><P
+>If you wish to install printer drivers for client
+operating systems other than "Windows NT x86", you will need
+to use the "Sharing" tab of the printer properties dialog.</P
+><P
+>Assuming you have connected with a root account, you
+will also be able modify other printer properties such as
+ACLs and device settings using this dialog box.</P
+><P
+>A few closing comments for this section, it is possible
+on a Windows NT print server to have printers
+listed in the Printers folder which are not shared. Samba does
+not make this distinction. By definition, the only printers of
+which Samba is aware are those which are specified as shares in
+<TT
+CLASS="FILENAME"
+>smb.conf</TT
+>.</P
+><P
+>Another interesting side note is that Windows NT clients do
+not use the SMB printer share, but rather can print directly
+to any printer on another Windows NT host using MS-RPC. This
+of course assumes that the printing client has the necessary
+privileges on the remote host serving the printer. The default
+permissions assigned by Windows NT to a printer gives the "Print"
+permissions to the "Everyone" well-known group.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN516"
+>Support a large number of printers</A
+></H2
+><P
+>One issue that has arisen during the development
+phase of Samba 2.2 is the need to support driver downloads for
+100's of printers. Using the Windows NT APW is somewhat
+awkward to say the list. If more than one printer are using the
+same driver, the <A
+HREF="rpcclient.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>rpcclient's
+setdriver command</B
+></A
+> can be used to set the driver
+associated with an installed driver. The following is example
+of how this could be accomplished:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>
+<TT
+CLASS="PROMPT"
+>$ </TT
+>rpcclient pogo -U root%secret -c "enumdrivers"
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+
+[Windows NT x86]
+Printer Driver Info 1:
+ Driver Name: [HP LaserJet 4000 Series PS]
+
+Printer Driver Info 1:
+ Driver Name: [HP LaserJet 2100 Series PS]
+
+Printer Driver Info 1:
+ Driver Name: [HP LaserJet 4Si/4SiMX PS]
+
+<TT
+CLASS="PROMPT"
+>$ </TT
+>rpcclient pogo -U root%secret -c "enumprinters"
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+ flags:[0x800000]
+ name:[\\POGO\hp-print]
+ description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
+ comment:[]
+
+<TT
+CLASS="PROMPT"
+>$ </TT
+>rpcclient pogo -U root%bleaK.er \
+<TT
+CLASS="PROMPT"
+>&gt; </TT
+> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
+Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
+Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE
+></P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN527"
+>The Imprints Toolset</A
+></H1
+><P
+>The Imprints tool set provides a UNIX equivalent of the
+ Windows NT Add Printer Wizard. For complete information, please
+ refer to the Imprints web site at <A
+HREF="http://imprints.sourceforge.net/"
+TARGET="_top"
+> http://imprints.sourceforge.net/</A
+> as well as the documentation
+ included with the imprints source distribution. This section will
+ only provide a brief introduction to the features of Imprints.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN531"
+>What is Imprints?</A
+></H2
+><P
+>Imprints is a collection of tools for supporting the goals
+ of</P
+><P
+></P
+><UL
+><LI
+><P
+>Providing a central repository information
+ regarding Windows NT and 95/98 printer driver packages</P
+></LI
+><LI
+><P
+>Providing the tools necessary for creating
+ the Imprints printer driver packages.</P
+></LI
+><LI
+><P
+>Providing an installation client which
+ will obtain and install printer drivers on remote Samba
+ and Windows NT 4 print servers.</P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN541"
+>Creating Printer Driver Packages</A
+></H2
+><P
+>The process of creating printer driver packages is beyond
+ the scope of this document (refer to Imprints.txt also included
+ with the Samba distribution for more information). In short,
+ an Imprints driver package is a gzipped tarball containing the
+ driver files, related INF files, and a control file needed by the
+ installation client.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN544"
+>The Imprints server</A
+></H2
+><P
+>The Imprints server is really a database server that
+ may be queried via standard HTTP mechanisms. Each printer
+ entry in the database has an associated URL for the actual
+ downloading of the package. Each package is digitally signed
+ via GnuPG which can be used to verify that package downloaded
+ is actually the one referred in the Imprints database. It is
+ <I
+CLASS="EMPHASIS"
+>not</I
+> recommended that this security check
+ be disabled.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN548"
+>The Installation Client</A
+></H2
+><P
+>More information regarding the Imprints installation client
+ is available in the <TT
+CLASS="FILENAME"
+>Imprints-Client-HOWTO.ps</TT
+>
+ file included with the imprints source package.</P
+><P
+>The Imprints installation client comes in two forms.</P
+><P
+></P
+><UL
+><LI
+><P
+>a set of command line Perl scripts</P
+></LI
+><LI
+><P
+>a GTK+ based graphical interface to
+ the command line perl scripts</P
+></LI
+></UL
+><P
+>The installation client (in both forms) provides a means
+ of querying the Imprints database server for a matching
+ list of known printer model names as well as a means to
+ download and install the drivers on remote Samba and Windows
+ NT print servers.</P
+><P
+>The basic installation process is in four steps and
+ perl code is wrapped around <B
+CLASS="COMMAND"
+>smbclient</B
+>
+ and <B
+CLASS="COMMAND"
+>rpcclient</B
+>.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>
+ foreach (supported architecture for a given driver)
+ {
+ 1. rpcclient: Get the appropriate upload directory
+ on the remote server
+ 2. smbclient: Upload the driver files
+ 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
+ }
+
+ 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
+ create the printer
+ </PRE
+></P
+><P
+>One of the problems encountered when implementing
+ the Imprints tool set was the name space issues between
+ various supported client architectures. For example, Windows
+ NT includes a driver named "Apple LaserWriter II NTX v51.8"
+ and Windows 95 callsits version of this driver "Apple
+ LaserWriter II NTX"</P
+><P
+>The problem is how to know what client drivers have
+ been uploaded for a printer. As astute reader will remember
+ that the Windows NT Printer Properties dialog only includes
+ space for one printer driver name. A quick look in the
+ Windows NT 4.0 system registry at</P
+><P
+><TT
+CLASS="FILENAME"
+>HKLM\System\CurrentControlSet\Control\Print\Environment
+ </TT
+></P
+><P
+>will reveal that Windows NT always uses the NT driver
+ name. The is ok as Windows NT always requires that at least
+ the Windows NT version of the printer driver is present.
+ However, Samba does not have the requirement internally.
+ Therefore, how can you use the NT driver name if is has not
+ already been installed?</P
+><P
+>The way of sidestepping this limitation is to require
+ that all Imprints printer driver packages include both the Intel
+ Windows NT and 95/98 printer drivers and that NT driver is
+ installed first.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN570"
+><A
+NAME="MIGRATION"
+></A
+>Migration to from Samba 2.0.x to
+ 2.2.x</A
+></H1
+><P
+>Given that printer driver management has changed
+ (we hope improved :) ) in 2.2.0 over prior releases,
+ migration from an existing setup to 2.2.0 can follow
+ several paths.</P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>The following smb.conf parameters are considered to be
+ depreciated and will be removed soon. Do not use them
+ in new installations</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver file (G)</I
+></TT
+>
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver (S)</I
+></TT
+>
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver location (S)</I
+></TT
+>
+ </P
+></LI
+></UL
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>Here are the possible scenarios for supporting migration:</P
+><P
+></P
+><UL
+><LI
+><P
+>If you do not desire the new Windows NT
+ print driver support, nothing needs to be done.
+ All existing parameters work the same.</P
+></LI
+><LI
+><P
+>If you want to take advantage of NT printer
+ driver support but do not want to migrate the
+ 9x drivers to the new setup, the leave the existing
+ printers.def file. When smbd attempts to locate a
+ 9x driver for the printer in the TDB and fails it
+ will drop down to using the printers.def (and all
+ associated parameters). The <B
+CLASS="COMMAND"
+>make_printerdef</B
+>
+ tool will also remain for backwards compatibility but will
+ be moved to the "this tool is the old way of doing it"
+ pile.</P
+></LI
+><LI
+><P
+>If you install a Windows 9x driver for a printer
+ on your Samba host (in the printing TDB), this information will
+ take precedence and the three old printing parameters
+ will be ignored (including print driver location).</P
+></LI
+><LI
+><P
+>If you want to migrate an existing <TT
+CLASS="FILENAME"
+> printers.def</TT
+> file into the new setup, the current only
+ solution is to use the Windows NT APW to install the NT drivers
+ and the 9x drivers. This can be scripted using smbclient and
+ rpcclient. See the <A
+HREF="http://imprints.sourceforge.net/"
+TARGET="_top"
+> Imprints installation client</A
+> for an example.
+ </P
+></LI
+></UL
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN599"
+>Chapter 5. security = domain in Samba 2.x</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN617"
+>Joining an NT Domain with Samba 2.2</A
+></H1
+><P
+>In order for a Samba-2 server to join an NT domain,
+ you must first add the NetBIOS name of the Samba server to the
+ NT domain on the PDC using Server Manager for Domains. This creates
+ the machine account in the domain (PDC) SAM. Note that you should
+ add the Samba server as a "Windows NT Workstation or Server",
+ <I
+CLASS="EMPHASIS"
+>NOT</I
+> as a Primary or backup domain controller.</P
+><P
+>Assume you have a Samba-2 server with a NetBIOS name of
+ <TT
+CLASS="CONSTANT"
+>SERV1</TT
+> and are joining an NT domain called
+ <TT
+CLASS="CONSTANT"
+>DOM</TT
+>, which has a PDC with a NetBIOS name
+ of <TT
+CLASS="CONSTANT"
+>DOMPDC</TT
+> and two backup domain controllers
+ with NetBIOS names <TT
+CLASS="CONSTANT"
+>DOMBDC1</TT
+> and <TT
+CLASS="CONSTANT"
+>DOMBDC2
+ </TT
+>.</P
+><P
+>In order to join the domain, first stop all Samba daemons
+ and run the command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbpasswd -j DOM -r DOMPDC
+ </B
+></TT
+></P
+><P
+>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. If this is successful you will see the message:</P
+><P
+><TT
+CLASS="COMPUTEROUTPUT"
+>smbpasswd: Joined domain DOM.</TT
+>
+ </P
+><P
+>in your terminal window. See the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+> smbpasswd(8)</A
+> man page for more details.</P
+><P
+>There is existing development code to join a domain
+ without having to create the machine trust account on the PDC
+ beforehand. This code will hopefully be available soon
+ in release branches as well.</P
+><P
+>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/private</TT
+></P
+><P
+>In Samba 2.0.x, the filename looks like this:</P
+><P
+><TT
+CLASS="FILENAME"
+><TT
+CLASS="REPLACEABLE"
+><I
+>&lt;NT DOMAIN NAME&gt;</I
+></TT
+>.<TT
+CLASS="REPLACEABLE"
+><I
+>&lt;Samba
+ Server Name&gt;</I
+></TT
+>.mac</TT
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>.mac</TT
+> suffix stands for machine account
+ password file. So in our example above, the file would be called:</P
+><P
+><TT
+CLASS="FILENAME"
+>DOM.SERV1.mac</TT
+></P
+><P
+>In Samba 2.2, this file has been replaced with a TDB
+ (Trivial Database) file named <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+>.
+ </P
+><P
+>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</P
+><P
+>Now, before restarting the Samba daemons you must
+ edit your <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+>
+ </A
+> file to tell Samba it should now use domain security.</P
+><P
+>Change (or add) your <A
+HREF="smb.conf.5.html#SECURITY"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>security =</I
+></TT
+></A
+> line in the [global] section
+ of your smb.conf to read:</P
+><P
+><B
+CLASS="COMMAND"
+>security = domain</B
+></P
+><P
+>Next change the <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> workgroup =</I
+></TT
+></A
+> line in the [global] section to read: </P
+><P
+><B
+CLASS="COMMAND"
+>workgroup = DOM</B
+></P
+><P
+>as this is the name of the domain we are joining. </P
+><P
+>You must also have the parameter <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+></A
+> set to <TT
+CLASS="CONSTANT"
+>yes
+ </TT
+> in order for your users to authenticate to the NT PDC.</P
+><P
+>Finally, add (or modify) a <A
+HREF="smb.conf.5.html#PASSWORDSERVER"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server =</I
+></TT
+></A
+> line in the [global]
+ section to read: </P
+><P
+><B
+CLASS="COMMAND"
+>password server = DOMPDC DOMBDC1 DOMBDC2</B
+></P
+><P
+>These are the primary and backup domain controllers Samba
+ will attempt to contact in order to authenticate users. Samba will
+ try to contact each of these servers in order, so you may want to
+ rearrange this list in order to spread out the authentication load
+ among domain controllers.</P
+><P
+>Alternatively, if you want smbd to automatically determine
+ the list of Domain controllers to use for authentication, you may
+ set this line to be :</P
+><P
+><B
+CLASS="COMMAND"
+>password server = *</B
+></P
+><P
+>This method, which was introduced in Samba 2.0.6,
+ allows Samba to use exactly the same mechanism that NT does. This
+ method either broadcasts or uses a WINS database in order to
+ find domain controllers to authenticate against.</P
+><P
+>Finally, restart your Samba daemons and get ready for
+ clients to begin using domain security!</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN681"
+>Samba and Windows 2000 Domains</A
+></H1
+><P
+>Many people have asked regarding the state of Samba's ability to participate in
+a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
+2000 domain operating in mixed or native mode.</P
+><P
+>There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain. By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
+NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
+><P
+>The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
+Computers" MMC (Microsoft Management Console) plugin.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN686"
+>Why is this better than security = server?</A
+></H1
+><P
+>Currently, domain security in Samba doesn't free you from
+ having to create local Unix users to represent the users attaching
+ to your server. This means that if domain user <TT
+CLASS="CONSTANT"
+>DOM\fred
+ </TT
+> attaches to your domain security Samba server, there needs
+ to be a local Unix user fred to represent that user in the Unix
+ filesystem. This is very similar to the older Samba security mode
+ <A
+HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
+TARGET="_top"
+>security = server</A
+>,
+ where Samba would pass through the authentication request to a Windows
+ NT server in the same way as a Windows 95 or Windows 98 server would.
+ </P
+><P
+>Please refer to the <A
+HREF="winbind.html"
+TARGET="_top"
+>Winbind
+ paper</A
+> for information on a system to automatically
+ assign UNIX uids and gids to Windows NT Domain users and groups.
+ This code is available in development branches only at the moment,
+ but will be moved to release branches soon.</P
+><P
+>The advantage to domain-level security is that the
+ authentication in domain-level security is passed down the authenticated
+ RPC channel in exactly the same way that an NT server would do it. This
+ means Samba servers now participate in domain trust relationships in
+ exactly the same way NT servers do (i.e., you can add Samba servers into
+ a resource domain and have the authentication passed on from a resource
+ domain PDC to an account domain PDC.</P
+><P
+>In addition, with <B
+CLASS="COMMAND"
+>security = server</B
+> every Samba
+ daemon on a server has to keep a connection open to the
+ authenticating server for as long as that daemon lasts. This can drain
+ the connection resources on a Microsoft NT server and cause it to run
+ out of available connections. With <B
+CLASS="COMMAND"
+>security = domain</B
+>,
+ however, the Samba daemons connect to the PDC/BDC only for as long
+ as is necessary to authenticate the user, and then drop the connection,
+ thus conserving PDC connection resources.</P
+><P
+>And finally, acting in the same manner as an NT server
+ authenticating to a PDC means that as part of the authentication
+ reply, the Samba server gets the user identification information such
+ as the user SID, the list of NT groups the user belongs to, etc. All
+ this information will allow Samba to be extended in the future into
+ a mode the developers currently call appliance mode. In this mode,
+ no local Unix users will be necessary, and Samba will generate Unix
+ uids and gids from the information passed back from the PDC when a
+ user is authenticated, making a Samba server truly plug and play
+ in an NT domain environment. Watch for this code soon.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> Much of the text of this document
+ was first published in the Web magazine <A
+HREF="http://www.linuxworld.com"
+TARGET="_top"
+>
+ LinuxWorld</A
+> as the article <A
+HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
+TARGET="_top"
+>Doing
+ the NIS/NT Samba</A
+>.</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN702"
+>Chapter 6. How to Configure Samba 2.2.x as a Primary Domain Controller</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN713"
+>Background</A
+></H1
+><P
+><I
+CLASS="EMPHASIS"
+>Author's Note :</I
+> This document
+is a combination of David Bannon's Samba 2.2 PDC HOWTO
+and the Samba NT Domain FAQ. Both documents are superceeded by this one.</P
+><P
+>Version of Samba prior to release 2.2 had marginal capabilities to
+act as a Windows NT 4.0 Primary Domain Controller (PDC). The following
+functionality should work in 2.2.0:</P
+><P
+></P
+><UL
+><LI
+><P
+>domain logons for Windows NT 4.0/2000 clients</P
+></LI
+><LI
+><P
+>placing a Windows 9x client in user level security</P
+></LI
+><LI
+><P
+>retrieving a list of users and groups from a Samba PDC to
+ Windows 9x/NT/2000 clients </P
+></LI
+><LI
+><P
+>roving user profiles</P
+></LI
+><LI
+><P
+>Windows NT 4.0 style system policies</P
+></LI
+></UL
+><P
+>The following pieces of functionality are not included in the 2.2 release:</P
+><P
+></P
+><UL
+><LI
+><P
+>Windows NT 4 domain trusts</P
+></LI
+><LI
+><P
+>Sam replication with Windows NT 4.0 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa) </P
+></LI
+><LI
+><P
+>Adding users via the User Manager for Domains</P
+></LI
+><LI
+><P
+>Acting as a Windows 2000 Domain Controller (i.e. Kerberos
+ and Active Directory)</P
+></LI
+></UL
+><P
+>Please note that Windows 9x clients are not true members of a domain
+for reasons outlined in this article. Therefore the protocol for
+support Windows 9x style domain logons is completely different
+from NT4 domain logons and has been officially supported for some
+time.</P
+><P
+>Beginning with Samba 2.2.0, we are proud to announce official
+support for Windows NT 4.0 style domain logons from Windows NT
+4.0 and Windows 2000 (including SP1) clients. This article
+outlines the steps necessary for configuring Samba as a PDC.
+Note that it is necessary to have a working Samba server
+prior to implementing the PDC functionality. If you have not
+followed the steps outlined in <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+>UNIX_INSTALL.html</A
+>, please make sure that your server
+is configured correctly before proceeding. Another good
+resource in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5) man
+page</A
+>.</P
+><P
+>Implementing a Samba PDC can basically be divided into 2 broad
+steps.</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>Configuring the Samba Domain Controller
+ </P
+></LI
+><LI
+><P
+>Creating machine trust accounts
+ and joining clients to the domain</P
+></LI
+></OL
+><P
+>There are other minor details such as user profiles, system
+policies, etc... However, these are not necessarily specific
+to a Samba PDC as much as they are related to Windows NT networking
+concepts. They will be mentioned only briefly here.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN750"
+>Configuring the Samba Domain Controller</A
+></H1
+><P
+>The first step in creating a working Samba PDC is to
+understand the parameters necessary in smb.conf. I will not
+attempt to re-explain the parameters here as they are more that
+adequately covered in <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+> the smb.conf
+man page</A
+>. For convenience, the parameters have been
+linked with the actual smb.conf description.</P
+><P
+>Here is an example smb.conf for acting as a PDC:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ ; Basic server settings
+ <A
+HREF="smb.conf.5.html#NETBIOSNAME"
+TARGET="_top"
+>netbios name</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>POGO</I
+></TT
+>
+ <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+>workgroup</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>NARNIA</I
+></TT
+>
+
+ ; we should act as the domain and local master browser
+ <A
+HREF="smb.conf.5.html#OSLEVEL"
+TARGET="_top"
+>os level</A
+> = 64
+ <A
+HREF="smb.conf.5.html#PERFERREDMASTER"
+TARGET="_top"
+>preferred master</A
+> = yes
+ <A
+HREF="smb.conf.5.html#DOMAINMASTER"
+TARGET="_top"
+>domain master</A
+> = yes
+ <A
+HREF="smb.conf.5.html#LOCALMASTER"
+TARGET="_top"
+>local master</A
+> = yes
+
+ ; security settings (must user security = user)
+ <A
+HREF="smb.conf.5.html#SECURITYEQUALSUSER"
+TARGET="_top"
+>security</A
+> = user
+
+ ; encrypted passwords are a requirement for a PDC
+ <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+>encrypt passwords</A
+> = yes
+
+ ; support domain logons
+ <A
+HREF="smb.conf.5.html#DOMAINLOGONS"
+TARGET="_top"
+>domain logons</A
+> = yes
+
+ ; where to store user profiles?
+ <A
+HREF="smb.conf.5.html#LOGONPATH"
+TARGET="_top"
+>logon path</A
+> = \\%N\profiles\%u
+
+ ; where is a user's home directory and where should it
+ ; be mounted at?
+ <A
+HREF="smb.conf.5.html#LOGONDRIVE"
+TARGET="_top"
+>logon drive</A
+> = H:
+ <A
+HREF="smb.conf.5.html#LOGONHOME"
+TARGET="_top"
+>logon home</A
+> = \\homeserver\%u
+
+ ; specify a generic logon script for all users
+ ; this is a relative path to the [netlogon] share
+ <A
+HREF="smb.conf.5.html#LOGONSCRIPT"
+TARGET="_top"
+>logon script</A
+> = logon.cmd
+
+; necessary share for domain controller
+[netlogon]
+ <A
+HREF="smb.conf.5.html#PATH"
+TARGET="_top"
+>path</A
+> = /usr/local/samba/lib/netlogon
+ <A
+HREF="smb.conf.5.html#WRITEABLE"
+TARGET="_top"
+>writeable</A
+> = no
+ <A
+HREF="smb.conf.5.html#WRITELIST"
+TARGET="_top"
+>write list</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>ntadmin</I
+></TT
+>
+
+; share for storing user profiles
+[profiles]
+ <A
+HREF="smb.conf.5.html#PATH"
+TARGET="_top"
+>path</A
+> = /export/smb/ntprofile
+ <A
+HREF="smb.conf.5.html#WRITEABLE"
+TARGET="_top"
+>writeable</A
+> = yes
+ <A
+HREF="smb.conf.5.html#CREATEMASK"
+TARGET="_top"
+>create mask</A
+> = 0600
+ <A
+HREF="smb.conf.5.html#DIRECTORYMASK"
+TARGET="_top"
+>directory mask</A
+> = 0700</PRE
+></P
+><P
+>There are a couple of points to emphasize in the above
+configuration.</P
+><P
+></P
+><UL
+><LI
+><P
+>encrypted passwords must be enabled.
+ For more details on how to do this, refer to
+ <A
+HREF="ENCRYPTION.html"
+TARGET="_top"
+>ENCRYPTION.html</A
+>.
+ </P
+></LI
+><LI
+><P
+>The server must support domain logons
+ and a <TT
+CLASS="FILENAME"
+>[netlogon]</TT
+> share</P
+></LI
+><LI
+><P
+>The server must be the domain master browser
+ in order for Windows client to locate the server as a DC.</P
+></LI
+></UL
+><P
+>As Samba 2.2 does not offer a complete implementation of group mapping between
+Windows NT groups and UNIX groups (this is really quite complicated to explain
+in a short space), you should refer to the <A
+HREF="smb.conf.5.html#DOMAINADMONUSERS"
+TARGET="_top"
+>domain
+admin users</A
+> and <A
+HREF="smb.conf.5.html#DOMAINADMINGROUP"
+TARGET="_top"
+>domain
+admin group</A
+> smb.conf parameters for information of creating a Domain Admins
+style accounts.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN793"
+>Creating Machine Trust Accounts and Joining Clients
+to the Domain</A
+></H1
+><P
+>First you must understand what a machine trust account is and what
+it is used for.</P
+><P
+>A machine trust account is a user account owned by a computer.
+The account password acts as the shared secret for secure
+communication with the Domain Controller. Hence the reason that
+a Windows 9x host is never a true member of a domain because
+it does not posses a machine trust account and thus has no shared
+secret with the DC.</P
+><P
+>On a Windows NT PDC, these machine trust account passwords are stored
+in the registry. A Samba PDC stores these accounts in he same location
+as user LanMan and NT password hashes (currently <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>).
+However, machine trust accounts only possess the NT password hash.</P
+><P
+>There are two means of creating machine trust accounts.</P
+><P
+></P
+><UL
+><LI
+><P
+>Manual creation before joining the client
+ to the domain. In this case, the password is set to a known
+ value -- the lower case of the machine's netbios name.</P
+></LI
+><LI
+><P
+>Creation of the account at the time of
+ joining the domain. In this case, the session key of the
+ administrative account used to join the client to the domain acts
+ as an encryption key for setting the password to a random value.</P
+></LI
+></UL
+><P
+>Because Samba requires machine accounts to possess a UNIX uid from
+which an Windows NT SID can be generated, all of these accounts
+will have an entry in <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> and smbpasswd.
+Future releases will alleviate the need to create
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entries.</P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry will list the machine name
+with a $ appended, won't have a passwd, will have a null shell and no
+home directory. For example a machine called 'doppy' would have an
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry like this :</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>doppy$:x:505:501:NTMachine:/dev/null:/bin/false</PRE
+></P
+><P
+>If you are manually creating the machine accounts, it is necessary
+to add the <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> (or NIS passwd
+map) entry prior to adding the <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>
+entry. The following command will create a new machine account
+ready for use.</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+> smbpasswd -a -m <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+></P
+><P
+>where <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> is the machine's netbios
+name.</P
+><P
+><I
+CLASS="EMPHASIS"
+>If you manually create a machine account, immediately join
+the client to the domain.</I
+> An open account like this
+can allow intruders to gain access to user account information
+in your domain.</P
+><P
+>The second way of creating machine trust accounts is to add
+them on the fly at the time the client is joined to the domain.
+You will need to include a value for the
+<A
+HREF="smb.conf.5.html#ADDUSERSCRIPT"
+TARGET="_top"
+>add user script</A
+>
+parameter. Below is an example I use on a RedHat 6.2 Linux system.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+></P
+><P
+>In Samba 2.2.0, <I
+CLASS="EMPHASIS"
+>only the root account</I
+> can be used to create
+machine accounts on the fly like this. Therefore, it is required
+to create an entry in smbpasswd for <I
+CLASS="EMPHASIS"
+>root</I
+>.
+The password <I
+CLASS="EMPHASIS"
+>SHOULD</I
+> be set to s different
+password that the associated <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+entry for security reasons.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN832"
+>Common Problems and Errors</A
+></H1
+><P
+></P
+><P
+><I
+CLASS="EMPHASIS"
+>I cannot include a '$' in a machine name.</I
+></P
+><P
+>A 'machine name' in (typically) <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+of the machine name with a '$' appended. FreeBSD (and other BSD
+systems ?) won't create a user with a '$' in their name.</P
+><P
+>The problem is only in the program used to make the entry, once
+made, it works perfectly. So create a user without the '$' and
+use <B
+CLASS="COMMAND"
+>vipw</B
+> to edit the entry, adding the '$'. Or create
+the whole entry with vipw if you like, make sure you use a
+unique uid !</P
+><P
+><I
+CLASS="EMPHASIS"
+>I get told "You already have a connection to the Domain...."
+when creating a machine account.</I
+></P
+><P
+>This happens if you try to create a machine account from the
+machine itself and use a user name that does not work (for whatever
+reason) and then try another (possibly valid) user name.
+Exit out of the network applet to close the initial connection
+and try again.</P
+><P
+>Further, if the machine is a already a 'member of a workgroup' that
+is the same name as the domain you are joining (bad idea) you will
+get this message. Change the workgroup name to something else, it
+does not matter what, reboot, and try again.</P
+><P
+><I
+CLASS="EMPHASIS"
+>I get told "Cannot join domain, the credentials supplied
+conflict with an existing set.."</I
+></P
+><P
+>This is the same basic problem as mentioned above, "You already
+have a connection..."</P
+><P
+><I
+CLASS="EMPHASIS"
+>"The system can not log you on (C000019B)...."</I
+></P
+><P
+>I joined the domain successfully but after upgrading
+to a newer version of the Samba code I get the message, "The system
+can not log you on (C000019B), Please try a gain or consult your
+system administrator" when attempting to logon.</P
+><P
+>This occurs when the domain SID stored in
+<TT
+CLASS="FILENAME"
+>private/WORKGROUP.SID</TT
+> is
+changed. For example, you remove the file and <B
+CLASS="COMMAND"
+>smbd</B
+> automatically
+creates a new one. Or you are swapping back and forth between
+versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+only way to correct the problem is to restore the original domain
+SID or remove the domain client from the domain and rejoin.</P
+><P
+><I
+CLASS="EMPHASIS"
+>"The machine account for this computer either does not
+exist or is not accessible."</I
+></P
+><P
+>When I try to join the domain I get the message "The machine account
+for this computer either does not exist or is not accessible". Whats
+wrong ?</P
+><P
+>This problem is caused by the PDC not having a suitable machine account.
+If you are using the <B
+CLASS="COMMAND"
+>add user script =</B
+> method to create
+accounts then this would indicate that it has not worked. Ensure the domain
+admin user system is working.</P
+><P
+>Alternatively if you are creating account entries manually then they
+have not been created correctly. Make sure that you have the entry
+correct for the machine account in smbpasswd file on the Samba PDC.
+If you added the account using an editor rather than using the smbpasswd
+utility, make sure that the account name is the machine netbios name
+with a '$' appended to it ( ie. computer_name$ ). There must be an entry
+in both /etc/passwd and the smbpasswd file. Some people have reported
+that inconsistent subnet masks between the Samba server and the NT
+client have caused this problem. Make sure that these are consistent
+for both client and server.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN860"
+>System Policies and Profiles</A
+></H1
+><P
+>Much of the information necessary to implement System Policies and
+Roving User Profiles in a Samba domain is the same as that for
+implementing these same items in a Windows NT 4.0 domain.
+You should read the white paper <A
+HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
+TARGET="_top"
+>Implementing
+Profiles and Policies in Windows NT 4.0</A
+> available from Microsoft.</P
+><P
+>Here are some additional details:</P
+><P
+><I
+CLASS="EMPHASIS"
+>What about Windows NT Policy Editor ?</I
+></P
+><P
+>To create or edit <TT
+CLASS="FILENAME"
+>ntconfig.pol</TT
+> you must use
+the NT Server Policy Editor, <B
+CLASS="COMMAND"
+>poledit.exe</B
+> which
+is included with NT Server but <I
+CLASS="EMPHASIS"
+>not NT Workstation</I
+>.
+There is a Policy Editor on a NTws
+but it is not suitable for creating <I
+CLASS="EMPHASIS"
+>Domain Policies</I
+>.
+Further, although the Windows 95
+Policy Editor can be installed on an NT Workstation/Server, it will not
+work with NT policies because the registry key that are set by the policy templates.
+However, the files from the NT Server will run happily enough on an NTws.
+You need <TT
+CLASS="FILENAME"
+>poledit.exe, common.adm</TT
+> and <TT
+CLASS="FILENAME"
+>winnt.adm</TT
+>. It is convenient
+to put the two *.adm files in <TT
+CLASS="FILENAME"
+>c:\winnt\inf</TT
+> which is where
+the binary will look for them unless told otherwise. Note also that that
+directory is 'hidden'.</P
+><P
+>The Windows NT policy editor is also included with the
+Service Pack 3 (and later) for Windows NT 4.0. Extract the files using
+<B
+CLASS="COMMAND"
+>servicepackname /x</B
+>, ie thats <B
+CLASS="COMMAND"
+>Nt4sp6ai.exe
+/x</B
+> for service pack 6a. The policy editor, <B
+CLASS="COMMAND"
+>poledit.exe</B
+> and the
+associated template files (*.adm) should
+be extracted as well. It is also possible to downloaded the policy template
+files for Office97 and get a copy of the policy editor. Another possible
+location is with the Zero Administration Kit available for download from Microsoft.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Can Win95 do Policies ?</I
+></P
+><P
+>Install the group policy handler for Win9x to pick up group
+policies. Look on the Win98 CD in <TT
+CLASS="FILENAME"
+>\tools\reskit\netadmin\poledit</TT
+>.
+Install group policies on a Win9x client by double-clicking
+<TT
+CLASS="FILENAME"
+>grouppol.inf</TT
+>. Log off and on again a couple of
+times and see if Win98 picks up group policies. Unfortunately this needs
+to be done on every Win9x machine that uses group policies....</P
+><P
+>If group policies don't work one reports suggests getting the updated
+(read: working) grouppol.dll for Windows 9x. The group list is grabbed
+from /etc/group.</P
+><P
+><I
+CLASS="EMPHASIS"
+>How do I get 'User Manager' and 'Server Manager'</I
+></P
+><P
+>Since I don't need to buy an NT Server CD now, how do I get
+the 'User Manager for Domains', the 'Server Manager' ?</P
+><P
+>Microsoft distributes a version of
+these tools called nexus for installation on Windows 95 systems. The
+tools set includes</P
+><P
+></P
+><UL
+><LI
+><P
+>Server Manager</P
+></LI
+><LI
+><P
+>User Manager for Domains</P
+></LI
+><LI
+><P
+>Event Viewer</P
+></LI
+></UL
+><P
+>Click here to download the archived file <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
+></P
+><P
+>The Windows NT 4.0 version of the 'User Manager for
+Domains' and 'Server Manager' are available from Microsoft via ftp
+from <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN900"
+>What other help can I get ?</A
+></H1
+><P
+>There are many sources of information available in the form
+of mailing lists, RFC's and documentation. The docs that come
+with the samba distribution contain very good explanations of
+general SMB topics such as browsing.</P
+><P
+><I
+CLASS="EMPHASIS"
+>What are some diagnostics tools I can use to debug the domain logon
+process and where can I find them?</I
+></P
+><P
+> One of the best diagnostic tools for debugging problems is Samba itself.
+ You can use the -d option for both smbd and nmbd to specifiy what
+ 'debug level' at which to run. See the man pages on smbd, nmbd and
+ smb.conf for more information on debugging options. The debug
+ level can range from 1 (the default) to 10 (100 for debugging passwords).
+ </P
+><P
+> Another helpful method of debugging is to compile samba using the
+ <B
+CLASS="COMMAND"
+>gcc -g </B
+> flag. This will include debug
+ information in the binaries and allow you to attach gdb to the
+ running smbd / nmbd process. In order to attach gdb to an smbd
+ process for an NT workstation, first get the workstation to make the
+ connection. Pressing ctrl-alt-delete and going down to the domain box
+ is sufficient (at least, on the first time you join the domain) to
+ generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
+ maintains an open connection, and therefore there will be an smbd
+ process running (assuming that you haven't set a really short smbd
+ idle timeout) So, in between pressing ctrl alt delete, and actually
+ typing in your password, you can gdb attach and continue.
+ </P
+><P
+> Some useful samba commands worth investigating:
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>testparam | more</P
+></LI
+><LI
+><P
+>smbclient -L //{netbios name of server}</P
+></LI
+></UL
+><P
+> An SMB enabled version of tcpdump is available from
+ <A
+HREF="http://www.tcpdump.org/"
+TARGET="_top"
+>http://www.tcpdup.org/</A
+>.
+ Ethereal, another good packet sniffer for UNIX and Win32
+ hosts, can be downloaded from <A
+HREF="http://www.ethereal.com/"
+TARGET="_top"
+>http://www.ethereal.com</A
+>.
+ </P
+><P
+> For tracing things on the Microsoft Windows NT, Network Monitor
+ (aka. netmon) is available on the Microsoft Developer Network CD's,
+ the Windows NT Server install CD and the SMS CD's. The version of
+ netmon that ships with SMS allows for dumping packets between any two
+ computers (ie. placing the network interface in promiscuous mode).
+ The version on the NT Server install CD will only allow monitoring
+ of network traffic directed to the local NT box and broadcasts on the
+ local subnet. Be aware that Ethereal can read and write netmon
+ formatted files.
+ </P
+><P
+><I
+CLASS="EMPHASIS"
+>How do I install 'Network Monitor' on an NT Workstation
+or a Windows 9x box?</I
+></P
+><P
+> Installing netmon on an NT workstation requires a couple
+ of steps. The following are for installing Netmon V4.00.349, which comes
+ with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
+ Workstation 4.0. The process should be similar for other version of
+ Windows NT / Netmon. You will need both the Microsoft Windows
+ NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+ </P
+><P
+> Initially you will need to install 'Network Monitor Tools and Agent'
+ on the NT Server. To do this
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>Goto Start - Settings - Control Panel -
+ Network - Services - Add </P
+></LI
+><LI
+><P
+>Select the 'Network Monitor Tools and Agent' and
+ click on 'OK'.</P
+></LI
+><LI
+><P
+>Click 'OK' on the Network Control Panel.
+ </P
+></LI
+><LI
+><P
+>Insert the Windows NT Server 4.0 install CD
+ when prompted.</P
+></LI
+></UL
+><P
+> At this point the Netmon files should exist in
+ <TT
+CLASS="FILENAME"
+>%SYSTEMROOT%\System32\netmon\*.*</TT
+>.
+ Two subdirectories exist as well, <TT
+CLASS="FILENAME"
+>parsers\</TT
+>
+ which contains the necessary DLL's for parsing the netmon packet
+ dump, and <TT
+CLASS="FILENAME"
+>captures\</TT
+>.
+ </P
+><P
+> In order to install the Netmon tools on an NT Workstation, you will
+ first need to install the 'Network Monitor Agent' from the Workstation
+ install CD.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>Goto Start - Settings - Control Panel -
+ Network - Services - Add</P
+></LI
+><LI
+><P
+>Select the 'Network Monitor Agent' and click
+ on 'OK'.</P
+></LI
+><LI
+><P
+>Click 'OK' on the Network Control Panel.
+ </P
+></LI
+><LI
+><P
+>Insert the Windows NT Workstation 4.0 install
+ CD when prompted.</P
+></LI
+></UL
+><P
+> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
+ to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
+ permissions as you deem appropriate for your site. You will need
+ administrative rights on the NT box to run netmon.
+ </P
+><P
+> To install Netmon on a Windows 9x box install the network monitor agent
+ from the Windows 9x CD (\admin\nettools\netmon). There is a readme
+ file located with the netmon driver files on the CD if you need
+ information on how to do this. Copy the files from a working
+ Netmon installation.
+ </P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN947"
+>URLs and similar</A
+></H2
+><P
+></P
+><UL
+><LI
+><P
+>Home of Samba site <A
+HREF="http://samba.org"
+TARGET="_top"
+> http://samba.org</A
+>. We have a mirror near you !</P
+></LI
+><LI
+><P
+> The <I
+CLASS="EMPHASIS"
+>Development</I
+> document
+ on the Samba mirrors might mention your problem. If so,
+ it might mean that the developers are working on it.</P
+></LI
+><LI
+><P
+>See how Scott Merrill simulates a BDC behavior at
+ <A
+HREF="http://www.skippy.net/linux/smb-howto.html"
+TARGET="_top"
+> http://www.skippy.net/linux/smb-howto.html</A
+>. </P
+></LI
+><LI
+><P
+>Although 2.0.7 has almost had its day as a PDC, David Bannon will
+ keep the 2.0.7 PDC pages at <A
+HREF="http://bioserve.latrobe.edu.au/samba"
+TARGET="_top"
+> http://bioserve.latrobe.edu.au/samba</A
+> going for a while yet.</P
+></LI
+><LI
+><P
+>Misc links to CIFS information
+ <A
+HREF="http://samba.org/cifs/"
+TARGET="_top"
+>http://samba.org/cifs/</A
+></P
+></LI
+><LI
+><P
+>NT Domains for Unix <A
+HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
+TARGET="_top"
+> http://mailhost.cb1.com/~lkcl/ntdom/</A
+></P
+></LI
+><LI
+><P
+>FTP site for older SMB specs:
+ <A
+HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
+TARGET="_top"
+> ftp://ftp.microsoft.com/developr/drg/CIFS/</A
+></P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN971"
+>Mailing Lists</A
+></H2
+><P
+><I
+CLASS="EMPHASIS"
+>How do I get help from the mailing lists ?</I
+></P
+><P
+>There are a number of Samba related mailing lists. Go to <A
+HREF="http://samba.org"
+TARGET="_top"
+>http://samba.org</A
+>, click on your nearest mirror
+and then click on <B
+CLASS="COMMAND"
+>Support</B
+> and then click on <B
+CLASS="COMMAND"
+>Samba related mailing lists</B
+>.</P
+><P
+>For questions relating to Samba TNG go to
+<A
+HREF="http://www.samba-tng.org/"
+TARGET="_top"
+>http://www.samba-tng.org/</A
+>
+It has been requested that you don't post questions about Samba-TNG to the
+main stream Samba lists.</P
+><P
+>If you post a message to one of the lists please observe the following guide lines :</P
+><P
+></P
+><UL
+><LI
+><P
+> Always remember that the developers are volunteers, they are
+ not paid and they never guarantee to produce a particular feature at
+ a particular time. Any time lines are 'best guess' and nothing more.
+ </P
+></LI
+><LI
+><P
+> Always mention what version of samba you are using and what
+ operating system its running under. You should probably list the
+ relevant sections of your smb.conf file, at least the options
+ in [global] that affect PDC support.</P
+></LI
+><LI
+><P
+>In addition to the version, if you obtained Samba via
+ CVS mention the date when you last checked it out.</P
+></LI
+><LI
+><P
+> Try and make your question clear and brief, lots of long,
+ convoluted questions get deleted before they are completely read !
+ Don't post html encoded messages (if you can select colour or font
+ size its html).</P
+></LI
+><LI
+><P
+> If you run one of those nifty 'I'm on holidays' things when
+ you are away, make sure its configured to not answer mailing lists.
+ </P
+></LI
+><LI
+><P
+> Don't cross post. Work out which is the best list to post to
+ and see what happens, ie don't post to both samba-ntdom and samba-technical.
+ Many people active on the lists subscribe to more
+ than one list and get annoyed to see the same message two or more times.
+ Often someone will see a message and thinking it would be better dealt
+ with on another, will forward it on for you.</P
+></LI
+><LI
+><P
+>You might include <I
+CLASS="EMPHASIS"
+>partial</I
+>
+ log files written at a debug level set to as much as 20.
+ Please don't send the entire log but enough to give the context of the
+ error messages.</P
+></LI
+><LI
+><P
+>(Possibly) If you have a complete netmon trace ( from the opening of
+ the pipe to the error ) you can send the *.CAP file as well.</P
+></LI
+><LI
+><P
+>Please think carefully before attaching a document to an email.
+ Consider pasting the relevant parts into the body of the message. The samba
+ mailing lists go to a huge number of people, do they all need a copy of your
+ smb.conf in their attach directory ?</P
+></LI
+></UL
+><P
+><I
+CLASS="EMPHASIS"
+>How do I get off the mailing lists ?</I
+></P
+><P
+>To have your name removed from a samba mailing list, go to the
+ same place you went to to get on it. Go to <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+>http://lists.samba.org</A
+>, click
+ on your nearest mirror and then click on <B
+CLASS="COMMAND"
+>Support</B
+> and
+ then click on <B
+CLASS="COMMAND"
+> Samba related mailing lists</B
+>. Or perhaps see
+ <A
+HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
+TARGET="_top"
+>here</A
+></P
+><P
+> Please don't post messages to the list asking to be removed, you will just
+ be referred to the above address (unless that process failed in some way...)
+ </P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1010"
+>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
+></H1
+><P
+>This appendix was originally authored by John H Terpstra of the Samba Team
+and is included here for posterity.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE :</I
+>
+The term "Domain Controller" and those related to it refer to one specific
+method of authentication that can underly an SMB domain. Domain Controllers
+prior to Windows NT Server 3.1 were sold by various companies and based on
+private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
+Microsoft-specific ways of distributing the user authentication database.
+See DOMAIN.txt for examples of how Samba can participate in or create
+SMB domains based on shared authentication database schemes other than the
+Windows NT SAM.</P
+><P
+>Windows NT Server can be installed as either a plain file and print server
+(WORKGROUP workstation or server) or as a server that participates in Domain
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).</P
+><P
+>The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.
+However only those servers which have licensed Windows NT code in them can be
+a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)</P
+><P
+>To many people these terms can be confusing, so let's try to clear the air.</P
+><P
+>Every Windows NT system (workstation or server) has a registry database.
+The registry contains entries that describe the initialization information
+for all services (the equivalent of Unix Daemons) that run within the Windows
+NT environment. The registry also contains entries that tell application
+software where to find dynamically loadable libraries that they depend upon.
+In fact, the registry contains entries that describes everything that anything
+may need to know to interact with the rest of the system.</P
+><P
+>The registry files can be located on any Windows NT machine by opening a
+command prompt and typing:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT\&#62;</TT
+> dir %SystemRoot%\System32\config</P
+><P
+>The environment variable %SystemRoot% value can be obtained by typing:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT&#62;</TT
+>echo %SystemRoot%</P
+><P
+>The active parts of the registry that you may want to be familiar with are
+the files called: default, system, software, sam and security.</P
+><P
+>In a domain environment, Microsoft Windows NT domain controllers participate
+in replication of the SAM and SECURITY files so that all controllers within
+the domain have an exactly identical copy of each.</P
+><P
+>The Microsoft Windows NT system is structured within a security model that
+says that all applications and services must authenticate themselves before
+they can obtain permission from the security manager to do what they set out
+to do.</P
+><P
+>The Windows NT User database also resides within the registry. This part of
+the registry contains the user's security identifier, home directory, group
+memberships, desktop profile, and so on.</P
+><P
+>Every Windows NT system (workstation as well as server) will have its own
+registry. Windows NT Servers that participate in Domain Security control
+have a database that they share in common - thus they do NOT own an
+independent full registry database of their own, as do Workstations and
+plain Servers.</P
+><P
+>The User database is called the SAM (Security Access Manager) database and
+is used for all user authentication as well as for authentication of inter-
+process authentication (ie: to ensure that the service action a user has
+requested is permitted within the limits of that user's privileges).</P
+><P
+>The Samba team have produced a utility that can dump the Windows NT SAM into
+smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
+/pub/samba/pwdump on your nearest Samba mirror for the utility. This
+facility is useful but cannot be easily used to implement SAM replication
+to Samba systems.</P
+><P
+>Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
+can participate in a Domain security system that is controlled by Windows NT
+servers that have been correctly configured. At most every domain will have
+ONE Primary Domain Controller (PDC). It is desirable that each domain will
+have at least one Backup Domain Controller (BDC).</P
+><P
+>The PDC and BDCs then participate in replication of the SAM database so that
+each Domain Controlling participant will have an up to date SAM component
+within its registry.</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN1034"
+>Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1052"
+>Abstract</A
+></H1
+><P
+>Integration of UNIX and Microsoft Windows NT through
+ a unified logon has been considered a "holy grail" in heterogeneous
+ computing environments for a long time. We present <I
+CLASS="EMPHASIS"
+>winbind
+ </I
+>, a component of the Samba suite of programs as a
+ solution to the unied logon problem. Winbind uses a UNIX implementation
+ of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
+ Service Switch to allow Windows NT domain users to appear and operate
+ as UNIX users on a UNIX machine. This paper describes the winbind
+ system, explaining the functionality it provides, how it is configured,
+ and how it works internally.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1056"
+>Introduction</A
+></H1
+><P
+>It is well known that UNIX and Microsoft Windows NT have
+ different models for representing user and group information and
+ use different technologies for implementing them. This fact has
+ made it difficult to integrate the two systems in a satisfactory
+ manner.</P
+><P
+>One common solution in use today has been to create
+ identically named user accounts on both the UNIX and Windows systems
+ and use the Samba suite of programs to provide file and print services
+ between the two. This solution is far from perfect however, as
+ adding and deleting users on both sets of machines becomes a chore
+ and two sets of passwords are required both of which which
+ can lead to synchronization problems between the UNIX and Windows
+ systems and confusion for users.</P
+><P
+>We divide the unifed logon problem for UNIX machines into
+ three smaller problems:</P
+><P
+></P
+><UL
+><LI
+><P
+>Obtaining Windows NT user and group information
+ </P
+></LI
+><LI
+><P
+>Authenticating Windows NT users
+ </P
+></LI
+><LI
+><P
+>Password changing for Windows NT users
+ </P
+></LI
+></UL
+><P
+>Ideally, a prospective solution to the unified logon problem
+ would satisfy all the above components without duplication of
+ information on the UNIX machines and without creating additional
+ tasks for the system administrator when maintaining users and
+ groups on either system. The winbind system provides a simple
+ and elegant solution to all three components of the unifed logon
+ problem.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1069"
+>What Winbind Provides</A
+></H1
+><P
+>Winbind unifies UNIX and Windows NT account management by
+ allowing a UNIX box to become a full member of a NT domain. Once
+ this is done the UNIX box will see NT users and groups as if
+ they were native UNIX users and groups, allowing the NT domain
+ to be used in much the same manner that NIS+ is used within
+ UNIX-only environments.</P
+><P
+>The end result is that whenever any
+ program on the UNIX machine asks the operating system to lookup
+ a user or group name, the query will be resolved by asking the
+ NT domain controller for the specied domain to do the lookup.
+ Because Winbind hooks into the operating system at a low level
+ (via the NSS name resolution modules in the C library) this
+ redirection to the NT domain controller is completely
+ transparent.</P
+><P
+>Users on the UNIX machine can then use NT user and group
+ names as they would use "native" UNIX names. They can chown files
+ so that they are owned by NT domain users or even login to the
+ UNIX machine and run a UNIX X-Window session as a domain user.</P
+><P
+>The only obvious indication that Winbind is being used is
+ that user and group names take the form DOMAIN\user and
+ DOMAIN\group. This is necessary as it allows Winbind to determine
+ that redirection to a domain controller is wanted for a particular
+ lookup and which trusted domain is being referenced.</P
+><P
+>Additionally, Winbind provides a authentication service
+ that hooks into the Pluggable Authentication Modules (PAM) system
+ to provide authentication via a NT domain to any PAM enabled
+ applications. This capability solves the problem of synchronizing
+ passwords between systems as all passwords are stored in a single
+ location (on the domain controller).</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1076"
+>Target Uses</A
+></H2
+><P
+>Winbind is targeted at organizations that have an
+ existing NT based domain infrastructure into which they wish
+ to put UNIX workstations or servers. Winbind will allow these
+ organizations to deploy UNIX workstations without having to
+ maintain a separate account infrastructure. This greatly simplies
+ the administrative overhead of deploying UNIX workstations into
+ a NT based organization.</P
+><P
+>Another interesting way in which we expect Winbind to
+ be used is as a central part of UNIX based appliances. Appliances
+ that provide file and print services to Microsoft based networks
+ will be able to use Winbind to provide seamless integration of
+ the appliance into the domain.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1080"
+>How Winbind Works</A
+></H1
+><P
+>The winbind system is designed around a client/server
+ architecture. A long running <B
+CLASS="COMMAND"
+>winbindd</B
+> daemon
+ listens on a UNIX domain socket waiting for requests
+ to arrive. These requests are generated by the NSS and PAM
+ clients and processed sequentially.</P
+><P
+>The technologies used to implement winbind are described
+ in detail below.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1085"
+>Microsoft Remote Procedure Calls</A
+></H2
+><P
+>Over the last two years, efforts have been underway
+ by various Samba Team members to decode various aspects of
+ the Microsoft Remote Procedure Call (MSRPC) system. This
+ system is used for most network related operations between
+ Windows NT machines including remote management, user authentication
+ and print spooling. Although initially this work was done
+ to aid the implementation of Primary Domain Controller (PDC)
+ functionality in Samba, it has also yielded a body of code which
+ can be used for other purposes.</P
+><P
+>Winbind uses various MSRPC calls to enumerate domain users
+ and groups and to obtain detailed information about individual
+ users or groups. Other MSRPC calls can be used to authenticate
+ NT domain users and to change user passwords. By directly querying
+ a Windows PDC for user and group information, winbind maps the
+ NT account information onto UNIX user and group names.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1089"
+>Name Service Switch</A
+></H2
+><P
+>The Name Service Switch, or NSS, is a feature that is
+ present in many UNIX operating systems. It allows system
+ information such as hostnames, mail aliases and user information
+ to be resolved from dierent sources. For example, a standalone
+ UNIX workstation may resolve system information from a series of
+ flat files stored on the local lesystem. A networked workstation
+ may first attempt to resolve system information from local files,
+ then consult a NIS database for user information or a DNS server
+ for hostname information.</P
+><P
+>The NSS application programming interface allows winbind
+ to present itself as a source of system information when
+ resolving UNIX usernames and groups. Winbind uses this interface,
+ and information obtained from a Windows NT server using MSRPC
+ calls to provide a new source of account enumeration. Using standard
+ UNIX library calls, one can enumerate the users and groups on
+ a UNIX machine running winbind and see all users and groups in
+ a NT domain plus any trusted domain as though they were local
+ users and groups.</P
+><P
+>The primary control le for NSS is <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf
+ </TT
+>. When a UNIX application makes a request to do a lookup
+ the C library looks in <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+>
+ for a line which matches the service type being requested, for
+ example the "passwd" service type is used when user or group names
+ are looked up. This config line species which implementations
+ of that service should be tried andin what order. If the passwd
+ config line is:</P
+><P
+><B
+CLASS="COMMAND"
+>passwd: files example</B
+></P
+><P
+>then the C library will first load a module called
+ <TT
+CLASS="FILENAME"
+>/lib/libnss_files.so</TT
+> followed by
+ the module <TT
+CLASS="FILENAME"
+>/lib/libnss_example.so</TT
+>. The
+ C library will dynamically load each of these modules in turn
+ and call resolver functions within the modules to try to resolve
+ the request. Once the request is resolved the C library returns the
+ result to the application.</P
+><P
+>This NSS interface provides a very easy way for Winbind
+ to hook into the operating system. All that needs to be done
+ is to put <TT
+CLASS="FILENAME"
+>libnss_winbind.so</TT
+> in <TT
+CLASS="FILENAME"
+>/lib/</TT
+>
+ then add "winbind" into <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+> at
+ the appropriate place. The C library will then call Winbind to
+ resolve user and group names.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1105"
+>Pluggable Authentication Modules</A
+></H2
+><P
+>Pluggable Authentication Modules, also known as PAM,
+ is a system for abstracting authentication and authorization
+ technologies. With a PAM module it is possible to specify different
+ authentication methods for dierent system applications without
+ having to recompile these applications. PAM is also useful
+ for implementing a particular policy for authorization. For example,
+ a system administrator may only allow console logins from users
+ stored in the local password file but only allow users resolved from
+ a NIS database to log in over the network.</P
+><P
+>Winbind uses the authentication management and password
+ management PAM interface to integrate Windows NT users into a
+ UNIX system. This allows Windows NT users to log in to a UNIX
+ machine and be authenticated against a suitable Primary Domain
+ Controller. These users can also change their passwords and have
+ this change take eect directly on the Primary Domain Controller.
+ </P
+><P
+>PAM is congured by providing control files in the directory
+ <TT
+CLASS="FILENAME"
+>/etc/pam.d/</TT
+> for each of the services that
+ require authentication. When an authentication request is made
+ by an application the PAM code in the C library looks up this
+ control file to determine what modules to load to do the
+ authentication check and in what order. This interface makes adding
+ a new authentication service for Winbind very easy, all that needs
+ to be done is that the <TT
+CLASS="FILENAME"
+>pam_winbind.so</TT
+> module
+ is copied to <TT
+CLASS="FILENAME"
+>/lib/security/</TT
+> and the pam
+ control files for relevant services are updated to allow
+ authentication via winbind. See the PAM documentation
+ for more details.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1113"
+>User and Group ID Allocation</A
+></H2
+><P
+>When a user or group is created under Windows NT
+ is it allocated a numerical relative identier (RID). This is
+ slightly dierent to UNIX which has a range of numbers which are
+ used to identify users, and the same range in which to identify
+ groups. It is winbind's job to convert RIDs to UNIX id numbers and
+ vice versa. When winbind is congured it is given part of the UNIX
+ user id space and a part of the UNIX group id space in which to
+ store Windows NT users and groups. If a Windows NT user is
+ resolved for the first time, it is allocated the next UNIX id from
+ the range. The same process applies for Windows NT groups. Over
+ time, winbind will have mapped all Windows NT users and groups
+ to UNIX user ids and group ids.</P
+><P
+>The results of this mapping are stored persistently in
+ a ID mapping database held in a tdb database). This ensures that
+ RIDs are mapped to UNIX IDs in a consistent way.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1117"
+>Result Caching</A
+></H2
+><P
+>An active system can generate a lot of user and group
+ name lookups. To reduce the network cost of these lookups winbind
+ uses a caching scheme based on the SAM sequence number supplied
+ by NT domain controllers. User or group information returned
+ by a PDC is cached by winbind along with a sequence number also
+ returned by the PDC. This sequence number is incremented by
+ Windows NT whenever any user or group information is modied. If
+ a cached entry has expired, the sequence number is requested from
+ the PDC and compared against the sequence number of the cached entry.
+ If the sequence numbers do not match, then the cached information
+ is discarded and up to date information is requested directly
+ from the PDC.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1120"
+>Installation and Configuration</A
+></H1
+><P
+>The easiest way to install winbind is by using the packages
+ provided in the <TT
+CLASS="FILENAME"
+>pub/samba/appliance/</TT
+>
+ directory on your nearest
+ Samba mirror. These packages provide snapshots of the Samba source
+ code and binaries already setup to provide the full functionality
+ of winbind. This setup is a little more complex than a normal Samba
+ build as winbind needs a small amount of functionality from a
+ development code branch called SAMBA_TNG.</P
+><P
+>Once you have installed the packages you should read
+ the <B
+CLASS="COMMAND"
+>winbindd(8)</B
+> man page which will provide you
+ with conguration information and give you sample conguration files.
+ You may also wish to update the main Samba daemons smbd and nmbd)
+ with a more recent development release, such as the recently
+ announced Samba 2.2 alpha release.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1126"
+>Limitations</A
+></H1
+><P
+>Winbind has a number of limitations in its current
+ released version which we hope to overcome in future
+ releases:</P
+><P
+></P
+><UL
+><LI
+><P
+>Winbind is currently only available for
+ the Linux operating system, although ports to other operating
+ systems are certainly possible. For such ports to be feasible,
+ we require the C library of the target operating system to
+ support the Name Service Switch and Pluggable Authentication
+ Modules systems. This is becoming more common as NSS and
+ PAM gain support among UNIX vendors.</P
+></LI
+><LI
+><P
+>The mappings of Windows NT RIDs to UNIX ids
+ is not made algorithmically and depends on the order in which
+ unmapped users or groups are seen by winbind. It may be difficult
+ to recover the mappings of rid to UNIX id mapping if the file
+ containing this information is corrupted or destroyed.</P
+></LI
+><LI
+><P
+>Currently the winbind PAM module does not take
+ into account possible workstation and logon time restrictions
+ that may be been set for Windows NT users.</P
+></LI
+><LI
+><P
+>Building winbind from source is currently
+ quite tedious as it requires combining source code from two Samba
+ branches. Work is underway to solve this by providing all
+ the necessary functionality in the main Samba code branch.</P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1138"
+>Conclusion</A
+></H1
+><P
+>The winbind system, through the use of the Name Service
+ Switch, Pluggable Authentication Modules, and appropriate
+ Microsoft RPC calls have allowed us to provide seamless
+ integration of Microsoft Windows NT domain users on a
+ UNIX system. The result is a great reduction in the administrative
+ cost of running a mixed UNIX and NT network.</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN1141"
+>Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1152"
+>Viewing and changing UNIX permissions using the NT
+ security dialogs</A
+></H1
+><P
+>New in the Samba 2.0.4 release is the ability for Windows
+ NT clients to use their native security settings dialog box to
+ view and modify the underlying UNIX permissions.</P
+><P
+>Note that this ability is careful not to compromise
+ the security of the UNIX host Samba is running on, and
+ still obeys all the file permission rules that a Samba
+ administrator can set.</P
+><P
+>In Samba 2.0.4 and above the default value of the
+ parameter <A
+HREF="smb.conf.5.html#NTACLSUPPOR"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> nt acl support</I
+></TT
+></A
+> has been changed from
+ <TT
+CLASS="CONSTANT"
+>false</TT
+> to <TT
+CLASS="CONSTANT"
+>true</TT
+>, so
+ manipulation of permissions is turned on by default.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1161"
+>How to view file security on a Samba share</A
+></H1
+><P
+>From an NT 4.0 client, single-click with the right
+ mouse button on any file or directory in a Samba mounted
+ drive letter or UNC path. When the menu pops-up, click
+ on the <I
+CLASS="EMPHASIS"
+>Properties</I
+> entry at the bottom of
+ the menu. This brings up the normal file properties dialog
+ box, but with Samba 2.0.4 this will have a new tab along the top
+ marked <I
+CLASS="EMPHASIS"
+>Security</I
+>. Click on this tab and you
+ will see three buttons, <I
+CLASS="EMPHASIS"
+>Permissions</I
+>,
+ <I
+CLASS="EMPHASIS"
+>Auditing</I
+>, and <I
+CLASS="EMPHASIS"
+>Ownership</I
+>.
+ The <I
+CLASS="EMPHASIS"
+>Auditing</I
+> button will cause either
+ an error message <SPAN
+CLASS="ERRORNAME"
+>A requested privilege is not held
+ by the client</SPAN
+> to appear if the user is not the
+ NT Administrator, or a dialog which is intended to allow an
+ Administrator to add auditing requirements to a file if the
+ user is logged on as the NT Administrator. This dialog is
+ non-functional with a Samba share at this time, as the only
+ useful button, the <B
+CLASS="COMMAND"
+>Add</B
+> button will not currently
+ allow a list of users to be seen.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1172"
+>Viewing file ownership</A
+></H1
+><P
+>Clicking on the <B
+CLASS="COMMAND"
+>"Ownership"</B
+> button
+ brings up a dialog box telling you who owns the given file. The
+ owner name will be of the form :</P
+><P
+><B
+CLASS="COMMAND"
+>"SERVER\user (Long name)"</B
+></P
+><P
+>Where <TT
+CLASS="REPLACEABLE"
+><I
+>SERVER</I
+></TT
+> is the NetBIOS name of
+ the Samba server, <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+> is the user name of
+ the UNIX user who owns the file, and <TT
+CLASS="REPLACEABLE"
+><I
+>(Long name)</I
+></TT
+>
+ is the discriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database). Click on the <B
+CLASS="COMMAND"
+>Close
+ </B
+> button to remove this dialog.</P
+><P
+>If the parameter <TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+>
+ is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then the file owner will
+ be shown as the NT user <B
+CLASS="COMMAND"
+>"Everyone"</B
+>.</P
+><P
+>The <B
+CLASS="COMMAND"
+>Take Ownership</B
+> button will not allow
+ you to change the ownership of this file to yourself (clicking on
+ it will display a dialog box complaining that the user you are
+ currently logged onto the NT client cannot be found). The reason
+ for this is that changing the ownership of a file is a privilaged
+ operation in UNIX, available only to the <I
+CLASS="EMPHASIS"
+>root</I
+>
+ user. As clicking on this button causes NT to attempt to change
+ the ownership of a file to the current user logged into the NT
+ client this will not work with Samba at this time.</P
+><P
+>There is an NT chown command that will work with Samba
+ and allow a user with Administrator privillage connected
+ to a Samba 2.0.4 server as root to change the ownership of
+ files on both a local NTFS filesystem or remote mounted NTFS
+ or Samba drive. This is available as part of the <I
+CLASS="EMPHASIS"
+>Seclib
+ </I
+> NT security library written by Jeremy Allison of
+ the Samba Team, available from the main Samba ftp site.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1192"
+>Viewing file or directory permissions</A
+></H1
+><P
+>The third button is the <B
+CLASS="COMMAND"
+>"Permissions"</B
+>
+ button. Clicking on this brings up a dialog box that shows both
+ the permissions and the UNIX owner of the file or directory.
+ The owner is displayed in the form :</P
+><P
+><B
+CLASS="COMMAND"
+>"SERVER\user (Long name)"</B
+></P
+><P
+>Where <TT
+CLASS="REPLACEABLE"
+><I
+>SERVER</I
+></TT
+> is the NetBIOS name of
+ the Samba server, <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+> is the user name of
+ the UNIX user who owns the file, and <TT
+CLASS="REPLACEABLE"
+><I
+>(Long name)</I
+></TT
+>
+ is the discriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database).</P
+><P
+>If the parameter <TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+>
+ is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then the file owner will
+ be shown as the NT user <B
+CLASS="COMMAND"
+>"Everyone"</B
+> and the
+ permissions will be shown as NT "Full Control".</P
+><P
+>The permissions field is displayed differently for files
+ and directories, so I'll describe the way file permissions
+ are displayed first.</P
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1207"
+>File Permissions</A
+></H2
+><P
+>The standard UNIX user/group/world triple and
+ the correspinding "read", "write", "execute" permissions
+ triples are mapped by Samba into a three element NT ACL
+ with the 'r', 'w', and 'x' bits mapped into the corresponding
+ NT permissions. The UNIX world permissions are mapped into
+ the global NT group <B
+CLASS="COMMAND"
+>Everyone</B
+>, followed
+ by the list of permissions allowed for UNIX world. The UNIX
+ owner and group permissions are displayed as an NT
+ <B
+CLASS="COMMAND"
+>user</B
+> icon and an NT <B
+CLASS="COMMAND"
+>local
+ group</B
+> icon respectively followed by the list
+ of permissions allowed for the UNIX user and group.</P
+><P
+>As many UNIX permission sets don't map into common
+ NT names such as <B
+CLASS="COMMAND"
+>"read"</B
+>, <B
+CLASS="COMMAND"
+> "change"</B
+> or <B
+CLASS="COMMAND"
+>"full control"</B
+> then
+ usually the permissions will be prefixed by the words <B
+CLASS="COMMAND"
+> "Special Access"</B
+> in the NT display list.</P
+><P
+>But what happens if the file has no permissions allowed
+ for a particular UNIX user group or world component ? In order
+ to allow "no permissions" to be seen and modified then Samba
+ overloads the NT <B
+CLASS="COMMAND"
+>"Take Ownership"</B
+> ACL attribute
+ (which has no meaning in UNIX) and reports a component with
+ no permissions as having the NT <B
+CLASS="COMMAND"
+>"O"</B
+> bit set.
+ This was chosen of course to make it look like a zero, meaning
+ zero permissions. More details on the decision behind this will
+ be given below.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1221"
+>Directory Permissions</A
+></H2
+><P
+>Directories on an NT NTFS file system have two
+ different sets of permissions. The first set of permissions
+ is the ACL set on the directory itself, this is usually displayed
+ in the first set of parentheses in the normal <B
+CLASS="COMMAND"
+>"RW"</B
+>
+ NT style. This first set of permissions is created by Samba in
+ exactly the same way as normal file permissions are, described
+ above, and is displayed in the same way.</P
+><P
+>The second set of directory permissions has no real meaning
+ in the UNIX permissions world and represents the <B
+CLASS="COMMAND"
+> "inherited"</B
+> permissions that any file created within
+ this directory would inherit.</P
+><P
+>Samba synthesises these inherited permissions for NT by
+ returning as an NT ACL the UNIX permission mode that a new file
+ created by Samba on this share would receive.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1228"
+>Modifying file or directory permissions</A
+></H1
+><P
+>Modifying file and directory permissions is as simple
+ as changing the displayed permissions in the dialog box, and
+ clicking the <B
+CLASS="COMMAND"
+>OK</B
+> button. However, there are
+ limitations that a user needs to be aware of, and also interactions
+ with the standard Samba permission masks and mapping of DOS
+ attributes that need to also be taken into account.</P
+><P
+>If the parameter <TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+>
+ is set to <TT
+CLASS="CONSTANT"
+>false</TT
+> then any attempt to set
+ security permissions will fail with an <B
+CLASS="COMMAND"
+>"Access Denied"
+ </B
+> message.</P
+><P
+>The first thing to note is that the <B
+CLASS="COMMAND"
+>"Add"</B
+>
+ button will not return a list of users in Samba 2.0.4 (it will give
+ an error message of <B
+CLASS="COMMAND"
+>"The remote proceedure call failed
+ and did not execute"</B
+>). This means that you can only
+ manipulate the current user/group/world permissions listed in
+ the dialog box. This actually works quite well as these are the
+ only permissions that UNIX actually has.</P
+><P
+>If a permission triple (either user, group, or world)
+ is removed from the list of permissions in the NT dialog box,
+ then when the <B
+CLASS="COMMAND"
+>"OK"</B
+> button is pressed it will
+ be applied as "no permissions" on the UNIX side. If you then
+ view the permissions again the "no permissions" entry will appear
+ as the NT <B
+CLASS="COMMAND"
+>"O"</B
+> flag, as described above. This
+ allows you to add permissions back to a file or directory once
+ you have removed them from a triple component.</P
+><P
+>As UNIX supports only the "r", "w" and "x" bits of
+ an NT ACL then if other NT security attributes such as "Delete
+ access" are selected then they will be ignored when applied on
+ the Samba server.</P
+><P
+>When setting permissions on a directory the second
+ set of permissions (in the second set of parentheses) is
+ by default applied to all files within that directory. If this
+ is not what you want you must uncheck the <B
+CLASS="COMMAND"
+>"Replace
+ permissions on existing files"</B
+> checkbox in the NT
+ dialog before clicking <B
+CLASS="COMMAND"
+>"OK"</B
+>.</P
+><P
+>If you wish to remove all permissions from a
+ user/group/world component then you may either highlight the
+ component and click the <B
+CLASS="COMMAND"
+>"Remove"</B
+> button,
+ or set the component to only have the special <B
+CLASS="COMMAND"
+>"Take
+ Ownership"</B
+> permission (dsplayed as <B
+CLASS="COMMAND"
+>"O"
+ </B
+>) highlighted.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1250"
+>Interaction with the standard Samba create mask
+ parameters</A
+></H1
+><P
+>Note that with Samba 2.0.5 there are four new parameters
+ to control this interaction. These are :</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory security mode</I
+></TT
+></P
+><P
+>Once a user clicks <B
+CLASS="COMMAND"
+>"OK"</B
+> to apply the
+ permissions Samba maps the given permissions into a user/group/world
+ r/w/x triple set, and then will check the changed permissions for a
+ file against the bits set in the <A
+HREF="smb.conf.5.html#SECURITYMASK"
+TARGET="_top"
+>
+ <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+> parameter. Any bits that
+ were changed that are not set to '1' in this parameter are left alone
+ in the file permissions.</P
+><P
+>Essentially, zero bits in the <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+>
+ mask may be treated as a set of bits the user is <I
+CLASS="EMPHASIS"
+>not</I
+>
+ allowed to change, and one bits are those the user is allowed to change.
+ </P
+><P
+>If not set explicitly this parameter is set to the same value as
+ the <A
+HREF="smb.conf.5.html#CREATEMASK"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask
+ </I
+></TT
+></A
+> parameter to provide compatibility with Samba 2.0.4
+ where this permission change facility was introduced. To allow a user to
+ modify all the user/group/world permissions on a file, set this parameter
+ to 0777.</P
+><P
+>Next Samba checks the changed permissions for a file against
+ the bits set in the <A
+HREF="smb.conf.5.html#FORCESECURITYMODE"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></A
+> parameter. Any bits
+ that were changed that correspond to bits set to '1' in this parameter
+ are forced to be set.</P
+><P
+>Essentially, bits set in the <TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+> parameter may be treated as a set of bits that, when
+ modifying security on a file, the user has always set to be 'on'.</P
+><P
+>If not set explicitly this parameter is set to the same value
+ as the <A
+HREF="smb.conf.5.html#FORCECREATEMODE"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ create mode</I
+></TT
+></A
+> parameter to provide compatibility
+ with Samba 2.0.4 where the permission change facility was introduced.
+ To allow a user to modify all the user/group/world permissions on a file,
+ with no restrictions set this parameter to 000.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>force
+ security mode</I
+></TT
+> parameters are applied to the change
+ request in that order.</P
+><P
+>For a directory Samba will perform the same operations as
+ described above for a file except using the parameter <TT
+CLASS="PARAMETER"
+><I
+> directory security mask</I
+></TT
+> instead of <TT
+CLASS="PARAMETER"
+><I
+>security
+ mask</I
+></TT
+>, and <TT
+CLASS="PARAMETER"
+><I
+>force directory security mode
+ </I
+></TT
+> parameter instead of <TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+>.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+> parameter
+ by default is set to the same value as the <TT
+CLASS="PARAMETER"
+><I
+>directory mask
+ </I
+></TT
+> parameter and the <TT
+CLASS="PARAMETER"
+><I
+>force directory security
+ mode</I
+></TT
+> parameter by default is set to the same value as
+ the <TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+> parameter to provide
+ compatibility with Samba 2.0.4 where the permission change facility
+ was introduced.</P
+><P
+>In this way Samba enforces the permission restrictions that
+ an administrator can set on a Samba share, whilst still allowing users
+ to modify the permission bits within that restriction.</P
+><P
+>If you want to set up a share that allows users full control
+ in modifying the permission bits on their files and directories and
+ doesn't force any particular bits to be set 'on', then set the following
+ parameters in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)
+ </TT
+></A
+> file in that share specific section :</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>security mask = 0777</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode = 0</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask = 0777</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory security mode = 0</I
+></TT
+></P
+><P
+>As described, in Samba 2.0.4 the parameters :</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+></P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+></P
+><P
+>were used instead of the parameters discussed here.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN1314"
+>Interaction with the standard Samba file attribute
+ mapping</A
+></H1
+><P
+>Samba maps some of the DOS attribute bits (such as "read
+ only") into the UNIX permissions of a file. This means there can
+ be a conflict between the permission bits set via the security
+ dialog and the permission bits set by the file attribute mapping.
+ </P
+><P
+>One way this can show up is if a file has no UNIX read access
+ for the owner it will show up as "read only" in the standard
+ file attributes tabbed dialog. Unfortunately this dialog is
+ the same one that contains the security info in another tab.</P
+><P
+>What this can mean is that if the owner changes the permissions
+ to allow themselves read access using the security dialog, clicks
+ <B
+CLASS="COMMAND"
+>"OK"</B
+> to get back to the standard attributes tab
+ dialog, and then clicks <B
+CLASS="COMMAND"
+>"OK"</B
+> on that dialog, then
+ NT will set the file permissions back to read-only (as that is what
+ the attributes still say in the dialog). This means that after setting
+ permissions and clicking <B
+CLASS="COMMAND"
+>"OK"</B
+> to get back to the
+ attributes dialog you should always hit <B
+CLASS="COMMAND"
+>"Cancel"</B
+>
+ rather than <B
+CLASS="COMMAND"
+>"OK"</B
+> to ensure that your changes
+ are not overridden.</P
+></DIV
+></DIV
+><DIV
+CLASS="CHAPTER"
+><HR><H1
+><A
+NAME="AEN1324"
+>Chapter 9. OS2 Client HOWTO</A
+></H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1335"
+>FAQs</A
+></H1
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN1337"
+>How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</A
+></H2
+><P
+>A more complete answer to this question can be
+ found on <A
+HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html"
+TARGET="_top"
+> http://carol.wins.uva.nl/~leeuw/samba/warp.html</A
+>.</P
+><P
+>Basically, you need three components:</P
+><P
+></P
+><UL
+><LI
+><P
+>The File and Print Client ('IBM Peer')
+ </P
+></LI
+><LI
+><P
+>TCP/IP ('Internet support')
+ </P
+></LI
+><LI
+><P
+>The "NetBIOS over TCP/IP" driver ('TCPBEUI')
+ </P
+></LI
+></UL
+><P
+>Installing the first two together with the base operating
+ system on a blank system is explained in the Warp manual. If Warp
+ has already been installed, but you now want to install the
+ networking support, use the "Selective Install for Networking"
+ object in the "System Setup" folder.</P
+><P
+>Adding the "NetBIOS over TCP/IP" driver is not described
+ in the manual and just barely in the online documentation. Start
+ MPTS.EXE, click on OK, click on "Configure LAPS" and click
+ on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
+ is then moved to 'Current Configuration'. Select that line,
+ click on "Change number" and increase it from 0 to 1. Save this
+ configuration.</P
+><P
+>If the Samba server(s) is not on your local subnet, you
+ can optionally add IP names and addresses of these servers
+ to the "Names List", or specify a WINS server ('NetBIOS
+ Nameserver' in IBM and RFC terminology). For Warp Connect you
+ may need to download an update for 'IBM Peer' to bring it on
+ the same level as Warp 4. See the webpage mentioned above.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1352"
+>How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</A
+></H2
+><P
+>You can use the free Microsoft LAN Manager 2.2c Client
+ for OS/2 from
+ <A
+HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
+TARGET="_top"
+> ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A
+>.
+ See <A
+HREF="http://carol.wins.uva.nl/~leeuw/lanman.html"
+TARGET="_top"
+> http://carol.wins.uva.nl/~leeuw/lanman.html</A
+> for
+ more information on how to install and use this client. In
+ a nutshell, edit the file \OS2VER in the root directory of
+ the OS/2 boot partition and add the lines:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> 20=setup.exe
+ 20=netwksta.sys
+ 20=netvdd.sys
+ </PRE
+></P
+><P
+>before you install the client. Also, don't use the
+ included NE2000 driver because it is buggy. Try the NE2000
+ or NS2000 driver from
+ <A
+HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/"
+TARGET="_top"
+> ftp://ftp.cdrom.com/pub/os2/network/ndis/</A
+> instead.
+ </P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1361"
+>Are there any other issues when OS/2 (any version)
+ is used as a client?</A
+></H2
+><P
+>When you do a NET VIEW or use the "File and Print
+ Client Resource Browser", no Samba servers show up. This can
+ be fixed by a patch from <A
+HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html"
+TARGET="_top"
+> http://carol.wins.uva.nl/~leeuw/samba/fix.html</A
+>.
+ The patch will be included in a later version of Samba. It also
+ fixes a couple of other problems, such as preserving long
+ filenames when objects are dragged from the Workplace Shell
+ to the Samba server. </P
+></DIV
+><DIV
+CLASS="SECT2"
+><HR><H2
+CLASS="SECT2"
+><A
+NAME="AEN1365"
+>How do I get printer driver download working
+ for OS/2 clients?</A
+></H2
+><P
+>First, create a share called [PRINTDRV] that is
+ world-readable. Copy your OS/2 driver files there. Note
+ that the .EA_ files must still be separate, so you will need
+ to use the original install files, and not copy an installed
+ driver from an OS/2 system.</P
+><P
+>Install the NT driver first for that printer. Then,
+ add to your smb.conf a paramater, "os2 driver map =
+ <TT
+CLASS="REPLACEABLE"
+><I
+>filename</I
+></TT
+>". Then, in the file
+ specified by <TT
+CLASS="REPLACEABLE"
+><I
+>filename</I
+></TT
+>, map the
+ name of the NT driver name to the OS/2 driver name as
+ follows:</P
+><P
+>&lt;nt driver name&gt; = &lt;os2 driver
+ name&gt;.&lt;device name&gt;, e.g.:
+ HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
+><P
+>You can have multiple drivers mapped in this file.</P
+><P
+>If you only specify the OS/2 driver name, and not the
+ device name, the first attempt to download the driver will
+ actually download the files, but the OS/2 client will tell
+ you the driver is not available. On the second attempt, it
+ will work. This is fixed simply by adding the device name
+ to the mapping, after which it will work on the first attempt.
+ </P
+></DIV
+></DIV
+></DIV
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file