diff options
-rw-r--r-- | docs/docbook/faq/clientapp.sgml | 16 | ||||
-rw-r--r-- | docs/docbook/faq/errors.sgml | 77 | ||||
-rw-r--r-- | docs/faq/clientapp.html | 38 | ||||
-rw-r--r-- | docs/faq/errors.html | 80 | ||||
-rw-r--r-- | docs/faq/samba-faq.html | 42 | ||||
-rw-r--r-- | docs/textdocs/HINTS.txt | 111 | ||||
-rw-r--r-- | docs/textdocs/UNIX_SECURITY.txt | 54 |
7 files changed, 239 insertions, 179 deletions
diff --git a/docs/docbook/faq/clientapp.sgml b/docs/docbook/faq/clientapp.sgml index 2077b230ce..6d687bf772 100644 --- a/docs/docbook/faq/clientapp.sgml +++ b/docs/docbook/faq/clientapp.sgml @@ -82,4 +82,20 @@ workstation as follows: <command>\\"Server_Name"\MSOP95\msoffice\setup</command> </itemizedlist> </sect1> + +<sect1> +<title>Microsoft Access database opening errors</title> + +<para> +Here are some notes on running MS-Access on a Samba drive from <ulink url="stefank@esi.com.au">Stefan Kjellberg</ulink> +</para> + +<para><simplelist> +<member>Opening a database in 'exclusive' mode does NOT work. Samba ignores r/w/share modes on file open.</member> +<member>Make sure that you open the database as 'shared' and to 'lock modified records'</member> +<member>Of course locking must be enabled for the particular share (smb.conf)</member> +</simplelist> +</para> + +</sect1> </chapter> diff --git a/docs/docbook/faq/errors.sgml b/docs/docbook/faq/errors.sgml index 53e4d01e20..0a40011fbb 100644 --- a/docs/docbook/faq/errors.sgml +++ b/docs/docbook/faq/errors.sgml @@ -82,4 +82,81 @@ SMB servers. </sect1> +<sect1> +<title>The data on the CD-Drive I've shared seems to be corrupted!</title> + +<para> +Some OSes (notably Linux) default to auto detection of file type on +cdroms and do cr/lf translation. This is a very bad idea when use with +Samba. It causes all sorts of stuff ups. +</para> + +<para> +To overcome this problem use conv=binary when mounting the cdrom +before exporting it with Samba. +</para> + +</sect1> + +<sect1> +<title>Why can users access home directories of other users?</title> + +<para> +<quote> +We are unable to keep individual users from mapping to any other user's +home directory once they have supplied a valid password! They only need +to enter their own password. I have not found *any* method that I can +use to configure samba to enforce that only a user may map their own +home directory. +</quote> +</para> + +<para><quote> +User xyzzy can map his home directory. Once mapped user xyzzy can also map +*anyone* elses home directory! +</quote></para> + +<para> +This is not a security flaw, it is by design. Samba allows +users to have *exactly* the same access to the UNIX filesystem +as they would if they were logged onto the UNIX box, except +that it only allows such views onto the file system as are +allowed by the defined shares. +</para> + +<para> +This means that if your UNIX home directories are set up +such that one user can happily cd into another users +directory and do an ls, the UNIX security solution is to +change the UNIX file permissions on the users home directories +such that the cd and ls would be denied. +</para> + +<para> +Samba tries very hard not to second guess the UNIX administrators +security policies, and trusts the UNIX admin to set +the policies and permissions he or she desires. +</para> + +<para> +Samba does allow the setup you require when you have set the +"only user = yes" option on the share, is that you have not set the +valid users list for the share. +</para> + +<para> +Note that only user works in conjunction with the users= list, +so to get the behavior you require, add the line : +<programlisting> +users = %S +</programlisting> +this is equivalent to: +<programlisting> +valid users = %S +</programlisting> +to the definition of the [homes] share, as recommended in +the smb.conf man page. +</para> + +</sect1> </chapter> diff --git a/docs/faq/clientapp.html b/docs/faq/clientapp.html index fd120f90cd..3196fd285e 100644 --- a/docs/faq/clientapp.html +++ b/docs/faq/clientapp.html @@ -155,6 +155,44 @@ CLASS="COMMAND" ></LI ></UL ></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN190" +></A +>3.3. Microsoft Access database opening errors</H1 +><P +>Here are some notes on running MS-Access on a Samba drive from <A +HREF="stefank@esi.com.au" +TARGET="_top" +>Stefan Kjellberg</A +></P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Opening a database in 'exclusive' mode does NOT work. Samba ignores r/w/share modes on file open.</TD +></TR +><TR +><TD +>Make sure that you open the database as 'shared' and to 'lock modified records'</TD +></TR +><TR +><TD +>Of course locking must be enabled for the particular share (smb.conf)</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV ></DIV ><DIV CLASS="NAVFOOTER" diff --git a/docs/faq/errors.html b/docs/faq/errors.html index 49f68e4991..b36251ec13 100644 --- a/docs/faq/errors.html +++ b/docs/faq/errors.html @@ -77,7 +77,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN192" +NAME="AEN201" ></A >4.1. Not listening for calling name</H1 ><P @@ -103,7 +103,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN199" +NAME="AEN208" ></A >4.2. System Error 1240</H1 ><P @@ -139,7 +139,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN206" +NAME="AEN215" ></A >4.3. smbclient ignores -N !</H1 ><P @@ -169,6 +169,80 @@ an anonymous login for SMB. Using -N would only set the password to null, and this is not accepted as an anonymous login for most SMB servers.</P ></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN224" +></A +>4.4. The data on the CD-Drive I've shared seems to be corrupted!</H1 +><P +>Some OSes (notably Linux) default to auto detection of file type on +cdroms and do cr/lf translation. This is a very bad idea when use with +Samba. It causes all sorts of stuff ups.</P +><P +>To overcome this problem use conv=binary when mounting the cdrom +before exporting it with Samba.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN228" +></A +>4.5. Why can users access home directories of other users?</H1 +><P +><SPAN +CLASS="QUOTE" +>"We are unable to keep individual users from mapping to any other user's +home directory once they have supplied a valid password! They only need +to enter their own password. I have not found *any* method that I can +use to configure samba to enforce that only a user may map their own +home directory."</SPAN +></P +><P +><SPAN +CLASS="QUOTE" +>"User xyzzy can map his home directory. Once mapped user xyzzy can also map +*anyone* elses home directory!"</SPAN +></P +><P +>This is not a security flaw, it is by design. Samba allows +users to have *exactly* the same access to the UNIX filesystem +as they would if they were logged onto the UNIX box, except +that it only allows such views onto the file system as are +allowed by the defined shares.</P +><P +>This means that if your UNIX home directories are set up +such that one user can happily cd into another users +directory and do an ls, the UNIX security solution is to +change the UNIX file permissions on the users home directories +such that the cd and ls would be denied.</P +><P +>Samba tries very hard not to second guess the UNIX administrators +security policies, and trusts the UNIX admin to set +the policies and permissions he or she desires.</P +><P +>Samba does allow the setup you require when you have set the +"only user = yes" option on the share, is that you have not set the +valid users list for the share.</P +><P +>Note that only user works in conjunction with the users= list, +so to get the behavior you require, add the line : +<PRE +CLASS="PROGRAMLISTING" +>users = %S</PRE +> +this is equivalent to: +<PRE +CLASS="PROGRAMLISTING" +>valid users = %S</PRE +> +to the definition of the [homes] share, as recommended in +the smb.conf man page.</P +></DIV ></DIV ><DIV CLASS="NAVFOOTER" diff --git a/docs/faq/samba-faq.html b/docs/faq/samba-faq.html index 8d9265d2a0..ed74a3be31 100644 --- a/docs/faq/samba-faq.html +++ b/docs/faq/samba-faq.html @@ -171,6 +171,11 @@ HREF="clientapp.html#AEN170" HREF="clientapp.html#AEN175" >How to use a Samba share as an administrative share for MS Office, etc.</A ></DT +><DT +>3.3. <A +HREF="clientapp.html#AEN190" +>Microsoft Access database opening errors</A +></DT ></DL ></DD ><DT @@ -182,19 +187,29 @@ HREF="errors.html" ><DL ><DT >4.1. <A -HREF="errors.html#AEN192" +HREF="errors.html#AEN201" >Not listening for calling name</A ></DT ><DT >4.2. <A -HREF="errors.html#AEN199" +HREF="errors.html#AEN208" >System Error 1240</A ></DT ><DT >4.3. <A -HREF="errors.html#AEN206" +HREF="errors.html#AEN215" >smbclient ignores -N !</A ></DT +><DT +>4.4. <A +HREF="errors.html#AEN224" +>The data on the CD-Drive I've shared seems to be corrupted!</A +></DT +><DT +>4.5. <A +HREF="errors.html#AEN228" +>Why can users access home directories of other users?</A +></DT ></DL ></DD ><DT @@ -206,48 +221,53 @@ HREF="features.html" ><DL ><DT >5.1. <A -HREF="features.html#AEN217" +HREF="features.html#AEN243" >How can I prevent my samba server from being used to distribute the Nimda worm?</A ></DT ><DT >5.2. <A -HREF="features.html#AEN231" +HREF="features.html#AEN257" >How can I use samba as a fax server?</A ></DT ><DD ><DL ><DT >5.2.1. <A -HREF="features.html#AEN242" +HREF="features.html#AEN268" >Tools for printing faxes</A ></DT ><DT >5.2.2. <A -HREF="features.html#AEN252" +HREF="features.html#AEN278" >Making the fax-server</A ></DT ><DT >5.2.3. <A -HREF="features.html#AEN268" +HREF="features.html#AEN294" >Installing the client drivers</A ></DT ><DT >5.2.4. <A -HREF="features.html#AEN282" +HREF="features.html#AEN308" >Example smb.conf</A ></DT ></DL ></DD ><DT >5.3. <A -HREF="features.html#AEN286" +HREF="features.html#AEN312" >Samba doesn't work well together with DHCP!</A ></DT ><DT >5.4. <A -HREF="features.html#AEN299" +HREF="features.html#AEN325" >How can I assign NetBIOS names to clients with DHCP?</A ></DT +><DT +>5.5. <A +HREF="features.html#AEN332" +>How do I convert between unix and dos text formats?</A +></DT ></DL ></DD ></DL diff --git a/docs/textdocs/HINTS.txt b/docs/textdocs/HINTS.txt deleted file mode 100644 index 7af39adc9f..0000000000 --- a/docs/textdocs/HINTS.txt +++ /dev/null @@ -1,111 +0,0 @@ -Contributor: Many -Updated: October 2002 - -Subject: A collection of hints -Status: May be useful information but NOT current -=============================================================================== - -Here are some random hints that you may find useful. These really -should be incorporated in the main docs someday. - - ----------------------- -HINT: Always test your smb.conf with testparm before using it - -If your smb.conf file is invalid then samba will fail to load. Run -testparm over it before you install it just to make sure there aren't -any basic syntax or logical errors. - - ----------------------- -HINT: Try printing with smbclient first - -If you have problems printing, test with smbclient first. Just connect using -"smbclient '\\server\printer' -P" and use the "print" command. - -Once this works, you know that Samba is setup correctly for printing, -and you should be able to get it to work from your PCs. - -This particularly helps in getting the "print command" right. - - ----------------------- -HINT: Mount cdroms with conv=binary - -Some OSes (notably Linux) default to auto detection of file type on -cdroms and do cr/lf translation. This is a very bad idea when use with -Samba. It causes all sorts of stuff ups. - -To overcome this problem use conv=binary when mounting the cdrom -before exporting it with Samba. - - ----------------------- -HINT: Convert between unix and dos text formats - -Jim barry has written an excellent drag-and-drop cr/lf converter for -windows. Just drag your file onto the icon and it converts the file. - -Get it from -ftp://samba.org/pub/samba/contributed/fixcrlf.zip - -The utilities unix2dos and dos2unix(in the mtools package) should do -the job under unix. - ----------------------- -HINT: Use the "username map" option - -If the usernames used on your PCs don't match those used on the unix -server then you will find the "username map" option useful. - ------------------------ -HINT: Use "security = user" in [global] - -If you have the same usernames on the unix box and the PCs or have -mapped them with the "username map" option then choose "security = -user" in the [global] section of smb.conf. - -This will mean your password is checked only when you first connect, -and subsequent connections to printers, disks etc will go more -smoothly and much faster. - -The main problem with "security = user" if you use WfWg is that you -will ONLY be able to connect as the username that you log into WfWg -with. This is because WfWg silently ignores the password field in the -connect drive dialog box if the server is in user security mode. - ------------------------- -HINT: Make your printers not "guest ok" - -If your printers are not "guest ok" and you are using "security = -user" and have matching unix and PC usernames then you will attach to -the printer without trouble as your own username. This will mean you -will be able to delete print jobs (in 1.8.06 and above) and printer -accounting will be possible. - - ------------------------ -HINT: Use a sensible "guest" account - -Even if all your services are not available to "guest" you will need a -guest account. This is because the browsing is done as guest. In many -cases setting "guest account = ftp" will do the trick. Using the -default guest account or "guest account = nobody" will give problems on -many unixes. If in doubt create another account with minimal -privilages and use it instead. Your users don't need to know the -password of the guest account. - - ----------------------- -HINT: Using MS Access - -Here are some notes on running MS-Access on a Samba drive from Stefan -Kjellberg <stefank@esi.com.au> - -1. Opening a database in 'exclusive' mode does NOT work. Samba ignores - r/w/share modes on file open. - -2. Make sure that you open the database as 'shared' and to 'lock modified - records' - -3. Of course locking must be enabled for the particular share (smb.conf) diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt deleted file mode 100644 index 38705f018a..0000000000 --- a/docs/textdocs/UNIX_SECURITY.txt +++ /dev/null @@ -1,54 +0,0 @@ -Contributor: John H Terpstra <jht@samba.org> -Date: July 5, 1998 -Status: Current - -Subject: SETTING UNIX FILE SYSTEM SECURITY -=============================================================================== -The following excerpt from a bug report demonstrates the need to -understand Unix file system security and to manage it correctly. - -Quote: -====== -> We are unable to keep individual users from mapping to any other user's -> home directory once they have supplied a valid password! They only need -> to enter their own password. I have not found *any* method that I can -> use to configure samba to enforce that only a user may map their own -> home directory. -> -> User xyzzy can map his home directory. Once mapped user xyzzy can also map -> *anyone* elses home directory! - -ANSWER: -======= -This is not a security flaw, it is by design. Samba allows -users to have *exactly* the same access to the UNIX filesystem -as they would if they were logged onto the UNIX box, except -that it only allows such views onto the file system as are -allowed by the defined shares. - -This means that if your UNIX home directories are set up -such that one user can happily cd into another users -directory and do an ls, the UNIX security solution is to -change the UNIX file permissions on the users home directories -such that the cd and ls would be denied. - -Samba tries very hard not to second guess the UNIX administrators -security policies, and trusts the UNIX admin to set -the policies and permissions he or she desires. - -Samba does allow the setup you require when you have set the -"only user = yes" option on the share, is that you have not set the -valid users list for the share. - -Note that only user works in conjunction with the users= list, -so to get the behavior you require, add the line : - -users = %S - -this is equivalent to: - -valid users = %S - -to the definition of the [homes] share, as recommended in -the smb.conf man page. - |