author | Jelmer Vernooij <jelmer@samba.org> | 2003-04-02 12:28:46 +0000 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2003-04-02 12:28:46 +0000 |
commit | bf11814a57dff757d5816791593c55c9bd15a9e5 (patch) | |
tree | bca793ad3d1fade038544be880e7b063296d9d96 /docs/htmldocs | |
parent | 4392be0a471df0e4f4a8c690dfc0754b1f9d4e05 (diff) | |
download | samba-bf11814a57dff757d5816791593c55c9bd15a9e5.tar.gz samba-bf11814a57dff757d5816791593c55c9bd15a9e5.tar.bz2 samba-bf11814a57dff757d5816791593c55c9bd15a9e5.zip |
Regenerate docs after John's changes
(This used to be commit 597b23e9fbbd4b5024d9d839151b9083efc02b5c)
Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- | docs/htmldocs/Samba-HOWTO-Collection.html | 7434 |
1 files changed, 3588 insertions, 3846 deletions
diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index ea080fbd79..c902d63bec 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -145,26 +145,32 @@ HREF="#AEN130" ><DT >2.2. <A HREF="#AEN139" ->Use of the "Remote Announce" parameter</A +>How browsing functions and how to deploy stable and +dependable browsing using Samba</A ></DT ><DT >2.3. <A -HREF="#AEN153" ->Use of the "Remote Browse Sync" parameter</A +HREF="#AEN149" +>Use of the "Remote Announce" parameter</A ></DT ><DT >2.4. <A -HREF="#AEN158" ->Use of WINS</A +HREF="#AEN163" +>Use of the "Remote Browse Sync" parameter</A ></DT ><DT >2.5. <A -HREF="#AEN169" ->Do NOT use more than one (1) protocol on MS Windows machines</A +HREF="#AEN168" +>Use of WINS</A ></DT ><DT >2.6. <A -HREF="#AEN177" +HREF="#AEN179" +>Do NOT use more than one (1) protocol on MS Windows machines</A +></DT +><DT +>2.7. <A +HREF="#AEN187" >Name Resolution Order</A ></DT ></DL @@ -178,42 +184,42 @@ HREF="#PASSDB" ><DL ><DT >3.1. <A -HREF="#AEN234" +HREF="#AEN244" >Introduction</A ></DT ><DT >3.2. <A -HREF="#AEN241" +HREF="#AEN251" >Important Notes About Security</A ></DT ><DT >3.3. <A -HREF="#AEN279" +HREF="#AEN289" >The smbpasswd Command</A ></DT ><DT >3.4. <A -HREF="#AEN310" +HREF="#AEN320" >Plain text</A ></DT ><DT >3.5. <A -HREF="#AEN315" +HREF="#AEN325" >TDB</A ></DT ><DT >3.6. <A -HREF="#AEN318" +HREF="#AEN328" >LDAP</A ></DT ><DT >3.7. <A -HREF="#AEN536" +HREF="#AEN546" >MySQL</A ></DT ><DT >3.8. <A -HREF="#AEN584" +HREF="#AEN594" >Passdb XML plugin</A ></DT ></DL @@ -236,17 +242,17 @@ HREF="#SERVERTYPE" ><DL ><DT >4.1. <A -HREF="#AEN629" +HREF="#AEN639" >Stand Alone Server</A ></DT ><DT >4.2. <A -HREF="#AEN635" +HREF="#AEN646" >Domain Member Server</A ></DT ><DT >4.3. <A -HREF="#AEN641" +HREF="#AEN652" >Domain Controller</A ></DT ></DL 
@@ -254,8 +260,17 @@ HREF="#AEN641" ><DT >5. <A HREF="#SECURITYLEVELS" ->Samba as Stand-Alone server (User and Share security level)</A +>Samba as Stand-Alone Server</A +></DT +><DD +><DL +><DT +>5.1. <A +HREF="#AEN681" +>User and Share security level</A ></DT +></DL +></DD ><DT >6. <A HREF="#SAMBA-PDC" @@ -265,81 +280,71 @@ HREF="#SAMBA-PDC" ><DL ><DT >6.1. <A -HREF="#AEN705" +HREF="#AEN785" >Prerequisite Reading</A ></DT ><DT >6.2. <A -HREF="#AEN710" +HREF="#AEN790" >Background</A ></DT ><DT >6.3. <A -HREF="#AEN748" +HREF="#AEN830" >Configuring the Samba Domain Controller</A ></DT ><DT >6.4. <A -HREF="#AEN790" +HREF="#AEN872" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT ><DT >6.5. <A -HREF="#AEN898" +HREF="#AEN980" >Common Problems and Errors</A ></DT ><DT >6.6. <A -HREF="#AEN946" ->System Policies and Profiles</A -></DT -><DT ->6.7. <A -HREF="#AEN990" +HREF="#AEN1026" >What other help can I get?</A ></DT ><DT ->6.8. <A -HREF="#AEN1104" +>6.7. <A +HREF="#AEN1140" >Domain Control for Windows 9x/ME</A ></DT -><DT ->6.9. <A -HREF="#AEN1242" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></DT ></DL ></DD ><DT >7. <A HREF="#SAMBA-BDC" ->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A +>Samba Backup Domain Controller to Samba Domain Control</A ></DT ><DD ><DL ><DT >7.1. <A -HREF="#AEN1278" +HREF="#AEN1193" >Prerequisite Reading</A ></DT ><DT >7.2. <A -HREF="#AEN1282" +HREF="#AEN1197" >Background</A ></DT ><DT >7.3. <A -HREF="#AEN1290" +HREF="#AEN1205" >What qualifies a Domain Controller on the network?</A ></DT ><DT >7.4. <A -HREF="#AEN1299" +HREF="#AEN1214" >Can Samba be a Backup Domain Controller to an NT PDC?</A ></DT ><DT >7.5. <A -HREF="#AEN1304" +HREF="#AEN1219" >How do I set up a Samba BDC?</A ></DT ></DL @@ -353,7 +358,7 @@ HREF="#ADS" ><DL ><DT >8.1. <A -HREF="#AEN1336" +HREF="#AEN1251" >Setup your <TT CLASS="FILENAME" >smb.conf</TT 
@@ -361,7 +366,7 @@ CLASS="FILENAME" ></DT ><DT >8.2. <A -HREF="#AEN1347" +HREF="#AEN1262" >Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT @@ -369,22 +374,22 @@ CLASS="FILENAME" ></DT ><DT >8.3. <A -HREF="#AEN1358" +HREF="#AEN1273" >Create the computer account</A ></DT ><DT >8.4. <A -HREF="#AEN1370" +HREF="#AEN1285" >Test your server setup</A ></DT ><DT >8.5. <A -HREF="#AEN1375" +HREF="#AEN1290" >Testing with smbclient</A ></DT ><DT >8.6. <A -HREF="#AEN1378" +HREF="#AEN1293" >Notes</A ></DT ></DL @@ -398,12 +403,12 @@ HREF="#DOMAIN-SECURITY" ><DL ><DT >9.1. <A -HREF="#AEN1400" +HREF="#AEN1315" >Joining an NT Domain with Samba 3.0</A ></DT ><DT >9.2. <A -HREF="#AEN1454" +HREF="#AEN1369" >Why is this better than security = server?</A ></DT ></DL @@ -413,48 +418,26 @@ HREF="#AEN1454" ><DT >III. <A HREF="#OPTIONAL" ->Optional configuration</A +>Advanced Configuration</A ></DT ><DD ><DL ><DT >10. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A +HREF="#ADVANCEDNETWORKMANAGEMENT" +>System Policies</A ></DT ><DD ><DL ><DT >10.1. <A -HREF="#AEN1486" ->Agenda</A +HREF="#AEN1401" +>Basic System Policy Info</A ></DT ><DT >10.2. <A -HREF="#AEN1508" ->Name Resolution in a pure Unix/Linux world</A -></DT -><DT ->10.3. <A -HREF="#AEN1571" ->Name resolution as used within MS Windows networking</A -></DT -><DT ->10.4. <A -HREF="#AEN1616" ->How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></DT -><DT ->10.5. <A -HREF="#AEN1626" ->MS Windows security options and how to configure -Samba for seemless integration</A -></DT -><DT ->10.6. <A -HREF="#AEN1696" ->Conclusions</A +HREF="#AEN1456" +>Roaming Profiles</A ></DT ></DL ></DD 
@@ -467,39 +450,39 @@ HREF="#UNIX-PERMISSIONS" ><DL ><DT >11.1. <A -HREF="#AEN1717" +HREF="#AEN1663" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT >11.2. <A -HREF="#AEN1721" +HREF="#AEN1667" >How to view file security on a Samba share</A ></DT ><DT >11.3. <A -HREF="#AEN1732" +HREF="#AEN1678" >Viewing file ownership</A ></DT ><DT >11.4. <A -HREF="#AEN1752" +HREF="#AEN1698" >Viewing file or directory permissions</A ></DT ><DT >11.5. <A -HREF="#AEN1788" +HREF="#AEN1734" >Modifying file or directory permissions</A ></DT ><DT >11.6. <A -HREF="#AEN1810" +HREF="#AEN1756" >Interaction with the standard Samba create mask parameters</A ></DT ><DT >11.7. <A -HREF="#AEN1864" +HREF="#AEN1810" >Interaction with the standard Samba file attribute mapping</A ></DT @@ -507,6 +490,11 @@ HREF="#AEN1864" ></DD ><DT >12. <A +HREF="#GROUPMAPPING" +>Group mapping HOWTO</A +></DT +><DT +>13. <A HREF="#PAM" >Configuring PAM for distributed but centrally managed authentication</A @@ -514,37 +502,23 @@ managed authentication</A ><DD ><DL ><DT ->12.1. <A -HREF="#AEN1885" +>13.1. <A +HREF="#AEN1866" >Samba and PAM</A ></DT ><DT ->12.2. <A -HREF="#AEN1929" +>13.2. <A +HREF="#AEN1915" >Distributed Authentication</A ></DT ><DT ->12.3. <A -HREF="#AEN1936" +>13.3. <A +HREF="#AEN1920" >PAM Configuration in smb.conf</A ></DT ></DL ></DD ><DT ->13. <A -HREF="#MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1956" ->Instructions</A -></DT -></DL -></DD -><DT >14. <A HREF="#PRINTING" >Printing Support</A @@ -553,22 +527,22 @@ HREF="#PRINTING" ><DL ><DT >14.1. <A -HREF="#AEN2017" +HREF="#AEN1946" >Introduction</A ></DT ><DT >14.2. <A -HREF="#AEN2039" +HREF="#AEN1968" >Configuration</A ></DT ><DT >14.3. <A -HREF="#AEN2147" +HREF="#AEN2076" >The Imprints Toolset</A ></DT ><DT >14.4. <A -HREF="#AEN2190" +HREF="#AEN2119" >Diagnosis</A ></DT ></DL 
@@ -582,37 +556,37 @@ HREF="#CUPS-PRINTING" ><DL ><DT >15.1. <A -HREF="#AEN2302" +HREF="#AEN2231" >Introduction</A ></DT ><DT >15.2. <A -HREF="#AEN2307" +HREF="#AEN2236" >CUPS - RAW Print Through Mode</A ></DT ><DT >15.3. <A -HREF="#AEN2362" +HREF="#AEN2291" >The CUPS Filter Chains</A ></DT ><DT >15.4. <A -HREF="#AEN2401" +HREF="#AEN2330" >CUPS Print Drivers and Devices</A ></DT ><DT >15.5. <A -HREF="#AEN2478" +HREF="#AEN2407" >Limiting the number of pages users can print</A ></DT ><DT >15.6. <A -HREF="#AEN2567" +HREF="#AEN2496" >Advanced Postscript Printing from MS Windows</A ></DT ><DT >15.7. <A -HREF="#AEN2582" +HREF="#AEN2511" >Auto-Deletion of CUPS spool files</A ></DT ></DL 
@@ -626,271 +600,216 @@ HREF="#WINBIND" ><DL ><DT >16.1. <A -HREF="#AEN2644" +HREF="#AEN2573" >Abstract</A ></DT ><DT >16.2. <A -HREF="#AEN2648" +HREF="#AEN2577" >Introduction</A ></DT ><DT >16.3. <A -HREF="#AEN2661" +HREF="#AEN2590" >What Winbind Provides</A ></DT ><DT >16.4. <A -HREF="#AEN2672" +HREF="#AEN2601" >How Winbind Works</A ></DT ><DT >16.5. <A -HREF="#AEN2715" +HREF="#AEN2644" >Installation and Configuration</A ></DT ><DT >16.6. <A -HREF="#AEN2972" +HREF="#AEN2901" >Limitations</A ></DT ><DT >16.7. <A -HREF="#AEN2982" +HREF="#AEN2911" >Conclusion</A ></DT ></DL ></DD ><DT >17. <A +HREF="#INTEGRATE-MS-NETWORKS" +>Integrating MS Windows networks with Samba</A +></DT +><DD +><DL +><DT +>17.1. <A +HREF="#AEN2932" +>Name Resolution in a pure Unix/Linux world</A +></DT +><DT +>17.2. <A +HREF="#AEN2995" +>Name resolution as used within MS Windows networking</A +></DT +></DL +></DD +><DT +>18. <A HREF="#IMPROVED-BROWSING" >Improved browsing in samba</A ></DT ><DD ><DL ><DT ->17.1. <A -HREF="#AEN2992" +>18.1. <A +HREF="#AEN3047" >Overview of browsing</A ></DT ><DT ->17.2. <A -HREF="#AEN2997" +>18.2. <A +HREF="#AEN3052" >Browsing support in samba</A ></DT ><DT ->17.3. <A -HREF="#AEN3005" +>18.3. <A +HREF="#AEN3060" >Problem resolution</A ></DT ><DT ->17.4. <A -HREF="#AEN3014" +>18.4. <A +HREF="#AEN3069" >Browsing across subnets</A ></DT ><DT ->17.5. <A -HREF="#AEN3054" +>18.5. <A +HREF="#AEN3109" >Setting up a WINS server</A ></DT ><DT ->17.6. <A -HREF="#AEN3073" +>18.6. <A +HREF="#AEN3128" >Setting up Browsing in a WORKGROUP</A ></DT ><DT ->17.7. <A -HREF="#AEN3091" +>18.7. <A +HREF="#AEN3146" >Setting up Browsing in a DOMAIN</A ></DT ><DT ->17.8. <A -HREF="#AEN3101" +>18.8. <A +HREF="#AEN3156" >Forcing samba to be the master</A ></DT ><DT ->17.9. <A -HREF="#AEN3110" +>18.9. <A +HREF="#AEN3165" >Making samba the domain master</A ></DT ><DT ->17.10. <A -HREF="#AEN3128" +>18.10. <A +HREF="#AEN3183" >Note about broadcast addresses</A ></DT ><DT ->17.11. 
<A -HREF="#AEN3131" +>18.11. <A +HREF="#AEN3186" >Multiple interfaces</A ></DT ></DL ></DD ><DT ->18. <A -HREF="#VFS" ->Stackable VFS modules</A +>19. <A +HREF="#MSDFS" +>Hosting a Microsoft Distributed File System tree on Samba</A ></DT ><DD ><DL ><DT ->18.1. <A -HREF="#AEN3149" ->Introduction and configuration</A -></DT -><DT ->18.2. <A -HREF="#AEN3158" ->Included modules</A -></DT -><DT ->18.3. <A -HREF="#AEN3212" ->VFS modules available elsewhere</A +>19.1. <A +HREF="#AEN3200" +>Instructions</A ></DT ></DL ></DD ><DT ->19. <A -HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT -><DT >20. <A -HREF="#SPEED" ->Samba performance issues</A +HREF="#VFS" +>Stackable VFS modules</A ></DT ><DD ><DL ><DT >20.1. <A -HREF="#AEN3279" ->Comparisons</A +HREF="#AEN3259" +>Introduction and configuration</A ></DT ><DT >20.2. <A -HREF="#AEN3285" ->Socket options</A +HREF="#AEN3268" +>Included modules</A ></DT ><DT >20.3. <A -HREF="#AEN3292" ->Read size</A -></DT -><DT ->20.4. <A -HREF="#AEN3297" ->Max xmit</A -></DT -><DT ->20.5. <A -HREF="#AEN3302" ->Log level</A -></DT -><DT ->20.6. <A -HREF="#AEN3305" ->Read raw</A -></DT -><DT ->20.7. <A -HREF="#AEN3310" ->Write raw</A -></DT -><DT ->20.8. <A -HREF="#AEN3314" ->Slow Clients</A -></DT -><DT ->20.9. <A -HREF="#AEN3318" ->Slow Logins</A -></DT -><DT ->20.10. <A -HREF="#AEN3321" ->Client tuning</A +HREF="#AEN3322" +>VFS modules available elsewhere</A ></DT ></DL ></DD ><DT >21. <A -HREF="#GROUPPROFILES" ->Creating Group Prolicy Files</A -></DT -><DD -><DL -><DT ->21.1. <A -HREF="#AEN3369" ->Windows '9x</A -></DT -><DT ->21.2. <A -HREF="#AEN3379" ->Windows NT 4</A -></DT -><DT ->21.3. <A -HREF="#AEN3417" ->Windows 2000/XP</A -></DT -></DL -></DD -><DT ->22. <A HREF="#SECURING-SAMBA" >Securing Samba</A ></DT ><DD ><DL ><DT ->22.1. <A -HREF="#AEN3498" +>21.1. <A +HREF="#AEN3348" >Introduction</A ></DT ><DT ->22.2. <A -HREF="#AEN3501" +>21.2. <A +HREF="#AEN3351" >Using host based protection</A ></DT ><DT ->22.3. 
<A -HREF="#AEN3508" +>21.3. <A +HREF="#AEN3358" >Using interface protection</A ></DT ><DT ->22.4. <A -HREF="#AEN3517" +>21.4. <A +HREF="#AEN3367" >Using a firewall</A ></DT ><DT ->22.5. <A -HREF="#AEN3524" +>21.5. <A +HREF="#AEN3374" >Using a IPC$ share deny</A ></DT ><DT ->22.6. <A -HREF="#AEN3533" +>21.6. <A +HREF="#AEN3383" >Upgrading Samba</A ></DT ></DL ></DD ><DT ->23. <A +>22. <A HREF="#UNICODE" >Unicode/Charsets</A ></DT ><DD ><DL ><DT ->23.1. <A -HREF="#AEN3547" +>22.1. <A +HREF="#AEN3397" >What are charsets and unicode?</A ></DT ><DT ->23.2. <A -HREF="#AEN3556" +>22.2. <A +HREF="#AEN3406" >Samba and charsets</A ></DT ></DL @@ -905,6 +824,65 @@ HREF="#APPENDIXES" ><DD ><DL ><DT +>23. <A +HREF="#SPEED" +>Samba performance issues</A +></DT +><DD +><DL +><DT +>23.1. <A +HREF="#AEN3443" +>Comparisons</A +></DT +><DT +>23.2. <A +HREF="#AEN3449" +>Socket options</A +></DT +><DT +>23.3. <A +HREF="#AEN3456" +>Read size</A +></DT +><DT +>23.4. <A +HREF="#AEN3461" +>Max xmit</A +></DT +><DT +>23.5. <A +HREF="#AEN3466" +>Log level</A +></DT +><DT +>23.6. <A +HREF="#AEN3469" +>Read raw</A +></DT +><DT +>23.7. <A +HREF="#AEN3474" +>Write raw</A +></DT +><DT +>23.8. <A +HREF="#AEN3478" +>Slow Clients</A +></DT +><DT +>23.9. <A +HREF="#AEN3482" +>Slow Logins</A +></DT +><DT +>23.10. <A +HREF="#AEN3485" +>Client tuning</A +></DT +></DL +></DD +><DT >24. <A HREF="#PORTABILITY" >Portability</A @@ -913,27 +891,27 @@ HREF="#PORTABILITY" ><DL ><DT >24.1. <A -HREF="#AEN3585" +HREF="#AEN3525" >HPUX</A ></DT ><DT >24.2. <A -HREF="#AEN3591" +HREF="#AEN3531" >SCO Unix</A ></DT ><DT >24.3. <A -HREF="#AEN3595" +HREF="#AEN3535" >DNIX</A ></DT ><DT >24.4. <A -HREF="#AEN3624" +HREF="#AEN3564" >RedHat Linux Rembrandt-II</A ></DT ><DT >24.5. <A -HREF="#AEN3630" +HREF="#AEN3570" >AIX</A ></DT ></DL 
@@ -947,27 +925,27 @@ HREF="#OTHER-CLIENTS" ><DL ><DT >25.1. <A -HREF="#AEN3650" +HREF="#AEN3590" >Macintosh clients?</A ></DT ><DT >25.2. <A -HREF="#AEN3659" +HREF="#AEN3599" >OS2 Client</A ></DT ><DT >25.3. <A -HREF="#AEN3699" +HREF="#AEN3639" >Windows for Workgroups</A ></DT ><DT >25.4. <A -HREF="#AEN3723" +HREF="#AEN3663" >Windows '95/'98</A ></DT ><DT >25.5. <A -HREF="#AEN3739" +HREF="#AEN3679" >Windows 2000 Service Pack 2</A ></DT ></DL @@ -981,22 +959,22 @@ HREF="#COMPILING" ><DL ><DT >26.1. <A -HREF="#AEN3766" +HREF="#AEN3706" >Access Samba source code via CVS</A ></DT ><DT >26.2. <A -HREF="#AEN3809" +HREF="#AEN3749" >Accessing the samba sources via rsync and ftp</A ></DT ><DT >26.3. <A -HREF="#AEN3815" +HREF="#AEN3755" >Building the Binaries</A ></DT ><DT >26.4. <A -HREF="#AEN3872" +HREF="#AEN3812" >Starting the smbd and nmbd</A ></DT ></DL @@ -1010,32 +988,32 @@ HREF="#BUGREPORT" ><DL ><DT >27.1. <A -HREF="#AEN3934" +HREF="#AEN3874" >Introduction</A ></DT ><DT >27.2. <A -HREF="#AEN3944" +HREF="#AEN3884" >General info</A ></DT ><DT >27.3. <A -HREF="#AEN3950" +HREF="#AEN3890" >Debug levels</A ></DT ><DT >27.4. <A -HREF="#AEN3967" +HREF="#AEN3907" >Internal errors</A ></DT ><DT >27.5. <A -HREF="#AEN3977" +HREF="#AEN3917" >Attaching to a running process</A ></DT ><DT >27.6. <A -HREF="#AEN3980" +HREF="#AEN3920" >Patches</A ></DT ></DL @@ -1049,22 +1027,22 @@ HREF="#DIAGNOSIS" ><DL ><DT >28.1. <A -HREF="#AEN4003" +HREF="#AEN3943" >Introduction</A ></DT ><DT >28.2. <A -HREF="#AEN4008" +HREF="#AEN3948" >Assumptions</A ></DT ><DT >28.3. <A -HREF="#AEN4018" +HREF="#AEN3958" >Tests</A ></DT ><DT >28.4. <A -HREF="#AEN4128" +HREF="#AEN4068" >Still having troubles?</A ></DT ></DL 
@@ -1186,26 +1164,32 @@ HREF="#AEN130" ><DT >2.2. <A HREF="#AEN139" ->Use of the "Remote Announce" parameter</A +>How browsing functions and how to deploy stable and +dependable browsing using Samba</A ></DT ><DT >2.3. <A -HREF="#AEN153" ->Use of the "Remote Browse Sync" parameter</A +HREF="#AEN149" +>Use of the "Remote Announce" parameter</A ></DT ><DT >2.4. <A -HREF="#AEN158" ->Use of WINS</A +HREF="#AEN163" +>Use of the "Remote Browse Sync" parameter</A ></DT ><DT >2.5. <A -HREF="#AEN169" ->Do NOT use more than one (1) protocol on MS Windows machines</A +HREF="#AEN168" +>Use of WINS</A ></DT ><DT >2.6. <A -HREF="#AEN177" +HREF="#AEN179" +>Do NOT use more than one (1) protocol on MS Windows machines</A +></DT +><DT +>2.7. <A +HREF="#AEN187" >Name Resolution Order</A ></DT ></DL 
@@ -1219,146 +1203,146 @@ HREF="#PASSDB" ><DL ><DT >3.1. <A -HREF="#AEN234" +HREF="#AEN244" >Introduction</A ></DT ><DT >3.2. <A -HREF="#AEN241" +HREF="#AEN251" >Important Notes About Security</A ></DT ><DD ><DL ><DT >3.2.1. <A -HREF="#AEN267" +HREF="#AEN277" >Advantages of SMB Encryption</A ></DT ><DT >3.2.2. <A -HREF="#AEN273" +HREF="#AEN283" >Advantages of non-encrypted passwords</A ></DT ></DL ></DD ><DT >3.3. <A -HREF="#AEN279" +HREF="#AEN289" >The smbpasswd Command</A ></DT ><DT >3.4. <A -HREF="#AEN310" +HREF="#AEN320" >Plain text</A ></DT ><DT >3.5. <A -HREF="#AEN315" +HREF="#AEN325" >TDB</A ></DT ><DT >3.6. <A -HREF="#AEN318" +HREF="#AEN328" >LDAP</A ></DT ><DD ><DL ><DT >3.6.1. <A -HREF="#AEN320" +HREF="#AEN330" >Introduction</A ></DT ><DT >3.6.2. <A -HREF="#AEN340" +HREF="#AEN350" >Introduction</A ></DT ><DT >3.6.3. <A -HREF="#AEN369" +HREF="#AEN379" >Supported LDAP Servers</A ></DT ><DT >3.6.4. <A -HREF="#AEN374" +HREF="#AEN384" >Schema and Relationship to the RFC 2307 posixAccount</A ></DT ><DT >3.6.5. <A -HREF="#AEN386" +HREF="#AEN396" >Configuring Samba with LDAP</A ></DT ><DT >3.6.6. <A -HREF="#AEN433" +HREF="#AEN443" >Accounts and Groups management</A ></DT ><DT >3.6.7. <A -HREF="#AEN438" +HREF="#AEN448" >Security and sambaAccount</A ></DT ><DT >3.6.8. <A -HREF="#AEN458" +HREF="#AEN468" >LDAP specials attributes for sambaAccounts</A ></DT ><DT >3.6.9. <A -HREF="#AEN528" +HREF="#AEN538" >Example LDIF Entries for a sambaAccount</A ></DT ></DL ></DD ><DT >3.7. <A -HREF="#AEN536" +HREF="#AEN546" >MySQL</A ></DT ><DD ><DL ><DT >3.7.1. <A -HREF="#AEN538" +HREF="#AEN548" >Building</A ></DT ><DT >3.7.2. <A -HREF="#AEN544" +HREF="#AEN554" >Creating the database</A ></DT ><DT >3.7.3. <A -HREF="#AEN554" +HREF="#AEN564" >Configuring</A ></DT ><DT >3.7.4. <A -HREF="#AEN571" +HREF="#AEN581" >Using plaintext passwords or encrypted password</A ></DT ><DT >3.7.5. 
<A -HREF="#AEN576" +HREF="#AEN586" >Getting non-column data from the table</A ></DT ></DL ></DD ><DT >3.8. <A -HREF="#AEN584" +HREF="#AEN594" >Passdb XML plugin</A ></DT ><DD ><DL ><DT >3.8.1. <A -HREF="#AEN586" +HREF="#AEN596" >Building</A ></DT ><DT >3.8.2. <A -HREF="#AEN592" +HREF="#AEN602" >Usage</A ></DT ></DL 
@@ -1841,7 +1825,74 @@ CLASS="SECT1" CLASS="SECT1" ><A NAME="AEN139" ->2.2. Use of the "Remote Announce" parameter</A +>2.2. How browsing functions and how to deploy stable and +dependable browsing using Samba</A +></H2 +><P +>As stated above, MS Windows machines register their NetBIOS names +(i.e.: the machine name for each service type in operation) on start +up. Also, as stated above, the exact method by which this name registration +takes place is determined by whether or not the MS Windows client/server +has been given a WINS server address, whether or not LMHOSTS lookup +is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P +><P +>In the case where there is no WINS server all name registrations as +well as name lookups are done by UDP broadcast. This isolates name +resolution to the local subnet, unless LMHOSTS is used to list all +names and IP addresses. In such situations Samba provides a means by +which the samba server name may be forcibly injected into the browse +list of a remote MS Windows network (using the "remote announce" parameter).</P +><P +>Where a WINS server is used, the MS Windows client will use UDP +unicast to register with the WINS server. Such packets can be routed +and thus WINS allows name resolution to function across routed networks.</P +><P +>During the startup process an election will take place to create a +local master browser if one does not already exist. On each NetBIOS network +one machine will be elected to function as the domain master browser. This +domain browsing has nothing to do with MS security domain control. +Instead, the domain master browser serves the role of contacting each local +master browser (found by asking WINS or from LMHOSTS) and exchanging browse +list contents. This way every master browser will eventually obtain a complete +list of all machines that are on the network. Every 11-15 minutes an election +is held to determine which machine will be the master browser. 
By the nature of +the election criteria used, the machine with the highest uptime, or the +most senior protocol version, or other criteria, will win the election +as domain master browser.</P +><P +>Clients wishing to browse the network make use of this list, but also depend +on the availability of correct name resolution to the respective IP +address/addresses. </P +><P +>Any configuration that breaks name resolution and/or browsing intrinsics +will annoy users because they will have to put up with protracted +inability to use the network services.</P +><P +>Samba supports a feature that allows forced synchonisation +of browse lists across routed networks using the "remote +browse sync" parameter in the smb.conf file. This causes Samba +to contact the local master browser on a remote network and +to request browse list synchronisation. This effectively bridges +two networks that are separated by routers. The two remote +networks may use either broadcast based name resolution or WINS +based name resolution, but it should be noted that the "remote +browse sync" parameter provides browse list synchronisation - and +that is distinct from name to address resolution, in other +words, for cross subnet browsing to function correctly it is +essential that a name to address resolution mechanism be provided. +This mechanism could be via DNS, <TT +CLASS="FILENAME" +>/etc/hosts</TT +>, +and so on.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN149" +>2.3. Use of the "Remote Announce" parameter</A ></H2 ><P >The "remote announce" parameter of smb.conf can be used to forcibly ensure @@ -1898,8 +1949,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN153" ->2.3. Use of the "Remote Browse Sync" parameter</A +NAME="AEN163" +>2.4. Use of the "Remote Browse Sync" parameter</A ></H2 ><P >The "remote browse sync" parameter of smb.conf is used to announce to 
@@ -1921,8 +1972,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN158" ->2.4. Use of WINS</A +NAME="AEN168" +>2.5. Use of WINS</A ></H2 ><P >Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly @@ -1984,8 +2035,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN169" ->2.5. Do NOT use more than one (1) protocol on MS Windows machines</A +NAME="AEN179" +>2.6. Do NOT use more than one (1) protocol on MS Windows machines</A ></H2 ><P >A very common cause of browsing problems results from installing more than @@ -2027,8 +2078,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN177" ->2.6. Name Resolution Order</A +NAME="AEN187" +>2.7. Name Resolution Order</A ></H2 ><P >Resolution of NetBIOS names to IP addresses can take place using a number @@ -2118,7 +2169,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN234" +NAME="AEN244" >3.1. Introduction</A ></H2 ><P @@ -2159,7 +2210,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN241" +NAME="AEN251" >3.2. Important Notes About Security</A ></H2 ><P @@ -2322,7 +2373,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN267" +NAME="AEN277" >3.2.1. Advantages of SMB Encryption</A ></H3 ><P @@ -2361,7 +2412,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN273" +NAME="AEN283" >3.2.2. Advantages of non-encrypted passwords</A ></H3 ><P @@ -2396,7 +2447,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN279" +NAME="AEN289" >3.3. The smbpasswd Command</A ></H2 ><P @@ -2499,7 +2550,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN310" +NAME="AEN320" >3.4. Plain text</A ></H2 ><P @@ -2519,7 +2570,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN315" +NAME="AEN325" >3.5. TDB</A ></H2 ><P @@ -2532,7 +2583,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN318" +NAME="AEN328" >3.6. LDAP</A ></H2 ><DIV @@ -2540,7 +2591,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN320" +NAME="AEN330" >3.6.1. Introduction</A ></H3 ><P 
@@ -2608,7 +2659,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN340" +NAME="AEN350" >3.6.2. Introduction</A ></H3 ><P @@ -2717,7 +2768,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN369" +NAME="AEN379" >3.6.3. Supported LDAP Servers</A ></H3 ><P @@ -2743,7 +2794,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN374" +NAME="AEN384" >3.6.4. Schema and Relationship to the RFC 2307 posixAccount</A ></H3 ><P @@ -2800,7 +2851,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN386" +NAME="AEN396" >3.6.5. Configuring Samba with LDAP</A ></H3 ><DIV @@ -2808,7 +2859,7 @@ CLASS="SECT3" ><H4 CLASS="SECT3" ><A -NAME="AEN388" +NAME="AEN398" >3.6.5.1. OpenLDAP configuration</A ></H4 ><P @@ -2890,7 +2941,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN405" +NAME="AEN415" >3.6.5.2. Configuring Samba</A ></H4 ><P @@ -3006,7 +3057,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN433" +NAME="AEN443" >3.6.6. Accounts and Groups management</A ></H3 ><P @@ -3031,7 +3082,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN438" +NAME="AEN448" >3.6.7. Security and sambaAccount</A ></H3 ><P @@ -3110,7 +3161,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN458" +NAME="AEN468" >3.6.8. LDAP specials attributes for sambaAccounts</A ></H3 ><P @@ -3317,7 +3368,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN528" +NAME="AEN538" >3.6.9. Example LDIF Entries for a sambaAccount</A ></H3 ><P @@ -3376,7 +3427,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN536" +NAME="AEN546" >3.7. MySQL</A ></H2 ><DIV @@ -3384,7 +3435,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN538" +NAME="AEN548" >3.7.1. Building</A ></H3 ><P @@ -3405,7 +3456,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN544" +NAME="AEN554" >3.7.2. Creating the database</A ></H3 ><P @@ -3441,7 +3492,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN554" +NAME="AEN564" >3.7.3. Configuring</A ></H3 ><P 
@@ -3552,7 +3603,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN571" +NAME="AEN581" >3.7.4. Using plaintext passwords or encrypted password</A ></H3 ><P @@ -3567,7 +3618,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN576" +NAME="AEN586" >3.7.5. Getting non-column data from the table</A ></H3 ><P @@ -3593,7 +3644,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN584" +NAME="AEN594" >3.8. Passdb XML plugin</A ></H2 ><DIV @@ -3601,7 +3652,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN586" +NAME="AEN596" >3.8.1. Building</A ></H3 ><P @@ -3621,7 +3672,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN592" +NAME="AEN602" >3.8.2. Usage</A ></H3 ><P @@ -3658,7 +3709,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN600" +NAME="AEN610" ></A ><H1 >Introduction</H1 @@ -3682,24 +3733,24 @@ HREF="#SERVERTYPE" ><DL ><DT >4.1. <A -HREF="#AEN629" +HREF="#AEN639" >Stand Alone Server</A ></DT ><DT >4.2. <A -HREF="#AEN635" +HREF="#AEN646" >Domain Member Server</A ></DT ><DT >4.3. <A -HREF="#AEN641" +HREF="#AEN652" >Domain Controller</A ></DT ><DD ><DL ><DT >4.3.1. <A -HREF="#AEN644" +HREF="#AEN655" >Domain Controller Types</A ></DT ></DL @@ -3709,8 +3760,46 @@ HREF="#AEN644" ><DT >5. <A HREF="#SECURITYLEVELS" ->Samba as Stand-Alone server (User and Share security level)</A +>Samba as Stand-Alone Server</A ></DT +><DD +><DL +><DT +>5.1. <A +HREF="#AEN681" +>User and Share security level</A +></DT +><DD +><DL +><DT +>5.1.1. <A +HREF="#AEN684" +>User Level Security</A +></DT +><DT +>5.1.2. <A +HREF="#AEN694" +>Share Level Security</A +></DT +><DT +>5.1.3. <A +HREF="#AEN698" +>Server Level Security</A +></DT +><DT +>5.1.4. <A +HREF="#AEN737" +>Domain Level Security</A +></DT +><DT +>5.1.5. <A +HREF="#AEN758" +>ADS Level Security</A +></DT +></DL +></DD +></DL +></DD ><DT >6. <A HREF="#SAMBA-PDC" 
@@ -3720,140 +3809,125 @@ HREF="#SAMBA-PDC" ><DL ><DT >6.1. <A -HREF="#AEN705" +HREF="#AEN785" >Prerequisite Reading</A ></DT ><DT >6.2. <A -HREF="#AEN710" +HREF="#AEN790" >Background</A ></DT ><DT >6.3. <A -HREF="#AEN748" +HREF="#AEN830" >Configuring the Samba Domain Controller</A ></DT ><DT >6.4. <A -HREF="#AEN790" +HREF="#AEN872" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT ><DD ><DL ><DT >6.4.1. <A -HREF="#AEN833" +HREF="#AEN915" >Manual Creation of Machine Trust Accounts</A ></DT ><DT >6.4.2. <A -HREF="#AEN874" +HREF="#AEN956" >"On-the-Fly" Creation of Machine Trust Accounts</A ></DT ><DT >6.4.3. <A -HREF="#AEN883" +HREF="#AEN965" >Joining the Client to the Domain</A ></DT ></DL ></DD ><DT >6.5. <A -HREF="#AEN898" +HREF="#AEN980" >Common Problems and Errors</A ></DT ><DT >6.6. <A -HREF="#AEN946" ->System Policies and Profiles</A -></DT -><DT ->6.7. <A -HREF="#AEN990" +HREF="#AEN1026" >What other help can I get?</A ></DT ><DT ->6.8. <A -HREF="#AEN1104" +>6.7. <A +HREF="#AEN1140" >Domain Control for Windows 9x/ME</A ></DT ><DD ><DL ><DT ->6.8.1. <A -HREF="#AEN1130" +>6.7.1. <A +HREF="#AEN1163" >Configuration Instructions: Network Logons</A ></DT -><DT ->6.8.2. <A -HREF="#AEN1149" ->Configuration Instructions: Setting up Roaming User Profiles</A -></DT ></DL ></DD -><DT ->6.9. <A -HREF="#AEN1242" ->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></DT ></DL ></DD ><DT >7. <A HREF="#SAMBA-BDC" ->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A +>Samba Backup Domain Controller to Samba Domain Control</A ></DT ><DD ><DL ><DT >7.1. <A -HREF="#AEN1278" +HREF="#AEN1193" >Prerequisite Reading</A ></DT ><DT >7.2. <A -HREF="#AEN1282" +HREF="#AEN1197" >Background</A ></DT ><DT >7.3. <A -HREF="#AEN1290" +HREF="#AEN1205" >What qualifies a Domain Controller on the network?</A ></DT ><DD ><DL ><DT >7.3.1. 
<A -HREF="#AEN1293" +HREF="#AEN1208" >How does a Workstation find its domain controller?</A ></DT ><DT >7.3.2. <A -HREF="#AEN1296" +HREF="#AEN1211" >When is the PDC needed?</A ></DT ></DL ></DD ><DT >7.4. <A -HREF="#AEN1299" +HREF="#AEN1214" >Can Samba be a Backup Domain Controller to an NT PDC?</A ></DT ><DT >7.5. <A -HREF="#AEN1304" +HREF="#AEN1219" >How do I set up a Samba BDC?</A ></DT ><DD ><DL ><DT >7.5.1. <A -HREF="#AEN1321" +HREF="#AEN1236" >How do I replicate the smbpasswd file?</A ></DT ><DT >7.5.2. <A -HREF="#AEN1325" +HREF="#AEN1240" >Can I do this all with LDAP?</A ></DT ></DL @@ -3869,7 +3943,7 @@ HREF="#ADS" ><DL ><DT >8.1. <A -HREF="#AEN1336" +HREF="#AEN1251" >Setup your <TT CLASS="FILENAME" >smb.conf</TT @@ -3877,7 +3951,7 @@ CLASS="FILENAME" ></DT ><DT >8.2. <A -HREF="#AEN1347" +HREF="#AEN1262" >Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT @@ -3885,31 +3959,31 @@ CLASS="FILENAME" ></DT ><DT >8.3. <A -HREF="#AEN1358" +HREF="#AEN1273" >Create the computer account</A ></DT ><DD ><DL ><DT >8.3.1. <A -HREF="#AEN1362" +HREF="#AEN1277" >Possible errors</A ></DT ></DL ></DD ><DT >8.4. <A -HREF="#AEN1370" +HREF="#AEN1285" >Test your server setup</A ></DT ><DT >8.5. <A -HREF="#AEN1375" +HREF="#AEN1290" >Testing with smbclient</A ></DT ><DT >8.6. <A -HREF="#AEN1378" +HREF="#AEN1293" >Notes</A ></DT ></DL @@ -3923,12 +3997,12 @@ HREF="#DOMAIN-SECURITY" ><DL ><DT >9.1. <A -HREF="#AEN1400" +HREF="#AEN1315" >Joining an NT Domain with Samba 3.0</A ></DT ><DT >9.2. <A -HREF="#AEN1454" +HREF="#AEN1369" >Why is this better than security = server?</A ></DT ></DL @@ -3987,7 +4061,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN629" +NAME="AEN639" >4.1. Stand Alone Server</A ></H2 ><P 
@@ -4006,6 +4080,11 @@ USER mode. SHARE mode and USER mode security are documented under discussions regarding "security mode". The smb.conf configuration parameters that control security mode are: "security = user" and "security = share".</P ><P +>No special action is needed other than to create user accounts. Stand-alone +servers do NOT provide network logon services, meaning that machines that +use this server do NOT perform a domain logon but instead make use only of +the MS Windows logon which is local to the MS Windows workstation/server.</P +><P >Samba tends to blur the distinction a little in respect of what is a stand alone server. This is because the authentication database may be local or on a remote server, even if from the samba protocol perspective @@ -4025,7 +4104,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN635" +NAME="AEN646" >4.2. Domain Member Server</A ></H2 ><P @@ -4056,7 +4135,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN641" +NAME="AEN652" >4.3. Domain Controller</A ></H2 ><P @@ -4068,7 +4147,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN644" +NAME="AEN655" >4.3.1. Domain Controller Types</A ></H3 ><P @@ -4147,7 +4226,24 @@ CLASS="CHAPTER" ><A NAME="SECURITYLEVELS" ></A ->Chapter 5. Samba as Stand-Alone server (User and Share security level)</H1 +>Chapter 5. Samba as Stand-Alone Server</H1 +><P +>In this section the function and purpose of Samba's <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>security</I +></SPAN +> +modes are described.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN681" +>5.1. User and Share security level</A +></H2 ><P >A SMB server tells the client at startup what "security level" it is running. There are two options "share level" and "user level". Which 
@@ -4158,6 +4254,14 @@ strange, but it fits in with the client/server approach of SMB. In SMB everything is initiated and controlled by the client, and the server can only tell the client what is available and whether an action is allowed. </P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN684" +>5.1.1. User Level Security</A +></H3 ><P >I'll describe user level security first, as its simpler. In user level security the client will send a "session setup" command directly after @@ -4190,6 +4294,15 @@ requests. When the server responds it gives the client a "uid" to use as an authentication tag for that username/password. The client can maintain multiple authentication contexts in this way (WinDD is an example of an application that does this)</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN694" +>5.1.2. Share Level Security</A +></H3 ><P >Ok, now for share level security. In share level security the client authenticates itself separately for each share. It will send a @@ -4212,6 +4325,15 @@ home directories) and any users listed in the "user =" smb.conf line. The password is then checked in turn against these "possible usernames". If a match is found then the client is authenticated as that user.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN698" +>5.1.3. Server Level Security</A +></H3 ><P >Finally "server level" security. In server level security the samba server reports to the client that it is in user level security. The 
@@ -4240,6 +4362,254 @@ requests to another "user mode" server. This requires an additional parameter "password server =" that points to the real authentication server. That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN703" +>5.1.3.1. Configuring Samba for Seemless Windows Network Integration</A +></H4 +><P +>MS Windows clients may use encrypted passwords as part of a challenege/response +authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple +password based authentication. It should be realized that with the SMB protocol +the password is passed over the network either in plain text or encrypted, but +not both in the same authentication requests.</P +><P +>When encrypted passwords are used a password that has been entered by the user +is encrypted in two ways:</P +><P +></P +><UL +><LI +><P +>An MD4 hash of the UNICODE of the password + string. This is known as the NT hash. + </P +></LI +><LI +><P +>The password is converted to upper case, + and then padded or trucated to 14 bytes. This string is + then appended with 5 bytes of NULL characters and split to + form two 56 bit DES keys to encrypt a "magic" 8 byte value. + The resulting 16 bytes for the LanMan hash. + </P +></LI +></UL +><P +>MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0 +pre-service pack 3 will use either mode of password authentication. All +versions of MS Windows that follow these versions no longer support plain +text passwords by default.</P +><P +>MS Windows clients have a habit of dropping network mappings that have been idle +for 10 minutes or longer. 
When the user attempts to use the mapped drive +connection that has been dropped, the client re-establishes the connection using +a cached copy of the password.</P +><P +>When Microsoft changed the default password mode, support was dropped for caching +of the plain text password. This means that when the registry parameter is changed +to re-enable use of plain text passwords it appears to work, but when a dropped +service connection mapping attempts to revalidate it will fail if the remote +authentication server does not support encrypted passwords. This means that it +is definitely not a good idea to re-enable plain text password support in such clients.</P +><P +>The following parameters can be used to work around the issue of Windows 9x client +upper casing usernames and password before transmitting them to the SMB server +when using clear text authentication.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> <A +HREF="smb.conf.5.html#PASSWORDLEVEL" +TARGET="_top" +>passsword level</A +> = <VAR +CLASS="REPLACEABLE" +>integer</VAR +> + <A +HREF="smb.conf.5.html#USERNAMELEVEL" +TARGET="_top" +>username level</A +> = <VAR +CLASS="REPLACEABLE" +>integer</VAR +></PRE +></P +><P +>By default Samba will lower case the username before attempting to lookup the user +in the database of local system accounts. Because UNIX usernames conventionally +only contain lower case character, the <VAR +CLASS="PARAMETER" +>username level</VAR +> parameter +is rarely needed.</P +><P +>However, passwords on UNIX systems often make use of mixed case characters. +This means that in order for a user on a Windows 9x client to connect to a Samba +server using clear text authentication, the <VAR +CLASS="PARAMETER" +>password level</VAR +> +must be set to the maximum number of upper case letter which <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>could</I +></SPAN +> +appear is a password. 
Note that is the server OS uses the traditional DES version +of crypt(), then a <VAR +CLASS="PARAMETER" +>password level</VAR +> of 8 will result in case +insensitive passwords as seen from Windows users. This will also result in longer +login times as Samba hash to compute the permutations of the password string and +try them one by one until a match is located (or all combinations fail).</P +><P +>The best option to adopt is to enable support for encrypted passwords +where ever Samba is used. There are three configuration possibilities +for support of encrypted passwords:</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN729" +>5.1.3.2. Use MS Windows NT as an authentication server</A +></H4 +><P +>This method involves the additions of the following parameters in the smb.conf file:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> encrypt passwords = Yes + security = server + password server = "NetBIOS_name_of_PDC"</PRE +></P +><P +>There are two ways of identifying whether or not a username and +password pair was valid or not. One uses the reply information provided +as part of the authentication messaging process, the other uses +just and error code.</P +><P +>The down-side of this mode of configuration is the fact that +for security reasons Samba will send the password server a bogus +username and a bogus password and if the remote server fails to +reject the username and password pair then an alternative mode +of identification of validation is used. Where a site uses password +lock out after a certain number of failed authentication attempts +this will result in user lockouts.</P +><P +>Use of this mode of authentication does require there to be +a standard Unix account for the user, this account can be blocked +to prevent logons by other than MS Windows clients.</P +></DIV +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN737" +>5.1.4. 
Domain Level Security</A +></H3 +><P +>When samba is operating in <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>security = domain</I +></SPAN +> mode this means that +the Samba server has a domain security trust account (a machine account) and will cause +all authentication requests to be passed through to the domain controllers.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN741" +>5.1.4.1. Samba as a member of an MS Windows NT security domain</A +></H4 +><P +>This method involves additon of the following paramters in the smb.conf file:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> encrypt passwords = Yes + security = domain + workgroup = "name of NT domain" + password server = *</PRE +></P +><P +>The use of the "*" argument to "password server" will cause samba to locate the +domain controller in a way analogous to the way this is done within MS Windows NT. +This is the default behaviour.</P +><P +>In order for this method to work the Samba server needs to join the +MS Windows NT security domain. This is done as follows:</P +><P +></P +><UL +><LI +><P +>On the MS Windows NT domain controller using + the Server Manager add a machine account for the Samba server. + </P +></LI +><LI +><P +>Next, on the Linux system execute: + <B +CLASS="COMMAND" +>smbpasswd -r PDC_NAME -j DOMAIN_NAME</B +> + </P +></LI +></UL +><P +>Use of this mode of authentication does require there to be a standard Unix account +for the user in order to assign a uid once the account has been authenticated by +the remote Windows DC. This account can be blocked to prevent logons by other than +MS Windows clients by things such as setting an invalid shell in the +<TT +CLASS="FILENAME" +>/etc/passwd</TT +> entry. 
</P +><P +>An alternative to assigning UIDs to Windows users on a Samba member server is +presented in the <A +HREF="winbind.html" +TARGET="_top" +>Winbind Overview</A +> chapter +in this HOWTO collection.</P +></DIV +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN758" +>5.1.5. ADS Level Security</A +></H3 +><P +>For information about the configuration option please refer to the entire section entitled +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Samba as an ADS Domain Member.</I +></SPAN +></P +></DIV +></DIV ></DIV ><DIV CLASS="CHAPTER" @@ -4253,7 +4623,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN705" +NAME="AEN785" >6.1. Prerequisite Reading</A ></H2 ><P @@ -4276,7 +4646,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN710" +NAME="AEN790" >6.2. Background</A ></H2 ><P 
@@ -4288,31 +4658,58 @@ PDC functionality.</P ><UL ><LI ><P -> domain logons for Windows NT 4.0 / 200x / XP Professional clients. +> Domain logons for Windows NT 4.0 / 200x / XP Professional clients. </P ></LI ><LI ><P -> placing Windows 9x / Me clients in user level security +> Placing Windows 9x / Me clients in user level security </P ></LI ><LI ><P -> retrieving a list of users and groups from a Samba PDC to +> Retrieving a list of users and groups from a Samba PDC to Windows 9x / Me / NT / 200x / XP Professional clients </P ></LI ><LI ><P -> roaming user profiles +> Roaming Profiles </P ></LI ><LI ><P -> Windows NT 4.0-style system policies +> Network/System Policies </P ></LI ></UL +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Roaming Profiles and System/Network policies are advanced network administration topics +that are covered separately in this document.</P +></TD +></TR +></TABLE +></DIV ><P >The following functionalities are new to the Samba 3.0 release:</P ><P @@ -4396,7 +4793,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN748" +NAME="AEN830" >6.3. Configuring the Samba Domain Controller</A ></H2 ><P @@ -4593,7 +4990,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN790" +NAME="AEN872" >6.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A ></H2 ><P @@ -4779,7 +5176,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN833" +NAME="AEN915" >6.4.1. Manual Creation of Machine Trust Accounts</A ></H3 ><P @@ -4949,7 +5346,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN874" +NAME="AEN956" >6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A ></H3 ><P 
@@ -4986,7 +5383,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN883" +NAME="AEN965" >6.4.3. Joining the Client to the Domain</A ></H3 ><P @@ -5054,7 +5451,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN898" +NAME="AEN980" >6.5. Common Problems and Errors</A ></H2 ><P @@ -5138,23 +5535,16 @@ CLASS="EMPHASIS" ><P >I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, "The system - can not log you on (C000019B), Please try a gain or consult your + can not log you on (C000019B), Please try again or consult your system administrator" when attempting to logon. </P ><P -> This occurs when the domain SID stored in - <TT -CLASS="FILENAME" ->private/WORKGROUP.SID</TT -> is - changed. For example, you remove the file and <B -CLASS="COMMAND" ->smbd</B -> automatically - creates a new one. Or you are swapping back and forth between - versions 2.0.7, TNG and the HEAD branch code (not recommended). The - only way to correct the problem is to restore the original domain - SID or remove the domain client from the domain and rejoin. +> This occurs when the domain SID stored in the secrets.tdb database + is changed. The most common cause of a change in domain SID is when + the domain name and/or the server name (netbios name) is changed. + The only way to correct the problem is to restore the original domain + SID or remove the domain client from the domain and rejoin. The domain + SID may be reset using either the smbpasswd or rpcclient utilities. </P ></LI ><LI 
@@ -5260,185 +5650,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN946" ->6.6. System Policies and Profiles</A -></H2 -><P ->Much of the information necessary to implement System Policies and -Roving User Profiles in a Samba domain is the same as that for -implementing these same items in a Windows NT 4.0 domain. -You should read the white paper <A -HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" -TARGET="_top" ->Implementing -Profiles and Policies in Windows NT 4.0</A -> available from Microsoft.</P -><P ->Here are some additional details:</P -><P -></P -><UL -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->What about Windows NT Policy Editor?</I -></SPAN -> - </P -><P -> To create or edit <TT -CLASS="FILENAME" ->ntconfig.pol</TT -> you must use - the NT Server Policy Editor, <B -CLASS="COMMAND" ->poledit.exe</B -> which - is included with NT Server but <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->not NT Workstation</I -></SPAN ->. - There is a Policy Editor on a NTws - but it is not suitable for creating <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Domain Policies</I -></SPAN ->. - Further, although the Windows 95 - Policy Editor can be installed on an NT Workstation/Server, it will not - work with NT policies because the registry key that are set by the policy templates. - However, the files from the NT Server will run happily enough on an NTws. - You need <TT -CLASS="FILENAME" ->poledit.exe, common.adm</TT -> and <TT -CLASS="FILENAME" ->winnt.adm</TT ->. It is convenient - to put the two *.adm files in <TT -CLASS="FILENAME" ->c:\winnt\inf</TT -> which is where - the binary will look for them unless told otherwise. Note also that that - directory is 'hidden'. - </P -><P -> The Windows NT policy editor is also included with the Service Pack 3 (and - later) for Windows NT 4.0. Extract the files using <B -CLASS="COMMAND" ->servicepackname /x</B ->, - i.e. 
that's <B -CLASS="COMMAND" ->Nt4sp6ai.exe /x</B -> for service pack 6a. The policy editor, - <B -CLASS="COMMAND" ->poledit.exe</B -> and the associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template - files for Office97 and get a copy of the policy editor. Another possible - location is with the Zero Administration Kit available for download from Microsoft. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Can Win95 do Policies?</I -></SPAN -> - </P -><P -> Install the group policy handler for Win9x to pick up group - policies. Look on the Win98 CD in <TT -CLASS="FILENAME" ->\tools\reskit\netadmin\poledit</TT ->. - Install group policies on a Win9x client by double-clicking - <TT -CLASS="FILENAME" ->grouppol.inf</TT ->. Log off and on again a couple of - times and see if Win98 picks up group policies. Unfortunately this needs - to be done on every Win9x machine that uses group policies.... - </P -><P -> If group policies don't work one reports suggests getting the updated - (read: working) grouppol.dll for Windows 9x. The group list is grabbed - from /etc/group. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get 'User Manager' and 'Server Manager'</I -></SPAN -> - </P -><P -> Since I don't need to buy an NT Server CD now, how do I get - the 'User Manager for Domains', the 'Server Manager'? - </P -><P -> Microsoft distributes a version of these tools called nexus for - installation on Windows 95 systems. 
The tools set includes - </P -><P -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P -> Click here to download the archived file <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -> - </P -><P -> The Windows NT 4.0 version of the 'User Manager for - Domains' and 'Server Manager' are available from Microsoft via ftp - from <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A -> - </P -></LI -></UL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN990" ->6.7. What other help can I get?</A +NAME="AEN1026" +>6.6. What other help can I get?</A ></H2 ><P >There are many sources of information available in the form 
@@ -5857,62 +6070,27 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1104" ->6.8. Domain Control for Windows 9x/ME</A +NAME="AEN1140" +>6.7. Domain Control for Windows 9x/ME</A ></H2 -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->The following section contains much of the original -DOMAIN.txt file previously included with Samba. Much of -the material is based on what went into the book <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Special -Edition, Using Samba</I -></SPAN ->, by Richard Sharpe.</P -></TD -></TR -></TABLE -></DIV ><P >A domain and a workgroup are exactly the same thing in terms of network browsing. The difference is that a distributable authentication database is associated with a domain, for secure login access to a network. Also, different access rights can be granted to users if they -successfully authenticate against a domain logon server (NT server and -other systems based on NT server support this, as does at least Samba TNG now).</P +successfully authenticate against a domain logon server. Samba-3 does this +now in the same way that MS Windows NT/2K.</P ><P >The SMB client logging on to a domain has an expectation that every other server in the domain should accept the same authentication information. -Network browsing functionality of domains and workgroups is -identical and is explained in BROWSING.txt. It should be noted, that browsing -is totally orthogonal to logon support.</P +Network browsing functionality of domains and workgroups is identical and +is explained in this documentation under the browsing discussions. +It should be noted, that browsing is totally orthogonal to logon support.</P ><P >Issues related to the single-logon network model are discussed in this section. 
Samba supports domain logons, network logon scripts, and user profiles for MS Windows for workgroups and MS Windows 9X/ME clients -which will be the focus of this section.</P +which are the focus of this section.</P ><P >When an SMB client in a domain wishes to logon it broadcast requests for a logon server. The first one to reply gets the job, and validates its @@ -5991,8 +6169,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1130" ->6.8.1. Configuration Instructions: Network Logons</A +NAME="AEN1163" +>6.7.1. Configuration Instructions: Network Logons</A ></H3 ><P >The main difference between a PDC and a Windows 9x logon 
@@ -6092,703 +6270,6 @@ for its domain.</P ></TABLE ></DIV ></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1149" ->6.8.2. Configuration Instructions: Setting up Roaming User Profiles</A -></H3 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE!</I -></SPAN -> Roaming profiles support is different -for Win9X and WinNT.</P -></TD -></TR -></TABLE -></DIV -><P ->Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features.</P -><P ->Win9X clients send a NetUserGetInfo request to the server to get the user's -profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory.</P -><P ->WinNT clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1157" ->6.8.2.1. Windows NT Configuration</A -></H4 -><P ->To support WinNT clients, in the [global] section of smb.conf set the -following (for example):</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE -></P -><P ->The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable. 
</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 26aug96 - we have discovered a problem where Windows clients can -maintain a connection to the [homes] share in between logins. The -[homes] share must NOT therefore be used in a profile path.]</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1165" ->6.8.2.2. Windows 9X Configuration</A -></H4 -><P ->To support Win9X clients, you must use the "logon home" parameter. Samba has -now been fixed so that "net use/home" now works as well, and it, too, relies -on the "logon home" parameter.</P -><P ->By using the logon home parameter, you are restricted to putting Win9X -profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles</PRE -></P -><P ->then your Win9X clients will dutifully put their clients in a subdirectory -of your home directory called .profiles (thus making them hidden).</P -><P ->Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area -and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for "logon home".</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1173" ->6.8.2.3. Win9X and WinNT Configuration</A -></H4 -><P ->You can support profiles for both Win9X and WinNT clients by setting both the -"logon home" and "logon path" parameters. 
For example:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U</PRE -></P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I have not checked what 'net use /home' does on NT when "logon home" is -set as above.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1180" ->6.8.2.4. Windows 9X Profile Setup</A -></H4 -><P ->When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders "Start Menu", "Desktop", "Programs" and "Nethood". -These directories and their contents will be merged with the local -versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options "preserve case = yes", "short preserve case = yes" and -"case sensitive = no" in order to maintain capital letters in shortcuts -in any of the profile folders.</P -><P ->The user.DAT file contains all the user's preferences. If you wish to -enforce a set of preferences, rename their user.DAT file to user.MAN, -and deny them write access to this file.</P -><P -></P -><OL -TYPE="1" -><LI -><P -> On the Windows 95 machine, go to Control Panel | Passwords and - select the User Profiles tab. Select the required level of - roaming preferences. Press OK, but do _not_ allow the computer - to reboot. - </P -></LI -><LI -><P -> On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to - NT Domain'. Then, ensure that the Primary Logon is 'Client for - Microsoft Networks'. Press OK, and this time allow the computer - to reboot. 
- </P -></LI -></OL -><P ->Under Windows 95, Profiles are downloaded from the Primary Logon. -If you have the Primary Logon as 'Client for Novell Networks', then -the profiles and logon script will be downloaded from your Novell -Server. If you have the Primary Logon as 'Windows Logon', then the -profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me.</P -><P ->You will now find that the Microsoft Networks Login box contains -[user, password, domain] instead of just [user, password]. Type in -the samba server's domain name (or any other domain known to exist, -but bear in mind that the user will be authenticated against this -domain and profiles downloaded from it, if that domain logon server -supports it), user name and user's password.</P -><P ->Once the user has been successfully validated, the Windows 95 machine -will inform you that 'The user has not logged on before' and asks you -if you wish to save the user's preferences? Select 'yes'.</P -><P ->Once the Windows 95 client comes up with the desktop, you should be able -to examine the contents of the directory specified in the "logon path" -on the samba server and verify that the "Desktop", "Start Menu", -"Programs" and "Nethood" folders have been created.</P -><P ->These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). -You will find that if the user creates further folders or short-cuts, -that the client will merge the profile contents downloaded with the -contents of the profile directory already on the local client, taking -the newest folders and short-cuts from each set.</P -><P ->If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as -it attempts to merge the local and the remote profile. 
Basically, if -you have any errors reported by the w95 machine, check the Unix file -permissions and ownership rights on the profile directory contents, -on the samba server.</P -><P ->If you have problems creating user profiles, you can reset the user's -local desktop cache, as shown below. When this user then next logs in, -they will be told that they are logging in "for the first time".</P -><P -></P -><OL -TYPE="1" -><LI -><P -> instead of logging in under the [user, password, domain] dialog, - press escape. - </P -></LI -><LI -><P -> run the regedit.exe program, and look in: - </P -><P -> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList - </P -><P -> you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be c:\windows\profiles\username), - then delete the key ProfilePath for the required user. - </P -><P -> [Exit the registry editor]. - </P -></LI -><LI -><P -> <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->WARNING</I -></SPAN -> - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). - </P -><P -> This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. - </P -></LI -><LI -><P -> search for the user's .PWL password-caching file in the c:\windows - directory, and delete it. - </P -></LI -><LI -><P -> log off the windows 95 client. - </P -></LI -><LI -><P -> check the contents of the profile path (see "logon path" described - above), and delete the user.DAT or user.MAN file for the user, - making a backup if required. 
- </P -></LI -></OL -><P ->If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports.</P -><P ->If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the -differences are with the equivalent samba trace.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1216" ->6.8.2.5. Windows NT Workstation 4.0</A -></H4 -><P ->When a user first logs in to a Windows NT Workstation, the profile -NTuser.DAT is created. The profile location can be now specified -through the "logon path" parameter. </P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 10aug97 - i tried setting the path to -\\samba-server\homes\profile, and discovered that this fails because -a background process maintains the connection to the [homes] share -which does _not_ close down in between user logins. you have to -have \\samba-server\%L\profile, where user is the username created -from the [homes] share].</P -></TD -></TR -></TABLE -></DIV -><P ->There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and -should be used in conjunction with the new "logon home" parameter.</P -><P ->The entry for the NT 4.0 profile is a _directory_ not a file. The NT -help on profiles mentions that a directory is also created with a .PDS -extension. 
The user, while logging in, must have write permission to -create the full profile path (and the folder with the .PDS extension) -[lkcl 10aug97 - i found that the creation of the .PDS directory failed, -and had to create these manually for each user, with a shell script. -also, i presume, but have not tested, that the full profile path must -be browseable just as it is for w95, due to the manner in which they -attempt to create the full profile path: test existence of each path -component; create path component].</P -><P ->In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", -"Start Menu" and "Programs". The profile itself is stored in a file -NTuser.DAT. Nothing appears to be stored in the .PDS directory, and -its purpose is currently unknown.</P -><P ->You can use the System Control Panel to copy a local profile onto -a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the System Control Panel for you). The -NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN -turns a profile into a mandatory one.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 10aug97 - i notice that NT Workstation tells me that it is -downloading a profile from a slow link. 
whether this is actually the -case, or whether there is some configuration issue, as yet unknown, -that makes NT Workstation _think_ that the link is a slow one is a -matter to be resolved].</P -><P ->[lkcl 20aug97 - after samba digest correspondence, one user found, and -another confirmed, that profiles cannot be loaded from a samba server -unless "security = user" and "encrypt passwords = yes" (see the file -ENCRYPTION.txt) or "security = server" and "password server = ip.address. -of.yourNTserver" are used. Either of these options will allow the NT -workstation to access the samba server using LAN manager encrypted -passwords, without the user intervention normally required by NT -workstation for clear-text passwords].</P -><P ->[lkcl 25aug97 - more comments received about NT profiles: the case of -the profile _matters_. the file _must_ be called NTuser.DAT or, for -a mandatory profile, NTuser.MAN].</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1229" ->6.8.2.6. Windows NT Server</A -></H4 -><P ->There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1232" ->6.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A -></H4 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->Potentially outdated or incorrect material follows</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I think this is all bogus, but have not deleted it. 
(Richard Sharpe)</P -></TD -></TR -></TABLE -></DIV -><P ->The default logon path is \\%N\%U. NT Workstation will attempt to create -a directory "\\samba-server\username.PDS" if you specify the logon path -as "\\samba-server\username" with the NT User Manager. Therefore, you -will need to specify (for example) "\\samba-server\username\profile". -NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which -is more likely to succeed.</P -><P ->If you then want to share the same Start Menu / Desktop with W95, you will -need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 -this has its drawbacks: i created a shortcut to telnet.exe, which attempts -to run from the c:\winnt\system32 directory. this directory is obviously -unlikely to exist on a Win95-only host].</P -><P -> If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->[lkcl 25aug97 - there are some issues to resolve with downloading of -NT profiles, probably to do with time/date stamps. i have found that -NTuser.DAT is never updated on the workstation after the first time that -it is copied to the local workstation profile directory. this is in -contrast to w95, where it _does_ transfer / update profiles correctly].</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1242" ->6.9. 
DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></H2 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->Possibly Outdated Material</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> This appendix was originally authored by John H Terpstra of - the Samba Team and is included here for posterity. - </P -></TD -></TR -></TABLE -></DIV -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE :</I -></SPAN -> -The term "Domain Controller" and those related to it refer to one specific -method of authentication that can underly an SMB domain. Domain Controllers -prior to Windows NT Server 3.1 were sold by various companies and based on -private extensions to the LAN Manager 2.1 protocol. Windows NT introduced -Microsoft-specific ways of distributing the user authentication database. -See DOMAIN.txt for examples of how Samba can participate in or create -SMB domains based on shared authentication database schemes other than the -Windows NT SAM.</P -><P ->Windows NT Server can be installed as either a plain file and print server -(WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller). -The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT.</P -><P ->To many people these terms can be confusing, so let's try to clear the air.</P -><P ->Every Windows NT system (workstation or server) has a registry database. -The registry contains entries that describe the initialization information -for all services (the equivalent of Unix Daemons) that run within the Windows -NT environment. 
The registry also contains entries that tell application -software where to find dynamically loadable libraries that they depend upon. -In fact, the registry contains entries that describes everything that anything -may need to know to interact with the rest of the system.</P -><P ->The registry files can be located on any Windows NT machine by opening a -command prompt and typing:</P -><P -><SAMP -CLASS="PROMPT" ->C:\WINNT\></SAMP -> dir %SystemRoot%\System32\config</P -><P ->The environment variable %SystemRoot% value can be obtained by typing:</P -><P -><SAMP -CLASS="PROMPT" ->C:\WINNT></SAMP ->echo %SystemRoot%</P -><P ->The active parts of the registry that you may want to be familiar with are -the files called: default, system, software, sam and security.</P -><P ->In a domain environment, Microsoft Windows NT domain controllers participate -in replication of the SAM and SECURITY files so that all controllers within -the domain have an exactly identical copy of each.</P -><P ->The Microsoft Windows NT system is structured within a security model that -says that all applications and services must authenticate themselves before -they can obtain permission from the security manager to do what they set out -to do.</P -><P ->The Windows NT User database also resides within the registry. This part of -the registry contains the user's security identifier, home directory, group -memberships, desktop profile, and so on.</P -><P ->Every Windows NT system (workstation as well as server) will have its own -registry. Windows NT Servers that participate in Domain Security control -have a database that they share in common - thus they do NOT own an -independent full registry database of their own, as do Workstations and -plain Servers.</P -><P ->The User database is called the SAM (Security Access Manager) database and -is used for all user authentication as well as for authentication of inter- -process authentication (i.e. 
to ensure that the service action a user has -requested is permitted within the limits of that user's privileges).</P -><P ->The Samba team have produced a utility that can dump the Windows NT SAM into -smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and -/pub/samba/pwdump on your nearest Samba mirror for the utility. This -facility is useful but cannot be easily used to implement SAM replication -to Samba systems.</P -><P ->Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers -can participate in a Domain security system that is controlled by Windows NT -servers that have been correctly configured. Almost every domain will have -ONE Primary Domain Controller (PDC). It is desirable that each domain will -have at least one Backup Domain Controller (BDC).</P -><P ->The PDC and BDCs then participate in replication of the SAM database so that -each Domain Controlling participant will have an up to date SAM component -within its registry.</P ></DIV ></DIV ><DIV @@ -6797,13 +6278,13 @@ CLASS="CHAPTER" ><A NAME="SAMBA-BDC" ></A ->Chapter 7. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</H1 +>Chapter 7. Samba Backup Domain Controller to Samba Domain Control</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1278" +NAME="AEN1193" >7.1. Prerequisite Reading</A ></H2 ><P @@ -6820,7 +6301,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1282" +NAME="AEN1197" >7.2. Background</A ></H2 ><P @@ -6865,7 +6346,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1290" +NAME="AEN1205" >7.3. What qualifies a Domain Controller on the network?</A ></H2 ><P @@ -6882,7 +6363,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1293" +NAME="AEN1208" >7.3.1. How does a Workstation find its domain controller?</A ></H3 ><P @@ -6901,7 +6382,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1296" +NAME="AEN1211" >7.3.2. When is the PDC needed?</A ></H3 ><P 
@@ -6917,7 +6398,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1299"
+NAME="AEN1214"
 >7.4. Can Samba be a Backup Domain Controller to an NT PDC?</A
 ></H2
 ><P
@@ -6940,7 +6421,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1304"
+NAME="AEN1219"
 >7.5. How do I set up a Samba BDC?</A
 ></H2
 ><P
@@ -7007,7 +6488,7 @@ CLASS="SECT2"
 ><HR><H3
 CLASS="SECT2"
 ><A
-NAME="AEN1321"
+NAME="AEN1236"
 >7.5.1. How do I replicate the smbpasswd file?</A
 ></H3
 ><P
@@ -7028,7 +6509,7 @@ CLASS="SECT2"
 ><HR><H3
 CLASS="SECT2"
 ><A
-NAME="AEN1325"
+NAME="AEN1240"
 >7.5.2. Can I do this all with LDAP?</A
 ></H3
 ><P
@@ -7055,7 +6536,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1336"
+NAME="AEN1251"
 >8.1. Setup your <TT
 CLASS="FILENAME"
 >smb.conf</TT
@@ -7095,7 +6576,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1347"
+NAME="AEN1262"
 >8.2. Setup your <TT
 CLASS="FILENAME"
 >/etc/krb5.conf</TT
@@ -7137,7 +6618,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1358"
+NAME="AEN1273"
 >8.3. Create the computer account</A
 ></H2
 ><P
@@ -7152,7 +6633,7 @@ CLASS="SECT2"
 ><HR><H3
 CLASS="SECT2"
 ><A
-NAME="AEN1362"
+NAME="AEN1277"
 >8.3.1. Possible errors</A
 ></H3
 ><P
@@ -7177,7 +6658,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1370"
+NAME="AEN1285"
 >8.4. Test your server setup</A
 ></H2
 ><P
@@ -7197,7 +6678,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1375"
+NAME="AEN1290"
 >8.5. Testing with smbclient</A
 ></H2
 ><P
@@ -7210,7 +6691,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1378"
+NAME="AEN1293"
 >8.6. Notes</A
 ></H2
 ><P
@@ -7233,7 +6714,7 @@ CLASS="SECT1"
 ><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1400"
+NAME="AEN1315"
 >9.1. Joining an NT Domain with Samba 3.0</A
 ></H2
 ><P
@@ -7416,7 +6897,7 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN1454"
+NAME="AEN1369"
 >9.2. Why is this better than security = server?</A
 ></H2
 ><P
@@ -7524,11 +7005,11 @@ NAME="OPTIONAL"
 CLASS="TITLEPAGE"
 ><H1
 CLASS="TITLE"
->III. Optional configuration</H1
+>III. Advanced Configuration</H1
 ><DIV
 CLASS="PARTINTRO"
 ><A
-NAME="AEN1472"
+NAME="AEN1387"
 ></A
 ><H1
 >Introduction</H1
@@ -7545,127 +7026,79 @@ CLASS="TOC" ></DT ><DT >10. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A +HREF="#ADVANCEDNETWORKMANAGEMENT" +>System Policies</A ></DT ><DD ><DL ><DT >10.1. <A -HREF="#AEN1486" ->Agenda</A -></DT -><DT ->10.2. <A -HREF="#AEN1508" ->Name Resolution in a pure Unix/Linux world</A +HREF="#AEN1401" +>Basic System Policy Info</A ></DT ><DD ><DL ><DT ->10.2.1. <A -HREF="#AEN1524" -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></A -></DT -><DT ->10.2.2. <A -HREF="#AEN1540" -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A -></DT -><DT ->10.2.3. <A -HREF="#AEN1551" -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A -></DT -><DT ->10.2.4. <A -HREF="#AEN1559" -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A +>10.1.1. <A +HREF="#AEN1445" +>Creating Group Prolicy Files</A ></DT ></DL ></DD ><DT ->10.3. <A -HREF="#AEN1571" ->Name resolution as used within MS Windows networking</A +>10.2. <A +HREF="#AEN1456" +>Roaming Profiles</A ></DT ><DD ><DL ><DT ->10.3.1. <A -HREF="#AEN1583" ->The NetBIOS Name Cache</A +>10.2.1. <A +HREF="#AEN1464" +>Windows NT Configuration</A ></DT ><DT ->10.3.2. <A -HREF="#AEN1588" ->The LMHOSTS file</A +>10.2.2. <A +HREF="#AEN1473" +>Windows 9X Configuration</A ></DT ><DT ->10.3.3. <A -HREF="#AEN1596" ->HOSTS file</A +>10.2.3. <A +HREF="#AEN1481" +>Win9X and WinNT Configuration</A ></DT ><DT ->10.3.4. <A -HREF="#AEN1601" ->DNS Lookup</A +>10.2.4. <A +HREF="#AEN1488" +>Windows 9X Profile Setup</A ></DT ><DT ->10.3.5. <A -HREF="#AEN1604" ->WINS Lookup</A -></DT -></DL -></DD -><DT ->10.4. <A -HREF="#AEN1616" ->How browsing functions and how to deploy stable and -dependable browsing using Samba</A +>10.2.5. <A +HREF="#AEN1524" +>Windows NT Workstation 4.0</A ></DT ><DT ->10.5. <A -HREF="#AEN1626" ->MS Windows security options and how to configure -Samba for seemless integration</A +>10.2.6. <A +HREF="#AEN1532" +>Windows NT/200x Server</A ></DT -><DD -><DL ><DT ->10.5.1. 
<A -HREF="#AEN1654" ->Use MS Windows NT as an authentication server</A +>10.2.7. <A +HREF="#AEN1535" +>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A ></DT ><DT ->10.5.2. <A -HREF="#AEN1662" ->Make Samba a member of an MS Windows NT security domain</A +>10.2.8. <A +HREF="#AEN1542" +>Windows NT 4</A ></DT ><DT ->10.5.3. <A -HREF="#AEN1679" ->Configure Samba as an authentication server</A +>10.2.9. <A +HREF="#AEN1580" +>Windows 2000/XP</A ></DT ></DL ></DD -><DT ->10.6. <A -HREF="#AEN1696" ->Conclusions</A -></DT ></DL ></DD ><DT @@ -7677,53 +7110,53 @@ HREF="#UNIX-PERMISSIONS" ><DL ><DT >11.1. <A -HREF="#AEN1717" +HREF="#AEN1663" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT >11.2. <A -HREF="#AEN1721" +HREF="#AEN1667" >How to view file security on a Samba share</A ></DT ><DT >11.3. <A -HREF="#AEN1732" +HREF="#AEN1678" >Viewing file ownership</A ></DT ><DT >11.4. <A -HREF="#AEN1752" +HREF="#AEN1698" >Viewing file or directory permissions</A ></DT ><DD ><DL ><DT >11.4.1. <A -HREF="#AEN1767" +HREF="#AEN1713" >File Permissions</A ></DT ><DT >11.4.2. <A -HREF="#AEN1781" +HREF="#AEN1727" >Directory Permissions</A ></DT ></DL ></DD ><DT >11.5. <A -HREF="#AEN1788" +HREF="#AEN1734" >Modifying file or directory permissions</A ></DT ><DT >11.6. <A -HREF="#AEN1810" +HREF="#AEN1756" >Interaction with the standard Samba create mask parameters</A ></DT ><DT >11.7. <A -HREF="#AEN1864" +HREF="#AEN1810" >Interaction with the standard Samba file attribute mapping</A ></DT @@ -7731,6 +7164,11 @@ HREF="#AEN1864" ></DD ><DT >12. <A +HREF="#GROUPMAPPING" +>Group mapping HOWTO</A +></DT +><DT +>13. <A HREF="#PAM" >Configuring PAM for distributed but centrally managed authentication</A 
@@ -7738,46 +7176,23 @@ managed authentication</A ><DD ><DL ><DT ->12.1. <A -HREF="#AEN1885" +>13.1. <A +HREF="#AEN1866" >Samba and PAM</A ></DT ><DT ->12.2. <A -HREF="#AEN1929" +>13.2. <A +HREF="#AEN1915" >Distributed Authentication</A ></DT ><DT ->12.3. <A -HREF="#AEN1936" +>13.3. <A +HREF="#AEN1920" >PAM Configuration in smb.conf</A ></DT ></DL ></DD ><DT ->13. <A -HREF="#MSDFS" ->Hosting a Microsoft Distributed File System tree on Samba</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1956" ->Instructions</A -></DT -><DD -><DL -><DT ->13.1.1. <A -HREF="#AEN1991" ->Notes</A -></DT -></DL -></DD -></DL -></DD -><DT >14. <A HREF="#PRINTING" >Printing Support</A 
@@ -7786,122 +7201,122 @@ HREF="#PRINTING"
 ><DL
 ><DT
 >14.1. <A
-HREF="#AEN2017"
+HREF="#AEN1946"
 >Introduction</A
 ></DT
 ><DT
 >14.2. <A
-HREF="#AEN2039"
+HREF="#AEN1968"
 >Configuration</A
 ></DT
 ><DD
 ><DL
 ><DT
 >14.2.1. <A
-HREF="#AEN2047"
+HREF="#AEN1976"
 >Creating [print$]</A
 ></DT
 ><DT
 >14.2.2. <A
-HREF="#AEN2082"
+HREF="#AEN2011"
 >Setting Drivers for Existing Printers</A
 ></DT
 ><DT
 >14.2.3. <A
-HREF="#AEN2098"
+HREF="#AEN2027"
 >Support a large number of printers</A
 ></DT
 ><DT
 >14.2.4. <A
-HREF="#AEN2109"
+HREF="#AEN2038"
 >Adding New Printers via the Windows NT APW</A
 ></DT
 ><DT
 >14.2.5. <A
-HREF="#AEN2139"
+HREF="#AEN2068"
 >Samba and Printer Ports</A
 ></DT
 ></DL
 ></DD
 ><DT
 >14.3. <A
-HREF="#AEN2147"
+HREF="#AEN2076"
 >The Imprints Toolset</A
 ></DT
 ><DD
 ><DL
 ><DT
 >14.3.1. <A
-HREF="#AEN2151"
+HREF="#AEN2080"
 >What is Imprints?</A
 ></DT
 ><DT
 >14.3.2. <A
-HREF="#AEN2161"
+HREF="#AEN2090"
 >Creating Printer Driver Packages</A
 ></DT
 ><DT
 >14.3.3. <A
-HREF="#AEN2164"
+HREF="#AEN2093"
 >The Imprints server</A
 ></DT
 ><DT
 >14.3.4. <A
-HREF="#AEN2168"
+HREF="#AEN2097"
 >The Installation Client</A
 ></DT
 ></DL
 ></DD
 ><DT
 >14.4. <A
-HREF="#AEN2190"
+HREF="#AEN2119"
 >Diagnosis</A
 ></DT
 ><DD
 ><DL
 ><DT
 >14.4.1. <A
-HREF="#AEN2192"
+HREF="#AEN2121"
 >Introduction</A
 ></DT
 ><DT
 >14.4.2. <A
-HREF="#AEN2208"
+HREF="#AEN2137"
 >Debugging printer problems</A
 ></DT
 ><DT
 >14.4.3. <A
-HREF="#AEN2217"
+HREF="#AEN2146"
 >What printers do I have?</A
 ></DT
 ><DT
 >14.4.4. <A
-HREF="#AEN2225"
+HREF="#AEN2154"
 >Setting up printcap and print servers</A
 ></DT
 ><DT
 >14.4.5. <A
-HREF="#AEN2253"
+HREF="#AEN2182"
 >Job sent, no output</A
 ></DT
 ><DT
 >14.4.6. <A
-HREF="#AEN2264"
+HREF="#AEN2193"
 >Job sent, strange output</A
 ></DT
 ><DT
 >14.4.7. <A
-HREF="#AEN2276"
+HREF="#AEN2205"
 >Raw PostScript printed</A
 ></DT
 ><DT
 >14.4.8. <A
-HREF="#AEN2279"
+HREF="#AEN2208"
 >Advanced Printing</A
 ></DT
 ><DT
 >14.4.9. <A
-HREF="#AEN2282"
+HREF="#AEN2211"
 >Real debugging</A
 ></DT
 ></DL
@@ -7917,46 +7332,46 @@ HREF="#CUPS-PRINTING"
 ><DL
 ><DT
 >15.1. <A
-HREF="#AEN2302"
+HREF="#AEN2231"
 >Introduction</A
 ></DT
 ><DT
 >15.2. <A
-HREF="#AEN2307"
+HREF="#AEN2236"
 >CUPS - RAW Print Through Mode</A
 ></DT
 ><DT
 >15.3. <A
-HREF="#AEN2362"
+HREF="#AEN2291"
 >The CUPS Filter Chains</A
 ></DT
 ><DT
 >15.4. <A
-HREF="#AEN2401"
+HREF="#AEN2330"
 >CUPS Print Drivers and Devices</A
 ></DT
 ><DD
 ><DL
 ><DT
 >15.4.1. <A
-HREF="#AEN2408"
+HREF="#AEN2337"
 >Further printing steps</A
 ></DT
 ></DL
 ></DD
 ><DT
 >15.5. <A
-HREF="#AEN2478"
+HREF="#AEN2407"
 >Limiting the number of pages users can print</A
 ></DT
 ><DT
 >15.6. <A
-HREF="#AEN2567"
+HREF="#AEN2496"
 >Advanced Postscript Printing from MS Windows</A
 ></DT
 ><DT
 >15.7. <A
-HREF="#AEN2582"
+HREF="#AEN2511"
 >Auto-Deletion of CUPS spool files</A
 ></DT
 ></DL
@@ -7970,399 +7385,394 @@ HREF="#WINBIND" ><DL ><DT >16.1. <A -HREF="#AEN2644" +HREF="#AEN2573" >Abstract</A ></DT ><DT >16.2. <A -HREF="#AEN2648" +HREF="#AEN2577" >Introduction</A ></DT ><DT >16.3. <A -HREF="#AEN2661" +HREF="#AEN2590" >What Winbind Provides</A ></DT ><DD ><DL ><DT >16.3.1. <A -HREF="#AEN2668" +HREF="#AEN2597" >Target Uses</A ></DT ></DL ></DD ><DT >16.4. <A -HREF="#AEN2672" +HREF="#AEN2601" >How Winbind Works</A ></DT ><DD ><DL ><DT >16.4.1. <A -HREF="#AEN2677" +HREF="#AEN2606" >Microsoft Remote Procedure Calls</A ></DT ><DT >16.4.2. <A -HREF="#AEN2681" +HREF="#AEN2610" >Microsoft Active Directory Services</A ></DT ><DT >16.4.3. <A -HREF="#AEN2684" +HREF="#AEN2613" >Name Service Switch</A ></DT ><DT >16.4.4. <A -HREF="#AEN2700" +HREF="#AEN2629" >Pluggable Authentication Modules</A ></DT ><DT >16.4.5. <A -HREF="#AEN2708" +HREF="#AEN2637" >User and Group ID Allocation</A ></DT ><DT >16.4.6. <A -HREF="#AEN2712" +HREF="#AEN2641" >Result Caching</A ></DT ></DL ></DD ><DT >16.5. <A -HREF="#AEN2715" +HREF="#AEN2644" >Installation and Configuration</A ></DT ><DD ><DL ><DT >16.5.1. <A -HREF="#AEN2720" +HREF="#AEN2649" >Introduction</A ></DT ><DT >16.5.2. <A -HREF="#AEN2733" +HREF="#AEN2662" >Requirements</A ></DT ><DT >16.5.3. <A -HREF="#AEN2747" +HREF="#AEN2676" >Testing Things Out</A ></DT ></DL ></DD ><DT >16.6. <A -HREF="#AEN2972" +HREF="#AEN2901" >Limitations</A ></DT ><DT >16.7. <A -HREF="#AEN2982" +HREF="#AEN2911" >Conclusion</A ></DT ></DL ></DD ><DT >17. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A +HREF="#INTEGRATE-MS-NETWORKS" +>Integrating MS Windows networks with Samba</A ></DT ><DD ><DL ><DT >17.1. <A -HREF="#AEN2992" ->Overview of browsing</A +HREF="#AEN2932" +>Name Resolution in a pure Unix/Linux world</A ></DT +><DD +><DL ><DT ->17.2. <A -HREF="#AEN2997" ->Browsing support in samba</A +>17.1.1. <A +HREF="#AEN2948" +><TT +CLASS="FILENAME" +>/etc/hosts</TT +></A ></DT ><DT ->17.3. 
<A -HREF="#AEN3005" ->Problem resolution</A +>17.1.2. <A +HREF="#AEN2964" +><TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></A ></DT ><DT ->17.4. <A -HREF="#AEN3014" ->Browsing across subnets</A +>17.1.3. <A +HREF="#AEN2975" +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +></A ></DT -><DD -><DL ><DT ->17.4.1. <A -HREF="#AEN3019" ->How does cross subnet browsing work ?</A +>17.1.4. <A +HREF="#AEN2983" +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></A ></DT ></DL ></DD ><DT ->17.5. <A -HREF="#AEN3054" ->Setting up a WINS server</A -></DT -><DT ->17.6. <A -HREF="#AEN3073" ->Setting up Browsing in a WORKGROUP</A +>17.2. <A +HREF="#AEN2995" +>Name resolution as used within MS Windows networking</A ></DT +><DD +><DL ><DT ->17.7. <A -HREF="#AEN3091" ->Setting up Browsing in a DOMAIN</A +>17.2.1. <A +HREF="#AEN3007" +>The NetBIOS Name Cache</A ></DT ><DT ->17.8. <A -HREF="#AEN3101" ->Forcing samba to be the master</A +>17.2.2. <A +HREF="#AEN3012" +>The LMHOSTS file</A ></DT ><DT ->17.9. <A -HREF="#AEN3110" ->Making samba the domain master</A +>17.2.3. <A +HREF="#AEN3020" +>HOSTS file</A ></DT ><DT ->17.10. <A -HREF="#AEN3128" ->Note about broadcast addresses</A +>17.2.4. <A +HREF="#AEN3025" +>DNS Lookup</A ></DT ><DT ->17.11. <A -HREF="#AEN3131" ->Multiple interfaces</A +>17.2.5. <A +HREF="#AEN3028" +>WINS Lookup</A ></DT ></DL ></DD +></DL +></DD ><DT >18. <A -HREF="#VFS" ->Stackable VFS modules</A +HREF="#IMPROVED-BROWSING" +>Improved browsing in samba</A ></DT ><DD ><DL ><DT >18.1. <A -HREF="#AEN3149" ->Introduction and configuration</A +HREF="#AEN3047" +>Overview of browsing</A ></DT ><DT >18.2. <A -HREF="#AEN3158" ->Included modules</A -></DT -><DD -><DL -><DT ->18.2.1. <A -HREF="#AEN3160" ->audit</A +HREF="#AEN3052" +>Browsing support in samba</A ></DT ><DT ->18.2.2. <A -HREF="#AEN3168" ->recycle</A +>18.3. <A +HREF="#AEN3060" +>Problem resolution</A ></DT ><DT ->18.2.3. <A -HREF="#AEN3205" ->netatalk</A -></DT -></DL -></DD -><DT ->18.3. 
<A -HREF="#AEN3212" ->VFS modules available elsewhere</A +>18.4. <A +HREF="#AEN3069" +>Browsing across subnets</A ></DT ><DD ><DL ><DT ->18.3.1. <A -HREF="#AEN3216" ->DatabaseFS</A -></DT -><DT ->18.3.2. <A -HREF="#AEN3224" ->vscan</A +>18.4.1. <A +HREF="#AEN3074" +>How does cross subnet browsing work ?</A ></DT ></DL ></DD -></DL -></DD -><DT ->19. <A -HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT ><DT ->20. <A -HREF="#SPEED" ->Samba performance issues</A -></DT -><DD -><DL -><DT ->20.1. <A -HREF="#AEN3279" ->Comparisons</A +>18.5. <A +HREF="#AEN3109" +>Setting up a WINS server</A ></DT ><DT ->20.2. <A -HREF="#AEN3285" ->Socket options</A +>18.6. <A +HREF="#AEN3128" +>Setting up Browsing in a WORKGROUP</A ></DT ><DT ->20.3. <A -HREF="#AEN3292" ->Read size</A +>18.7. <A +HREF="#AEN3146" +>Setting up Browsing in a DOMAIN</A ></DT ><DT ->20.4. <A -HREF="#AEN3297" ->Max xmit</A +>18.8. <A +HREF="#AEN3156" +>Forcing samba to be the master</A ></DT ><DT ->20.5. <A -HREF="#AEN3302" ->Log level</A +>18.9. <A +HREF="#AEN3165" +>Making samba the domain master</A ></DT ><DT ->20.6. <A -HREF="#AEN3305" ->Read raw</A +>18.10. <A +HREF="#AEN3183" +>Note about broadcast addresses</A ></DT ><DT ->20.7. <A -HREF="#AEN3310" ->Write raw</A +>18.11. <A +HREF="#AEN3186" +>Multiple interfaces</A ></DT +></DL +></DD ><DT ->20.8. <A -HREF="#AEN3314" ->Slow Clients</A +>19. <A +HREF="#MSDFS" +>Hosting a Microsoft Distributed File System tree on Samba</A ></DT +><DD +><DL ><DT ->20.9. <A -HREF="#AEN3318" ->Slow Logins</A +>19.1. <A +HREF="#AEN3200" +>Instructions</A ></DT +><DD +><DL ><DT ->20.10. <A -HREF="#AEN3321" ->Client tuning</A +>19.1.1. <A +HREF="#AEN3235" +>Notes</A ></DT ></DL ></DD +></DL +></DD ><DT ->21. <A -HREF="#GROUPPROFILES" ->Creating Group Prolicy Files</A +>20. <A +HREF="#VFS" +>Stackable VFS modules</A ></DT ><DD ><DL ><DT ->21.1. <A -HREF="#AEN3369" ->Windows '9x</A +>20.1. <A +HREF="#AEN3259" +>Introduction and configuration</A ></DT ><DT ->21.2. 
<A -HREF="#AEN3379" ->Windows NT 4</A +>20.2. <A +HREF="#AEN3268" +>Included modules</A ></DT ><DD ><DL ><DT ->21.2.1. <A -HREF="#AEN3402" ->Side bar Notes</A -></DT -><DT ->21.2.2. <A -HREF="#AEN3406" ->Mandatory profiles</A +>20.2.1. <A +HREF="#AEN3270" +>audit</A ></DT ><DT ->21.2.3. <A -HREF="#AEN3409" ->moveuser.exe</A +>20.2.2. <A +HREF="#AEN3278" +>recycle</A ></DT ><DT ->21.2.4. <A -HREF="#AEN3412" ->Get SID</A +>20.2.3. <A +HREF="#AEN3315" +>netatalk</A ></DT ></DL ></DD ><DT ->21.3. <A -HREF="#AEN3417" ->Windows 2000/XP</A +>20.3. <A +HREF="#AEN3322" +>VFS modules available elsewhere</A +></DT +><DD +><DL +><DT +>20.3.1. <A +HREF="#AEN3326" +>DatabaseFS</A +></DT +><DT +>20.3.2. <A +HREF="#AEN3334" +>vscan</A ></DT ></DL ></DD +></DL +></DD ><DT ->22. <A +>21. <A HREF="#SECURING-SAMBA" >Securing Samba</A ></DT ><DD ><DL ><DT ->22.1. <A -HREF="#AEN3498" +>21.1. <A +HREF="#AEN3348" >Introduction</A ></DT ><DT ->22.2. <A -HREF="#AEN3501" +>21.2. <A +HREF="#AEN3351" >Using host based protection</A ></DT ><DT ->22.3. <A -HREF="#AEN3508" +>21.3. <A +HREF="#AEN3358" >Using interface protection</A ></DT ><DT ->22.4. <A -HREF="#AEN3517" +>21.4. <A +HREF="#AEN3367" >Using a firewall</A ></DT ><DT ->22.5. <A -HREF="#AEN3524" +>21.5. <A +HREF="#AEN3374" >Using a IPC$ share deny</A ></DT ><DT ->22.6. <A -HREF="#AEN3533" +>21.6. <A +HREF="#AEN3383" >Upgrading Samba</A ></DT ></DL ></DD ><DT ->23. <A +>22. <A HREF="#UNICODE" >Unicode/Charsets</A ></DT ><DD ><DL ><DT ->23.1. <A -HREF="#AEN3547" +>22.1. <A +HREF="#AEN3397" >What are charsets and unicode?</A ></DT ><DT ->23.2. <A -HREF="#AEN3556" +>22.2. <A +HREF="#AEN3406" >Samba and charsets</A ></DT ></DL 
@@ -8374,116 +7784,183 @@ HREF="#AEN3556" CLASS="CHAPTER" ><HR><H1 ><A -NAME="INTEGRATE-MS-NETWORKS" +NAME="ADVANCEDNETWORKMANAGEMENT" ></A ->Chapter 10. Integrating MS Windows networks with Samba</H1 +>Chapter 10. System Policies</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1486" ->10.1. Agenda</A +NAME="AEN1401" +>10.1. Basic System Policy Info</A ></H2 ><P ->To identify the key functional mechanisms of MS Windows networking -to enable the deployment of Samba as a means of extending and/or -replacing MS Windows NT/2000 technology.</P +>Much of the information necessary to implement System Policies and +Roaming User Profiles in a Samba domain is the same as that for +implementing these same items in a Windows NT 4.0 domain. +You should read the white paper <A +HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" +TARGET="_top" +>Implementing +Profiles and Policies in Windows NT 4.0</A +> available from Microsoft.</P ><P ->We will examine:</P +>Here are some additional details:</P ><P ></P -><OL -TYPE="1" +><UL ><LI ><P ->Name resolution in a pure Unix/Linux TCP/IP - environment +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>What about Windows NT Policy Editor?</I +></SPAN +> </P -></LI -><LI ><P ->Name resolution as used within MS Windows - networking +> To create or edit <TT +CLASS="FILENAME" +>ntconfig.pol</TT +> you must use + the NT Server Policy Editor, <B +CLASS="COMMAND" +>poledit.exe</B +> which + is included with NT Server but <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>not NT Workstation</I +></SPAN +>. + There is a Policy Editor on a NTws + but it is not suitable for creating <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Domain Policies</I +></SPAN +>. + Further, although the Windows 95 + Policy Editor can be installed on an NT Workstation/Server, it will not + work with NT policies because the registry key that are set by the policy templates. 
+ However, the files from the NT Server will run happily enough on an NTws. + You need <TT +CLASS="FILENAME" +>poledit.exe, common.adm</TT +> and <TT +CLASS="FILENAME" +>winnt.adm</TT +>. It is convenient + to put the two *.adm files in <TT +CLASS="FILENAME" +>c:\winnt\inf</TT +> which is where + the binary will look for them unless told otherwise. Note also that that + directory is 'hidden'. </P -></LI -><LI ><P ->How browsing functions and how to deploy stable - and dependable browsing using Samba +> The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using <B +CLASS="COMMAND" +>servicepackname /x</B +>, + i.e. that's <B +CLASS="COMMAND" +>Nt4sp6ai.exe /x</B +> for service pack 6a. The policy editor, + <B +CLASS="COMMAND" +>poledit.exe</B +> and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. </P ></LI ><LI ><P ->MS Windows security options and how to - configure Samba for seemless integration +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Can Win95 do Policies?</I +></SPAN +> </P -></LI -><LI -><P ->Configuration of Samba as:</P ><P -></P -><OL -TYPE="a" -><LI +> Install the group policy handler for Win9x to pick up group + policies. Look on the Win98 CD in <TT +CLASS="FILENAME" +>\tools\reskit\netadmin\poledit</TT +>. + Install group policies on a Win9x client by double-clicking + <TT +CLASS="FILENAME" +>grouppol.inf</TT +>. Log off and on again a couple of + times and see if Win98 picks up group policies. Unfortunately this needs + to be done on every Win9x machine that uses group policies.... + </P ><P ->A stand-alone server</P +> If group policies don't work one reports suggests getting the updated + (read: working) grouppol.dll for Windows 9x. 
The group list is grabbed + from /etc/group. + </P ></LI ><LI ><P ->An MS Windows NT 3.x/4.0 security domain member - </P -></LI -><LI +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get 'User Manager' and 'Server Manager'</I +></SPAN +> + </P ><P ->An alternative to an MS Windows NT 3.x/4.0 Domain Controller - </P -></LI -></OL -></LI -></OL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1508" ->10.2. Name Resolution in a pure Unix/Linux world</A -></H2 +> Since I don't need to buy an NT Server CD now, how do I get + the 'User Manager for Domains', the 'Server Manager'? + </P ><P ->The key configuration files covered in this section are:</P +> Microsoft distributes a version of these tools called nexus for + installation on Windows 95 systems. The tools set includes + </P ><P ></P ><UL ><LI ><P -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></P +>Server Manager</P ></LI ><LI ><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P +>User Manager for Domains</P ></LI ><LI ><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></P +>Event Viewer</P ></LI -><LI +></UL ><P -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></P +> Click here to download the archived file <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A +> + </P +><P +> The Windows NT 4.0 version of the 'User Manager for + Domains' and 'Server Manager' are available from Microsoft via ftp + from <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +> + </P ></LI ></UL ><DIV 
@@ -8491,925 +7968,868 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1524" ->10.2.1. <TT -CLASS="FILENAME" ->/etc/hosts</TT -></A +NAME="AEN1445" +>10.1.1. Creating Group Prolicy Files</A ></H3 +><DIV +CLASS="SECT3" +><H4 +CLASS="SECT3" +><A +NAME="AEN1447" +>10.1.1.1. Windows '9x</A +></H4 ><P ->Contains a static list of IP Addresses and names. -eg:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> 127.0.0.1 localhost localhost.localdomain - 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE -></P +>You need the Win98 Group Policy Editor to +set Group Profiles up under Windows '9x. It can be found on the Original +full product Win98 installation CD under +<TT +CLASS="FILENAME" +>tools/reskit/netadmin/poledit</TT +>. You install this +using the Add/Remove Programs facility and then click on the 'Have Disk' +tab.</P ><P ->The purpose of <TT +>Use the Group Policy Editor to create a policy file that specifies the +location of user profiles and/or the <TT CLASS="FILENAME" ->/etc/hosts</TT -> is to provide a -name resolution mechanism so that uses do not need to remember -IP addresses.</P +>My Documents</TT +> etc. +stuff. You then save these settings in a file called +<TT +CLASS="FILENAME" +>Config.POL</TT +> that needs to be placed in +the root of the [NETLOGON] share. If your Win98 is configured to log onto +the Samba Domain, it will automatically read this file and update the +Win9x/Me registry of the machine that is logging on.</P ><P ->Network packets that are sent over the physical network transport -layer communicate not via IP addresses but rather using the Media -Access Control address, or MAC address. IP Addresses are currently -32 bits in length and are typically presented as four (4) decimal -numbers that are separated by a dot (or period). eg: 168.192.1.1</P +>All of this is covered in the Win98 Resource Kit documentation.</P ><P ->MAC Addresses use 48 bits (or 6 bytes) and are typically represented -as two digit hexadecimal numbers separated by colons. 
eg: -40:8e:0a:12:34:56</P +>If you do not do it this way, then every so often Win9x/Me will check the +integrity of the registry and will restore it's settings from the back-up +copy of the registry it stores on each Win9x/Me machine. Hence, you will +occasionally notice things changing back to the original settings.</P +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN1456" +>10.2. Roaming Profiles</A +></H2 +><DIV +CLASS="WARNING" ><P ->Every network interfrace must have an MAC address. Associated with -a MAC address there may be one or more IP addresses. There is NO -relationship between an IP address and a MAC address, all such assignments -are arbitary or discretionary in nature. At the most basic level all -network communications takes place using MAC addressing. Since MAC -addresses must be globally unique, and generally remains fixed for -any particular interface, the assignment of an IP address makes sense -from a network management perspective. More than one IP address can -be assigned per MAC address. One address must be the primary IP address, -this is the address that will be returned in the ARP reply.</P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->When a user or a process wants to communicate with another machine -the protocol implementation ensures that the "machine name" or "host -name" is resolved to an IP address in a manner that is controlled -by the TCP/IP configuration control files. 
The file -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> is one such file.</P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE!</I +></SPAN +> Roaming profiles support is different for Win9X and WinNT.</P +></TD +></TR +></TABLE +></DIV ><P ->When the IP address of the destination interface has been -determined a protocol called ARP/RARP is used to identify -the MAC address of the target interface. ARP stands for Address -Resolution Protocol, and is a broadcast oriented method that -uses UDP (User Datagram Protocol) to send a request to all -interfaces on the local network segment using the all 1's MAC -address. Network interfaces are programmed to respond to two -MAC addresses only; their own unique address and the address -ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will -contain the MAC address and the primary IP address for each -interface.</P +>Before discussing how to configure roaming profiles, it is useful to see how +Win9X and WinNT clients implement these features.</P ><P ->The <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file is foundational to all -Unix/Linux TCP/IP installations and as a minumum will contain -the localhost and local network interface IP addresses and the -primary names by which they are known within the local machine. -This file helps to prime the pump so that a basic level of name -resolution can exist before any other method of name resolution -becomes available.</P -></DIV +>Win9X clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Win9X +profiles are restricted to being in the user's home directory.</P +><P +>WinNT clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles. 
+This means that support for profiles is different for Win9X and WinNT.</P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1540" ->10.2.2. <TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A +NAME="AEN1464" +>10.2.1. Windows NT Configuration</A ></H3 ><P ->This file tells the name resolution libraries:</P +>To support WinNT clients, in the [global] section of smb.conf set the +following (for example):</P ><P +><PRE +CLASS="PROGRAMLISTING" +>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE ></P -><UL -><LI ><P ->The name of the domain to which the machine - belongs - </P -></LI -><LI +>The default for this option is \\%N\%U\profile, namely +\\sambaserver\username\profile. The \\N%\%U service is created +automatically by the [homes] service. +If you are using a samba server for the profiles, you _must_ make the +share specified in the logon path browseable. </P +><DIV +CLASS="NOTE" ><P ->The name(s) of any domains that should be - automatically searched when trying to resolve unqualified - host names to their IP address - </P -></LI -><LI +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->The name or IP address of available Domain - Name Servers that may be asked to perform name to address - translation lookups - </P -></LI -></UL +>MS Windows NT/2K clients at times do not disconnect a connection to a server +between logons. It is recommended to NOT use the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>homes</I +></SPAN +> +meta-service name as part of the profile share path.</P +></TD +></TR +></TABLE +></DIV ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1551" ->10.2.3. <TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A +NAME="AEN1473" +>10.2.2. 
Windows 9X Configuration</A ></H3 ><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -> is the primary means by -which the setting in /etc/resolv.conf may be affected. It is a -critical configuration file. This file controls the order by -which name resolution may procede. The typical structure is:</P +>To support Win9X clients, you must use the "logon home" parameter. Samba has +now been fixed so that "net use /home" now works as well, and it, too, relies +on the "logon home" parameter.</P +><P +>By using the logon home parameter, you are restricted to putting Win9X +profiles in the user's home directory. But wait! There is a trick you +can use. If you set the following in the [global] section of your +smb.conf file:</P ><P ><PRE CLASS="PROGRAMLISTING" -> order hosts,bind - multi on</PRE +>logon home = \\%L\%U\.profiles</PRE ></P ><P ->then both addresses should be returned. Please refer to the -man page for host.conf for further details.</P +>then your Win9X clients will dutifully put their clients in a subdirectory +of your home directory called .profiles (thus making them hidden).</P +><P +>Not only that, but 'net use/home' will also work, because of a feature in +Win9X. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified \\%L\%U for "logon home".</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1559" ->10.2.4. <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A +NAME="AEN1481" +>10.2.3. Win9X and WinNT Configuration</A ></H3 ><P ->This file controls the actual name resolution targets. The -file typically has resolver object specifications as follows:</P +>You can support profiles for both Win9X and WinNT clients by setting both the +"logon home" and "logon path" parameters. For example:</P ><P ><PRE CLASS="PROGRAMLISTING" -> # /etc/nsswitch.conf - # - # Name Service Switch configuration file. 
- # - - passwd: compat - # Alternative entries for password authentication are: - # passwd: compat files nis ldap winbind - shadow: compat - group: compat - - hosts: files nis dns - # Alternative entries for host name resolution are: - # hosts: files dns nis nis+ hesoid db compat ldap wins - networks: nis files dns - - ethers: nis files - protocols: nis files - rpc: nis files - services: nis files</PRE +>logon home = \\%L\%U\.profiles +logon path = \\%L\profiles\%U</PRE ></P +><DIV +CLASS="NOTE" ><P ->Of course, each of these mechanisms requires that the appropriate -facilities and/or services are correctly configured.</P -><P ->It should be noted that unless a network request/message must be -sent, TCP/IP networks are silent. All TCP/IP communications assumes a -principal of speaking only when necessary.</P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->Starting with version 2.2.0 samba has Linux support for extensions to -the name service switch infrastructure so that linux clients will -be able to obtain resolution of MS Windows NetBIOS names to IP -Addresses. To gain this functionality Samba needs to be compiled -with appropriate arguments to the make command (ie: <B -CLASS="COMMAND" ->make -nsswitch/libnss_wins.so</B ->). The resulting library should -then be installed in the <TT -CLASS="FILENAME" ->/lib</TT -> directory and -the "wins" parameter needs to be added to the "hosts:" line in -the <TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> file. 
At this point it -will be possible to ping any MS Windows machine by it's NetBIOS -machine name, so long as that machine is within the workgroup to -which both the samba machine and the MS Windows machine belong.</P +>I have not checked what 'net use /home' does on NT when "logon home" is +set as above.</P +></TD +></TR +></TABLE ></DIV ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN1571" ->10.3. Name resolution as used within MS Windows networking</A -></H2 +NAME="AEN1488" +>10.2.4. Windows 9X Profile Setup</A +></H3 ><P ->MS Windows networking is predicated about the name each machine -is given. This name is known variously (and inconsistently) as -the "computer name", "machine name", "networking name", "netbios name", -"SMB name". All terms mean the same thing with the exception of -"netbios name" which can apply also to the name of the workgroup or the -domain name. The terms "workgroup" and "domain" are really just a -simply name with which the machine is associated. All NetBIOS names -are exactly 16 characters in length. The 16th character is reserved. -It is used to store a one byte value that indicates service level -information for the NetBIOS name that is registered. A NetBIOS machine -name is therefore registered for each service type that is provided by -the client/server.</P +>When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders "Start Menu", "Desktop", "Programs" and "Nethood". +These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. 
You will need to use the [global] +options "preserve case = yes", "short preserve case = yes" and +"case sensitive = no" in order to maintain capital letters in shortcuts +in any of the profile folders.</P ><P ->The following are typical NetBIOS name/service type registrations:</P +>The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file.</P ><P -><PRE -CLASS="PROGRAMLISTING" -> Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser - - Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers</PRE ></P +><OL +TYPE="1" +><LI ><P ->It should be noted that all NetBIOS machines register their own -names as per the above. This is in vast contrast to TCP/IP -installations where traditionally the system administrator will -determine in the /etc/hosts or in the DNS database what names -are associated with each IP address.</P +> On the Windows 95 machine, go to Control Panel | Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer + to reboot. + </P +></LI +><LI ><P ->One further point of clarification should be noted, the <TT -CLASS="FILENAME" ->/etc/hosts</TT -> -file and the DNS records do not provide the NetBIOS name type information -that MS Windows clients depend on to locate the type of service that may -be needed. An example of this is what happens when an MS Windows client -wants to locate a domain logon server. 
It find this service and the IP -address of a server that provides it by performing a lookup (via a -NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each -IP address that is returned in the enumerated list of IP addresses. Which -ever machine first replies then ends up providing the logon services.</P +> On the Windows 95 machine, go to Control Panel | Network | + Client for Microsoft Networks | Preferences. Select 'Log on to + NT Domain'. Then, ensure that the Primary Logon is 'Client for + Microsoft Networks'. Press OK, and this time allow the computer + to reboot. + </P +></LI +></OL ><P ->The name "workgroup" or "domain" really can be confusing since these -have the added significance of indicating what is the security -architecture of the MS Windows network. The term "workgroup" indicates -that the primary nature of the network environment is that of a -peer-to-peer design. In a WORKGROUP all machines are responsible for -their own security, and generally such security is limited to use of -just a password (known as SHARE MODE security). In most situations -with peer-to-peer networking the users who control their own machines -will simply opt to have no security at all. It is possible to have -USER MODE security in a WORKGROUP environment, thus requiring use -of a user name and a matching password.</P +>Under Windows 95, Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, if you ask me.</P ><P ->MS Windows networking is thus predetermined to use machine names -for all local and remote machine message passing. 
The protocol used is -called Server Message Block (SMB) and this is implemented using -the NetBIOS protocol (Network Basic Input Output System). NetBIOS can -be encapsulated using LLC (Logical Link Control) protocol - in which case -the resulting protocol is called NetBEUI (Network Basic Extended User -Interface). NetBIOS can also be run over IPX (Internetworking Packet -Exchange) protocol as used by Novell NetWare, and it can be run -over TCP/IP protocols - in which case the resulting protocol is called -NBT or NetBT, the NetBIOS over TCP/IP.</P +>You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password.</P ><P ->MS Windows machines use a complex array of name resolution mechanisms. -Since we are primarily concerned with TCP/IP this demonstration is -limited to this area.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1583" ->10.3.1. The NetBIOS Name Cache</A -></H3 +>Once the user has been successfully validated, the Windows 95 machine +will inform you that 'The user has not logged on before' and asks you +if you wish to save the user's preferences? Select 'yes'.</P ><P ->All MS Windows machines employ an in memory buffer in which is -stored the NetBIOS names and IP addresses for all external -machines that that machine has communicated with over the -past 10-15 minutes. 
It is more efficient to obtain an IP address -for a machine from the local cache than it is to go through all the -configured name resolution mechanisms.</P +>Once the Windows 95 client comes up with the desktop, you should be able +to examine the contents of the directory specified in the "logon path" +on the samba server and verify that the "Desktop", "Start Menu", +"Programs" and "Nethood" folders have been created.</P ><P ->If a machine whose name is in the local name cache has been shut -down before the name had been expired and flushed from the cache, then -an attempt to exchange a message with that machine will be subject -to time-out delays. i.e.: Its name is in the cache, so a name resolution -lookup will succeed, but the machine can not respond. This can be -frustrating for users - but it is a characteristic of the protocol.</P +>These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then :-). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set.</P ><P ->The MS Windows utility that allows examination of the NetBIOS -name cache is called "nbtstat". The Samba equivalent of this -is called "nmblookup".</P +>If you have made the folders / files read-only on the samba server, +then you will get errors from the w95 machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the w95 machine, check the Unix file +permissions and ownership rights on the profile directory contents, +on the samba server.</P +><P +>If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. 
When this user then next logs in, +they will be told that they are logging in "for the first time".</P +><P +></P +><OL +TYPE="1" +><LI +><P +> instead of logging in under the [user, password, domain] dialog, + press escape. + </P +></LI +><LI +><P +> run the regedit.exe program, and look in: + </P +><P +> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList + </P +><P +> you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be c:\windows\profiles\username), + then delete the key ProfilePath for the required user. + </P +><P +> [Exit the registry editor]. + </P +></LI +><LI +><P +> <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>WARNING</I +></SPAN +> - before deleting the contents of the + directory listed in + the ProfilePath (this is likely to be c:\windows\profiles\username), + ask them if they have any important files stored on their desktop + or in their start menu. delete the contents of the directory + ProfilePath (making a backup if any of the files are needed). + </P +><P +> This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. + </P +></LI +><LI +><P +> search for the user's .PWL password-caching file in the c:\windows + directory, and delete it. + </P +></LI +><LI +><P +> log off the windows 95 client. + </P +></LI +><LI +><P +> check the contents of the profile path (see "logon path" described + above), and delete the user.DAT or user.MAN file for the user, + making a backup if required. + </P +></LI +></OL +><P +>If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as tcpdump or netmon.exe, and +look for any error reports.</P +><P +>If you have access to an NT server, then first set up roaming profiles +and / or netlogons on the NT server. 
Make a packet trace, or examine +the example packet traces provided with NT server, and see what the +differences are with the equivalent samba trace.</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1588" ->10.3.2. The LMHOSTS file</A +NAME="AEN1524" +>10.2.5. Windows NT Workstation 4.0</A ></H3 ><P ->This file is usually located in MS Windows NT 4.0 or -2000 in <TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the machine name in matched pairs. The -<TT -CLASS="FILENAME" ->LMHOSTS</TT -> file performs NetBIOS name -to IP address mapping oriented.</P +>When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the "logon path" parameter. </P ><P ->It typically looks like:</P +>There is a parameter that is now available for use with NT Profiles: +"logon drive". This should be set to "h:" or any other drive, and +should be used in conjunction with the new "logon home" parameter.</P ><P -><PRE -CLASS="PROGRAMLISTING" -> # Copyright (c) 1998 Microsoft Corp. - # - # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS - # over TCP/IP) stack for Windows98 - # - # This file contains the mappings of IP addresses to NT computernames - # (NetBIOS) names. Each entry should be kept on an individual line. - # The IP address should be placed in the first column followed by the - # corresponding computername. The address and the comptername - # should be separated by at least one space or tab. The "#" character - # is generally used to denote the start of a comment (see the exceptions - # below). 
- # - # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts - # files and offers the following extensions: - # - # #PRE - # #DOM:<domain> - # #INCLUDE <filename> - # #BEGIN_ALTERNATE - # #END_ALTERNATE - # \0xnn (non-printing character support) - # - # Following any entry in the file with the characters "#PRE" will cause - # the entry to be preloaded into the name cache. By default, entries are - # not preloaded, but are parsed only after dynamic name resolution fails. - # - # Following an entry with the "#DOM:<domain>" tag will associate the - # entry with the domain specified by <domain>. This affects how the - # browser and logon services behave in TCP/IP environments. To preload - # the host name associated with #DOM entry, it is necessary to also add a - # #PRE to the line. The <domain> is always preloaded although it will not - # be shown when the name cache is viewed. - # - # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) - # software to seek the specified <filename> and parse it as if it were - # local. <filename> is generally a UNC-based name, allowing a - # centralized lmhosts file to be maintained on a server. - # It is ALWAYS necessary to provide a mapping for the IP address of the - # server prior to the #INCLUDE. This mapping must use the #PRE directive. - # In addtion the share "public" in the example below must be in the - # LanManServer list of "NullSessionShares" in order for client machines to - # be able to read the lmhosts file successfully. This key is under - # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares - # in the registry. Simply add "public" to the list found there. - # - # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE - # statements to be grouped together. Any single successful include - # will cause the group to succeed. 
- # - # Finally, non-printing characters can be embedded in mappings by - # first surrounding the NetBIOS name in quotations, then using the - # \0xnn notation to specify a hex value for a non-printing character. - # - # The following example illustrates all of these extensions: - # - # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC - # 102.54.94.102 "appname \0x14" #special app server - # 102.54.94.123 popular #PRE #source server - # 102.54.94.117 localsrv #PRE #needed for the include - # - # #BEGIN_ALTERNATE - # #INCLUDE \\localsrv\public\lmhosts - # #INCLUDE \\rhino\public\lmhosts - # #END_ALTERNATE - # - # In the above example, the "appname" server contains a special - # character in its name, the "popular" and "localsrv" server names are - # preloaded, and the "rhino" server name is specified so it can be used - # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" - # system is unavailable. - # - # Note that the whole file is parsed including comments on each lookup, - # so keeping the number of comments to a minimum will improve performance. - # Therefore it is not advisable to simply add lmhosts file entries onto the - # end of this file.</PRE -></P +>The entry for the NT 4.0 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension +for those situations where it might be created.)</P +><P +>In the profile directory, NT creates more folders than 95. It creates +"Application Data" and others, as well as "Desktop", "Nethood", +"Start Menu" and "Programs". The profile itself is stored in a file +NTuser.DAT. 
Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown.</P +><P +>You can use the System Control Panel to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +turns a profile into a mandatory one.</P +><P +>The case of the profile is significant. The file must be called +NTuser.DAT or, for a mandatory profile, NTuser.MAN.</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1596" ->10.3.3. HOSTS file</A +NAME="AEN1532" +>10.2.6. Windows NT/200x Server</A ></H3 ><P ->This file is usually located in MS Windows NT 4.0 or 2000 in -<TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the IP hostname in matched pairs. It can be -used by the name resolution infrastructure in MS Windows, depending -on how the TCP/IP environment is configured. This file is in -every way the equivalent of the Unix/Linux <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file.</P +>There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords.</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1601" ->10.3.4. DNS Lookup</A +NAME="AEN1535" +>10.2.7. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A ></H3 ><P ->This capability is configured in the TCP/IP setup area in the network -configuration facility. If enabled an elaborate name resolution sequence -is followed the precise nature of which isdependant on what the NetBIOS -Node Type parameter is configured to. 
A Node Type of 0 means use -NetBIOS broadcast (over UDP broadcast) is first used if the name -that is the subject of a name lookup is not found in the NetBIOS name -cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to -Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the -WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast -lookup is used.</P +>Sharing of desktop profiles between Windows versions is NOT recommended. +Desktop profiles are an evolving phenomenon and profiles for later versions +of MS Windows clients add features that may interfere with earlier versions +of MS Windows clients. Probably the more salient reason to NOT mix profiles +is that when logging off an earlier version of MS Windows the older format +of profile contents may overwrite information that belongs to the newer +version resulting in loss of profile information content when that user logs +on again with the newer version of MS Windows.</P +><P +>If you then want to share the same Start Menu / Desktop with W9x/Me, you will +need to specify a common location for the profiles. The smb.conf parameters +that need to be common are <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>logon path</I +></SPAN +> and +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>logon home</I +></SPAN +>.</P +><P +>If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory.</P ></DIV ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1604" ->10.3.5. WINS Lookup</A +NAME="AEN1542" +>10.2.8. Windows NT 4</A ></H3 ><P ->A WINS (Windows Internet Name Server) service is the equivaent of the -rfc1001/1002 specified NBNS (NetBIOS Name Server). 
A WINS server stores -the names and IP addresses that are registered by a Windows client -if the TCP/IP setup has been given at least one WINS Server IP Address.</P +>Unfortunately, the Resource Kit info is Win NT4 or 200x specific.</P ><P ->To configure Samba to be a WINS server the following parameter needs -to be added to the <TT -CLASS="FILENAME" ->smb.conf</TT -> file:</P +>Here is a quick guide:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = Yes</PRE ></P +><UL +><LI ><P ->To configure Samba to use a WINS server the following parameters are -needed in the smb.conf file:</P +>On your NT4 Domain Controller, right click on 'My Computer', then +select the tab labelled 'User Profiles'.</P +></LI +><LI +><P +>Select a user profile you want to migrate and click on it.</P +><DIV +CLASS="NOTE" ><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = No - wins server = xxx.xxx.xxx.xxx</PRE ></P +><TABLE +CLASS="NOTE" +WIDTH="90%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->where <VAR -CLASS="REPLACEABLE" ->xxx.xxx.xxx.xxx</VAR -> is the IP address -of the WINS server.</P -></DIV +>I am using the term "migrate" lossely. You can copy a profile to +create a group profile. You can give the user 'Everyone' rights to the +profile you copy this to. That is what you need to do, since your samba +domain is not a member of a trust relationship with your NT4 PDC.</P +></TD +></TR +></TABLE ></DIV +></LI +><LI +><P +>Click the 'Copy To' button.</P +></LI +><LI +><P +>In the box labelled 'Copy Profile to' add your new path, eg: +<TT +CLASS="FILENAME" +>c:\temp\foobar</TT +></P +></LI +><LI +><P +>Click on the button labelled 'Change' in the "Permitted to use" box.</P +></LI +><LI +><P +>Click on the group 'Everyone' and then click OK. 
This closes the +'chose user' box.</P +></LI +><LI +><P +>Now click OK.</P +></LI +></UL +><P +>Follow the above for every profile you need to migrate.</P ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN1616" ->10.4. How browsing functions and how to deploy stable and -dependable browsing using Samba</A -></H2 +NAME="AEN1565" +>10.2.8.1. Side bar Notes</A +></H4 ><P ->As stated above, MS Windows machines register their NetBIOS names -(i.e.: the machine name for each service type in operation) on start -up. Also, as stated above, the exact method by which this name registration -takes place is determined by whether or not the MS Windows client/server -has been given a WINS server address, whether or not LMHOSTS lookup -is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P +>You should obtain the SID of your NT4 domain. You can use smbpasswd to do +this. Read the man page.</P ><P ->In the case where there is no WINS server all name registrations as -well as name lookups are done by UDP broadcast. This isolates name -resolution to the local subnet, unless LMHOSTS is used to list all -names and IP addresses. In such situations Samba provides a means by -which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter).</P +>With Samba-3.0.0 alpha code you can import all you NT4 domain accounts +using the net samsync method. This way you can retain your profile +settings as well as all your users.</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN1569" +>10.2.8.2. Mandatory profiles</A +></H4 ><P ->Where a WINS server is used, the MS Windows client will use UDP -unicast to register with the WINS server. Such packets can be routed -and thus WINS allows name resolution to function across routed networks.</P +>The above method can be used to create mandatory profiles also. 
To convert +a group profile into a mandatory profile simply locate the NTUser.DAT file +in the copied profile and rename it to NTUser.MAN.</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN1572" +>10.2.8.3. moveuser.exe</A +></H4 ><P ->During the startup process an election will take place to create a -local master browser if one does not already exist. On each NetBIOS network -one machine will be elected to function as the domain master browser. This -domain browsing has nothing to do with MS security domain control. -Instead, the domain master browser serves the role of contacting each local -master browser (found by asking WINS or from LMHOSTS) and exchanging browse -list contents. This way every master browser will eventually obtain a complete -list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By the nature of -the election criteria used, the machine with the highest uptime, or the -most senior protocol version, or other criteria, will win the election -as domain master browser.</P +>The W2K professional resource kit has moveuser.exe. moveuser.exe changes +the security of a profile from one user to another. This allows the account +domain to change, and/or the user name to change.</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN1575" +>10.2.8.4. Get SID</A +></H4 ><P ->Clients wishing to browse the network make use of this list, but also depend -on the availability of correct name resolution to the respective IP -address/addresses. 
</P +>You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 +Resource Kit.</P ><P ->Any configuration that breaks name resolution and/or browsing intrinsics -will annoy users because they will have to put up with protracted -inability to use the network services.</P +>Windows NT 4.0 stores the local profile information in the registry under +the following key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</P ><P ->Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and -to request browse list synchronisation. This effectively bridges -two networks that are separated by routers. The two remote -networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and -that is distinct from name to address resolution, in other -words, for cross subnet browsing to function correctly it is -essential that a name to address resolution mechanism be provided. -This mechanism could be via DNS, <TT -CLASS="FILENAME" ->/etc/hosts</TT ->, -and so on.</P +>Under the ProfileList key, there will be subkeys named with the SIDs of the +users who have logged on to this computer. (To find the profile information +for the user whose locally cached profile you want to move, find the SID for +the user with the GetSID.exe utility.) Inside of the appropriate user's +subkey, you will see a string value named ProfileImagePath.</P +></DIV ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="AEN1626" ->10.5. 
MS Windows security options and how to configure -Samba for seemless integration</A -></H2 -><P ->MS Windows clients may use encrypted passwords as part of a -challenege/response authentication model (a.k.a. NTLMv1) or -alone, or clear text strings for simple password based -authentication. It should be realized that with the SMB -protocol the password is passed over the network either -in plain text or encrypted, but not both in the same -authentication requets.</P +NAME="AEN1580" +>10.2.9. Windows 2000/XP</A +></H3 ><P ->When encrypted passwords are used a password that has been -entered by the user is encrypted in two ways:</P +>You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows:</P ><P ></P ><UL ><LI ><P ->An MD4 hash of the UNICODE of the password - string. This is known as the NT hash. - </P +>Log on as the LOCAL workstation administrator.</P ></LI ><LI ><P ->The password is converted to upper case, - and then padded or trucated to 14 bytes. This string is - then appended with 5 bytes of NULL characters and split to - form two 56 bit DES keys to encrypt a "magic" 8 byte value. - The resulting 16 bytes for the LanMan hash. - </P +>Right click on the 'My Computer' Icon, select 'Properties'</P ></LI -></UL -><P ->You should refer to the <A -HREF="ENCRYPTION.html" -TARGET="_top" ->Password Encryption</A -> chapter in this HOWTO collection -for more details on the inner workings</P -><P ->MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x -and version 4.0 pre-service pack 3 will use either mode of -password authentication. All versions of MS Windows that follow -these versions no longer support plain text passwords by default.</P -><P ->MS Windows clients have a habit of dropping network mappings that -have been idle for 10 minutes or longer. 
When the user attempts to -use the mapped drive connection that has been dropped, the client -re-establishes the connection using -a cached copy of the password.</P +><LI ><P ->When Microsoft changed the default password mode, they dropped support for -caching of the plain text password. This means that when the registry -parameter is changed to re-enable use of plain text passwords it appears to -work, but when a dropped mapping attempts to revalidate it will fail if -the remote authentication server does not support encrypted passwords. -This means that it is definitely not a good idea to re-enable plain text -password support in such clients.</P -><P ->The following parameters can be used to work around the -issue of Windows 9x client upper casing usernames and -password before transmitting them to the SMB server -when using clear text authentication.</P +>Click on the 'User Profiles' tab</P +></LI +><LI ><P -><PRE -CLASS="PROGRAMLISTING" -> <A -HREF="smb.conf.5.html#PASSWORDLEVEL" -TARGET="_top" ->passsword level</A -> = <VAR -CLASS="REPLACEABLE" ->integer</VAR -> - <A -HREF="smb.conf.5.html#USERNAMELEVEL" -TARGET="_top" ->username level</A -> = <VAR -CLASS="REPLACEABLE" ->integer</VAR -></PRE -></P +>Select the profile you wish to convert (click on it once)</P +></LI +><LI ><P ->By default Samba will lower case the username before attempting -to lookup the user in the database of local system accounts. -Because UNIX usernames conventionally only contain lower case -character, the <VAR -CLASS="PARAMETER" ->username level</VAR -> parameter -is rarely even needed.</P +>Click on the button 'Copy To'</P +></LI +><LI ><P ->However, password on UNIX systems often make use of mixed case -characters. 
This means that in order for a user on a Windows 9x -client to connect to a Samba server using clear text authentication, -the <VAR -CLASS="PARAMETER" ->password level</VAR -> must be set to the maximum -number of upper case letter which <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->could</I -></SPAN -> appear -is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a <VAR -CLASS="PARAMETER" ->password level</VAR -> -of 8 will result in case insensitive passwords as seen from Windows -users. This will also result in longer login times as Samba -hash to compute the permutations of the password string and -try them one by one until a match is located (or all combinations fail).</P +>In the "Permitted to use" box, click on the 'Change' button.</P +></LI +><LI ><P ->The best option to adopt is to enable support for encrypted passwords -where ever Samba is used. There are three configuration possibilities -for support of encrypted passwords:</P +>Click on the 'Look in" area that lists the machine name, when you click +here it will open up a selection box. Click on the domain to which the +profile must be accessible.</P ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1654" ->10.5.1. Use MS Windows NT as an authentication server</A -></H3 -><P ->This method involves the additions of the following parameters -in the smb.conf file:</P +CLASS="NOTE" ><P -><PRE -CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = server - password server = "NetBIOS_name_of_PDC"</PRE ></P +><TABLE +CLASS="NOTE" +WIDTH="90%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->There are two ways of identifying whether or not a username and -password pair was valid or not. 
One uses the reply information provided -as part of the authentication messaging process, the other uses -just and error code.</P +>You will need to log on if a logon box opens up. Eg: In the connect +as: MIDEARTH\root, password: mypassword.</P +></TD +></TR +></TABLE +></DIV +></LI +><LI ><P ->The down-side of this mode of configuration is the fact that -for security reasons Samba will send the password server a bogus -username and a bogus password and if the remote server fails to -reject the username and password pair then an alternative mode -of identification of validation is used. Where a site uses password -lock out after a certain number of failed authentication attempts -this will result in user lockouts.</P +>To make the profile capable of being used by anyone select 'Everyone'</P +></LI +><LI ><P ->Use of this mode of authentication does require there to be -a standard Unix account for the user, this account can be blocked -to prevent logons by other than MS Windows clients.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1662" ->10.5.2. Make Samba a member of an MS Windows NT security domain</A -></H3 +>Click OK. The Selection box will close.</P +></LI +><LI ><P ->This method involves additon of the following paramters in the smb.conf file:</P +>Now click on the 'Ok' button to create the profile in the path you +nominated.</P +></LI +></UL +><P +>Done. 
You now have a profile that can be editted using the samba-3.0.0 +profiles tool.</P +><DIV +CLASS="NOTE" ><P -><PRE -CLASS="PROGRAMLISTING" -> encrypt passwords = Yes - security = domain - workgroup = "name of NT domain" - password server = *</PRE ></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->The use of the "*" argument to "password server" will cause samba -to locate the domain controller in a way analogous to the way -this is done within MS Windows NT.</P +>Under NT/2K the use of mandotory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" ><P ->In order for this method to work the Samba server needs to join the -MS Windows NT security domain. This is done as follows:</P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ></P ><UL ><LI ><P ->On the MS Windows NT domain controller using - the Server Manager add a machine account for the Samba server. - </P +>This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:</P +><P +>"Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders"</P +><P +>...and it should be set to "Enabled". +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this.</P +><P +>If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. 
If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy):</P ></LI ><LI ><P ->Next, on the Linux system execute: - <B -CLASS="COMMAND" ->smbpasswd -r PDC_NAME -j DOMAIN_NAME</B -> - </P +>On the XP workstation log in with an Administrator account.</P ></LI -></UL +><LI ><P ->Use of this mode of authentication does require there to be -a standard Unix account for the user in order to assign -a uid once the account has been authenticated by the remote -Windows DC. This account can be blocked to prevent logons by -other than MS Windows clients by things such as setting an invalid -shell in the <TT -CLASS="FILENAME" ->/etc/passwd</TT -> entry.</P +>Click: "Start", "Run"</P +></LI +><LI ><P ->An alternative to assigning UIDs to Windows users on a -Samba member server is presented in the <A -HREF="winbind.html" -TARGET="_top" ->Winbind Overview</A -> chapter in -this HOWTO collection.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1679" ->10.5.3. Configure Samba as an authentication server</A -></H3 +>Type: "mmc"</P +></LI +><LI ><P ->This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as an -smbpasswd entry for the user. 
The Unix system account can be -locked if required as only the encrypted password will be -used for SMB client authentication.</P +>Click: "OK"</P +></LI +><LI ><P ->This method involves addition of the following parameters to -the smb.conf file:</P +>A Microsoft Management Console should appear.</P +></LI +><LI ><P -><PRE -CLASS="PROGRAMLISTING" ->## please refer to the Samba PDC HOWTO chapter later in -## this collection for more details -[global] - encrypt passwords = Yes - security = user - domain logons = Yes - ; an OS level of 33 or more is recommended - os level = 33 - -[NETLOGON] - path = /somewhare/in/file/system - read only = yes</PRE -></P +>Click: File, "Add/Remove Snap-in...", "Add"</P +></LI +><LI ><P ->in order for this method to work a Unix system account needs -to be created for each user, as well as for each MS Windows NT/2000 -machine. The following structure is required.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1686" ->10.5.3.1. Users</A -></H4 +>Double-Click: "Group Policy"</P +></LI +><LI ><P ->A user account that may provide a home directory should be -created. The following Linux system commands are typical of -the procedure for creating an account.</P +>Click: "Finish", "Close"</P +></LI +><LI ><P -><PRE -CLASS="PROGRAMLISTING" -> # useradd -s /bin/bash -d /home/"userid" -m "userid" - # passwd "userid" - Enter Password: <pw> - - # smbpasswd -a "userid" - Enter Password: <pw></PRE -></P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN1691" ->10.5.3.2. MS Windows NT Machine Accounts</A -></H4 +>Click: "OK"</P +></LI +><LI ><P ->These are required only when Samba is used as a domain -controller. 
Refer to the Samba-PDC-HOWTO for more details.</P +>In the "Console Root" window:</P +></LI +><LI ><P -><PRE -CLASS="PROGRAMLISTING" -> # useradd -s /bin/false -d /dev/null "machine_name"\$ - # passwd -l "machine_name"\$ - # smbpasswd -a -m "machine_name"</PRE -></P -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1696" ->10.6. Conclusions</A -></H2 +>Expand: "Local Computer Policy", "Computer Configuration",</P +></LI +><LI ><P ->Samba provides a flexible means to operate as...</P +>"Administrative Templates", "System", "User Profiles"</P +></LI +><LI ><P -></P -><UL +>Double-Click: "Do not check for user ownership of Roaming Profile</P +></LI ><LI ><P ->A Stand-alone server - No special action is needed - other than to create user accounts. Stand-alone servers do NOT - provide network logon services, meaning that machines that use this - server do NOT perform a domain logon but instead make use only of - the MS Windows logon which is local to the MS Windows - workstation/server. - </P +>Folders"</P ></LI ><LI ><P ->An MS Windows NT 3.x/4.0 security domain member. - </P +>Select: "Enabled"</P ></LI ><LI ><P ->An alternative to an MS Windows NT 3.x/4.0 - Domain Controller. - </P +>Click: OK"</P +></LI +><LI +><P +>Close the whole console. You do not need to save the settings (this +refers to the console settings rather than the policies you have +changed).</P +></LI +><LI +><P +>Reboot</P ></LI ></UL +></TD +></TR +></TABLE +></DIV +></DIV ></DIV ></DIV ><DIV @@ -9424,7 +8844,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1717" +NAME="AEN1663" >11.1. Viewing and changing UNIX permissions using the NT security dialogs</A ></H2 @@ -9442,7 +8862,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1721" +NAME="AEN1667" >11.2. How to view file security on a Samba share</A ></H2 ><P @@ -9511,7 +8931,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1732" +NAME="AEN1678" >11.3. Viewing file ownership</A ></H2 ><P 
@@ -9597,7 +9017,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1752" +NAME="AEN1698" >11.4. Viewing file or directory permissions</A ></H2 ><P @@ -9651,7 +9071,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1767" +NAME="AEN1713" >11.4.1. File Permissions</A ></H3 ><P @@ -9713,7 +9133,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1781" +NAME="AEN1727" >11.4.2. Directory Permissions</A ></H3 ><P @@ -9745,7 +9165,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1788" +NAME="AEN1734" >11.5. Modifying file or directory permissions</A ></H2 ><P @@ -9841,7 +9261,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1810" +NAME="AEN1756" >11.6. Interaction with the standard Samba create mask parameters</A ></H2 @@ -10035,7 +9455,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1864" +NAME="AEN1810" >11.7. Interaction with the standard Samba file attribute mapping</A ></H2 
@@ -10082,17 +9502,118 @@ CLASS="COMMAND" CLASS="CHAPTER" ><HR><H1 ><A +NAME="GROUPMAPPING" +></A +>Chapter 12. Group mapping HOWTO</H1 +><P +> +Starting with Samba 3.0 alpha 2, a new group mapping function is available. The +current method (likely to change) to manage the groups is a new command called +<B +CLASS="COMMAND" +>smbgroupedit</B +>.</P +><P +>The first immediate reason to use the group mapping on a PDC, is that +the <B +CLASS="COMMAND" +>domain admin group</B +> of <TT +CLASS="FILENAME" +>smb.conf</TT +> is +now gone. This parameter was used to give the listed users local admin rights +on their workstations. It was some magic stuff that simply worked but didn't +scale very well for complex setups.</P +><P +>Let me explain how it works on NT/W2K, to have this magic fade away. +When installing NT/W2K on a computer, the installer program creates some users +and groups. Notably the 'Administrators' group, and gives to that group some +privileges like the ability to change the date and time or to kill any process +(or close too) running on the local machine. The 'Administrator' user is a +member of the 'Administrators' group, and thus 'inherit' the 'Administrators' +group privileges. If a 'joe' user is created and become a member of the +'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P +><P +>When a NT/W2K machine is joined to a domain, during that phase, the "Domain +Administrators' group of the PDC is added to the 'Administrators' group of the +workstation. Every members of the 'Domain Administrators' group 'inherit' the +rights of the 'Administrators' group when logging on the workstation.</P +><P +>You are now wondering how to make some of your samba PDC users members of the +'Domain Administrators' ? 
That's really easy.</P +><P +></P +><OL +TYPE="1" +><LI +><P +>create a unix group (usually in <TT +CLASS="FILENAME" +>/etc/group</TT +>), let's call it domadm</P +></LI +><LI +><P +>add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT +CLASS="FILENAME" +>/etc/group</TT +> will look like:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>domadm:x:502:joe,john,mary</PRE +></P +></LI +><LI +><P +>Map this domadm group to the <B +CLASS="COMMAND" +>domain admins</B +> group by running the command:</P +><P +><B +CLASS="COMMAND" +>smbgroupedit -c "Domain Admins" -u domadm</B +></P +></LI +></OL +><P +>You're set, joe, john and mary are domain administrators !</P +><P +>Like the Domain Admins group, you can map any arbitrary Unix group to any NT +group. You can also make any Unix group a domain group. For example, on a domain +member machine (an NT/W2K or a samba server running winbind), you would like to +give access to a certain directory to some users who are member of a group on +your samba PDC. Flag that group as a domain group by running:</P +><P +><B +CLASS="COMMAND" +>smbgroupedit -a unixgroup -td</B +></P +><P +>You can list the various groups in the mapping database like this</P +><P +><B +CLASS="COMMAND" +>smbgroupedit -v</B +></P +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="PAM" ></A ->Chapter 12. Configuring PAM for distributed but centrally +>Chapter 13. Configuring PAM for distributed but centrally managed authentication</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1885" ->12.1. Samba and PAM</A +NAME="AEN1866" +>13.1. Samba and PAM</A ></H2 ><P >A number of Unix systems (eg: Sun Solaris), as well as the 
@@ -10128,6 +9649,45 @@ or by editing individual files that are located in <TT CLASS="FILENAME" >/etc/pam.d</TT >.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> If the PAM authentication module (loadable link library file) is located in the + default location then it is not necessary to specify the path. In the case of + Linux, the default location is <TT +CLASS="FILENAME" +>/lib/security</TT +>. If the module + is located other than default then the path may be specified as: + + <PRE +CLASS="PROGRAMLISTING" +> eg: "auth required /other_path/pam_strange_module.so" + </PRE +> + </P +></TD +></TR +></TABLE +></DIV ><P >The following is an example <TT CLASS="FILENAME" @@ -10143,20 +9703,20 @@ CLASS="FILENAME" ><P ><PRE CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_securetty.so -auth required pam_nologin.so -# auth required pam_dialup.so -# auth optional pam_mail.so -auth required pam_pwdb.so shadow md5 -# account requisite pam_time.so -account required pam_pwdb.so -session required pam_pwdb.so -# session optional pam_lastlog.so -# password required pam_cracklib.so retry=3 -password required pam_pwdb.so shadow md5</PRE +> #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_securetty.so + auth required pam_nologin.so + # auth required pam_dialup.so + # auth optional pam_mail.so + auth required pam_pwdb.so shadow md5 + # account requisite pam_time.so + account required pam_pwdb.so + session required pam_pwdb.so + # session optional pam_lastlog.so + # password required pam_cracklib.so retry=3 + password required pam_pwdb.so shadow md5</PRE ></P ><P >PAM allows use of replacable modules. Those available on a 
@@ -10164,19 +9724,19 @@ sample system include:</P ><P ><PRE CLASS="PROGRAMLISTING" ->$ /bin/ls /lib/security -pam_access.so pam_ftp.so pam_limits.so -pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so -pam_cracklib.so pam_group.so pam_listfile.so -pam_nologin.so pam_rootok.so pam_tally.so -pam_deny.so pam_issue.so pam_mail.so -pam_permit.so pam_securetty.so pam_time.so -pam_dialup.so pam_lastlog.so pam_mkhomedir.so -pam_pwdb.so pam_shells.so pam_unix.so -pam_env.so pam_ldap.so pam_motd.so -pam_radius.so pam_smbpass.so pam_unix_acct.so -pam_wheel.so pam_unix_auth.so pam_unix_passwd.so -pam_userdb.so pam_warn.so pam_unix_session.so</PRE +> $ /bin/ls /lib/security + pam_access.so pam_ftp.so pam_limits.so + pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so + pam_cracklib.so pam_group.so pam_listfile.so + pam_nologin.so pam_rootok.so pam_tally.so + pam_deny.so pam_issue.so pam_mail.so + pam_permit.so pam_securetty.so pam_time.so + pam_dialup.so pam_lastlog.so pam_mkhomedir.so + pam_pwdb.so pam_shells.so pam_unix.so + pam_env.so pam_ldap.so pam_motd.so + pam_radius.so pam_smbpass.so pam_unix_acct.so + pam_wheel.so pam_unix_auth.so pam_unix_passwd.so + pam_userdb.so pam_warn.so pam_unix_session.so</PRE ></P ><P >The following example for the login program replaces the use of @@ -10239,13 +9799,13 @@ source distribution.</P ><P ><PRE CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `login' service -# -auth required pam_smbpass.so nodelay -account required pam_smbpass.so nodelay -session required pam_smbpass.so nodelay -password required pam_smbpass.so nodelay</PRE +> #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_smbpass.so nodelay + account required pam_smbpass.so nodelay + session required pam_smbpass.so nodelay + password required pam_smbpass.so nodelay</PRE ></P ><P >The following is the PAM configuration file for a particular 
@@ -10256,13 +9816,13 @@ CLASS="FILENAME" ><P ><PRE CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_pwdb.so shadow md5</PRE +> #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit + account required /lib/security/pam_pwdb.so audit nodelay + session required /lib/security/pam_pwdb.so nodelay + password required /lib/security/pam_pwdb.so shadow md5</PRE ></P ><P >In the following example the decision has been made to use the 
@@ -10273,16 +9833,36 @@ program.</P ><P ><PRE CLASS="PROGRAMLISTING" ->#%PAM-1.0 -# The PAM configuration file for the `samba' service -# -auth required /lib/security/pam_smbpass.so nodelay -account required /lib/security/pam_pwdb.so audit nodelay -session required /lib/security/pam_pwdb.so nodelay -password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE +> #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required /lib/security/pam_smbpass.so nodelay + account required /lib/security/pam_pwdb.so audit nodelay + session required /lib/security/pam_pwdb.so nodelay + password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE +></P +><DIV +CLASS="NOTE" +><P ></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->Note: PAM allows stacking of authentication mechanisms. It is +>PAM allows stacking of authentication mechanisms. It is also possible to pass information obtained within one PAM module through to the next module in the PAM stack. Please refer to the documentation for your particular system implementation for details regarding the specific @@ -10299,14 +9879,18 @@ CLASS="FILENAME" on the basis that it allows for easier administration. As with all issues in life though, every decision makes trade-offs, so you may want examine the PAM documentation for further helpful information.</P +></TD +></TR +></TABLE +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1929" ->12.2. Distributed Authentication</A +NAME="AEN1915" +>13.2. Distributed Authentication</A ></H2 ><P >The astute administrator will realize from this that the 
@@ -10317,16 +9901,9 @@ CLASS="FILENAME" <B CLASS="COMMAND" >winbindd</B ->, and <B -CLASS="COMMAND" ->rsync</B -> (see -<A -HREF="http://rsync.samba.org/" -TARGET="_top" ->http://rsync.samba.org/</A ->) -will allow the establishment of a centrally managed, distributed +>, and a distributed +passdb backend, such as ldap, will allow the establishment of a +centrally managed, distributed user/password database that can also be used by all PAM (eg: Linux) aware programs and applications. This arrangement can have particularly potent advantages compared with the @@ -10338,8 +9915,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1936" ->12.3. PAM Configuration in smb.conf</A +NAME="AEN1920" +>13.3. PAM Configuration in smb.conf</A ></H2 ><P >There is an option in smb.conf called <A @@ -10349,7 +9926,7 @@ TARGET="_top" >. The following is from the on-line help for this option in SWAT;</P ><P ->When Samba 2.2 is configure to enable PAM support (i.e. +>When Samba is configured to enable PAM support (i.e. <CODE CLASS="CONSTANT" >--with-pam</CODE 
@@ -10378,179 +9955,6 @@ CLASS="COMMAND" CLASS="CHAPTER" ><HR><H1 ><A -NAME="MSDFS" -></A ->Chapter 13. Hosting a Microsoft Distributed File System tree on Samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1956" ->13.1. Instructions</A -></H2 -><P ->The Distributed File System (or Dfs) provides a means of - separating the logical view of files and directories that users - see from the actual physical locations of these resources on the - network. It allows for higher availability, smoother storage expansion, - load balancing etc. For more information about Dfs, refer to <A -HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" -TARGET="_top" -> Microsoft documentation</A ->. </P -><P ->This document explains how to host a Dfs tree on a Unix - machine (for Dfs-aware clients to browse) using Samba.</P -><P ->To enable SMB-based DFS for Samba, configure it with the - <VAR -CLASS="PARAMETER" ->--with-msdfs</VAR -> option. Once built, a - Samba server can be made a Dfs server by setting the global - boolean <A -HREF="smb.conf.5.html#HOSTMSDFS" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> host msdfs</VAR -></A -> parameter in the <TT -CLASS="FILENAME" ->smb.conf - </TT -> file. You designate a share as a Dfs root using the share - level boolean <A -HREF="smb.conf.5.html#MSDFSROOT" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> msdfs root</VAR -></A -> parameter. A Dfs root directory on - Samba hosts Dfs links in the form of symbolic links that point - to other servers. For example, a symbolic link - <TT -CLASS="FILENAME" ->junction->msdfs:storage1\share1</TT -> in - the share directory acts as the Dfs junction. 
When Dfs-aware - clients attempt to access the junction link, they are redirected - to the storage location (in this case, \\storage1\share1).</P -><P ->Dfs trees on Samba work with all Dfs-aware clients ranging - from Windows 95 to 2000.</P -><P ->Here's an example of setting up a Dfs tree on a Samba - server.</P -><P -><PRE -CLASS="PROGRAMLISTING" -># The smb.conf file: -[global] - netbios name = SAMBA - host msdfs = yes - -[dfs] - path = /export/dfsroot - msdfs root = yes - </PRE -></P -><P ->In the /export/dfsroot directory we set up our dfs links to - other servers on the network.</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->cd /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chown root /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chmod 755 /export/dfsroot</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:storageA\\shareA linka</KBD -></P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:serverB\\share,serverC\\share linkb</KBD -></P -><P ->You should set up the permissions and ownership of - the directory acting as the Dfs root such that only designated - users can create, delete or modify the msdfs links. Also note - that symlink names should be all lowercase. This limitation exists - to have Samba avoid trying all the case combinations to get at - the link name. Finally set up the symbolic links to point to the - network shares you want, and start Samba.</P -><P ->Users on Dfs-aware clients can now browse the Dfs tree - on the Samba server at \\samba\dfs. Accessing - links linka or linkb (which appear as directories to the client) - takes users directly to the appropriate shares on the network.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN1991" ->13.1.1. 
Notes</A -></H3 -><P -></P -><UL -><LI -><P ->Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. A better way is to introduce a - new share and make it the dfs root.</P -></LI -><LI -><P ->Currently there's a restriction that msdfs - symlink names should all be lowercase.</P -></LI -><LI -><P ->For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P -></LI -></UL -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A NAME="PRINTING" ></A >Chapter 14. Printing Support</H1 @@ -10559,7 +9963,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2017" +NAME="AEN1946" >14.1. Introduction</A ></H2 ><P @@ -10642,7 +10046,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2039" +NAME="AEN1968" >14.2. Configuration</A ></H2 ><DIV @@ -10704,7 +10108,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2047" +NAME="AEN1976" >14.2.1. Creating [print$]</A ></H3 ><P @@ -10921,7 +10325,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2082" +NAME="AEN2011" >14.2.2. Setting Drivers for Existing Printers</A ></H3 ><P @@ -10993,7 +10397,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2098" +NAME="AEN2027" >14.2.3. Support a large number of printers</A ></H3 ><P @@ -11059,7 +10463,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2109" +NAME="AEN2038" >14.2.4. Adding New Printers via the Windows NT APW</A ></H3 ><P @@ -11214,7 +10618,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2139" +NAME="AEN2068" >14.2.5. Samba and Printer Ports</A ></H3 ><P @@ -11249,7 +10653,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2147" +NAME="AEN2076" >14.3. The Imprints Toolset</A ></H2 ><P @@ -11267,7 +10671,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2151" +NAME="AEN2080" >14.3.1. What is Imprints?</A ></H3 ><P 
@@ -11299,7 +10703,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2161" +NAME="AEN2090" >14.3.2. Creating Printer Driver Packages</A ></H3 ><P @@ -11315,7 +10719,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2164" +NAME="AEN2093" >14.3.3. The Imprints server</A ></H3 ><P @@ -11339,7 +10743,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2168" +NAME="AEN2097" >14.3.4. The Installation Client</A ></H3 ><P @@ -11433,7 +10837,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2190" +NAME="AEN2119" >14.4. Diagnosis</A ></H2 ><DIV @@ -11441,7 +10845,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN2192" +NAME="AEN2121" >14.4.1. Introduction</A ></H3 ><P @@ -11516,7 +10920,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2208" +NAME="AEN2137" >14.4.2. Debugging printer problems</A ></H3 ><P @@ -11573,7 +10977,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2217" +NAME="AEN2146" >14.4.3. What printers do I have?</A ></H3 ><P @@ -11602,7 +11006,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2225" +NAME="AEN2154" >14.4.4. Setting up printcap and print servers</A ></H3 ><P @@ -11686,7 +11090,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2253" +NAME="AEN2182" >14.4.5. Job sent, no output</A ></H3 ><P @@ -11731,7 +11135,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2264" +NAME="AEN2193" >14.4.6. Job sent, strange output</A ></H3 ><P @@ -11777,7 +11181,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2276" +NAME="AEN2205" >14.4.7. Raw PostScript printed</A ></H3 ><P @@ -11792,7 +11196,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2279" +NAME="AEN2208" >14.4.8. Advanced Printing</A ></H3 ><P @@ -11808,7 +11212,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2282" +NAME="AEN2211" >14.4.9. Real debugging</A ></H3 ><P @@ -11829,7 +11233,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2302" +NAME="AEN2231" >15.1. Introduction</A ></H2 ><P 
@@ -11857,7 +11261,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2307" +NAME="AEN2236" >15.2. CUPS - RAW Print Through Mode</A ></H2 ><P @@ -12143,7 +11547,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2362" +NAME="AEN2291" >15.3. The CUPS Filter Chains</A ></H2 ><P @@ -12591,7 +11995,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2401" +NAME="AEN2330" >15.4. CUPS Print Drivers and Devices</A ></H2 ><P @@ -12621,7 +12025,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2408" +NAME="AEN2337" >15.4.1. Further printing steps</A ></H3 ><P @@ -12945,7 +12349,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2478" +NAME="AEN2407" >15.5. Limiting the number of pages users can print</A ></H2 ><P @@ -13468,7 +12872,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2567" +NAME="AEN2496" >15.6. Advanced Postscript Printing from MS Windows</A ></H2 ><P @@ -13559,7 +12963,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2582" +NAME="AEN2511" >15.7. Auto-Deletion of CUPS spool files</A ></H2 ><P @@ -13695,7 +13099,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2644" +NAME="AEN2573" >16.1. Abstract</A ></H2 ><P @@ -13722,7 +13126,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2648" +NAME="AEN2577" >16.2. Introduction</A ></H2 ><P @@ -13776,7 +13180,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2661" +NAME="AEN2590" >16.3. What Winbind Provides</A ></H2 ><P @@ -13818,7 +13222,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2668" +NAME="AEN2597" >16.3.1. Target Uses</A ></H3 ><P @@ -13842,7 +13246,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2672" +NAME="AEN2601" >16.4. How Winbind Works</A ></H2 ><P @@ -13862,7 +13266,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2677" +NAME="AEN2606" >16.4.1. Microsoft Remote Procedure Calls</A ></H3 ><P 
@@ -13888,7 +13292,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2681" +NAME="AEN2610" >16.4.2. Microsoft Active Directory Services</A ></H3 ><P @@ -13907,7 +13311,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2684" +NAME="AEN2613" >16.4.3. Name Service Switch</A ></H3 ><P @@ -13987,7 +13391,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2700" +NAME="AEN2629" >16.4.4. Pluggable Authentication Modules</A ></H3 ><P @@ -14036,7 +13440,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2708" +NAME="AEN2637" >16.4.5. User and Group ID Allocation</A ></H3 ><P @@ -14062,7 +13466,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2712" +NAME="AEN2641" >16.4.6. Result Caching</A ></H3 ><P @@ -14085,7 +13489,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2715" +NAME="AEN2644" >16.5. Installation and Configuration</A ></H2 ><P @@ -14104,7 +13508,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2720" +NAME="AEN2649" >16.5.1. Introduction</A ></H3 ><P @@ -14163,7 +13567,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2733" +NAME="AEN2662" >16.5.2. Requirements</A ></H3 ><P @@ -14233,7 +13637,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2747" +NAME="AEN2676" >16.5.3. Testing Things Out</A ></H3 ><P @@ -14278,7 +13682,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2758" +NAME="AEN2687" >16.5.3.1. Configure and compile SAMBA</A ></H4 ><P @@ -14344,7 +13748,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2777" +NAME="AEN2706" >16.5.3.2. Configure <TT CLASS="FILENAME" >nsswitch.conf</TT @@ -14449,7 +13853,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2810" +NAME="AEN2739" >16.5.3.3. Configure smb.conf</A ></H4 ><P @@ -14524,7 +13928,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2826" +NAME="AEN2755" >16.5.3.4. Join the SAMBA server to the PDC domain</A ></H4 ><P 
@@ -14562,7 +13966,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2837" +NAME="AEN2766" >16.5.3.5. Start up the winbindd daemon and test it!</A ></H4 ><P @@ -14698,7 +14102,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2877" +NAME="AEN2806" >16.5.3.6. Fix the init.d startup scripts</A ></H4 ><DIV @@ -14706,7 +14110,7 @@ CLASS="SECT4" ><H5 CLASS="SECT4" ><A -NAME="AEN2879" +NAME="AEN2808" >16.5.3.6.1. Linux</A ></H5 ><P @@ -14816,7 +14220,7 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2899" +NAME="AEN2828" >16.5.3.6.2. Solaris</A ></H5 ><P @@ -14900,7 +14304,7 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2909" +NAME="AEN2838" >16.5.3.6.3. Restarting</A ></H5 ><P @@ -14924,7 +14328,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2915" +NAME="AEN2844" >16.5.3.7. Configure Winbind and PAM</A ></H4 ><P @@ -14982,7 +14386,7 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2932" +NAME="AEN2861" >16.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A ></H5 ><P @@ -15111,7 +14515,7 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2965" +NAME="AEN2894" >16.5.3.7.2. Solaris-specific configuration</A ></H5 ><P @@ -15198,7 +14602,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2972" +NAME="AEN2901" >16.6. Limitations</A ></H2 ><P @@ -15240,7 +14644,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2982" +NAME="AEN2911" >16.7. Conclusion</A ></H2 ><P 
@@ -15256,16 +14660,656 @@ NAME="AEN2982" CLASS="CHAPTER" ><HR><H1 ><A +NAME="INTEGRATE-MS-NETWORKS" +></A +>Chapter 17. Integrating MS Windows networks with Samba</H1 +><P +>This section deals with NetBIOS over TCP/IP name to IP address resolution. If you +your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this +section does not apply to your installation. If your installation involves use of +NetBIOS over TCP/IP then this section may help you to resolve networking problems.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS + over Logical Link Control (LLC). On modern networks it is highly advised + to NOT run NetBEUI at all. Note also that there is NO such thing as + NetBEUI over TCP/IP - the existence of such a protocol is a complete + and utter mis-apprehension.</P +></TD +></TR +></TABLE +></DIV +><P +>Since the introduction of MS Windows 2000 it is possible to run MS Windows networking +without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS +name resolution and uses TCP port 139 for NetBIOS session services. 
When NetBIOS over +TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be +used and UDP port 137 and TCP port 139 will not.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then +the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet +Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic).</P +></TD +></TR +></TABLE +></DIV +><P +>When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that +disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires +Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR). +Use of DHCP with ADS is recommended as a further means of maintaining central control +over client workstation network configuration.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2932" +>17.1. Name Resolution in a pure Unix/Linux world</A +></H2 +><P +>The key configuration files covered in this section are:</P +><P +></P +><UL +><LI +><P +><TT +CLASS="FILENAME" +>/etc/hosts</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></P +></LI +></UL +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2948" +>17.1.1. <TT +CLASS="FILENAME" +>/etc/hosts</TT +></A +></H3 +><P +>Contains a static list of IP Addresses and names. 
+eg:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> 127.0.0.1 localhost localhost.localdomain + 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE +></P +><P +>The purpose of <TT +CLASS="FILENAME" +>/etc/hosts</TT +> is to provide a +name resolution mechanism so that uses do not need to remember +IP addresses.</P +><P +>Network packets that are sent over the physical network transport +layer communicate not via IP addresses but rather using the Media +Access Control address, or MAC address. IP Addresses are currently +32 bits in length and are typically presented as four (4) decimal +numbers that are separated by a dot (or period). eg: 168.192.1.1</P +><P +>MAC Addresses use 48 bits (or 6 bytes) and are typically represented +as two digit hexadecimal numbers separated by colons. eg: +40:8e:0a:12:34:56</P +><P +>Every network interfrace must have an MAC address. Associated with +a MAC address there may be one or more IP addresses. There is NO +relationship between an IP address and a MAC address, all such assignments +are arbitary or discretionary in nature. At the most basic level all +network communications takes place using MAC addressing. Since MAC +addresses must be globally unique, and generally remains fixed for +any particular interface, the assignment of an IP address makes sense +from a network management perspective. More than one IP address can +be assigned per MAC address. One address must be the primary IP address, +this is the address that will be returned in the ARP reply.</P +><P +>When a user or a process wants to communicate with another machine +the protocol implementation ensures that the "machine name" or "host +name" is resolved to an IP address in a manner that is controlled +by the TCP/IP configuration control files. 
The file +<TT +CLASS="FILENAME" +>/etc/hosts</TT +> is one such file.</P +><P +>When the IP address of the destination interface has been +determined a protocol called ARP/RARP is used to identify +the MAC address of the target interface. ARP stands for Address +Resolution Protocol, and is a broadcast oriented method that +uses UDP (User Datagram Protocol) to send a request to all +interfaces on the local network segment using the all 1's MAC +address. Network interfaces are programmed to respond to two +MAC addresses only; their own unique address and the address +ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will +contain the MAC address and the primary IP address for each +interface.</P +><P +>The <TT +CLASS="FILENAME" +>/etc/hosts</TT +> file is foundational to all +Unix/Linux TCP/IP installations and as a minumum will contain +the localhost and local network interface IP addresses and the +primary names by which they are known within the local machine. +This file helps to prime the pump so that a basic level of name +resolution can exist before any other method of name resolution +becomes available.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2964" +>17.1.2. <TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></A +></H3 +><P +>This file tells the name resolution libraries:</P +><P +></P +><UL +><LI +><P +>The name of the domain to which the machine + belongs + </P +></LI +><LI +><P +>The name(s) of any domains that should be + automatically searched when trying to resolve unqualified + host names to their IP address + </P +></LI +><LI +><P +>The name or IP address of available Domain + Name Servers that may be asked to perform name to address + translation lookups + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2975" +>17.1.3. 
<TT +CLASS="FILENAME" +>/etc/host.conf</TT +></A +></H3 +><P +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +> is the primary means by +which the setting in /etc/resolv.conf may be affected. It is a +critical configuration file. This file controls the order by +which name resolution may procede. The typical structure is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> order hosts,bind + multi on</PRE +></P +><P +>then both addresses should be returned. Please refer to the +man page for host.conf for further details.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2983" +>17.1.4. <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></A +></H3 +><P +>This file controls the actual name resolution targets. The +file typically has resolver object specifications as follows:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> # /etc/nsswitch.conf + # + # Name Service Switch configuration file. + # + + passwd: compat + # Alternative entries for password authentication are: + # passwd: compat files nis ldap winbind + shadow: compat + group: compat + + hosts: files nis dns + # Alternative entries for host name resolution are: + # hosts: files dns nis nis+ hesoid db compat ldap wins + networks: nis files dns + + ethers: nis files + protocols: nis files + rpc: nis files + services: nis files</PRE +></P +><P +>Of course, each of these mechanisms requires that the appropriate +facilities and/or services are correctly configured.</P +><P +>It should be noted that unless a network request/message must be +sent, TCP/IP networks are silent. All TCP/IP communications assumes a +principal of speaking only when necessary.</P +><P +>Starting with version 2.2.0 samba has Linux support for extensions to +the name service switch infrastructure so that linux clients will +be able to obtain resolution of MS Windows NetBIOS names to IP +Addresses. 
To gain this functionality Samba needs to be compiled +with appropriate arguments to the make command (ie: <B +CLASS="COMMAND" +>make +nsswitch/libnss_wins.so</B +>). The resulting library should +then be installed in the <TT +CLASS="FILENAME" +>/lib</TT +> directory and +the "wins" parameter needs to be added to the "hosts:" line in +the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> file. At this point it +will be possible to ping any MS Windows machine by it's NetBIOS +machine name, so long as that machine is within the workgroup to +which both the samba machine and the MS Windows machine belong.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2995" +>17.2. Name resolution as used within MS Windows networking</A +></H2 +><P +>MS Windows networking is predicated about the name each machine +is given. This name is known variously (and inconsistently) as +the "computer name", "machine name", "networking name", "netbios name", +"SMB name". All terms mean the same thing with the exception of +"netbios name" which can apply also to the name of the workgroup or the +domain name. The terms "workgroup" and "domain" are really just a +simply name with which the machine is associated. All NetBIOS names +are exactly 16 characters in length. The 16th character is reserved. +It is used to store a one byte value that indicates service level +information for the NetBIOS name that is registered. 
A NetBIOS machine +name is therefore registered for each service type that is provided by +the client/server.</P +><P +>The following are typical NetBIOS name/service type registrations:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> Unique NetBIOS Names: + MACHINENAME<00> = Server Service is running on MACHINENAME + MACHINENAME<03> = Generic Machine Name (NetBIOS name) + MACHINENAME<20> = LanMan Server service is running on MACHINENAME + WORKGROUP<1b> = Domain Master Browser + + Group Names: + WORKGROUP<03> = Generic Name registered by all members of WORKGROUP + WORKGROUP<1c> = Domain Controllers / Netlogon Servers + WORKGROUP<1d> = Local Master Browsers + WORKGROUP<1e> = Internet Name Resolvers</PRE +></P +><P +>It should be noted that all NetBIOS machines register their own +names as per the above. This is in vast contrast to TCP/IP +installations where traditionally the system administrator will +determine in the /etc/hosts or in the DNS database what names +are associated with each IP address.</P +><P +>One further point of clarification should be noted, the <TT +CLASS="FILENAME" +>/etc/hosts</TT +> +file and the DNS records do not provide the NetBIOS name type information +that MS Windows clients depend on to locate the type of service that may +be needed. An example of this is what happens when an MS Windows client +wants to locate a domain logon server. It find this service and the IP +address of a server that provides it by performing a lookup (via a +NetBIOS broadcast) for enumeration of all machines that have +registered the name type *<1c>. A logon request is then sent to each +IP address that is returned in the enumerated list of IP addresses. Which +ever machine first replies then ends up providing the logon services.</P +><P +>The name "workgroup" or "domain" really can be confusing since these +have the added significance of indicating what is the security +architecture of the MS Windows network. 
The term "workgroup" indicates +that the primary nature of the network environment is that of a +peer-to-peer design. In a WORKGROUP all machines are responsible for +their own security, and generally such security is limited to use of +just a password (known as SHARE MODE security). In most situations +with peer-to-peer networking the users who control their own machines +will simply opt to have no security at all. It is possible to have +USER MODE security in a WORKGROUP environment, thus requiring use +of a user name and a matching password.</P +><P +>MS Windows networking is thus predetermined to use machine names +for all local and remote machine message passing. The protocol used is +called Server Message Block (SMB) and this is implemented using +the NetBIOS protocol (Network Basic Input Output System). NetBIOS can +be encapsulated using LLC (Logical Link Control) protocol - in which case +the resulting protocol is called NetBEUI (Network Basic Extended User +Interface). NetBIOS can also be run over IPX (Internetworking Packet +Exchange) protocol as used by Novell NetWare, and it can be run +over TCP/IP protocols - in which case the resulting protocol is called +NBT or NetBT, the NetBIOS over TCP/IP.</P +><P +>MS Windows machines use a complex array of name resolution mechanisms. +Since we are primarily concerned with TCP/IP this demonstration is +limited to this area.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3007" +>17.2.1. The NetBIOS Name Cache</A +></H3 +><P +>All MS Windows machines employ an in memory buffer in which is +stored the NetBIOS names and IP addresses for all external +machines that that machine has communicated with over the +past 10-15 minutes. 
It is more efficient to obtain an IP address +for a machine from the local cache than it is to go through all the +configured name resolution mechanisms.</P +><P +>If a machine whose name is in the local name cache has been shut +down before the name had been expired and flushed from the cache, then +an attempt to exchange a message with that machine will be subject +to time-out delays. i.e.: Its name is in the cache, so a name resolution +lookup will succeed, but the machine can not respond. This can be +frustrating for users - but it is a characteristic of the protocol.</P +><P +>The MS Windows utility that allows examination of the NetBIOS +name cache is called "nbtstat". The Samba equivalent of this +is called "nmblookup".</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3012" +>17.2.2. The LMHOSTS file</A +></H3 +><P +>This file is usually located in MS Windows NT 4.0 or +2000 in <TT +CLASS="FILENAME" +>C:\WINNT\SYSTEM32\DRIVERS\ETC</TT +> and contains +the IP Address and the machine name in matched pairs. The +<TT +CLASS="FILENAME" +>LMHOSTS</TT +> file performs NetBIOS name +to IP address mapping oriented.</P +><P +>It typically looks like:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> # Copyright (c) 1998 Microsoft Corp. + # + # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS + # over TCP/IP) stack for Windows98 + # + # This file contains the mappings of IP addresses to NT computernames + # (NetBIOS) names. Each entry should be kept on an individual line. + # The IP address should be placed in the first column followed by the + # corresponding computername. The address and the comptername + # should be separated by at least one space or tab. The "#" character + # is generally used to denote the start of a comment (see the exceptions + # below). 
+ # + # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts + # files and offers the following extensions: + # + # #PRE + # #DOM:<domain> + # #INCLUDE <filename> + # #BEGIN_ALTERNATE + # #END_ALTERNATE + # \0xnn (non-printing character support) + # + # Following any entry in the file with the characters "#PRE" will cause + # the entry to be preloaded into the name cache. By default, entries are + # not preloaded, but are parsed only after dynamic name resolution fails. + # + # Following an entry with the "#DOM:<domain>" tag will associate the + # entry with the domain specified by <domain>. This affects how the + # browser and logon services behave in TCP/IP environments. To preload + # the host name associated with #DOM entry, it is necessary to also add a + # #PRE to the line. The <domain> is always preloaded although it will not + # be shown when the name cache is viewed. + # + # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) + # software to seek the specified <filename> and parse it as if it were + # local. <filename> is generally a UNC-based name, allowing a + # centralized lmhosts file to be maintained on a server. + # It is ALWAYS necessary to provide a mapping for the IP address of the + # server prior to the #INCLUDE. This mapping must use the #PRE directive. + # In addtion the share "public" in the example below must be in the + # LanManServer list of "NullSessionShares" in order for client machines to + # be able to read the lmhosts file successfully. This key is under + # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares + # in the registry. Simply add "public" to the list found there. + # + # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE + # statements to be grouped together. Any single successful include + # will cause the group to succeed. 
+ # + # Finally, non-printing characters can be embedded in mappings by + # first surrounding the NetBIOS name in quotations, then using the + # \0xnn notation to specify a hex value for a non-printing character. + # + # The following example illustrates all of these extensions: + # + # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC + # 102.54.94.102 "appname \0x14" #special app server + # 102.54.94.123 popular #PRE #source server + # 102.54.94.117 localsrv #PRE #needed for the include + # + # #BEGIN_ALTERNATE + # #INCLUDE \\localsrv\public\lmhosts + # #INCLUDE \\rhino\public\lmhosts + # #END_ALTERNATE + # + # In the above example, the "appname" server contains a special + # character in its name, the "popular" and "localsrv" server names are + # preloaded, and the "rhino" server name is specified so it can be used + # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" + # system is unavailable. + # + # Note that the whole file is parsed including comments on each lookup, + # so keeping the number of comments to a minimum will improve performance. + # Therefore it is not advisable to simply add lmhosts file entries onto the + # end of this file.</PRE +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3020" +>17.2.3. HOSTS file</A +></H3 +><P +>This file is usually located in MS Windows NT 4.0 or 2000 in +<TT +CLASS="FILENAME" +>C:\WINNT\SYSTEM32\DRIVERS\ETC</TT +> and contains +the IP Address and the IP hostname in matched pairs. It can be +used by the name resolution infrastructure in MS Windows, depending +on how the TCP/IP environment is configured. This file is in +every way the equivalent of the Unix/Linux <TT +CLASS="FILENAME" +>/etc/hosts</TT +> file.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3025" +>17.2.4. DNS Lookup</A +></H3 +><P +>This capability is configured in the TCP/IP setup area in the network +configuration facility. 
If enabled an elaborate name resolution sequence +is followed the precise nature of which isdependant on what the NetBIOS +Node Type parameter is configured to. A Node Type of 0 means use +NetBIOS broadcast (over UDP broadcast) is first used if the name +that is the subject of a name lookup is not found in the NetBIOS name +cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to +Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the +WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast +lookup is used.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3028" +>17.2.5. WINS Lookup</A +></H3 +><P +>A WINS (Windows Internet Name Server) service is the equivaent of the +rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores +the names and IP addresses that are registered by a Windows client +if the TCP/IP setup has been given at least one WINS Server IP Address.</P +><P +>To configure Samba to be a WINS server the following parameter needs +to be added to the <TT +CLASS="FILENAME" +>smb.conf</TT +> file:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> wins support = Yes</PRE +></P +><P +>To configure Samba to use a WINS server the following parameters are +needed in the smb.conf file:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> wins support = No + wins server = xxx.xxx.xxx.xxx</PRE +></P +><P +>where <VAR +CLASS="REPLACEABLE" +>xxx.xxx.xxx.xxx</VAR +> is the IP address +of the WINS server.</P +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="IMPROVED-BROWSING" ></A ->Chapter 17. Improved browsing in samba</H1 +>Chapter 18. Improved browsing in samba</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2992" ->17.1. Overview of browsing</A +NAME="AEN3047" +>18.1. Overview of browsing</A ></H2 ><P >SMB networking provides a mechanism by which clients can access a list 
@@ -15293,8 +15337,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN2997"
->17.2. Browsing support in samba</A
+NAME="AEN3052"
+>18.2. Browsing support in samba</A
 ></H2
 ><P
 >Samba facilitates browsing. The browsing is supported by nmbd
@@ -15336,8 +15380,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3005"
->17.3. Problem resolution</A
+NAME="AEN3060"
+>18.3. Problem resolution</A
 ></H2
 ><P
 >If something doesn't work then hopefully the log.nmb file will help
@@ -15383,8 +15427,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3014"
->17.4. Browsing across subnets</A
+NAME="AEN3069"
+>18.4. Browsing across subnets</A
 ></H2
 ><P
 >Since the release of Samba 1.9.17(alpha1) Samba has been
@@ -15414,8 +15458,8 @@ CLASS="SECT2"
 ><HR><H3
 CLASS="SECT2"
 ><A
-NAME="AEN3019"
->17.4.1. How does cross subnet browsing work ?</A
+NAME="AEN3074"
+>18.4.1. How does cross subnet browsing work ?</A
 ></H3
 ><P
 >Cross subnet browsing is a complicated dance, containing multiple
@@ -15625,8 +15669,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3054"
->17.5. Setting up a WINS server</A
+NAME="AEN3109"
+>18.5. Setting up a WINS server</A
 ></H2
 ><P
 >Either a Samba machine or a Windows NT Server machine may be set up
@@ -15708,8 +15752,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3073"
->17.6. Setting up Browsing in a WORKGROUP</A
+NAME="AEN3128"
+>18.6. Setting up Browsing in a WORKGROUP</A
 ></H2
 ><P
 >To set up cross subnet browsing on a network containing machines
@@ -15740,10 +15784,10 @@ options in the [global] section of the smb.conf file :</P
 ><P
 ><PRE
 CLASS="PROGRAMLISTING"
-> domain master = yes
- local master = yes
- preferred master = yes
- os level = 65</PRE
+>domain master = yes
+local master = yes
+preferred master = yes
+os level = 65</PRE
 ></P
 ><P
 >The domain master browser may be the same machine as the WINS
@@ -15760,10 +15804,10 @@ smb.conf file :</P
 ><P
 ><PRE
 CLASS="PROGRAMLISTING"
-> domain master = no
- local master = yes
- preferred master = yes
- os level = 65</PRE
+>domain master = no
+local master = yes
+preferred master = yes
+os level = 65</PRE
 ></P
 ><P
 >Do not do this for more than one Samba server on each subnet,
@@ -15782,10 +15826,10 @@ options in the [global] section of the smb.conf file :</P
 ><P
 ><PRE
 CLASS="PROGRAMLISTING"
-> domain master = no
- local master = no
- preferred master = no
- os level = 0</PRE
+>domain master = no
+local master = no
+preferred master = no
+os level = 0</PRE
 ></P
 ></DIV
 ><DIV
@@ -15793,8 +15837,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3091"
->17.7. Setting up Browsing in a DOMAIN</A
+NAME="AEN3146"
+>18.7. Setting up Browsing in a DOMAIN</A
 ></H2
 ><P
 >If you are adding Samba servers to a Windows NT Domain then
@@ -15812,10 +15856,10 @@ file :</P
 ><P
 ><PRE
 CLASS="PROGRAMLISTING"
-> domain master = no
- local master = yes
- preferred master = yes
- os level = 65</PRE
+>domain master = no
+local master = yes
+preferred master = yes
+os level = 65</PRE
 ></P
 ><P
 >If you wish to have a Samba server fight the election with machines
@@ -15844,8 +15888,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3101"
->17.8. Forcing samba to be the master</A
+NAME="AEN3156"
+>18.8. Forcing samba to be the master</A
 ></H2
 ><P
 >Who becomes the "master browser" is determined by an election process
@@ -15892,8 +15936,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3110"
->17.9. Making samba the domain master</A
+NAME="AEN3165"
+>18.9. Making samba the domain master</A
 ></H2
 ><P
 >The domain master is responsible for collating the browse lists of
@@ -15965,8 +16009,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3128"
->17.10. Note about broadcast addresses</A
+NAME="AEN3183"
+>18.10. Note about broadcast addresses</A
 ></H2
 ><P
 >If your network uses a "0" based broadcast address (for example if it
@@ -15979,8 +16023,8 @@ CLASS="SECT1"
 ><HR><H2
 CLASS="SECT1"
 ><A
-NAME="AEN3131"
->17.11. Multiple interfaces</A
+NAME="AEN3186"
+>18.11. Multiple interfaces</A
 ></H2
 ><P
 >Samba now supports machines with multiple network interfaces. If you
@@ -15992,16 +16036,189 @@ option in smb.conf to configure them. See smb.conf(5) for details.</P CLASS="CHAPTER" ><HR><H1 ><A +NAME="MSDFS" +></A +>Chapter 19. Hosting a Microsoft Distributed File System tree on Samba</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN3200" +>19.1. Instructions</A +></H2 +><P +>The Distributed File System (or Dfs) provides a means of + separating the logical view of files and directories that users + see from the actual physical locations of these resources on the + network. It allows for higher availability, smoother storage expansion, + load balancing etc. For more information about Dfs, refer to <A +HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" +TARGET="_top" +> Microsoft documentation</A +>. </P +><P +>This document explains how to host a Dfs tree on a Unix + machine (for Dfs-aware clients to browse) using Samba.</P +><P +>To enable SMB-based DFS for Samba, configure it with the + <VAR +CLASS="PARAMETER" +>--with-msdfs</VAR +> option. Once built, a + Samba server can be made a Dfs server by setting the global + boolean <A +HREF="smb.conf.5.html#HOSTMSDFS" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> host msdfs</VAR +></A +> parameter in the <TT +CLASS="FILENAME" +>smb.conf + </TT +> file. You designate a share as a Dfs root using the share + level boolean <A +HREF="smb.conf.5.html#MSDFSROOT" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> msdfs root</VAR +></A +> parameter. A Dfs root directory on + Samba hosts Dfs links in the form of symbolic links that point + to other servers. For example, a symbolic link + <TT +CLASS="FILENAME" +>junction->msdfs:storage1\share1</TT +> in + the share directory acts as the Dfs junction. 
When Dfs-aware + clients attempt to access the junction link, they are redirected + to the storage location (in this case, \\storage1\share1).</P +><P +>Dfs trees on Samba work with all Dfs-aware clients ranging + from Windows 95 to 2000.</P +><P +>Here's an example of setting up a Dfs tree on a Samba + server.</P +><P +><PRE +CLASS="PROGRAMLISTING" +># The smb.conf file: +[global] + netbios name = SAMBA + host msdfs = yes + +[dfs] + path = /export/dfsroot + msdfs root = yes + </PRE +></P +><P +>In the /export/dfsroot directory we set up our dfs links to + other servers on the network.</P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>cd /export/dfsroot</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>chown root /export/dfsroot</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>chmod 755 /export/dfsroot</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>ln -s msdfs:storageA\\shareA linka</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>ln -s msdfs:serverB\\share,serverC\\share linkb</KBD +></P +><P +>You should set up the permissions and ownership of + the directory acting as the Dfs root such that only designated + users can create, delete or modify the msdfs links. Also note + that symlink names should be all lowercase. This limitation exists + to have Samba avoid trying all the case combinations to get at + the link name. Finally set up the symbolic links to point to the + network shares you want, and start Samba.</P +><P +>Users on Dfs-aware clients can now browse the Dfs tree + on the Samba server at \\samba\dfs. Accessing + links linka or linkb (which appear as directories to the client) + takes users directly to the appropriate shares on the network.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3235" +>19.1.1. 
Notes</A +></H3 +><P +></P +><UL +><LI +><P +>Windows clients need to be rebooted + if a previously mounted non-dfs share is made a dfs + root or vice versa. A better way is to introduce a + new share and make it the dfs root.</P +></LI +><LI +><P +>Currently there's a restriction that msdfs + symlink names should all be lowercase.</P +></LI +><LI +><P +>For security purposes, the directory + acting as the root of the Dfs tree should have ownership + and permissions set so that only designated users can + modify the symbolic links in the directory.</P +></LI +></UL +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="VFS" ></A ->Chapter 18. Stackable VFS modules</H1 +>Chapter 20. Stackable VFS modules</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3149" ->18.1. Introduction and configuration</A +NAME="AEN3259" +>20.1. Introduction and configuration</A ></H2 ><P >Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. @@ -16041,16 +16258,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3158" ->18.2. Included modules</A +NAME="AEN3268" +>20.2. Included modules</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3160" ->18.2.1. audit</A +NAME="AEN3270" +>20.2.1. audit</A ></H3 ><P >A simple module to audit file access to the syslog @@ -16087,8 +16304,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3168" ->18.2.2. recycle</A +NAME="AEN3278" +>20.2.2. recycle</A ></H3 ><P >A recycle-bin like modules. When used any unlink call @@ -16158,8 +16375,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3205" ->18.2.3. netatalk</A +NAME="AEN3315" +>20.2.3. netatalk</A ></H3 ><P >A netatalk module, that will ease co-existence of samba and @@ -16191,8 +16408,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3212" ->18.3. VFS modules available elsewhere</A +NAME="AEN3322" +>20.3. VFS modules available elsewhere</A ></H2 ><P >This section contains a listing of various other VFS modules that 
@@ -16207,8 +16424,8 @@ CLASS="SECT2"
 ><HR><H3
 CLASS="SECT2"
 ><A
-NAME="AEN3216"
->18.3.1. DatabaseFS</A
+NAME="AEN3326"
+>20.3.1. DatabaseFS</A
 ></H3
 ><P
 >URL: <A
@@ -16241,8 +16458,8 @@ CLASS="SECT2"
 ><HR><H3
 CLASS="SECT2"
 ><A
-NAME="AEN3224"
->18.3.2. vscan</A
+NAME="AEN3334"
+>20.3.2. vscan</A
 ></H3
 ><P
 >URL: <A
@@ -16263,855 +16480,16 @@ by Rainer Link.</P CLASS="CHAPTER" ><HR><H1 ><A -NAME="GROUPMAPPING" -></A ->Chapter 19. Group mapping HOWTO</H1 -><P -> -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -<B -CLASS="COMMAND" ->smbgroupedit</B ->.</P -><P ->The first immediate reason to use the group mapping on a PDC, is that -the <B -CLASS="COMMAND" ->domain admin group</B -> of <TT -CLASS="FILENAME" ->smb.conf</TT -> is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups.</P -><P ->Let me explain how it works on NT/W2K, to have this magic fade away. -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P -><P ->When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation.</P -><P ->You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? 
That's really easy.</P -><P -></P -><OL -TYPE="1" -><LI -><P ->create a unix group (usually in <TT -CLASS="FILENAME" ->/etc/group</TT ->), let's call it domadm</P -></LI -><LI -><P ->add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT -CLASS="FILENAME" ->/etc/group</TT -> will look like:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->domadm:x:502:joe,john,mary</PRE -></P -></LI -><LI -><P ->Map this domadm group to the <B -CLASS="COMMAND" ->domain admins</B -> group by running the command:</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -c "Domain Admins" -u domadm</B -></P -></LI -></OL -><P ->You're set, joe, john and mary are domain administrators !</P -><P ->Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running:</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -a unixgroup -td</B -></P -><P ->You can list the various groups in the mapping database like this</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -v</B -></P -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="SPEED" -></A ->Chapter 20. Samba performance issues</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3279" ->20.1. Comparisons</A -></H2 -><P ->The Samba server uses TCP to talk to the client. Thus if you are -trying to see if it performs well you should really compare it to -programs that use the same protocol. The most readily available -programs for file transfer that use TCP are ftp or another TCP based -SMB server.</P -><P ->If you want to test against something like a NT or WfWg server then -you will have to disable all but TCP on either the client or -server. 
Otherwise you may well be using a totally different protocol -(such as Netbeui) and comparisons may not be valid.</P -><P ->Generally you should find that Samba performs similarly to ftp at raw -transfer speed. It should perform quite a bit faster than NFS, -although this very much depends on your system.</P -><P ->Several people have done comparisons between Samba and Novell, NFS or -WinNT. In some cases Samba performed the best, in others the worst. I -suspect the biggest factor is not Samba vs some other system but the -hardware and drivers used on the various systems. Given similar -hardware Samba should certainly be competitive in speed with other -systems.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3285" ->20.2. Socket options</A -></H2 -><P ->There are a number of socket options that can greatly affect the -performance of a TCP based server like Samba.</P -><P ->The socket options that Samba uses are settable both on the command -line with the -O option, or in the smb.conf file.</P -><P ->The "socket options" section of the smb.conf manual page describes how -to set these and gives recommendations.</P -><P ->Getting the socket options right can make a big difference to your -performance, but getting them wrong can degrade it by just as -much. The correct settings are very dependent on your local network.</P -><P ->The socket option TCP_NODELAY is the one that seems to make the -biggest single difference for most networks. Many people report that -adding "socket options = TCP_NODELAY" doubles the read performance of -a Samba drive. The best explanation I have seen for this is that the -Microsoft TCP/IP stack is slow in sending tcp ACKs.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3292" ->20.3. Read size</A -></H2 -><P ->The option "read size" affects the overlap of disk reads/writes with -network reads/writes. 
If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk.</P -><P ->This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other.</P -><P ->The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the best -value will vary greatly between systems anyway. A value over 65536 is -pointless and will cause you to allocate memory unnecessarily.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3297" ->20.4. Max xmit</A -></H2 -><P ->At startup the client and server negotiate a "maximum transmit" size, -which limits the size of nearly all SMB commands. You can set the -maximum size that Samba will negotiate using the "max xmit = " option -in smb.conf. Note that this is the maximum size of SMB request that -Samba will accept, but not the maximum size that the *client* will accept. -The client maximum receive size is sent to Samba by the client and Samba -honours this limit.</P -><P ->It defaults to 65536 bytes (the maximum), but it is possible that some -clients may perform better with a smaller transmit unit. Trying values -of less than 2048 is likely to cause severe problems.</P -><P ->In most cases the default is the best option.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3302" ->20.5. Log level</A -></H2 -><P ->If you set the log level (also known as "debug level") higher than 2 -then you may suffer a large drop in performance. This is because the -server flushes the log file after each operation, which can be very -expensive. 
</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3305" ->20.6. Read raw</A -></H2 -><P ->The "read raw" operation is designed to be an optimised, low-latency -file read operation. A server may choose to not support it, -however. and Samba makes support for "read raw" optional, with it -being enabled by default.</P -><P ->In some cases clients don't handle "read raw" very well and actually -get lower performance using it than they get using the conventional -read operations. </P -><P ->So you might like to try "read raw = no" and see what happens on your -network. It might lower, raise or not affect your performance. Only -testing can really tell.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3310" ->20.7. Write raw</A -></H2 -><P ->The "write raw" operation is designed to be an optimised, low-latency -file write operation. A server may choose to not support it, -however. and Samba makes support for "write raw" optional, with it -being enabled by default.</P -><P ->Some machines may find "write raw" slower than normal write, in which -case you may wish to change this option.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3314" ->20.8. Slow Clients</A -></H2 -><P ->One person has reported that setting the protocol to COREPLUS rather -than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P -><P ->I suspect that his PC's (386sx16 based) were asking for more data than -they could chew. I suspect a similar speed could be had by setting -"read raw = no" and "max xmit = 2048", instead of changing the -protocol. Lowering the "read size" might also help.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3318" ->20.9. Slow Logins</A -></H2 -><P ->Slow logins are almost always due to the password checking time. Using -the lowest practical "password level" will improve things a lot. 
You -could also enable the "UFC crypt" option in the Makefile.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3321" ->20.10. Client tuning</A -></H2 -><P ->Often a speed problem can be traced to the client. The client (for -example Windows for Workgroups) can often be tuned for better TCP -performance.</P -><P ->See your client docs for details. In particular, I have heard rumours -that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a -large impact on performance.</P -><P ->Also note that some people have found that setting DefaultRcvWindow in -the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a -big improvement. I don't know why.</P -><P ->My own experience wth DefaultRcvWindow is that I get much better -performance with a large value (16384 or larger). Other people have -reported that anything over 3072 slows things down enourmously. One -person even reported a speed drop of a factor of 30 when he went from -3072 to 8192. I don't know why.</P -><P ->It probably depends a lot on your hardware, and the type of unix box -you have at the other end of the link.</P -><P ->Paul Cochrane has done some testing on client side tuning and come -to the following conclusions:</P -><P ->Install the W2setup.exe file from www.microsoft.com. This is an -update for the winsock stack and utilities which improve performance.</P -><P ->Configure the win95 TCPIP registry settings to give better -perfomance. I use a program called MTUSPEED.exe which I got off the -net. There are various other utilities of this type freely available. 
-The setting which give the best performance for me are:</P -><P -></P -><OL -TYPE="1" -><LI -><P ->MaxMTU Remove</P -></LI -><LI -><P ->RWIN Remove</P -></LI -><LI -><P ->MTUAutoDiscover Disable</P -></LI -><LI -><P ->MTUBlackHoleDetect Disable</P -></LI -><LI -><P ->Time To Live Enabled</P -></LI -><LI -><P ->Time To Live - HOPS 32</P -></LI -><LI -><P ->NDI Cache Size 0</P -></LI -></OL -><P ->I tried virtually all of the items mentioned in the document and -the only one which made a difference to me was the socket options. It -turned out I was better off without any!!!!!</P -><P ->In terms of overall speed of transfer, between various win95 clients -and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE -drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P -><P -><PRE -CLASS="PROGRAMLISTING" ->The figures are: Put Get -P166 client 3Com card: 420-440kB/s 500-520kB/s -P100 client 3Com card: 390-410kB/s 490-510kB/s -DX4-75 client NE2000: 370-380kB/s 330-350kB/s</PRE -></P -><P ->I based these test on transfer two files a 4.5MB text file and a 15MB -textfile. The results arn't bad considering the hardware Samba is -running on. It's a crap machine!!!!</P -><P ->The updates mentioned in 1 and 2 brought up the transfer rates from -just over 100kB/s in some clients.</P -><P ->A new client is a P333 connected via a 100MB/s card and hub. The -transfer rates from this were good: 450-500kB/s on put and 600+kB/s -on get.</P -><P ->Looking at standard FTP throughput, Samba is a bit slower (100kB/s -upwards). I suppose there is more going on in the samba protocol, but -if it could get up to the rate of FTP the perfomance would be quite -staggering.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="GROUPPROFILES" -></A ->Chapter 21. Creating Group Prolicy Files</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3369" ->21.1. 
Windows '9x</A -></H2 -><P ->You need the Win98 Group Policy Editor to -set Group Profiles up under Windows '9x. It can be found on the Original -full product Win98 installation CD under -<TT -CLASS="FILENAME" ->tools/reskit/netadmin/poledit</TT ->. You install this -using the Add/Remove Programs facility and then click on the 'Have Disk' -tab.</P -><P ->Use the Group Policy Editor to create a policy file that specifies the -location of user profiles and/or the <TT -CLASS="FILENAME" ->My Documents</TT -> etc. -stuff. You then save these settings in a file called -<TT -CLASS="FILENAME" ->Config.POL</TT -> that needs to be placed in -the root of the [NETLOGON] share. If your Win98 is configured to log onto -the Samba Domain, it will automatically read this file and update the -Win9x/Me registry of the machine that is logging on.</P -><P ->All of this is covered in the Win98 Resource Kit documentation.</P -><P ->If you do not do it this way, then every so often Win9x/Me will check the -integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win9x/Me machine. Hence, you will -occasionally notice things changing back to the original settings.</P -><P ->The following all refers to Windows NT/200x profile migration - not to policies. -We need a separate section on policies (NTConfig.Pol) for NT4/200x.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3379" ->21.2. 
Windows NT 4</A -></H2 -><P ->Unfortunately, the Resource Kit info is Win NT4 or 200x specific.</P -><P ->Here is a quick guide:</P -><P -></P -><UL -><LI -><P ->On your NT4 Domain Controller, right click on 'My Computer', then -select the tab labelled 'User Profiles'.</P -></LI -><LI -><P ->Select a user profile you want to migrate and click on it.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="90%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I am using the term "migrate" lossely. You can copy a profile to -create a group profile. You can give the user 'Everyone' rights to the -profile you copy this to. That is what you need to do, since your samba -domain is not a member of a trust relationship with your NT4 PDC.</P -></TD -></TR -></TABLE -></DIV -></LI -><LI -><P ->Click the 'Copy To' button.</P -></LI -><LI -><P ->In the box labelled 'Copy Profile to' add your new path, eg: -<TT -CLASS="FILENAME" ->c:\temp\foobar</TT -></P -></LI -><LI -><P ->Click on the button labelled 'Change' in the "Permitted to use" box.</P -></LI -><LI -><P ->Click on the group 'Everyone' and then click OK. This closes the -'chose user' box.</P -></LI -><LI -><P ->Now click OK.</P -></LI -></UL -><P ->Follow the above for every profile you need to migrate.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3402" ->21.2.1. Side bar Notes</A -></H3 -><P ->You should obtain the SID of your NT4 domain. You can use smbpasswd to do -this. Read the man page.</P -><P ->With Samba-3.0.0 alpha code you can import all you NT4 domain accounts -using the net samsync method. This way you can retain your profile -settings as well as all your users.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3406" ->21.2.2. 
Mandatory profiles</A -></H3 -><P ->The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3409" ->21.2.3. moveuser.exe</A -></H3 -><P ->The W2K professional resource kit has moveuser.exe. moveuser.exe changes -the security of a profile from one user to another. This allows the account -domain to change, and/or the user name to change.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3412" ->21.2.4. Get SID</A -></H3 -><P ->You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 -Resource Kit.</P -><P ->Windows NT 4.0 stores the local profile information in the registry under -the following key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</P -><P ->Under the ProfileList key, there will be subkeys named with the SIDs of the -users who have logged on to this computer. (To find the profile information -for the user whose locally cached profile you want to move, find the SID for -the user with the GetSID.exe utility.) Inside of the appropriate user's -subkey, you will see a string value named ProfileImagePath.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3417" ->21.3. 
Windows 2000/XP</A -></H2 -><P ->You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows:</P -><P -></P -><UL -><LI -><P ->Log on as the LOCAL workstation administrator.</P -></LI -><LI -><P ->Right click on the 'My Computer' Icon, select 'Properties'</P -></LI -><LI -><P ->Click on the 'User Profiles' tab</P -></LI -><LI -><P ->Select the profile you wish to convert (click on it once)</P -></LI -><LI -><P ->Click on the button 'Copy To'</P -></LI -><LI -><P ->In the "Permitted to use" box, click on the 'Change' button.</P -></LI -><LI -><P ->Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="90%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword.</P -></TD -></TR -></TABLE -></DIV -></LI -><LI -><P ->To make the profile capable of being used by anyone select 'Everyone'</P -></LI -><LI -><P ->Click OK. The Selection box will close.</P -></LI -><LI -><P ->Now click on the 'Ok' button to create the profile in the path you -nominated.</P -></LI -></UL -><P ->Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Under NT/2K the use of mandotory profiles forces the use of MS Exchange -storage of mail data. 
That keeps desktop profiles usable.</P -></TD -></TR -></TABLE -></DIV -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -></P -><UL -><LI -><P ->This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</P -><P ->"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders"</P -><P ->...and it should be set to "Enabled". -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this.</P -><P ->If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. 
I don't know for sure that this will work in the -same way as a domain group policy):</P -></LI -><LI -><P ->On the XP workstation log in with an Administrator account.</P -></LI -><LI -><P ->Click: "Start", "Run"</P -></LI -><LI -><P ->Type: "mmc"</P -></LI -><LI -><P ->Click: "OK"</P -></LI -><LI -><P ->A Microsoft Management Console should appear.</P -></LI -><LI -><P ->Click: File, "Add/Remove Snap-in...", "Add"</P -></LI -><LI -><P ->Double-Click: "Group Policy"</P -></LI -><LI -><P ->Click: "Finish", "Close"</P -></LI -><LI -><P ->Click: "OK"</P -></LI -><LI -><P ->In the "Console Root" window:</P -></LI -><LI -><P ->Expand: "Local Computer Policy", "Computer Configuration",</P -></LI -><LI -><P ->"Administrative Templates", "System", "User Profiles"</P -></LI -><LI -><P ->Double-Click: "Do not check for user ownership of Roaming Profile</P -></LI -><LI -><P ->Folders"</P -></LI -><LI -><P ->Select: "Enabled"</P -></LI -><LI -><P ->Click: OK"</P -></LI -><LI -><P ->Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed).</P -></LI -><LI -><P ->Reboot</P -></LI -></UL -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A NAME="SECURING-SAMBA" ></A ->Chapter 22. Securing Samba</H1 +>Chapter 21. Securing Samba</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3498" ->22.1. Introduction</A +NAME="AEN3348" +>21.1. Introduction</A ></H2 ><P >This note was attached to the Samba 2.2.8 release notes as it contained an @@ -17123,8 +16501,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3501" ->22.2. Using host based protection</A +NAME="AEN3351" +>21.2. Using host based protection</A ></H2 ><P >In many installations of Samba the greatest threat comes for outside 
@@ -17155,8 +16533,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3508" ->22.3. Using interface protection</A +NAME="AEN3358" +>21.3. Using interface protection</A ></H2 ><P >By default Samba will accept connections on any network interface that @@ -17191,8 +16569,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3517" ->22.4. Using a firewall</A +NAME="AEN3367" +>21.4. Using a firewall</A ></H2 ><P >Many people use a firewall to deny access to services that they don't @@ -17221,8 +16599,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3524" ->22.5. Using a IPC$ share deny</A +NAME="AEN3374" +>21.5. Using a IPC$ share deny</A ></H2 ><P >If the above methods are not suitable, then you could also place a @@ -17260,8 +16638,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3533" ->22.6. Upgrading Samba</A +NAME="AEN3383" +>21.6. Upgrading Samba</A ></H2 ><P >Please check regularly on http://www.samba.org/ for updates and @@ -17276,14 +16654,14 @@ CLASS="CHAPTER" ><A NAME="UNICODE" ></A ->Chapter 23. Unicode/Charsets</H1 +>Chapter 22. Unicode/Charsets</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3547" ->23.1. What are charsets and unicode?</A +NAME="AEN3397" +>22.1. What are charsets and unicode?</A ></H2 ><P >Computers communicate in numbers. In texts, each number will be @@ -17332,8 +16710,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3556" ->23.2. Samba and charsets</A +NAME="AEN3406" +>22.2. Samba and charsets</A ></H2 ><P >As of samba 3.0, samba can (and will) talk unicode over the wire. Internally, 
@@ -17408,6 +16786,65 @@ CLASS="TOC" >Table of Contents</B ></DT ><DT +>23. <A +HREF="#SPEED" +>Samba performance issues</A +></DT +><DD +><DL +><DT +>23.1. <A +HREF="#AEN3443" +>Comparisons</A +></DT +><DT +>23.2. <A +HREF="#AEN3449" +>Socket options</A +></DT +><DT +>23.3. <A +HREF="#AEN3456" +>Read size</A +></DT +><DT +>23.4. <A +HREF="#AEN3461" +>Max xmit</A +></DT +><DT +>23.5. <A +HREF="#AEN3466" +>Log level</A +></DT +><DT +>23.6. <A +HREF="#AEN3469" +>Read raw</A +></DT +><DT +>23.7. <A +HREF="#AEN3474" +>Write raw</A +></DT +><DT +>23.8. <A +HREF="#AEN3478" +>Slow Clients</A +></DT +><DT +>23.9. <A +HREF="#AEN3482" +>Slow Logins</A +></DT +><DT +>23.10. <A +HREF="#AEN3485" +>Client tuning</A +></DT +></DL +></DD +><DT >24. <A HREF="#PORTABILITY" >Portability</A @@ -17416,34 +16853,34 @@ HREF="#PORTABILITY" ><DL ><DT >24.1. <A -HREF="#AEN3585" +HREF="#AEN3525" >HPUX</A ></DT ><DT >24.2. <A -HREF="#AEN3591" +HREF="#AEN3531" >SCO Unix</A ></DT ><DT >24.3. <A -HREF="#AEN3595" +HREF="#AEN3535" >DNIX</A ></DT ><DT >24.4. <A -HREF="#AEN3624" +HREF="#AEN3564" >RedHat Linux Rembrandt-II</A ></DT ><DT >24.5. <A -HREF="#AEN3630" +HREF="#AEN3570" >AIX</A ></DT ><DD ><DL ><DT >24.5.1. <A -HREF="#AEN3632" +HREF="#AEN3572" >Sequential Read Ahead</A ></DT ></DL 
@@ -17459,37 +16896,37 @@ HREF="#OTHER-CLIENTS" ><DL ><DT >25.1. <A -HREF="#AEN3650" +HREF="#AEN3590" >Macintosh clients?</A ></DT ><DT >25.2. <A -HREF="#AEN3659" +HREF="#AEN3599" >OS2 Client</A ></DT ><DD ><DL ><DT >25.2.1. <A -HREF="#AEN3661" +HREF="#AEN3601" >How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></DT ><DT >25.2.2. <A -HREF="#AEN3676" +HREF="#AEN3616" >How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></DT ><DT >25.2.3. <A -HREF="#AEN3685" +HREF="#AEN3625" >Are there any other issues when OS/2 (any version) is used as a client?</A ></DT ><DT >25.2.4. <A -HREF="#AEN3689" +HREF="#AEN3629" >How do I get printer driver download working for OS/2 clients?</A ></DT @@ -17497,46 +16934,46 @@ HREF="#AEN3689" ></DD ><DT >25.3. <A -HREF="#AEN3699" +HREF="#AEN3639" >Windows for Workgroups</A ></DT ><DD ><DL ><DT >25.3.1. <A -HREF="#AEN3701" +HREF="#AEN3641" >Use latest TCP/IP stack from Microsoft</A ></DT ><DT >25.3.2. <A -HREF="#AEN3706" +HREF="#AEN3646" >Delete .pwl files after password change</A ></DT ><DT >25.3.3. <A -HREF="#AEN3711" +HREF="#AEN3651" >Configure WfW password handling</A ></DT ><DT >25.3.4. <A -HREF="#AEN3715" +HREF="#AEN3655" >Case handling of passwords</A ></DT ><DT >25.3.5. <A -HREF="#AEN3720" +HREF="#AEN3660" >Use TCP/IP as default protocol</A ></DT ></DL ></DD ><DT >25.4. <A -HREF="#AEN3723" +HREF="#AEN3663" >Windows '95/'98</A ></DT ><DT >25.5. <A -HREF="#AEN3739" +HREF="#AEN3679" >Windows 2000 Service Pack 2</A ></DT ></DL 
@@ -17550,57 +16987,57 @@ HREF="#COMPILING" ><DL ><DT >26.1. <A -HREF="#AEN3766" +HREF="#AEN3706" >Access Samba source code via CVS</A ></DT ><DD ><DL ><DT >26.1.1. <A -HREF="#AEN3768" +HREF="#AEN3708" >Introduction</A ></DT ><DT >26.1.2. <A -HREF="#AEN3773" +HREF="#AEN3713" >CVS Access to samba.org</A ></DT ></DL ></DD ><DT >26.2. <A -HREF="#AEN3809" +HREF="#AEN3749" >Accessing the samba sources via rsync and ftp</A ></DT ><DT >26.3. <A -HREF="#AEN3815" +HREF="#AEN3755" >Building the Binaries</A ></DT ><DD ><DL ><DT >26.3.1. <A -HREF="#AEN3843" +HREF="#AEN3783" >Compiling samba with Active Directory support</A ></DT ></DL ></DD ><DT >26.4. <A -HREF="#AEN3872" +HREF="#AEN3812" >Starting the smbd and nmbd</A ></DT ><DD ><DL ><DT >26.4.1. <A -HREF="#AEN3882" +HREF="#AEN3822" >Starting from inetd.conf</A ></DT ><DT >26.4.2. <A -HREF="#AEN3911" +HREF="#AEN3851" >Alternative: starting it as a daemon</A ></DT ></DL @@ -17616,32 +17053,32 @@ HREF="#BUGREPORT" ><DL ><DT >27.1. <A -HREF="#AEN3934" +HREF="#AEN3874" >Introduction</A ></DT ><DT >27.2. <A -HREF="#AEN3944" +HREF="#AEN3884" >General info</A ></DT ><DT >27.3. <A -HREF="#AEN3950" +HREF="#AEN3890" >Debug levels</A ></DT ><DT >27.4. <A -HREF="#AEN3967" +HREF="#AEN3907" >Internal errors</A ></DT ><DT >27.5. <A -HREF="#AEN3977" +HREF="#AEN3917" >Attaching to a running process</A ></DT ><DT >27.6. <A -HREF="#AEN3980" +HREF="#AEN3920" >Patches</A ></DT ></DL 
@@ -17655,81 +17092,81 @@ HREF="#DIAGNOSIS" ><DL ><DT >28.1. <A -HREF="#AEN4003" +HREF="#AEN3943" >Introduction</A ></DT ><DT >28.2. <A -HREF="#AEN4008" +HREF="#AEN3948" >Assumptions</A ></DT ><DT >28.3. <A -HREF="#AEN4018" +HREF="#AEN3958" >Tests</A ></DT ><DD ><DL ><DT >28.3.1. <A -HREF="#AEN4020" +HREF="#AEN3960" >Test 1</A ></DT ><DT >28.3.2. <A -HREF="#AEN4026" +HREF="#AEN3966" >Test 2</A ></DT ><DT >28.3.3. <A -HREF="#AEN4032" +HREF="#AEN3972" >Test 3</A ></DT ><DT >28.3.4. <A -HREF="#AEN4047" +HREF="#AEN3987" >Test 4</A ></DT ><DT >28.3.5. <A -HREF="#AEN4052" +HREF="#AEN3992" >Test 5</A ></DT ><DT >28.3.6. <A -HREF="#AEN4058" +HREF="#AEN3998" >Test 6</A ></DT ><DT >28.3.7. <A -HREF="#AEN4066" +HREF="#AEN4006" >Test 7</A ></DT ><DT >28.3.8. <A -HREF="#AEN4092" +HREF="#AEN4032" >Test 8</A ></DT ><DT >28.3.9. <A -HREF="#AEN4109" +HREF="#AEN4049" >Test 9</A ></DT ><DT >28.3.10. <A -HREF="#AEN4117" +HREF="#AEN4057" >Test 10</A ></DT ><DT >28.3.11. <A -HREF="#AEN4123" +HREF="#AEN4063" >Test 11</A ></DT ></DL ></DD ><DT >28.4. <A -HREF="#AEN4128" +HREF="#AEN4068" >Still having troubles?</A ></DT ></DL 
@@ -17741,6 +17178,311 @@ HREF="#AEN4128" CLASS="CHAPTER" ><HR><H1 ><A +NAME="SPEED" +></A +>Chapter 23. Samba performance issues</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN3443" +>23.1. Comparisons</A +></H2 +><P +>The Samba server uses TCP to talk to the client. Thus if you are +trying to see if it performs well you should really compare it to +programs that use the same protocol. The most readily available +programs for file transfer that use TCP are ftp or another TCP based +SMB server.</P +><P +>If you want to test against something like a NT or WfWg server then +you will have to disable all but TCP on either the client or +server. Otherwise you may well be using a totally different protocol +(such as Netbeui) and comparisons may not be valid.</P +><P +>Generally you should find that Samba performs similarly to ftp at raw +transfer speed. It should perform quite a bit faster than NFS, +although this very much depends on your system.</P +><P +>Several people have done comparisons between Samba and Novell, NFS or +WinNT. In some cases Samba performed the best, in others the worst. I +suspect the biggest factor is not Samba vs some other system but the +hardware and drivers used on the various systems. Given similar +hardware Samba should certainly be competitive in speed with other +systems.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3449" +>23.2. Socket options</A +></H2 +><P +>There are a number of socket options that can greatly affect the +performance of a TCP based server like Samba.</P +><P +>The socket options that Samba uses are settable both on the command +line with the -O option, or in the smb.conf file.</P +><P +>The "socket options" section of the smb.conf manual page describes how +to set these and gives recommendations.</P +><P +>Getting the socket options right can make a big difference to your +performance, but getting them wrong can degrade it by just as +much. 
The correct settings are very dependent on your local network.</P +><P +>The socket option TCP_NODELAY is the one that seems to make the +biggest single difference for most networks. Many people report that +adding "socket options = TCP_NODELAY" doubles the read performance of +a Samba drive. The best explanation I have seen for this is that the +Microsoft TCP/IP stack is slow in sending tcp ACKs.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3456" +>23.3. Read size</A +></H2 +><P +>The option "read size" affects the overlap of disk reads/writes with +network reads/writes. If the amount of data being transferred in +several of the SMB commands (currently SMBwrite, SMBwriteX and +SMBreadbraw) is larger than this value then the server begins writing +the data before it has received the whole packet from the network, or +in the case of SMBreadbraw, it begins writing to the network before +all the data has been read from disk.</P +><P +>This overlapping works best when the speeds of disk and network access +are similar, having very little effect when the speed of one is much +greater than the other.</P +><P +>The default value is 16384, but very little experimentation has been +done yet to determine the optimal value, and it is likely that the best +value will vary greatly between systems anyway. A value over 65536 is +pointless and will cause you to allocate memory unnecessarily.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3461" +>23.4. Max xmit</A +></H2 +><P +>At startup the client and server negotiate a "maximum transmit" size, +which limits the size of nearly all SMB commands. You can set the +maximum size that Samba will negotiate using the "max xmit = " option +in smb.conf. Note that this is the maximum size of SMB request that +Samba will accept, but not the maximum size that the *client* will accept. 
+The client maximum receive size is sent to Samba by the client and Samba +honours this limit.</P +><P +>It defaults to 65536 bytes (the maximum), but it is possible that some +clients may perform better with a smaller transmit unit. Trying values +of less than 2048 is likely to cause severe problems.</P +><P +>In most cases the default is the best option.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3466" +>23.5. Log level</A +></H2 +><P +>If you set the log level (also known as "debug level") higher than 2 +then you may suffer a large drop in performance. This is because the +server flushes the log file after each operation, which can be very +expensive. </P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3469" +>23.6. Read raw</A +></H2 +><P +>The "read raw" operation is designed to be an optimised, low-latency +file read operation. A server may choose to not support it, +however. and Samba makes support for "read raw" optional, with it +being enabled by default.</P +><P +>In some cases clients don't handle "read raw" very well and actually +get lower performance using it than they get using the conventional +read operations. </P +><P +>So you might like to try "read raw = no" and see what happens on your +network. It might lower, raise or not affect your performance. Only +testing can really tell.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3474" +>23.7. Write raw</A +></H2 +><P +>The "write raw" operation is designed to be an optimised, low-latency +file write operation. A server may choose to not support it, +however. and Samba makes support for "write raw" optional, with it +being enabled by default.</P +><P +>Some machines may find "write raw" slower than normal write, in which +case you may wish to change this option.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3478" +>23.8. 
Slow Clients</A +></H2 +><P +>One person has reported that setting the protocol to COREPLUS rather +than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s).</P +><P +>I suspect that his PC's (386sx16 based) were asking for more data than +they could chew. I suspect a similar speed could be had by setting +"read raw = no" and "max xmit = 2048", instead of changing the +protocol. Lowering the "read size" might also help.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3482" +>23.9. Slow Logins</A +></H2 +><P +>Slow logins are almost always due to the password checking time. Using +the lowest practical "password level" will improve things a lot. You +could also enable the "UFC crypt" option in the Makefile.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3485" +>23.10. Client tuning</A +></H2 +><P +>Often a speed problem can be traced to the client. The client (for +example Windows for Workgroups) can often be tuned for better TCP +performance.</P +><P +>See your client docs for details. In particular, I have heard rumours +that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a +large impact on performance.</P +><P +>Also note that some people have found that setting DefaultRcvWindow in +the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a +big improvement. I don't know why.</P +><P +>My own experience wth DefaultRcvWindow is that I get much better +performance with a large value (16384 or larger). Other people have +reported that anything over 3072 slows things down enourmously. One +person even reported a speed drop of a factor of 30 when he went from +3072 to 8192. I don't know why.</P +><P +>It probably depends a lot on your hardware, and the type of unix box +you have at the other end of the link.</P +><P +>Paul Cochrane has done some testing on client side tuning and come +to the following conclusions:</P +><P +>Install the W2setup.exe file from www.microsoft.com. 
This is an +update for the winsock stack and utilities which improve performance.</P +><P +>Configure the win95 TCPIP registry settings to give better +perfomance. I use a program called MTUSPEED.exe which I got off the +net. There are various other utilities of this type freely available. +The setting which give the best performance for me are:</P +><P +></P +><OL +TYPE="1" +><LI +><P +>MaxMTU Remove</P +></LI +><LI +><P +>RWIN Remove</P +></LI +><LI +><P +>MTUAutoDiscover Disable</P +></LI +><LI +><P +>MTUBlackHoleDetect Disable</P +></LI +><LI +><P +>Time To Live Enabled</P +></LI +><LI +><P +>Time To Live - HOPS 32</P +></LI +><LI +><P +>NDI Cache Size 0</P +></LI +></OL +><P +>I tried virtually all of the items mentioned in the document and +the only one which made a difference to me was the socket options. It +turned out I was better off without any!!!!!</P +><P +>In terms of overall speed of transfer, between various win95 clients +and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE +drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT.</P +><P +><PRE +CLASS="PROGRAMLISTING" +>The figures are: Put Get +P166 client 3Com card: 420-440kB/s 500-520kB/s +P100 client 3Com card: 390-410kB/s 490-510kB/s +DX4-75 client NE2000: 370-380kB/s 330-350kB/s</PRE +></P +><P +>I based these test on transfer two files a 4.5MB text file and a 15MB +textfile. The results arn't bad considering the hardware Samba is +running on. It's a crap machine!!!!</P +><P +>The updates mentioned in 1 and 2 brought up the transfer rates from +just over 100kB/s in some clients.</P +><P +>A new client is a P333 connected via a 100MB/s card and hub. The +transfer rates from this were good: 450-500kB/s on put and 600+kB/s +on get.</P +><P +>Looking at standard FTP throughput, Samba is a bit slower (100kB/s +upwards). 
I suppose there is more going on in the samba protocol, but +if it could get up to the rate of FTP the perfomance would be quite +staggering.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="PORTABILITY" ></A >Chapter 24. Portability</H1 @@ -17753,7 +17495,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3585" +NAME="AEN3525" >24.1. HPUX</A ></H2 ><P @@ -17783,7 +17525,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3591" +NAME="AEN3531" >24.2. SCO Unix</A ></H2 ><P @@ -17800,7 +17542,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3595" +NAME="AEN3535" >24.3. DNIX</A ></H2 ><P @@ -17907,7 +17649,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3624" +NAME="AEN3564" >24.4. RedHat Linux Rembrandt-II</A ></H2 ><P @@ -17931,7 +17673,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3630" +NAME="AEN3570" >24.5. AIX</A ></H2 ><DIV @@ -17939,7 +17681,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3632" +NAME="AEN3572" >24.5.1. Sequential Read Ahead</A ></H3 ><P @@ -17962,7 +17704,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3650" +NAME="AEN3590" >25.1. Macintosh clients?</A ></H2 ><P @@ -18008,7 +17750,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3659" +NAME="AEN3599" >25.2. OS2 Client</A ></H2 ><DIV @@ -18016,7 +17758,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3661" +NAME="AEN3601" >25.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></H3 @@ -18075,7 +17817,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3676" +NAME="AEN3616" >25.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></H3 @@ -18119,7 +17861,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3685" +NAME="AEN3625" >25.2.3. Are there any other issues when OS/2 (any version) is used as a client?</A ></H3 
@@ -18141,7 +17883,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3689" +NAME="AEN3629" >25.2.4. How do I get printer driver download working for OS/2 clients?</A ></H3 @@ -18188,7 +17930,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3699" +NAME="AEN3639" >25.3. Windows for Workgroups</A ></H2 ><DIV @@ -18196,7 +17938,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3701" +NAME="AEN3641" >25.3.1. Use latest TCP/IP stack from Microsoft</A ></H3 ><P @@ -18218,7 +17960,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3706" +NAME="AEN3646" >25.3.2. Delete .pwl files after password change</A ></H3 ><P @@ -18238,7 +17980,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3711" +NAME="AEN3651" >25.3.3. Configure WfW password handling</A ></H3 ><P @@ -18257,7 +17999,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3715" +NAME="AEN3655" >25.3.4. Case handling of passwords</A ></H3 ><P @@ -18275,7 +18017,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3720" +NAME="AEN3660" >25.3.5. Use TCP/IP as default protocol</A ></H3 ><P @@ -18291,7 +18033,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3723" +NAME="AEN3663" >25.4. Windows '95/'98</A ></H2 ><P @@ -18339,7 +18081,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3739" +NAME="AEN3679" >25.5. Windows 2000 Service Pack 2</A ></H2 ><P @@ -18436,7 +18178,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3766" +NAME="AEN3706" >26.1. Access Samba source code via CVS</A ></H2 ><DIV @@ -18444,7 +18186,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3768" +NAME="AEN3708" >26.1.1. Introduction</A ></H3 ><P @@ -18466,7 +18208,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3773" +NAME="AEN3713" >26.1.2. CVS Access to samba.org</A ></H3 ><P @@ -18479,7 +18221,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3776" +NAME="AEN3716" >26.1.2.1. Access via CVSweb</A ></H4 ><P 
@@ -18500,7 +18242,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3781" +NAME="AEN3721" >26.1.2.2. Access via cvs</A ></H4 ><P @@ -18605,7 +18347,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3809" +NAME="AEN3749" >26.2. Accessing the samba sources via rsync and ftp</A ></H2 ><P @@ -18633,7 +18375,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3815" +NAME="AEN3755" >26.3. Building the Binaries</A ></H2 ><P @@ -18719,7 +18461,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3843" +NAME="AEN3783" >26.3.1. Compiling samba with Active Directory support</A ></H3 ><P @@ -18769,7 +18511,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3855" +NAME="AEN3795" >26.3.1.1. Installing the required packages for Debian</A ></H4 ><P @@ -18800,7 +18542,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3862" +NAME="AEN3802" >26.3.1.2. Installing the required packages for RedHat</A ></H4 ><P @@ -18842,7 +18584,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3872" +NAME="AEN3812" >26.4. Starting the smbd and nmbd</A ></H2 ><P @@ -18882,7 +18624,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3882" +NAME="AEN3822" >26.4.1. Starting from inetd.conf</A ></H3 ><P @@ -18982,7 +18724,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3911" +NAME="AEN3851" >26.4.2. Alternative: starting it as a daemon</A ></H3 ><P @@ -19047,7 +18789,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3934" +NAME="AEN3874" >27.1. Introduction</A ></H2 ><P @@ -19092,7 +18834,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3944" +NAME="AEN3884" >27.2. General info</A ></H2 ><P @@ -19117,7 +18859,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3950" +NAME="AEN3890" >27.3. Debug levels</A ></H2 ><P @@ -19187,7 +18929,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3967" +NAME="AEN3907" >27.4. Internal errors</A ></H2 ><P 
@@ -19231,7 +18973,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3977" +NAME="AEN3917" >27.5. Attaching to a running process</A ></H2 ><P @@ -19248,7 +18990,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3980" +NAME="AEN3920" >27.6. Patches</A ></H2 ><P @@ -19277,7 +19019,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN4003" +NAME="AEN3943" >28.1. Introduction</A ></H2 ><P @@ -19299,7 +19041,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4008" +NAME="AEN3948" >28.2. Assumptions</A ></H2 ><P @@ -19337,7 +19079,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4018" +NAME="AEN3958" >28.3. Tests</A ></H2 ><DIV @@ -19345,7 +19087,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN4020" +NAME="AEN3960" >28.3.1. Test 1</A ></H3 ><P @@ -19367,7 +19109,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4026" +NAME="AEN3966" >28.3.2. Test 2</A ></H3 ><P @@ -19393,7 +19135,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4032" +NAME="AEN3972" >28.3.3. Test 3</A ></H3 ><P @@ -19464,7 +19206,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4047" +NAME="AEN3987" >28.3.4. Test 4</A ></H3 ><P @@ -19485,7 +19227,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4052" +NAME="AEN3992" >28.3.5. Test 5</A ></H3 ><P @@ -19506,7 +19248,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4058" +NAME="AEN3998" >28.3.6. Test 6</A ></H3 ><P @@ -19540,7 +19282,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4066" +NAME="AEN4006" >28.3.7. Test 7</A ></H3 ><P @@ -19629,7 +19371,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4092" +NAME="AEN4032" >28.3.8. Test 8</A ></H3 ><P @@ -19689,7 +19431,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4109" +NAME="AEN4049" >28.3.9. Test 9</A ></H3 ><P @@ -19723,7 +19465,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4117" +NAME="AEN4057" >28.3.10. Test 10</A ></H3 ><P 
@@ -19749,7 +19491,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN4123" +NAME="AEN4063" >28.3.11. Test 11</A ></H3 ><P @@ -19777,7 +19519,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4128" +NAME="AEN4068" >28.4. Still having troubles?</A ></H2 ><P |