author | Gerald Carter <jerry@samba.org> | 2003-07-16 05:42:34 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-07-16 05:42:34 +0000 |
commit | 1caa6b23e417f77e7b38ecdfa47d9abe8c7b7d0e (patch) | |
tree | 8bdf608593fc37227886691b0a12190dd1e8ba66 /docs/htmldocs | |
parent | 4a090ba06a54f5da179ac02bb307cc03d08831bf (diff) | |
adding new files from 3.0
(This used to be commit 99feae7b5b1c229a925367b87c0c0f636d9a2d75)
Diffstat (limited to 'docs/htmldocs')
29 files changed, 9092 insertions, 0 deletions
diff --git a/docs/htmldocs/AccessControls.html b/docs/htmldocs/AccessControls.html new file mode 100644 index 0000000000..044d347107 --- /dev/null +++ b/docs/htmldocs/AccessControls.html 
@@ -0,0 +1,660 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. 
File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2920271">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920308">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920326">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2920583">Managing Directories</a></dt><dt><a href="AccessControls.html#id2920678">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2920894">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2922074">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2922346">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2922591">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922807">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922879">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923178">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923186">Managing UNIX permissions Using 
NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923224">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923303">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923425">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923653">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923805">Interaction with the standard Samba create mask + parameters</a></dt><dt><a href="AccessControls.html#id2924134">Interaction with the standard Samba file attribute + mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924210">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924224">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924604">I have set force user and Samba still makes root the owner of all the files + I touch!</a></dt></dl></dd></dl></div><p> +Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of +resources shared via Samba do not behave in the manner they might expect. MS Windows network +administrators are often confused regarding network access controls and what is the best way to +provide users with the type of access they need while protecting resources from the consequences +of untoward access capabilities. +</p><p> +Unix administrators frequently are not familiar with the MS Windows environment and in particular +have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file +and directory access permissions. +</p><p> +The problem lies in the differences in how file and directory permissions and controls work +between the two environments. This difference is one that Samba can not completely hide, even +though it does try to make the chasm transparent. 
+</p><p> +POSIX Access Control List technology has been available (along with Extended Attributes) +for Unix for many years, yet there is little evidence today of any significant use. This +explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows +administrators are astounded at this given that ACLs were a foundational capability of the now +decade old MS Windows NT operating system. +</p><p> +The purpose of this chapter is to present each of the points of control that are possible with +Samba-3 in the hope that this will help the network administrator to find the optimum method +for delivering the best environment for MS Windows desktop users. +</p><p> +This is an opportune point to mention that it should be borne in mind that Samba was created to +provide a means of interoperability and interchange of data between two operating environments +that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead +the purpose was an is to provide a sufficient level of exchange of data between the two environments. +What is available today extends well beyond early plans and expectations, yet the gap continues to +shrink. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920271"></a>Features and Benefits</h2></div></div><div></div></div><p> + Samba offers a lot of flexibility in file system access management. These are the key access control + facilities present in Samba today: + </p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p> + <span class="emphasis"><em>Unix File and Directory Permissions</em></span> + </p><p> + Samba honours and implements Unix file system access controls. Users + who access a Samba server will do so as a particular MS Windows user. + This information is passed to the Samba server as part of the logon or + connection setup process. 
Samba uses this user identity to validate + whether or not the user should be given access to file system resources + (files and directories). This chapter provides an overview for those + to whom the Unix permissions and controls are a little strange or unknown. + </p></li><li><p> + <span class="emphasis"><em>Samba Share Definitions</em></span> + </p><p> + In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file + the network administrator can exercise over-rides to native file + system permissions and behaviours. This can be handy and convenient + to affect behaviour that is more like what MS Windows NT users expect + but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this. + The basic options and techniques are described herein. + </p></li><li><p> + <span class="emphasis"><em>Samba Share ACLs</em></span> + </p><p> + Just like it is possible in MS Windows NT to set ACLs on shares + themselves, so it is possible to do this in Samba. + Very few people make use of this facility, yet it remains on of the + easiest ways to affect access controls (restrictions) and can often + do so with minimum invasiveness compared with other methods. + </p></li><li><p> + <span class="emphasis"><em>MS Windows ACLs through Unix POSIX ACLs</em></span> + </p><p> + The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying + operating system supports them. If not, then this option will not be + available to you. Current Unix technology platforms have native support + for POSIX ACLs. There are patches for the Linux kernel that provide + this also. Sadly, few Linux platforms ship today with native ACLs and + Extended Attributes enabled. This chapter has pertinent information + for users of platforms that support them. 
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920308"></a>File System Access Controls</h2></div></div><div></div></div><p> +Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP +implement a totally divergent file system technology from what is provided in the Unix operating system +environment. Firstly we should consider what the most significant differences are, then we shall look +at how Samba helps to bridge the differences. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920326"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p> + Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions + and permissions. It also means that if the MS Windows networking environment requires file system + behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating + that in a transparent and consistent manner. + </p><p> + It is good news that Samba does this to a very large extent and on top of that provides a high degree + of optional configuration to over-ride the default behaviour. We will look at some of these over-rides, + but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore + to depths of control ability should review the <tt class="filename">smb.conf</tt> man page. + </p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p> + MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names + may be 1023 characters long. In MS Windows file extensions indicate particular file types, + in Unix this is not so rigorously observed as all names are considered arbitrary. 
+ </p><p> + What MS Windows calls a Folder, Unix calls a directory, + </p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p> + MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name + and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case + Insensitive. + </p><p> + Unix file and directory names are Case Sensitive and Case Preserving. Samba implements the + MS Windows file name behaviour, but it does so as a user application. The Unix file system + provides no mechanism to perform case insensitive file name lookups. MS Windows does this + by default. This means that Samba has to carry the processing overhead to provide features + that are NOT native to the Unix operating system environment. + </p><p> + Consider the following, all are unique Unix names but one single MS Windows file name: + <tt class="computeroutput"> + MYFILE.TXT + MyFile.txt + myfile.txt + </tt> + So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix + they can. So what should Samba do if all three are present? Answer, the one that is lexically + first will be accessible to MS Windows users, the others are invisible and unaccessible - any + other solution would be suicidal. + </p></dd><dt><span class="term">Directory Separators</span></dt><dd><p> + MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/' + as it's directory delimiter. This is transparently handled by Samba. + </p></dd><dt><span class="term">Drive Identification</span></dt><dd><p> + MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent + disk partitions. Unix has NO concept if separate identifiers for file partitions since each + such file system is <tt class="filename">mounted</tt> to become part of the over-all directory tree. 
+ The Unix directory tree begins at '/', just like the root of a DOS drive is specified like + <b class="command">C:\</b>. + </p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p> + MS Windows generally never experiences file names that begin with a '.', while in Unix these + are commonly found in a user's home directory. Files that begin with a '.' are typically + either start up files for various Unix applications, or they may be files that contain + start-up configuration data. + </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p> + MS Windows make use of "links and Short-Cuts" that are actually special types of files that will + redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory + links, but they are entirely different from what MS Windows users are used to. + </p><p> + Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An + operation (like read or write) will operate directly on the file referenced. Symbolic links are also + referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows + one physical file to be known simultaneously by more than one file name. + </p></dd></dl></div><p> + There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort + in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the + purpose of Unix/Linux training/education. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920583"></a>Managing Directories</h3></div></div><div></div></div><p> + There are three basic operations for managing directories, <b class="command">create, delete, rename</b>. + </p><div class="table"><a name="id2920603"></a><p class="title"><b>Table 13.1. 
Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920678"></a>File and Directory Access Control</h3></div></div><div></div></div><p> + The network administrator is strongly advised to read foundational training manuals and reference materials + regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions + without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended + Attributes (EAs). + </p><p> + Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set. + A Unix file listing looks as follows:- + + </p><pre class="screen"> + <tt class="prompt">jht@frodo:~/stuff> </tt><b class="userinput"><tt>ls -la</tt></b> + total 632 + drwxr-xr-x 13 jht users 816 2003-05-12 22:56 . + drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 .. 
+ d--------- 2 jht users 48 2003-05-12 22:29 muchado00 + d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01 + dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02 + drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03 + drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04 + d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05 + dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06 + drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07 + drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08 + ---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst + ---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst + --w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst + --wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst + -r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst + -r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst + -rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst + -rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst + <tt class="prompt">jht@frodo:~/stuff></tt> + </pre><p> + </p><p> + The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name. 
+ </p><p> + The permissions field is made up of: + + </p><pre class="programlisting"> + <i><span class="comment"> JRV: Put this into a diagram of some sort</span></i> + [ type ] [ users ] [ group ] [ others ] [File, Directory Permissions] + [ d | l ] [ r w x ] [ r w x ] [ r w x ] + | | | | | | | | | | | + | | | | | | | | | | |-----> Can Execute, List files + | | | | | | | | | |-------> Can Write, Create files + | | | | | | | | |---------> Can Read, Read files + | | | | | | | |---------------> Can Execute, List files + | | | | | | |-----------------> Can Write, Create files + | | | | | |-------------------> Can Read, Read files + | | | | |-------------------------> Can Execute, List files + | | | |---------------------------> Can Write, Create files + | | |-----------------------------> Can Read, Read files + | |-----------------------------------> Is a symbolic Link + |---------------------------------------> Is a directory + </pre><p> + </p><p> + Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character. + + </p><div class="example"><a name="id2920816"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting"> + -rwxr-x--- Means: The owner (user) can read, write, execute + the group can read and execute + everyone else can NOT do anything with it + </pre></div><p> + + </p><p> + Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket. + </p><p> + The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x), + execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), + sticky (t). + </p><p> + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. 
+ Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on + directories, such as /tmp, that are world-writable. + </p><p> + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or + group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that + all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file + to be exclusively owned by a user who's primary group is not the group that all such users belong to. + </p><p> + When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because + the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the + directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then + group members will be able to write to (or delete) them. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920894"></a>Share Definition Access Controls</h2></div></div><div></div></div><p> +The following parameters in the <tt class="filename">smb.conf</tt> file sections that define a share control or affect access controls. +Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922074"></a>User and Group Based Controls</h3></div></div><div></div></div><p> + User and group based controls can prove very useful. 
In some situations it is distinctly desirable to affect all + file system operations as if a single user is doing this, the use of the <i class="parameter"><tt>force user</tt></i> and + <i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to affect a + paranoia level of control to ensure that only particular authorised persons will be able to access a share or + it's contents, here the use of the <i class="parameter"><tt>valid users</tt></i> or the <i class="parameter"><tt>invalid users</tt></i> may + be most useful. + </p><p> + As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for + controlling access. Remember, that when you leave the scene someone else will need to provide assistance and + if that person finds too great a mess, or if they do not understand what you have done then there is risk of + Samba being removed and an alternative solution being adopted. + </p><div class="table"><a name="id2922134"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p> + List of users who will be granted administrative privileges on the share. + They will do all file operations as the super-user (root). + Any user in this list will be able to do anything they like on the share, + irrespective of file permissions. + </p></td></tr><tr><td>force group</td><td><p> + Specifies a UNIX group name that will be assigned as the default primary group + for all users connecting to this service. + </p></td></tr><tr><td>force user</td><td><p> + Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. + This is useful for sharing files. 
Incorrect use can cause security problems. + </p></td></tr><tr><td>guest ok</td><td><p> + If this parameter is set for a service, then no password is required to connect to the service. Privileges will be + those of the guest account. + </p></td></tr><tr><td>invalid users</td><td><p> + List of users that should not be allowed to login to this service. + </p></td></tr><tr><td>only user</td><td><p> + Controls whether connections with usernames not in the user list will be allowed. + </p></td></tr><tr><td>read list</td><td><p> + List of users that are given read-only access to a service. Users in this list + will not be given write access, no matter what the read only option is set to. + </p></td></tr><tr><td>username</td><td><p> + Refer to the <tt class="filename">smb.conf</tt> man page for more information - this is a complex and potentially misused parameter. + </p></td></tr><tr><td>valid users</td><td><p> + List of users that should be allowed to login to this service. + </p></td></tr><tr><td>write list</td><td><p> + List of users that are given read-write access to a service. + </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922346"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p> + The following file and directory permission based controls, if misused, can result in considerable difficulty to + diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one + undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually + re-introduce them in a controlled fashion. + </p><div class="table"><a name="id2922367"></a><p class="title"><b>Table 13.3. 
File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p> + Refer to the <tt class="filename">smb.conf</tt> man page. + </p></td></tr><tr><td>directory mask</td><td><p> + The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. + See also: directory security mask. + </p></td></tr><tr><td>dos filemode</td><td><p> + Enabling this parameter allows a user who has write access to the file to modify the permissions on it. + </p></td></tr><tr><td>force create mode</td><td><p> + This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. + </p></td></tr><tr><td>force directory mode</td><td><p> + This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. + </p></td></tr><tr><td>force directory security mode</td><td><p> + Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory + </p></td></tr><tr><td>force security mode</td><td><p> + Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. + </p></td></tr><tr><td>hide unreadable</td><td><p> + Prevents clients from seeing the existence of files that cannot be read. + </p></td></tr><tr><td>hide unwriteable files</td><td><p> + Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual. + </p></td></tr><tr><td>nt acl support</td><td><p> + This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists. 
+ </p></td></tr><tr><td>security mask</td><td><p> + Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. + </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922591"></a>Miscellaneous Controls</h3></div></div><div></div></div><p> + The following are documented because of the prevalence of administrators creating inadvertant barriers to file + access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings. + </p><div class="table"><a name="id2922614"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p> + This means that all file name lookup will be done in a case sensitive manner. + Files will be created with the precise filename Samba received from the MS Windows client. + </p></td></tr><tr><td>csc policy</td><td><p> + Client Side Caching Policy - parallels MS Windows client side file caching capabilities. + </p></td></tr><tr><td>dont descend</td><td><p> + Allows to specify a comma-delimited list of directories that the server should always show as empty. + </p></td></tr><tr><td>dos filetime resolution</td><td><p> + This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. + </p></td></tr><tr><td>dos filetimes</td><td><p> + DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this. + This options allows DOS and Windows behaviour. + </p></td></tr><tr><td>fake oplocks</td><td><p> + Oplocks are the way that SMB clients get permission from a server to locally cache file operations. 
If a server grants an + oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. + </p></td></tr><tr><td>hide dot files, hide files, veto files</td><td><p> + Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible. + </p></td></tr><tr><td>read only</td><td><p> + If this parameter is yes, then users of a service may not create or modify files in the service's directory. + </p></td></tr><tr><td>veto files</td><td><p> + List of files and directories that are neither visible nor accessible. + </p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922807"></a>Access Controls on Shares</h2></div></div><div></div></div><p> + This section deals with how to configure Samba per share access control restrictions. + By default, Samba sets no restrictions on the share itself. Restrictions on the share itself + can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can + connect to a share. In the absence of specific restrictions the default setting is to allow + the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read). + </p><p> + At this time Samba does NOT provide a tool for configuring access control setting on the Share + itself. Samba does have the capacity to store and act on access control settings, but the only + way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for + Computer Management. + </p><p> + Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>. + The location of this file on your system will depend on how samba was compiled. The default location + for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. 
If the <tt class="filename">tdbdump</tt> + utility has been compiled and installed on your system, then you can examine the contents of this file + by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922879"></a>Share Permissions Management</h3></div></div><div></div></div><p> + The best tool for the task is platform dependant. Choose the best tool for your environment. + </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922892"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p> + The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. + Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. + You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. + </p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p> + Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer, then from the menu + select <span class="guimenu">Computer</span>, then click on the <span class="guimenuitem">Shared Directories</span> entry. + </p></li><li><p> + Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on + the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish. + </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922975"></a>Windows 200x/XP</h4></div></div><div></div></div><p> + On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native + tools, usually from filemanager. 
For example, in Windows 200x: right click on the shared folder, + then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default + Windows NT4/200x permission allows <span class="emphasis"><em>Everyone</em></span> Full Control on the Share. + </p><p> + MS Windows 200x and later all comes with a tool called the <span class="application">Computer Management</span> snap-in for the + Microsoft Management Console (MMC). This tool is located by clicking on <tt class="filename">Control Panel -> + Administrative Tools -> Computer Management</tt>. + </p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p> + After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>, + select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilege this step is not offered. + </p></li><li><p> + If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target + Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to + <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the + left panel. + </p></li><li><p> + Now in the right panel, double-click on the share you wish to set access control permissions on. + Then click on the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities + to the shared folder. Do NOT forget to set what type of access (full control, change, read) you + wish to assign for each entry. 
+ </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user + then effectively no user will be able to access the share. This is a result of what is known as + ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group + <tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access. + </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923178"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923186"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings + dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise + the security of the UNIX host Samba is running on, and + still obeys all the file permission rules that a Samba + administrator can set.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + All access to Unix/Linux system file via Samba is controlled at + the operating system file access control level. When trying to + figure out file access problems it is vitally important to identify + the identity of the Windows user as it is presented by Samba at + the point of file access. This can best be determined from the + Samba log files. 
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923224"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right + mouse button on any file or directory in a Samba mounted + drive letter or UNC path. When the menu pops-up, click + on the <span class="guilabel">Properties</span> entry at the bottom of + the menu. This brings up the file properties dialog + box. Click on the tab <span class="guilabel">Security</span> and you + will see three buttons, <span class="guibutton">Permissions</span>, + <span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>. + The <span class="guibutton">Auditing</span> button will cause either + an error message <span class="errorname">A requested privilege is not held + by the client</span> to appear if the user is not the + NT Administrator, or a dialog which is intended to allow an + Administrator to add auditing requirements to a file if the + user is logged on as the NT Administrator. This dialog is + non-functional with a Samba share at this time, as the only + useful button, the <span class="guibutton">Add</span> button will not currently + allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923303"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button + brings up a dialog box telling you who owns the given file. 
The + owner name will be of the form :</p><p><b class="command">"SERVER\user (Long name)"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of + the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of + the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i> + is the descriptive string identifying the user (normally found in the + GECOS field of the UNIX password database). Click on the + <span class="guibutton">Close </span> button to remove this dialog.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i> + is set to <tt class="constant">false</tt> then the file owner will + be shown as the NT user <tt class="constant">"Everyone"</tt>.</p><p>The <span class="guibutton">Take Ownership</span> button will not allow + you to change the ownership of this file to yourself (clicking on + it will display a dialog box complaining that the user you are + currently logged onto the NT client cannot be found). The reason + for this is that changing the ownership of a file is a privileged + operation in UNIX, available only to the <span class="emphasis"><em>root</em></span> + user. As clicking on this button causes NT to attempt to change + the ownership of a file to the current user logged into the NT + client this will not work with Samba at this time.</p><p>There is an NT chown command that will work with Samba + and allow a user with Administrator privilege connected + to a Samba server as root to change the ownership of + files on both a local NTFS filesystem or remote mounted NTFS + or Samba drive. 
This is available as part of the <span class="application">Seclib + </span> NT security library written by Jeremy Allison of + the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923425"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span> + button. Clicking on this brings up a dialog box that shows both + the permissions and the UNIX owner of the file or directory. + The owner is displayed in the form :</p><p><b class="command">"<i class="replaceable"><tt>SERVER</tt></i>\ + <i class="replaceable"><tt>user</tt></i> + <i class="replaceable"><tt>(Long name)</tt></i>"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of + the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of + the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i> + is the descriptive string identifying the user (normally found in the + GECOS field of the UNIX password database).</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i> + is set to <tt class="constant">false</tt> then the file owner will + be shown as the NT user <tt class="constant">"Everyone"</tt> and the + permissions will be shown as NT "Full Control".</p><p>The permissions field is displayed differently for files + and directories, so I'll describe the way file permissions + are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923516"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and + the corresponding "read", "write", "execute" permissions + triplets are mapped by Samba into a three element NT ACL + with the 'r', 'w', and 'x' bits mapped into the corresponding + NT permissions. 
The UNIX world permissions are mapped into + the global NT group <tt class="constant">Everyone</tt>, followed + by the list of permissions allowed for UNIX world. The UNIX + owner and group permissions are displayed as an NT + <span class="guiicon">user</span> icon and an NT <span class="guiicon">local + group</span> icon respectively followed by the list + of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common + NT names such as <tt class="constant">read</tt>, <tt class="constant"> + "change"</tt> or <tt class="constant">full control</tt> then + usually the permissions will be prefixed by the words <tt class="constant"> + "Special Access"</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed + for a particular UNIX user group or world component ? In order + to allow "no permissions" to be seen and modified then Samba + overloads the NT <b class="command">"Take Ownership"</b> ACL attribute + (which has no meaning in UNIX) and reports a component with + no permissions as having the NT <b class="command">"O"</b> bit set. + This was chosen of course to make it look like a zero, meaning + zero permissions. More details on the decision behind this will + be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923608"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two + different sets of permissions. The first set of permissions + is the ACL set on the directory itself, this is usually displayed + in the first set of parentheses in the normal <tt class="constant">"RW"</tt> + NT style. 
This first set of permissions is created by Samba in + exactly the same way as normal file permissions are, described + above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning + in the UNIX permissions world and represents the <tt class="constant"> + inherited</tt> permissions that any file created within + this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by + returning as an NT ACL the UNIX permission mode that a new file + created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923653"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple + as changing the displayed permissions in the dialog box, and + clicking the <span class="guibutton">OK</span> button. However, there are + limitations that a user needs to be aware of, and also interactions + with the standard Samba permission masks and mapping of DOS + attributes that need to also be taken into account.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i> + is set to <tt class="constant">false</tt> then any attempt to set + security permissions will fail with an <span class="errorname">"Access Denied" + </span> message.</p><p>The first thing to note is that the <span class="guibutton">"Add"</span> + button will not return a list of users in Samba (it will give + an error message of <span class="errorname">The remote procedure call failed + and did not execute</span>). This means that you can only + manipulate the current user/group/world permissions listed in + the dialog box. 
This actually works quite well as these are the + only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world) + is removed from the list of permissions in the NT dialog box, + then when the <span class="guibutton">OK</span> button is pressed it will + be applied as "no permissions" on the UNIX side. If you then + view the permissions again the "no permissions" entry will appear + as the NT <b class="command">"O"</b> flag, as described above. This + allows you to add permissions back to a file or directory once + you have removed them from a triplet component.</p><p>As UNIX supports only the "r", "w" and "x" bits of + an NT ACL then if other NT security attributes such as "Delete + access" are selected then they will be ignored when applied on + the Samba server.</p><p>When setting permissions on a directory the second + set of permissions (in the second set of parentheses) is + by default applied to all files within that directory. If this + is not what you want you must uncheck the <span class="guilabel">Replace + permissions on existing files</span> checkbox in the NT + dialog before clicking <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a + user/group/world component then you may either highlight the + component and click the <span class="guibutton">Remove</span> button, + or set the component to only have the special <tt class="constant">Take + Ownership</tt> permission (displayed as <b class="command">"O" + </b>) highlighted.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923805"></a>Interaction with the standard Samba create mask + parameters</h3></div></div><div></div></div><p>There are four parameters + to control interaction with the standard Samba create mask parameters. 
+ These are : + + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><p> + + </p><p>Once a user clicks <span class="guibutton">OK</span> to apply the + permissions Samba maps the given permissions into a user/group/world + r/w/x triplet set, and then will check the changed permissions for a + file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top"> + <i class="parameter"><tt>security mask</tt></i></a> parameter. Any bits that + were changed that are not set to '1' in this parameter are left alone + in the file permissions.</p><p>Essentially, zero bits in the <i class="parameter"><tt>security mask</tt></i> + mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span> + allowed to change, and one bits are those the user is allowed to change. + </p><p>If not set explicitly this parameter is set to the same value as + the <a href="smb.conf.5.html#CREATEMASK" target="_top"><i class="parameter"><tt>create mask + </tt></i></a> parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter + to 0777.</p><p>Next Samba checks the changed permissions for a file against + the bits set in the <a href="smb.conf.5.html#FORCESECURITYMODE" target="_top"> + <i class="parameter"><tt>force security mode</tt></i></a> parameter. 
Any bits + that were changed that correspond to bits set to '1' in this parameter + are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode + </tt></i> parameter may be treated as a set of bits that, when + modifying security on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to the same value + as the <a href="smb.conf.5.html#FORCECREATEMODE" target="_top"><i class="parameter"><tt>force + create mode</tt></i></a> parameter. + To allow a user to modify all the user/group/world permissions on a file + with no restrictions set this parameter to 000.</p><p>The <i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force + security mode</tt></i> parameters are applied to the change + request in that order.</p><p>For a directory Samba will perform the same operations as + described above for a file except using the parameter <i class="parameter"><tt> + directory security mask</tt></i> instead of <i class="parameter"><tt>security + mask</tt></i>, and <i class="parameter"><tt>force directory security mode + </tt></i> parameter instead of <i class="parameter"><tt>force security mode + </tt></i>.</p><p>The <i class="parameter"><tt>directory security mask</tt></i> parameter + by default is set to the same value as the <i class="parameter"><tt>directory mask + </tt></i> parameter and the <i class="parameter"><tt>force directory security + mode</tt></i> parameter by default is set to the same value as + the <i class="parameter"><tt>force directory mode</tt></i> parameter. 
</p><p>In this way Samba enforces the permission restrictions that + an administrator can set on a Samba share, whilst still allowing users + to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control + in modifying the permission bits on their files and directories and + doesn't force any particular bits to be set 'on', then set the following + parameters in the <tt class="filename">smb.conf</tt> file in that share specific section : + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924134"></a>Interaction with the standard Samba file attribute + mapping</h3></div></div><div></div></div><p>Samba maps some of the DOS attribute bits (such as "read + only") into the UNIX permissions of a file. This means there can + be a conflict between the permission bits set via the security + dialog and the permission bits set by the file attribute mapping. + </p><p>One way this can show up is if a file has no UNIX read access + for the owner it will show up as "read only" in the standard + file attributes tabbed dialog. 
Unfortunately this dialog is + the same one that contains the security info in another tab.</p><p>What this can mean is that if the owner changes the permissions + to allow themselves read access using the security dialog, clicks + <span class="guibutton">OK</span> to get back to the standard attributes tab + dialog, and then clicks <span class="guibutton">OK</span> on that dialog, then + NT will set the file permissions back to read-only (as that is what + the attributes still say in the dialog). This means that after setting + permissions and clicking <span class="guibutton">OK</span> to get back to the + attributes dialog you should always hit <span class="guibutton">Cancel</span> + rather than <span class="guibutton">OK</span> to ensure that your changes + are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924210"></a>Common Errors</h2></div></div><div></div></div><p> +File, Directory and Share access problems are very common on the mailing list. The following +are examples taken from the mailing list in recent times. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924224"></a>Users can not write to a public share</h3></div></div><div></div></div><p> + “<span class="quote"> + We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root), + and there's a public share, on which everyone needs to have permission to create / modify files, but only + root can change the file, no one else can. We need to constantly go to server to + <b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file. + </span>” + </p><p> + There are many ways to solve this problem, here are a few hints: + </p><div class="procedure"><p class="title"><b>Procedure 13.3. 
Example Solution:</b></p><ol type="1"><li><p> + Go to the top of the directory that is shared + </p></li><li><p> + Set the ownership to what ever public owner and group you want + </p><pre class="programlisting"> + find 'directory_name' -type d -exec chown user.group {}\; + find 'directory_name' -type d -exec chmod 6775 'directory_name' + find 'directory_name' -type f -exec chmod 0775 {} \; + find 'directory_name' -type f -exec chown user.group {}\; + </pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The above will set the 'sticky bit' on all directories. Read your + Unix/Linux man page on what that does. It causes the OS to assign + to all files created in the directories the ownership of the + directory. + </p></div></li><li><p> + + Directory is: <i class="replaceable"><tt>/foodbar</tt></i> + </p><pre class="screen"> + <tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b> + </pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + </p><p>This is the same as doing:</p><p> + </p><pre class="screen"> + <tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b> + <tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b> + </pre><p> + </p></div></li><li><p>Now do: + + </p><pre class="screen"> + <tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b> + <tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b> + </pre><p> + + </p><p>You should see: + </p><pre class="screen"> + drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar + </pre><p> + </p></li><li><p>Now do: + </p><pre class="screen"> + <tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b> + <tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b> + <tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b> + <tt class="prompt">$ 
</tt><b class="userinput"><tt>ls -al</tt></b> + </pre><p> + </p><p> + You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership + and permissions of Jack, as follows: + </p><pre class="screen"> + -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile + </pre><p> + </p></li><li><p> + Now in your <tt class="filename">smb.conf</tt> for the share add: + </p><pre class="programlisting"> + force create mode = 0775 + force directory mode = 6775 + </pre><p> + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group + you have used. ie: Within the OS do not have write permission on the directory. + </p></div><p> + An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share: + </p><pre class="programlisting"> + force user = jack + force group = engr + </pre><p> + </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924604"></a>I have set force user and Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files + I touch!</h3></div></div><div></div></div><p> + When you have a user in 'admin users', Samba will always do file operations for + this user as <span class="emphasis"><em>root</em></span>, even if <i class="parameter"><tt>force user</tt></i> has been set. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. 
Mapping MS Windows and Unix Groups </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html> diff --git a/docs/htmldocs/AdvancedNetworkManagement.html b/docs/htmldocs/AdvancedNetworkManagement.html new file mode 100644 index 0000000000..296c684e24 --- /dev/null +++ b/docs/htmldocs/AdvancedNetworkManagement.html 
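Review bot: In AccessControls.html, Procedure 13.3 step 2, the find commands will not run as written. The two chown lines end in `{}\;` with no space, so find never receives the `;` terminator, and the directory line `find 'directory_name' -type d -exec chmod 6775 'directory_name'` has no `{} \;` at all and names the top directory instead of each match. Suggest `-exec chown user.group {} \;` and `-exec chmod 6775 {} \;`. The Note that follows calls 6775 the 'sticky bit', but 6775 is setuid plus setgid, which is what the `drwsrwsr-x` listing in step 4 shows; the sticky bit is mode 1000. The ownership inheritance described for Afile depends on how the host OS treats the setuid bit on a directory, so the Note should name the bits correctly and say which platforms behave that way. Separately, `chmod 0775` on every file together with `force create mode = 0775` marks every file on a public share executable; 0664 would give the same group write access without that.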
@@ -0,0 +1,224 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. 
Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2984570">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984759">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984858">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984876">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985087">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2985283">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985316">Common Errors</a></dt></dl></div><p> +This section documents peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984570"></a>Features and Benefits</h2></div></div><div></div></div><p> +Often the difference between a working network environment and a well appreciated one can +best be measured by the <span class="emphasis"><em>little things</em></span> that makes everything work more +harmoniously. 
A key part of every network environment solution is the ability to remotely +manage MS Windows workstations, to remotely access the Samba server, to provide customised +logon scripts, as well as other house keeping activities that help to sustain more reliable +network operations. +</p><p> +This chapter presents information on each of these area. They are placed here, and not in +other chapters, for ease of reference. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984759"></a>Remote Server Administration</h2></div></div><div></div></div><p> +<span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span> +</p><p> + Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains', +the 'Server Manager'? +</p><p> +Microsoft distributes a version of these tools called nexus for installation +on <span class="application">Windows 9x / Me</span> systems. The tools set includes: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Server Manager</td></tr><tr><td>User Manager for Domains</td></tr><tr><td>Event Viewer</td></tr></table><p> +Click here to download the archived file <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</a> +</p><p> +The <span class="application">Windows NT 4.0</span> version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984858"></a>Remote Desktop Management</h2></div></div><div></div></div><p> +There are a number of possible remote desktop management solutions that range from free +through costly. 
Do not let that put you off. Sometimes the most costly solutions is the +most cost effective. In any case, you will need to draw your own conclusions as to which +is the best tool in your network environment. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2984876"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p> + The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. + It is presented in slightly edited form (with author details omitted for privacy reasons). + The entire answer is reproduced below with some comments removed. + </p><p> +</p><pre class="screen"> +> I have a wonderful linux/samba server running as PDC for a network. +> Now I would like to add remote desktop capabilities so that +> users outside could login to the system and get their desktop up from +> home or another country.. +> +> Is there a way to accomplish this? Do I need a windows terminal server? +> Do I need to configure it so that it is a member of the domain or a +> BDC,PDC? Are there any hacks for MS Windows XP to enable remote login +> even if the computer is in a domain? +> +> Any ideas/experience would be appreciated :) +</pre><p> +</p><p> + Answer provided: Check out the new offer from NoMachine, "NX" software: + <a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>. + </p><p> + It implements a very easy-to-use interface to the remote X protocol as + well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed + performance much better than anything you may have ever seen... + </p><p> + Remote X is not new at all -- but what they did achieve successfully is + a new way of compression and caching technologies which makes the thing + fast enough to run even over slow modem/ISDN connections. 
+ </p><p> + I could test drive their (public) RedHat machine in Italy, over a loaded + internet connection, with enabled thumbnail previews in KDE konqueror + which popped up immediately on "mouse-over". From inside that (remote X) + session I started a rdesktop session on another, a Windows XP machine. + To test the performance, I played Pinball. I am proud to announce here + that my score was 631750 points at first try... + </p><p> + NX performs better on my local LAN than any of the other "pure" + connection methods I am using from time to time: TightVNC, rdesktop or + remote X. It is even faster than a direct crosslink connection between + two nodes. + </p><p> + I even got sound playing from the remote X app to my local boxes, and + had a working "copy'n'paste" from an NX window (running a KDE session + in Italy) to my Mozilla mailing agent... These guys are certainly doing + something right! + </p><p> + I recommend to test drive NX to anybody with a only a remote interest + in remote computing + <a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>. + </p><p> + Just download the free of charge client software (available for RedHat, + SuSE, Debian and Windows) and be up and running within 5 minutes (they + need to send you your account data, though, because you are assigned + a real Unix account on their testdrive.nomachine.com box... + </p><p> + They plan to get to the point were you can have NX application servers + running as a cluster of nodes, and users simply start an NX session locally, + and can select applications to run transparently (apps may even run on + another NX node, but pretend to be on the same as used for initial login, + because it displays in the same window.... well, you also can run it + fullscreen, and after a short time you forget that it is a remote session + at all). 
+ </p><p> + Now the best thing at the end: all the core compression and caching + technologies are released under the GPL and available as source code + to anybody who wants to build on it! These technologies are working, + albeit started from the command line only (and very inconvenient to + use in order to get a fully running remote X session up and running....) + </p><p> + To answer your questions: + </p><div class="itemizedlist"><ul type="disc"><li><p> + You don't need to install a terminal server; XP has RDP support built in. + </p></li><li><p> + NX is much cheaper than Citrix -- and comparable in performance, probably faster + </p></li><li><p> + You don't need to hack XP -- it just works + </p></li><li><p> + You log into the XP box from remote transparently (and I think there is no + need to change anything to get a connection, even if authentication is against a domain) + </p></li><li><p> + The NX core technologies are all Open Source and released under the GPL -- + you can today use a (very inconvenient) commandline to use it at no cost, + but you can buy a comfortable (proprietary) NX GUI frontend for money + </p></li><li><p> + NoMachine are encouraging and offering help to OSS/Free Software implementations + for such a frontend too, even if it means competition to them (they have written + to this effect even to the LTSP, KDE and GNOME developer mailing lists) + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985087"></a>Network Logon Script Magic</h2></div></div><div></div></div><p> +This section needs work. Volunteer contributions most welcome. Please send your patches or updates +to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>. +</p><p> +There are several opportunities for creating a custom network startup configuration environment. 
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create + a custom Logon Script and then execute it.</td></tr><tr><td>User of a tool such as KixStart</td></tr></table><p> +The Samba source code tree includes two logon script generation/execution tools. +See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and +<tt class="filename">ntlogon</tt> subdirectories. +</p><p> +The following listings are from the genlogon directory. +</p><p> +This is the <tt class="filename">genlogon.pl</tt> file: + +</p><pre class="programlisting"> + #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from smb.conf + # with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standard's Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. 
+ + # Log client connection + #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + open LOG, ">>/var/log/samba/netlogon.log"; + print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; + close LOG; + + # Start generating logon script + open LOGON, ">/shared/netlogon/$ARGV[0].bat"; + print LOGON "\@ECHO OFF\r\n"; + + # Connect shares just use by Software Development group + if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") + { + print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; + } + + # Connect shares just use by Technical Support staff + if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") + { + print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; + } + + # Connect shares just used by Administration staff + If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") + { + print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; + print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; + } + + # Now connect Printers. We handle just two or three users a little + # differently, because they are the exceptions that have desktop + # printers on LPT1: - all other user's go to the LaserJet on the + # server. + if ($ARGV[0] eq 'jim' + || $ARGV[0] eq 'yvonne') + { + print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + else + { + print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + + # All done! Close the output file. 
+ close LOGON; +</pre><p> +</p><p> +Those wishing to use more elaborate or capable logon processing system should check out the following sites: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2985283"></a>Adding printers without user intervention</h3></div></div><div></div></div><p> +Printers may be added automatically during logon script processing through the use of: + +</p><pre class="programlisting"> + rundll32 printui.dll,PrintUIEntry /? +</pre><p> + +See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985316"></a>Common Errors</h2></div></div><div></div></div><p> +The information provided in this chapter has been reproduced from postings on the samba@samba.org +mailing list. No implied endorsement or recommendation is offered. Administrators should conduct +their own evaluation of alternatives and are encouraged to draw their own conclusions. 
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Integrated Logon Support using Winbind </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. System and Account Policies</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Appendixes.html b/docs/htmldocs/Appendixes.html new file mode 100644 index 0000000000..854437acde --- /dev/null +++ b/docs/htmldocs/Appendixes.html 
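Review bot: In the genlogon.pl listing of the hunk that ends above (the chapter containing "Network Logon Script Magic"), the Administration block opens with a capitalised `If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")`, which Perl rejects as a syntax error, so the script as printed will not compile; it should be lowercase `if`. The same listing interpolates the first argument straight into the output path (`open LOGON, ">/shared/netlogon/$ARGV[0].bat";`) while its header tells readers to run it as `root preexec = genlogon.pl %U %G %L`, so the %U value reaches a file name opened for writing as root with no validation, and neither `open` checks for failure. Suggest restricting the arguments to an expected character set before use and switching to three-argument `open ... or die`. Two smaller points in the same listing: the log line prints `$mon` and `$year` from `localtime` uncorrected (zero-based month, years since 1900), and the header comment lists time synchronisation and an H: home drive mapping that the code never writes to the batch file, so either emit them or trim the list.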
@@ -0,0 +1,4 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. 
<a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. 
<a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or + OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect), + OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working + for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></dd><dt>39. 
<a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Backup.html b/docs/htmldocs/Backup.html new file mode 100644 index 0000000000..9fac452023 --- /dev/null +++ b/docs/htmldocs/Backup.html 
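Review bot: In Appendixes.html, nearly every table-of-contents link targets a stylesheet-generated anchor such as `compiling.html#id3012145`, and such generated ids can change each time the DocBook source is rebuilt, which turns every regeneration of this checked-in HTML into a large diff and breaks deep links from outside. Only `Portability.html#winbind-solaris9` uses a named anchor. Suggest giving the sections explicit ids in the DocBook source so the generated pages are stable. While there, the entry "Samba performance problem due changing kernel" is missing "to", and "Speed improvement" appears as a title under both Windows for Workgroups and Windows '95/'98, which makes the two entries hard to tell apart.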
@@ -0,0 +1,13 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id3001533">Note</a></dt><dt><a href="Backup.html#id3001557">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001533"></a>Note</h2></div></div><div></div></div><p> +This chapter did not make it into this release. 
+It is planned for the published release of this document. +If you have something to contribute for this section please email it to +<a href="">jht@samba.org</a>/ +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001557"></a>Features and Benefits</h2></div></div><div></div></div><p> +We need feedback from people who are backing up samba servers. +We would like to know what software tools you are using to backup +your samba server/s. +</p><p> +In particular, if you have any success and / or failure stories you could +share with other users this would be appreciated. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. High Availability Options</td></tr></table></div></body></html> diff --git a/docs/htmldocs/CUPS-printing.html b/docs/htmldocs/CUPS-printing.html new file mode 100644 index 0000000000..46ca8e15f7 --- /dev/null +++ b/docs/htmldocs/CUPS-printing.html 
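Review bot: In Backup.html, the contact link in the Note section is written as `<a href="">jht@samba.org</a>/`, with an empty href and a stray slash where the full stop belongs, so it resolves to the current page rather than opening mail. The author block earlier in the same file already uses `mailto:jht@samba.org`; the Note should use the same target. The page also carries a table of contents and chapter number for what the text itself calls a chapter that "did not make it into this release", so consider whether a placeholder should be shipped and linked from the neighbouring chapters' navigation at all.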
@@ -0,0 +1,3733 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. CUPS Printing Support in Samba 3.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="printing.html" title="Chapter 18. Classical Printing Support"><link rel="next" href="VFS.html" title="Chapter 20. Stackable VFS modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. CUPS Printing Support in Samba 3.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="CUPS-printing"></a>Chapter 19. 
CUPS Printing Support in Samba 3.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname"> Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email"><<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Ciprian</span> <span class="surname">Vizitiu</span></h3><span class="contrib">drawings</span><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</a>></tt></p></div></div></div></div><div><p class="pubdate"> (3 June 2003) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="CUPS-printing.html#id2953785">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953792">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2953845">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2953900">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953979">Linking of smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2954122">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2954205">More complex smb.conf Settings for +CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954322">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954343">Central spooling vs. 
"Peer-to-Peer" printing</a></dt><dt><a href="CUPS-printing.html#id2954370">CUPS/Samba as a "spooling-only" Print Server; "raw" printing +with Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954406">Driver Installation Methods on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954465">Explicitly enable "raw" printing for +application/octet-stream!</a></dt><dt><a href="CUPS-printing.html#id2954626">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954719">Using CUPS/Samba in an advanced Way -- intelligent printing +with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954794">GDI on Windows -- PostScript on Unix</a></dt><dt><a href="CUPS-printing.html#id2954839">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2954940">Unix Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#id2955028">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2955125">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a href="CUPS-printing.html#id2955238">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2955308">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2955397">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2955420">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2955560">MIME types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2955747">MIME type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2955864">Filter Requirements</a></dt><dt><a href="CUPS-printing.html#id2956034">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2956120">pstops</a></dt><dt><a href="CUPS-printing.html#id2956222">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2956377">imagetops and 
imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2956434">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2956519">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2956831">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="CUPS-printing.html#id2956944">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2956960">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2957012">"Raw" printing</a></dt><dt><a href="CUPS-printing.html#id2957066">"application/octet-stream" printing</a></dt><dt><a href="CUPS-printing.html#id2957282">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2957510">Difference between cupsomatic/foomatic-rip and +native CUPS printing</a></dt><dt><a href="CUPS-printing.html#id2957666">Examples for filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2957897">Sources of CUPS drivers / PPDs</a></dt><dt><a href="CUPS-printing.html#id2958024">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958100">Network printing (purely Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958116">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2958155">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2958227">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958289">Network Printing (Windows clients -- UNIX/Samba Print +Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958310">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2958474">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958550">Network PostScript RIP: CUPS Filters on Server -- clients use +PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958605">PPDs for non-PS Printers on UNIX</a></dt><dt><a 
href="CUPS-printing.html#id2958646">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958712">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958729">Printer Drivers running in "Kernel Mode" cause many +Problems</a></dt><dt><a href="CUPS-printing.html#id2958763">Workarounds impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2958784">CUPS: a "Magical Stone"?</a></dt><dt><a href="CUPS-printing.html#id2958811">PostScript Drivers with no major problems -- even in Kernel +Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958865"> Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958884">cupsaddsmb: the unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2958976">Prepare your smb.conf for +cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2959022">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959220">Recognize the different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959278">Acquiring the Adobe Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959310">ESP Print Pro Package of "PostScript Driver for +WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959360">Caveats to be considered</a></dt><dt><a href="CUPS-printing.html#id2959582">What are the Benefits of using the "CUPS PostScript Driver for +Windows NT/2k/XP" as compared to the Adobe Driver?</a></dt><dt><a href="CUPS-printing.html#id2959764">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2959865">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="CUPS-printing.html#id2960092">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2960186">How to recognize if cupsaddsm completed successfully</a></dt><dt><a href="CUPS-printing.html#id2960273">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2960308">cupsaddsmb 
Flowchart</a></dt><dt><a href="CUPS-printing.html#id2960361">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2960474">Avoiding critical PostScript Driver Settings on the +Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2960608">Installing PostScript Driver Files manually (using +rpcclient)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2960723">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960836">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960925">Producing an Example by querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2961015">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="CUPS-printing.html#id2961177">Manual Commandline Driver Installation in 15 little Steps</a></dt><dt><a href="CUPS-printing.html#id2961830">Troubleshooting revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2961930">The printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962033">Trivial DataBase Files</a></dt><dt><a href="CUPS-printing.html#id2962103">Binary Format</a></dt><dt><a href="CUPS-printing.html#id2962165">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2962224">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2962290">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962398">foomatic-rip and Foomatic explained</a></dt><dt><a href="CUPS-printing.html#id2963027">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963488">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2963519">Setting up Quotas</a></dt><dt><a href="CUPS-printing.html#id2963551">Correct and incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2963592">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2963663">The 
page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2963765">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2963836">Future Developments</a></dt><dt><a href="CUPS-printing.html#id2963884">Other Accounting Tools</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963899">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2964092">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964138">CUPS Configuration Settings explained</a></dt><dt><a href="CUPS-printing.html#id2964221">Pre-conditions</a></dt><dt><a href="CUPS-printing.html#id2964281">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964299">When not to use Samba to print to +CUPS</a></dt><dt><a href="CUPS-printing.html#id2964316">In Case of Trouble.....</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964352">Where to find Documentation</a></dt><dt><a href="CUPS-printing.html#id2964364">How to ask for Help</a></dt><dt><a href="CUPS-printing.html#id2964377">Where to find Help</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964391">Appendix</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964398">Printing from CUPS to Windows attached +Printers</a></dt><dt><a href="CUPS-printing.html#id2964612">More CUPS filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2964919">Trouble Shooting Guidelines to fix typical Samba printing +Problems</a></dt><dt><a href="CUPS-printing.html#id2966041">An Overview of the CUPS Printing Processes</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953785"></a>Introduction</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953792"></a>Features and Benefits</h3></div></div><div></div></div><p> + The Common Unix Print System (<a href="http://www.cups.org/" target="_top">CUPS</a>) has become very 
popular. All + big Linux distributions now ship it as their default printing + system. But to many it is still a very mystical tool. Normally it + "just works" (TM). People tend to regard it as a sort of "black box", + which they don't want to look into, as long as it works OK. But once + there is a little problem, they are in trouble to find out where to + start debugging it. Also, even the most recent and otherwise excellent + printed Samba documentation has only limited attention paid to CUPS + printing, leaving out important pieces or even writing plain wrong + things about it. This demands rectification. But before you dive into + this chapter, make sure that you don't forget to refer to the + "Classical Printing" chapter also. It contains a lot of information + that is relevant for CUPS too. + </p><p> + CUPS sports quite a few unique and powerful features. While their + basic functions may be grasped quite easily, they are also + new. Because they are different from other, more traditional printing + systems, it is best to try and not apply any prior knowledge about + printing upon this new system. Rather try to start understand CUPS + from the beginning. This documentation will lead you here to a + complete understanding of CUPS, if you study all of the material + contained. But lets start with the most basic things first. Maybe this + is all you need for now. Then you can skip most of the other + paragraphs. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953845"></a>Overview</h3></div></div><div></div></div><p> + CUPS is more than just a print spooling system. It is a complete + printer management system that complies with the new IPP + (<span class="emphasis"><em>Internet Printing Protocol</em></span>). IPP is an industry + and IETF (<span class="emphasis"><em>Internet Engineering Task Force</em></span>) + standard for network printing. 
Many of its functions can be managed + remotely (or locally) via a web browser (giving you a + platform-independent access to the CUPS print server). In addition it + has the traditional commandline and several more modern GUI interfaces + (GUI interfaces developed by 3rd parties, like KDE's + overwhelming <a href="http://printing.kde.org/" target="_top">KDEPrint</a>). + </p><p> + CUPS allows creation of "raw" printers (ie: NO print file + format translation) as well as "smart" printers (i.e. CUPS does + file format conversion as required for the printer). In many ways + this gives CUPS similar capabilities to the MS Windows print + monitoring system. Of course, if you are a CUPS advocate, you would + argue that CUPS is better! In any case, let us now move on to + explore how one may configure CUPS for interfacing with MS Windows + print clients via Samba. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953900"></a>Basic Configuration of CUPS support</h2></div></div><div></div></div><p> + Printing with CUPS in the most basic <tt class="filename">smb.conf</tt> + setup in Samba 3.0 (as was true for 2.2.x) only needs two + settings: <i class="parameter"><tt>printing = cups</tt></i> and <i class="parameter"><tt>printcap + = cups</tt></i>. CUPS itself doesn't need a printcap file + anymore. However, the <tt class="filename">cupsd.conf</tt> configuration + file knows two related directives: they control if such a file should + be automatically created and maintained by CUPS for the convenience of + third party applications (example: <i class="parameter"><tt>Printcap + /etc/printcap</tt></i> and <i class="parameter"><tt>PrintcapFormat + BSD</tt></i>). These legacy programs often require the existence of + printcap file containing printernames or they will refuse to + print. Make sure CUPS is set to generate and maintain a printcap! 
For + details see <b class="command">man cupsd.conf</b> and other CUPS-related + documentation, like the wealth of documents on your CUPS server + itself: <a href="http://localhost:631/documentation.html" target="_top">http://localhost:631/documentation.html</a>. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953979"></a>Linking of smbd with libcups.so</h3></div></div><div></div></div><p> + Samba has a very special relationship to CUPS. The reason is: Samba + can be compiled with CUPS library support. Most recent installations + have this support enabled, and per default CUPS linking is compiled + into smbd and other Samba binaries. Of course, you can use CUPS even + if Samba is not linked against <tt class="filename">libcups.so</tt> -- but + there are some differences in required or supported configuration + then. + </p><p> + If SAMBA is compiled against libcups, then <i class="parameter"><tt>printcap = + cups</tt></i> uses the CUPS API to list printers, submit jobs, + query queues, etc. Otherwise it maps to the System V commands with an + additional <b class="command">-oraw</b> option for printing. On a Linux + system, you can use the <b class="command">ldd</b> utility to find out + details (ldd may not be present on other OS platforms, or its function + may be embodied by a different command): + </p><pre class="screen"> + transmeta:/home/kurt # ldd `which smbd` + libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) + libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) + libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) + [....] + </pre><p> + The line <tt class="computeroutput">libcups.so.2 => /usr/lib/libcups.so.2 + (0x40123000)</tt> shows there is CUPS support compiled + into this version of Samba. If this is the case, and printing = cups + is set, then <span class="emphasis"><em>any otherwise manually set print command in + <tt class="filename">smb.conf</tt> is ignored</em></span>. 
This is an + important point to remember! + </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Should you require -- for any reason -- to set your own + print commands, you can still do this by setting <i class="parameter"><tt>printing = + sysv</tt></i>. However, you'll loose all the benefits from the + close CUPS/Samba integration. You are on your own then to manually + configure the rest of the printing system commands (most important: + <i class="parameter"><tt>print command</tt></i>; other commands are + <i class="parameter"><tt>lppause command, lpresume command, lpq command, lprm + command, queuepause command </tt></i> and <i class="parameter"><tt>queue resume + command</tt></i>).</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954122"></a>Simple <tt class="filename">smb.conf</tt> Settings for CUPS</h3></div></div><div></div></div><p> + To summarize, here is the simplest printing-related setup + for <tt class="filename">smb.conf</tt> to enable basic CUPS support: + </p><pre class="screen"> + + [global] + load printers = yes + printing = cups + printcap name = cups + + [printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root, @ntadmins + + </pre><p> + This is all you need for basic printing setup for CUPS. It will print + all Graphic, Text, PDF and PostScript file submitted from Windows + clients. However, most of your Windows users would not know how to + send these kind of files to print without opening a GUI + application. Windows clients tend to have local printer drivers + installed. And the GUI application's print buttons start a printer + driver. Your users also very rarely send files from the command + line. Unlike UNIX clients, they hardly submit graphic, text or PDF + formatted files directly to the spooler. 
They nearly exclusively print + from GUI applications, with a "printer driver" hooked in between the + applications native format and the print data stream. If the backend + printer is not a PostScript device, the print data stream is "binary", + sensible only for the target printer. Read on to learn which problem + this may cause and how to avoid it. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954205"></a>More complex <tt class="filename">smb.conf</tt> Settings for +CUPS</h3></div></div><div></div></div><p> +Here is a slightly more complex printing-related setup +for <tt class="filename">smb.conf</tt>. It enables general CUPS printing +support for all printers, but defines one printer share which is set +up differently. +</p><pre class="screen"> + + [global] + printing = cups + printcap name = cups + load printers = yes + + [printers] + comment = All Printers + path = /var/spool/samba + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root, @ntadmins + + [special_printer] + comment = A special printer with his own settings + path = /var/spool/samba-special + printing = sysv + printcap = lpstat + print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ;\ + echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ;\ + echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log :\ + rm %f + public = no + guest ok = no + writeable = no + printable = yes + printer admin = kurt + hosts deny = 0.0.0.0 + hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60 + +</pre><p> +This special share is only there for my testing purposes. It doesn't +even write the print job to a file. It just logs the job parameters +known to Samba into the <tt class="filename">/tmp/smbprn.log</tt> file and +deletes the jobfile. 
Moreover, the <i class="parameter"><tt>printer +admin</tt></i> of this share is "kurt" (not the "@ntadmins" group); +guest access is not allowed; the share isn't announced in Network +Neighbourhood (so you need to know it is there), and it is only +allowing access from three hosts. To prevent CUPS kicking in and +taking over the print jobs for that share, we need to set +<i class="parameter"><tt>printing = sysv</tt></i> and <i class="parameter"><tt>printcap = +lpstat</tt></i>. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954322"></a>Advanced Configuration</h2></div></div><div></div></div><p> +Before we dive into all the configuration options, let's clarify a few +points. <span class="emphasis"><em>Network printing needs to be organized and setup +correctly</em></span>. Often this is not done correctly. Legacy systems +or small LANs in business environments often lack a clear design and +good housekeeping. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954343"></a>Central spooling vs. "Peer-to-Peer" printing</h3></div></div><div></div></div><p> +Many small office or home networks, as well as badly organized larger +environments, allow each client a direct access to available network +printers. Generally, this is a bad idea. It often blocks one client's +access to the printer when another client's job is printing. It also +might freeze the first client's application while it is waiting to get +rid of the job. Also, there are frequent complaints about various jobs +being printed with their pages mixed with each other. A better concept +is the usage of a "print server": it routes all jobs through one +central system, which responds immediately, takes jobs from multiple +concurrent clients at the same time and in turn transfers them to the +printer(s) in the correct order. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954370"></a>CUPS/Samba as a "spooling-only" Print Server; "raw" printing +with Vendor Drivers on Windows Clients</h3></div></div><div></div></div><p> +Most traditionally configured Unix print servers acting on behalf of +Samba's Windows clients represented a really simple setup. Their only +task was to manage the "raw" spooling of all jobs handed to them by +Samba. This approach meant that the Windows clients were expected to +prepare the print job file in such a way that it became fit to be fed to +the printing device. Here a native (vendor-supplied) Windows printer +driver for the target device needed to be installed on each and every +client. +</p><p> +Of course you can setup CUPS, Samba and your Windows clients in the +same, traditional and simple way. When CUPS printers are configured +for RAW print-through mode operation it is the responsibility of the +Samba client to fully render the print job (file). The file must be +sent in a format that is suitable for direct delivery to the +printer. Clients need to run the vendor-provided drivers to do +this. In this case CUPS will NOT do any print file format conversion +work. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954406"></a>Driver Installation Methods on Windows Clients</h3></div></div><div></div></div><p> +The printer drivers on the Windows clients may be installed +in two functionally different ways: +</p><div class="itemizedlist"><ul type="disc"><li><p>manually install the drivers locally on each client, +one by one; this yields the old <span class="emphasis"><em>LanMan</em></span> style +printing; it uses a <tt class="filename">\\sambaserver\printershare</tt> +type of connection.</p></li><li><p>deposit and prepare the drivers (for later download) on +the print server (Samba); this enables the clients to use +"Point'n'Print" to get drivers semi-automatically installed the +first time they access the printer; with this method NT/2K/XP +clients use the <span class="emphasis"><em>SPOOLSS/MS-RPC</em></span> +type printing calls.</p></li></ul></div><p> +The second method is recommended for use over the first. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954465"></a>Explicitly enable "raw" printing for +<span class="emphasis"><em>application/octet-stream</em></span>!</h3></div></div><div></div></div><p> +If you use the first option (drivers are installed on the client +side), there is one setting to take care of: CUPS needs to be told +that it should allow "raw" printing of deliberate (binary) file +formats. The CUPS files that need to be correctly set for RAW mode +printers to work are: +</p><div class="itemizedlist"><ul type="disc"><li><p>/etc/cups/mime.types +</p></li><li><p>/etc/cups/mime.convs</p></li></ul></div><p> +Both contain entries (at the end of the respective files) which must +be uncommented to allow RAW mode operation. 
+In<tt class="filename">/etc/cups/mime.types</tt> make sure this line is +present: +</p><pre class="screen"> + + application/octet-stream + +</pre><p> +In <tt class="filename">/etc/cups/mime.convs</tt>, +have this line: +</p><pre class="screen"> + + application/octet-stream application/vnd.cups-raw 0 - + +</pre><p> +If these two files are not set up correctly for raw Windows client +printing, you may encounter the dreaded <tt class="computeroutput">Unable to +convert file 0</tt> in your CUPS error_log file. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>editing the <tt class="filename">mime.convs</tt> and the +<tt class="filename">mime.types</tt> file does not +<span class="emphasis"><em>enforce</em></span> "raw" printing, it only +<span class="emphasis"><em>allows</em></span> it. +</p></div><p><b>Background. </b> +CUPS being a more security-aware printing system than traditional ones +does not by default allow a user to send deliberate (possibly binary) +data to printing devices. This could be easily abused to launch a +"Denial of Service" attack on your printer(s), causing at the least +the loss of a lot of paper and ink. "Unknown" data are tagged by CUPS +as <span class="emphasis"><em>MIME type: application/octet-stream</em></span> and not +allowed to go to the printer. By default, you can only send other +(known) MIME types "raw". Sending data "raw" means that CUPS does not +try to convert them and passes them to the printer untouched (see next +chapter for even more background explanations). +</p><p> +This is all you need to know to get the CUPS/Samba combo printing +"raw" files prepared by Windows clients, which have vendor drivers +locally installed. If you are not interested in background information about +more advanced CUPS/Samba printing, simply skip the remaining sections +of this chapter. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954626"></a>Three familiar Methods for driver upload plus a new one</h3></div></div><div></div></div><p> +If you want to use the MS-RPC type printing, you must upload the +drivers onto the Samba server first (<i class="parameter"><tt>[print$]</tt></i> +share). For a discussion on how to deposit printer drivers on the +Samba host (so that the Windows clients can download and use them via +"Point'n'Print") please also refer to the previous chapter of this +HOWTO Collection. There you will find a description or reference to +three methods of preparing the client drivers on the Samba server: +</p><div class="itemizedlist"><ul type="disc"><li><p>the GUI, "Add Printer Wizard" +<span class="emphasis"><em>upload-from-a-Windows-client</em></span> +method;</p></li><li><p>the commandline, "smbclient/rpcclient" +<span class="emphasis"><em>upload-from-a-UNIX-workstation</em></span> +method;</p></li><li><p>the <span class="emphasis"><em>Imprints</em></span> Toolset +method.</p></li></ul></div><p> +These 3 methods apply to CUPS all the same. A new and more +convenient way to load the Windows drivers into Samba is provided +provided if you use CUPS: +</p><div class="itemizedlist"><ul type="disc"><li><p>the <span class="emphasis"><em>cupsaddsmb</em></span> +utility.</p></li></ul></div><p> +cupsaddsmb is discussed in much detail further below. But we will +first explore the CUPS filtering system and compare the Windows and +UNIX printing architectures. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954719"></a>Using CUPS/Samba in an advanced Way -- intelligent printing +with PostScript Driver Download</h2></div></div><div></div></div><p> +Still reading on? Good. Let's go into more detail then. 
We now know +how to set up a "dump" printserver, that is, a server which is spooling +printjobs "raw", leaving the print data untouched. +</p><p> +Possibly you need to setup CUPS in a more smart way. The reasons could +be manifold: +</p><div class="itemizedlist"><ul type="disc"><li><p>Maybe your boss wants to get monthly statistics: Which +printer did how many pages? What was the average data size of a job? +What was the average print run per day? What are the typical hourly +peaks in printing? Which departments prints how +much?</p></li><li><p>Maybe you are asked to setup a print quota system: +users should not be able to print more jobs, once they have surpassed +a given limit per period?</p></li><li><p>Maybe your previous network printing setup is a mess +and shall be re-organized from a clean beginning?</p></li><li><p>Maybe you have experiencing too many "Blue Screens", +originating from poorly debugged printer drivers running in NT "kernel +mode"?</p></li></ul></div><p> +These goals cannot be achieved by a raw print server. To build a +server meeting these requirements, you'll first need to learn about +how CUPS works and how you can enable its features. +</p><p> +What follows is the comparison of some fundamental concepts for +Windows and Unix printing; then is the time for a description of the +CUPS filtering system, how it works and how you can tweak it. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954794"></a>GDI on Windows -- PostScript on Unix</h3></div></div><div></div></div><p> +Network printing is one of the most complicated and error-prone +day-to-day tasks any user or an administrator may encounter. This is +true for all OS platforms. And there are reasons for this. +</p><p> +You can't expect for most file formats to just throw them towards +printers and they get printed. There needs to be a file format +conversion in between. 
The problem is: there is no common standard for +print file formats across all manufacturers and printer types. While +<span class="emphasis"><em>PostScript</em></span> (trademark held by Adobe), and, to an +extent, <span class="emphasis"><em>PCL</em></span> (trademark held by HP), have developed +into semi-official "standards", by being the most widely used PDLs +(<span class="emphasis"><em>Page Description Languages</em></span>), there are still +many manufacturers who "roll their own" (their reasons may be +unacceptable license fees for using printer-embedded PostScript +interpreters, etc.). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954839"></a>Windows Drivers, GDI and EMF</h3></div></div><div></div></div><p> +In Windows OS, the format conversion job is done by the printer +drivers. On MS Windows OS platforms all application programmers have +at their disposal a built-in API, the GDI (<span class="emphasis"><em>Graphical Device +Interface</em></span>), as part and parcel of the OS itself, to base +themselves on. This GDI core is used as one common unified ground, for +all Windows programs, to draw pictures, fonts and documents +<span class="emphasis"><em>on screen</em></span> as well as <span class="emphasis"><em>on +paper</em></span> (=print). Therefore printer driver developers can +standardize on a well-defined GDI output for their own driver +input. Achieving WYSIWYG ("What You See Is What You Get") is +relatively easy, because the on-screen graphic primitives, as well as +the on-paper drawn objects, come from one common source. This source, +the GDI, produces often a file format called EMF (<span class="emphasis"><em>Enhanced +MetaFile</em></span>). The EMF is processed by the printer driver and +converted to the printer-specific file format. 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +To the GDI foundation in MS Windows, Apple has chosen to +put paper and screen output on a common foundation for their +(BSD-Unix-based, did you know??) Mac OS X and Darwin Operating +Systems.Their <span class="emphasis"><em>Core Graphic Engine</em></span> uses a +<span class="emphasis"><em>PDF</em></span> derivate for all display work. +</p></div><p> + +</p><div class="figure"><a name="id2954904"></a><p class="title"><b>Figure 19.1. Windows Printing to a local Printer</b></p><div class="mediaobject"><img src="projdoc/imagefiles/1small.png" alt="Windows Printing to a local Printer"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954940"></a>Unix Printfile Conversion and GUI Basics</h3></div></div><div></div></div><p> +In Unix and Linux, there is no comparable layer built into the OS +kernel(s) or the X (screen display) server. Every application is +responsible for itself to create its print output. Fortunately, most +use PostScript. That gives at least some common ground. Unfortunately, +there are many different levels of quality for this PostScript. And +worse: there is a huge difference (and no common root) in the way how +the same document is displayed on screen and how it is presented on +paper. WYSIWYG is more difficult to achieve. This goes back to the +time decades ago, when the predecessors of <span class="emphasis"><em>X.org</em></span>, +designing the UNIX foundations and protocols for Graphical User +Interfaces refused to take over responsibility for "paper output" +also, as some had demanded at the time, and restricted itself to +"on-screen only". (For some years now, the "Xprint" project has been +under development, attempting to build printing support into the X +framework, including a PostScript and a PCL driver, but it is not yet +ready for prime time.) 
You can see this unfavorable inheritance up to +the present day by looking into the various "font" directories on your +system; there are separate ones for fonts used for X display and fonts +to be used on paper. +</p><p><b>Background. </b> +The PostScript programming language is an "invention" by Adobe Inc., +but its specifications have been published to the full. Its strength +lies in its powerful abilities to describe graphical objects (fonts, +shapes, patterns, lines, curves, dots...), their attributes (color, +linewidth...) and the way to manipulate (scale, distort, rotate, +shift...) them. Because of its open specification, anybody with the +skill can start writing his own implementation of a PostScript +interpreter and use it to display PostScript files on screen or on +paper. Most graphical output devices are based on the concept of +"raster images" or "pixels" (one notable exception are pen +plotters). Of course, you can look at a PostScript file in its textual +form and you will be reading its PostScript code, the language +instructions which need to be interpreted by a rasterizer. Rasterizers +produce pixel images, which may be displayed on screen by a viewer +program or on paper by a printer. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955028"></a>PostScript and Ghostscript</h3></div></div><div></div></div><p> +So, Unix is lacking a common ground for printing on paper and +displaying on screen. Despite this unfavorable legacy for Unix, basic +printing is fairly easy: if you have PostScript printers at your +disposal! The reason is: these devices have a built-in PostScript +language "interpreter", also called a <span class="emphasis"><em>Raster Image +Processor</em></span> (RIP), (which makes them more expensive than +other types of printers); throw PostScript towards them, and they will +spit out your printed pages. 
Their RIP is doing all the hard work of +converting the PostScript drawing commands into a bitmap picture as +you see it on paper, in a resolution as done by your printer. This is +no different to PostScript printing of a file from a Windows origin. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Traditional Unix programs and printing systems -- while +using PostScript -- are largely not PPD-aware. PPDs are "PostScript +Printer Description" files. They enable you to specify and control all +options a printer supports: duplexing, stapling, punching... Therefore +Unix users for a long time couldn't choose many of the supported +device and job options, unlike Windows or Apple users. But now there +is CUPS.... ;-) +</p></div><p> +</p><div class="figure"><a name="id2955075"></a><p class="title"><b>Figure 19.2. Printing to a Postscript Printer</b></p><div class="mediaobject"><img src="projdoc/imagefiles/2small.png" alt="Printing to a Postscript Printer"></div></div><p> +</p><p> +However, there are other types of printers out there. These don't know +how to print PostScript. They use their own <span class="emphasis"><em>Page Description +Language</em></span> (PDL, often proprietary). To print to them is much +more demanding. Since your Unix applications mostly produce +PostScript, and since these devices don't understand PostScript, you +need to convert the printfiles to a format suitable for your printer +on the host, before you can send it away. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955125"></a>Ghostscript -- the Software RIP for non-PostScript Printers</h3></div></div><div></div></div><p> +Here is where <span class="emphasis"><em>Ghostscript</em></span> kicks in. Ghostscript is +the traditional (and quite powerful) PostScript interpreter used on +Unix platforms. 
It is a RIP in software, capable to do a +<span class="emphasis"><em>lot</em></span> of file format conversions, for a very broad +spectrum of hardware devices as well as software file formats. +Ghostscript technology and drivers is what enables PostScript printing +to non-PostScript hardware. +</p><p> +</p><div class="figure"><a name="id2955155"></a><p class="title"><b>Figure 19.3. Ghostscript as a RIP for non-postscript printers</b></p><div class="mediaobject"><img src="projdoc/imagefiles/3small.png" alt="Ghostscript as a RIP for non-postscript printers"></div></div><p> +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +Use the "gs -h" command to check for all built-in "devices" of your +Ghostscript version. If you specify e.g. a parameter of +<i class="parameter"><tt>-sDEVICE=png256</tt></i> on your Ghostscript command +line, you are asking Ghostscript to convert the input into a PNG +file. Naming a "device" on the commandline is the most important +single parameter to tell Ghostscript how exactly it should render the +input. New Ghostscript versions are released at fairly regular +intervals, now by artofcode LLC. They are initially put under the +"AFPL" license, but re-released under the GNU GPL as soon as the next +AFPL version appears. GNU Ghostscript is probably the version +installed on most Samba systems. But it has got some +deficiencies. Therefore ESP Ghostscript was developed as an +enhancement over GNU Ghostscript, with lots of bug-fixes, additional +devices and improvements. It is jointly maintained by developers from +CUPS, Gimp-Print, MandrakeSoft, SuSE, RedHat and Debian. It includes +the "cups" device (essential to print to non-PS printers from CUPS). 
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955238"></a>PostScript Printer Description (PPD) Specification</h3></div></div><div></div></div><p> +While PostScript in essence is a <span class="emphasis"><em>Page Description +Language</em></span> (PDL) to represent the page layout in a +<span class="emphasis"><em>device independent</em></span> way, real world print jobs are +always ending up to be output on a hardware with device-specific +features. To take care of all the differences in hardware, and to +allow for innovations, Adobe has specified a syntax and file format +for <span class="emphasis"><em>PostScript Printer Description</em></span> (PPD) +files. Every PostScript printer ships with one of these files. +</p><p> +PPDs contain all information about general and special features of the +given printer model: Which different resolutions can it handle? Does +it have a Duplexing Unit? How many paper trays are there? What media +types and sizes does it take? For each item it also names the special +command string to be sent to the printer (mostly inside the PostScript +file) in order to enable it. +</p><p> +Information from these PPDs is meant to be taken into account by the +printer drivers. Therefore, installed as part of the Windows +PostScript driver for a given printer is the printer's PPD. Where it +makes sense, the PPD features are presented in the drivers' UI dialogs +to display to the user as choice of print options. In the end, the +user selections are somehow written (in the form of special +PostScript, PJL, JCL or vendor-dependent commands) into the PostScript +file created by the driver. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +A PostScript file that was created to contain device-specific commands +for achieving a certain print job output (e.g. 
duplexed, stapled and +punched) on a specific target machine, may not print as expected, or +may not be printable at all on other models; it also may not be fit +for further processing by software (e.g. by a PDF distilling program). +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955308"></a>CUPS can use all Windows-formatted Vendor PPDs</h3></div></div><div></div></div><p> +CUPS can handle all spec-compliant PPDs as supplied by the +manufacturers for their PostScript models. Even if a +Unix/Linux-illiterate vendor might not have mentioned our favorite +OS in his manuals and brochures -- you can safely trust this: +<span class="emphasis"><em>if you get hold of the Windows NT version of the PPD, you +can use it unchanged in CUPS</em></span> and thus access the full +power of your printer just like a Windows NT user could! +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +To check the spec compliance of any PPD online, go to <a href="http://www.cups.org/testppd.php" target="_top">http://www.cups.org/testppd.php</a> +and upload your PPD. You will see the results displayed +immediately. CUPS in all versions after 1.1.19 has a much more strict +internal PPD parsing and checking code enabled; in case of printing +trouble this online resource should be one of your first pitstops. +</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +For real PostScript printers <span class="emphasis"><em>don't</em></span> use the +<span class="emphasis"><em>Foomatic</em></span> or <span class="emphasis"><em>cupsomatic</em></span> +PPDs from Linuxprinting.org. With these devices the original +vendor-provided PPDs are always the first choice! 
+</p></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +If you are looking for an original vendor-provided PPD of a specific +device, and you know that an NT4 box (or any other Windows box) on +your LAN has the PostScript driver installed, just use +<b class="command">smbclient //NT4-box/print\$ -U username</b> to +access the Windows directory where all printer driver files are +stored. First look in the <tt class="filename">W32X86/2</tt> subdir for +the PPD you are seeking. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955397"></a>CUPS also uses PPDs for non-PostScript Printers</h3></div></div><div></div></div><p> +CUPS also uses specially crafted PPDs to handle non-PostScript +printers. These PPDs are usually not available from the vendors (and +no, you can't just take the PPD of a Postscript printer with the same +model name and hope it works for the non-PostScript version too). To +understand how these PPDs work for non-PS printers we first need to +dive deeply into the CUPS filtering and file format conversion +architecture. Stay tuned. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2955420"></a>The CUPS Filtering Architecture</h2></div></div><div></div></div><p> +The core of the CUPS filtering system is based on +<span class="emphasis"><em>Ghostscript</em></span>. In addition to Ghostscript, CUPS +uses some other filters of its own. You (or your OS vendor) may have +plugged in even more filters. CUPS handles all data file formats under +the label of various <span class="emphasis"><em>MIME types</em></span>. Every incoming +printfile is subjected to an initial +<span class="emphasis"><em>auto-typing</em></span>. The auto-typing determines its given +MIME type. A given MIME type implies zero or more possible filtering +chains relevant to the selected target printer. 
This section discusses +how MIME types recognition and conversion rules interact. They are +used by CUPS to automatically setup a working filtering chain for any +given input data format. +</p><p> +If CUPS rasterizes a PostScript file <span class="emphasis"><em>natively</em></span> to +a bitmap, this is done in 2 stages: +</p><div class="itemizedlist"><ul type="disc"><li><p>the first stage uses a Ghostscript device named "cups" +(this is since version 1.1.15) and produces a generic raster format +called "CUPS raster". +</p></li><li><p>the second stage uses a "raster driver" which converts +the generic CUPS raster to a device specific raster.</p></li></ul></div><p> +Make sure your Ghostscript version has the "cups" device compiled in +(check with <b class="command">gs -h | grep cups</b>). Otherwise you +may encounter the dreaded <tt class="computeroutput">Unable to convert file +0</tt> in your CUPS error_log file. To have "cups" as a +device in your Ghostscript, you either need to <span class="emphasis"><em>patch GNU +Ghostscript</em></span> and re-compile or use <a href="http://www.cups.org/ghostscript.php" target="_top">ESP Ghostscript</a>. The +superior alternative is ESP Ghostscript: it supports not just CUPS, +but 300 other devices too (while GNU Ghostscript supports only about +180). Because of this broad output device support, ESP Ghostscript is +the first choice for non-CUPS spoolers too. It is now recommended by +Linuxprinting.org for all spoolers. +</p><p> +CUPS printers may be setup to use <span class="emphasis"><em>external</em></span> +rendering paths. One of the most common ones is provided by the +<span class="emphasis"><em>Foomatic/cupsomatic</em></span> concept, from <a href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a>. This +uses the classical Ghostscript approach, doing everything in one +step. It doesn't use the "cups" device, but one of the many +others. 
However, even for Foomatic/cupsomatic usage, best results and +broadest printer model support is provided by ESP Ghostscript (more +about cupsomatic/Foomatic, particularly the new version called now +<span class="emphasis"><em>foomatic-rip</em></span>, follows below). +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955560"></a>MIME types and CUPS Filters</h3></div></div><div></div></div><p> +CUPS reads the file <tt class="filename">/etc/cups/mime.types</tt> +(and all other files carrying a <tt class="filename">*.types</tt> suffix +in the same directory) upon startup. These files contain the MIME +type recognition rules which are applied when CUPS runs its +auto-typing routines. The rule syntax is explained in the man page +for <tt class="filename">mime.types</tt> and in the comments section of the +<tt class="filename">mime.types</tt> file itself. A simple rule reads +like this: +</p><pre class="screen"> + + application/pdf pdf string(0,%PDF) + +</pre><p> +This means: if a filename has either a +<tt class="filename">.pdf</tt> suffix, or if the magic +string <span class="emphasis"><em>%PDF</em></span> is right at the +beginning of the file itself (offset 0 from the start), then it is +a PDF file (<span class="emphasis"><em>application/pdf</em></span>). +Another rule is this: +</p><pre class="screen"> + + application/postscript ai eps ps string(0,%!) string(0,<04>%!) + +</pre><p> +Its meaning: if the filename has one of the suffixes +<tt class="filename">.ai</tt>, <tt class="filename">.eps</tt>, +<tt class="filename">.ps</tt> or if the file itself starts with one of the +strings <span class="emphasis"><em>%!</em></span> or <span class="emphasis"><em><04>%!</em></span>, it +is a generic PostScript file +(<span class="emphasis"><em>application/postscript</em></span>). 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +There is a very important difference between two similar MIME type in +CUPS: one is <span class="emphasis"><em>application/postscript</em></span>, the other is +<span class="emphasis"><em>application/vnd.cups-postscript</em></span>. While +<span class="emphasis"><em>application/postscript</em></span> is meant to be device +independent (job options for the file are still outside the PS file +content, embedded in commandline or environment variables by CUPS), +<span class="emphasis"><em>application/vnd.cups-postscript</em></span> may have the job +options inserted into the PostScript data itself (were +applicable). The transformation of the generic PostScript +(application/postscript) to the device-specific version +(application/vnd.cups-postscript) is the responsibility of the +CUPS <span class="emphasis"><em>pstops</em></span> filter. pstops uses information +contained in the PPD to do the transformation. +</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Don't confuse the other mime.types file your system might be using +with the one in the <tt class="filename">/etc/cups/</tt> directory. +</p></div><p> +CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI and a +lot of image formats (GIF. PNG, TIFF, JPEG, Photo-CD, SUN-Raster, +PNM, PBM, SGI-RGB and some more) and their associated MIME types +with its filters. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955747"></a>MIME type Conversion Rules</h3></div></div><div></div></div><p> +CUPS reads the file <tt class="filename">/etc/cups/mime.convs</tt> +(and all other files named with a <tt class="filename">*.convs</tt> +suffix in the same directory) upon startup. 
These files contain +lines naming an input MIME type, an output MIME type, a format +conversion filter which can produce the output from the input type +and virtual costs associated with this conversion. One example line +reads like this: +</p><pre class="screen"> + + application/pdf application/postscript 33 pdftops + +</pre><p> +This means that the <span class="emphasis"><em>pdftops</em></span> filter will take +<span class="emphasis"><em>application/pdf</em></span> as input and produce +<span class="emphasis"><em>application/postscript</em></span> as output, the virtual +cost of this operation is 33 CUPS-$. The next filter is more +expensive, costing 66 CUPS-$: +</p><pre class="screen"> + + application/vnd.hp-HPGL application/postscript 66 hpgltops + +</pre><p> +This is the <span class="emphasis"><em>hpgltops</em></span>, which processes HP-GL +plotter files to PostScript. +</p><pre class="screen"> + + application/octet-stream + +</pre><p> +Here are two more examples: +</p><pre class="screen"> + + application/x-shell application/postscript 33 texttops + text/plain application/postscript 33 texttops + +</pre><p> +The last two examples name the <span class="emphasis"><em>texttops</em></span> filter +to work on "text/plain" as well as on "application/x-shell". (Hint: +this differentiation is needed for the syntax highlighting feature of +"texttops"). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955864"></a>Filter Requirements</h3></div></div><div></div></div><p> +There are many more combinations named in mime.convs. However, you +are not limited to use the ones pre-defined there. You can plug in any +filter you like into the CUPS framework. It must meet, or must be made +to meet some minimal requirements. 
If you find (or write) a cool +conversion filter of some kind, make sure it complies to what CUPS +needs, and put in the right lines in <tt class="filename">mime.types</tt> +and <tt class="filename">mime.convs</tt>, then it will work seamlessly +inside CUPS! +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +The mentioned "CUPS requirements" for filters are simple. Take +filenames or <tt class="filename">stdin</tt> as input and write to +<tt class="filename">stdout</tt>. They should take these 5 or 6 arguments: +<span class="emphasis"><em>printer job user title copies options [filename]</em></span> +</p><div class="variablelist"><dl><dt><span class="term">Printer</span></dt><dd><p>The name of the printer queue (normally this is the +name of the filter being run)</p></dd><dt><span class="term">job</span></dt><dd><p>The numeric job ID for the job being +printed</p></dd><dt><span class="term">Printer</span></dt><dd><p>The string from the originating-user-name +attribute</p></dd><dt><span class="term">Printer</span></dt><dd><p>The string from the job-name attribute</p></dd><dt><span class="term">Printer</span></dt><dd><p>The numeric value from the number-copies +attribute</p></dd><dt><span class="term">Printer</span></dt><dd><p>The job options</p></dd><dt><span class="term">Printer</span></dt><dd><p>(Optionally) The print request file (if missing, +filters expected data fed through <tt class="filename">stdin</tt>). In most +cases it is very easy to write a simple wrapper script around existing +filters to make them work with CUPS.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956034"></a>Prefilters</h3></div></div><div></div></div><p> +As was said, PostScript is the central file format to any Unix based +printing system. From PostScript, CUPS generates raster data to feed +non-PostScript printers. 
+</p><p> +But what is happening if you send one of the supported non-PS formats +to print? Then CUPS runs "pre-filters" on these input formats to +generate PostScript first. There are pre-filters to create PS from +ASCII text, PDF, DVI or HP-GL. The outcome of these filters is always +of MIME type <span class="emphasis"><em>application/postscript</em></span> (meaning that +any device-specific print options are not yet embedded into the +PostScript by CUPS, and that the next filter to be called is +pstops). Another pre-filter is running on all supported image formats, +the <span class="emphasis"><em>imagetops</em></span> filter. Its outcome is always of +MIME type <span class="emphasis"><em>application/vnd.cups-postscript</em></span> +(<span class="emphasis"><em>not</em></span> application/postscript), meaning it has the +print options already embedded into the file. +</p><p> +</p><div class="figure"><a name="id2956084"></a><p class="title"><b>Figure 19.4. Prefiltering in CUPS to form Postscript</b></p><div class="mediaobject"><img src="projdoc/imagefiles/4small.png" alt="Prefiltering in CUPS to form Postscript"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956120"></a>pstops</h3></div></div><div></div></div><p> +<span class="emphasis"><em>pstops</em></span>is the filter to convert +<span class="emphasis"><em>application/postscript</em></span> to +<span class="emphasis"><em>application/vnd.cups-postscript</em></span>. It was said +above that this filter inserts all device-specific print options +(commands to the printer to ask for the duplexing of output, or +stapling an punching it, etc.) into the PostScript file. +</p><p> +</p><div class="figure"><a name="id2956149"></a><p class="title"><b>Figure 19.5. 
Adding Device-specific Print Options</b></p><div class="mediaobject"><img src="projdoc/imagefiles/5small.png" alt="Adding Device-specific Print Options"></div></div><p> +</p><p> +This is not all: other tasks performed by it are: +</p><div class="itemizedlist"><ul type="disc"><li><p> +selecting the range of pages to be printed (if you choose to +print only pages "3, 6, 8-11, 16, 19-21", or only the odd numbered +ones) +</p></li><li><p> +putting 2 or more logical pages on one sheet of paper (the +so-called "number-up" function) +</p></li><li><p>counting the pages of the job to insert the accounting +information into the <tt class="filename">/var/log/cups/page_log</tt> +</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956222"></a>pstoraster</h3></div></div><div></div></div><p> +<span class="emphasis"><em>pstoraster</em></span> is at the core of the CUPS filtering +system. It is responsible for the first stage of the rasterization +process. Its input is of MIME type application/vnd.cups-postscript; +its output is application/vnd.cups-raster. This output format is not +yet meant to be printable. Its aim is to serve as a general purpose +input format for more specialized <span class="emphasis"><em>raster drivers</em></span>, +that are able to generate device-specific printer data. +</p><p> +</p><div class="figure"><a name="id2956251"></a><p class="title"><b>Figure 19.6. Postscript to intermediate Raster format</b></p><div class="mediaobject"><img src="projdoc/imagefiles/6small.png" alt="Postscript to intermediate Raster format"></div></div><p> +</p><p> +CUPS raster is a generic raster format with powerful features. It is +able to include per-page information, color profiles and more to be +used by the following downstream raster drivers. Its MIME type is +registered with IANA and its specification is of course completely +open. 
It is designed to make it very easy and inexpensive for +manufacturers to develop Linux and Unix raster drivers for their +printer models, should they choose to do so. CUPS always takes care +for the first stage of rasterization so these vendors don't need to care +about Ghostscript complications (in fact, there is currently more +than one vendor financing the development of CUPS raster drivers). +</p><p> +</p><div class="figure"><a name="id2956304"></a><p class="title"><b>Figure 19.7. CUPS-raster production using Ghostscript</b></p><div class="mediaobject"><img src="projdoc/imagefiles/7small.png" alt="CUPS-raster production using Ghostscript"></div></div><p> +</p><p> +CUPS versions before version 1.1.15 were shipping a binary (or source +code) standalone filter, named "pstoraster". pstoraster was derived +from GNU Ghostscript 5.50, and could be installed besides and in +addition to any GNU or AFPL Ghostscript package without conflicting. +</p><p> +From version 1.1.15, this has changed. The functions for this has been +integrated back into Ghostscript (now based on GNU Ghostscript version +7.05). The "pstoraster" filter is now a simple shell script calling +<b class="command">gs</b> with the <b class="command">-sDEVICE=cups</b> +parameter. If your Ghostscript doesn't show a success on asking for +<b class="command">gs -h |grep cups</b>, you might not be able to +print. Update your Ghostscript then! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956377"></a>imagetops and imagetoraster</h3></div></div><div></div></div><p> +Above in the section about prefilters, we mentioned the prefilter +that generates PostScript from image formats. The imagetoraster +filter is used to convert directly from image to raster, without the +intermediate PostScript stage. It is used more often than the above +mentioned prefilters. 
Here is a summarizing flowchart of image file +filtering: +</p><p> +</p><div class="figure"><a name="id2956398"></a><p class="title"><b>Figure 19.8. Image format to CUPS-raster format conversion</b></p><div class="mediaobject"><img src="projdoc/imagefiles/8small.png" alt="Image format to CUPS-raster format conversion"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956434"></a>rasterto [printers specific]</h3></div></div><div></div></div><p> +CUPS ships with quite some different raster drivers processing CUPS +raster. On my system I find in /usr/lib/cups/filter/ these: +<i class="parameter"><tt>rastertoalps, rastertobj, rastertoepson, rastertoescp, +rastertopcl, rastertoturboprint, rastertoapdk, rastertodymo, +rastertoescp, rastertohp</tt></i> and +<i class="parameter"><tt>rastertoprinter</tt></i>. Don't worry if you have less +than this; some of these are installed by commercial add-ons to CUPS +(like <i class="parameter"><tt>rastertoturboprint</tt></i>), others (like +<i class="parameter"><tt>rastertoprinter</tt></i>) by 3rd party driver +development projects (such as Gimp-Print) wanting to cooperate as +closely as possible with CUPS. +</p><p> +</p><div class="figure"><a name="id2956484"></a><p class="title"><b>Figure 19.9. Raster to Printer Specific formats</b></p><div class="mediaobject"><img src="projdoc/imagefiles/9small.png" alt="Raster to Printer Specific formats"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956519"></a>CUPS Backends</h3></div></div><div></div></div><p> +The last part of any CUPS filtering chain is a "backend". Backends +are special programs that send the print-ready file to the final +device. There is a separate backend program for any transfer +"protocol" of sending printjobs over the network, or for every local +interface. 
Every CUPS printqueue needs to have a CUPS "device-URI" +associated with it. The device URI is the way to encode the backend +used to send the job to its destination. Network device-URIs are using +two slashes in their syntax, local device URIs only one, as you can +see from the following list. Keep in mind that local interface names +may vary much from my examples, if your OS is not Linux: +</p><div class="variablelist"><dl><dt><span class="term">usb</span></dt><dd><p> +This backend sends printfiles to USB-connected printers. An +example for the CUPS device-URI to use is: +<tt class="filename">usb:/dev/usb/lp0</tt> +</p></dd><dt><span class="term">serial</span></dt><dd><p> +This backend sends printfiles to serially connected printers. +An example for the CUPS device-URI to use is: +<tt class="filename">serial:/dev/ttyS0?baud=11500</tt> +</p></dd><dt><span class="term">parallel</span></dt><dd><p> +This backend sends printfiles to printers connected to the +parallel port. An example for the CUPS device-URI to use is: +<tt class="filename">parallel:/dev/lp0</tt> +</p></dd><dt><span class="term">scsi</span></dt><dd><p> +This backend sends printfiles to printers attached to the +SCSI interface. An example for the CUPS device-URI to use is: +<tt class="filename">scsi:/dev/sr1</tt> +</p></dd><dt><span class="term">lpd</span></dt><dd><p> +This backend sends printfiles to LPR/LPD connected network +printers. An example for the CUPS device-URI to use is: +<tt class="filename">lpd://remote_host_name/remote_queue_name</tt> +</p></dd><dt><span class="term">AppSocket/HP JetDirect</span></dt><dd><p> +This backend sends printfiles to AppSocket (a.k.a. "HP +JetDirect") connected network printers. An example for the CUPS +device-URI to use is: +<tt class="filename">socket://10.11.12.13:9100</tt> +</p></dd><dt><span class="term">ipp</span></dt><dd><p> +This backend sends printfiles to IPP connected network +printers (or to other CUPS servers). 
Examples for CUPS device-URIs +to use are: +<tt class="filename">ipp:://192.193.194.195/ipp</tt> +(for many HP printers) or +<tt class="filename">ipp://remote_cups_server/printers/remote_printer_name</tt> +</p></dd><dt><span class="term">http</span></dt><dd><p> +This backend sends printfiles to HTTP connected printers. +(The http:// CUPS backend is only a symlink to the ipp:// backend.) +Examples for the CUPS device-URIs to use are: +<tt class="filename">http:://192.193.194.195:631/ipp</tt> +(for many HP printers) or +<tt class="filename">http://remote_cups_server:631/printers/remote_printer_name</tt> +</p></dd><dt><span class="term">smb</span></dt><dd><p> +This backend sends printfiles to printers shared by a Windows +host. An example for CUPS device-URIs to use are: +<tt class="filename">smb://workgroup/server/printersharename</tt> +Or +<tt class="filename">Smb://server/printersharename</tt> +or +<tt class="filename">smb://username:password@workgroup/server/printersharename</tt> +or +<tt class="filename">smb://username:password@server/printersharename</tt>. +The smb:// backend is a symlink to the Samba utility +<span class="emphasis"><em>smbspool</em></span> (doesn't ship with CUPS). If the +symlink is not present in your CUPS backend directory, have your +root user create it: <b class="command">ln -s `which smbspool` +/usr/lib/cups/backend/smb</b>. +</p></dd></dl></div><p> +It is easy to write your own backends as Shell or Perl scripts, if you +need any modification or extension to the CUPS print system. One +reason could be that you want to create "special" printers which send +the printjobs as email (through a "mailto:/" backend), convert them to +PDF (through a "pdfgen:/" backend) or dump them to "/dev/null" (In +fact I have the system-wide default printer set up to be connected to +a "devnull:/" backend: there are just too many people sending jobs +without specifying a printer, or scripts and programs which don't name +a printer. 
The system-wide default deletes the job and sends a polite +mail back to the $USER asking him to always specify a correct +printername). +</p><p> +Not all of the mentioned backends may be present on your system or +usable (depending on your hardware configuration). One test for all +available CUPS backends is provided by the <span class="emphasis"><em>lpinfo</em></span> +utility. Used with the <i class="parameter"><tt>-v</tt></i> parameter, it lists +all available backends: +</p><pre class="screen"> + + lpinfo -v + +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956831"></a>cupsomatic/Foomatic -- how do they fit into the Picture?</h3></div></div><div></div></div><p> +"cupsomatic" filters may be the most widely used on CUPS +installations. You must be clear about the fact that these were not +developed by the CUPS people. They are a "Third Party" add-on to +CUPS. They utilize the traditional Ghostscript devices to render jobs +for CUPS. When troubleshooting, you should know about the +difference. Here the whole rendering process is done in one stage, +inside Ghostscript, using an appropriate "device" for the target +printer. cupsomatic uses PPDs which are generated from the "Foomatic" +Printer & Driver Database at Linuxprinting.org. +</p><p> +You can recognize these PPDs from the line calling the +<span class="emphasis"><em>cupsomatic</em></span> filter: +</p><pre class="screen"> + + *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic" + +</pre><p> +This line you may find amongst the first 40 or so lines of the PPD +file. If you have such a PPD installed, the printer shows up in the +CUPS web interface with a <span class="emphasis"><em>foomatic</em></span> namepart for +the driver description. cupsomatic is a Perl script that runs +Ghostscript, with all the complicated commandline options +auto-constructed from the selected PPD and commandline options give to +the printjob. 
+</p><p> +However, cupsomatic is now deprecated. Its PPDs (especially the first +generation of them, still in heavy use out there) are not meeting the +Adobe specifications. You might also suffer difficulties when you try +to download them with "Point'n'Print" to Windows clients. A better, +and more powerful successor is now in a very stable Beta-version +available: it is called <span class="emphasis"><em>foomatic-rip</em></span>. To use +foomatic-rip as a filter with CUPS, you need the new-type PPDs. These +have a similar, but different line: +</p><pre class="screen"> + + *cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip" + +</pre><p> +The PPD generating engine at Linuxprinting.org has been revamped. +The new PPDs comply to the Adobe spec. On top, they also provide a +new way to specify different quality levels (hi-res photo, normal +color, grayscale, draft...) with a single click (whereas before you +could have required 5 or more different selections (media type, +resolution, inktype, dithering algorithm...). There is support for +custom-size media built in. There is support to switch +print-options from page to page, in the middle of a job. And the +best thing is: the new foomatic-rip now works seamlessly with all +legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR etc.), providing +for them access to use PPDs for their printing! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956944"></a>The Complete Picture</h3></div></div><div></div></div><p> +If you want to see an overview over all the filters and how they +relate to each other, the complete picture of the puzzle is at the end +of this document. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956960"></a><tt class="filename">mime.convs</tt></h3></div></div><div></div></div><p> +CUPS auto-constructs all possible filtering chain paths for any given +MIME type, and every printer installed. 
But how does it decide in +favor or against a specific alternative? (There may often be cases, +where there is a choice of two or more possible filtering chains for +the same target printer). Simple: you may have noticed the figures in +the 3rd column of the mime.convs file. They represent virtual costs +assigned to this filter. Every possible filtering chain will sum up to +a total "filter cost". CUPS decides for the most "inexpensive" route. +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +The setting of <i class="parameter"><tt>FilterLimit 1000</tt></i> in +<tt class="filename">cupsd.conf</tt> will not allow more filters to +run concurrently than will consume a total of 1000 virtual filter +cost. This is a very efficient way to limit the load of any CUPS +server by setting an appropriate "FilterLimit" value. A FilterLimit of +200 allows roughly 1 job at a time, while a FilterLimit of 1000 allows +approximately 5 jobs maximum at a time. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957012"></a>"Raw" printing</h3></div></div><div></div></div><p> +You can tell CUPS to print (nearly) any file "raw". "Raw" means it +will not be filtered. CUPS will send the file to the printer "as is" +without bothering if the printer is able to digest it. Users need to +take care themselves that they send sensible data formats only. Raw +printing can happen on any queue if the "-o raw" option is specified +on the command line. You can also set up raw-only queues by simply not +associating any PPD with it. This command: +</p><pre class="screen"> + + lpadmin -P rawprinter -v socket://11.12.13.14:9100 -E + +</pre><p> +sets up a queue named "rawprinter", connected via the "socket" +protocol (a.k.a. "HP JetDirect") to the device at IP address +11.12.1.3.14, using port 9100. 
(If you had added a PPD with +<b class="command">-P /path/to/PPD</b> to this command line, you would +have installed a "normal" printqueue. +</p><p> +CUPS will automatically treat each job sent to a queue as a "raw" one, +if it can't find a PPD associated with the queue. However, CUPS will +only send known MIME types (as defined in its own mime.types file) and +refuse others. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957066"></a>"application/octet-stream" printing</h3></div></div><div></div></div><p> +Any MIME type with no rule in the +<tt class="filename">/etc/cups/mime.types</tt> file is regarded as unknown +or <span class="emphasis"><em>application/octet-stream</em></span> and will not be +sent. Because CUPS refuses to print unknown MIME types per default, +you will probably have experienced the fact that printjobs originating +from Windows clients were not printed. You may have found an error +message in your CUPS logs like: +</p><pre class="screen"> + + Unable to convert file 0 to printable format for job + +</pre><p> +To enable the printing of "application/octet-stream" files, edit +these two files: +</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/cups/mime.convs</tt></p></li><li><p><tt class="filename">/etc/cups/mime.types</tt></p></li></ul></div><p> +Both contain entries (at the end of the respective files) which must +be uncommented to allow RAW mode operation for +application/octet-stream. In <tt class="filename">/etc/cups/mime.types</tt> +make sure this line is present: +</p><pre class="screen"> + + application/octet-stream + +</pre><p> +This line (with no specific auto-typing rule set) makes all files +not otherwise auto-typed a member of application/octet-stream. 
In +<tt class="filename">/etc/cups/mime.convs</tt>, have this +line: +</p><pre class="screen"> + + application/octet-stream application/vnd.cups-raw 0 - + +</pre><p> +This line tells CUPS to use the <span class="emphasis"><em>Null Filter</em></span> +(denoted as "-", doing... nothing at all) on +<span class="emphasis"><em>application/octet-stream</em></span>, and tag the result as +<span class="emphasis"><em>application/vnd.cups-raw</em></span>. This last one is +always a green light to the CUPS scheduler to now hand the file over +to the "backend" connecting to the printer and sending it over. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Editing the <tt class="filename">mime.convs</tt> and the +<tt class="filename">mime.types</tt> file does not +<span class="emphasis"><em>enforce</em></span> "raw" printing, it only +<span class="emphasis"><em>allows</em></span> it. +</p></div><p><b>Background. </b> +CUPS being a more security-aware printing system than traditional ones +does not by default allow one to send deliberate (possibly binary) +data to printing devices. (This could be easily abused to launch a +Denial of Service attack on your printer(s), causing at least the loss +of a lot of paper and ink...) "Unknown" data are regarded by CUPS +as <span class="emphasis"><em>MIME type</em></span> +<span class="emphasis"><em>application/octet-stream</em></span>. While you +<span class="emphasis"><em>can</em></span> send data "raw", the MIME type for these must +be one that is known to CUPS and an allowed one. The file +<tt class="filename">/etc/cups/mime.types</tt> defines the "rules" how CUPS +recognizes MIME types. The file +<tt class="filename">/etc/cups/mime.convs</tt> decides which file +conversion filter(s) may be applied to which MIME types. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957282"></a>PostScript Printer Descriptions (PPDs) for non-PS Printers</h3></div></div><div></div></div><p> +Originally PPDs were meant to be used for PostScript printers +only. Here, they help to send device-specific commands and settings +to the RIP which processes the jobfile. CUPS has extended this +scope for PPDs to cover non-PostScript printers too. This was not +very difficult, because it is a standardized file format. In a way +it was logical too: CUPS handles PostScript and uses a PostScript +RIP (=Ghostscript) to process the jobfiles. The only difference is: +a PostScript printer has the RIP built-in, for other types of +printers the Ghostscript RIP runs on the host computer. +</p><p> +PPDs for a non-PS printer have a few lines that are unique to +CUPS. The most important one looks similar to this: +</p><pre class="screen"> + + *cupsFilter: application/vnd.cups-raster 66 rastertoprinter + +</pre><p> +It is the last piece in the CUPS filtering puzzle. This line tells the +CUPS daemon to use as a last filter "rastertoprinter". This filter +should be served as input an "application/vnd.cups-raster" MIME type +file. Therefore CUPS should auto-construct a filtering chain, which +delivers as its last output the specified MIME type. This is then +taken as input to the specified "rastertoprinter" filter. After this +the last filter has done its work ("rastertoprinter" is a Gimp-Print +filter), the file should go to the backend, which sends it to the +output device. +</p><p> +CUPS by default ships only a few generic PPDs, but they are good for +several hundred printer models. 
You may not be able to control +different paper trays, or you may get larger margins than your +specific model supports): +</p><div class="variablelist"><dl><dt><span class="term">deskjet.ppd</span></dt><dd><p>older HP inkjet printers and compatible +</p></dd><dt><span class="term">deskjet2.ppd</span></dt><dd><p>newer HP inkjet printers and compatible +</p></dd><dt><span class="term">dymo.ppd</span></dt><dd><p>label printers +</p></dd><dt><span class="term">epson9.ppd</span></dt><dd><p>Epson 24pin impact printers and compatible +</p></dd><dt><span class="term">epson24.ppd</span></dt><dd><p>Epson 24pin impact printers and compatible +</p></dd><dt><span class="term">okidata9.ppd</span></dt><dd><p>Okidata 9pin impact printers and compatible +</p></dd><dt><span class="term">okidat24.ppd</span></dt><dd><p>Okidata 24pin impact printers and compatible +</p></dd><dt><span class="term">stcolor.ppd</span></dt><dd><p>older Epson Stylus Color printers +</p></dd><dt><span class="term">stcolor2.ppd</span></dt><dd><p>newer Epson Stylus Color printers +</p></dd><dt><span class="term">stphoto.ppd</span></dt><dd><p>older Epson Stylus Photo printers +</p></dd><dt><span class="term">stphoto2.ppd</span></dt><dd><p>newer Epson Stylus Photo printers +</p></dd><dt><span class="term">laserjet.ppd</span></dt><dd><p>all PCL printers. Further below is a discussion +of several other driver/PPD-packages suitable fur use with CUPS. +</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957510"></a>Difference between <span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> and +<span class="emphasis"><em>native CUPS</em></span> printing</h3></div></div><div></div></div><p> +Native CUPS rasterization works in two steps. +</p><div class="itemizedlist"><ul type="disc"><li><p> +First is the "pstoraster" step. 
It uses the special "cups" +device from ESP Ghostscript 7.05.x as its tool +</p></li><li><p> +Second comes the "rasterdriver" step. It uses various +device-specific filters; there are several vendors who provide good +quality filters for this step, some are Free Software, some are +Shareware/Non-Free, some are proprietary.</p></li></ul></div><p> +Often this produces better quality (and has several more +advantages) than other methods. +</p><p> +</p><div class="figure"><a name="id2957561"></a><p class="title"><b>Figure 19.10. cupsomatic/foomatic processing versus Native CUPS</b></p><div class="mediaobject"><img src="projdoc/imagefiles/10small.png" alt="cupsomatic/foomatic processing versus Native CUPS"></div></div><p> +</p><p> +One other method is the <span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> +way. Note that cupsomatic is <span class="emphasis"><em>not</em></span> made by the CUPS +developers. It is an independent contribution to printing development, +made by people from Linuxprinting.org (see also <a href="http://www.cups.org/cups-help.html" target="_top">http://www.cups.org/cups-help.html</a>). +cupsomatic is no longer developed and maintained and is no longer +supported. It has now been replaced by +<span class="emphasis"><em>foomatic-rip</em></span>. foomatic-rip is a complete re-write +of the old cupsomatic idea, but very much improved and generalized to +other (non-CUPS) spoolers. An upgrade to foomatic-rip is strongly +advised, especially if you are upgrading to a recent version of CUPS +too. +</p><p> +Both the cupsomatic (old) and the foomatic-rip (new) methods from +Linuxprinting.org use the traditional Ghostscript print file +processing, doing everything in a single step. It therefore relies on +all the other devices built-in into Ghostscript. The quality is as +good (or bad) as Ghostscript rendering is in other spoolers. 
The +advantage is that this method supports many printer models not +supported (yet) by the more modern CUPS method. +</p><p> +Of course, you can use both methods side by side on one system (and +even for one printer, if you set up different queues), and find out +which works best for you. +</p><p> +cupsomatic "kidnaps" the printfile after the +<span class="emphasis"><em>application/vnd.cups-postscript</em></span> stage and +deviates it through the CUPS-external, system wide Ghostscript +installation: Therefore the printfile bypasses the "pstoraster" filter +(and thus also bypasses the CUPS-raster-drivers +"rastertosomething"). After Ghostscript finished its rasterization, +cupsomatic hands the rendered file directly to the CUPS backend. The +flowchart above illustrates the difference between native CUPS +rendering and the Foomatic/cupsomatic method. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957666"></a>Examples for filtering Chains</h3></div></div><div></div></div><p> +Here are a few examples of commonly occurring filtering chains to +illustrate the workings of CUPS. 
+</p><p> +Assume you want to print a PDF file to a HP JetDirect-connected +PostScript printer, but you want to print the pages 3-5, 7, 11-13 +only, and you want to print them "2-up" and "duplex": +</p><div class="itemizedlist"><ul type="disc"><li><p>your print options (page selection as required, 2-up, +duplex) are passed to CUPS on the commandline;</p></li><li><p>the (complete) PDF file is sent to CUPS and autotyped as +<span class="emphasis"><em>application/pdf</em></span>;</p></li><li><p>the file therefore first must pass the +<span class="emphasis"><em>pdftops</em></span> pre-filter, which produces PostScript +MIME type <span class="emphasis"><em>application/postscript</em></span> (a preview here +would still show all pages of the original PDF);</p></li><li><p>the file then passes the <span class="emphasis"><em>pstops</em></span> +filter which applies the commandline options: it selects the pages +2-5, 7 and 11-13, creates and imposed layout "2 pages on 1 sheet" and +inserts the correct "duplex" command (as is defined in the printer's +PPD) into the new PostScript file; the file now is of PostScript MIME +type +<span class="emphasis"><em>application/vnd.cups-postscript</em></span>;</p></li><li><p>the file goes to the <span class="emphasis"><em>socket</em></span> +backend, which transfers the job to the printers.</p></li></ul></div><p> +The resulting filter chain therefore is: +</p><pre class="screen"> +pdftops --> pstops --> socket +</pre><p> +Assume your want to print the same filter to an USB-connected +Epson Stylus Photo printer, installed with the CUPS +<tt class="filename">stphoto2.ppd</tt>. 
The first few filtering stages +are nearly the same: +</p><div class="itemizedlist"><ul type="disc"><li><p>your print options (page selection as required, 2-up, +duplex) are passed to CUPS on the commandline;</p></li><li><p>the (complete) PDF file is sent to CUPS and autotyped as +<span class="emphasis"><em>application/pdf</em></span>;</p></li><li><p>the file therefore first must pass the +<span class="emphasis"><em>pdftops</em></span> pre-filter, which produces PostScript +MIME type <span class="emphasis"><em>application/postscript</em></span> (a preview here +would still show all pages of the original PDF);</p></li><li><p>the file then passes the "pstops" filter which applies +the commandline options: it selects the pages 2-5, 7 and 11-13, +creates and imposed layout "2 pages on 1 sheet" and inserts the +correct "duplex" command... (OOoops -- this printer and his PPD +don't support duplex printing at all -- this option will be ignored +then) into the new PostScript file; the file now is of PostScript +MIME type +<span class="emphasis"><em>application/vnd.cups-postscript</em></span>;</p></li><li><p>the file then passes the +<span class="emphasis"><em>pstoraster</em></span> stage and becomes MIME type +<span class="emphasis"><em>application/cups-raster</em></span>;</p></li><li><p>finally, the <span class="emphasis"><em>rastertoepson</em></span> filter +does its work (as is indicated in the printer's PPD), creating the +printer-specific raster data and embedding any user-selected +print-options into the print data stream;</p></li><li><p>the file goes to the <span class="emphasis"><em>usb</em></span> backend, +which transfers the job to the printers.</p></li></ul></div><p> +The resulting filter chain therefore is: +</p><pre class="screen"> +pdftops --> pstops --> pstoraster --> rastertoepson --> usb +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957897"></a>Sources of CUPS drivers / 
PPDs</h3></div></div><div></div></div><p> +On the internet you can find now many thousand CUPS-PPD files +(with their companion filters), in many national languages, +supporting more than 1000 non-PostScript models. +</p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://wwwl.easysw.com/printpro/" target="_top">ESP +PrintPro (http://wwwl.easysw.com/printpro/)</a> (commercial, +non-Free) is packaged with more than 3000 PPDs, ready for +successful use "out of the box" on Linux, Mac OS X, IBM-AIX, +HP-UX, Sun-Solaris, SGI-IRIX, Compaq Tru64, Digital Unix and some +more commercial Unices (it is written by the CUPS developers +themselves and its sales help finance the further development of +CUPS, as they feed their creators).</p></li><li><p>the <a href="http://gimp-print.sourceforge.net/" target="_top">Gimp-Print-Project +(http://gimp-print.sourceforge.net/)</a> (GPL, Free Software) +provides around 140 PPDs (supporting nearly 400 printers, many driven +to photo quality output), to be used alongside the Gimp-Print CUPS +filters;</p></li><li><p><a href="http://www.turboprint.com/" target="_top">TurboPrint +(http://www.turboprint.com/)</a> (Shareware, non-Free) supports +roughly the same amount of printers in excellent +quality;</p></li><li><p><a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">OMNI +(http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</a> +(LPGL, Free) is a package made by IBM, now containing support for more +than 400 printers, stemming from the inheritance of IBM OS/2 Know-How +ported over to Linux (CUPS support is in a Beta-stage at +present);</p></li><li><p><a href="http://hpinkjet.sourceforge.net/" target="_top">HPIJS +(http://hpinkjet.sourceforge.net/)</a> (BSD-style licenses, Free) +supports around 150 of HP's own printers and is also providing +excellent print quality now (currently available only via the Foomatic +path);</p></li><li><p><a href="http://www.linuxprinting.org/" 
target="_top">Foomatic/cupsomatic +(http://www.linuxprinting.org/)</a> (LPGL, Free) from +Linuxprinting.org are providing PPDs for practically every Ghostscript +filter known to the world (including Omni, Gimp-Print and +HPIJS).</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The cupsomatic/Foomatic trick from Linuxprinting.org works +differently from the other drivers. This is explained elsewhere in this +document. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958024"></a>Printing with Interface Scripts</h3></div></div><div></div></div><p> +CUPS also supports the usage of "interface scripts" as known from +System V AT&T printing systems. These are often used for PCL +printers, from applications that generate PCL print jobs. Interface +scripts are specific to printer models. They have a similar role as +PPDs for PostScript printers. Interface scripts may inject the Escape +sequences as required into the print data stream, if the user has +chosen to select a certain paper tray, or print landscape, or use A3 +paper, etc. Interfaces scripts are practically unknown in the Linux +realm. On HP-UX platforms they are more often used. You can use any +working interface script on CUPS too. Just install the printer with +the <b class="command">-i</b> option: +</p><pre class="screen"> + + lpadmin -p pclprinter -v socket://11.12.13.14:9100 -i /path/to/interface-script + +</pre><p> +Interface scripts might be the "unknown animal" to many. However, +with CUPS they provide the most easy way to plug in your own +custom-written filtering script or program into one specific print +queue (some information about the traditional usage of interface scripts is +to be found at <a href="http://playground.sun.com/printing/documentation/interface.html" target="_top">http://playground.sun.com/printing/documentation/interface.html</a>). 
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958100"></a>Network printing (purely Windows)</h2></div></div><div></div></div><p> +Network printing covers a lot of ground. To understand what exactly +goes on with Samba when it is printing on behalf of its Windows +clients, let's first look at a "purely Windows" setup: Windows clients +with a Windows NT print server. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958116"></a>From Windows Clients to an NT Print Server</h3></div></div><div></div></div><p> +Windows clients printing to an NT-based print server have two +options. They may +</p><div class="itemizedlist"><ul type="disc"><li><p>execute the driver locally and render the GDI output +(EMF) into the printer specific format on their own, +or</p></li><li><p>send the GDI output (EMF) to the server, where the +driver is executed to render the printer specific +output.</p></li></ul></div><p> +Both print paths are shown in the flowcharts below. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958155"></a>Driver Execution on the Client</h3></div></div><div></div></div><p> +In the first case the print server must spool the file as "raw", +meaning it shouldn't touch the jobfile and try to convert it in any +way. This is what traditional Unix-based print server can do too; and +at a better performance and more reliably than NT print server. This +is what most Samba administrators probably are familiar with. One +advantage of this setup is that this "spooling-only" print server may +be used even if no driver(s) for Unix are available it is sufficient +to have the Windows client drivers available and installed on the +clients. +</p><p> +</p><div class="figure"><a name="id2958191"></a><p class="title"><b>Figure 19.11. 
Print Driver execution on the Client</b></p><div class="mediaobject"><img src="projdoc/imagefiles/11small.png" alt="Print Driver execution on the Client"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958227"></a>Driver Execution on the Server</h3></div></div><div></div></div><p> +The other path executes the printer driver on the server. The clients +transfers print files in EMF format to the server. The server uses the +PostScript, PCL, ESC/P or other driver to convert the EMF file into +the printer-specific language. It is not possible for Unix to do the +same. Currently there is no program or method to convert a Windows +client's GDI output on a Unix server into something a printer could +understand. +</p><p> +</p><div class="figure"><a name="id2958249"></a><p class="title"><b>Figure 19.12. Print Driver execution on the Server</b></p><div class="mediaobject"><img src="projdoc/imagefiles/12small.png" alt="Print Driver execution on the Server"></div></div><p> +</p><p> +However, there is something similar possible with CUPS. Read on... +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958289"></a>Network Printing (Windows clients -- UNIX/Samba Print +Servers)</h2></div></div><div></div></div><p> +Since UNIX print servers <span class="emphasis"><em>cannot</em></span> execute the Win32 +program code on their platform, the picture is somewhat +different. However, this doesn't limit your options all that +much. In the contrary, you may have a way here to implement printing +features which are not possible otherwise. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958310"></a>From Windows Clients to a CUPS/Samba Print Server</h3></div></div><div></div></div><p> +Here is a simple recipe showing how you can take advantage of CUPS +powerful features for the benefit of your Windows network printing +clients: +</p><div class="itemizedlist"><ul type="disc"><li><p>Let the Windows clients send PostScript to the CUPS +server.</p></li><li><p>Let the CUPS server render the PostScript into device +specific raster format.</p></li></ul></div><p> +This requires the clients to use a PostScript driver (even if the +printer is a non-PostScript model. It also requires that you have a +"driver" on the CUPS server. +</p><p> +Firstly, to enable CUPS based printing through Samba the +following options should be set in your <tt class="filename">smb.conf</tt> file [globals] +section: +</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printing = CUPS</tt></i></p></li><li><p><i class="parameter"><tt>printcap = CUPS</tt></i></p></li></ul></div><p> +When these parameters are specified, all manually set print directives +(like <i class="parameter"><tt>print command =...</tt></i>, or <i class="parameter"><tt>lppause +command =...</tt></i>) in <tt class="filename">smb.conf</tt> (as well as +in samba itself) will be ignored. Instead, Samba will directly +interface with CUPS through it's application program interface (API) - +as long as Samba has been compiled with CUPS library (libcups) +support. If Samba has NOT been compiled with CUPS support, and if no +other print commands are set up, then printing will use the +<span class="emphasis"><em>System V</em></span> AT&T command set, with the -oraw +option automatically passing through (if you want your own defined +print commands to work with a Samba that has CUPS support compiled in, +simply use <i class="parameter"><tt>printing = sysv</tt></i>). 
+</p><p> +</p><div class="figure"><a name="id2958439"></a><p class="title"><b>Figure 19.13. Printing via CUPS/samba server</b></p><div class="mediaobject"><img src="projdoc/imagefiles/13small.png" alt="Printing via CUPS/samba server"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958474"></a>Samba receiving Jobfiles and passing them to CUPS</h3></div></div><div></div></div><p> +Samba <span class="emphasis"><em>must</em></span> use its own spool directory (it is set +by a line similar to <i class="parameter"><tt>path = /var/spool/samba</tt></i>, +in the <i class="parameter"><tt>[printers]</tt></i> or +<i class="parameter"><tt>[printername]</tt></i> section of +<tt class="filename">smb.conf</tt>). Samba receives the job in its own +spool space and passes it into the spool directory of CUPS (the CUPS +spooling directory is set by the <i class="parameter"><tt>RequestRoot</tt></i> +directive, in a line that defaults to <i class="parameter"><tt>RequestRoot +/var/spool/cups</tt></i>). CUPS checks the access rights of its +spool dir and resets it to healthy values with every re-start. We have +seen quite some people who had used a common spooling space for Samba +and CUPS, and were struggling for weeks with this "problem". +</p><p> +A Windows user authenticates only to Samba (by whatever means is +configured). If Samba runs on the same host as CUPS, you only need to +allow "localhost" to print. If they run on different machines, you +need to make sure the Samba host gets access to printing on CUPS. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958550"></a>Network PostScript RIP: CUPS Filters on Server -- clients use +PostScript Driver with CUPS-PPDs</h2></div></div><div></div></div><p> +PPDs can control all print device options. They are usually provided +by the manufacturer; if you own a PostScript printer, that is. 
PPD +files (PostScript Printer Descriptions) are always a component of +PostScript printer drivers on MS Windows or Apple Mac OS systems. They +are ASCII files containing user-selectable print options, mapped to +appropriate PostScript, PCL or PJL commands for the target +printer. Printer driver GUI dialogs translate these options +"on-the-fly" into buttons and drop-down lists for the user to select. +</p><p> +CUPS can load, without any conversions, the PPD file from any Windows +(NT is recommended) PostScript driver and handle the options. There is +a web browser interface to the print options (select <a href="http://localhost:631/printers/" target="_top">http://localhost:631/printers/</a> +and click on one <span class="emphasis"><em>Configure Printer</em></span> button to see +it), or a commandline interface (see <b class="command">man lpoptions</b> +or see if you have lphelp on your system). There are also some +different GUI frontends on Linux/UNIX, which can present PPD options +to users. PPD options are normally meant to be evaluated by the +PostScript RIP on the real PostScript printer. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958605"></a>PPDs for non-PS Printers on UNIX</h3></div></div><div></div></div><p> +CUPS doesn't limit itself to "real" PostScript printers in its usage +of PPDs. The CUPS developers have extended the scope of the PPD +concept, to also describe available device and driver options for +non-PostScript printers through CUPS-PPDs. +</p><p> +This is logical, as CUPS includes a fully featured PostScript +interpreter (RIP). This RIP is based on Ghostscript. It can process +all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain +an additional line, starting with the keyword +<i class="parameter"><tt>*cupsFilter</tt></i> . 
This line tells the CUPS print +system which printer-specific filter to use for the interpretation of +the supplied PostScript. Thus CUPS lets all its printers appear as +PostScript devices to its clients, because it can act as a PostScript +RIP for those printers, processing the received PostScript code into a +proper raster print format. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958646"></a>PPDs for non-PS Printers on Windows</h3></div></div><div></div></div><p> +CUPS-PPDs can also be used on Windows-Clients, on top of a +"core" PostScript driver (now recommended is the "CUPS PostScript +Driver for WindowsNT/2K/XP"; you can also use the Adobe one, with +limitations). This feature enables CUPS to do a few tricks no other +spooler can do: +</p><div class="itemizedlist"><ul type="disc"><li><p>act as a networked PostScript RIP (Raster Image +Processor), handling printfiles from all client platforms in a uniform +way;</p></li><li><p>act as a central accounting and billing server, since +all files are passed through the pstops filter and are therefore +logged in the CUPS <tt class="filename">page_log</tt> file. +<span class="emphasis"><em>NOTE:</em></span> this can not happen with "raw" print jobs, +which always remain unfiltered per definition;</p></li><li><p>enable clients to consolidate on a single PostScript +driver, even for many different target printers.</p></li></ul></div><p> +Using CUPS PPDs on Windows clients enables these to control +all print job settings just as a UNIX client can do too. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958712"></a>Windows Terminal Servers (WTS) as CUPS Clients</h2></div></div><div></div></div><p> +This setup may be of special interest to people experiencing major +problems in WTS environments. 
WTS need often a multitude of +non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much +increased instability. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958729"></a>Printer Drivers running in "Kernel Mode" cause many +Problems</h3></div></div><div></div></div><p> +The reason is that in Win NT printer drivers run in "Kernel +Mode", this introduces a high risk for the stability of the system +if the driver is not really stable and well-tested. And there are a +lot of bad drivers out there! Especially notorious is the example +of the PCL printer driver that had an additional sound module +running, to notify users via soundcard of their finished jobs. Do I +need to say that this one was also reliably causing "Blue Screens +of Death" on a regular basis? +</p><p> +PostScript drivers generally are very well tested. They are not known +to cause any problems, even though they run in Kernel Mode too. This +might be because there have so far only been 2 different PostScript +drivers the ones from Adobe and the one from Microsoft. Both are +very well tested and are as stable as you ever can imagine on +Windows. The CUPS driver is derived from the Microsoft one. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958763"></a>Workarounds impose Heavy Limitations</h3></div></div><div></div></div><p> +In many cases, in an attempt to work around this problem, site +administrators have resorted to restrict the allowed drivers installed +on their WTS to one generic PCL- and one PostScript driver. This +however restricts the clients in the amount of printer options +available for them; often they can't get out more than simplex +prints from one standard paper tray, while their devices could do much +better, if driven by a different driver! 
) +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958784"></a>CUPS: a "Magical Stone"?</h3></div></div><div></div></div><p> +Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very +elegant way to overcome all these shortcomings. There are, depending +on the version of Windows OS you use, up to 3 different PostScript +drivers available: Adobe, Microsoft and CUPS PostScript drivers. None +of them is known to cause major stability problems on WTS (even if +used with many different PPDs). The clients will be able to (again) +chose paper trays, duplex printing and other settings. However, there +is a certain price for this too: a CUPS server acting as a PostScript +RIP for its clients requires more CPU and RAM than when just acting as +a "raw spooling" device. Plus, this setup is not yet widely tested, +although the first feedbacks look very promising. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958811"></a>PostScript Drivers with no major problems -- even in Kernel +Mode</h3></div></div><div></div></div><p> +More recent printer drivers on W2K and XP don't run in Kernel mode +(unlike Win NT) any more. However, both operating systems can still +use the NT drivers, running in Kernel mode (you can roughly tell which +is which as the drivers in subdirectory "2" of "W32X86" are "old" +ones). As was said before, the Adobe as well as the Microsoft +PostScript drivers are not known to cause any stability problems. The +CUPS driver is derived from the Microsoft one. There is a simple +reason for this: The MS DDK (Device Development Kit) for Win NT (which +used to be available at no cost to licensees of Visual Studio) +includes the source code of the Microsoft driver, and licensees of +Visual Studio are allowed to use and modify it for their own driver +development efforts. This is what the CUPS people have done. 
The +license doesn't allow them to publish the whole of the source code. +However, they have released the "diff" under the GPL, and if you are +owner of an "MS DDK for Win NT", you can check the driver yourself. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958865"></a> Setting up CUPS for driver Download</h2></div></div><div></div></div><p> +As we have said before: all previously known methods to prepare client +printer drivers on the Samba server for download and "Point'n'Print" +convenience of Windows workstations are working with CUPS too. These +methods were described in the previous chapter. In reality, this is a +pure Samba business, and only relates to the Samba/Win client +relationship. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958884"></a><span class="emphasis"><em>cupsaddsmb</em></span>: the unknown Utility</h3></div></div><div></div></div><p> +The cupsaddsmb utility (shipped with all current CUPS versions) is an +alternative method to transfer printer drivers into the Samba +<i class="parameter"><tt>[print$]</tt></i> share. Remember, this share is where +clients expect drivers deposited and setup for download and +installation. It makes the sharing of any (or all) installed CUPS +printers very easy. cupsaddsmb can use the Adobe PostScript driver as +well as the newly developed <span class="emphasis"><em>CUPS PostScript Driver for +WinNT/2K/XP</em></span>. Note, that cupsaddsmb does +<span class="emphasis"><em>not</em></span> work with arbitrary vendor printer drivers, +but only with the <span class="emphasis"><em>exact</em></span> driver files that are +named in its man page. +</p><p> +The CUPS printer driver is available from the CUPS download site. Its +package name is <tt class="filename">cups-samba-[version].tar.gz</tt> . 
It +is preferred over the Adobe drivers since it has a number of +advantages: +</p><div class="itemizedlist"><ul type="disc"><li><p>it supports a much more accurate page +accounting;</p></li><li><p>it supports banner pages, and page labels on all +printers;</p></li><li><p>it supports the setting of a number of job IPP +attributes (such as job-priority, page-label and +job-billing)</p></li></ul></div><p> +However, currently only Windows NT, 2000, and XP are supported by the +CUPS drivers. You will need to get the respective part of Adobe driver +too if you need to support Windows 95, 98, and ME clients. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958976"></a>Prepare your <tt class="filename">smb.conf</tt> for +cupsaddsmb</h3></div></div><div></div></div><p> +Prior to running cupsaddsmb, you need the following settings in +<tt class="filename">smb.conf</tt>: +</p><pre class="screen"> + + [global] + load printers = yes + printing = cups + printcap name = cups + + [printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes # setting depends on your requirements + writable = no + printable = yes + printer admin = root + + [print$] + comment = Printer Drivers + path = /etc/samba/drivers + browseable = yes + guest ok = no + read only = yes + write list = root + +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959022"></a>CUPS Package of "PostScript Driver for WinNT/2k/XP"</h3></div></div><div></div></div><p> +CUPS users may get the exactly same packages from<a href="http://www.cups.org/software.html" target="_top"><span class="emphasis"><em>http://www.cups.org/software.html</em></span></a>. +It is a separate package from the CUPS base software files, tagged as +<span class="emphasis"><em>CUPS 1.1.x Windows NT/2k/XP Printer Driver for SAMBA +(tar.gz, 192k)</em></span>. 
The filename to download is +<tt class="filename">cups-samba-1.1.x.tar.gz</tt>. Upon untar-/unzip-ing, +it will reveal these files: +</p><pre class="screen"> + +# tar xvzf cups-samba-1.1.19.tar.gz + + cups-samba.install + cups-samba.license + cups-samba.readme + cups-samba.remove + cups-samba.ss + +</pre><p> +These have been packaged with the ESP meta packager software +"EPM". The <tt class="filename">*.install</tt> and +<tt class="filename">*.remove</tt> files are simple shell scripts, which +untars the <tt class="filename">*.ss</tt> (the <tt class="filename">*.ss</tt> is +nothing else but a tar-archive, which can be untar-ed by "tar" +too). Then it puts the content into +<tt class="filename">/usr/share/cups/drivers/</tt>. This content includes 3 +files: +</p><pre class="screen"> + +# tar tv cups-samba.ss + + cupsdrvr.dll + cupsui.dll + cups.hlp + +</pre><p> +The <span class="emphasis"><em>cups-samba.install</em></span> shell scripts is easy to +handle: +</p><pre class="screen"> + +# ./cups-samba.install + + [....] + Installing software... + Updating file permissions... + Running post-install commands... + Installation is complete. + +</pre><p> +The script should automatically put the driver files into the +<tt class="filename">/usr/share/cups/drivers/</tt> directory. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Due to a bug, one recent CUPS release puts the +<tt class="filename">cups.hlp</tt> driver file +into<tt class="filename">/usr/share/drivers/</tt> instead of +<tt class="filename">/usr/share/cups/drivers/</tt>. To work around this, +copy/move the file (after running the +<b class="command">./cups-samba.install</b> script) manually to the +right place. +</p></div><pre class="screen"> + + cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ + +</pre><p> +This new CUPS PostScript driver is currently binary-only, but free of +charge. No complete source code is provided (yet). 
The reason is this: +it has been developed with the help of the <span class="emphasis"><em>Microsoft Driver +Developer Kit</em></span> (DDK) and compiled with Microsoft Visual +Studio 6. Driver developers are not allowed to distribute the whole of +the source code as Free Software. However, CUPS developers released +the "diff" in source code under the GPL, so anybody with a license of +Visual Studio and a DDK will be able to compile for him/herself. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959220"></a>Recognize the different Driver Files</h3></div></div><div></div></div><p> +The CUPS drivers don't support the "older" Windows 95/98/ME, but only +the Windows NT/2000/XP client: +</p><pre class="screen"> + + [Windows NT, 2000, and XP are supported by:] + cups.hlp + cupsdrvr.dll + cupsui.dll + +</pre><p> +Adobe drivers are available for the older Windows 95/98/ME as well as +the Windows NT/2000/XP clients. The set of files is different for the +different platforms. +</p><pre class="screen"> + + [Windows 95, 98, and Me are supported by:] + ADFONTS.MFM + ADOBEPS4.DRV + ADOBEPS4.HLP + DEFPRTR2.PPD + ICONLIB.DLL + PSMON.DLL + + [Windows NT, 2000, and XP are supported by:] + ADOBEPS5.DLL + ADOBEPSU.DLL + ADOBEPSU.HLP + +</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +If both, the Adobe driver files and the CUPS driver files for the +support of WinNT/2k/XP are present in , the Adobe ones will be ignored +and the CUPS ones will be used. If you prefer -- for whatever reason +-- to use Adobe-only drivers, move away the 3 CUPS driver files. The +Win95/98/ME clients use the Adobe drivers in any case. 
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959278"></a>Acquiring the Adobe Driver Files</h3></div></div><div></div></div><p> +Acquiring the Adobe driver files seems to be unexpectedly difficult +for many users. They are not available on the Adobe website as single +files and the self-extracting and/or self-installing Windows-exe is +not easy to locate either. Probably you need to use the included +native installer and run the installation process on one client +once. This will install the drivers (and one Generic PostScript +printer) locally on the client. When they are installed, share the +Generic PostScript printer. After this, the client's +<i class="parameter"><tt>[print$]</tt></i> share holds the Adobe files, from +where you can get them with smbclient from the CUPS host. A more +detailed description about this is in the next (the CUPS printing) +chapter. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959310"></a>ESP Print Pro Package of "PostScript Driver for +WinNT/2k/XP"</h3></div></div><div></div></div><p> +Users of the ESP Print Pro software are able to install their "Samba +Drivers" package for this purpose with no problem. Retrieve the driver +files from the normal download area of the ESP Print Pro software +at<a href="http://www.easysw.com/software.html" target="_top">http://www.easysw.com/software.html</a>. +You need to locate the link labelled "SAMBA" amongst the +<span class="emphasis"><em>Download Printer Drivers for ESP Print Pro 4.x</em></span> +area and download the package. Once installed, you can prepare any +driver by simply highlighting the printer in the Printer Manager GUI +and select <span class="emphasis"><em>Export Driver...</em></span> from the menu. Of +course you need to have prepared Samba beforehand too to handle the +driver files; i.e. mainly setup the <i class="parameter"><tt>[print$]</tt></i> +share, etc. 
The ESP Print Pro package includes the CUPS driver files +as well as a (licensed) set of Adobe drivers for the Windows 95/98/ME +client family. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959360"></a>Caveats to be considered</h3></div></div><div></div></div><p> +Once you have run the install script (and possibly manually +moved the <tt class="filename">cups.hlp</tt> file to +<tt class="filename">/usr/share/cups/drivers/</tt>), the driver is +ready to be put into Samba's <i class="parameter"><tt>[print$]</tt></i> share (which often maps to +<tt class="filename">/etc/samba/drivers/</tt> and contains a subdir +tree with <span class="emphasis"><em>WIN40</em></span> and +<span class="emphasis"><em>W32X86</em></span> branches): You do this by running +"cupsaddsmb" (see also <b class="command">man cupsaddsmb</b> for +CUPS since release 1.1.16). +</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> +You may need to put root into the smbpasswd file by running +<b class="command">smbpasswd</b>; this is especially important if you +should run this whole procedure for the first time, and are not +working in an environment where everything is configured for +<span class="emphasis"><em>Single Sign On</em></span> to a Windows Domain Controller. +</p></div><p> +Once the driver files are in the <i class="parameter"><tt>[print$]</tt></i> share +and are initialized, they are ready to be downloaded and installed by +the Win NT/2k/XP clients. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +</p><div class="orderedlist"><ol type="1"><li><p> +Win 9x/ME clients won't work with the CUPS PostScript driver. For +these you'd still need to use the <tt class="filename">ADOBE*.*</tt> +drivers as previously. 
+</p></li><li><p> +It is not harmful if you still have the +<tt class="filename">ADOBE*.*</tt> driver files from previous +installations in the <tt class="filename">/usr/share/cups/drivers/</tt> +directory. The new <span class="emphasis"><em>cupsaddsmb</em></span> (from 1.1.16) will +automatically prefer "its own" drivers if it finds both. +</p></li><li><p> +Should your Win clients have had the old <tt class="filename">ADOBE*.*</tt> +files for the Adobe PostScript driver installed, the download and +installation of the new CUPS PostScript driver for Windows NT/2k/XP +will fail at first. You need to wipe the old driver from the clients +first. It is not enough to "delete" the printer, as the driver files +will still be kept by the clients and re-used if you try to re-install +the printer. To really get rid of the Adobe driver files on the +clients, open the "Printers" folder (possibly via <span class="emphasis"><em>Start +--> Settings --> Control Panel --> Printers</em></span>), +right-click onto the folder background and select <span class="emphasis"><em>Server +Properties</em></span>. When the new dialog opens, select the +<span class="emphasis"><em>Drivers</em></span> tab. On the list select the driver you +want to delete and click on the <span class="emphasis"><em>Delete</em></span> +button. This will only work if there is not one single printer left +which uses that particular driver. You need to "delete" all printers +using this driver in the "Printers" folder first. You will need +Administrator privileges to do this. +</p></li><li><p> +Once you have successfully downloaded the CUPS PostScript driver to a +client, you can easily switch all printers to this one by proceeding +as described elsewhere in the "Samba HOWTO Collection": either change +a driver for an existing printer by running the "Printer Properties" +dialog, or use <b class="command">rpcclient</b> with the +<b class="command">setdriver</b> sub-command. 
+</p></li></ol></div><p> +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959582"></a>What are the Benefits of using the "CUPS PostScript Driver for +Windows NT/2k/XP" as compared to the Adobe Driver?</h3></div></div><div></div></div><p> +You are interested in a comparison between the CUPS and the Adobe +PostScript drivers? For our purposes these are the most important +items which weigh in favor of the CUPS ones: +</p><div class="itemizedlist"><ul type="disc"><li><p>no hassle with the Adobe EULA</p></li><li><p>no hassle with the question “<span class="quote">Where do I +get the ADOBE*.* driver files from?</span>”</p></li><li><p>the Adobe drivers (on request of the printer PPD +associated with them) often put a PJL header in front of the main +PostScript part of the print file. Thus the printfile starts with +<i class="parameter"><tt><1B >%-12345X</tt></i> or +<i class="parameter"><tt><escape>%-12345X</tt></i> instead +of <i class="parameter"><tt>%!PS</tt></i>). 
This leads to the +CUPS daemon auto-typing the incoming file as a print-ready file, +not initiating a pass through the "pstops" filter (to speak more +technically, it is not regarded as the generic MIME type +<span class="emphasis"><em>application/postscript</em></span>, but as +the more special MIME type +<span class="emphasis"><em>application/cups.vnd-postscript</em></span>), +which therefore also leads to the page accounting in +<span class="emphasis"><em>/var/log/cups/page_log</em></span> not +receiving the exact number of pages; instead the dummy page number +of "1" is logged in a standard setup)</p></li><li><p>the Adobe driver has more options to "mis-configure" the +PostScript generated by it (like setting it inadvertently to +<span class="emphasis"><em>Optimize for Speed</em></span>, instead of +<span class="emphasis"><em>Optimize for Portability</em></span>, which +could lead to CUPS being unable to process it)</p></li><li><p>the CUPS PostScript driver output sent by Windows +clients to the CUPS server will be guaranteed to be auto-typed always +as generic MIME type <span class="emphasis"><em>application/postscript</em></span>, +thusly passing through the CUPS "pstops" filter and logging the +correct number of pages in the <tt class="filename">page_log</tt> for +accounting and quota purposes</p></li><li><p>the CUPS PostScript driver supports the sending of +additional standard (IPP) print options by Win NT/2k/XP clients. 
Such +additional print options are: naming the CUPS standard +<span class="emphasis"><em>banner pages</em></span> (or the custom ones, should they be +installed at the time of driver download), using the CUPS +<span class="emphasis"><em>page-label</em></span> option, setting a +<span class="emphasis"><em>job-priority</em></span> and setting the <span class="emphasis"><em>scheduled +time of printing</em></span> (with the option to support additional +useful IPP job attributes in the future).</p></li><li><p>the CUPS PostScript driver supports the inclusion of +the new <span class="emphasis"><em>*cupsJobTicket</em></span> comments at the +beginning of the PostScript file (which could be used in the future +for all sort of beneficial extensions on the CUPS side, but which will +not disturb any other applications as they will regard it as a comment +and simply ignore it).</p></li><li><p>the CUPS PostScript driver will be the heart of the +fully fledged CUPS IPP client for Windows NT/2K/XP to be released soon +(probably alongside the first Beta release for CUPS +1.2).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959764"></a>Run "cupsaddsmb" (quiet Mode)</h3></div></div><div></div></div><p> +The cupsaddsmb command copies the needed files into your +<i class="parameter"><tt>[print$]</tt></i> share. Additionally, the PPD +associated with this printer is copied from +<tt class="filename">/etc/cups/ppd/</tt> to +<i class="parameter"><tt>[print$]</tt></i>. There the files wait for convenient +Windows client installations via Point'n'Print. Before we can run the +command successfully, we need to be sure that we can authenticate +towards Samba. If you have a small network you are probably using user +level security (<i class="parameter"><tt>security = user</tt></i>). Probably your +root has already a Samba account. 
Otherwise, create it now, using +<b class="command">smbpasswd</b>: +</p><pre class="screen"> + + # smbpasswd -a root + New SMB password: [type in password 'secret'] + Retype new SMB password: [type in password 'secret'] + +</pre><p> +Here is an example of a successfully run cupsaddsmb command. +</p><pre class="screen"> + + # cupsaddsmb -U root infotec_IS2027 + Password for root required to access localhost via SAMBA: [type in password 'secret'] + +</pre><p> +To share <span class="emphasis"><em>all</em></span> printers and drivers, use the +<i class="parameter"><tt>-a</tt></i> parameter instead of a printer name. Since +cupsaddsmb "exports" the printer drivers to Samba, it should be +obvious that it only works for queues with a CUPS driver associated. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959865"></a>Run "cupsaddsmb" with verbose Output</h3></div></div><div></div></div><p> +Probably you want to see what's going on. Use the +<i class="parameter"><tt>-v</tt></i> parameter to get a more verbose output. The +output below was edited for better readability: all "\" at the end of +a line indicate that I inserted an artificial line break plus some +indentation here: +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +You will see the root password for the Samba account printed on +screen. If you use remote access, the password will go over the wire +unencrypted! 
+</p></div><pre class="screen"> + + # cupsaddsmb -U root -v infotec_2105 + Password for root required to access localhost via SAMBA: + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put \ + /var/spool/cups/tmp/3e98bf2d333b5 W32X86/infotec_2105.ppd;put \ + /usr/share/cups/drivers/cupsdrvr.dll W32X86/cupsdrvr.dll;put \ + /usr/share/cups/drivers/cupsui.dll W32X86/cupsui.dll;put \ + /usr/share/cups/drivers/cups.hlp W32X86/cups.hlp' + added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 + Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 + putting file /var/spool/cups/tmp/3e98bf2d333b5 as \W32X86/infotec_2105.ppd (2328.8 kb/s) \ + (average 2328.8 kb/s) + putting file /usr/share/cups/drivers/cupsdrvr.dll as \W32X86/cupsdrvr.dll (9374.3 kb/s) \ + (average 5206.6 kb/s) + putting file /usr/share/cups/drivers/cupsui.dll as \W32X86/cupsui.dll (8107.2 kb/s) \ + (average 5984.1 kb/s) + putting file /usr/share/cups/drivers/cups.hlp as \W32X86/cups.hlp (3475.0 kb/s) \ + (average 5884.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" \ + "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \ + RAW:NULL"' + cmd = adddriver "Windows NT x86" "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll: \ + cups.hlp:NULL:RAW:NULL" + Printer Driver infotec_2105 successfully installed. 
+ + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put \ + /var/spool/cups/tmp/3e98bf2d333b5 WIN40/infotec_2105.PPD; put \ + /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put \ + /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put \ + /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put \ + /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put \ + /usr/share/cups/drivers/ICONLIB.DLL + WIN40/ICONLIB.DLL;put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0 + Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3e98bf2d333b5 as \WIN40/infotec_2105.PPD (2328.8 kb/s) \ + (average 2328.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (9368.0 kb/s) \ + (average 6469.6 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (9958.2 kb/s) \ + (average 8404.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (8341.5 kb/s) \ + (average 8398.6 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (2195.9 kb/s) \ + (average 8254.3 kb/s) + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (8239.9 kb/s) \ + (average 8253.6 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (6222.2 kb/s) \ + (average 8188.5 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" \ + "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL:ADOBEPS4.HLP: \ + PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL, \ + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL: \ + ADOBEPS4.HLP:PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP, \ + PSMON.DLL,ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + 
Printer Driver infotec_2105 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' \ + -c 'setdriver infotec_2105 infotec_2105' + cmd = setdriver infotec_2105 infotec_2105 + Successfully set infotec_2105 to driver infotec_2105. + +</pre><p> +If you look closely, you'll discover your root password was transfered +unencrypted over the wire, so beware! Also, if you look further her, +you'll discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in +between. They occur, because the directories WIN40 and W32X86 already +existed in the <i class="parameter"><tt>[print$]</tt></i> driver download share +(from a previous driver installation). They are harmless here. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960092"></a>Understanding cupsaddsmb</h3></div></div><div></div></div><p> +What has happened? What did cupsaddsmb do? There are five stages of +the procedure +</p><div class="orderedlist"><ol type="1"><li><p>call the CUPS server via IPP and request the +driver files and the PPD file for the named printer;</p></li><li><p>store the files temporarily in the local +TEMPDIR (as defined in +<tt class="filename">cupsd.conf</tt>);</p></li><li><p>connect via smbclient to the Samba server's + <i class="parameter"><tt>[print$]</tt></i> share and put the files into the + share's WIN40 (for Win95/98/ME) and W32X86/ (for WinNT/2k/XP) sub + directories;</p></li><li><p>connect via rpcclient to the Samba server and +execute the "adddriver" command with the correct +parameters;</p></li><li><p>connect via rpcclient to the Samba server a second +time and execute the "setdriver" command.</p></li></ol></div><p> +Note, that you can run the cupsaddsmb utility with parameters to +specify one remote host as Samba host and a second remote host as CUPS +host. 
Especially if you want to get a deeper understanding, it is a +good idea try it and see more clearly what is going on (though in real +life most people will have their CUPS and Samba servers run on the +same host): +</p><pre class="screen"> + + # cupsaddsmb -H sambaserver -h cupsserver -v printername + +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960186"></a>How to recognize if cupsaddsm completed successfully</h3></div></div><div></div></div><p> +You <span class="emphasis"><em>must</em></span> always check if the utility completed +successfully in all fields. You need as a minimum these 3 messages +amongst the output: +</p><div class="orderedlist"><ol type="1"><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully +installed.</em></span> # (for the W32X86 == WinNT/2K/XP +architecture...)</p></li><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully +installed.</em></span> # (for the WIN40 == Win9x/ME +architecture...)</p></li><li><p><span class="emphasis"><em>Successfully set [printerXPZ] to driver +[printerXYZ].</em></span></p></li></ol></div><p> +These messages probably not easily recognized in the general +output. If you run cupsaddsmb with the <i class="parameter"><tt>-a</tt></i> +parameter (which tries to prepare <span class="emphasis"><em>all</em></span> active CUPS +printer drivers for download), you might miss if individual printers +drivers had problems to install properly. Here a redirection of the +output will help you analyze the results in retrospective. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +It is impossible to see any diagnostic output if you don't run +cupsaddsmb in verbose mode. Therefore we strongly recommend to not +use the default quiet mode. It will hide any problems from you which +might occur. 
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960273"></a>cupsaddsmb with a Samba PDC</h3></div></div><div></div></div><p> +You can't get the standard cupsaddsmb command to run on a Samba PDC? +You are asked for the password credential all over again and again and +the command just will not take off at all? Try one of these +variations: +</p><pre class="screen"> + + # cupsaddsmb -U DOMAINNAME\\root -v printername + # cupsaddsmb -H SAMBA-PDC -U DOMAINNAME\\root -v printername + # cupsaddsmb -H SAMBA-PDC -U DOMAINNAME\\root -h cups-server -v printername + +</pre><p> +(Note the two backslashes: the first one is required to +"escape" the second one). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960308"></a>cupsaddsmb Flowchart</h3></div></div><div></div></div><p> +Here is a chart about the procedures, commandflows and +dataflows of the "cupaddsmb" command. Note again: cupsaddsmb is +not intended to, and does not work with, "raw" queues! +</p><p> +</p><div class="figure"><a name="id2960326"></a><p class="title"><b>Figure 19.14. cupsaddsmb flowchart</b></p><div class="mediaobject"><img src="projdoc/imagefiles/1small.png" alt="cupsaddsmb flowchart"></div></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960361"></a>Installing the PostScript Driver on a Client</h3></div></div><div></div></div><p> +After cupsaddsmb completed, your driver is prepared for the clients to +use. Here are the steps you must perform to download and install it +via "Point'n'Print". 
From a Windows client, browse to the CUPS/Samba +server; +</p><div class="itemizedlist"><ul type="disc"><li><p>open the <span class="emphasis"><em>Printers</em></span> +share of Samba in Network Neighbourhood;</p></li><li><p>right-click on the printer in +question;</p></li><li><p>from the opening context-menu select +<span class="emphasis"><em>Install...</em></span> or +<span class="emphasis"><em>Connect...</em></span> (depending on the Windows version you +use).</p></li></ul></div><p> +After a few seconds, there should be a new printer in your +client's <span class="emphasis"><em>local</em></span> "Printers" folder: On Windows +XP it will follow a naming convention of <span class="emphasis"><em>PrinterName on +SambaServer</em></span>. (In my current case it is "infotec_2105 on +kde-bitshop"). If you want to test it and send your first job from +an application like Winword, the new printer will appears in a +<tt class="filename">\\SambaServer\PrinterName</tt> entry in the +dropdown list of available printers. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +cupsaddsmb will only reliably work with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients. Then point the client's printer queue to the Samba printer +share for a UNC type of connection: +</p></div><pre class="screen"> + + net use lpt1: \\sambaserver\printershare /user:ntadmin + +</pre><p> +should you desire to use the CUPS networked PostScript RIP +functions. (Note that user "ntadmin" needs to be a valid Samba user +with the required privileges to access the printershare) This would +set up the printer connection in the traditional +<span class="emphasis"><em>LanMan</em></span> way (not using MS-RPC). 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960474"></a>Avoiding critical PostScript Driver Settings on the +Client</h3></div></div><div></div></div><p> +Soooo: printing works, but there are still problems. Most jobs print +well, some don't print at all. Some jobs have problems with fonts, +which don't look very good. Some jobs print fast, and some are +dead-slow. Many of these problems can be greatly reduced or even +completely eliminated if you follow a few guidelines. Remember, if +your print device is not PostScript-enabled, you are treating your +Ghostscript installation on your CUPS host with the output your client +driver settings produce. Treat it well: +</p><div class="itemizedlist"><ul type="disc"><li><p>Avoid the <span class="emphasis"><em>PostScript Output Option: Optimize +for Speed</em></span> setting. Rather use the <span class="emphasis"><em>Optimize for +Portability</em></span> instead (Adobe PostScript +driver).</p></li><li><p>Don't use the <span class="emphasis"><em>Page Independence: +NO</em></span> setting. 
Instead use <span class="emphasis"><em>Page Independence +YES</em></span> (CUPS PostScript Driver)</p></li><li><p>Recommended is the <span class="emphasis"><em>True Type Font +Downloading Option: Native True Type</em></span> over +<span class="emphasis"><em>Automatic</em></span> and <span class="emphasis"><em>Outline</em></span>; you +should by all means avoid <span class="emphasis"><em>Bitmap</em></span> (Adobe +PostScript Driver)</p></li><li><p>Choose <span class="emphasis"><em>True Type Font: Download as Softfont +into Printer</em></span> over the default <span class="emphasis"><em>Replace by Device +Font</em></span> (for exotic fonts you may need to change it back to +get a printout at all) (Adobe)</p></li><li><p>Sometimes you can choose <span class="emphasis"><em>PostScript Language +Level</em></span>: in case of problems try <span class="emphasis"><em>2</em></span> +instead of <span class="emphasis"><em>3</em></span> (the latest ESP Ghostscript package +handles Level 3 PostScript very well) (Adobe).</p></li><li><p>Say <span class="emphasis"><em>Yes</em></span> to <span class="emphasis"><em>PostScript +Error Handler</em></span> (Adobe)</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2960608"></a>Installing PostScript Driver Files manually (using +rpcclient)</h2></div></div><div></div></div><p> +Of course you can run all the commands which are embedded into the +cupsaddsmb convenience utility yourself, one by one, and hereby upload +and prepare the driver files for future client downloads. +</p><div class="orderedlist"><ol type="1"><li><p>prepare Samba (a CUPS printqueue with the name of the +printer should be there. 
We are providing the driver +now);</p></li><li><p>copy all files to +<i class="parameter"><tt>[print$]:</tt></i></p></li><li><p>run <b class="command">rpcclient adddriver</b> +(for each client architecture you want to support):</p></li><li><p>run <b class="command">rpcclient +setdriver.</b></p></li></ol></div><p> +We are going to do this now. First, read the man page on "rpcclient" +to get a first idea. Look at all the printing related +sub-commands. <b class="command">enumprinters</b>, +<b class="command">enumdrivers</b>, <b class="command">enumports</b>, +<b class="command">adddriver</b>, <b class="command">setdriver</b> are amongst +the most interesting ones. rpcclient implements an important part of +the MS-RPC protocol. You can use it to query (and command) a Win NT +(or 2K/XP) PC too. MS-RPC is used by Windows clients, amongst other +things, to benefit from the "Point'n'Print" features. Samba can now +mimic this too. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960723"></a>A Check of the rpcclient man Page</h3></div></div><div></div></div><p> +First let's have a little check of the rpcclient man page. Here are +two relevant passages: +</p><p> +<b class="command">adddriver <arch> <config></b> Execute an +AddPrinterDriver() RPC to install the printer driver information on +the server. Note that the driver files should already exist in the +directory returned by <b class="command">getdriverdir</b>. Possible +values for <i class="parameter"><tt>arch</tt></i> are the same as those for the +<b class="command">getdriverdir</b> command. The +<i class="parameter"><tt>config</tt></i> parameter is defined as follows: +</p><pre class="screen"> +Long Printer Name:\ +Driver File Name:\ +Data File Name:\ +Config File Name:\ +Help File Name:\ +Language Monitor Name:\ +Default Data Type:\ +Comma Separated list of Files +</pre><p>Any empty fields should be enter as the string "NULL". 
</p><p>Samba does not need to support the concept of Print Monitors +since these only apply to local printers whose driver can make use of +a bi-directional link for communication. This field should be "NULL". +On a remote NT print server, the Print Monitor for a driver must +already be installed prior to adding the driver or else the RPC will +fail +</p><p> +<b class="command">setdriver <printername> <drivername></b> +Execute a <b class="command">SetPrinter()</b> command to update the +printer driver associated with an installed printer. The printer +driver must already be correctly installed on the print server. +</p><p> See also the enumprinters and enumdrivers commands for +obtaining a list of installed printers and drivers. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960836"></a>Understanding the rpcclient man Page</h3></div></div><div></div></div><p> +The <span class="emphasis"><em>exact</em></span> format isn't made too clear by the man +page, since you have to deal with some parameters containing +spaces. Here is a better description for it. We have line-broken the +command and indicated the breaks with "\". Usually you would type the +command in one line without the linebreaks: +</p><pre class="screen"> + + adddriver "Architecture" \ + "LongPrinterName:DriverFile:DataFile:ConfigFile:HelpFile:\ + LanguageMonitorFile:DataType:ListOfFiles,Comma-separated" + +</pre><p> +What the man pages denotes as a simple <config> +keyword, does in reality consist of 8 colon-separated fields. The +last field may take multiple (in some, very insane, cases, even +20 different additional files. This might sound confusing at first. +Note, that what the man pages names the "LongPrinterName" in +reality should rather be called the "Driver Name". You can name it +anything you want, as long as you use this name later in the +<span class="emphasis"><em>rpcclient ... setdriver</em></span> command. 
For +practical reasons, many name the driver the same as the +printer. +</p><p> +True: it isn't simple at all. I hear you asking: +<span class="emphasis"><em>How do I know which files are "Driver +File", "Data File", "Config File", "Help File" and "Language +Monitor File" in each case?</em></span> -- For an answer you may +want to have a look at how a Windows NT box with a shared printer +presents the files to us. Remember, that this whole procedure has +to be developed by the Samba Team by overhearing the traffic caused +by Windows computers on the wire. We may as well turn to a Windows +box now, and access it from a UNIX workstation. We will query it +with <b class="command">rpcclient</b> to see what it tells us and +try to understand the man page more clearly which we've read just +now. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960925"></a>Producing an Example by querying a Windows Box</h3></div></div><div></div></div><p> +We could run <b class="command">rpcclient</b> with a +<b class="command">getdriver</b> or a <b class="command">getprinter</b> +subcommand (in level 3 verbosity) against it. Just sit down at UNIX or +Linux workstation with the Samba utilities installed. Then type the +following command: +</p><pre class="screen"> + + rpcclient -U'USERNAME%PASSWORD' NT-SERVER-NAME -c 'getdriver printername 3' + +</pre><p> +From the result it should become clear which is which. 
Here is an +example from my installation: +</p><pre class="screen"> + +# rpcclient -U'Danka%xxxx' W2KSERVER -c'getdriver "DANKA InfoStream Virtual Printer" 3' + cmd = getdriver "DANKA InfoStream Virtual Printer" 3 + + [Windows NT x86] + Printer Driver Info 3: + Version: [2] + Driver Name: [DANKA InfoStream] + Architecture: [Windows NT x86] + Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL] + Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD] + Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL] + Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP] + + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + Dependentfiles: [] + + Monitorname: [] + Defaultdatatype: [] + +</pre><p> +Some printer drivers list additional files under the label +"Dependentfiles": these would go into the last field +<span class="emphasis"><em>ListOfFiles,Comma-separated</em></span>. For the CUPS +PostScript drivers we don't need any (nor would we for the Adobe +PostScript driver): therefore the field will get a "NULL" entry. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961015"></a>What is required for adddriver and setdriver to succeed</h3></div></div><div></div></div><p> +From the manpage (and from the quoted output +of <span class="emphasis"><em>cupsaddsmb</em></span>, above) it becomes clear that you +need to have certain conditions in order to make the manual uploading +and initializing of the driver files succeed. 
The two rpcclient +subcommands (<b class="command">adddriver</b> and +<b class="command">setdriver</b>) need to encounter the following +pre-conditions to complete successfully: +</p><div class="itemizedlist"><ul type="disc"><li><p>you are connected as "printer admin", or root (note, +that this is <span class="emphasis"><em>not</em></span> the "Printer Operators" group in +NT, but the <span class="emphasis"><em>printer admin</em></span> group, as defined in +the <i class="parameter"><tt>[global]</tt></i> section of +<tt class="filename">smb.conf</tt>);</p></li><li><p>copy all required driver files to +<tt class="filename">\\sambaserver\print$\w32x86</tt> and +<tt class="filename">\\sambaserver\print$\win40</tt> as appropriate. They +will end up in the "0" respective "2" subdirectories later -- for now +<span class="emphasis"><em>don't</em></span> put them there, they'll be automatically +used by the <b class="command">adddriver</b> subcommand.! (if you use +"smbclient" to put the driver files into the share, note that you need +to escape the "$": <b class="command">smbclient //sambaserver/print\$ -U +root</b>);</p></li><li><p>the user you're connecting as must be able to write to +the <i class="parameter"><tt>[print$]</tt></i> share and create +subdirectories;</p></li><li><p>the printer you are going to setup for the Windows +clients, needs to be installed in CUPS already;</p></li><li><p>the CUPS printer must be known to Samba, otherwise the +<b class="command">setdriver</b> subcommand fails with an +NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by +Samba you may use the <b class="command">enumprinters</b> subcommand to +rpcclient. A long-standing bug prevented a proper update of the +printer list until every smbd process had received a SIGHUP or was +restarted. 
Remember this in case you've created the CUPS printer just +shortly ago and encounter problems: try restarting +Samba.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961177"></a>Manual Commandline Driver Installation in 15 little Steps</h3></div></div><div></div></div><p> +We are going to install a printer driver now by manually executing all +required commands. As this may seem a rather complicated process at +first, we go through the procedure step by step, explaining every +single action item as it comes up. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961194"></a>First Step: Install the Printer on CUPS</h4></div></div><div></div></div><pre class="screen"> + +# lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E -P /home/kurt/canonIR85.ppd + +</pre><p> +This installs printer with the name <span class="emphasis"><em>mysmbtstprn</em></span> +to the CUPS system. The printer is accessed via a socket +(a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root +for this step +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961224"></a>Second Step (optional): Check if the Printer is recognized by +Samba</h4></div></div><div></div></div><pre class="screen"> + + # rpcclient -Uroot%xxxx -c 'enumprinters' localhost | grep -C2 mysmbtstprn + + flags:[0x800000] + name:[\\kde-bitshop\mysmbtstprn] + description:[\\kde-bitshop\mysmbtstprn,,mysmbtstprn] + comment:[mysmbtstprn] + +</pre><p> +This should show the printer in the list. If not, stop and re-start +the Samba daemon (smbd), or send a HUP signal: <b class="command">kill -HUP +`pidof smbd`</b>. Check again. Troubleshoot and repeat until +success. Note the "empty" field between the two commas in the +"description" line. Here would the driver name appear if there was one +already. 
You need to know root's Samba password (as set by the +<b class="command">smbpasswd</b> command) for this step and most of the +following steps. Alternatively you can authenticate as one of the +users from the "write list" as defined in <tt class="filename">smb.conf</tt> for +<i class="parameter"><tt>[print$]</tt></i>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961288"></a>Third Step (optional): Check if Samba knows a Driver for the +Printer</h4></div></div><div></div></div><pre class="screen"> + +# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep driver + drivername:[] + +# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep -C4 driv + servername:[\\kde-bitshop] + printername:[\\kde-bitshop\mysmbtstprn] + sharename:[mysmbtstprn] + portname:[Samba Printer Port] + drivername:[] + comment:[mysmbtstprn] + location:[] + sepfile:[] + printprocessor:[winprint] + +# rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost + result was WERR_UNKNOWN_PRINTER_DRIVER + +</pre><p> +Neither method of the three commands shown above should show a driver. +This step was done for the purpose of demonstrating this condition. An +attempt to connect to the printer at this stage will prompt the +message along the lines: "The server has not the required printer +driver installed". +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961326"></a>Fourth Step: Put all required Driver Files into Samba's +[print$]</h4></div></div><div></div></div><pre class="screen"> + +# smbclient //localhost/print\$ -U 'root%xxxx' \ + -c 'cd W32X86; \ + put /etc/cups/ppd/mysmbtstprn.ppd mysmbtstprn.PPD; \ + put /usr/share/cups/drivers/cupsui.dll cupsui.dll; \ + put /usr/share/cups/drivers/cupsdrvr.dll cupsdrvr.dll; \ + put /usr/share/cups/drivers/cups.hlp cups.hlp' + +</pre><p> +(Note that this command should be entered in one long single +line. 
Line-breaks and the line-end indicating "\" has been inserted +for readability reasons.) This step is <span class="emphasis"><em>required</em></span> +for the next one to succeed. It makes the driver files physically +present in the <i class="parameter"><tt>[print$]</tt></i> share. However, clients +would still not be able to install them, because Samba does not yet +treat them as driver files. A client asking for the driver would still +be presented with a "not installed here" message. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961377"></a>Fifth Step: Verify where the Driver Files are now</h4></div></div><div></div></div><pre class="screen"> + +# ls -l /etc/samba/drivers/W32X86/ + total 669 + drwxr-sr-x 2 root ntadmin 532 May 25 23:08 2 + drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3 + -rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp + -rwxr--r-- 1 root ntadmin 278380 May 25 23:21 cupsdrvr.dll + -rwxr--r-- 1 root ntadmin 215848 May 25 23:21 cupsui.dll + -rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD + +</pre><p> +The driver files now are in the W32X86 architecture "root" of +<i class="parameter"><tt>[print$]</tt></i>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961415"></a>Sixth Step: Tell Samba that these are +<span class="emphasis"><em>Driver</em></span> Files +(<b class="command">adddriver</b>)</h4></div></div><div></div></div><pre class="screen"> + +# rpcclient -Uroot%xxxx -c `adddriver "Windows NT x86" "mydrivername: \ + cupsdrvr.dll:mysmbtstprn.PPD: \ + cupsui.dll:cups.hlp:NULL:RAW[<span class="citation">:</span>]NULL" \ + localhost + + Printer Driver mydrivername successfully installed. + +</pre><p> +Note that your cannot repeat this step if it fails. It could fail even +as a result of a simple typo. It will most likely have moved a part of +the driver files into the "2" subdirectory. 
If this step fails, you +need to go back to the fourth step and repeat it, before you can try +this one again. In this step you need to choose a name for your +driver. It is normally a good idea to use the same name as is used for +the printername; however, in big installations you may use this driver +for a number of printers which have obviously different names. So the +name of the driver is not fixed. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961469"></a>Seventh Step: Verify where the Driver Files are now</h4></div></div><div></div></div><pre class="screen"> + +# ls -l /etc/samba/drivers/W32X86/ + total 1 + drwxr-sr-x 2 root ntadmin 532 May 25 23:22 2 + drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3 + + +# ls -l /etc/samba/drivers/W32X86/2 + total 5039 + [....] + -rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp + -rwxr--r-- 1 root ntadmin 278380 May 13 13:53 cupsdrvr.dll + -rwxr--r-- 1 root ntadmin 215848 May 13 13:53 cupsui.dll + -rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD + +</pre><p> +Notice how step 6 did also move the driver files to the appropriate +subdirectory. Compare with the situation after step 5. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961503"></a>Eighth Step (optional): Verify if Samba now recognizes the +Driver</h4></div></div><div></div></div><pre class="screen"> + +# rpcclient -Uroot%xxxx -c 'enumdrivers 3' localhost | grep -B2 -A5 mydrivername + + Printer Driver Info 3: + Version: [2] + Driver Name: [mydrivername] + Architecture: [Windows NT x86] + Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll] + Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD] + Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll] + Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp] + +</pre><p> +Remember, this command greps for the name you did choose for the +driver in step Six. 
This command must succeed before you can proceed. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961536"></a>Ninth Step: Tell Samba which Printer should use these Driver +Files (<b class="command">setdriver</b>)</h4></div></div><div></div></div><pre class="screen"> + +# rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' localhost + + Successfully set mysmbtstprn to driver mydrivername + +</pre><p> +Since you can bind any printername (=printqueue) to any driver, this +is a very convenient way to setup many queues which use the same +driver. You don't need to repeat all the previous steps for the +setdriver command to succeed. The only pre-conditions are: +<b class="command">enumdrivers</b> must find the driver and +<b class="command">enumprinters</b> must find the printer. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961586"></a>Tenth Step (optional): Verify if Samba has this Association +recognized</h4></div></div><div></div></div><pre class="screen"> + +# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep driver + drivername:[mydrivername] + +# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep -C4 driv + servername:[\\kde-bitshop] + printername:[\\kde-bitshop\mysmbtstprn] + sharename:[mysmbtstprn] + portname:[Done] + drivername:[mydrivername] + comment:[mysmbtstprn] + location:[] + sepfile:[] + printprocessor:[winprint] + +# rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost + [Windows NT x86] + Printer Driver Info 3: + Version: [2] + Driver Name: [mydrivername] + Architecture: [Windows NT x86] + Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll] + Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD] + Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll] + Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp] + Monitorname: [] + Defaultdatatype: [RAW] + Monitorname: [] + 
Defaultdatatype: [RAW] + +# rpcclient -Uroot%xxxx -c 'enumprinters' localhost | grep mysmbtstprn + name:[\\kde-bitshop\mysmbtstprn] + description:[\\kde-bitshop\mysmbtstprn,mydrivername,mysmbtstprn] + comment:[mysmbtstprn] + +</pre><p> +Compare these results with the ones from steps 2 and 3. Note that +every single of these commands show the driver is installed. Even +the <b class="command">enumprinters</b> command now lists the driver +on the "description" line. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961666"></a>Eleventh Step (optional): Tickle the Driver into a correct +Device Mode</h4></div></div><div></div></div><p> +You certainly know how to install the driver on the client. In case +you are not particularly familiar with Windows, here is a short +recipe: browse the Network Neighbourhood, go to the Samba server, look +for the shares. You should see all shared Samba printers. +Double-click on the one in question. The driver should get +installed, and the network connection set up. An alternative way is to +open the "Printers (and Faxes)" folder, right-click on the printer in +question and select "Connect" or "Install". As a result, a new printer +should have appeared in your client's local "Printers (and Faxes)" +folder, named something like "printersharename on Sambahostname". +</p><p> +It is important that you execute this step as a Samba printer admin +(as defined in <tt class="filename">smb.conf</tt>). Here is another method +to do this on Windows XP. It uses a commandline, which you may type +into the "DOS box" (type root's smbpassword when prompted): +</p><pre class="screen"> + + C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /in /n \\sambacupsserver\mysmbtstprn" + +</pre><p> +Change any printer setting once (like <span class="emphasis"><em>"portrait" +--> "landscape"</em></span>), click "Apply"; change the setting +back. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961731"></a>Twelfth Step: Install the Printer on a Client +("Point'n'Print")</h4></div></div><div></div></div><pre class="screen"> + + C:\> rundll32 printui.dll,PrintUIEntry /in /n "\\sambacupsserver\mysmbtstprn" + +</pre><p> +If it doesn't work it could be a permission problem with the +<i class="parameter"><tt>[print$]</tt></i> share. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961764"></a>Thirteenth Step (optional): Print a Test Page</h4></div></div><div></div></div><pre class="screen"> + + C:\> rundll32 printui.dll,PrintUIEntry /p /n "\\sambacupsserver\mysmbtstprn" + +</pre><p> +Then hit [TAB] 5 times, [ENTER] twice, [TAB] once and [ENTER] again +and march to the printer. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961790"></a>Fourteenth Step (recommended): Study the Test Page</h4></div></div><div></div></div><p> +Hmmm.... just kidding! By now you know everything about printer +installations and you don't need to read a word. Just put it in a +frame and bolt it to the wall with the heading "MY FIRST +RPCCLIENT-INSTALLED PRINTER" - why not just throw it away! +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961808"></a>Fifteenth Step (obligatory): Enjoy. Jump. Celebrate your +Success</h4></div></div><div></div></div><pre class="screen"> + +# echo "Cheeeeerioooooo! Success..." >> /var/log/samba/log.smbd + +</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961830"></a>Troubleshooting revisited</h3></div></div><div></div></div><p> +The setdriver command will fail, if in Samba's mind the queue is not +already there. You had promising messages about the: +</p><pre class="screen"> + + Printer Driver ABC successfully installed. 
+ +</pre><p> +after the "adddriver" parts of the procedure? But you are also seeing +a disappointing message like this one beneath? +</p><pre class="screen"> + + result was NT_STATUS_UNSUCCESSFUL + +</pre><p> +It is not good enough that <span class="emphasis"><em>you</em></span> +can see the queue <span class="emphasis"><em>in CUPS</em></span>, using +the <b class="command">lpstat -p ir85wm</b> command. A +bug in most recent versions of Samba prevents the proper update of +the queuelist. The recognition of newly installed CUPS printers +fails unless you re-start Samba or send a HUP to all smbd +processes. To verify if this is the reason why Samba doesn't +execute the setdriver command successfully, check if Samba "sees" +the printer: +</p><pre class="screen"> + +# rpcclient transmeta -N -U'root%secret' -c 'enumprinters 0'| grep ir85wm + printername:[ir85wm] + +</pre><p> +An alternative command could be this: +</p><pre class="screen"> + +# rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' + cmd = getprinter ir85wm + flags:[0x800000] + name:[\\transmeta\ir85wm] + description:[\\transmeta\ir85wm,ir85wm,DPD] + comment:[CUPS PostScript-Treiber for WinNT/2K/XP] + +</pre><p> +BTW, you can use these commands, plus a few more, of course, +to install drivers on remote Windows NT print servers too! +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961930"></a>The printing <tt class="filename">*.tdb</tt> Files</h2></div></div><div></div></div><p> +Some mystery is associated with the series of files with a +tdb-suffix appearing in every Samba installation. 
They are +<tt class="filename">connections.tdb</tt>, +<tt class="filename">printing.tdb</tt>, +<tt class="filename">share_info.tdb</tt> , +<tt class="filename">ntdrivers.tdb</tt>, +<tt class="filename">unexpected.tdb</tt>, +<tt class="filename">brlock.tdb</tt> , +<tt class="filename">locking.tdb</tt>, +<tt class="filename">ntforms.tdb</tt>, +<tt class="filename">messages.tdb</tt> , +<tt class="filename">ntprinters.tdb</tt>, +<tt class="filename">sessionid.tdb</tt> and +<tt class="filename">secrets.tdb</tt>. What is their purpose? +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962033"></a>Trivial DataBase Files</h3></div></div><div></div></div><p> +A Windows NT (Print) Server keeps track of all information needed to serve +its duty toward its clients by storing entries in the Windows +"Registry". Client queries are answered by reading from the registry, +Administrator or user configuration settings are saved by writing into +the Registry. Samba and Unix obviously don't have such a kind of +Registry. Samba instead keeps track of all client related information in a +series of <tt class="filename">*.tdb</tt> files. (TDB = Trivial Data +Base). These are often located in <tt class="filename">/var/lib/samba/</tt> +or <tt class="filename">/var/lock/samba/</tt> . The printing related files +are <tt class="filename">ntprinters.tdb</tt>, +<tt class="filename">printing.tdb</tt>,<tt class="filename">ntforms.tdb</tt> and +<tt class="filename">ntdrivers.tdb</tt>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962103"></a>Binary Format</h3></div></div><div></div></div><p> +<tt class="filename">*.tdb</tt> files are not human readable. They are +written in a binary format. "Why not ASCII?", you may ask. "After all, +ASCII configuration files are a good and proofed tradition on UNIX." +-- The reason for this design decision by the Samba Team is mainly +performance. 
Samba needs to be fast; it runs a separate +<b class="command">smbd</b> process for each client connection, in some +environments many thousand of them. Some of these smbds might need to +write-access the same <tt class="filename">*.tdb</tt> file <span class="emphasis"><em>at the +same time</em></span>. The file format of Samba's +<tt class="filename">*.tdb</tt> files allows for this provision. Many smbd +processes may write to the same <tt class="filename">*.tdb</tt> file at the +same time. This wouldn't be possible with pure ASCII files. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962165"></a>Losing <tt class="filename">*.tdb</tt> Files</h3></div></div><div></div></div><p> +It is very important that all <tt class="filename">*.tdb</tt> files remain +consistent over all write and read accesses. However, it may happen +that these files <span class="emphasis"><em>do</em></span> get corrupted. (A +<b class="command">kill -9 `pidof smbd`</b> while a write access is in +progress could do the damage as well as a power interruption, +etc.). In cases of trouble, a deletion of the old printing-related +<tt class="filename">*.tdb</tt> files may be the only option. You need to +re-create all print related setup after that. Or you have made a +backup of the <tt class="filename">*.tdb</tt> files in time. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962224"></a>Using <span class="emphasis"><em>tdbbackup</em></span></h3></div></div><div></div></div><p> +Samba ships with a little utility which helps the root user of your +system to back up your <tt class="filename">*.tdb</tt> files. 
If you run it +with no argument, it prints a little usage message: +</p><pre class="screen"> + +# tdbbackup + Usage: tdbbackup [options] <fname...> + + Version:3.0a + -h this help message + -s suffix set the backup suffix + -v verify mode (restore if corrupt) + +</pre><p> +Here is how I backed up my printing.tdb file: +</p><pre class="screen"> + +# ls + . browse.dat locking.tdb ntdrivers.tdb printing.tdb share_info.tdb + .. connections.tdb messages.tdb ntforms.tdb printing.tdbkp unexpected.tdb + brlock.tdb gmon.out namelist.debug ntprinters.tdb sessionid.tdb + + kde-bitshop:/var/lock/samba # tdbbackup -s .bak printing.tdb + printing.tdb : 135 records + + kde-bitshop:/var/lock/samba # ls -l printing.tdb* + -rw------- 1 root root 40960 May 2 03:44 printing.tdb + -rw------- 1 root root 40960 May 2 03:44 printing.tdb.bak + +</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2962290"></a>CUPS Print Drivers from Linuxprinting.org</h2></div></div><div></div></div><p> +CUPS ships with good support for HP LaserJet type printers. You can +install the generic driver as follows: +</p><pre class="screen"> + +lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd + +</pre><p> +The <i class="parameter"><tt>-m</tt></i> switch will retrieve the +<tt class="filename">laserjet.ppd</tt> from the standard repository for +not-yet-installed-PPDs, which CUPS typically stores in +<tt class="filename">/usr/share/cups/model</tt>. Alternatively, you may use +<i class="parameter"><tt>-P /path/to/your.ppd</tt></i>. +</p><p> +The generic laserjet.ppd however does not support every special option +for every LaserJet-compatible model. It constitutes a sort of "least +denominator" of all the models. 
If for some reason it is ruled out to +you to pay for the commercially available ESP Print Pro drivers, your +first move should be to consult the database on <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>. +Linuxprinting.org has excellent recommendations about which driver is +best used for each printer. Its database is kept current by the +tireless work of Till Kamppeter from MandrakeSoft, who is also the +principal author of the foomatic-rip utility. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The former "cupsomatic" concept is now be replaced by the new, much +more powerful "foomatic-rip". foomatic-rip is the successor of +cupsomatic. cupsomatic is no longer maintained. Here is the new URL +to the Foomatic-3.0 database:<a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">http://www.linuxprinting.org/driver_list.cgi</a>. +If you upgrade to foomatic-rip, don't forget to also upgrade to the +new-style PPDs for your foomatic-driven printers. foomatic-rip will +not work with PPDs generated for the old cupsomatic. The new-style +PPDs are 100% compliant to the Adobe PPD specification. They are +intended to be used by Samba and the cupsaddsmb utility also, to +provide the driver files for the Windows clients also! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962398"></a>foomatic-rip and Foomatic explained</h3></div></div><div></div></div><p> +Nowadays most Linux distros rely on the utilities of Linuxprinting.org +to create their printing related software (which, BTW, works on all +UNIXes and on Mac OS X or Darwin too). 
It is not known as well as it +should be, that it also has a very end-user friendly interface which +allows for an easy update of drivers and PPDs, for all supported +models, all spoolers, all operating systems and all package formats +(because there is none). Its history goes back a few years. +</p><p> +Recently Foomatic has achieved the astonishing milestone of <a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">1000 +listed</a> printer models. Linuxprinting.org keeps all the +important facts about printer drivers, supported models and which +options are available for the various driver/printer combinations in +its <a href="http://www.linuxprinting.org/foomatic.html" target="_top">Foomatic</a> +database. Currently there are <a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">245 drivers</a> +in the database: many drivers support various models, and many models +may be driven by different drivers; it's your choice! +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962453"></a>690 "perfect" Printers</h4></div></div><div></div></div><p> +At present there are 690 devices dubbed as working "perfectly", 181 +"mostly", 96 "partially" and 46 are "Paperweights". Keeping in mind +that most of these are non-PostScript models (PostScript printers are +automatically supported supported by CUPS to perfection, by using +their own manufacturer-provided Windows-PPD...), and that a +multifunctional device never qualifies as working "perfectly" if it +doesn't also scan and copy and fax under GNU/Linux: then this is a +truly astonishing achievement. Three years ago the number was not +more than 500, and Linux or UNIX "printing" at the time wasn't +anywhere near the quality it is today! 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962477"></a>How the "Printing HOWTO" started it all</h4></div></div><div></div></div><p> +A few years ago <a href="http://www2.picante.com:81/~gtaylor/" target="_top">Grant Taylor</a> +started it all. The roots of today's Linuxprinting.org are in the +first <a href="http://www.linuxprinting.org/foomatic2.9/howto/" target="_top">Linux Printing +HOWTO</a> which he authored. As a side-project to this document, +which served many Linux users and admins to guide their first steps in +this complicated and delicate setup (to a scientist, printing is +"applying a structured deposition of distinct patterns of ink or toner +particles on paper substrates" <span class="emphasis"><em>;-)</em></span>, he started to +build in a little Postgres database with information about the +hardware and driver zoo that made up Linux printing of the time. This +database became the core component of today's Foomatic collection of +tools and data. In the meantime it has moved to an XML representation +of the data. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962522"></a>Foomatic's strange Name</h4></div></div><div></div></div><p> +"Why the funny name?", you ask. When it really took off, around spring +2000, CUPS was far less popular than today, and most systems used LPD, +LPRng or even PDQ to print. CUPS shipped with a few generic "drivers" +(good for a few hundred different printer models). These didn't +support many device-specific options. CUPS also shipped with its own +built-in rasterization filter ("pstoraster", derived from +Ghostscript). On the other hand, CUPS provided brilliant support for +<span class="emphasis"><em>controlling</em></span> all printer options through +standardized and well-defined "PPD files" (PostScript Printers +Description files). Plus, CUPS was designed to be easily extensible. 
+</p><p> +Grant already had in his database a respectable compilation +of facts about a many more printers, and the Ghostscript "drivers" +they run with. His idea, to generate PPDs from the database info +and use them to make standard Ghostscript filters work within CUPS, +proved to work very well. It also "killed several birds with one +stone": +</p><div class="itemizedlist"><ul type="disc"><li><p>It made all current and future Ghostscript filter +developments available for CUPS;</p></li><li><p>It made available a lot of additional printer models +to CUPS users (because often the "traditional" Ghostscript way of +printing was the only one available);</p></li><li><p>It gave all the advanced CUPS options (web interface, +GUI driver configurations) to users wanting (or needing) to use +Ghostscript filters.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962589"></a>cupsomatic, pdqomatic, lpdomatic, directomatic</h4></div></div><div></div></div><p> +CUPS worked through a quickly-hacked up filter script named <a href="http://www.linuxprinting.org/download.cgi?filename=cupsomatic&show=0" target="_top">cupsomatic</a>. +cupsomatic ran the printfile through Ghostscript, constructing +automatically the rather complicated command line needed. It just +required to be copied into the CUPS system to make it work. To +"configure" the way cupsomatic controls the Ghostscript rendering +process, it needs a CUPS-PPD. This PPD is generated directly from the +contents of the database. For CUPS and the respective printer/filter +combo another Perl script named "CUPS-O-Matic" did the PPD +generation. After that was working, Grant implemented within a few +days a similar thing for two other spoolers. 
Names chosen for the +config-generator scripts were <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0" target="_top">PDQ-O-Matic</a> +(for PDQ) and <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0" target="_top">LPD-O-Matic</a> +(for - you guessed it - LPD); the configuration here didn't use PPDs +but other spooler-specific files. +</p><p> +From late summer of that year, <a href="http://www.linuxprinting.org/till/" target="_top">Till Kamppeter</a> +started to put work into the database. Till had been newly employed by +<a href="http://www.mandrakesoft.com/" target="_top">MandrakeSoft</a> to +convert their printing system over to CUPS, after they had seen his +<a href="http://www.fltk.org/" target="_top">FLTK</a>-based <a href="http://cups.sourceforge.net/xpp/" target="_top">XPP</a> (a GUI frontend to +the CUPS lp-command). He added a huge amount of new information and new +printers. He also developed the support for other spoolers, like +<a href="http://ppr.sourceforge.net/" target="_top">PPR</a> (via ppromatic), +<a href="http://sourceforge.net/projects/lpr/" target="_top">GNUlpr</a> and +<a href="http://www.lprng.org/" target="_top">LPRng</a> (both via an extended +lpdomatic) and "spoolerless" printing (<a href="http://www.linuxprinting.org/download.cgi?filename=directomatic&show=0" target="_top">directomatic</a>).... +</p><p> +So, to answer your question: "Foomatic" is the general name for all +the overlapping code and data behind the "*omatic" scripts.... -- +Foomatic up to versions 2.0.x required (ugly) Perl data structures +attached the Linuxprinting.org PPDs for CUPS. It had a different +"*omatic" script for every spooler, as well as different printer +configuration files.. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962725"></a>7.13.1.5.The <span class="emphasis"><em>Grand Unification</em></span> +achieved...</h4></div></div><div></div></div><p> +This all has changed in Foomatic versions 2.9 (Beta) and released as +"stable" 3.0. This has now achieved the convergence of all *omatic +scripts: it is called the <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0" target="_top">foomatic-rip</a>. +This single script is the unification of the previously different +spooler-specific *omatic scripts. foomatic-rip is used by all the +different spoolers alike. Because foomatic-rip can read PPDs (both the +original PostScript printer PPDs and the Linuxprinting.org-generated +ones), all of a sudden all supported spoolers can have the power of +PPDs at their disposal; users only need to plug "foomatic-rip" into +their system.... For users there is improved media type and source +support; paper sizes and trays are easier to configure. +</p><p> +Also, the New Generation of Linuxprinting.org PPDs doesn't contain +Perl data structures any more. If you are a distro maintainer and have +used the previous version of Foomatic, you may want to give the new +one a spin: but don't forget to generate a new-version set of PPDs, +via the new <a href="http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.0beta1.tar.gz" target="_top">foomatic-db-engine</a>! +Individual users just need to generate a single new PPD specific to +their model by <a href="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/II.Foomatic-User/II.tutorial-handout-foomatic-user.html" target="_top">following +the steps</a> outlined in the Foomatic tutorial or further +below. This new development is truly amazing. 
+</p><p> +foomatic-rip is a very clever wrapper around the need to run +Ghostscript with a different syntax, different options, different +device selections and/or different filters for each different printer +or different spooler. At the same time it can read the PPD associated +with a print queue and modify the print job according to the user +selections. Together with this comes the 100% compliance of the new +Foomatic PPDs with the Adobe spec. Some really innovative features of +the Foomatic concept will surprise users: it will support custom paper +sizes for many printers; and it will support printing on media drawn +from different paper trays within the same job (in both cases: even +where there is no support for this from Windows-based vendor printer +drivers). +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962810"></a>Driver Development outside</h4></div></div><div></div></div><p> +Most driver development itself does not happen within +Linuxprinting.org. Drivers are written by independent maintainers. +Linuxprinting.org just pools all the information, and stores it in its +database. In addition, it also provides the Foomatic glue to integrate +the many drivers into any modern (or legacy) printing system known to +the world. +</p><p> +Speaking of the different driver development groups: most of +the work is currently done in three projects. These are: +</p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">Omni</a> +-- a Free Software project by IBM which tries to convert their printer +driver knowledge from good-ol' OS/2 times into a modern, modular, +universal driver architecture for Linux/Unix (still Beta). 
This +currently supports 437 models.</p></li><li><p><a href="http://hpinkjet.sf.net/" target="_top">HPIJS</a> -- +a Free Software project by HP to provide the support for their own +range of models (very mature, printing in most cases is perfect and +provides true photo quality). This currently supports 369 +models.</p></li><li><p><a href="http://gimp-print.sf.net/" target="_top">Gimp-Print</a> -- a Free software +effort, started by Michael Sweet (also lead developer for CUPS), now +directed by Robert Krawitz, which has achieved an amazing level of +photo print quality (many Epson users swear that its quality is +better than the vendor drivers provided by Epson for the Microsoft +platforms). This currently supports 522 models.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962892"></a>Forums, Downloads, Tutorials, Howtos -- also for Mac OS X and +commercial Unix</h4></div></div><div></div></div><p> +Linuxprinting.org today is the one-stop "shop" to download printer +drivers. Look for printer information and <a href="http://www.linuxprinting.org//kpfeifle/LinuxKongress2002/Tutorial/" target="_top">tutorials</a> +or solve printing problems in its popular <a href="http://www.linuxprinting.org/newsportal/" target="_top">forums</a>. But +it's not just for GNU/Linux: users and admins of <a href="http://www.linuxprinting.org/macosx/" target="_top">commercial UNIX +systems</a> are also going there, and the relatively new <a href="http://www.linuxprinting.org/newsportal/thread.php3?name=linuxprinting.macosx.general" target="_top">Mac +OS X forum</a> has turned out to be one of the most frequented +fora after only a few weeks. +</p><p> +Linuxprinting.org and the Foomatic driver wrappers around Ghostscript +are now a standard toolchain for printing on all the important +distros. Most of them also have CUPS underneath. 
While in recent years +most printer data had been added by Till (who works at Mandrake), many +additional contributions came from engineers with SuSE, RedHat, +Connectiva, Debian and others. Vendor-neutrality is an important goal +of the Foomatic project. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Till Kamppeter from MandrakeSoft is doing an excellent job in his +spare time to maintain Linuxprinting.org and Foomatic. So if you use +it often, please send him a note showing your appreciation. +</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962963"></a>Foomatic Database generated PPDs</h4></div></div><div></div></div><p> +The Foomatic database is an amazing piece of ingenuity in itself. Not +only does it keep the printer and driver information, but it is +organized in a way that it can generate "PPD" files "on the fly" from +its internal XML-based datasets. While these PPDs are modelled to the +Adobe specification of "PostScript Printer Descriptions" (PPDs), the +Linuxprinting.org/Foomatic-PPDs don't normally drive PostScript +printers: they are used to describe all the bells and whistles you +could ring or blow on an Epson Stylus inkjet, or a HP Photosmart or +what-have-you. The main "trick" is one little additional line, not +envisaged by the PPD specification, starting with the "*cupsFilter" +keyword: it tells the CUPS daemon how to proceed with the PostScript +print file (old-style Foomatic-PPDs named the +<span class="emphasis"><em>cupsomatic</em></span> filter script, while the new-style +PPDs now call <span class="emphasis"><em>foomatic-rip</em></span>). This filter +script calls Ghostscript on the host system (the recommended variant +is ESP Ghostscript) to do the rendering work. 
foomatic-rip knows which +filter or internal device setting it should ask from Ghostscript to +convert the PostScript printjob into a raster format ready for the +target device. This usage of PPDs to describe the options of non-PS +printers was the invention of the CUPS developers. The rest is easy: +GUI tools (like KDE's marvellous <a href="http://printing.kde.org/overview/kprinter.phtml" target="_top">"kprinter"</a>, +or the GNOME <a href="http://gtklp.sourceforge.net/" target="_top">"gtklp"</a>, "xpp" and the CUPS +web interface) read the PPD too and use this information to present +the available settings to the user as an intuitive menu selection. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963027"></a>foomatic-rip and Foomatic-PPD Download and Installation</h3></div></div><div></div></div><p> +Here are the steps to install a foomatic-rip driven "LaserJet 4 Plus" +compatible printer in CUPS (note that recent distributions of SuSE, +UnitedLinux and Mandrake may ship with a complete package of +Foomatic-PPDs plus the foomatic-rip utility. going directly to +Linuxprinting.org ensures you to get the latest driver/PPD files): +</p><div class="itemizedlist"><ul type="disc"><li><p>Surf to <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a> +</p></li><li><p>Check the complete list of printers in the database: +<a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">http://www.linuxprinting.org/printer_list.cgi?make=Anyone</a> +</p></li><li><p>There select your model and click on the +link.</p></li><li><p>You'll arrive at a page listing all drivers working +with this model (for all printers, there will always be +<span class="emphasis"><em>one</em></span> recommended driver. 
Try this one +first).</p></li><li><p>In our case ("HP LaserJet 4 Plus"), we'll arrive here: +<a href="http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus" target="_top">http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus</a> +</p></li><li><p>The recommended driver is "ljet4".</p></li><li><p>There are several links provided here. You should +visit them all, if you are not familiar with the Linuxprinting.org +database.</p></li><li><p>There is a link to the database page for the "ljet4": +<a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</a> +On the driver's page, you'll find important and detailed information +about how to use that driver within the various available +spoolers.</p></li><li><p>Another link may lead you to the homepage of the +driver author or the driver.</p></li><li><p>Important links are the ones which provide hints with +setup instructions for CUPS (<a href="http://www.linuxprinting.org/cups-doc.html" target="_top">http://www.linuxprinting.org/cups-doc.html</a>), +PDQ (<a href="http://www.linuxprinting.org/pdq-doc.html" target="_top">http://www.linuxprinting.org/pdq-doc.html</a>), +LPD, LPRng and GNUlpr (<a href="http://www.linuxprinting.org/lpd-doc.html" target="_top">http://www.linuxprinting.org/lpd-doc.html</a>) +as well as PPR (<a href="http://www.linuxprinting.org/ppr-doc.html" target="_top">http://www.linuxprinting.org/ppr-doc.html)</a> +or "spooler-less" printing (<a href="http://www.linuxprinting.org/direct-doc.html" target="_top">http://www.linuxprinting.org/direct-doc.html</a> +).</p></li><li><p>You can view the PPD in your browser through this +link: <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1</a> +</p></li><li><p>You can also (most importantly) 
+generate and download the PPD: <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=0" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=0</a> +</p></li><li><p>The PPD contains all the information needed to use our +model and the driver; this is, once installed, working transparently +for the user. Later you'll only need to choose resolution, paper size +etc. from the web-based menu, or from the print dialog GUI, or from +the commandline.</p></li><li><p>Should you have ended up on the driver's page (<a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</a>), +you can choose to use the "PPD-O-Matic" online PPD generator +program.</p></li><li><p>Select the exact model and check either "download" or +"display PPD file" and click on "Generate PPD file".</p></li><li><p>If you save the PPD file from the browser view, please +don't use "cut'n'past" (since it could possibly damage line endings +and tabs, which makes the PPD likely to fail its duty), but use "Save +as..." in your browser's menu. (Best is to use the "download" option +from the web page directly).</p></li><li><p>Another very interesting part on each driver page is +the <span class="emphasis"><em>Show execution details</em></span> button. If you +select your printer model and click that button, you will get +displayed a complete Ghostscript command line, enumerating all options +available for that driver/printermodel combo. This is a great way to +"Learn Ghostscript By Doing". It is also an excellent "cheat sheet" +for all experienced users who need to re-construct a good command line +for that damn printing script, but can't remember the exact +syntax. 
;-)</p></li><li><p>Some time during your visit to Linuxprinting.org, save +the PPD to a suitable place on your harddisk, say +<tt class="filename">/path/to/my-printer.ppd</tt> (if you prefer to install +your printers with the help of the CUPS web interface, save the PPD to +the <tt class="filename">/usr/share/cups/model/</tt> path and re-start +cupsd).</p></li><li><p>Then install the printer with a suitable commandline, +e.g.: +</p><pre class="screen"> + +lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -P path/to/my-printer.ppd + +</pre></li><li><p>Note again this: for all the new-style "Foomatic-PPDs" +from Linuxprinting.org, you also need a special "CUPS filter" named +"foomatic-rip".Get the latest version of "foomatic-rip" from: <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0" target="_top">http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0</a> +</p></li><li><p>The foomatic-rip Perlscript itself also makes some +interesting reading (<a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=1" target="_top">http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=1</a>), +because it is very well documented by Till's inline comments (even +non-Perl hackers will learn quite a bit about printing by reading +it... ;-)</p></li><li><p>Save foomatic-rip either directly in +<tt class="filename">/usr/lib/cups/filter/foomatic-rip</tt> or somewhere in +your $PATH (and don't forget to make it world-executable). Again, +don't save by "copy'n'paste" but use the appropriate link, or the +"Save as..." menu item in your browser.</p></li><li><p>If you save foomatic-rip in your $PATH, create a symlink: +<b class="command">cd /usr/lib/cups/filter/ ; ln -s `which +foomatic-rip`</b>. 
For CUPS to discover this new +available filter at startup, you need to re-start +cupsd.</p></li></ul></div><p> +Once you print to a printqueue set up with the Foomatic-PPD, CUPS will +insert the appropriate commands and comments into the resulting +PostScript jobfile. foomatic-rip is able to read and act upon +these. foomatic-rip uses some specially encoded Foomatic comments, +embedded in the jobfile. These in turn are used to construct +(transparently for you, the user) the complicated ghostscript command +line telling for the printer driver how exactly the resulting raster +data should look like and which printer commands to embed into the +data stream. +</p><p> +You need: +</p><div class="itemizedlist"><ul type="disc"><li><p>A "foomatic+something" PPD -- but it this not enough +to print with CUPS (it is only <span class="emphasis"><em>one</em></span> important +component)</p></li><li><p>The "foomatic-rip" filter script (Perl) in +/usr/lib/cups/filters/</p></li><li><p>Perl to make foomatic-rip run</p></li><li><p>Ghostscript (because it is doing the main work, +controlled by the PPD/foomatic-rip combo) to produce the raster data +fit for your printermodel's consumption</p></li><li><p>Ghostscript <span class="emphasis"><em>must</em></span> (depending on +the driver/model) contain support for a certain "device", representing +the selected "driver" for your model (as shown by "gs +-h")</p></li><li><p>foomatic-rip needs a new version of PPDs (PPD versions +produced for cupsomatic don't work with +foomatic-rip).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963488"></a>Page Accounting with CUPS</h2></div></div><div></div></div><p> +Often there are questions regarding "print quotas" wherein Samba users +(that is, Windows clients) should not be able to print beyond a +certain amount of pages or data volume per day, week or month. 
This +feature is dependent on the real print subsystem you're using. +Samba's part is always to receive the job files from the clients +(filtered <span class="emphasis"><em>or</em></span> unfiltered) and hand it over to this +printing subsystem. +</p><p> +Of course one could "hack" things with one's own scripts. But then +there is CUPS. CUPS supports "quotas" which can be based on sizes of +jobs or on the number of pages or both, and are spanning any time +period you want. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963519"></a>Setting up Quotas</h3></div></div><div></div></div><p> +This is an example command how root would set a print quota in CUPS, +assuming an existing printer named "quotaprinter": +</p><pre class="screen"> + + lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 -o job-page-limit=100 + +</pre><p> +This would limit every single user to print 100 pages or 1024 KB of +data (whichever comes first) within the last 604,800 seconds ( = 1 +week). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963551"></a>Correct and incorrect Accounting</h3></div></div><div></div></div><p> +For CUPS to count correctly, the printfile needs to pass the CUPS +"pstops" filter, otherwise it uses a "dummy" count of "1". Some +printfiles don't pass it (eg: image files) but then those are mostly 1 +page jobs anyway. This also means that proprietary drivers for the +target printer running on the client computers and CUPS/Samba, which +then spool these files as "raw" (i.e. leaving them untouched, not +filtering them), will be counted as "1-pagers" too! +</p><p> +You need to send PostScript from the clients (i.e. run a PostScript +driver there) to have the chance to get accounting done. If the +printer is a non-PostScript model, you need to let CUPS do the job to +convert the file to a print-ready format for the target printer. 
This +will be working for currently about 1,000 different printer models, +see <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963592"></a>Adobe and CUPS PostScript Drivers for Windows Clients</h3></div></div><div></div></div><p> +Before CUPS-1.1.16 your only option was to use the Adobe PostScript +Driver on the Windows clients. The output of this driver was not +always passed through the "pstops" filter on the CUPS/Samba side, and +therefore was not counted correctly (the reason is that it often, +depending on the "PPD" being used, wrote a "PJL"-header in front of +the real PostScript which caused CUPS to skip pstops and go directly +to the "pstoraster" stage). +</p><p> +From CUPS-1.1.16 onward you can use the "CUPS PostScript Driver for +Windows NT/2K/XP clients" (which is tagged in the download area of +http://www.cups.org/ as the "cups-samba-1.1.16.tar.gz" package). It does +<span class="emphasis"><em>not</em></span> work for Win9x/ME clients. But it guarantees: +</p><div class="itemizedlist"><ul type="disc"><li><p>to not write an PJL-header</p></li><li><p>to still read and support all PJL-options named in the +driver PPD with its own means</p></li><li><p> that the file will pass through the "pstops" filter +on the CUPS/Samba server</p></li><li><p>to page-count correctly the +printfile</p></li></ul></div><p> +You can read more about the setup of this combination in the manpage +for "cupsaddsmb" (which is only present with CUPS installed, and only +current from CUPS 1.1.16). 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963663"></a>The page_log File Syntax</h3></div></div><div></div></div><p> +These are the items CUPS logs in the "page_log" for every +single <span class="emphasis"><em>page</em></span> of a job: +</p><div class="itemizedlist"><ul type="disc"><li><p>Printer name</p></li><li><p>User name</p></li><li><p>Job ID</p></li><li><p>Time of printing</p></li><li><p>the page number</p></li><li><p>the number of copies</p></li><li><p>a billing information string +(optional)</p></li><li><p>the host which sent the job (included since version +1.1.19)</p></li></ul></div><p> +Here is an extract of my CUPS server's page_log file to illustrate the +format and included items: +</p><pre class="screen"> + + infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13 + infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13 + infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13 + infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13 + DigiMaster9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33 + +</pre><p> +This was job ID "401", printed on "infotec_IS2027" by user "kurt", a +64-page job printed in 3 copies and billed to "#marketing", sent +from IP address 10.160.50.13. The next job had ID "402", was sent by +user "boss" from IP address 10.160.51.33,printed from one page 440 +copies and is set to be billed to "finance-dep". +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963765"></a>Possible Shortcomings</h3></div></div><div></div></div><p> +What flaws or shortcomings are there with this quota system? 
+</p><div class="itemizedlist"><ul type="disc"><li><p>the ones named above (wrongly logged job in case of +printer hardware failure, etc.)</p></li><li><p>in reality, CUPS counts the job pages that are being +processed in <span class="emphasis"><em>software</em></span> (that is, going through the +"RIP") rather than the physical sheets successfully leaving the +printing device. Thus if there is a jam while printing the 5th sheet out +of 1000 and the job is aborted by the printer, the "page count" will +still show the figure of 1000 for that job</p></li><li><p>all quotas are the same for all users (no flexibility +to give the boss a higher quota than the clerk) no support for +groups</p></li><li><p>no means to read out the current balance or the +"used-up" number of current quota</p></li><li><p>a user having used up 99 sheets of 100 quota will +still be able to send and print a 1,000 sheet job</p></li><li><p>a user being denied a job because of a filled-up quota +doesn't get a meaningful error message from CUPS other than +"client-error-not-possible".</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963836"></a>Future Developments</h3></div></div><div></div></div><p> +This is the best system currently available, and there are huge +improvements under development for CUPS 1.2: +</p><div class="itemizedlist"><ul type="disc"><li><p>page counting will go into the "backends" (these talk +directly to the printer and will increase the count in sync with the +actual printing process: thus a jam at the 5th sheet will lead to a +stop in the counting)</p></li><li><p>quotas will be handled more flexibly</p></li><li><p>probably there will be support for users to inquire +their "accounts" in advance</p></li><li><p>probably there will be support for some other tools +around this topic</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a 
name="id2963884"></a>Other Accounting Tools</h3></div></div><div></div></div><p> +PrintAnalyzer, pyKota, printbill, LogReport. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963899"></a>Additional Material</h2></div></div><div></div></div><p> +A printer queue with <span class="emphasis"><em>no</em></span> PPD associated to it is a +"raw" printer and all files will go directly there as received by the +spooler. The exceptions are file types "application/octet-stream" +which need "passthrough feature" enabled. "Raw" queues don't do any +filtering at all, they hand the file directly to the CUPS backend. +This backend is responsible for the sending of the data to the device +(as in the "device URI" notation: <tt class="filename">lpd://, socket://, +smb://, ipp://, http://, parallel:/, serial:/, usb:/</tt> etc.) +</p><p> +"cupsomatic"/Foomatic are <span class="emphasis"><em>not</em></span> native CUPS drivers +and they don't ship with CUPS. They are a Third Party add-on, +developed at Linuxprinting.org. As such, they are a brilliant hack to +make all models (driven by Ghostscript drivers/filters in traditional +spoolers) also work via CUPS, with the same (good or bad!) quality as +in these other spoolers. "cupsomatic" is only a vehicle to execute a +ghostscript commandline at that stage in the CUPS filtering chain, +where "normally" the native CUPS "pstoraster" filter would kick +in. cupsomatic by-passes pstoraster, "kidnaps" the printfile from CUPS +away and re-directs it to go through Ghostscript. CUPS accepts this, +because the associated CUPS-O-Matic-/Foomatic-PPD specifies: +</p><pre class="screen"> + + *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic" + +</pre><p> +This line persuades CUPS to hand the file to cupsomatic, once it has +successfully converted it to the MIME type +"application/vnd.cups-postscript". 
This conversion will not happen for +Jobs arriving from Windows which are auto-typed +"application/octet-stream", with the according changes in +<tt class="filename">/etc/cups/mime.types</tt> in place. +</p><p> +CUPS is widely configurable and flexible, even regarding its filtering +mechanism. Another workaround in some situations would be to have in +<tt class="filename">/etc/cups/mime.types</tt> entries as follows: +</p><pre class="screen"> + + application/postscript application/vnd.cups-raw 0 - + application/vnd.cups-postscript application/vnd.cups-raw 0 - + +</pre><p> +This would prevent all Postscript files from being filtered (rather, +they will through the virtual <span class="emphasis"><em>nullfilter</em></span> +denoted with "-"). This could only be useful for PS printers. If you +want to print PS code on non-PS printers (provided they support ASCII +text printing) an entry as follows could be useful: +</p><pre class="screen"> + + */* application/vnd.cups-raw 0 - + +</pre><p> +and would effectively send <span class="emphasis"><em>all</em></span> files to the +backend without further processing. +</p><p> +Lastly, you could have the following entry: +</p><pre class="screen"> + + application/vnd.cups-postscript application/vnd.cups-raw 0 my_PJL_stripping_filter + +</pre><p> +You will need to write a <span class="emphasis"><em>my_PJL_stripping_filter</em></span> +(could be a shellscript) that parses the PostScript and removes the +unwanted PJL. This would need to conform to CUPS filter design +(mainly, receive and pass the parameters printername, job-id, +username, jobtitle, copies, print options and possibly the +filename). It would be installed as world executable into +<tt class="filename">/usr/lib/cups/filters/</tt> and will be called by CUPS +if it encounters a MIME type "application/vnd.cups-postscript". +</p><p> +CUPS can handle <span class="emphasis"><em>-o job-hold-until=indefinite</em></span>. +This keeps the job in the queue "on hold". 
It will only be printed +upon manual release by the printer operator. This is a requirement in +many "central reproduction departments", where a few operators manage +the jobs of hundreds of users on some big machine, where no user is +allowed to have direct access (such as when the operators often need +to load the proper paper type before running the 10,000 page job +requested by marketing for the mailing, etc.). +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964092"></a>Auto-Deletion or Preservation of CUPS Spool Files</h2></div></div><div></div></div><p> +Samba print files pass through two "spool" directories. One is the +incoming directory managed by Samba, (set in the <span class="emphasis"><em>path = +/var/spool/samba</em></span> directive in the +<span class="emphasis"><em>[printers]</em></span> section of +<tt class="filename">smb.conf</tt>). The other is the spool directory of +your UNIX print subsystem. For CUPS it is normally +<tt class="filename">/var/spool/cups/</tt>, as set by the cupsd.conf +directive <tt class="filename">RequestRoot /var/spool/cups</tt>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964138"></a>CUPS Configuration Settings explained</h3></div></div><div></div></div><p> +Some important parameter settings in the CUPS configuration file +<tt class="filename">cupsd.conf</tt> are: +</p><div class="variablelist"><dl><dt><span class="term">PreserveJobHistory Yes</span></dt><dd><p> +This keeps some details of jobs in cupsd's mind (well it keeps the +"c12345", "c12346" etc. files in the CUPS spool directory, which do a +similar job as the old-fashioned BSD-LPD control files). This is set +to "Yes" as a default. +</p></dd><dt><span class="term">PreserveJobFiles Yes</span></dt><dd><p> +This keeps the job files themselves in cupsd's mind +(well it keeps the "d12345", "d12346" etc. files in the CUPS spool +directory...). 
This is set to "No" as the CUPS +default. +</p></dd><dt><span class="term"><span class="emphasis"><em>"MaxJobs 500"</em></span></span></dt><dd><p> +This directive controls the maximum number of jobs +that are kept in memory. Once the number of jobs reaches the limit, +the oldest completed job is automatically purged from the system to +make room for the new one. If all of the known jobs are still +pending or active then the new job will be rejected. Setting the +maximum to 0 disables this functionality. The default setting is +0. +</p></dd></dl></div><p> +(There are also additional settings for "MaxJobsPerUser" and +"MaxJobsPerPrinter"...) +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964221"></a>Pre-conditions</h3></div></div><div></div></div><p> +For everything to work as announced, you need to have three +things: +</p><div class="itemizedlist"><ul type="disc"><li><p>a Samba-smbd which is compiled against "libcups" (Check +on Linux by running "ldd `which smbd`")</p></li><li><p>a Samba-<tt class="filename">smb.conf</tt> setting of +"printing = cups"</p></li><li><p>another Samba-<tt class="filename">smb.conf</tt> setting of +"printcap = cups"</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +In this case all other manually set printing-related commands (like +"print command", "lpq command", "lprm command", "lppause command" or +"lpresume command") are ignored and they should normally have no +influence what-so-ever on your printing. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964281"></a>Manual Configuration</h3></div></div><div></div></div><p> +If you want to do things manually, replace the "printing = +cups" by "printing = bsd". Then your manually set commands may work +(haven't tested this), and a "print command = lp -d %P %s; rm %s" +may do what you need. 
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964299"></a>When <span class="emphasis"><em>not</em></span> to use Samba to print to +CUPS</h2></div></div><div></div></div><p> +[TO BE DONE] +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964316"></a>In Case of Trouble.....</h2></div></div><div></div></div><p> +If you have more problems, post the output of these commands +to the CUPS or Samba mailing lists (choose the one which seems more +relevant to your problem): +</p><pre class="screen"> + + grep -v ^# /etc/cups/cupsd.conf | grep -v ^$ + grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;" + +</pre><p> +(adapt paths as needed). These commands leave out the empty +lines and lines with comments, providing the "naked settings" in a +compact way. Don't forget to name the CUPS and Samba versions you +are using! This saves bandwidth and makes for easier readability +for experts (and you are expecting experts to read them, right? 
+;-) +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964352"></a>Where to find Documentation</h3></div></div><div></div></div><p> +[TO BE DONE] +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964364"></a>How to ask for Help</h3></div></div><div></div></div><p> +[TO BE DONE] +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964377"></a>Where to find Help</h3></div></div><div></div></div><p> +[TO BE DONE] +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964391"></a>Appendix</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964398"></a>Printing <span class="emphasis"><em>from</em></span> CUPS to Windows attached +Printers</h3></div></div><div></div></div><p> +From time to time the question arises, how you can print +<span class="emphasis"><em>to</em></span> a Windows attached printer +<span class="emphasis"><em>from</em></span> Samba. Normally the local connection +"Windows host <--> printer" would be done by USB or parallel +cable, but this doesn't matter to Samba. From here only an SMB +connection needs to be opened to the Windows host. Of course, this +printer must be "shared" first. As you have learned by now, CUPS uses +<span class="emphasis"><em>backends</em></span> to talk to printers and other +servers. To talk to Windows shared printers you need to use the +<span class="emphasis"><em>smb</em></span> (surprise, surprise!) backend. Check if this +is in the CUPS backend directory. This resides usually in +<tt class="filename">/usr/lib/cups/backend/</tt>. You need to find a "smb" +file there. 
It should be a symlink to <tt class="filename">smbspool</tt> +which file must exist and be executable: +</p><pre class="screen"> + + # ls -l /usr/lib/cups/backend/ + total 253 + drwxr-xr-x 3 root root 720 Apr 30 19:04 . + drwxr-xr-x 6 root root 125 Dec 19 17:13 .. + -rwxr-xr-x 1 root root 10692 Feb 16 21:29 canon + -rwxr-xr-x 1 root root 10692 Feb 16 21:29 epson + lrwxrwxrwx 1 root root 3 Apr 17 22:50 http -> ipp + -rwxr-xr-x 1 root root 17316 Apr 17 22:50 ipp + -rwxr-xr-x 1 root root 15420 Apr 20 17:01 lpd + -rwxr-xr-x 1 root root 8656 Apr 20 17:01 parallel + -rwxr-xr-x 1 root root 2162 Mar 31 23:15 pdfdistiller + lrwxrwxrwx 1 root root 25 Apr 30 19:04 ptal -> /usr/local/sbin/ptal-cups + -rwxr-xr-x 1 root root 6284 Apr 20 17:01 scsi + lrwxrwxrwx 1 root root 17 Apr 2 03:11 smb -> /usr/bin/smbspool + -rwxr-xr-x 1 root root 7912 Apr 20 17:01 socket + -rwxr-xr-x 1 root root 9012 Apr 20 17:01 usb + +# ls -l `which smbspool` + -rwxr-xr-x 1 root root 563245 Dec 28 14:49 /usr/bin/smbspool + +</pre><p> +If this symlink doesn't exist, create it: +</p><pre class="screen"> + +# ln -s `which smbspool` /usr/lib/cups/backend/smb + +</pre><p> +smbspool has been written by Mike Sweet from the CUPS folks. It is +included and ships with Samba. It may also be used with print +subsystems other than CUPS, to spool jobs to Windows printer shares. To +set up printer "winprinter" on CUPS, you need to have a "driver" for +it. Essentially this means to convert the print data on the CUPS/Samba +host to a format that the printer can digest (the Windows host is +unable to convert any files you may send). This also means you should +be able to print to the printer if it were hooked directly at your +Samba/CUPS host. For troubleshooting purposes, this is what you +should do, to determine if that part of the process chain is in +order. Then proceed to fix the network connection/authentication to +the Windows host, etc. 
+</p><p> +To install a printer with the smb backend on CUPS, use this command: +</p><pre class="screen"> + +# lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename -P /path/to/PPD + +</pre><p> +The <span class="emphasis"><em>PPD</em></span> must be able to direct CUPS to generate +the print data for the target model. For PostScript printers just use +the PPD that would be used with the Windows NT PostScript driver. But +what can you do if the printer is only accessible with a password? Or +if the printer's host is part of another workgroup? This is provided +for: you can include the required parameters as part of the +<tt class="filename">smb://</tt> device-URI. Like this: +</p><pre class="screen"> + + smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename + smb://username:password@WORKGROUP/WINDOWSNETBIOSNAME/printersharename + smb://username:password@WINDOWSNETBIOSNAME/printersharename + +</pre><p> +Note that the device-URI will be visible in the process list of the +Samba server (e.g. when someone uses the <b class="command">ps -aux</b> +command on Linux), even if the username and passwords are sanitized +before they get written into the log files. So this is an inherently +insecure option. However it is the only one. Don't use it if you want +to protect your passwords. Better share the printer in a way that +doesn't require a password! Printing will only work if you have a +working netbios name resolution up and running. Note that this is a +feature of CUPS and you don't necessarily need to have smbd running +(but who wants that? :-). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964612"></a>More CUPS filtering Chains</h3></div></div><div></div></div><p> +The following diagrams reveal how CUPS handles print jobs. 
+</p><pre class="screen"> +######################################################################### +# +# CUPS in and of itself has this (general) filter chain (CAPITAL +# letters are FILE-FORMATS or MIME types, other are filters (this is +# true for pre-1.1.15 of pre-4.3 versions of CUPS and ESP PrintPro): +# +# SOMETHNG-FILEFORMAT +# | +# V +# somethingtops +# | +# V +# APPLICATION/POSTSCRIPT +# | +# V +# pstops +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT +# | +# V +# pstoraster # as shipped with CUPS, independent from any Ghostscipt +# | # installation on the system +# | (= "postscipt interpreter") +# V +# APPLICATION/VND.CUPS-RASTER +# | +# V +# rastertosomething (e.g. Gimp-Print filters may be plugged in here) +# | (= "raster driver") +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# V +# backend +# +# +# ESP PrintPro has some enhanced "rastertosomething" filters as compared to +# CUPS, and also a somewhat improved "pstoraster" filter. +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rastertosomething is noted. +# +######################################################################### +</pre><pre class="screen"> +######################################################################### +# +# This is how "cupsomatic" comes into play: +# ========================================= +# +# SOMETHNG-FILEFORMAT +# | +# V +# somethingtops +# | +# V +# APPLICATION/POSTSCRIPT +# | +# V +# pstops +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+ +# | V +# V cupsomatic +# pstoraster (constructs complicated +# | (= "postscipt interpreter") Ghostscript commandline +# | to let the file be +# V processed by a +# APPLICATION/VND.CUPS-RASTER "-sDEVICE=s.th." +# | call...) +# V | +# rastertosomething V +# | (= "raster driver") +-------------------------+ +# | | Ghostscript at work.... 
| +# V | | +# SOMETHING-DEVICE-SPECIFIC *-------------------------+ +# | | +# V | +# backend <------------------------------------+ +# | +# V +# THE PRINTER +# +# +# Note, that cupsomatic "kidnaps" the printfile after the +# "APPLICATION/VND.CUPS-POSTSCRPT" stage and deviates it gh +# the CUPS-external, systemwide Ghostscript installation, bypassing the +# "pstoraster" filter (therefore also bypassing the CUPS-raster-drivers +# "rastertosomething", and hands the rasterized file directly to the CUPS +# backend... +# +# cupsomatic is not made by the CUPS developers. It is an independent +# contribution to printing development, made by people from +# Linuxprinting.org. (see also http://www.cups.org/cups-help.html) +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rastertosomething is noted. +# +######################################################################### +</pre><pre class="screen"> +######################################################################### +# +# And this is how it works for ESP PrintPro from 4.3: +# =================================================== +# +# SOMETHNG-FILEFORMAT +# | +# V +# somethingtops +# | +# V +# APPLICATION/POSTSCRIPT +# | +# V +# pstops +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT +# | +# V +# gsrip +# | (= "postscipt interpreter") +# V +# APPLICATION/VND.CUPS-RASTER +# | +# V +# rastertosomething (e.g. Gimp-Print filters may be plugged in here) +# | (= "raster driver") +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# V +# backend +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rastertosomething is noted. 
+# +######################################################################### +</pre><pre class="screen"> +######################################################################### +# +# This is how "cupsomatic" would come into play with ESP PrintPro: +# ================================================================ +# +# +# SOMETHNG-FILEFORMAT +# | +# V +# somethingtops +# | +# V +# APPLICATION/POSTSCRIPT +# | +# V +# pstops +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+ +# | V +# V cupsomatic +# gsrip (constructs complicated +# | (= "postscipt interpreter") Ghostscript commandline +# | to let the file be +# V processed by a +# APPLICATION/VND.CUPS-RASTER "-sDEVICE=s.th." +# | call...) +# V | +# rastertosomething V +# | (= "raster driver") +-------------------------+ +# | | Ghostscript at work.... | +# V | | +# SOMETHING-DEVICE-SPECIFIC *-------------------------+ +# | | +# V | +# backend <------------------------------------+ +# | +# V +# THE PRINTER +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rastertosomething is noted. +# +######################################################################### +</pre><pre class="screen"> +######################################################################### +# +# And this is how it works for CUPS from 1.1.15: +# ============================================== +# +# SOMETHNG-FILEFORMAT +# | +# V +# somethingtops +# | +# V +# APPLICATION/POSTSCRIPT +# | +# V +# pstops +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT-----+ +# +------------------v------------------------------+ +# | Ghostscript | +# | at work... 
| +# | (with | +# | "-sDEVICE=cups") | +# | | +# | (= "postscipt interpreter") | +# | | +# +------------------v------------------------------+ +# | +# APPLICATION/VND.CUPS-RASTER >-------+ +# | +# V +# rastertosomething +# | (= "raster driver") +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# V +# backend +# +# +# NOTE: since version 1.1.15 CUPS "outsourced" the pstoraster process to +# Ghostscript. GNU Ghostscript needs to be patched to handle the +# CUPS requirement; ESP Ghostscript has this builtin. In any case, +# "gs -h" needs to show up a "cups" device. pstoraster is now a +# calling an appropriate "gs -sDEVICE=cups..." commandline to do +# the job. It will output "application/vnd.cup-raster", which will +# be finally processed by a CUPS raster driver "rastertosomething" +# Note the difference to "cupsomatic", which will <span class="emphasis"><em>not</em></span> output +# CUPS-raster, but a final version of the printfile, ready to be +# sent to the printer. cupsomatic also doesn't use the "cups" +# devicemode in Ghostscript, but one of the classical devicemodes.... +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rastertosomething is noted. +# +######################################################################### +</pre><pre class="screen"> +######################################################################### +# +# And this is how it works for CUPS from 1.1.15, with cupsomatic included: +# ======================================================================== +# +# SOMETHNG-FILEFORMAT +# | +# V +# somethingtops +# | +# V +# APPLICATION/POSTSCRIPT +# | +# V +# pstops +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT-----+ +# +------------------v------------------------------+ +# | Ghostscript . Ghostscript at work.... | +# | at work... . (with "-sDEVICE= | +# | (with . s.th." | +# | "-sDEVICE=cups") . | +# | . | +# | (CUPS standard) . (cupsomatic) | +# | . 
| +# | (= "postscript interpreter") | +# | . | +# +------------------v--------------v---------------+ +# | | +# APPLICATION/VND.CUPS-RASTER >-------+ | +# | | +# V | +# rastertosomething | +# | (= "raster driver") | +# V | +# SOMETHING-DEVICE-SPECIFIC >------------------------+ +# | +# V +# backend +# +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rastertosomething is noted. +# +########################################################################## +</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964919"></a>Trouble Shooting Guidelines to fix typical Samba printing +Problems</h3></div></div><div></div></div><p> +This is a short description of how to debug printing problems +with Samba. This describes how to debug problems with printing from +a SMB client to a Samba server, not the other way around. +</p><div class="variablelist"><dl><dt><span class="term">Win9x client can't install driver</span></dt><dd><p>For Win9x clients require the printer names to be 8 +chars (or "8 plus 3 chars suffix") max; otherwise the driver files +won't get transferred when you want to download them from +Samba.</p></dd><dt><span class="term">testparm</span></dt><dd><p>Run <b class="command">testparm</b>: It will tell you if +<tt class="filename">smb.conf</tt> parameters are in the wrong +section. Many people have had the "printer admin" parameter in the +<i class="parameter"><tt>[printers]</tt></i> section and experienced +problems. "testparm" will tell you if it sees +this.</p></dd><dt><span class="term">"cupsaddsmb" keeps asking for a root password in a +neverending loop</span></dt><dd><p>Have you <i class="parameter"><tt>security = user</tt></i>? Have +you used <b class="command">smbpasswd</b> to give root a Samba account? 
+You can do 2 things: open another terminal and execute +<b class="command">smbpasswd -a root</b> to create the account, and +continue with entering the password into the first terminal. Or break +out of the loop by hitting ENTER twice (without trying to type a +password).</p></dd><dt><span class="term">"cupsaddsmb" gives "No PPD file for printer..." +message (but I swear there is one!)</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Have you enabled printer sharing on CUPS? This means: +do you have a <i class="parameter"><tt><Location +/printers>....</Location></tt></i> section in CUPS +server's <tt class="filename">cupsd.conf</tt> which doesn't deny access to +the host you run "cupsaddsmb" from? It <span class="emphasis"><em>could</em></span> be +an issue if you use cupsaddsmb remotely, or if you use it with a +<i class="parameter"><tt>-h</tt></i> parameter: <b class="command">cupsaddsmb -H +sambaserver -h cupsserver -v printername</b>. +</p></li><li><p>Is your +"TempDir" directive in +<span class="emphasis"><em>cupsd.conf</em></span> +set to a valid value and is it writeable? +</p></li></ul></div></dd><dt><span class="term">I can't connect client to Samba printer.</span></dt><dd><p>Use <b class="command">smbstatus</b> to check which user +you are from Samba's point of view. Do you have the privileges to +write into the <i class="parameter"><tt>[print$]</tt></i> +share?</p></dd><dt><span class="term">I can't reconnect to Samba under a new account +from Win2K/XP</span></dt><dd><p>Once you are connected as the "wrong" user (for +example as "nobody", which often occurs if you have <i class="parameter"><tt>map to +guest = bad user</tt></i>), Windows Explorer will not accept an +attempt to connect again as a different user. There won't be any byte +transfered on the wire to Samba, but still you'll see a stupid error +message which makes you think that Samba has denied access. Use +<b class="command">smbstatus</b> to check for active connections. 
Kill the +PIDs. You still can't re-connect and get the dreaded +<tt class="computeroutput">You can't connect with a second account from the same +machine</tt> message, as soon as you are trying? And you +don't see any single byte arriving at Samba (see logs; use "ethereal") +indicating a renewed connection attempt? Shut all Explorer Windows. +This makes Windows forget what it has cached in its memory as +established connections. Then re-connect as the right user. Best +method is to use a DOS terminal window and <span class="emphasis"><em>first</em></span> +do <b class="command">net use z: \\SAMBAHOST\print$ /user:root</b>. Check +with <b class="command">smbstatus</b> that you are connected under a +different account. Now open the "Printers" folder (on the Samba server +in the <span class="emphasis"><em>Network Neighbourhood</em></span>), right-click the +printer in question and select +<span class="emphasis"><em>Connect...</em></span></p></dd><dt><span class="term">Avoid being connected to the Samba server as the +"wrong" user</span></dt><dd><p>You see per <b class="command">smbstatus</b> that you are +connected as user "nobody"; while you wanted to be "root" or +"printeradmin"? This is probably due to <i class="parameter"><tt>map to guest = bad +user</tt></i>, which silently connects you under the guest account, +when you gave (maybe by accident) an incorrect username. Remove +<i class="parameter"><tt>map to guest</tt></i>, if you want to prevent +this.</p></dd><dt><span class="term">Upgrading to CUPS drivers from Adobe drivers on +NT/2K/XP clients gives problems</span></dt><dd><p>First delete all "old" Adobe-using printers. Then +delete all "old" Adobe drivers. (On Win2K/XP, right-click in +background of "Printers" folder, select "Server Properties...", select +tab "Drivers" and delete here).</p></dd><dt><span class="term">I can't use "cupsaddsmb"on a Samba server which is +a PDC</span></dt><dd><p>Do you use the "naked" root user name? 
Try to do it +this way: <span class="emphasis"><em>cupsaddsmb -U DOMAINNAME\\root -v +printername</em></span> (note the two backslashes: the first one is +required to "escape" the second one).</p></dd><dt><span class="term">I deleted a printer on Win2K; but I still see +its driver</span></dt><dd><p>Deleting a printer on the client won't delete the +driver too (to verify, right-click on the white background of the +"Printers" folder, select "Server Properties" and click on the +"Drivers" tab). These same old drivers will be re-used when you try to +install a printer with the same name. If you want to update to a new +driver, delete the old ones first. Deletion is only possible if no +other printer uses the same driver.</p></dd><dt><span class="term">Win2K/XP "Local Security +Policies"</span></dt><dd><p><span class="emphasis"><em>Local Security Policies</em></span> may not +allow the installation of unsigned drivers. "Local Security Policies" +may not allow the installation of printer drivers at +all.</p></dd><dt><span class="term">WinXP clients: "Administrator can not install +printers for all local users"</span></dt><dd><p>Windows XP handles SMB printers on a "per-user" basis. +This means every user needs to install the printer himself. To have a +printer available for everybody, you might want to use the built-in +IPP client capabilities of WinXP. Add a printer with the print path of +<span class="emphasis"><em>http://cupsserver:631/printers/printername</em></span>. 
+Still looking into this one: maybe a "logon script" could +automatically install printers for all +users.</p></dd><dt><span class="term">"Print Change Notify" functions on +NT-clients</span></dt><dd><p>For "print change notify" functions on NT++ clients, +these need to run the "Server" service first (re-named to +<span class="emphasis"><em>File & Print Sharing for MS Networks</em></span> in +XP).</p></dd><dt><span class="term">WinXP-SP1</span></dt><dd><p>WinXP-SP1 introduced a <span class="emphasis"><em>Point and Print +Restriction Policy</em></span> (this restriction doesn't apply to +"Administrator" or "Power User" groups of users). In Group Policy +Object Editor: go to <span class="emphasis"><em>User Configuration --> +Administrative Templates --> Control Panel --> +Printers</em></span>. The policy is automatically set to +<span class="emphasis"><em>Enabled</em></span> and the <span class="emphasis"><em>Users can only Point +and Print to machines in their Forest</em></span> . You probably need +to change it to <span class="emphasis"><em>Disabled</em></span> or <span class="emphasis"><em>Users can +only Point and Print to these servers</em></span> in order to make +driver downloads from Samba possible.</p></dd><dt><span class="term">I can't set and save default print options for all +users on Win2K/XP</span></dt><dd><p>How are you doing it? I bet the wrong way (it is not +very easy to find out, though). There are 3 different ways to bring +you to a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All +three dialogs <span class="emphasis"><em>look</em></span> the same. Only one of them +<span class="emphasis"><em>does</em></span> what you intend. You need to be +Administrator or Print Administrator to do this for all users. 
Here +is how I do in on XP: +</p><div class="orderedlist"><ol type="A"><li><p>The first "wrong" way: + +</p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="emphasis"><em>Printers</em></span> +folder.</p></li><li><p>Right-click on the printer +(<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and +select in context menu <span class="emphasis"><em>Printing +Preferences...</em></span></p></li><li><p>Look at this dialog closely and remember what it looks +like.</p></li></ol></div><p> +</p></li><li><p>The second "wrong" way: + +</p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="emphasis"><em>Printers</em></span> +folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on +cupshost</em></span>) and select in the context menu +<span class="emphasis"><em>Properties</em></span></p></li><li><p>Click on the <span class="emphasis"><em>General</em></span> +tab</p></li><li><p>Click on the button <span class="emphasis"><em>Printing +Preferences...</em></span></p></li><li><p>A new dialog opens. Keep this dialog open and go back +to the parent dialog.</p></li></ol></div><p> +</p></li><li><p>The third, the "correct" way: (should you do +this from the beginning, just carry out steps 1. and 2. from second +"way" above) + +</p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="emphasis"><em>Advanced</em></span> +tab. (Hmmm... if everything is "Grayed Out", then you are not logged +in as a user with enough privileges).</p></li><li><p>Click on the <span class="emphasis"><em>Printing +Defaults...</em></span> button.</p></li><li><p>On any of the two new tabs, click on the +<span class="emphasis"><em>Advanced...</em></span> +button.</p></li><li><p>A new dialog opens. Compare this one to the other, +identical looking one from "B.5" or A.3".</p></li></ol></div><p> +</p></li></ol></div><p> +Do you see any difference? I don't either... 
However, only the last +one, which you arrived at with steps "C.1.-6." will save any settings +permanently and be the defaults for new users. If you want all clients +to get the same defaults, you need to conduct these steps <span class="emphasis"><em>as +Administrator</em></span> (<i class="parameter"><tt>printer admin</tt></i> in +<tt class="filename">smb.conf</tt>) <span class="emphasis"><em>before</em></span> a client +downloads the driver (the clients can later set their own +<span class="emphasis"><em>per-user defaults</em></span> by following the +procedures <span class="emphasis"><em>A.</em></span> or <span class="emphasis"><em>B.</em></span> +above).</p></dd><dt><span class="term">What are the most common blunders in driver +settings on Windows clients?</span></dt><dd><p>Don't use <span class="emphasis"><em>Optimize for +Speed</em></span>: use <span class="emphasis"><em>Optimize for +Portability</em></span> instead (Adobe PS Driver) Don't use +<span class="emphasis"><em>Page Independence: No</em></span>: always +settle with <span class="emphasis"><em>Page Independence: +Yes</em></span> (Microsoft PS Driver and CUPS PS Driver for +WinNT/2K/XP) If there are problems with fonts: use +<span class="emphasis"><em>Download as Softfont into +printer</em></span> (Adobe PS Driver). For +<span class="emphasis"><em>TrueType Download Options</em></span> +choose <span class="emphasis"><em>Outline</em></span>. Use PostScript +Level 2, if you are having trouble with a non-PS printer, and if +there is a choice.</p></dd><dt><span class="term">I can't make <b class="command">cupsaddsmb</b> work +with newly installed printer</span></dt><dd><p>Symptom: the last command of +<b class="command">cupsaddsmb</b> doesn't complete successfully: +<b class="command">cmd = setdriver printername printername</b> result was +NT_STATUS_UNSUCCESSFUL then possibly the printer was not yet +"recognized" by Samba. Did it show up in <span class="emphasis"><em>Network +Neighbourhood</em></span>? 
Did it show up in <b class="command">rpcclient +hostname -c 'enumprinters'</b>? Restart smbd (or send a +<b class="command">kill -HUP</b> to all processes listed by +<b class="command">smbstatus</b> and try +again.</p></dd><dt><span class="term">My permissions on +<tt class="filename">/var/spool/samba/</tt> get reset after each +reboot</span></dt><dd><p>Have you by accident set the CUPS spool directory to +the same location? (<i class="parameter"><tt>RequestRoot +/var/spool/samba/</tt></i> in <tt class="filename">cupsd.conf</tt> or +the other way round: <tt class="filename">/var/spool/cups/</tt> is set as +<i class="parameter"><tt>path</tt></i> in the <i class="parameter"><tt>[printers]</tt></i> +section). These <span class="emphasis"><em>must</em></span> be different. Set +<i class="parameter"><tt>RequestRoot /var/spool/cups/</tt></i> in +<tt class="filename">cupsd.conf</tt> and <i class="parameter"><tt>path = +/var/spool/samba</tt></i> in the <i class="parameter"><tt>[printers]</tt></i> +section of <tt class="filename">smb.conf</tt>. Otherwise cupsd will +sanitize permissions to its spool directory with each restart, and +printing will not work reliably.</p></dd><dt><span class="term">My printers work fine: just the printer named "lp" +intermittently swallows jobs and spits out completely different +ones</span></dt><dd><p>It is a very bad idea to name any printer "lp". This +is the traditional Unix name for the default printer. CUPS may be set +up to do an automatic creation of "Implicit Classes". This means, to +group all printers with the same name to a pool of devices, and +loadbalancing the jobs across them in a round-robin fashion. Chances +are high that someone else has an "lp" named printer too. You may +receive his jobs and send your own to his device unwittingly. To have +tight control over the printer names, set <i class="parameter"><tt>BrowseShortNames +No</tt></i>. 
It will present any printer as "printername@cupshost" +then, giving you a better control over what may happen in a large +networked environment.</p></dd><dt><span class="term">How do I "watch" my Samba server?</span></dt><dd><p>You can use <b class="command">tail -f +/var/log/samba/log.smbd</b> (you may need a different path) to +see a live scrolling of all log messages. <b class="command">smbcontrol smbd +debuglevel</b> tells you which verbosity goes into the +logs. <b class="command">smbcontrol smbd debug 3</b> sets the verbosity to +a quite high level (you can choose from 0 to 10 or 100). This works +"on the fly", without the need to restart the smbd daemon. Don't use +more than 3 initially; or you'll drown in an ocean of +messages.</p></dd><dt><span class="term">I can't use Samba from my WinXP Home box, while +access from WinXP Prof works flawlessly</span></dt><dd><p>You have our condolences! WinXP home has been +completely neutered by Microsoft as compared to WinXP Prof: you can +not log into a WinNT domain. It cannot join a Win NT domain as a +member server. While it is possible to access domain resources, users +don't have "single sign-on". They need to supply username and password +each time they connect to a resource. Logon scripts and roaming +profiles are not supported. It can serve file and print shares; but +only in "share-mode security" level. It can not use "user-mode +security" (what Windows 95/98/ME still can +do).</p></dd><dt><span class="term">Where do I find the Adobe PostScript driver files +I need for "cupsaddsmb"?</span></dt><dd><p>Use <b class="command">smbclient</b> to connect to any +Windows box with a shared PostScript printer: <b class="command">smbclient +//windowsbox/print\$ -U guest</b>. You can navigate to the +<tt class="filename">W32X86/2</tt> subdir to <b class="command">mget ADOBE*</b> +and other files or to <tt class="filename">WIN40/0</tt> to do the same. 
-- +Another option is to download the <tt class="filename">*.exe</tt> packaged +files from the Adobe website.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2966041"></a>An Overview of the CUPS Printing Processes</h3></div></div><div></div></div><p> +</p><div class="figure"><a name="id2966052"></a><p class="title"><b>Figure 19.15. CUPS Printing Overview</b></p><div class="mediaobject"><img src="projdoc/imagefiles/a_small.png" alt="CUPS Printing Overview"></div></div><p> +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 18. Classical Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 20. Stackable VFS modules</td></tr></table></div></body></html> diff --git a/docs/htmldocs/ClientConfig.html b/docs/htmldocs/ClientConfig.html new file mode 100644 index 0000000000..395be92345 --- /dev/null +++ b/docs/htmldocs/ClientConfig.html 
@@ -0,0 +1,4 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901966"></a>Note</h2></div></div><div></div></div><p> +This chapter did not make it into this release. 
+It is planned for the published release of this document. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-Alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html> diff --git a/docs/htmldocs/DNSDHCP.html b/docs/htmldocs/DNSDHCP.html new file mode 100644 index 0000000000..dadf6b989a --- /dev/null +++ b/docs/htmldocs/DNSDHCP.html 
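Review bot: ClientConfig.html is a generated page whose entire body is "This chapter did not make it into this release", yet it is built as a numbered chapter with a table of contents holding a single "Note" entry and full Prev/Next navigation, so a reader paging through the guide lands on an empty Chapter 9. Consider leaving the chapter out of the build until it has content, or have the stub say where the interim information can be found. The same stub text is added for DNSDHCP.html and FastStart.html. These files also carry generator-assigned anchors (id2901966 here) that can change between builds and make later diffs of the checked-in HTML noisy.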
@@ -0,0 +1,4 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018605"></a>Note</h2></div></div><div></div></div><p> +This chapter did not make it into this release. 
+It is planned for the published release of this document. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html> diff --git a/docs/htmldocs/FastStart.html b/docs/htmldocs/FastStart.html new file mode 100644 index 0000000000..dbb85dea6e --- /dev/null +++ b/docs/htmldocs/FastStart.html 
@@ -0,0 +1,4 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886744"></a>Note</h2></div></div><div></div></div><p> +This chapter did not make it into this release. 
+It is planned for the published release of this document. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Further-Resources.html b/docs/htmldocs/Further-Resources.html new file mode 100644 index 0000000000..8030190ed4 --- /dev/null +++ b/docs/htmldocs/Further-Resources.html 
@@ -0,0 +1,100 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. 
Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018765"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p> + <a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top"> + <span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by "Hobbit"</a> + </p></li><li><p> + <a href="http://afr.com/it/2002/10/01/FFXDF43AP6D.html" target="_top"> + <span class="emphasis"><em>Doing the Samba on Windows</em></span> by Financial Review + </a> + </p></li><li><p> + <a href="http://ubiqx.org/cifs/" target="_top"> + <span class="emphasis"><em>Implementing CIFS</em></span> by Christopher R. 
Hertel + </a> + </p></li><li><p> + <a href="http://samba.anu.edu.au/cifs/docs/what-is-smb.html" target="_top"> + <span class="emphasis"><em>Just What Is SMB?</em></span> by Richard Sharpe + </a> + </p></li><li><p> + <a href="http://www.linux-mag.com/1999-05/samba_01.html" target="_top"> + <span class="emphasis"><em>Opening Windows Everywhere</em></span> by Mike Warfield + </a> + </p></li><li><p> + <a href="http://www.tldp.org/HOWTO/SMB-HOWTO.html" target="_top"> + <span class="emphasis"><em>SMB HOWTO</em></span> by David Wood + </a> + </p></li><li><p> + <a href="http://www.phrack.org/phrack/60/p60-0x0b.txt" target="_top"> + <span class="emphasis"><em>SMB/CIFS by The Root</em></span> by "ledin" + </a> + </p></li><li><p> + <a href="http://www.linux-mag.com/1999-09/samba_01.html" target="_top"> + <span class="emphasis"><em>The Story of Samba</em></span> by Christopher R. Hertel + </a> + </p></li><li><p> + <a href="http://hr.uoregon.edu/davidrl/samba/" target="_top"> + <span class="emphasis"><em>The Unofficial Samba HOWTO</em></span> by David Lechnyr + </a> + </p></li><li><p> + <a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top"> + <span class="emphasis"><em>Understanding the Network Neighborhood</em></span> by Christopher R. Hertel + </a> + </p></li><li><p> + <a href="http://www.linux-mag.com/2002-02/samba_01.html" target="_top"> + <span class="emphasis"><em>Using Samba as a PDC</em></span> by Andrew Bartlett + </a> + </p></li><li><p> + <a href="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf" target="_top"> + <span class="emphasis"><em>PDF version of the Troubleshooting Techniques chapter</em></span> + from the second edition of Sam's Teach Yourself Samba in 24 Hours + (publishing date of Dec. 
12, 2001)</a> + </p></li><li><p> + <a href="http://ru.samba.org/samba/ftp/slides/" target="_top"> + <span class="emphasis"><em>Slide presentations</em></span> by Samba Team members + </a> + </p></li><li><p> + <a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top"> + <span class="emphasis"><em>Introduction to Samba 3.0</em></span> by Motonobu Takahashi + (written in Japanese). </a> + </p></li><li><p> + <a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top"> + <span class="emphasis"><em>Understanding the Network Neighborhood</em></span>, by team member + Chris Hertel. This article appeared in the May 2001 issue of + Linux Magazine. + </a> + </p></li><li><p> + <a href="ftp://ftp.stratus.com/pub/vos/customers/samba/" target="_top"> + <span class="emphasis"><em>Samba 2.0.x Troubleshooting guide</em></span> from Paul Green + </a> + </p></li><li><p> + <a href="http://samba.org/samba/docs/10years.html" target="_top"> + <span class="emphasis"><em>Ten Years of Samba</em></span> + </a> + </p></li><li><p> + <a href="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html" target="_top"> + <span class="emphasis"><em>Samba Authenticated Gateway HOWTO</em></span> + </a> + </p></li><li><p> + <a href="http://samba.org/samba/docs/SambaIntro.html" target="_top"> + <span class="emphasis"><em>An Introduction to Samba</em></span> + </a> + </p></li><li><p> + <a href="http://www.samba.org/cifs/" target="_top"> + <span class="emphasis"><em>What is CIFS?</em></span> + </a> + </p></li><li><p> + <a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top"> + <span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager + Security</em></span> at Microsoft Knowledge Base + </a> + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020416"></a>Related updates from Microsoft</h2></div></div><div></div></div><div 
class="itemizedlist"><ul type="disc"><li><p> + <a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top"> + <span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span> + </a> + </p></li><li><p> + <a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top"> + <span class="emphasis"><em>Windows '95 File Sharing Updates</em></span> + </a> + </p></li><li><p> + <a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top"> + <span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span> + </a> + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020431"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html> diff --git a/docs/htmldocs/InterdomainTrusts.html b/docs/htmldocs/InterdomainTrusts.html new file mode 100644 index 0000000000..8938b84c42 --- /dev/null +++ b/docs/htmldocs/InterdomainTrusts.html 
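Review bot: The Websites list in Further-Resources.html links "Understanding the Network Neighborhood" twice with the same URL (http://www.linux-mag.com/2001-05/smb_01.html); one of the two entries should go. Under "Related updates from Microsoft", "Enhanced Encryption for Windows 95 Password Cache" points at q92/5/88.asp, the article already listed above as "WFWG: Password Caching and How It Affects LAN Manager Security", and both "Windows '95 File Sharing Updates" and "Windows for Workgroups Sharing Updates" point at q136/4/18.asp, so these hrefs look copy-pasted and need checking against the intended articles. The "Books" section appears in the table of contents but has no body.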
@@ -0,0 +1,175 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. 
Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:mimir@samba.org">mimir@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2933376">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2933404">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2933488">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933501">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2933586">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933622">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933649">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2933790">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933922">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933937">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p> +Samba-3 supports NT4 style domain trust relationships. 
This is feature that many sites +will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to +adopt Active Directory or an LDAP based authentication back end. This section explains +some background information regarding trust relationships and how to create them. It is now +possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933376"></a>Features and Benefits</h2></div></div><div></div></div><p> +Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style +trust relationships. This imparts to Samba similar scalability as is possible with +MS Windows NT4. +</p><p> +Given that Samba-3 has the capability to function with a scalable backend authentication +database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control +modes, the administrator would be well advised to consider alternatives to the use of +Interdomain trusts simply because by the very nature of how this works it is fragile. +That was, after all, a key reason for the development and adoption of Microsoft Active Directory. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933404"></a>Trust Relationship Background</h2></div></div><div></div></div><p> +MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. +The limitations of this architecture as it affects the scalability of MS Windows networking +in large organisations is well known. Additionally, the flat-name space that results from +this design significantly impacts the delegation of administrative responsibilities in +large and diverse organisations. +</p><p> +Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means +of circumventing the limitations of the older technologies. 
Not every organisation is ready +or willing to embrace ADS. For small companies the older NT4 style domain security paradigm +is quite adequate, there thus remains an entrenched user base for whom there is no direct +desire to go through a disruptive change to adopt ADS. +</p><p> +Microsoft introduced with MS Windows NT the ability to allow differing security domains +to affect a mechanism so that users from one domain may be given access rights and privileges +in another domain. The language that describes this capability is couched in terms of +<span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users +from another domain. The domain from which users are available to another security domain is +said to be a trusted domain. The domain in which those users have assigned rights and privileges +is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, +thus if users in both domains are to have privileges and rights in each others' domain, then it is +necessary to establish two (2) relationships, one in each direction. +</p><p> +In an NT4 style MS security domain, all trusts are non-transitive. This means that if there +are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust +relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no +implied trust between the RED and BLUE domains. ie: Relationships are explicit and not +transitive. +</p><p> +New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way +by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE +domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is +an inherent feature of ADS domains. 
Samba-3 implements MS Windows NT4 +style Interdomain trusts and interoperates with MS Windows 200x ADS +security domains in similar manner to MS Windows NT4 style domains. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933488"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p> +There are two steps to creating an interdomain trust relationship. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933501"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p> +For MS Windows NT4, all domain trust relationships are configured using the +<span class="application">Domain User Manager</span>. To affect a two way trust relationship it is +necessary for each domain administrator to make available (for use by an external domain) it's +security resources. This is done from the Domain User Manager Policies entry on the menu bar. +From the <span class="guimenu">Policy</span> menu, select <span class="guimenuitem">Trust Relationships</span>, then +next to the lower box that is labelled <span class="guilabel">Permitted to Trust this Domain</span> are two +buttons, <span class="guibutton">Add</span> and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span> +button will open a panel in which needs to be entered the remote domain that will be able to assign +user rights to your domain. In addition it is necessary to enter a password +that is specific to this trust relationship. The password needs to be +typed twice (for standard confirmation). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933586"></a>NT4 as the Trusted Domain (ie. 
creating trusted account's password)</h3></div></div><div></div></div><p> +A trust relationship will work only when the other (trusting) domain makes the appropriate connections +with the trusted domain. To consummate the trust relationship the administrator will launch the +Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the +<span class="guibutton">Add</span> button that is next to the box that is labelled +<span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote +domain as well as the password assigned to that trust. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933622"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p> +This description is meant to be a fairly short introduction about how to set up a Samba server so +that it could participate in interdomain trust relationships. Trust relationship support in Samba +is in its early stage, so lot of things don't work yet. +</p><p> +Each of the procedures described below is treated as they were performed with Windows NT4 Server on +one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after +reading this document, that combining Samba-specific parts of what's written below leads to trust +between domains in purely Samba environment. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933649"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p> +In order to set the Samba PDC to be the trusted party of the relationship first you need +to create special account for the domain that will be the trusting party. To do that, +you can use the 'smbpasswd' utility. Creating the trusted domain account is very +similar to creating a trusted machine account. 
Suppose, your domain is +called SAMBA, and the remote domain is called RUMBA. The first step +will be to issue this command from your favourite shell: +</p><p> +</p><pre class="screen"> +<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b> + New SMB password: XXXXXXXX + Retype SMB password: XXXXXXXX + Added user rumba$ +</pre><p> + +where <tt class="option">-a</tt> means to add a new account into the +passdb database and <tt class="option">-i</tt> means: ''create this +account with the InterDomain trust flag'' +</p><p> +The account name will be 'rumba$' (the name of the remote domain) +</p><p> +After issuing this command you'll be asked to enter the password for +the account. You can use any password you want, but be aware that Windows NT will +not change this password until 7 days following account creation. +After the command returns successfully, you can look at the entry for the new account +(in the standard way depending on your configuration) and see that account's name is +really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm +the trust by establishing it from Windows NT Server. +</p><p> +Open <span class="application">User Manager for Domains</span> and from menu +<span class="guimenu">Policies</span> select <span class="guimenuitem">Trust Relationships...</span>. +Right beside <span class="guilabel">Trusted domains</span> list box press the +<span class="guimenu">Add...</span> button. You will be prompted for +the trusted domain name and the relationship password. Type in SAMBA, as this is +your domain name, and the password used at the time of account creation. +Press OK and, if everything went without incident, you will see +<tt class="computeroutput">Trusted domain relationship successfully +established</tt> message. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933790"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p> +This time activities are somewhat reversed. Again, we'll assume that your domain +controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA. +</p><p> +The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC. +</p><p> +Launch the <span class="application">Domain User Manager</span>, then from the menu select +<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>. +Now, next to <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span> +button, and type in the name of the trusted domain (SAMBA) and password securing +the relationship. +</p><p> +The password can be arbitrarily chosen. It is easy to change the password +from the Samba server whenever you want. After confirming the password your account is +ready for use. Now it's Samba's turn. +</p><p> +Using your favourite shell while being logged in as root, issue this command: +</p><p> +<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b> +</p><p> +You will be prompted for the password you just typed on your Windows NT4 Server box. +Do not worry if you see an error message that mentions a returned code of +<span class="errorname">NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</span>. It means the +password you gave is correct and the NT4 Server says the account is +ready for interdomain connection and not for ordinary +connection. After that, be patient it can take a while (especially +in large networks), you should see the <tt class="computeroutput">Success</tt> message. +Congratulations! Your trust relationship has just been established. 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Note that you have to run this command as root because you must have write access to +the <tt class="filename">secrets.tdb</tt> file. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933922"></a>Common Errors</h2></div></div><div></div></div><p> +Interdomain trust relationships should NOT be attempted on networks that are unstable +or that suffer regular outages. Network stability and integrity are key concerns with +distributed trusted domains. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933937"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p> + Like many, I administer multiple LANs connected together using NT trust + relationships. This was implemented about 4 years ago. I now have the + occasion to consider performing this same task again, but this time, I + would like to implement it solely through samba - no Microsoft PDCs + anywhere. + </p><p> + I have read documentation on samba.org regarding NT-style trust + relationships and am now wondering, can I do what I want to? I already + have successfully implemented 2 samba servers, but they are not PDCs. + They merely act as file servers. I seem to remember, and it appears to + be true (according to samba.org) that trust relationships are a + challenge. + </p><p> + Please provide any helpful feedback that you may have. + </p><p> + These are almost complete in Samba 3.0 snapshots. The main catch + is getting winbindd to be able to allocate UID/GIDs for trusted + users/groups. See the updated Samba HOWTO collection for more + details. 
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html> diff --git a/docs/htmldocs/IntroSMB.html b/docs/htmldocs/IntroSMB.html new file mode 100644 index 0000000000..f9c2539112 --- /dev/null +++ b/docs/htmldocs/IntroSMB.html 
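Review bot: In the "Common Errors" section of the trust-relationships chapter that ends above, the entry "Tell me about Trust Relationships using Samba" reads as a mailing-list exchange pasted in whole. The first-person question runs straight into the answer with nothing marking where one ends and the other begins, and the answer sends the reader to "the updated Samba HOWTO collection", which is the document being read. Suggest marking the question and the answer separately and replacing the self-reference with a link to the relevant chapter. In "Samba-3 as the Trusted Domain", "The very first thing requirement is" has a leftover word and "After that, be patient it can take a while" needs punctuation. Since the same section describes the password as "securing the relationship", "The password can be arbitrarily chosen" would be better worded as advice to choose a strong one.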
@@ -0,0 +1,174 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. 
Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></div><p>“<span class="quote"> +"If you understand what you're doing, you're not learning anything." +-- Anonymous +</span>”</p><p> +Samba is a file and print server for Windows-based clients using TCP/IP as the underlying +transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big +strengths is that you can use it to blend your mix of Windows and Linux machines together +without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed +by a global team of about 30 active programmers and was originally developed by Andrew Tridgell. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885613"></a>Background</h2></div></div><div></div></div><p> +Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed +Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was +originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only +ran over UDP. 
When there was a need to run it over TCP so that it would be compatible +with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became +known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to +license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the +concept continued in the form of SMB (Server Message Block, or the "what") using the +NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can +run SMB (i.e., transport) over several different protocols; many different implementations +arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT +(NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form +of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing +term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445 +only. As of yet, direct-hosted TCP has yet to catch on. +</p><p> +Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS: +Common Insecurities Fail Scrutiny: +</p><p><span class="emphasis"><em> +Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba +stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have +been dutifully waded through during the information-gathering stages of this project, and there +are *still* many missing pieces... While often tedious, at least the way has been generously +littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they +thinking? +</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885824"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p> + SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol. 
+ </p></li><li><p> + CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently + decided that SMB needed the word "Internet" in it, so they changed it to CIFS. + </p></li><li><p> + Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp + only using DNS for name resolution instead of WINS. + </p></li><li><p> + IPC: Acronym for "Inter-Process Communication". A method to communicate specific + information between programs. + </p></li><li><p> + Marshalling: - A method of serializing (i.e., sequential ordering of) variable data + suitable for transmission via a network connection or storing in a file. The source + data can be re-created using a similar process called unmarshalling. + </p></li><li><p> + NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol; + it is a method of communication across an existing protocol. This is a standard which + was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit, + it can help to think of this in comparison your computer's BIOS -- it controls the + essential functions of your input/output hardware -- whereas NetBIOS controls the + essential functions of your input/output traffic via the network. Again, this is a bit + of an exaggeration but it should help that paradigm shift. What is important to realize + is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically + brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second + thought; this will cause no end (and no doubt) of confusion. + </p></li><li><p> + NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI + is a protocol, not a standard. It is also not routable, so traffic on one side of a + router will be unable to communicate with the other side. 
Understanding NetBEUI is + not essential to deciphering SMB; however it helps to point out that it is not the + same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally + referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver". + It is not often heard from these days. + </p></li><li><p> + NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use + of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made + to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports. + This is how file and printer sharing are accomplished in Windows 95/98/ME. They + traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137, + NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service + (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts, + and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002 + (Detailed specifications). + </p></li><li><p> + W2K: Acronym for Windows 2000 Professional or Server + </p></li><li><p> + W3K: Acronym for Windows 2003 Server + </p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at +<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>). +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885978"></a>Related Projects</h2></div></div><div></div></div><p> +There are currently two network filesystem client projects for Linux that are directly +related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself. 
+</p><div class="itemizedlist"><ul type="disc"><li><p> + SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol + that Microsoft Windows and OS/2 Lan Manager use to share files and printers + over local networks) and access them just like any other Unix directory. This is useful + if you just want to mount such filesystems without being a SMBFS server. + </p></li><li><p> + CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and + is being actively developed for the upcoming version of the Linux kernel. The intent of this module + is to provide advanced network file system functionality including support for dfs (hierarchical + name space), secure per-user session establishment, safe distributed caching (oplock), + optional packet signing, Unicode and other internationalization improvements, and optional + Winbind (nsswitch) integration. + </p></li></ul></div><p> +Again, it's important to note that these are implementations for client filesystems, and have +nothing to do with acting as a file and print server for SMB/CIFS clients. +</p><p> +There are other Open Source CIFS client implementations, such as the +<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a> +which provides an SMB client toolkit written in Java. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886047"></a>SMB Methodology</h2></div></div><div></div></div><p> +Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns), +UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS +session service, or netbios-ssn). Anyone looking at their network with a good +packet sniffer will be amazed at the amount of traffic generated by just opening +up a single file. 
In general, SMB sessions are established in the following order: +</p><div class="itemizedlist"><ul type="disc"><li><p> + "TCP Connection" - establish 3-way handshake (connection) to port 139/tcp + or 445/tcp. + </p></li><li><p> + "NetBIOS Session Request" - using the following "Calling Names": The local + machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS + name plus the 16th character 0x20 + </p></li><li><p> + "SMB Negotiate Protocol" - determine the protocol dialect to use, which will + be one of the following: PC Network Program 1.0 (Core) - share level security + mode only; Microsoft Networks 1.03 (Core Plus) - share level security + mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response + Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response + Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response + Authentication + </p></li><li><p> + SMB Session Startup. Passwords are encrypted (or not) according to one of + the following methods: Null (no encryption); Cleartext (no encryption); LM + and NTLM; NTLM; NTLMv2 + </p></li><li><p> + SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect + to a service type (e.g., IPC$ named pipe) + </p></li></ul></div><p> +A good way to examine this process in depth is to try out +<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>. +It allows you to walk through the establishment of a SMB/CIFS session step by step. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886135"></a>Epilogue</h2></div></div><div></div></div><p>“<span class="quote"> +What's fundamentally wrong is that nobody ever had any taste when they +did it. Microsoft has been very much into making the user interface look good, +but internally it's just a complete mess. 
And even people who program for Microsoft +and who have had years of experience, just don't know how it works internally. +Worse, nobody dares change it. Nobody dares to fix bugs because it's such a +mess that fixing one bug might just break a hundred programs that depend on +that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested +in making money. They don't have anybody who takes pride in Windows 95 as an +operating system. +</span>”</p><p>“<span class="quote"> +People inside Microsoft know it's a bad operating system and they still +continue obviously working on it because they want to get the next version out +because they want to have all these new features to sell more copies of the +system. +</span>”</p><p>“<span class="quote"> +The problem with that is that over time, when you have this kind of approach, +and because nobody understands it, because nobody REALLY fixes bugs (other than +when they're really obvious), the end result is really messy. You can't trust +it because under certain circumstances it just spontaneously reboots or just +halts in the middle of something that shouldn't be strange. Normally it works +fine and then once in a blue moon for some completely unknown reason, it's dead, +and nobody knows why. Not Microsoft, not the experienced user and certainly +not the completely clueless user who probably sits there shivering thinking +"What did I do wrong?" when they didn't do anything wrong at all. +</span>”</p><p>“<span class="quote"> +That's what's really irritating to me." +</span>”</p><p>-- +<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886209"></a>Miscellaneous</h2></div></div><div></div></div><p> +This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com). 
+Permission is granted to copy, distribute and/or modify this document under the terms +of the GNU Free Documentation License, Version 1.2 or any later version published by the Free +Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html> diff --git a/docs/htmldocs/NT4Migration.html b/docs/htmldocs/NT4Migration.html new file mode 100644 index 0000000000..72c6269f0e --- /dev/null +++ b/docs/htmldocs/NT4Migration.html 
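Review bot: In "SMB Methodology" of IntroSMB.html, the "NetBIOS Session Request" item lists two names under the label "Calling Names", but only the local machine's name (16th character 0x00) is the calling name. The server's name (16th character 0x20) is the called name, so the label should read something like "called and calling names". The same list packs the dialects, the password methods and the tree-connect targets into semicolon-separated runs inside single items; nested lists would keep them readable. In "Terminology", the NBT entry says "NetBIOS names are made to IP addresses", which is missing a word (presumably "mapped"), "Marshalling: - A method" has a stray dash, and "in comparison your computer's BIOS" is missing "to". The quotation from "CIFS: Common Insecurities Fail Scrutiny" opens a single quote before "crikey" that is never closed and carries no author or link, and the last paragraph of the Torvalds quotation ends with a stray double quote.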
@@ -0,0 +1,202 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. 
Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></div><p> +This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3 based domain control. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001339"></a>Planning and Getting Started</h2></div></div><div></div></div><p> +In the IT world there is often a saying that all problems are encountered because of +poor planning. The corollary to this saying is that not all problems can be anticipated +and planned for. Then again, good planning will anticipate most show stopper type situations. +</p><p> +Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get under way. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001368"></a>Objectives</h3></div></div><div></div></div><p> +The key objective for most organisations will be to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be one of convincing management that the new environment +should remain in place. Many who have introduced open source technologies have experienced +pressure to return to a Microsoft based platform solution at the first sign of trouble. +</p><p> +It is strongly advised that before attempting a migration to a Samba-3 controlled network +that every possible effort be made to gain all-round commitment to the change. Firstly, you +should know precisely <span class="emphasis"><em>why</em></span> the change is important for the organisation. +Possible motivations to make a change include: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Improve network manageability</td></tr><tr><td>Obtain better user level functionality</td></tr><tr><td>Reduce network operating costs</td></tr><tr><td>Reduce exposure caused by Microsoft withdrawal of NT4 support</td></tr><tr><td>Avoid MS License 6 implications</td></tr><tr><td>Reduce organisation's dependency on Microsoft</td></tr></table><p> +It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and that offers some +advantages compared with it. It should also be recognised that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services). +</p><p> +What are the features that Samba-3 can NOT provide? 
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Directory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directory</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p> +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-sign-on architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p> +Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are +considered. Users should be educated about changes they may experience so that the change will be a +welcome one and not become an obstacle to the work they need to do. The following are some of the +factors that will go into a successful migration: +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002882"></a>Domain Layout</h4></div></div><div></div></div><p> +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. 
The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one +chooses to use an LDAP authentication backend then the same database can be used by several different +domains. This means that in a complex organisation there can be a single LDAP database, that itself +can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed). +</p><p> +It is recommended that from a design perspective, the number of users per server, as well as the number +of servers, per domain should be scaled according to needs and should also consider server capacity +and network bandwidth. +</p><p> +A physical network segment may house several domains, each of which may span multiple network segments. +Where domains span routed network segments it is most advisable to consider and test the performance +implications of the design and layout of a network. A Centrally located domain controller that is being +designed to serve multiple routed network segments may result in severe performance problems if the +response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations +where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as +the local authentication and access control server. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002935"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p> +There are few cardinal rules to effective network design that can be broken with impunity. +The most important rule of effective network management is that simplicity is king in every +well controlled network. 
Every part of the infrastructure must be managed, the more complex +it is, the greater will be the demand of keeping systems secure and functional. +</p><p> +The nature of the data that must be stored needs to be born in mind when deciding how many +shares must be created. The physical disk space layout should also be taken into account +when designing where share points will be created. Keep in mind that all data needs to be +backed up, thus the simpler the disk layout the easier it will be to keep track of what must +be backed up to tape or other off-line storage medium. Always plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. +</p><p> +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. +</p><p> +Many network administrators who are new to the game will attempt to use elaborate techniques +to set access controls, on files, directories, shares, as well as in share definitions. +There is the ever present danger that that administrator's successor will not understand the +complex mess that has been inherited. Remember, apparent job security through complex design +and implementation may ultimately cause loss of operations and downtime to users as the new +administrator learns to untangle your web. Keep access controls simple and effective and +make sure that users will never be interrupted by the stupidity of complexity. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002997"></a>Logon Scripts</h4></div></div><div></div></div><p> +Please refer to the section of this document on Advanced Network Administration for information +regarding the network logon script options for Samba-3. Logon scripts can help to ensure that +all users gain share and printer connections they need. +</p><p> +Logon scripts can be created on-the-fly so that all commands executed are specific to the +rights and privileges granted to the user. The preferred controls should be affected through +group membership so that group information can be used to custom create a logon script using +the <i class="parameter"><tt>root preexec</tt></i> parameters to the <tt class="filename">NETLOGON</tt> share. +</p><p> +Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3003055"></a>Profile Migration/Creation</h4></div></div><div></div></div><p> +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. +</p><p> +Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3004018"></a>User and Group Accounts</h4></div></div><div></div></div><p> +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before +attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to connect these to +suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes +should migrate painlessly. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004043"></a>Steps In Migration Process</h3></div></div><div></div></div><p> +The approximate migration process is described below. +</p><div class="itemizedlist"><ul type="disc"><li><p> +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated +</p></li><li><p> +Samba-3 set up as a DC with netlogon share, profile share, etc. +</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. 
The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been migrated</p></li></ol></li></ol></div><p> +Now it is time to migrate all the profiles, then 
migrate all policy files. +More later. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3004381"></a>Migration Options</h2></div></div><div></div></div><p> +Based on feedback from many sites as well as from actual installation and maintenance +experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba +based solution fit into three basic categories. +</p><div class="table"><a name="id3004398"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>< 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>> 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004462"></a>Planning for Success</h3></div></div><div></div></div><p> +There are three basic choices for sites that intend to migrate from MS Windows NT4 +to Samba-3. 
+</p><div class="itemizedlist"><ul type="disc"><li><p> + Simple Conversion (total replacement) + </p></li><li><p> + Upgraded Conversion (could be one of integration) + </p></li><li><p> + Complete Redesign (completely new solution) + </p></li></ul></div><p> +No matter what choice you make, the following rules will minimise down-stream problems: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Take sufficient time + </p></li><li><p> + Avoid Panic + </p></li><li><p> + Test ALL assumptions + </p></li><li><p> + Test full roll-out program, including workstation deployment + </p></li></ul></div><div class="table"><a name="id3004535"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a 
name="id3004704"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting"> +Authentication database back end + Winbind (external Samba or NT4/200x server) + Can use pam_mkhomedir.so to auto-create home dirs + External server could use Active Directory or NT4 Domain + +Database type + smbpasswd, tdbsam, ldapsam, mysqlsam + +Access Control Points + On the Share itself (Use NT4 Server Manager) + On the file system + Unix permissions on files and directories + Enable Posix ACLs in file system? + Through Samba share parameters + Not recommended - except as only resort + +Policies (migrate or create new ones) + Group Policy Editor (NT4) + Watch out for Tattoo effect + +User and Group Profiles + Platform specific so use platform tool to change from a Local + to a Roaming profile Can use new profiles tool to change SIDs + (NTUser.DAT) + +Logon Scripts (Know how they work) + +User and Group mapping to Unix/Linux + username map facility may be needed + Use 'net groupmap' to connect NT4 groups to Unix groups + Use pdbedit to set/change user configuration +NOTE: +If migrating to LDAP back end it may be easier to dump initial LDAP database +to LDIF, then edit, then reload into LDAP + + OS specific scripts / programs may be needed + Add / delete Users + Note OS limits on size of name (Linux 8 chars) + NT4 up to 254 chars + Add / delete machines + Applied only to domain members (note up to 16 chars) + Add / delete Groups + Note OS limits on size and nature + Linux limit is 16 char, + no spaces and no upper case chars (groupadd) + +Migration Tools + Domain Control (NT4 Style) + Profiles, Policies, Access Controls, Security + +Migration Tools + Samba: net, rpcclient, smbpasswd, pdbedit, profiles + Windows: NT4 Domain User Manager, Server Manager (NEXUS) + +Authentication + New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) +</pre><p> +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td 
width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html> diff --git a/docs/htmldocs/NetworkBrowsing.html b/docs/htmldocs/NetworkBrowsing.html new file mode 100644 index 0000000000..eb4d9858ca --- /dev/null +++ b/docs/htmldocs/NetworkBrowsing.html 
@@ -0,0 +1,957 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. 
Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2903558">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2903637">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2903747">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903764">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2903926">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2904058">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2904194">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2904320">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2904541">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2904811">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2904967">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2904984">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2905013">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2905122">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905183">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905341">Setting up a WINS 
server</a></dt><dt><a href="NetworkBrowsing.html#id2905540">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2905565">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905650">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905663">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2905730">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905867">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905914">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2906021">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2906100">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906720">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906735">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2906764">My client reports "This server is not configured to list shared resources"</a></dt></dl></dd></dl></div><p> +This document contains detailed information as well as a fast track guide to +implementing browsing across subnets and / or across workgroups (or domains). +WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is +NOT involved in browse list handling except by way of name to address resolution. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +MS Windows 2000 and later can be configured to operate with NO NetBIOS +over TCP/IP. Samba-3 and later also supports this mode of operation. +When the use of NetBIOS over TCP/IP has been disabled then the primary +means for resolution of MS Windows machine names is via DNS and Active Directory. +The following information assumes that your site is running NetBIOS over TCP/IP. 
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903558"></a>Features and Benefits</h2></div></div><div></div></div><p> +Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times, +they were the best of times. The more we look back, them more we long for what was and +hope it never returns!</em></span>. +</p><p> +For many MS Windows network administrators, that statement sums up their feelings about +NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle +nature was just par for the course. For those who never quite managed to tame its +lusty features, NetBIOS is like Paterson's Curse. +</p><p> +For those not familiar with botanical problems in Australia: Paterson's curse, +Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth +century. Since then it has spread rapidly. The high seed production, with densities of +thousands of seeds per square metre, a seed longevity of more than seven years, and an +ability to germinate at any time of year, given the right conditions, are some of the +features which make it such a persistent weed. +</p><p> +In this chapter we explore vital aspects of SMB (Server Message Block) networking with +a particular focus on SMB as implemented through running NetBIOS (Network Basic +Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over +any other protocols we need to know how to configure our network environment and simply +remember to use nothing but TCP/IP on all our MS Windows network clients. +</p><p> +Samba provides the ability to implement a WINS (Windows Internetworking Name Server) +and implements extensions to Microsoft's implementation of WINS. These extensions +help Samba to affect stable WINS operations beyond the normal scope of MS WINS. 
+</p><p> +Please note that WINS is exclusively a service that applies only to those systems +that run NetBIOS over TCP/IP. MS Windows 200x / XP have the capacity to turn off +support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports this also. +</p><p> +For those networks on which NetBIOS has been disabled (ie: WINS is NOT required) +the use of DNS is necessary for host name resolution. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903637"></a>What is Browsing?</h2></div></div><div></div></div><p> +To most people browsing means that they can see the MS Windows and Samba servers +in the Network Neighborhood, and when the computer icon for a particular server is +clicked, it opens up and shows the shares and printers available on the target server. +</p><p> +What seems so simple is in fact a very complex interaction of different technologies. +The technologies (or methods) employed in making all of this work includes: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>MS Windows machines register their presence to the network</td></tr><tr><td>Machines announce themselves to other machines on the network</td></tr><tr><td>One or more machine on the network collates the local announcements</td></tr><tr><td>The client machine finds the machine that has the collated list of machines</td></tr><tr><td>The client machine is able to resolve the machine names to IP addresses</td></tr><tr><td>The client machine is able to connect to a target machine</td></tr></table><p> +The Samba application that controls browse list management and name resolution is +called <tt class="filename">nmbd</tt>. 
The configuration parameters involved in nmbd's operation are: +</p><pre class="programlisting"> + + Browsing options: + ----------------- + * os level + lm announce + lm interval + * preferred master + * local master + * domain master + browse list + enhanced browsing + + Name Resolution Method: + ----------------------- + * name resolve order + + WINS options: + ------------- + dns proxy + wins proxy + * wins server + * wins support + wins hook +</pre><p> +For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with +an '*' are the only options that commonly MAY need to be modified. Even if not one of these +parameters is set <tt class="filename">nmbd</tt> will still do it's job. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903747"></a>Discussion</h2></div></div><div></div></div><p> +Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging. +SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports +NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS +support. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903764"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p> +Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP. +MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to +affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging. +UDP messages can be broadcast or unicast. +</p><p> +Normally, only unicast UDP messaging can be forwarded by routers. The +<b class="command">remote announce</b> parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. 
Similarly, the +<b class="command">remote browse sync</b> parameter of <tt class="filename">smb.conf</tt> +implements browse list collation using unicast UDP. +</p><p> +Secondly, in those networks where Samba is the only SMB server technology, +wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS +server. This makes it easy to manage the browsing environment. If each network +segment is configured with it's own Samba WINS server, then the only way to +get cross segment browsing to work is by using the +<b class="command">remote announce</b> and the <b class="command">remote browse sync</b> +parameters to your <tt class="filename">smb.conf</tt> file. +</p><p> +If only one WINS server is used for an entire multi-segment network then +the use of the <b class="command">remote announce</b> and the +<b class="command">remote browse sync</b> parameters should NOT be necessary. +</p><p> +As of Samba 3 WINS replication is being worked on. The bulk of the code has +been committed, but it still needs maturation. This is NOT a supported feature +of the Samba-3.0.0 release. Hopefully, this will become a supported feature +of one of the Samba-3 release series. +</p><p> +Right now Samba WINS does not support MS-WINS replication. This means that +when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt> +configured as a WINS server on the network. Some sites have used multiple Samba WINS +servers for redundancy (one server per subnet) and then used +<b class="command">remote browse sync</b> and <b class="command">remote announce</b> +to affect browse list collation across all segments. Note that this means clients +will only resolve local names, and must be configured to use DNS to resolve names +on other subnets in order to resolve the IP addresses of the servers they can see +on other subnets. 
This setup is not recommended, but is mentioned as a practical +consideration (ie: an 'if all else fails' scenario). +</p><p> +Lastly, take note that browse lists are a collection of unreliable broadcast +messages that are repeated at intervals of not more than 15 minutes. This means +that it will take time to establish a browse list and it can take up to 45 +minutes to stabilise, particularly across network segments. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903926"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p> +All TCP/IP using systems use various forms of host name resolution. The primary +methods for TCP/IP hostname resolutions involves either a static file (<tt class="filename">/etc/hosts +</tt>) or DNS (the Domain Name System). DNS is the technology that makes +the Internet usable. DNS based host name resolution is supported by nearly all TCP/IP +enabled systems. Only a few embedded TCP/IP systems do not support DNS. +</p><p> +When an MS Windows 200x / XP system attempts to resolve a host name to an IP address +it follows a defined path: +</p><div class="orderedlist"><ol type="1"><li><p> + Checks the <tt class="filename">hosts</tt> file. It is located in + <tt class="filename">C:\WinNT\System32\Drivers\etc</tt>. + </p></li><li><p> + Does a DNS lookup + </p></li><li><p> + Checks the NetBIOS name cache + </p></li><li><p> + Queries the WINS server + </p></li><li><p> + Does a broadcast name lookup over UDP + </p></li><li><p> + Looks up entries in LMHOSTS. It is located in + <tt class="filename">C:\WinNT\System32\Drivers\etc</tt>. + </p></li></ol></div><p> +Windows 200x / XP can register it's host name with a Dynamic DNS server. You can +force register with a Dynamic DNS server in Windows 200x / XP using: +<b class="command">ipconfig /registerdns</b> +</p><p> +With Active Directory (ADS), a correctly functioning DNS server is absolutely +essential. 
In the absence of a working DNS server that has been correctly configured, +MS Windows clients and servers will be totally unable to locate each other, +consequently network services will be severely impaired. +</p><p> +The use of Dynamic DNS is highly recommended with Active Directory, in which case +the use of BIND9 is preferred for it's ability to adequately support the SRV (service) +records that are needed for Active Directory. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904058"></a>DNS and Active Directory</h3></div></div><div></div></div><p> +Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic +DNS server in place of the Microsoft DNS server. While this might be desirable to some, the +MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible +to use BIND version 8 or 9, but it will almost certainly be necessary to create service records +so that MS Active Directory clients can resolve host names to locate essential network services. +The following are some of the default service records that Active Directory requires: +</p><div class="itemizedlist"><ul type="disc"><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p> + This provides the address of the Windows NT PDC for the Domain. + </p></li><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p> + Resolves the addresses of Global Catalog servers in the domain. + </p></li><li><p>_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p> + Provides list of domain controllers based on sites. + </p></li><li><p>_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p> + Enumerates list of domain controllers that have the writable + copies of the Active Directory data store. 
+ </p></li><li><p>_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p> + Entry used by MS Windows clients to locate machines using the + Global Unique Identifier. + </p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p> + Used by MS Windows clients to locate site configuration dependent + Global Catalog server. + </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904194"></a>How Browsing Functions</h2></div></div><div></div></div><p> +MS Windows machines register their NetBIOS names +(ie: the machine name for each service type in operation) on start +up. The exact method by which this name registration +takes place is determined by whether or not the MS Windows client/server +has been given a WINS server address, whether or not LMHOSTS lookup +is enabled, or if DNS for NetBIOS name resolution is enabled, etc. +</p><p> +In the case where there is no WINS server, all name registrations as +well as name lookups are done by UDP broadcast. This isolates name +resolution to the local subnet, unless LMHOSTS is used to list all +names and IP addresses. In such situations Samba provides a means by +which the Samba server name may be forcibly injected into the browse +list of a remote MS Windows network (using the +<b class="command">remote announce</b> parameter). +</p><p> +Where a WINS server is used, the MS Windows client will use UDP +unicast to register with the WINS server. Such packets can be routed +and thus WINS allows name resolution to function across routed networks. +</p><p> +During the startup process an election will take place to create a +local master browser if one does not already exist. On each NetBIOS network +one machine will be elected to function as the domain master browser. 
This +domain browsing has nothing to do with MS security domain control. +Instead, the domain master browser serves the role of contacting each local +master browser (found by asking WINS or from LMHOSTS) and exchanging browse +list contents. This way every master browser will eventually obtain a complete +list of all machines that are on the network. Every 11-15 minutes an election +is held to determine which machine will be the master browser. By the nature of +the election criteria used, the machine with the highest uptime, or the +most senior protocol version, or other criteria, will win the election +as domain master browser. +</p><p> +Clients wishing to browse the network make use of this list, but also depend +on the availability of correct name resolution to the respective IP +address/addresses. +</p><p> +Any configuration that breaks name resolution and/or browsing intrinsics +will annoy users because they will have to put up with protracted +inability to use the network services. +</p><p> +Samba supports a feature that allows forced synchronisation +of browse lists across routed networks using the <b class="command">remote +browse sync</b> parameter in the <tt class="filename">smb.conf</tt> file. +This causes Samba to contact the local master browser on a remote network and +to request browse list synchronisation. This effectively bridges +two networks that are separated by routers. The two remote +networks may use either broadcast based name resolution or WINS +based name resolution, but it should be noted that the <b class="command">remote +browse sync</b> parameter provides browse list synchronisation - and +that is distinct from name to address resolution, in other +words, for cross subnet browsing to function correctly it is +essential that a name to address resolution mechanism be provided. +This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>, +and so on. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904320"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p> +To set up cross subnet browsing on a network containing machines +in up to be in a WORKGROUP, not an NT Domain you need to set up one +Samba server to be the Domain Master Browser (note that this is *NOT* +the same as a Primary Domain Controller, although in an NT Domain the +same machine plays both roles). The role of a Domain master browser is +to collate the browse lists from local master browsers on all the +subnets that have a machine participating in the workgroup. Without +one machine configured as a domain master browser each subnet would +be an isolated workgroup, unable to see any machines on any other +subnet. It is the presence of a domain master browser that makes +cross subnet browsing possible for a workgroup. +</p><p> +In an WORKGROUP environment the domain master browser must be a +Samba server, and there must only be one domain master browser per +workgroup name. To set up a Samba server as a domain master browser, +set the following option in the <i class="parameter"><tt>[global]</tt></i> section +of the <tt class="filename">smb.conf</tt> file : +</p><p> +</p><pre class="programlisting"> + domain master = yes +</pre><p> +</p><p> +The domain master browser should also preferrably be the local master +browser for its own subnet. In order to achieve this set the following +options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file : +</p><p> +</p><pre class="programlisting"> + domain master = yes + local master = yes + preferred master = yes + os level = 65 +</pre><p> +</p><p> +The domain master browser may be the same machine as the WINS +server, if you require. +</p><p> +Next, you should ensure that each of the subnets contains a +machine that can act as a local master browser for the +workgroup. 
Any MS Windows NT/2K/XP/2003 machine should be +able to do this, as will Windows 9x machines (although these +tend to get rebooted more often, so it's not such a good idea +to use these). To make a Samba server a local master browser +set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the +<tt class="filename">smb.conf</tt> file : +</p><p> +</p><pre class="programlisting"> + domain master = no + local master = yes + preferred master = yes + os level = 65 +</pre><p> +</p><p> +Do not do this for more than one Samba server on each subnet, +or they will war with each other over which is to be the local +master browser. +</p><p> +The <i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a +local master browser. The <i class="parameter"><tt>preferred master</tt></i> causes nmbd +to force a browser election on startup and the <i class="parameter"><tt>os level</tt></i> +parameter sets Samba high enough so that it should win any browser elections. +</p><p> +If you have an NT machine on the subnet that you wish to +be the local master browser then you can disable Samba from +becoming a local master browser by setting the following +options in the <i class="parameter"><tt>[global]</tt></i> section of the +<tt class="filename">smb.conf</tt> file : +</p><p> +</p><pre class="programlisting"> + domain master = no + local master = no + preferred master = no + os level = 0 +</pre><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904541"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p> +If you are adding Samba servers to a Windows NT Domain then +you must not set up a Samba server as a domain master browser. 
+By default, a Windows NT Primary Domain Controller for a domain +is also the Domain master browser for that domain, and many +things will break if a Samba server registers the Domain master +browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i><1B>) +with WINS instead of the PDC. +</p><p> +For subnets other than the one containing the Windows NT PDC +you may set up Samba servers as local master browsers as +described. To make a Samba server a local master browser set +the following options in the <b class="command">[global]</b> section +of the <tt class="filename">smb.conf</tt> file : +</p><p> +</p><pre class="programlisting"> + domain master = no + local master = yes + preferred master = yes + os level = 65 +</pre><p> +</p><p> +If you wish to have a Samba server fight the election with machines +on the same subnet you may set the <i class="parameter"><tt>os level</tt></i> parameter +to lower levels. By doing this you can tune the order of machines that +will become local master browsers if they are running. For +more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to be the master"> +Forcing Samba to be the master browser</a> +below. 
+</p><p> +If you have Windows NT machines that are members of the domain +on all subnets, and you are sure they will always be running then +you can disable Samba from taking part in browser elections and +ever becoming a local master browser by setting following options +in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> +file : +</p><p> +</p><pre class="programlisting"> + domain master = no + local master = no + preferred master = no + os level = 0 +</pre><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p> +Who becomes the <i class="parameter"><tt>master browser</tt></i> is determined by an election +process using broadcasts. Each election packet contains a number of parameters +which determine what precedence (bias) a host should have in the +election. By default Samba uses a very low precedence and thus loses +elections to just about anyone else. +</p><p> +If you want Samba to win elections then just set the <i class="parameter"><tt>os level</tt></i> global +option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to 0. Using 34 +would make it win all elections over every other system (except other +samba systems!) +</p><p> +A <i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows +NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. +</p><p>The maximum os level is 255</p><p> +If you want Samba to force an election on startup, then set the +<i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will +then have a slight advantage over other potential master browsers +that are not preferred master browsers. 
Use this parameter with +care, as if you have two hosts (whether they are Windows 95 or NT or +Samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to +<tt class="constant">yes</tt>, then periodically and continually they will force an election +in order to become the local master browser. +</p><p> +If you want Samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is +recommended that you also set <i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because +Samba will not become a domain master browser for the whole of your +LAN or WAN if it is not also a local master browser on its own +broadcast isolated subnet. +</p><p> +It is possible to configure two Samba servers to attempt to become +the domain master browser for a domain. The first server that comes +up will be the domain master browser. All other Samba servers will +attempt to become the domain master browser every 5 minutes. They +will find that another Samba server is already the domain master +browser and will fail. This provides automatic redundancy, should +the current domain master browser fail. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904811"></a>Making Samba the domain master</h3></div></div><div></div></div><p> +The domain master is responsible for collating the browse lists of +multiple subnets so that browsing can occur between subnets. You can +make Samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i> +in <tt class="filename">smb.conf</tt>. By default it will not be a domain master. +</p><p> +Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a +workgroup that has the same name as an NT Domain. 
+</p><p> +When Samba is the domain master and the master browser, it will listen +for master announcements (made roughly every twelve minutes) from local +master browsers on other subnets and then contact them to synchronise +browse lists. +</p><p> +If you want Samba to be the domain master then I suggest you also set +the <i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set +<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on +startup. +</p><p> +Note that all your servers (including Samba) and clients should be +using a WINS server to resolve NetBIOS names. If your clients are only +using broadcasting to resolve NetBIOS names, then two things will occur: +</p><div class="orderedlist"><ol type="1"><li><p> + your local master browsers will be unable to find a domain master + browser, as it will only be looking on the local subnet. + </p></li><li><p> + if a client happens to get hold of a domain-wide browse list, and + a user attempts to access a host in that list, it will be unable to + resolve the NetBIOS name of that host. + </p></li></ol></div><p> +If, however, both Samba and your clients are using a WINS server, then: +</p><div class="orderedlist"><ol type="1"><li><p> + your local master browsers will contact the WINS server and, as long as + Samba has registered that it is a domain master browser with the WINS + server, your local master browser will receive Samba's IP address + as its domain master browser. + </p></li><li><p> + when a client receives a domain-wide browse list, and a user attempts + to access a host in that list, it will contact the WINS server to + resolve the NetBIOS name of that host. as long as that host has + registered its NetBIOS name with the same WINS server, the user will + be able to see that host. 
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904967"></a>Note about broadcast addresses</h3></div></div><div></div></div><p> +If your network uses a "0" based broadcast address (for example if it +ends in a 0) then you will strike problems. Windows for Workgroups +does not seem to support a 0's broadcast and you will probably find +that browsing and name lookups won't work. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904984"></a>Multiple interfaces</h3></div></div><div></div></div><p> +Samba now supports machines with multiple network interfaces. If you +have multiple interfaces then you will need to use the <b class="command">interfaces</b> +option in <tt class="filename">smb.conf</tt> to configure them. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905013"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><p> +The <i class="parameter"><tt>remote announce</tt></i> parameter of +<tt class="filename">smb.conf</tt> can be used to forcibly ensure +that all the NetBIOS names on a network get announced to a remote network. +The syntax of the <i class="parameter"><tt>remote announce</tt></i> parameter is: +</p><pre class="programlisting"> + remote announce = a.b.c.d [e.f.g.h] ... +</pre><p> +<span class="emphasis"><em>or</em></span> +</p><pre class="programlisting"> + remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... +</pre><p> + +where: +</p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and +<i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>is either the LMB (Local Master Browser) IP address +or the broadcast address of the remote network. +ie: the LMB is at 192.168.1.10, or the address +could be given as 192.168.1.255 where the netmask +is assumed to be 24 bits (255.255.255.0). 
+When the remote announcement is made to the broadcast +address of the remote network, every host will receive +our announcements. This is noisy and therefore +undesirable but may be necessary if we do NOT know +the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup +or that of the remote network. If you use the +workgroup name of the remote network then our +NetBIOS machine names will end up looking like +they belong to that workgroup, this may cause +name resolution problems and should be avoided. +</p></dd></dl></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905122"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p> +The <i class="parameter"><tt>remote browse sync</tt></i> parameter of +<tt class="filename">smb.conf</tt> is used to announce to +another LMB that it must synchronise its NetBIOS name list with our +Samba LMB. It works ONLY if the Samba server that has this option is +simultaneously the LMB on its network segment. +</p><p> +The syntax of the <i class="parameter"><tt>remote browse sync</tt></i> parameter is: + +</p><pre class="programlisting"> +remote browse sync = <i class="replaceable"><tt>a.b.c.d</tt></i> +</pre><p> + +where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the +remote LMB or else is the network broadcast address of the remote segment. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905183"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p> +Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly +recommended. 
Every NetBIOS machine registers its name together with a +name_type value for each of several types of service it has available. +eg: It registers its name directly as a unique (the type 0x03) name. +It also registers its name if it is running the LanManager compatible +server service (used to make shares and printers available to other users) +by registering the server (the type 0x20) name. +</p><p> +All NetBIOS names are up to 15 characters in length. The name_type variable +is added to the end of the name - thus creating a 16 character name. Any +name that is shorter than 15 characters is padded with spaces to the 15th +character. ie: All NetBIOS names are 16 characters long (including the +name_type information). +</p><p> +WINS can store these 16 character names as they get registered. A client +that wants to log onto the network can ask the WINS server for a list +of all names that have registered the NetLogon service name_type. This saves +broadcast traffic and greatly expedites logon processing. Since broadcast +name resolution can not be used across network segments this type of +information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured +<tt class="filename">lmhosts</tt> files that must reside on all clients in the +absence of WINS. +</p><p> +WINS also serves the purpose of forcing browse list synchronisation by all +LMB's. LMB's must synchronise their browse list with the DMB (domain master +browser) and WINS helps the LMB to identify it's DMB. By definition this +will work only within a single workgroup. Note that the domain master browser +has NOTHING to do with what is referred to as an MS Windows NT Domain. The +later is a reference to a security environment while the DMB refers to the +master controller for browse list information only. +</p><p> +Use of WINS will work correctly only if EVERY client TCP/IP protocol stack +has been configured to use the WINS server/s. 
Any client that has not been +configured to use the WINS server will continue to use only broadcast based +name registration so that WINS may NEVER get to know about it. In any case, +machines that have not registered with a WINS server will fail name to address +lookup attempts by other clients and will therefore cause workstation access +errors. +</p><p> +To configure Samba as a WINS server just add +<i class="parameter"><tt>wins support = yes</tt></i> to the <tt class="filename">smb.conf</tt> +file [globals] section. +</p><p> +To configure Samba to register with a WINS server just add +<i class="parameter"><tt>wins server = a.b.c.d</tt></i> to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[globals]</tt></i> section. +</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> +Never use both <i class="parameter"><tt>wins support = yes</tt></i> together +with <i class="parameter"><tt>wins server = a.b.c.d</tt></i> +particularly not using it's own IP address. +Specifying both will cause <span class="application">nmbd</span> to refuse to start! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905341"></a>Setting up a WINS server</h3></div></div><div></div></div><p> +Either a Samba machine or a Windows NT Server machine may be set up +as a WINS server. To set a Samba machine to be a WINS server you must +add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine : +in the <i class="parameter"><tt>[globals]</tt></i> section add the line +</p><p> +</p><pre class="programlisting"> + wins support = yes +</pre><p> +</p><p> +Versions of Samba prior to 1.9.17 had this parameter default to +yes. If you have any older versions of Samba on your network it is +strongly suggested you upgrade to a recent version, or at the very +least set the parameter to 'no' on all these machines. 
+</p><p> +Machines with <i class="parameter"><tt>wins support = yes</tt></i> will keep a list of +all NetBIOS names registered with them, acting as a DNS for NetBIOS names. +</p><p> +You should set up only ONE WINS server. Do NOT set the +<i class="parameter"><tt>wins support = yes</tt></i> option on more than one Samba +server. +</p><p> +To set up a Windows NT Server as a WINS server you need to set up +the WINS service - see your NT documentation for details. Note that +Windows NT WINS Servers can replicate to each other, allowing more +than one to be set up in a complex subnet environment. As Microsoft +refuses to document these replication protocols, Samba cannot currently +participate in these replications. It is possible in the future that +a Samba->Samba WINS replication protocol may be defined, in which +case more than one Samba machine could be set up as a WINS server +but currently only one Samba server should have the +<i class="parameter"><tt>wins support = yes</tt></i> parameter set. +</p><p> +After the WINS server has been configured you must ensure that all +machines participating on the network are configured with the address +of this WINS server. If your WINS server is a Samba machine, fill in +the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of +the <span class="guilabel">Control Panel->Network->Protocols->TCP->WINS Server</span> dialogs +in Windows 95 or Windows NT. To tell a Samba server the IP address +of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of +all <tt class="filename">smb.conf</tt> files : +</p><p> +</p><pre class="programlisting"> + wins server = <name or IP address> +</pre><p> +</p><p> +where <name or IP address> is either the DNS name of the WINS server +machine or its IP address. +</p><p> +Note that this line MUST NOT BE SET in the <tt class="filename">smb.conf</tt> file of the Samba +server acting as the WINS server itself. 
If you set both the +<i class="parameter"><tt>wins support = yes</tt></i> option and the +<i class="parameter"><tt>wins server = <name></tt></i> option then +nmbd will fail to start. +</p><p> +There are two possible scenarios for setting up cross subnet browsing. +The first details setting up cross subnet browsing on a network containing +Windows 95, Samba and Windows NT machines that are not configured as +part of a Windows NT Domain. The second details setting up cross subnet +browsing on networks that contain NT Domains. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905540"></a>WINS Replication</h3></div></div><div></div></div><p> +Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility. +This tool is not currently capable of being used as it is still in active development. +As soon as this tool becomes moderately functional we will prepare man pages and enhance this +section of the documentation to provide usage and technical details. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905565"></a>Static WINS Entries</h3></div></div><div></div></div><p> +Adding static entries to your Samba-3 WINS server is actually fairly easy. +All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically +located in <tt class="filename">/usr/local/samba/var/locks</tt>. +</p><p> +Entries in <tt class="filename">wins.dat</tt> take the form of + +</p><pre class="programlisting"> +"NAME#TYPE" TTL ADDRESS+ FLAGS +</pre><p> + +where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the +time-to-live as an absolute time in seconds, ADDRESS+ is one or more +addresses corresponding to the registration and FLAGS are the NetBIOS +flags for the registration. 
+</p><p> +A typical dynamic entry looks like: +</p><pre class="programlisting"> +"MADMAN#03" 1055298378 192.168.1.2 66R +</pre><p> + +To make it static, all that has to be done is set the TTL to 0: + +</p><pre class="programlisting"> +"MADMAN#03" 0 192.168.1.2 66R +</pre><p> +</p><p> +Though this method works with early Samba-3 versions, there's a +possibility that it may change in future versions if WINS replication +is added. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905650"></a>Helpful Hints</h2></div></div><div></div></div><p> +The following hints should be carefully considered as they are stumbling points +for many new network administrators. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905663"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Do NOT use more than one (1) protocol on MS Windows machines +</p></div><p> +A very common cause of browsing problems results from installing more than +one protocol on an MS Windows machine. +</p><p> +Every NetBIOS machine takes part in a process of electing the LMB (and DMB) +every 15 minutes. A set of election criteria is used to determine the order +of precedence for winning this election process. A machine running Samba or +Windows NT will be biased so that the most suitable machine will predictably +win and thus retain it's role. +</p><p> +The election process is "fought out" so to speak over every NetBIOS network +interface. In the case of a Windows 9x machine that has both TCP/IP and IPX +installed and has NetBIOS enabled over both protocols the election will be +decided over both protocols. As often happens, if the Windows 9x machine is +the only one with both protocols then the LMB may be won on the NetBIOS +interface over the IPX protocol. 
Samba will then lose the LMB role as Windows +9x will insist it knows who the LMB is. Samba will then cease to function +as an LMB and thus browse list operation on all TCP/IP only machines will +fail. +</p><p><span class="emphasis"><em> +Windows 95, 98, 98se, Me are referred to generically as Windows 9x. +The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly +referred to as the WinNT family, but it should be recognised that 2000 and +XP/2003 introduce new protocol extensions that cause them to behave +differently from MS Windows NT4. Generally, where a server does NOT support +the newer or extended protocol, these will fall back to the NT4 protocols. +</em></span></p><p> +The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905730"></a>Name Resolution Order</h3></div></div><div></div></div><p> +Resolution of NetBIOS names to IP addresses can take place using a number +of methods. The only ones that can provide NetBIOS name_type information +are: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p> +Alternative means of name resolution includes: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><p> +Many sites want to restrict DNS lookups and want to avoid broadcast name +resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is +of great help here. 
The syntax of the <i class="parameter"><tt>name resolve order</tt></i> +parameter is: +</p><pre class="programlisting"> +name resolve order = wins lmhosts bcast host +</pre><p> +<span class="emphasis"><em>or</em></span> +</p><pre class="programlisting"> +name resolve order = wins lmhosts (eliminates bcast and host) +</pre><p> +The default is: +</p><pre class="programlisting"> +name resolve order = host lmhost wins bcast +</pre><p> +where "host" refers the the native methods used by the Unix system +to implement the gethostbyname() function call. This is normally +controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905867"></a>Technical Overview of browsing</h2></div></div><div></div></div><p> +SMB networking provides a mechanism by which clients can access a list +of machines in a network, a so-called <i class="parameter"><tt>browse list</tt></i>. This list +contains machines that are ready to offer file and/or print services +to other machines within the network. Thus it does not include +machines which aren't currently able to do server tasks. The browse +list is heavily used by all SMB clients. Configuration of SMB +browsing has been problematic for some Samba users, hence this +document. +</p><p> +MS Windows 2000 and later, as with Samba 3 and later, can be +configured to not use NetBIOS over TCP/IP. When configured this way, +it is imperative that name resolution (using DNS/LDAP/ADS) be correctly +configured and operative. Browsing will NOT work if name resolution +from SMB machine names to IP addresses does not function correctly. +</p><p> +Where NetBIOS over TCP/IP is enabled use of a WINS server is highly +recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. 
+WINS allows remote segment clients to obtain NetBIOS name_type information +that can NOT be provided by any other means of name resolution. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905914"></a>Browsing support in Samba</h3></div></div><div></div></div><p> +Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span> +and is also controlled by options in the <tt class="filename">smb.conf</tt> file. +Samba can act as a local browse master for a workgroup and the ability +to support domain logons and scripts is now available. +</p><p> +Samba can also act as a domain master browser for a workgroup. This +means that it will collate lists from local browse masters into a +wide area network server list. In order for browse clients to +resolve the names they may find in this list, it is recommended that +both Samba and your clients use a WINS server. +</p><p> +Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain: on each wide area +network, you must only ever have one domain master browser per workgroup, +regardless of whether it is NT, Samba or any other type of domain master +that is providing this service. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Nmbd can be configured as a WINS server, but it is not +necessary to specifically use Samba as your WINS server. MS Windows +NT4, Server or Advanced Server 2000 or 2003 can be configured as +your WINS server. In a mixed NT/2000/2003 server and Samba environment on +a Wide Area Network, it is recommended that you use the Microsoft +WINS server capabilities. In a Samba-only environment, it is +recommended that you use one and only one Samba server as your WINS server. 
+</p></div><p> +To get browsing to work you need to run nmbd as usual, but will need +to use the <i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt> +to control what workgroup Samba becomes a part of. +</p><p> +Samba also has a useful option for a Samba server to offer itself for +browsing on another subnet. It is recommended that this option is only +used for 'unusual' purposes: announcements over the internet, for +example. See <i class="parameter"><tt>remote announce</tt></i> in the +<tt class="filename">smb.conf</tt> man page. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906021"></a>Problem resolution</h3></div></div><div></div></div><p> +If something doesn't work then hopefully the log.nmbd file will help +you track down the problem. Try a debug level of 2 or 3 for finding +problems. Also note that the current browse list usually gets stored +in text form in a file called <tt class="filename">browse.dat</tt>. +</p><p> +Note that if it doesn't work for you, then you should still be able to +type the server name as <tt class="filename">\\SERVER</tt> in filemanager then +hit enter and filemanager should display the list of available shares. +</p><p> +Some people find browsing fails because they don't have the global +<i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the +IPC$ connection that lists the shares is done as guest, and thus you must +have a valid guest account. +</p><p><span class="emphasis"><em> +MS Windows 2000 and upwards (as with Samba) can be configured to disallow +anonymous (ie: Guest account) access to the IPC$ share. In that case, the +MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the +name of the currently logged in user to query the IPC$ share. MS Windows +9X clients are not able to do this and thus will NOT be able to browse +server resources. 
+</em></span></p><p> +The other big problem people have is that their broadcast address, +netmask or IP address is wrong (specified with the "interfaces" option +in <tt class="filename">smb.conf</tt>) +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906100"></a>Browsing across subnets</h3></div></div><div></div></div><p> +Since the release of Samba 1.9.17(alpha1), Samba has supported the +replication of browse lists across subnet boundaries. This section +describes how to set this feature up in different settings. +</p><p> +To see browse lists that span TCP/IP subnets (ie. networks separated +by routers that don't pass broadcast traffic), you must set up at least +one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing +NetBIOS name to IP address translation to be done by doing a direct +query of the WINS server. This is done via a directed UDP packet on +port 137 to the WINS server machine. The reason for a WINS server is +that by default, all NetBIOS name to IP address translation is done +by broadcasts from the querying machine. This means that machines +on one subnet will not be able to resolve the names of machines on +another subnet without using a WINS server. +</p><p> +Remember, for browsing across subnets to work correctly, all machines, +be they Windows 95, Windows NT, or Samba servers must have the IP address +of a WINS server given to them by a DHCP server, or by manual configuration +(for Win95 and WinNT, this is in the TCP/IP Properties, under Network +settings) for Samba this is in the <tt class="filename">smb.conf</tt> file. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906150"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p> +Cross subnet browsing is a complicated dance, containing multiple +moving parts. 
It has taken Microsoft several years to get the code +that achieves this correct, and Samba lags behind in some areas. +Samba is capable of cross subnet browsing when configured correctly. +</p><p> +Consider a network set up as follows : +</p><p> + +</p><pre class="programlisting"> + (DMB) + N1_A N1_B N1_C N1_D N1_E + | | | | | + ------------------------------------------------------- + | subnet 1 | + +---+ +---+ + |R1 | Router 1 Router 2 |R2 | + +---+ +---+ + | | + | subnet 2 subnet 3 | + -------------------------- ------------------------------------ + | | | | | | | | + N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D + (WINS) +</pre><p> +</p><p> +Consisting of 3 subnets (1, 2, 3) connected by two routers +(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines +on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume +for the moment that all these machines are configured to be in the +same workgroup (for simplicity's sake). Machine N1_C on subnet 1 +is configured as Domain Master Browser (ie. it will collate the +browse lists for the workgroup). Machine N2_D is configured as +WINS server and all the other machines are configured to register +their NetBIOS names with it. +</p><p> +As all these machines are booted up, elections for master browsers +will take place on each of the three subnets. Assume that machine +N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on +subnet 3 - these machines are known as local master browsers for +their particular subnet. N1_C has an advantage in winning as the +local master browser on subnet 1 as it is set up as Domain Master +Browser. +</p><p> +On each of the three networks, machines that are configured to +offer sharing services will broadcast that they are offering +these services. The local master browser on each subnet will +receive these broadcasts and keep a record of the fact that +the machine is offering a service. This list of records is +the basis of the browse list. 
For this case, assume that +all the machines are configured to offer services so all machines +will be on the browse list. +</p><p> +For each network, the local master browser on that network is +considered 'authoritative' for all the names it receives via +local broadcast. This is because a machine seen by the local +master browser via a local broadcast must be on the same +network as the local master browser and thus is a 'trusted' +and 'verifiable' resource. Machines on other networks that +the local master browsers learn about when collating their +browse lists have not been directly seen - these records are +called 'non-authoritative'. +</p><p> +At this point the browse lists look as follows (these are +the machines you would see in your network neighborhood if +you looked in it on a particular network right now). +</p><p> +</p><div class="table"><a name="id2906267"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p> +</p><p> +Note that at this point all the subnets are separate, no +machine is seen across any of the subnets. +</p><p> +Now examine subnet 2. As soon as N2_B has become the local +master browser it looks for a Domain master browser to synchronize +its browse list with. It does this by querying the WINS server +(N2_D) for the IP address associated with the NetBIOS name +WORKGROUP<1B>. 
This name was registered by the Domain master +browser (N1_C) with the WINS server as soon as it was booted. +</p><p> +Once N2_B knows the address of the Domain master browser it +tells it that is the local master browser for subnet 2 by +sending a MasterAnnouncement packet as a UDP port 138 packet. +It then synchronizes with it by doing a NetServerEnum2 call. This +tells the Domain Master Browser to send it all the server +names it knows about. Once the domain master browser receives +the MasterAnnouncement packet it schedules a synchronization +request to the sender of that packet. After both synchronizations +are done the browse lists look like : +</p><p> +</p><div class="table"><a name="id2906382"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p> + +Servers with a (*) after them are non-authoritative names. +</p><p> +At this point users looking in their network neighborhood on +subnets 1 or 2 will see all the servers on both, users on +subnet 3 will still only see the servers on their own subnet. +</p><p> +The same sequence of events that occured for N2_B now occurs +for the local master browser on subnet 3 (N3_D). When it +synchronizes browse lists with the domain master browser (N1_A) +it gets both the server entries on subnet 1, and those on +subnet 2. 
After N3_D has synchronized with N1_C and vica-versa +the browse lists look like. +</p><p> +</p><div class="table"><a name="id2906481"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p> + +Servers with a (*) after them are non-authoritative names. +</p><p> +At this point users looking in their network neighborhood on +subnets 1 or 3 will see all the servers on all subnets, users on +subnet 2 will still only see the servers on subnets 1 and 2, but not 3. +</p><p> +Finally, the local master browser for subnet 2 (N2_B) will sync again +with the domain master browser (N1_C) and will receive the missing +server entries. Finally - and as a steady state (if no machines +are removed or shut off) the browse lists will look like : +</p><p> +</p><div class="table"><a name="id2906581"></a><p class="title"><b>Table 10.4. 
Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p> + +Servers with a (*) after them are non-authoritative names. +</p><p> +Synchronizations between the domain master browser and local +master browsers will continue to occur, but this should be a +steady state situation. +</p><p> +If either router R1 or R2 fails the following will occur: +</p><div class="orderedlist"><ol type="1"><li><p> + Names of computers on each side of the inaccessible network fragments + will be maintained for as long as 36 minutes, in the network neighbourhood + lists. + </p></li><li><p> + Attempts to connect to these inaccessible computers will fail, but the + names will not be removed from the network neighbourhood lists. + </p></li><li><p> + If one of the fragments is cut off from the WINS server, it will only + be able to access servers on its local subnet, by using subnet-isolated + broadcast NetBIOS name resolution. The effects are similar to that of + losing access to a DNS server. 
+ </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906720"></a>Common Errors</h2></div></div><div></div></div><p> +Many questions are asked on the mailing lists regarding browsing. The majority of browsing +problems originate out of incorrect configuration of NetBIOS name resolution. Some are of +particular note. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906735"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p> +Samba's nmbd process controls all browse list handling. Under normal circumstances it is +safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it +to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear +in the browse list. When nmbd is taken out of service another machine on the network will +become the browse master. This new list may still have the rogue entry in it. If you really +want to clear a rogue machine from the list then every machine on the network will need to be +shut down and restarted at after all machines are down. Failing a complete restart, the only +other thing you can do is wait until the entry times out and is then flushed from the list. +This may take a long time on some networks (months). +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906764"></a>My client reports "This server is not configured to list shared resources"</h3></div></div><div></div></div><p> +Your guest account is probably invalid for some reason. Samba uses the +guest account for browsing in smbd. Check that your guest account is +valid. 
+</p><p>See also <i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Other-Clients.html b/docs/htmldocs/Other-Clients.html new file mode 100644 index 0000000000..a5e7740cf0 --- /dev/null +++ b/docs/htmldocs/Other-Clients.html 
@@ -0,0 +1,186 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. 
Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email"><<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or + OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect), + OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working + for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows 
'95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015663"></a>Macintosh clients?</h2></div></div><div></div></div><p> +Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a> +</p><p> +They test it against Windows 95, Windows NT and samba for +compatibility issues. At the time of writing, DAVE was at version +1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from +the Thursby web site (the speed of finder copies has been greatly +enhanced, and there are bug-fixes included). +</p><p> +Alternatives - There are two free implementations of AppleTalk for +several kinds of UNIX machines, and several more commercial ones. +These products allow you to run file services and print services +natively to Macintosh users, with no additional support required on +the Macintosh. The two free implementations are +<a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and +<a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>. +What Samba offers MS +Windows users, these packages offer to Macs. 
For more info on these +packages, Samba, and Linux (and other UNIX-based systems) see +<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017016"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017023"></a>How can I configure OS/2 Warp Connect or + OS/2 Warp 4 as a client for Samba?</h3></div></div><div></div></div><p>A more complete answer to this question can be + found on <a href="http://carol.wins.uva.nl/~leeuw/samba/warp.html" target="_top"> + http://carol.wins.uva.nl/~leeuw/samba/warp.html</a>.</p><p>Basically, you need three components:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The File and Print Client ('IBM Peer')</td></tr><tr><td>TCP/IP ('Internet support') </td></tr><tr><td>The "NetBIOS over TCP/IP" driver ('TCPBEUI')</td></tr></table><p>Installing the first two together with the base operating + system on a blank system is explained in the Warp manual. If Warp + has already been installed, but you now want to install the + networking support, use the "Selective Install for Networking" + object in the "System Setup" folder.</p><p>Adding the "NetBIOS over TCP/IP" driver is not described + in the manual and just barely in the online documentation. Start + MPTS.EXE, click on OK, click on "Configure LAPS" and click + on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line + is then moved to 'Current Configuration'. Select that line, + click on "Change number" and increase it from 0 to 1. Save this + configuration.</p><p>If the Samba server(s) is not on your local subnet, you + can optionally add IP names and addresses of these servers + to the "Names List", or specify a WINS server ('NetBIOS + Nameserver' in IBM and RFC terminology). 
For Warp Connect you + may need to download an update for 'IBM Peer' to bring it on + the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017102"></a>How can I configure OS/2 Warp 3 (not Connect), + OS/2 1.2, 1.3 or 2.x for Samba?</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client + for OS/2 from + <a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top"> + ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>. + See <a href="http://carol.wins.uva.nl/~leeuw/lanman.html" target="_top"> + http://carol.wins.uva.nl/~leeuw/lanman.html</a> for + more information on how to install and use this client. In + a nutshell, edit the file \OS2VER in the root directory of + the OS/2 boot partition and add the lines:</p><pre class="programlisting"> + 20=setup.exe + 20=netwksta.sys + 20=netvdd.sys + </pre><p>before you install the client. Also, don't use the + included NE2000 driver because it is buggy. Try the NE2000 + or NS2000 driver from + <a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top"> + ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017164"></a>How do I get printer driver download working + for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is + world-readable. Copy your OS/2 driver files there. Note + that the .EA_ files must still be separate, so you will need + to use the original install files, and not copy an installed + driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then, + add to your <tt class="filename">smb.conf</tt> a parameter, <i class="parameter"><tt>os2 driver map = + <i class="replaceable"><tt>filename</tt></i></tt></i>. 
Then, in the file + specified by <i class="replaceable"><tt>filename</tt></i>, map the + name of the NT driver name to the OS/2 driver name as + follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.:</p><p><i class="parameter"><tt> + HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the + device name, the first attempt to download the driver will + actually download the files, but the OS/2 client will tell + you the driver is not available. On the second attempt, it + will work. This is fixed simply by adding the device name + to the mapping, after which it will work on the first attempt. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017260"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017268"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows +for Workgroups. +</p><p>The early TCP/IP stacks had lots of bugs.</p><p> +Microsoft has released an incremental upgrade to their TCP/IP 32-Bit +VxD drivers. The latest release can be found on their ftp site at +ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>. +There is an update.txt file there that describes the problems that were +fixed. 
New files include <tt class="filename">WINSOCK.DLL</tt>, +<tt class="filename">TELNET.EXE</tt>, +<tt class="filename">WSOCK.386</tt>, +<tt class="filename">VNBT.386</tt>, +<tt class="filename">WSTCP.386</tt>, +<tt class="filename">TRACERT.EXE</tt>, +<tt class="filename">NETSTAT.EXE</tt>, and +<tt class="filename">NBTSTAT.EXE</tt>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017357"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p> +WfWg does a lousy job with passwords. I find that if I change my +password on either the unix box or the PC the safest thing to do is to +delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password. +</p><p> +If you don't do this you may find that WfWg remembers and uses the old +password, even if you told it a new one. +</p><p> +Often WfWg will totally ignore a password you give it in a dialog box. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017388"></a>Configure WfW password handling</h3></div></div><div></div></div><p> +There is a program call admincfg.exe +on the last disk (disk 8) of the WFW 3.11 disk set. To install it +type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>. +Then add an icon +for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu. +This program allows you to control how WFW handles passwords. ie disable Password Caching etc +for use with <i class="parameter"><tt>security = user</tt></i> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017433"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. 
Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017464"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find +that you have to use TCP/IP as the default protocol under +WfWg. For some reason if you leave NetBEUI as the default +it may break the print queue reporting on some systems. +It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017481"></a>Speed improvement</h3></div></div><div></div></div><p> +Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in +the <i class="parameter"><tt>[MSTCP]</tt></i> section of the +<tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a +big improvement. I don't know why. +</p><p> +My own experience with DefaultRcvWindow is that I get much better +performance with a large value (16384 or larger). Other people have +reported that anything over 3072 slows things down enormously. One +person even reported a speed drop of a factor of 30 when he went from +3072 to 8192. I don't know why. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017528"></a>Windows '95/'98</h2></div></div><div></div></div><p> +When using Windows 95 OEM SR2 the following updates are recommended where Samba +is being used. Please NOTE that the above change will affect you once these +updates have been installed. +</p><p> +There are more updates than the ones mentioned here. You are referred to the +Microsoft Web site for all currently available updates to your specific version +of Windows 95. 
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p> +Also, if using <span class="application">MS Outlook</span> it is desirable to +install the <b class="command">OLEUPD.EXE</b> fix. This +fix may stop your machine from hanging for an extended period when exiting +Outlook and you may also notice a significant speedup when accessing network +neighborhood services. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017601"></a>Speed improvement</h3></div></div><div></div></div><p> +Configure the win95 TCPIP registry settings to give better +performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the +net. There are various other utilities of this type freely available. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017625"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p> +There are several annoyances with Windows 2000 SP2. One of which +only appears when using a Samba server to host user profiles +to Windows 2000 SP2 clients in a Windows domain. This assumes +that Samba is a member of the domain, but the problem will +likely occur if it is not. +</p><p> +In order to serve profiles successfully to Windows 2000 SP2 +clients (when not operating as a PDC), Samba must have +<i class="parameter"><tt>nt acl support = no</tt></i> +added to the file share which houses the roaming profiles. +If this is not done, then the Windows 2000 SP2 client will +complain about not being able to access the profile (Access +Denied) and create multiple copies of it on disk (DOMAIN.user.001, +DOMAIN.user.002, etc...). 
See the +<a href="smb.conf.5.html" target="_top">smb.conf(5)</a> man page +for more details on this option. Also note that the +<i class="parameter"><tt>nt acl support</tt></i> parameter was formally a global parameter in +releases prior to Samba 2.2.2. +</p><p> +The following is a minimal profile share: +</p><pre class="programlisting"> + [profile] + path = /export/profile + create mask = 0600 + directory mask = 0700 + nt acl support = no + read only = no +</pre><p> +The reason for this bug is that the Win2k SP2 client copies +the security descriptor for the profile which contains +the Samba server's SID, and not the domain SID. The client +compares the SID for SAMBA\user and realizes it is +different that the one assigned to DOMAIN\user. Hence the reason +for the <span class="errorname">access denied</span> message. +</p><p> +By disabling the <i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send +the Win2k client a response to the QuerySecurityDescriptor +trans2 call which causes the client to set a default ACL +for the profile. This default ACL includes +</p><p><span class="emphasis"><em>DOMAIN\user "Full Control"</em></span>></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to +create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017736"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows +NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q103765" target="_top">this Microsoft Knowledge Base article</a>. 
+ +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html> diff --git a/docs/htmldocs/PolicyMgmt.html b/docs/htmldocs/PolicyMgmt.html new file mode 100644 index 0000000000..775cd6cc16 --- /dev/null +++ b/docs/htmldocs/PolicyMgmt.html 
@@ -0,0 +1,260 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. 
System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2984380">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2984435">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986217">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2986312">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2986445">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986697">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986798">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2986819">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2986839">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986883">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2987030">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2987044">Policy Does Not Work</a></dt></dl></dd></dl></div><p> +This chapter summarises the current state of knowledge derived from personal +practice and knowledge from samba mailing list subscribers. Before reproduction +of posted information effort has been made to validate the information provided. +Where additional information was uncovered through this validation it is provided +also. 
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984380"></a>Features and Benefits</h2></div></div><div></div></div><p> +When MS Windows NT3.5 was introduced the hot new topic was the ability to implement +Group Policies for users and group. Then along came MS Windows NT4 and a few sites +started to adopt this capability. How do we know that? By way of the number of "booboos" +(or mistakes) administrators made and then requested help to resolve. +</p><p> +By the time that MS Windows 2000 and Active Directory was released, administrators +got the message: Group Policies are a good thing! They can help reduce administrative +costs and actually can help to create happier users. But adoption of the true +potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users +and machines were picked up on rather slowly. This was very obvious from the samba +mailing list as in 2000 and 2001 there were very few postings regarding GPOs and +how to replicate them in a Samba environment. +</p><p> +Judging by the traffic volume since mid 2002, GPOs have become a standard part of +the deployment in many sites. This chapter reviews techniques and methods that can +be used to exploit opportunities for automation of control over user desktops and +network client workstations. +</p><p> +A tool new to Samba-3 may become an important part of the future Samba Administrators' +arsenal. The <b class="command">editreg</b> tool is described in this document. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984435"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p> +Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95) it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. 
As the client logs onto the network +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines. +</p><p> +For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may +be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD, but +disappeared again with the introduction of MS Windows Me (Millennium Edition). From +comments from MS Windows network administrators it would appear that this tool became +a part of the MS Windows Me Resource Kit. +</p><p> +MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span> +under the <tt class="filename">Start -> Programs -> Administrative Tools</tt> menu item. +For MS Windows NT4 and later clients this file must be called <tt class="filename">NTConfig.POL</tt>. +</p><p> +New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever changing landscape of Microsoft +methods for management of network access and security. Every new Microsoft product +or technology seems to obsolete the old rules and to introduce newer and more +complex tools and methods. To Microsoft's credit though, the MMC does appear to +be a step forward, but improved functionality comes at a great price. +</p><p> +Before embarking on the configuration of network and system policies it is highly +advisable to read the documentation available from Microsoft's web site regarding +<a href="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" target="_top"> +Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</a> available from Microsoft. 
+There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft web site for "Group Policies". +</p><p> +What follows is a very brief discussion with some helpful notes. The information provided +here is incomplete - you are warned. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986217"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p> + You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. + It can be found on the Original full product Win98 installation CD under + <tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the + Add/Remove Programs facility and then click on the 'Have Disk' tab. + </p><p> + Use the Group Policy Editor to create a policy file that specifies the location of + user profiles and/or the <tt class="filename">My Documents</tt> etc. Then save these + settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the + root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Win98 is configured to log onto + the Samba Domain, it will automatically read this file and update the Win9x/Me registry + of the machine as it logs on. + </p><p> + Further details are covered in the Win98 Resource Kit documentation. + </p><p> + If you do not take the right steps, then every so often Win9x/Me will check the + integrity of the registry and will restore it's settings from the back-up + copy of the registry it stores on each Win9x/Me machine. Hence, you will + occasionally notice things changing back to the original settings. + </p><p> + Install the group policy handler for Win9x to pick up group policies. Look on the + Win98 CD in <tt class="filename">\tools\reskit\netadmin\poledit</tt>. + Install group policies on a Win9x client by double-clicking + <tt class="filename">grouppol.inf</tt>. 
Log off and on again a couple of times and see + if Win98 picks up group policies. Unfortunately this needs to be done on every + Win9x/Me machine that uses group policies. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986312"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p> + To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server + Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server + but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4 + Workstation but it is not suitable for creating <span class="emphasis"><em>Domain Policies</em></span>. + Further, although the Windows 95 Policy Editor can be installed on an NT4 + Workstation/Server, it will not work with NT clients. However, the files from + the NT Server will run happily enough on an NT4 Workstation. + </p><p> + You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>. + It is convenient to put the two *.adm files in the <tt class="filename">c:\winnt\inf</tt> + directory which is where the binary will look for them unless told otherwise. Note also that that + directory is normally 'hidden'. + </p><p> + The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>, + i.e. that's <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The policy editor, + <b class="command">poledit.exe</b> and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. 
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986421"></a>Registry Spoiling</h4></div></div><div></div></div><p> + With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986445"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p> + Windows NT4 System policies allows setting of registry parameters specific to + users, groups and computers (client workstations) that are members of the NT4 + style domain. Such policy file will work with MS Windows 2000 / XP clients also. + </p><p> + New to MS Windows 2000 Microsoft introduced a new style of group policy that confers + a superset of capabilities compared with NT4 style policies. Obviously, the tool used + to create them is different, and the mechanism for implementing them is much changed. + </p><p> + The older NT4 style registry based policies are known as <span class="emphasis"><em>Administrative Templates</em></span> + in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security + configurations, enforce Internet Explorer browser settings, change and redirect aspects of the + users' desktop (including: the location of <tt class="filename">My Documents</tt> files (directory), as + well as intrinsics of where menu items will appear in the Start menu). 
An additional new + feature is the ability to make available particular software Windows applications to particular + users and/or groups. + </p><p> + Remember: NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root + of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password + and selects the domain name to which the logon will attempt to take place. During the logon + process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating + server, modifies the local registry values according to the settings in this file. + </p><p> + Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of + a Windows 200x policy file is stored in the Active Directory itself and the other part is stored + in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active + Directory domain controllers. The part that is stored in the Active Directory itself is called the + group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is + known as the group policy template (GPT). + </p><p> + With NT4 clients the policy file is read and executed upon only as each user logs onto the network. + MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine + startup (machine specific part) and when the user logs onto the network the user specific part + is applied. In MS Windows 200x style policy management each machine and/or user may be subject + to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows + the administrator to also set filters over the policy settings. No such equivalent capability + exists with NT4 style policy files. 
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986546"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p> + Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the + executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a + <span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p> + Go to the Windows 200x / XP menu <span class="guimenu">Start->Programs->Administrative Tools</span> + and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span> + </p></li><li><p> + Select the domain or organizational unit (OU) that you wish to manage, then right click + to open the context menu for that object, select the properties item. + </p></li><li><p> + Now left click on the <span class="guilabel">Group Policy</span> tab, then left click on the New tab. Type a name + for the new policy you will create. + </p></li><li><p> + Now left click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO. + </p></li></ol></div><p> + All policy configuration options are controlled through the use of policy administrative + templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. + Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x. + The later introduces many new features as well as extended definition capabilities. It is + well beyond the scope of this documentation to explain how to program .adm files, for that + the administrator is referred to the Microsoft Windows Resource Kit for your particular + version of MS Windows. 
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used + to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you + use this powerful tool. Please refer to the resource kit manuals for specific usage information. + </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986697"></a>Managing Account/User Policies</h2></div></div><div></div></div><p> +Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary. +</p><p> +If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation. +</p><p> +When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry. 
+</p><p> +MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect. +This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates. +</p><p> +In addition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><p> +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986798"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p> + Describe in detail the benefits of <b class="command">editreg</b> and how to use it. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986819"></a>Windows NT4/200x</h3></div></div><div></div></div><p> + The tools that may be used to configure these types of controls from the MS Windows environment are: + The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). + Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate + "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. 
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986839"></a>Samba PDC</h3></div></div><div></div></div><p> + With a Samba Domain Controller, the new tools for managing of user account and policy information includes: + <b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>. + The administrator should read the + man pages for these tools and become familiar with their use. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986883"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p> +The following attempts to document the order of processing of system and user policies following a system +reboot and as part of the user logon: +</p><div class="orderedlist"><ol type="1"><li><p> + Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming + Convention Provider (MUP) start + </p></li><li><p> + Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded + and applied. The list may include GPOs that: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><p> + No desktop user interface is presented until the above have been processed. + </p></li><li><p> + Execution of start-up scripts (hidden and synchronous by default). + </p></li><li><p> + A keyboard action to affect start of logon (Ctrl-Alt-Del). + </p></li><li><p> + User credentials are validated, User profile is loaded (depends on policy settings). + </p></li><li><p> + An ordered list of User GPOs is obtained. 
The list contents depends on what is configured in respect of: + +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><p> + </p></li><li><p> + User Policies are applied from Active Directory. Note: There are several types. + </p></li><li><p> + Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group + Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal + window. + </p></li><li><p> + The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 + Domain) machine (system) policies are applied at start-up, User policies are applied at logon. + </p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2987030"></a>Common Errors</h2></div></div><div></div></div><p> +Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following +collection demonstrates only basic issues. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2987044"></a>Policy Does Not Work</h3></div></div><div></div></div><p> +Question: We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share. +It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not +work any longer since we upgraded to Win XP Pro. Any hints? 
+</p><p> +<span class="emphasis"><em>ANSWER:</em></span> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based +platforms. You need to use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so that +it is in the correct format for your MS Windows XP Pro clients. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html> diff --git a/docs/htmldocs/Portability.html b/docs/htmldocs/Portability.html new file mode 100644 index 0000000000..bb2c20ac9f --- /dev/null +++ b/docs/htmldocs/Portability.html 
@@ -0,0 +1,128 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. 
Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the +platforms provide is not always compatible. This chapter contains +platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013478"></a>HPUX</h2></div></div><div></div></div><p> +HP's implementation of supplementary groups is, er, non-standard (for +hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and +<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but +initgroups() reads the latter. Most system admins who know the ropes +symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt> +(hard link doesn't work for reasons too stupid to go into here). 
initgroups() will complain if one of the +groups you're in in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid +ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think) +60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt> +GIDs. +</p><p> +If you encounter this problem, make sure that the programs that are failing +to initgroups() be run as users not in any groups with GIDs outside the +allowed range. +</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4). +</p><p> +On HPUX you must use gcc or the HP ANSI compiler. The free compiler +that comes with HP-UX is not ANSI compliant and cannot compile +Samba. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016009"></a>SCO Unix</h2></div></div><div></div></div><p> +If you run an old version of SCO Unix then you may need to get important +TCP/IP patches for Samba to work correctly. Without the patch, you may +encounter corrupt data transfers using samba. +</p><p> +The patch you need is UOD385 Connection Drivers SLS. It is available from +SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS, +files uod385a.Z and uod385a.ltr.Z). +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016039"></a>DNIX</h2></div></div><div></div></div><p> +DNIX has a problem with seteuid() and setegid(). These routines are +needed for Samba to work correctly, but they were left out of the DNIX +C library for some reason. +</p><p> +For this reason Samba by default defines the macro NO_EID in the DNIX +section of includes.h. This works around the problem in a limited way, +but it is far from ideal, some things still won't work right. 
+</p><p> +To fix the problem properly you need to assemble the following two +functions and then either add them to your C library or link them into +Samba. +</p><p> +put this in the file <tt class="filename">setegid.s</tt>: +</p><pre class="programlisting"> + .globl _setegid +_setegid: + moveq #47,d0 + movl #100,a0 + moveq #1,d1 + movl 4(sp),a1 + trap #9 + bccs 1$ + jmp cerror +1$: + clrl d0 + rts +</pre><p> +put this in the file <tt class="filename">seteuid.s</tt>: +</p><pre class="programlisting"> + .globl _seteuid +_seteuid: + moveq #47,d0 + movl #100,a0 + moveq #0,d1 + movl 4(sp),a1 + trap #9 + bccs 1$ + jmp cerror +1$: + clrl d0 + rts +</pre><p> +after creating the above files you then assemble them using +</p><pre class="screen"> + <tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b> + <tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b> +</pre><p> +that should produce the files <tt class="filename">seteuid.o</tt> and +<tt class="filename">setegid.o</tt> +</p><p> +then you need to add these to the LIBSM line in the DNIX section of +the Samba Makefile. Your LIBSM line will then look something like this: +</p><pre class="programlisting"> +LIBSM = setegid.o seteuid.o -ln +</pre><p> +You should then remove the line: +</p><pre class="programlisting"> +#define NO_EID +</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016210"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><p> +By default RedHat Rembrandt-II during installation adds an +entry to <tt class="filename">/etc/hosts</tt> as follows: +</p><pre class="programlisting"> + 127.0.0.1 loopback "hostname"."domainname" +</pre><p> +</p><p> +This causes Samba to loop back onto the loopback interface. 
+The result is that Samba fails to communicate correctly with +the world and therefor may fail to correctly negotiate who +is the master browse list holder and who is the master browser. +</p><p> +Corrective Action: Delete the entry after the word loopback + in the line starting 127.0.0.1 +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016254"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016261"></a>Sequential Read Ahead</h3></div></div><div></div></div><p> +Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves +Samba performance significantly. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016287"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016294"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl +when running Samba on Solaris. The built in file locking mechanism was +not scalable. Performance would degrade to the point where processes would +get into loops of trying to lock a file. It would try a lock, then fail, +then try again. The lock attempt was failing before the grant was +occurring. So the visible manifestation of this would be a handful of +processes stealing all of the CPU, and when they were trussed they would +be stuck if F_SETLKW64 loops. +</p><p> +Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7 +has not been released yet. +</p><p> +The patch revision for 2.6 is 105181-34 +for 8 is 108528-19 and for 9 is 112233-04 +</p><p> +After the install of these patches it is recommended to reconfigure +and rebuild samba. 
+</p><p>Thanks to Joe Meslovich for reporting</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p> +Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior +is fixed by Sun in patch 113476-05 which as of March 2003 is not in any +roll-up packages. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. How to compile SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. Samba and other CIFS clients</td></tr></table></div></body></html> diff --git a/docs/htmldocs/ProfileMgmt.html b/docs/htmldocs/ProfileMgmt.html new file mode 100644 index 0000000000..0b9a40df62 --- /dev/null +++ b/docs/htmldocs/ProfileMgmt.html 
@@ -0,0 +1,680 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2988251">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2988285">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988326">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988731">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989902">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989967">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990232">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990290">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990336">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990356">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990504">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991058">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991562">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991575">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991638">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991859">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: 
both"><a name="id2988251"></a>Features and Benefits</h2></div></div><div></div></div><p> +Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for +some administrators. +</p><p> +Roaming Profiles allow an administrator to make available a consistent user desktop +as the user moves from one machine to another. This chapter provides much information +regarding how to configure and manage Roaming Profiles. +</p><p> +While Roaming Profiles might sound like nirvana to some, they are a real and tangible +problem to others. In particular, users of mobile computing tools, where often there may not +be a sustained network connection, are often better served by purely Local Profiles. +This chapter provides information to help the Samba administrator to deal with those +situations also. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2988285"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Roaming profiles support is different for Win9x / Me and Windows NT4/200x. +</p></div><p> +Before discussing how to configure roaming profiles, it is useful to see how +Windows 9x / Me and Windows NT4/200x clients implement these features. +</p><p> +Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory. +</p><p> +Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988326"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p> +This section documents how to configure Samba for MS Windows client profile support. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988340"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p> +To support Windows NT4/200x clients, in the [global] section of smb.conf set the +following (for example): +</p><p> +</p><pre class="programlisting"> + logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath +</pre><p> + + This is typically implemented like: + +</p><pre class="programlisting"> + logon path = \\%L\Profiles\%u +</pre><p> +where %L translates to the name of the Samba server and %u translates to the user name +</p><p> +The default for this option is <tt class="filename">\\%N\%U\profile</tt>, +namely <tt class="filename">\\sambaserver\username\profile</tt>. +The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different +semantics of %L and %N, as well as %U and %u. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +MS Windows NT/2K clients at times do not disconnect a connection to a server +between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i> +meta-service name as part of the profile share path. 
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988432"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p> + To support Windows 9x / Me clients, you must use the <i class="parameter"><tt>logon home</tt></i> parameter. Samba has +now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies +on the <b class="command">logon home</b> parameter. +</p><p> +By using the logon home parameter, you are restricted to putting Win9x / Me +profiles in the user's home directory. But wait! There is a trick you +can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file: +</p><pre class="programlisting"> + logon home = \\%L\%U\.profiles +</pre><p> +then your Windows 9x / Me clients will dutifully put their clients in a subdirectory +of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden). +</p><p> +Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in +Windows 9x / Me. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified <tt class="filename">\\%L\%U</tt> for <i class="parameter"><tt>logon home</tt></i>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988541"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p> +You can support profiles for both Win9X and WinNT clients by setting both the +<i class="parameter"><tt>logon home</tt></i> and <i class="parameter"><tt>logon path</tt></i> parameters. 
For example: +</p><pre class="programlisting"> + logon home = \\%L\%u\.profiles + logon path = \\%L\profiles\%u +</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988580"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p> + A question often asked is “<span class="quote">How may I enforce use of local profiles?</span>” or + “<span class="quote">How do I disable Roaming Profiles?</span>” +</p><p> +There are three ways of doing this: +</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p> + Affect the following settings and ALL clients + will be forced to use a local profile: + </p><pre class="programlisting"> + logon home = + logon path = + </pre><p> + </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p> + By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is: + + </p><pre class="programlisting"> + Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + + Disable: Only Allow Local User Profiles + Disable: Prevent Roaming Profile Change from Propagating to the Server + </pre><p> + </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p> + From the start menu right click on the + My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span> + tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>. + </p></dd></dl></div><p> +Consult the MS Windows registry guide for your particular MS Windows version for more +information about which registry keys to change to enforce use of only local user +profiles. 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one vary according to the version of MS Windows you are running. Consult the +Microsoft MS Windows Resource Kit for your version of Windows for specific information. +</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988731"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988739"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p> +When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>, +<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>. +These directories and their contents will be merged with the local +versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins, +taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i> +options <i class="parameter"><tt>preserve case = yes</tt></i>, <i class="parameter"><tt>short preserve case = yes</tt></i> and +<i class="parameter"><tt>case sensitive = no</tt></i> in order to maintain capital letters in shortcuts +in any of the profile folders. +</p><p> +The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file. +</p><div class="orderedlist"><ol type="1"><li><p> + On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Passwords</span> and + select the <span class="guilabel">User Profiles</span> tab. 
Select the required level of + roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer + to reboot. + </p></li><li><p> + On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Network</span> -> + <span class="guimenuitem">Client for Microsoft Networks</span> -> <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to + NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for + Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer + to reboot. + </p></li></ol></div><p> +Under Windows 9x / Me Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, it would seem! +</p><p> +You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password. +</p><p> +Once the user has been successfully validated, the Windows 9x / Me machine +will inform you that <tt class="computeroutput">The user has not logged on before' and asks you + if you wish to save the user's preferences?</tt> Select <span class="guibutton">yes</span>. 
+</p><p> +Once the Windows 9x / Me client comes up with the desktop, you should be able +to examine the contents of the directory specified in the <i class="parameter"><tt>logon path</tt></i> +on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>, +<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created. +</p><p> +These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set. +</p><p> +If you have made the folders / files read-only on the samba server, +then you will get errors from the Windows 9x / Me machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the Windows 9x / Me machine, check the Unix file +permissions and ownership rights on the profile directory contents, +on the samba server. +</p><p> +If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time". +</p><div class="orderedlist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Before deleting the contents of the + directory listed in the ProfilePath (this is likely to be + <tt class="filename">c:\windows\profiles\username)</tt>, ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). 
+ </p><p> + This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. + </p></div><ol type="1"><li><p> + instead of logging in under the [user, password, domain] dialog, + press <span class="guibutton">escape</span>. + </p></li><li><p> + run the <b class="command">regedit.exe</b> program, and look in: + </p><p> + <tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt> + </p><p> + you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>), + then delete the key ProfilePath for the required user. + </p><p>[Exit the registry editor].</p></li><li><p> + search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt> + directory, and delete it. + </p></li><li><p> + log off the windows 9x / Me client. + </p></li><li><p> + check the contents of the profile path (see <i class="parameter"><tt>logon path</tt></i> described + above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user, + making a backup if required. + </p></li></ol></div><p> +If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and +look for error messages. +</p><p> +If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the +differences are with the equivalent samba trace. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989233"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p> +When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the <i class="parameter"><tt>logon path</tt></i> parameter. +</p><p> +There is a parameter that is now available for use with NT Profiles: +<i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and +should be used in conjunction with the new "logon home" parameter. +</p><p> +The entry for the NT4 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension +for those situations where it might be created.) +</p><p> +In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>, +<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file +<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown. +</p><p> +You can use the <span class="application">System Control Panel</span> to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the <span class="application">System Control Panel</span> for you). The +NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt> +turns a profile into a mandatory one. +</p><p> +The case of the profile is significant. 
The file must be called +<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989391"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p> +You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows: +</p><div class="procedure"><ol type="1"><li><p> + Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator. + </p></li><li><p> + Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span> + </p></li><li><p> + Click on the <span class="guilabel">User Profiles</span> tab + </p></li><li><p> + Select the profile you wish to convert (click on it once) + </p></li><li><p> + Click on the button <span class="guibutton">Copy To</span> + </p></li><li><p> + In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button. + </p></li><li><p> + Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect + as: <i class="replaceable"><tt>MIDEARTH</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p> + To make the profile capable of being used by anyone select 'Everyone' + </p></li><li><p> + Click <span class="guibutton">OK</span>. The Selection box will close. + </p></li><li><p> + Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you + nominated. + </p></li></ol></div><p> +Done. 
You now have a profile that can be edited using the samba-3.0.0 +<b class="command">profiles</b> tool. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Under NT/2K the use of mandatory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable. +</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><div class="procedure"><ol type="1"><li><p> +This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>. +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this. +</p><p> +If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy): +</p></li><li><p> +On the XP workstation log in with an Administrator account. 
+</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the "Console Root" window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>, + <span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989902"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p> +Sharing of desktop profiles between Windows versions is NOT recommended. +Desktop profiles are an evolving phenomenon and profiles for later versions +of MS Windows clients add features that may interfere with earlier versions +of MS Windows clients. 
Probably the more salient reason to NOT mix profiles +is that when logging off an earlier version of MS Windows the older format +of profile contents may overwrite information that belongs to the newer +version resulting in loss of profile information content when that user logs +on again with the newer version of MS Windows. +</p><p> +If you then want to share the same Start Menu / Desktop with W9x/Me, you will +need to specify a common location for the profiles. The smb.conf parameters +that need to be common are <i class="parameter"><tt>logon path</tt></i> and +<i class="parameter"><tt>logon home</tt></i>. +</p><p> +If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and +<tt class="filename">NTuser.DAT</tt> files in the same profile directory. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989967"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p> +There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989984"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p> +Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. The correct resource kit is required for each platform. +</p><p> +Here is a quick guide: +</p><div class="procedure"><ol type="1"><li><p> +On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then +select the tab labelled <span class="guilabel">User Profiles</span>. +</p></li><li><p> +Select a user profile you want to migrate and click on it. 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term "migrate" loosely. You can copy a profile to +create a group profile. You can give the user 'Everyone' rights to the +profile you copy this to. That is what you need to do, since your samba +domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg: + <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the + 'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p> +Follow the above for every profile you need to migrate. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990153"></a>Side bar Notes</h4></div></div><div></div></div><p> +You should obtain the SID of your NT4 domain. You can use smbpasswd to do +this. Read the man page.</p><p> +With Samba-3.0.0 alpha code you can import all you NT4 domain accounts +using the net samsync method. This way you can retain your profile +settings as well as all your users. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990175"></a>moveuser.exe</h4></div></div><div></div></div><p> +The W2K professional resource kit has moveuser.exe. moveuser.exe changes +the security of a profile from one user to another. This allows the account +domain to change, and/or the user name to change. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990191"></a>Get SID</h4></div></div><div></div></div><p> +You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 +Resource Kit. +</p><p> +Windows NT 4.0 stores the local profile information in the registry under +the following key: +<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt> +</p><p> +Under the ProfileList key, there will be subkeys named with the SIDs of the +users who have logged on to this computer. (To find the profile information +for the user whose locally cached profile you want to move, find the SID for +the user with the GetSID.exe utility.) Inside of the appropriate user's +subkey, you will see a string value named ProfileImagePath. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990232"></a>Mandatory profiles</h2></div></div><div></div></div><p> +A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable. +</p></div><p> +For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN. 
+</p><p> +For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to +affect a mandatory profile. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990290"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p> +Most organisations are arranged into departments. There is a nice benefit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile. +</p><p> +The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990336"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p> +MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. 
Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990356"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p> +To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System +Policy Editor</span> or change the registry directly. +</p><p> +To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then +select <span class="guimenu">File</span> -> <span class="guimenuitem">Open Registry</span>, then click on the +<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>, +select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes. +</p><p> +To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive +<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. 
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990454"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p> +When a user logs on to a Windows 9x / Me machine, the local profile path, +<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked +for an existing entry for that user: +</p><p> +If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used. +</p><p> +If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990504"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p> +On MS Windows NT4 the default user profile is obtained from the location +<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to +<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be +three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>. 
+</p><p> +The <tt class="filename">All Users</tt> directory contains menu settings that are common across all +system users. The <tt class="filename">Default User</tt> directory contains menu entries that are +customisable per user depending on the profile settings chosen/created. +</p><p> +When a new user first logs onto an MS Windows NT4 machine a new profile is created from: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>All Users settings</td></tr><tr><td>Default User settings (contains the default NTUser.DAT file)</td></tr></table><p> +When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling: +</p><div class="procedure"><ol type="1"><li><p> + The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the + settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt> + location. + </p></li><li><p> + If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> + directory from reading the <tt class="filename">Default User</tt> profile. + </p></li><li><p> + If the NETLOGON share on the authenticating server (logon server) contains a policy file + (<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt> + which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry. 
+ </p></li><li><p> + When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then + re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents. + Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the + next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held + in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>. + </p></li></ol></div><p> +MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile +will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will +also remain stored in the same way, unless the following registry key is created: +</p><p> +</p><pre class="programlisting"> + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001 +</pre><p> + +In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be +deleted on logout. +</p><p> +Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt> +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. 
+</p><p> +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is: +</p><p> +<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt> +</p><p> +The above hive key contains a list of automatically managed folders. The default entries are: +</p><p> +</p><div class="table"><a name="id2990854"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p> +</p><p> +The registry key that contains the location of the default profile settings is: +</p><p> +<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt> +</p><p> +The default entries are: + +</p><div class="table"><a name="id2990998"></a><p class="title"><b>Table 24.2. 
Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991058"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + </p></div><p> +When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. +</p><p> +When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. 
ie: In MS Windows parlance: +<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this +to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows +login name of the user. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory + should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>. + </p></div><p> +If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile. +</p><p> +On logging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>. +</p><p> +Those wishing to modify the default behaviour can do so through three methods: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + </p></li><li><p> + Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + </p></li><li><p> + Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. 
+ </p></li></ul></div><p> +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is: +</p><p> +<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt> +</p><p> +The above hive key contains a list of automatically managed folders. The default entries are: +</p><p> +</p><div class="table"><a name="id2991253"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p> +</p><p> +There is also an entry called "Default" that has no value set. 
The default entry is of type <tt class="constant">REG_SZ</tt>, all +the others are of type <tt class="constant">REG_EXPAND_SZ</tt>. +</p><p> +It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will NOT be necessary to +write the Outlook PST file over the network for every login and logout. +</p><p> +To set this to a network location you could use the following examples: +</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p> +This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt> +You could also use: +</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p> + in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i> +in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows +user as seen by the Linux/Unix file system. +</p><p> +Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. +</p><p> +MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. +A roaming profile will be cached locally unless the following registry key is created: +</p><p><tt class="filename">HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001</tt></p><p> +In which case, the local cache copy will be deleted on logout. 
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991562"></a>Common Errors</h2></div></div><div></div></div><p> +The following are some typical errors/problems/questions that have been asked. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991575"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p> +With samba-2.2.x the choice you have is to enable or disable roaming +profiles support. It is a global only setting. The default is to have +roaming profiles and the default path will locate them in the user's home +directory. +</p><p> +If disabled globally then no-one will have roaming profile ability. +If enabled and you want it to apply only to certain machines, then on +those machines on which roaming profile support is NOT wanted it is then +necessary to disable roaming profile handling in the registry of each such +machine. +</p><p> +With samba-3.0.0 (soon to be released) you can have a global profile +setting in smb.conf _AND_ you can over-ride this by per-user settings +using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). +</p><p> +In any case, you can configure only one profile per user. That profile can +be either: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991638"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p> +“<span class="quote"> + I dont want Roaming profile to be implemented, I just want to give users + local profiles only. +... 
+ Please help me I am totally lost with this error from past two days I tried + everything and googled around quite a bit but of no help. Please help me. +</span>”</p><p> +Your choices are: + + +</p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p> + I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out + </p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p> + </p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><p> + + Your choices are: + + </p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p> + - should be preserved on a central server + - workstations 'cache' (store) a local copy + - used in case the profile can not be downloaded + at next logon + </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a central place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p> + - can be personal or group + - can NOT be changed (except by an administrator + </p></dd></dl></div><p> + </p></dd></dl></div><p> + +</p><p> +A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. +Outlook PST files are most often part of the profile and can be many GB in +size. On average (in a well controlled environment) roaming profile size of +2MB is a good rule of thumb to use for planning purposes. In an +undisciplined environment I have seen up to 2GB profiles. Users tend to +complain when it take an hour to log onto a workstation but they harvest +the fruits of folly (and ignorance). +</p><p> +The point of all the above is to show that roaming profiles and good +controls of how they can be changed as well as good discipline make up for +a problem free site. +</p><p> +Microsoft's answer to the PST problem is to store all email in an MS +Exchange Server back-end. 
But this is another story ...! +</p><p> +So, having LOCAL profiles means: + +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><p> + +On the other hand, having roaming profiles means: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><p> + +</p><p> +I have managed and installed MANY NT/2K networks and have NEVER found one +where users who move from machine to machine are happy with local +profiles. In the long run local profiles bite them. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991859"></a>Changing the default profile</h3></div></div><div></div></div><p>“<span class="quote"> +When the client tries to logon to the PDC it looks for a profile to download +where do I put this default profile. +</span>”</p><p> +Firstly, your samba server need to be configured as a domain controller. +</p><pre class="programlisting"> + server = user + os level = 32 (or more) + domain logons = Yes +</pre><p> +Plus you need to have a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable. +It is a good idea to add a logon script to pre-set printer and +drive connections. There is also a facility for automatically +synchronizing the workstation time clock with that of the logon +server (another good thing to do). 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +To invoke auto-deletion of roaming profile from the local +workstation cache (disk storage) you need to use the <span class="application">Group Policy Editor</span> +to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This +file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p> +Oh, of course the windows clients need to be members of the domain. +Workgroup machines do NOT do network logons - so they never see domain +profiles. +</p><p> +Secondly, for roaming profiles you need: + + logon path = \\%N\profiles\%U (with some such path) + logon drive = H: (Z: is the default) + + Plus you need a PROFILES share that is world writable. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html> diff --git a/docs/htmldocs/SWAT.html b/docs/htmldocs/SWAT.html new file mode 100644 index 0000000000..b4067d75d8 --- /dev/null +++ b/docs/htmldocs/SWAT.html 
@@ -0,0 +1,200 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. 
SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></div><p> +There are many and varied opinions regarding the usefulness or otherwise of SWAT. +No matter how hard one tries to produce the perfect configuration tool it remains +an object of personal taste. SWAT is a tool that will allow web based configuration +of samba. It has a wizard that may help to get samba configured quickly, it has context +sensitive help on each smb.conf parameter, it provides for monitoring of current state +of connection information, and it allows network wide MS Windows network password +management. 
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003929"></a>Features and Benefits</h2></div></div><div></div></div><p> +There are network administrators who believe that it is a good idea to write systems +documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT +does not store the configuration file in any intermediate form, rather, it stores only the +parameter settings, so when SWAT writes the smb.conf file to disk it will write only +those parameters that are at other than the default settings. The result is that all comments +will be lost from the <tt class="filename">smb.conf</tt> file. Additionally, the parameters will be written back in +internal ordering. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +So before using SWAT please be warned - SWAT will completely replace your smb.conf with +a fully optimised file that has been stripped of all comments you might have placed there +and only non-default settings will be written to the file. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003963"></a>Enabling SWAT for use</h3></div></div><div></div></div><p> +SWAT should be installed to run via the network super daemon. Depending on which system +your Unix/Linux system has you will have either an <b class="command">inetd</b> or +<b class="command">xinetd</b> based system. +</p><p> +The nature and location of the network super-daemon varies with the operating system +implementation. The control file (or files) can be located in the file +<tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet.d</tt> +or similar. 
+</p><p> +The control entry for the older style file might be: +</p><pre class="programlisting"> + # swat is the Samba Web Administration Tool + swat stream tcp nowait.400 root /usr/sbin/swat swat +</pre><p> +A control file for the newer style xinetd could be: +</p><p> +</p><pre class="programlisting"> + # default: off + # description: SWAT is the Samba Web Admin Tool. Use swat \ + # to configure your Samba server. To use SWAT, \ + # connect to port 901 with your favorite web browser. + service swat + { + port = 901 + socket_type = stream + wait = no + only_from = localhost + user = root + server = /usr/sbin/swat + log_on_failure += USERID + disable = yes + } +</pre><p> + +</p><p> +Both the above examples assume that the <b class="command">swat</b> binary has been +located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above +SWAT will use a directory access point from which it will load it's help files +as well as other control information. The default location for this on most Linux +systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default +location using samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>. +</p><p> +Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user +the only permission allowed is to view certain aspects of configuration as well as +access to the password change facility. The buttons that will be exposed to the non-root +user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, +<span class="guibutton">PASSWORD</span>. The only page that allows +change capability in this case is <span class="guibutton">PASSWORD</span>. +</p><p> +So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span> you should obtain +full change and commit ability. 
The buttons that will be exposed includes: +<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>, +<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006322"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p> +Lots of people have asked about how to setup SWAT with SSL to allow for secure remote +administration of Samba. Here is a method that works, courtesy of Markus Krieger +</p><p> +Modifications to the swat setup are as following: +</p><div class="procedure"><ol type="1"><li><p> + install OpenSSL + </p></li><li><p> + generate certificate and private key + + </p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \ + /usr/share/doc/packages/stunnel/stunnel.cnf \ + -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b> + </pre></li><li><p> + remove swat-entry from [x]inetd + </p></li><li><p> + start stunnel + + </p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \ + -l /usr/local/samba/bin/swat swat </tt></b> + </pre></li></ol></div><p> +afterwords simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate +and the SSL connection is up. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006435"></a>The SWAT Home Page</h3></div></div><div></div></div><p> +The SWAT title page provides access to the latest Samba documentation. 
The manual page for +each samba component is accessible from this page as are the Samba-HOWTO-Collection (this +document) as well as the O'Reilly book "Using Samba". +</p><p> +Administrators who wish to validate their samba configuration may obtain useful information +from the man pages for the diagnostic utilities. These are available from the SWAT home page +also. One diagnostic tool that is NOT mentioned on this page, but that is particularly +useful is <b class="command">ethereal</b>, available from <a href="http://www.ethereal.com" target="_top"> +http://www.ethereal.com</a>. +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended +as it runs SWAT without authentication and with full administrative ability. ie: Allows +changes to smb.conf as well as general operation with root privileges. The option that +creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any +production environment.</em></span> +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006499"></a>Global Settings</h3></div></div><div></div></div><p> +The Globals button will expose a page that allows configuration of the global parameters +in smb.conf. There are three levels of exposure of the parameters: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <span class="emphasis"><em>Basic</em></span> - exposes common configuration options. + </p></li><li><p> + <span class="emphasis"><em>Advanced</em></span> - exposes configuration options needed in more + complex environments. + </p></li><li><p> + <span class="emphasis"><em>Developer</em></span> - exposes configuration options that only the brave + will want to tamper with. 
+ </p></li></ul></div><p> +To switch to other than <span class="emphasis"><em>Basic</em></span> editing ability click on either the +<span class="emphasis"><em>Advanced</em></span> or the <span class="emphasis"><em>Developer</em></span> dial, then click the +<span class="guibutton">Commit Changes</span> button. +</p><p> +After making any changes to configuration parameters make sure that you click on the +<span class="guibutton">Commit Changes</span> button before moving to another area otherwise +your changes will be immediately lost. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +SWAT has context sensitive help. To find out what each parameter is for simply click the +<span class="guibutton">Help</span> link to the left of the configuration parameter. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006604"></a>Share Settings</h3></div></div><div></div></div><p> +To affect a currently configured share, simply click on the pull down button between the +<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons, +select the share you wish to operate on, then to edit the settings click on the +<span class="guibutton">Choose Share</span> button, to delete the share simply press the +<span class="guibutton">Delete Share</span> button. +</p><p> +To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter +into the text field the name of the share to be created, then click on the +<span class="guibutton">Create Share</span> button. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006669"></a>Printers Settings</h3></div></div><div></div></div><p> +To affect a currently configured printer, simply click on the pull down button between the +<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons, +select the printer you wish to operate on, then to edit the settings click on the +<span class="guibutton">Choose Printer</span> button, to delete the share simply press the +<span class="guibutton">Delete Printer</span> button. +</p><p> +To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter +into the text field the name of the share to be created, then click on the +<span class="guibutton">Create Printer</span> button. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006733"></a>The SWAT Wizard</h3></div></div><div></div></div><p> +The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator +to configure Samba with a minimum of effort. +</p><p> +The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format. +This will also happen if you press the commit button. The two differ in the the rewrite button +ignores any changes that may have been made, while the Commit button causes all changes to be +affected. +</p><p> +The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of +options that may be necessary to create a working Samba server. +</p><p> +Finally, there are a limited set of options that will determine what type of server Samba +will be configured for, whether it will be a WINS server, participate as a WINS client, or +operate with no WINS support. By clicking on one button you can elect to expose (or not) user +home directories. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006781"></a>The Status Page</h3></div></div><div></div></div><p> +The status page serves a limited purpose. Firstly, it allows control of the samba daemons. +The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>. +</p><p> +The daemons may be controlled individually or as a total group. Additionally, you may set +an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes +will be continually spawned. The auto-refresh facility will allow you to track the changing +conditions with minimal effort. +</p><p> +Lastly, the Status page may be used to terminate specific smbd client connections in order to +free files that may be locked. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006833"></a>The View Page</h3></div></div><div></div></div><p> +This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are +particularly masochistic, will permit you also to see all possible global configuration +parameters and their settings. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006856"></a>The Password Change Page</h3></div></div><div></div></div><p> +The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation +and reactivation of MS Windows networking users on the local machine. Alternatively, you can use +this tool to change a local password for a user account. +</p><p> +When logged in as a non-root account the user will have to provide the old password as well as +the new password (twice). When logged in as <span class="emphasis"><em>root</em></span> only the new password is +required. 
+</p><p> +One popular use for this tool is to change user passwords across a range of remote MS Windows +servers. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html> diff --git a/docs/htmldocs/SambaHA.html b/docs/htmldocs/SambaHA.html new file mode 100644 index 0000000000..ba82f6ad0f --- /dev/null +++ b/docs/htmldocs/SambaHA.html 
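Review bot: In "The SWAT Wizard" section of the SWAT hunk, wording errors obscure what the two buttons do: "The purpose if the SWAT Wizard" should read "of", "The two differ in the the rewrite button" doubles "the", and "causes all changes to be affected" should say "effected". The same paragraph names a rewrite button and a commit button in plain text with mixed capitalisation, while the other controls in these lines (Choose Printer, Delete Printer, Create Printer, Edit) use the guibutton span; mark them up the same way so readers can match them to the page. In "The Password Change Page", the statement that root needs only the new password would be worth pairing with a sentence on who should be allowed to reach SWAT, if the chapter does not already say so earlier, since the Status page text says the tool can also terminate client connections.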
@@ -0,0 +1,4 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. High Availability Options</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="Backup.html" title="Chapter 28. Samba Backup Techniques"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. High Availability Options</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SambaHA.html#id3003099">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003099"></a>Note</h2></div></div><div></div></div><p> +This chapter did not make it into this release. +It is planned for the published release of this document. 
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. Samba Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html> diff --git a/docs/htmldocs/ServerType.html b/docs/htmldocs/ServerType.html new file mode 100644 index 0000000000..01f03662ae --- /dev/null +++ b/docs/htmldocs/ServerType.html 
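Review bot: SambaHA.html is added as Chapter 29 with a body that only says "This chapter did not make it into this release", yet its navigation header and footer place it in the Prev/Next chain between Backup.html and migration.html, so a reader paging forward from Chapter 28 lands on an empty chapter. Either leave it out of the generated set until there is content, or have the Note say what the chapter will cover and where to look in the meantime. The generator meta tag shows this file is DocBook XSL output, so the change belongs in the DocBook source rather than in this HTML.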
@@ -0,0 +1,343 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 5. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. 
Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba a 
SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p> +This chapter provides information regarding the types of server that Samba may be +configured to be. A Microsoft network administrator who wishes to migrate to or to +use Samba will want to know what, within a Samba context, terms familiar to MS Windows +administrator mean. This means that it is essential also to define how critical security +modes function BEFORE we get into the details of how to configure the server itself. +</p><p> +The chapter provides an overview of the security modes of which Samba is capable +and how these relate to MS Windows servers and clients. +</p><p> +Firstly we should recognise the question so often asked, "Why would I want to use Samba?" +So, in those chapters where the answer may be important you will see a section that highlights +features and benefits. These may be for or against Samba. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888767"></a>Features and Benefits</h2></div></div><div></div></div><p> +Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It +hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion +and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I +can turn that into a precious gem and some day it will make a princess very happy! +</p><p> +The moral of this tale: Two men, two very different perspectives regarding the same stone. +Like it or not, Samba is like that stone. Treat it the right way and it can bring great +pleasure, but if you are forced upon it and have no time for its secrets then it can be +a source of discomfort. 
+</p><p> +Samba started out as a project that sought to provide interoperability for MS Windows 3.x +clients with a Unix server. It has grown up a lot since its humble beginnings and now provides +features and functionality fit for large scale deployment. It also has some warts. In sections +like this one we will tell of both. +</p><p> +So now, what are the benefits of features mentioned in this chapter? +</p><div class="itemizedlist"><ul type="disc"><li><p> + Samba-3 can replace an MS Windows NT4 Domain Controller + </p></li><li><p> + Samba-3 offers excellent interoperability with MS Windows NT4 + style domains as well as natively with Microsoft Active + Directory domains. + </p></li><li><p> + Samba-3 permits full NT4 style Interdomain Trusts + </p></li><li><p> + Samba has security modes that permit more flexible + authentication than is possible with MS Windows NT4 Domain Controllers. + </p></li><li><p> + Samba-3 permits use of multiple account database backends + </p></li><li><p> + The account (password) database backends can be distributed + and replicated using multiple methods. This gives Samba-3 + greater flexibility than MS Windows NT4 and in many cases a + significantly higher utility than Active Directory domains + with MS Windows 200x. 
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888862"></a>Server Types</h2></div></div><div></div></div><p>Administrators of Microsoft networks often refer to three +different type of servers:</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Primary Domain Controller</td></tr><tr><td>Backup Domain Controller</td></tr><tr><td>ADS Domain Controller</td></tr></table></li><li><p>Domain Member Server</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Member Server</td></tr><tr><td>NT4 Style Domain Member Server</td></tr></table></li><li><p>Stand Alone Server</p></li></ul></div><p> +The chapters covering Domain Control, Backup Domain Control and Domain Membership provide +pertinent information regarding Samba-3 configuration for each of these server roles. +The reader is strongly encouraged to become intimately familiar with the information +presented. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888947"></a>Samba Security Modes</h2></div></div><div></div></div><p> +In this section the function and purpose of Samba's <i class="parameter"><tt>security</tt></i> +modes are described. An accurate understanding of how Samba implements each security +mode as well as how to configure MS Windows clients for each mode will significantly +reduce user complaints and administrator heartache. +</p><p> +In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>USER Level</em></span> +and <span class="emphasis"><em>SHARE Level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>. 
In implementing these two <span class="emphasis"><em>security levels</em></span> Samba provides flexibilities +that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of five (5) +ways that allow the security levels to be implemented. In actual fact, Samba implements +<span class="emphasis"><em>SHARE Level</em></span> security only one way, but has four ways of implementing +<span class="emphasis"><em>USER Level</em></span> security. Collectively, we call the Samba implementations +<span class="emphasis"><em>Security Modes</em></span>. These are: <span class="emphasis"><em>SHARE</em></span>, <span class="emphasis"><em>USER</em></span>, <span class="emphasis"><em>DOMAIN</em></span>, +<span class="emphasis"><em>ADS</em></span>, and <span class="emphasis"><em>SERVER</em></span> +modes. They are documented in this chapter. +</p><p> +A SMB server tells the client at startup what <i class="parameter"><tt>security level</tt></i> +it is running. There are two options: <span class="emphasis"><em>share level</em></span> and +<span class="emphasis"><em>user level</em></span>. Which of these two the client receives affects +the way the client then tries to authenticate itself. It does not directly affect +(to any great extent) the way the Samba server does security. This may sound strange, +but it fits in with the client/server approach of SMB. In SMB everything is initiated +and controlled by the client, and the server can only tell the client what is +available and whether an action is allowed. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889062"></a>User Level Security</h3></div></div><div></div></div><p> +We will describe <i class="parameter"><tt>user level</tt></i> security first, as it's simpler. +In <span class="emphasis"><em>user level</em></span> security, the client will send a +<span class="emphasis"><em>session setup</em></span> command directly after the protocol negotiation. 
+This contains a username and password. The server can either accept or reject that +username/password combination. Note that at this stage the server has no idea what +share the client will eventually try to connect to, so it can't base the +<span class="emphasis"><em>accept/reject</em></span> on anything other than: +</p><div class="orderedlist"><ol type="1"><li><p>The username/password</p></li><li><p>The name of the client machine</p></li></ol></div><p> +If the server accepts the username/password then the client expects to be able to +mount shares (using a <span class="emphasis"><em>tree connection</em></span>) without specifying a +password. It expects that all access rights will be as the username/password +specified in the <span class="emphasis"><em>session setup</em></span>. +</p><p> +It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span> +requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use +as an authentication tag for that username/password. The client can maintain multiple +authentication contexts in this way (WinDD is an example of an application that does this). +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889156"></a>Example Configuration</h4></div></div><div></div></div><p> +The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>User Level Security</em></span> is: +</p><pre class="programlisting"> + security = user +</pre><p> +This is the default setting since samba-2.2.x. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889195"></a>Share Level Security</h3></div></div><div></div></div><p> +Ok, now for share level security. In share level security, the client authenticates +itself separately for each share. 
It will send a password along with each +<span class="emphasis"><em>tree connection</em></span> (share mount). It does not explicitly send a +username with this operation. The client expects a password to be associated +with each share, independent of the user. This means that Samba has to work out what +username the client probably wants to use. It is never explicitly sent the username. +Some commercial SMB servers such as NT actually associate passwords directly with +shares in share level security, but Samba always uses the unix authentication scheme +where it is a username/password pair that is authenticated, not a share/password pair. +</p><p> +To gain understanding of the MS Windows networking parallels to this, one should think +in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only +or full access, with or without a password. +</p><p> +Many clients send a <span class="emphasis"><em>session setup</em></span> even if the server is in share +level security. They normally send a valid username but no password. Samba records +this username in a list of <span class="emphasis"><em>possible usernames</em></span>. When the client +then does a <span class="emphasis"><em>tree connection</em></span> it also adds to this list the name +of the share they try to connect to (useful for home directories) and any users +listed in the <i class="parameter"><tt>user =</tt></i> <tt class="filename">smb.conf</tt> line. The password is then checked +in turn against these <span class="emphasis"><em>possible usernames</em></span>. If a match is found +then the client is authenticated as that user. 
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889275"></a>Example Configuration</h4></div></div><div></div></div><p> +The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>Share Level Security</em></span> is: +</p><pre class="programlisting"> + security = share +</pre><p> +Please note that there are reports that recent MS Windows clients do not like to work +with share mode security servers. You are strongly discouraged from using share level security. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889317"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p> +When Samba is operating in <i class="parameter"><tt>security = domain</tt></i> mode, +the Samba server has a domain security trust account (a machine account) and will cause +all authentication requests to be passed through to the domain controllers. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889339"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em> +Samba as a Domain Member Server +</em></span></p><p> +This method involves addition of the following parameters in the <tt class="filename">smb.conf</tt> file: +</p><pre class="programlisting"> + security = domain + workgroup = "name_of_NT_domain" +</pre><p> +In order for this method to work, the Samba server needs to join the MS Windows NT +security domain. This is done as follows: +</p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT domain controller, using + the Server Manager, add a machine account for the Samba server. 
+ </p></li><li><p>Next, on the Unix/Linux system execute:</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j DOMAIN_NAME -r PDC_NAME</tt></b> (samba-2.x)</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>net join -U administrator%password</tt></b> (samba-3)</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just +by executing: +</p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j <i class="replaceable"><tt>DOMAIN_NAME</tt></i> -r <i class="replaceable"><tt>PDC_NAME</tt></i> -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b> +</pre><p> + +As of Samba-3 the same can be done by executing: +</p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>net join -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b> +</pre><p> +It is not necessary with Samba-3 to specify the <i class="replaceable"><tt>DOMAIN_NAME</tt></i> or the <i class="replaceable"><tt>PDC_NAME</tt></i> as it +figures this out from the <tt class="filename">smb.conf</tt> file settings. +</p></div><p> +Use of this mode of authentication does require there to be a standard Unix account +for each user in order to assign a uid once the account has been authenticated by +the remote Windows DC. This account can be blocked to prevent logons by clients other than +MS Windows through things such as setting an invalid shell in the +<tt class="filename">/etc/passwd</tt> entry. +</p><p> +An alternative to assigning UIDs to Windows users on a Samba member server is +presented in the <a href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind">Winbind Overview</a> chapter +in this HOWTO collection. +</p><p> +For more information of being a domain member, see the <a href="domain-member.html" title="Chapter 7. 
Domain Membership">Domain +Member</a> section of this Howto. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889568"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p> +Both Samba 2.2 and 3.0 can join an Active Directory domain. This is +possible even if the domain is run in native mode. Active Directory in +native mode perfectly allows NT4-style domain members, contrary to +popular belief. The only thing that Active Directory in native mode +prohibits is Backup Domain Controllers running NT4. +</p><p> +If you are running Active Directory starting with Samba 3.0 you can +however join as a native AD member. Why would you want to do that? +Your security policy might prohibit the use of NT-compatible +authentication protocols. All your machines are running Windows 2000 +and above and all use full Kerberos. In this case Samba as a NT4-style +domain would still require NT-compatible authentication data. Samba in +AD-member mode can accept Kerberos. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889598"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting"> + realm = your.kerberos.REALM + security = ADS +</pre><p> + The following parameter may be required: +</p><pre class="programlisting"> + ads server = your.kerberos.server +</pre><p> +Please refer to the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Membership</a> and <a href="domain-member.html#ads-member" title="Samba ADS Domain Membership">Active Directory +Membership</a> sections for more information regarding this configuration option. 
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889655"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p> +Server security mode is a left over from the time when Samba was not capable of acting +as a domain member server. It is highly recommended NOT to use this feature. Server +security mode has many draw backs. The draw backs include: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Potential Account Lockout on MS Windows NT4/200x password servers</td></tr><tr><td>Lack of assurance that the password server is the one specified</td></tr><tr><td>Does not work with Winbind, particularly needed when storing profiles remotely</td></tr><tr><td>This mode may open connections to the password server, and keep them open for extended periods.</td></tr><tr><td>Security on the Samba server breaks badly when the remote password server suddenly shuts down</td></tr><tr><td>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</td></tr></table><p> +In server security mode the Samba server reports to the client that it is in user level +security. The client then does a <span class="emphasis"><em>session setup</em></span> as described earlier. +The Samba server takes the username/password that the client sends and attempts to login to the +<i class="parameter"><tt>password server</tt></i> by sending exactly the same username/password that +it got from the client. If that server is in user level security and accepts the password, +then Samba accepts the clients connection. This allows the Samba server to use another SMB +server as the <i class="parameter"><tt>password server</tt></i>. +</p><p> +You should also note that at the very start of all this, where the server tells the client +what security level it is in, it also tells the client if it supports encryption. 
If it +does then it supplies the client with a random cryptkey. The client will then send all +passwords in encrypted form. Samba supports this type of encryption by default. +</p><p> +The parameter <i class="parameter"><tt>security = server</tt></i> means that Samba reports to clients that +it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication +requests to another <span class="emphasis"><em>user mode</em></span> server. This requires an additional +parameter <i class="parameter"><tt>password server</tt></i> that points to the real authentication server. +That real authentication server can be another Samba server or can be a Windows NT server, +the later natively capable of encrypted password support. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +When Samba is running in <span class="emphasis"><em>server security mode</em></span> it is essential that +the parameter <span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine +name of the target authentication server. Samba can NOT determine this from NetBIOS name +lookups because the choice of the target authentication server is arbitrary and can not +be determined from a domain name. In essence, a Samba server that is in +<span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as +workgroup mode. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889811"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em> +Using MS Windows NT as an authentication server +</em></span></p><p> +This method involves the additions of the following parameters in the <tt class="filename">smb.conf</tt> file: +</p><pre class="programlisting"> + encrypt passwords = Yes + security = server + password server = "NetBIOS_name_of_a_DC" +</pre><p> +There are two ways of identifying whether or not a username and password pair was valid +or not. One uses the reply information provided as part of the authentication messaging +process, the other uses just an error code. +</p><p> +The down-side of this mode of configuration is the fact that for security reasons Samba +will send the password server a bogus username and a bogus password and if the remote +server fails to reject the username and password pair then an alternative mode of +identification of validation is used. Where a site uses password lock out after a +certain number of failed authentication attempts this will result in user lockouts. +</p><p> +Use of this mode of authentication does require there to be a standard Unix account +for the user, though this account can be blocked to prevent logons by non-SMB/CIFS clients. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889880"></a>Seamless Windows Network Integration</h2></div></div><div></div></div><p> +MS Windows clients may use encrypted passwords as part of a challenge/response +authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear text strings for simple +password based authentication. It should be realized that with the SMB protocol, +the password is passed over the network either in plain text or encrypted, but +not both in the same authentication request. 
+</p><p> +When encrypted passwords are used, a password that has been entered by the user +is encrypted in two ways: +</p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the UNICODE of the password + string. This is known as the NT hash. + </p></li><li><p>The password is converted to upper case, + and then padded or truncated to 14 bytes. This string is + then appended with 5 bytes of NULL characters and split to + form two 56 bit DES keys to encrypt a "magic" 8 byte value. + The resulting 16 bytes form the LanMan hash. + </p></li></ul></div><p> +MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0 +pre-service pack 3 will use either mode of password authentication. All +versions of MS Windows that follow these versions no longer support plain +text passwords by default. +</p><p> +MS Windows clients have a habit of dropping network mappings that have been idle +for 10 minutes or longer. When the user attempts to use the mapped drive +connection that has been dropped, the client re-establishes the connection using +a cached copy of the password. +</p><p> +When Microsoft changed the default password mode, support was dropped for caching +of the plain text password. This means that when the registry parameter is changed +to re-enable use of plain text passwords it appears to work, but when a dropped +service connection mapping attempts to revalidate it will fail if the remote +authentication server does not support encrypted passwords. This means that it +is definitely not a good idea to re-enable plain text password support in such clients. +</p><p> +The following parameters can be used to work around the issue of Windows 9x clients +upper casing usernames and password before transmitting them to the SMB server +when using clear text authentication. 
+</p><pre class="programlisting"> + <a href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> = <i class="replaceable"><tt>integer</tt></i> + <a href="smb.conf.5.html#USERNAMELEVEL" target="_top">username level</a> = <i class="replaceable"><tt>integer</tt></i> +</pre><p> +By default Samba will lower case the username before attempting to lookup the user +in the database of local system accounts. Because UNIX usernames conventionally +only contain lower case character, the <i class="parameter"><tt>username level</tt></i> parameter +is rarely needed. +</p><p> +However, passwords on UNIX systems often make use of mixed case characters. +This means that in order for a user on a Windows 9x client to connect to a Samba +server using clear text authentication, the <i class="parameter"><tt>password level</tt></i> +must be set to the maximum number of upper case letter which <span class="emphasis"><em>could</em></span> +appear is a password. Note that the server OS uses the traditional DES version +of crypt(), a <i class="parameter"><tt>password level</tt></i> of 8 will result in case +insensitive passwords as seen from Windows users. This will also result in longer +login times as Samba has to compute the permutations of the password string and +try them one by one until a match is located (or all combinations fail). +</p><p> +The best option to adopt is to enable support for encrypted passwords where ever +Samba is used. Most attempts to apply the registry change to re-enable plain text +passwords will eventually lead to user complaints and unhappiness. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890056"></a>Common Errors</h2></div></div><div></div></div><p> +We all make mistakes. It is Ok to make mistakes, so long as they are made in the right places +and at the right time. A mistake that causes lost productivity is seldom tolerated. 
A mistake +made in a developmental test lab is expected. +</p><p> +Here we look at common mistakes and misapprehensions that have been the subject of discussions +on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting +a Samba implementation. Some are the result of misunderstanding of the English language. The +English language has many turns of phrase that are potentially vague and may be highly confusing +to those for whom English is not their native tongue. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890084"></a>What makes Samba a SERVER?</h3></div></div><div></div></div><p> +To some the nature of the Samba <span class="emphasis"><em>security</em></span> mode is very obvious, but entirely +wrong all the same. It is assumed that <i class="parameter"><tt>security = server</tt></i> means that Samba +will act as a server. Not so! See above - this setting means that Samba will <span class="emphasis"><em>try</em></span> +to use another SMB server as its source of user authentication alone. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890117"></a>What makes Samba a Domain Controller?</h3></div></div><div></div></div><p> +The <tt class="filename">smb.conf</tt> parameter <i class="parameter"><tt>security = domain</tt></i> does NOT really make Samba behave +as a Domain Controller! This setting means we want Samba to be a domain member! +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890146"></a>What makes Samba a Domain Member?</h3></div></div><div></div></div><p> +Guess! So many others do. But whatever you do, do NOT think that <i class="parameter"><tt>security = user</tt></i> +makes Samba act as a domain member. Read the manufacturers manual before the warranty expires! See +the <a href="domain-member.html" title="Chapter 7. 
Domain Membership">Domain Member</a> section of this Howto for more information. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890179"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p> +Why does server_validate() simply give up rather than re-establishing its connection to the +password server? Though I am not fluent in the SMB protocol, perhaps the cluster server +process passes along to its client workstation the session key it receives from the password +server, which means the password hashes submitted by the client would not work on a subsequent +connection, whose session key would be different. So server_validate() must give up. +</p><p> +Indeed. That's why security = server is at best a nasty hack. Please use security = domain. +<i class="parameter"><tt>security = server</tt></i> mode is also known as pass-through authentication. +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Server Configuration Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Domain Control</td></tr></table></div></body></html> diff --git a/docs/htmldocs/StandAloneServer.html b/docs/htmldocs/StandAloneServer.html new file mode 100644 index 0000000000..a3bdf439af --- /dev/null +++ b/docs/htmldocs/StandAloneServer.html 
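Review bot: In the encrypted-passwords section of the hunk that ends above (before the StandAloneServer.html header), the LanMan hash bullet does not add up. A password "padded or truncated to 14 bytes" already splits into two 7-byte (56 bit) DES keys, so "appended with 5 bytes of NULL characters" cannot belong to that step: 19 bytes do not divide into two 56 bit keys. The 5 NULL bytes pad the 16-byte hash to 21 bytes when the challenge response is computed, so move that clause out of the hash description or drop it. In the same hunk, "Note that the server OS uses the traditional DES version of crypt()" reads as if it is missing "if", and the "Constantly Losing Connections to Password Server" entry pastes a first-person mailing-list question ("Though I am not fluent in the SMB protocol") without saying who is asking; mark it as a quoted question followed by the answer.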
@@ -0,0 +1,143 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Stand-Alone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="domain-member.html" title="Chapter 7. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Stand-Alone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. 
Stand-Alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></div><p> +Stand-Alone servers are independent of Domain Controllers on the network. +They are NOT domain members and function more like workgroup servers. In many +cases a stand-alone server is configured with a minimum of security control +with the intent that all data served will be readily accessible to all users. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902304"></a>Features and Benefits</h2></div></div><div></div></div><p> +Stand-Alone servers can be as secure or as insecure as needs dictate. They can +have simple or complex configurations. Above all, despite the hoopla about +Domain security they remain a very common installation. +</p><p> +If all that is needed is a server for read-only files, or for +printers alone, it may not make sense to affect a complex installation. +For example: A drafting office needs to store old drawings and reference +standards. No-one can write files to the server as it is legislatively +important that all documents remain unaltered. 
A share mode read-only stand-alone +server is an ideal solution. +</p><p> +Another situation that warrants simplicity is an office that has many printers +that are queued off a single central server. Everyone needs to be able to print +to the printers, there is no need to affect any access controls and no files will +be served from the print server. Again a share mode stand-alone server makes +a great solution. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902501"></a>Background</h2></div></div><div></div></div><p> +The term <span class="emphasis"><em>stand-alone server</em></span> means that the server +will provide local authentication and access control for all resources +that are available from it. In general this means that there will be a +local user database. In more technical terms, it means that resources +on the machine will be made available in either SHARE mode or in +USER mode. +</p><p> +No special action is needed other than to create user accounts. Stand-alone +servers do NOT provide network logon services. This means that machines that +use this server do NOT perform a domain logon to it. Whatever logon facility +the workstations are subject to is independent of this machine. It is however +necessary to accommodate any network user so that the logon name they use will +be translated (mapped) locally on the stand-alone server to a locally known +user name. There are several ways this can be done. +</p><p> +Samba tends to blur the distinction a little in respect of what is +a stand-alone server. This is because the authentication database may be +local or on a remote server, even if from the Samba protocol perspective +the Samba server is NOT a member of a domain security context. +</p><p> +Through the use of PAM (Pluggable Authentication Modules) and nsswitch +(the name service switcher) the source of authentication may reside on +another server. 
We would be inclined to call this the authentication server. +This means that the Samba server may use the local Unix/Linux system password database +(<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>), may use a +local smbpasswd file, or may use +an LDAP back end, or even via PAM and Winbind another CIFS/SMB server +for authentication. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902573"></a>Example Configuration</h2></div></div><div></div></div><p> +The following examples are designed to inspire simplicity. It is too easy to +attempt a high level of creativity and to introduce too much complexity in +server and network design. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902588"></a>Reference Documentation Server</h3></div></div><div></div></div><p> +Configuration of a read-only data server that EVERYONE can access is very simple. +Here is the smb.conf file that will do this. Assume that all the reference documents +are stored in the directory /export, that the documents are owned by a user other than +nobody. No home directories are shared, that are no users in the <tt class="filename">/etc/passwd</tt> +Unix system database. This is a very simple system to administer. +</p><pre class="programlisting"> + # Global parameters + [global] + workgroup = MYGROUP + netbios name = REFDOCS + security = SHARE + passdb backend = guest + wins server = 192.168.1.1 + + [data] + comment = Data + path = /export + guest only = Yes +</pre><p> +In the above example the machine name is set to REFDOCS, the workgroup is set to the name +of the local workgroup so that the machine will appear in with systems users are familiar +with. The only password backend required is the "guest" backend so as to allow default +unprivileged account names to be used. Given that there is a WINS server on this network +we do use it. 
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902638"></a>Central Print Serving</h3></div></div><div></div></div><p> +Configuration of a simple print server is very simple if you have all the right tools +on your system. +</p><div class="orderedlist"><p class="title"><b> Assumptions:</b></p><ol type="1"><li><p> + The print server must require no administration + </p></li><li><p> + The print spooling and processing system on our print server will be CUPS. + (Please refer to the <a href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing</a> chapter for more information). + </p></li><li><p> + All printers that the print server will service will be network + printers. They will be correctly configured, by the administrator, + in the CUPS environment. + </p></li><li><p> + All workstations will be installed using postscript drivers. The printer + of choice is the Apple Color LaserWriter. + </p></li></ol></div><p> +In this example our print server will spool all incoming print jobs to +<tt class="filename">/var/spool/samba</tt> until the job is ready to be submitted by +Samba to the CUPS print processor. Since all incoming connections will be as +the anonymous (guest) user, two things will be required: +</p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p> + The Unix/Linux system must have a <b class="command">guest</b> account. + The default for this is usually the account <b class="command">nobody</b>. + To find the correct name to use for your version of Samba do the + following: + </p><pre class="screen"> +<tt class="prompt">$ </tt><b class="userinput"><tt>testparm -s -v | grep "guest account"</tt></b> + </pre><p> + Then make sure that this account exists in your system password + database (<tt class="filename">/etc/passwd</tt>). 
+ </p></li><li><p> + The directory into which Samba will spool the file must have write + access for the guest account. The following commands will ensure that + this directory is available for use: + </p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>mkdir /var/spool/samba</tt></b> +<tt class="prompt">root# </tt><b class="userinput"><tt>chown nobody.nobody /var/spool/samba</tt></b> +<tt class="prompt">root# </tt><b class="userinput"><tt>chmod a+rwt /var/spool/samba</tt></b> + </pre><p> + </p></li></ul></div><p> +</p><pre class="programlisting"> + # Global parameters + [global] + workgroup = MYGROUP + netbios name = PTRSVR1 + security = SHARE + passdb backend = guest + wins server = 192.168.1.1 + + [printers] + comment = All Printers + path = /var/spool/samba + printer admin = root + guest ok = Yes + printable = Yes + printing = cups + use client driver = Yes + browseable = No +</pre><p> +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902852"></a>Common Errors</h2></div></div><div></div></div><p> +The greatest mistake so often made is to make a network configuration too complex. +It pays to use the simplest solution that will meet the needs of the moment. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. MS Windows Network Configuration Guide</td></tr></table></div></body></html> 
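Review bot: In the Reference Documentation Server example of StandAloneServer.html, the [data] share sets "guest only = Yes" without "guest ok = Yes". Per smb.conf(5), guest only has no effect unless guest ok is set for the service, so the share as written does not give the anonymous access the text promises. Add "guest ok = Yes", and consider an explicit "read only = Yes", since the paragraph stresses that no one may write. The paragraph introducing that example also says "that are no users in the /etc/passwd" (presumably "there are") while requiring that the documents be owned by a user other than nobody, and the two statements conflict. In the print-server steps, "chown nobody.nobody" hard-codes the account although the previous step tells the reader to look up the guest account with testparm; use the reported name, and prefer the "user:group" separator.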
diff --git a/docs/htmldocs/VFS.html b/docs/htmldocs/VFS.html new file mode 100644 index 0000000000..6b520d792a --- /dev/null +++ b/docs/htmldocs/VFS.html 
@@ -0,0 +1,105 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"><link rel="next" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. 
Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="VFS.html#id2978211">Features and Benefits</a></dt><dt><a href="VFS.html#id2978229">Discussion</a></dt><dt><a href="VFS.html#id2978320">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2978327">audit</a></dt><dt><a href="VFS.html#id2978365">extd_audit</a></dt><dt><a href="VFS.html#id2978489">fake_perms</a></dt><dt><a href="VFS.html#id2978508">recycle</a></dt><dt><a href="VFS.html#id2978645">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2978690">VFS 
modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2978712">DatabaseFS</a></dt><dt><a href="VFS.html#id2978768">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2978797">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978211"></a>Features and Benefits</h2></div></div><div></div></div><p> +Since Samba-3, there is support for stackable VFS(Virtual File System) modules. +Samba passes each request to access the unix file system thru the loaded VFS modules. +This chapter covers all the modules that come with the samba source and references to +some external modules. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978229"></a>Discussion</h2></div></div><div></div></div><p> +If not supplied with your platform distribution binary Samba package you may have problems +to compile these modules, as shared libraries are compiled and linked in different ways +on different systems. They currently have been tested against GNU/Linux and IRIX. +</p><p> +To use the VFS modules, create a share similar to the one below. The +important parameter is the <b class="command">vfs objects</b> parameter where +you can list one or more VFS modules by name. For example, to log all access +to files and put deleted files in a recycle bin: + +</p><pre class="programlisting"> +[audit] + comment = Audited /data directory + path = /data + vfs objects = audit recycle + writeable = yes + browseable = yes +</pre><p> +</p><p> +The modules are used in the order in which they are specified. +</p><p> +Samba will attempt to load modules from the <span class="emphasis"><em>lib</em></span> +directory in the root directory of the samba installation (usually +<tt class="filename">/usr/lib/samba/vfs</tt> or <tt class="filename">/usr/local/samba/lib/vfs +</tt>). +</p><p> +Some modules can be used twice for the same share. 
+This can be done using a configuration similar to the one below. + +</p><pre class="programlisting"> +[test] + comment = VFS TEST + path = /data + writeable = yes + browseable = yes + vfs objects = example:example1 example example:test + example1: parameter = 1 + example: parameter = 5 + test: parameter = 7 +</pre><p> +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978320"></a>Included modules</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978327"></a>audit</h3></div></div><div></div></div><p> + A simple module to audit file access to the syslog + facility. The following operations are logged: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td>share</td></tr><tr><td>connect/disconnect</td></tr><tr><td>directory opens/create/remove</td></tr><tr><td>file open/close/rename/unlink/chmod</td></tr></table><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978365"></a>extd_audit</h3></div></div><div></div></div><p> + This module is identical with the <span class="emphasis"><em>audit</em></span> module above except + that it sends audit logs to both syslog as well as the smbd log file/s. The + loglevel for this module is set in the smb.conf file. + </p><p> + The logging information that will be written to the smbd log file is controlled by + the <i class="parameter"><tt>log level</tt></i> parameter in <tt class="filename">smb.conf</tt>. The + following information will be recorded: + </p><div class="table"><a name="id2978406"></a><p class="title"><b>Table 20.1. 
Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978489"></a>fake_perms</h3></div></div><div></div></div><p> + This module was created to allow Roaming Profile files and directories to be set (on the Samba server + under Unix) as read only. This module will if installed on the Profiles share will report to the client + that the Profile files and directories are writable. This satisfies the client even though the files + will never be overwritten as the client logs out or shuts down. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978508"></a>recycle</h3></div></div><div></div></div><p> + A recycle-bin like module. When used any unlink call + will be intercepted and files moved to the recycle + directory instead of being deleted. 
+ </p><p>Supported options: + </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>FIXME</p></dd></dl></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978645"></a>netatalk</h3></div></div><div></div></div><p> + A netatalk module, that will ease co-existence of samba and + netatalk file sharing services. + </p><p>Advantages compared to the old netatalk module: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</td></tr><tr><td>if a share in <tt class="filename">smb.conf</tt> doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</td></tr></table><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978690"></a>VFS modules available elsewhere</h2></div></div><div></div></div><p> +This section contains a listing of various other VFS modules that +have been posted but don't currently reside in the Samba CVS +tree for one reason or another (e.g. it is easy for the maintainer +to have his or her own CVS tree). +</p><p> +No statements about the stability or functionality of any module +should be implied due to its presence here. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978712"></a>DatabaseFS</h3></div></div><div></div></div><p> + URL: <a href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</a> + </p><p>By <a href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer</a>.</p><p> + I have created a VFS module which implements a fairly complete read-only + filesystem. It presents information from a database as a filesystem in + a modular and generic way to allow different databases to be used + (originally designed for organizing MP3s under directories such as + "Artists," "Song Keywords," etc... I have since applied it to a student + roster database very easily). The directory structure is stored in the + database itself and the module makes no assumptions about the database + structure beyond the table it requires to run. + </p><p> + Any feedback would be appreciated: comments, suggestions, patches, + etc... If nothing else, hopefully it might prove useful for someone + else who wishes to create a virtual filesystem. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978768"></a>vscan</h3></div></div><div></div></div><p>URL: <a href="http://www.openantivirus.org/" target="_top">http://www.openantivirus.org/</a></p><p> + samba-vscan is a proof-of-concept module for Samba, which + uses the VFS (virtual file system) features of Samba 2.2.x/3.0 + alphaX. Of course, Samba has to be compiled with VFS support. + samba-vscan supports various virus scanners and is maintained + by Rainer Link. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978797"></a>Common Errors</h2></div></div><div></div></div><p> +There must be some gotchas we should record here! Jelmer??? 
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. CUPS Printing Support in Samba 3.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Integrated Logon Support using Winbind</td></tr></table></div></body></html> diff --git a/docs/htmldocs/index.html b/docs/htmldocs/index.html new file mode 100755 index 0000000000..f7bc47b7c8 --- /dev/null +++ b/docs/htmldocs/index.html 
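Review bot: In VFS.html, every option of the recycle module (recycle:repository through recycle:noversions) is documented only as "FIXME", and the Common Errors section is the placeholder "There must be some gotchas we should record here! Jelmer???". Neither should ship in the rendered docs: describe the options, or leave the sections out until there is text for them. The Discussion section also says modules are loaded from the "lib" directory of the installation but gives /usr/lib/samba/vfs and /usr/local/samba/lib/vfs as the paths, so the prose should say "lib/vfs". In the audit module's list, "share" and "connect/disconnect" are separate entries and look like one item split in two.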
@@ -0,0 +1,76 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>SAMBA Project Documentation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><meta name="description" content=" +This book is a collection of HOWTOs added to Samba documentation over the years. +Samba is always under development, and so is its' documentation. This release of the +documentation represents a major revision or layout as well as contents. +The most recent version of this document can be found at +http://www.samba.org/ +on the "Documentation" page. Please send updates to +Jelmer Vernooij, +John H. Terpstra or +Gerald (Jerry) Carter. + +The Samba-Team would like to express sincere thanks to the many people who have with +or without their knowledge contributed to this update. The size and scope of this +project would not have been possible without significant community contribution. A not +insignificant number of ideas for inclusion (if not content itself) has been obtained +from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. +Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and +application knowledge that is most to be desired by many Samba users and administrators. +"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="next" href="introduction.html" title="Part I. 
General Installation"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SAMBA Project Documentation</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-HOWTO-Collection"></a>SAMBA Project Documentation</h1></div><div><div class="authorgroup"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><h3 class="editor"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><h3 class="editor"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3></div></div><div><div class="legalnotice"><p> +This documentation is distributed under the GNU General Public License (GPL) +version 2. A copy of the license is included with the Samba source +distribution. A copy can be found on-line at <a href="http://www.fsf.org/licenses/gpl.txt" target="_top">http://www.fsf.org/licenses/gpl.txt</a> +</p><p><b>Attributions. </b> + </p><div class="variablelist"><dl><dt><span class="term"><a href="IntroSMB.html" title="Chapter 1. Introduction to Samba">Introduction to Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>David Lechnyr <<a href="mailto:david@lechnyr.com" target="_top">david@lechnyr.com</a>></p></li></ul></div></dd><dt><span class="term"><a href="install.html" title="Chapter 2. 
How to Install and Test SAMBA">How to Install and Test SAMBA</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Karl Auer</p></li></ul></div></dd><dt><span class="term"><a href="FastStart.html" title="Chapter 3. Fast Start for the Impatient">Fast Start for the Impatient</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="ServerType.html" title="Chapter 4. Server Types and Security Modes">Server Types and Security Modes</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>David Bannon <<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="samba-bdc.html" title="Chapter 6. 
Backup Domain Control">Backup Domain Control</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Volker Lendecke <<a href="mailto:Volker.Lendecke@SerNet.DE" target="_top">Volker.Lendecke@SerNet.DE</a>></p></li></ul></div></dd><dt><span class="term"><a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Membership</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers">Stand-Alone Servers</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide">MS Windows Network Configuration Guide</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="NetworkBrowsing.html" title="Chapter 10. 
Samba / MS Windows Network Browsing Guide">Samba / MS Windows Network Browsing Guide</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Olivier (lem) Lemaire <<a href="mailto:olem@IDEALX.org" target="_top">olem@IDEALX.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups">Mapping MS Windows and Unix Groups</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jean François Micouleau</p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls">File, Directory and Share Access Controls</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="locking.html" title="Chapter 14. 
File and Record Locking">File and Record Locking</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Eric Roseme <<a href="mailto:eric.roseme@hp.com" target="_top">eric.roseme@hp.com</a>></p></li></ul></div></dd><dt><span class="term"><a href="securing-samba.html" title="Chapter 15. Securing Samba">Securing Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships">Interdomain Trust Relationships</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Rafal Szczesniak <<a href="mailto:mimir@samba.org" target="_top">mimir@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba">Hosting a Microsoft Distributed File System tree on Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Shirish Kalele <<a href="mailto:samba@samba.org" target="_top">samba@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="printing.html" title="Chapter 18. 
Classical Printing Support">Classical Printing Support</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing Support in Samba 3.0</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>></p></li><li><p>Ciprian Vizitiu <<a href="mailto:CVizitiu@gbif.org" target="_top">CVizitiu@gbif.org</a>> (drawings) </p></li></ul></div></dd><dt><span class="term"><a href="VFS.html" title="Chapter 20. Stackable VFS modules">Stackable VFS modules</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Tim Potter</p></li><li><p>Simo Sorce (original vfs_skel README) </p></li><li><p>Alexander Bokovoy (original vfs_netatalk docs) </p></li><li><p>Stefan Metzmacher (Update for multiple modules) </p></li></ul></div></dd><dt><span class="term"><a href="winbind.html" title="Chapter 21. 
Integrated Logon Support using Winbind">Integrated Logon Support using Winbind</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Tim Potter <<a href="mailto:tpot@linuxcare.com.au" target="_top">tpot@linuxcare.com.au</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Naag Mummaneni <<a href="mailto:getnag@rediffmail.com" target="_top">getnag@rediffmail.com</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management">Advanced Network Management</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="PolicyMgmt.html" title="Chapter 23. System and Account Policies">System and Account Policies</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management">Desktop Profile Management</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="pam.html" title="Chapter 25. 
PAM based Distributed Authentication">PAM based Distributed Authentication</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Stephen Langasek <<a href="mailto:vorlon@netexpress.net" target="_top">vorlon@netexpress.net</a>></p></li></ul></div></dd><dt><span class="term"><a href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba">Integrating MS Windows networks with Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode/Charsets</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>TAKAHASHI Motonobu <<a href="mailto:monyo@home.monyo.com" target="_top">monyo@home.monyo.com</a>></p></li></ul></div></dd><dt><span class="term"><a href="Backup.html" title="Chapter 28. Samba Backup Techniques">Samba Backup Techniques</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="SambaHA.html" title="Chapter 29. High Availability Options">High Availability Options</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="upgrading-to-3.0.html" title="Chapter 30. 
Upgrading from Samba-2.x to Samba-3.0.0">Upgrading from Samba-2.x to Samba-3.0.0</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC">Migration from NT4 PDC to Samba-3 PDC</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool">SWAT - The Samba Web Administration Tool</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="diagnosis.html" title="Chapter 33. The Samba checklist">The Samba checklist</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="problems.html" title="Chapter 34. Analysing and solving samba problems">Analysing and solving samba problems</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>David Bannon <<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="bugreport.html" title="Chapter 35. 
Reporting Bugs">Reporting Bugs</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p> Someone; Tridge or Karl Auer perhaps?</p></li></ul></div></dd><dt><span class="term"><a href="compiling.html" title="Chapter 36. How to compile SAMBA">How to compile SAMBA</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p> Someone; Jerry perhaps?</p></li></ul></div></dd><dt><span class="term"><a href="Portability.html" title="Chapter 37. Portability">Portability</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients">Samba and other CIFS clients</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jim McDonough <<a href="mailto:jmcd@us.ibm.com" target="_top">jmcd@us.ibm.com</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="speed.html" title="Chapter 39. Samba Performance Tuning">Samba Performance Tuning</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Paul Cochrane <<a href="mailto:paulc@dth.scot.nhs.uk" target="_top">paulc@dth.scot.nhs.uk</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="DNSDHCP.html" title="Chapter 40. 
DNS and DHCP Configuration Guide">DNS and DHCP Configuration Guide</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="Further-Resources.html" title="Chapter 41. Further Resources">Further Resources</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>David Lechnyr <<a href="mailto:david@lechnyr.com" target="_top">david@lechnyr.com</a>></p></li></ul></div></dd></dl></div><p> + + </p></div></div><div><p class="pubdate">Monday April 21, 2003</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p> +This book is a collection of HOWTOs added to Samba documentation over the years. +Samba is always under development, and so is its' documentation. This release of the +documentation represents a major revision or layout as well as contents. +The most recent version of this document can be found at +<a href="http://www.samba.org/" target="_top">http://www.samba.org/</a> +on the "Documentation" page. Please send updates to +<a href="mailto:jelmer@samba.org" target="_top">Jelmer Vernooij</a>, +<a href="mailto:jht@samba.org" target="_top">John H. Terpstra</a> or +<a href="mailto:jerry@samba.org" target="_top">Gerald (Jerry) Carter</a>. +</p><p> +The Samba-Team would like to express sincere thanks to the many people who have with +or without their knowledge contributed to this update. The size and scope of this +project would not have been possible without significant community contribution. A not +insignificant number of ideas for inclusion (if not content itself) has been obtained +from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. 
+Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and +application knowledge that is most to be desired by many Samba users and administrators. +</p></div></div></div><div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>I. <a href="introduction.html">General Installation</a></dt><dd><dl><dt>1. <a href="IntroSMB.html">Introduction to Samba</a></dt><dd><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></dd><dt>2. <a href="install.html">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="install.html#id2886868">Obtaining and installing samba</a></dt><dt><a href="install.html#id2886909">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2886946">Example Configuration</a></dt><dt><a href="install.html#id2887096">SWAT</a></dt></dl></dd><dt><a href="install.html#id2887140">Try listing the shares available on your + server</a></dt><dt><a href="install.html#id2887191">Try connecting with the unix client</a></dt><dt><a href="install.html#id2887292">Try connecting from a DOS, WfWg, Win9x, WinNT, + Win2k, OS/2, etc... client</a></dt><dt><a href="install.html#id2887355">What If Things Don't Work?</a></dt><dt><a href="install.html#id2887388">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2887401">Why are so many smbd processes eating memory?</a></dt><dt><a href="install.html#id2887617">I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs</a></dt></dl></dd></dl></dd><dt>3. 
<a href="FastStart.html">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></dd></dl></dd><dt>II. <a href="type.html">Server Configuration Basics</a></dt><dd><dl><dt>4. <a href="ServerType.html">Server Types and Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba a SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. 
<a href="samba-pdc.html">Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2891986">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2892290">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2892306">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2892517">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2892837">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2893136">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2893157">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893173">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2893499">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2893607">Common Problems and Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893614">I cannot include a '$' in a machine name</a></dt><dt><a href="samba-pdc.html#id2893653">I get told "You already have a connection to the Domain...." +or "Cannot join domain, the credentials supplied conflict with an +existing set.." when creating a machine trust account.</a></dt><dt><a href="samba-pdc.html#id2893703">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2893773">The machine trust account for this computer either does not +exist or is not accessible.</a></dt><dt><a href="samba-pdc.html#id2893836">When I attempt to login to a Samba Domain from a NT4/W2K workstation, +I get a message about my account being disabled.</a></dt><dt><a href="samba-pdc.html#id2893863">Until a few minutes after Samba has started, clients get the error "Domain Controller Unavailable"</a></dt></dl></dd></dl></dd><dt>6. 
<a href="samba-bdc.html">Backup Domain Control</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896028">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896201">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896230">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2896450">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2896471">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2896497">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896542">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896645">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896706">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896719">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2896750">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2896783">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2896828">Can I do this all with LDAP?</a></dt></dl></dd></dl></dd><dt>7. 
<a href="domain-member.html">Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2897897">Features and Benefits</a></dt><dt><a href="domain-member.html#id2898012">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2898188">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898440">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="domain-member.html#id2898636">"On-the-Fly" Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898699">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2898901">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2899283">Why is this better than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2899424">Setup your smb.conf</a></dt><dt><a href="domain-member.html#id2899508">Setup your /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the computer account</a></dt><dt><a href="domain-member.html#ads-test-server">Test your server setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2899872">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2899892">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2899919">Can Not Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2899951">Adding Machine to Domain Fails</a></dt></dl></dd></dl></dd><dt>8. 
<a href="StandAloneServer.html">Stand-Alone Servers</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></dd><dt>9. <a href="ClientConfig.html">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></dd></dl></dd><dt>III. <a href="optional.html">Advanced Configuration</a></dt><dd><dl><dt>10. <a href="NetworkBrowsing.html">Samba / MS Windows Network Browsing Guide</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903558">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2903637">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2903747">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903764">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2903926">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2904058">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2904194">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2904320">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2904541">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2904811">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2904967">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2904984">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2905013">Use of the Remote Announce 
parameter</a></dt><dt><a href="NetworkBrowsing.html#id2905122">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905183">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905341">Setting up a WINS server</a></dt><dt><a href="NetworkBrowsing.html#id2905540">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2905565">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905650">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905663">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2905730">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905867">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905914">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2906021">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2906100">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906720">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906735">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2906764">My client reports "This server is not configured to list shared resources"</a></dt></dl></dd></dl></dd><dt>11. 
<a href="passdb.html">Account Information Databases</a></dt><dd><dl><dt><a href="passdb.html#id2910308">Features and Benefits</a></dt><dt><a href="passdb.html#id2910636">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2910700">Important Notes About Security</a></dt><dt><a href="passdb.html#id2910954">Mapping User Identifiers between MS Windows and Unix</a></dt></dl></dd><dt><a href="passdb.html#id2911009">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2911041">The smbpasswd Command</a></dt><dt><a href="passdb.html#id2911306">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2911458">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2911494">Plain Text</a></dt><dt><a href="passdb.html#id2911534">smbpasswd - Encrypted Password Database</a></dt><dt><a href="passdb.html#id2911641">tdbsam</a></dt><dt><a href="passdb.html#id2911668">ldapsam</a></dt><dt><a href="passdb.html#id2913185">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2913989">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2913997">Users can not logon - Users not in Samba SAM</a></dt><dt><a href="passdb.html#id2914012">Users are being added to the wrong backend database</a></dt><dt><a href="passdb.html#id2914072">auth methods does not work</a></dt></dl></dd></dl></dd><dt>12. 
<a href="groupmapping.html">Mapping MS Windows and Unix Groups</a></dt><dd><dl><dt><a href="groupmapping.html#id2921449">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2921551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2921742">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2921806">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2921820">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2921889">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2921981">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2921997">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2922057">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></dd><dt>13. <a href="AccessControls.html">File, Directory and Share Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920271">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920308">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920326">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2920583">Managing Directories</a></dt><dt><a href="AccessControls.html#id2920678">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2920894">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2922074">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2922346">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2922591">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922807">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922879">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923178">MS Windows Access Control Lists and Unix 
Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923186">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923224">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923303">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923425">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923653">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923805">Interaction with the standard Samba create mask + parameters</a></dt><dt><a href="AccessControls.html#id2924134">Interaction with the standard Samba file attribute + mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924210">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924224">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924604">I have set force user and Samba still makes root the owner of all the files + I touch!</a></dt></dl></dd></dl></dd><dt>14. 
<a href="locking.html">File and Record Locking</a></dt><dd><dl><dt><a href="locking.html#id2928216">Features and Benefits</a></dt><dt><a href="locking.html#id2928272">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2928403">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2929049">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2929159">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2929419">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2929649">Workstation Service Entries</a></dt><dt><a href="locking.html#id2929676">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2929755">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2929785">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2929859">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2929890">Additional Reading</a></dt></dl></dd><dt>15. 
<a href="securing-samba.html">Securing Samba</a></dt><dd><dl><dt><a href="securing-samba.html#id2931943">Introduction</a></dt><dt><a href="securing-samba.html#id2931976">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2932050">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2932069">Using host based protection</a></dt><dt><a href="securing-samba.html#id2932140">User based protection</a></dt><dt><a href="securing-samba.html#id2932191">Using interface protection</a></dt><dt><a href="securing-samba.html#id2932244">Using a firewall</a></dt><dt><a href="securing-samba.html#id2932300">Using a IPC$ share deny</a></dt><dt><a href="securing-samba.html#id2932362">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2932402">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2932426">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2932444">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="securing-samba.html#id2932469">Why can users access home directories of other users?</a></dt></dl></dd></dl></dd><dt>16. <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933376">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2933404">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2933488">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933501">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2933586">NT4 as the Trusted Domain (ie. 
creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933622">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933649">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2933790">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933922">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933937">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></dd><dt>17. <a href="msdfs.html">Hosting a Microsoft Distributed File System tree on Samba</a></dt><dd><dl><dt><a href="msdfs.html#id2933279">Features and Benefits</a></dt><dt><a href="msdfs.html#id2934931">Common Errors</a></dt></dl></dd><dt>18. <a href="printing.html">Classical Printing Support</a></dt><dd><dl><dt><a href="printing.html#id2934522">Features and Benefits</a></dt><dt><a href="printing.html#id2934590">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2934627">What happens if you send a Job from a Client</a></dt><dt><a href="printing.html#id2934698">Printing Related Configuration Parameters</a></dt><dt><a href="printing.html#id2935615">Parameters Recommended for Use</a></dt><dt><a href="printing.html#id2935946">Parameters for Backwards Compatibility</a></dt><dt><a href="printing.html#id2936054">Parameters no longer in use</a></dt></dl></dd><dt><a href="printing.html#id2936147">A simple Configuration to Print with Samba-3</a></dt><dd><dl><dt><a href="printing.html#id2936216">Verification of "Settings in Use" with testparm</a></dt><dt><a href="printing.html#id2936305">A little Experiment to warn you</a></dt></dl></dd><dt><a href="printing.html#id2936612">Extended Sample Configuration to Print with Samba-3</a></dt><dt><a href="printing.html#id2936715">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="printing.html#id2936728">The [global] Section</a></dt><dt><a 
href="printing.html#id2937111">The [printers] Section</a></dt><dt><a href="printing.html#id2937440">Any [my_printer_name] Section</a></dt><dt><a href="printing.html#id2937660">Print Commands</a></dt><dt><a href="printing.html#id2937711">Default Print Commands for various Unix Print Subsystems</a></dt><dt><a href="printing.html#id2938236">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="printing.html#id2938516">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="printing.html#id2938681">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="printing.html#id2938833">The [printer$] Section is removed from Samba-3</a></dt><dt><a href="printing.html#id2938945">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2939016">Parameters in the [print$] Section</a></dt><dt><a href="printing.html#id2939247">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="printing.html#id2939408">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2939503">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="printing.html#id2939686">Setting Drivers for existing Printers with +rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2941408">"The Proof of the Pudding lies in the Eating" (Client Driver Install +Procedure)</a></dt><dd><dl><dt><a href="printing.html#id2941428">The first Client Driver Installation</a></dt><dt><a href="printing.html#id2941626">IMPORTANT! 
Setting Device Modes on new Printers</a></dt><dt><a href="printing.html#id2941915">Further Client Driver Install Procedures</a></dt><dt><a href="printing.html#id2942010">Always make first Client Connection as root or "printer admin"</a></dt></dl></dd><dt><a href="printing.html#id2942152">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2942185">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="printing.html#id2942622">Supporting large Numbers of Printers</a></dt><dt><a href="printing.html#id2942924">Adding new Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2943168">Weird Error Message Cannot connect under a +different Name</a></dt><dt><a href="printing.html#id2943267">Be careful when assembling Driver Files</a></dt><dt><a href="printing.html#id2943612">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2943683">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="printing.html#id2943705">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2943751">What is Imprints?</a></dt><dt><a href="printing.html#id2943792">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2943811">The Imprints Server</a></dt><dt><a href="printing.html#id2943835">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2943987">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="printing.html#id2944316">The addprinter command</a></dt><dt><a href="printing.html#id2944362">Migration of "Classical" printing to Samba-3</a></dt><dt><a href="printing.html#id2944531">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2944545">Common Errors and Problems</a></dt><dd><dl><dt><a href="printing.html#id2944558">I give my root password but I don't get access</a></dt><dt><a href="printing.html#id2944591">My printjobs get spooled into the spooling directory, but then get 
lost</a></dt></dl></dd></dl></dd><dt>19. <a href="CUPS-printing.html">CUPS Printing Support in Samba 3.0</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953785">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953792">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2953845">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2953900">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953979">Linking of smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2954122">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2954205">More complex smb.conf Settings for +CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954322">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954343">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt><a href="CUPS-printing.html#id2954370">CUPS/Samba as a "spooling-only" Print Server; "raw" printing +with Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954406">Driver Installation Methods on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954465">Explicitly enable "raw" printing for +application/octet-stream!</a></dt><dt><a href="CUPS-printing.html#id2954626">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954719">Using CUPS/Samba in an advanced Way -- intelligent printing +with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954794">GDI on Windows -- PostScript on Unix</a></dt><dt><a href="CUPS-printing.html#id2954839">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2954940">Unix Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#id2955028">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2955125">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a 
href="CUPS-printing.html#id2955238">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2955308">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2955397">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2955420">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2955560">MIME types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2955747">MIME type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2955864">Filter Requirements</a></dt><dt><a href="CUPS-printing.html#id2956034">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2956120">pstops</a></dt><dt><a href="CUPS-printing.html#id2956222">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2956377">imagetops and imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2956434">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2956519">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2956831">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="CUPS-printing.html#id2956944">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2956960">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2957012">"Raw" printing</a></dt><dt><a href="CUPS-printing.html#id2957066">"application/octet-stream" printing</a></dt><dt><a href="CUPS-printing.html#id2957282">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2957510">Difference between cupsomatic/foomatic-rip and +native CUPS printing</a></dt><dt><a href="CUPS-printing.html#id2957666">Examples for filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2957897">Sources of CUPS drivers / PPDs</a></dt><dt><a href="CUPS-printing.html#id2958024">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958100">Network printing (purely 
Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958116">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2958155">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2958227">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958289">Network Printing (Windows clients -- UNIX/Samba Print +Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958310">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2958474">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958550">Network PostScript RIP: CUPS Filters on Server -- clients use +PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958605">PPDs for non-PS Printers on UNIX</a></dt><dt><a href="CUPS-printing.html#id2958646">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958712">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958729">Printer Drivers running in "Kernel Mode" cause many +Problems</a></dt><dt><a href="CUPS-printing.html#id2958763">Workarounds impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2958784">CUPS: a "Magical Stone"?</a></dt><dt><a href="CUPS-printing.html#id2958811">PostScript Drivers with no major problems -- even in Kernel +Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958865"> Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958884">cupsaddsmb: the unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2958976">Prepare your smb.conf for +cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2959022">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959220">Recognize the different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959278">Acquiring the Adobe 
Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959310">ESP Print Pro Package of "PostScript Driver for +WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959360">Caveats to be considered</a></dt><dt><a href="CUPS-printing.html#id2959582">What are the Benefits of using the "CUPS PostScript Driver for +Windows NT/2k/XP" as compared to the Adobe Driver?</a></dt><dt><a href="CUPS-printing.html#id2959764">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2959865">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="CUPS-printing.html#id2960092">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2960186">How to recognize if cupsaddsm completed successfully</a></dt><dt><a href="CUPS-printing.html#id2960273">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2960308">cupsaddsmb Flowchart</a></dt><dt><a href="CUPS-printing.html#id2960361">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2960474">Avoiding critical PostScript Driver Settings on the +Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2960608">Installing PostScript Driver Files manually (using +rpcclient)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2960723">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960836">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960925">Producing an Example by querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2961015">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="CUPS-printing.html#id2961177">Manual Commandline Driver Installation in 15 little Steps</a></dt><dt><a href="CUPS-printing.html#id2961830">Troubleshooting revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2961930">The printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962033">Trivial DataBase Files</a></dt><dt><a href="CUPS-printing.html#id2962103">Binary 
Format</a></dt><dt><a href="CUPS-printing.html#id2962165">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2962224">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2962290">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962398">foomatic-rip and Foomatic explained</a></dt><dt><a href="CUPS-printing.html#id2963027">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963488">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2963519">Setting up Quotas</a></dt><dt><a href="CUPS-printing.html#id2963551">Correct and incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2963592">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2963663">The page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2963765">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2963836">Future Developments</a></dt><dt><a href="CUPS-printing.html#id2963884">Other Accounting Tools</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963899">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2964092">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964138">CUPS Configuration Settings explained</a></dt><dt><a href="CUPS-printing.html#id2964221">Pre-conditions</a></dt><dt><a href="CUPS-printing.html#id2964281">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964299">When not to use Samba to print to +CUPS</a></dt><dt><a href="CUPS-printing.html#id2964316">In Case of Trouble.....</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964352">Where to find Documentation</a></dt><dt><a href="CUPS-printing.html#id2964364">How to ask for Help</a></dt><dt><a href="CUPS-printing.html#id2964377">Where to find Help</a></dt></dl></dd><dt><a 
href="CUPS-printing.html#id2964391">Appendix</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964398">Printing from CUPS to Windows attached +Printers</a></dt><dt><a href="CUPS-printing.html#id2964612">More CUPS filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2964919">Trouble Shooting Guidelines to fix typical Samba printing +Problems</a></dt><dt><a href="CUPS-printing.html#id2966041">An Overview of the CUPS Printing Processes</a></dt></dl></dd></dl></dd><dt>20. <a href="VFS.html">Stackable VFS modules</a></dt><dd><dl><dt><a href="VFS.html#id2978211">Features and Benefits</a></dt><dt><a href="VFS.html#id2978229">Discussion</a></dt><dt><a href="VFS.html#id2978320">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2978327">audit</a></dt><dt><a href="VFS.html#id2978365">extd_audit</a></dt><dt><a href="VFS.html#id2978489">fake_perms</a></dt><dt><a href="VFS.html#id2978508">recycle</a></dt><dt><a href="VFS.html#id2978645">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2978690">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2978712">DatabaseFS</a></dt><dt><a href="VFS.html#id2978768">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2978797">Common Errors</a></dt></dl></dd><dt>21. 
<a href="winbind.html">Integrated Logon Support using Winbind</a></dt><dd><dl><dt><a href="winbind.html#id2979695">Features and Benefits</a></dt><dt><a href="winbind.html#id2979724">Introduction</a></dt><dt><a href="winbind.html#id2979795">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2979856">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2979886">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2979914">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2979949">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2979971">Name Service Switch</a></dt><dt><a href="winbind.html#id2980108">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2980179">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2980214">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2980242">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2980271">Introduction</a></dt><dt><a href="winbind.html#id2980346">Requirements</a></dt><dt><a href="winbind.html#id2980438">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2982058">Conclusion</a></dt><dt><a href="winbind.html#id2982077">Common Errors</a></dt></dl></dd><dt>22. 
<a href="AdvancedNetworkManagement.html">Advanced Network Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984570">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984759">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984858">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984876">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985087">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2985283">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985316">Common Errors</a></dt></dl></dd><dt>23. <a href="PolicyMgmt.html">System and Account Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2984380">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2984435">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986217">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2986312">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2986445">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986697">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986798">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2986819">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2986839">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986883">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2987030">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2987044">Policy Does Not Work</a></dt></dl></dd></dl></dd><dt>24. 
<a href="ProfileMgmt.html">Desktop Profile Management</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988251">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2988285">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988326">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988731">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989902">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989967">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990232">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990290">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990336">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990356">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990504">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991058">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991562">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991575">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991638">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991859">Changing the default profile</a></dt></dl></dd></dl></dd><dt>25. 
<a href="pam.html">PAM based Distributed Authentication</a></dt><dd><dl><dt><a href="pam.html#id2995804">Features and Benefits</a></dt><dt><a href="pam.html#id2996071">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2996089">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2996760">Example System Configurations</a></dt><dt><a href="pam.html#id2997062">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2997119">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="pam.html#id2997203">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2997570">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2997583">pam_winbind problem</a></dt></dl></dd></dl></dd><dt>26. <a href="integrate-ms-networks.html">Integrating MS Windows networks with Samba</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2999705">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2999730">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2999775">Name Resolution in a pure Unix/Linux world</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2999831">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2999956">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id3000000">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id3000042">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id3000130">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id3000278">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id3000323">The LMHOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id3000567">HOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id3000600">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id3000624">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id3000695">Common 
Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id3000711">My Boomerang Won't Come Back</a></dt><dt><a href="integrate-ms-networks.html#id3000742">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id3000794">Samba server name change problem</a></dt></dl></dd></dl></dd><dt>27. <a href="unicode.html">Unicode/Charsets</a></dt><dd><dl><dt><a href="unicode.html#id3001913">Features and Benefits</a></dt><dt><a href="unicode.html#id3002114">What are charsets and unicode?</a></dt><dt><a href="unicode.html#id3002184">Samba and charsets</a></dt><dt><a href="unicode.html#id3002284">Conversion from old names</a></dt><dt><a href="unicode.html#id3002329">Japanese charsets</a></dt></dl></dd><dt>28. <a href="Backup.html">Samba Backup Techniques</a></dt><dd><dl><dt><a href="Backup.html#id3001533">Note</a></dt><dt><a href="Backup.html#id3001557">Features and Benefits</a></dt></dl></dd><dt>29. <a href="SambaHA.html">High Availability Options</a></dt><dd><dl><dt><a href="SambaHA.html#id3003099">Note</a></dt></dl></dd></dl></dd><dt>IV. <a href="migration.html">Migration and Updating</a></dt><dd><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></dd><dt>31. 
<a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></dd></dl></dd><dt>V. <a href="troubleshooting.html">Troubleshooting</a></dt><dd><dl><dt>33. <a href="diagnosis.html">The Samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></dd><dt>34. 
<a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></dd></dl></dd><dt>VI. <a href="Appendixes.html">Appendixes</a></dt><dd><dl><dt>36. <a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></dd><dt>37. 
<a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or + OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect), + OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working + for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed 
improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></dd></dl></dd><dt><a href="ix01.html">Index</a></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>19.1. <a href="CUPS-printing.html#id2954904">Windows Printing to a local Printer</a></dt><dt>19.2. <a href="CUPS-printing.html#id2955075">Printing to a Postscript Printer</a></dt><dt>19.3. <a href="CUPS-printing.html#id2955155">Ghostscript as a RIP for non-postscript printers</a></dt><dt>19.4. <a href="CUPS-printing.html#id2956084">Prefiltering in CUPS to form Postscript</a></dt><dt>19.5. <a href="CUPS-printing.html#id2956149">Adding Device-specific Print Options</a></dt><dt>19.6. 
<a href="CUPS-printing.html#id2956251">Postscript to intermediate Raster format</a></dt><dt>19.7. <a href="CUPS-printing.html#id2956304">CUPS-raster production using Ghostscript</a></dt><dt>19.8. <a href="CUPS-printing.html#id2956398">Image format to CUPS-raster format conversion</a></dt><dt>19.9. <a href="CUPS-printing.html#id2956484">Raster to Printer Specific formats</a></dt><dt>19.10. <a href="CUPS-printing.html#id2957561">cupsomatic/foomatic processing versus Native CUPS</a></dt><dt>19.11. <a href="CUPS-printing.html#id2958191">Print Driver execution on the Client</a></dt><dt>19.12. <a href="CUPS-printing.html#id2958249">Print Driver execution on the Server</a></dt><dt>19.13. <a href="CUPS-printing.html#id2958439">Printing via CUPS/samba server</a></dt><dt>19.14. <a href="CUPS-printing.html#id2960326">cupsaddsmb flowchart</a></dt><dt>19.15. <a href="CUPS-printing.html#id2966052">CUPS Printing Overview</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>7.1. <a href="domain-member.html#id2898912">Assumptions</a></dt><dt>10.1. <a href="NetworkBrowsing.html#id2906267">Browse subnet example 1</a></dt><dt>10.2. <a href="NetworkBrowsing.html#id2906382">Browse subnet example 2</a></dt><dt>10.3. <a href="NetworkBrowsing.html#id2906481">Browse subnet example 3</a></dt><dt>10.4. <a href="NetworkBrowsing.html#id2906581">Browse subnet example 4</a></dt><dt>11.1. <a href="passdb.html#id2912659">Attributes in the sambaSamAccount objectclass (LDAP)</a></dt><dt>11.2. <a href="passdb.html#id2913346">Basic smb.conf options for MySQL passdb backend</a></dt><dt>11.3. <a href="passdb.html#id2913471">MySQL field names for MySQL passdb backend</a></dt><dt>13.1. <a href="AccessControls.html#id2920603">Managing directories with unix and windows</a></dt><dt>13.2. <a href="AccessControls.html#id2922134">User and Group Based Controls</a></dt><dt>13.3. <a href="AccessControls.html#id2922367">File and Directory Permission Based Controls</a></dt><dt>13.4. 
<a href="AccessControls.html#id2922614">Other Controls</a></dt><dt>20.1. <a href="VFS.html#id2978406">Extended Auditing Log Information</a></dt><dt>24.1. <a href="ProfileMgmt.html#id2990854">User Shell Folder registry keys default values</a></dt><dt>24.2. <a href="ProfileMgmt.html#id2990998">Defaults of profile settings registry keys</a></dt><dt>24.3. <a href="ProfileMgmt.html#id2991253">Defaults of default user profile paths registry keys</a></dt><dt>25.1. <a href="pam.html#id2997236">Options recognized by pam_smbpass</a></dt><dt>31.1. <a href="NT4Migration.html#id3004398">The 3 Major Site Types</a></dt><dt>31.2. <a href="NT4Migration.html#id3004535">Nature of the Conversion Choices</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>12.1. <a href="groupmapping.html#id2921843">smbgrpadd.sh</a></dt><dt>13.1. <a href="AccessControls.html#id2920816">Example File</a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Part I. General Installation</td></tr></table></div></body></html> diff --git a/docs/htmldocs/ix01.html b/docs/htmldocs/ix01.html new file mode 100644 index 0000000000..4f706aed70 --- /dev/null +++ b/docs/htmldocs/ix01.html 
@@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id3018533"></a>Index</h2></div></div><div></div></div><div class="index"></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. Further Resources </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html> diff --git a/docs/htmldocs/locking.html b/docs/htmldocs/locking.html new file mode 100644 index 0000000000..a128cac7ce --- /dev/null +++ b/docs/htmldocs/locking.html 
@@ -0,0 +1,656 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 15. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. 
File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email"><<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="locking.html#id2928216">Features and Benefits</a></dt><dt><a href="locking.html#id2928272">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2928403">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2929049">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2929159">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2929419">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a 
href="locking.html#id2929649">Workstation Service Entries</a></dt><dt><a href="locking.html#id2929676">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2929755">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2929785">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2929859">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2929890">Additional Reading</a></dt></dl></div><p> +One area which causes trouble for many network administrators is locking. +The extent of the problem is readily evident from searches over the internet. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928216"></a>Features and Benefits</h2></div></div><div></div></div><p> +Samba provides all the same locking semantics that MS Windows clients expect +and that MS Windows NT4 / 200x servers provide also. +</p><p> +The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers +a range of functions that are all categorized under this one term. +</p><p> +Opportunistic locking is a desirable feature when it can enhance the +perceived performance of applications on a networked client. However, the +opportunistic locking protocol is not robust, and therefore can +encounter problems when invoked beyond a simplistic configuration, or +on extended, slow, or faulty networks. In these cases, operating +system management of opportunistic locking and/or recovering from +repetitive errors can offset the perceived performance advantage that +it is intended to provide. +</p><p> +The MS Windows network administrator needs to be aware that file and record +locking semantics (behaviour) can be controlled either in Samba or by way of registry +settings on the MS Windows client. 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Sometimes it is necessary to disable locking control settings BOTH on the Samba +server as well as on each MS Windows client! +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928272"></a>Discussion</h2></div></div><div></div></div><p> +There are two types of locking which need to be performed by a SMB server. +The first is <span class="emphasis"><em>record locking</em></span> which allows a client to lock +a range of bytes in a open file. The second is the <span class="emphasis"><em>deny modes</em></span> +that are specified when a file is open. +</p><p> +Record locking semantics under Unix is very different from record locking under +Windows. Versions of Samba before 2.2 have tried to use the native fcntl() unix +system call to implement proper record locking between different Samba clients. +This can not be fully correct due to several reasons. The simplest is the fact +that a Windows client is allowed to lock a byte range up to 2^32 or 2^64, +depending on the client OS. The unix locking only supports byte ranges up to 2^31. +So it is not possible to correctly satisfy a lock request above 2^31. There are +many more differences, too many to be listed here. +</p><p> +Samba 2.2 and above implements record locking completely independent of the +underlying unix system. If a byte range lock that the client requests happens +to fall into the range 0-2^31, Samba hands this request down to the Unix system. +All other locks can not be seen by unix anyway. +</p><p> +Strictly a SMB server should check for locks before every read and write call on +a file. Unfortunately with the way fcntl() works this can be slow and may overstress +the <b class="command">rpc.lockd</b>. 
It is also almost always unnecessary as clients are supposed to +independently make locking calls before reads and writes anyway if locking is +important to them. By default Samba only makes locking calls when explicitly asked +to by a client, but if you set <i class="parameter"><tt>strict locking = yes</tt></i> then it +will make lock checking calls on every read and write. +</p><p> +You can also disable by range locking completely using <i class="parameter"><tt>locking = no</tt></i>. +This is useful for those shares that don't support locking or don't need it +(such as cdroms). In this case Samba fakes the return codes of locking calls to +tell clients that everything is OK. +</p><p> +The second class of locking is the <i class="parameter"><tt>deny modes</tt></i>. These +are set by an application when it opens a file to determine what types of +access should be allowed simultaneously with its open. A client may ask for +<tt class="constant">DENY_NONE</tt>, <tt class="constant">DENY_READ</tt>, +<tt class="constant">DENY_WRITE</tt> or <tt class="constant">DENY_ALL</tt>. There are also special compatibility +modes called <tt class="constant">DENY_FCB</tt> and <tt class="constant">DENY_DOS</tt>. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928403"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p> +Opportunistic locking (Oplocks) is invoked by the Windows file system +(as opposed to an API) via registry entries (on the server AND client) +for the purpose of enhancing network performance when accessing a file +residing on a server. 
Performance is enhanced by caching the file +locally on the client which allows: +</p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p> + The client reads the local copy of the file, eliminating network latency + </p></dd><dt><span class="term">Write caching:</span></dt><dd><p> + The client writes to the local copy of the file, eliminating network latency + </p></dd><dt><span class="term">Lock caching:</span></dt><dd><p> + The client caches application locks locally, eliminating network latency + </p></dd></dl></div><p> +The performance enhancement of oplocks is due to the opportunity of +exclusive access to the file - even if it is opened with deny-none - +because Windows monitors the file's status for concurrent access from +other processes. +</p><div class="variablelist"><p class="title"><b>Windows defines 4 kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock:</span></dt><dd><p> + The redirector sees that the file was opened with deny + none (allowing concurrent access), verifies that no + other process is accessing the file, checks that + oplocks are enabled, then grants deny-all/read-write/exclusive + access to the file. The client now performs + operations on the cached local file. + </p><p> + If a second process attempts to open the file, the open + is deferred while the redirector "breaks" the original + oplock. The oplock break signals the caching client to + write the local file back to the server, flush the + local locks, and discard read-ahead data. The break is + then complete, the deferred open is granted, and the + multiple processes can enjoy concurrent file access as + dictated by mandatory or byte-range locking options. + However, if the original opening process opened the + file with a share mode other than deny-none, then the + second process is granted limited or no access, despite + the oplock break. 
+ </p></dd><dt><span class="term">Level2 Oplock:</span></dt><dd><p> + Performs like a level1 oplock, except caching is only + operative for reads. All other operations are performed + on the server disk copy of the file. + </p></dd><dt><span class="term">Filter Oplock:</span></dt><dd><p> + Does not allow write or delete file access + </p></dd><dt><span class="term">Batch Oplock:</span></dt><dd><p> + Manipulates file openings and closings - allows caching + of file attributes + </p></dd></dl></div><p> +An important detail is that oplocks are invoked by the file system, not +an application API. Therefore, an application can close an oplocked +file, but the file system does not relinquish the oplock. When the +oplock break is issued, the file system then simply closes the file in +preparation for the subsequent open by the second process. +</p><p> +<span class="emphasis"><em>Opportunistic Locking</em></span> is actually an improper name for this feature. +The true benefit of this feature is client-side data caching, and +oplocks is merely a notification mechanism for writing data back to the +networked storage disk. The limitation of opportunistic locking is the +reliability of the mechanism to process an oplock break (notification) +between the server and the caching client. If this exchange is faulty +(usually due to timing out for any number of reasons) then the +client-side caching benefit is negated. +</p><p> +The actual decision that a user or administrator should consider is +whether it is sensible to share amongst multiple users data that will +be cached locally on a client. In many cases the answer is no. +Deciding when to cache or not cache data is the real question, and thus +"opportunistic locking" should be treated as a toggle for client-side +caching. Turn it "ON" when client-side caching is desirable and +reliable. Turn it "OFF" when client-side caching is redundant, +unreliable, or counter-productive. 
+</p><p> +Opportunistic locking is by default set to "on" by Samba on all +configured shares, so careful attention should be given to each case to +determine if the potential benefit is worth the potential for delays. +The following recommendations will help to characterize the environment +where opportunistic locking may be effectively configured. +</p><p> +Windows Opportunistic Locking is a lightweight performance-enhancing +feature. It is not a robust and reliable protocol. Every +implementation of Opportunistic Locking should be evaluated as a +tradeoff between perceived performance and reliability. Reliability +decreases as each successive rule above is not enforced. Consider a +share with oplocks enabled, over a wide area network, to a client on a +South Pacific atoll, on a high-availability server, serving a +mission-critical multi-user corporate database, during a tropical +storm. This configuration will likely encounter problems with oplocks. +</p><p> +Oplocks can be beneficial to perceived client performance when treated +as a configuration toggle for client-side data caching. If the data +caching is likely to be interrupted, then oplock usage should be +reviewed. Samba enables opportunistic locking by default on all +shares. Careful attention should be given to the client usage of +shared data on the server, the server network reliability, and the +opportunistic locking configuration of each share. +n mission critical high availability environments, data integrity is +often a priority. Complex and expensive configurations are implemented +to ensure that if a client loses connectivity with a file server, a +failover replacement will be available immediately to provide +continuous data availability. +</p><p> +Windows client failover behavior is more at risk of application +interruption than other platforms because it is dependant upon an +established TCP transport connection. 
If the connection is interrupted +- as in a file server failover - a new session must be established. +It is rare for Windows client applications to be coded to recover +correctly from a transport connection loss, therefore most applications +will experience some sort of interruption - at worst, abort and +require restarting. +</p><p> +If a client session has been caching writes and reads locally due to +opportunistic locking, it is likely that the data will be lost when the +application restarts, or recovers from the TCP interrupt. When the TCP +connection drops, the client state is lost. When the file server +recovers, an oplock break is not sent to the client. In this case, the +work from the prior session is lost. Observing this scenario with +oplocks disabled, and the client was writing data to the file server +real-time, then the failover will provide the data on disk as it +existed at the time of the disconnect. +</p><p> +In mission critical high availability environments, careful attention +should be given to opportunistic locking. Ideally, comprehensive +testing should be done with all affected applications with oplocks +enabled and disabled. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928695"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p> +Opportunistic locking is most effective when it is confined to shares +that are exclusively accessed by a single user, or by only one user at +a time. Because the true value of opportunistic locking is the local +client caching of data, any operation that interrupts the caching +mechanism will cause a delay. +</p><p> +Home directories are the most obvious examples of where the performance +benefit of opportunistic locking can be safely realized. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928719"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p> +As each additional user accesses a file in a share with opportunistic +locking enabled, the potential for delays and resulting perceived poor +performance increases. When multiple users are accessing a file on a +share that has oplocks enabled, the management impact of sending and +receiving oplock breaks, and the resulting latency while other clients +wait for the caching client to flush data, offset the performance gains +of the caching user. +</p><p> +As each additional client attempts to access a file with oplocks set, +the potential performance improvement is negated and eventually results +in a performance bottleneck. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928748"></a>Unix or NFS Client Accessed Files</h4></div></div><div></div></div><p> +Local Unix and NFS clients access files without a mandatory +file locking mechanism. Thus, these client platforms are incapable of +initiating an oplock break request from the server to a Windows client +that has a file cached. Local Unix or NFS file access can therefore +write to a file that has been cached by a Windows client, which +exposes the file to likely data corruption. +</p><p> +If files are shared between Windows clients, and either local Unix +or NFS users, then turn opportunistic locking off. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928775"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p> +The biggest potential performance improvement for opportunistic locking +occurs when the client-side caching of reads and writes delivers the +most differential over sending those reads and writes over the wire. 
+This is most likely to occur when the network is extremely slow, +congested, or distributed (as in a WAN). However, network latency also +has a very high impact on the reliability of the oplock break +mechanism, and thus increases the likelihood of encountering oplock +problems that more than offset the potential perceived performance +gain. Of course, if an oplock break never has to be sent, then this is +the most advantageous scenario to utilize opportunistic locking. +</p><p> +If the network is slow, unreliable, or a WAN, then do not configure +opportunistic locking if there is any chance of multiple users +regularly opening the same file. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928808"></a>Multi-User Databases</h4></div></div><div></div></div><p> +Multi-user databases clearly pose a risk due to their very nature - +they are typically heavily accessed by numerous users at random +intervals. Placing a multi-user database on a share with opportunistic +locking enabled will likely result in a locking management bottleneck +on the Samba server. Whether the database application is developed +in-house or a commercially available product, ensure that the share +has opportunistic locking disabled. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928829"></a>PDM Data Shares</h4></div></div><div></div></div><p> +Process Data Management (PDM) applications such as IMAN, Enovia, and +Clearcase, are increasing in usage with Windows client platforms, and +therefore SMB data stores. PDM applications manage multi-user +environments for critical data security and access. The typical PDM +environment is usually associated with sophisticated client design +applications that will load data locally as demanded. In addition, the +PDM application will usually monitor the data-state of each client. 
+In this case, client-side data caching is best left to the local +application and PDM server to negotiate and maintain. It is +appropriate to eliminate the client OS from any caching tasks, and the +server from any oplock management, by disabling opportunistic locking on +the share. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928870"></a>Beware of Force User</h4></div></div><div></div></div><p> +Samba includes an <tt class="filename">smb.conf</tt> parameter called <i class="parameter"><tt>force user</tt></i> that changes +the user accessing a share from the incoming user to whatever user is +defined by the smb.conf variable. If opportunistic locking is enabled +on a share, the change in user access causes an oplock break to be sent +to the client, even if the user has not explicitly loaded a file. In +cases where the network is slow or unreliable, an oplock break can +become lost without the user even accessing a file. This can cause +apparent performance degradation as the client continually reconnects +to overcome the lost oplock break. +</p><p> +Avoid the combination of the following: +</p><div class="itemizedlist"><ul type="disc"><li><p> + <i class="parameter"><tt>force user</tt></i> in the <tt class="filename">smb.conf</tt> share configuration. + </p></li><li><p> + Slow or unreliable networks + </p></li><li><p> + Opportunistic Locking Enabled + </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928948"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p> +Samba provides opportunistic locking parameters that allow the +administrator to adjust various properties of the oplock mechanism to +account for timing and usage levels. These parameters provide good +versatility for implementing oplocks in environments where they would +likely cause problems. 
The parameters are: +<i class="parameter"><tt>oplock break wait time</tt></i>, +<i class="parameter"><tt>oplock contention limit</tt></i>. +</p><p> +For most users, administrators, and environments, if these parameters +are required, then the better option is to simply turn oplocks off. +The samba SWAT help text for both parameters reads "DO NOT CHANGE THIS +PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE." +This is good advice. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928991"></a>Mission Critical High Availability</h4></div></div><div></div></div><p> +In mission critical high availability environments, data integrity is +often a priority. Complex and expensive configurations are implemented +to ensure that if a client loses connectivity with a file server, a +failover replacement will be available immediately to provide +continuous data availability. +</p><p> +Windows client failover behavior is more at risk of application +interruption than other platforms because it is dependant upon an +established TCP transport connection. If the connection is interrupted +- as in a file server failover - a new session must be established. +It is rare for Windows client applications to be coded to recover +correctly from a transport connection loss, therefore most applications +will experience some sort of interruption - at worst, abort and +require restarting. +</p><p> +If a client session has been caching writes and reads locally due to +opportunistic locking, it is likely that the data will be lost when the +application restarts, or recovers from the TCP interrupt. When the TCP +connection drops, the client state is lost. When the file server +recovers, an oplock break is not sent to the client. In this case, the +work from the prior session is lost. 
Observing this scenario with +oplocks disabled, and the client was writing data to the file server +real-time, then the failover will provide the data on disk as it +existed at the time of the disconnect. +</p><p> +In mission critical high availability environments, careful attention +should be given to opportunistic locking. Ideally, comprehensive +testing should be done with all affected applications with oplocks +enabled and disabled. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929049"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p> +Opportunistic Locking is a unique Windows file locking feature. It is +not really file locking, but is included in most discussions of Windows +file locking, so is considered a defacto locking feature. +Opportunistic Locking is actually part of the Windows client file +caching mechanism. It is not a particularly robust or reliable feature +when implemented on the variety of customized networks that exist in +enterprise computing. +</p><p> +Like Windows, Samba implements Opportunistic Locking as a server-side +component of the client caching mechanism. Because of the lightweight +nature of the Windows feature design, effective configuration of +Opportunistic Locking requires a good understanding of its limitations, +and then applying that understanding when configuring data access for +each particular customized network and client usage state. +</p><p> +Opportunistic locking essentially means that the client is allowed to download and cache +a file on their hard drive while making changes; if a second client wants to access the +file, the first client receives a break and must synchronise the file back to the server. +This can give significant performance gains in some cases; some programs insist on +synchronising the contents of the entire file back to the server for a single change. 
+</p><p> +Level1 Oplocks (aka just plain "oplocks") is another term for opportunistic locking. +</p><p> +Level2 Oplocks provides opportunistic locking for a file that will be treated as +<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or +on files that the client has no initial intention to write to at time of opening the file. +</p><p> +Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with +Samba's oplocked files, although this has provided better integration of MS Windows network +file locking with the under lying OS, SGI IRIX and Linux are the only two OS's that are +oplock aware at this time. +</p><p> +Unless your system supports kernel oplocks, you should disable oplocks if you are +accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should +always be disabled if you are sharing a database file (e.g., Microsoft Access) between +multiple clients, as any break the first client receives will affect synchronisation of +the entire file (not just the single record), which will result in a noticeable performance +impairment and, more likely, problems accessing the database in the first place. Notably, +Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt, +disable oplocks and tune your system from that point. +</p><p> +If client-side caching is desirable and reliable on your network, you will benefit from +turning on oplocks. If your network is slow and/or unreliable, or you are sharing your +files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people +will be accessing the same files frequently, you probably will not benefit from the overhead +of your client sending oplock breaks and will instead want to disable oplocks for the share. +</p><p> +Another factor to consider is the perceived performance of file access. 
If oplocks provide no +measurable speed benefit on your network, it might not be worth the hassle of dealing with them. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929159"></a>Example Configuration</h3></div></div><div></div></div><p> +In the following we examine two distinct aspects of Samba locking controls. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929172"></a>Disabling Oplocks</h4></div></div><div></div></div><p> +You can disable oplocks on a per-share basis with the following: +</p><p> +</p><pre class="programlisting"> +[acctdata] + oplocks = False + level2 oplocks = False +</pre><p> +</p><p> +The default oplock type is Level1. Level2 Oplocks are enabled on a per-share basis +in the <tt class="filename">smb.conf</tt> file. +</p><p> +Alternately, you could disable oplocks on a per-file basis within the share: +</p><p> +</p><pre class="programlisting"> + veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/ +</pre><p> +</p><p> +If you are experiencing problems with oplocks as apparent from Samba's log entries, +you may want to play it safe and disable oplocks and level2 oplocks. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929235"></a>Disabling Kernel OpLocks</h4></div></div><div></div></div><p> +Kernel OpLocks is an <tt class="filename">smb.conf</tt> parameter that notifies Samba (if +the UNIX kernel has the capability to send a Windows client an oplock +break) when a UNIX process is attempting to open the file that is +cached. This parameter addresses sharing files between UNIX and +Windows with Oplocks enabled on the Samba server: the UNIX process +can open the file that is Oplocked (cached) by the Windows client and +the smbd process will not send an oplock break, which exposes the file +to the risk of data corruption. 
If the UNIX kernel has the ability to +send an oplock break, then the kernel oplocks parameter enables Samba +to send the oplock break. Kernel oplocks are enabled on a per-server +basis in the <tt class="filename">smb.conf</tt> file. +</p><p> +</p><pre class="programlisting"> +[global] +kernel oplocks = yes +</pre><p> +The default is "no". +</p><p> +Veto OpLocks is an <tt class="filename">smb.conf</tt> parameter that identifies specific files for +which Oplocks are disabled. When a Windows client opens a file that +has been configured for veto oplocks, the client will not be granted +the oplock, and all operations will be executed on the original file on +disk instead of a client-cached file copy. By explicitly identifying +files that are shared with UNIX processes, and disabling oplocks for +those files, the server-wide Oplock configuration can be enabled to +allow Windows clients to utilize the performance benefit of file +caching without the risk of data corruption. Veto Oplocks can be +enabled on a per-share basis, or globally for the entire server, in the +<tt class="filename">smb.conf</tt> file: +</p><p> +</p><pre class="programlisting"><font color="red"><title>Example Veto OpLock Settings</title></font> +[global] + veto oplock files = /filename.htm/*.txt/ + +[share_name] + veto oplock files = /*.exe/filename.ext/ +</pre><p> +</p><p> +<span class="emphasis"><em>Oplock break wait time</em></span> is an <tt class="filename">smb.conf</tt> parameter that adjusts the time +interval for Samba to reply to an oplock break request. Samba +recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND +UNDERSTOOD THE SAMBA OPLOCK CODE." 
Oplock Break Wait Time can only be +configured globally in the <tt class="filename">smb.conf</tt> file: +</p><p> +</p><pre class="programlisting"> +[global] + oplock break wait time = 0 (default) +</pre><p> +</p><p> +<span class="emphasis"><em>Oplock break contention limit</em></span> is an <tt class="filename">smb.conf</tt> parameter that limits the +response of the Samba server to grant an oplock if the configured +number of contending clients reaches the limit specified by the +parameter. Samba recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU +HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break +Contention Limit can be enable on a per-share basis, or globally for +the entire server, in the <tt class="filename">smb.conf</tt> file: +</p><p> +</p><pre class="programlisting"> +[global] + oplock break contention limit = 2 (default) + +[share_name] + oplock break contention limit = 2 (default) +</pre><p> +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929419"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p> +There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP +workstation computer that can affect any application attempting to access shared database files +across a network. This is a result of a default setting configured in the Windows 2000/XP +operating system known as <span class="emphasis"><em>Opportunistic Locking</em></span>. When a workstation +attempts to access shared data files located on another Windows 2000/XP computer, +the Windows 2000/XP operating system will attempt to increase performance by locking the +files and caching information locally. When this occurs, the application is unable to +properly function, which results in an <span class="errorname">Access Denied</span> + error message being displayed during network operations. 
+</p><p> +All Windows operating systems in the NT family that act as database servers for data files +(meaning that data files are stored there and accessed by other Windows PCs) may need to +have opportunistic locking disabled in order to minimize the risk of data file corruption. +This includes Windows 9x/Me, Windows NT, Windows 200x and Windows XP. +</p><p> +If you are using a Windows NT family workstation in place of a server, you must also +disable opportunistic locking (oplocks) on that workstation. For example, if you use a +PC with the Windows NT Workstation operating system instead of Windows NT Server, and you +have data files located on it that are accessed from other Windows PCs, you may need to +disable oplocks on that system. +</p><p> +The major difference is the location in the Windows registry where the values for disabling +oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location +may be used. +</p><p> +You can verify (or change or add, if necessary) this Registry value using the Windows +Registry Editor. When you change this registry value, you will have to reboot the PC +to ensure that the new setting goes into effect. +</p><p> +The location of the client registry entry for opportunistic locking has changed in +Windows 2000 from the earlier location in Microsoft Windows NT. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks +in earlier versions of Windows. 
+</p></div><p> +You can also deny the granting of opportunistic locks by changing the following registry entries: +</p><p> +</p><pre class="programlisting"> + HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\MRXSmb\Parameters\ + + OplocksDisabled REG_DWORD 0 or 1 + Default: 0 (not disabled) +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The OplocksDisabled registry value configures Windows clients to either request or not +request opportunistic locks on a remote file. To disable oplocks, the value of + OplocksDisabled must be set to 1. +</p></div><p> +</p><pre class="programlisting"> + HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (Enabled by Default) + + EnableOpLockForceClose REG_DWORD 0 or 1 + Default: 0 (Disabled by Default) +</pre><p> +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The EnableOplocks value configures Windows-based servers (including Workstations sharing +files) to allow or deny opportunistic locks on local files. +</p></div><p> +To force closure of open oplocks on close or program exit EnableOpLockForceClose must be set to 1. +</p><p> +An illustration of how level II oplocks work: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Station 1 opens the file, requesting oplock. + </p></li><li><p> + Since no other station has the file open, the server grants station 1 exclusive oplock. + </p></li><li><p> + Station 2 opens the file, requesting oplock. + </p></li><li><p> + Since station 1 has not yet written to the file, the server asks station 1 to Break + to Level II Oplock. + </p></li><li><p> + Station 1 complies by flushing locally buffered lock information to the server. + </p></li><li><p> + Station 1 informs the server that it has Broken to Level II Oplock (alternatively, + station 1 could have closed the file). 
+ </p></li><li><p> + The server responds to station 2's open request, granting it level II oplock. + Other stations can likewise open the file and obtain level II oplock. + </p></li><li><p> + Station 2 (or any station that has the file open) sends a write request SMB. + The server returns the write response. + </p></li><li><p> + The server asks all stations that have the file open to Break to None, meaning no + station holds any oplock on the file. Because the workstations can have no cached + writes or locks at this point, they need not respond to the break-to-none advisory; + all they need do is invalidate locally cashed read-ahead data. + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929649"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting"> + \HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\LanmanWorkstation\Parameters + + UseOpportunisticLocking REG_DWORD 0 or 1 + Default: 1 (true) +</pre><p> +Indicates whether the redirector should use opportunistic-locking (oplock) performance +enhancement. This parameter should be disabled only to isolate problems. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929676"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting"> + \HKEY_LOCAL_MACHINE\System\ + CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (true) +</pre><p> +Specifies whether the server allows clients to use oplocks on files. Oplocks are a +significant performance enhancement, but have the potential to cause lost cached +data on some networks, particularly wide-area networks. 
+</p><pre class="programlisting"> + MinLinkThroughput REG_DWORD 0 to infinite bytes per second + Default: 0 +</pre><p> +Specifies the minimum link throughput allowed by the server before it disables +raw and opportunistic locks for this connection. +</p><pre class="programlisting"> + MaxLinkDelay REG_DWORD 0 to 100,000 seconds + Default: 60 +</pre><p> +Specifies the maximum time allowed for a link delay. If delays exceed this number, +the server disables raw I/O and opportunistic locking for this connection. +</p><pre class="programlisting"> + OplockBreakWait REG_DWORD 10 to 180 seconds + Default: 35 +</pre><p> +Specifies the time that the server waits for a client to respond to an oplock break +request. Smaller values can allow detection of crashed clients more quickly but can +potentially cause loss of cached data. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929755"></a>Persistent Data Corruption</h2></div></div><div></div></div><p> +If you have applied all of the settings discussed in this paper but data corruption problems +and other symptoms persist, here are some additional things to check out: +</p><p> +We have credible reports from developers that faulty network hardware, such as a single +faulty network card, can cause symptoms similar to read caching and data corruption. +If you see persistent data corruption even after repeated reindexing, you may have to +rebuild the data files in question. This involves creating a new data file with the +same definition as the file to be rebuilt and transferring the data from the old file +to the new one. There are several known methods for doing this that can be found in +our Knowledge Base. 
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929785"></a>Common Errors</h2></div></div><div></div></div><p> +In some sites locking problems surface as soon as a server is installed, in other sites +locking problems may not surface for a long time. Almost without exception, when a locking +problem does surface it will cause embarrassment and potential data corruption. +</p><p> +Over the past few years there have been a number of complaints on the samba mailing lists +that have claimed that samba caused data corruption. Three causes have been identified +so far: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Incorrect configuration of opportunistic locking (incompatible with the application + being used. This is a VERY common problem even where MS Windows NT4 or MS Windows 200x + based servers were in use. It is imperative that the software application vendors' + instructions for configuration of file locking should be followed. If in doubt, + disable oplocks on both the server and the client. Disabling of all forms of file + caching on the MS Windows client may be necessary also. + </p></li><li><p> + Defective network cards, cables, or HUBs / Switched. This is generally a more + prevalent factor with low cost networking hardware, though occasionally there + have been problems with incompatibilities in more up market hardware also. + </p></li><li><p> + There have been some random reports of samba log files being written over data + files. This has been reported by very few sites (about 5 in the past 3 years) + and all attempts to reproduce the problem have failed. The Samba-Team has been + unable to catch this happening and thus has NOT been able to isolate any particular + cause. Considering the millions of systems that use samba, for the sites that have + been affected by this as well as for the Samba-Team this is a frustrating and + a vexing challenge. 
If you see this type of thing happening please create a bug + report on https://bugzilla.samba.org without delay. Make sure that you give as much + information as you possibly can to help isolate the cause and to allow reproduction + of the problem (an essential step in problem isolation and correction). + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929859"></a>locking.tdb error messages</h3></div></div><div></div></div><p> + </p><pre class="screen"> + > We are seeing lots of errors in the samba logs like: + > + > tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic + > 0x4d6f4b61 at offset=36116 + > + > What do these mean? + </pre><p> + </p><p> + Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929890"></a>Additional Reading</h2></div></div><div></div></div><p> +You may want to check for an updated version of this white paper on our Web site from +time to time. Many of our white papers are updated as information changes. For those papers, +the Last Edited date is always at the top of the paper. +</p><p> +Section of the Microsoft MSDN Library on opportunistic locking: +</p><p> +Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development > +Windows Base Services > Files and I/O > SDK Documentation > File Storage > File Systems +> About File Systems > Opportunistic Locks, Microsoft Corporation. 
+<a href="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp" target="_top">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</a> +</p><p> +Microsoft Knowledge Base Article Q224992 "Maintaining Transactional Integrity with OPLOCKS", +Microsoft Corporation, April 1999, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</a>. +</p><p> +Microsoft Knowledge Base Article Q296264 "Configuring Opportunistic Locking in Windows 2000", +Microsoft Corporation, April 2001, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</a>. +</p><p> +Microsoft Knowledge Base Article Q129202 "PC Ext: Explanation of Opportunistic Locking on Windows NT", + Microsoft Corporation, April 1995, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</a>. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. File, Directory and Share Access Controls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. Securing Samba</td></tr></table></div></body></html> diff --git a/docs/htmldocs/migration.html b/docs/htmldocs/migration.html new file mode 100644 index 0000000000..b8027a62ea --- /dev/null +++ b/docs/htmldocs/migration.html 
@@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SambaHA.html" title="Chapter 29. High Availability Options"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></dd><dt>31. 
<a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. High Availability Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</td></tr></table></div></body></html> 
diff --git a/docs/htmldocs/tdbbackup.8.html b/docs/htmldocs/tdbbackup.8.html new file mode 100644 index 0000000000..d91b41cf77 --- /dev/null +++ b/docs/htmldocs/tdbbackup.8.html 
@@ -0,0 +1,35 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>tdbbackup</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="tdbbackup.8"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>tdbbackup — tool for backing up and for validating the integrity of samba .tdb files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">tdbbackup</tt> [-s suffix] [-v] [-h]</p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>This tool is part of the <a href="Samba.1.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(1)</span></a> suite.</p><p><b class="command">tdbbackup</b> is a tool that may be used to backup samba .tdb + files. This tool may also be used to verify the integrity of the .tdb files prior + to samba startup, in which case, if it find file damage and it finds a prior backup + it will restore the backup file. + </p></div><div class="refsect1" lang="en"><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p> + Get help information. + </p></dd><dt><span class="term">-s suffix</span></dt><dd><p> + The <b class="command">-s</b> option allows the adminisistrator to specify a file + backup extension. This way it is possible to keep a history of tdb backup + files by using a new suffix for each backup. + </p></dd><dt><span class="term">-v</span></dt><dd><p> + The <b class="command">-v</b> will check the database for damages (currupt data) + which if detected causes the backup to be restored. 
+ </p></dd></dl></div></div><div class="refsect1" lang="en"><h2>COMMANDS</h2><p><span class="emphasis"><em>GENERAL INFORMATION</em></span></p><p> + The <b class="command">tdbbackup</b> utility should be run as soon as samba has shut down. + Do NOT run this command on a live database. Typical usage for the command will be: + </p><p>tdbbackup [-s suffix] *.tdb</p><p> + Before restarting samba the following command may be run to validate .tdb files: + </p><p>tdbbackup -v [-s suffix] *.tdb</p><p> + Samba .tdb files are stored in various locations, be sure to run backup all + .tdb file on the system. Imporatant files includes: + </p><div class="itemizedlist"><ul type="disc"><li><p> + <b class="command">secrets.tdb</b> - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + </p></li><li><p> + <b class="command">passdb.tdb</b> - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + </p></li><li><p> + <b class="command">*.tdb</b> located in the /usr/local/samba/var directory or on some + systems in the /var/cache or /var/lib/samba directories. + </p></li></ul></div></div><div class="refsect1" lang="en"><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. + Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. + </p><p>The tdbbackup man page was written by John H Terpstra.</p></div></div></body></html> diff --git a/docs/htmldocs/troubleshooting.html b/docs/htmldocs/troubleshooting.html new file mode 100644 index 0000000000..582beeb6b0 --- /dev/null +++ b/docs/htmldocs/troubleshooting.html 
@@ -0,0 +1 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 33. The Samba checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="diagnosis.html">The Samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></dd><dt>34. 
<a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. SWAT - The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. The Samba checklist</td></tr></table></div></body></html> diff --git a/docs/htmldocs/upgrading-to-3.0.html b/docs/htmldocs/upgrading-to-3.0.html new file mode 100644 index 0000000000..ac559fa129 --- /dev/null +++ b/docs/htmldocs/upgrading-to-3.0.html 
@@ -0,0 +1,19 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. 
Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">25 October 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001684"></a>Charsets</h2></div></div><div></div></div><p>You might experience problems with special characters +when communicating with old DOS clients. Codepage +support has changed in samba 3.0. Read the chapter +<a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001709"></a>Obsolete configuration options</h2></div></div><div></div></div><p> +In 3.0, the following configuration options have been removed. 
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>printer driver (replaced by new driver procedures) </td></tr><tr><td>printer driver file (replaced by new driver procedures)</td></tr><tr><td>printer driver location (replaced by new driver procedures)</td></tr><tr><td>use rhosts</td></tr><tr><td>postscript</td></tr><tr><td>client code page (replaced by dos charset)</td></tr><tr><td>vfs path</td></tr><tr><td>vfs options</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003319"></a>Password Backend</h2></div></div><div></div></div><p> +Effective with the release of samba-3 it is now imperative that the password backend +be correctly defined in smb.conf. +</p><p> +Those migrating from samba-2.x with plaintext password support need the following: +<span class="emphasis"><em>passdb backend = guest</em></span>. +</p><p> +Those migrating from samba-2.x with encrypted password support should add to smb.conf +<span class="emphasis"><em>passdb backend = smbpasswd, guest</em></span>. +</p><p> +LDAP using Samba-2.x systems can continue to operate with the following entry +<span class="emphasis"><em>passdb backend = ldapsam_compat, guest</em></span>. +</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html> |
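Review bot: In the hunk that ends just before the upgrading-to-3.0.html header, the table-of-contents entries link to anchors such as problems.html#id3010907 and bugreport.html#id3012269, which look like stylesheet-generated ids rather than names chosen in the source (the generator meta tag in this patch names DocBook XSL Stylesheets V1.60.1). If those ids are reassigned when the documentation is rebuilt, every regeneration will produce a large diff and break any external link or bookmark to these sections. Consider giving the sections explicit ids in the DocBook source so the anchors stay stable, as the chapter-level anchors in this patch already are (for example name="upgrading-to-3.0").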
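Review bot: In the upgrading-to-3.0.html hunk, the Password Backend section says it is "imperative that the password backend be correctly defined in smb.conf" but never says what happens when it is missing or wrong, which is the one thing an administrator upgrading an authentication server needs to know before restarting smbd. Please state the behaviour when passdb backend is left unset (which backend is used, and whether existing users can still log in), and say which section of smb.conf the line belongs in. The three settings are also marked up as emphasis and followed directly by a sentence period, as in "passdb backend = guest</em></span>.", so a reader cannot tell the value from the punctuation; literal or parameter markup on a line of its own would be safer to copy. In the same hunk, the "Obsolete configuration options" list says the options "have been removed" without saying whether a leftover entry in an existing smb.conf is ignored, warned about, or fatal, and "LDAP using Samba-2.x systems" would read better as "Samba-2.x systems using LDAP".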