summaryrefslogtreecommitdiff
path: root/docs/textdocs
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-04-19 21:30:20 +0000
committerGerald Carter <jerry@samba.org>2001-04-19 21:30:20 +0000
commite3fc10eab22443376ac3312447874607810dbc6b (patch)
tree4731fee5485deed4bd37c44c348a9630ece4a1fa /docs/textdocs
parent3cfd1cb50b3fd71b8b523b26a3378eea4eb10130 (diff)
downloadsamba-e3fc10eab22443376ac3312447874607810dbc6b.tar.gz
samba-e3fc10eab22443376ac3312447874607810dbc6b.tar.bz2
samba-e3fc10eab22443376ac3312447874607810dbc6b.zip
syncing up with 2.2
(This used to be commit dd83f412e9c60c02bf1d5e11a13a6122c71375ca)
Diffstat (limited to 'docs/textdocs')
-rw-r--r--docs/textdocs/DOMAIN_CONTROL.txt121
-rw-r--r--docs/textdocs/DOMAIN_MEMBER.txt151
-rw-r--r--docs/textdocs/ENCRYPTION.txt331
-rw-r--r--docs/textdocs/NT_Security.txt304
-rw-r--r--docs/textdocs/PRINTER_DRIVER2.txt332
-rw-r--r--docs/textdocs/UNIX_INSTALL.txt332
-rw-r--r--docs/textdocs/samba-pdc-faq.txt939
-rw-r--r--docs/textdocs/samba-pdc-howto.txt712
8 files changed, 0 insertions, 3222 deletions
diff --git a/docs/textdocs/DOMAIN_CONTROL.txt b/docs/textdocs/DOMAIN_CONTROL.txt
deleted file mode 100644
index dd4afa3475..0000000000
--- a/docs/textdocs/DOMAIN_CONTROL.txt
+++ /dev/null
@@ -1,121 +0,0 @@
-!==
-!== DOMAIN_CONTROL.txt for Samba release 2.0.4 18 May 1999
-!==
-Initial Release: August 22, 1996
-Contributor: John H Terpstra <samba-bugs@samba.org>
- Copyright (C) 1996-1997 - John H Terpstra
-Updated: July 5, 1998
-Status: Current
-
-Subject: Windows NT Domain Control & Samba
-============================================================================
-
-****NOTE:****
-=============
-The term "Domain Controller" and those related to it refer to one specific
-method of authentication that can underly an SMB domain. Domain Controllers
-prior to Windows NT Server 3.1 were sold by various companies and based on
-private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
-Microsoft-specific ways of distributing the user authentication database.
-See DOMAIN.txt for examples of how Samba can participate in or create
-SMB domains based on shared authentication database schemes other than the
-Windows NT SAM.
-
-Microsoft Windows NT Domain Control is an extremely complex protocol.
-We have received countless requests to implement Domain Control in Samba.
-The 1.9.18 release of Samba contains experimental code to implement
-this. Please read the file docs/NTDOMAIN.txt for more information on this.
-============================================================================
-
-Windows NT Server can be installed as either a plain file and print server
-(WORKGROUP workstation or server) or as a server that participates in Domain
-Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
-
-The same is true for OS/2 Warp Server, Digital Pathworks and other similar
-products, all of which can participate in Domain Control along with Windows NT.
-However only those servers which have licenced Windows NT code in them can be
-a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
-
-To many people these terms can be confusing, so let's try to clear the air.
-
-Every Windows NT system (workstation or server) has a registry database.
-The registry contains entries that describe the initialisation information
-for all services (the equivalent of Unix Daemons) that run within the Windows
-NT environment. The registry also contains entries that tell application
-software where to find dynamically loadable libraries that they depend upon.
-In fact, the registry contains entries that describes everything that anything
-may need to know to interact with the rest of the system.
-
-The registry files can be located on any Windows NT machine by opening a
-command prompt and typing:
- dir %SystemRoot%\System32\config
-
-The environment variable %SystemRoot% value can be obtained by typing:
- echo %SystemRoot%
-
-The active parts of the registry that you may want to be familiar with are
-the files called: default, system, software, sam and security.
-
-In a domain environment, Microsoft Windows NT domain controllers participate
-in replication of the SAM and SECURITY files so that all controllers within
-the domain have an exactly identical copy of each.
-
-The Microsoft Windows NT system is structured within a security model that
-says that all applications and services must authenticate themselves before
-they can obtain permission from the security manager to do what they set out
-to do.
-
-The Windows NT User database also resides within the registry. This part of
-the registry contains the user's security identifier, home directory, group
-memberships, desktop profile, and so on.
-
-Every Windows NT system (workstation as well as server) will have its own
-registry. Windows NT Servers that participate in Domain Security control
-have a database that they share in common - thus they do NOT own an
-independent full registry database of their own, as do Workstations and
-plain Servers.
-
-The User database is called the SAM (Security Access Manager) database and
-is used for all user authentication as well as for authentication of inter-
-process authentication (ie: to ensure that the service action a user has
-requested is permitted within the limits of that user's privileges).
-
-The Samba team have produced a utility that can dump the Windows NT SAM into
-smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
-/pub/samba/pwdump on your nearest Samba mirror for the utility. This
-facility is useful but cannot be easily used to implement SAM replication
-to Samba systems.
-
-Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
-can participate in a Domain security system that is controlled by Windows NT
-servers that have been correctly configured. At most every domain will have
-ONE Primary Domain Controller (PDC). It is desirable that each domain will
-have at least one Backup Domain Controller (BDC).
-
-The PDC and BDCs then participate in replication of the SAM database so that
-each Domain Controlling participant will have an up to date SAM component
-within its registry.
-
-Samba can NOT at this time function as a Domain Controller for any of these
-security services, but like all other domain members can interact with the
-Windows NT security system for all access authentication.
-
-When Samba is configured with the 'security = server' option and the
-'password server = Your_Windows_NT_Server_Name' option, then it will
-redirect all access authentication to that server. This way you can
-use Windows NT to act as your password server with full support for
-Microsoft encrypted passwords.
-
-Note also, that since release of samba-1.9.18 we now support native encrypted
-passwords too. To enable encrypted password handling several things need to be
-done:
- 1) In smb.conf [globals]:
- encrypt passwords = yes
- smbpasswd file = /path/smbpasswd
-the standard path is /usr/local/samba/private/smbpasswd but this may be
-platform specific.
-
- 2) Use "smbpasswd -a" to add all users to the smbpasswd file.
-
-Above all read all the documentation for encrypted password support - you will
-need it!
diff --git a/docs/textdocs/DOMAIN_MEMBER.txt b/docs/textdocs/DOMAIN_MEMBER.txt
deleted file mode 100644
index d58a8bc099..0000000000
--- a/docs/textdocs/DOMAIN_MEMBER.txt
+++ /dev/null
@@ -1,151 +0,0 @@
-
-TITLE INFORMATION: Joining an NT Domain with Samba 2.0
-AUTHOR INFORMATION: Jeremy Allison, Samba Team
-DATE INFORMATION: 7th October 1999
-
-Table of Contents
-
-Joining an NT Domain with Samba 2.0
------------------------------------
-
-In order for a Samba-2 server to join an NT domain, you must first add
-the NetBIOS name of the Samba server to the NT domain on the PDC using
-Server Manager for Domains. This creates the machine account in the
-domain (PDC) SAM. Note that you should add the Samba server as a "Windows
-NT Workstation or Server", NOT as a Primary or backup domain controller.
-
-Assume you have a Samba-2 server with a NetBIOS name of SERV1 and are
-joining an NT domain called DOM, which has a PDC with a NetBIOS name
-of DOMPDC and two backup domain controllers with NetBIOS names DOMBDC1
-and DOMBDC2.
-
-In order to join the domain, first stop all Samba daemons and run the
-command
-
-smbpasswd -j DOM -r DOMPDC
-
-as we are joining the domain DOM and the PDC for that domain (the only
-machine that has write access to the domain SAM database) is DOMPDC. If this is
-successful you will see the message:
-
-smbpasswd: Joined domain DOM.
-
-in your terminal window. See the smbpasswd
-man page for more details.
-
-This command goes through the machine account password change
-protocol, then writes the new (random) machine account password for
-this Samba server into a file in the same directory in which an
-smbpasswd file would be stored - normally :
-
-/usr/local/samba/private
-
-The filename looks like this:
-
-<NT DOMAIN NAME>.<Samba Server Name>.mac
-
-The .mac suffix stands for machine account password file. So in
-our example above, the file would be called:
-
-DOM.SERV1.mac
-
-This file is created and owned by root and is not readable by any
-other user. It is the key to the domain-level security for your
-system, and should be treated as carefully as a shadow password file.
-
-Now, before restarting the Samba daemons you must edit your
-smb.conf file to tell Samba it should now
-use domain security.
-
-Change (or add) your
-
-"security ="
-
-line in the [global] section of your
-smb.conf to read:
-
-security = domain
-
-Next change the
-
-"workgroup ="
-
-line in the [global] section to read:
-
-workgroup = DOM
-
-as this is the name of the domain we are joining.
-
-You must also have the parameter "encrypt passwords"
-set to "yes" in order for your users to authenticate to the
-NT PDC.
-
-Finally, add (or modify) a:
-
-"password server ="
-
-line in the [global] section to read:
-
-password server = DOMPDC DOMBDC1 DOMBDC2
-
-These are the primary and backup domain controllers Samba will attempt
-to contact in order to authenticate users. Samba will try to contact
-each of these servers in order, so you may want to rearrange this list
-in order to spread out the authentication load among domain
-controllers.
-
-Alternatively, if you want smbd to automatically determine the
-list of Domain controllers to use for authentication, you may set this line to be :
-
-password server = *
-
-This method, which is new in Samba 2.0.6 and above, allows Samba
-to use exactly the same mechanism that NT does. This method either broadcasts or
-uses a WINS database in order to find domain controllers to
-authenticate against.
-
-Finally, restart your Samba daemons and get ready for clients to begin
-using domain security!
-
-Why is this better than security = server?
-------------------------------------------
-
-Currently, domain security in Samba doesn't free you from having to
-create local Unix users to represent the users attaching to your
-server. This means that if domain user DOM\fred attaches to your
-domain security Samba server, there needs to be a local Unix user fred
-to represent that user in the Unix filesystem. This is very similar to
-the older Samba security mode "security=server", where Samba would pass
-through the authentication request to a Windows NT server in the same
-way as a Windows 95 or Windows 98 server would.
-
-The advantage to domain-level security is that the authentication in
-domain-level security is passed down the authenticated RPC channel in
-exactly the same way that an NT server would do it. This means Samba
-servers now participate in domain trust relationships in exactly the
-same way NT servers do (i.e., you can add Samba servers into a
-resource domain and have the authentication passed on from a resource
-domain PDC to an account domain PDC.
-
-In addition, with "security=server" every Samba daemon on a
-server has to keep a connection open to the authenticating server for
-as long as that daemon lasts. This can drain the connection resources
-on a Microsoft NT server and cause it to run out of available
-connections. With "security =domain", however, the Samba
-daemons connect to the PDC/BDC only for as long as is necessary to
-authenticate the user, and then drop the connection, thus conserving
-PDC connection resources.
-
-And finally, acting in the same manner as an NT server authenticating
-to a PDC means that as part of the authentication reply, the Samba
-server gets the user identification information such as the user SID,
-the list of NT groups the user belongs to, etc. All this information
-will allow Samba to be extended in the future into a mode the
-developers currently call appliance mode. In this mode, no local Unix
-users will be necessary, and Samba will generate Unix uids and gids
-from the information passed back from the PDC when a user is
-authenticated, making a Samba server truly plug and play in an NT
-domain environment. Watch for this code soon.
-
-NOTE: Much of the text of this document was first published in the
-Web magazine "LinuxWorld" as the article "Doing the NIS/NT Samba".
diff --git a/docs/textdocs/ENCRYPTION.txt b/docs/textdocs/ENCRYPTION.txt
deleted file mode 100644
index 89f30b0d53..0000000000
--- a/docs/textdocs/ENCRYPTION.txt
+++ /dev/null
@@ -1,331 +0,0 @@
-!==
-!== ENCRYPTION.txt for Samba release 2.0.5a 22 Jul 1999
-!==
-Contributor: Jeremy Allison <samba-bugs@samba.org>
-Updated: April 19, 1999
-Note: Please refer to WinNT.txt also
-
-Subject: LanManager / Samba Password Encryption.
-============================================================================
-
-With the development of LanManager and Windows NT compatible password
-encryption for Samba, it is now able to validate user connections in
-exactly the same way as a LanManager or Windows NT server.
-
-This document describes how the SMB password encryption algorithm
-works and what issues there are in choosing whether you want to use
-it. You should read it carefully, especially the part about security
-and the "PROS and CONS" section.
-
-How does it work ?
-------------------
-
-LanManager encryption is somewhat similar to UNIX password
-encryption. The server uses a file containing a hashed value of a
-user's password. This is created by taking the user's plaintext
-password, capitalising it, and either truncating to 14 bytes (or
-padding to 14 bytes with null bytes). This 14 byte value is used as
-two 56 bit DES keys to encrypt a 'magic' eight byte value, forming a
-16 byte value which is stored by the server and client. Let this value
-be known as the *hashed password*.
-
-Windows NT encryption is a higher quality mechanism, consisting
-of doing an MD4 hash on a Unicode version of the user's password. This
-also produces a 16 byte hash value that is non-reversible.
-
-When a client (LanManager, Windows for WorkGroups, Windows 95 or
-Windows NT) wishes to mount a Samba drive (or use a Samba resource) it
-first requests a connection and negotiates the protocol that the client
-and server will use. In the reply to this request the Samba server
-generates and appends an 8 byte, random value - this is stored in the
-Samba server after the reply is sent and is known as the *challenge*.
-
-The challenge is different for every client connection.
-
-The client then uses the hashed password (16 byte values described
-above), appended with 5 null bytes, as three 56 bit DES keys, each of
-which is used to encrypt the challenge 8 byte value, forming a 24 byte
-value known as the *response*.
-
-In the SMB call SMBsessionsetupX (when user level security is
-selected) or the call SMBtconX (when share level security is selected)
-the 24 byte response is returned by the client to the Samba server.
-For Windows NT protocol levels the above calculation is done on
-both hashes of the user's password and both responses are returned
-in the SMB call, giving two 24 byte values.
-
-The Samba server then reproduces the above calculation, using its own
-stored value of the 16 byte hashed password (read from the smbpasswd
-file - described later) and the challenge value that it kept from the
-negotiate protocol reply. It then checks to see if the 24 byte value it
-calculates matches the 24 byte value returned to it from the client.
-
-If these values match exactly, then the client knew the correct
-password (or the 16 byte hashed value - see security note below) and
-is thus allowed access. If not, then the client did not know the
-correct password and is denied access.
-
-Note that the Samba server never knows or stores the cleartext of the
-user's password - just the 16 byte hashed values derived from it. Also
-note that the cleartext password or 16 byte hashed values are never
-transmitted over the network - thus increasing security.
-
-IMPORTANT NOTE ABOUT SECURITY
------------------------------
-
-The unix and SMB password encryption techniques seem similar on the
-surface. This similarity is, however, only skin deep. The unix scheme
-typically sends clear text passwords over the nextwork when logging
-in. This is bad. The SMB encryption scheme never sends the cleartext
-password over the network but it does store the 16 byte hashed values
-on disk. This is also bad. Why? Because the 16 byte hashed values are a
-"password equivalent". You cannot derive the user's password from them,
-but they could potentially be used in a modified client to gain access
-to a server. This would require considerable technical knowledge on
-behalf of the attacker but is perfectly possible. You should thus
-treat the smbpasswd file as though it contained the cleartext
-passwords of all your users. Its contents must be kept secret, and the
-file should be protected accordingly.
-
-Ideally we would like a password scheme which neither requires plain
-text passwords on the net or on disk. Unfortunately this is not
-available as Samba is stuck with being compatible with other SMB
-systems (WinNT, WfWg, Win95 etc).
-
-
-PROS AND CONS
--------------
-
-There are advantages and disadvantages to both schemes.
-
-Advantages of SMB Encryption:
------------------------------
-
-- plain text passwords are not passed across the network. Someone using
-a network sniffer cannot just record passwords going to the SMB server.
-
-- WinNT doesn't like talking to a server that isn't using SMB
-encrypted passwords. It will refuse to browse the server if the server
-is also in user level security mode. It will insist on prompting the
-user for the password on each connection, which is very annoying. The
-only things you can do to stop this is to use SMB encryption.
-
-Advantages of non-encrypted passwords:
---------------------------------------
-
-- plain text passwords are not kept on disk.
-
-- uses same password file as other unix services such as login and
-ftp
-
-- you are probably already using other services (such as telnet and
-ftp) which send plain text passwords over the net, so not sending them
-for SMB isn't such a big deal.
-
-Note that Windows NT 4.0 Service pack 3 changed the default for
-permissible authentication so that plaintext passwords are *never*
-sent over the wire. The solution to this is either to switch to
-encrypted passwords with Samba or edit the Windows NT registry to
-re-enable plaintext passwords. See the document WinNT.txt for
-details on how to do this.
-
-The smbpasswd file.
--------------------
-
-In order for Samba to participate in the above protocol it must
-be able to look up the 16 byte hashed values given a user name.
-Unfortunately, as the UNIX password value is also a one way hash
-function (ie. it is impossible to retrieve the cleartext of the user's
-password given the UNIX hash of it) then a separate password file
-containing this 16 byte value must be kept. To minimise problems with
-these two password files, getting out of sync, the UNIX /etc/passwd and
-the smbpasswd file, a utility, mksmbpasswd.sh, is provided to generate
-a smbpasswd file from a UNIX /etc/passwd file.
-
-To generate the smbpasswd file from your /etc/passwd file use the
-following command :-
-
-cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd
-
-If you are running on a system that uses NIS, use
-
-ypcat passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd
-
-The mksmbpasswd.sh program is found in the Samba source directory. By
-default, the smbpasswd file is stored in :-
-
-/usr/local/samba/private/smbpasswd
-
-The owner of the /usr/local/samba/private directory should be set to
-root, and the permissions on it should be set to :-
-
-r-x------
-
-The command
-
-chmod 500 /usr/local/samba/private
-
-will do the trick. Likewise, the smbpasswd file inside the private
-directory should be owned by root and the permissions on is should be
-set to
-
-rw-------
-
-by the command :-
-
-chmod 600 smbpasswd.
-
-The format of the smbpasswd file is
-
-username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[Account type]:LCT-<last-change-time>:Long name
-
-Although only the username, uid, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,
-[Account type] and last-change-time sections are significant and
-are looked at in the Samba code.
-
-It is *VITALLY* important that there by 32 'X' characters between the
-two ':' characters in the XXX sections - the smbpasswd and Samba code
-will fail to validate any entries that do not have 32 characters
-between ':' characters. The first XXX section is for the Lanman password
-hash, the second is for the Windows NT version.
-
-When the password file is created all users have password entries
-consisting of 32 'X' characters. By default this disallows any access
-as this user. When a user has a password set, the 'X' characters change
-to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii
-representation of the 16 byte hashed value of a user's password.
-
-To set a user to have no password (not recommended), edit the file
-using vi, and replace the first 11 characters with the asci text
-
-NO PASSWORD
-
-Eg. To clear the password for user bob, his smbpasswd file entry would
-look like :
-
-bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
-
-If you are allowing users to use the smbpasswd command to set their own
-passwords, you may want to give users NO PASSWORD initially so they do
-not have to enter a previous password when changing to their new
-password (not recommended). In order for you to allow this the
-smbpasswd program must be able to connect to the smbd daemon as
-that user with no password. Enable this by adding the line :
-
-null passwords = true
-
-to the [global] section of the smb.conf file (this is why the
-above scenario is not recommended). Preferably, allocate your
-users a default password to begin with, so you do not have
-to enable this on your server.
-
-Note : This file should be protected very carefully. Anyone with
-access to this file can (with enough knowledge of the protocols) gain
-access to your SMB server. The file is thus more sensitive than a
-normal unix /etc/passwd file.
-
-The smbpasswd Command.
-----------------------
-
-The smbpasswd command maintains the two 32 byte password fields in
-the smbpasswd file. If you wish to make it similar to the unix passwd
-or yppasswd programs, install it in /usr/local/samba/bin (or your main
-Samba binary directory).
-
-Note that as of Samba 1.9.18p4 this program MUST NOT BE INSTALLED
-setuid root (the new smbpasswd code enforces this restriction so
-it cannot be run this way by accident).
-
-smbpasswd now works in a client-server mode where it contacts
-the local smbd to change the user's password on its behalf. This
-has enormous benefits - as follows.
-
-1). smbpasswd no longer has to be setuid root - an enormous
-range of potential security problems is eliminated.
-
-2). smbpasswd now has the capability to change passwords
-on Windows NT servers (this only works when the request is
-sent to the NT Primary Domain Controller if you are changing
-an NT Domain user's password).
-
-To run smbpasswd as a normal user just type :
-
-smbpasswd
-Old SMB password: <type old value here - or hit return if there was no old password >
-New SMB Password: < type new value >
-Repeat New SMB Password: < re-type new value >
-
-If the old value does not match the current value stored for that user,
-or the two new values do not match each other, then the password will
-not be changed.
-
-If invoked by an ordinary user it will only allow the user to change
-his or her own Samba password.
-
-If run by the root user smbpasswd may take an optional argument,
-specifying the user name whose SMB password you wish to change. Note
-that when run as root smbpasswd does not prompt for or check the old
-password value, thus allowing root to set passwords for users who have
-forgotten their passwords.
-
-smbpasswd is designed to work in the same way and be familiar to UNIX
-users who use the passwd or yppasswd commands.
-
-For more details on using smbpasswd refer to the man page which
-will always be the definitive reference.
-
-Setting up Samba to support LanManager Encryption.
---------------------------------------------------
-
-This is a very brief description on how to setup samba to support
-password encryption. More complete instructions will probably be added
-later.
-
-1) compile and install samba as usual
-
-2) if your system can't compile the module getsmbpass.c then remove the
--DSMBGETPASS define from the Makefile.
-
-3) enable encrypted passwords in smb.conf by adding the line
-"encrypt passwords = yes" in the [global] section
-
-4) create the initial smbpasswd password file in the place you
-specified in the Makefile. A simple way to do this based on your
-existing Makefile (assuming it is in a reasonably standard format) is
-like this:
-
-cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd
-
-Change ownership of private and smbpasswd to root.
-
-chown -R root /usr/local/samba/private
-
-Set the correct permissions on /usr/local/samba/private
-
-chmod 500 /usr/local/samba/private
-
-Set the correct permissions on /usr/local/samba/private/smbpasswd
-
-chmod 600 /usr/local/samba/private/smbpasswd
-
-note that the mksmbpasswd.sh script is in the samba source directory.
-
-If this fails then you will find that you will need entries that look
-like this:
-
-# SMB password file.
-tridge:148:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Andrew Tridgell:/home/tridge:/bin/tcsh
-
-note that the uid and username fields must be right. Also, you must get
-the number of X's right (there should be 32).
-
-5) set the passwords for users using the smbpasswd command. For
-example, as root you could do "smbpasswd tridge"
-
-6) try it out!
-
-Note that you can test things using smbclient, as it also now supports
-encryption.
-
-==============================================================================
-Footnote: Please refer to WinNT.txt also
diff --git a/docs/textdocs/NT_Security.txt b/docs/textdocs/NT_Security.txt
deleted file mode 100644
index 4620dd8408..0000000000
--- a/docs/textdocs/NT_Security.txt
+++ /dev/null
@@ -1,304 +0,0 @@
-
-TITLE INFORMATION: Viewing and changing UNIX permissions using the NT security dialogs in Samba 2.0.4
-AUTHOR INFORMATION: Jeremy Allison, Samba Team
-DATE INFORMATION: 12th April 1999
-
-Table of Contents
-
-Viewing and changing UNIX permissions using the NT security dialogs
-
--------------------------------------------------------------------
-
-New in the Samba 2.0.4 release is the
-ability for Windows NT clients to use their native security
-settings dialog box to view and modify the underlying UNIX
-permissions.
-
-Note that this ability is careful not to compromise the security
-of the UNIX host Samba is running on, and still obeys all the
-file permission rules that a Samba administrator can set.
-
-In Samba 2.0.4 and above the default value of the parameter
-"nt acl support" has been
-changed from "false" to "true", so manipulation of permissions is
-turned on by default.
-
-How to view file security on a Samba share
-
-------------------------------------------
-
-From an NT 4.0 client, single-click with the right mouse button on
-any file or directory in a Samba mounted drive letter or UNC path.
-When the menu pops-up, click on the Properties entry at the
-bottom of the menu. This brings up the normal file properties dialog
-box, but with Samba 2.0.4 this will have a new tab along the top
-marked Security. Click on this tab and you will see three buttons,
-Permissions, Auditing, and Ownership. The Auditing
-button will cause either an error message "A requested privilege is
-not held by the client" to appear if the user is not the NT Administrator,
-or a dialog which is intended to allow an Administrator to add
-auditing requirements to a file if the user is logged on as the
-NT Administrator. This dialog is non-functional with a Samba
-share at this time, as the only useful button, the Add button
-will not currently allow a list of users to be seen.
-
-Viewing file ownership
-
-----------------------
-
-Clicking on the "Ownership" button brings up a dialog box telling
-you who owns the given file. The owner name will be of the form :
-
-"SERVER\user (Long name)"
-
-Where SERVER is the NetBIOS name of the Samba server, user
-is the user name of the UNIX user who owns the file, and (Long name)
-is the discriptive string identifying the user (normally found in the
-GECOS field of the UNIX password database). Click on the Close
-button to remove this dialog.
-
-If the parameter "nt acl support"
-is set to "false" then the file owner will be shown as the NT user
-"Everyone".
-
-The Take Ownership button will not allow you to change the
-ownership of this file to yourself (clicking on it will display a
-dialog box complaining that the user you are currently logged onto
-the NT client cannot be found). The reason for this is that changing
-the ownership of a file is a privilaged operation in UNIX, available
-only to the root user. As clicking on this button causes NT to
-attempt to change the ownership of a file to the current user logged
-into the NT client this will not work with Samba at this time.
-
-There is an NT chown command that will work with Samba and allow
-a user with Administrator privillage connected to a Samba 2.0.4
-server as root to change the ownership of files on both a local NTFS
-filesystem or remote mounted NTFS or Samba drive. This is available
-as part of the Seclib NT security library written by Jeremy
-Allison of the Samba Team, available from the main Samba ftp site.
-
-Viewing file or directory permissions
-
--------------------------------------
-
-The third button is the "Permissions" button. Clicking on this
-brings up a dialog box that shows both the permissions and the UNIX
-owner of the file or directory. The owner is displayed in the form :
-
-"SERVER\user (Long name)"
-
-Where SERVER is the NetBIOS name of the Samba server, user
-is the user name of the UNIX user who owns the file, and (Long name)
-is the discriptive string identifying the user (normally found in the
-GECOS field of the UNIX password database).
-
-If the parameter "nt acl support"
-is set to "false" then the file owner will be shown as the NT user
-"Everyone" and the permissions will be shown as NT "Full Control".
-
-The permissions field is displayed differently for files and directories,
-so I'll describe the way file permissions are displayed first.
-
-File Permissions
-
-----------------
-
-The standard UNIX user/group/world triple and the correspinding
-"read", "write", "execute" permissions triples are mapped by Samba
-into a three element NT ACL with the 'r', 'w', and 'x' bits mapped
-into the corresponding NT permissions. The UNIX world permissions are mapped
-into the global NT group Everyone, followed by the list of permissions
-allowed for UNIX world. The UNIX owner and group permissions
-are displayed as an NT user icon and an NT local group icon
-respectively followed by the list of permissions allowed for the
-UNIX user and group.
-
-As many UNIX permission sets don't map into common NT names such as
-"read", "change" or "full control" then usually the permissions
-will be prefixed by the words "Special Access" in the NT display
-list.
-
-But what happens if the file has no permissions allowed for a
-particular UNIX user group or world component ? In order to
-allow "no permissions" to be seen and modified then Samba overloads
-the NT "Take Ownership" ACL attribute (which has no meaning in
-UNIX) and reports a component with no permissions as having the NT
-"O" bit set. This was chosen of course to make it look like a
-zero, meaning zero permissions. More details on the decision behind
-this will be given below.
-
-Directory Permissions
-
----------------------
-
-Directories on an NT NTFS file system have two different sets of
-permissions. The first set of permissions is the ACL set on the
-directory itself, this is usually displayed in the first set of
-parentheses in the normal "RW" NT style. This first set of
-permissions is created by Samba in exactly the same way as normal
-file permissions are, described above, and is displayed in the
-same way.
-
-The second set of directory permissions has no real meaning in the
-UNIX permissions world and represents the "inherited" permissions
-that any file created within this directory would inherit.
-
-Samba synthesises these inherited permissions for NT by returning as
-an NT ACL the UNIX permission mode that a new file created by Samba
-on this share would receive.
-
-Modifying file or directory permissions
-
----------------------------------------
-
-Modifying file and directory permissions is as simple as changing
-the displayed permissions in the dialog box, and clicking the OK
-button. However, there are limitations that a user needs to be aware
-of, and also interactions with the standard Samba permission masks
-and mapping of DOS attributes that need to also be taken into account.
-
-If the parameter "nt acl support"
-is set to "false" then any attempt to set security permissions will
-fail with an "Access Denied" message.
-
-The first thing to note is that the "Add" button will not return
-a list of users in Samba 2.0.4 (it will give an error message of
-"The remote proceedure call failed and did not execute"). This
-means that you can only manipulate the current user/group/world
-permissions listed in the dialog box. This actually works quite well
-as these are the only permissions that UNIX actually has.
-
-If a permission triple (either user, group, or world) is removed from
-the list of permissions in the NT dialog box, then when the "OK"
-button is pressed it will be applied as "no permissions" on the UNIX
-side. If you then view the permissions again the "no permissions" entry
-will appear as the NT "O" flag, as described above. This allows you
-to add permissions back to a file or directory once you have removed
-them from a triple component.
-
-As UNIX supports only the "r", "w" and "x" bits of an NT ACL
-then if other NT security attributes such as "Delete access"
-are selected then they will be ignored when applied on the
-Samba server.
-
-When setting permissions on a directory the second set of permissions
-(in the second set of parentheses) is by default applied to all
-files within that directory. If this is not what you want you
-must uncheck the "Replace permissions on existing files" checkbox
-in the NT dialog before clicking "OK".
-
-If you wish to remove all permissions from a user/group/world
-component then you may either highlight the component and click
-the "Remove" button, or set the component to only have the special
-"Take Ownership" permission (dsplayed as "O") highlighted.
-
-Interaction with the standard Samba create mask parameters
-
-----------------------------------------------------------
-
-Note that with Samba 2.0.5 there are four new parameters to
-control this interaction.
-
-These are :
-
-security mask
-force security mode
-directory security mask
-force directory security mode
-
-Once a user clicks "OK" to apply the permissions Samba maps
-the given permissions into a user/group/world r/w/x triple set,
-and then will check the changed permissions for a file against
-the bits set in the "security mask"
-parameter. Any bits that were changed that are not set to '1'
-in this parameter are left alone in the file permissions.
-
-Essentially, zero bits in the "security mask"
-mask may be treated as a set of bits the user is not allowed to change,
-and one bits are those the user is allowed to change.
-
-If not set explicitly this parameter is set to the same value as the
-"create mask" parameter to provide compatibility
-with Samba 2.0.4 where this permission change facility was introduced.
-To allow a user to modify all the user/group/world permissions on a file,
-set this parameter to 0777.
-
-Next Samba checks the changed permissions for a file against the
-bits set in the "force security mode"
-parameter. Any bits that were changed that correspond to bits set
-to '1' in this parameter are forced to be set.
-
-Essentially, bits set in the "force security mode"
-parameter may be treated as a set of bits that, when modifying security on a file, the
-user has always set to be 'on'.
-
-If not set explicitly this parameter is set to the same value as the
-"force create mode" parameter to provide compatibility
-with Samba 2.0.4 where the permission change facility was introduced.
-To allow a user to modify all the user/group/world permissions on a file,
-with no restrictions set this parameter to 000.
-
-The "security mask" and
-"force security mode" parameters
-are applied to the change request in that order.
-
-For a directory Samba will perform the same operations as described above
-for a file except using the parameter "directory security mask"
-instead of "security mask", and
-"force directory security mode" parameter instead
-of "force security mode".
-
-The "directory security mask"
-parameter by default is set to the same value as the "directory mask"
-parameter and the "force directory security mode"
-parameter by default is set to the same value as the
-iurl("force directory mode")(smb.conf.5.html#forcedirectorymode) parameter
-to provide compatibility with Samba 2.0.4 where the permission change facility was introduced.
-
-In this way Samba enforces the permission restrictions that an administrator
-can set on a Samba share, whilst still allowing users to modify the
-permission bits within that restriction.
-
-If you want to set up a share that allows users full control
-in modifying the permission bits on their files and directories and
-doesn't force any particular bits to be set 'on', then set the following
-parameters in the smb.conf.5 file in
-that share specific section :
-
-security mask = 0777
-force security mode = 0
-directory security mask = 0777
-force directory security mode = 0
-
-As described, in Samba 2.0.4 the parameters :
-
-create mask
-force create mode
-directory mask
-force directory mode
-
-were used instead of the parameters discussed here.
-
-Interaction with the standard Samba file attribute mapping
-
-----------------------------------------------------------
-
-Samba maps some of the DOS attribute bits (such as "read only")
-into the UNIX permissions of a file. This means there can be a
-conflict between the permission bits set via the security dialog
-and the permission bits set by the file attribute mapping.
-
-One way this can show up is if a file has no UNIX read access
-for the owner it will show up as "read only" in the standard
-file attributes tabbed dialog. Unfortunately this dialog is
-the same one that contains the security info in another tab.
-
-What this can mean is that if the owner changes the permissions
-to allow themselves read access using the security dialog, clicks
-"OK" to get back to the standard attributes tab dialog, and
-then clicks "OK" on that dialog, then NT will set the file
-permissions back to read-only (as that is what the attributes
-still say in the dialog). This means that after setting permissions
-and clicking "OK" to get back to the attributes dialog you
-should always hit "Cancel" rather than "OK" to ensure
-that your changes are not overridden.
diff --git a/docs/textdocs/PRINTER_DRIVER2.txt b/docs/textdocs/PRINTER_DRIVER2.txt
deleted file mode 100644
index 2bca8e69c9..0000000000
--- a/docs/textdocs/PRINTER_DRIVER2.txt
+++ /dev/null
@@ -1,332 +0,0 @@
-!==
-!== PRINTER_DRIVER2.txt for Samba release 2.2.0-alpha1 23 Nov 2000
-!==
-
-==========================================================================
- Gerald Carter <jerry@samba.org> 14 Sep 2000
-===========================================================================
-
-Introduction
-============
-Beginning with the 2.2.0 release, Samba now supports the native Windows
-NT printing mechanisms implemented via MS-RPC (i.e. the SPOOLSS named
-pipe). Previous versions of Samba only supported the LanMan printing
-calls.
-
-The additional functionality provided by the new SPOOLSS support
-includes:
-
- o Support for downloading printer driver files to
- Windows 95/98/NT/2000 clients upon demand.
- o Uploading of printer drivers via the Windows NT
- Add Printer Wizard (APW) or the Imprints tool set
- o Support for the native MS-RPC printing calls such
- as StartDocPrinter, EnumJobs(), etc... (See the MSDN
- documentation for more information on the Win32
- printing API)
- o Support for NT Access Control Lists (ACL) on
- printer objects
- o Improved support for printer queue manipulation through
- the use of an internal database for spooled job information.
-
-
-Configuration
-=============
-
-In order to support the uploading of printer driver files, you
-must first configure a file share named [print$]. The name of
-this share is hard coded in Samba's internals so the name is
-very important (print$ is the service used by Windows NT
-print servers to provide support for printer driver download.
-
-<aside>
- Previous versions of Samba recommended using a share named
- [printer$]. This name was taken from the printer$ service
- created by Windows 9x clients when a printer was shared.
- (Windows 9x printer servers always have a printer$ service
- which provides read-only access via no password in order to
- support printer driver downloads).
-
- However, the initial implementation allowed for a parameter
- named 'printer driver location' to be used on a per share basis
- to specify the location of the driver files associated with that
- printer. Another parameter named 'printer driver' provided a
- means of defining the printer driver name to be sent to the
- client.
-
- These parameters, including 'printer driver file', are being
- depreciated and should not be used in new installations.
- For more information on this change, you should refer to the
- "Migration" section of this document.
-</aside>
-
-You should modify the server's smb.conf file to create the
-following file share (of course, some of the parameter values,
-such as 'path' are arbitrary and should be replaced with
-appropriate values for your site):
-
- [print$]
- path = /usr/local/samba/printers
- guest ok = yes
- browseable = yes
- read only = yes
- write list = ntadmin
-
-The 'write list' is used to allow administrative level user accounts
-to have write access in order to update files on the share.
-See the smb.conf(5) man page for more information on configuring
-file shares.
-
-The requirement for 'guest ok = yes' depends upon how your
-site is configured. If users will be guaranteed to have
-an account on the Samba host, then this is a non-issue.
-
- [author's note: The non-issue is that if all your Windows
- NT users are guarenteed to be authenticated by the Samba server
- (such as a domain member server and the NT user has already
- been validated by the Domain Controller in order to logon
- to the Windows NT console), then guest access is not necessary.
- Of course, in a workgroup environment where you just want
- to be able to print without worrying about silly accounts
- and security, then configure the share for gues access.
- You'll probably want to add 'map to guest = Bad User'
- in the [global] section as well. Make sure you understand
- what this parameter does before using it though. --jerry]
-
-In order for a Windows NT print server to support the
-downloading of driver files by multiple client architectures,
-it must create subdirectories within the [print$] service
-which correspond to each of the supported client architectures.
-Samba follows this model as well.
-
-Next create the directory tree below the [print$] share for
-each architecture you wish to support.
-
- [print$]-----
- |-W32X86 ; "Windows NT x86"
- |-WIN40 ; "Windows 95/98"
- |-W32ALPHA ; "Windows NT Alpha_AXP"
- |-W32MIPS ; "Windows NT R4000"
- |-W32PPC ; "Windows NT PowerPC"
-
-
-+++++++++++++ ATTENTION! REQUIRED PERMISSIONS +++++++++++++++++
-
-Currently, the connected user must have uid 0 in order to
-successfully install a new printer driver. There are two
-points of authorization in this process.
-
- o Access permissions to add files to the [print$]
- share. This access control is managed using
- the same semantics as normal file shares.
- (i.e. filesystem permissions, write list,
- writeable, etc...)
-
- o Authorization to add entries to
-
- $SAMBA/var/locks/ntdrivers.tdb
-
- Updates to this TDB are curently restricted
- to the root account.
-
-Therefore, you must be connected to the samba host as the
-root user in order to add a new printer driver.
-
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-
-!== The Windows NT APW
-
-Once you have created the required [print$] service and associated
-subdirectories, simply log onto the Samba server using a root account
-from a Windows NT 4.0 client. Navigate to the "Printers" folder
-on the Samba server. You should see an initial listing of printers
-that matches the printer shares defined on your Samba host.
-
-<aside>
- It is possible on a Windows NT print server to have printers
- listed in the Printers folder which are not shared. Samba does
- not make this distinction. By definition, the only printers of
- which Samba is aware are those which are specified as shares in
- smb.conf.
-
- Another interesting side note is that Windows NT clients do
- not use the SMB printer share, but rather can print directly
- to any printer on another Windows NT host using MS-RPC. This
- of course assumes that the printing client has the necessary
- privileges on the remote host serving the printer. The default
- permissions assigned by Windows NT to a printer gives the "Print"
- permissions to the "Everyone" well-known group.
-</aside>
-
-The initial listing of printers in the Samba host's Printers
-folder will have no printer driver assigned to them. The way
-assign a driver to a printer is to view the Properties of the
-printer and either
-
- o Use the "New Driver..." button to install a new printer
- driver, or
- o Select a driver from the popup list of installed drivers.
- Initially this list will be empty.
-
-If you wish to install printer drivers for client operating
-systems other than "Windows NT x86", you will need to use the
-"Sharing" tab of the printer properties dialog.
-
-Assuming you have connected with a root account, you will
-also be able modify other printer properties such as
-ACLs and device settings using this dialog box.
-
-
-!== Imprints
-
-The Imprints tool set provides a UNIX equivalent of the Windows
-NT Add Printer Wizard. For complete information, please refer
-to the Imprints web site at http://imprints.sourceforge.net/
-as well as the documentation included with the imprints source
-distribution. This section will only provide a brief introduction
-to the features of Imprints.
-
-What is Imprints?
-
- Imprints is a collection of tools for supporting the goals of
-
- o Providing a central repository information regarding
- Windows NT and 95/98 printer driver packages
- o Providing the tools necessary for creating the Imprints
- printer driver packages.
- o Providing an installation client which will obtain
- and install printer drivers on remote Samba and Windows
- NT 4 print servers.
-
-
-Creating Printer Driver Packages
-
- The process of creating printer driver packages is beyond
- the scope of this document (refer to Imprints.txt also included
- with the Samba distribution for more information). In short,
- an Imprints driver package is a gzipped tarball containing the
- driver files, related INF files, and a control file needed by the
- installation client.
-
-The Imprints server
-
- The Imprints server is really a database server that may
- be queried via standard HTTP mechanisms. Each printer entry
- in the database has an associated URL for the actual
- downloading of the package. Each package is digitally signed
- via GnuPG which can be used to verify that package downloaded
- is actually the one referred in the Imprints database. It is
- **not** recommended that this security check be disabled.
-
-The Installation Client
-<aside>
- More information regarding the Imprints installation client is available
- in the Imprints-Client-HOWTO.ps file included with the imprints source
- package.
-</aside>
-
- The Imprints installation client comes in two forms.
-
- o a set of command line Perl scripts
- o a GTK+ based graphical interface to the command
- line perl scripts
-
- The installation client (in both forms) provides a means
- of querying the Imprints database server for a matching
- list of known printer model names as well as a means to
- download and install the drivers on remote Samba and Windows
- NT print servers.
-
- The basic installation process is in four steps and perl code
- is wrapped around smbclient and rpcclient.
-
- foreach (supported architecture for a given driver)
- {
- 1. rpcclient: Get the appropriate upload directory
- on the remote server
- 2. smbclient: Upload the driver files
- 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
- }
-
- 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
- create the printer
-
-!== The printer driver name space problem
-
- One of the problems encountered when implementing the Imprints
- tool set was the name space issues between various supported
- client architectures. For example, Windows NT includes a driver
- named "Apple LaserWriter II NTX v51.8" and Windows 95 calls
- its version of this driver "Apple LaserWriter II NTX"
-
- The problem is how to know what client drivers have been
- uploaded for a printer. As astute reader will remember that
- the Windows NT Printer Properties dialog only includes space
- for one printer driver name. A quick look in the Windows NT
- 4 system registry at
-
- HKLM\System\CurrentControlSet\Control\Print\Environment
-
- will reveal that Windows NT always uses the NT driver name.
- The is ok as Windows NT always requires that at least the Windows
- NT version of the printer driver is present. However, Samba
- does not have the requirement internally. Therefore, how can
- you use the NT driver name if is has not already been installed?
-
- The way of sidestepping this limitation is to require that all
- Imprints printer driver packages include both the Intel Windows
- NT and 95/98 printer drivers and that NT driver is installed
- first.
-
-
-Migration to 2.2.x
-=============================
-
-Given that printer driver management has changed
-(we hope improved :) ) in 2.2.0 over prior releases,
-migration from an existing setup to 2.2.0 can follow
-several paths.
-
-<WARNING>
- The following smb.conf parameters are considered to be
- depreciated and will be removed soon. Do not use them
- in new installations
-
- 'printer driver file' (G)
- 'printer driver' (S)
- 'printer driver location' (S)
-</WARNING>
-
-
-Here are the possible scenarios for supporting migration:
-
- o If you does not desire the new Windows NT
- print driver support, nothing needs to be done.
- All existing parameters work the same.
-
- o If you want to take advantage of NT printer
- driver support but does not want to migrate the
- 9x drivers to the new setup, the leave the existing
- printers.def file. When smbd attempts to locate a
- 9x driver for the printer in the TDB and fails it
- will drop down to using the printers.def (and all
- associated parameters). The make_printerdef tool
- will also remain for backwards compatibility but will
- be moved to the "this tool is the old way of doing it"
- pile.
-
- o If you instal a Windows 9x driver for a printer on
- your Samba host (in the printing TDB), this information will
- take precedence and the three old printing parameters
- will be ignored (including print driver location).
-
- o If you want to migrate an existing printers.def file into
- the new setup, the current only solution is to use the
- Windows NT APW to install the NT drivers and the 9x
- drivers. (comment: this could possibly be scripted using
- smbclient and rpcclient, but I haven't had time --jerry)
-
-!== end of PRINTER_DRIVER2.txt =======================================
-!=====================================================================
-
diff --git a/docs/textdocs/UNIX_INSTALL.txt b/docs/textdocs/UNIX_INSTALL.txt
deleted file mode 100644
index 1de821e152..0000000000
--- a/docs/textdocs/UNIX_INSTALL.txt
+++ /dev/null
@@ -1,332 +0,0 @@
-HOW TO INSTALL AND TEST SAMBA
-=============================
-
-STEP 0. Read the man pages. They contain lots of useful info that will
-help to get you started. If you don't know how to read man pages then
-try something like:
-
- nroff -man smbd.8 | more
-
-Other sources of information are pointed to by the Samba web
-site, http://samba.org/samba.
-
-STEP 1. Building the binaries
-
-To do this, first run the program ./configure in the source
-directory. This should automatically configure Samba for your
-operating system. If you have unusual needs then you may wish to run
-"./configure --help" first to see what special options you can enable.
-
-Then type "make". This will create the binaries.
-
-Once it's successfully compiled you can use "make install" to install
-the binaries and manual pages. You can separately install the binaries
-and/or man pages using "make installbin" and "make installman".
-
-Note that if you are upgrading for a previous version of Samba you
-might like to know that the old versions of the binaries will be
-renamed with a ".old" extension. You can go back to the previous
-version with "make revert" if you find this version a disaster!
-
-STEP 2. The all important step
-
-At this stage you must fetch yourself a coffee or other drink you find
-stimulating. Getting the rest of the install right can sometimes be
-tricky, so you will probably need it.
-
-If you have installed samba before then you can skip this step.
-
-STEP 3. Create the smb configuration file.
-
-There are sample configuration files in the examples subdirectory in
-the distribution. I suggest you read them carefully so you can see how
-the options go together in practice. See the man page for all the
-options.
-
-The simplest useful configuration file would be something like this:
-
- workgroup = MYGROUP
-
- [homes]
- guest ok = no
- read only = no
-
-which would allow connections by anyone with an account on the server,
-using either their login name or "homes" as the service name. (Note
-that I also set the workgroup that Samba is part of. See BROWSING.txt
-for defails)
-
-Note that "make install" will not install a smb.conf file. You need to
-create it yourself. You will also need to create the path you specify
-in the Makefile for the logs etc, such as /usr/local/samba.
-
-Make sure you put the smb.conf file in the same place you specified in
-the Makefile.
-
-For more information about security settings for the [homes] share please
-refer to the document UNIX_SECURITY.txt
-
-STEP 4. Test your config file with testparm
-
-It's important that you test the validity of your smb.conf file using
-the testparm program. If testparm runs OK then it will list the loaded
-services. If not it will give an error message.
-
-Make sure it runs OK and that the services look resonable before
-proceeding.
-
-STEP 5. Starting the smbd and nmbd.
-
-You must choose to start smbd and nmbd either as daemons or from
-inetd. Don't try to do both! Either you can put them in inetd.conf
-and have them started on demand by inetd, or you can start them as
-daemons either from the command line or in /etc/rc.local. See the man
-pages for details on the command line options. Take particular care
-to read the bit about what user you need to be in order to start Samba.
-In many cases you must be root.
-
-The main advantage of starting smbd and nmbd as a daemon is that they
-will respond slightly more quickly to an initial connection
-request. This is, however, unlilkely to be a problem.
-
-Step 5a. Starting from inetd.conf
-
-NOTE; The following will be different if you use NIS or NIS+ to
-distributed services maps.
-
-Look at your /etc/services. What is defined at port 139/tcp. If
-nothing is defined then add a line like this:
-
-netbios-ssn 139/tcp
-
-similarly for 137/udp you should have an entry like:
-
-netbios-ns 137/udp
-
-Next edit your /etc/inetd.conf and add two lines something like this:
-
-netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
-netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
-
-The exact syntax of /etc/inetd.conf varies between unixes. Look at the
-other entries in inetd.conf for a guide.
-
-NOTE: Some unixes already have entries like netbios_ns (note the
-underscore) in /etc/services. You must either edit /etc/services or
-/etc/inetd.conf to make them consistant.
-
-NOTE: On many systems you may need to use the "interfaces" option in
-smb.conf to specify the IP address and netmask of your interfaces. Run
-ifconfig as root if you don't know what the broadcast is for your
-net. nmbd tries to determine it at run time, but fails on some
-unixes. See the section on "testing nmbd" for a method of finding if
-you need to do this.
-
-!!!WARNING!!! Many unixes only accept around 5 parameters on the
-command line in inetd. This means you shouldn't use spaces between the
-options and arguments, or you should use a script, and start the
-script from inetd.
-
-Restart inetd, perhaps just send it a HUP. If you have installed an
-earlier version of nmbd then you may need to kill nmbd as well.
-
-Step 5b. Alternative: starting it as a daemon
-
-To start the server as a daemon you should create a script something
-like this one, perhaps calling it "startsmb"
-
-#!/bin/sh
-/usr/local/samba/bin/smbd -D
-/usr/local/samba/bin/nmbd -D
-
-then make it executable with "chmod +x startsmb"
-
-You can then run startsmb by hand or execute it from /etc/rc.local
-
-To kill it send a kill signal to the processes nmbd and smbd.
-
-NOTE: If you use the SVR4 style init system then you may like to look
-at the examples/svr4-startup script to make Samba fit into that system.
-
-
-STEP 6. Try listing the shares available on your server
-
-smbclient -L yourhostname
-
-Your should get back a list of shares available on your server. If you
-don't then something is incorrectly setup. Note that this method can
-also be used to see what shares are available on other LanManager
-clients (such as WfWg).
-
-If you choose user level security then you may find that Samba requests
-a password before it will list the shares. See the smbclient docs for
-details. (you can force it to list the shares without a password by
-adding the option -U% to the command line. This will not work with
-non-Samba servers)
-
-STEP 7. try connecting with the unix client. eg:
-
-smbclient //yourhostname/aservice
-
-Typically the "yourhostname" would be the name of the host where you
-installed smbd. The "aservice" is any service you have defined in the
-smb.conf file. Try your user name if you just have a [homes] section
-in smb.conf.
-
-For example if your unix host is bambi and your login name is fred you
-would type:
-
-smbclient //bambi/fred
-
-STEP 8. Try connecting from a dos/WfWg/Win95/NT/os-2 client. Try
-mounting disks. eg:
-
-net use d: \\servername\service
-
-Try printing. eg:
-
-net use lpt1: \\servername\spoolservice
-print filename
-
-Celebrate, or send me a bug report!
-
-WHAT IF IT DOESN'T WORK?
-========================
-
-If nothing works and you start to think "who wrote this pile of trash"
-then I suggest you do step 2 again (and again) till you calm down.
-
-Then you might read the file DIAGNOSIS.txt and the FAQ. If you are
-still stuck then try the mailing list or newsgroup (look in the README
-for details). Samba has been successfully installed at thousands of
-sites worldwide, so maybe someone else has hit your problem and has
-overcome it. You could also use the WWW site to scan back issues of
-the samba-digest.
-
-When you fix the problem PLEASE send me some updates to the
-documentation (or source code) so that the next person will find it
-easier.
-
-DIAGNOSING PROBLEMS
-===================
-
-If you have instalation problems then go to DIAGNOSIS.txt to try to
-find the problem.
-
-SCOPE IDs
-=========
-
-By default Samba uses a blank scope ID. This means all your windows
-boxes must also have a blank scope ID. If you really want to use a
-non-blank scope ID then you will need to use the -i <scope> option to
-nmbd, smbd, and smbclient. All your PCs will need to have the same
-setting for this to work. I do not recommend scope IDs.
-
-
-CHOOSING THE PROTOCOL LEVEL
-===========================
-
-The SMB protocol has many dialects. Currently Samba supports 5, called
-CORE, COREPLUS, LANMAN1, LANMAN2 and NT1.
-
-You can choose what maximum protocol to support in the smb.conf
-file. The default is NT1 and that is the best for the vast majority of
-sites.
-
-In older versions of Samba you may have found it necessary to use
-COREPLUS. The limitations that led to this have mostly been fixed. It
-is now less likely that you will want to use less than LANMAN1. The
-only remaining advantage of COREPLUS is that for some obscure reason
-WfWg preserves the case of passwords in this protocol, whereas under
-LANMAN1, LANMAN2 or NT1 it uppercases all passwords before sending them,
-forcing you to use the "password level=" option in some cases.
-
-The main advantage of LANMAN2 and NT1 is support for long filenames with some
-clients (eg: smbclient, Windows NT or Win95).
-
-See the smb.conf manual page for more details.
-
-Note: To support print queue reporting you may find that you have to
-use TCP/IP as the default protocol under WfWg. For some reason if you
-leave Netbeui as the default it may break the print queue reporting on
-some systems. It is presumably a WfWg bug.
-
-
-PRINTING FROM UNIX TO A CLIENT PC
-=================================
-
-To use a printer that is available via a smb-based server from a unix
-host you will need to compile the smbclient program. You then need to
-install the script "smbprint". Read the instruction in smbprint for
-more details.
-
-There is also a SYSV style script that does much the same thing called
-smbprint.sysv. It contains instructions.
-
-
-LOCKING
-=======
-
-One area which sometimes causes trouble is locking.
-
-There are two types of locking which need to be performed by a SMB
-server. The first is "record locking" which allows a client to lock a
-range of bytes in a open file. The second is the "deny modes" that are
-specified when a file is open.
-
-Samba supports "record locking" using the fcntl() unix system
-call. This is often implemented using rpc calls to a rpc.lockd process
-running on the system that owns the filesystem. Unfortunately many
-rpc.lockd implementations are very buggy, particularly when made to
-talk to versions from other vendors. It is not uncommon for the
-rpc.lockd to crash.
-
-There is also a problem translating the 32 bit lock requests generated
-by PC clients to 31 bit requests supported by most
-unixes. Unfortunately many PC applications (typically OLE2
-applications) use byte ranges with the top bit set as semaphore
-sets. Samba attempts translation to support these types of
-applications, and the translation has proved to be quite successful.
-
-Strictly a SMB server should check for locks before every read and
-write call on a file. Unfortunately with the way fcntl() works this
-can be slow and may overstress the rpc.lockd. It is also almost always
-unnecessary as clients are supposed to independently make locking
-calls before reads and writes anyway if locking is important to
-them. By default Samba only makes locking calls when explicitly asked
-to by a client, but if you set "strict locking = yes" then it will
-make lock checking calls on every read and write.
-
-You can also disable by range locking completely using "locking =
-no". This is useful for those shares that don't support locking or
-don't need it (such as cdroms). In this case Samba fakes the return
-codes of locking calls to tell clients that everything is OK.
-
-The second class of locking is the "deny modes". These are set by an
-application when it opens a file to determine what types of access
-should be allowed simultaneously with its open. A client may ask for
-DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special
-compatability modes called DENY_FCB and DENY_DOS.
-
-You can disable share modes using "share modes = no". This may be
-useful on a heavily loaded server as the share modes code is very
-slow. See also the FAST_SHARE_MODES option in the Makefile for a way
-to do full share modes very fast using shared memory (if your OS
-supports it).
-
-
-MAPPING USERNAMES
-=================
-
-If you have different usernames on the PCs and the unix server then
-take a look at the "username map" option. See the smb.conf man page
-for details.
-
-
-OTHER CHARACTER SETS
-====================
-
-If you have problems using filenames with accented characters in them
-(like the German, French or Scandinavian character sets) then I
-recommmend you look at the "valid chars" option in smb.conf and also
-take a look at the validchars package in the examples directory.
diff --git a/docs/textdocs/samba-pdc-faq.txt b/docs/textdocs/samba-pdc-faq.txt
deleted file mode 100644
index e6222ad422..0000000000
--- a/docs/textdocs/samba-pdc-faq.txt
+++ /dev/null
@@ -1,939 +0,0 @@
-
-The Samba 2.2 PDC FAQ
-
-David Bannon
-
- La Trobe University
- _________________________________________________________________
- _________________________________________________________________
-
- Comments, corrections and additions to <D.Bannon@latrobe.edu.au>
-
- This is the FAQ for Samba 2.2 as an NTDomain controller. This document
- is derived from the origional FAQ that was built and maintained by
- Gerald Carter from the early days of Samba NTDomain development up
- until recently. It is now being updated as significent changes are
- made to 2.2.0.
-
- Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba
- 2.0.7, TNG nor HEAD branch.
-
- I'll repeat, it does not apply to the current snapshot [ftp
- mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the to the
- current cvs.
-
- Also available is a Samba 2.2 PDC HowTo that takes you, step by step,
- over the process of setting up a very basic Samba 2.2 Primary Domain
- Controller
-
- Note: Please read the Introduction for the current state of play.
-
- Table of Contents
- 1. Introduction
-
- State of Play
- Introduction
-
- 2. General Information
-
- What can we do ?
-
- What can Samba Primary Domain Controller (PDC) do ?
- Can I have a Windows 2000 client logon to a Samba
- controlled domain?
-
- What's the status of print spool (spoolss) support in the
- NTDOM code?
-
- CVS
-
- What are the different Samba branches available in CVS ?
- What are the CVS commands ?
-
- 3. Establishing Connections
-
- How do I get my NT4 or W2000 Workstation to login to the
- Samba controlled Domain?
-
- What is a 'machine account' ?
- "The machine account for this computer either does not
- exist or is not accessable."
-
- How do I create machine accounts manually ?
- I cannot include a '$' in a machine name.
- I get told "You already have a connection to the
- Domain...." when creating a machine account.
-
- I get told "Cannot join domain, the credentials supplied
- conflict with an existing set.."
-
- "The system can not log you on (C000019B)...."
-
- 4. User Account Management
-
- Domain Admins
-
- How do I configure an account as a domain administrator?
-
- Profiles
-
- Why is it bad to set "logon path = \\%N\%U\profile" in
- smb.conf? ?
-
- Why are all the users listed in the "domain admin users"
- using the same profile?
-
- The roaming profiles do not seem to be updating on the
- server.
-
- Policies
-
- What are 'Policies' ?.
- I can't get system policies to work.
- What about Windows NT Policy Editor ?
- Can Win95 do Policies ?
-
- Passwords
-
- What is password sync and should I use it ?
- How do I get remote password (unix and SMB) changing
- working ?
-
- 5. Miscellaneous
-
- What editor can I use in DOS/Windows that won't mess with
- my unix EOF
-
- How do I get 'User Manager' and 'Server Manager'
- The time setting from a Samba server does not work.
- "trust account xxx should be in DOMAIN_GROUP_RID_USERS"
- How do I get my samba server to become a member ( not PDC )
- of an NT domain?
-
- 6. Troubleshooting and Bug Reporting
-
- Diagnostic tools
-
- What are some diagnostics tools I can use to debug the
- domain logon process and where can I find them?
-
- How do I install 'Network Monitor' on an NT Workstation or
- a Windows 9x box?
-
- What other help can I get ?
-
- URLs and similar
- How do I get help from the mailing lists ?
- How do I get off the mailing lists ?
- _________________________________________________________________
-
-Chapter 1. Introduction
-
-State of Play
-
- It should be noted that 2.2.0 in its pre-release form still has a few
- problems, I'll try and keep this section current while things are
- still dynamic. At the time of this update (December 15, 2000) the
- current state of play is :
-
- Comments here about W2K joining the domain apply only to Samba 2.2
- from the CVS after November 27th. The 'snapshot' release
- Samba2.2alpha1 does not work !!! See below on how to get a CVS tree.
-
- Known Bug !W2K machines will not successfully join a domain with a
- name that is made up from an even number of characters. Yep, thats
- right ! BIOTEST is OK as is MYDOMAI but MYDOMAIN will not work until
- this bug is fixed. Hmm.., we believe that this bug is fixed, but see
- below.
-
- Known Bug !After some bugs were fixed just before Christmas, W2K SP1
- machines cannot join the domain. Expected to be fixed early in the new
- year. Whats that ? yeah, samba developers have a Christmas break too !
-
- Know Bug !NTs (and possibly W2K ?) are not told the logged on user is
- a domain admin if the parameter "domain admin users = user" is used.
- The alternative, "domain admin group" does work. See the HowTo.
-
- Client Side creation of Machine accounts does work but is not
- complete. Firstly, the add user script runs as the user who's name was
- entered, not as root. Secondly, the machine name passed to the script
- (%U) has an underscore at the end, not a '$'. One alternative is to
- use %m and add the $. This method is documented in the HowTo. And
- thirdly, it does not work with NT4ws.
-
- A W2K machine can join the domain. See the HowTo which explains the
- process. The methods described are 'work arounds' and should be
- regarded as temporary. Although I (drb) have tested these procedures a
- number of people have had difficulty so there may be other issues at
- work. JFM is aware of these problems and will attend to them when he
- can.
-
- A Domain Admin account is required and at present it appears that only
- root is a suitable candidate.
-
- Much of the related code does work. For example, if an NT is removed
- from the domain and then rejoins, the Create a Computer Account in the
- Domain dialog will let you reset the smbpasswd. That is you don't need
- to do it from the unix box. However, at the present, you do need to
- have root as an administrator and use the root user name and password.
-
- Actually I'm not sure that last paragraph is correct ....
-
- Policies do work on a W2K machine. MS says that recent builds of W2K
- dont observe an NT policy but it appears it does in 'legacy' mode.
- _________________________________________________________________
-
-Introduction
-
- This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing
- with the 'old head' version of Samba and its NTDomain facilities. It
- is being rewritten by David Bannon (drb) so that it addresses more
- accurately the Samba 2.2 planned for release late 2000.
-
- This document probably still contains some material that does not
- apply to Samba 2.2 but most (all?) of the really misleading stuff has
- been removed. Some issues are not dealt with or are dealt with badly.
- Please send corrections and additions to David Bannon at
- D.Bannon@latrobe.edu.au
-
- Hopefully, as we all become familiar with the Samba 2.2 as a PDC this
- document will become much more usefull.
- _________________________________________________________________
-
-Chapter 2. General Information
-
-What can we do ?
-
-What can Samba Primary Domain Controller (PDC) do ?
-
- If you wish to have Samba act as a PDC for Windows NT 3.51.and 4.0 or
- W2000 client, then you will need to obtain the 2.2.0 version,
- currently in pre-release. Release of a stable, full featured Samba PDC
- is currently slated for version 3.0.
-
- The following is a list of included features currently in Samba 2.2:
-
- * The ability to act as a limited PDC for Windows NT and W2000
- clients. This includes adding NT and W2K machines to the domain
- and authenticating users logging into the domain.
- * Domain account can be viewed using the User Manager for Domains
- ????
- * Viewing resources on the Samba PDC via the Server Manager for
- Domains from the NT client. ??
- * Windows 95 clients will allow user level security to be set but
- will not currently allow browsing of accounts.
- * Machine account password updates.
- * Changing of user passwords from an NT client.
- * Partial support for Windows NT group and username mapping.
- * Support for a LDAP password database backend.
- * Printing.
-
- These things are note expected to work in the forseeable future
- * Trust relationships
- * PDC and BDC integration
- * Windows NT ACLs (on the Samba shares)
- * Offer a list of domain users to User Manager for Domains (or the
- Security Tab etc).
- _________________________________________________________________
-
-Can I have a Windows 2000 client logon to a Samba controlled domain?
-
- The 2.2 release branch of Samba supports Windows 2000 domain clients
- in legacy mode, ie as if the PDC is a NTServer, not a W2K server.
- _________________________________________________________________
-
-What's the status of print spool (spoolss) support in the NTDOM code?
-
- The implementation of support for SPOOLSS pipe is complete and it will
- be available in the 2.2.0 release. This means that Samba will support
- the automatic downloading of printer drivers for Windows NT clients
- just as it currently does for Windows 9x clients.
- _________________________________________________________________
-
-CVS
-
- CVS is a programme (publically available) that the Samba developers
- use to maintain the central source code. Non developers can get access
- to the source in a read only capacity. Many flavours of unix now
- arrive with cvs installed.
- _________________________________________________________________
-
-What are the different Samba branches available in CVS ?
-
- You can find out more about obtaining Samba's via anonymous CVS from
- http://pserver.samba.org/samba/cvs.html".
-
- There are basically four branches to watch at the moment :
-
- HEAD
- Samba 3.0 ? This code boasts all the main development work in
- Samba. Two things that most people are not aware of which live
- in the HEAD branch code are winbind NSS module and Tim Potter's
- VFS implementation. Due to its developmental nature, its not
- really suitable for production work.
-
- SAMBA_2_0
- This branch contains the current stable release release. At the
- moment it contains 2.0.7, a version that will do some limited
- PDC stuff. If you are really going to do PDC things then I
- (drb) suggest that you consider 2.2 instead.
-
- SAMBA_2_2
- The next stable release, currently in a 'alpha' form. It
- provides the Samba developers, testers and interested people
- with an approximation of what is to come. This document
- addresses only SAMBA_2_2.
-
- SAMBA_TNG
- This branch is no longer maintained from the Samba sites.
- Please see http://www.samba-tng.org/. It has been requested
- that questions about TNG are not posted to the regular Samba
- mailing lists including samba-ntdom and samba-technical.
- _________________________________________________________________
-
-What are the CVS commands ?
-
- See http://pserver.samba.org/samba/cvs.html
-
- To get the Samba 2.2 version, tag SAMBA_2_2 you would do :
- * For example : cd /usr/local/src/
- * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
- * When prompted enter a password of cvs
- * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot co -r SAMBA_2_2
- samba
-
- Then to update that directory at some later time,
- * cd /usr/local/src/samba
- * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
- * When prompted enter a password of 'cvs'.
- * cvs update -d -P
- _________________________________________________________________
-
-Chapter 3. Establishing Connections
-
-How do I get my NT4 or W2000 Workstation to login to the Samba controlled
-Domain?
-
- There is a comprehensive Samba PDC HowTo accessable from the samba web
- site under 'Documentation'. Its currently located at
- http://bioserve.latrobe.edu.au/samba. Read it.
- _________________________________________________________________
-
-What is a 'machine account' ?
-
- Every NT, W2K or Samba machine that joins a Samba controlled domain
- must be known to the Samba PDC. There are two entries required, one in
- (typically) /etc/passwd and the other in (typically)
- /usr/local/samba/private/smbpasswd. Under some circumstances these
- entries are made manually, the HowTo discusses ways of creating them
- automatically.
- _________________________________________________________________
-
-"The machine account for this computer either does not exist or is not
-accessable."
-
- When I try to join the domain I get the message "The machine account
- for this computer either does not exist or is not accessable". Whats
- wrong ?
-
- This problem is caused by the PDC not having a suitable machine
- account. If you are using the add user script = method to create
- accounts then this would indicate that it has not worked. Ensure the
- domain admin user system is working.
-
- Alternatively if you are creating account entries manually then they
- have not been created correctly. Make sure that you have the entry
- correct for the machine account in smbpasswd file on the Samba PDC. If
- you added the account using an editor rather than using the smbpasswd
- utility, make sure that the account name is the machine netbios name
- with a '$' appended to it ( ie. computer_name$ ). There must be an
- entry in both /etc/passwd and the smbpasswd file. Some people have
- reported that inconsistent subnet masks between the Samba server and
- the NT client have caused this problem. Make sure that these are
- consistent for both client and server.
- _________________________________________________________________
-
-How do I create machine accounts manually ?
-
- This was the only option until recently, now in version 2.2 better
- means are available. You might still need to do it manually for a
- couple of reasons. A machine account consists of two entries (assuming
- a standard install and /etc/passwd use), one in /etc/passwd and the
- other in /usr/local/samba/private/smbpasswd. The /etc/passwd entry
- will list the machine name with a $ appended, won't have a passwd,
- will have a null shell and no home directory. For example a machine
- called 'doppy' would have an /etc/passwd entry like this :
-
- doppy$:x:505:501:NTMachine:/dev/null:/bin/false
-
- On a linux system for example, you would typically add it like this :
-
- adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n doppy$
-
- Then you need to add that entry to smbpasswd, assuming you have a
- suitable path to the smbpasswd programme, do this :
-
- smbpasswd -a -m doppy$
-
- The entry will be created with a well known password, so any machine
- that says its doppy could join the domain as long as it gets in first.
- So don't create the accounts any earlier than you need them.
- _________________________________________________________________
-
-I cannot include a '$' in a machine name.
-
- A 'machine name' in (typically) /etc/passwd consists of the machine
- name with a '$' appended. FreeBSD (and other BSD systems ?) won't
- create a user with a '$' in their name.
-
- The problem is only in the program used to make the entry, once made,
- it works perfectly. So create a user without the '$' and use vipw to
- edit the entry, adding the '$'. Or create the whole entry with vipw if
- you like, make sure you use a unique uid !
- _________________________________________________________________
-
-I get told "You already have a connection to the Domain...." when creating a
-machine account.
-
- This happens if you try to create a machine account from the machine
- itself and use a user name that does not work (for whatever reason)
- and then try another (possibly valid) user name. Exit out of the
- network applet to close the initial connection and try again.
-
- Further, if the machine is a already a 'member of a workgroup' that is
- the same name as the domain you are joining (bad idea) you will get
- this message. Change the workgroup name to something else, it does not
- matter what, reboot, and try again.
- _________________________________________________________________
-
-I get told "Cannot join domain, the credentials supplied conflict with an
-existing set.."
-
- This is the same basic problem as mentioned above, "You already have a
- connection..."
- _________________________________________________________________
-
-"The system can not log you on (C000019B)...."
-
- I joined the domain successfully but after upgrading to a newer
- version of the Samba code I get the message, "The system can not log
- you on (C000019B), Please try a gain or consult your system
- administrator" when attempting to logon.
-
- This occurs when the domain SID stored in private/WORKGROUP.SID is
- changed. For example, you remove the file and smbd automatically
- creates a new one. Or you are swapping back and forth between versions
- 2.0.7, TNG and the HEAD branch code (not recommended). The only way to
- correct the problem is to restore the original domain SID or remove
- the domain client from the domain and rejoin.
- _________________________________________________________________
-
-Chapter 4. User Account Management
-
-Domain Admins
-
-How do I configure an account as a domain administrator?
-
- See the NTDom HowTo.
- _________________________________________________________________
-
-Profiles
-
-Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?
-
- Sometimes Windows clients will maintain a connection to the \\homes\ (
- or [%U] ) share even after the user has logged out. Consider the
- following scenario.
-
- * user1 logs into the Windows NT machine. Therefore the [homes]
- share is set to \\server\user1.
- * user1 works for a while and then logs out.
- * user2 logs into the same Windows NT machine.
-
- However, since the NT box has maintained a connection to [homes] which
- was previously set to \\server\user1, when the operating system
- attempts to get the profile and if it can read users1's profile, will
- get it otherwise it will return an error. You get the picture.
-
- A better solution is to use a separate [profiles] share and set the
- "logon path = \\%N\profiles\%U"
-
- Note: Is this still a problem ????
- _________________________________________________________________
-
-Why are all the users listed in the "domain admin users" using the same
-profile?
-
- You are using a very very old development version of Samba. Upgrade.
- _________________________________________________________________
-
-The roaming profiles do not seem to be updating on the server.
-
- There can be several reasons for this.
-
- Make sure that the time on the client and the PDC are synchronized.
- You can accomplish this by executing a net time \\server /set /yes
- replacing server with the name of your PDC (or another synchronized
- SMB server). See about Setting Time
-
- Make sure that the logon path is writeable by the user and make sure
- that the connection to the logon path location is by the current user.
- Sometimes Windows client do not drop the connection immediately upon
- logoff.
-
- Some people have reported that the logon path location should also be
- browseable. I (GC) have yet to emperically verify this, but you can
- try.
- _________________________________________________________________
-
-Policies
-
-What are 'Policies' ?.
-
- When a user logs onto the domain via a client machine, the PDC sends
- the client machine a list of things contained in the 'policy' (if it
- exists). This list may do things like suppress a splach screen, format
- the dates the way you like them or perhaps remove locally stored
- profiles.
-
- On a samba PDC this list is obtained from a file called ntconfig.pol
- and located in the [netlogon]share. The file is created with a policy
- editor and must be readable by anyone and writeable by only root. See
- below for how to get a suitable editor.
- _________________________________________________________________
-
-I can't get system policies to work.
-
- There are two possible reasons for system policies not functioning
- correctly. Make sure that you have the following parameters set in
- smb.conf
- [netlogon]
- ....
- locking = no
- public = no
- browseable = yes
- ....
-
-
- A policy file must be in the [netlogon] share and must be readable by
- everyone and writeable by only root. The file must be created by an
- NTServer Policy Editor.
-
- Last time I (drb) looked in the source, it was looking for
- ntconfig.pol first then several other combinations of upper and lower
- case. People have reported success using NTconfig.pol, NTconfig.POL
- and ntconfig.pol. These are the case settings that I (GC) use with the
- filename ntconfig.pol
- case sensitive = no
- case preserve = yes
- default case = yes
-
- _________________________________________________________________
-
-What about Windows NT Policy Editor ?
-
- To create or edit ntconfig.pol you must use the NT Server Policy
- Editor, poledit.exe which is included with NT Server but not NT
- Workstation. There is a Policy Editor on a NTws but it is not suitable
- for creating Domain Policies. Further, although the Windows 95 Policy
- Editor can be installed on an NT Workstation/Server, it will not work
- with NT policies because the registry key that are set by the policy
- templates. However, the files from the NT Server will run happily
- enough on an NTws. You need poledit.exe, common.adm and winnt.adm. It
- is convenient to put the two *.adm files in c:\winnt\inf which is
- where the binary will look for them unless told otherwise. Note also
- that that directory is 'hidden'.
-
- The Windows NT policy editor is also included with the Service Pack 3
- (and later) for Windows NT 4.0. Extract the files using
- servicepackname /x, ie thats Nt4sp6ai.exe /x for service pack 6a. The
- policy editor, poledt.exe and the associated template files (*.adm)
- should be extracted as well. It is also possible to downloaded the
- policy template files for Office97 and get a copy of the policy
- editor. Another possible location is with the Zero Administration Kit
- available for download from Microsoft.
- _________________________________________________________________
-
-Can Win95 do Policies ?
-
- Install the group policy handler for Win9x to pick up group policies.
- Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group
- policies on a Win9x client by double-clicking grouppol.inf. Log off
- and on again a couple of times and see if Win98 picks up group
- policies. Unfortunately this needs to be done on every Win9x machine
- that uses group policies....
-
- If group policies don't work one reports suggests getting the updated
- (read: working) grouppol.dll for Windows 9x. The group list is grabbed
- from /etc/group.
- _________________________________________________________________
-
-Passwords
-
-What is password sync and should I use it ?
-
- NTws users can change their domain password by pressing Ctrl-Alt-Del
- and choosing 'Change Password'. By default however, this does not
- change the unix password (typically in /etc/passwd or /etc/shadow). In
- lots of situations thats OK, for example :
-
- * The server is only accessible to the user via samba.
- * Pam_smb or similar is installed so other applications still refer
- to the samba password.
-
- But sometimes you really do need to maintain two seperate password
- databases and there are good reasons to keep then in sync. Trying to
- explain to users that they need to change their passwords in two
- seperate places or use two seperate passwords is not fun.
-
- However do understand that setting up password sync is not without
- problems either. The chief difficulty is the interface between Samba
- and the passwd command, it can be a fiddle to set up and if the
- password the user has entered fails, the resulting errors are
- ambiguously reported and the user is confused. Further, you need to
- take steps to ensure that users only ever change their passwords via
- samba (or use smbpasswd), otherwise they will only be changing the
- unix password.
- _________________________________________________________________
-
-How do I get remote password (unix and SMB) changing working ?
-
- Have a practice changing a user's password (as root) to see what
- discussion takes place and change the text in the 'passwd chat' line
- below as necessary. The line as shown works for recent RH Linux but
- most other systems seem to like to do something different. The '*' is
- a wild card and will match anything (or nothing).
-
- Add these lines to smb.conf under [Global]
-
-
- unix password sync = true
- passwd program = /usr/bin/passwd %u
- passwd chat = *password* %n\n *password* %n\n *successful*
-
- As mentioned above, the change to the unix password happens as root,
- not as the user, as is indicated in ~/smbd/chgpasswd.c If you are
- using NIS, the Samba server must be running on the NIS master machine.
- _________________________________________________________________
-
-Chapter 5. Miscellaneous
-
-What editor can I use in DOS/Windows that won't mess with my unix EOF
-
- There are a number of Windows or DOS based editors that will
- understand, and leave intact, the unix eof (as opposed to a DOS
- CL/LF). List members suggested :
-
- * UltraEdit at www.ultraedit.com
- * VI for windows at home.snafu.de/ramo/WinViEn.htm
- * The author prefers PFE at www.lancs.ac.uk/people/cpaap/pfe/ but
- its no longer being developed...
- _________________________________________________________________
-
-How do I get 'User Manager' and 'Server Manager'
-
- Since I don't need to buy an NT Server CD now, how do I get the 'User
- Manager for Domains', the 'Server Manager' ?
-
- Microsoft distributes a version of these tools called nexus for
- installation on Windows 95 systems. The tools set includes
- * Server Manager
- * User Manager for Domains
- * Event Viewer
-
- Click here to download the archived file
- ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
-
- The Windows NT 4.0 version of the 'User Manager for Domains' and
- 'Server Manager' are available from Microsoft via ftp from
- ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
- _________________________________________________________________
-
-The time setting from a Samba server does not work.
-
- If it works OK when you log on as Domain Admin then the problem is
- that ordinary users don't have permission to change the time. (The
- system is running with their permission at logon time.) This is not a
- Samba problem, you will have the same problem where ever you connect.
- You can give 'everyone' permission to change the time from the User
- Manager.
-
- Anyone know what the registry settings are so this could be done with
- a Policy ?
- _________________________________________________________________
-
-"trust account xxx should be in DOMAIN_GROUP_RID_USERS"
-
- I keep getting the message "trust account xxx should be in
- DOMAIN_GROUP_RID_USERS." in the logs. What do I need to do?
-
- You are using one of the old development versions. Upgrade. (The
- message is unimportant, was a reminder to a developer)
- _________________________________________________________________
-
-How do I get my samba server to become a member ( not PDC ) of an NT domain?
-
- In a domain that has a number of servers you only need one password
- database. The machines that don't have their own ask the PDC to check
- for them. This will work fine for a domain controlled by either a
- Samba or NT machine. The following lines in smb.conf are typical,
- 'password server' points to the samba machine (or an NT) that has the
- password list :
-
-
- [global]
- ...
- security = domain
- workgroup = { Put your domain name here }
- password server = { Put the ip of the PDC here }
- encrypt passwords = yes
- ...
-
- The samba server in question will have to 'join the domain', that
- requires the domain controller to have a machine account for it. This
- is no different to the machine account requirements to allow a NTws to
- join the domain. For example, if we want a unix box called sleepy to
- ask the PDC called grumpy to do its authentication then grumpy will
- need an entry in its smbpasswd (assuming it's also samba) that starts
- with sleepy$. It would have to be created manually.
-
- If the domain is controlled by an NTServer then the "Server Manager
- for Domains" tool must be used to add 'sleepy' to the domain list.
-
- In either case we then join the domain. If the domain is called forest
- then on sleepy we would join the domain by typing :
-
- smbpasswd -j forest
-
- Note that the directory where the smbpasswd file would be located
- should exist as this is where smbd will generate the MACHINE.SID file.
- This might be /usr/local/samba/private/FOREST.SLEEPY.SID and it
- contains the trust account password for the domain member. The
- permissions are (and should remain) "rw-------
-
- Note the Samba Servers without the password list will most likely
- still need an account for each user, this means a line in its
- /etc/passwd. Because authentication is being handled at the domain
- level the /etc/passwd line does not need a password. If the shares
- being offered are not user specific, ie a common (read only ?) area or
- perhaps just printing then the user's /etc/passwd does not need a home
- directory. A typical line in /etc/passwd for a server that allows
- domain users to connect to the samba shares but does not offer a home
- share ('cos that's on the PDC) and does not allow logon to the unix
- prompt would be like this :
-jblow:x:542:100:Joe Blow:/dev/null:/bin/false
-
- * When removing those 'dummy' users, watch the 'remove user'
- scripts, some OS think they should remove a users directory even
- when its not owned by the user !
- * The username map = parameter might help you to avoid having all
- those accounts created.
- * You should investigate the smb.conf parameter 'add user script',
- it will be used to create accounts on secondary servers when that
- account already exists on the PDC. Very nice. Something like :
- [Global]
- ....
- add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bi
-n/false %U
- ....
- _________________________________________________________________
-
-Chapter 6. Troubleshooting and Bug Reporting
-
-Diagnostic tools
-
-What are some diagnostics tools I can use to debug the domain logon process
-and where can I find them?
-
- One of the best diagnostic tools for debugging problems is Samba
- itself. You can use the -d option for both smbd and nmbd to specifiy
- what 'debug level' at which to run. See the man pages on smbd, nmbd
- and smb.conf for more information on debugging options. The debug
- level can range from 1 (the default) to around 100 but a debug level
- of about 20 will normally help you find any errors that samba is
- encountering. Another helpful method of debugging is to compile samba
- using the gcc -g flag. This will include debug information in the
- binaries and allow you to attch gdb to the running smbd / nmbd
- process. In order to attach gdb to an smbd process for an NT
- workstation, first get the workstation to make the connection.
- Pressing ctrl-alt-delete and going down to the domain box is
- sufficient (at least, on the first time you join the domain) to
- generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
- maintains an open connection, and therefore there will be an smbd
- process running (assuming that you haven't set a really short smbd
- idle timeout) So, in between pressing ctrl alt delete, and actually
- typing in your password, you can gdb attach and continue.
-
- Some usefull samba commands worth investigating:
- * testparam | more
- * smbclient -L //{netbios name of server}
-
- An SMB enabled version of tcpdump is available from
- ftp://samba.org/pub/samba/tcpdump-smb/
-
- Capconvert is a small C program for translating output from
- tcpdump-smb to CAP format that can be read by netmon. You will need to
- use the raw output from tcp dump ( ie. tcpdump -w output.dump ). Good
- news! Now you can convert Solaris' snoop output as well. The C source
- code for snoop2cap is available for download.
-
- For tracing things on the Microsoft Windows NT, Network Monitor (aka.
- netmon) is available on the Microsoft Developer Network CD's, the
- Windows NT Server install CD and the SMS CD's. The version of netmon
- that ships with SMS allows for dumping packets between any two
- computers (ie. placing the network interface in promiscuous mode). The
- version on the NT Server install CD will only allow monitoring of
- network traffic directed to the local NT box and broadcasts on the
- local subnet.
- _________________________________________________________________
-
-How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?
-
- Installing netmon on an NT workstation requires a couple of steps. The
- following are for installing Netmon V4.00.349, which comes with
- Microsoft Windows NT Server 4.0, on Microsoft Windows NT Workstation
- 4.0. The process should be similar for other version of Windows NT /
- Netmon. You will need both the Microsoft Windows NT Server 4.0 Install
- CD and the Workstation 4.0 Install CD.
-
- Initially you will need to install 'Network Monitor Tools and Agent'
- on the NT Server. To do this
-
- * Goto Start - Settings - Control Panel - Network - Services - Add
- * Select the 'Network Monitor Tools and Agent' and click on 'OK'.
- * Click 'OK' on the Network Control Panel.
- * Insert the Windows NT Server 4.0 install CD when prompted.
-
- At this point the Netmon files should exist in
- %SYSTEMROOT%\System32\netmon\*.*. Two subdirectories exist as well,
- parsers\ which contains the necessary DLL's for parsing the netmon
- packet dump, and captures\.
-
- In order to install the Netmon tools on an NT Workstation, you will
- first need to install the 'Network Monitor Agent' from the Workstation
- install CD.
-
- * Goto Start - Settings - Control Panel - Network - Services - Add
- * Select the 'Network Monitor Agent' and click on 'OK'.
- * Click 'OK' on the Network Control Panel.
- * Insert the Windows NT Workstation 4.0 install CD when prompted.
-
- Now copy the files from the NT Server in
- %SYSTEMROOT%\System32\netmon\*.* to %SYSTEMROOT%\System32\netmon\*.*
- on the Workstation and set permissions as you deem appropriate for
- your site. You will need administrative rights on the NT box to run
- netmon.
-
- To install Netmon on a Windows 9x box install the network monitor
- agent from the Windows 9x CD (\admin\nettools\netmon). There is a
- readme file located with the netmon driver files on the CD if you need
- information on how to do this. Copy the files from a working Netmon
- installation.
- _________________________________________________________________
-
-What other help can I get ?
-
- There are many sources of information available in the form of mailing
- lists, RFC's and documentation. The docs that come with the samba
- distribution contain very good explanations of general SMB topics such
- as browsing.
- _________________________________________________________________
-
-URLs and similar
-
- * Home of Samba site http://samba.org. We have a mirror near you !
- * The Development document on the Samba mirrors might mention your
- problem. If so, it might mean that the developers are working on
- it.
- * Ignacio Coupeau has a very comprehesive look at LDAP with Samba at
- http://www.unav.es/cti/ldap-smb-howto.html Be a little carefull
- however, I suspect that it does not specificly address samba
- 2.2.x. The HEAD pre-2.1 may possibly be the best stream to look
- at.
- * Lars Kneschke's site covers Samba-TNG at
- http://www.kneschke.de/projekte/samba_tng, but again, a lot of it
- does not apply to the main stream Samba.
- * See how Scott Merrill simulates a BDC behaviour at
- http://www.skippy.net/linux/smb-howto.html.
- * Although 2.0.7 has almost had its day as a PDC, I (drb) will keep
- the 2.0.7 PDC pages at http://bioserve.latrobe.edu.au/samba going
- for a while yet.
- * Misc links to CIFS information http://samba.org/cifs/
- * NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/
- * FTP site for older SMB specs:
- ftp://ftp.microsoft.com/developr/drg/CIFS/
-
- There are a number of documents that no longer appear to live at their
- origional home. Any one know where the following may be found ?
- * CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt
- * CIFS Remote Administration Protocol
- draft-leach-cifs-rap-spec-00.txt
- * CIFS Logon and Pass Through Authentication
- draft-leach-cifs-logon-spec-00.txt
- * A Common Internet File System (CIFS/1.0) Protocol
- draft-leach-cifs-v1-spec-01.txt
- * CIFS Printing Specification draft-leach-cifs-print-spec-00.txt
- * RFC1001 (March '87) Protocol standard for a NetBIOS service on a
- TCP/UDP transport: Concepts and methods.
- http://ds.internic.net/rfc/rfc1001.txt
- * RFC1002 (March '87) Protocol standard for a NetBIOS service on a
- TCP/UDP transport: Detailed specifications.
- http://ds.internic.net/rfc/rfc1002.txt
- * Microsoft's main CIFS page:
- http://www.microsoft.com/workshop/networking/cifs/
- _________________________________________________________________
-
-How do I get help from the mailing lists ?
-
- There are a number of Samba related mailing lists. Go to
- http://samba.org, click on your nearest mirror and then click on
- Support and then click on Samba related mailing lists.
-
- For questions relating to Samba TNG go to http://www.samba-tng.org/ It
- has been requested that you don't post questions about Samba-TNG to
- the main stream Samba lists.
-
- If you post a message to one of the lists please observe the following
- guide lines :
- * Always remember that the developers are volunteers, they are not
- paid and they never guarantee to produce a particular feature at a
- particular time. Any time lines are 'best guess' and nothing more.
- * Always mention what version of samba you are using and what
- operating system its running under. You should probably list the
- relevant sections of your smb.conf file, at least the options in
- [global] that affect PDC support.
- * In addition to the version, if you obtained Samba via CVS mention
- the date when you last checked it out.
- * Try and make your question clear and brief, lots of long,
- convoluted questions get deleted before they are completely read !
- Don't post html encoded messages (if you can select colour or font
- size its html).
- * If you run one of those niffy 'I'm on holidays' things when you
- are away, make sure its configured to not answer mailing lists.
- * Don't cross post. Work out which is the best list to post to and
- see what happens, ie don't post to both samba-ntdom and
- samba-technical. Many people active on the lists subscribe to more
- than one list and get annoyed to see the same message two or more
- times. Often someone will see a message and thinking it would be
- better dealt with on another, will forward it on for you.
- * You might include partial log files written at a debug level set
- to as much as 20. Please don't send the entire log but enough to
- give the context of the error messages.
- * (Possibly) If you have a complete netmon trace ( from the opening
- of the pipe to the error ) you can send the *.CAP file as well.
- * Please think carefully before attaching a document to an email.
- Consider pasting the relevant parts into the body of the message.
- The samba mailing lists go to a huge number of people, do they all
- need a copy of your smb.conf in their attach directory ?
- _________________________________________________________________
-
-How do I get off the mailing lists ?
-
- To have your name removed from a samba mailing list, go to the same
- place you went to to get on it. Go to http://samba.org, click on your
- nearest mirror and then click on Support and then click on Samba
- related mailing lists. Or perhaps see here
-
- Please don't post messages to the list asking to be removed, you will
- just be refered to the above address (unless that process failed in
- some way...)
diff --git a/docs/textdocs/samba-pdc-howto.txt b/docs/textdocs/samba-pdc-howto.txt
deleted file mode 100644
index 5ed15cdf4a..0000000000
--- a/docs/textdocs/samba-pdc-howto.txt
+++ /dev/null
@@ -1,712 +0,0 @@
-
-The Samba 2.2 PDC HowTo
-
-David Bannon
-
- La Trobe University
- _________________________________________________________________
- _________________________________________________________________
-
- Comments, corrections and additions to <dbannon@samba.org>
-
- This document explains how to setup Samba as a Primary Domain
- Controller and applies to version 2.2.0. Before using these functions
- make sure you understand what the controller can and cannot do. Please
- read the sections below in the Introduction. As 2.2.0 is incrementally
- updated this document will change or become out of date very quickly,
- make sure you are reading the most current version.
-
- Please note this document does not apply to Samba2.2alpha0,
- Samba2.2alpha1, Samba 2.0.7, TNG nor HEAD branch.
-
- It does apply to the current (post November 27th) cvs.
-
- Also available is an updated version of Jerry Carter's NTDom FAQ that
- will answer lots of the special 'tuning' questions that are not
- covered here. Over the next couple of weeks some of the items here
- will be moved to the FAQ.
-
- Table of Contents
- 1. Introduction
-
- What can we do ?
- What can't we do ?
-
- 2. Installing
-
- Start Up Script
- Config File
-
- A sample conf file
- PDC Config Parameters
-
- Special directories
-
- 3. User and Machine Accounts
-
- Logon Accounts
- Machine Accounts
- Joining the Domain
- User Accounts
- Domain Admin Accounts
-
- 4. Profiles, Policies and Logon Scripts
-
- Profiles
- Policies
- Logon Scripts
-
- 5. Passwords and Authentication
-
- Syncing Passwords
- Using PAM
- Authenticating other Samba Servers
-
- 6. Background
-
- History
- The Future
- Getting further help
- _________________________________________________________________
-
-Chapter 1. Introduction
-
- This document will show you one way of making Version 2.2.0 of Samba
- perform some of the tasks of a NT Primary Domain Controller. The
- facilities described are built into Samba as a result of development
- work done over a number of years by a large number of people. These
- facilities are only just beginning to be officially supported and
- although they do appear to work reliably, if you use them then you
- take the risks upon your self. This document does not cover the
- developmental versions of Samba, particularly Samba-TNG
-
- Note that Samba 2.0.7 supports significently less of the NT Domain
- facilities compared with 2.2.0
-
- This document does not replace the text files DOMAIN_CONTROL.txt,
- DOMAIN.txt (by John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth
- Casson Leighton). Those documents provide more detail and an insight
- to the development cycle and should be considered 'further reading'.
- _________________________________________________________________
-
-What can we do ?
-
- * Permit 'domain logons' for Win95/98, NT4 and W2K workstations from
- one central password database. WRT W2K, please see the section
- about adding machine accounts and the Intro in the FAQ.
- * Grant Administrator privileges to particular domain users on an NT
- or W2K workstation.
- * Apply policies from a domain policy file to NT and W2K (?)
- workstation.
- * Run the appropriate logon script when a user logs on to the domain
- .
- * Maintain a user's local profile on the server.
- * Validate a user using another system via smb (such as smb_pam) and
- soon winbind (?).
- _________________________________________________________________
-
-What can't we do ?
-
- * Become or work with a Backup Domain Controller (a BDC).
- * Participate in any sort of trust relationship (with either Samba
- or NT Servers).
- * Offer a list of domain users to User Manager for Domains on the
- Security Tab etc).
- * Be a W2K type of Domain Controller. Samba PDC will behave like an
- NT PDC, W2K workstations connect in legacy mode.
- _________________________________________________________________
-
-Chapter 2. Installing
-
- Installing consists of the usual download, configure, make and make
- install process. These steps are well documented elsewhere. The FAQ
- discusses getting pre-release versions via CVS. Then you need to
- configure the server.
- _________________________________________________________________
-
-Start Up Script
-
- Skip this section if you have a working Samba already. Everyone has
- their own favourite startup script. Here is mine, offered with no
- warrantee at all !
-
-
- #!/bin/sh
- # Script to control Samba server, David Bannon, 14-6-96
- #
- #
- PATH=/bin:/usr/sbin:/usr/bin
- export PATH
- case "$1" in
- 'start')
- if [ -f /usr/local/samba/bin/smbd ]
- then
- /usr/local/samba/bin/smbd -D
- /usr/local/samba/bin/nmbd -D
- echo "Starting Samba Server"
- fi
- ;;
- 'conf')
- if [ -f /usr/local/samba/lib/smb.conf ]
- then
- vi /usr/local/samba/lib/smb.conf
- fi
- ;;
- 'pw')
- if [ -f /usr/local/samba/private/smbpasswd ]
- then
- vi /usr/local/samba/private/smbpasswd
- fi
- ;;
- 'who')
- /usr/local/samba/bin/smbstatus -b
- ;;
- 'restart')
- psline=`/bin/ps x | grep smbd | grep -v grep`
-
- if [ "$psline" != "" ]
- then
- while [ "$psline" != "" ]
- do
- psline=`/bin/ps x | fgrep smbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -HUP $pid
- echo "Stopped $pid line = $psline"
- sleep 2
- fi
- done
- fi
- echo "Stopped Samba servers"
- ;;
- 'stop')
- psline=`/bin/ps x | grep smbd | grep -v grep`
-
- if [ "$psline" != "" ]
- then
- while [ "$psline" != "" ]
- do
- psline=`/bin/ps x | fgrep smbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -9 $pid
- echo "Stopped $pid line = $psline"
- sleep 2
- fi
- done
- fi
- echo "Stopped Samba servers"
- psline=`/bin/ps x | grep nmbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -9 $pid
- echo "Stopped Name Server "
- fi
- echo "Stopped Name Servers"
- ;;
- *)
- echo "usage: samba {start | restart |stop | conf | pw | who}"
- ;;
- esac
-
-
- Use this script, or some other one, you will need to ensure its used
- while the machine is booting. (This typically involves /etc/rc.d,
- we'll be assuming that there is a script called samba in
- /etc/rc.d/init.d further down in this document.)
- _________________________________________________________________
-
-Config File
-
-A sample conf file
-
- Here is a fairly minimal config file to do PDC. It will also make the
- server become the browse master for the specified domain (not
- necessary but usually desirable). You will need to change only two
- parameters to make this file work, wins server and workgroup, plus you
- will need to put your own name (not mine!) in the domain admin users
- fields. Some of the parameters are discussed further down this
- document.
-
- Assuming you have used the default install directories, this file
- should appear as /usr/local/samba/lib/smb.conf. It should not be
- writable by anyone except root.
-
- Note: The 'add user script' parameter is a work-around, watch for
- changes !
-
-
-
- [global]
- security = user
- status = yes
- workgroup = { Your domain name here }
- wins server = { ip of a wins server if you have one }
- encrypt passwords = yes
- domain logons =yes
- logon script = scripts\%U.bat
- domain admin group = @adm
- add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/n
-ull -s /bin/false %m$
- guest account = ftp
- share modes=no
- os level=65
- [homes]
- guest ok = no
- read only = no
- create mask = 0700
- directory mask = 0700
- oplocks = false
- locking = no
- [netlogon]
- path = /usr/local/samba/netlogon
- writeable = no
- guest ok = no
-
- _________________________________________________________________
-
-PDC Config Parameters
-
- There are a huge range of parameters that may appear in a smb.conf
- file. Some that may be of interest to a PDC are :
-
- add user script
- This parameter specifies a script (or program) that will be run
- to add a user to the system. Here it is being used to add a
- machine, not a user. This is probably not very nice and may
- change. But it does work !
-
- For this example, I have a group called 'machines', entries can
- be added to /etc/passwd using a programme called /usr/adduser
- and the other parameters are chosen as suitable for a machine
- account. Works for RH Linux, your system may require changes.
-
- domain admin group = @adm
- This parameter specifies a unix group whose members will be
- granted admin privileges on a NT workstation when logged onto
- that workstation. See the section called Domain Admin Accounts.
-
- domain admin users = user1 users2
- It appears that this parameter does not funtion correctly at
- present. Use the 'domain admin group' instread. This parameter
- specifies a unix user who will be granted admin privileges on a
- NT workstation when logged onto that workstation. See the
- section called Domain Admin Accounts.
-
- encrypt passwords = yes
- This parameter must be 'yes' to allow any of the recent service
- pack NTs to logon. There are some reg hacks that turn off
- encrypted passwords on the NTws itself but if you are going to
- use the smbpasswd system (and you should) you must use
- encrypted passwords.
-
- logon script = scripts\%U.bat
- This will make samba look for a logon script named after the
- user (eg joeblow.bat). See the section further on called Logon
- Scripts
-
- Note: Note that the slash is like this '\', not like this '/'. NT
- is happy with both, win95 is not !
-
- logon path
- Lets you specify where you would like users profiles kept. The
- default, that is in the users home directory, does encourage a
- bit of fiddling.
- _________________________________________________________________
-
-Special directories
-
- You need to create a couple of special files and directories. Its nice
- to have some of the binaries handy too, so I create links to them.
- Assuming you have used the default samba location and have not changed
- the locations mentioned in the sample config file, do the following :
-
-
- mkdir /usr/local/samba/netlogon
- mkdir /usr/local/samba/netlogon/scripts
- mkdir /usr/local/samba/private
- touch /usr/local/samba/private/smbpasswd
- chmod go-rwx /usr/local/samba/private/smbpasswd
- cd /usr/local/sbin
- ln -s /usr/local/samba/bin/smbpasswd
- ln -s /usr/local/samba/bin/smbclient
- ln -s /etc/rc.d/init.d/samba
-
- Make sure permissions are appropriate !
-
- OK, if you have used the scripts above and have a path to where the
- links are do this to start up the Samba Server :
-
- samba start
-
- Instead, you might like to reboot the machine to make sure that you
- got the init stuff right. Any way, a quick look in the logs
- /usr/local/samba/var/log.smbd and /usr/local/samba/var/log/nmbd will
- give you an idea of what's happening. Assuming all is well, lets
- create some accounts...
- _________________________________________________________________
-
-Chapter 3. User and Machine Accounts
-
-Logon Accounts
-
- This section is very nearly out of date already ! It appears that
- while you are reading it, Jean Francois Micou is making it redundant !
- Jean Francois is adding facilities to add users (via User Manager) and
- machines (when joining the domain) and it looks like these facilities
- will make it into the official release of 2.2.
-
- Every user and NTws (and other samba servers) that will be on the
- domain must have its own passwd entry in both /etc/passwd and
- /usr/local/samba/private/smbpasswd . The /etc/passwd entry is really
- only to reserve a user ID. The NT encrypted password is stored in
- /usr/local/samba/private/smbpasswd. (Note that win95/98 machines don't
- need an account as they don't do any security aware things.)
-
- Samba 2.2 will now create these entries for us. Carefull set up is
- required and there may well be some changes to this system before its
- released.
- _________________________________________________________________
-
-Machine Accounts
-
- Note: There is an entry in the ntdom FAQ explaining how to create
- machine entries manually.
-
- At present to have the machine accounts created when a machine joins
- the domain a number of conditions must be met :
-
- Only root can do it !
- There must be an entry in /usr/local/samba/private/smbpasswd
- for root and root must be mentioned in domain admins. This may
- be fixed some time in the future so any 'domain admin' can do
- it. If you don't like having root as a windows logon account,
- make the machine entries manually (both of them).
-
- Use the add user script
- Again, this looks a bit like a 'work around'. Use a suitable
- command line to add a machine account see above, and pass it
- %m$, that is %m to get machine name plus the '$'. Now, this
- means you cannot use the add user script to really add users
- ....
-
- Only for W2K
- This automatic creation of machine accounts does not work for
- NT4ws at present. Watch this space.
- _________________________________________________________________
-
-Joining the Domain
-
- You must have either added the machine account entries manually (NT4
- ws) or set up the automatic system (W2K), see Machine Accounts before
- proceeding.
-
- Windows NT
-
- + (this step may not be necessary some time in the near
- future). On the samba server that is the PDC, add a machine
- account manually as per the instructions in the FAQ Then give
- the command smbpasswd -a -m {machine} substituting in the
- client machine name.
- + Logon to the NTws in question as a local admin, go to the
- Control Panel, Network IdentificationTag.
- + Press the Change button.
- + Enter the Domain name (from the 'Workgroup' parameter,
- smb.conf) in the Domain Field.
- + Press OK and after a few seconds you will get a 'Welcome to
- Whatever Domain'. Allow to reboot.
-
- Windows 2000
-
- + Logon to the W2k machine as Administrator, go to the Control
- Panel and double click on Network and Dialup Connections.
- + Pull down the Advanced menu and choose Network
- Identification. Press Properties .
- + Choose Domain and enter the domain name. Press 'OK'.
- + Now enter a user name and password for a Domain Admin (Who
- must be root until a pre-release bug is fixed) and press
- 'OK'.
- + Wait for the confirmation, reboot when prompted.
-
- To remove a W2K machine from the domain, follow the first two
- steps then choose Workgroup, enter a work group name (or just
- WORKGROUP) and follow the prompts.
- _________________________________________________________________
-
-User Accounts
-
- Again, doing it manually (cos' the auto way is not working
- pre-release). In our simple case every domain user should have an
- account on the PDC. The account may have a null shell if they are not
- allowed to log on to the unix prompt. Again they need an entry in both
- the /etc/passwd and /usr/local/samba/private/smbpasswd. Again a
- password is not necessary in /etc/passwd but the location of the home
- directory is honoured. To make an entry for a user called Joe Blow you
- would typically do the following :
-
- adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow
-
- smbpasswd -a joeblow
-
- And you will prompted to enter a password for Joe. Ideally he will be
- hovering over your shoulder and will, when asked, type in a password
- of his choice. There are a number of scripts and systems to ease the
- migration of users from somewhere to samba. Better start looking !
- _________________________________________________________________
-
-Domain Admin Accounts
-
- Certain operations demand that the logged on user has Administrator
- privileges, typically installing software and doing maintenance tasks.
- It is very simple to appoint some users as Domain Admins, most likely
- yourself. Make sure you trust the appointee !
-
- Samba 2.2 recognizes particular users as being domain admins and tells
- the NTws when it thinks that it has got one logged on. In the smb.conf
- file we declare that the Domain Admin group = @adm. Any user who is a
- menber of the unix group 'adm' is treated as a Domain Admin by a NTws
- when logged onto the Domain. They will have full Administrator rights
- including the rights to change permissions on files and run the system
- utilities such as Disk Administrator. Add users to the group by
- editing /etc/group/. You do not need to use the 'adm' group, choose
- any one you like.
-
- Further, and this is very new, they will be allowed to create a new
- machine account when first connecting a new NT or W2K machine to the
- domain. However, at present, ie pre-release, only a Domain Admin who
- also happens to be root can do so.
- _________________________________________________________________
-
-Chapter 4. Profiles, Policies and Logon Scripts
-
-Profiles
-
- NT Profiles should work if you have followed the setup so far. A
- user's profile contains a whole lot of their personal settings, the
- contents of their desktop, personal 'My Documents' and so on. When
- they log off, all of the profile is copied to their directory on the
- server and is downloaded again when they logon on again, possibly on
- another client machine.
-
- Sounds great but can be a bit of a bug bear sometimes. Users let their
- profiles get too big and then complain about how long it takes to log
- on each time. This sample setup only supports NT profiles, rumor has
- it that it is also possible to do the same on Win95, my users don't
- know and I'm not telling them.
-
- Note: There is more info about Profiles (including for W95/98) in
- the FAQ.
- _________________________________________________________________
-
-Policies
-
- Policies are an easy way to make or enforce specific characteristics
- across your network. You create a ntconfig.pol file and every time
- someone logs on with their NTws, the settings you put in ntconfig.pol
- are applied to the NTws. Typical setting are things like making the
- date appear the way you want it (none of these 2 figure years here) or
- maybe suppressing one of the splash screens. Perhaps you want to set
- the NTws so it does not keep users profiles on the local machine.
- Cool. The only problem is making the ntconfig.pol file itself. You
- cannot use the policy editor that comes with NTws.
-
- Note: See the FAQ for pointers on how to get a suitable Policy
- Editor.
-
- The Policy Editor (and associated files) will create a ntconfig.pol
- file using the parameters Microsoft thought of and parameters you
- specify by making your own template file.
-
- In our example configuration here, Samba will expect to find the
- ntconfig.pol file in /usr/local/samba/netlogon. Needless to say (I
- hope !), it is vitally important that ordinary users don't have write
- permission to the Policy files.
- _________________________________________________________________
-
-Logon Scripts
-
- In the sample config file above there is a line logon script =
- scripts\%U.bat
-
- Note: Note that the slash is like this '\' not like this '/'. NT is
- happy with both, win95 is not !
-
- This allows you to run a dos batch file every time someone logs on.
- The batch file is located on the server, in the sample install
- mentioned here, its in /usr/local/samba/netlogon/scripts and is named
- after the user with .bat appended, eg Joe Blow's script is called
- /usr/local/samba/netlogon/scripts/joeblow.bat.
-
- Note: There is a suggestion that user names longer than 8
- characters may cause problems with some systems being unable to run
- logon scripts. This is confirmed in earlier versions when
- connecting using W95, comments about other combinations ??
-
- You could use a line like this logon script = default.bat and samba
- will supply /usr/local/samba/netlogon/default.bat for any client and
- every user. Maybe you could use %m and get a client machine dependant
- logon script. You get the idea...
-
- Note that the file is a dos batch file not a Unix script. It runs dos
- commands on the client computer with the logon user's permissions. It
- must be a dos file with each line ending with the dos cr/lf not a nice
- clean newline. Generally, its best to create the initial file on a DOS
- system and copy it across.
-
- There is lots of very clever uses of the Samba replaceable variables
- such ( %U = user, %G = primary group, %H = client machine, see the
- 'man 5 smb.conf') to give you control over which script runs when a
- particular person logs on. (Gee, it would be nice to have a
- default.bat run when nothing else is available.)
-
- Again, it is vitally important that ordinary users don't have write
- permission to other peoples, or even probably their own, logon script
- files.
-
- A typical logon script is reproduced below. Note that it runs separate
- commands for win95 and NT, that's because NT has slightly different
- behaviour when using the net use .. command. Its useful for lots of
- other situations too. I don't know what syntax to use for win98, I
- don't use it here.
-
-
- rem Default logon script, create links to this file.
-
- net time \\bioserve /set /yes
- @echo off
- if %OS%.==Windows_NT. goto WinNT
-
- :Win95
- net use k: \\trillion\bio_prog
- net use p: \\bcfile\homes
- goto end
- :WinNT
- net use k: \\trillion\bio_prog /persistent:no
- net use p: \\bcfile\homes /persistent:no
-
- :end
- _________________________________________________________________
-
-Chapter 5. Passwords and Authentication
-
- So far our configuration assumes that ordinary users don't have unix
- logon access. A change to the adduser line above would allow unix
- logon but it would be with passwords that may be different from the NT
- logon. Clearly that won't suit everyone. Trying to explain to users
- that they need to change their passwords in two seperate places is not
- fun. Further, even if they cannot do a unix logon there are other
- processes that might require authentication. We have a nice securely
- encrypted password in /usr/local/samba/private/smbpasswd, why not use
- it ?
- _________________________________________________________________
-
-Syncing Passwords
-
- Yes, its possible and seems the easiest way (initially anyway). The
- FAQ details how to do so in the sections What is password sync and
- should I use it ? and How do I get remote password (unix and SMB)
- changing working ?
- _________________________________________________________________
-
-Using PAM
-
- Pam enabled systems have a much better solution available. The Samba
- PDC server will offer to authenticate domain users to other processes
- (either on this server or on the domain). With a suitable pam stack
- such as Pam_smb you can get any pam aware application looking to the
- samba password and can leave the password field in /etc/shadow or
- /etc/passwd invalid.
- _________________________________________________________________
-
-Authenticating other Samba Servers
-
- In a domain that has a number of servers you only need one password
- database. The machines that don't have their own ask the PDC to check
- for them. This will work fine for a domain controlled by either a
- Samba or NT machine.
-
- To do so the Samba machine must be told to refer to the PDC and where
- the PDC is. See the section in the NTDom FAQ called How do I get my
- samba server to become a member ( not PDC ) of an NT domain?
- _________________________________________________________________
-
-Chapter 6. Background
-
-History
-
- It might help you understand the limitations of the PDC in Samba if
- you read something of its history. Well, the history as I understand
- it anyway.
-
- For many years the Samba team have been developing Samba, some time
- ago a number of people, possibly lead by Luke Leighton started
- contributing NT PDC stuff. This was added to the 'head' stream (that
- would eventually become the next version) and later to a seperate
- stream (NTDom). They did so much that eventually this development
- stream was so mutated that it could not be merged back into the main
- stream and was abandoned towards the end of 1999. And that was very
- sad because many users, myself include had become heavily dependant on
- the NTController facilities it offered. Oh well...
-
- The NTDom team continued on with their new found knowledge however and
- built the TNG stream. Intended to be carefully controlled so that it
- can be merged back into the main stream and benefiting from what they
- learnt, it is a very different product to the origional NTDom product.
- However, for a number of reasons, the merge did not take place and now
- TNG is being developed at http://www.samba-tng.org.
-
- Now, the NTDom things that the main strean 2.0.x version does is based
- more on the old (initial version) abandoned code than on the TNG
- ideas. It appears that version 2.2.0 will also include an improved
- version of the 2.0.7 domain controller charactistics, not the TNG
- ways. The developers have indicated that 2.2.0 will be further
- developed incrementally and the ideas from TNG incorporated into it.
-
- One more little wriggle is worth mentioning. At one stage the NTDom
- stream was called Samba 2.1.0-prealpha and similar names. This is most
- unfortunate because at least one book published advises people who
- want to use NTDom Samba to get version 2.1.0 or later. As main stream
- Samba will soon be called 2.2.0 and NOT officially supporting NTDom
- Controlling functions, the potential for confusion is certainly there.
- _________________________________________________________________
-
-The Future
-
- There is a document on the Samba mirrors called 'Development' . It
- offers the 'best guess' of what is planned for future releases of
- Samba.
-
- The future of Samba as a Primary Domain Controller appears rosie,
- however be aware that its the future, not the present. The developers
- are strongly committed to building a full featured PDC into Samba but
- it will take time. If this version does not meet your requirements
- then you should consider (in no particular order) :
-
- * Wait. No, we don't know how long. Repeated asking won't help.
- * Investigate the development versions, TNG perhaps or HEAD where
- new code is being added all the time. Realise that development
- code is often unstable, poorly documented and subject to change.
- You will need to use cvs to download development versions.
- * Join one of the Samba mailing lists so that you can find out what
- is happening on the 'bleeding edge'.
- _________________________________________________________________
-
-Getting further help
-
- This document cannot possibly answer all your questions. Please
- understand that its very likely that someone has been confrounted by
- the same problem that you have. The FAQ discusses a number of possible
- paths to take to get further help :
-
- * Documents on the Samba Sites.
- * Other web sites.
- * Mailing list.
-
- There is some discussion about guide lines for using the Mailing Lists
- on the accompanying FAQ, please read them before posting.