diff options
author | Jelmer Vernooij <jelmer@samba.org> | 2002-08-28 08:49:02 +0000 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2002-08-28 08:49:02 +0000 |
commit | 826f72a7c0c6ff3f530b819f1100f5f8d20910fa (patch) | |
tree | cd2c25a53950babbad677cc22bff6ec44ecb13b4 /docs | |
parent | 9785c61c899f4180290fd6feb41a764cc773fcaa (diff) | |
download | samba-826f72a7c0c6ff3f530b819f1100f5f8d20910fa.tar.gz samba-826f72a7c0c6ff3f530b819f1100f5f8d20910fa.tar.bz2 samba-826f72a7c0c6ff3f530b819f1100f5f8d20910fa.zip |
Remove obsolete text docs
(This used to be commit 844d7254686b4a0429f30b4d4711387429172224)
Diffstat (limited to 'docs')
-rw-r--r-- | docs/textdocs/BROWSING.txt | 559 | ||||
-rw-r--r-- | docs/textdocs/BUGS.txt | 135 | ||||
-rw-r--r-- | docs/textdocs/DIAGNOSIS.txt | 321 | ||||
-rw-r--r-- | docs/textdocs/DNIX.txt | 69 | ||||
-rw-r--r-- | docs/textdocs/GROUP-MAPPING-HOWTO.txt | 60 | ||||
-rw-r--r-- | docs/textdocs/INSTALL.sambatar | 33 | ||||
-rw-r--r-- | docs/textdocs/Imprints.txt | 47 | ||||
-rw-r--r-- | docs/textdocs/Macintosh_Clients.txt | 23 | ||||
-rw-r--r-- | docs/textdocs/NetBIOS.txt | 152 | ||||
-rw-r--r-- | docs/textdocs/Printing.txt | 255 | ||||
-rw-r--r-- | docs/textdocs/README.sambatar | 23 | ||||
-rw-r--r-- | docs/textdocs/SCO.txt | 19 | ||||
-rw-r--r-- | docs/textdocs/SMBTAR.notes | 46 | ||||
-rw-r--r-- | docs/textdocs/Solaris-Winbind-HOWTO.txt | 361 | ||||
-rw-r--r-- | docs/textdocs/Speed.txt | 338 | ||||
-rw-r--r-- | docs/textdocs/Speed2.txt | 57 | ||||
-rw-r--r-- | docs/textdocs/Win95.txt | 74 | ||||
-rw-r--r-- | docs/textdocs/WinNT.txt | 104 | ||||
-rw-r--r-- | docs/textdocs/security_level.txt | 100 |
19 files changed, 0 insertions, 2776 deletions
diff --git a/docs/textdocs/BROWSING.txt b/docs/textdocs/BROWSING.txt deleted file mode 100644 index 2ca41e5624..0000000000 --- a/docs/textdocs/BROWSING.txt +++ /dev/null @@ -1,559 +0,0 @@ -Author/s: Many (Thanks to Luke, Jeremy, Andrew, etc.) -Updated: July 5, 1998 -Status: Current - For VERY Advanced Users ONLY - -Summary: This describes how to configure Samba for improved browsing. -===================================================================== - -OVERVIEW: -========= - -SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called "browse list". This list -contains machines that are ready to offer file and/or print services -to other machines within the network. Thus it does not include -machines which aren't currently able to do server tasks. The browse -list is heavily used by all SMB clients. Configuration of SMB -browsing has been problematic for some Samba users, hence this -document. - -Browsing will NOT work if name resolution from NetBIOS names to IP -addresses does not function correctly. Use of a WINS server is highly -recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. -WINS allows remote segment clients to obtain NetBIOS name_type information -that can NOT be provided by any other means of name resolution. - -===================================================================== - -BROWSING -======== -Samba now fully supports browsing. The browsing is supported by nmbd -and is also controlled by options in the smb.conf file (see smb.conf(5)). - -Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available. See -DOMAIN.txt for more information on domain logons. - -Samba can also act as a domain master browser for a workgroup. This -means that it will collate lists from local browse masters into a -wide area network server list. In order for browse clients to -resolve the names they may find in this list, it is recommended that -both samba and your clients use a WINS server. - -Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain: on each wide area -network, you must only ever have one domain master browser per workgroup, -regardless of whether it is NT, Samba or any other type of domain master -that is providing this service. - -[Note that nmbd can be configured as a WINS server, but it is not -necessary to specifically use samba as your WINS server. NTAS can -be configured as your WINS server. In a mixed NT server and -samba environment on a Wide Area Network, it is recommended that -you use the NT server's WINS server capabilities. In a samba-only -environment, it is recommended that you use one and only one nmbd -as your WINS server]. - -To get browsing to work you need to run nmbd as usual, but will need -to use the "workgroup" option in smb.conf to control what workgroup -Samba becomes a part of. - -Samba also has a useful option for a Samba server to offer itself for -browsing on another subnet. It is recommended that this option is only -used for 'unusual' purposes: announcements over the internet, for -example. See "remote announce" in the smb.conf man page. - -If something doesn't work then hopefully the log.nmb file will help -you track down the problem. Try a debug level of 2 or 3 for finding -problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat. - -Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then hit enter and -filemanager should display the list of available shares. - -Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ -connection that lists the shares is done as guest, and thus you must -have a valid guest account. - -Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to -not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd -are now far more likely to correctly find your broadcast and network -address, so in most cases these aren't needed. - -The other big problem people have is that their broadcast address, -netmask or IP address is wrong (specified with the "interfaces" option -in smb.conf) - - -BROWSING ACROSS SUBNETS -======================= - -With the release of Samba 1.9.17(alpha1 and above) Samba has been -updated to enable it to support the replication of browse lists -across subnet boundaries. New code and options have been added to -achieve this. This section describes how to set this feature up -in different settings. - -To see browse lists that span TCP/IP subnets (ie. networks separated -by routers that don't pass broadcast traffic) you must set up at least -one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing -NetBIOS name to IP address translation to be done by doing a direct -query of the WINS server. This is done via a directed UDP packet on -port 137 to the WINS server machine. The reason for a WINS server is -that by default, all NetBIOS name to IP address translation is done -by broadcasts from the querying machine. This means that machines -on one subnet will not be able to resolve the names of machines on -another subnet without using a WINS server. - -Remember, for browsing across subnets to work correctly, all machines, -be they Windows 95, Windows NT, or Samba servers must have the IP address -of a WINS server given to them by a DHCP server, or by manual configuration -(for Win95 and WinNT, this is in the TCP/IP Properties, under Network -settings) for Samba this is in the smb.conf file. - -How does cross subnet browsing work ? -===================================== - -Cross subnet browsing is a complicated dance, containing multiple -moving parts. It has taken Microsoft several years to get the code -that achieves this correct, and Samba lags behind in some areas. -However, with the 1.9.17 release, Samba is capable of cross subnet -browsing when configured correctly. - -Consider a network set up as follows : - - (DMB) - N1_A N1_B N1_C N1_D N1_E - | | | | | - ------------------------------------------------------- - | subnet 1 | - +---+ +---+ - |R1 | Router 1 Router 2 |R2 | - +---+ +---+ - | | - | subnet 2 subnet 3 | - -------------------------- ------------------------------------ - | | | | | | | | - N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D - (WINS) - -Consisting of 3 subnets (1, 2, 3) conneted by two routers -(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines -on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume -for the moment that all these machines are configured to be in the -same workgroup (for simplicities sake). Machine N1_C on subnet 1 -is configured as Domain Master Browser (ie. it will collate the -browse lists for the workgroup). Machine N2_D is configured as -WINS server and all the other machines are configured to register -their NetBIOS names with it. - -As all these machines are booted up, elections for master browsers -will take place on each of the three subnets. Assume that machine -N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on -subnet 3 - these machines are known as local master browsers for -their particular subnet. N1_C has an advantage in winning as the -local master browser on subnet 1 as it is set up as Domain Master -Browser. - -On each of the three networks, machines that are configured to -offer sharing services will broadcast that they are offering -these services. The local master browser on each subnet will -receive these broadcasts and keep a record of the fact that -the machine is offering a service. This list of records is -the basis of the browse list. For this case, assume that -all the machines are configured to offer services so all machines -will be on the browse list. - -For each network, the local master browser on that network is -considered 'authoritative' for all the names it receives via -local broadcast. This is because a machine seen by the local -master browser via a local broadcast must be on the same -network as the local master browser and thus is a 'trusted' -and 'verifiable' resource. Machines on other networks that -the local master browsers learn about when collating their -browse lists have not been directly seen - these records are -called 'non-authoritative'. - -At this point the browse lists look as follows (these are -the machines you would see in your network neighborhood if -you looked in it on a particular network right now). - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - -Note that at this point all the subnets are separate, no -machine is seen across any of the subnets. - -Now examine subnet 2. As soon as N2_B has become the local -master browser it looks for a Domain master browser to synchronize -its browse list with. It does this by querying the WINS server -(N2_D) for the IP address associated with the NetBIOS name -WORKGROUP<1B>. This name was registerd by the Domain master -browser (N1_C) with the WINS server as soon as it was booted. - -Once N2_B knows the address of the Domain master browser it -tells it that is the local master browser for subnet 2 by -sending a MasterAnnouncement packet as a UDP port 138 packet. -It then synchronizes with it by doing a NetServerEnum2 call. This -tells the Domain Master Browser to send it all the server -names it knows about. Once the domain master browser receives -the MasterAnnouncement packet it schedules a synchronization -request to the sender of that packet. After both synchronizations -are done the browse lists look like : - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - -Servers with a (*) after them are non-authoritative names. - -At this point users looking in their network neighborhood on -subnets 1 or 2 will see all the servers on both, users on -subnet 3 will still only see the servers on their own subnet. - -The same sequence of events that occured for N2_B now occurs -for the local master browser on subnet 3 (N3_D). When it -synchronizes browse lists with the domain master browser (N1_A) -it gets both the server entries on subnet 1, and those on -subnet 2. After N3_D has synchronized with N1_C and vica-versa -the browse lists look like. - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names. - -At this point users looking in their network neighborhood on -subnets 1 or 3 will see all the servers on all sunbets, users on -subnet 2 will still only see the servers on subnets 1 and 2, but not 3. - -Finally, the local master browser for subnet 2 (N2_B) will sync again -with the domain master browser (N1_C) and will recieve the missing -server entries. Finally - and as a steady state (if no machines -are removed or shut off) the browse lists will look like : - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names. - -Synchronizations between the domain master browser and local -master browsers will continue to occur, but this should be a -steady state situation. - -If either router R1 or R2 fails the following will occur: - -1) Names of computers on each side of the inaccessible network fragments -will be maintained for as long as 36 minutes, in the network neighbourhood -lists. - -2) Attempts to connect to these inaccessible computers will fail, but the -names will not be removed from the network neighbourhood lists. - -3) If one of the fragments is cut off from the WINS server, it will only -be able to access servers on its local subnet, by using subnet-isolated -broadcast NetBIOS name resolution. The effects are similar to that of -losing access to a DNS server. - -Setting up a WINS server -======================== - -Either a Samba machine or a Windows NT Server machine may be set up -as a WINS server. To set a Samba machine to be a WINS server you must -add the following option to the smb.conf file on the selected machine : -in the [globals] section add the line - - wins support = yes - -Versions of Samba previous to 1.9.17 had this parameter default to -yes. If you have any older versions of Samba on your network it is -strongly suggested you upgrade to 1.9.17 or above, or at the very -least set the parameter to 'no' on all these machines. - -Machines with "wins support = yes" will keep a list of all NetBIOS -names registered with them, acting as a DNS for NetBIOS names. - -You should set up only ONE wins server. Do NOT set the -"wins support = yes" option on more than one Samba server. - -To set up a Windows NT Server as a WINS server you need to set up -the WINS service - see your NT documentation for details. Note that -Windows NT WINS Servers can replicate to each other, allowing more -than one to be set up in a complex subnet environment. As Microsoft -refuse to document these replication protocols Samba cannot currently -participate in these replications. It is possible in the future that -a Samba->Samba WINS replication protocol may be defined, in which -case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the "wins support = yes" -parameter set. - -After the WINS server has been configured you must ensure that all -machines participating on the network are configured with the address -of this WINS server. If your WINS server is a Samba machine, fill in -the Samba machine IP address in the "Primary WINS Server" field of -the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs -in Windows 95 or Windows NT. To tell a Samba server the IP address -of the WINS server add the following line to the [global] section of -all smb.conf files : - - wins server = <name or IP address> - -where <name or IP address> is either the DNS name of the WINS server -machine or its IP address. - -Note that this line MUST NOT BE SET in the smb.conf file of the Samba -server acting as the WINS server itself. If you set both the -"wins support = yes" option and the "wins server = <name>" option then -nmbd will fail to start. - -There are two possible scenarios for setting up cross subnet browsing. -The first details setting up cross subnet browsing on a network containing -Windows 95, Samba and Windows NT machines that are not configured as -part of a Windows NT Domain. The second details setting up cross subnet -browsing on networks that contain NT Domains. - -Setting up Browsing in a WORKGROUP -================================== - -To set up cross subnet browsing on a network containing machines -in up to be in a WORKGROUP, not an NT Domain you need to set up one -Samba server to be the Domain Master Browser (note that this is *NOT* -the same as a Primary Domain Controller, although in an NT Domain the -same machine plays both roles). The role of a Domain master browser is -to collate the browse lists from local master browsers on all the -subnets that have a machine participating in the workgroup. Without -one machine configured as a domain master browser each subnet would -be an isolated workgroup, unable to see any machines on any other -subnet. It is the presense of a domain master browser that makes -cross subnet browsing possible for a workgroup. - -In an WORKGROUP environment the domain master browser must be a -Samba server, and there must only be one domain master browser per -workgroup name. To set up a Samba server as a domain master browser, -set the following option in the [global] section of the smb.conf file : - - domain master = yes - -The domain master browser should also preferrably be the local master -browser for its own subnet. In order to achieve this set the following -options in the [global] section of the smb.conf file : - - domain master = yes - local master = yes - preferred master = yes - os level = 65 - -The domain master browser may be the same machine as the WINS -server, if you require. - -Next, you should ensure that each of the subnets contains a -machine that can act as a local master browser for the -workgroup. Any NT machine should be able to do this, as will -Windows 95 machines (although these tend to get rebooted more -often, so it's not such a good idea to use these). To make a -Samba server a local master browser set the following -options in the [global] section of the smb.conf file : - - domain master = no - local master = yes - preferred master = yes - os level = 65 - -Do not do this for more than one Samba server on each subnet, -or they will war with each other over which is to be the local -master browser. - -The "local master" parameter allows Samba to act as a local master -browser. The "preferred master" causes nmbd to force a browser -election on startup and the "os level" parameter sets Samba high -enough so that it should win any browser elections. - -If you have an NT machine on the subnet that you wish to -be the local master browser then you can disable Samba from -becoming a local master browser by setting the following -options in the [global] section of the smb.conf file : - - domain master = no - local master = no - preferred master = no - os level = 0 - -Setting up Browsing in a DOMAIN -=============================== - -If you are adding Samba servers to a Windows NT Domain then -you must not set up a Samba server as a domain master browser. -By default, a Windows NT Primary Domain Controller for a Domain -name is also the Domain master browser for that name, and many -things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC. - -For subnets other than the one containing the Windows NT PDC -you may set up Samba servers as local master browsers as -described. To make a Samba server a local master browser set -the following options in the [global] section of the smb.conf -file : - - domain master = no - local master = yes - preferred master = yes - os level = 65 - -If you wish to have a Samba server fight the election with machines -on the same subnet you may set the "os level" parameter to lower -levels. By doing this you can tune the order of machines that -will become local master browsers if they are running. For -more details on this see the section "FORCING SAMBA TO BE THE MASTER" -below. - -If you have Windows NT machines that are members of the domain -on all subnets, and you are sure they will always be running then -you can disable Samba from taking part in browser elections and -ever becoming a local master browser by setting following options -in the [global] section of the smb.conf file : - - domain master = no - local master = no - preferred master = no - os level = 0 - -FORCING SAMBA TO BE THE MASTER -============================== - -Who becomes the "master browser" is determined by an election process -using broadcasts. Each election packet contains a number of parameters -which determine what precedence (bias) a host should have in the -election. By default Samba uses a very low precedence and thus loses -elections to just about anyone else. - -If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 34 -would make it win all elections over every other system (except other -samba systems!) - -A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A -NTAS domain controller uses level 32. - -The maximum os level is 255 - -If you want samba to force an election on startup, then set the -"preferred master" global option in smb.conf to "yes". Samba will -then have a slight advantage over other potential master browsers -that are not preferred master browsers. Use this parameter with -care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with "preferred master" to -"yes", then periodically and continually they will force an election -in order to become the local master browser. - -If you want samba to be a "domain master browser", then it is -recommended that you also set "preferred master" to "yes", because -samba will not become a domain master browser for the whole of your -LAN or WAN if it is not also a local master browser on its own -broadcast isolated subnet. - -It is possible to configure two samba servers to attempt to become -the domain master browser for a domain. The first server that comes -up will be the domain master browser. All other samba servers will -attempt to become the domain master browser every 5 minutes. They -will find that another samba server is already the domain master -browser and will fail. This provides automatic redundancy, should -the current domain master browser fail. - - -MAKING SAMBA THE DOMAIN MASTER -============================== - -The domain master is responsible for collating the browse lists of -multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting "domain master = yes" -in smb.conf. By default it will not be a domain master. - -Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain. - -When samba is the domain master and the master browser it will listen -for master announcements (made roughly every twelve minutes) from local -master browsers on other subnets and then contact them to synchronise -browse lists. - -If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections, and set -"preferred master" to "yes", to get samba to force an election on -startup. - -Note that all your servers (including samba) and clients should be -using a WINS server to resolve NetBIOS names. If your clients are only -using broadcasting to resolve NetBIOS names, then two things will occur: - -a) your local master browsers will be unable to find a domain master - browser, as it will only be looking on the local subnet. - -b) if a client happens to get hold of a domain-wide browse list, and - a user attempts to access a host in that list, it will be unable to - resolve the NetBIOS name of that host. - -If, however, both samba and your clients are using a WINS server, then: - -a) your local master browsers will contact the WINS server and, as long as - samba has registered that it is a domain master browser with the WINS - server, your local master browser will receive samba's ip address - as its domain master browser. - -b) when a client receives a domain-wide browse list, and a user attempts - to access a host in that list, it will contact the WINS server to - resolve the NetBIOS name of that host. as long as that host has - registered its NetBIOS name with the same WINS server, the user will - be able to see that host. - -NOTE ABOUT BROADCAST ADDRESSES -============================== - -If your network uses a "0" based broadcast address (for example if it -ends in a 0) then you will strike problems. Windows for Workgroups -does not seem to support a 0's broadcast and you will probably find -that browsing and name lookups won't work. - - -MULTIPLE INTERFACES -=================== - -Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the "interfaces" -option in smb.conf to configure them. See smb.conf(5) for details. - diff --git a/docs/textdocs/BUGS.txt b/docs/textdocs/BUGS.txt deleted file mode 100644 index 247998c6c7..0000000000 --- a/docs/textdocs/BUGS.txt +++ /dev/null @@ -1,135 +0,0 @@ -Contributor: Samba Team -Updated: June 27, 1997 - -Subject: This file describes how to report Samba bugs. -============================================================================ - ->> The email address for bug reports is samba@samba.org << - -Please take the time to read this file before you submit a bug -report. Also, please see if it has changed between releases, as we -may be changing the bug reporting mechanism at some time. - -Please also do as much as you can yourself to help track down the -bug. Samba is maintained by a dedicated group of people who volunteer -their time, skills and efforts. We receive far more mail about it than -we can possibly answer, so you have a much higher chance of an answer -and a fix if you send us a "developer friendly" bug report that lets -us fix it fast. - -Do not assume that if you post the bug to the comp.protocols.smb -newsgroup or the mailing list that we will read it. If you suspect that your -problem is not a bug but a configuration problem then it is better to send -it to the Samba mailing list, as there are (at last count) 5000 other users on -that list that may be able to help you. - -You may also like to look though the recent mailing list archives, -which are conveniently accessible on the Samba web pages -at http://samba.org/samba/ - - -GENERAL INFO ------------- - -Before submitting a bug report check your config for silly -errors. Look in your log files for obvious messages that tell you that -you've misconfigured something and run testparm to test your config -file for correct syntax. - -Have you run through DIAGNOSIS.txt? This is very important. - -If you include part of a log file with your bug report then be sure to -annotate it with exactly what you were doing on the client at the -time, and exactly what the results were. - - -DEBUG LEVELS ------------- - -If the bug has anything to do with Samba behaving incorrectly as a -server (like refusing to open a file) then the log files will probably -be very useful. Depending on the problem a log level of between 3 and -10 showing the problem may be appropriate. A higher level givesmore -detail, but may use too much disk space. - -To set the debug level use "log level =" in your smb.conf. You may -also find it useful to set the log level higher for just one machine -and keep separate logs for each machine. To do this use: - -log level = 10 -log file = /usr/local/samba/lib/log.%m -include = /usr/local/samba/lib/smb.conf.%m - -then create a file "/usr/local/samba/lib/smb.conf.machine" where -"machine" is the name of the client you wish to debug. In that file -put any smb.conf commands you want, for example "log level=" may be -useful. This also allows you to experiment with different security -systems, protocol levels etc on just one machine. - -The smb.conf entry "log level =" is synonymous with the entry -"debuglevel =" that has been used in older versions of Samba and -is being retained for backwards compatibility of smb.conf files. - -As the "log level =" value is increased you will record a significantly -increasing level of debugging information. For most debugging operations -you may not need a setting higher than 3. Nearly all bugs can be tracked -at a setting of 10, but be prepared for a VERY large volume of log data. - - -INTERNAL ERRORs ---------------- - -If you get a "INTERNAL ERROR" message in your log files it means that -Samba got an unexpected signal while running. It is probably a -segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software) - -If the message came from smbd then it will probably be accompanied by -a message which details the last SMB message received by smbd. This -info is often very useful in tracking down the problem so please -include it in your bug report. - -You should also detail how to reproduce the problem, if -possible. Please make this reasonably detailed. - -You may also find that a core file appeared in a "corefiles" -subdirectory of the directory where you keep your samba log -files. This file is the most useful tool for tracking down the bug. To -use it you do this: - -gdb smbd core - -adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try "dbx". Then within the debugger use the -command "where" to give a stack trace of where the problem -occurred. Include this in your mail. - -If you known any assembly language then do a "disass" of the routine -where the problem occurred (if its in a library routine then -disassemble the routine that called it) and try to work out exactly -where the problem is by looking at the surrounding code. Even if you -don't know assembly then incuding this info in the bug report can be -useful. - - -ATTACHING TO A RUNNING PROCESS ------------------------------- - -Unfortunately some unixes (in particular some recent linux kernels) -refuse to dump a core file if the task has changed uid (which smbd -does often). To debug with this sort of system you could try to attach -to the running process using "gdb smbd PID" where you get PID from -smbstatus. Then use "c" to continue and try to cause the core dump -using the client. The debugger should catch the fault and tell you -where it occurred. - - -PATCHES -------- - -The best sort of bug report is one that includes a fix! If you send us -patches please use "diff -u" format if your version of diff supports -it, otherwise use "diff -c4". Make sure your do the diff against a -clean version of the source and let me know exactly what version you -used. - diff --git a/docs/textdocs/DIAGNOSIS.txt b/docs/textdocs/DIAGNOSIS.txt deleted file mode 100644 index 2816610a9c..0000000000 --- a/docs/textdocs/DIAGNOSIS.txt +++ /dev/null @@ -1,321 +0,0 @@ -Contributor: Andrew Tridgell -Updated: November 1, 1999 - -Subject: DIAGNOSING YOUR SAMBA SERVER -=========================================================================== - -This file contains a list of tests you can perform to validate your -Samba server. It also tells you what the likely cause of the problem -is if it fails any one of these steps. If it passes all these tests -then it is probably working fine. - -You should do ALL the tests, in the order shown. I have tried to -carefully choose them so later tests only use capabilities verified in -the earlier tests. - -If you send me an email saying "it doesn't work" and you have not -followed this test procedure then you should not be surprised if I -ignore your email. - - -ASSUMPTIONS ------------ - -In all of the tests I assume you have a Samba server called BIGSERVER -and a PC called ACLIENT both in workgroup TESTGROUP. I also assume the -PC is running windows for workgroups with a recent copy of the -microsoft tcp/ip stack. Alternatively, your PC may be running Windows -95 or Windows NT (Workstation or Server). - -The procedure is similar for other types of clients. - -I also assume you know the name of an available share in your -smb.conf. I will assume this share is called "tmp". You can add a -"tmp" share like by adding the following to smb.conf: - -[tmp] - comment = temporary files - path = /tmp - read only = yes - - -THESE TESTS ASSUME VERSION 2.0.6 OR LATER OF THE SAMBA SUITE. SOME -COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS - -Please pay attention to the error messages you receive. If any error message -reports that your server is being unfriendly you should first check that you -IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf -file points to name servers that really do exist. - -Also, if you do not have DNS server access for name resolution please check -that the settings for your smb.conf file results in "dns proxy = no". The -best way to check this is with "testparm smb.conf" - - -TEST 1: -------- - -In the directory in which you store your smb.conf file, run the command -"testparm smb.conf". If it reports any errors then your smb.conf -configuration file is faulty. - -Note: Your smb.conf file may be located in: /etc - Or in: /usr/local/samba/lib - - -TEST 2: -------- - -run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from -the unix box. If you don't get a valid response then your TCP/IP -software is not correctly installed. - -Note that you will need to start a "dos prompt" window on the PC to -run ping. - -If you get a message saying "host not found" or similar then your DNS -software or /etc/hosts file is not correctly setup. It is possible to -run samba without DNS entries for the server and client, but I assume -you do have correct entries for the remainder of these tests. - -Another reason why ping might fail is if your host is running firewall -software. You will need to relax the rules to let in the workstation -in question, perhaps by allowing access from another subnet (on Linux -this is done via the ipfwadm program.) - - -TEST 3: -------- - -Run the command "smbclient -L BIGSERVER" on the unix box. You -should get a list of available shares back. - -If you get a error message containing the string "Bad password" then -you probably have either an incorrect "hosts allow", "hosts deny" or -"valid users" line in your smb.conf, or your guest account is not -valid. Check what your guest account is using "testparm" and -temporarily remove any "hosts allow", "hosts deny", "valid users" or -"invalid users" lines. - -If you get a "connection refused" response then the smbd server may -not be running. If you installed it in inetd.conf then you probably edited -that file incorrectly. If you installed it as a daemon then check that -it is running, and check that the netbios-ssn port is in a LISTEN -state using "netstat -a". - -If you get a "session request failed" then the server refused the -connection. If it says "Your server software is being unfriendly" then -its probably because you have invalid command line parameters to smbd, -or a similar fatal problem with the initial startup of smbd. Also -check your config file (smb.conf) for syntax errors with "testparm" -and that the various directories where samba keeps its log and lock -files exist. - -There are a number of reasons for which smbd may refuse or decline -a session request. The most common of these involve one or more of -the following smb.conf file entries: - hosts deny = ALL - hosts allow = xxx.xxx.xxx.xxx/yy - bind interfaces only = Yes - -In the above, no allowance has been made for any session requests that -will automatically translate to the loopback adaptor address 127.0.0.1. -To solve this problem change these lines to: - hosts deny = ALL - hosts allow = xxx.xxx.xxx.xxx/yy 127. -Do NOT use the "bind interfaces only" parameter where you may wish to -use the samba password change facility, or where smbclient may need to -access local service for name resolution or for local resource -connections. (Note: the "bind interfaces only" parameter deficiency -where it will not allow connections to the loopback address will be -fixed soon). - -Another common cause of these two errors is having something already running -on port 139, such as Samba (ie: smbd is running from inetd already) or -something like Digital's Pathworks. Check your inetd.conf file before trying -to start smbd as a daemon, it can avoid a lot of frustration! - -And yet another possible cause for failure of TEST 3 is when the subnet mask -and / or broadcast address settings are incorrect. Please check that the -network interface IP Address / Broadcast Address / Subnet Mask settings are -correct and that Samba has correctly noted these in the log.nmb file. - -TEST 4: -------- - -Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the -IP address of your Samba server back. - -If you don't then nmbd is incorrectly installed. Check your inetd.conf -if you run it from there, or that the daemon is running and listening -to udp port 137. - -One common problem is that many inetd implementations can't take many -parameters on the command line. If this is the case then create a -one-line script that contains the right parameters and run that from -inetd. - - -TEST 5: -------- - -run the command "nmblookup -B ACLIENT '*'" - -You should get the PCs IP address back. If you don't then the client -software on the PC isn't installed correctly, or isn't started, or you -got the name of the PC wrong. - -If ACLIENT doesn't resolve via DNS then use the IP address of the -client in the above test. - - -TEST 6: -------- - -Run the command "nmblookup -d 2 '*'" - -This time we are trying the same as the previous test but are trying -it via a broadcast to the default broadcast address. A number of -Netbios/TCPIP hosts on the network should respond, although Samba may -not catch all of the responses in the short time it listens. You -should see "got a positive name query response" messages from several -hosts. - -If this doesn't give a similar result to the previous test then -nmblookup isn't correctly getting your broadcast address through its -automatic mechanism. In this case you should experiment use the -"interfaces" option in smb.conf to manually configure your IP -address, broadcast and netmask. - -If your PC and server aren't on the same subnet then you will need to -use the -B option to set the broadcast address to the that of the PCs -subnet. - -This test will probably fail if your subnet mask and broadcast address are -not correct. (Refer to TEST 3 notes above). - -TEST 7: -------- - -Run the command "smbclient //BIGSERVER/TMP". You should then be -prompted for a password. You should use the password of the account -you are logged into the unix box with. If you want to test with -another account then add the -U <accountname> option to the end of -the command line. eg: smbclient //bigserver/tmp -Ujohndoe - -Note: It is possible to specify the password along with the username -as follows: - smbclient //bigserver/tmp -Ujohndoe%secret - -Once you enter the password you should get the "smb>" prompt. If you -don't then look at the error message. If it says "invalid network -name" then the service "tmp" is not correctly setup in your smb.conf. - -If it says "bad password" then the likely causes are: - -- you have shadow passords (or some other password system) but didn't -compile in support for them in smbd -- your "valid users" configuration is incorrect -- you have a mixed case password and you haven't enabled the "password -level" option at a high enough level -- the "path =" line in smb.conf is incorrect. Check it with testparm -- you enabled password encryption but didn't create the SMB encrypted -password file - -Once connected you should be able to use the commands "dir" "get" -"put" etc. Type "help <command>" for instructions. You should -especially check that the amount of free disk space shown is correct -when you type "dir". - - -TEST 8: -------- - -On the PC type the command "net view \\BIGSERVER". You will need to do -this from within a "dos prompt" window. You should get back a list of -available shares on the server. - -If you get a "network name not found" or similar error then netbios -name resolution is not working. This is usually caused by a problem in -nmbd. To overcome it you could do one of the following (you only need -to choose one of them): - -- fixup the nmbd installation -- add the IP address of BIGSERVER to the "wins server" box in the -advanced tcp/ip setup on the PC. -- enable windows name resolution via DNS in the advanced section of -the tcp/ip setup -- add BIGSERVER to your lmhosts file on the PC. - -If you get a "invalid network name" or "bad password error" then the -same fixes apply as they did for the "smbclient -L" test above. In -particular, make sure your "hosts allow" line is correct (see the man -pages) - -Also, do not overlook that fact that when the workstation requests the -connection to the samba server it will attempt to connect using the -name with which you logged onto your Windows machine. You need to make -sure that an account exists on your Samba server with that exact same -name and password. - -If you get "specified computer is not receiving requests" or similar -it probably means that the host is not contactable via tcp services. -Check to see if the host is running tcp wrappers, and if so add an entry in -the hosts.allow file for your client (or subnet, etc.) - - -TEST 9: --------- - -Run the command "net use x: \\BIGSERVER\TMP". You should be prompted -for a password then you should get a "command completed successfully" -message. If not then your PC software is incorrectly installed or your -smb.conf is incorrect. make sure your "hosts allow" and other config -lines in smb.conf are correct. - -It's also possible that the server can't work out what user name to -connect you as. To see if this is the problem add the line "user = -USERNAME" to the [tmp] section of smb.conf where "USERNAME" is the -username corresponding to the password you typed. If you find this -fixes things you may need the username mapping option. - -TEST 10: --------- - -Run the command "nmblookup -M TESTGROUP" where TESTGROUP is the name -of the workgroup that your Samba server and Windows PCs belong to. You -should get back the IP address of the master browser for that -workgroup. - -If you don't then the election process has failed. Wait a minute to -see if it is just being slow then try again. If it still fails after -that then look at the browsing options you have set in smb.conf. Make -sure you have "preferred master = yes" to ensure that an election is -held at startup. - -TEST 11: --------- - -From file manager try to browse the server. Your samba server should -appear in the browse list of your local workgroup (or the one you -specified in smb.conf). You should be able to double click on the name -of the server and get a list of shares. If you get a "invalid -password" error when you do then you are probably running WinNT and it -is refusing to browse a server that has no encrypted password -capability and is in user level security mode. In this case either set -"security = server" AND "password server = Windows_NT_Machine" in your -smb.conf file, or enable encrypted passwords AFTER compiling in support -for encrypted passwords (refer to the Makefile). - - -Still having troubles? ----------------------- - -Try the mailing list or newsgroup, or use the tcpdump-smb utility to -sniff the problem. The official samba mailing list can be reached at -samba@samba.org. To find out more about samba and how to -subscribe to the mailing list check out the samba web page at - http://samba.org/samba - -Also look at the other docs in the Samba package! - diff --git a/docs/textdocs/DNIX.txt b/docs/textdocs/DNIX.txt deleted file mode 100644 index 51005e6ec8..0000000000 --- a/docs/textdocs/DNIX.txt +++ /dev/null @@ -1,69 +0,0 @@ -DNIX has a problem with seteuid() and setegid(). These routines are -needed for Samba to work correctly, but they were left out of the DNIX -C library for some reason. - -For this reason Samba by default defines the macro NO_EID in the DNIX -section of includes.h. This works around the problem in a limited way, -but it is far from ideal, some things still won't work right. - -To fix the problem properly you need to assemble the following two -functions and then either add them to your C library or link them into -Samba. - -put this in the file setegid.s: - - .globl _setegid -_setegid: - moveq #47,d0 - movl #100,a0 - moveq #1,d1 - movl 4(sp),a1 - trap #9 - bccs 1$ - jmp cerror -1$: - clrl d0 - rts - - -put this in the file seteuid.s: - - .globl _seteuid -_seteuid: - moveq #47,d0 - movl #100,a0 - moveq #0,d1 - movl 4(sp),a1 - trap #9 - bccs 1$ - jmp cerror -1$: - clrl d0 - rts - -after creating the above files you then assemble them using - -as seteuid.s -as setegid.s - -that should produce the files seteuid.o and setegid.o - -then you need to add these to the LIBSM line in the DNIX section of -the Samba Makefile. Your LIBSM line will then look something like this: - -LIBSM = setegid.o seteuid.o -ln - -You should then remove the line: - -#define NO_EID - -from the DNIX section of includes.h - -Then recompile and try it out! - -Note that this file was derived from an email from Peter Olsson -<pol@leissner.se>. I don't have DNIX myself, so you're probably better -off contacting Peter if you have problems. - -Andrew - diff --git a/docs/textdocs/GROUP-MAPPING-HOWTO.txt b/docs/textdocs/GROUP-MAPPING-HOWTO.txt deleted file mode 100644 index c266f56548..0000000000 --- a/docs/textdocs/GROUP-MAPPING-HOWTO.txt +++ /dev/null @@ -1,60 +0,0 @@ -Samba 3.0 prealpha guide to group mapping ---------------------------------------------------- - -Jean François Micouleau (jfm@samba.org) - -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -smbgroupedit. - -The first immediate reason to use the group mapping on a PDC, is that -the 'domain admin group' of smb.conf is now gone. This parameter was -used to give the listed users local admin rights on their -workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups. - -Let me explain how it works on NT/W2K, to have this magic fade away. -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. - -When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation. - - -You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy. - -1) create a unix group (usually in /etc/group), let's call it domadm -2) add to this group the users that must be Administrators. For example if you -want joe,john and mary, your entry in /etc/group will look like: - - domadm:x:502:joe,john,mary - -3) map this domadm group to the 'domain admins' group by running the command: - - smbgroupedit -c "Domain Admins" -u domadm - -you're set, joe, john and mary are domain administrators ! - - - -Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running: - - smbgroupedit -a unixgroup -td - - -You can list the various groups in the mapping database like this - - smbgroupedit -v - diff --git a/docs/textdocs/INSTALL.sambatar b/docs/textdocs/INSTALL.sambatar deleted file mode 100644 index 413f54d3c6..0000000000 --- a/docs/textdocs/INSTALL.sambatar +++ /dev/null @@ -1,33 +0,0 @@ -Contributor: Ricky Poulten <poultenr@logica.co.uk> -Date: Unknown -Status: Current - -Subject: Using smbtar -============================================================================= - -Please see the readme and the man page for general info. - -1) Follow the samba installation instructions. - -2) If all goes well, test it out by creating a share on your PC (called -backup for example) then doing something like, - - ./smbtar -s mypc -t /dev/rmt/0ubn -x backup - -substituting whatever your tape drive is for the -t option, or set your -tape environmental variable. - -If all does not go well, feel free to mail the author (poultenr@logica.co.uk) -about bug reports / help / money / pizza / etc. - -3) Read the man page and the NOTES file for more information - -4) Work smbtar into your usual nightly backup scheme (presuming you -have one :-}). - - -NOTE: - -If you have problems with smbtar then it's probably best to contact the -author Ricky Poulten (poultenr@logica.co.uk). - diff --git a/docs/textdocs/Imprints.txt b/docs/textdocs/Imprints.txt deleted file mode 100644 index 4ea9782bd3..0000000000 --- a/docs/textdocs/Imprints.txt +++ /dev/null @@ -1,47 +0,0 @@ -================================================================== - - -Imprints (Installation Manager of Printer driver -Retreival and Installation for Samba) is a project to -implement a UNIX equivalent of the Windows NT APW. -It has been taken on in part by the Samba Team, VA Linux -Systems and Hewlett-Packard. The Imprints toolset seeks -to provide central repository for users and administrators -to locate, download, and install all variations Window -95/98/NT printer drivers on Samba print servers. - -The server portion of Imprints is composed of a database -server which contains information and locations of various -printer driver packages. This server can be queried over -standard HTTP get requests and should therefore be available -to most administrators behind firewalls. The server's -database consists of records containing data about each -known printer driver package. For example, each driver -record contains a URL from which the Imprints installation -client can download the package as well as a public key which -can be used to verify the package's integrity. - -Once downloaded, the installation client will attempt to -install the printer driver on the defined remote server -using the username and password provided by the administrator. -If the username/password pair can be authenticated by the -remote server (and has the appropriate authorization), then -the printer driver(s) is (are) installed and the new Printer -is created. - -From Samba's point of view, the process of creating a new -printer via the Imprints installation client is identical to -that of using the Windows NT APW. In fact, Imprints utilizes -Samba's rpcclient and smbclient tools to issue the same MS-RPC -and file copy operations as an NT client. This means that -Imprints can also be used to install printers on remote Windows -NT print servers. - -For more information on Imprints, visit the project homepage -at - - http://imprints.sourceforge.net/. - - - - diff --git a/docs/textdocs/Macintosh_Clients.txt b/docs/textdocs/Macintosh_Clients.txt deleted file mode 100644 index dfac97e1aa..0000000000 --- a/docs/textdocs/Macintosh_Clients.txt +++ /dev/null @@ -1,23 +0,0 @@ -> Are there any Macintosh clients for Samba? - -Yes. Thursby now have a CIFS Client / Server called DAVE - see -http://www.thursby.com/ - -They test it against Windows 95, Windows NT and samba for -compatibility issues. At the time of writing, DAVE was at version -1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from -the Thursby web site (the speed of finder copies has been greatly -enhanced, and there are bug-fixes included). - -Alternatives - There are two free implementations of AppleTalk for -several kinds of UNIX machnes, and several more commercial ones. -These products allow you to run file services and print services -natively to Macintosh users, with no additional support required on -the Macintosh. The two free omplementations are Netatalk, -http://www.umich.edu/~rsug/netatalk/, and CAP, -http://www.cs.mu.oz.au/appletalk/atalk.html. What Samba offers MS -Windows users, these packages offer to Macs. For more info on these -packages, Samba, and Linux (and other UNIX-based systems) see -http://www.eats.com/linux_mac_win.html - - diff --git a/docs/textdocs/NetBIOS.txt b/docs/textdocs/NetBIOS.txt deleted file mode 100644 index ca0dcc84b7..0000000000 --- a/docs/textdocs/NetBIOS.txt +++ /dev/null @@ -1,152 +0,0 @@ -Contributor: lkcl - samba@samba.org - Copyright 1997 Luke Kenneth Casson Leighton -Date: March 1997 -Status: Current -Updated: 12jun97 - -Subject: Definition of NetBIOS Protocol and Name Resolution Modes -============================================================================= - -======= -NETBIOS -======= - -NetBIOS runs over the following tranports: TCP/IP; NetBEUI and IPX/SPX. -Samba only uses NetBIOS over TCP/IP. For details on the TCP/IP NetBIOS -Session Service NetBIOS Datagram Service, and NetBIOS Names, see -rfc1001.txt and rfc1002.txt. - -NetBEUI is a raw NetBIOS frame protocol implementation that allows NetBIOS -datagrams to be sent out over the 'wire' embedded within LLC frames. -NetBEUI is not required when using NetBIOS over TCP/IP protocols and it -is preferable NOT to install NetBEUI if it can be avoided. - -IPX/SPX is also not required when using NetBIOS over TCP/IP, and it is -preferable NOT to install the IPX/SPX transport unless you are using Novell -servers. At the very least, it is recommended that you do not install -'NetBIOS over IPX/SPX'. - -[When installing Windows 95, you will find that NetBEUI and IPX/SPX are -installed as the default protocols. This is because they are the simplest -to manage: no Windows 95 user-configuration is required]. - - -NetBIOS applications (such as samba) offer their services (for example, -SMB file and print sharing) on a NetBIOS name. They must claim this name -on the network before doing so. The NetBIOS session service will then -accept connections on the application's behalf (on the NetBIOS name -claimed by the application). A NetBIOS session between the application -and the client can then commence. - -NetBIOS names consist of 15 characters plus a 'type' character. This is -similar, in concept, to an IP address and a TCP port number, respectively. -A NetBIOS-aware application on a host will offer different services under -different NetBIOS name types, just as a host will offer different TCP/IP -services on different port numbers. - -NetBIOS names must be claimed on a network, and must be defended. The use -of NetBIOS names is most suitable on a single subnet; a Local Area Network -or a Wide Area Network. - -NetBIOS names are either UNIQUE or GROUP. Only one application can claim a -UNIQUE NetBIOS name on a network. - -There are two kinds of NetBIOS Name resolution: Broadcast and Point-to-Point. - - -================= -BROADCAST NetBIOS -================= - -Clients can claim names, and therefore offer services on successfully claimed -names, on their broadcast-isolated subnet. One way to get NetBIOS services -(such as browsing: see ftp.microsoft.com/drg/developr/CIFS/browdiff.txt; and -SMB file/print sharing: see cifs4.txt) working on a LAN or WAN is to make -your routers forward all broadcast packets from TCP/IP ports 137, 138 and 139. - -This, however, is not recommended. If you have a large LAN or WAN, you will -find that some of your hosts spend 95 percent of their time dealing with -broadcast traffic. [If you have IPX/SPX on your LAN or WAN, you will find -that this is already happening: a packet analyzer will show, roughly -every twelve minutes, great swathes of broadcast traffic!]. - - -============ -NBNS NetBIOS -============ - -rfc1001.txt describes, amongst other things, the implementation and use -of, a 'NetBIOS Name Service'. NT/AS offers 'Windows Internet Name Service' -which is fully rfc1001/2 compliant, but has had to take specific action -with certain NetBIOS names in order to make it useful. (for example, it -deals with the registration of <1c> <1d> <1e> names all in different ways. -I recommend the reading of the Microsoft WINS Server Help files for full -details). - -Samba also offers WINS server capabilities. Samba does not interact -with NT/AS (WINS replication), so if you have a mixed NT server and -Samba server environment, it is recommended that you use the NT server's -WINS capabilities, instead of samba's WINS server capabilities. - -The use of a WINS server cuts down on broadcast network traffic for -NetBIOS name resolution. It has the effect of pulling all the broadcast -isolated subnets together into a single NetBIOS scope, across your LAN -or WAN, while avoiding the use of TCP/IP broadcast packets. - -When you have a WINS server on your LAN, WINS clients will be able to -contact the WINS server to resolve NetBIOS names. Note that only those -WINS clients that have registered with the same WINS server will be -visible. The WINS server _can_ have static NetBIOS entries added to its -database (usually for security reasons you might want to consider putting -your domain controllers or other important servers as static entries, -but you should not rely on this as your sole means of security), but for -the most part, NetBIOS names are registered dynamically. - -[It is important to mention that samba's browsing capabilities (as a WINS -client) must have access to a WINS server. if you are using samba also -as a WINS server, then it will have a direct short-cut into the WINS -database. - -This provides some confusion for lots of people, and is worth mentioning -here: a Browse Server is NOT a WINS Server, even if these services are -implemented in the same application. A Browse Server _needs_ a WINS server -because a Browse Server is a WINS client, which is _not_ the same thing]. - -Clients can claim names, and therefore offer services on successfully claimed -names, on their broadcast-isolated subnet. One way to get NetBIOS services -(such as browsing: see ftp.microsoft.com/drg/developr/CIFS/browdiff.txt; and -SMB file/print sharing: see cifs6.txt) working on a LAN or WAN is to make -your routers forward all broadcast packets from TCP/IP ports 137, 138 and 139. -You will find, however, if you do this on a large LAN or a WAN, that your -network is completely swamped by NetBIOS and browsing packets, which is why -WINS was developed to minimise the necessity of broadcast traffic. - -WINS Clients therefore claim names from the WINS server. If the WINS -server allows them to register a name, the client's NetBIOS session service -can then offer services on this name. Other WINS clients will then -contact the WINS server to resolve a NetBIOS name. - - -======================= -Samba WINS Capabilities -======================= - -To configure samba as a WINS server, you must add "wins support = yes" to -the [global] section of your smb.conf file. This will enable WINS server -capabilities in nmbd. - -To configure samba as a WINS client, you must add "wins server = x.x.x.x" -to the [global] section of your smb.conf file, where x.x.x.x is the TCP/IP -address of your WINS server. The browsing capabilities in nmbd will then -register (and resolve) WAN-wide NetBIOS names with this WINS server. - -Note that if samba has "wins support = yes", then the browsing capabilities -will _not_ use the "wins server" option to resolve NetBIOS names: it will -go directly to the internal WINS database for NetBIOS name resolution. It -is therefore invalid to have both "wins support = yes" and -"wins server = x.x.x.x". Note, in particular, that if you configure the -"wins server" parameter to be the ip address of your samba server itself -(as might one intuitively think), that you will run into difficulties. -Do not use both parameters! - - diff --git a/docs/textdocs/Printing.txt b/docs/textdocs/Printing.txt deleted file mode 100644 index 2c50e5f4fe..0000000000 --- a/docs/textdocs/Printing.txt +++ /dev/null @@ -1,255 +0,0 @@ -Contributor: Unknown <samba@samba.org> -Revised by: Patrick Powell <papowell@lprng.org> -Date: August 11, 2000 -Status: Current - -Subject: Debugging Printing Problems -============================================================================= - -This is a short description of how to debug printing problems with -Samba. This describes how to debug problems with printing from a SMB -client to a Samba server, not the other way around. For the reverse -see the examples/printing directory. - -Please send enhancements to this file to samba@samba.org - -Ok, so you want to print to a Samba server from your PC. The first -thing you need to understand is that Samba does not actually do any -printing itself, it just acts as a middleman between your PC client -and your Unix printing subsystem. Samba receives the file from the PC -then passes the file to a external "print command". What print command -you use is up to you. - -The whole things is controlled using options in smb.conf. The most -relevant options (which you should look up in the smb.conf man page) -are: - [global] - print command - send a file to a spooler - lpq command - get spool queue status - lprm command - remove a job - [printers] - path = /var/spool/lpd/samba - -The following are nice to know about: - - queuepause command - stop a printer or print queue - queueresume command - start a printer or print queue - -Example: - print command = /usr/bin/lpr -r -P%p %s - lpq command = /usr/bin/lpq -P%p %s - lprm command = /usr/bin/lprm -P%p %j - queuepause command = /usr/sbin/lpc -P%p stop - queuepause command = /usr/sbin/lpc -P%p start - -Samba should set reasonable defaults for these depending on your -system type, but it isn't clairvoyant. It is not uncommon that you -have to tweak these for local conditions. The commands should -always have fully specified pathnames, as the smdb may not have -the correct PATH values. - -When you send a job to Samba to be printed, it will make a temporary -copy of it in the directory specified in the [printers] section. -and it should be periodically cleaned out. The lpr -r option -requests that the temporary copy be removed after printing; If -printing fails then you might find leftover files in this directory, -and it should be periodically cleaned out. Samba used the lpq -command to determine the "job number" assigned to your print job -by the spooler. - -The %<letter> are "macros" that get dynamically replaced with appropriate -values when they are used. The %s gets replaced with the name of the spool -file that Samba creates and the %p gets replaced with the name of the -printer. The %j gets replaced with the "job number" which comes from -the lpq output. - -DEBUGGING PRINTER PROBLEMS - -One way to debug printing problems is to start by replacing these -command with shell scripts that record the arguments and the contents -of the print file. A simple example of this kind of things might -be: - - print command = /tmp/saveprint %p %s - - #!/bin/saveprint - # we make sure that we are the right user - /usr/bin/id -p >/tmp/tmp.print - # we run the command and save the error messages - # replace the command with the one appropriate for your system - /usr/bin/lpr -r -P$1 $2 2>>&/tmp/tmp.print - -Then you print a file and try removing it. You may find that the -print queue needs to be stopped in order to see the queue status -and remove the job: - -h4: {42} % echo hi >/tmp/hi -h4: {43} % smbclient //localhost/lw4 -added interface ip=10.0.0.4 bcast=10.0.0.255 nmask=255.255.255.0 -Password: -Domain=[ASTART] OS=[Unix] Server=[Samba 2.0.7] -smb: \> print /tmp/hi -putting file /tmp/hi as hi-17534 (0.0 kb/s) (average 0.0 kb/s) -smb: \> queue -1049 3 hi-17534 -smb: \> cancel 1049 -Error cancelling job 1049 : code 0 -smb: \> cancel 1049 -Job 1049 cancelled -smb: \> queue -smb: \> exit - -The 'code 0' indicates that the job was removed. The comment -by the smbclient is a bit misleading on this. -You can observe the command output and then and look at the -/tmp/tmp.print file to see what the results are. You can quickly -find out if the problem is with your printing system. Often people -have problems with their /etc/printcap file or permissions on -various print queues. - -WHAT PRINTERS DO I HAVE - -You can use the 'testprns' program to check to see if the printer -name you are using is recognized by Samba. For example, you can -use: - - testprns printer /etc/printcap - -Samba can get its printcap information from a file or from a program. -You can try the following to see the format of the extracted -information: - - testprns -a printer /etc/printcap - - testprns -a printer '|/bin/cat printcap' - -SETTING UP PRINTCAP AND PRINT SERVERS - -You may need to set up some printcaps for your Samba system to use. -It is strongly recommended that you use the facilities provided by -the print spooler to set up queues and printcap information. - -Samba requires either a printcap or program to deliver printcap -information. This printcap information has the format: - - name|alias1|alias2...:option=value:... - -For almost all printing systems, the printer 'name' must be composed -only of alphanumeric or underscore '_' characters. Some systems also -allow hyphens ('-') as well. An alias is an alternative name for the -printer, and an alias with a space in it is used as a 'comment' -about the printer. The printcap format optionally uses a \ at the end of lines -to extend the printcap to multiple lines. - - -Here are some examples of printcap files: - -pr just printer name -pr|alias printer name and alias -pr|My Printer printer name, alias used as comment -pr:sh:\ Same as pr:sh:cm= testing - :cm= \ - testing -pr:sh Same as pr:sh:cm= testing - :cm= testing - -Samba reads the printcap information when first started. If you make -changes in the printcap information, then you must do the following: - -a) make sure that the print spooler is aware of these changes. - The LPRng system uses the 'lpc reread' command to do this. - -b) make sure that the spool queues, etc., exist and have the - correct permissions. The LPRng system uses the 'checkpc -f' - command to do this. - -c) You now should send a SIGHUP signal to the smbd server to have - it reread the printcap information. - -JOB SENT, NO OUTPUT - -This is the most frustrating part of printing. You may have sent the -job, verified that the job was forwarded, set up a wrapper around -the command to send the file, but there was no output from the printer. - -First, check to make sure that the job REALLY is getting to the -right print queue. If you are using a BSD or LPRng print spooler, -you can temporarily stop the printing of jobs. Jobs can still be -submitted, but they will not be printed. Use: - - lpc -Pprinter stop - -Now submit a print job and then use 'lpq -Pprinter' to see if the -job is in the print queue. If it is not in the print queue then -you will have to find out why it is not being accepted for printing. - -Next, you may want to check to see what the format of the job really -was. With the assistance of the system administrator you can view -the submitted jobs files. You may be surprised to find that these -are not in what you would expect to call a printable format. -You can use the UNIX 'file' utitily to determine what the job -format actually is: - - cd /var/spool/lpd/printer # spool directory of print jobs - ls # find job files - file dfA001myhost - -You should make sure that your printer supports this format OR that -your system administrator has installed a 'print filter' that will -convert the file to a format appropriate for your printer. - -JOB SENT, STRANGE OUTPUT - -Once you have the job printing, you can then start worrying about -making it print nicely. - -The most common problem is extra pages of output: banner pages -OR blank pages at the end. - -If you are getting banner pages, check and make sure that the -printcap option or printer option is configured for no banners. -If you have a printcap, this is the :sh (suppress header or banner -page) option. You should have the following in your printer. - - printer: ... :sh - -If you have this option and are still getting banner pages, there -is a strong chance that your printer is generating them for you -automatically. You should make sure that banner printing is disabled -for the printer. This usually requires using the printer setup software -or procedures supplied by the printer manufacturer. - -If you get an extra page of output, this could be due to problems -with your job format, or if you are generating PostScript jobs, -incorrect setting on your printer driver on the MicroSoft client. -For example, under Win95 there is a option: - - Printers|Printer Name|(Right Click)Properties|Postscript|Advanced| - -that allows you to choose if a Ctrl-D is appended to all jobs. -This is a very bad thing to do, as most spooling systems will -automatically add a ^D to the end of the job if it is detected as -PostScript. The multiple ^D may cause an additional page of output. - -RAW POSTSCRIPT PRINTED - -This is a problem that is usually caused by either the print spooling -system putting information at the start of the print job that makes -the printer think the job is a text file, or your printer simply -does not support PostScript. You may need to enable 'Automatic -Format Detection' on your printer. - -ADVANCED PRINTING - -Note that you can do some pretty magic things by using your -imagination with the "print command" option and some shell scripts. -Doing print accounting is easy by passing the %U option to a print -command shell script. You could even make the print command detect -the type of output and its size and send it to an appropriate -printer. - -DEBUGGING - -If the above debug tips don't help, then maybe you need to bring in -the bug guns, system tracing. See Tracing.txt in this directory. ------------------------------------------------------------------------------ diff --git a/docs/textdocs/README.sambatar b/docs/textdocs/README.sambatar deleted file mode 100644 index af7250c2a4..0000000000 --- a/docs/textdocs/README.sambatar +++ /dev/null @@ -1,23 +0,0 @@ -Contributor/s: Martin.Kraemer <Martin.Kraemer@mch.sni.de> - and Ricky Poulten (ricky@logcam.co.uk) -Date: Unknown - circa 1994 -Status: Obsoleted - smbtar has been a stable part of Samba - since samba-1.9.13 - -Subject: Sambatar (now smbtar) -============================================================================= - -This is version 1.4 of my small extension to samba that allows PC shares -to be backed up directly to a UNIX tape. It only has been tested under -Solaris 2.3, Linux 1.1.59 and DG/UX 5.4r3.10 with version 1.9.13 of samba. - -See the file INSTALL for installation instructions, and -the man page and NOTES file for some basic usage. Please let me know if you -have any problems getting it to work under your flavour of Unix. - -This is only (yet another) intermediate version of sambatar. -This version also comes with an extra gift, zen.bas, written in -microsoft qbasic by a colleague. It is (apparently) based on a 70s -British sci-fi series known as Blake's 7. If you have any questions -about this program, or any suggestions (e.g. what about servillan.bas -?), feel free to mail the author (of zen.bas) greenm@lilhd.logica.com. diff --git a/docs/textdocs/SCO.txt b/docs/textdocs/SCO.txt deleted file mode 100644 index 7c01aa57c6..0000000000 --- a/docs/textdocs/SCO.txt +++ /dev/null @@ -1,19 +0,0 @@ -Contributor: Geza Makay <makayg@math.u-szeged.hu> -Date: Unknown -Status: Obsolete - Dates to SCO Unix v3.2.4 approx. - -Subject: TCP/IP Bug in SCO Unix -============================================================================ - -There is an annoying TCPIP bug in SCO Unix. This causes corruption when -transferring files with Samba. - -Geza Makay (makayg@math.u-szeged.hu) sends this information: - -The patch you need is UOD385 Connection Drivers SLS. It is available from -SCO (ftp.sco.com, directory SLS, files uod385a.Z and uod385a.ltr.Z). - -You do not need anything else but the above patch. It installs in seconds, -and corrected the Excel problem. We also had some other minor problems (not -only with Samba) that disappeared by installing this patch. - diff --git a/docs/textdocs/SMBTAR.notes b/docs/textdocs/SMBTAR.notes deleted file mode 100644 index 679d776f56..0000000000 --- a/docs/textdocs/SMBTAR.notes +++ /dev/null @@ -1,46 +0,0 @@ -Contributor: Unknown -Date: 1994 -Status: Mostly Current - refer man page - -Subject: Smbtar -============================================================================ - -Intro ------ - -sambatar is just a small extension to the smbclient program distributed with -samba. A basic front end shell script, smbtar, is provided as an interface -to the smbclient extensions. - -Extensions ----------- - -This release adds the following extensions to smbclient, - -tar [c|x] filename - creates or restores from a tar file. The tar file may be a tape -or a unix tar file. tar's behaviour is modified with the newer and tarmode -commands. - -tarmode [full|inc|reset|noreset] - With no arguments, tarmode prints the current tar mode (by default full, -noreset). In full mode, every file is backed up during a tar command. -In incremental, only files with the dos archive bit set are backed up. -The archive bit is reset if in reset mode, or left untouched if in noreset. -In reset mode, the share has to be writable, which makes sambatar even -less secure. An alternative might be to use tarmode inc noreset which -would implement an "expanding incremental" backup (which some may prefer -anyway). - -setmode <setmode string> filename - This is a "freebie" - nothing really to do with sambatar. This -is a crude attrib like command (only the other way around). Setmode string -is a combination of +-rhsa. So for example -rh would reset the read only -bit on filename. - -newer filename - This is in fact part of the 1.9.13 samba distribution, but comes -into its own with sambatar. This causes tar (or get, mget, etc) to -only copy files newer than the specified file name. Could be used -against the previous nights (or whatever) log file to implement incremental -backups. diff --git a/docs/textdocs/Solaris-Winbind-HOWTO.txt b/docs/textdocs/Solaris-Winbind-HOWTO.txt deleted file mode 100644 index a81bacf486..0000000000 --- a/docs/textdocs/Solaris-Winbind-HOWTO.txt +++ /dev/null @@ -1,361 +0,0 @@ -!== -!== Solaris-Winbind-HOWTO.txt -!== -Contributors: Naag Mummaneni <getnag@rediffmail.com> -Updated: May 2, 2002 -Status: Current - -Subject: Installing and Configuring Winbind on Solaris -============================================================================= - -Installation and Configuration of Winbind on Solaris. ------------------------------------------------------ - -This HOWTO describes how to get winbind services up and running to control -access and authenticate users on your Solaris box using the winbind services -which come with SAMBA 2.2.x latest CVS Checkout.Make sure you are using the -latest Samba 2.2.x cvs checkout as other versions come with a lots of bugs -regarding winbind .And even the Latest Samba Stable Release is also not an -exception to this. - -Introduction ------------- - -This HOWTO describes the procedures used to get winbind up and running on a -Solaris system. Winbind is capable of providing access and authentication -control for Windows Domain users through an NT or Win2K PDC for 'regular' -services, such as telnet and ftp, as well for SAMBA services. - -Why should I to this? - -This allows the SAMBA administrator to rely on the authentication mechanisms -on the NT/Win2K PDC for the authentication of domain members. NT/Win2K users -no longer need to have separate accounts on the SAMBA server. - -Who should be reading this document? - -This HOWTO is designed for system administrators. If you are implementing -SAMBA on a file server and wish to (fairly easily) integrate existing -NT/Win2K users from your PDC onto the SAMBA server, this HOWTO is for you. - -Requirements ------------- - -If you have a samba configuration file that you are currently using... BACK -IT UP! If your system already uses PAM, back up the /etc/pam.conf file ! If -you haven't already made a boot disk, MAKEONE NOW! Messing with the pam -configuration file can make it nearly impossible to log in to yourmachine. -That's why you want to be able to boot back into your machine in single user -mode and restore your /etc/pam.conf back to the original state they were in -if you get frustrated with the way things are going. ;-) Please refer to the -main SAMBA web page or, better yet, your closest SAMBA mirror site for -instructions on downloading the source code of Samba 2.2.x from the SAMBA -CVS repository. To allow Domain users the ability to access SAMBA shares and -files, as well as potentially other services provided by your SAMBA machine, -PAM (pluggable authentication modules) must be setup properly on your -machine. In order to compile the winbind modules, you should have at least -the pam libraries resident on your system. Solaris 7/8 has its pam modules -coming with the distribution itself. - -Testing Things Out ------------------- - -Before starting, it is probably best to kill off all the SAMBA related -daemons running on your server. Kill off all smbd, nmbd, and winbindd -processes that may be running. - - -Configure and compile SAMBA ---------------------------- - -The configuration and compilation of SAMBA is pretty straightforward. The -first three steps may not be necessary depending upon whether or not you -have previously built the Samba binaries. - -root# autoconf -root# make clean -root# rm config.cache -root# ./configure --with-winbind --with-pam -root# make -root# make install - -This will, by default, install SAMBA in /usr/local/samba. See the main SAMBA -documentation if you want to install SAMBA somewhere else. It will also -build the winbindd executable and libraries. - -Configure nsswitch.conf and the winbind libraries -------------------------------------------------- - -The libraries needed to run the winbindd daemon through nsswitch need to be -copied to their proper locations, so - -root# cp ../samba/source/nsswitch/libnss_winbind.so /usr/lib - -I also found it necessary to make the following symbolic links: - -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.2 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1 -root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2 - -Now, as root you need to edit /etc/nsswitch.conf to allow user and group -entries to be visible from the winbindd daemon. My /etc/nsswitch.conf file -look like this after editing: - - passwd: files winbind - group: files winbind - - -Configure smb.conf ------------------- - -Several parameters are needed in the smb.conf file to control the behavior -of winbindd. Configure smb.conf These are described in more detail in the -winbindd(8) man page. My smb.conf file was modified to include the following -entries in the [global] section: - -[global] - <...> - # The previous documentation says to - # as the "winbind seperator " directive also but - # it is no longer supported. - - # use uids from 10000 to 20000 for domain users - winbind uid = 10000-20000 - - # use gids from 10000 to 20000 for domain groups - winbind gid = 10000-20000 - - # allow enumeration of winbind users and groups - winbind enum users = yes - winbind enum groups = yes - - # give winbind users a real shell (only needed if - # they have telnet access) - template homedir = /home/winnt/%D/%U - template shell = /bin/bash - - -Join the SAMBA server to the PDC domain ---------------------------------------- - -Enter the following command to make the SAMBA server join the PDC domain, -where DOMAIN is the name of your Windows domain and Administrator is a -domain user who has administrative privileges in the domain. - -root# /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator - -The proper response to the command should be: "Joined the domain DOMAIN" -where DOMAIN is your DOMAIN name. - -Start up the winbindd daemon and test it! - -Eventually, you will want to modify your smb startup script to automatically -invoke the winbindd daemon when the other parts of SAMBA start, but it is -possible to test out just the winbind portion first. To start up winbind -services, enter the following command as root: - -root# /usr/local/samba/bin/winbindd - -I'm always paranoid and like to make sure the daemon is really running... - -root# ps -ae | grep winbindd - -This command should produce output like this, if the daemon is running - - 3025 ? 00:00:00 winbindd - -Now... for the real test, try to get some information about the users on -your PDC - -root# /usr/local/samba/bin/wbinfo -u - -This should echo back a list of users on your Windows users on your PDC. For -example, I get the following response: - -CEO\Administrator -CEO\burdell -CEO\Guest -CEO\jt-ad -CEO\krbtgt -CEO\TsInternetUser - -root# /usr/local/samba/bin/wbinfo -g - -CEO\Domain Admins -CEO\Domain Users -CEO\Domain Guests -CEO\Domain Computers -CEO\Domain Controllers -CEO\Cert Publishers -CEO\Schema Admins -CEO\Enterprise Admins -CEO\Group Policy Creator Owners - -The function 'getent' can now be used to get unified lists of both local and -PDC users and groups. Try the following command: - -root# getent passwd - -You should get a list that looks like your /etc/passwd list followed by the domain users with their new -uids, gids, home directories and default shells. - -The same thing can be done for groups with the command - -root# getent group - -Fix the /etc/rc.d/init.d/samba.server startup files The winbindd daemon -needs to start up after the smbd and nmbd daemons are running. To accomplish -this task, you need to modify the /etc/init.d/samba.server script to add -commands to invoke this daemon in the proper sequence. My -/etc/init.d/samba.server file starts up smbd, nmbd, and winbindd from the -/usr/local/samba/bin directory directly. - -## -## samba.server -## - -if [ ! -d /usr/bin ] -then # /usr not mounted - exit -fi - -killproc() { # kill the named process(es) - pid=`/usr/bin/ps -e | - /usr/bin/grep -w $1 | - /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid -} - -# Start/stop processes required for samba server - -case "$1" in - -'start') -# -# Edit these lines to suit your installation (paths, workgroup, host) -# -echo Starting SMBD - /usr/local/samba/bin/smbd -D -s \ - /usr/local/samba/smb.conf - -echo Starting NMBD - /usr/local/samba/bin/nmbd -D -l \ - /usr/local/samba/var/log -s /usr/local/samba/smb.conf - -echo Starting Winbind Daemon - /usr/local/samba/bin/winbindd - ;; - -'stop') - killproc nmbd - killproc smbd - killproc winbindd - ;; - -*) - echo "Usage: /etc/init.d/samba.server { start | stop }" - ;; -esac - -If you restart the smbd, nmbd, and winbindd daemons at this point, you -should be able to connect to the samba server as a domain member just as if -you were a local user. - - -Configure Winbind and PAM -------------------------- - -If you have made it this far, you know that winbindd and samba are working -together. If you want to use winbind to provide authentication for other -services, keep reading. The pam configuration file need to be altered in -this step. (Did you remember to make backups of your original /etc/pam.conf -file? If not, do it now.) You will need a pam module to use winbindd with -these other services. This module will be compiled in the ../source/nsswitch -directory by default when we used ./configure --with-pam option. - -root# make nsswitch/pam_winbind.so - -from the ../source directory. The pam_winbind.so file should be copied to -the location of your other pam security modules. On my Solaris 8, this was -the /usr/lib/security directory. - -root# cp ../samba/source/nsswitch/pam_winbind.so /usr/lib/security - -The /etc/pam.conf need to be changed. I changed this file so that my Domain -users can logon both locally as well as telnet.The following are the changes -that I made.You can customize the pam.conf file as per your requirements,but -be sure of those changes because in the worst case it will leave your system -nearly impossible to boot. - -# -#ident "@(#)pam.conf 1.14 99/09/16 SMI" -# -# Copyright (c) 1996-1999, Sun Microsystems, Inc. -# All Rights Reserved. -# -# PAM configuration -# -# Authentication management -# -login auth required /usr/lib/security/pam_winbind.so -login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass -# -rlogin auth sufficient /usr/lib/security/pam_winbind.so -rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -dtlogin auth sufficient /usr/lib/security/pam_winbind.so -dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -other auth sufficient /usr/lib/security/pam_winbind.so -other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -# Account management -# -login account sufficient /usr/lib/security/pam_winbind.so -login account requisite /usr/lib/security/$ISA/pam_roles.so.1 -login account required /usr/lib/security/$ISA/pam_unix.so.1 -# -dtlogin account sufficient /usr/lib/security/pam_winbind.so -dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 -dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 -# -other account sufficient /usr/lib/security/pam_winbind.so -other account requisite /usr/lib/security/$ISA/pam_roles.so.1 -other account required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Session management -# -other session required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Password management -# -#other password sufficient /usr/lib/security/pam_winbind.so -other password required /usr/lib/security/$ISA/pam_unix.so.1 -dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Support for Kerberos V5 authentication (uncomment to use Kerberos) -# -#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass - -I also added a try_first_pass line after the winbind.so line to get rid of -annoying double prompts for passwords. - -Now restart your Samba & try connecting through your application that you -configured in the pam.conf. - - - -!== -!== end of Solaris-Winbind-HOWTO.txt -!== diff --git a/docs/textdocs/Speed.txt b/docs/textdocs/Speed.txt deleted file mode 100644 index b82db8f8f4..0000000000 --- a/docs/textdocs/Speed.txt +++ /dev/null @@ -1,338 +0,0 @@ - -Subject: Samba performance issues -============================================================================ - -This file tries to outline the ways to improve the speed of a Samba server. - -COMPARISONS ------------ - -The Samba server uses TCP to talk to the client. Thus if you are -trying to see if it performs well you should really compare it to -programs that use the same protocol. The most readily available -programs for file transfer that use TCP are ftp or another TCP based -SMB server. - -If you want to test against something like a NT or WfWg server then -you will have to disable all but TCP on either the client or -server. Otherwise you may well be using a totally different protocol -(such as Netbeui) and comparisons may not be valid. - -Generally you should find that Samba performs similarly to ftp at raw -transfer speed. It should perform quite a bit faster than NFS, -although this very much depends on your system. - -Several people have done comparisons between Samba and Novell, NFS or -WinNT. In some cases Samba performed the best, in others the worst. I -suspect the biggest factor is not Samba vs some other system but the -hardware and drivers used on the various systems. Given similar -hardware Samba should certainly be competitive in speed with other -systems. - - -OPLOCKS -------- - -Oplocks are the way that SMB clients get permission from a server to -locally cache file operations. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will agressively cache file -data. With some oplock types the client may even cache file open/close -operations. This can give enormous performance benefits. - -With the release of Samba 1.9.18 we now correctly support opportunistic -locks. This is turned on by default, and can be turned off on a share- -by-share basis by setting the parameter : - -oplocks = False - -We recommend that you leave oplocks on however, as current benchmark -tests with NetBench seem to give approximately a 30% improvement in -speed with them on. This is on average however, and the actual -improvement seen can be orders of magnitude greater, depending on -what the client redirector is doing. - -Previous to Samba 1.9.18 there was a 'fake oplocks' option. This -option has been left in the code for backwards compatibility reasons -but it's use is now deprecated. A short summary of what the old -code did follows. - -LEVEL2 OPLOCKS --------------- - -With Samba 2.0.5 a new capability - level2 (read only) oplocks is -supported (although the option is off by default - see the smb.conf -man page for details). Turning on level2 oplocks (on a share-by-share basis) -by setting the parameter : - -level2 oplocks = true - -should speed concurrent access to files that are not commonly written -to, such as application serving shares (ie. shares that contain common -.EXE files - such as a Microsoft Office share) as it allows clients to -read-ahread cache copies of these files. - -Old 'fake oplocks' option - deprecated. ---------------------------------------- - -Samba can also fake oplocks, by granting a oplock whenever a client -asks for one. This is controlled using the smb.conf option "fake -oplocks". If you set "fake oplocks = yes" then you are telling the -client that it may agressively cache the file data for all opens. - -Enabling 'fake oplocks' on all read-only shares or shares that you know -will only be accessed from one client at a time you will see a big -performance improvement on many operations. If you enable this option -on shares where multiple clients may be accessing the files read-write -at the same time you can get data corruption. - -SOCKET OPTIONS --------------- - -There are a number of socket options that can greatly affect the -performance of a TCP based server like Samba. - -The socket options that Samba uses are settable both on the command -line with the -O option, or in the smb.conf file. - -The "socket options" section of the smb.conf manual page describes how -to set these and gives recommendations. - -Getting the socket options right can make a big difference to your -performance, but getting them wrong can degrade it by just as -much. The correct settings are very dependent on your local network. - -The socket option TCP_NODELAY is the one that seems to make the -biggest single difference for most networks. Many people report that -adding "socket options = TCP_NODELAY" doubles the read performance of -a Samba drive. The best explanation I have seen for this is that the -Microsoft TCP/IP stack is slow in sending tcp ACKs. - - -READ SIZE ---------- - -The option "read size" affects the overlap of disk reads/writes with -network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk. - -This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other. - -The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the best -value will vary greatly between systems anyway. A value over 65536 is -pointless and will cause you to allocate memory unnecessarily. - - -MAX XMIT --------- - -At startup the client and server negotiate a "maximum transmit" size, -which limits the size of nearly all SMB commands. You can set the -maximum size that Samba will negotiate using the "max xmit = " option -in smb.conf. Note that this is the maximum size of SMB request that -Samba will accept, but not the maximum size that the *client* will accept. -The client maximum receive size is sent to Samba by the client and Samba -honours this limit. - -It defaults to 65536 bytes (the maximum), but it is possible that some -clients may perform better with a smaller transmit unit. Trying values -of less than 2048 is likely to cause severe problems. - -In most cases the default is the best option. - - -LOCKING -------- - -By default Samba does not implement strict locking on each read/write -call (although it did in previous versions). If you enable strict -locking (using "strict locking = yes") then you may find that you -suffer a severe performance hit on some systems. - -The performance hit will probably be greater on NFS mounted -filesystems, but could be quite high even on local disks. - - -SHARE MODES ------------ - -Some people find that opening files is very slow. This is often -because of the "share modes" code needed to fully implement the dos -share modes stuff. You can disable this code using "share modes = -no". This will gain you a lot in opening and closing files but will -mean that (in some cases) the system won't force a second user of a -file to open the file read-only if the first has it open -read-write. For many applications that do their own locking this -doesn't matter, but for some it may. Most Windows applications -depend heavily on "share modes" working correctly and it is -recommended that the Samba share mode support be left at the -default of "on". - -The share mode code in Samba has been re-written in the 1.9.17 -release following tests with the Ziff-Davis NetBench PC Benchmarking -tool. It is now believed that Samba 1.9.17 implements share modes -similarly to Windows NT. - -NOTE: In the most recent versions of Samba there is an option to use -shared memory via mmap() to implement the share modes. This makes -things much faster. See the Makefile for how to enable this. - - -LOG LEVEL ---------- - -If you set the log level (also known as "debug level") higher than 2 -then you may suffer a large drop in performance. This is because the -server flushes the log file after each operation, which can be very -expensive. - - -WIDE LINKS ----------- - -The "wide links" option is now enabled by default, but if you disable -it (for better security) then you may suffer a performance hit in -resolving filenames. The performance loss is lessened if you have -"getwd cache = yes", which is now the default. - - -READ RAW --------- - -The "read raw" operation is designed to be an optimised, low-latency -file read operation. A server may choose to not support it, -however. and Samba makes support for "read raw" optional, with it -being enabled by default. - -In some cases clients don't handle "read raw" very well and actually -get lower performance using it than they get using the conventional -read operations. - -So you might like to try "read raw = no" and see what happens on your -network. It might lower, raise or not affect your performance. Only -testing can really tell. - - -WRITE RAW ---------- - -The "write raw" operation is designed to be an optimised, low-latency -file write operation. A server may choose to not support it, -however. and Samba makes support for "write raw" optional, with it -being enabled by default. - -Some machines may find "write raw" slower than normal write, in which -case you may wish to change this option. - -READ PREDICTION ---------------- - -Samba can do read prediction on some of the SMB commands. Read -prediction means that Samba reads some extra data on the last file it -read while waiting for the next SMB command to arrive. It can then -respond more quickly when the next read request arrives. - -This is disabled by default. You can enable it by using "read -prediction = yes". - -Note that read prediction is only used on files that were opened read -only. - -Read prediction should particularly help for those silly clients (such -as "Write" under NT) which do lots of very small reads on a file. - -Samba will not read ahead more data than the amount specified in the -"read size" option. It always reads ahead on 1k block boundaries. - - -MEMORY MAPPING --------------- - -Samba supports reading files via memory mapping them. One some -machines this can give a large boost to performance, on others it -makes not difference at all, and on some it may reduce performance. - -To enable you you have to recompile Samba with the -DUSE_MMAP option -on the FLAGS line of the Makefile. - -Note that memory mapping is only used on files opened read only, and -is not used by the "read raw" operation. Thus you may find memory -mapping is more effective if you disable "read raw" using "read raw = -no". - - -SLOW CLIENTS ------------- - -One person has reported that setting the protocol to COREPLUS rather -than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s). - -I suspect that his PC's (386sx16 based) were asking for more data than -they could chew. I suspect a similar speed could be had by setting -"read raw = no" and "max xmit = 2048", instead of changing the -protocol. Lowering the "read size" might also help. - - -SLOW LOGINS ------------ - -Slow logins are almost always due to the password checking time. Using -the lowest practical "password level" will improve things a lot. You -could also enable the "UFC crypt" option in the Makefile. - -CLIENT TUNING -------------- - -Often a speed problem can be traced to the client. The client (for -example Windows for Workgroups) can often be tuned for better TCP -performance. - -See your client docs for details. In particular, I have heard rumours -that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a -large impact on performance. - -Also note that some people have found that setting DefaultRcvWindow in -the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a -big improvement. I don't know why. - -My own experience wth DefaultRcvWindow is that I get much better -performance with a large value (16384 or larger). Other people have -reported that anything over 3072 slows things down enourmously. One -person even reported a speed drop of a factor of 30 when he went from -3072 to 8192. I don't know why. - -It probably depends a lot on your hardware, and the type of unix box -you have at the other end of the link. - - -MY RESULTS ----------- - -Some people want to see real numbers in a document like this, so here -they are. I have a 486sx33 client running WfWg 3.11 with the 3.11b -tcp/ip stack. It has a slow IDE drive and 20Mb of ram. It has a SMC -Elite-16 ISA bus ethernet card. The only WfWg tuning I've done is to -set DefaultRcvWindow in the [MSTCP] section of system.ini to 16384. My -server is a 486dx3-66 running Linux. It also has 20Mb of ram and a SMC -Elite-16 card. You can see my server config in the examples/tridge/ -subdirectory of the distribution. - -I get 490k/s on reading a 8Mb file with copy. -I get 441k/s writing the same file to the samba server. - -Of course, there's a lot more to benchmarks than 2 raw throughput -figures, but it gives you a ballpark figure. - -I've also tested Win95 and WinNT, and found WinNT gave me the best -speed as a samba client. The fastest client of all (for me) is -smbclient running on another linux box. Maybe I'll add those results -here someday ... - - diff --git a/docs/textdocs/Speed2.txt b/docs/textdocs/Speed2.txt deleted file mode 100644 index a8c3e7381f..0000000000 --- a/docs/textdocs/Speed2.txt +++ /dev/null @@ -1,57 +0,0 @@ -Contributor: Paul Cochrane <paulc@dth.scot.nhs.uk> -Organization: Dundee Limb Fitting Centre -Date: Fri, 10 Apr 1998 -Subject: Samba SPEED.TXT comment -============================================================================= - -This might be relevant to Client Tuning. I have been trying various methods -of getting win95 to talk to Samba quicker. The results I have come up with -are: - -1. Install the W2setup.exe file from www.microsoft.com. This is an -update for the winsock stack and utilities which improve performance. - -2. Configure the win95 TCPIP registry settings to give better -perfomance. I use a program called MTUSPEED.exe which I got off the -net. There are various other utilities of this type freely available. -The setting which give the best performance for me are: - -(a) MaxMTU Remove -(b) RWIN Remove -(c) MTUAutoDiscover Disable -(d) MTUBlackHoleDetect Disable -(e) Time To Live Enabled -(f) Time To Live - HOPS 32 -(g) NDI Cache Size 0 - -3. I tried virtually all of the items mentioned in the document and -the only one which made a difference to me was the socket options. It -turned out I was better off without any!!!!! - -In terms of overall speed of transfer, between various win95 clients -and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE -drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT. - -The figures are: Put Get -P166 client 3Com card: 420-440kB/s 500-520kB/s -P100 client 3Com card: 390-410kB/s 490-510kB/s -DX4-75 client NE2000: 370-380kB/s 330-350kB/s - -I based these test on transfer two files a 4.5MB text file and a 15MB -textfile. The results arn't bad considering the hardware Samba is -running on. It's a crap machine!!!! - -The updates mentioned in 1 and 2 brought up the transfer rates from -just over 100kB/s in some clients. - -A new client is a P333 connected via a 100MB/s card and hub. The -transfer rates from this were good: 450-500kB/s on put and 600+kB/s -on get. - -Looking at standard FTP throughput, Samba is a bit slower (100kB/s -upwards). I suppose there is more going on in the samba protocol, but -if it could get up to the rate of FTP the perfomance would be quite -staggering. - -Paul Cochrane - diff --git a/docs/textdocs/Win95.txt b/docs/textdocs/Win95.txt deleted file mode 100644 index 69330c512d..0000000000 --- a/docs/textdocs/Win95.txt +++ /dev/null @@ -1,74 +0,0 @@ -Copyright (C) 1997 - Samba-Team -Contributed Date: August 20, 1997 -Last Update: August 20, 1997 - -Subject: Windows 95 and Samba Interoperability -=============================================================================== - -Password Handling: ------------------- -Microsoft periodically release updates to all their operating systems. Some of -these are welcomed while others cause us to change the way we do things. Few -people like change, particularly if the change is unexpected. The best advice -always is to read the documentation provided BEFORE applying an update. - -One of the recent Win95 updates (VRDRUPD.EXE) disables plain text (also called -clear text) password authentication. The effects of this updates are desirable -where MS Windows NT is providing the password authentication service. This -update is most undesirable where Samba must provide the authentication service -unless Samba has been specifically configured to use encrypted passwords _AND_ -has been linked with the libdes library. - -If the above conditions have not been complied with, and you are using Samba, -then Windows 95 clients will NOT be able to authenticate to a Samba server. - -To re-enable plain text password capabilities AFTER applying this update -you must create a new value in the Windows 95 registry. - -Either foillow the following procedure or just double click on the -file Win95_PlainPassword.reg for an easier way to do this. - -Procedure: -1) Launch the Registry Editor as follows: - Click on: /Start/Run - Type "regedit" and press enter. - -2) Double click on: HKEY_LOCAL_MACHINE - -3) Locate the following Key: - /HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/VxD/VNETSUP - -4) From the menu bar select Edit/New/DWORD Value - -5) Rename the entry from "New Value #1" to: - EnablePlainTextPassword - -6) Press Enter, then double click on the new entry. - A dialog box will pop up and enable you to set a value. - You must set this value to 1. - -------------------------------------------------------------------------------- - -Windows 95 Updates: -------------------- -When using Windows 95 OEM SR2 the following updates are recommended where Samba -is being used. Please NOTE that the above change will affect you once these -updates have been installed. - -There are more updates than the ones mentioned here. You are referred to the -Microsoft Web site for all currently available updates to your specific version -of Windows 95. - -Kernel Update: KRNLUPD.EXE -Ping Fix: PINGUPD.EXE -RPC Update: RPCRTUPD.EXE -TCP/IP Update: VIPUPD.EXE -Redirector Update: VRDRUPD.EXE - -Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This -fix may stop your machine from hanging for an extended period when exiting -OutLook and you may also notice a significant speedup when accessing network -neighborhood services. - -------------------------------------------------------------------------------- -The above password information was provided by: Jochen Huppertz <jhu@nrh.de> diff --git a/docs/textdocs/WinNT.txt b/docs/textdocs/WinNT.txt deleted file mode 100644 index 5c72fb08aa..0000000000 --- a/docs/textdocs/WinNT.txt +++ /dev/null @@ -1,104 +0,0 @@ -Contributors: Various - Password Section - Copyright (C) 1997 - John H Terpstra - Printing Section - Copyright (C) 1997 - Matthew Harrell - Priting Info - Copyright (C) 1997 - Frank Varnavas -Updated: October 16, 1997 -Status: Current - -Subject: Samba and Windows NT Password Handling -============================================================================= - -There are some particular issues with Samba and Windows NT. - -Passwords: -========== -One of the most annoying problems with WinNT is that NT refuses to -connect to a server that is in user level security mode and that -doesn't support password encryption unless it first prompts the user -for a password. - -This means even if you have the same password on the NT box and the -Samba server you will get prompted for a password. Entering the -correct password will get you connected only if Windows NT can -communicate with Samba using a compatible mode of password security. - -All versions of Windows NT prior to 4.0 Service Pack 3 could negotiate -plain text (clear text) passwords. Windows NT 4.0 Service Pack 3 changed -this default behaviour so it now will only handle encrypted passwords. -The following registry entry change will re-enable clear text password -handling: - -Run regedt32.exe and locate the hive key entry: -HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Rdr\Parameters\ - -Add the following value: - EnablePlainTextPassword:REG_DWORD=1 - -Alternatively, use the NT4_PlainPassword.reg file in this directory (either -by double clicking on it, or run regedt32.exe and select "Import Registry -File" from the "Registry" Menu). - -The other major ramification of this feature of NT is that it can't -browse a user level non-encrypted server unless it already has a -connection open. This is because there is no spot for a password -prompt in the browser window. It works fine if you already have a -drive mounted (for example, one auto mounted on startup). -===================================================================== - -Printing: -========= -When you mount a printer using the print manager in NT you may find -the following info from Matthew Harrell <harrell@leech.nrl.navy.mil> -useful: - ------------- - I noticed in your change-log you noted that some people were -still unable to use print manager under NT. If this is the same problem -that I encountered, it's caused by the length of time it takes NT to -determine if the printer is ready. - -The problem occurs when you double-click on a printer to connect it to -the NT machine. Because it's unable to determine if the printer is ready -in the short span of time it has, it assumes it isn't and gives some -strange error about not having enough resources (I forget what the error -is). A solution to this that seems to work fine for us is to click -once on the printer, look at the bottom of the window and wait until -it says it's ready, then clilck on "OK". - -By the way, this problem probably occurs in our group because the -Samba server doesn't actually have the printers - it queues them to -remote printers either on other machines or using their own network -cards. Because of this "middle layer", it takes an extra amount of -time for the NT machine to get verification that the printer queue -actually exists. - -I hope this helped in some way... - -===================================================================== -Printing Info: --------------- - -From: Frank Varnavas <varnavas@ny.ubs.com> -Subject: RE: Samba as a print server - -When an NT client attempts to connect to a printer on a non-NT print -server the attempt is failed with an error, something like: - - "You have insufficient access to your computer to perform the - operation because a driver needs to be installed" - -This is because domain users must have 'Power User' status on the -desktop to connect to printers on a non-NT print server. - -This error occurs regardless of whether the driver in question is -already installed or not. What it really means is that the server is -a non-NT server and the client does not have permission to create -printers locally. Apparently when a connection to a non-NT print -server is made the printer is defined locally. Such an action can be -performed by either a local administrator or a Power User. -Unfortunately there is no way to limit the powers of a Power User, nor -is there any way to grant the Printer Creation right to another group. - -This permission policy is documented in PSS database WINNT, ID Q101874 - -Frank Varnavas (varnavas@ny.ubs.com) diff --git a/docs/textdocs/security_level.txt b/docs/textdocs/security_level.txt deleted file mode 100644 index f4e0df7139..0000000000 --- a/docs/textdocs/security_level.txt +++ /dev/null @@ -1,100 +0,0 @@ -Contributor: Andrew Tridgell -Updated: June 27, 1997 -Status: Current - -Subject: Description of SMB security levels. -=========================================================================== - -Samba supports the following options to the global smb.conf parameter -"security =": - share, user, server - -Note: Samba-2.0.0 now adds the "domain" security mode. Please refer to -the smb.conf man page for usage information and to the document -docs/textdocs/DOMAIN_MEMBER.txt for further background details. - -Of the above, "security = server" means that Samba reports to clients that -it is running in "user mode" but actually passes off all authentication -requests to another "user mode" server. This requires an additional -parameter "password server =" that points to the real authentication server. -That real authentication server can be another Samba server or can be a -Windows NT server, the later natively capable of encrypted password support. - -Below is a more complete description of security levels. -=========================================================================== - -A SMB server tells the client at startup what "security level" it is -running. There are two options "share level" and "user level". Which -of these two the client receives affects the way the client then tries -to authenticate itself. It does not directly affect (to any great -extent) the way the Samba server does security. I know this is -strange, but it fits in with the client/server approach of SMB. In SMB -everything is initiated and controlled by the client, and the server -can only tell the client what is available and whether an action is -allowed. - -I'll describe user level security first, as its simpler. In user level -security the client will send a "session setup" command directly after -the protocol negotiation. This contains a username and password. The -server can either accept or reject that username/password -combination. Note that at this stage the server has no idea what -share the client will eventually try to connect to, so it can't base -the "accept/reject" on anything other than: - -- the username/password -- the machine that the client is coming from - -If the server accepts the username/password then the client expects to -be able to mount any share (using a "tree connection") without -specifying a password. It expects that all access rights will be as -the username/password specified in the "session setup". - -It is also possible for a client to send multiple "session setup" -requests. When the server responds it gives the client a "uid" to use -as an authentication tag for that username/password. The client can -maintain multiple authentication contexts in this way (WinDD is an -example of an application that does this) - - -Ok, now for share level security. In share level security the client -authenticates itself separately for each share. It will send a -password along with each "tree connection" (share mount). It does not -explicitly send a username with this operation. The client is -expecting a password to be associated with each share, independent of -the user. This means that samba has to work out what username the -client probably wants to use. It is never explicitly sent the -username. Some commercial SMB servers such as NT actually associate -passwords directly with shares in share level security, but samba -always uses the unix authentication scheme where it is a -username/password that is authenticated, not a "share/password". - -Many clients send a "session setup" even if the server is in share -level security. They normally send a valid username but no -password. Samba records this username in a list of "possible -usernames". When the client then does a "tree connection" it also adds -to this list the name of the share they try to connect to (useful for -home directories) and any users listed in the "user =" smb.conf -line. The password is then checked in turn against these "possible -usernames". If a match is found then the client is authenticated as -that user. - -Finally "server level" security. In server level security the samba -server reports to the client that it is in user level security. The -client then does a "session setup" as described earlier. The samba -server takes the username/password that the client sends and attempts -to login to the "password server" by sending exactly the same -username/password that it got from the client. If that server is in -user level security and accepts the password then samba accepts the -clients connection. This allows the samba server to use another SMB -server as the "password server". - -You should also note that at the very start of all this, where the -server tells the client what security level it is in, it also tells -the client if it supports encryption. If it does then it supplies the -client with a random "cryptkey". The client will then send all -passwords in encrypted form. You have to compile samba with encryption -enabled to support this feature, and you have to maintain a separate -smbpasswd file with SMB style encrypted passwords. It is -cryptographically impossible to translate from unix style encryption -to SMB style encryption, although there are some fairly simple management -schemes by which the two could be kept in sync. |